Ask HN: What is the least obnoxious way to ask for cookie permissions?
Recently our legal department is asking to add a cookie disclaimer thing to our marketing website. I hate those and want to put in the least intrusive version. How do people here deal with this? Thanks!!
109 comments
[ 4.9 ms ] story [ 400 ms ] threadDo not give people options about cookies - either they accept (and dismiss the notice), or they leave
When I am presented with cookie options, I start to wonder why there are "unnecessary" cookies present: why are you letting me accept "necessary" cookies or "all" cookies? Why would you have ones that are not needed? Seems hyper sketch ... and I'll go elsewhere (or reject all)
You're obligated to give them a way to opt out while continuing to use your service, and it should be as easy to decline as it is to accept[0]. The funny part, of course, is that countless services have put up banners that don't make it easy at all to reject, which means they're still not compliant, they just make the legal team feel warm and fuzzy.
That's why you see necessary vs all, because it's "can we track you or not". If you're just doing absolutely required cookies (e.g. session cookie), you don't even need a banner.
[0]: https://gdpr-info.eu/issues/consent
https://noyb.eu/de/pay-or-okay-tech-news-site-heisede-illega...
Because some are required for the functioning of the site. They can justify dealing with those without you approving it.
Some are there for advertising, that's not required for you to use the site but they'd definitely like to. So they need you to actively consent.
That's outright and explicitly illegal.
(I just thought I'd make that point in a quicker and simpler way than the otherwise great sister post.)
You're allowed to say, "we have cookies - you do not have to stay"
As they should
If that's not an option, the next best thing is to have an overlay that is as honest as possible and most importantly provides not only an "Accept all", but also a "Reject all" button.
Don't use dark patterns, basically. That is, use the same color, style and size for each of those buttons.
My experience is that most users are so used to these overlays by now, they just look for the button which gets rid of them most quickly. Marketing will typically push to tinker with the appearance of the buttons to increase the conversion rate in favor of the "Accept all" option.
I had the pleasure to learn a lot about this while working in the higher levels of some german company with a somewhat questionable track record.
Here's what you can do (only applies to Germany, but might be similar elsewhere):
Complain to the data protection authority of your local state in writing. These complaints will be followed up by the authority and if enough of them accumulate, the company will have a bad time and the aforementioned incentive equation will be bent towards the end that favors user privacy.
Don't write angry emails. Nobody cares and you waste time.
Pretty clearly so. It seems weird to me that so many companies put up a cookie banner in order to avoid breaking the law, and then break the law in order to make it less effective. I suppose the win here is that if the (fairly toothless) regulators notice you can say "oh we thought this was enough" and then tweak it. But in that case why not just have no banner at all, and wait until they notice in the first place?
Just as daft as the extra-US sites that choose to show no content to EU geolocated origins instead of complying with the law. Which is... also illegal under the letter of the law, so why not just ignore the law. Presumably you're probably out of the jurisdiction anyway if you're bothering to do this.
extra-EU I mean.
Since when? The GDPR explicitly only applies if you offer your shit to EU subjects or monitor EU subject behavior while they're in the EU. By actively rejecting those potential customers and not tracking them (because you refuse to provide them the product), does that not suffice to not have to worry about the rest of the terms?
I know there are a few cases regarding linking to news articles and how the company in question can't stop providing that service, but in all such cases I'm aware of the offending company had other ties to the EU whereby the GDPR might have been enforceable.
Why is it so hard to for people to understand that I just want you to serve me the page and bugger off? It's like justifying embedding GPS tracking in pamphlets that people hand out on the street.
I don't want to be tracked period.
Is it that hard?
There’s 90% chance that no, it’s not your business. There’s also a lot of chances that your website is about a product. In which case, it doesn’t make sense to know how many people come and read. People only need the information to know "will I buy that or not?" or, even more frequently "I’ve bought that but I don’t understand something".
Tracking is counterproductive in most scenarios. (but very few understand that)
Why? What will you improve by knowing that, and why couldn't you improve that without knowing it?
[1]: https://www.europarl.europa.eu/portal/en
I had an experience with a national meteo application including facebook trackers. I complained and they replied that they were totally unaware of that fact. The tracking was added by default by the contractor as part of his standard template. (note: they removed the tracking after my complain).
But it is also about people in charge, who are completely addicts to statistics about the number of visitors and all information. People like to track others. They actually want that.
The sad part is that nobody in IT really complain nor tell them that it is creepy. We install blockers on our own computers and get over it, writing code that track those without blockers without batting an eye.
Which may be because if you do, you will typically be called the "technical person" who "doesn't understand anything about 'normal' users" and you should be more focused on your actual technical tasks.
Sorry for being cynical. I couldn't resist.
Once you have worked a while in business or marketing, you will see that it's not that easy unfortunately.
There's a lot of pressure to provide certain numbers or at least to collect them "just to be sure". Typically this requirement comes without any willingness to invest money, because "you can just install Google Analytics for free".
I don't want to justify this at all, because I believe in the long run these numbers aren't worth what people claim they are worth at all. I just wanted to explain that not everyone is "bad" or "anti-social" for complying with "leadership" decisions and installing a CMP and Google Analytics.
Nobody is forcing anybody to do this, this is a personal and business decision to make more money at the expense of users' well-being. When you're surrounded by lots of people that think a certain way, you start to see it as acceptable and even good.
Though I know lots of people that disagree, I personally don't think it's justifiable. If someone finds it justifiable, they should take responsibility for it.
Depends on how you define "force".
My experience is that the source of all this is the fear of having a substantial disadvantage against the competition and having to defend your decision of sustaining such a perceived disadvantage against the CEO/board. Understandable from my point of view, even though I don't like the outcome. This then usually trickles down the hierarchy in companies and, yes, someone will somehow implement it to earn their living. I'd define the implication of losing your livelihood as a consequence of not doing what you are told as force, but that is open to opinion I guess.
An anecdote that might be worth mentioning in this context:
I was once told by some CEO that they didn't hire a really qualified person, because that person had enough money to not be dependent on the job. This is, in my experience, an appropriate reflection of the role of money in controlling people's decisions. It's essential that you are dependent so that you can be forced to comply or risk losing your livelihood.
But to elaborate a bit: At least in Germany (and I believe this applies more or less everywhere) if you install a 1st-party tracking method based on 1st-party cookies, that doesn't fall under the 3rd-party consent requirement and you don't need consent. That means you can track your valuable retention numbers and won't need a consent banner. It's a common misunderstanding that you need that consent for all cookies. You only need it for cookies that aren't required to do your business. And 3rd-party cookies aren't.
It's just that marketing typically don't want to spend any money on this, because these retention numbers turn out to not be enough value to justify the investment. I wonder if they are as valuable as you described at all.
Edit: I should have said 1st-party tracking that doesn't collect personally identifiable information (PII).
The test isn't whether collecting that data is required to do your business - it is whether collecting that data is required to do what the user is asking you to do. So if (for example) you are tracking your users to see where they click in your web site in order to improve your web site, then that is only required for your business - your user has no interest in that, didn't ask for it, and therefore must be asked for consent for you to do it.
What I was basically saying is that 1st-party cookies are considered more likely to reflect a legitimate interest than 3rd-party cookies. And I think that is what the interpretation of the law was (or maybe still is).
You can do 1st-party tracking without collecting personally identifiable information if it's just about retention without a user ID, which I was referring to. And I in fact think that there is a case to be made that this could be part of the legitimate interests of improving the user experience on a web property of a given business, hence not requiring consent.
Even an IP address is PII, your may be lucky with some fingerprinting, but this won't be unique.
At least that's what I was told. Having said that, this is obviously a complicated and nuanced topic with a lot of grey areas. I guess it's a good idea to talk to a lawyer in any case.
My point was rather for non-cookie based kind of identification, but it was no clear enough.
I'll certainly agree that this is an area where different opinions abound, and also you are much less likely to be prosecuted for this, so it's likely that advice would be that it's probably alright and you'll get away with it. But a strict interpretation of the law says that you can't use information gathered for a purpose for which the user didn't consent (or deliberately ask for, etc), even if you have it lying around because you collected it for a separate reason that is valid.
Regarding arguing that improving the user experience is a legitimate interest - I'm not aware of that having been argued and decided in court, but my opinion is that it is a hopeful misinterpretation of the law, and a slippery slope towards quite egregious data collection.
Yes, you can collect web site metrics without identifying information, for instance how many times are the different links on a particular page clicked on, but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.
Just out of curiosity: That would be crossing a line, because it might be potentially possible to reconstruct an identity from the linked navigation pattern?
If so, I guess I would consider that beyond the realm of what any normal internet lawyer would include in their advice.
A 1st party tracking solution is in no way considered needed to deliver the service the user requested. Only things like remembering my shopping basked are necessary to deliver the services of a webshop. And you cannot use that cookie for other purposes (like counting visitors).
The easiest thing to do here, is to simply not associate those sessions with a particular user. Even if your user accounts are tied to specific PII for essential purposes of your app. As long as the tracking data is not connected to that identifier, does not log any PII data on it own, and is not shared with third parties you do not need consent.
One quick edit: Be careful with collecting errors, its easy for backtraces to include application specific data including any PII you might have which will tie that session back to a specific user and becomes a violation.
I was referring to the GDPR as pointed out in my comment.
There even is a GDPR recital that explicitly states:
"[...] The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
Source: https://gdpr-info.eu/recitals/no-47/
Analytics is not strictly necessary to deliver the service.
Just don't collect PII beyond was is absolutely essential for your application, and don't share it with third parties. Bam you don't have to get consent. Knowing what classifies as PII is still a hard problem because its full of so many conditionals. Email is not PII unless you have some part of their name for example and it counts if your company receives an email from that person that includes their name in the From field.
All the cookie banners out there are designed to make people weary of them into just accepting the previous practices. It's malicious compliance.
Yeah you don't need to do that though. You want to.
Also consider visitors are used to these prompts, without one they may wonder: does this site follow the law?
The last time I checked (a few years ago) most websites were doing a serious overkill with the banners, where the law didn't require it. Also, for certain companies the possible penalty for not having a banner was so low that it didn't make sense to have such banners at all.
What do you plan on using cookies for? There might be some ways of doing similar things without cookies or trackers (server-side analytics for example) that are more respective of users and also eliminiate the need for any banners at all.
I know my company's website has a pointless cookie modal - the necessary cookies are just for session affinity on a gateway (which I don't believe you'd need a modal for anyway), and the unecessary cookies are from one analytics integration that's been used just once since it was set up, and another that is used for the most basic reports that you could get from just the access logs.
This still gets you plenty of actionable analytics information: where geographically people are located (via GeoIP), what pages are most popular, what platforms (including desktop vs mobile) people are using.
I've been using https://plausible.io for analytics on a bunch of my sites for a couple of years now and I honestly don't miss the extra level of detail I got from cookie-based analytics I've used in the past.
edit - make sure you've actively made this decision and documented the assessment.
For EU things you must make sure what you're doing with this aligns with consent from the user / other justifications. Whether it's server side or cookies doesn't matter for GDPR, it's the collection & use of the data.
To OP, try not to collect data at all, and if you need to then make the consent banner not block the use of the website. Also don't animate it in, just have it there.
The ICO guidance in the UK is pretty good https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
Note that consent is not always the best justification for lawful processing.
Then the user can centrally review what permissions they gave, revoke them etc.
So no sites should have these kind of approval banners.
If the DNT header were set to "no" by default, websites would be happy to track users.
If the DNT header were set to "yes" by default, websites screamed bloody murder and pretended that it didn't represent user choice.
And that leads through to another tip to make your consent request less obnoxious - make sure that plugins like Consent-o-matic do actually work correctly and invisibly with your site.
I you have to have one I'd suggest it have a Reject All button which makes the banner go away without any further clicks.
Nothing is more soul destroying than having to click several times to make the nonsense go away.
Make sure that it does work with extensions like I don't care about cookies. That one is usually easy but make sure it works with the uBlock script too.
Do not have that the banner force any site reloads. Analytics for example can be loaded into a page wihtout reloading.
If that is done the ad blocker users will never notice the banner.
SO, as others have already said, definitely a "reject all" and be done with it right in the beginning, without the need for any forther clicks. Better yet if the banner is just a sliver on the side that doesn't interrupt my reading experience (clearly, as long as I didn't click "yes" on cookies, it can't set any; so it would be default-no, allows me to read, and if I want to click in the corner for something else, I can. Even better if it has an "X" to close that unintrusive side window, and of course the X gets treated as "reject all".
See, the problem is solved even before it appeared - if your company will comply with the law then the banner would not be obnoxious by design.
Pointing out this stuff forces you into the path of requiring that people click on it before being able to navigate the website, which is extremely intrusive, and makes all the marketing people insist that you apply dark patterns.
GitHub used to not have cookies for tracking purposes either but it looks like some people couldn’t live without tracking users so it’s back after 2 years on some subdomains: https://github.blog/2020-12-17-no-cookie-for-you/