Tell HN: Common Misconceptions About Cookies and Consent

49 points by Rygian ↗ HN
After participating in a few past discussions in HN, I have noticed many comments whose main argument is developed upon one or several of the following misconceptions. Disclaimer: I am an EU citizen.

Misconception: "The browser decides to send cookies." Wrong: A browser, or user-agent in general, will never invent a cookie out of thin air, and therefore it never sends a cookie unless it has been set by the webserver beforehand (either with an HTTP header 'Cookie' or with JavaScript code). [1]

Misconception: "Consent forms are mandatory for all cookies." Wrong: Cookies that are essential for the proper functioning of the website (e.g. supporting a login session) do not need any consent form, and can be set silently. [2]

Misconception: "Consent forms are mandatory _just_ for cookies." Wrong: User consent must be obtained for any kind of processing of the user's personal information (where no other lawful basis exists for the processing), no matter what technical solution achieves that processing. Example: A tracking pixel needs the same consent form as a tracking cookie. [3]

Misconception: "By browsing this site, you implicitly accept tracking cookies." Wrong: Consent must be opt-in, informed, freely given. If it's not freely given, it is not consent. Also, the user must be able to revoke consent just as easily as consent was given. [3]

Misconception: "If a user doesn't like cookies, they can just disable them in their browser." Wrong: Some cookies may be essential for proper functioning of websites. Browsers cannot technically propose any means to disable only non-essential cookies, that's outright impossible. The only entity capable of deciding if a cookie is essential or not is the website that sets the cookie. [2]

Misconception: "Marketing or tracking cookies can be disabled: just disallow third-party cookies." Wrong: marketing or tracking cookies can also be set by the first-party, ie. the website being visited. Example: Google Analytics. [4]

Misconception: "Cookies are morally justified because the webmaster has to cover the cost of running the website." I disagree: that reasoning is only valid for not-for-profit websites. If the webmaster struggles to cover the cost of running the website and cannot find a legitimate source of income, they are welcome to shut it down. No website is entitled to make money off of non-consenting visitors. "Staying afloat" is not a right of the webmaster, it is a privilege.

Cheers!

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

[2] https://www.cookieyes.com/blog/cookie-consent-exemption-for-strictly-necessary-cookies/

[3] https://blog.chino.io/gdpr-compliant-consent-tracking/

[4] https://www.optimizesmart.com/google-analytics-cookies-ultimate-guide/

21 comments

[ 3.2 ms ] story [ 59.5 ms ] thread
I also see this with emails too. I’ve had managers ask me to “just email everyone, even if they’ve opted out. This is important!”

Then I spend a few minutes explaining how laws work, spam traps, and most importantly, consent.

Could you expand on your response to them for those of us who are unsure of how to diplomatically push back on something like this?
"It is illegal in the EU (GDPR) and US (CANSPAM) to send promotional email to people who have opted out."
unfortuantely lots of messages are not marketing and in some cases companies have legal duties to send them. My German bank insists on notifying me that I have a message. They can’t send the actual message (for security reasons), and I can’t opt out because they have a duty to inform me. Infuriating but seems to fall within the legal framework :(
You should still be able to opt out, then they should have to send a letter. Unless of course the law says “email”
I tried but to no avail. My German is very basic which makes things even harder. From what I recall they have a legal duty to notify me, and email is an acceptable form of notification, and that’s about it. I ended up using a unique email address and then let it bounce, but not sure it’s the wisest thing(?). I don’t actually need any emails from my bank, so thought it was an ok solution, but not great.
I’ve found the easiest way to push back is to explain the very real risk of getting blacklisted. In the US, the law is basically inconsequential because there’s no private right of action (an individual can’t sue you for spamming them).
I think it would be better to say "No, that's illegal."

By volunteering explanations it's as if the onus is on you to convince the manager not to do the illegal thing with doing it being the default.

Nice to see this clearly spelled out.
> "By browsing this site, you implicitly accept tracking cookies."

I understand it's wrong, but as a user, it seems like the website is saying "We don't care about your consent, we gonna track you anyways". Is there another way to deny this apart from not accepting cookies, blocking javascript and closing the site the moment I see this message? Is this solution I described even effective?

I'm being a bit pedantic but

> Misconception: "The browser decides to send cookies."

> Wrong: A browser, or user-agent in general, will never invent a cookie out of thin air, and therefore it never sends a cookie unless it has been set by the webserver beforehand (either with an HTTP header 'Cookie' or with JavaScript code).

These statements are not mutually exclusive and are in fact both true. Browser would not "invent a cookie out of thin air", but it also "decides" to send a particular cookie and there are various configs, switches and decisions (either directly in browser code or extension) which determine if cookie gets sent.

Other misconception answers sound right to me.

Yes, a browser decides to echo or not a cookie set by the website.
Something I’ve wondered: Since website access is a pull (client initiated) action, can you straight up decline a visitor if you aren’t allowed to track and capitalize on them?

I have run ad supported services in the past, and I could easily see how non-identifiable traffic might actually have less than a zero value to my operation (as in, they’re costing me money to service).

The biggest difference between a spam e-mail and website access is the client is actually making the request, the website isn’t pushing itself on you.

Officially, you can't, though this has yet to be litigated. Some newspapers are taking the gamble and offer either to opt-in to tracking or to pay.
The GDPR's cookie consent requirement is one of the dumbest, most annoying things to happen to the web since its inception. Nothing like out-of-touch burecrats 'just trying to help' to make thing worse.
it’s mostly the ePrivacy directive, and it’s not dumb. It’s meant to protect your privacy if followed. Lots of companies however don’t actually follow it, and use dumb and misleading popups meant to trick you and cause you to agree out of fatigue and lazyness. If they don’t track you, there’s no need for popups of any kind. It’s entirely on them, not on the law.

edit: I didn’t downvote you, but thought it’s worth responding.

Myth 1: as long as there's a way to opt out, it's ok.

Truth 1: opting out has to be exactly as easy (or easier) then opting in. The buttons have to be the same prominence and equally accessible, so having to click through is illegal, as is de-emphasising the opt out button in any way.

Myth 2: People who use illegal banners don't know this.

> Misconception: "If a user doesn't like cookies, they can just disable them in their browser." Wrong: Some cookies may be essential for proper functioning of websites.

We're very much splitting hairs here, but I think your "wrong" is a very subjective statement that's possible to argue with. A user can always disable cookies as it is their machine: this part of the statement is in fact true.

The fact that a site may then break in unknown ways or might continue to function perfectly is an important detail, but it doesn't mean that people can't do it. There's some users that currently browse websites with JavaScript disabled by default, even though the modern web basically depends on it and even highly trafficked sites break in unexpected ways.

> Browsers cannot technically propose any means to disable only non-essential cookies, that's outright impossible. The only entity capable of deciding if a cookie is essential or not is the website that sets the cookie.

I'm not 100% sure if this is entirely accurate either now, or will be so in the near future. I'm not an expert in this field, but apparently there's a lot of research going into figuring out how to prevent tracking cookies from doing damage and extraneous API calls without breaking websites. Here's one example I've heard of.

https://brave.com/privacy-updates/12-sugarcoat/

To clarify, I'm using the word "user" in a large sense. It includes family members around me, for whom the mere notion of "cookie" is already a mystery, and who use routinely websites with technically essential cookies.

Thanks for sharing about sugarcoat, it's an interesting development I was not aware of.