Tell HN: Common Misconceptions About Cookies and Consent
Misconception: "The browser decides to send cookies." Wrong: A browser, or user-agent in general, will never invent a cookie out of thin air, and therefore it never sends a cookie unless it has been set by the webserver beforehand (either with an HTTP header 'Cookie' or with JavaScript code). [1]
Misconception: "Consent forms are mandatory for all cookies." Wrong: Cookies that are essential for the proper functioning of the website (e.g. supporting a login session) do not need any consent form, and can be set silently. [2]
Misconception: "Consent forms are mandatory _just_ for cookies." Wrong: User consent must be obtained for any kind of processing of the user's personal information (where no other lawful basis exists for the processing), no matter what technical solution achieves that processing. Example: A tracking pixel needs the same consent form as a tracking cookie. [3]
Misconception: "By browsing this site, you implicitly accept tracking cookies." Wrong: Consent must be opt-in, informed, freely given. If it's not freely given, it is not consent. Also, the user must be able to revoke consent just as easily as consent was given. [3]
Misconception: "If a user doesn't like cookies, they can just disable them in their browser." Wrong: Some cookies may be essential for proper functioning of websites. Browsers cannot technically propose any means to disable only non-essential cookies, that's outright impossible. The only entity capable of deciding if a cookie is essential or not is the website that sets the cookie. [2]
Misconception: "Marketing or tracking cookies can be disabled: just disallow third-party cookies." Wrong: marketing or tracking cookies can also be set by the first-party, ie. the website being visited. Example: Google Analytics. [4]
Misconception: "Cookies are morally justified because the webmaster has to cover the cost of running the website." I disagree: that reasoning is only valid for not-for-profit websites. If the webmaster struggles to cover the cost of running the website and cannot find a legitimate source of income, they are welcome to shut it down. No website is entitled to make money off of non-consenting visitors. "Staying afloat" is not a right of the webmaster, it is a privilege.
Cheers!
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
[2] https://www.cookieyes.com/blog/cookie-consent-exemption-for-strictly-necessary-cookies/
[3] https://blog.chino.io/gdpr-compliant-consent-tracking/
[4] https://www.optimizesmart.com/google-analytics-cookies-ultimate-guide/
21 comments
[ 3.2 ms ] story [ 59.5 ms ] threadThen I spend a few minutes explaining how laws work, spam traps, and most importantly, consent.
By volunteering explanations it's as if the onus is on you to convince the manager not to do the illegal thing with doing it being the default.
I understand it's wrong, but as a user, it seems like the website is saying "We don't care about your consent, we gonna track you anyways". Is there another way to deny this apart from not accepting cookies, blocking javascript and closing the site the moment I see this message? Is this solution I described even effective?
> Misconception: "The browser decides to send cookies."
> Wrong: A browser, or user-agent in general, will never invent a cookie out of thin air, and therefore it never sends a cookie unless it has been set by the webserver beforehand (either with an HTTP header 'Cookie' or with JavaScript code).
These statements are not mutually exclusive and are in fact both true. Browser would not "invent a cookie out of thin air", but it also "decides" to send a particular cookie and there are various configs, switches and decisions (either directly in browser code or extension) which determine if cookie gets sent.
Other misconception answers sound right to me.
I have run ad supported services in the past, and I could easily see how non-identifiable traffic might actually have less than a zero value to my operation (as in, they’re costing me money to service).
The biggest difference between a spam e-mail and website access is the client is actually making the request, the website isn’t pushing itself on you.
edit: I didn’t downvote you, but thought it’s worth responding.
https://lee-phillips.org/nomorecookiewarnings/
Truth 1: opting out has to be exactly as easy (or easier) then opting in. The buttons have to be the same prominence and equally accessible, so having to click through is illegal, as is de-emphasising the opt out button in any way.
Myth 2: People who use illegal banners don't know this.
We're very much splitting hairs here, but I think your "wrong" is a very subjective statement that's possible to argue with. A user can always disable cookies as it is their machine: this part of the statement is in fact true.
The fact that a site may then break in unknown ways or might continue to function perfectly is an important detail, but it doesn't mean that people can't do it. There's some users that currently browse websites with JavaScript disabled by default, even though the modern web basically depends on it and even highly trafficked sites break in unexpected ways.
> Browsers cannot technically propose any means to disable only non-essential cookies, that's outright impossible. The only entity capable of deciding if a cookie is essential or not is the website that sets the cookie.
I'm not 100% sure if this is entirely accurate either now, or will be so in the near future. I'm not an expert in this field, but apparently there's a lot of research going into figuring out how to prevent tracking cookies from doing damage and extraneous API calls without breaking websites. Here's one example I've heard of.
https://brave.com/privacy-updates/12-sugarcoat/
Thanks for sharing about sugarcoat, it's an interesting development I was not aware of.