Isn't there insane money to make just suing everybody in breach of gdpr? I always thought there were laywers scouring the internet in search of a quick buck.
Wouldn't that just end up in the hands of whatever government is relevant? I believe the fines you pay for GDPR violations are paid to governments, not users or suers.
Administrative penalties (those levelled by the supervisory authorities) do go to the state, but one can receive compensation for damages caused by infringement of rights under the Regulation.
> I don't think you really "sue" anyone for breaching GDPR. I think you report it to the local authorities, and then they pursue a case.
You can.
Article 79 explicitly states that data subjects have a "right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
Article 82 also states that "any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
>As to the practicality of suing for violations, how would you quantify "damaged suffered" from saving a cookie in my browser?
The GDPR does not regulate cookies at all, at least unless they are a form of processing of personal data, so you wouldn't be able to sue for that.
It's the ePrivacy Directive that deals with cookies (and storing/accessing other data on your devices), and that lacks any sort of private cause of action, at least at the EU level. Directives (unlike Regulations) have to be transposed in to domestic law in EU member states, so depending on where you are there might be a private enforcement mechanism, but I doubt it.
It would probably be some very large number backed by a theory like "this violation has deprived the plaintiff of their ability to fully control the disposition of their private information and activities, thereby creating permanent direct and indirect risks whose damages to the plaintiff's income, income potential, business, reputation, and family are limited only by the malevolent collective imagination of an unbounded pool of individual, institutional, or governmental adversaries."
I'm not sure what lessons the rest of the world should have taken from the US's "war on drugs" (or, for that matter, the US's prohibition before it).
... but "If you pass the law that outlaws a wildly-popular behavior, most people will stop that behavior" probably wasn't it. Law can bend behavior on the margins. It just encourages rule-breaking when you try to drive it like a spike through the middle.
Wait, they criminalized it? I thought it was just fines for shitty behavior. Fines for shitty behavior I can get behind. "We were used to getting away with it" is a poor excuse that gets poorer every day. But yeah, making it criminal is too far too fast. Assuming they've actually done that.
EDIT: they haven't, "shadowgovt" just overstated the comparison. No, I do not believe that getting away scot-free with shitty behavior today entitles anyone to get away scot-free with shitty behavior tomorrow.
In my country, we didn't end that practice without a civil war.
I think that story is an excellent example of the limits of the coersive power of law. Even though the goal is righteous, the law may be the wrong tool to achieve it.
What alternative tools can be deployed on this topic?
Is the issue of consistent and proper enforcement a "Quis custodiet ipsos custodes" issue, or a lack of resources to police / monitor / enforce issue right now? IIUC, enforcement must be "proportionate," but that's a pretty anxiety-inducing word in a law unless there's either solid precedent to establish what that word means or an oversight board.
And if the issue is that they're under-funded, I agree with increasing resources to proportionate to the need to properly enforce the law. Coupled with proper proportionate penalties (including warnings for good-faith efforts to compliance, making the law a bit more like online speeding tickets than the 20-million-euro minimum penalty suggests it should be), it may be able to adjust behavior.
On the other hand, I'd expect the resulting behavior adjustment magnitude to be in the realm of speeding tickets (with the occasional reckless-driving for, say, a FAANG mass-harvesting data). Maybe that's good enough for the goals though.
I don't agree with the approach for obvious reasons, but he's not entirely wrong either. Even that ruling doesn't change anything - the IAB was fined a token amount, the others get off scot-free and can keep the profits earned over 4 years of illicit data processing.
Quite the opposite, the ruling made clear that trying to outsource the risk to a third party doesn't work.
"All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses."
How are they going to find out? Are they mandating source code & database audits?
If it took them 4 years to take action on something that was pushed in every web user's face several times per day, you're probably looking for a few millennia for them to take action on something only a few hundred company insiders are aware of.
I mean this clearly is still being worked out as consent popups are a requirement of the law but the enforcers and courts don't seem to like that fact and are getting very creative in there interpretations to avoid the explicit requirements of the law.
> consent popups are a requirement of the law but the enforcers and courts don't seem to like that fact
I don't think you could misrepresent the situation any more if you tried. IAB did not even have a data protection officer. As a massive advertising body.
How you go from the very specific and clear list of violations [1] to "the courts don't like consent popups" is entirely beyond me. That's like a car manufacturer stating the authorities don't like cars after failing a crash test for not having airbags.
I'd have a lot more patience with this law if it had come with an implementable w3c do-not-track-like signal sites could transparently operate on so it didn't wreck the UX for people who didn't care (or for that matter, people who did!).
(... which, unfortunately, I guess wasn't "do no track" since that pretty much failed, right?)
Dismissing cookie notices is just a sign of companies outsourcing the cost of being privacy friendly.
They could just run their own analytics tool and you wouldn't need any notice at all for basic visitor counting. But everybody is craving for that shiny numbers from Google Analytics (for mysterious reasons _perfectly_ integrated into all other Google tools), easy ad money and whatever metric marketing wants to see this month.
Please don't make glib statements about what people do and don't want. If you don't want the metrics that you get from something like Google then that's fine but a lot of companies, ourselves included, find the insight massively valuable when we are trying to work out which parts of our product are or aren't working properly.
Sure, we could roll our own but that creates its own problems and doesn't exempt you from cookies notices at all.
Cookie notices are only necessary when you are transferring data to third-parties and there's no technical reason for that.
Selling my personal data to some analytics company, and you have chosen to do exactly that, is not technically neccessary but a very deliberately made decision by someone.
> If you don't want the metrics that you get from something like Google then that's fine but a lot of companies, ourselves included, find the insight massively valuable when we are trying to work out which parts of our product are or aren't working properly.
As a user, I don't want to be spied on so that you can "improve" your product aka make it more addictive or refine your dark patterns. I definitely don't want Google spying on me to help you achieve that goal either.
The GDPR making it harder for you to do this means it's working as intended and I'm very glad to have it as a user.
That's what browser extensions like Super Agent are good for.
And the fact that we need a browser extension to deal with such incredibly annoying and intrusive "functionality" that is required by law is just insane.
I wonder what is the GDP cost of millions if not billions of people flushing the toilet every day, often multiple times a day.
We can all make silly arguments, just because something requires you to take action, and it might cost money, doesn't mean we therefore have to just let late stage capitalism run wild.
If we didn't flush toilets but all of a sudden because of some law (directly or indirectly), we started flushing toilets; we should be concerned about it. But that's clearly not the case here and your analogy doesn't hold up.
A better analogy was if you were forced to use the toilet every time you entered a store you haven't been to previously... Just why in the world would I need to take part in such a wasteful charade.
My guess is that it is not a cost. It is a small annoyance, and I would be delighted for it to be gone. But... I really can't support any argument that inflates the cost of it.
That cost should be paid by the companies forcing pop-ups onto users.
Popups in no way GDPR's fault. The law does not mandates them.
Instead, it's a form of malicious compliance. Companies pester visitors with popup banners that are almost always unnecessary.
E.g. GDPR allows essential cookies e.g. a login cookie containing an encrypted token without any popup. If you want to notify users about it for extra safety you can show a little privacy notice on the login form. No need for popups.
I'm not sure it's malicious compliance. When you are threatened with massive fines for non-compliance but you aren't told explicitly about how to solve it other than, "A cookie notice would be a way of complying", everyone will use a cookie notice.
Modern cookie banners definitely are malicious compliance and most certainly are also violations of the GDPR.
All those companies could use less invasive methods of asking for consent, such as optional checkboxes in signup forms. Or a non-intrusive "click here to opt-in to tracking". The reason they don't do it like this is because they prefer forcing users to click "Accept All" using dark patterns.
Anyone complaining about shitty cookie banners is actually complaining about companies breaking GDPR.
Oh the irony of this site itself having a "we use cookies, got it?" banner while lamenting this exact perceived lack of choice. I always laugh a little when I see those anyway, knowing that my browser's settings and privacy extensions are blocking the cookies and tracking connections either way.
Did we consider that if everyone is breaking the law, the law itself might need a rework?
Obviously there’s no definition, but I’d say a reasonable baseline is when a user expects a stateful interaction on the stateless medium that is the web. So for example, a multistage checkout process.
Necessary site functionality, without the spyware. Unfortunately, most websites sites are funded by spyware, so the minimum cookies to keep the internet economy running would have to include the spyware.
Disagree. Let it burn, it's the only way. (change my mind?)
This made me think of the Ukraine war, and how the sanctions may turn out to be a bigger help to climate crisis than any political entity could muster on the basis of the impeding climate snafu. Sometimes radical action is the right course of action; for democracy-(pre)serving reasons our governance systems often inhibit change unless most of the population is rallied around a specific cause as we see with Ukraine. That is the time for radical change to happen, or democracies would never progress. End of sidetrack :)
EDIT: I mean, Strong agree with "Necessary site functionality, without the spyware. ", but disagree with last part
I was just asserting out that a law that banned spyware-based advertising would harm the current website ecomomy which is largely based around spyware. I would like to see an end to mass spying, and therefore the creation of a different kind of funding mechanism. That could indeed be brought about by law, but that seems a bit too violent to me. I think what we're missing is a better alternative.
I read an interesting article (from the mid 2000s? Will update if I can find it) arguing that microtransactions will never work due to the cognitive burden of paying for hundreds (or thousands!) of tiny things a day.
Brave's BAT seems to solve this part of the problem by automating the payments based on how much time the user spends on each site. It would require everyone to switch to Brave and use their crypto thing to make it work, so it's obviously "suboptimal".
> I was just asserting out that a law that banned spyware-based advertising would harm the current website ecomomy which is largely based around spyware.
I think that largely, the website economy is based around advertising. I honestly doubt the advertising-centered business model would disappear even if large-scale tracking did. Would it be less targeted and less efficient on a micro-level - yes probably.
But less abusive advertising would also have upsides for website owners: Privacy conscious people are increasingly blocking all ads, losing them eyeballs. Privacy friendly ads may be given a pass.
Right now it's mostly impossible for privacy-conscious people to support a website the like by looking at their ads. The adtech industry is to blame for this for data-raping people. Website owners would benefit from a sustainable advertising model, where users don't have to make the choice between not contributing financially, vs sacrificing their privacy to data leeches. All the websites crying over ad-blockers would instead be forced to use legal ad networks that don't rely on illegal tracking, and people might again be willing to look at ads for content.
Brave is an interesting take, but I think the more optimal solution is to just ban the practice of tracking and shadow-profile building. Problem solved, and I don't need to encourage people to install ad-blockers anymore.
>Would it be less targeted and less efficient on a micro-level - yes probably.
I remember reading not too long ago that tracking did not increase profits! I find that hard to believe because once the tracking gets good enough, they actually start showing me ads for things I actually might want to buy! (Imagine that!) In my experience, Facebook's ads (at least on Instagram) show me really cool things, while Google (who should know way more about me) shows me complete garbage on all its platforms (YouTube being worst of all).
Re: less abusive advertising
I'm considering making some (hopefully!) profitable web games but I'm averse to putting ads on them. After giving it some thought I realized my main objection wasn't aesthetics / UX (though that is certainly a concern when it comes to "art" -- I want my games to be beautiful and ads sort of kill the vibe there) -- my main concern was actually running strange 3rd party fingerprinting / zombie-tracker / god-knows-what. If it was just a clearly labeled affiliate link, eg. <a><img>, that would do away with most of my concerns! (And simplify my GDPR compliance by just.. not storing anything.. and eliminate the need for those horrible banners :)
In general I'm averse to government regulations, but this might be a rare case where the alternative (rampant spying) is worse... After that, all that remains is to get the governments to ban themselves from spying too ;)
> Facebook's ads (at least on Instagram) show me really cool things, while Google (who should know way more about me) shows me complete garbage
I personally remember being pretty shocked at how the Facebook like button & social login spread to everywhere and they could track you all around. Long time ago. Facebook probably knows a lot more about you than you think.
"This made me think of the Ukraine war, and how the sanctions may turn out to be a bigger help to climate crisis than any political entity could muster on the basis of the impeding climate snafu."
Huh? Here in germany there is talk by politicians that climate policies have to stand back now and we need to rely more on the coal plants and not close them, as it was planned.
I really hope, that the actual solutions will be more renewables and nuclear, but I am a bit pessimistic about it.
Germany is in a very tough spot energy-wise and is the most impacted by the Russian sanctions. A lot of house heating is gas and that isn't something you can change in 6 month. So in the very short term they probably need coal to replace the gas where possible so that stockpiles can meet next winters demand for heating.
But for medium-term, a lot of infrastructure investment will be needed. Times are such that the public will be quick to condemn investment in fossil energy, so there will be pressure to find green solutions where feasible.
The other day I saw a headline that France had stopped subsidizing gas heating installations. I don't get why it took a Russian war to do that, but apparently it did.
There have been many other such headlines. Will it matter? Probably some, maybe a lot... one can hope.
Showing an ad next to a news article is not fundamental to the function of a news site, even if it's how the bills are paid. You can't degrade the experience because visitors reject cookies. So you can't do a "we'll show you the article but only if you agree to ads". And you have to make the reject-all-cookies the default choice and easier than accepting. It's pretty simple.
And, to make it even more precise, I would call cookies, which are for login, also as non-essential, unless a visitor really wants to log in, meaning they navigate to the login page.
This means, that be default, I don't need any cookies, because I don't want to log in to most websites I visit. Only if I want to log in, I have need for such cookies.
...hit the nail on the head. By 'as close to none' I pretty much meant "any cookie that isn't about authentication and/or holding state of something as an authenticated user that would matter"
For each cookie present, an independent third party expert would be willing to testify that the cookie is required in order for the website to operate as the user expects.
As much as this may really damage the sector I work in, I’d cherish the clarity a stance like this could provide.
There are many businesses trying to be compliant whilst maintaining access to metrics their business depends on.
Compliance is very difficult at this time as the legal advice is shifting in different territories and there is conflicting guidance when you start to dig into it.
Id rather see a selection of activities and tactics entirely banned/regulated rather than this directive which is clearly too open to interpretation.
Appreciate the sentiment. Policy changes will probably always hurt somebody. The expectation is the the economy will realign around new goals.
In this case it's even simpler since a software company would like be able to develop a new product with hopefully more value to society than the vast majority of data collecting companies provide. I'm also not too afraid for tech workers being able to find other jobs, although I'm sorry for any other collateral damage.
Isn't this already the case? Does anyone actually think that you give voluntary informed consent to something by being annoyed into pressing a button?
No, if you show a cookie banner your users do not opt-in. So a cookie banner is pointless since it doesn't actually give you permission to store cookies you couldn't store before. So we already have the law, we just don't enforce it.
I agree that a cookie banner is pointless. But they are even on government websites, so obviously something has gone terribly wrong along they way (hint: lobbyism).
My thinking goes like this:
1. The law explicitly talks of requesting consent.
2. Incentives will drive actors to request additional permissions if possible (you always get some legal, can claim ignorance, etc)
3. People get constant intrusions wasting our collective time and attention on an enormous scale.
The current law is encouraging this type of user-hostile behavior. This is stating an objective fact, since the current situation is clearly a result of the current law.
If any type of consent-banner or opt-in method is allowed, industry groups will lobby for loopholes they can use to trick users using whatever mechanism the law leaves at their disposal.
Just outright ban the use of cross-site tracking and user profiling. We don't have a societal need for this to be legal.
The most common use of “tracking” cookies is just to be able to count unique views for your site, which I think is a perfectly reasonable thing to want to do. Knowing the impact of your site is something pretty much every website producer (including governments, individuals, and businesses) wants to do.
Other examples of where cross-site tracking is useful is for preventing online payments fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.
Somewhere along the line, counting views or helping reduce fraud for customers turned into “store full demographic information about someone who never signed up for our service”, which is where everything went wrong in my mind. The cookies themselves aren’t the problem, it’s how they’re being used.
> The most common use of “tracking” cookies is just to be able to count unique views for your site, which I think is a perfectly reasonable thing to want to do.
Sure, and I don't remember if this is currently legal without need to notify/ask, but I think it should be.
As long as the tracking data is legally and technically isolated to only domains/apps/devices controlled by the same entity... Most people have the expectation that a website/business will be able to remember them across visits from the same browser.
But people will not necessarily have this expectation of being recognized across domains or different devices - indeed most people won't know it's even possible - so anything facilitating such identify/profile correlation should be considered illegal tracking by default. The specific technical method of creating the correlation should not matter. Honestly this could extend to non-web profile building as well.
The exception, of course, is if the user has self-identified by logging in.
> Other examples of where cross-site tracking is useful is for preventing online payments fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.
True, completely agree. There are already blanket exemptions for certain uses in the GDPR and those should be extended as needed for use cases that have legitimate value. Cookie law should be changed so no need to ask/inform the user about these use cases other than in the website's privacy statement, where such tracking should be stated.
Industries handling such tracking data should be regulated and audited to ensure proper handling and use of the data. Again I think this should be applied as a broader principle, and I think for example loyalty programs should be also audited to ensure compliance with legal uses of the collected data.
4 out of 4 in my case. May I ask which ones you checked, I'm genuinely curious, cause I really don't remember seeing any official website in the EU without cookie banner in many years.
Okay, the first two are pretty hilarious, but as far as I can tell, the first one doesn't actually set any cookies if you don't react to the banner, and the second one sets just this: "{"cm":false,"all1st":false,"closed":false}", which seems acceptable.
The other two are trickier to judge, but contain (user?) identifiers, which could certainly be used for tracking, so I'll have to concede your point.
Edit: I had to recheck some of the sites I'd previously checked, as your examples helped me realize that my browser does a lot of blocking. It turns out that just one of my examples was actually a good one: https://finlex.fi/en/
Terve! Not surprised to see Finland slightly ahead of the curve.
I think the default is that most people, professionals included, don't understand the law and throw in the banner-spam to be on the safe side or because of outdated checklists.
I have zero problem with (edit: first-party) cookies, only with the web being a horrible UX for 95% of people, so hope more official websites can lead the way, so that pop-ups can slowly be de-normalized in peoples minds.
> Did we consider that if everyone is breaking the law, the law itself might need a rework?
No, GDPR is doing tons of good works.
The whole web is a privacy and security nightmare and we've been tolerating this mess long enough.
Many companies are engaging in malicious compliance by annoying users with popups and push the blame onto GDPR.
The reality is that 99% of websites need zero cookies, zero popups and no logging of IP addresses. The ones requiring login can set a login cookie without pestering the user.
Exactly, everyone’s still breaking the law, but it’s not a binary thing. They’re breaking the law much less now, and they’re being much better about documenting the ways in which they’re breaking it than they were previously.
Sure, but you have to also accept that there are aspects that have made the internet a worse experience without actually improving the situation from a privacy point of view.
To be fair, the GDPR does outlaw all the things we find annoying with the cookie banners (or rather, data processing consent flows, as they cover more than just cookies).
The problem is continuous lack of enforcement and distinct lack of billion-dollar fines everyone was fear mongering about, which allows companies to passively-aggressively pretend to comply by making their banners annoying on purpose to mislead people into hating the GDPR.
This problem would be resolved overnight (and everyone's privacy increased by orders of magnitude, since spyware would become illegal again) if those fines actually started coming down.
Billion-dollar fines can only happen if the company in question had a revenue of €25B per year and was hit with the maximum fine. But either way, enforcement is absolutely happening: https://www.enforcementtracker.com/ has over a 1,000 rulings in its DB.
It's not enough. That link gets posted all the time but it just shows that over 4 years, across all companies, the total fine amount is just over 1Bn. How much does Google or Facebook profit from non-consensual data processing in just a single year?
Clearly the EU wants to give companies the time to adapt.
Internet privacy has been a laissez-faire dystopian wasteland for decades.
Even with the current very gentle enforcement, GDPR has received a lot of push back and called draconian (by those who benefit from corporate surveillance).
Yeah, but it's hard to enforce a law at scale when the difference between legal and illegal behavior is not obvious to a layperson. The law is too technical.
It also has shouldn't have options where a user can simply allow further data collection, since this makes it hard clearly say whether a certain practice is legal or not, since it "will depend".
This creates more friction to enforcement. If things were more clear-cut, enforcement could be automated, and you would probably see those fines roll out.
It is harder to say "this software library is illegal to use in the EU" if there are certain circumstances where it's not.
> ...the difference between legal and illegal behavior is not obvious to a layperson.
GDPR and cookie law is not hard to understand, so that excuse is a little bit lame to be honest. Besides, if you really need to understand what you must do by law, you should hire a lawyer. That's the same as with any other law.
What I meant to say was that pressure to enforce laws only happen if there is public pressure to see the law implemented, and when the concepts are too abstract/intangible, the public disengages more easily from the issue.
Political will for improvements and funding is more likely to happen with more public support as counter to the influence of industry lobbists.
Public support is easier to rally when people can personally relate, or ideally share a pain point. A good candidate would be the annoying pop-up boxes. Frame them as dangerous because increasing the risk of online data and identity leaks. Solution to this threat to public security is to eliminate them by default answer. Simple law proposal.
It’s a conference submission. It’s not like the authors are responsible for or affiliated with the usenix.org website. It wouldn’t be ironic if I published a GitHub UI dark patterns study on github.com.
It is just that most websites don’t comply and developers misunderstand it.
You can freely use cookies like we used to do, for session id’s, shopping carts etc. Once you add stuff to your shopping cart, you have a business relationship with the site, and they can store cookies necessary basic functionality.
You can not use them to track users on third party sites, or store personally identifiable info without explicit consent, and in that case, denying consent should be as easy, and not affect other functionality, such as blocking content.
Yeah like instead of having them on the street, they could have a shop and you could tax them a lot and make sure people know what they are getting into.
Same with sharing personal data - maybe not a bad parallel :)
Everyone and their dog who has been getting away with bad behavior is going to take that stance as a stalling tactic. It might be true, but either way it's going to have a lot of bad-faith weight behind it, so we need to make our strategy robust to that inevitability.
I'll default to skepticism but keep my mind open to proposals that are concrete and specific.
IMO, the problem with GDPR is the same problem we have with a lot of European laws. There's nobody who's incentivized to enforce compliance.
If you were able to sue for GDPR violations, either on your own or in a class lawsuit, you would have an incentive to prove that the violation has indeed occurred. As long as your lawyer was working on commission, they would share that incentive.
As it stands, all you can do is file a complaint with your GDPR office and hope it makes a difference. You don't get any money from that, so hiring a lawyer to get such a complaint right is an expense you will not get reimbursed for. More importantly, the person investigating your complaint is probably on a salary, not a commission, so they don't personally care about how successful they are.
Compare that to the ADA[1], for example, where you literally get legal firms looking for disabled Americans, finding places that don't comply with the law and suing them. Enforcement was partially privatized, and the free market, as it often does, found a better and more efficient way of enforcing the law than the government could dream of.
> Enforcement was partially privatized, and the free market, as it often does, found a better and more efficient way of enforcing the law than the government could dream of.
I'm not a fan of this. You're replacing one kind of dark-pattern wielding, stain-on-underpants-of-society, predator with another!
You will spawn industries of failed lawyers going after the easy money, i.e. clueless everyday people who inadvertently misconfigured wordpress and can't afford a lawyer when they get threatened with court cases if they don't pay the extortion fees.
Just like asshole copyright lawyers under Germany's shitty jurisdiction extending their disgusting and threatening attacks on everyday citizens around Europe who dare to have a personal webpage without being experts in copyright law. As with ad-tech, also not the kind of enterprises we need to have in our society. Also wouldn't shed a tear for that industry to just die.
If you do this kind of thing you need to directly target the companies enabling the illegal behavior, not the website owners.
You can actually sue under the GDPR and get compensation.
Article 79 explicitly gives data subjects "the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation"
Article 82 states that if someone has "suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered".
Because GDPR has been around for a few years and its still unmanageable. Laws need to be realistic to make compliance easy and widespread. Maybe there needs to be resources for training or something. There are lots of things you can tweak while still getting the benefits.
Compliance is easy and manageable, for the most part. It's just that companies want to still do the things the law is trying to disincentivize, and want to put as many dark patterns as they can in the way of users avoiding it. So the "unmanageable" part is trying to figure out how close you can come to breaking the law without being blatant.
If you as a developer are tasked with understanding this, you take the time to read the actual rules and then you misunderstand it, you are incompetent. But this is not what generally happens. Folks don't read, just yolo some terrible explanation off of SO and then complain when someone tells them they are not compliant. That's laziness. Those are the only reasons for noncompliance, outside of actual malice.
It can be cheaper to misunderstand it. So long as risk of getting fined is low, and the fines aren't higher than they are, you aren't really tasked with being compliant. You are given a task to implement something in compliance but what that means is as compliant as possible while still making sure the business survives, possibly even on the same business model. That latter part isn't explicitly given to a developer in the instructions - but it's going to be made clear that if you don't want to put up the minimum-effort cookie wall, there is someone else that can do that job.
This is why we need a law that people actually fear to the point where they would rather switch off the lights and take down the sign, than try to put up an off the shelf cookie wall that can be configured to have an "Accept all" button.
The law should not have had the consent provision. Without consent provisions, the law makes a fine general prohibition on unnecessary use of personal data,† albeit with a few kinks that I'm glossing over with "unnecessary". But it has the outlines of a sensible regulation, the corner cases could surely have been smoothed out in court.
The consent provision ruins everything. The fact of its existence reframes otherwise unlawful processing as "you need to get consent" instead of "you shouldn't be doing this", which is how it should be framed. It turns the whole regulation into a farce, restricting data processing to necessary uses except if you have the ability to document and semi-coerce consent (subtly enough to not invalidate the content you've obtained, but empirically that's clearly not closely examined).
And lo, a parasite industry dedicated to coercing and documenting "consent"!
†Just talking article 6 here, I don't really want to get into the weeds of chapter 3.
> Did we consider that if everyone is breaking the law, the law itself might need a rework?
I think GDPR assumed companies would like to do right by their visitors. I guess the only way to do that is to increase the severity of the consequences for violating user trust. GDPR itself offers a guideline that many seem to misunderstand... you don't need a popup for every kind of cookie.
I'm not against enforcing minimal tracking as default, and opting into cookies should be similar to going through a purchase flow... because it is one, just using "data" as a currency. So yes, convince me to click the "Buy cookies" button.
>GDPR itself offers a guideline that many seem to misunderstand... you don't need a popup for every kind of cookie.
Cookie banners predate the GDPR, most of them are from the "cookie law"[1] that predates it. They're two entirely separate laws that don't supercede each other.
> Did we consider that if everyone is breaking the law, the law itself might need a rework?
The law is fine, the enforcement is not. If the enforcement had any teeth, then people wouldn't be breaking it. So long as managers try to get away with dark patterns rather than just take their business off the internet, the penalties are clearly not stiff enough. But I'm fine with this taking a few years to get in place. It's better to ramp up penalties once the law has matured a bit, than to have the kind of business-ending penalties I'd like to see, for a very new law.
I doubt that very much. A lot of the indieweb sites don't bother collecting information about their users so they don't need to show information pop-ups nor worry about GDPR. I know I don't.
if your site is running on apache with default logging, or a shared host like DreamHost, you are probably not fully in compliance with the letter of the GDPR since you're logging IP addresses and aren't using them for necessary site operations.
... especially if the log just grows and grows and never rotates. The GDPR is a very wide-reaching law.
Of course, there's no real need to worry since, practically speaking, it was intended as a cudgel to beat FAANG with and not a dagger to stab indies with. If you're comfortable with the safety of your operations being "The folks with legal power to enforce won't wield it on you", you have nothing to worry about.
The problem is, they can enforce it on you at any time of their choosing should you do something deemed unpopular or troublesome. While the cudgel was intended for FAANG, the dagger still hangs to stab any indie that gets out of line.
Why would I rely on the kindness of government not to enforce a poorly written law?
I don't think "enforce" means what you think it means. If you are contacted about a GDPR matter usually you have time to fix it before it's "a violation" that incurs penalties.
It's "squishy" terms in law, like "usually" that I find bothersome. Granted, I haven't read the complete specifics of all of the minutia when it comes to the GDPR, I'll admit. I do keep cookies by default though, as a habit, which seems to be in violation of GDPR rules.
Should I start publishing a blog or some such which was antithetical to the prevailing party doctrine, that happened to gain traction with the public, terms like usually tend to go out of the window. Al Capone wasn't indicted on bootlegging after all.
Enforcement action must be "proportionate", so even if you are pulled up by a supervisory authority it's unlikely they're going to give you a massive fine straight off the bat - especially if you are trying to comply and can demonstrate that.
I think everyone seems to be missing the point of what I'm saying, and maybe it's my fault. In the defense of the law that people have given to me, so far, the terms "Usually" and "Unlikely" have come up. Neither of those terms are very satisfactory if I write a critical piece critical of the government and am taken to the full extent of the GDPR's breadth, with little ability to fight it, being a small, independent, self published journalist who had a friend set up a server using the default Apache settings(this is an example - I am not).
In such a case, a massive fine would not only bankrupt that person but would silence such critical dissension from occurring in a much needed vocal minority. Investigative journalism from non-corporate outlets, through non-corporate outlets is a wonderful thing, which has become a rarity, and has the potentiality of becoming illegal due to clerical mishaps.
While I do understand the necessity of a user's privacy, I also understand the necessity of "removing the tumor and saving the leg", to borrow a colloquialism. Broad-brush approaches have quite a few down-stream consequences, which are seldom realized until it's too late. We've only to look at "the war on terror" and the domestic surveillance that came about in the name of "safety" to understand that =/
> In such a case, a massive fine would not only bankrupt that person
At worst you are fined for 4% of your annual income, it wont bankrupt you. No government is going to go through all that hassle just to fine an independent journalist for a paltry sum. If they really wanted that power they would add defamation laws like UK where they can put you in jail for speaking negatively about public figures.
And until the thing you fear happens at least once to a small business we can assume it will never happen. In the extremely unlikely event that it really happens you pay a 4% fee of your annual income, that hurts for sure but it isn't life altering.
The fine is up to up to €20 million or 4 percent of worldwide turnover for the preceding financial year—whichever is higher.
In terms of limits, €20 million is the floor of the upper bound of what the regulator can choose to levy as fine.
> And until the thing you fear happens at least once to a small business we can assume it will never happen
Yes. This is how we hand power to governments and then end up shocked when they are deployed for political ends. All it will take is one politically-inconvenient blogger to cross the wrong person with ties to the regulators, and then there's no structural back-stop to that person getting dragged through a €20 million fine process.
Remember, Aaron Swartz was facing "only" six months in jail...
> I do keep cookies by default though, as a habit, which seems to be in violation of GDPR rules.
Which cookies do you keep? That matters. GDPR doesn't care about cookies, it cares about PII and some other stuff.
For example, setting a cookie called "hello" with the value "world" on the browser of every user does not require consent, as long as this is not used to identify specific user, of course.
>For example, setting a cookie called "hello" with the value "world" on the browser of every user does not require consent, as long as this is not used to identify specific user, of course.
No, that needs consent because that cookie is not strictly necessary for the provision of the service.
(But the reason that requires consent is not the GDPR, it's the ePrivacy Directive)
> A lot of the indieweb sites don't bother collecting information about their users so they don't need to show information pop-ups nor worry about GDPR.
Not true.
I've spent far too much time with expensive lawyers going through the painful details of GDPR compliance and edge cases. If you keep logs at all, anywhere, then technically you could be at risk of crossing the GDPR. Don't assume that you're free and clear because you haven't gone out of your way to add any analytics.
If you keep logs forever, yes you'll be in trouble (though probably much less than plastering your website with analytics or ads).
Keep logs for a reasonable amount of time (90 days) and you'll be fine.
Well, given the current state of GDPR enforcement, you'll be fine whatever you do. But lawyers are going to lawyer and consent management platforms will be delighted to scare you into buying their "solution", even if nitpicking by bringing up edge-cases that are unlikely to occur and for which no case law exists nor will ever exist.
The intent for keeping IP addresses in logs also matters. To give two examples: if you're keeping logs for legal reasons, then it is perfectly fine. If you're keeping for anti-fraud reasons, this is also fine and can be considered "legitimate interest" (as long as the amount of time for storage is reasonable, as you said). If you intend to use this data for other reasons, then you need consent before doing so.
Government regulation that outsources/hides the cost on consumers and businesses needs additional scrutiny. Did anyone analyze the full cost of these regulations? It must be insanely high.
If those businesses had thought of actual consent to their practices before and had acted accordingly, they would not sit on a mountain of tech debt now and their costs of becoming conform with GDPR would be minimal.
Once you get into it, the GDPR is extraordinarily vague. It obviously wasn't written by engineers or even people with domain experience. You can easily interpret common server-side logging operations as GDPR violations if you're not careful.
Seems a very patronising response. Personally, I have found the GDPR clear and well thought-out. Of course, there are some things that are annoying that you have to comply with like "IP addresses are personal data" but that is a problem with the web, not with the intention and implementation of GDPR.
As it should be. The G stands for "General", after all.
If engineers wrote the law, it would have no effect, because it would specify the means by which tracking happens (e.g. cookies, HTML5 localstorage) but not the act of tracking itself; and it would be easy to circumvent. Legal documents cannot be precisely specified bundles of English-language-shaped computer code; they need flexibility so that the judge can actually rule things that make sense.
For example... why shouldn't server-side logging be treated as in GDPR scope? It does not matter if cookies weren't used to collect it; an IP address and time pair is already enough information to identify an ISP account and that's usually enough for lawyers to sue you with.
I'm upvoting this because you are correct that the GDPR about much more than just cookies, but I disagree with the (perceived?) negativity around how the regulation is vague.
It's designed to be vague because it covers intent and outcomes more than specific technical means of achieving them. This ensures the law doesn't need updating every time there's some new variant of local storage, new browser fingerprinting vector, etc and also to prevent offenders from trivially working around it using a technicality.
Similarly, enforcement will also be much more about intent and outcomes than any specific technical means (well that's the theory - in practice neither is being enforced right now). Nobody will enforce it based on some technicalities, they'll enforce it based on outcomes - if you collect personal data and use it to track a user without an appropriate legal basis (in this case, it should usually be consent), you'll be in trouble regardless of whether you use a cookie, a browser fingerprint, or even just save whatever search queries they type and use that as a way to reidentify them. Conversely, nobody is going to go after you if you set a session cookie to persist a login or shopping cart.
The GDPR is far from vague, the complications come from the legalese that was used to write it. Engineers aren't lawyers and vice versa. You wouldn't want to develop software thrown together by lawyers, and lawyers wouldn't want to work on law written by engineers.
It's "vague" on purpose. Had the GDPR banned cookies, companies would have switched to fingerprinting. Had the GDPR banned JS tracking, Google would've pushed Dart to Chrome. It's written that way so that companies can't think of loopholes because of the language used.
Most (European) law is written quite vaguely. The vagueness allows judges to make the right call rather than become law robots. Instead of specifying concrete limits, the law refers to the current state of the art. If you let the law decide what safeguards are or aren't appropriate, we'd be using 3DES and MD5 to this day, because that's what the law says.
We've seen what the EU does when it tries to lay down more concrete rules: they're trying to force the EU to manage certificate authorities for browsers, which is obviously a terrible idea. Crap like that is why we need vague laws.
More charitably and historically accurate, it's the result of hardcore political negotiations with the originally proposed legislation watered down due to pressure from politicians and governments influenced by lobbyists.
But yeah, the result is too complicated to be effectively enforced, sadly. So further reform is needed.
It's pretty well known that cookie-walls are rife with anti-consumer patterns. Going to something like formula1.com requires me to click more than a 100 times to object to the 'legitimate interests' of as many companies. Which is a pretty terrible anti-pattern when I don't want to be tracked at all...
After reading the abstract, it seems the authors try to classify cookies using a special browser extension called "CookieBlock" [1]. I hope they are successful, because I hate being tracked on the internet.
TrustArc's consent popup disappears instantly on Accept All but shows a loading spinner for "up to several minutes" if you reject cookies. I emailed them about this (because in my experience it's only their software that implements such a dark pattern), they replied "customer misconfigured our software, not our fault" lol.
I wonder if it's a really lazy and terrible attempt at accounting for how long the opt-out request would take. Let's imagine it has no way to know (because of cross-domain restrictions?) whether an opt-out request to a third-party succeeds - in which case it simply waits a reasonable amount of time for the request to complete. Of course, a reasonable time should be a handful of seconds, but I guess at least it makes sense that this is configurable and could explain the problem.
That's about the only non-malicious reason I can think of.
It's entirely possible that it is the result of incompetence rather than malice. Either way, it strongly discourages users from rejecting cookies by wasting their time for 20-30 seconds every time.
Whatever it's doing can simply be done in the background, it doesn't even require UI.
My understanding is that the preferences should not be an opt-out of a default setting per the GPDR, they should be preferences that requested and then saved. So surely the opt-in setting would take just as long as the opt-out setting, wouldn't it?
The opt-in should technically take more time, since you shouldn't be sending PII data before the consent.
In the case of opt-out the only single thing that has to happen is setting a local cookie and closing the modal window, which are things that also happen when you accept.
You are right that technically opt-in should always take longer. No cookies should have been set until the user accepts.
But opt-out should not set anything. I don't know what you mean by "local cookie", a cookie is always sent over the wire by HTTP. If you mean saving to LocalStorage, then I don't think that's allowed either.
> But opt-out should not set anything. I don't know what you mean by "local cookie", a cookie is always sent over the wire by HTTP. If you mean saving to LocalStorage, then I don't think that's allowed either.
It is allowed for this case.
You must save a cookie (or a localStorage value) with the user preferences to avoid showing the cookie banner again. Simplifying: cookies are fine under GDPR as long as they don't carry PII (Personal Identifiable Information). You don't have to ask for consent to store those. They're called "Strictly necessary cookies" in GDPR lingo. (And, of course you can't use any of those to track, though. Intent matters.)
And you can save cookies using a Javascript API. That doesn't involve HTTP requests. The cookie will be sent to the server in future requests, though.
> You are right that technically opt-in should always take longer.
Hm... I suppose so, but negligibly. Setting cookies takes milliseconds, so there shouldn't be a significant difference from a user's perspective.
> No cookies should have been set until the user accepts.
That's not accurate. A number of different types of cookies can be set without consent, generally described as 'strictly necessary' cookies - these include cookies that are required for core functionality of the site, or those required to perform a service expressly requested by the user.
> But opt-out should not set anything.
It's a good practice to record the opt-out (or, that user has not opted in). This can be done as a cookie or using Local Storage. This allows you to do things such as only load third party embeds if the user has opted in, giving the 'opted out' user the option to conditionally opt-in for specific embeds without inconveniencing the 'opted in' user. As far as I understand, current thinking is that this type of preference being recorded falls within the scope of 'strictly necessary'.
> I don't know what you mean by "local cookie", a cookie is always sent over the wire by HTTP.
That's not necessarily true. It is possible to use JavaScript to set and read cookies as a sort of local storage. It's definitely not what cookies were invented for, but technically it can be done.
> If you mean saving to LocalStorage, then I don't think that's allowed either.
GDPR does not care about the method of storage, so if you're allowed to store a cookie, you're allowed to set something in Local Storage (and vice versa).
> Hm... I suppose so, but negligibly. Setting cookies takes milliseconds, so there shouldn't be a significant difference from a user's perspective.
When you accept third-party cookies in a website, additional scripts can be loaded and additional data can be sent to their backends. In the case of providers like TrustArc, etc, consent data is often sent to those third-party after consent is given.
It is of course possible to defer this in the name of user friendliness, which is what TrustArc, etc, tend to do, but only when there is consent.
Honestly I think the GDPR/cookie consent providers should be held equally liable as the website owner for the collective violations facilitated by their product.
I think being able to go after the enablers and profiteers would make enforcement much easier.
An officially maintained list of legal/illegal libraries and services could help website owners to chose a known legal solution. Right now it's hard to expect website owners 'do the right thing' when there's so much contradictory information out there.
Is that a big loss? I can't picture anyone, outside of their employees and shareholders who would be negatively affected by TrustArc disappearing overnight. I just checked their website and it seems like their entire business is GDPR pseudo-compliance targeted at businesses who can't legitimately comply with the GDPR.
> Honestly I think the GDPR/cookie consent providers should be held equally liable as the website owner for the collective violations facilitated by their product.
Most likely everything with a toggle except 'Required Cookies', which are required to make the site work between pages (if you want to turn those off you can disable cookies for the domain in your browser, at risk of the site breaking).
I'm asking because many of these "consent" dialogs allow you to "reject all" for cookies, but require an "object to all" for "legitimate interest" purposes. It wouldn't surprise me if these dialogs considered the "reject all" to apply only to cookies.
Seems like perverting the meaning of "legitimate interest" is the ad industry's next move, now that the obviously illegal popups were officially decried as illegal.
It's not true that you don't need to worry about GDPR if you're only going to use this information for a limited time to analyze attacks. It's a lot more complicated than that.
Keeping the information for a reasonable amount of time for security or fraud-detection purposes would definitely fall under legitimate interest.
I really don't see any bad outcome happening from doing the reasonable thing. Enforcement is near non-existent (Google and Facebook are still around after all), and when it does happen it still very much skews towards assuming good faith (even when it shouldn't) so you'll definitely be fine even if you get it wrong in which case you'll just be given guidance on how to do better.
> Keeping the information for a reasonable amount of time for security or fraud-
> detection purposes would definitely fall under legitimate interest.
Yes, but not being allowed to collect the data at all is not the only way you can fall foul of GDPR compliance.
E.g. you also have to give the data subjects processes for getting info about what data you have on them, getting it corrected if they want to, getting it deleted if they want to. Those are tied to mandatory maximum response times. You have to have a data processing register that the regulator can ask you to show them. You have to have co-controller or subcontractor agreements in place if third parties get to see the data in any way. -- There's a host of things you have to do.
> you also have to give the data subjects processes for getting info about what data you have on them
Nobody is going to do that for web server logs unless you associate them with user accounts. If it happens once because someone wants to joke around, you can handle it as a one-off. You could also decline unless they can provide a letter from their ISP certifying that the provided IP address is static and has been assigned to them for the requested timeframe, both as a way to verify the legitimacy of the requestor as well as to deter such obviously-malicious requests.
> getting it corrected if they want to
It's web server logs - those are generated automatically based on incoming request data; there's nothing to "correct" there.
> getting it deleted if they want to
Up to you how you want to handle this (this depends on whether you need those logs). If you're keeping them for legitimate interest for a certain period of time, you can just refuse, and you can obviously refuse as above until they go through a (admin-intensive) process of actually proving they have owned this IP address for the requested timeframe.
I quite agree with you that it would be highly unpractical to set up that kind of system around access logs. For that reason, the sensible thing to do is to not have IP addresses in your access log.
> E.g. you also have to give the data subjects processes for getting info about what data you have on them, getting it corrected if they want to, getting it deleted if they want to.
A Policy note is standard for most sites. An email address or form where users can request their data isn't possible for web logs storing IP alone. So long as the analysis window for the logs is shorter than the max response time to data requests, you can always autorespond at the end of the response time window saying "Thanks for your request on date D. We have no data stored for you from date D and earlier". Which would be true since the logs are then already flushed out. The paperwork if there is zero real per-user data, zero third parties/subcontractors etc. will be pretty minimal (thankfully).
This is of course assuming 2 things: 1) that you can do all your log analysis in a very short window and 2) that you can do it in house and won't send it to a third party.
The GDPR does not require websites to inform users that a website sets cookies. There is nothing in the GDPR about cookies.
It's the ePrivacy Directive[0] that deals with cookies (or, rather, "[storing] information or to gain[ing] access to information stored in the terminal equipment of a subscriber or user"). This is a law that pre-dates the GDPR.
If you can't get that right, frankly I question whether anything you write on the subject is correct.
(25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.
The rest of the GDPR makes it extremely clear that the goal of the whole thing is not to mandate some specific solution but to force people who run services to allow tracking only with informed consent and to offer options that do not track.
If you are not storing data on your users machines or just do so for legitimate purposes, you should not have a need to ask for a users consent and thus don't have any need a cookie banner.
The issue here is, that many people running websites just don't know what they are storing and how. Just slapping a cookie banner on that bad boy and calling it a day won't work either, because you have to list the purposes of these cookies. If you don't know why your weird wordpress template loads a cookie, maybe it is time to change it (or alternatively: change your profession).
You're wrong. The ePrivacy Directive does require that a website get consent before storing information on the end-user's device. Prior to GDPR, the local country implementations of the ePD allowed for implicit consent in some EU countries, and opt-out consent in other EU countries. GDPR redefined what constitutes legitimate consent to process personal data. Consent that was previously valid under the ePD was no longer valid under GDPR, which is why GDPR is about cookies, and every other processing of personal data.
No. You need consent to store data on an end user's machine, regardless of whether you later track that data or not, unless such storage is strictly necessary for the operation of service explicitly requested by the user.
By that logic the GDPR is "about" fridge magnets because any business storing personal data using letter magnets arranged on a fridge is subject to GDPR. Sure, often cookies constitute/contain personal data, but when they don't they are not regulated by GDPR.
I mean, if you're storing user information that isn't pertinent to the business with fridge magnets on a slab of metal, and the user asks you to take them down, it's a GDPR violation if you don't remove/scramble said magnets after 30 days.
Method of data storage isn't really specified, but that's why it's General Data Protection Compliance.
Yes of course it would cover that hypothetical situation, as I said in my comment, but it would still be ridiculous in general conversation to say "GDPR does require that businesses get consent before using fridge magnets" without specifying "if personal data is involved".
Yes, that is correct GDPR as written and as being interpreted by the courts covers every aspect of commerce, any interaction with another entity no matter how far removed, and any observable side effects of said interactions even if neither party knows of the third parties.
Yes of course it would cover that hypothetical situation, as I said in my comment, but it would still be ridiculous in general conversation to say "GDPR does require that businesses get consent before using fridge magnets" without specifying "if personal data is involved".
Before GDP, the legal consensus among lawyers I asked was that consent could be a 30 pages long legal document hidden through a 6 pixel text link at the bottom of a page that can only be accessed by trawling the website. It wasn't really what the politicians that wrote the ePrivacy Directive intended, which is why the word informed consent was added.
Now if a hidden 30 page long legal document that no one can read is consent then I have this bridge I want to sell. It is totally legit.
I asked a lawyers during a conference that discussed privacy and law. I initially asked if a 50 page document was fine, which they said was not, but then lowered it to 30 and they said "sometimes" without any irony in sight. After an additional discussion they said that even if people did not read the document or had the ability to understand it, it would still count as consent.
I have also talked personally with politicians who was involved with the work of writing GDPR, and the people who wrote the ePrivacy Directive has reportedly said that lawyers interpretation of consent was beyond the imagination of the original intent of the directive, which is why GDPR now require freely given informed consent in contrast to the old consent.
You asked the wrong lawyers, at least for the US. The FTC's case against Sears in 2009 made it clear that consent to a privacy notice isn't valid if the privacy notice is buried deep in a licensing agreement, even if the notice is correct.
(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
That's a recital, it's not part of the operative text. Recitals are the justification for the legal instrument (here, a Regulation), and are used as an aid to interpretation but they're not legally binding.
Yes, but that does not change the incorrectness of the statement: "There is nothing in the GDPR about cookies."
GDPR regulates collection and storage of personal data. Cookies are a means of collection and storage of such data. GDPR does not need to mention cookies specifically.
The ePrivacy Directive regulates public networks (cf. publicly accessible networks) and public electronic comminications services, e.g., e-mail, telephone, messaging. Many "tech" companies arguably fall outside that scope because their primary purpose is arguably not communications. GDPR, OTOH, is much more broad in scope and most would agree it regulates websites and "tech" companies.
The ePrivacy Directive addresses cookies specifically in Article 5(3). This "cookie rule" was not in the original regulation. It was added in 2009. The sudden increase in cookie consent requests on websites recently, and the subject of this Usenix presentation abstract, are probably not a response to the ePrivacy Directive.
The ePrivacy Directive is soon going to be replaced with something more up-to-date, with broader scope. Until that new regulation comes into force, there are obvious reasons why the Usenix authors would cite GDPR and not the ePrivacy Directive.
> Yes, but that does not change the incorrectness of the statement: "There is nothing in the GDPR about cookies."
I disagree, but it's a matter of semantics. I think we can agree that the operational part of the GDPR, the part that has legal force, doesn't mention cookies. Or storing/accessing information on the the terminal equipment of a user if you want to use that definition.
>GDPR regulates collection and storage of personal data. Cookies are a means of collection and storage of such data. GDPR does not need to mention cookies specifically.
But cookies can contain data that are not personal data, and those cookies require consent under the ePrivacy Directive.
And absent the ePD cookies wouldn't need consent (unless that was the legal basis being relied upon under the GDPR).
>The ePrivacy Directive addresses cookies specifically in Article 5(3). This "cookie rule" was not in the original regulation. It was added in 2009. The sudden increase in cookie consent requests on websites recently, and the subject of this Usenix presentation abstract, are probably not a response to the ePrivacy Directive.
No argument from me that the ePD has been (and is constantly being) ignored. And yes, the reason for the sudden increase in consent banners is because of the GDPR, for two reasons:
1) The ePD (as amended) referenced the Data Protection Directive which was replaced by the GDPR, and hence the definition of consent changed. But that still doesn't make violation of the ePD a violation of the GDPR.
2) The GDPR was very well publicised. That meant that people who had no idea what the hell all of this meant, and they first saw the requirements of the ePD at the same time as the GDPR (even though they should have been well aware of it already).
>The ePrivacy Directive is soon going to be replaced with something more up-to-date, with broader scope.
For some value of "soon". They've been promising that for six(!) years now. Hopefully the next round of trialogue (on the 31st March) will get it across the line.
Quite, that's why the ePrivacy Directive is more generic with it's language of "[storing] information or to gain[ing] access to information stored in the terminal equipment of a subscriber or user".
I run a website with a few hundred thousand monthly active users. I get tons of mails from users telling me how much they love it. One unintrusive, smallish Adsense banner pays for everything. For years now, everyone was happy.
Now Google sent me an email that they want me to gather user consent before showing Adsense. They offer an automatic consent modal. But the problem with that one is that it not only displays the consent modal but also injects a smaller widget into the site. It looks like the widget only pops up when the user scrolls down to the bottom of the page. Unfortunately, that also makes it pop up when the page is not longer than the screen. So pages where the content fits on the screen behave really really shitty. Maybe that is the reason why I have never seen it used anywhere.
And of course loading the consent script from Google before getting consent is not in line with GDPR in the first place.
Other consent solutions I see around the web are heavy third party widgets that do a lot of complicated stuff. And because they are third party scripts, they are also not in line with the GDPR.
I have not found any indie developers who have implemented their own consent solution. And as far as I understand it, Google has no communication channel. They just threaten to kick you off Adsense. So all I can do is implement my own solution and wait if it happens or not.
I started to implement my own consent banner now. Not sure if I will get it right so that it pleases Google.
I fear that this whole GDPR thing might be the end of my website.
He's saying to deny access to EU-based users, which will make it very unlikely that any EU-based user will complain, thus (in practice) removing the need for GDPR compliance.
> And of course loading the consent script from Google before getting consent is not in line with GDPR in the first place.
Only if Google uses that information whatsoever. They'd be on the hook if they run afoul of GDPR by collecting information when it's obtained before consent happens, and I'm sure the enforcement agency isn't going to fault the web admin for taking Google's word on compliance.
Given the amount of confusion and conflicting interpretations of GDPR we get on HN, I'm not really surprised. Then there's always the vocal minority that is fully convinced that GDPR is very simple and clear.
There's a huge amount of misinformation spread around it, and not to mention existing online information about the earlier and completely stupid "cookie law" is sometimes mistaken for the GDPR.
It doesn't help that the GDPR is only really simple if you don't abuse personal data. It will obviously become very complex when you're hoping to find loopholes do something that the GDPR was fundamentally designed to outlaw, and it just so happens that a large chunk of this site makes their money from this.
Cookie banners were a thing before the GDPR - the stupid "cookie law" aka ePrivacy Directive was a thing much earlier on.
The main problem however is the lack of enforcement though. None of these "cookie banners" comply with the GDPR, yet are allowed to proliferate because nobody is cracking down on them, so they're a form of pseudo-compliance that is very effective at swaying public opinion against the GDPR.
> It doesn't help that the GDPR is only really simple if you don't abuse personal data.
I'm not sure how helpful this criterion is; there exists a large gray area in what people consider to be "abuse". For instance, suppose that an EU-based business hotlinks an image from a U.S.-based website (or a website hosted on a U.S. CDN, or a website operated by a business owned by a U.S. corporation). Then that business is at risk of being fined, since it has no way of proving that the target website does not log IP addresses (e.g., for some DoS-protection suite), and if it does, the U.S. government could gain access to those IP addresses, which are defined as protected personal information.
In this scenario, the EU-based business isn't necessarily doing anything nefarious like selling data to advertisers, and it could even be refraining from storing any data at all. Likewise, a U.S.-based website that stores only connection logs isn't necessarily doing nefarious things with those. But the former business is still at risk of being fined, since IP addresses have been placed under the umbrella of protected personal information.
In the discussion a while back of the Google IP-address fine, I saw two talking points come up repeatedly: that there would have been no issue if Google weren't doing nefarious tracking of IP addresses, and that the EU operator must have known that IP addresses are radioactive to store or transmit but chose to do so anyway. AFAICT, the first is inaccurate, since any persistent storage of IP addresses by U.S. operators is problematic. And the second, I think, illustrates the real tension here: between privacy maximalists who prefer the least possible amount of data to be stored in all circumstances, regardless of the cost, and everyday server operators who fear that using the default settings on their software or using seemingly-trivial functionality could be introducing legal liability.
I'm still not sure myself about the relative merits of the two viewpoints, but much more could be done to assist the latter group in following best practices, instead of immediately demonizing them as nefarious loophole finders. (Not to say that nefarious operators don't exist, of course, but I suspect that their prevelance is very easily overstated.)
What about a wiki system + workflow tool for documenting all GDPR infringements on every website of interest with auto-submission of a complaint to the regulatory agencies?
Whenever people go "it's been four years, this law is too complicated", I am reminded that every now and again the US Supreme Court has to deal with issues that relate to the constitution.
If you're using it only to make your website work, then you don't need a cookie banner.
However, if it's doing double-duty and is also being used to track users (or to speak technically: if it can be considered PII by GDPR), then you need consent before using it for the tracking part.
GDPR doesn't apply for cookies, btw, it applies for any personal data. Someone above used "information stored using fridge magnets" as an example.
We're experimenting with blocking cookie notices by default in Nightly. There's webcompat risk - some websites just break if you block the cookie notice. "Works on 90% of websites" is just not good enough when deploying to 50 million Web users.
Part of my job is to maintain GDPR compliance for corporate websites. Even for companies that legitimately want to exceed compliance, you would not believe how much of a pain in the ass it is.
The first company wanted to do it "right". So we enabled opt-out by default for all cookies. Which requires setting an anonymized master cookie to check everytime we load a webpage to see if we are allowed to set other cookies. And since IP-detection was not allowed, we did it for all website visitors. And because we have to remember your settings, we had to create a seperate anonymized database outside of our normal website.
And the website broke ALL THE TIME. Product configurators, shopping carts, forms, downtime detection - all this stuff relied on cookies. And for several months the web team had a constant nightmare of customer complaints about broken stuff.
In the first year we ended up spending close to $250k on legal advice from European lawyers, and most of the advice boiled down to "you're not going to get in trouble if you just do what everyone else is doing". Seriously.
Since then it's gotten better - most third party vendors have done a better job of offering anonymized cookie versions of their products. Or there is just more industry guidance available on what kind of cookies can be considered sufficiently anonymous.
For people who claim GDPR compliance is clear and straightforward - I can't believe they actually have much experience working in Privacy. Actual implementation gets... very opaque. Especially when the law says it's illegal to deny service based on their cookie preference, but some services are literally impossible to provide without a cookie of some form.
I understand, my point is that nobody has really thought about this in detail, so you can't just plug in libgdrp to avoid the legwork, like you do with libjpeg or libffmpeg.
Yeah this sounds more like change management issues with the tech rather than steady-state problems. Changing anything is hard, but what about after the change?
At this point it's largely semantics. The ePrivacy directives were included in the same piece of GDPR legislation. And when people talk about GDPR they are talking about both.
The GDPR isn't about cookies, it's about personal data. You can still use cookies for functional stuff, like keeping track of the shopping cart on the client.
The problem here is that companies have an ingrained culture of taking the easy route and just grabbing all the data they can without regard to privacy, which now comes back to bite them.
I'm a privacy lawyer that has worked on cookie consents for a number of commercial websites. Everything you said here is all too true. The real legal answer in a lot of cases is "Do what everyone else is doing. Don't be an outlier. Use industry tools because if there's a problem with an industry tool, they'll go after the tool and not its users."
The comments about cookies not being part of GDPR are grossly wrong. One of the early discussions in the privacy law community was how to handle the collision of the new consent requirements under GDPR with the fact that the ePrivacy Directive requires consent for cookies. Prior to GDPR, a large number of EU jurisdictions allowed for implicit consent through a variety of actions, like scrolling a page, or non-actions, like seeing a banner and not clicking "no". GDPR redefined consent and that's why cookie banners pop up.
As lawyer, could you make an argument how consent can be given by a person if they haven't read the legal document, the other party know that the person has not read the document, and even if the person had read the document they would not understand it because of its language, complexity and size.
To put it in other words, if we used the same definition of consent in any other legal contexts that also require freely given informed consent, would the legal system still function?
> Especially when the law says it's illegal to deny service based on their cookie preference, but some services are literally impossible to provide without a cookie of some form.
To clarify what others are saying here - it is illegal under GDPR to deny service based on people opting out of providing PII in the cases where that PII is not needed for providing the service, not for refusing to accept cookies (although, sure, there can be some relation between these things).
If for example you were providing a service where you sent someone emails on their birthday with autogenerated Love from your AI Momma messages it would not be illegal for you to refuse to provide them access to your service if they opted out of you storing their email and birthday, because those two pieces of PII are needed for the service to work.
That said, most services do not need to store any PII for any length of time to work. Thus if a service says you can't read our medical advice column unless you allow us to store all this stuff we just hoovered up from your browser forever, that would be illegal. Because they don't need any of that stuff to show you the article they already have written and ready to go.
Yeah, anyone who says GDPR is "easy" is just lying through their teeth. It really is folks who have not actually had to implement or try to implement anything.
The best is they claim (falsely) that you don't actually have to pop-up the consent dialogs. Not really true on almost any actual website that does anything anyone wants.
I think it's easy to comply with GDPR if you run a website that doesn't offer any services or generate any income. I have to believe this is where a lot of these type of HN comments come from.
Even then it's actually not easy. You embed a youtube video? You host a font on a US CDN? There are TONs of gotchas even for the "free" sites. And then if you actually are running a business online - and want to let folks do almost anything, better get the pop-ups popping!
GDPR is easy when your only income is what your users pay you and you are not interested in their personal data. My company barely changed some internal documents and that was it.
> Product configurators, shopping carts, forms, downtime detection - all this stuff relied on cookies.
You don't have to ask for consent or permissions for data that is strictly required for the functionality of your website. You're still responsible for keeping PII data safe etc., of course.
basically, you created those problems for yourslef, and now blame the law.
> For people who claim GDPR compliance is clear and straightforward - I can't believe they actually have much experience working in Privacy.
It is very straightforward when it comes to the use cases you described.
> Actual implementation gets... very opaque.
That's your problem, not the law's problem. Ask only for data you strictly need. Keep safe. Do not share with/sell to third parties.
This was true for years before GDPR, and the only reason everyone found it "so hard" is that everyone, including you and your corporate sites, didn't give two craps about users' privacy.
Are you under the assumption that the GDPR requires consent for all processing of personal data?
Because it doesn't.
There are six legal bases for processing personal data in in Article 6 of the GDPR.
Consent is the first one, but the second one listed (paragraph (b)) is that the "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
I really think we should reject the law and make another one that requires the browser vendors to provide the appropriate notices (think of what currently happens with non-https connections) and (browser enforced) choices.
No added work for website developers, no lawyers required, no dark patterns. Common icons and warnings the user can recognize easily because they would be the same for every website.
That makes no sense. How is the browser supposed to inform the user what they are consenting to? The point of the law is, among other things, that you need to have informed consent when you process personal information. That’s not a technical problem that you can solve with a new API. It requires organizations to work differently. Unfortunately it seems that very few orgs have been willing to put the necessary thought and care into this, instead they just slap these cargo cult consent dialogs across everything.
Put a cookies.txt (or json or xml or whatever) at the root of the website (or use a <link> element) with the name of the cookie and what it does. If the cookie isn't listed, the browser rejects it.
The GDPR is not inherently about cookies, and it also does not stand in the way of the solution you describe.
What is standing in the way is corporations considering it more profitable to hassle their users with antipattern-laden popups than to follow the spirit (and, ostensibly, letter) of the law.
The cookie consent stuff has always seemed straight forward to me, but maybe I've had it wrong this whole time. It does really say a lot that 95% of websites had a violation. I wish that we could make the GDPR entirely client-side.
Semi-related: my understanding is that it's impossible for American hosting companies to comply with GDPR (due to the CLOUD act).
If that's the case, and you're American/using an American host, is there any point in even trying to comply?
Honestly why can't browsers just implement a option in there settings?
Let the users decide in one place if the want to consent to extra none essential cookies.
And add a extra field to exclude certain sites in case you have a domain that you want to grant permission.
251 comments
[ 0.20 ms ] story [ 408 ms ] threadBasically I don't think there's any money for the lawyers to pick up here.
You can.
Article 79 explicitly states that data subjects have a "right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
Article 82 also states that "any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
As to the practicality of suing for violations, how would you quantify "damaged suffered" from saving a cookie in my browser?
The GDPR does not regulate cookies at all, at least unless they are a form of processing of personal data, so you wouldn't be able to sue for that.
It's the ePrivacy Directive that deals with cookies (and storing/accessing other data on your devices), and that lacks any sort of private cause of action, at least at the EU level. Directives (unlike Regulations) have to be transposed in to domestic law in EU member states, so depending on where you are there might be a private enforcement mechanism, but I doubt it.
So far they seem to be correct. I would really like to see the courts deal a few black eyes over this, I hope this tool can help.
... but "If you pass the law that outlaws a wildly-popular behavior, most people will stop that behavior" probably wasn't it. Law can bend behavior on the margins. It just encourages rule-breaking when you try to drive it like a spike through the middle.
EDIT: they haven't, "shadowgovt" just overstated the comparison. No, I do not believe that getting away scot-free with shitty behavior today entitles anyone to get away scot-free with shitty behavior tomorrow.
I think that story is an excellent example of the limits of the coersive power of law. Even though the goal is righteous, the law may be the wrong tool to achieve it.
What alternative tools can be deployed on this topic?
And if the issue is that they're under-funded, I agree with increasing resources to proportionate to the need to properly enforce the law. Coupled with proper proportionate penalties (including warnings for good-faith efforts to compliance, making the law a bit more like online speeding tickets than the 20-million-euro minimum penalty suggests it should be), it may be able to adjust behavior.
On the other hand, I'd expect the resulting behavior adjustment magnitude to be in the realm of speeding tickets (with the occasional reckless-driving for, say, a FAANG mass-harvesting data). Maybe that's good enough for the goals though.
Not really. Just recently: GDPR enforcer rules that IAB Europe’s consent popups are unlawful https://news.ycombinator.com/item?id=30176712
This is going to require some time, and thus some patience.
"All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses."
And if they don't comply with that...
How are they going to find out? Are they mandating source code & database audits?
If it took them 4 years to take action on something that was pushed in every web user's face several times per day, you're probably looking for a few millennia for them to take action on something only a few hundred company insiders are aware of.
I don't think you could misrepresent the situation any more if you tried. IAB did not even have a data protection officer. As a massive advertising body.
How you go from the very specific and clear list of violations [1] to "the courts don't like consent popups" is entirely beyond me. That's like a car manufacturer stating the authorities don't like cars after failing a crash test for not having airbags.
[1]: https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europe...
Not needlessly processing personal data is a requirement.
(... which, unfortunately, I guess wasn't "do no track" since that pretty much failed, right?)
They could just run their own analytics tool and you wouldn't need any notice at all for basic visitor counting. But everybody is craving for that shiny numbers from Google Analytics (for mysterious reasons _perfectly_ integrated into all other Google tools), easy ad money and whatever metric marketing wants to see this month.
Sure, we could roll our own but that creates its own problems and doesn't exempt you from cookies notices at all.
Sorry to tell you, but it actually does.
Cookie notices are only necessary when you are transferring data to third-parties and there's no technical reason for that.
Selling my personal data to some analytics company, and you have chosen to do exactly that, is not technically neccessary but a very deliberately made decision by someone.
As a user, I don't want to be spied on so that you can "improve" your product aka make it more addictive or refine your dark patterns. I definitely don't want Google spying on me to help you achieve that goal either.
The GDPR making it harder for you to do this means it's working as intended and I'm very glad to have it as a user.
And the fact that we need a browser extension to deal with such incredibly annoying and intrusive "functionality" that is required by law is just insane.
We can all make silly arguments, just because something requires you to take action, and it might cost money, doesn't mean we therefore have to just let late stage capitalism run wild.
Popups in no way GDPR's fault. The law does not mandates them.
Instead, it's a form of malicious compliance. Companies pester visitors with popup banners that are almost always unnecessary.
E.g. GDPR allows essential cookies e.g. a login cookie containing an encrypted token without any popup. If you want to notify users about it for extra safety you can show a little privacy notice on the login form. No need for popups.
Good news (for the companies): GDPR enforcement has and continues being laughable, so you don't have to worry either way.
All those companies could use less invasive methods of asking for consent, such as optional checkboxes in signup forms. Or a non-intrusive "click here to opt-in to tracking". The reason they don't do it like this is because they prefer forcing users to click "Accept All" using dark patterns.
Anyone complaining about shitty cookie banners is actually complaining about companies breaking GDPR.
Did we consider that if everyone is breaking the law, the law itself might need a rework?
Three years later, randomly enforced and generally ignored: should GDPR-for-anonymous-browsing be regarded as obsolete by the EU's courts?
Agreed - IMO, make cookie banners illegal and make 'minimum cookies' the default. Done?
Edit: by law I mean the GDPR.
Edit2: Get rid of the "cookie banner law" entirely, actually make it illegal, but require easily found links to privacy statement
This made me think of the Ukraine war, and how the sanctions may turn out to be a bigger help to climate crisis than any political entity could muster on the basis of the impeding climate snafu. Sometimes radical action is the right course of action; for democracy-(pre)serving reasons our governance systems often inhibit change unless most of the population is rallied around a specific cause as we see with Ukraine. That is the time for radical change to happen, or democracies would never progress. End of sidetrack :)
EDIT: I mean, Strong agree with "Necessary site functionality, without the spyware. ", but disagree with last part
I read an interesting article (from the mid 2000s? Will update if I can find it) arguing that microtransactions will never work due to the cognitive burden of paying for hundreds (or thousands!) of tiny things a day.
Brave's BAT seems to solve this part of the problem by automating the payments based on how much time the user spends on each site. It would require everyone to switch to Brave and use their crypto thing to make it work, so it's obviously "suboptimal".
I think that largely, the website economy is based around advertising. I honestly doubt the advertising-centered business model would disappear even if large-scale tracking did. Would it be less targeted and less efficient on a micro-level - yes probably.
But less abusive advertising would also have upsides for website owners: Privacy conscious people are increasingly blocking all ads, losing them eyeballs. Privacy friendly ads may be given a pass.
Right now it's mostly impossible for privacy-conscious people to support a website the like by looking at their ads. The adtech industry is to blame for this for data-raping people. Website owners would benefit from a sustainable advertising model, where users don't have to make the choice between not contributing financially, vs sacrificing their privacy to data leeches. All the websites crying over ad-blockers would instead be forced to use legal ad networks that don't rely on illegal tracking, and people might again be willing to look at ads for content.
Brave is an interesting take, but I think the more optimal solution is to just ban the practice of tracking and shadow-profile building. Problem solved, and I don't need to encourage people to install ad-blockers anymore.
I remember reading not too long ago that tracking did not increase profits! I find that hard to believe because once the tracking gets good enough, they actually start showing me ads for things I actually might want to buy! (Imagine that!) In my experience, Facebook's ads (at least on Instagram) show me really cool things, while Google (who should know way more about me) shows me complete garbage on all its platforms (YouTube being worst of all).
Re: less abusive advertising
I'm considering making some (hopefully!) profitable web games but I'm averse to putting ads on them. After giving it some thought I realized my main objection wasn't aesthetics / UX (though that is certainly a concern when it comes to "art" -- I want my games to be beautiful and ads sort of kill the vibe there) -- my main concern was actually running strange 3rd party fingerprinting / zombie-tracker / god-knows-what. If it was just a clearly labeled affiliate link, eg. <a><img>, that would do away with most of my concerns! (And simplify my GDPR compliance by just.. not storing anything.. and eliminate the need for those horrible banners :)
In general I'm averse to government regulations, but this might be a rare case where the alternative (rampant spying) is worse... After that, all that remains is to get the governments to ban themselves from spying too ;)
Exactly - i briefly looked into https://www.ethicalads.io/ but mostly IT related ads it seems.
> Facebook's ads (at least on Instagram) show me really cool things, while Google (who should know way more about me) shows me complete garbage
I personally remember being pretty shocked at how the Facebook like button & social login spread to everywhere and they could track you all around. Long time ago. Facebook probably knows a lot more about you than you think.
Huh? Here in germany there is talk by politicians that climate policies have to stand back now and we need to rely more on the coal plants and not close them, as it was planned.
I really hope, that the actual solutions will be more renewables and nuclear, but I am a bit pessimistic about it.
But for medium-term, a lot of infrastructure investment will be needed. Times are such that the public will be quick to condemn investment in fossil energy, so there will be pressure to find green solutions where feasible.
The other day I saw a headline that France had stopped subsidizing gas heating installations. I don't get why it took a Russian war to do that, but apparently it did.
There have been many other such headlines. Will it matter? Probably some, maybe a lot... one can hope.
Edit: or maybe the opposite. who knows
This means, that be default, I don't need any cookies, because I don't want to log in to most websites I visit. Only if I want to log in, I have need for such cookies.
There are many businesses trying to be compliant whilst maintaining access to metrics their business depends on.
Compliance is very difficult at this time as the legal advice is shifting in different territories and there is conflicting guidance when you start to dig into it.
Id rather see a selection of activities and tactics entirely banned/regulated rather than this directive which is clearly too open to interpretation.
In this case it's even simpler since a software company would like be able to develop a new product with hopefully more value to society than the vast majority of data collecting companies provide. I'm also not too afraid for tech workers being able to find other jobs, although I'm sorry for any other collateral damage.
No, if you show a cookie banner your users do not opt-in. So a cookie banner is pointless since it doesn't actually give you permission to store cookies you couldn't store before. So we already have the law, we just don't enforce it.
My thinking goes like this:
1. The law explicitly talks of requesting consent.
2. Incentives will drive actors to request additional permissions if possible (you always get some legal, can claim ignorance, etc)
3. People get constant intrusions wasting our collective time and attention on an enormous scale.
The current law is encouraging this type of user-hostile behavior. This is stating an objective fact, since the current situation is clearly a result of the current law.
If any type of consent-banner or opt-in method is allowed, industry groups will lobby for loopholes they can use to trick users using whatever mechanism the law leaves at their disposal.
Just outright ban the use of cross-site tracking and user profiling. We don't have a societal need for this to be legal.
Other examples of where cross-site tracking is useful is for preventing online payments fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.
Somewhere along the line, counting views or helping reduce fraud for customers turned into “store full demographic information about someone who never signed up for our service”, which is where everything went wrong in my mind. The cookies themselves aren’t the problem, it’s how they’re being used.
Sure, and I don't remember if this is currently legal without need to notify/ask, but I think it should be.
As long as the tracking data is legally and technically isolated to only domains/apps/devices controlled by the same entity... Most people have the expectation that a website/business will be able to remember them across visits from the same browser.
But people will not necessarily have this expectation of being recognized across domains or different devices - indeed most people won't know it's even possible - so anything facilitating such identify/profile correlation should be considered illegal tracking by default. The specific technical method of creating the correlation should not matter. Honestly this could extend to non-web profile building as well.
The exception, of course, is if the user has self-identified by logging in.
> Other examples of where cross-site tracking is useful is for preventing online payments fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.
True, completely agree. There are already blanket exemptions for certain uses in the GDPR and those should be extended as needed for use cases that have legitimate value. Cookie law should be changed so no need to ask/inform the user about these use cases other than in the website's privacy statement, where such tracking should be stated.
Industries handling such tracking data should be regulated and audited to ensure proper handling and use of the data. Again I think this should be applied as a broader principle, and I think for example loyalty programs should be also audited to ensure compliance with legal uses of the collected data.
Could you give some examples please? I checked all the government websites I could think of and didn't see any.
https://european-union.europa.eu/
https://www.sundhed.dk/
https://www.securite-sociale.fr/
4 out of 4 in my case. May I ask which ones you checked, I'm genuinely curious, cause I really don't remember seeing any official website in the EU without cookie banner in many years.
The other two are trickier to judge, but contain (user?) identifiers, which could certainly be used for tracking, so I'll have to concede your point.
Edit: I had to recheck some of the sites I'd previously checked, as your examples helped me realize that my browser does a lot of blocking. It turns out that just one of my examples was actually a good one: https://finlex.fi/en/
Edit2: Found others: https://www.suomi.fi/frontpage and https://vnk.fi/en/frontpage
Both actually do set cookies, but apparently nothing requiring consent.
I think the default is that most people, professionals included, don't understand the law and throw in the banner-spam to be on the safe side or because of outdated checklists.
I have zero problem with (edit: first-party) cookies, only with the web being a horrible UX for 95% of people, so hope more official websites can lead the way, so that pop-ups can slowly be de-normalized in peoples minds.
Edit:
> https://finlex.fi/en/
Nice find. Also:
https://oikeusministerio.fi/en/frontpage
Can they inform Denmark?
https://www.justitsministeriet.dk/
No, GDPR is doing tons of good works.
The whole web is a privacy and security nightmare and we've been tolerating this mess long enough.
Many companies are engaging in malicious compliance by annoying users with popups and push the blame onto GDPR.
The reality is that 99% of websites need zero cookies, zero popups and no logging of IP addresses. The ones requiring login can set a login cookie without pestering the user.
The problem is continuous lack of enforcement and distinct lack of billion-dollar fines everyone was fear mongering about, which allows companies to passively-aggressively pretend to comply by making their banners annoying on purpose to mislead people into hating the GDPR.
This problem would be resolved overnight (and everyone's privacy increased by orders of magnitude, since spyware would become illegal again) if those fines actually started coming down.
Internet privacy has been a laissez-faire dystopian wasteland for decades.
Even with the current very gentle enforcement, GDPR has received a lot of push back and called draconian (by those who benefit from corporate surveillance).
Yeah, but it's hard to enforce a law at scale when the difference between legal and illegal behavior is not obvious to a layperson. The law is too technical.
It also has shouldn't have options where a user can simply allow further data collection, since this makes it hard clearly say whether a certain practice is legal or not, since it "will depend".
This creates more friction to enforcement. If things were more clear-cut, enforcement could be automated, and you would probably see those fines roll out.
It is harder to say "this software library is illegal to use in the EU" if there are certain circumstances where it's not.
GDPR and cookie law is not hard to understand, so that excuse is a little bit lame to be honest. Besides, if you really need to understand what you must do by law, you should hire a lawyer. That's the same as with any other law.
What I meant to say was that pressure to enforce laws only happen if there is public pressure to see the law implemented, and when the concepts are too abstract/intangible, the public disengages more easily from the issue.
Political will for improvements and funding is more likely to happen with more public support as counter to the influence of industry lobbists.
Public support is easier to rally when people can personally relate, or ideally share a pain point. A good candidate would be the annoying pop-up boxes. Frame them as dangerous because increasing the risk of online data and identity leaks. Solution to this threat to public security is to eliminate them by default answer. Simple law proposal.
And no, privacy actually is improving.
And enforcement is ramping up.
We still have a way to go, but we're moving in the right direction.
It is just that most websites don’t comply and developers misunderstand it.
You can freely use cookies like we used to do, for session id’s, shopping carts etc. Once you add stuff to your shopping cart, you have a business relationship with the site, and they can store cookies necessary basic functionality.
You can not use them to track users on third party sites, or store personally identifiable info without explicit consent, and in that case, denying consent should be as easy, and not affect other functionality, such as blocking content.
I'm getting so tired of people implying the law is wrong just because sites still want to perform the tracking and data gathering it intends to limit.
Same with sharing personal data - maybe not a bad parallel :)
I'll default to skepticism but keep my mind open to proposals that are concrete and specific.
If you were able to sue for GDPR violations, either on your own or in a class lawsuit, you would have an incentive to prove that the violation has indeed occurred. As long as your lawyer was working on commission, they would share that incentive.
As it stands, all you can do is file a complaint with your GDPR office and hope it makes a difference. You don't get any money from that, so hiring a lawyer to get such a complaint right is an expense you will not get reimbursed for. More importantly, the person investigating your complaint is probably on a salary, not a commission, so they don't personally care about how successful they are.
Compare that to the ADA[1], for example, where you literally get legal firms looking for disabled Americans, finding places that don't comply with the law and suing them. Enforcement was partially privatized, and the free market, as it often does, found a better and more efficient way of enforcing the law than the government could dream of.
I'm not a fan of this. You're replacing one kind of dark-pattern wielding, stain-on-underpants-of-society, predator with another!
You will spawn industries of failed lawyers going after the easy money, i.e. clueless everyday people who inadvertently misconfigured wordpress and can't afford a lawyer when they get threatened with court cases if they don't pay the extortion fees.
Just like asshole copyright lawyers under Germany's shitty jurisdiction extending their disgusting and threatening attacks on everyday citizens around Europe who dare to have a personal webpage without being experts in copyright law. As with ad-tech, also not the kind of enterprises we need to have in our society. Also wouldn't shed a tear for that industry to just die.
If you do this kind of thing you need to directly target the companies enabling the illegal behavior, not the website owners.
Article 79 explicitly gives data subjects "the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation"
Article 82 states that if someone has "suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered".
Then maybe the law needs some adjusting to make compliance more manageable.
maybe developers beed some adjusting to make compliance numbers higher.
This is why we need a law that people actually fear to the point where they would rather switch off the lights and take down the sign, than try to put up an off the shelf cookie wall that can be configured to have an "Accept all" button.
The consent provision ruins everything. The fact of its existence reframes otherwise unlawful processing as "you need to get consent" instead of "you shouldn't be doing this", which is how it should be framed. It turns the whole regulation into a farce, restricting data processing to necessary uses except if you have the ability to document and semi-coerce consent (subtly enough to not invalidate the content you've obtained, but empirically that's clearly not closely examined).
And lo, a parasite industry dedicated to coercing and documenting "consent"!
†Just talking article 6 here, I don't really want to get into the weeds of chapter 3.
I think GDPR assumed companies would like to do right by their visitors. I guess the only way to do that is to increase the severity of the consequences for violating user trust. GDPR itself offers a guideline that many seem to misunderstand... you don't need a popup for every kind of cookie.
I'm not against enforcing minimal tracking as default, and opting into cookies should be similar to going through a purchase flow... because it is one, just using "data" as a currency. So yes, convince me to click the "Buy cookies" button.
Cookie banners predate the GDPR, most of them are from the "cookie law"[1] that predates it. They're two entirely separate laws that don't supercede each other.
[1] https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...
The law is fine, the enforcement is not. If the enforcement had any teeth, then people wouldn't be breaking it. So long as managers try to get away with dark patterns rather than just take their business off the internet, the penalties are clearly not stiff enough. But I'm fine with this taking a few years to get in place. It's better to ramp up penalties once the law has matured a bit, than to have the kind of business-ending penalties I'd like to see, for a very new law.
... especially if the log just grows and grows and never rotates. The GDPR is a very wide-reaching law.
Of course, there's no real need to worry since, practically speaking, it was intended as a cudgel to beat FAANG with and not a dagger to stab indies with. If you're comfortable with the safety of your operations being "The folks with legal power to enforce won't wield it on you", you have nothing to worry about.
Why would I rely on the kindness of government not to enforce a poorly written law?
"Broad government power is okay as long as they're clubbing the right people" is certainly a mood.
Should I start publishing a blog or some such which was antithetical to the prevailing party doctrine, that happened to gain traction with the public, terms like usually tend to go out of the window. Al Capone wasn't indicted on bootlegging after all.
In such a case, a massive fine would not only bankrupt that person but would silence such critical dissension from occurring in a much needed vocal minority. Investigative journalism from non-corporate outlets, through non-corporate outlets is a wonderful thing, which has become a rarity, and has the potentiality of becoming illegal due to clerical mishaps.
While I do understand the necessity of a user's privacy, I also understand the necessity of "removing the tumor and saving the leg", to borrow a colloquialism. Broad-brush approaches have quite a few down-stream consequences, which are seldom realized until it's too late. We've only to look at "the war on terror" and the domestic surveillance that came about in the name of "safety" to understand that =/
At worst you are fined for 4% of your annual income, it wont bankrupt you. No government is going to go through all that hassle just to fine an independent journalist for a paltry sum. If they really wanted that power they would add defamation laws like UK where they can put you in jail for speaking negatively about public figures.
And until the thing you fear happens at least once to a small business we can assume it will never happen. In the extremely unlikely event that it really happens you pay a 4% fee of your annual income, that hurts for sure but it isn't life altering.
In terms of limits, €20 million is the floor of the upper bound of what the regulator can choose to levy as fine.
> And until the thing you fear happens at least once to a small business we can assume it will never happen
Yes. This is how we hand power to governments and then end up shocked when they are deployed for political ends. All it will take is one politically-inconvenient blogger to cross the wrong person with ties to the regulators, and then there's no structural back-stop to that person getting dragged through a €20 million fine process.
Remember, Aaron Swartz was facing "only" six months in jail...
Which cookies do you keep? That matters. GDPR doesn't care about cookies, it cares about PII and some other stuff.
For example, setting a cookie called "hello" with the value "world" on the browser of every user does not require consent, as long as this is not used to identify specific user, of course.
No, that needs consent because that cookie is not strictly necessary for the provision of the service.
(But the reason that requires consent is not the GDPR, it's the ePrivacy Directive)
Not true.
I've spent far too much time with expensive lawyers going through the painful details of GDPR compliance and edge cases. If you keep logs at all, anywhere, then technically you could be at risk of crossing the GDPR. Don't assume that you're free and clear because you haven't gone out of your way to add any analytics.
Keep logs for a reasonable amount of time (90 days) and you'll be fine.
Well, given the current state of GDPR enforcement, you'll be fine whatever you do. But lawyers are going to lawyer and consent management platforms will be delighted to scare you into buying their "solution", even if nitpicking by bringing up edge-cases that are unlikely to occur and for which no case law exists nor will ever exist.
The intent for keeping IP addresses in logs also matters. To give two examples: if you're keeping logs for legal reasons, then it is perfectly fine. If you're keeping for anti-fraud reasons, this is also fine and can be considered "legitimate interest" (as long as the amount of time for storage is reasonable, as you said). If you intend to use this data for other reasons, then you need consent before doing so.
* You can't set all your cookies first, then ask permission.
* You can't set all your cookies whether the user accepts them or not.
* You can't tell users to stop using the website if they don't want cookies.
* You can't convince any business owner to follow the above rules.
Once you get into it, the GDPR is extraordinarily vague. It obviously wasn't written by engineers or even people with domain experience. You can easily interpret common server-side logging operations as GDPR violations if you're not careful.
If engineers wrote the law, it would have no effect, because it would specify the means by which tracking happens (e.g. cookies, HTML5 localstorage) but not the act of tracking itself; and it would be easy to circumvent. Legal documents cannot be precisely specified bundles of English-language-shaped computer code; they need flexibility so that the judge can actually rule things that make sense.
For example... why shouldn't server-side logging be treated as in GDPR scope? It does not matter if cookies weren't used to collect it; an IP address and time pair is already enough information to identify an ISP account and that's usually enough for lawyers to sue you with.
The idea is to provide a high level of data protection in general.
It's not just an internet/engineering law. It applies exactly the same in an offline setting as it does on the web.
It's designed to be vague because it covers intent and outcomes more than specific technical means of achieving them. This ensures the law doesn't need updating every time there's some new variant of local storage, new browser fingerprinting vector, etc and also to prevent offenders from trivially working around it using a technicality.
Similarly, enforcement will also be much more about intent and outcomes than any specific technical means (well that's the theory - in practice neither is being enforced right now). Nobody will enforce it based on some technicalities, they'll enforce it based on outcomes - if you collect personal data and use it to track a user without an appropriate legal basis (in this case, it should usually be consent), you'll be in trouble regardless of whether you use a cookie, a browser fingerprint, or even just save whatever search queries they type and use that as a way to reidentify them. Conversely, nobody is going to go after you if you set a session cookie to persist a login or shopping cart.
It's "vague" on purpose. Had the GDPR banned cookies, companies would have switched to fingerprinting. Had the GDPR banned JS tracking, Google would've pushed Dart to Chrome. It's written that way so that companies can't think of loopholes because of the language used.
Most (European) law is written quite vaguely. The vagueness allows judges to make the right call rather than become law robots. Instead of specifying concrete limits, the law refers to the current state of the art. If you let the law decide what safeguards are or aren't appropriate, we'd be using 3DES and MD5 to this day, because that's what the law says.
We've seen what the EU does when it tries to lay down more concrete rules: they're trying to force the EU to manage certificate authorities for browsers, which is obviously a terrible idea. Crap like that is why we need vague laws.
Indeed - if you log client IP, it is subject to GDPR.
Uncharitably, it's a way for the government to arbitrarily prosecute anyone they please.
But yeah, the result is too complicated to be effectively enforced, sadly. So further reform is needed.
After reading the abstract, it seems the authors try to classify cookies using a special browser extension called "CookieBlock" [1]. I hope they are successful, because I hate being tracked on the internet.
[1]https://github.com/dibollinger/CookieBlock
That's about the only non-malicious reason I can think of.
Whatever it's doing can simply be done in the background, it doesn't even require UI.
The whole point of the charade of "asking" is to get people to
1) Just say yes
2) Complain to their government about it
In the case of opt-out the only single thing that has to happen is setting a local cookie and closing the modal window, which are things that also happen when you accept.
But opt-out should not set anything. I don't know what you mean by "local cookie", a cookie is always sent over the wire by HTTP. If you mean saving to LocalStorage, then I don't think that's allowed either.
It is allowed for this case.
You must save a cookie (or a localStorage value) with the user preferences to avoid showing the cookie banner again. Simplifying: cookies are fine under GDPR as long as they don't carry PII (Personal Identifiable Information). You don't have to ask for consent to store those. They're called "Strictly necessary cookies" in GDPR lingo. (And, of course you can't use any of those to track, though. Intent matters.)
And you can save cookies using a Javascript API. That doesn't involve HTTP requests. The cookie will be sent to the server in future requests, though.
Hm... I suppose so, but negligibly. Setting cookies takes milliseconds, so there shouldn't be a significant difference from a user's perspective.
> No cookies should have been set until the user accepts.
That's not accurate. A number of different types of cookies can be set without consent, generally described as 'strictly necessary' cookies - these include cookies that are required for core functionality of the site, or those required to perform a service expressly requested by the user.
> But opt-out should not set anything.
It's a good practice to record the opt-out (or, that user has not opted in). This can be done as a cookie or using Local Storage. This allows you to do things such as only load third party embeds if the user has opted in, giving the 'opted out' user the option to conditionally opt-in for specific embeds without inconveniencing the 'opted in' user. As far as I understand, current thinking is that this type of preference being recorded falls within the scope of 'strictly necessary'.
> I don't know what you mean by "local cookie", a cookie is always sent over the wire by HTTP.
That's not necessarily true. It is possible to use JavaScript to set and read cookies as a sort of local storage. It's definitely not what cookies were invented for, but technically it can be done.
> If you mean saving to LocalStorage, then I don't think that's allowed either.
GDPR does not care about the method of storage, so if you're allowed to store a cookie, you're allowed to set something in Local Storage (and vice versa).
When you accept third-party cookies in a website, additional scripts can be loaded and additional data can be sent to their backends. In the case of providers like TrustArc, etc, consent data is often sent to those third-party after consent is given.
It is of course possible to defer this in the name of user friendliness, which is what TrustArc, etc, tend to do, but only when there is consent.
I think being able to go after the enablers and profiteers would make enforcement much easier.
An officially maintained list of legal/illegal libraries and services could help website owners to chose a known legal solution. Right now it's hard to expect website owners 'do the right thing' when there's so much contradictory information out there.
The EU is finally going after them: https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-breach...
I do hope they get sued out of existence
Which are all illegal.
The wheels of justice turn slowly, but grind exceedingly fine.
And you can help: if you find an annoying pop up, file a complaint with your local data protection agency.
Not sure if this is because i'm in the states, but 'manage settings' has a 'reject all' button for me[0] and it seems to work.
0: https://i.judge.sh/0vCJB/q_nQ34wtjO.png
Keeping the information for a reasonable amount of time for security or fraud-detection purposes would definitely fall under legitimate interest.
I really don't see any bad outcome happening from doing the reasonable thing. Enforcement is near non-existent (Google and Facebook are still around after all), and when it does happen it still very much skews towards assuming good faith (even when it shouldn't) so you'll definitely be fine even if you get it wrong in which case you'll just be given guidance on how to do better.
> Keeping the information for a reasonable amount of time for security or fraud-
> detection purposes would definitely fall under legitimate interest.
Yes, but not being allowed to collect the data at all is not the only way you can fall foul of GDPR compliance.
E.g. you also have to give the data subjects processes for getting info about what data you have on them, getting it corrected if they want to, getting it deleted if they want to. Those are tied to mandatory maximum response times. You have to have a data processing register that the regulator can ask you to show them. You have to have co-controller or subcontractor agreements in place if third parties get to see the data in any way. -- There's a host of things you have to do.
Nobody is going to do that for web server logs unless you associate them with user accounts. If it happens once because someone wants to joke around, you can handle it as a one-off. You could also decline unless they can provide a letter from their ISP certifying that the provided IP address is static and has been assigned to them for the requested timeframe, both as a way to verify the legitimacy of the requestor as well as to deter such obviously-malicious requests.
> getting it corrected if they want to
It's web server logs - those are generated automatically based on incoming request data; there's nothing to "correct" there.
> getting it deleted if they want to
Up to you how you want to handle this (this depends on whether you need those logs). If you're keeping them for legitimate interest for a certain period of time, you can just refuse, and you can obviously refuse as above until they go through a (admin-intensive) process of actually proving they have owned this IP address for the requested timeframe.
A Policy note is standard for most sites. An email address or form where users can request their data isn't possible for web logs storing IP alone. So long as the analysis window for the logs is shorter than the max response time to data requests, you can always autorespond at the end of the response time window saying "Thanks for your request on date D. We have no data stored for you from date D and earlier". Which would be true since the logs are then already flushed out. The paperwork if there is zero real per-user data, zero third parties/subcontractors etc. will be pretty minimal (thankfully).
This is of course assuming 2 things: 1) that you can do all your log analysis in a very short window and 2) that you can do it in house and won't send it to a third party.
It's not automatically non-compliant, of course, but you might have to clear some legal hurdles to make it so.
It's the ePrivacy Directive[0] that deals with cookies (or, rather, "[storing] information or to gain[ing] access to information stored in the terminal equipment of a subscriber or user"). This is a law that pre-dates the GDPR.
If you can't get that right, frankly I question whether anything you write on the subject is correct.
[0] Directive 2002/58/processing of personal data and the protection of privacy in the electronic communications sector - https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A...
If you are not storing data on your users machines or just do so for legitimate purposes, you should not have a need to ask for a users consent and thus don't have any need a cookie banner.
The issue here is, that many people running websites just don't know what they are storing and how. Just slapping a cookie banner on that bad boy and calling it a day won't work either, because you have to list the purposes of these cookies. If you don't know why your weird wordpress template loads a cookie, maybe it is time to change it (or alternatively: change your profession).
This is outdated.
The relevant bit about consent and cookies was added in 2009, with directive 2009/136 modifying article 5(3) of directive 2002/58.
So all you're saying about legitimate interests etc. is wrong since 2011 (2009+2 years allowing for Member States implementation in national law)
Method of data storage isn't really specified, but that's why it's General Data Protection Compliance.
Now if a hidden 30 page long legal document that no one can read is consent then I have this bridge I want to sell. It is totally legit.
While GDPR did raise the threshold of valid consent, the interpretation before the GDPR was nowhere near what you describe here.
There are authority guidelines and sanctions predating the GDPR on this.
I have also talked personally with politicians who was involved with the work of writing GDPR, and the people who wrote the ePrivacy Directive has reportedly said that lawyers interpretation of consent was beyond the imagination of the original intent of the directive, which is why GDPR now require freely given informed consent in contrast to the old consent.
(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
GDPR regulates collection and storage of personal data. Cookies are a means of collection and storage of such data. GDPR does not need to mention cookies specifically.
The ePrivacy Directive regulates public networks (cf. publicly accessible networks) and public electronic comminications services, e.g., e-mail, telephone, messaging. Many "tech" companies arguably fall outside that scope because their primary purpose is arguably not communications. GDPR, OTOH, is much more broad in scope and most would agree it regulates websites and "tech" companies.
The ePrivacy Directive addresses cookies specifically in Article 5(3). This "cookie rule" was not in the original regulation. It was added in 2009. The sudden increase in cookie consent requests on websites recently, and the subject of this Usenix presentation abstract, are probably not a response to the ePrivacy Directive.
The ePrivacy Directive is soon going to be replaced with something more up-to-date, with broader scope. Until that new regulation comes into force, there are obvious reasons why the Usenix authors would cite GDPR and not the ePrivacy Directive.
I disagree, but it's a matter of semantics. I think we can agree that the operational part of the GDPR, the part that has legal force, doesn't mention cookies. Or storing/accessing information on the the terminal equipment of a user if you want to use that definition.
>GDPR regulates collection and storage of personal data. Cookies are a means of collection and storage of such data. GDPR does not need to mention cookies specifically.
But cookies can contain data that are not personal data, and those cookies require consent under the ePrivacy Directive.
And absent the ePD cookies wouldn't need consent (unless that was the legal basis being relied upon under the GDPR).
>The ePrivacy Directive addresses cookies specifically in Article 5(3). This "cookie rule" was not in the original regulation. It was added in 2009. The sudden increase in cookie consent requests on websites recently, and the subject of this Usenix presentation abstract, are probably not a response to the ePrivacy Directive.
No argument from me that the ePD has been (and is constantly being) ignored. And yes, the reason for the sudden increase in consent banners is because of the GDPR, for two reasons:
1) The ePD (as amended) referenced the Data Protection Directive which was replaced by the GDPR, and hence the definition of consent changed. But that still doesn't make violation of the ePD a violation of the GDPR.
2) The GDPR was very well publicised. That meant that people who had no idea what the hell all of this meant, and they first saw the requirements of the ePD at the same time as the GDPR (even though they should have been well aware of it already).
>The ePrivacy Directive is soon going to be replaced with something more up-to-date, with broader scope.
For some value of "soon". They've been promising that for six(!) years now. Hopefully the next round of trialogue (on the 31st March) will get it across the line.
Now Google sent me an email that they want me to gather user consent before showing Adsense. They offer an automatic consent modal. But the problem with that one is that it not only displays the consent modal but also injects a smaller widget into the site. It looks like the widget only pops up when the user scrolls down to the bottom of the page. Unfortunately, that also makes it pop up when the page is not longer than the screen. So pages where the content fits on the screen behave really really shitty. Maybe that is the reason why I have never seen it used anywhere.
And of course loading the consent script from Google before getting consent is not in line with GDPR in the first place.
Other consent solutions I see around the web are heavy third party widgets that do a lot of complicated stuff. And because they are third party scripts, they are also not in line with the GDPR.
I have not found any indie developers who have implemented their own consent solution. And as far as I understand it, Google has no communication channel. They just threaten to kick you off Adsense. So all I can do is implement my own solution and wait if it happens or not.
I started to implement my own consent banner now. Not sure if I will get it right so that it pleases Google.
I fear that this whole GDPR thing might be the end of my website.
Only if Google uses that information whatsoever. They'd be on the hook if they run afoul of GDPR by collecting information when it's obtained before consent happens, and I'm sure the enforcement agency isn't going to fault the web admin for taking Google's word on compliance.
That said, EU is now finally going after the trackers: https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-breach...
It doesn't help that the GDPR is only really simple if you don't abuse personal data. It will obviously become very complex when you're hoping to find loopholes do something that the GDPR was fundamentally designed to outlaw, and it just so happens that a large chunk of this site makes their money from this.
It doesn't take a genius to figure out:
Who's to blame is irrelevant. Users don't care and the effects are real whether it is put on directly by companies as an indirect result of GDPR.The main problem however is the lack of enforcement though. None of these "cookie banners" comply with the GDPR, yet are allowed to proliferate because nobody is cracking down on them, so they're a form of pseudo-compliance that is very effective at swaying public opinion against the GDPR.
I'm not sure how helpful this criterion is; there exists a large gray area in what people consider to be "abuse". For instance, suppose that an EU-based business hotlinks an image from a U.S.-based website (or a website hosted on a U.S. CDN, or a website operated by a business owned by a U.S. corporation). Then that business is at risk of being fined, since it has no way of proving that the target website does not log IP addresses (e.g., for some DoS-protection suite), and if it does, the U.S. government could gain access to those IP addresses, which are defined as protected personal information.
In this scenario, the EU-based business isn't necessarily doing anything nefarious like selling data to advertisers, and it could even be refraining from storing any data at all. Likewise, a U.S.-based website that stores only connection logs isn't necessarily doing nefarious things with those. But the former business is still at risk of being fined, since IP addresses have been placed under the umbrella of protected personal information.
In the discussion a while back of the Google IP-address fine, I saw two talking points come up repeatedly: that there would have been no issue if Google weren't doing nefarious tracking of IP addresses, and that the EU operator must have known that IP addresses are radioactive to store or transmit but chose to do so anyway. AFAICT, the first is inaccurate, since any persistent storage of IP addresses by U.S. operators is problematic. And the second, I think, illustrates the real tension here: between privacy maximalists who prefer the least possible amount of data to be stored in all circumstances, regardless of the cost, and everyday server operators who fear that using the default settings on their software or using seemingly-trivial functionality could be introducing legal liability.
I'm still not sure myself about the relative merits of the two viewpoints, but much more could be done to assist the latter group in following best practices, instead of immediately demonizing them as nefarious loophole finders. (Not to say that nefarious operators don't exist, of course, but I suspect that their prevelance is very easily overstated.)
Otherwise, you need consent.
However, if it's doing double-duty and is also being used to track users (or to speak technically: if it can be considered PII by GDPR), then you need consent before using it for the tracking part.
GDPR doesn't apply for cookies, btw, it applies for any personal data. Someone above used "information stored using fridge magnets" as an example.
We're experimenting with blocking cookie notices by default in Nightly. There's webcompat risk - some websites just break if you block the cookie notice. "Works on 90% of websites" is just not good enough when deploying to 50 million Web users.
The first company wanted to do it "right". So we enabled opt-out by default for all cookies. Which requires setting an anonymized master cookie to check everytime we load a webpage to see if we are allowed to set other cookies. And since IP-detection was not allowed, we did it for all website visitors. And because we have to remember your settings, we had to create a seperate anonymized database outside of our normal website.
And the website broke ALL THE TIME. Product configurators, shopping carts, forms, downtime detection - all this stuff relied on cookies. And for several months the web team had a constant nightmare of customer complaints about broken stuff.
In the first year we ended up spending close to $250k on legal advice from European lawyers, and most of the advice boiled down to "you're not going to get in trouble if you just do what everyone else is doing". Seriously.
Since then it's gotten better - most third party vendors have done a better job of offering anonymized cookie versions of their products. Or there is just more industry guidance available on what kind of cookies can be considered sufficiently anonymous.
For people who claim GDPR compliance is clear and straightforward - I can't believe they actually have much experience working in Privacy. Actual implementation gets... very opaque. Especially when the law says it's illegal to deny service based on their cookie preference, but some services are literally impossible to provide without a cookie of some form.
Like Neo being unplugged out of the Matrix.
It takes a while to learn to respect privacy when all you knew was information = ads = $$$.
You seem to be under a misapprehension about what GDPR is about. It is not about cookies, it's about PII.
What? No. That's backwards.
The ePrivacy Directive referenced the Data Protection Directive. The GDPR replaced the DPD, and references to the DPD are now references to the GDPR.
That's really not the same as saying the ePD is "included in the same piece of GDPR legislation".
>And when people talk about GDPR they are talking about both.
And those people are wrong.
The problem here is that companies have an ingrained culture of taking the easy route and just grabbing all the data they can without regard to privacy, which now comes back to bite them.
The comments about cookies not being part of GDPR are grossly wrong. One of the early discussions in the privacy law community was how to handle the collision of the new consent requirements under GDPR with the fact that the ePrivacy Directive requires consent for cookies. Prior to GDPR, a large number of EU jurisdictions allowed for implicit consent through a variety of actions, like scrolling a page, or non-actions, like seeing a banner and not clicking "no". GDPR redefined consent and that's why cookie banners pop up.
To put it in other words, if we used the same definition of consent in any other legal contexts that also require freely given informed consent, would the legal system still function?
To clarify what others are saying here - it is illegal under GDPR to deny service based on people opting out of providing PII in the cases where that PII is not needed for providing the service, not for refusing to accept cookies (although, sure, there can be some relation between these things).
If for example you were providing a service where you sent someone emails on their birthday with autogenerated Love from your AI Momma messages it would not be illegal for you to refuse to provide them access to your service if they opted out of you storing their email and birthday, because those two pieces of PII are needed for the service to work.
That said, most services do not need to store any PII for any length of time to work. Thus if a service says you can't read our medical advice column unless you allow us to store all this stuff we just hoovered up from your browser forever, that would be illegal. Because they don't need any of that stuff to show you the article they already have written and ready to go.
The best is they claim (falsely) that you don't actually have to pop-up the consent dialogs. Not really true on almost any actual website that does anything anyone wants.
Yes? Are you saying that when people reject your cookie consent, you block the cookies that are fundamental to your product? Why would you do that?
You don't have to ask for consent or permissions for data that is strictly required for the functionality of your website. You're still responsible for keeping PII data safe etc., of course.
basically, you created those problems for yourslef, and now blame the law.
> For people who claim GDPR compliance is clear and straightforward - I can't believe they actually have much experience working in Privacy.
It is very straightforward when it comes to the use cases you described.
> Actual implementation gets... very opaque.
That's your problem, not the law's problem. Ask only for data you strictly need. Keep safe. Do not share with/sell to third parties.
This was true for years before GDPR, and the only reason everyone found it "so hard" is that everyone, including you and your corporate sites, didn't give two craps about users' privacy.
Because it doesn't.
There are six legal bases for processing personal data in in Article 6 of the GDPR.
Consent is the first one, but the second one listed (paragraph (b)) is that the "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".
That covers your payment case.
No added work for website developers, no lawyers required, no dark patterns. Common icons and warnings the user can recognize easily because they would be the same for every website.
What is standing in the way is corporations considering it more profitable to hassle their users with antipattern-laden popups than to follow the spirit (and, ostensibly, letter) of the law.
1. GDPR isn't just about browsers
2. Those "consent" popups are mostly illegal under GDPR. They are often provided by companies whose entire business is dark patterns. Thankfully, the EU is going after them, too: https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-breach...
Semi-related: my understanding is that it's impossible for American hosting companies to comply with GDPR (due to the CLOUD act).
If that's the case, and you're American/using an American host, is there any point in even trying to comply?
It's the user-friendly option. Respect your users. Get consent for tracking.
[0]https://addons.mozilla.org/en-US/firefox/addon/stardust-cook...