What could you possibly mean? Government made it so much better. How else would you know that the cookies (you're going to consent to anyway) are being put on your computer?
It’s also not what EU law requires. All the many websites that make it easier for people in the EU to accept the tracking than to decline it, as common as that pattern is, are non-compliant. Under-enforcement of these rules is sadly the norm. Compliant websites, such as that of the European Commission, don’t make it any harder to dismiss the dialog by accepting only essential cookies than by accepting all of them.
I agree with you that the non-compliant approach teaches a bad security practice to the general population. The fix is better enforcement of existing law, without a new law actually being needed except possibly a better procedure for more effective enforcement.
Unfortunately, achieving that is hard for political reasons. The EU’s politicians, and therefore the data protection authorities whom they oversee, care mostly about seeming to protect privacy, whatever the reality, and don’t want to deal with the economic + lobbying + PR + political donation + therefore electoral consequences of routinely taking proper and timely action. This is especially true for some of the most regulatorily captured data protection authorities in the EU, such as Ireland’s.
So you’re a company with a web property. Your lawyers tell you you have two options:
1. Ensure that you’re perfectly abiding by all “legit purposes” and be prepared to update your policies and software each time those change, at the risk of huge fines. Or,
2. Just put an annoying banner up and have no risk.
Which do you do?
Government created this problem. Yes, it was in response to bad behavior from industry, but that doesn’t absolve the bureaucrats from responsibility for the results of their “solution”. If someone lights your kitchen on fire and the fire department’s response is to burn down the entire house, there is plenty of blame to go around.
This is nonsense. You can't just put any kind of cookie banner up and magically be in compliance. You'd still have to explain what kind of data is being shared with with parties and why. And you have to update your privacy policy to keep it accurate in any case!
In fact, many of the websites that have these obnoxious cookie banners are NOT in compliance because don't offer a simple and unambiguous opt-out option.
These cookie banners and cookie popups are intentionally made to be maximally annoying. That's not good faith behavior by companies. That's malicious and an attempt to get consumers to blame regulators for breaking their browsing experience. The worst thing is that some people totally fall for it!
If these are the two options your lawyers give you, fire them, because they are lazy shit bags.
All you need to do is not store cookies. That's it. It's not difficult at all. If you do want to cover your ass and use a consent dialog, there's a million options that are non-disruptive to your users and allow them to one click opt out.
The banners usually don't provide you with an all-or-nothing approach. Choice is usually between reject everything *except essential*, accept everything, or something in between.
That means the analysis for point 1 has been made. They know exactly which cookies need consent.
2 doesn't work since you actually have to list what you use the data for and keep that list up to date. You think large companies like Google didn't already try that?
> Which do you do?
Given that 2 goes out of its way to violate the law and make your users miserable I would suggest 1. But that is just the opinion of a non lawyer.
Is there anyone who actually consents for any other reason than the consent button being either to click than more options? Would we accept this kind of behavioural tracking in real life? Of course not.
Just ban tracking for advertising purposes entirely, or at the last least mandate that sites respect the do not track header and require browser manufacturers implement it as opt-in.
>Is there anyone who actually consents for any other reason than the consent button being either to click than more options?
If the "reject all" button isn't as easy to click as the "accept all" button, then the popup is illegal. The big players have all been forced into compliance, but there's a long tail of publishers who are chancing their arm on the assumption that the regulators don't have the resources to deal with everyone. That's probably a reasonable assumption in the short term, but the EU are playing the long game.
> If the "reject all" button isn't as easy to click as the "accept all" button, then the popup is illegal
You should watch the video in the linked article. The options are accept all and "customize". I'd be willing to bet a lot of money that accepting is one click and rejecting is more than one
That's what they say, but even government websites do the same thing.
Anyway, my point wasn't so much about the pop up itself but rather that if you make it easy to reject, then everyone will reject. So what's the point of allowing it? It's like having a cashier asking everyone "would you like to get kicked in the balls?" with the hope that someone misunderstands, and then they get to kick them in the balls.
It may be annoying, but just the possibility of opting out of some of them is already something against the rising tide of taking control away from the user.
Is it the perfect system? No. Is it better than no system at all. I think so.
And it is not like companies could have chosen a better approach.. like default opt-out, or remember that one thing, or respect a DNT. There would have been some options to comply with the law, but there was only one that still allows companies to grab most of the data and at the same time get people annoyed about the attempt to reasonable legislation (which certainly could be improved, like just go a DNT approach, but companies went immediately rampant on that for the same reasons..)
But big corps know what they wanted and do and lead the rest of the pack..
People with anti-GDPR views appear to assume that like them, everybody else also just wants to accept every cookie. But that is not true. And the interface affects how users respond, too. For example:
Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually
And it’s so easy, with the choice of one button to make things work like they always did, or a quick sixteen-part questionnaire and identity verification process if you want to submit a request to be considered for an alternative cookie delivery experience.
In my personal experience, people who hate the GDPR are typically not EU citizens. I am an EU citizen and I strongly approve of GDPR. Is it perfect? No. Is it a step in the right direction? Yes.
Do you also approve of surveillance states that a lot of EU countries are? Do you approve of push to end encrypted messaging? Do you approve of impossibility of getting an anonymous SIM card?
And the EU is the only thing that consistently fights countries that try to spy on their citizens. I'm in Denmark and the government flat out refuse to stop tracking people via the cell phone network. The EU is pretty much the only organization that cares and tries to stop it (hard to actually stop it when the local government just ignores every ruling from the EU on the subject).
I don't consent to them. If websites are making it hard not to consent, then they are in violation of the GDPR.
Stop blaming the government for something private companies are doing to you. All the government did was require them to be honest about it.
Maybe the EU should be more aggressive with GDPR, and start fining these companies out of existence for not being 100% compliant. That would put a stop to the maze of dark patterns pretty quickly. Either every shitty company would go bankrupt overnight, or they would learn how to make very simple "yes cookies" and "no cookies" buttons.
i liked how the reddit popup had nothing to do with cookie consent and the second site didnt have any popups at all - author could have cherry picked a bad example but for some reason gave us this?
No mention of the dramatic difference between certain news websites not having intrusive pop ups due to GDPR. Which should be mentioned any time this debate pops up.
Well, it‘s fairer than cherry picking the most outrageous examples. Though I wonder if he didn‘t get any Reddit cookie banners because he had already accepted them at some point in the past.
It's also a great example as to why the web is as annoying as it is. It sounds like a lot of people here are mad because you called out the EU but realistically your video is a great example of the modern day web and it's awful.
And think, if website operators chose to actually use the DoNotTrack signal from your browser, you wouldn't have such a terrible experience on their websites.
Just a guess, but even people that don't want to be tracked choose the easy "accept everything" button than spending the time to customize the tracking.
If companies DoNotTrack, they will have fewer people opting-in for tracking.
> even people that don't want to be tracked choose the easy "accept everything" button
The design of these consent forms is often so obscure I end up in some menu system with too much information I didn't want, and no hotkeys to go back except leave the website.
Nearly every single cookie pop up I have seen is provided by the exact same third party company. That cookie dialog has an option where you can have a simple "Reject all" button that you can click to reject all "not necessary" cookies and use the website.
It is the website owners fault when they choose not to turn that feature on.
That shouldn't be a "feature" that you can turn on and off; according to the EU regulations, the option must be equally prominent so there should always be a "reject all" button, and it can't be buried or made harder to see than the "accept all" button.
(Leaving aside that sites should just not have these banners, which provides the best user experience. Just delete all the tracking and the banners along with it.)
I usually right click these and choose ublock origin's block element to make it go away. I actually don't know what that means as I never answered the question one way or the other.
Wasn't there an incident where a browser shipped with DoNotTrack enabled by default, and thus the signal didn't actually mean the user explicitly enabled DNT themselves?
It's a real pity. Part of the issue is on browsers at the time were competing for developers, not users. So this feature was largely buried in UIs, its treatment was inconsistent, and browsers never bothered to enforce it.
I feel like a reasonable tweak to GDPR is to require that if a site has an "accept all" button, it needs an equally (or more) prominent "reject non-essential" button.
It's pretty much a requirement already. The website can't make it hard to reject or make it seem like accepting is the only way ahead. Many popular sites had made rejection easier after GDPR complaints (smaller ones often still didn't because nobody cared enough to complain, I guess).
GDPR regs in fact already require exactly this, and all "consent" acquired without one has no legal basis. One or two national regulators have belatedly started to pursue it.
But you know that the problem are we operators - right?
There could be browser configuration for the cookie consent popup (accept, essential, reject all) that websites could follow but now - they prefer to be obnoxious about it hoping that everyone will click "allow" pit of boredom (not to mention that at the beginning it was only visible option and reject was hidden, which was illegal)...
This. It boggles the mind that browser vendors (and standards committee) haven‘t come up with a preferences page for cookie consent. Expose that through JS and/or send it to the server via a HTTP header.
The companies who actually use these cookies don't want that, because everyone would just turn everything off forever. It would probably just kill off tons of analytics companies overnight.
(I wouldn't lament the loss of invasive analytics, but the job losses would be saddening)
It's not the browser vendors (well, save for morons from google) because there is DoNotTrack header but it's not used/enforced. EU could amend the law to include that and it would be AWESOME.
Instead of hating the EU, how about directing your hate towards the bad players of the web? Cookie banners are not the fault of the EU, but the fault of companies disrespecting privacy rights and pushing data collection, ads and all possible shady growth hacking strategies towards the user. I am glad that a government body actually made this possible and made visible how horrible the internet is.
A bad bandaid is still a bad thing, regardless of what it is covering up. Cookies are table stakes on the internet. This is the wrong solution to a completely different problem.
Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
Random example from more than a decade ago: I worked at an online retailer, and we did a nice redesign of our cart page. Looked great, much more readable, but we started losing sales. Did people hate the redesign? It was certainly easier to use and navigate.
Our marketing guy looked at our analytics and saw that there was a massive drop in checkouts from users whose displays were set to 1024x768. He changed his resolution and, sure enough, the 'Checkout' button was something like four pixels below the bottom of the screen, if you were using Internet Explorer or Chrome and you had your browser maximized.
I get that analytics can seem creepy and gross, and stuff like that is 'none of [retailers'] business' to a lot of people, but without those analytics we would have had no idea why we lost those sales, and would have had to simply revert the redesign with no real opportunity to change it.
Doesn't HTTP has an header [0] for this? The user can opt easily in and out. I've just read the specs and find that it's being deprecated. Why? It may not be granular, but I believe anyone opting out of telemetry also does not want marketing tracking.
Yea websites straight up ignore it. Can’t currently find it but there was some wired/verge article detailing what they track of u and they actually mentioned as such too
> The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
> Why is P3P useful?
> P3P uses machine readable descriptions to describe the collection and use of data. Sites implementing such policies make their practises explicit and thus open them to public scrutiny. Browsers can help the user to understand those privacy practises with smart interfaces. Most importantly, Browsers can this way develop a predictable behavior when blocking content like cookies thus giving a real incentive to eCommerce sites to behave in a privacy friendly way. This avoids the current scattering of cookie-blocking behaviors based on individual heuristics imagined by the implementer of the blocking tool which will make the creation of stateful services on the web a pain because the state-retrievel will be unpredictable.
> In some situations, the cookies we use to secure and authenticate your Google Account and store your preferences may be served from a different domain than the website you're visiting. This may happen, for example, if you visit websites with Google +1 buttons.
> Some browsers require third party cookies to use the P3P protocol to state their privacy practices. However, the P3P protocol was not designed with situations like these in mind. As a result, we've inserted a link into our cookies that directs users to a page where they can learn more about the privacy practices associated with these cookies.
> Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
Yes, but the cost of doing that through GA is that a single US megacorp outside EU jurisdiction can reconstruct most users entire browsing history for whatever US intelligence wants to do with it.
> Website analytics can be incredibly useful for designers and developers
I'd have sympathy for these people if they weren't also primarily responsible for the many darkpatterns, traps, and user-hostile aspects of modern interactivity.
The EU allows you to get stuff like 1024x768 without tracking individuals. This metric works just as well in aggregate. You can have metrics without per user id, or with an ephemeral id that evaporates when you leave the site.
> Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
I'll believe that when they don't have a huge banner that's covering a fourth of the page.
> Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
Everyone thinks that but in practice most folks don't have a clue what they're looking at and just use the numbers as a crutch for whatever opinion they already had.
Of course, this problem isn't just a web analytics one.
> Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
And at small small cost of privacy violations and spying on users.
> Our marketing guy looked at our analytics and saw that there was a massive drop in checkouts from users whose displays were set to 1024x768. He changed his resolution and, sure enough, the 'Checkout' button was something like four pixels below the bottom of the screen, if you were using Internet Explorer or Chrome and you had your browser maximized.
Hint: buy the cheapest crappiest laptop you can find. Test your site on it.
Why do you give those retroactive hints as if it is something obvious?
You are clearly confusing the issue here.
No one cares for your smartass solution for the problem - it's obvious enough once you are aware of the problem itself. The issue is tracking the problem in the first place.
Hints like "oh you should have just been totally aware of it in the first place" are plain naive.
Yeah, sorry but some small dev story won't bulge my opinion on this extremely lucrative 1984-esque business. I can come up with tons of similar battle stories for reason X or Y, they are nothing but tiny largely meaningless anecdotes. Also, you could have just spent a tiny bit more on UI testing and discover these rather obvious UI issues.
I'd expect a bit more from smart people who see very well into what kind of society we are going full speed, with no way out once in (if you don't consider going back to caves as a good option, I don't).
Its very fabric of whole society our kids will live in we are talking about here, nothing less. Is pretty clear what directions the biggest corporations are taking, hey are not even trying to hide what's in plain sight. If we common folks don't at least attempt to stop it or steer it in other direction I am worried nobody else ever will.
EU just requires explicit consent for non-table stakes/non-required persistent tracking.
> The commonly seen method of using a checkbox and a simple information note such as “remember me (uses cookies)” next to the submit form would be an appropriate means of gaining consent therefore negating the need to apply an exemption in this case.
If it is 'table stakes', like "remember me" checkbox, you don't need a separate cookie banner
It's not like this is limited to "bad players." It's standard procedure for almost every website. Whether that's good or bad is a separate topic - the point it's not just nefarious people using cookies to watch user behavior. Normal people use this information to make their websites better and create more effective products for people. Which is exactly what people said when this legislation was introduced. So instead of actually fixing anything, they made it worse. Now we're being tracked _and_ we have annoying nags that block content show up on every website, exactly like people said would happen when this legislation was introduced.
It's the same tired nonsense as when regulators try to tax a business that's already operating on thin margins and act surprised when the business passes the cost to their customers instead of eating it.
I'm not upset with the intent of what they were trying to do, which was noble; the upsetting thing is that it was patently obvious their hamfisted implementation would lead to this outcome, and they did it anyway, knowing they could count on people to deflect blame away from them.
It's not as if these companies are kicking in your door and violating your right to privacy. You're accessing their site with a device that is configured to transmit whatever you have it set to.
If you don't want cookies, disable cookies. If you want greater control, go and configure it yourself. Stop forcing your preferences on everyone.
The reality is that outside of a vocal contingent on HN, most people simply do not care. They won't pay a cent for their ad supported services. And I for one hate the endless consent popups and GDPR hoops I have to jump through. As an expat in London, I can't read many local news stories in the US because those sites simply block the traffic instead of trying to comply with a foreign law.
> You're accessing their site with a device that is configured to transmit whatever you have it set to.
This is not how it works.
Me visiting a website does not mean I want that website to send my personal identifiers to hundreds of unknown (both to me and the website operator in question) third parties.
I am using cookies as a catch all term, as many people do. I thought this was well known.
If you don’t want fingerprinting, disable canvas, fonts, or JS entirely. My point is that you are downloading code and then executing it. You have control.
Cookie banners are absolutely the fault of the EU.
Users have always been in control of whether they accept cookies. There have been settings in your browser since (at least) Netscape 3.0. It's only because of dumb EU laws that cookie control has been pushed up into "user space" with these idiotic banners that no one reads.
Our machines always had Cookie Pal [0] installed on them, and it allowed per domain settings for rejecting cookies and control over third party cookies [1].
> Cookie Pal includes the following features:
> Automatically and transparently accepts or rejects cookies from all or specified servers without user interaction.
> Cookies received from unspecified servers can be automatically accepted or rejected without user interaction, or the user can be asked for confirmation.
> "On the fly" adding of servers to the accept from and reject from lists, allows you to manually accept or reject a cookie the first time it is received and then have it automatically accepted or rejected every time it is received thereafter.
It seems like you don't practice what you preach, seeing how Hacker News relies on cookies for authentication.
Besides, GDPR isn't about cookies, it's about what companies are allowed to do with your personal information. Functional cookies don't require consent, abuse of your personal data does.
Enforcement is part of regulation. If the policymakers of the EU put regulation in place without enforcing it promptly and consistently, then it is indeed fair to blame them for this mess.
That ship has sailed. It is now on the end user to protect themselves. These banners are just plain noise. No one is reading them. People will click whatever they need to click to dismiss the dialog. The general computing population does not give a shit, and the ones who do will use privacy-oriented browsers and platforms.
Nothing is written in stone or in stars. Nd there used not to be legislation. And now there's legislation that fights towards user consent, so I don't see how anything has sailed anywhere. It's just a bunch of company code that needs to change, with a quick solution of a multiple-deletion commit as an option in most instances.
I think most of the comments here right now are missing the point of OP's post. It's not about one thing in particular (cookie consent), just that the whole ordeal is full of ads and popups (one of which is the cookie consent popup).
Most of this crap is the same everywhere, not just in the EU.
Thanks, that was my intention (back when I posted it). I added "from EU" just to make it clear—since people would have otherwise said "that's not how it works in the US :p"
Yeah hat EU remark unleashed some emotions a bit, people are (incorrectly) bashing EU for consent popup due to companies tracking (and monetizing) the hell out of their browsing habits
Lately, I've been having developers and designers on my team install each of the three major browsers without plugins and visit five of the "top 10 media sites" (https://www.similarweb.com/top-websites/news-and-media/), plus twitter, facebook and linkedin for a total of two hours so they see what the web looks like for regular users. It doesn't take long for people to realize just how terrible 25 years of accumulated surveillance, advertising and front-end cruft has made the web.
I traveled and I wonder why someone would use Youtube's free tier, There's like an ads every 3 minutes, plus the ones when the video starts (Youtube don't show ads in my country). My Twitch usage has gone down a lot because of 7-8 ads in a row. I would subscribe to the few creators I follow if not for the friction when I want to quickly check another creator's page (give me like at least 15 minutes without ads).
Sure. When they charge a reasonable price for occasional visitors, not the "just the price of a Starbucks coffee per month" subscription that's the SaaS wet dream.
Edit: also, non targeted NON INTRUSIVE ads will do too. Or would have done. If the ad industry wouldn't have burned any shred of credibility they ever had.
Maybe, but by being a paying customer with lots of options (including collective negotiation), you have a lot more leverage to get them to do what you want.
That's a pretty good point. If you want to be critical of the cookie/GDPR popup that's really the route to take. HN, Wikipedia and Github doesn't have any of this non-sense, because they have no incentive to track their users.
I do question the incentive of a number of sites. Reddit technically don't need to track you, they know all they need to based on which subreddit you're currently on. It's mainly sites that have no context to your activities that really need the tracking to attempt to provide ads that makes sense. Maybe having these sites should be financed differently?
That's what the companies make browsing the web in the EU look like nowadays. It's their decision to abuse us - and the law - and it is on them to fix it. If you check the enforcement tracker you can get an idea of what the tip of the iceberg looks like, the data that's lost/sold/leaked. Then take into account that just like with a real iceberg the bulk of the leaks and breaches goes unreported (and probably a large fraction of them goes undetected until the data shows up on some marketplace).
Until the GDPR a lot of this went on anyway, but totally invisible, now at least we have some idea of the magnitude of the problem and companies have an incentive to at least try to get it right. Not that many of them do. People that are categorically against government regulation tend to point at this and say 'see: that's what you get'. But they forget that in the relationship between companies and individuals it is the companies that on balance have the most power and there is ample evidence that this power then gets abused. Hence regulation. I'm all for tightening the rules another notch or two and adding a zero to the average fine. Because there is still a lot of room for improvement.
> That's what the companies make browsing the web in the EU look like nowadays. It's their decision to abuse us - and the law - and it is on them to fix it.
No, it's the EU that mandated those popups - an asinine solution to the tracking problem. The EU gets the blame.
The EU does not mandate popups. The EU mandates consent to be tracked. You could simply not track and then you wouldn't need consent. Or you could do it without a popup.
> The EU does not mandate popups. The EU mandates consent to be tracked.
Same difference. Semantics.
> You could simply not track and then you wouldn't need consent.
Not all tracking is malicious. It's not going to disappear, hence the popups.
As I said, it's an asinine solution. It's as useless as the default browser nonsense. The EU seems to make one of these annoying blunders every decade or so, next one should be coming up.
You have cause and effect mixed up, that's fine by me but you're not helping yourself - or the rest of the world - by doing that. The EU is simply trying to ensure that the rights of its subjects are respected. Companies apparently care more about their bottom line than either the comfort or the rights of those subjects and that is why you have those popups. Note that on my website there are no such popups and yet I'm completely in compliance with the law. Every other website could do the same.
Your beef is misplaced, madam/sir. EU does not mandate any website to store on your computer cookies that require consent. The companies (and individuals, hah) that choose to track you, do so of their own volition.
As an EU citizen, I am actually somewhat delighted that our legislation that attempts to improve privacy is being successfully exported. But similarly to how I find the US exporting their legislation quite loathsome---at least at times---I understand your beef.
It's hard to dynamically figure out if you're an EU citizen or not via the browser. Hence, websites play it "safe" by showing it to pretty much the whole world.
They can't really export it, it's just most big companies have a presence in the EU and don't want to risk it. Plenty of other websites just blacklisted EU IP address space.
Disclaimer: I actually click through the "do not consent" procedure, which tells a lot about what I'm about to say.
When the EU regulation came up, I was shocked that a single article was being shared with 100+ "partners". I knew it was bad, but I didn't know it was that bad. At least now I get the choice to opt-out. Sidenote: Google got fined for that pop-up because it should have a "do not accept" option [1].
Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back. Do you want to blame the EU for not anticipating that companies would act maliciously? Sounds fair to me. But don't let the companies off the hook for acting maliciously!
I would like an option for those of us who don’t care and click whatever button have brighter color. Like a default consent to sharing all data. This don’t have to be on by default. This would improve my browsing experience tremendously.
When the first cookie law came into action companies sprung up claiming to provide a solution. Rather than actually doing anything useful they'd give you a JavaScript snippet to just dump onto your page and then they'd deal with everything. They'd scan your site and compile a list of cookies and their purpose and present that to your users. It sort of worked, expect the service would frequently fail to recognize certain cookies or part of you site might be behind a login. But it was something you could easily implement and push the responsibility to a third-party for a small fee.
Then came GDPR and these retarded cookie banner companies decided to offer that as a service as well... Basically the same thing right? Well for many of the sites it is, because their goal is find a way to do nothing, or as little as possible, they don't want things to change and here's someone offering them just that.
I hate that it when people are blaming the EU for the nightmare that is consent popups. They aren't required, unless you doing stupid shit. Companies love presenting this as: The EU is making us do this. NO, you want to track people online and the EU is simply asking for you to declare that.
It's truly amazing that companies don't see to problem telling people that they care about their privacy, yet presents them with a list of 600 "partners" whom which they share our data.
So yes, it's laziness, these sites don't want to chance the way they deal with advertisers, because that would be slightly harder. It's also partly incompetence, there's an entire generation of ad people who don't know the first thing about advertising, they know Google Adwords and Facebook Ads.
> NO, you want to track people online and the EU is simply asking for you to declare that.
False. Cookies aren't there only to maliciously track your actions and show add. They solve lots of technical issues in various scenarios.
This is your typical premature compliance for a technically incompetent formalistic regulation. Better be safe than sorry - so thats why you see that stupid "this website uses cookies" on every other site that merely has a login form, a captcha, or a cdn - because of course it fucking does.
> Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back.
You're giving these companies much more credit than they deserve. They're just going through the motions in an attempt to avoid lawsuits, but clearly not even Google can get it right 100%.
Hanlon's razor:
"Never attribute to malice that which is adequately explained by stupidity."
Who the heck downloads apps these days for every stupid thing? I mean apart from clueless grannies who would gladly send some money to that poor Nigerian prince over and over again.
I've stopped quite some time ago, basically my collection of apps is set in stone once I configure a new phone. If something seismic happens in real world I may add app in average rate 1 app/year, and that's about it.
Not using apps is so cool, some crappy webs that don't support mobile firefox with ublock origin don't even get my time, the rest is well curated. Due to reasons behind I am more than fine clicking on consent popups, the way they are designed to get to reject consent dialog tells you outright how moral/amoral business is behind it. So this is actually time-saving feature.
The thing is, life is short. No, its darn short, ask any old person. Definitely too short to waste too much of it on regretful things like phones.
Having worked for a number of companies implementing these measures, there's no malicious intent, they are rolling their eyes the whole time. It's just a box they need to tick. Everyone wishes it would just go away.
>Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back. Do you want to blame the EU for not anticipating that companies would act maliciously? Sounds fair to me. But don't let the companies off the hook for acting maliciously!
This gets repeated a lot. However, even one of the pages on the official site of the EU has a cookie banner:
So far the law had desired effect, and the companies making it hard to opt out are actually breaking said law, just nobody yet bothered to take them to court for that.
Exactly, I always click the 'do not accept/consent' or 'manage my preferences' button. There are a surprising number of sites that use dark patterns.
Whoever made the initial video must be a shill for the tracking companies because they didn't click on the 'do not accept' options, otherwise people would see how pervasive and thoroughly ridiculous the trackers are.
And when you get one that has a whole series of sliders in the left position and and all lit up green or blue, and no "Reject All" button at the top or bottom, close the tab.
This is one of the reasons why Social Networks are eating websites. Most people get a bad experience browsing the internet. Yeah, I get it, we know Hacker News, and other good websites. But my dad just want to read news about sports and politics, it's much easier to do it through Facebook posts than to open a browser and get annoyed by ads, popups, etc. Same for young people: I can get fun with TikTok and YouTube, why should I go into that maze of websites that do not provide anything worth it?
Even despite the fact that Amazon is a pile of crappy knock-offs and astroturfed reviews, it still manages to be better than the UX nightmare of actually trying to go through the companies' own websites directly to figure out what they're selling and how much they cost.
yes, it is a terrible experience...I personally think GDPR and thinking about user data is a great thing to have. But, the actual implementation is terribe. Like consent banner etc... I can tell 100% that whoever made this law is not a techie person. They wanted to solve a technical problem, like sharing user data without consent, through the law system that we used to...It would be a lot better if they forced this as a part of http protocol...So that we could have our pre-defined consent answers...I mean right now, we have no standart way to say no to any consent banner. You have to understand the consent banner, understand the options, evaluate them, and then process the outcome...You have to do this for all websites that you are visiting...
Yes, please fork http...EU, you can do that...I know it...
The consent banners you complain about are not due to GDPR it is a different law plus a compliant website makes it as easy to reject cookies as it does to accept them.
I can feel that you are from EU. Just because the way you defend your arguments sounds so european. But, let me whisper it to your ears, this thing is shit bro. Literally, I'm spending hours looking at screen and this consent banner pops out almost every minute...I keep my right to take this to the court if I'm diagnosed with schizophrenia or whatever.
The popu repeating is definitely not due to EU legislation. You should only get it once and it shjould offer you the choice to accept all or reject all or optionally the complex choosing.
If it pops up every minute it is the website that is doing it wrong sue them.
EU politicians are dumbest beings on Earth. Dumbness of US politicians pales in comparison. They pretend like they care for citizens privacy, while simultaneously pushing for an end to encryption. States like Germany, which is at the helm of these policies, has fucking SCHUFA. It’s so hypocritical.
I recently started using Artifact on iOS as a news aggregator, and... wow. It uses a standard customized WebView and not a SafariViewController or whatever, meaning that it doesn't support any of the system-wide content blockers that I'm used to.
It's truly amazing that websites are so insanely difficult to just... read, these days. Ads that pop up covering the screen, videos (irrelevant to the article) which I scroll past, and which then suddenly decide to pin themselves to cover the top 1/3 of the screen and autoplay, along with ads covering the bottom 1/4 of the screen, while cookie reminders pop up and the page keeps jumping around because ads take so long to load... It's truly astonishing how bad of an experience I was missing out on.
Artifact is a pretty nice app, all in all, but the browsing experience without content blockers is so terrible that I just can't bring myself to use it anymore.
196 comments
[ 2.8 ms ] story [ 280 ms ] threadI agree with you that the non-compliant approach teaches a bad security practice to the general population. The fix is better enforcement of existing law, without a new law actually being needed except possibly a better procedure for more effective enforcement.
Unfortunately, achieving that is hard for political reasons. The EU’s politicians, and therefore the data protection authorities whom they oversee, care mostly about seeming to protect privacy, whatever the reality, and don’t want to deal with the economic + lobbying + PR + political donation + therefore electoral consequences of routinely taking proper and timely action. This is especially true for some of the most regulatorily captured data protection authorities in the EU, such as Ireland’s.
If website uses cookies just for legit purposes (e.g auth, language choice), then it doesn't need to show cookie consent.
Webmasters should get awarness on this or stop spying
1. Ensure that you’re perfectly abiding by all “legit purposes” and be prepared to update your policies and software each time those change, at the risk of huge fines. Or,
2. Just put an annoying banner up and have no risk.
Which do you do?
Government created this problem. Yes, it was in response to bad behavior from industry, but that doesn’t absolve the bureaucrats from responsibility for the results of their “solution”. If someone lights your kitchen on fire and the fire department’s response is to burn down the entire house, there is plenty of blame to go around.
In fact, many of the websites that have these obnoxious cookie banners are NOT in compliance because don't offer a simple and unambiguous opt-out option.
These cookie banners and cookie popups are intentionally made to be maximally annoying. That's not good faith behavior by companies. That's malicious and an attempt to get consumers to blame regulators for breaking their browsing experience. The worst thing is that some people totally fall for it!
All you need to do is not store cookies. That's it. It's not difficult at all. If you do want to cover your ass and use a consent dialog, there's a million options that are non-disruptive to your users and allow them to one click opt out.
The banners usually don't provide you with an all-or-nothing approach. Choice is usually between reject everything *except essential*, accept everything, or something in between.
That means the analysis for point 1 has been made. They know exactly which cookies need consent.
> Which do you do?
Given that 2 goes out of its way to violate the law and make your users miserable I would suggest 1. But that is just the opinion of a non lawyer.
For how many years they can pretend to be dumb and act like they dont know?
They just want to do shady stuff with the data, that's it.
Just ban tracking for advertising purposes entirely, or at the last least mandate that sites respect the do not track header and require browser manufacturers implement it as opt-in.
The cookie pop-up is a dumb law.
If the "reject all" button isn't as easy to click as the "accept all" button, then the popup is illegal. The big players have all been forced into compliance, but there's a long tail of publishers who are chancing their arm on the assumption that the regulators don't have the resources to deal with everyone. That's probably a reasonable assumption in the short term, but the EU are playing the long game.
You should watch the video in the linked article. The options are accept all and "customize". I'd be willing to bet a lot of money that accepting is one click and rejecting is more than one
That's what they say, but even government websites do the same thing.
Anyway, my point wasn't so much about the pop up itself but rather that if you make it easy to reject, then everyone will reject. So what's the point of allowing it? It's like having a cashier asking everyone "would you like to get kicked in the balls?" with the hope that someone misunderstands, and then they get to kick them in the balls.
No, but let's blame them for coming up with an asinine 'solution' to that problem.
Is it the perfect system? No. Is it better than no system at all. I think so.
But big corps know what they wanted and do and lead the rest of the pack..
Speak for yourself. I never consent to marketing or analytical cookies. I appreciate the option to turn them off.
Stop blaming the government for something private companies are doing to you. All the government did was require them to be honest about it.
Maybe the EU should be more aggressive with GDPR, and start fining these companies out of existence for not being 100% compliant. That would put a stop to the maze of dark patterns pretty quickly. Either every shitty company would go bankrupt overnight, or they would learn how to make very simple "yes cookies" and "no cookies" buttons.
Ads, Reddit popup, bad cambridge.org design are experienced by non EU too
A more accurate title like ""Sigh, this is what browsing the web looks like nowadays"" would not have gotten you criticism
If companies DoNotTrack, they will have fewer people opting-in for tracking.
The design of these consent forms is often so obscure I end up in some menu system with too much information I didn't want, and no hotkeys to go back except leave the website.
It is the website owners fault when they choose not to turn that feature on.
(Leaving aside that sites should just not have these banners, which provides the best user experience. Just delete all the tracking and the banners along with it.)
The argument is transparent self-serving BS, though.
Unlike do-not-track to 1, as far as I know, it is never set to 0 by default. So it should represent actual consent.
Not the best for privacy, but at least, it would make the web less annoying.
We might have tried similar things if Europe was as dominant in American tech markets.
Many websites seem to break this law.
There could be browser configuration for the cookie consent popup (accept, essential, reject all) that websites could follow but now - they prefer to be obnoxious about it hoping that everyone will click "allow" pit of boredom (not to mention that at the beginning it was only visible option and reject was hidden, which was illegal)...
(I wouldn't lament the loss of invasive analytics, but the job losses would be saddening)
Any other cookies are not "table stakes".
Random example from more than a decade ago: I worked at an online retailer, and we did a nice redesign of our cart page. Looked great, much more readable, but we started losing sales. Did people hate the redesign? It was certainly easier to use and navigate.
Our marketing guy looked at our analytics and saw that there was a massive drop in checkouts from users whose displays were set to 1024x768. He changed his resolution and, sure enough, the 'Checkout' button was something like four pixels below the bottom of the screen, if you were using Internet Explorer or Chrome and you had your browser maximized.
I get that analytics can seem creepy and gross, and stuff like that is 'none of [retailers'] business' to a lot of people, but without those analytics we would have had no idea why we lost those sales, and would have had to simply revert the redesign with no real opportunity to change it.
If you want analytics, just get consent for be tracked.
[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DN...
Requiring the opt-in to happen on the side creates an avenue to critique and dispute whether the website does the thing they say they do.
But because one really big early intenet player disrespected it [2] it became mostly useless.
[1] https://www.w3.org/P3P/
> What is P3P?
> The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
> Why is P3P useful?
> P3P uses machine readable descriptions to describe the collection and use of data. Sites implementing such policies make their practises explicit and thus open them to public scrutiny. Browsers can help the user to understand those privacy practises with smart interfaces. Most importantly, Browsers can this way develop a predictable behavior when blocking content like cookies thus giving a real incentive to eCommerce sites to behave in a privacy friendly way. This avoids the current scattering of cookie-blocking behaviors based on individual heuristics imagined by the implementer of the blocking tool which will make the creation of stateful services on the web a pain because the state-retrievel will be unpredictable.
[2] https://support.google.com/accounts/answer/151657?hl=en
> P3P and Google's cookies
> In some situations, the cookies we use to secure and authenticate your Google Account and store your preferences may be served from a different domain than the website you're visiting. This may happen, for example, if you visit websites with Google +1 buttons.
> Some browsers require third party cookies to use the P3P protocol to state their privacy practices. However, the P3P protocol was not designed with situations like these in mind. As a result, we've inserted a link into our cookies that directs users to a page where they can learn more about the privacy practices associated with these cookies.
Yes, but the cost of doing that through GA is that a single US megacorp outside EU jurisdiction can reconstruct most users entire browsing history for whatever US intelligence wants to do with it.
I'd have sympathy for these people if they weren't also primarily responsible for the many darkpatterns, traps, and user-hostile aspects of modern interactivity.
I'll believe that when they don't have a huge banner that's covering a fourth of the page.
Everyone thinks that but in practice most folks don't have a clue what they're looking at and just use the numbers as a crutch for whatever opinion they already had.
Of course, this problem isn't just a web analytics one.
And at small small cost of privacy violations and spying on users.
Hint: buy the cheapest crappiest laptop you can find. Test your site on it.
You are clearly confusing the issue here.
No one cares for your smartass solution for the problem - it's obvious enough once you are aware of the problem itself. The issue is tracking the problem in the first place.
Hints like "oh you should have just been totally aware of it in the first place" are plain naive.
I'd expect a bit more from smart people who see very well into what kind of society we are going full speed, with no way out once in (if you don't consider going back to caves as a good option, I don't).
Its very fabric of whole society our kids will live in we are talking about here, nothing less. Is pretty clear what directions the biggest corporations are taking, hey are not even trying to hide what's in plain sight. If we common folks don't at least attempt to stop it or steer it in other direction I am worried nobody else ever will.
That's not really my problem as a (viciously tracked) user. Now, is it?
> The commonly seen method of using a checkbox and a simple information note such as “remember me (uses cookies)” next to the submit form would be an appropriate means of gaining consent therefore negating the need to apply an exemption in this case.
If it is 'table stakes', like "remember me" checkbox, you don't need a separate cookie banner
https://ec.europa.eu/justice/article-29/documentation/opinio... via https://law.stackexchange.com/questions/32152/gdpr-cookie-fo...
It's the same tired nonsense as when regulators try to tax a business that's already operating on thin margins and act surprised when the business passes the cost to their customers instead of eating it.
I'm not upset with the intent of what they were trying to do, which was noble; the upsetting thing is that it was patently obvious their hamfisted implementation would lead to this outcome, and they did it anyway, knowing they could count on people to deflect blame away from them.
It's not as if these companies are kicking in your door and violating your right to privacy. You're accessing their site with a device that is configured to transmit whatever you have it set to.
If you don't want cookies, disable cookies. If you want greater control, go and configure it yourself. Stop forcing your preferences on everyone.
The reality is that outside of a vocal contingent on HN, most people simply do not care. They won't pay a cent for their ad supported services. And I for one hate the endless consent popups and GDPR hoops I have to jump through. As an expat in London, I can't read many local news stories in the US because those sites simply block the traffic instead of trying to comply with a foreign law.
This is not how it works.
Me visiting a website does not mean I want that website to send my personal identifiers to hundreds of unknown (both to me and the website operator in question) third parties.
If you don’t want fingerprinting, disable canvas, fonts, or JS entirely. My point is that you are downloading code and then executing it. You have control.
That's like hating a rock for rolling downhill. Regulation is the only way.
https://commission.europa.eu/index_en
Is the EU itself acting maliciously in putting up that cookie banner?
Users have always been in control of whether they accept cookies. There have been settings in your browser since (at least) Netscape 3.0. It's only because of dumb EU laws that cookie control has been pushed up into "user space" with these idiotic banners that no one reads.
Did Netscape 3.0 have per-site options to enable cookies and specifically allow/block third party cookies?
If so, that’s impressive.
The more relevant aspect, I think, is that there's an essential/non-essential distinction in the law, which differs from 1st-party/3rd-party.
> Cookie Pal includes the following features:
> Automatically and transparently accepts or rejects cookies from all or specified servers without user interaction.
> Cookies received from unspecified servers can be automatically accepted or rejected without user interaction, or the user can be asked for confirmation.
> "On the fly" adding of servers to the accept from and reject from lists, allows you to manually accept or reject a cookie the first time it is received and then have it automatically accepted or rejected every time it is received thereafter.
[0] https://web.archive.org/web/19971012223847/http://www.kburra...
[1] https://web.archive.org/web/20010331050614/http://www.kburra...
Besides, GDPR isn't about cookies, it's about what companies are allowed to do with your personal information. Functional cookies don't require consent, abuse of your personal data does.
You'd want that to be the case, but in practice they do. Just look up how vague the definition of functional cookies is.
No one wants to risk insane fines.
It's google, facebook etc that are trying to shove these things down your throat, not the EU.
Most of this crap is the same everywhere, not just in the EU.
Edit: also, non targeted NON INTRUSIVE ads will do too. Or would have done. If the ad industry wouldn't have burned any shred of credibility they ever had.
I do question the incentive of a number of sites. Reddit technically don't need to track you, they know all they need to based on which subreddit you're currently on. It's mainly sites that have no context to your activities that really need the tracking to attempt to provide ads that makes sense. Maybe having these sites should be financed differently?
Until the GDPR a lot of this went on anyway, but totally invisible, now at least we have some idea of the magnitude of the problem and companies have an incentive to at least try to get it right. Not that many of them do. People that are categorically against government regulation tend to point at this and say 'see: that's what you get'. But they forget that in the relationship between companies and individuals it is the companies that on balance have the most power and there is ample evidence that this power then gets abused. Hence regulation. I'm all for tightening the rules another notch or two and adding a zero to the average fine. Because there is still a lot of room for improvement.
No, it's the EU that mandated those popups - an asinine solution to the tracking problem. The EU gets the blame.
Same difference. Semantics.
> You could simply not track and then you wouldn't need consent.
Not all tracking is malicious. It's not going to disappear, hence the popups.
As I said, it's an asinine solution. It's as useless as the default browser nonsense. The EU seems to make one of these annoying blunders every decade or so, next one should be coming up.
That's simply not true.
The EU legislated solution is directly responsible for the popup spam. There were other alternate solutions that would not lead to popup spam.
Your site may not need a popup, but many more complex sites do, and not because they are doing nefarious things.
It's OK to admit the EU makes bonehead decisions sometimes.
As an EU citizen, I am actually somewhat delighted that our legislation that attempts to improve privacy is being successfully exported. But similarly to how I find the US exporting their legislation quite loathsome---at least at times---I understand your beef.
It's hard to dynamically figure out if you're an EU citizen or not via the browser. Hence, websites play it "safe" by showing it to pretty much the whole world.
When the EU regulation came up, I was shocked that a single article was being shared with 100+ "partners". I knew it was bad, but I didn't know it was that bad. At least now I get the choice to opt-out. Sidenote: Google got fined for that pop-up because it should have a "do not accept" option [1].
Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back. Do you want to blame the EU for not anticipating that companies would act maliciously? Sounds fair to me. But don't let the companies off the hook for acting maliciously!
[1] https://www.taylorwessing.com/en/insights-and-events/insight...
https://duckduckgo.com/?q=i+still+don%27t+care+about+cookies
Then came GDPR and these retarded cookie banner companies decided to offer that as a service as well... Basically the same thing right? Well for many of the sites it is, because their goal is find a way to do nothing, or as little as possible, they don't want things to change and here's someone offering them just that.
I hate that it when people are blaming the EU for the nightmare that is consent popups. They aren't required, unless you doing stupid shit. Companies love presenting this as: The EU is making us do this. NO, you want to track people online and the EU is simply asking for you to declare that.
It's truly amazing that companies don't see to problem telling people that they care about their privacy, yet presents them with a list of 600 "partners" whom which they share our data.
So yes, it's laziness, these sites don't want to chance the way they deal with advertisers, because that would be slightly harder. It's also partly incompetence, there's an entire generation of ad people who don't know the first thing about advertising, they know Google Adwords and Facebook Ads.
False. Cookies aren't there only to maliciously track your actions and show add. They solve lots of technical issues in various scenarios.
This is your typical premature compliance for a technically incompetent formalistic regulation. Better be safe than sorry - so thats why you see that stupid "this website uses cookies" on every other site that merely has a login form, a captcha, or a cdn - because of course it fucking does.
You're giving these companies much more credit than they deserve. They're just going through the motions in an attempt to avoid lawsuits, but clearly not even Google can get it right 100%.
Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity."
I've stopped quite some time ago, basically my collection of apps is set in stone once I configure a new phone. If something seismic happens in real world I may add app in average rate 1 app/year, and that's about it.
Not using apps is so cool, some crappy webs that don't support mobile firefox with ublock origin don't even get my time, the rest is well curated. Due to reasons behind I am more than fine clicking on consent popups, the way they are designed to get to reject consent dialog tells you outright how moral/amoral business is behind it. So this is actually time-saving feature.
The thing is, life is short. No, its darn short, ask any old person. Definitely too short to waste too much of it on regretful things like phones.
See, everybody (who matters) wins.
Marketing is a funnel. People who bother to download the app are heavier users of the site. Finding those users is the point.
Having worked for a number of companies implementing these measures, there's no malicious intent, they are rolling their eyes the whole time. It's just a box they need to tick. Everyone wishes it would just go away.
This gets repeated a lot. However, even one of the pages on the official site of the EU has a cookie banner:
https://commission.europa.eu/index_en
Is the EU itself acting maliciously in putting up that cookie banner?
Yes, I think we should clearly hold legislators accountable for unintended consequences. And I think it would be crazy not to.
If the law didn't have the desired effect, and makes everyone miserable, we should fix or amend it.
A simple page request results in almost a thousand requests being made to third parties, just to show you some bad ads.
[1] https://pagexray.fouanalytics.com/q/pathofexile.fandom.com?f...
Whoever made the initial video must be a shill for the tracking companies because they didn't click on the 'do not accept' options, otherwise people would see how pervasive and thoroughly ridiculous the trackers are.
People will choose convenience over mostly everything else.
Yes, please fork http...EU, you can do that...I know it...
The popu repeating is definitely not due to EU legislation. You should only get it once and it shjould offer you the choice to accept all or reject all or optionally the complex choosing.
If it pops up every minute it is the website that is doing it wrong sue them.
It's truly amazing that websites are so insanely difficult to just... read, these days. Ads that pop up covering the screen, videos (irrelevant to the article) which I scroll past, and which then suddenly decide to pin themselves to cover the top 1/3 of the screen and autoplay, along with ads covering the bottom 1/4 of the screen, while cookie reminders pop up and the page keeps jumping around because ads take so long to load... It's truly astonishing how bad of an experience I was missing out on.
Artifact is a pretty nice app, all in all, but the browsing experience without content blockers is so terrible that I just can't bring myself to use it anymore.