83 comments

[ 2.8 ms ] story [ 119 ms ] thread
On the one hand I’m sad we left EU since there are some good consumer things (and Brexit was moronic)

But I’m also waiting to see how this is torn apart and made horrible by big corps just like cookies was

What's wrong with cookies? No tracking, no needed.
Popups everywhere that waste people's time.
That's not the fault of the GDPR. The point of the GDPR was to force companies to expose just how much they sell your data, and thus incentivize people to vote with their wallet and choose services that value protecting your data.

Unfortunately, corporate greed was too high, and the result are cookie banners listing sometimes >1k third-party entities.

That is not unfortunate. That is bad design.
Deliberate bad design by the websites; I'm not sure how the law could be rewritten except to just say "you had your chance to do this right, now you're all just banned from collecting anything unless it's strictly necessary, just as if every user had said 'deny'."
The law is already explicit about requiring that acceptance and refusal should be equally easy to access, the vast majority of these banners are actually illegal.
Also correct, but even with that modification to the popups, I think they may want to go further.
Well, it is informative to see to just how many entities they're going to sell my data.

My big question with those banners is: what the hell does "legitimate interest" mean? The toggle for normal cookies is generally off by default or easy to turn off, but then there's another tab, or other toggles, listed as "legitimate interest", and it lists all the same stuff I don't want: ad personalisation, tracking, etc. What's the difference? Why do they consider that legitimate interest?

That's a GDPR term. "Legitimate interest" should only be what is necessary to provide the service to the user (e.g. load balancer cookies, session cookies for logins).

Everything else is abusing the term and should be reported to the responsible data protection authority.

And cookies that are necessary to perform service required by end user don't require consent.
> My big question with those banners is: what the hell does "legitimate interest" mean?

There is a definition in the regulation, which IIRC basically amounts to a rewording of "strictly necessary". This definition does not cover what companies use it to excuse.

The way the phrase is actually used, for much wider tracking, what it has come to mean is "we see your preference not to be logged and stalked for the benefit of our business plan, but fuck you and your preference we want to do it anyway".

This is why the legitimate interest check boxes are often hidden in nested concertinas or other UX nightmares, to make it extra difficult to opt out of what should be an opt in. Once a body has gone this far to try engineer an accidental opt-in they are _definitely_ not to be trusted IMO. Though it is likely too late if you really care: they may have already dropped their payload & sent at least some information back to base, and will "accidentally" not remove it later or find some other excuse as to why they shouldn't.

> "we see your preference not to be logged and stalked for the benefit of our business plan, but fuck you and your preference we want to do it anyway".

That's certainly how I've been reading it.

What I really want is for my browser to automatically block all of it. I know Firefox blocks a bunch of stuff, and ad blockers probably do too, but I have no idea how thorough they are and whether there are ways of tracking they can't block at all. There probably are.

(Except login and preference cookies; those are legitimate. And only relevant for sites where I actually login and set preferences. I'm pretty sure most sites I just visit to read some article, have no reason to set any cookies at all.)

The popups make things even worse, because people automatically click on "Agree to all", which permits far more than would be permitted without a cookie banner.
Do they? On my side, when Consent-O-Matic don’t deal with it all automatically, I look for the "deny all" button and just go elsewhere to find the information I need.
I'd love to install Consent-O-Matic but when I try, my browser warns me that the extension can read and change all my data on all websites.

So, the EU makes laws that supposedly protect my privacy, and in order to deal with the awful practical consequences of those laws, I'd need to give an unknown third party access to all my data on all my websites?

I believe a German (?) court recently ruled that sending a do-not-track header in HTTP request is sufficient. So essentially, a website showing a cookie banner despite a visitor already expressing her/his preference using DNT, is a malfunctioning website.

Now all we need is some carrots or sticks to nudge companies to fix their websites. Like fines or decreased search ranking.

Yes, they do. Maybe some nerds don't, but 90% of people do.
That's because the implementation is illegal, it should show "Agree to all" and "Refuse all" in the same context, the implementations have decided, as a strategy, to bury the refusal which goes against even the text of the law which states it should be as easy to give as to remove consent.
It's not buried. They make one button green and the other grey, and 90% of users will click on the green button.
Also, non-tracking cookies (e.g. load-balancing, settings selected by the user) don't require consent. Still, many websites put cookie popups in place for those, adding to the noise.
Because everyone mindlessly copy everything they see on the net.
I think the idea is that after certain tech piece is getting regulated, giants will use this as opportunity to push for some replacement which they will get to influence.

https://www.theverge.com/2023/7/20/23801435/google-chrome-pr...

Regulation "failures" are mostly about the wording, the how; less about what and why.

I guess rather than regulating cookies, they meant to regulate tracking. Or maybe even regulate targeting, rather than tracking.

The cookie banners are mostly a tragedy, everyone agrees that modal, blocking cookie banners were never the intention. But the giants definitely had something to gain by suggesting they "were forced" to harass visitors.

And the forced harassment is very likely illegal, the law is pretty clear that refusing/removing consent should be as easy as giving consent. Very few sites have both "refuse all" and "accept all" on the same pop-up, even worse are the "legitimate interest" ones which hide a second layer of refusal under that tab.

I hope the EU cracks down on it at some point, the harassment is very much a strategy to manufacture discontent in the public about the regulation, and it works (as you can see in multiple replies anytime this topic shows up in HN), and the strategy is illegal.

> I guess rather than regulating cookies, they meant to regulate tracking. Or maybe even regulate targeting, rather than tracking.

When I see statements like this, I wonder: have people ever read anything besides what the industry feeds them? Or the echo chambers of HN and twitter?

Here's GDPR's text: https://gdpr.eu/tag/gdpr/ Please show me where exactly it talks about browsers. Or cookies. You could start with Subject Matter and Objectives: https://gdpr.eu/article-1-subject-matter-and-objectives-over...

> But the giants definitely had something to gain by suggesting they "were forced" to harass visitors.

Indeed. They redirected the ire from themselves to the law and the EU. Spreading FUD works.

I mean the pop ups on every single site I visit now. I wish they’d just ban them rather than force the pop ups.

My point is just that the corporations just find loopholes. Like how Apple have technically allowed out of app AppStore’s but mad it so horrible that no company would ever do it.

The proliferation of irritating cookie consent popups on the web is ENTIRELY the fault of the EU "Cookie Law" 2009/136/EC (amendment to 2002/58/EC)

I repeat - the cookie consent popups, and the resulting de-sensitisation of users to genuinely useful warning popups - that's ENTIRELY the fault of the technocratic leadership of the European Union.

"Big corps" have to follow the rules or they will face hefty fines.

---

Edit: the comments about the consent forms protecting against "spying" are disingenuous. Even functionality such as remembering user region, or allowing the website to improve performance and UX using simple analytics requires consent.

No.

In fact it's not a “cookie warning pop-up”, it's a cookie consent pop-up.

And there's an easy way to get rid of that pop-up for companies (big or small BTW): stop using cookies that require user consent: that is, stop harvesting people's data.

You're missing the point. The law didn't take into consideration that people are awful and as a result not only didn't accomplish its aims of either reducing the amount of data collected or making users aware of data collection, it made the act of using the web worse.

This is the problem with feel good laws like this. You always have to write laws assuming that those negatively effected will be bad actors that will try to subvert the law. That's just human nature. People want to keep doing what they're doing.

> The law didn't take into consideration that people are awful

Okay. I always ask this: what's your solution to this?

The huge fines suggest that they did take into account bad actors.
> not only didn't accomplish its aims of either reducing the amount of data collected or making users aware of data collection, it made the act of using the web worse.

It made the web worse because companies decided that making it worse was better than changing their business model. But it did reduce the amount of data collected.

> You always have to write laws assuming that those negatively effected will be bad actors that will try to subvert the law.

But they did. But EU was lobbied into being too business friendly, and relied on nudging them into better behavior instead of forcing them, and the businesses said “no way, we'd rather fuck up our website”.

There's no way the European Commission could have convinced the member states to accept a law that would be too detrimental to business interest. When discussing a law, you must always take into account the political forces that drives it adoption process.

This is an equivalent of your call being eavesdropped, EU forcing the operator to remind you every 60s that they are listening and you getting upset that the EU made calls so annoying.
But I'd rather they ban eavesdropping not make my call really annoying.

Not a well thought through law and clearly needs an update to restore usability to the web

Yet you are happy enough to stop at "the intention was good".

I imagine you smiling happily every time you have to click "set cookie preferences ... reject all".. ahh good old EU looking out for me, how wonderful they made things.

> Not a well thought through law and clearly needs an update to restore usability to the web

Show me where GDPR talks about browsers or cookie popups.

> Yet you are happy enough to stop at "the intention was good".

No, I'm not. I want the EU to slap the maximum possible fines on the biggest perpetrators, as defined by the law.

> I imagine you smiling happily every time you have to click "set cookie preferences ... reject all".. ahh good old EU looking out for me, how wonderful they made things.

The cookie banners you are complaining about are illegal, read the EU law directive [1], it states pretty explicitly:

> Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

It's not the fault of the EU law if companies decide to act illegally. Blame the fucking companies, they are the ones making you miserable.

[1] https://gdpr.eu/cookies/

Basically EU made sure you are aware that you are being spied upon, that your personal information is being harvested and sold for marketing........and you get angry at the EU?
What is your proposed policy alternative?
Users can disable cookies on their browser if they care about limiting tracking and website functionality.

Or if you insist on regulations that burden every website operator, how about the user ticks a box in their browser once e.g. "I do not consent to cookies regulated by EU Cookie Law" and then that choice is sent in the header of every web request, and website operators are mandated to respect it (and NOT show a banner asking for consent every time the user visits!)

What if the operators don't respect the header? Well, what if operators don't respect the user's responses to cookie consent popups? We're relying on operators doing the right thing in both cases, and the EU cannot guarantee either approach will work.

> Users can disable cookies on their browser if they care about limiting tracking and website functionality.

You seem to be deliberately ignoring the fact that cookies are necessary for normal website functions like logging in to a user account. And also the fact that those types of cookies do NOT require a consent banner.

> how about the user ticks a box in their browser once e.g. "I do not consent to cookies regulated by EU Cookie Law" and then that choice is sent in the header of every web request, and website operators are mandated to respect it (and NOT show a banner asking for consent every time the user visits!)

I agree, that would be ideal. I hope it comes in the next version of the ePrivacy directive.

> What if the operators don't respect the header? Well, what if operators don't respect the user's responses to cookie consent popups?

That's what law enforcement is for. A common critique of new EU laws is that the enforcement is lax at the beginning. However, it ramps up over time and is a one-way ratchet. The EU is like a massive ship with huge inertia. Changing course takes a long time, but once it gets going, you better not be in the way.

By the way, we saw this with those highly infuriating and illegal cookie banners that hide the option to deny cookies behind many clicks. The regulation clearly says it should be as easy to consent, as to not consent. And most cookie banners I see nowadays have an easy opt out button.

> The EU is like a massive ship with huge inertia. Changing course takes a long time, but once it gets going, you better not be in the way.

Yup, Europe is so lucky to have this stubborn, inertia-ridden juggernaut in charge of dynamic and innovative technology like the Internet

Well, I see your point. I also partly agree, in some cases it would be better if the law could catch up to new technologies faster. On the other hand, people here tend to value stability over novelty.
Won't somebody please think of all the "dynamic and innovative" ways that tech companies want to track users with? Curse the EU for putting the brakes on this!!
> And most cookie banners I see nowadays have an easy opt out button.

...which you have to click EVERY TIME you visit nearly every website on the web.

What a great success for usability.

That's entirely the website operator's choice. They could store that preference as a technically required cookie. But they choose to bother you every time. As we discussed, legally mandating a DNT header would be better.
> What a great success for usability.

Forced onto us by the site operators (directly, or via their "partners"), not the regulations.

It is called malicious compliance. In fact many of those popovers are not even properly compliant in various ways (usually breaking the "as easy to opt out as to out in" mandates, to give the most common example).

If you are angry at "cookie laws" and/or GDPR, you are angry at the wrong target.

That's the Do Not Track header, and the moment it was implemented in browsers it was used to track and spy on people.

I guess that, too, was the EU's fault (and not the industry's).

The EU could have enforced DNT, just like how they enfored the GDPR.
The main problem with GDPR is precisely that it's not really enforced. Had it been enforced properly, we wouldn't even have this conversation :)
Nope. (Also IANAL)

- EU Cookie Law is "tell people you're using cookies". And with GDPR it became "if you use that data strictly for the operation of your website, you don't need anything at all"

- GDPR is: if you want to collect more data, and track people, and sell/send people's data to third parties, you have to ask for their consent in a clear unambiguous manner, with opt-out being as easy as opt-in.

The industry's response to that [1]?

---

We value your privacy.

1498 partners

We're building a profile on you

GDPR made us do it

Agree to all

---

And the gullible devs gobbled that up and blame the law for their own industry's failing.

[1] https://twitter.com/dmitriid/status/1733421877119324609

No, ePrivacy article 5(3) always had an exception for strictly necessary purposes, with clear guidance of what it means from DPAs and WP29 (now EDPB). I agree with the rest of your message though.
> Even functionality such as remembering user region, or allowing the website to improve performance and UX using simple analytics requires consent.

no, it does not

IANAL but my understanding is that if a cookie is strictly necessary for functionality (such as a login token or storing the region the user explicitly selected) then no consent is needed.

"improve performance and UX using simple analytics" I don't see how performance requires persistent analytics. This smells like a flimsy justification or perhaps "we always did it this way" rather than strict technical necessity. You can send events from a current session without keeping state in the client. And if one truly cared about performance, there's a lot of fat to trim from many commercial webpages that shouldn't require any analytics at all, try opening a profiler first and notice how much time is spent on loading all the analytics stuff.

I think you might be reading improve performance to mean “page speed optimization” rather than “profit making optimization”.
This is correct, its not needed for good performance, and most things websites require cookies for dont require the disclaimer, with two caveats. First its pretty clear from the law what requires it, but what if you are wrong, what if corp requires legal to sign off on the engineers statement that it is legal, its not like you gain much from not having the disclaimer, and second, most freemium analytics (e.g. googles) and all ad related services do require it.
> its not like you gain much from not having the disclaimer

Then the "popups" (which aren't actually popups) aren't actually as onerous to users as the web developers on HN would have us believe.

Seriously, I never hear common people complain about it, only people in the industry who have a commercial stake in tracking people without consent

> s ENTIRELY the fault of the EU "Cookie Law"

i profoundly disagree. the cookie law+gdpr did not force the websites to show their obnoxious overlays, they do that in order to confuse a part of the users and make it hard do not opt in. they could have used a simpler way to show the information, or, you know... not sucking every information about you they can, which would have not created the need to show anything.

edit: maybe it's not well known exception, but cookies that are mandatory for the functionality of the website (and are not used for tracking) do not have to pass through the opt in process. for example, the session cookie for the login functionality.

> I repeat - the cookie consent popups, and the resulting de-sensitisation of users to genuinely useful warning popups - that's ENTIRELY the fault of the technocratic leadership of the European Union.

Repeat as much as you like, you're still wrong. Note that this website you're currently using doesn't have one. Neither does github.

> Even functionality such as remembering user region, or allowing the website to improve performance and UX using simple analytics requires consent.

That's the point.

I've seen analytics data. Looks neat. Definitely doesn't need to be granular to the level of individual users.

Also, given how badly I'm categorised by even the giants like FB, I simply don't believe this data is half as useful as it seems from the shiny graphs coming out of most analytics software.

You might have seen this already, but this was "fun" for me to go through: https://how-i-experience-web-today.com/
It's ironic that my password manager also added to the noise. The one thing I do control makes it even worse.
I haven't seen this before, that's awesome!

But even there I feel like the cookie banner at least offers some benefit to me, whereas all the other modals asking to send me notifications, subscribe to stuff, register here, follow us there, are completely superfluous and we should push back against those first.

At least they're trying. You mention cookies but, for instance, the free phone roaming was a masterstroke. I could also talk about how it costs only 55 euros to apply for a residency visa for a family member, including your girlfriend/boyfriend , and is pretty easy to get. Compare that to the $8,000 application fee for a spousal visa in Aus.

It's good having the EU as a counterpoint to the US in terms of regulation. It's not always going to work perfectly but it's worked fairly well over all.

> The rules require spare parts to be available at reasonable prices, and product makers will be prohibited from using "contractual, hardware or software related barriers to repair, such as impeding the use of second-hand, compatible and 3D-printed spare parts by independent repairers," the Commission said.

This sounds like it would stop Apple bricking phones when they are repaired using 3rd party parts (screens/cameras etc) but I wonder if they'll claim they are "Security related barriers" and therefore exempt?

I take it to read that Apple has to provide 3rd party repair shops with parts, and not do some weird stuff to prevent them from replacing those parts, but I don't see it necessarily requiring Apple to allow 3rd party spare parts.

The wording is weird, I can see the issue with second hand parts, but Apple will probably attempt to claim that a 3rd party part isn't compatible, due to the security features.

This is not the wording from the legislation, just a rough verbal summary.

I do not see any direct requirement to allow third-party parts, but the document does require providing repair-shops with documentation and parts at publicly known (and presumably same) prices. It also requires repair service to be available as long as it is technically feasible.

That is, if your screen is cracked, a third party shop will have original screens to install, and Apple will have to offer the service even if you have an unoriginal battery - which they otherwise use as excuse to not perform any service whatsoever.

Maybe I'm missing the part he was referring to about allowing third-party parts as well.

> It also requires repair service to be available as long as it is technically feasible.

If that is to be taken as how most technically minded people read it, that is a LONG time. A repair may not be financially feasible for more than a few years, but it is technically feasible for a very long time. If a type of screen no longer produced is may still be technically feasible to start up a new production line. The normal way to deal with this is to have stock of spare parts, but that goes against everything Apple and Tim Cook believes in.

It is not intended to be pedantically interpreted in the way where everything is technically feasible, and the long legal text outlines examples of something not being feasible.

The goal is solely to not decline repair for arbitrary reason, such as "we won't replace your battery because a moisture indicator has tripped" or "someone else had touched this so we won't look at it".

Even if this wasn't clear, imprecise wording is not a carte blanche to interpretation on this side of the pond - a court of law will only entertain reasonable interpretations from legal ambiguity, and "spend millions rebuilding the factory" is obviously not a reasonable response to a single phone repair request. However, within the specified time period they must ensure spare parts are available, and thus must not shut down manufacturing prematurely.

I'm sure they will claim it, but it won't work. EU is a vindictive bitch when it comes to enforcing stuff like this.
>they'll claim they are "Security related barriers" and therefore exempt?

Why would it be exempt?

The obvious cynical ploy is extending the EULA idea and apple becoming a phone leasing company. Going from hardware you don't really own, to hardware you really don't own.

> The obvious cynical ploy is extending the EULA idea and apple becoming a phone leasing company. Going from hardware you don't really own, to hardware you really don't own.

I'm afraid that's sadly the way to go, because it aligns incentives... It incentives Apple to make the most robust and repairable devices, and to maintain software as long as possible (BTW that's the business model of Commown, a cooperative lending smartphones, which IMO is good).

An example of this business model being good for long-term support are the HGW and STB in France: They are all lent by the operators, and have stellar support and maintenance. The best-in-class example there is the Freebox Revolution. STB and HGW released in 2011. Running Linux 5.15 in production, upgrade wip to 6.1 (and of course further is planned). Still receiving new features. And they are still being shipped to new customers 12 years later (at reduced pricing of course).

(Please note that simply lending the device isn't enough, you also need actual competition in the market. An US operator lending a HGW has no incentive to keep it working at all since they are usually in a monopoly anyway...)

I wonder if this also applies to supplies like print cartridges. Would put an end to the practice of HP and other printer manufactures.
Two year warranties after purchase are already common throughout the EU, and so are warranties upon repair. What this directive appears to do is make the former also cover replacement throughout the warranty period, and extend the latter to one year instead just a couple of months.

"which would then come into force 20 days after it is published in the Official Journal of the European Union"

One important detail...

EU directives don't come into force until they are translated/incorporated as law in each member state, which can take years. This is unlike regulations (e.g. GDPR) which don't require local incorporation.

In EU, most items are under 2 year seller warranty. When the buyer makes a warranty claim, it may be resolved by repair, replacement, or refund. If I understand correctly, the article says that when the warranty claim is resolved by repair, and less then one year remains in the warranty period, the warranty period is prolonged to one year. Do I understand it correctly or does this cover also post-warranty repairs?
Nope, it's specifically for repairs done during the warranty.
Listen, I get it. It would be amazing if every product was of perfect quality, highly repairable, had an instantly available supply chain of spare parts, was 100% carbon neutral, had zero profit margins, could turn itself into gold, and was in fact free!

Am I the only person who is skeptical of how this will turn out long term?

Not every company is Apple with insane profit margins and insane economies of scale.

The only rational outcome for this is increased prices, less choice, more corporates merging into giants, and less competition for EU consumers. You can’t change one side of the economic equation without affecting the other.

CSR left to the altruism of companies motivated solely by their shareholder returns is a puerile fantasy. It's like that old adage from Upton Sinclair “It's difficult to get a man to understand something when his salary depends on not understanding it."

We've tried leaving it to private enterprise - and seen that the rational outcome is eWaste and planned obsolescence. Now we try it the EUs way - which is focused on Societal rather than Economic results, much to the dismay of many US Commentators - and which also has supporting legislation to ensure more rather than less competition for EU consumers.

If a company can't manage their BOM and supply chain sufficient to offset the larger societal cost, then their business model is nonviable. We've already introduced the "Waste from Electrical and Electronic Equipment (WEEE)" act which enforces things like Retailers taking responsible for recycling eWaste on-demand from Consumers, and making it harder for exporters to disguise illegal shipments of WEEE.

https://environment.ec.europa.eu/topics/waste-and-recycling/...

You're falling for the original sin of central planning..."if it reduces competition, we'll just create legislation to ensure more competition!" I'm sorry. It just doesn't work that way.

I'd recommend looking into some of the classical failings of centrally planned economies. You don't even have to look beyond Europe, there's numerous "fun" examples of communist and/or dictator-driven central planning (USSR, Yugoslavia, Albania, Spain, etc).

What's Godwin's law for discussing European legislation with American Capitalists?

"As an online discussion about the EU grows longer, the probability of a false-equivalence with Communism being made approaches 1."

Simply put, it works exactly the way its intended - with a legislative lag due to fierce lobbying. The song and dance made about EU Foreign Subsidy legislation in Q4 of last year is testament to exactly that

https://www.wsj.com/articles/multinationals-slam-new-eu-fore...

Or we can look at the €8 Billion in anti-trust Rulings against Google - like in 2017, where it was found guilty of abusing market dominance and was fined €2.4 billion.

Or how about in 2018 where they fined them €4.8 billion over Android and mandated the following which were implemented in October 2018?

* Charging a licensing fee for the store, without requiring installation of Google apps, but making it free to pre-install the Google apps if they want.

* Allowing Google's hardware partners to market devices in the EU that run rival versions of Android or other operating systems.

* European users of Android phones are given an option of which browser and search engine they want on their phone at time of setup

> Rules also ban "contractual, hardware or software related barriers to repair."

Wonder if that includes trains? ;)