> “We saw a lot of improvements on many websites and are very happy with the first results. Some major players like Seat, Mastercard or Nikon have instantly changed their practices. However, many other websites have only stopped the most problematic practices. For example, they may have added a ‘reject’ option, but still make it hard to read. The requirement to show a prominent withdrawal option clearly faced the biggest resistance from website owners.”
Legitimate interest is one of the six legal bases for processing personal data under the GDPR, alongside: consent, performance of a contract, a vital interest, a legal requirement, and a public interest.
I don’t think we’ve seen much in the way of precedent being set here, but theoretically if you can demonstrate and document a measured approach to the way you collect and process data it should be fine. (Objection not withstanding.)
On the other hand, a drag net approach to collecting and sharing data won’t stand up to legitimate interest claims no matter how many toggles you put on your cookie banners.
In the dialogs I have seen so far, the "legitimate interest" page was always a perfect carbon-copy of the "consent" page - with the only difference that the "consent" options were off by default while the "legimate interest" options were on by default.
I understand that, legally, the buttons represent different actions (not giving consent vs objecting a legitimate interest claim) but practically, the only purpose the "legitimate interest" page seems to serve is as a way to have on-by-default options that are still borderline legal.
I think a lot of sites are conflating cookie consent and GDPR consent. You only need GDPR consent when processing personal data, so you don’t need consent just for storing settings in a cookie (as long as those settings do not contain personal data or identifiers linked to personal data). But many sites will ask “GDPR consent” or claim “GDPR legitimate interest” for those settings cookies in any case (in my view that’s a dark pattern in itself because you’re actually making the side harder or impossible to use and thereby inducing visitors to just click the big green “accept all” button to get it over with already…)
As I understand, there's currently an update to the ePD working its way through which aims to clarify some of these points and unify it with the GDPR.
Here's what they say about analytics for example:
> Audience measurement shall be limited to non-intrusive practices that are not likely to create a privacy risk for users
> The Council’s position creates a new exception for audience measurement as suggested by the Article 29 Working Party6. However, the derogation for audience measurement as proposed by the Council is worded too broadly and could lead to an overly broad interpretation of what could fall under the scope of the derogation and consequently lower the level of protection of end users’ terminals.
> Therefore, the EDPB stresses that the derogation for audience measurement should be limited to low level analytics necessary for the analysis of the performance of the service requested by the user and should be solely limited to providing statistics to the service operator, and must be put in place by the operator or their processors. Therefore, this processing operation cannot give rise, by itself or in combination with other tracking solutions, to any singling-out or any profiling of users by the provider or other data controllers. Moreover, the audience measurement service should not allow to collect navigation information related to users across distinct websites/applications and should include a user-friendly mechanism to opt-out from any data collection.
What most websites don't realise is that cookies aren't only covered by GDPR, but also the ePrivacy directive (or more specifically its national implementation, since it is a directive).
The ePD says consent is the only legal basis permitted for placing non essential cookies. Essential has a very narrow meaning that effectively covers a shopping basket or login cookie for features you elect to use. It doesn't cover analytics etc. No presumed consent, no opt-out, etc.
The combination of GDPR and ePD means that your ePD cookie consent must meet GDPR standard levels of consent, which require clear, unambiguous opt-in, informed consent. And that rules out many dark patterns we see everywhere. The German "Planet 49" ruling confirms that consent is required for cookies.
Therefore every time I see "legitimate interest" on a cookie banner, I know it's an ill-informed attempt at a dark pattern by someone who wants a second bite at the cherry, and doesn't understand they:
1. Require consent
2. Need this consent to be actively given (opt in, not opt out).
3. Can't just ask the question again with a pre-ticked box and hide it behind a tab or fold...
> The ePD says consent is the only legal basis permitted for placing non essential cookies. Essential has a very narrow meaning that effectively covers a shopping basket or login cookie for features you elect to use. It doesn't cover analytics etc. No presumed consent, no opt-out, etc.
I think this area has always been a bit murky, actually. There's currently a review of the ePD taking place to unify it with the GDPR and clarify on points such as these. This is in the working group's memo from March 2021
> Audience measurement shall be limited to non-intrusive practices that are not likely to create a privacy risk for users
> The Council’s position creates a new exception for audience measurement as suggested by the Article 29 Working Party6. However, the derogation for audience measurement as proposed by the Council is worded too broadly and could lead to an overly broad interpretation of what could fall under the scope of the derogation and consequently lower the level of protection of end users’ terminals.
> Therefore, the EDPB stresses that the derogation for audience measurement should be limited to low level analytics necessary for the analysis of the performance of the service requested by the user and should be solely limited to providing statistics to the service operator, and must be put in place by the operator or their processors. Therefore, this processing operation cannot give rise, by itself or in combination with other tracking solutions, to any singling-out or any profiling of users by the provider or other data controllers. Moreover, the audience measurement service should not allow to collect navigation information related to users across distinct websites/applications and should include a user-friendly mechanism to opt-out from any data collection.
Of all the major players in this space, Trustarc are by far the worst imo. "Please wait while we save your preferences. This may take a few minutes". No it shouldn't, you're just taking punitive action because I didn't opt in to all the tracking. I guarantee that if I just accepted all cookies then the popup would disappear immediately.
I have to ask, do people really click on these things? I have never once clicked on a cookie banner. I mostly leave them alone neither accepting nor denying. In most cases I read the page using Reader mode, so other than seeing them flash in at the bottom for a second, I don't even see them. When a page doesn't work in Reader mode, I still ignore it and don't interact with it, even when it takes up half the page. If I'm prohibited from viewing the page without it and Reader view doesn't work, I hit the back button and leave the page. Who is clicking on these things and accepting them? Can anyone share their acceptance rate? I'm seriously curious how many people accept them and why. I've almost never had any bad consequence of ignoring them other than poor website design, which is usually a given even without them.
On my phone I use a browser, Firefox Focus, that wipes all saved state every time it's used. That means no cookies and the banners are always there fresh.
I didn't pick it specifically out of concern for tracking. I just tried it and found it nice to use, and it gives a little more peace of mind, so I made it the default
So like you, I browse with the banners because they are always there anyway and there's no point clicking them.
If a big one is in the way, I'm reluctant to take the easy route and pseudo-"agree" even knowing that all local state is wiped when I finish reading that page. Just because the insidious trackers might take it as pseudo-"consent" to use other tracking techniques that go beyond browser state.
But who am I kidding. Such trackers are unlikely to respect the law or the stated intentions of people browsing anyway.
Yeah, legitimate interest toggles have become a nightmare recently. Dozens of teeny tiny switches to click, it's infuriating.
Let alone the fact that "selling my data to make money" hardly qualifies ad "legitimate" in my book. Come on, that's exactly why GDPR exists in the first place!
I'm hitting the back button more and more these days.
Max Schrems is just amazing. Big Tech has been steamrolling over privacy for more than a decade, but Schrems keeps pushing back on them through courts. With major success (in the EU, at least).
And he's not some hard-line activist with extreme demands, all he's doing is asking for reasonable stuff.
What if the EU had a tech team which produced widgets that were mandatory to be used by companies rather than every company creating their own custom cookie prompt filled with dark patterns?
Kind of like the standardized Facebook like buttons which used to be so popular. But instead it's a JavaScript snippet or web component provided by the EU that Google would be legally mandated to integrate into their site?
Alternatively, could we just go back to using the DNT header? I liked this solution a lot better anyways, just set it once and forget about it. The problem was that sites would just ignore it, but if the EU adds some legal weight behind this functionality it could actually be meaningful.
We don't need damn widget. All we need is every web site to respect the standard do-not-track flag. And this can only work if the flag is off by default so only those who actually care set it.
Things like Google Analytics should also check and respect the flag. Requiring every webmaster to ask every visitor if they don't mind Google Analytics being injected is nonsensical.
We should also exclude remembering a user which has signed in from the tracking definition. It's absurd to warn the user about cookies when they sign in.
I also don't want classic (no-choice) cookie warning banners, regardless to whether I am tracked or not. Almost everybody already knows cookies are always there (and we can just introduce a browser extension indicating cookies usage for those who don't). The banners serve no purpose other than annoying people.
> this can only work if the flag is off by default so only those who actually care set it.
As the effort in the article is attempting to establish, this can also work when there is a legal stick against those who don't comply.
All we need is companies to stop tracking people by default. A side benefit is that webmasters don't need to ask about Google Analytics if it's not being used.
This is utopian. I want this but don't believe this is possible.
Perhaps they might agree to stop tracking a portion of users who opt out but forcing them to stop tracking anybody is unlikely to succeed, and even if it succeeds they will just track everybody secretly. I also am not confident in total elimination of tracking being a good idea from the economical point of view - many small businesses rely on precise targeting today.
What a dystopian world we live in when people/companies can just plainly and publicly say that they don’t agree and won’t comply with a binding law with supervision mechanisms and penalties, and still have the general public believe that there’s nothing we can do about it...
And mind you: we’re not (just) talking about the top-5 tech companies and 0.01% here. This attitude is shares by almost every other company out there, and I have a feeling (based on anecdata) that the issue is even worse in smaller companies who think they don’t have to comply because they’re small or because they’re a startup or because they just need to “move fast and break things”… and we seem to accept that…
I wonder if there suddenly would exist a bunch of google analytic competitor if google could no longer offer analytics as "free" by monetizing user data.
Google analytic is a prime example of why we need data protection. The web developer who uses it are not the one paying for it, and they might not even know that google are tracking users for monetizing purposes. It create a market with broken incentives and information asymmetry, with the buyer having relative no power.
Requiring every webmaster to ask every visitor if they don't mind Google Analytics is annoying, but fixing that market is a difficult job. Maybe the solution is more targeted regulation specific to website analytic software.
A don't think of Google Analytics as a problem for users - it's very easy to block, there is a number of ways and even an official way to opt out.
The problem is AFAIK Google forces the actual webmasters to use it - I am not 100% sure but I've read sites without Google Analytics show worse in the search results.
That’s actually the entire point: this should not be standardised. That would make it useless. The purpose of GDPR is that, in principle, you need consent to process personal data. The consent must be specific both in terms of what data is processed, and in terms of why it is processed. The consent must also be explicit (no opt-out or implicit consent by browsing a site) and voluntary (no coerced consent by refusing service for not giving away personal data that is not specifically required for the service you’re asking for). Standardised widgets are exactly the opposite of all that.
In a way it’s very frustrating to see all these nonsense cookie banners that absolutely do not comply with GDPR at all. Why nag visitors with annoying cookie banners when your website is just as “illegal” as when it wouldn’t have a nag screen at all. This is really the worst of both worlds.
Then again, it’s perfectly understandable for companies to comply just a little, as they can then start long arguments with regulators on whether their implementation is compliant or not and whether they are getting valid, specific, express and voluntary consent (rather than just getting fined right away because there’s clearly no consent being asked at all which would make it too easy for the regulator).
So I’m really glad to see someone picking up this battle to actually enforce GDPR and call out the complete joke/smokescreen that most companies have made of it…
I think what they mean is a standardized end-user interface with some drag-drop/easy configuration on the dev side. Every site on earth doesn't need to develop their own modals/UI to gather consent.
But why ask for consent right away when someone just visits your website for the first time? Imagine that you walk into a shop and the owner starts harassing you right away, blocking your path and your view and nagging you whether you consent to them following you around the shop tracking what you’re looking at, what you touch, what you actually purchase, and then give the shop next door a call to tell them all about your visit so that they can all “improve your shopping experience by giving you personalised recommendations”. Pretty sure almost no one would keep shopping there. In fact, this is pretty clear from Apple’s new do not track option where Facebook said in their quarterly report that it’s really hurting then (contrary to their statements that all of their users already happily consented to tracking and that they’re actually doing their users a favour by tracking them).
What should really happen is that sites just stop asking for bullshit consent to being tracked. No one will consent to being tracked if given an actual, clear and explicit opt-in choice, if there’s absolutely no downside in refusing consent and no one is tricked into giving consent by dark patterns.
Websites should just abstain from processing personal data until the visitor does something that actually requires personal data (e.g. sign up, make a purchase, …). In those cases, most obvious processing of personal data can be done based on other grounds (performance of contract, legitimate purposes, …) so really there should not be any consent nag screens needed at all except for some very specific exceptional cases…
> But why ask for consent right away when someone just visits your website for the first time? Imagine that you walk into a shop and the owner starts harassing you right away
You do implicitly give consent to "be tracked" when you walk into a shop. A savvy shop-keeper will look at the clothes (brand, style, etc.), hair, facial features, etc. and internally compare you to other's who have made purchases and either approach you or not.
The closest thing we have to that is our (pretty terrible, in the privacy kind of way) ad networks to tell us what kind of people visit our online shop. Without that information, it's hard to (nay, impossible) to guess what demographics come to our store and position the store to cater to the demographic that actually makes a purchase vs. those that don't. If I see a whole bunch of boomers coming to the site, but they don't convert, I can figure out why they're not making a purchase and do something about it, just like I could in a brick-and-mortar store.
I really don't like the amount of personal data gathered or the dark patterns surrounding them. But there's got to be a way to surface some kind of aggregate information without sacrificing privacy.
They can do the tracking you've described. We all have a brain and will process at a personal level.
But they aren't allowed to make it systematic by, for example, writing a file of paper notes describing each person's recognizable characteristics to share among the staff, or doing the same with photos. Those records would be covered by the GDPR, which corrects an omission in previous laws that only covered electronic records.
I think the elephant in the room is that tracking is the major business model that currently powers the web - and regulators (and citizens) have made clear they do not want this business model to continue.
It's really a power struggle between businesses and regulators in regards to tracking as a business - and overly complex cookie banners are the most visible sign of it.
I fully second the DNT header. Perhaps even some common set of headers, like DNT/FirstPartyOnly/Performance)
I like what GDPR did for privacy, but I absolutely hate it's impact on web browsing. Now _every_ damn site has a cookie banner covering the bottom third of the page. Plus many sites have a fixed nav or another damn banner at the top. Mobile browsing has gotten painful.
California seems to be trying to pass (or succeeded in passing?) some new legislation which aims to get sites to honour some new version of DNT.
The problem I have is that DNT is "good enough". Websites need to accept the law (opt in is needed, defaults must be to assume a user is opted out unless/until they do so of their own accord, and can't apply coercive pressure or try to force them to agree). DNT fell down when websites said they wouldn't honour it if browser makers made it enabled by default, or made it too easy for too many users to enable it, and it was "voluntary".
We now see CCPA privacy statements required to state whether they honour a DNT opt-out... If the next step is to require sites to honour the preference, It just seems to me that adding a new header achieves very little, and using the existing one could achieve more in a shorter time!
If we aren't careful, we'll end up with fingerprinting of the new privacy browser headers, based on the granularity of privacy choice information being conveyed in headers due to the various disparate attempts at applying more sticking plasters to the wound. Heck, fingerprinting just DNT and a couple of other proposed privacy headers alongside user agent would probably at least give enough information to distinguish multiple users sharing an IP via NAT... (!)
Doesn't this approach put the cart before the horse? The GDPR contains a lot of aspirational language, but European data protection authorities haven't yet articulated clear, binding common standards in this area. In the linked article, Max acknowledges this ("Others said that they want a clear ruling by the authorities, before they start complying.")
There's also the reality that different DPAs have different interpretations of what the GDPR requires. In the linked article, Max also acknowledges this: "We need clear pan-European rules. Right now, a German company feels that the French authorities’ interpretation of the GDPR only applies to France, even though they operate under the same law within the same European market."
This may be an unpopular take, but Noyb is essentially harassing hundreds of companies with his organization's particular interpretation of the GDPR. Wouldn't it be more appropriate to first push authorities to develop common, clear, technically detailed, and legally binding interpretations of the GDPR, rather than going after companies to take action in what is still a grey area? It's not even clear at this point that the changes Noyb is pushing for are either legally required or, on the flipside, legally sufficient.
Oh, just stop it right there. GDPR is already quite clear, the companies just keep pretending it’s more complicated than it actually is because they want to continue to look out for number one, is all.
But the GDPR is not clear -- I gave two examples from the linked article to support my point.
The same thing is true across the GDPR... I'm more familiar with the academic literature around whether there is a "right to an explanation" for AI systems embedded in the GDPR, for example. There are dozens of academic papers arguing both sides of that specific question, with no clear conclusion or consensus.
Your mistake is that you belive that (1) the law is not clear and (2) these poor companies end up with these crazy solutions because the law is unclear.
The thing is that the _intent_ of the law is very clear. You could search for loopholes and come up with all kinds of creative solutions to go around it, but then you can't pretend it is a decision you made in good fate.
Haha - on HN we literally have folks saying that a cookie popup / banner is a GDPR violation, and others pointing out the .eu sites that do exactly that (govt run!).
So yes - the GDPR is confusing as hell!
You either have to pop up for explicit consent or are not supposed to yadda yadda.
The average user is relatively sick of the GDPR I think that this point.
The cookie law is fine, the problem is with companies who maliciously comply with it (and often "comply" with it in a way that doesn't actually comply at all).
It's sort of like how telcos in America like to comply with various sales taxes by… making something up and adding a line item to your bill purporting to be taxes, but really it's just them charging you for no reason.
Is it fine ? As a user, I consider that it's OK for websites to track my activity. This is true for every single website in the world. Is there any way for me to indicate that preference anywhere in the current framework ?
The complain here is that it's too complex to opt out of the tracking. But I have no way of opting out of that fake "protection" framework, which I consider to be useless and wrong. None at all.
As made extensively clear by the pencil pusher who came up with this grand idea of mandating an interruption for every single website I visit: those are my data. I want to have the freedom of letting websites track me if they want to, I don't need them to ask me. Give me any way to do that, and I'll be happy. But that was explicitly prevented.
The EU seems to think they know what's best for me, and won't let me make my own choices. It really doesn't, and rather than accepting that fact and giving me the freedom they claim to defend, they would rather annoy me.
So I'll keep on clicking on "Accept All" for the years to come cursing the hours of brain time lost to make a dude feel important.
If you did try to pursue the EU, I think you would quickly meet the counter argument that there are many people who are unhappy being tracked in detail systematically without consent, and would be even more if they knew the extent of it, so it would not be ok to make your preference just be how it is for everyone.
The problem are the countless websites breaking the law or complying in the most annoying, manipulative way possible.
All the EU is asking for is that users aren't spied on and tracked across the web without their consent.
This is as if they made stalking illegal without consent, so now you are followed all day by annoying clowns constantly interrupting you asking whether you consent to them stalking you.
An interesting question as many don't understand the rules for when consent is required.
I'd wager it is far fewer sites than who don't show one, or show a meaningless pop-up saying they use cookies and you agree by browsing to the site.
These sites almost invariably are using GTM to load all sorts of third party scripts and cookies....
Heck even sites that show cookie prompts often don't link the prompt to the actual script placing the cookies! Cookies dumped before the consent box has even loaded...
I didn't remember the site, but the other day I saw one of this deceptive cookie banners that tries to trick you to accept all cookies and make you do many steps to reject.
I noticed that the banner was made by "One Trust", and if you go to One Trust site, the examples showed are not deceptive at all [1], all the examples have a clear "Reject all"/"Accept all" buttons.
One Trust marketing page is hiding that has deceptive designs built in.
I guess the OP can make GDPR complaints to One Trust and services like that, and fix in bulk the sites that are using those services (or make it lose clients and shut down).
The CMP vendors claimed defense is that they make their widgets configurable so sites can judge for themselves what they think they need to legally ask users for and give a default maximally compliant interface, but conveniently with lots of knobs to twiddle to maximise "consent" rates by making alternatives harder.
That said, even that preview page gives the option to see the "Legitimate Interests" interface by selecting "IAB TCF 2.0" under the regulations section, rather than just "GDPR".
I use a Firefox extension (self deleting cookies). Clicking "accept" and then having the browser delete all of those trackers when I leave the site? Pretty good.
browser fingerprinting hasn't been deployed in the wild, and I use the firefox built in anti-fingerprinting as well as extensive privacy protecting extensions. Of course, that's not perfect. On the other hand, it took 30% of people using adblock for anti-adblock measures to be enforced. I have yet to see practical, wide spread fingerprinting be deployed (although I don't doubt it's out there).
Self Deleting Cookies are, of course, one component of online privacy. Sadly.
If the European Union's own main website cannot do without a pop-up then what are we even talking about? They have effectively limitless resources to make it work. Their website doesn't even have to earn money and yet even they use a consent pop-up.
The goal of the law shouldn’t be for you to implement a banner asking for permission, but for you to build a website which does not need it because it respects and doesn’t gobble user data.
The EU’s website is setting a bad example by not embodying the optimal result of the law they created.
Nobody reads them. They either completely ignore them like me, or search for the "get the fuck out of my way and let me do the thing I came here to do" button.
> It’s just a problem that if you embed tweets on your website, or a YouTube video or something, your visitors will get the associated cookies.
Then don't do that on a government website! Why should I have to consent to that shit when visiting my government's websites? I don't want to use Twitter or YouTube and participating in government shouldn't force me to! WTF?
Except that refusing to serve people who reject cookies is explicitly not allowed by the GDPR. You cannot make tracking a requirement for using your site.
Except that many of the "deny consent" buttons I'm told either don't work or are intentionally made to slow you down. Again, not fair on a government site. Also, they all work by placing a cookie in your browser. If the whole point is that you don't want to be tracked by tracking cookies, then the solution, of "OK, we'll place this cookie to tell us not to track you using cookies" defeats the point. Once the cookies is on your computer, you can't really tell who's using it for what. They can just say it's not a tracking cookie, but still use it as one. The whole scheme is ludicrous.
I rarely use my GDrive but today I had to download an image sent from my phone and wasn't allowed because third party cookies were disabled. It seems like they've added a new dark pattern to force 3PC on but nobody's been complaining about it. It seems absolutely ridiculous that a Google property depends on a separate domain for access. After enabling, there were network requests to googleusercontent.com which really has no reason to exist other than to serve as a wedge for the dark pattern.
Not excusing their dark patterns (which don't play nice if you block double-click at DNS level, but just as an observation, googleusercontent.com itself is actually a legitimate and valid (at least IMO) security precaution.
By serving up all user generated content from a separate domain, it gives defense-in-depth against any kind of uploaded content getting script execution - it's served up from a domain that is completely separate from any authentication tokens or valuable cookies etc. That way, a user-uploaded HTML file (if someone found an endpoint that would render it) shouldn't be able to be served up from a first-party domain.
83 comments
[ 3.2 ms ] story [ 183 ms ] thread> “We saw a lot of improvements on many websites and are very happy with the first results. Some major players like Seat, Mastercard or Nikon have instantly changed their practices. However, many other websites have only stopped the most problematic practices. For example, they may have added a ‘reject’ option, but still make it hard to read. The requirement to show a prominent withdrawal option clearly faced the biggest resistance from website owners.”
We need people like Max to stop this annoying trend.
Edit: while at it, i have to get this off my chest: Legitimate Interest is probably illegal and violates GDPR.
Max should go after that next.
I don’t think we’ve seen much in the way of precedent being set here, but theoretically if you can demonstrate and document a measured approach to the way you collect and process data it should be fine. (Objection not withstanding.)
On the other hand, a drag net approach to collecting and sharing data won’t stand up to legitimate interest claims no matter how many toggles you put on your cookie banners.
I understand that, legally, the buttons represent different actions (not giving consent vs objecting a legitimate interest claim) but practically, the only purpose the "legitimate interest" page seems to serve is as a way to have on-by-default options that are still borderline legal.
I can't imagine this is in the spirit of the law.
They are doing that, however the the legal standard of consent under the ePrivacy Directive is the same as the GDPR.
The ePD initially referenced the definition in the Data Protection Directive, but that was replaced by the GDPR.
Here's what they say about analytics for example:
> Audience measurement shall be limited to non-intrusive practices that are not likely to create a privacy risk for users
> The Council’s position creates a new exception for audience measurement as suggested by the Article 29 Working Party6. However, the derogation for audience measurement as proposed by the Council is worded too broadly and could lead to an overly broad interpretation of what could fall under the scope of the derogation and consequently lower the level of protection of end users’ terminals.
> Therefore, the EDPB stresses that the derogation for audience measurement should be limited to low level analytics necessary for the analysis of the performance of the service requested by the user and should be solely limited to providing statistics to the service operator, and must be put in place by the operator or their processors. Therefore, this processing operation cannot give rise, by itself or in combination with other tracking solutions, to any singling-out or any profiling of users by the provider or other data controllers. Moreover, the audience measurement service should not allow to collect navigation information related to users across distinct websites/applications and should include a user-friendly mechanism to opt-out from any data collection.
https://edpb.europa.eu/system/files/2021-03/edpb_statement_0...
It was supposed to be adopted soon after the GDPR, but 5 years later and we're still waiting...
The ePD says consent is the only legal basis permitted for placing non essential cookies. Essential has a very narrow meaning that effectively covers a shopping basket or login cookie for features you elect to use. It doesn't cover analytics etc. No presumed consent, no opt-out, etc.
The combination of GDPR and ePD means that your ePD cookie consent must meet GDPR standard levels of consent, which require clear, unambiguous opt-in, informed consent. And that rules out many dark patterns we see everywhere. The German "Planet 49" ruling confirms that consent is required for cookies.
Therefore every time I see "legitimate interest" on a cookie banner, I know it's an ill-informed attempt at a dark pattern by someone who wants a second bite at the cherry, and doesn't understand they:
1. Require consent 2. Need this consent to be actively given (opt in, not opt out). 3. Can't just ask the question again with a pre-ticked box and hide it behind a tab or fold...
I think this area has always been a bit murky, actually. There's currently a review of the ePD taking place to unify it with the GDPR and clarify on points such as these. This is in the working group's memo from March 2021
> Audience measurement shall be limited to non-intrusive practices that are not likely to create a privacy risk for users
> The Council’s position creates a new exception for audience measurement as suggested by the Article 29 Working Party6. However, the derogation for audience measurement as proposed by the Council is worded too broadly and could lead to an overly broad interpretation of what could fall under the scope of the derogation and consequently lower the level of protection of end users’ terminals.
> Therefore, the EDPB stresses that the derogation for audience measurement should be limited to low level analytics necessary for the analysis of the performance of the service requested by the user and should be solely limited to providing statistics to the service operator, and must be put in place by the operator or their processors. Therefore, this processing operation cannot give rise, by itself or in combination with other tracking solutions, to any singling-out or any profiling of users by the provider or other data controllers. Moreover, the audience measurement service should not allow to collect navigation information related to users across distinct websites/applications and should include a user-friendly mechanism to opt-out from any data collection.
Source: https://edpb.europa.eu/system/files/2021-03/edpb_statement_0...
This seems a reasoned approach.
Is that thing doing anything or communicating with any servers while we are waiting?
It's not a surprising thing to do, but it pretty quickly leads to the percentage becoming yet another metric to "optimize".
I think it's save to assume there is no practical way to make more visitors want to accept more cookies.
That leaves only one way to optimize that metric, and that is dark patterns.
I didn't pick it specifically out of concern for tracking. I just tried it and found it nice to use, and it gives a little more peace of mind, so I made it the default
So like you, I browse with the banners because they are always there anyway and there's no point clicking them.
If a big one is in the way, I'm reluctant to take the easy route and pseudo-"agree" even knowing that all local state is wiped when I finish reading that page. Just because the insidious trackers might take it as pseudo-"consent" to use other tracking techniques that go beyond browser state.
But who am I kidding. Such trackers are unlikely to respect the law or the stated intentions of people browsing anyway.
Let alone the fact that "selling my data to make money" hardly qualifies ad "legitimate" in my book. Come on, that's exactly why GDPR exists in the first place!
I'm hitting the back button more and more these days.
And he's not some hard-line activist with extreme demands, all he's doing is asking for reasonable stuff.
[1] https://en.wikipedia.org/wiki/Max_Schrems
https://support.noyb.eu/join
A site can have a banner and still be in violation, hence Noyb's actions here.
Alternatively, could we just go back to using the DNT header? I liked this solution a lot better anyways, just set it once and forget about it. The problem was that sites would just ignore it, but if the EU adds some legal weight behind this functionality it could actually be meaningful.
Things like Google Analytics should also check and respect the flag. Requiring every webmaster to ask every visitor if they don't mind Google Analytics being injected is nonsensical.
We should also exclude remembering a user which has signed in from the tracking definition. It's absurd to warn the user about cookies when they sign in.
I also don't want classic (no-choice) cookie warning banners, regardless to whether I am tracked or not. Almost everybody already knows cookies are always there (and we can just introduce a browser extension indicating cookies usage for those who don't). The banners serve no purpose other than annoying people.
As the effort in the article is attempting to establish, this can also work when there is a legal stick against those who don't comply.
All we need is companies to stop tracking people by default. A side benefit is that webmasters don't need to ask about Google Analytics if it's not being used.
Perhaps they might agree to stop tracking a portion of users who opt out but forcing them to stop tracking anybody is unlikely to succeed, and even if it succeeds they will just track everybody secretly. I also am not confident in total elimination of tracking being a good idea from the economical point of view - many small businesses rely on precise targeting today.
And mind you: we’re not (just) talking about the top-5 tech companies and 0.01% here. This attitude is shares by almost every other company out there, and I have a feeling (based on anecdata) that the issue is even worse in smaller companies who think they don’t have to comply because they’re small or because they’re a startup or because they just need to “move fast and break things”… and we seem to accept that…
And many businesses relied on CFCs as coolants before they got forbidden. they found a solution.
Regulation can also be a source of innovation if it forces businesses to think of alternative, less harmful ways to solve a problem.
Google analytic is a prime example of why we need data protection. The web developer who uses it are not the one paying for it, and they might not even know that google are tracking users for monetizing purposes. It create a market with broken incentives and information asymmetry, with the buyer having relative no power.
Requiring every webmaster to ask every visitor if they don't mind Google Analytics is annoying, but fixing that market is a difficult job. Maybe the solution is more targeted regulation specific to website analytic software.
The problem is AFAIK Google forces the actual webmasters to use it - I am not 100% sure but I've read sites without Google Analytics show worse in the search results.
In a way it’s very frustrating to see all these nonsense cookie banners that absolutely do not comply with GDPR at all. Why nag visitors with annoying cookie banners when your website is just as “illegal” as when it wouldn’t have a nag screen at all. This is really the worst of both worlds.
Then again, it’s perfectly understandable for companies to comply just a little, as they can then start long arguments with regulators on whether their implementation is compliant or not and whether they are getting valid, specific, express and voluntary consent (rather than just getting fined right away because there’s clearly no consent being asked at all which would make it too easy for the regulator).
So I’m really glad to see someone picking up this battle to actually enforce GDPR and call out the complete joke/smokescreen that most companies have made of it…
What should really happen is that sites just stop asking for bullshit consent to being tracked. No one will consent to being tracked if given an actual, clear and explicit opt-in choice, if there’s absolutely no downside in refusing consent and no one is tricked into giving consent by dark patterns.
Websites should just abstain from processing personal data until the visitor does something that actually requires personal data (e.g. sign up, make a purchase, …). In those cases, most obvious processing of personal data can be done based on other grounds (performance of contract, legitimate purposes, …) so really there should not be any consent nag screens needed at all except for some very specific exceptional cases…
You do implicitly give consent to "be tracked" when you walk into a shop. A savvy shop-keeper will look at the clothes (brand, style, etc.), hair, facial features, etc. and internally compare you to other's who have made purchases and either approach you or not.
The closest thing we have to that is our (pretty terrible, in the privacy kind of way) ad networks to tell us what kind of people visit our online shop. Without that information, it's hard to (nay, impossible) to guess what demographics come to our store and position the store to cater to the demographic that actually makes a purchase vs. those that don't. If I see a whole bunch of boomers coming to the site, but they don't convert, I can figure out why they're not making a purchase and do something about it, just like I could in a brick-and-mortar store.
I really don't like the amount of personal data gathered or the dark patterns surrounding them. But there's got to be a way to surface some kind of aggregate information without sacrificing privacy.
But they aren't allowed to make it systematic by, for example, writing a file of paper notes describing each person's recognizable characteristics to share among the staff, or doing the same with photos. Those records would be covered by the GDPR, which corrects an omission in previous laws that only covered electronic records.
It's really a power struggle between businesses and regulators in regards to tracking as a business - and overly complex cookie banners are the most visible sign of it.
I like what GDPR did for privacy, but I absolutely hate it's impact on web browsing. Now _every_ damn site has a cookie banner covering the bottom third of the page. Plus many sites have a fixed nav or another damn banner at the top. Mobile browsing has gotten painful.
The problem I have is that DNT is "good enough". Websites need to accept the law (opt in is needed, defaults must be to assume a user is opted out unless/until they do so of their own accord, and can't apply coercive pressure or try to force them to agree). DNT fell down when websites said they wouldn't honour it if browser makers made it enabled by default, or made it too easy for too many users to enable it, and it was "voluntary".
We now see CCPA privacy statements required to state whether they honour a DNT opt-out... If the next step is to require sites to honour the preference, It just seems to me that adding a new header achieves very little, and using the existing one could achieve more in a shorter time!
If we aren't careful, we'll end up with fingerprinting of the new privacy browser headers, based on the granularity of privacy choice information being conveyed in headers due to the various disparate attempts at applying more sticking plasters to the wound. Heck, fingerprinting just DNT and a couple of other proposed privacy headers alongside user agent would probably at least give enough information to distinguish multiple users sharing an IP via NAT... (!)
[0] https://www.dataprotectioncontrol.org/
[0] https://www.dataprotectioncontrol.org/
There's also the reality that different DPAs have different interpretations of what the GDPR requires. In the linked article, Max also acknowledges this: "We need clear pan-European rules. Right now, a German company feels that the French authorities’ interpretation of the GDPR only applies to France, even though they operate under the same law within the same European market."
This may be an unpopular take, but Noyb is essentially harassing hundreds of companies with his organization's particular interpretation of the GDPR. Wouldn't it be more appropriate to first push authorities to develop common, clear, technically detailed, and legally binding interpretations of the GDPR, rather than going after companies to take action in what is still a grey area? It's not even clear at this point that the changes Noyb is pushing for are either legally required or, on the flipside, legally sufficient.
The same thing is true across the GDPR... I'm more familiar with the academic literature around whether there is a "right to an explanation" for AI systems embedded in the GDPR, for example. There are dozens of academic papers arguing both sides of that specific question, with no clear conclusion or consensus.
The thing is that the _intent_ of the law is very clear. You could search for loopholes and come up with all kinds of creative solutions to go around it, but then you can't pretend it is a decision you made in good fate.
So yes - the GDPR is confusing as hell!
You either have to pop up for explicit consent or are not supposed to yadda yadda.
The average user is relatively sick of the GDPR I think that this point.
AFAIK, you can use cookie banners, but opting in has to be as easy as opting out. The .eu sites do that.
https://news.ycombinator.com/item?id=28134437
https://support.noyb.eu/join
It's sort of like how telcos in America like to comply with various sales taxes by… making something up and adding a line item to your bill purporting to be taxes, but really it's just them charging you for no reason.
The complain here is that it's too complex to opt out of the tracking. But I have no way of opting out of that fake "protection" framework, which I consider to be useless and wrong. None at all.
As made extensively clear by the pencil pusher who came up with this grand idea of mandating an interruption for every single website I visit: those are my data. I want to have the freedom of letting websites track me if they want to, I don't need them to ask me. Give me any way to do that, and I'll be happy. But that was explicitly prevented.
The EU seems to think they know what's best for me, and won't let me make my own choices. It really doesn't, and rather than accepting that fact and giving me the freedom they claim to defend, they would rather annoy me.
So I'll keep on clicking on "Accept All" for the years to come cursing the hours of brain time lost to make a dude feel important.
"Advanced Data Protection Control": https://www.dataprotectioncontrol.org/
If you did try to pursue the EU, I think you would quickly meet the counter argument that there are many people who are unhappy being tracked in detail systematically without consent, and would be even more if they knew the extent of it, so it would not be ok to make your preference just be how it is for everyone.
This is as if they made stalking illegal without consent, so now you are followed all day by annoying clowns constantly interrupting you asking whether you consent to them stalking you.
Do you know how many websites are there that show cookie banners when they don't have to?
e.g they have only auth/technical cookies
I'd wager it is far fewer sites than who don't show one, or show a meaningless pop-up saying they use cookies and you agree by browsing to the site.
These sites almost invariably are using GTM to load all sorts of third party scripts and cookies....
Heck even sites that show cookie prompts often don't link the prompt to the actual script placing the cookies! Cookies dumped before the consent box has even loaded...
I noticed that the banner was made by "One Trust", and if you go to One Trust site, the examples showed are not deceptive at all [1], all the examples have a clear "Reject all"/"Accept all" buttons.
One Trust marketing page is hiding that has deceptive designs built in.
I guess the OP can make GDPR complaints to One Trust and services like that, and fix in bulk the sites that are using those services (or make it lose clients and shut down).
[1] https://www.onetrust.com/cookie-banner-gallery/
That said, even that preview page gives the option to see the "Legitimate Interests" interface by selecting "IAB TCF 2.0" under the regulations section, rather than just "GDPR".
Furthermore, some store it externally (e.g Trustarc) and maybe they can recover your consent later somehow?
Self Deleting Cookies are, of course, one component of online privacy. Sadly.
If the European Union's own main website cannot do without a pop-up then what are we even talking about? They have effectively limitless resources to make it work. Their website doesn't even have to earn money and yet even they use a consent pop-up.
The EU’s website is setting a bad example by not embodying the optimal result of the law they created.
It’s just a problem that if you embed tweets on your website, or a YouTube video or something, your visitors will get the associated cookies.
Nobody reads them. They either completely ignore them like me, or search for the "get the fuck out of my way and let me do the thing I came here to do" button.
> It’s just a problem that if you embed tweets on your website, or a YouTube video or something, your visitors will get the associated cookies.
Then don't do that on a government website! Why should I have to consent to that shit when visiting my government's websites? I don't want to use Twitter or YouTube and participating in government shouldn't force me to! WTF?
By serving up all user generated content from a separate domain, it gives defense-in-depth against any kind of uploaded content getting script execution - it's served up from a domain that is completely separate from any authentication tokens or valuable cookies etc. That way, a user-uploaded HTML file (if someone found an endpoint that would render it) shouldn't be able to be served up from a first-party domain.
A lot of fuss over ten websites.