It's impossible to foresee everything, including the amount of malicious compliance.
In the end we are better off with this legislation and its future iterations and additions than we are without it. The extent to which people's data is misused is simply ridiculous.
No, people cannot escape responsibility by saying "the law made me be belligerent toward my users". It is intentional choice to use cookies and to make it unpleasant for people.
And use of cookies themswlves don't demand these banners, nor that they be so obstructive. Just don't collect unnecessary cookies or PII, or put in a prominent banner that doesn't overlap the site purpose.
> No, people cannot escape responsibility by saying "the law made me be belligerent toward my users".
Correction: people should not be able to escape responsibility by saying this.
The problem is that right now people do escape responsibility for saying this because the EU is not properly enforcing these new laws.
Introducing a law and then not enforcing it has consequences, and those consequences should have been foreseen. Either the law is unenforceable due to practical constraints, in which case it's a bad law, or the EU is failing to enforce it due to inability.
Hopefully the EU starts putting more focus on enforcing its existing laws rather than creating new ones.
As a reminder, it's the same people in tech we're trusting to build things like chat bots, "AI", cars that try to drive themselves and rockets that try to land themselves... etc.
You have to admit that if these same people can't be trusted to follow a simple "do not track" directive, humanity is in big trouble.
Sadly, we are. I didn't ever think of myself as an optimist until I realised just how pessimistic it is possible to become, as I've learned in the last 5 or so years. Now I realise I was quite an optimistic person, at least by comparison with my present self.
I mean, humanity is and always has been in big trouble. That's why history is full of disasters, mass death etc.
But I don't think it's that developers "can't" follow a DNT cookie. It's that they won't because it doesn't benefit their employer's financial interests.
Making a rocket that lands, on the other hand, does directly correspond to SpaceX's financial interests.
It's not enough to write a law on principles alone. It must be clear and practical to comply and clear how it will be enforced. The EU should not have created a situation where the most practical solution for 1000's of companies is a cookie banner.
In this case, it is just showing that most companies are collecting more data than they need.
You don’t need a banner for the data that is necessary for the service to work at minimum level. There is no role for the consent since the site won’t work otherwise.
How does it show that? Most people I know are annoyed by this and click on "reject" (if they can find it), but for a lot of non-technical people these banners are just a given because they don't even understand the problem. Doesn't mean they don't care
How many "normies" do you know that stopped visiting websites that track them? I don't know anybody who isn't in my tech bubble who cares, and very few normies who would rather pay money than to give access to their data.
None. That doesn't mean they don't care. As I said, most people I know are annoyed by this but take these banners and tracking as a given because they don't understand enough about technology and see them everywhere. And let's be honest here, if you were to stop visiting sites that track you, you could just stop using more or less the whole internet. It's not about stopping to use these sites, it's about stopping those sites from tracking you, which almost everyone I talk to is ok with. The only people I see that defend the amount of tracking happening on the web are commenters online (here, on reddit, etc.). That leads me to believe it's mostly corporate accounts.
To the point: Not using a site is not the point of it. Insert "yet you participate in society" meme
Apple do not track alert resulted in many people saying they don't want it. And of course, had impact on Meta's business.
So if websites presented cookie banners in a neutral way without dark patterns to make Reject difficult, "normies" would reject these, I'm sure.
The close to million users now on https://www.stilldontcareaboutcookies.com/ suggests that there's a pretty sizable amount of people that care less about the philosophy of European data laws and more about just getting on with their day.
>pretty sizable amount of people that care less about the philosophy
How does it show that?
It shows that they prefer to get on with their day over clicking cookie banners. It says nothing about whether they agree with the philosophy of the GDPR.
This is something a lot of people seem to misunderstand about GDPR. At its core it says you should only process people’s personal data within a lawful basis. There are 6, and consent is only one.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
This is true, but the comment you replied to was about the cookie law, not about GDPR. They are separate issues, even if they are obviously related. Cookie law is about not using other peoples storage for usage that is not needed, GDPR is about personal information. You can use cookies for saving information that is not personal but that still would need banners.
The thing is, if you have any of (b)-(f), why shouldn't you also get (a)?
The maximum fine is 20 million euros or 4% of revenue, whichever is higher. Sure, it probably won't be imposed on a first time violation, but why take the chance?
Could you imagine any lawyer advising a company against requiring consent, even if they have some cover because of a legal obligation? Isn't it much safer to deny service to those that refuse to consent?
Sure, it'll annoy the customer, but right now the customer is used to minor annoyances.
> You don’t need a banner for the data that is necessary for the service to work at minimum level.
We were advised by our lawyers (a top SV tech law firm) that we should include a cookie banner in the EU even if we're only using cookies for functions like login. After eventually switching legal counsel (for unrelated reasons), we were told the same thing by our new counsel.
Either EU law covers cookie banners that use cookies for routine functionality, or it's so (deliberately) vague that even top tech law firms would rather everyone add a cookie banner than risk running afoul of the law. Either case validates PG's argument here.
It is indeed quite complex. I would argue that just the login does not need.
1. There are users who will come to your website with specific purpose or expectation of your service.
2. Then there are users who came to website by accident and might just try out things without understanding what is happening.
The banner recommendation from the lawyers is likely for the 2nd case. The users haven't subscribed to the service with certain expectation or knowledge what is expected from them to service to provide what they want. Or they have zero expectations about the service to provide something for their needs.
For example, the login case, the group 1. probably wants to stay logged in if they came to service with expectation of personal service, which cannot be linked to the person without an account.
Or the lawyers just did not understand your service well enough and just said that put the banner be done with it.
For group 2. it is unlikely that someone did not expect or want to stay logged in all the time, but that is for minority and arguable case whether is fair to assume that.
If the lawyers don't recommend you add the banner, and you somehow run into trouble because of it, the lawyers will be blamed. However, if they do recommend that you add a banner and you follow their advice, then they can get some more billable hours by recommending some verbiage for the banner, checking your website to make sure the banner is displayed in a compliant way, etc. And even if you don't follow their advice - people rarely fire their lawyer for recommending caution.
So, how did you ever expect the lawyers not to recommend adding the banner? That's like going to a plumber and ask them if you should DIY or not some installation. Of course they're going to recommend you get a professional...
On the one hand when murders go up because you make using a gun in a crime an automatic 5 year prison term you should have foreseen that possible situation, on the other hand the real bad guy is the one shooting the witnesses.
Yes and no? To some extent, sure. As an example: But if companies or people went out of their way to comply with a law that is clearly not complying with the spirit of the law, just the letter of it, are you really responsible for that? Or are they because they're doing everything to not comply?
Let's say you make a law to reduce working hours from 40 to 37 hours except in "emergency situations". Now a company will force employees to sign off on "emergency situations" every week or they'll be fired. They're clearly not complying to the spirit of the law? Is it really your fault when you make a law like that? I'd say only to some degree, the people trying to abuse every loop hole are much more responsible in this case.
Companies using dark patterns, hiding the "reject all" option behind an additional click (which even is illegal) and even trying to collect all data possible are much more responsible than the EU's law. Oftentimes they are collecting data just because, not even thinking about it, because they'll add GA to their WordPress site without even looking at it or whatever. That cookie banners have become the standard around the web is sad because it just shows how much everyone is trying to track you.
I would expect that most companies would be ashamed to publicly state that they sell your data to hundreds(!) of data providers and they would fix this before they had to disclose it. But nope, apparently the money is too good. And blaming the government is more convenient.
I guess PG's original tweet assumes that cookie banners are a) bad, b) the fault of the EU, and C) unanticipated and unintended by the EU, thereby demonstrating their incompetence.
I can't really comment on what the lawmakers foresaw or intended, but I'd argue that cookie banners are actually a) good, and b) the fault of companies who can't imagine a better way to treat their users.
The reason I think they're good is that they cause a psychological nuisance to users of software which doesn't go out of their way to do them well or avoid their necessity. Over time I hope this will tend to cause an association in users minds that sites with cookie banners are somehow seedy or unscrupulous, like pop-up ads.
I would put it another way. Any legislation against doing something is almost always motivated by someone's desire to do that very thing. Legislation is usually a battle of interests where the legislator, ideally, wants to protect the overall interests of the public when they conflict with narrower private interests. When the narrower interests belong to powerful groups, you often expect to see some struggle, and if the private interests have a way of making the regulation seem more intrusive and annoying than the harm it's intended to cause, they would take advantage of that to sway the public in their favour.
So legislators do expect such a struggle, and the shape it takes may be partly their fault, but it's clearly not all their fault. The more power the private interests have, the more likely they are to find some way to fight the regulation. They will certainly do everything they can to convince the public that the legislators are bad at regulation.
In this particular case, however, websites showing banners are also harming themselves as their competitors now have an interest in not showing banners and offering a better experience -- i.e. the regulation makes it worthwhile not to display banners in competitive situations. So we'll see how this all turns out.
The thing is, the consequences seem to be very much intended. The consequences of forcing companies to be transparent about tracking, and hopefully letting the users start voting with their wallets as they get annoyed by the omnipresent "We Value Your Privacy"-popups (which is very ironic considering all the dark patterns et al that are used to have users get tracked).
If nothing else, at least now people know just how much they've been tracked. One can only hope that this increased consciousness would help people to choose services that don't track people. For example Hacker News doesn't need tracking cookies nor a cookie popup, and it seems to be doing just fine, even in terms of the law ;)
Dumb take. “Just run your business with 10% of the revenue? What’s the problem?”
Edit: to those downvoting, yea, it’s agreed that tracking is bad but the tone of the article completely ignores that a lot of the web’s content depends on this model so if it “just didn’t track” a large swath would no longer exist.
Come on, this is such a ridiculous take. Adding google adsense to a website needs a cookie bar.
That’t not "doing sketchy shit with people's data"
I can’t believe how many people have bought into this EU regulation hook line and sinker. It’s ridiculous, imagine the man hours that have been wasted in the last 7 years just clicking cookie bars. And as OP says, it’s completely unrealistic to not have them.
Advertising is “ground zero” for the cookie explosion because nobody trusts anybody in the advertising biz.
For instance the website selling ads has every reason to inflate view and click count numbers, the ad buyer has reasons to diminish those numbers. In fact if you measure an honest pipeline it is going to look that way because some people drop out at each stage.
One reason you have 87 trackers on a typical web site is that many sites and advertisers figure if they have a large number of trackers they can’t all be wrong.
Site X could show ads to users just fine without third-party cookies but then advertisers would not be so sure about the stats.
Sure, but is that situation worse than other traditional forms of advertising? Are we just saying that the advertising industry is so greedy that they want so much more of the pie than they used to have, that we should enable them?
> Site X could show ads to users just fine without third-party cookies but then advertisers would not be so sure about the stats.
Feels like 99% of people would prefer this. Maybe advertising becomes less effective, but it may actually become more effective if it leads to more ads being visible since they are no longer ad-blocked.
Using anything Google on your website without asking for consent before loading it from Google, is in my definition quite sketchy. It may be either uninformed, no conscience, or not properly thinking about the ethics of ones choices, or whatever, but it is definitely not right and not ethical to do so. I am quite happy with regulations coming down on people and especially businesses, who continue to do this.
Many websites that you rely on would not be around if it wasn’t for Google ads.
You think it’s some sort of choice you have between being tracked or not, but it’s not, it’s between having a fairly decentralised internet or not.
And unfortunately with recent google SEO changes almost all small blogs at this point have been wiped out. Googles own properties, Reddit and Quora, and large websites like NYT and CNET are the only websites left in search rankings.
Do you mean a generalized "you", as in general Internet using population, or do you mean me in particular? If the later, I would ask, how you know what websites I personally rely on and perhaps state, which sites you think those are. I am quite far from the norm in that aspect, but maybe there is something I can further cut away.
You attributed a medical diagnose to me for saying something that is possibly uninformed. That makes me not ever want to have a conversation with you again.
Just food for thought...
Turns out you were the uninformed one. From the context through parent posts you can clearly see this was about a website using google adsense and by that, the company sells my info to an external (google) which then tries to take advantage of me to extract money from me.
That is what I am talking about and I think this was clear from the previous posts.
I think you owe me an apology
“ Turns out you were the uninformed one. From the context through parent posts you can clearly see this was about a website using google adsense and by that, the company sells my info to an external (google) which then tries to take advantage of me to extract money from me.”
This is not how it works. You might not be medically delusional but you are saying things that are not true.
> That’t not "doing sketchy shit with people's data"
Of course it is. If you add AdSense to your website you are letting Google track your users in exchange for a cut of the profits. Of course you should have to warn your users that they are being tracked at the very least.
Please do not bring American two-party politics into this, especially in a way that has nothing to do with my comment and provides no insight or opinion beyond "liberals bad".
Imagine a market in which companies charge a lot of hidden fees behind their customers' back, and users are not happy when they realize after the fact. The law is updated to say you are not allowed to charge the user a fee unless you tell him in advance.
Companies with tons of hidden fees decide to keep them but force you to read all the fees on every page of the menu before you can see the rest of the text, in the most annoying way possible, and promote the idea that the issue is not the extravagant fees, nor the fact that the companies hide them before and had to be forced by law to warn you about them, no the problem is a law that force them to tell you what you're getting into before it's too late !
That's, essentially, what's happening. And we have people complain that companies need to display their fees.
On this issue in the group that complain about the cookie law there are some people who are very wrong on purpose because it's in their interest, and some people who are very wrong because they genuinely don't understand the position they're defending, complaining about being made aware of the fee, instead of the fees themselves or the fact that the companies hide them if not forced by law.
To each their own belief about which category PG fits into.
> Not only that, I'm not an EU citizen and I'm not browsing websites based in EU but I'm still bombarded with cookie banners non-stop.
Again, that's the fault of the companies putting those up, they could make it opt-in to collect your data, they could just put a small notice on the footer with 2 simples links "Accept all/Reject all". But they chose, they decided to pester you with those banners as annoyingly as possible to make you have exactly the reaction you're having.
The law is pretty crystal clear. In many cases the issue is that websites are outsourcing their tracking to ad companies, which in turn apply those banners indiscriminately because that's in their interest.
That being said, all the dark-pattern banners actually break the law. The problem, if anything, is lack of enforcement of the law.
The law is pretty crystal clear. In many cases the issue is that websites are outsourcing their tracking to ad companies, which in turn apply those banners indiscriminately because that's in their interest.
You think a small company should roll their own tracking software? A mom and pop website that wants to track its conversion rate on its little eCommerce site?
So the problem is that the legislator did not expect companies to be even worse assholes than they already were...?
Laws are not borne in a perfect state; very much like programs, sometimes you need a few versions to see how the system actually works in practice and fix a few bugs. The fact that v1.0 has such bugs is not a good reason to just give up, nor it's an indication that the programmer is bad at programming.
All companies? Every single company with a website even if without any trackers or ads?! All companies are evil and the single law that triggered their evil behaviour is good. Sure. Ever heard of Occam's razor?
All companies exist just to make a buck. And in the process they serve us with literally every single product and service we are using every second of every day. They play by the rules we put on them, making their life easier or harder, and in the process making our life easier or harder. Like this bad cookie law.
It is the companies that suck, and Paul Graham is (quite literally) invested in the suckage, wherefore this dumb tweet. Which, if one wanted to create an ad campaign for that eternal Upton Sinclair quote, couldn't have been done much better.
"this is what you get for trying to handle us with kid gloves" is an understandable reaction/blowback from advertisers but I don't think it's something we should be giving any real weight or merit.
it's also generally an indictment of the modern neoliberal regulatory approach in general. asking people nicely to follow train safety regulations etc isn't going to get you results. even fines/penalties largely end up just as cost-of-doing-business (even in the EU). if you really want behavior to go away, make it illegal and give people at the top Sarbanes-Oxley-style legal culpability if it happens on their watch.
again, if you want to know the right way to set incentives so that people don't do a thing, you need only look at the way rich people want their money handled. you can bet that ripping off rich people is an ultra-mega-crime and doesn't just get a 1%-of-the-takings slap on the wrist. And lo and behold SOX does actually hold important people accountable as a result, not just some fall guy at the bottom.
For your first point I disagree, my companies don't track and we don't have banner cookies.
On your second point, that is again a choice of said companies, not a problem with the law. The GDPR has proven very well that if they cared, they can segment who is affected or not, and not just big tech lots of random local news site and the likes are doing it just fine.
Do you have /any/ examples of websites that don't have a bunch of 3rd party cookies that still have a cookie banner?
Middle managers absolutely love anything with charts and graphs because it makes their decisions feel more scientific. That's why they want tracking software included on their websites. And if the law requires disclosure then a cookie popup is the solution.
Germany is a bit litigious w.r.t. internet or privacy, so the combination---cookie consent---is a doozy. Nearly every German website that does anything will have a consent notification, and the slightest misstep (e.g. using Google Fonts without asking permission) can be punishable.
True, I hadn't noticed that at first glance, and I didn't see that as a third-party cookie in my site data. Nonetheless, I regularly see cookie warnings on sites with purely first-party cookies or even "just" session storage. (Mostly, I have been alert to this for the past year as I've started making non-personal web sites in Europe.)
My company recently announced a game, and we launched a website for the game. There's no ̶t̶h̶i̶r̶d̶ ̶p̶a̶r̶t̶y̶ e:tracking cookies (I didn't make the site, but I do run it).
Our US based legal team told us we needed a cookie banner if we were going to have visitors in the EU. I pushed back, but I lost, and ultimately it's not my fight.
I don't quite think Cargo Culting is the right label for it. It's not just because everyone's doing it. My experience when legal meets code is that common sense, intent and what is actually allowed go out the window, and cover-your-ass wins. My experience with Legal has been that they default to no "just in case" for every question you come to them with.
It's a battle to get them onboard to not taking the safest possible approach, so you only want to fight that battle when it's a kingmaker of an opportunity.
Yeah, people often approach legal in the wrong way: people often want to ask "is this OK?" and have the lawyers say "yes", but basically no lawyer is going to say that for almost anything. Instead you need to ask them to explain what the risks of different courses of action are and take a view as to whether they are important or not.
That's been my experience, but unfortunately _that's_ where cargo culting comes in. As part of $NEW_WEBSITE_CHECKLIST we have to "check with legal" which inevitably involves a laundry list of stuff like this, and the default is to accept what legal says, unless we _really_ don't like the answer at which point we're going to do it anyway...
Legal counsel is there to advise, not to design product UX. Some companies have bonehead policies like “you must develop whatever Legal advises” but that’s a choice the company is making. Sensible companies treat their in house counsel as advisory, and weigh the risks like they would weigh any other risks.
you're right, I said third party, but I actually meant tracking. I actually went and checked, and our only cookie is the cookie for if you've seen the cookie banner or not...
> Consent may be required even if there are no cookies at all.
>Our US legal team said that we need the banner if we have visitors from the EU, not if we're tracking them.
This actually makes sense - because if you didn't have the cookie banner then some fucking weirdo would come to Hacker News and make a self righteous post about how you're "tracking residents of the EU without their consent and abusing them" (even though you're not). Instant karma. Next thing you know these weirdos and their mob are reporting you to their government and you're dealing with government inquiries and more legal expenses trying to prove your cookie-less web 1.0 site doesn't "abuse people."
Do you have any basis at all for such an absurd claim? The law actually works in the opposite direction (kinda):
You may use "legitimate interest" cookies/tracking without saying so, but as soon as you show a privacy dialog you actually have to disclose everything you're doing including legitimate interest.
Basically by having a list of what youre're doing with your user's data you're giving up your right to do anything not listed.
GDPR actually doesn't specifically mention cookies at all. Tracking is what's illegal, not cookies.
Let's say you keep website logs with IPs on them, and you do analytics for non-essential purposes. You can do this under GDPR, but you must gain consent from the user before logging this PII.
It actually is completely and totally orthogonal to cookies. Some cookies are fine without consent. Some things that are not cookies are illegal without consent.
Which was probably written (even if not by the legal team, but someone they consulted) with an eye towards keeping more data than legitimate interest allows under GDPR.
Aggregate data is not considered personal data by the GDPR.
Managers and everyone else can have charts and graphs without retaining personal data.
The processing of personal data prior to anonymisation to turn it into aggregate data, that part needs protection. But you can do it in a variety of ways that don't require personally invasive tracking.
Sure. The nightmare is that every single time you open the browser on a website you have to go through the data tracking preference for that website. It's a lot of work to avoid being tracked (companies are obviously using dark patterns there) and when you do it 20 times a day it gets frustrating quickly and collectively a big waste of human time.
Now I am not saying the US doesn't have a problem. They just don't have GDPR and most website don't ask you for any permission to track you. So the experience is generally smoother (with the occasional tracking popup).
Ideally there should be a way for me to broadcast my willingness to share my data and not allow dark patterns to try to change my opinion. But the GDPR does not cover that and allows websites to drive you crazy until you click "YES, Track me"
I think your problem is that you're accessing US websites from Europe, since those are what you know. European websites are a lot less annoying, they actually care about the customer base here.
If you are using a browser provided by an ad company surely being nagged to death to provide data they can sell is the expected outcome? You could use Firefox, which can disable most cookie banners [0].
The post is dated 2022. The feature became generally available in v120. Stable is v123, so it is available now. It's gated, so you still have to enable it as described in the post.
It's crazy how censored the internet is too, you need a VPN to access even piracy adjacent sites in Germany. Unheard of that an ISP would block a website in the US without the FBI itself taking it down.
> On this issue in the group that complain about the cookie law there are some people who are very wrong on purpose because it's in their interest, and some people who are very wrong because they genuinely don't understand the position they're defending, complaining about being made aware of the fee, instead of the fees themselves or the fact that the companies hide them if not forced by law.
The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking are having to click away an annoying popup, and think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.
This is addressed in the article. They could track you, with your consent, in many different ways. The fact that they are choosing to force this cost upon you is what is ridiculous.
> The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking are having to click away an annoying popup
The you should doubly blame the companies, because that's what do not track was for, they're the one who decided to make it not work that way and instead being ignored and not considered a valid option for the law.
> think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.
You don't need a cookie for that, and what GDPR has told us is that we're not talking of that but about dozens or hundreds on every major sites so trying to frame it that way is disingenuous.
"Number of visitors" does not constitute tracking. The tracking in question here is to discover who you are specifically and the absurd amount of detail about your online activities collected and shared with data brokers for aggregation and resale.
A few of these cookie prompts during the day and they'd be able to tell everything from where your kids go to school to the kind of prn you prefer to watch on weekdays and everything in between.
I used to work at an online video advertisement company, you'd be horrified how much information we tracked across all the ads, especially since the ad was played with a special media player "plugin" loaded inside the other media player.
This is how ad companies can sell premium views, don't show cosmetics to men, increase car related ads to people who has watched other car related ads and so on.
There's no such thing as server-side "private browsing".
> This is how ad companies can sell premium views, don't show cosmetics to men, increase car related ads to people who has watched other car related ads and so on.
It's really not. They already could do all that before cyberstalking was normalized. It's called content-based profiling, and it doesn't require any GDPR consent.
The ad companies wanted to aggregate information across multiple channels.
The example about "show more car ads to someone who watched other car ads"? It's not about showing car ad on a site whose content is about cars (or where the site owner decided they like that kind of thing).
It's about knowing you have wandered over to car comparison site recently so they can show you car advertisements when you look up sports news, show car-related merchandise when you're browsing some shopping site, show you insurance ads, etc.
Honestly I don't mind them collecting this data, what is really infuriating is the fact they won't share it with me. I would love to know what kind of porn I prefer on weekdays. I think they shouldn't be allowed to track anything with consent or without it unless they share all the data with the subject of spying.
And aside from that, I think it should be much more expensive to say sorry than ask for permission. In my world a firm like facebook should not have any right to exist, they earned it. Fine them to oblivion just like I would get a long time behind bars if I wouldn't do my taxes right.
I call BS. Give me your email password and your browser history and I'll share everything I learn about you with you. I'll also keep it and share it with whomever else I want to, but I'll definitely share it with you, too.
> people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous
Is counting visitors all that sites are doing with tracking info?
They're not selling it to ad brokers, insurance companies, governments? They're not matching your name, address, and phone number with your web activity (including sexual interests, "anonymous" embarrassing stories, health concerns, etc)?
> The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking are having to click away an annoying popup, and think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.
I agree that wanting to know the number of visitors is benign and it is not abuse.
But saying companies should be allowed to track me (for whatever purpose) across the web without my consent is also pretty ridiculous.
I've stopped going to Ars Technica exactly because their cookie pop-up lets me know that Condé Nast wants to share my data with at least (according to the popup) 159 partners.
They have so many "partners" that their cookie popup comes with a search bar.
56 of their "partners" want my precise geolocation data!
16 "partners" want to actively scan my device!
101 "partners" want to "match and combine data from other data sources" (I can't disable or object to this)
102 "partners" want to identify my device. I also can't object to this.
The only way I can really object is to close the tab, so that's what I do.
Well, different people want different things - I'd rather spend a millisecond to click 'refuse' rather than let them track me - out of spite if nothing else. Yes, cookie banners are annoying; the dark patterns within cookie banners (you need multiple clicks to get to the 'refuse' button while the 'accept' button is right there in your face) are even more so. But honestly - screw them.
Hidden fees are bad because of the specific combination - the hiding, and the fees. Since tracking isn't hidden and isn't a fee, the analogy doesn't help to justify the EUs law.
People should have a default expectation that if they give their personal data to companies then it will be recorded. And if they don't want cookies then they should disable cookies. The EU's regulation hasn't revealed anything that is useful to know about.
Tracking is certainly hidden if you're not a programmer, and is certainly a fee if you value your time. Not all people live in low-trust societies or desire to.
People don't "give" their information to trackers, it's collected without their knowledge. I don't think most people expect the kind of things trackers collect is being collected.
Agree. How much corporate propaganda are people consuming that legislators are seen as wholly responsible for the bad behavior and malicious compliance actions of corporations?
What does it say about the relationship between businesses and consumers that the first response to this bad behavior is to shout "look what you made them do!"
Seemingly it is everyone's fault except the bad actors themselves.
It's so depressing. Many of the people who are pointing the finger at the regulators for the annoying cookie banners don't actually see the web site/app *as* a bad actor. The fact that they had been tracking tons of extra data via cookies without their consent or knowledge was totally fine to them as long as it wasn't inconveniencing them in any way. The cookie banner is an inconvenience to their mindless consumption, so NOW it's a problem and they just don't care what the solution actually is as long as the thing goes away.
I've seen this attitude from tech people, too, so it's not just a matter of tech ignorance or illiteracy.
> The cookie banner is an inconvenience to their mindless consumption,
It’s an inconvenience to people who care about privacy and use browser configurations that don’t store state between visits.
So now in an attempt to protect regular users, the law ended up hurting users that already cared.
Additionally, the shadiest and incompetent sites still just track people with no cookie banner. So the law doesn’t really provide protection against uncooperative parties, whereas privacy technology does.
> It’s an inconvenience to people who care about privacy and use browser configurations that don’t store state between visits.
>
> So now in an attempt to protect regular users, the law ended up hurting users that already cared.
Fair point about the banners mostly "hurting" users who care about privacy (but, really though- how much does it really "hurt" you? I'm "hurt" more by the fact that I have to fold laundry several days a week).
But, I take major issue with you saying that the LAW ended up hurting users. Companies are under no legal obligation to make those banners as obnoxious as they are or with so many dark patterns (I sometimes don't know if I'm even enabling or disabling tracking with the way they word it). That's squarely on the web site owners pulling that nonsense.
> Additionally, the shadiest and incompetent sites still just track people with no cookie banner. So the law doesn’t really provide protection against uncooperative parties, whereas privacy technology does.
I agree that the only/best way to protect yourself is via technology and not by relying on people obeying the law.
However, if this is also an argument against having the law, it's an incredibly weak one. You can apply that logic to argue that NO laws are effective. People still murder even though it's illegal- must be a bad law, no?
> Companies are under no legal obligation to make those banners as obnoxious as they are
Actually every single lawyer we asked about implementing GDPR advised us to have one of those obnoxious banners. Because the law is so ambiguous and the penalties so high that is better to play it safe. And we have no ads nor tracking at all on our product website.
You can ignore your lawyer's advice if you want, but it's a bit like a lawyer office ignoring my data security and backup advice: assuming a huge amount of risk.
If you are using cookies for user preferences/settings, then they require consent. If you are only using cookies for session information (like a shopping cart), then you don't have to get consent. Your lawyers know this.
Frankly, I doubt the veracity of this anecdote. But even so, I'm willing to bet that the lawyers in this story did not tell you that the banners have to cover half the screen and have ambiguous wording to intentionally confuse visitors to your site. When I say "obnoxious banner" I'm not being redundant: not all banners or popovers are "obnoxious".
Are you a lawyer? Are you willing to assume the liability I may incur if I follow your advice? Or are you at least a business owner/manager who's had to deal with this crap?
Or are you in the peanut gallery willing to believe that there is some conspiracy where all websites have suddenly decided to obliterate their user's UX when GDPR appeared just because they are evil?
I live in the EU and I can tell you: ALL banners/popups are obnoxious. They ALL get in my way when I want to do something entirely different. As a (non ad/user-tracking) business I would never afflict them on my users if I had a choice.
The productivity loss here in EU since the GDPR would be staggering - if there was much productivity to begin with, of course.
The GDRP is about all kinds of tracking, of which things you can block locally at the browser level is only one part. So yes, even those users that already cared enough to block/discard cookies benefit.
I only got a cookie banner on the first of those links, and as far as cookie banners go it wasn't very annoying; I clicked "no" and it went away immediately.
"I would like website operators to assume that I consent to being tracked, so I'm annoyed that website operators are not allowed to assume that everybody consents to being tracked."
A site can serve ads without tracking (and the banner) - the ads just couldn't be targeted at individuals. Instead they'd have to guess what ad was appropriate ("Rolling Stone" could serve everybody ads for Taylor Swift's latest album without a banner, etc).
This is contrafactual. Many things survived on exact that model before hyper targetted ads. And besides, with targetted ads the middle men take most of the cut.
>> A site can serve ads without tracking (and the banner) - the ads just couldn't be targeted at individuals.
The biggest problem with online advertising is not tracking users. It's a lack of trust between advertisers and pretty much everyone else. If you're going to pay for an ad, you want to be sure it was seen by a real person. I'm not sure that's the concern any more because click-through is more important than "seeing" an ad. Regardless, the goals are to make sure it's easy for a given advertiser to get on many web sites, easy for a site to get ads, and also possible to prevent fraud since there will obviously be multiple parties involved.
I suspect tracking users was an offshoot of just verifying that users were real to prevent fraud in the ad world. Not saying any of it is OK, but it seems like the way to prevent tracking is to find a way to verify authenticity while also preserving privacy.
> ("Rolling Stone" could serve everybody ads for Taylor Swift's latest album without a banner, etc).
And that would be fine, as long as Swift was willing to pay for it. But the tracking and personalized ads thing was a numbers game; personalized ads have a higher conversion rate, thus are more valuable, thus we need data to personalize ads.
That was your choice in the end, but this was the problem - people didn't have the choice, or the awareness. The EU law fixed this, but instead of corporations going "Hmm, maybe we shouldn't track users", they instead went with malicious compliance and implemented annoyances - because data is more valuable for a lot of websites than whatever said website is peddling.
If it only were that simple. When the GDPR came out, a lot of confusion and misunderstanding ensued. Not only regarding the damn cookie banner. Even totally legitimate health-care providers started to collect signatures to be on the safe side. I still rememeber receiving a basic GDPR training where we were told that opt-out/signing is only necessary if the entity is planning to do weird stuff with your data. IOW, if someone wants you to sign, they plan a bad move. Then my bank wanted a signature. And a month later, one of my healthcare providers wanted a signature. After a chat with him, I learnt that his lawyer told him to collect the signatures just in case, and made him believe that if someone doesn't sign, that is a problem.
So now we have this situation where providers were trained to play the GDPR in such a way that they will never have a problem, no matter what they actually do with the data.
And consumers are pissed because they are made to sign things which essentially reduce their rights...
And if someone (like me) thinks the EU did a half-assed job there, the downvotes rain in.
The same people also complain they cannot use by default said websites unless they share all their personal data with them. Half-assed, indeed the measure is. But it also reflects the majority thinking, unfortunately. So unless there's some popular pressure to full-ass the measure, we will still have banners and misused personal data.
I kinda hate saying this, but Microsoft (or at least github) got it right in a week. Some OSS publishers also got it right, like nexedi, and some i'm sightly upset with (gitlab) but it is true that for the commercial internet it seems to be invasive. I do not use the commercial internet much, and like any person with greasemonkey, i took a rainy afternoon to remove the most annoying banners (i think now i use a plugin that does it for me).
The fact that you have to use a plugin or other thecnical remedies to fix the cookie banner situation is all the proof we need to see that the EU totally fucked up. It is easy to declare that you just need to install this or that to get a obstruction-free internet again. But it is also very very elitist. Not even 1% of the population is truly capable of handling that.
I use a plugin to block ads. That it also block most cookie consent banner is a positive side effect. It does not block all of them. It doesn't block gitlab banner, or EU website banners, because i think it automagically block cross domain js injection, which, you know, is good because less attack surface, and every browser should do the same without plugin (CORS do not go far enough imho).
That is so wonderfully naiv that I had to laugh out loud. The fairytale of the manager who suddenly is fined big-time for his/her decisions is just that, a fairytale to pacify critics.
> they are made to sign things which essentially reduce their rights...
But not as much as you might think. Consent under GDPR only applies to what you were informed of when you consented, and you're allowed to revoke consent (with prospective effect) at any time.
Yeah, but these are rather theoretical practicalities. In the majority of cases, consent is coaxed out of the consumer. If you show up for a MRI, and you get a piece of paper with the comment "It is for data protection", almost nobody has the time or nerve to actually read the text, and even less people have the inclination to decline to sign. After all, they (sometimes desperately) need the service. Let alone that the accompanying comment is deliberately phrased such that some people will believe they need to sign in order for their data to be protected. Dark patterns all over the place. My bank implemented the consent (for a while) as a reoccuring pop-up after login. Yes, you get the popup as long as you decline to sign it, over and over again. I think they gave up on that practice, and it was partly a dark pattern (IOW, there were two buttons to decline to sign, and one would result in the popup reoccuring). Examples are all over the place if you walk an EU country with open eyes.
Under GDPR, your MRI example and your bank example do not qualify as consent. (For the MRI example, they might be able to claim basis b, but only if they're doing stuff that you could actually have requested.)
I don't feel confident a complaint would be easy to get through. After all, my MRI example is standard procedure, good luck making a case against that. Besides, layers cost money.
would an adjustment of GDPR that forces websites to respect DNT solve the problem? am i missing something obvious? (aside from the pain in the ass that is amending laws) /gen
The funny thing is it's not just corporations. When you open the German state railways' website, somehow you get a GDPR overlay, When you open the German revenue agency's website, you get greeted by a cookie banner on top.
I call upon all German users of this website to write to their MPs! Obviously the German civil service is a bad actor! The German deep state is plotting to discredit our beloved eurocrats and must be shut down! Den Sumpf trockenlegen!
> I call upon all German users of this website to write to their legislators! Obviously the German civil service is a bad actor! The German deep state must be shut down!
I understand the joke you're trying to make but you clearly don't understand the relation between germans and privacy/tracking regulation to think this makes sense.
It's not supposed to make sense, it's supposed to show the absurd position of the post I'm replying to. The less it makes sense, the better.
And I only picked Germany, because it's one of the few EU countries where stuff like that is rigorously enforced. In the rest of the EU, everything unrelated to the common market and/or getting money from the EU is at best haphazardly enforced.
If you want to, check out france.fr, a website maintained by an agency of the French tourism ministry. (After disabling the 3 dozens of annoyance blocking extensions everyone must use nowadays, of course.) What do you see?
Apple is doing the same thing, passive-aggressively doing things like removing support for pinning webapps / PWAs / whatever they're called to your home screen, then backtracking after backlash. Or Microsoft with their browser choice screen or Windows releases without media player. And even those aren't as bad as the malicious compliance of cookie banners.
> How much corporate propaganda are people consuming that legislators are seen as wholly responsible for the bad behavior and malicious compliance actions of corporations
Why do I need to be "consuming corporate propaganda" when I just hate that I need to dismiss banners on every news website, when I didn't have to before the regulation?
I don't care about being tracked. But now that all websites need to cover their asses in response to regulation, I'm forced to figure out which button I need to click on to read content, and these websites don't even appear to save my preferences whether I agree to be tracked or not.
Objectively, the outcome of this regulation is that my experience is worse. Are the companies bad actors? Sure! Sounds like the EU should account for companies' bad behavior instead of forcing the internet to be more annoying.
The experience you describe is the fault of websites which chose to make things that way. The article goes into more detail on this point: There Is No Cookie Banner Law.
It's important to note that we didn't have to go through the banners after the law, either. We only had to go through them after website operators intentionally picked the most disruptive and annoying popup to serve us. We can blame them. They chose to add it when they could have legally not added anything at all.
Again, from the perspective of users, the experience got worse only after websites decided for themselves to add annoying cookie banners. Not after the regulation.
> make them go back to being less annoying
That is a request between you and them (the websites), unless you're talking about legislating a banner-less opt-out, or maybe just willing to file a complaint against the website with a data protection authority, if the banner is already illegally annoying.
Websites have the right to annoy their users with cookie popups, with or without the GDPR (ironically , the GDPR actually has some protections here, websites simply break the law). Unfortunately, it seems many are choosing to exercise that right because they make money doing so.
> Again, from the perspective of users, the experience got worse post-regulation.
Your right, the experience got worse.
But the underlying point is there two ways this could have gone. The GDPR simply mandated that if companies track you they have to get your informed consent. So one way it could have gone is companies didn't track anonymous users.
Notice this doesn't apply to non-anonymous users. By definition once you've logged in you've revealed who are and agreed to a far more onerous privacy statement. So one way companies could comply is just to make you log in to see some content (and track you that way), and not bug you otherwise.
But they didn't go that way. They insist on tracking you regardless. Perhaps you don't agree, but I find this even more annoying because I install tracking blocking extensions and that breaks some sites. To me the world would have been a much better place if they had just gone along with the intent of the damned law and not tracked people who are try to remain anonymous.
To be fair it's not so bad. Firefox dismisses the cookie banners for you [0], and I have extensions that block the worst of their effects. If you are using a browser from an ad company and are complaining about cookie banners (which almost to the man use a deceptive UI to encourage you to accept them all so the ads work better), then I don't have a lot of sympathy. Me rejecting as many cookies as I can then blocking their trackers the worst possible outcome for the web sites trying to garner some ad revenue of course, but shrug, the industry could have acted in good faith, and didn't.
Again, this should have been a >browser feature< instead of a website feature. I trust Safari and Firefox WAY MORE than I trust the website's owners to actually block cookies and protect privacy, as well as implement this in a better UX.
The proper way to have done this would have been to go to the W3C or WHATWG and proposed an extension to HTML for sites to define an opt-in manifest or something similar.
More like a content blocker. The websites can ask, but there's not guarantee the user will accept. Really no different than browsers asking to show popups beforehand.
Are we all such spoiled brats that some cookie banners interrupting our web browsing is all it takes for us to give up and call the malicious companies the winners and the law(s) trying to protect our privacy "bad"?
I don’t think this is strictly accurate. There’s nothing about cookies themselves that makes them a problem. It’s the way they are used. Needing to inform people you are using cookies for sessions is like needing to inform people you are using a fork to eat. The problem is that some people are using the fork to stab people, so now we require everyone to say how they’re going to use it in advance. Instead of just prohibiting stabbing people.
You don't need a cookie banner for session cookie, not in eprivacy nor in gdpr, same applies for all cookies that are "strictly necessary" for the functionnal operation of the website on the technical level. Language selection cookie, "remember me" cookie, etc ... Are all perfectly fine.
I’ve often wondered if necessary cookies could just be carved out and designed (and named) differently to improve handling. You could then just configure your browser to inherently accept the benign <biscuits/bikkies> from a site, which would then only ask for non-essential ones.
The real nirvana, IMO, would be better sandboxing between sites.
Browser based solution not mandated by law but made by the industry wouldn't work, because all 4 major browser vendor makes significant revenues from Ads.
At a time a solution appeared with "do not track", and we ended up with the industry making sure it was as toothless as possible, opt-in, and google pushing hard to control the browser market.
Cookies that do not require consent [...] or authentication cookies (when users authenticate themselves on your web site to log in in order to check online services such as their bank account).
Again: are you a lawyer?! If not, in what quality are you advising businesses how to implement such a dangerous law? Have you seen the magnitude of the potential punishment? Will you cover my fines if you're wrong?
Note that putting a “we use cookies” banner on your website will not absolve you from GDPR fines anyway. You still need to adher to the law about informend consent, storing safely etc.
If you are worried about GDPR, by far the safest is to just not collect personal information.
You are correct: implementing GDPR correctly is much, much harder and more expensive than people realise. Cookie banners are just the tip of the iceberg.
A few things not allowed under GDPR:
1. Analytics
2. Third-party resources like fonts or JS libraries
3. CDNs
4. DDOS protection services
And I am sure I am missing many more. I am not a lawyer, but I worked with a few.
See for example GitHub's statement [1] about no longer displaying a cookie banner. While ironically the blog still does display them, the main site doesn't.
A few places allow you to opt for a spoon instead, or drink right from the bowl without utensils. Note that it's not the customers who use the forks for stabbing; it's the restaurants themselves. To show their goodwill to a customer who does not trust them with a fork, they can offer a spoon.
The further we take this analogy, the more strained it becomes.
Yes, it's natural to use a cookie to track a session; this is a mechanism invented for that purpose. It's much less natural to share this tracking information with third parties, especially along with a record of your purchases or other interesting actions.
But ad revenue is much harder to obtain without targeting and thus tracking. And a lot of places depend mostly on ad revenue.
This is another case of "buy now, pay later" pattern, stretched to "take for free now, pay in loss of your privacy later". In a funny enough way, many people don't value the information they get on many ad-supported sites as highly as the marketers paying to grab their attention, so simply compensating by adding a subscription or one-time payment to go ad-free sometimes does not even work; the more generic / "doom-scrollalbe" the content is, the worse it works.
The fees example is maybe apples to oranges. The fees are a problem because they subvert the pricing information signals needed for the free market. The problem is not the fact that they are charged, the problem is that they are not included in an upfront price display. Were they included in the total upfront price and never specified the users should not care - it's not their business how a company spends their money.
But I suppose that was just an example you picked to illustrate the industry's malicious compliance, and not the main point, in which case fair enough. :-)
The use of secret tracking also subverts the pricing signals needed for the free market. Users aren't informed that the website is subsidized by the sale of the users' information, much less the details of the arrangements and monetary amounts.
If the total price of the website without the secret costs of tracking were presented upfront, it would be less of an issue.
This is a bad example because the market usually fixes this problem. The reason why the market doesn’t fix the cookie banner problem and the reason why this is bad law is because users defacto do not care, it is merely annoying.
There’s a law in California that says that businesses which have chemicals that might cause cancer on the premises need to let people know. That’s great but the levels they set turn out to be lower than what you can feasibly test for and as a result all properties pretty much just put up the signs that say “there might be chemicals here”. The warning is useless and annoying because of market forces which is another way of saying the law incentivized the behavior that occurred.
The market is working perfectly here, if you remember that users are not the customers. Users are the product sold to adtech, data brokers, law enforcement, etc.
For data-harvesting companies users are like livestock, and nobody cares about livestock's opinion. It only matters how much value can be extracted from users, even if it's annoying, misleading, and relies on dark patterns.
Yes, but that "livestock" can vote with their feet. If people cared about this, it would be a good opportunity for new entrants to take market share from incumbents by not using tracking cookies and thus not needing to have the cookie banners. But (to the parent comment's point) that isn't happening because this is not a compelling feature to offer, because people do not care about this, no matter how much we want them to.
I used to think this was just an education issue, that people just didn't understand the implications of privacy concerns on the web. But I no longer think this is the case. I think people do mostly understand, and just do not consider this a priority.
I agree with almost everything you said, except for one thing:
I don't believe the euphemism "hidden fees" helps to clarify the fact that these people are taking money away from people without their knowledge or explicit consent.
We have other more precise words to describe that action. I asked ChatGPT what those could be, here's its answer:
Q: What are some english words meaning "taking money away from people without their knowledge or explicit consent"?
ChatGPT: There are several words and phrases in English that convey the idea of taking money away from people without their knowledge or explicit consent:
Embezzlement: This refers to the act of dishonestly withholding assets for the purpose of theft. It often involves someone in a position of trust, such as an employee, misappropriating funds entrusted to them.
Misappropriation: Similar to embezzlement, misappropriation involves taking something (usually money) for one's own use without permission or legal right, often in a breach of trust.
Theft: Theft is the generic term for taking someone else's property without permission, including money.
Fraud: Fraud involves intentional deception for personal gain, which can include financial deception or stealing.
Swindling: This term implies deceitful behavior to cheat or defraud someone, often involving trickery or manipulation.
Skimming: Skimming refers to the illegal practice of taking cash "off the top" of the proceeds of a business or other source of income without recording it.
Extortion: While not always directly related to taking money without explicit consent, extortion involves obtaining money, property, or services from an individual or entity through coercion or threat.
Pilfering: Pilfering involves stealing small amounts or petty theft, often done stealthily or without detection.
Conning: This refers to the act of deceiving or tricking someone, often for financial gain, through manipulation or persuasion.
Clandestine withdrawals: This phrase specifically refers to taking money from someone's account without their knowledge or consent, typically in a secretive or unauthorized manner.
We here are all interested in hearing your thoughts, so please filter raw chatbot output through them, rather than pasting the output verbatim, which isn't value-added, and can even be negative value, given chatbots' penchant for hallucinating information.
> The law is updated to say you are not allowed to charge the user a fee unless you tell him in advance.
Why not a real regulation then to get rid of hidden fees and heavy fines/jail time for companies that are found to be doing it?
PG's argument (I hope) is that there is no point in talking about "regulation" and "customer protection" if companies STILL get away with their ridiculous and hostile practices.
There is no customer benefit in having user data collection and tracking. Companies do it only to exploit you. Even the usual BS excuses ("oh, we need user data to customize the experience") could be done completely in-device.
I don't want regulatory bodies to just give more hoops for other companies to jump. They will jump it anyway, because it is profitable to do so. What I want is for regulatory bodies to effectively stop predatory practices.
I mean, that would be great, but I suspect that even just here on HN you'd get a lot of people strongly disagreeing with you. Because that would infringe upon the companies' "freedom" to profit in whatever way they see fit—and the people's "freedom" to let their data be vacuumed up and sold for massive profits.
Whether they agree or not is irrelevant. I think that PG's argument is that all the "regulation" and "strength of the EU" amounts to nothing. It's just people pretending to play power games, doing privacy theater and solving absolutely zero problems.
I think this is a good analogy and I agree that the intent of the law was not to force websites to have a cookie banner, it was just the side effect.
What I think we are missing is a browser option/API that lets the user choose the acceptable tracking level. Similar to the do not track header but more fine grained.
As we are missing that, extensions are doing a good job ATM
The flaw in your analogy is that the modal consumer cares about hidden fees, wants to be made aware of them, and might even make a different decision with that knowledge. The modal consumer does not care about cookies.
Imagine you walk into a restaurant and they hand you a paper that details full allergy information for all of the foods they serve, and then they wait for you to say, "I consent to these ingredients being in the food," before they can seat you. I think that's a closer analogy. We can all agree that the restaurant shouldn't hide that information from you, and that some minority of people might want the information, but do we really have to add this inconvenient step to the process for all people? The current real-world system, where allergy information is available upon request, was working fine.
There are some things that everyone cares about and would be appalled by, that businesses should have to inform people about, and many things that a small minority of people care about. Why stop at cookies? Maybe we should mandate a popup if the website's server infrastructure was manufactured abroad, and another popup if the company that runs the website has higher than average carbon emissions, and another popup if the food in the food court that serves the headquarters of the company that runs the website is not kosher. The lobby of people who care about cookies is of similar size to the lobby of people who care deeply about binary size and about running JavaScript. Should there be mandatory popups to execute JavaScript? If the website is >10MB, should I have to consent on a lightweight page before downloading it? How do you determine which activities warrant a popup warning and which do not?
I am not allergic, then I do not need to know about it and I will suffer no damages from not caring. This is not the case for tracking. Tracking can hurt you.
One of the most egregious abusers of this recently got told off for it, I want to say it's IAB, but they're all as bad. Trust arc or whatever they're called deliberately made it as annoying and deceptive as possible. You can't blame the EU at all for a deliberate misinterpretation of the law.
Note that this isn't a cookie law, it's also the EU's main anti-malware law. The principle is that no piece of third-party controlled software should write information to your computer/phone, or read info from it, over the Internet, without your prior informed consent (with narrow exceptions for storage/reads that are needed to provide a service you've asked for, or equally narrow functions like load balancing). This isn't just about browser cookies, but also your webcam, your mic, and the contents of your Documents folder.
The principle seems sound, but the EU is deadlocked over reforms to create some extra exemptions, e.g. for security scans/mandatory updates, or privacy-respecting audience metrics. EU regulators are already sort of turning a blind eye to those, so it's fair to say the EU isn't great at regulating - it's not fixing what society mostly seems to see as bugs/overreach in the original (now decades-old) law.
The standard for browser was called Do Not Track [0], but of course adtech killed it, there is another one now, but unless this is mandated by law or courts it won't go anywhere. Note there seems to be a court decision upholding DNT as rejection of consent [1], but this would have to be much more powerful and broadly adopted to work.
Yes. Although in fairness, the "cookie rule" part has been updated since then. But not anytime recently.
And the GDPR's subsequent entry into force created the current emphasis on how actively (and individually) you need to consent to things, and how much you have to be told about them first. Stuff like "clicking anywhere on this site, tells us you consent" was a lot more common, pre-GDPR
> Note that this isn't a cookie law, it's also the EU's main anti-malware law. The principle is that no piece of third-party controlled software should write information to your computer/phone, or read info from it, over the Internet, without your prior informed consent
So it is a responsibility of the browser vendor to implement this.
No moreso than the OS itself. The real responsibility actually lies with the people causing the remote access (e.g. the website operator, the remote hacker, etc).
The Cookie banners aren't from the browser they're really from the site.
That said, it seems fair to require the browser vendor to implement it. The browser is the one that exposes a method to store data on the machine (ex. Cookies, LocalStorage) so it seems fair that they should know the user wanted data to be stored.
Part of what it means to be "good at regulation" is to anticipate the likely consequences of regulations. So a regulation that says that "businesses must now give away their products for free, unless they honk each customer's nose" will result in a lot of sore noses.
Which is basically the case here. Almost all websites make money through ads, or at least keep logs of user activity to help them optimize their website, and that's not going to change, so the EU's boneheaded regulations make the customers suffer a little extra.
Welcome to my new insurance company! Thanks for requesting a quote (it's free! the quote, not the insurance), my agent will swing by to install a GPS chip while you sleep. We're not doing anything malicious with it, we just give you call whenever you're within 5 miles of one of our locations. We'll put it in the bin the vehicle manufacturer conveniently installed for us to hold all the trackers grocery stores and shopping malls use to offer free parking, which you can of course empty out at any time (it's clearly labeled once you remove the oil pan).
What's this, a shopping center now asks before installing a GPS chip on my car (but still somehow offers free parking if I decline)? How inconvenient!
You’re forgetting a key thing, market acceptance. Drive at all once in your life and you’ll realize a majority of people speed. You’re not going to force these people to punish themselves so such a system would have to come from regulation. The market has already said no.
The EU regulation does not prevent ads from being shown, it specifically targets tracking. No tracking > no banner > everyone is happier > go ahead and show all the ads that are required.
And all that tracking comes down with inability to take risk on business side. Ad company wants to be 100% sure that ads are shown to humans, and pay only for those shown to humans(going deeper - to specific cohorts of humans, which in the past was approximated by content of the site showing ads).
Whereas sites serving ads want to extract as much money as it is possible from advertisers based on their audience count.
The incentives are on both sides to to one-up each other without tracking - hosts by inflating visitor numbers, advertisers by disputing that.
In a perfect world ad(wouldn't exist i know but bear with that) companies would pay X/month for site with Y visitors, where X depends on Y. No need for tracking, and roughly over multiple sites and multiple months it averages out.
Not enough conversion rates(risk for ad company - they could pay less)? offer lower rate per visitor next period.
Site gets spike in visitors(risk for host - they could charge more)? report higher estimated Y for next period.
What we got instead is an insane tracking infrastructure that costs way more than any possible profit gained for both sides. It's not even profit - it's avoiding being 'scammed', avoiding risk.
Remember that all that tracking bullshit started before targeted advertising was mainstream and widespread. It all started with bots and inflated click numbers, and inability to accept risk.
Tl;dr banning targeted advertising won't remove all tracking bullshit
ad networks can simply send out banners to sites for time slots, and that's it. do you want to advertise healthy food? send it to yoga sites (insert it on #yoga hashtag profile pages, insert it after videos/snaps/tiktoks/reels that the AI categorized as yoga, etc.) ... it's called item-to-item recommendation (use the content of the page - as it was done for - again - decades)
it's perfectly possible to ban and remove tracking bullshit
Hmm, what if people outside of yoga like health food? Or what if some people at the yoga site instead eat fried food but just have a good exercise routine?
your solution here just makes ads less valuable, which isn’t a win for advertisers or sites. if you can remove tracking, and still allow targeting, then you’ve hit gold. short of that you won’t find meaningful buy-in.
Ad networks can offer to optimize the impressions, help to with targeting.
After all the current implicit user profiling and targeting is already not a 100%. Many people use adblockers, many devices are used by more than one user, etc. (In this day and age we are still baffled how Amazon/Google/whatever advertises us - for days - the same fucking thing we just purchased yesterday. Of course, because based on their model it's still the most likely thing the user might buy or click on, etc.)
Google seems to be already moving away from individual profiles with FLoC - of course they still want all of the data to be able do dynamically allocate users to cohorts (to maximize their profits).
And this is why Tiktok and Instagram just went ahead and are now doing direct sales. (They put a link on the video overlay where the user can go and buy whatever shit the video talks about.)
> isn’t a win for [...] sites
this is something that a lot of people are pushing back on, because their claim is that we need some slack in the system for sites to be able to pursue their own creative vision (however lame, banal, mundane, or seemingly useless it is). before every click was tracked it was okay if some article (or video) underperformed, because in general the advertiser got the increased sales (or brand awareness or whatever they measured)
I’ll be honest that’s too long of a post to read and a cursory reading didn’t really shed any light on your point of view.
Many of us are old enough to remember untargeted ads, and pretty much all anybody saw at the time as an ad for cialis/viagra. 14 year old girls, 25 year old men, it didn’t matter, clearly you’re in the market for ED meds. this is a regression and i’ll take anonymized profile data over seeing completely irrelevant ads.
One thing that stood out to me from your post is this
> Many people use adblockers, many devices are used by more than one user, etc.
adblockers see no where near the adoption you seem to think, as it’s not many users, it’s a very small minority. and most users in fact have their own device and have for some years now. you seem to be detached from reality.
> this is a regression and i’ll take anonymized profile data over seeing completely irrelevant ads.
exactly. let the user decide. that's why it's out to be opt-in/out.
> you seem to be detached from reality.
I'm simply stating factors that are not insignificant compared to the difference we are talking about.
the policy discussion starts with cost-benefit analysis of "implicit profile-based ads" vs "alternative ads", and I'm simply stating that there are already many factors that ad networks consider.
FB/Meta rolled out Advantage+, which is a machine-learning-based full campaign optimization system. (The advertiser uploads many banners, and Meta tries all of them for various target groups, and learns which one to show for which users.) ... and it did all this because of Apple's ATT (app tracking transparency)
> your solution here just makes ads less valuable, which isn’t a win for advertisers or sites
It sounds like that's a natural outcome of the point of the law in the first place: people felt that, for too long, tracking has extracted too much value from them without their consent.
Whether a website "buys in" to complying with the law is of course a risk analysis they can conduct for themselves. Neither advertisers nor sites are entitled to a "win" here.
A site can keep logs of user activity to help optimize without tracking my personal data. As soon as a company needs to track me, it's doing more than "optimizing its website"—it's using my data to sell me stuff or selling my data to third parties. And I'm glad it needs permission to do those things.
What if I want to optimize my site for certain classes of users? Say a less than abled person. What if I want to make my product easier to use with various control schemes used by a handicapped person and my product is so complex that tracking this demographic’s usage of my product is the easiest or only way? and what if there is no intent to sell your data?
I could ask permission and delay, or I could just capture the data and run experiments or A/B testing. You should also learn that nobody knows everything, and saying something isn’t required usually is just showing your own ignorance as in almost every case you’ll come across you will find at least one valid use.
Say I want to know why handicapped people with certain disorders are having a difficult time accessing the site. Having a site accessible is a start, but unless you somehow predict difficulties using your product after design changes then you will constantly have to verify things like button sizes and placements.
Your point is well made, and this is an unfortunate consequence of the regulation (and I enjoyed the analogy). But it isn't necessary to have cookie banners on every website. Github is a moderately complex, user-optimised website, right? https://github.blog/2020-12-17-no-cookie-for-you/
Correct me if I'm wrong, aren't but IP addresses are considered to be "personal information" and therefore collecting them is "tracking" under the GDPR?
My guess is that they are because ISPs may keep records of them—I think they are required to in some jurisdictions. But you don't have to store IPs in your server logs.
You're also allowed to store IP addresses in your logs, you just have to take care with the data and the reason you're storing them needs to be justified - either because you have a legitimate interest in doing so (e.g. security) or because you have my explicit consent.
If I order something from an online shop, they don't need to have a banner in order to take my name and address to post the item to me - that's fully expected and reasonable. They do need my consent if they want to use that to post adverts to me though.
Yes but it depends what you're doing with them as to whether you need consent. If you're keeping a record of my IP address and what I do on your site to sell me stuff then yes you're tracking me and need my consent for that. If you've got my IP address in your logs because you keep security logs for reasonable timeframes then you don't need my consent - though you do need to handle them appropriately because it's my personal data.
Then store it for that purpose, don't use it for anything else, and delete it when it's not useful anymore (realistically, for these purposes, after a few minutes to an hour?).
Absolutely, and gdpr doesn't get in the way of those legal obligations. The point is that you can do what is necessary or expected to provide the service without consent, and you can do much more with consent.
Only if you maintain your own ad inventory, instead of using Google/Facebook ads like 90% of online advertisers do. And neither of those platforms work without installing their scripts on your site.
It would be like opening an independent video store when the entire market has moved to streaming. Yeah you could try it, but there are good reasons not to.
Sure, lots of people want to sell my data. That's a choice. You don't need to do that for advertising - it's a pretty recent invention having fully personalised adverts.
This is written from the standpoint that you want to deny consent. But I just want to give consent and get on with my day. I see it as sort of paying for the content.
Honestly I think most people see it this way, even if it’s an unpopular stance in some tech circles.
I find it annoying but I do the opposite. Don't give my consent for all the optionals and prefer not to get tracked. I don't believe all of that tracking is warranted in a significant number of cases. Websites appear to be still fully functional without all of those extras, too, meaning the website providers are also ok with foregoing it.
Putting up a wall in the middle of a busy street and then getting upset when people find ways around it doesn't make sense. The solution is either to remove the wall or ensure it cannot be bypassed.
Right now, it's just irritating for the average person and slightly inconveniencing those who actually break the rules.
This is the same situation with the cookie banner regulations. If the goal is to eliminate tracking, then making tracking illegal is the straightforward path (or make "do not track" actually mean something legally). Otherwise, ignoring it might be better. Implementing a policy that only frustrates the general public without effectively addressing the problem is not the right approach.
This is what the OP cannot understand.
EDIT: To the downvoters - I don't think you understand what the purpose of the downvote is on this site.
Since this is around the 5th time this sentiment has been expressed in this thread, I have to ask... are cookie banners really so frustrating? Oh no, gotta click one, maybe 2, more buttons...
a) they were standardized — they currently add a hefty cognitive load while parsing them, deciding which action to take, etc.
b) they worked properly — I would say, more often than not, they 'forget' the previous setting. I should never see a cookie popup on the same site twice unless I clear my browser settings.
Most consent banners are produced by a relatively small set of providers. As such, https://consentomatic.au.dk/ does a decent job of submitting your preferences and pushing them out of sight.
If you want to click “no” it’s often dozens of clicks (e.g. to explicitly disable each “trusted partner” with “legitimate interest”) alongside constant attempts to trick you into clicking “yes” accidentally.
It definitely happens where they don't give you a 'reject all' option, so you have to go 'select options' or similar and untick each one, or at least each category, and then 'confirm choices'.
As an aside, it's supposed to be as easy to decline as to accept; so if you give a 1 click 'accept all' then more than that (whether two or dozens) is unacceptable.
- bright red or green “OK” button that opts in to all tracking
- muted “save settings” button
But aha, gotcha, the default settings still have a bunch of tracking enabled, so you have to uncheck all of those, then remember to press “save” and not “OK”.
In the worst ones there’s an artificial delay when you uncheck one of the third-party boxes, as if it has to file a form in triplicate for the unusual request of not immediately sending all your account info there.
It would be time-consuming and expensive to take some of these companies to court, and likely difficult to win as they'd nitpick over fine details and pass the buck over who's responsible.
Slowly turn the wheels of justice. We’ll get there, I think. Lawsuits take time. Regulations take time. And, as demonstrated in every GDPR-discussion anywhere: understanding takes time.
Gears of EU grind slowly but finely. IAB just received a fine for promoting horrible banner practices. And it's not like we'd be better off if the gears didn't grind at all. Now just even uBlock will save you a lot of hassle and server-side tracking purely by the virtue of blocking the consent banners (so they can't be approved)
I think the goal was to give citizens the possibility to make informed decisions about where their personal data is being used.
If you don't care about tracking, ok. But some do. The EU tried to cater to both audiences which I think is fair. Turns out most people that did not care about tracking would also not consent when they are asked about it specifically and there are no immediately perceived downsides visible.
And therein lies the false premise that makes the whole thing absurd.
Most people have no idea what "cookies" are, don't understand what difference it makes when you reject them, and are never going to learn - and we shouldn't expect them to! Leave the technical stuff for the programmers.
The cookie law only makes sense if you think that there's any significant overlap between "people who understand what cookies are" and "people who need help with internet privacy", for which I refer you to the Venn diagram in this comic: https://churchm.ag/eu-cookie-law-history/
There is no cookie law. There is a law that makes companies ask for consent when they share personal data or store identifiers that make this possible.
If companies wouldn't try to frame the whole thing in technicalities, it could be a simple popup listing the features on the website that need sharing personal info and users could turn that off.
I think this is one of the rare cases where the now-popular-and-often-misused word "gaslighting" fits perfectly: the companies are punishing users because of a law that protects them from data exploitation, then blame the law for protecting them. It's beyond evil.
On the other hand, nobody is entitled to free content on the internet. Hopefully people will become annoyed enough that they will stop visiting the sites of data exploitation companies altogether.
As a person who is generally suspicious of regulation on the grounds that it is an always growing beast (rules do not get revisited enough and rejected when they become an unneeded complexity), this viewpoint is spot on for me.
And while the main visible results today are bad (cookie banners of various levels of annoyance) it is bad mostly due to existing dark patterns and encourages changes in the right direction. Will those chances come and, if so, when, is to be seen. My 2c.
Yes there is. More specifically, it’s the Privacy and Electronic Communications Directive 2002/58/EC, which each member state adjusts their own laws to follow. It’s published here:
> 3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
If you want to argue that companies have a legal alternative to showing you cookie banners, then by all means do so. But don’t say there’s no law because there clearly is. This is a misleading and inflammatory headline.
Edit: Yes, I read the article. To draw a distinction between “must obtain consent” and “must show UI that obtains consent” is of no value unless you want to write an article with a shocking headline.
The article makes that point. There is no law to put a giant banner that disturbs UX in your users face. Companies choose to do so. There only is a law that prevents companies from tracking you without consent.
But that is what the title states and is explained in the article. There is no law that forces a cookie banner. There is a law that requires consent before tracking, but that is not necessarily about showing a banner - that is just one of the possible ways of complying with the law. There is an electronic privacy law, and it is quite comprehensive. There is no "cookie banner law".
There’s a law, but it’s not a “cookie banner law”. The section you quoted says nothing about banners. The banners are a design decision by the operators.
I think you might not have fully grasped the meaning of the post. Let me rephrase it for clarity: there is no cookie banner law, but a consent law, but it doesn't need to be as ugly, intrusive or user-unfriendly as the current cookie banners. One alternative is to opt out of using cookies on your website entirely (which is what I do, by the way), and then you won't need to ask for consent. Or to use a simple, unremarkable, bar.
I think you might not have read beyond the first line of my comment. Why are you telling me that there are alternatives? I literally said that in my comment.
You are citing directive that does not apply in all cases.
It is amended by Directive 2009/136/EC, which changes especially the cookies part.
> (66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
If you read the exceptions part, you know that you don't need a banner on strictly necessary case.
This doesn't require a specific implementation just that informed consent is given. This could be implemented as a web standard alá Apple's ATT(App Tracking Transparency). There's nothing preventing the industry from creating such a standard, obviating cookie banners in the process. This would not only be a win for users, who could express their overall position on consent as a browser setting, but also save thousands of developer hours for website.
> This shall not prevent any technical storage or access ...or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
If the functionality explicitly requested by the user -- e.g., logging in, or changing the default language or currency, or what-not -- no consent is necessary to keep cookies. Cookies are only necessary for things the user didn't implicitly ask for, like tracking.
hmm I disagree. I found the article, quite an eye opener for me. I also thought that he cookie banners is what the EU forced the web-site owners to show.. but it clearly isn't.
It is just about consent. This consent could be given in a non-annoying way, but clearly the involved companies don't want to.
To me, this seems like engagement clickbait targeting PG to promote an infotainment product (CTO coaching/course):
>there is no cookie banner law
There definitely is. The article explicitly states this:
>you need my consent when you want to track me
"tracking" here means storing data:
>store information in a visitor's browser is only allowed if the user is provided with "clear and comprehensive information", in accordance with the Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given their consent (wikipedia)
The actual directive also explicitly states this
>consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website (32002L0058.17)
Hate this way of thinking where the government (with seemingly good intentions) tries to stop something but leaves a loophole where all our lives are made more tedious and then people defend it saying the companies should just not do it, well we needed the law in the first place so it's a bit silly thinking to suggest they stop doing it after the law, no?.
If the cookie law was written properly then it would have just been a browser setting that had to be respected and this whole thing would have been completely transparent to the end user and they would have benefitted by default.
Instead through incompetent government employees we now have cookie banners for the rest of eternity on almost every site and they're not even standardized so worst sites like where journalists publish can have more and more obtuse ones.
This is 100% what PG means IMO and the most sane take on this. Either write the law correctly so it's not easily bypassed or just don't touch anything because you will only make it worse.
The law is not bypassed, the annoying banners with no simple option to reject are illegal. The issue is that enforcement is slow, not that the law is badly written.
GDPR's Article 7 [0] is very clear:
> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. [emphasis mine]
> The issue is that enforcement is slow, not that the law is badly written.
The enforcement/implementation of a law is so deeply entwined with the text that it's deceptive to separate them.
If a law is written in a way so as to make enforcement hard, or if the government doesn't have the resources to quickly and consistently apply it, then it's a bad law because it enables weaponized targeted/selective enforcement of a new law that wasn't present before.
Essentially all laws are difficult to enforce. If someone really won't follow the law, then it takes a lot of time and money to prosecute them. Society relies on most people voluntarily following most laws most of the time.
You literally say it's "deceptive to separate them". The whole POINT of modern governance is to separate them.
Saying legislature is writing "bad laws" because the judiciary may or may not have the resources to enforce is to necessarily subjugate the legislature to the judiciary which violates the principles of separation in the first place.
There are countless examples of legislation that does not get litigated due to political or other pressures on the judiciary. Your argument would require that the legislature lie down in those cases. Perhaps that is your preferred order of the world.
But in a modern, principled government, the entire principle is their separation and independence. Suggesting otherwise is to lean into autocracy, whatever your motives.
> The whole POINT of modern governance is to separate them
This is wildly incorrect. The point is not separation - that is obviously stupid and pointless. The point is maintaining checks and balances on the power of the government, and one of the (many) mechanisms is through separation.
> Saying legislature is writing "bad laws" because the judiciary may or may not have the resources to enforce is to necessarily subjugate the legislature to the judiciary which violates the principles of separation in the first place.
Again, incorrect, because the principle is limiting power, not separation of powers test for its own sake. Not passing laws that can't be correctly enforced is not a violation of that goal or the strategy of separation of powers.
> There are countless examples of legislation that does not get litigated due to political or other pressures on the judiciary. Your argument would require that the legislature lie down in those cases.
Nowhere did I say that or does my argument imply or necessitate that. Being unable to enforce a law due to lack of resources is categorically different than political pressure. You're intentionally misinterpreting my words
> But in a modern, principled government, the entire principle is their separation and independence.
This is your own projection of what a "modern", "principled" government should look like - which, as stated before, is obviously stupid and pointless. Separation is not a virtue - it's a means to an end. You may want to consider reading the US Constitution to see this in action.
The fact that you replied with a sarcastic comment lacking any content and then went to my profile and signed my email up for a bunch of spam emails is proof that you're unable to defend your argument. Not that proof was needed.
I can't speak to the latter, but the former was not sarcastic and there's nothing to defend. Muddying the independence of arms of government is page one of the autocrat's handbook which you seem smart enough to know. No making laws all by yourself legislators, you will first check with the Ministry of Enforcement! It's an entirely valid form of governance, as Big Men of History will attest, and you're entitled to your opinion on the matter.
Thank you for mentioning point 7.3 this as it's a very important, but gets often ignored. I hope that it gets strictly enforced. _It shall be as easy to withdraw as to give consent._
Regarding the link you posted, they have a banner at the bottom saying:
> We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. [Ok] [No] [Privacy Policy]
My understanding was that such an implicit consent ("we will assume that you are happy with it") is not legal so I find it a bit surprising to see it used on a website dedicated to the GDPR.
Yes, that very much is an example of the law being badly written.
"Prior to giving consent, the data subject shall be informed thereof."
Means there must be some sort of a cookie notification (which could of course take a small space of the screen, but still).
The existence of this notification makes it easier to initially give consent. If withdrawing later is to be as easy, the notification must never disappear.
The law isn't that bad actually, just that the courts have been very slow. The dark UI patterns are actually illegal and have been judged so in court now. This realization just has to trickle down to the companies writing these cookie banners.
* There was an option of making this non-intrusive, by requiring it to be a browser setting, they chose not to
* The law went into effect ~6 years ago
* Companies still break the law by employing dark patterns
My take is that it makes both the law, and the courts bad.
My take is that law tries to dictate UX more than just set groundrules which good laws do. They pre-emptively set the law such that it prevents any use when the focus is on misuse. The law is about 1st party and 3rd party cookies, not just 3rd party.
In an ideal case, if it was just a law, a simpler wording could be "you are allowed to collect anonymized data, but not monetize/share it without permission from users. We may ask you to furnish proof that you havent been doing that at times, failing which you would face massive fines (as %age of revenue whatever)."
Problem is collecting basic anonymized usage data[1] is needed by companies to improve the product, provide a better experience, detect misuse. They bundled those use cases with everything else meaning the law was too broad and we got cookie banners given every site needs basic analytics. On flipside, worst is that most websites use Google Analytics, so they might have had to display the banners anyway.
[1] Moreover, it's vaguely worded so we companies do not know if they have committed a GDPR offence. By general understanding IP addresses are under GDPR. You can get that via request headers. So, to be on the safe side, even anonymized analytics tracking is considered under GDPR
notice the part about how purposes cannot be bundled together. EU's own website does that till date.
> NOT needed to improve your website
When I say usage data, aggregated data about how many people bounced off my page, or how long it took for my webpage to load under different internet connections is absolutely needed for me to make sure every user that comes on the page is having a good enough experience. I may not save any info, but those numbers are definitely used in aggregate. if the bounce rate is too high, content is not useful for people i am reaching. If i cant know that, how does the webpage gets better. That is usage data.
I do not care about who the person is, but I would want to know whether it was one person doing one action 100 times or 100 different people doing the same action. Makes a massive difference.
Which cookies did you have to accept/reject? What do they do? Why do the websites believe they must ask you to accept them?
Also, the law allow browsers to automatically accept/reject the cookies on your behalf (actually, the law does not care about which specific technology the websites use to collect and process personal data). You, as a user, can choose a browser/extension that rejects these cookies by default, except the necessary ones. I use https://addons.mozilla.org/en-US/android/addon/istilldontcar... and I haven't see a single cookie banner for years on desktop and mobile. I don't like cookies and I like the law.
It would be 100% ok for it to be a browser setting. It isn't though, because that would make too many people opt out. That's what the article is about.
I don't think a browser setting would make any difference. The setting would have to be either "I don't want to be tracked by anyone ever" or "I'm ok with being tracked by everyone all the time". Everyone would just choose the first setting. But just because someone has that setting doesn't mean you can't ask them specifically if they're ok with being tracked on your specific website for some specific purpose. So then you're back at the cookie banners.
(Also, if a lot of people did choose the 'everyone all the time' setting, that would arguably be a poor outcome, because it's unlikely that this is really what people want.)
> The setting would have to be either "I don't want to be tracked by anyone ever" or "I'm ok with being tracked by everyone all the time".
The only alternative to that binary logic is cookie banners. So to be clear, you are advocating for cookie banners.
The reality is that the overwhelming majority of people do legitimately want option 1, which makes cookie banners redundant. The only reason that cookie banners exist is as a high pressure sales tactic to sell users into option 3.
The point is that you'd still get cookie banners even with option 1, because a site can always ask you if you're willing to override your default preference.
It could. And the GDPR already bans dark UX patterns in consent popups (i.e. making it artificially difficult to refuse consent). But the law can’t realistically tell sites exactly how to design their UX.
What you are describing is still option 3 (cookie banners). The only real option 1 would be for sites to give up on tracking users.
So yeah, you can never compel a site designer to stop doing a thing without compelling them to stop do that thing. The only middle ground is a middle ground.
We already have granular permissions for other things (like location queries) and it works out just fine. You allow things when they make sense and refuse when they don't. It could be resolved in a way that preserves usability, but still achieves a goal not tracking non-users via ads. I doubt that it would make PG particularly happy though.
The key difference with tracking is that it's based on intent. Technically there is no difference between a tracking cookie and any other cookie. It is just a question of its intended use.
Sure. If I'm asking a website to remember my user session, I expect and am happy to allow a cookie, even if it's a few extra clicks. When I visit a site I'm not a registered user of, no tracking is needed really.
The DNT (Do-Not-Track HTTP header) setting has died the moment Microsoft made it too easy to enable it during setup of Edge, making most of their users default to do-not-track.
The adtech will absolutely freak out and destroy any attempt to make such setting as soon as there's a risk of it working.
The law could have been written in such a way that we could use a browser setting and avoid incessent popups which irritate users and desensitise them to genuinely useful warnings.
Whatever the good intentions of EU lawmakers, they seem inept at technical legislation because they ALLOW companies to continue doing shady things, and rather than tackle it, the legislators create a law that merely annoys users.
it would be horrible regulation if you tell how to comply instead of telling what to comply with.
as written elsewhere (since you obviously didn't read anything) your proposed solution would be just fine. But people opted out of impmenting it that way since it would yield less profit.
Show me the section of the ePrivacy Directive (Directive 2002/58/EC) or GDPR that implies the "Do Not Track" browser setting can override the need for consent banners / popups.
DNT wouldn't work, but a hypothetical "yes, please feel free to track me" setting would, if standardized by browser vendors and implemented appropriately (i.e. ensuring user consent).
well, if you respect the do not track setting and therefore DO NOT TRACK, then just remove the banner. You have not obligation to tell people that you do not track because you do not track.
Are you 100% confident that you don’t do anything which could be construed as tracking by a hostile regulator? Even the official EU sites that host the relevant regulations have cookie banners, explaining (https://eur-lex.europa.eu/content/legal-notice/legal-notice....) that they can’t otherwise do basic analytics or interface persistence.
Better safe than sorry... Absolutely. If you work with a company, where you cannot guarantee that no tracking will be injected into their users computers, then you better add the disclaimer.
Also, if you feel certain, and a ready to defend in court, that practices you have on your website does not constitute tracking. Then you don't have to show the banner either.
Personally, I am much more pragmatic about these regulations - with good reason. I still have to hear about some small innocent company hit with a massive fine. Empirically speaking, it is mostly huge multinational companies with plenty of resources to manage these things down into details who have gotten fines after repeat offences.
All in all. If you assume malicious regulators, then it is going to be stressful to work in a market. From US influence, I also do understand the sentiment, though it is rarely mirrored with EU citizens who generally don't assume hostile regulation.
The GDPR doesn't prohibit such a browser setting to exist and to be applied. The GDPR however also isn't a technical standard that would prescribe any specific technical protocol.
> they ALLOW companies to continue doing shady things
No they don't. But enforcement requires complaints, actions, and budgets. Remember that the EU has no police, it's down to national governments to enforce regulations.
Also, take fraud. There are plenty of laws against fraud in any country - and still it happens every day in one way or another. That's not because all fraud laws are bad, but because enforcement is complex and costly.
> Whatever the good intentions of EU lawmakers, they seem inept at technical legislation
I don't think that's a specialization of EU lawmakers, particularly. A far as I can recall, laemakers started thinking about internet regulation around the turn of the millenium, and I didn't welcome the prospect; I assumed that regulation would favour state intelligence and police agencies, and would be drafted by adtech lobbyists. Why? Because I didn't think the civil servants who are supposed to draft these laws had the requisite competence.
As far as I can tell, politicians don't spend much if any time thinking about second and third order consequences. GDPR is but one example, but instances of this abound. The default should be to mistrust new laws. Reagan takes lots of flak on the internet, but he was right on the scariest phrase being "I'm from the government, and I'm here to help".
Even worse, this thread is full of armchair lawyers that will confidently tell you there's no need for cookie banners in particular cases. Nevermind that there's hardly any case law about this and each country seems to interpret it differently. Any actual lawyer would tell you to slap it on there to stay protected.
> Even worse, this thread is full of armchair lawyers that will confidently tell you there's no need for cookie banners in particular cases. Nevermind that there's hardly any case law about this and each country seems to interpret it differently. Any actual lawyer would tell you to slap it on there to stay protected.
I bet the number of cases of illegal implementations due to insufficient consent are vastly smaller than the blatantly illegal consent implementations(i.e. those that make it harder to reject consent than accept it). Companies clearly don't care about following the law anyway.
I'd think so too, but the number of implementations that use dark patterns that make it more difficult to reject consent than accept it seems to indicate they aren't erring on the side of caution.
I'm not talking just de-emphasising the reject option here, but cases where there is no reject option or it's buried beneath 2-3 more clicks.
The wording was imprecise, but to the website owner, this is a distinction without a difference. Just because a civil law system is in use versus common law, you still need judges to interpret what the law is. Their decisions may not be binding in the way precedent is in common law systems, but they are still important in determining what might be legal or illegal in the face of ambiguous laws (that is, all laws)
That's not entirely true. Continental European law tends to be far more detailed than Anglo Saxon law, but still relies on precedents set in previous cases when there are ambiguities in the law, and when it comes to metering out punishment and damages.
No one only needs to be familiar with lawyers themselves to speculate about what they might do. They are a cautious bunch. This is distinct from dispensing legal advice.
I wrote something elsewhere in the thread about this[0]. I don't think laws mandating specifics of implementations at the level of browser settings is a good idea. To your point about government employees not being competent I don't trust them to get that right. Companies could work with browser makers to fix this but, as the OP points out, they don't want to.
In my opinion the EU's big failure with GDPR has been slow and ineffective enforcement against blatantly illegal implementations.
The law does not require a specific implementation. Law is never written to require a specific implementation and should not be written in this way.
Instead law is written in a technology neutral way. It is so neutral that it isn't even called "cookie law". It is called ePrivacy directive. It has only 5 times the mention of "cookie" as an example.
> If the cookie law was written properly then it would have just been a browser setting that had to be respected and this whole thing would have been completely transparent to the end user and they would have benefitted by default.
The law does not mandate websites to display a cookie banner. There are already "Do not track" settings in browsers. A website could choose to honor that setting and don't track you without ever showing you a cookie banner. But most don't.
But the websites are still putting up banners in my way, and they never remember what I consent to anyway, they just ask every time.
They didn't do this before the regulation. It doesn't much matter whether a website could do better, they simply aren't going to do better unless forced to.
> A website could choose to honor that setting and don't track you without ever showing you a cookie banner. But most don't.
Exactly! Either fix the regulation to say they can't make UX worse or throw it away.
Yes, because they just tracked you and you didn't have a choice and didn't even know that they were tracking you probably.
You don't seem to understand what GDPR does. Very simply, it says: "Hey, if you run a website and want to store cookies in your visitors browsers that helps you track them, you need to ask them first if that's ok".
There are multiple paths websites could take:
1) Don't set tracking cookies -> No need to ask the visitor for consent
2) Honor "do not track" headers sent by browsers -> Only need to ask visitor for consent if the browser didn't set "do not track" header
3) Ask the visitors, but do it in a nice way that doesn't disrupt the whole browsing experience -> some examples are given in the blog post
There are a lot of browser extension that hide or click reject cookies for you, so you don't need to see 99% of all cookie banners. Have you tried using some of them?
The problem is that we as a society constantly have to deal with adult children, so don't expect reason. Do expect elaborate rationalizations intended to waste the energy of an indecisive parent, who is basically getting bullied by a kid throwing a tantrum.
This kind of behavior reminds me of the book: "Language vs. Reality: Why Language Is Good for Lawyers and Bad for Scientists" - Nick Enfield, Linguistic Anthropologist [1]
> Hate this way of thinking where the government (with seemingly good intentions) tries to stop something but leaves a loophole where all our lives are made more tedious and then people defend it saying the companies should just not do it, well we needed the law in the first place so it's a bit silly thinking to suggest they stop doing it after the law, no?.
We deal with similar issues developing and releasing software. Instead of not ever releasing software, or only writing perfect software that never has issues, we have a couple of options.
1) In critical life or death situations, spend a ton of time modeling all states of the system and program in a way that very strictly controls for these states, with a lot of testing. See NASA/JPL coding standards for critical systems.
2) For less critical situations, or those were modeling all states of the system are impractical, we release, observe, and iterate. Yes there will be edge cases, bugs, and loopholes. But we can observe them, iterate, and release updates.
I think case 1) is impractical for changes to large legal and economic frameworks in the real world given how many variables are at play. If we could model the entire economy and see how it would react to a given change, the world would be a very different place in lots of ways already.
A lot of politics seems to work against 2) and that hurts our ability to improve things. "I will pass a law that does X" and "I will repeal the law Y that is not working, see look at these loopholes!" are good political campaign statements.
"I will gather and analyze data on the operation of the current system and support an iterative change that intends to improve things, implement that change, and then observe the results to determine if future changes are needed" is hard to rally around either in campaigning or when actually doing the work of getting political support to pass law.
I think decent example of this in government, although far from perfect, is the feedback loop of the NTSB and FAA. The NTSB's job is to observe and report on failures of air safety, and the FAA's job is to apply those lessons to future air regulation. Of course there are many examples of this not working perfectly, but it's a more concrete feedback loop than most governmental action has.
More observation of the analysis of the impact of laws after they are passed, and follow-up iterations where we compare the expected and actual results and make updates, would probably result in a lot less gnashing of teeth over "bad government regulation" but I'm not sure how we get there politically.
It has even been implemented in Internet Explorer when it had 90%+ market share.
And then Google intentionally sent malformed P3P header to bypass user preferences in IE.
When Safari added a heuristic rejecting Google's 3rd party cookies, Google has found a technical workaround to bypass it (and has been fined for doing this).
When IE and P3P were totally dead, browsers have tried to give adtech the simplest to implement bare minimum setting - the DNT header. The adtech has completely ignored it.
There are trillion-dollar businesses relying on tracking, and they will do whatever they can to undermine any technology and lobby against any law that would harm their business.
The deliberate, bad faith misunderstandings of the tracking consent and GDPR stuff on here reminds me every time exactly how many people are apparently content to work for and shill for adtech.
Working for Lockheed Martin or RTX is a more moral choice than working in adtech IMO.
You can track the number of visits without using cookies, but its practically impossible to track the number of unique visitors without using cookies.
The number of unique visitors is a very useful metric (both in itself, and combined with the number of visits).
The EU has made it impossible to track this simple and harmless metric without inconveniencing all users with awful UX.
Under the GDPR / ePrivacy Directive, ANY user-based unique identifer used for advertising, analytics and tracking will trigger the need for consent.
---
General Data Protection Regulation (GDPR)
Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Article 6(1) outlines the lawfulness of processing and states that processing is only lawful if and to the extent that at least one of the following applies: "the data subject has given consent to the processing of his or her personal data for one or more specific purposes."
---
ePrivacy Directive (Directive 2002/58/EC)
Article 5(3) requires prior informed consent for the storage of or access to information stored on a user's device: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
In my understanding, the most important part is to not share user information with third parties. IIUC, Google can use Google analytics data to join your behavior from multiple sites and then use that to serve targeted ads.
The next level is to not store PII unless there's a specific reason in the user's interest (improving site quality doesn't count, logging in does). Therefore, you can see how many people visited a page, aggregates of device types etc. Just not anything that identifies an individual.
Best way is to self-host your analytics, the main thing about GDPR is not sending your data to third parties or using it for marketing/targeting purposes.
By not sending the data to third-parties, you already comply to most of the GDPR policies.
Certainly one aspect of GDPR is about how you share data with third-parties. But self-hosted analytics are still subject to GDPR and/or ePrivacy restrictions if you process full (unredacted) IP addresses, any user-identifying tokens, or anything else deemed as PII (Personally Identifiable Information) for purposes such as analytics without seeking user consent.
That's true, but the "analytics" purpose is ambiguous. It could be for security most servers already have access logs by default, that stores IP addresses anyway, and it's often used for DDOS protection for example or fail2ban login attempts.
The entity that has legislative power takes responsibility for unintended consequences of its legislation. At least this is how Anglo/Common Wealth cultures think about it. You can see that Germans think about this differently.
I wonder - why didn't the the EU put the burden on user agents a.k.a. web browsers to handle the cookie notices? When I visit a site, before saving any cookies, have my user agent ask me if I want to allow cookies for that site. Could have a default "no cookies" option with a whitelist, or default "yes" with a blacklist. It would have been so much easier, with a far more consistent UX, wouldn't it have? Now we have to put up with 1,000 different flavors of invasive banners, popups, "necessary cookies", etc.
The EU doesn't tend to require specific implementations - the banners aren't a required implementation, either. It's just what the advertisers thought works best to get their desired outcome.
There was the DNT header. Few sites acknowledge it (and thanks to those who do!), and when Microsoft went against spec by setting it default-on in their browser, advertisers whined that they can't see informed consent anymore and just shut down the whole initiative. Note: Microsoft is also in the advertising business, so if you're into that, that might be another angle for your favorite conspiracy theories.
Finally, there's consent-o-matic, available as browser extension for various browsers, and it lets you state your preferences. https://consentomatic.au.dk/
Would it have been better to integrate that into browsers properly? Sure. But the social and economical dynamics being what they are, this is probably the best we can get.
Technically they can ignore the users’ choices on cookie consent as well though. In fact, I would be curious just how many websites honor a user’s selection, and how many of them are just smoke and mirrors by having a consent modal that has zero subsequent value.
>, Paul Graham came up with the thought, that the EU forces companies to have cookie banners. There is no law for cookie banners. [...] Companies could easily avoid any cookie banner. Just don’t track.
KingOfCoders/amazingcto, of course you are technically correct but Paul Graham wasn't talking about the letter of the law.
Instead, you have to interpret his complaint with the lens of game theory. I.e. The Law of Unintended Consequences that takes into account what companies actually do in response to laws instead of what we hope they will do.
Your blog post focused on good intentions of the law. PG's tweet focused on actual outcome.
Doesn't that argument work both ways? If you interpret the EU's regulation with the "lens of game theory", it is an unintended consequence of aggressive corporate data collection. Not sure why it makes sense to complain about the EU and not the companies.
> Not sure why it makes sense to complain about the EU and not the companies.
Unfortunately a non-negligible number of people in tech also have libertarian leanings, with a default “gubmint bad!” position, which makes them easy prey for adtech propaganda.
GP answered your question, for some reason you decided to cut the quote right before the answer. Here is the part that is missing from your quote which answers your question: '[...]with a default “gubmint bad!” position'
Perhaps you should consider the possibility that the reason why libertarians assume a default "gubmint bad!" reaction to new policy interventions is that they are sensitized due to decades of experience seeing multitudes of government interventions both (a) to achieve their intended outcomes and (b) create unintended consequences, often worse than the problems they are meant to solve, instead.
Personally, I find it very very strange that many of the people who call for regulation as a remedy to perverse incentives manifest in commercial markets seem unwilling to recognize the existence of even more perverse incentives in the political realm. If people seeking profit sometimes do bad things to get it, why would people seeking political power be expected to behave differently?
That's beside the point. If you are in favour of government intervention you should be all the more interested in good policies that have the intended effect.
No, it does not work both ways. The roles of governments and corporations are not symmetric.
Good regulation is regulation that has good outcomes. If a law has bad outcomes it is a bad law. You can separately complain about what companies are doing but that doesn't change the fact that it's a bad law.
It is of course debatable whether GDPR as a whole has bad outcomes, but if we're talking about cookie banners in isolation then it certainly does.
> No, it does not work both ways. The roles of governments and corporations are not symmetric.
>
> Good regulation is regulation that has good outcomes. [...]
You don't seem to explain what the role of corporations is or what a good corporation looks like. If these things are not symmetric, you need to finish your explanation of why or how they aren't.
Corporations and the whole of property rights only exist because of government protection, so it would be pretty audacious--in my opinion--to assert that corporations have no duty to behave to the benefit of society. I'm not saying that's your claim, but I'm curious as to how close you're willing to get to that claim...
Governments are supposed to represent the whole of society. The justification for their policies is ideally based on democratic legitimacy. No entity outside of government can possibly have that legitimacy.
In my opinion it is not audacious at all to reject the idea that corporations should intentionally pursue societal goals or claim to act out of a sense of duty.
Of course we want the effect of what corporations do to be of net benefit to society as a whole. But this cannot be based on their intentions or sense of duty. It has to be based on the systemic effects of them pursuing their own (possibly enlightened) self interest within the framework of the law.
It is for governments to make sure that these effects are beneficial and to intervene when they are not. So the asymmetry I see is that capitalism is a tool of society, not the other way around.
I would regard it as a duty of government to ensure that using the internet is safe and respects user privacy, but not to ensure that the internet has a clean UI. To that extent, I'd argue that the EU is achieving good outcomes. Ensuring a clean UI and smooth user experience is one of those things that should manifest as a result of market economics, but does not manifest because markets don't really work that way.
I see absolutely no reason why clean UX should manifest as a result of market forces. Media consumers, on average, are clearly unwilling to pay for ad-free experiences.
I won't pursue that assertion as it's tangential. I shouldn't have brought it up. The main point is that clean UX is not the purpose of the EU's data laws.
> In my opinion it is not audacious at all to reject the idea that corporations should intentionally pursue societal goals or claim to act out of a sense of duty.
I still find it somewhat silly to reject the idea that a corporation (run by human beings) shouldn't intentionally be evil for the sake of maximizing profit, but I do understand that this is a fairly common Friedman-esque point of view.
But, even so, I guess "duty" was the wrong word for me to use. I more meant that if a corporation does NOT benefit society, we should expect the corporation to stop existing. So, in that sense, there's a "duty" (existential requirement) to benefit society.
> Of course we want the effect of what corporations do to be of net benefit to society as a whole. But this cannot be based on their intentions or sense of duty. It has to be based on the systemic effects of them pursuing their own (possibly enlightened) self interest within the framework of the law.
>
> It is for governments to make sure that these effects are beneficial and to intervene when they are not. So the asymmetry I see is that capitalism is a tool of society, not the other way around.
I feel like you're circling back around to almost disagree with yourself. Several comments back in this thread someone made a point about "unintended consequences" of the law and applying "game theory" logic to it, and another commenter replied that the companies in question could also have seen the law coming if they misbehaved too badly. That commenter asked if the "game theory" logic shouldn't go both ways, and that we should then blame the corporations for the regulation because the government is just doing what governments do.
You replied that the argument does NOT go both ways because the roles of government and corporations are not symmetric.
But, what you're arguing here seems to be consistent with the view that the "unintended consequences" and "game theory" logic DOES go both ways. You acknowledge that it is a government's duty to intervene when corporations are not benefiting society, and you also say that corporations will pursue their own self-interest within the framework of the law.
I don't mean to put words in your mouth, but the only way I can resolve this asymmetry in my mind is to have a framework where corporations doing things that are bad for society is okay, because the government is supposed to stop them; but if the government is unable to fully stop them from being bad, then it's STILL not the corporation's fault, but the government's...
It just sounds like we've gotten lost in the abstractions of corporations and governments. At the end of the day, these are decisions being made by fellow sentient human beings, and if a corporation's humans make some evil decision, I refuse to let them off the hook with "well, free markets" and "they have no choice but to maximize profits".
>I still find it somewhat silly to reject the idea that a corporation (run by human beings) shouldn't intentionally be evil for the sake of maximizing profit, but I do understand that this is a fairly common Friedman-esque point of view.
On a very general level, the idea is that not every part of a complex system has to incorporate all the principles of the system as a whole. Individual parts of the system can have limited roles and responsibilities. That's fine and it has nothing to do with being evil.
Defense lawyers must defend their clients to the best of their ability whatever horrible things they may have done. Juries, judges, prosecutors, they all have their specific roles to play.
It's the justice system as a whole that should result in justice being done. If everyone involved tried to pursue their own interpretation of generally desirable societal outcomes, the justice system would be unfit for purpose.
And here's the asymmetry again. Those designing the system as a whole have to think about societal outcomes as part of their job (as does every citizen). Those acting in a specific defined role as part of the system can only do that in limited ways or under exceptional circumstances.
Corporations are run by people, but these people act in a limited role that is defined in such a way that pursuing specific societal outcomes does not necessarily boost the likelihood of their personal success or the success of the corporations they run.
If there is a conflict between certain societal outcomes and making a profit then those executives willing to prioritise profits will be the ones running the successful corporations. That's why it's so futile to bet on corporations acting against their self-interest in significant ways. They are systemically incapable of doing that (on average - exceptions are always possible).
That's why I'm saying that if we want to make corporations act in desirable ways, we have to make laws rather than appealing to the conscience of those running the corporations.
>I don't mean to put words in your mouth, but the only way I can resolve this asymmetry in my mind is to have a framework where corporations doing things that are bad for society is okay, because the government is supposed to stop them; but if the government is unable to fully stop them from being bad, then it's STILL not the corporation's fault, but the government's...
The question I'm asking is who can fix a particular issue, and if the issue isn't getting fixed then I'm assigning blame to those whose job it is to fix it.
Corporations collectively can't fix an issue when the only fix is not exploiting a particular economic opportunity. If one corporation stops exploiting the opportunity, another one will.
That said, of course I do blame corporations for stuff all the time. There's nothing wrong with that. Blaming them is sometimes effective consumer power. It can take away the economic opportunity as the reputational damage may outweight the benefits. Blame can also help build momentum for a change in the law.
But if laws are made and they have giant loopholes in them, then I blame lawmakers for doing a shoddy job.
Your framing heavily incentivises malicious compliance. After all if the subjects of regulation coöperate to derail, delay, mislead the public and overload enforcement it's going to have a bad outocme by default.
The main problem with GDPR is the scale of non-compliance greatly exceeds the size of any reasonable enforcement capacity, at least until enforcement catches up.
Of course not. Only titans of industry and the landed gentry of the executive class are allowed to "move fast and break things", "ask for forgiveness rather than permission" and take "imperfect action rather than perfect action."
It's more morally permissible for corporate decision makers to install a global surveillance complex than for civil servants to attempt to regulate it.
That's a misuderstanding of the banners. The requirement is to get consent to track someone and/or process their personal information in a way that is not strictly necessary or covered by contract. The mechanism that does the tracking is irrelevant.
Because the companies are getting what they want (data on users), but the regulation is not getting what it wants (no tracking or informed tracking).
I don't know if this mini-competition between regulators and companies is truly zero-sum, there could be some way to get everyone something they want. But with the current regulation, it is zero-sum, and the companies are winning and the EU is losing. And the EU "works for you", so of course you can complain to them.
OK, fair enough. pg's point still stands I think - I believe that most users have zero idea what that popup is and don't bother doing anything but clicking on it immediately even if they do have some idea.
I find it pretty difficult to be sure what point pg is making, because he uses an ambiguous phrase "good at regulation". What does he mean by "good at regulation"? According to the UK's Institute of Chartered Accountants [0] good regulation satisfies five criteria:
* Transparency
* Accountability
* Proportionality
* Consistency
* Targeting
I'm not certain that the GDPR laws fail any of these. I'm guessing pg is getting at something more nebulous to do with how annoying the UX is as a result of the regulation, and whether it encourages civil engagement. But if he'd simply said "EU regulation has made UX annoying" then he wouldn't have such a snappy tweet.
> Good regulation maximises the benefits while minimising compliance costs and unintended consequences. The benefits of regulation can be both to wider society (such as improved environmental or safety standards) and to regulated (for example, through increased consumer confidence), but not all of the benefits are necessarily easy to quantify.
Put that way, I can get on board with what pg's saying.
I’m not surprised. This is a “hot take-centric” platform issue, and a laziness in trying to understand him too. Or.. two people on the street yelling at each other but not listening.
I see your point, but then to have a constructive conversation Paul Graham should also give his two cents about how the law could be improved. I don't know him, so I'll ask here: did he do that?
>The blog clearly works from the actual outcome lense. [...] The companies _could_ just not track.
No, you've inadvertently stated a contradiction. Your use of the word _"could"_ is literally a hope/wish/intention of the law.
In contrast, the actual outcome is that the companies didn't stop tracking. We _wish_ they would stop tracking. (I.e. "The companies _could_ just stop tracking us!") But that hope still doesn't change the observation of reality.
The law is not code. Equating hope with the intention of the law is a poor way to think about it. The law is to protect users against opaque companies and to enable them making informed choices.
If companies act maliciously to contort around the law and force users back to making uninformed choices, it is the companies' fault and not the law's. Companies could have followed the interpretation of the law unobstrusively. But they didn't.
Invoking "reality," semanticking a position, do not make Graham's position justified. Neither does it make the blog wrong.
Can you really say that confidently? I think a lot of these companies would go out of business if they didn't track users so it seems like under the law they have no option but to show cookie banners. Or are you claiming the law exempts companies in such circumstances?
I'm a fan of second-order thinking and unintended consequences, so I'm with you there. How would you frame a "don't track people without consent" without unintended consequences?
The article tries to make the point (perhaps fails), that companies do this intentionally to get the "consent" of people against their will, therefor running the tight line of breaking the law without breaking it.
- no fines for non-compliance (or malicious compliance)
- no legal liability for data leaks of PPI
When businesses believe (correctly or incorrectly) that the benefit of tracking outweighs the cost (annoying users, regulatory noncompliance) they will do it. The fix is to make tracking too costly for businesses.
> - no fines for non-compliance (or malicious compliance)
"The Biggest GDPR Fines of 2023"
1. Meta – €1.2 billion (Ireland)
2. Meta – €390 million (Ireland)
3. TikTok – €345 million (Ireland)
4. Criteo – €40 million (France)
5. TikTok – €14.5 million (UK)
6. Axpo Italia Spa – €10 million (Italy)
7. Tim S.p.A. – €7.6 million (Italy)
8. WhatsApp – €5.5 million (Ireland)
9. EOS Matrix – €5.5 million (Croatia)
10. Clearview AI – €5.2 million (France)
"GDPR fines are designed to make non-compliance around data security a costly mistake and they can be separated into two tiers. Less severe infringements can result in a fine of €10 million or 2% of a firm’s annual revenue from the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm’s annual revenue from the preceding year, depending on what is higher."
"In January 2023, France’s data protection watchdog, CNIL, fined TikTok €5 million ($5.4 million) for making it difficult to refuse cookies on its website. The CNIL found that TikTok manipulated consent by discouraging users from rejecting cookies. They required multiple clicks to refuse cookies, but only one click to accept them. TikTok resolved the issue by adding a “Refuse all” button to its site."
Fines for data breaches is one idea? If we want to disincentivize data hoarding, the main cost to data hoarding is data breaches, so we could perhaps penalize that.
This would have a different issue, specifically companies would no longer self-report data breaches, but it's just an idea. There are alternative approaches to getting to "don't track people without consent" that aren't a toothless stick by making it more expensive to track.
Here's my idea - no data collection without compensation. For example, you must pay me in advance 1 cent for the permission to access 1 byte of my personally identifiable information for the following month, whether that's stored in a cookie or in your own database or you access it via a third party (e.g. Meta). So instead of a "cookie consent" pop-up, I want a "cookie payment" pop up where the site will ask me for my payment details and say how much they'll pay me (again, in advance) for each of the options I can toggle.
Probably the same way most laws end up. We see the unintended consequences, then revise the law to counter the consequences. Thus the cat/mouse game continues.
An idea could be that the tracking has to be opt-in AND the webpage cannot stop critical use of the page as part of the opt-in process.
Then another round of consequences.. rinse repeat...
> How would you frame a "don't track people without consent" without unintended consequences?
Drop the consent requirement? I.e. just don't track people. No third-party cookies, first-party only, and only for the correct operation of the site.
It's not the cookies that people object to, it's the tracking. Tracking provides no benefits to visitors. If there were no tracking risk, there would be no need to require consent.
That's not a benefit of the tracking. That's a benefit of the advertising dollars.
I have yet to see any kind of meaningful study showing that tracking improves the ROI on advertising by anything remotely resembling enough to justify it.
> The article tries to make the point (perhaps fails), that companies do this intentionally to get the "consent" of people against their will, therefor running the tight line of breaking the law without breaking it.
That X button is right there at the top near the tab name. Not sure how a user could be forced against their will into staying on the site presenting them with a cookie banner.
Except many companies respond to the cookie law with a cookie consent popup that violates the law (by making opt-out harder than opt-in).
Could we really have predicted from the "Law of Unintended Consequences" that companies would respond not by tracking less nor by giving people an easy way to opt out, but with a cookie consent popup that is not compliant and also really annoying to their visitors?
This is better explained by business operators being ignorant of the actual law and being ignorant of the UX impact.
The actual outcome is, from my experience, that tracking has reduced, a lot. When this law was enacted, *we all removed "like on Facebook"* buttons. Remember those? Yeah, we don't see them anymore. Google Analytics also was forced to change, at least a little.
Is there still tracking? Sure. But it's not so blatant anymore. There are hoops one needs to jump through. And that was the point - to make tracking a harder.
None of my projects have cookie banners. Why? Because I use a first party tracking system (Matomo), I anonymize all visits and I respect DNT. It's that easy.
It’s not the difficulty level that people object to.
It’s a combination of two things:
1) the law comes to the rest of the world from Europe. We (rest of the world) didn’t vote in the people who brought it. We’ve had quite enough of Europeans making rules for the rest of the world in the past few centuries thank you very much.
2) GDPR encodes an expectation that may or may not be common in the EU, but certainly isn’t common elsewhere. I don’t have any expectation of privacy when I walk in public or when I give any information at all to a business. My solution to this is: a) I wear pants outside, and b) I don’t give out private information. Whether the business ecosystem knows their age and purchasing patterns is largely immaterial to virtually everyone I’ve ever met.
And don’t show me a survey showing people don’t like it - if you prime people with the question, of course they will respond that way. They know their info is being gathered, and they just don’t think it’s as big a deal as GDPR would like it to be.
So, I get your point. I can see how (1) can be aggravating. Can't really say anything to defend it, that's the Brussels effect for you. From the point of view of your own sovereignty, it's a bad thing, period. From the point of view of an effect on the lives of average people, I'm not so sure, it's so cut and dry.
Now, point (2) is, unfortunately, in the same vein as smoking, pollution, seat belts etc. Uninformed people (uninformed because they have better things to do) are not protected from their lack of knowledge. They suffer the consequences just the same.
And while I agree that and informed person, making a self-destructive choice has (in most cases) the right to do so, there is something to be said about the very, very powerful exploiting the uninformed. And this is where GDPR comes into play. It's protecting normal people, from a very, very big threat, that is not that obvious and is being wielded by the powerful.
GDPR is one of those laws restraining western corporations from going full dystopian future on us all. I said restraining, to be honest, I think it's just slowing them down.
And as far as surveys go - it used to be the same here. Europeans didn't care and said exactly the same things (i.e. the famous "i didn't do anything wrong, so I have nothing to hide") and then activists worked for years to educate them that, at the very least, it's leading them to buy things at higher prices. Now most people are extremely sensitive to their data.
With all due respect, you're speaking on behalf of 1 person here, not an entire country of people, and certainly not the entirety of the non-E.U. world. "We" can speak for ourselves, and don't all agree with the views you're ascribing to us. And "I" don't agree with the sort of stereotyping I'm responding to.
I'm personally glad someone is doing something for my privacy here. My own government, due to regulatory capture, is unlikely to act in my best interests here.
The article elaborates on this point: There Is No Cookie Banner Law. Only bad website operators choosing to abuse their users with annoying consent dialogs.
Nobody in Europe is issuing "diktats", meaning citizen-supported legislation I guess, or affecting your business, unless you're trying to deal with their citizens' data. Just don't process EU citizen data and it's not an issue. Better yet, just don't track users.
In any case, your disagreement only serves to underscore that you were speaking on behalf of 1 person, not any country or countries. Otherwise, we wouldn't be disagreeing!
I actually self-host all my web assets and use Matomo already. So I do actually agree with the premise.
What I object to strenuously is someone dictating terms to the world from distant shores, especially since they seem not to get how the internet works (it’s all funded by ads, online sales, and ads for online sales, all of which involve metrics and tracking!)
The diktats I mentioned include a ruling that Google Fonts are illegal now. So if I’m using those, or I’m using Google Analytics, and a European happens across my site, I’m now a criminal? Fuck that.
The consequences of contravening the GDPR are uncertain but sounds scary. This is terrible for the open and free internet.
Please tone down the hyperbolic rhetoric and FUD. Consider how strongly you can make your point without them.
To the point: Nobody in Europe is "dictating terms to the world", or "issuing diktats", meaning passing citizen-supported legislation I guess, or affecting your business, unless you're trying to deal with their citizens' data.
> The diktats I mentioned include a ruling that Google Fonts are illegal now. So if I’m using those, or I’m using Google Analytics, and a European happens across my site, I’m now a criminal?
No, because website operators have at least 4 more options:
1. Don't process EU citizen data (block them).
2. Don't track users, period (host the font on the site instead).
3. Don't track users until they log in (convert them).
4. Get users' informed consent (let them know that they'll be tracked on the site due to the choice of google fonts instead of hosting a font).
Wow, that wasn't scary at all! The general attitude I'm getting from some folks, though, is that they want to do anything they want to users without consequence and never change. This attitude is going lead to a lot of anguish. Others have rights, too, and they override our right to do whatever we want to them, in many cases.
Many webmasters have neither the time nor inclination to read up on EU law. So blocking is the easiest and safest solution to minimize our legal risks. This is absolutely terrible - I grew up dreaming of an internet that is really humanity's network; not islands separated by political allegiance.
I agree that I can tone it down, but 99.99% of the FUD around is directly the fault of the EU for not making it crystal clear what the theory and practice around their internet laws will be.
Luckily that's just 1 of the 4 options, and those 4 options are just 4 of many options, so no need to focus on 1 of many and say you don't like it: you can just choose another! Or you can choose to create the islands. I don't see what's so terrible about that.
Did website operators think they could keep violating the rights of EU citizens indefinitely? I mean, based on enforcement capacity, chances are most operators can, but it'd be good to stop. IMO, A network for humanity should prioritize humans and their rights, over tracking and ads, and the lack of respect for those rights is what I find terrible.
Real talk: if you have questions about the GDPR, ask them, and I'm sure the smart folks at HN will be able to help you find answers and overcome obstacles. You can build and not break laws, whether GDPR or ITAR, we can help. Nobody's saying it'll be zero work, but nobody's entitled to run a business doing whatever it wants with zero work, either, and shouldn't expect to.
You keep missing my point, possibly on purpose, so I'll end this here.
The EU and the US and China disagree about what user rights are and what reasonable behaviour for a website is.
If one of those parties enforces their vision onto their traffic, it has a chilling effect - splittig the net into federations. By making GDPR super vague, the EU just makes everything worse, including for Europeans. If you disagree that the rules are vague, I'll refer you to the rest of this thread. Nobody knows what's being enforced or what the penalties are.
As far as the GDPR goes, only webmasters choosing to ban entire countries of users out of greed (wanting to unfairly profit off users) or laziness (not caring enough about the privacy of their users) or spite (punishing users because you don't like the GDPR) can achieve the splitting you describe. If it happens, it would be their decision, and thus their fault.
Real talk though, again: you say you personally feel the GDPR is vague. If you have questions about the GDPR, ask them, and I'm sure smart folks at HN will be able to help you find answers and overcome obstacles. You can build and not break laws, whether GDPR or ITAR, we can help. If you have troubles building, share them with us, let us advise you. Nobody's saying it'll be zero work, but nobody's entitled to run a business doing whatever it wants with zero work, either, and shouldn't expect to.
Everyone knows that bad actors will continue to behave badly in the face of the law. This isn't the insight you seem to think it is.
Really, PG's tweet has little to do with game theory or anything else. It is a first-world-problem whinge about having to click through cookie banners. Assessing the "actual outcome" of complex regulation and legislation is a task beyond the scope of a single tweet.
It might be useful for Graham to determine what claim he is trying to make in the first place. Is he rebutting a particular EU representative for boasting about how good they are at regulation? Or is the idea that the EU shouldn't have the audacity to attempt to regulate in the first place?
There are a lot of ridiculous things a company can choose to do in response to any given law. Those choices are not mandated by the law. Horrible consent UX is not the only option to choose from.
Government can, and should, analyze likely (or unlikely) unintended consequences and use those to further shape the law, but at the end of the day, those consequences come from choices that people who are subject to the law make.
I think the big mistake the EU made is they probably thought: “Surely no company would choose to abuse their customers with horrible UI just because they don’t like the law and want to take their collective frustration out on their users!” The EU was obviously wrong about the extent to which companies would throw their users under the bus while maliciously complying.
The outcome would be much better if the law explicitly stated that the initial cookie banner must have a "Necessary cookies only" opt-out one-click option. And that this option means truly necessary, not the Internet Explorer is needed by the operating system 'necessary'.
There is a law, that does not mandate cookie banners, but that still causes them by creating incentives to show the banner. That's the point of criticism.
You are implying that strict anti-emission laws caused uncontrolled emissions by Volkswagen vehicles.
But Volkswagen was very discreet about it, and when uncovered everybody was against them. Website are being obnoxious, instead, and people accuse the law. Go figure!
Arguably by your logic the emissions laws incentivize cheating, much as folks see the GDPR incentivizing annoying users -- to nag regulators to change the rules back in the company's favor.
It's a stretch though. I prefer more obvious analogies.
"Companies could easily avoid any cookie banner. Just don’t track."
It seems like a point dear to the author's heart, given the way he highlights this and puts it in bold at the top of the article.
But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.
It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.
Regardless of the answer here, the fact that there's still a debate about what basic functionality requires a cookie banner is really a testament to how bad this legislation is. How long has this been around, 20 years? And there's still widespread debate and lack of understanding as to what specific functionality requires a cookie banner?
> consent is not required [for] cookies that are strictly necessary to provide an online service that the person explicitly requested. e.g. […] when your customers use a shopping basket
So shopping carts (user clicked to add to cart) and notification preferences (user clicked to indicate preference) don’t require consent. Same for authentication cookies.
The page is quite clear; the confusion likely arises from how companies implement it.
i think it's worth noting that those cookies keep track of whether you have filled out their feedback form and to count the number of unique visitors to the page, or cookies from third parties the website may present embeds from https://european-union.europa.eu/cookies_en
Your lawyers are playing it safe. Their job is to make sure your company is not getting into lawsuits, and having a cookie banner that is not needed won't get you into a lawsuit, so that's what they suggest. They don't care about annoying your users.
If you really care about not annoying your users and don't intend to track them more than what's absolutely required for the service to work, then talk with your lawyers more. Of course, it is not free as it requires extra work, and it may carry some risk (which your lawyers should minimize) but it may be worth it, many people press the "back" button as soon as they see a cookie banner and try their luck elsewhere.
Yes, and if you ask the CFO about the best way to increase profits, the answer is always to fire all your staff. That doesn't mean that that answer is the most optimal solution.
It is not that simple. In "Opinion 04/2012 on Cookie Consent Exemption" [1] the the EU Parliament's Working Party On The Protection Of Individuals With Regard To The Processing Of Personal Data said:
> A cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average user or subscriber. This suggests that cookies that match CRITERION A and B will likely be cookies that are set to expire when the browser session ends or even earlier. However, this is not always the case. For example, in the shopping basket scenario presented in the following section, a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant’s website in the following minutes. In other cases, the user may explicitly ask the service to remember some information from one session to another, which requires the use of persistent cookies to fulfil that purpose.
(Criterion A is cookies that are user “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” and criterion B is cookies that are “strictly necessary in order for the provider of an information
society service explicitly requested by the subscriber or user to provide the service”).
If your shopping cart cookie has a lifetime longer than the "reasonable expectations of the average user or subscriber" you may need to obtain consent. That a sufficiently vague criteria that it may not be clear if your particular shopping cart cookie requires consent or not.
> But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.
A tracking warning a login/sign up would be enough. No need to ask for cookie consent at every visit. It would just be part of the typical T&C.
> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.
Easily solved with a cookie that says "don't track". If cookie is set, don't track anything.
Shopping carts, session cookies, or any other kind of functional cookies (including the one for "do not track" saving) do not require consent, and so don't require the banner. Github for example doesn't have it.
Please, read the basics about the law before disparaging criticisms, I constantly have to educate users on HN about this misrepresentation of GDPR and Cookie Law.
> If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.
If it is crucial to provide the service or the service is explicitely requested by the user (i'd argue a shopping cart is), I think you don't need consent (see Article 5 of Directive 2002/58/EC).
The law takes these things into account just fine. It's not a cookie law, it's a tracking law, and the "tracking" isn't about the technical meaning of "to track" but about the way the data is used (and could be used).
It's not "you're not allowed to store anything about the visitor without their consent", it's "you're not allowed to track them across your site, or share that data with others, except if it's directly necessary to provide the service". That last part refers to session tokens, shopping carts, and yes, also to remembering the "no tracking" choice. If you ask a site to remember something (such as "no tracking plz" or "I want to buy this product" or "keep me logged in plz") then that's explicitly asking it to do something that in technical terms is tracking, but not in operational terms.
It's like, the EU makes a new law that makes it illegal to break into people's houses, and all the pedantic HN'ers start saying "but this is stupid! what if you lose your key? you need to be able to hire a locksmith to let you back in!". That's obviously not how the "no break-ins" laws work, and it's also not how the GDPR works wrt tracking.
If you break the GDPR, there's a fair set of warnings before you can actually get the kinds of humongous fines that the law is infamous for. This means to me, as an entrepreneur, that if I follow the intent of the law as best I can, then worst case scenario if we still get it wrong, then there's a big enough chance we're in the clear. And then if somehow we do get a warning from the local privacy authority, we learn and adjust. This is fine.
We don't need to be maximally pedantically safe. We just gotta not track people and then we don't need a cookie banner. It's great.
> If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.
These are first-party cookies as they're served by the host domain, so they wouldn't need an opt-in under GDPR. Site owners should try to limit that to core functionality, like updating shopping cart state as you navigate from page to page.
> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.
That's not how it works. The cookie banner opt-in asks if you want to accept cookies aka tracking. If you say no, no cookies are downloaded, so the site has no idea that you have visited it. So the next time you arrive on the site, it will provided the popup again, as though it's your first time visiting.
661 comments
[ 379 ms ] story [ 6239 ms ] threadIn the end we are better off with this legislation and its future iterations and additions than we are without it. The extent to which people's data is misused is simply ridiculous.
'Meddling' causing citizens to lose visibility and corporations to gain more power over data?
Correction: people should not be able to escape responsibility by saying this.
The problem is that right now people do escape responsibility for saying this because the EU is not properly enforcing these new laws.
Introducing a law and then not enforcing it has consequences, and those consequences should have been foreseen. Either the law is unenforceable due to practical constraints, in which case it's a bad law, or the EU is failing to enforce it due to inability.
Hopefully the EU starts putting more focus on enforcing its existing laws rather than creating new ones.
You have to admit that if these same people can't be trusted to follow a simple "do not track" directive, humanity is in big trouble.
But I don't think it's that developers "can't" follow a DNT cookie. It's that they won't because it doesn't benefit their employer's financial interests.
Making a rocket that lands, on the other hand, does directly correspond to SpaceX's financial interests.
Imagine if the banner said "This website is known to the state of California to cause cancer". Would you keep visiting the site?
Like if every time you went the bar, the bouncer asked "Hey, can I punch you in the face?". Would you keep going to that bar?
As annoying as the banners are, they actually aren't annoying enough to change mass-behavior.
You don’t need a banner for the data that is necessary for the service to work at minimum level. There is no role for the consent since the site won’t work otherwise.
If it even exists!
To the point: Not using a site is not the point of it. Insert "yet you participate in society" meme
How does it show that?
It shows that they prefer to get on with their day over clicking cookie banners. It says nothing about whether they agree with the philosophy of the GDPR.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The maximum fine is 20 million euros or 4% of revenue, whichever is higher. Sure, it probably won't be imposed on a first time violation, but why take the chance?
Could you imagine any lawyer advising a company against requiring consent, even if they have some cover because of a legal obligation? Isn't it much safer to deny service to those that refuse to consent?
Sure, it'll annoy the customer, but right now the customer is used to minor annoyances.
We were advised by our lawyers (a top SV tech law firm) that we should include a cookie banner in the EU even if we're only using cookies for functions like login. After eventually switching legal counsel (for unrelated reasons), we were told the same thing by our new counsel.
Either EU law covers cookie banners that use cookies for routine functionality, or it's so (deliberately) vague that even top tech law firms would rather everyone add a cookie banner than risk running afoul of the law. Either case validates PG's argument here.
1. There are users who will come to your website with specific purpose or expectation of your service.
2. Then there are users who came to website by accident and might just try out things without understanding what is happening.
The banner recommendation from the lawyers is likely for the 2nd case. The users haven't subscribed to the service with certain expectation or knowledge what is expected from them to service to provide what they want. Or they have zero expectations about the service to provide something for their needs.
For example, the login case, the group 1. probably wants to stay logged in if they came to service with expectation of personal service, which cannot be linked to the person without an account.
Or the lawyers just did not understand your service well enough and just said that put the banner be done with it. For group 2. it is unlikely that someone did not expect or want to stay logged in all the time, but that is for minority and arguable case whether is fair to assume that.
So, how did you ever expect the lawyers not to recommend adding the banner? That's like going to a plumber and ask them if you should DIY or not some installation. Of course they're going to recommend you get a professional...
Thankfully we have EU institutions to protect us from these evil companies. But somehow the EU institution websites all have cookie banners too.
Let's say you make a law to reduce working hours from 40 to 37 hours except in "emergency situations". Now a company will force employees to sign off on "emergency situations" every week or they'll be fired. They're clearly not complying to the spirit of the law? Is it really your fault when you make a law like that? I'd say only to some degree, the people trying to abuse every loop hole are much more responsible in this case.
Companies using dark patterns, hiding the "reject all" option behind an additional click (which even is illegal) and even trying to collect all data possible are much more responsible than the EU's law. Oftentimes they are collecting data just because, not even thinking about it, because they'll add GA to their WordPress site without even looking at it or whatever. That cookie banners have become the standard around the web is sad because it just shows how much everyone is trying to track you.
I can't really comment on what the lawmakers foresaw or intended, but I'd argue that cookie banners are actually a) good, and b) the fault of companies who can't imagine a better way to treat their users.
The reason I think they're good is that they cause a psychological nuisance to users of software which doesn't go out of their way to do them well or avoid their necessity. Over time I hope this will tend to cause an association in users minds that sites with cookie banners are somehow seedy or unscrupulous, like pop-up ads.
So legislators do expect such a struggle, and the shape it takes may be partly their fault, but it's clearly not all their fault. The more power the private interests have, the more likely they are to find some way to fight the regulation. They will certainly do everything they can to convince the public that the legislators are bad at regulation.
In this particular case, however, websites showing banners are also harming themselves as their competitors now have an interest in not showing banners and offering a better experience -- i.e. the regulation makes it worthwhile not to display banners in competitive situations. So we'll see how this all turns out.
If nothing else, at least now people know just how much they've been tracked. One can only hope that this increased consciousness would help people to choose services that don't track people. For example Hacker News doesn't need tracking cookies nor a cookie popup, and it seems to be doing just fine, even in terms of the law ;)
Edit: to those downvoting, yea, it’s agreed that tracking is bad but the tone of the article completely ignores that a lot of the web’s content depends on this model so if it “just didn’t track” a large swath would no longer exist.
That’t not "doing sketchy shit with people's data"
I can’t believe how many people have bought into this EU regulation hook line and sinker. It’s ridiculous, imagine the man hours that have been wasted in the last 7 years just clicking cookie bars. And as OP says, it’s completely unrealistic to not have them.
For instance the website selling ads has every reason to inflate view and click count numbers, the ad buyer has reasons to diminish those numbers. In fact if you measure an honest pipeline it is going to look that way because some people drop out at each stage.
One reason you have 87 trackers on a typical web site is that many sites and advertisers figure if they have a large number of trackers they can’t all be wrong.
Site X could show ads to users just fine without third-party cookies but then advertisers would not be so sure about the stats.
> Site X could show ads to users just fine without third-party cookies but then advertisers would not be so sure about the stats.
Feels like 99% of people would prefer this. Maybe advertising becomes less effective, but it may actually become more effective if it leads to more ads being visible since they are no longer ad-blocked.
So you need to tell people you are doing that, so they can consent.
You think it’s some sort of choice you have between being tracked or not, but it’s not, it’s between having a fairly decentralised internet or not.
And unfortunately with recent google SEO changes almost all small blogs at this point have been wiped out. Googles own properties, Reddit and Quora, and large websites like NYT and CNET are the only websites left in search rankings.
Selling my personal info to external companies so that they can manipulate me easier is sketchy in my eyes if I don't consent
What? What are you even talking about? Google does not sell your personal info. You’re delusional
Turns out you were the uninformed one. From the context through parent posts you can clearly see this was about a website using google adsense and by that, the company sells my info to an external (google) which then tries to take advantage of me to extract money from me.
That is what I am talking about and I think this was clear from the previous posts. I think you owe me an apology
This is not how it works. You might not be medically delusional but you are saying things that are not true.
Of course it is. If you add AdSense to your website you are letting Google track your users in exchange for a cut of the profits. Of course you should have to warn your users that they are being tracked at the very least.
But I agree, taking advantage of me telling you personal info by selling it to externals is unfair without consent
You say this like it's a bad thing...
Companies with tons of hidden fees decide to keep them but force you to read all the fees on every page of the menu before you can see the rest of the text, in the most annoying way possible, and promote the idea that the issue is not the extravagant fees, nor the fact that the companies hide them before and had to be forced by law to warn you about them, no the problem is a law that force them to tell you what you're getting into before it's too late !
That's, essentially, what's happening. And we have people complain that companies need to display their fees.
On this issue in the group that complain about the cookie law there are some people who are very wrong on purpose because it's in their interest, and some people who are very wrong because they genuinely don't understand the position they're defending, complaining about being made aware of the fee, instead of the fees themselves or the fact that the companies hide them if not forced by law.
To each their own belief about which category PG fits into.
Not only that, I'm not an EU citizen and I'm not browsing websites based in EU but I'm still bombarded with cookie banners non-stop.
Again, that's the fault of the companies putting those up, they could make it opt-in to collect your data, they could just put a small notice on the footer with 2 simples links "Accept all/Reject all". But they chose, they decided to pester you with those banners as annoyingly as possible to make you have exactly the reaction you're having.
Please don't do this on HN.
That being said, all the dark-pattern banners actually break the law. The problem, if anything, is lack of enforcement of the law.
Come on. Be realistic.
do you think the same thing about laws against murder?
about fraud?
This criminal uses murder! If you continue to interact, you consent to being murdered.
Murders you anyway
Laws are not borne in a perfect state; very much like programs, sometimes you need a few versions to see how the system actually works in practice and fix a few bugs. The fact that v1.0 has such bugs is not a good reason to just give up, nor it's an indication that the programmer is bad at programming.
All companies? Every single company with a website even if without any trackers or ads?! All companies are evil and the single law that triggered their evil behaviour is good. Sure. Ever heard of Occam's razor?
> All companies are evil
No, but many, many companies are sociopathic assholes that exist just to make a buck. Otherwise we wouldn't need these laws.
(Thanks for the site though, Paul)
it's also generally an indictment of the modern neoliberal regulatory approach in general. asking people nicely to follow train safety regulations etc isn't going to get you results. even fines/penalties largely end up just as cost-of-doing-business (even in the EU). if you really want behavior to go away, make it illegal and give people at the top Sarbanes-Oxley-style legal culpability if it happens on their watch.
again, if you want to know the right way to set incentives so that people don't do a thing, you need only look at the way rich people want their money handled. you can bet that ripping off rich people is an ultra-mega-crime and doesn't just get a 1%-of-the-takings slap on the wrist. And lo and behold SOX does actually hold important people accountable as a result, not just some fall guy at the bottom.
On your second point, that is again a choice of said companies, not a problem with the law. The GDPR has proven very well that if they cared, they can segment who is affected or not, and not just big tech lots of random local news site and the likes are doing it just fine.
So again, you're aiming at the wrong culprit.
Middle managers absolutely love anything with charts and graphs because it makes their decisions feel more scientific. That's why they want tracking software included on their websites. And if the law requires disclosure then a cookie popup is the solution.
Germany is a bit litigious w.r.t. internet or privacy, so the combination---cookie consent---is a doozy. Nearly every German website that does anything will have a consent notification, and the slightest misstep (e.g. using Google Fonts without asking permission) can be punishable.
Our US based legal team told us we needed a cookie banner if we were going to have visitors in the EU. I pushed back, but I lost, and ultimately it's not my fight.
It's a battle to get them onboard to not taking the safest possible approach, so you only want to fight that battle when it's a kingmaker of an opportunity.
you're right, I said third party, but I actually meant tracking. I actually went and checked, and our only cookie is the cookie for if you've seen the cookie banner or not...
> Consent may be required even if there are no cookies at all.
For what?
This actually makes sense - because if you didn't have the cookie banner then some fucking weirdo would come to Hacker News and make a self righteous post about how you're "tracking residents of the EU without their consent and abusing them" (even though you're not). Instant karma. Next thing you know these weirdos and their mob are reporting you to their government and you're dealing with government inquiries and more legal expenses trying to prove your cookie-less web 1.0 site doesn't "abuse people."
The banner placates them.
You may use "legitimate interest" cookies/tracking without saying so, but as soon as you show a privacy dialog you actually have to disclose everything you're doing including legitimate interest.
Basically by having a list of what youre're doing with your user's data you're giving up your right to do anything not listed.
GDPR actually doesn't specifically mention cookies at all. Tracking is what's illegal, not cookies.
Let's say you keep website logs with IPs on them, and you do analytics for non-essential purposes. You can do this under GDPR, but you must gain consent from the user before logging this PII.
It actually is completely and totally orthogonal to cookies. Some cookies are fine without consent. Some things that are not cookies are illegal without consent.
They probably won't tell you that, tho.
Managers and everyone else can have charts and graphs without retaining personal data.
The processing of personal data prior to anonymisation to turn it into aggregate data, that part needs protection. But you can do it in a variety of ways that don't require personally invasive tracking.
I live in Europe; I don't experience this "nightmare". Would you care to expand?
Now I am not saying the US doesn't have a problem. They just don't have GDPR and most website don't ask you for any permission to track you. So the experience is generally smoother (with the occasional tracking popup).
Ideally there should be a way for me to broadcast my willingness to share my data and not allow dark patterns to try to change my opinion. But the GDPR does not cover that and allows websites to drive you crazy until you click "YES, Track me"
This is not my experience. Perhaps the websites you favour are exceptionally abusive.
> a way for me to broadcast my willingness to share my data
That's the opposite of what most people want to broadcast.
> But the GDPR does not cover that and allows websites to drive you crazy
Apparently your view is that GDPR should not allow that, i.e. it isn't strict enough. I'm inclined to agree.
[0] https://community.mozilla.org/en/campaigns/firefox-cookie-ba...
The post is dated 2022. The feature became generally available in v120. Stable is v123, so it is available now. It's gated, so you still have to enable it as described in the post.
Source: Living in Europe
The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking are having to click away an annoying popup, and think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.
The you should doubly blame the companies, because that's what do not track was for, they're the one who decided to make it not work that way and instead being ignored and not considered a valid option for the law.
> think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.
You don't need a cookie for that, and what GDPR has told us is that we're not talking of that but about dozens or hundreds on every major sites so trying to frame it that way is disingenuous.
A few of these cookie prompts during the day and they'd be able to tell everything from where your kids go to school to the kind of prn you prefer to watch on weekdays and everything in between.
This is how ad companies can sell premium views, don't show cosmetics to men, increase car related ads to people who has watched other car related ads and so on.
There's no such thing as server-side "private browsing".
It's really not. They already could do all that before cyberstalking was normalized. It's called content-based profiling, and it doesn't require any GDPR consent.
The example about "show more car ads to someone who watched other car ads"? It's not about showing car ad on a site whose content is about cars (or where the site owner decided they like that kind of thing).
It's about knowing you have wandered over to car comparison site recently so they can show you car advertisements when you look up sports news, show car-related merchandise when you're browsing some shopping site, show you insurance ads, etc.
And aside from that, I think it should be much more expensive to say sorry than ask for permission. In my world a firm like facebook should not have any right to exist, they earned it. Fine them to oblivion just like I would get a long time behind bars if I wouldn't do my taxes right.
Is this something that's kept secret in European society?
If someone told me they knew where my kids went to school I wouldn't be surprised, it's sort of dependent on our address which is in the phone book.
Is counting visitors all that sites are doing with tracking info?
They're not selling it to ad brokers, insurance companies, governments? They're not matching your name, address, and phone number with your web activity (including sexual interests, "anonymous" embarrassing stories, health concerns, etc)?
I agree that wanting to know the number of visitors is benign and it is not abuse.
But saying companies should be allowed to track me (for whatever purpose) across the web without my consent is also pretty ridiculous.
https://arstechnica.com/tech-policy/2021/07/facebook-adverti...
They have so many "partners" that their cookie popup comes with a search bar.
56 of their "partners" want my precise geolocation data!
16 "partners" want to actively scan my device!
101 "partners" want to "match and combine data from other data sources" (I can't disable or object to this)
102 "partners" want to identify my device. I also can't object to this.
The only way I can really object is to close the tab, so that's what I do.
Isn't it too late by then?
People should have a default expectation that if they give their personal data to companies then it will be recorded. And if they don't want cookies then they should disable cookies. The EU's regulation hasn't revealed anything that is useful to know about.
What does it say about the relationship between businesses and consumers that the first response to this bad behavior is to shout "look what you made them do!"
Seemingly it is everyone's fault except the bad actors themselves.
I've seen this attitude from tech people, too, so it's not just a matter of tech ignorance or illiteracy.
It’s an inconvenience to people who care about privacy and use browser configurations that don’t store state between visits.
So now in an attempt to protect regular users, the law ended up hurting users that already cared.
Additionally, the shadiest and incompetent sites still just track people with no cookie banner. So the law doesn’t really provide protection against uncooperative parties, whereas privacy technology does.
Fair point about the banners mostly "hurting" users who care about privacy (but, really though- how much does it really "hurt" you? I'm "hurt" more by the fact that I have to fold laundry several days a week).
But, I take major issue with you saying that the LAW ended up hurting users. Companies are under no legal obligation to make those banners as obnoxious as they are or with so many dark patterns (I sometimes don't know if I'm even enabling or disabling tracking with the way they word it). That's squarely on the web site owners pulling that nonsense.
> Additionally, the shadiest and incompetent sites still just track people with no cookie banner. So the law doesn’t really provide protection against uncooperative parties, whereas privacy technology does.
I agree that the only/best way to protect yourself is via technology and not by relying on people obeying the law.
However, if this is also an argument against having the law, it's an incredibly weak one. You can apply that logic to argue that NO laws are effective. People still murder even though it's illegal- must be a bad law, no?
Actually every single lawyer we asked about implementing GDPR advised us to have one of those obnoxious banners. Because the law is so ambiguous and the penalties so high that is better to play it safe. And we have no ads nor tracking at all on our product website.
You can ignore your lawyer's advice if you want, but it's a bit like a lawyer office ignoring my data security and backup advice: assuming a huge amount of risk.
Frankly, I doubt the veracity of this anecdote. But even so, I'm willing to bet that the lawyers in this story did not tell you that the banners have to cover half the screen and have ambiguous wording to intentionally confuse visitors to your site. When I say "obnoxious banner" I'm not being redundant: not all banners or popovers are "obnoxious".
Or are you in the peanut gallery willing to believe that there is some conspiracy where all websites have suddenly decided to obliterate their user's UX when GDPR appeared just because they are evil?
I live in the EU and I can tell you: ALL banners/popups are obnoxious. They ALL get in my way when I want to do something entirely different. As a (non ad/user-tracking) business I would never afflict them on my users if I had a choice.
The productivity loss here in EU since the GDPR would be staggering - if there was much productivity to begin with, of course.
Some of these bad actors actors with annoying cookie banners:
https://gdpr.eu/
https://european-union.europa.eu/
https://www.europarl.europa.eu/portal/en
this is not true. It's just that most people are powerless to fight against the dark pattern onslaught.
So yes, I do blame the government as I would be fine returning to the prior state.
Absolute dreams.
The biggest problem with online advertising is not tracking users. It's a lack of trust between advertisers and pretty much everyone else. If you're going to pay for an ad, you want to be sure it was seen by a real person. I'm not sure that's the concern any more because click-through is more important than "seeing" an ad. Regardless, the goals are to make sure it's easy for a given advertiser to get on many web sites, easy for a site to get ads, and also possible to prevent fraud since there will obviously be multiple parties involved.
I suspect tracking users was an offshoot of just verifying that users were real to prevent fraud in the ad world. Not saying any of it is OK, but it seems like the way to prevent tracking is to find a way to verify authenticity while also preserving privacy.
And that would be fine, as long as Swift was willing to pay for it. But the tracking and personalized ads thing was a numbers game; personalized ads have a higher conversion rate, thus are more valuable, thus we need data to personalize ads.
So now we have this situation where providers were trained to play the GDPR in such a way that they will never have a problem, no matter what they actually do with the data.
And consumers are pissed because they are made to sign things which essentially reduce their rights...
And if someone (like me) thinks the EU did a half-assed job there, the downvotes rain in.
But not as much as you might think. Consent under GDPR only applies to what you were informed of when you consented, and you're allowed to revoke consent (with prospective effect) at any time.
I call upon all German users of this website to write to their MPs! Obviously the German civil service is a bad actor! The German deep state is plotting to discredit our beloved eurocrats and must be shut down! Den Sumpf trockenlegen!
I understand the joke you're trying to make but you clearly don't understand the relation between germans and privacy/tracking regulation to think this makes sense.
And I only picked Germany, because it's one of the few EU countries where stuff like that is rigorously enforced. In the rest of the EU, everything unrelated to the common market and/or getting money from the EU is at best haphazardly enforced.
If you want to, check out france.fr, a website maintained by an agency of the French tourism ministry. (After disabling the 3 dozens of annoyance blocking extensions everyone must use nowadays, of course.) What do you see?
A giant cookie overlay. Égoutter le marais!
No such thing anymore, unfortunately.
Why do I need to be "consuming corporate propaganda" when I just hate that I need to dismiss banners on every news website, when I didn't have to before the regulation?
I don't care about being tracked. But now that all websites need to cover their asses in response to regulation, I'm forced to figure out which button I need to click on to read content, and these websites don't even appear to save my preferences whether I agree to be tracked or not.
Objectively, the outcome of this regulation is that my experience is worse. Are the companies bad actors? Sure! Sounds like the EU should account for companies' bad behavior instead of forcing the internet to be more annoying.
It's important to note that we didn't have to go through the banners after the law, either. We only had to go through them after website operators intentionally picked the most disruptive and annoying popup to serve us. We can blame them. They chose to add it when they could have legally not added anything at all.
It's like the situation described here: https://news.ycombinator.com/item?id=39742766
> The experience you describe is the fault of websites which chose to make things that way.
I don't disagree. But they were less annoying before. So make them go back to being less annoying.
> make them go back to being less annoying
That is a request between you and them (the websites), unless you're talking about legislating a banner-less opt-out, or maybe just willing to file a complaint against the website with a data protection authority, if the banner is already illegally annoying.
Websites have the right to annoy their users with cookie popups, with or without the GDPR (ironically , the GDPR actually has some protections here, websites simply break the law). Unfortunately, it seems many are choosing to exercise that right because they make money doing so.
Your right, the experience got worse.
But the underlying point is there two ways this could have gone. The GDPR simply mandated that if companies track you they have to get your informed consent. So one way it could have gone is companies didn't track anonymous users.
Notice this doesn't apply to non-anonymous users. By definition once you've logged in you've revealed who are and agreed to a far more onerous privacy statement. So one way companies could comply is just to make you log in to see some content (and track you that way), and not bug you otherwise.
But they didn't go that way. They insist on tracking you regardless. Perhaps you don't agree, but I find this even more annoying because I install tracking blocking extensions and that breaks some sites. To me the world would have been a much better place if they had just gone along with the intent of the damned law and not tracked people who are try to remain anonymous.
To be fair it's not so bad. Firefox dismisses the cookie banners for you [0], and I have extensions that block the worst of their effects. If you are using a browser from an ad company and are complaining about cookie banners (which almost to the man use a deceptive UI to encourage you to accept them all so the ads work better), then I don't have a lot of sympathy. Me rejecting as many cookies as I can then blocking their trackers the worst possible outcome for the web sites trying to garner some ad revenue of course, but shrug, the industry could have acted in good faith, and didn't.
[0] https://community.mozilla.org/en/campaigns/firefox-cookie-ba...
The proper way to have done this would have been to go to the W3C or WHATWG and proposed an extension to HTML for sites to define an opt-in manifest or something similar.
We're a pathetic lot.
The real nirvana, IMO, would be better sandboxing between sites.
At a time a solution appeared with "do not track", and we ended up with the industry making sure it was as toothless as possible, opt-in, and google pushing hard to control the browser market.
It is not about cookies.
Are you a lawyer? Are you willing to assume the liability I may incur if I follow your advice?
Cookies that do not require consent [...] or authentication cookies (when users authenticate themselves on your web site to log in in order to check online services such as their bank account).
"""
https://europa.eu/youreurope/business/dealing-with-customers...
If you are worried about GDPR, by far the safest is to just not collect personal information.
A few things not allowed under GDPR:
1. Analytics
2. Third-party resources like fonts or JS libraries
3. CDNs
4. DDOS protection services
And I am sure I am missing many more. I am not a lawyer, but I worked with a few.
What you can’t do is trick the client to download something from a third-party source which then spy on the customer.
[1] https://github.blog/2020-12-17-no-cookie-for-you/
The further we take this analogy, the more strained it becomes.
Yes, it's natural to use a cookie to track a session; this is a mechanism invented for that purpose. It's much less natural to share this tracking information with third parties, especially along with a record of your purchases or other interesting actions.
But ad revenue is much harder to obtain without targeting and thus tracking. And a lot of places depend mostly on ad revenue.
This is another case of "buy now, pay later" pattern, stretched to "take for free now, pay in loss of your privacy later". In a funny enough way, many people don't value the information they get on many ad-supported sites as highly as the marketers paying to grab their attention, so simply compensating by adding a subscription or one-time payment to go ad-free sometimes does not even work; the more generic / "doom-scrollalbe" the content is, the worse it works.
But I suppose that was just an example you picked to illustrate the industry's malicious compliance, and not the main point, in which case fair enough. :-)
If the total price of the website without the secret costs of tracking were presented upfront, it would be less of an issue.
There’s a law in California that says that businesses which have chemicals that might cause cancer on the premises need to let people know. That’s great but the levels they set turn out to be lower than what you can feasibly test for and as a result all properties pretty much just put up the signs that say “there might be chemicals here”. The warning is useless and annoying because of market forces which is another way of saying the law incentivized the behavior that occurred.
For data-harvesting companies users are like livestock, and nobody cares about livestock's opinion. It only matters how much value can be extracted from users, even if it's annoying, misleading, and relies on dark patterns.
I used to think this was just an education issue, that people just didn't understand the implications of privacy concerns on the web. But I no longer think this is the case. I think people do mostly understand, and just do not consider this a priority.
We have other more precise words to describe that action. I asked ChatGPT what those could be, here's its answer:
Why not a real regulation then to get rid of hidden fees and heavy fines/jail time for companies that are found to be doing it?
PG's argument (I hope) is that there is no point in talking about "regulation" and "customer protection" if companies STILL get away with their ridiculous and hostile practices.
There is no customer benefit in having user data collection and tracking. Companies do it only to exploit you. Even the usual BS excuses ("oh, we need user data to customize the experience") could be done completely in-device.
I don't want regulatory bodies to just give more hoops for other companies to jump. They will jump it anyway, because it is profitable to do so. What I want is for regulatory bodies to effectively stop predatory practices.
What I think we are missing is a browser option/API that lets the user choose the acceptable tracking level. Similar to the do not track header but more fine grained.
As we are missing that, extensions are doing a good job ATM
https://chromewebstore.google.com/detail/consent-o-matic/mdj...
https://addons.mozilla.org/ro/firefox/addon/consent-o-matic/
I found pretty late about Consent-o matic and it saved me a ton of time handling banners. It's exactly what we should have built-in the browser.
- it's not really a user choice when some browsers set it by default and therefore ignore it
- it's set globally for a browser but a user might want to give away their privacy to my specific site
... and show the banner anyway
Imagine you walk into a restaurant and they hand you a paper that details full allergy information for all of the foods they serve, and then they wait for you to say, "I consent to these ingredients being in the food," before they can seat you. I think that's a closer analogy. We can all agree that the restaurant shouldn't hide that information from you, and that some minority of people might want the information, but do we really have to add this inconvenient step to the process for all people? The current real-world system, where allergy information is available upon request, was working fine.
There are some things that everyone cares about and would be appalled by, that businesses should have to inform people about, and many things that a small minority of people care about. Why stop at cookies? Maybe we should mandate a popup if the website's server infrastructure was manufactured abroad, and another popup if the company that runs the website has higher than average carbon emissions, and another popup if the food in the food court that serves the headquarters of the company that runs the website is not kosher. The lobby of people who care about cookies is of similar size to the lobby of people who care deeply about binary size and about running JavaScript. Should there be mandatory popups to execute JavaScript? If the website is >10MB, should I have to consent on a lightweight page before downloading it? How do you determine which activities warrant a popup warning and which do not?
The principle seems sound, but the EU is deadlocked over reforms to create some extra exemptions, e.g. for security scans/mandatory updates, or privacy-respecting audience metrics. EU regulators are already sort of turning a blind eye to those, so it's fair to say the EU isn't great at regulating - it's not fixing what society mostly seems to see as bugs/overreach in the original (now decades-old) law.
[0] https://en.wikipedia.org/wiki/Do_Not_Track
[1] https://dig.watch/updates/german-court-affirms-legal-signifi...
https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A...
And the GDPR's subsequent entry into force created the current emphasis on how actively (and individually) you need to consent to things, and how much you have to be told about them first. Stuff like "clicking anywhere on this site, tells us you consent" was a lot more common, pre-GDPR
So it is a responsibility of the browser vendor to implement this.
The Cookie banners aren't from the browser they're really from the site.
That said, it seems fair to require the browser vendor to implement it. The browser is the one that exposes a method to store data on the machine (ex. Cookies, LocalStorage) so it seems fair that they should know the user wanted data to be stored.
Which is basically the case here. Almost all websites make money through ads, or at least keep logs of user activity to help them optimize their website, and that's not going to change, so the EU's boneheaded regulations make the customers suffer a little extra.
most sites using tracking are providing you something for no monetary cost to you, instead by showing you targeted ads
Welcome to my new insurance company! Thanks for requesting a quote (it's free! the quote, not the insurance), my agent will swing by to install a GPS chip while you sleep. We're not doing anything malicious with it, we just give you call whenever you're within 5 miles of one of our locations. We'll put it in the bin the vehicle manufacturer conveniently installed for us to hold all the trackers grocery stores and shopping malls use to offer free parking, which you can of course empty out at any time (it's clearly labeled once you remove the oil pan).
What's this, a shopping center now asks before installing a GPS chip on my car (but still somehow offers free parking if I decline)? How inconvenient!
The EU regulation does not prevent ads from being shown, it specifically targets tracking. No tracking > no banner > everyone is happier > go ahead and show all the ads that are required.
The incentives are on both sides to to one-up each other without tracking - hosts by inflating visitor numbers, advertisers by disputing that.
In a perfect world ad(wouldn't exist i know but bear with that) companies would pay X/month for site with Y visitors, where X depends on Y. No need for tracking, and roughly over multiple sites and multiple months it averages out.
Not enough conversion rates(risk for ad company - they could pay less)? offer lower rate per visitor next period. Site gets spike in visitors(risk for host - they could charge more)? report higher estimated Y for next period.
What we got instead is an insane tracking infrastructure that costs way more than any possible profit gained for both sides. It's not even profit - it's avoiding being 'scammed', avoiding risk.
Remember that all that tracking bullshit started before targeted advertising was mainstream and widespread. It all started with bots and inflated click numbers, and inability to accept risk.
Tl;dr banning targeted advertising won't remove all tracking bullshit
I'll take regulated market over unregulated one though.
it's much simpler for both sides, no crying about bots, etc.
of course it's not great if you want to target Putin et al. ( https://www.wired.com/story/how-pentagon-learned-targeted-ad... )
ad networks can simply send out banners to sites for time slots, and that's it. do you want to advertise healthy food? send it to yoga sites (insert it on #yoga hashtag profile pages, insert it after videos/snaps/tiktoks/reels that the AI categorized as yoga, etc.) ... it's called item-to-item recommendation (use the content of the page - as it was done for - again - decades)
it's perfectly possible to ban and remove tracking bullshit
your solution here just makes ads less valuable, which isn’t a win for advertisers or sites. if you can remove tracking, and still allow targeting, then you’ve hit gold. short of that you won’t find meaningful buy-in.
After all the current implicit user profiling and targeting is already not a 100%. Many people use adblockers, many devices are used by more than one user, etc. (In this day and age we are still baffled how Amazon/Google/whatever advertises us - for days - the same fucking thing we just purchased yesterday. Of course, because based on their model it's still the most likely thing the user might buy or click on, etc.)
Google seems to be already moving away from individual profiles with FLoC - of course they still want all of the data to be able do dynamically allocate users to cohorts (to maximize their profits).
And this is why Tiktok and Instagram just went ahead and are now doing direct sales. (They put a link on the video overlay where the user can go and buy whatever shit the video talks about.)
> isn’t a win for [...] sites
this is something that a lot of people are pushing back on, because their claim is that we need some slack in the system for sites to be able to pursue their own creative vision (however lame, banal, mundane, or seemingly useless it is). before every click was tracked it was okay if some article (or video) underperformed, because in general the advertiser got the increased sales (or brand awareness or whatever they measured)
Many of us are old enough to remember untargeted ads, and pretty much all anybody saw at the time as an ad for cialis/viagra. 14 year old girls, 25 year old men, it didn’t matter, clearly you’re in the market for ED meds. this is a regression and i’ll take anonymized profile data over seeing completely irrelevant ads.
One thing that stood out to me from your post is this
> Many people use adblockers, many devices are used by more than one user, etc.
adblockers see no where near the adoption you seem to think, as it’s not many users, it’s a very small minority. and most users in fact have their own device and have for some years now. you seem to be detached from reality.
exactly. let the user decide. that's why it's out to be opt-in/out.
> you seem to be detached from reality.
I'm simply stating factors that are not insignificant compared to the difference we are talking about.
the policy discussion starts with cost-benefit analysis of "implicit profile-based ads" vs "alternative ads", and I'm simply stating that there are already many factors that ad networks consider.
FB/Meta rolled out Advantage+, which is a machine-learning-based full campaign optimization system. (The advertiser uploads many banners, and Meta tries all of them for various target groups, and learns which one to show for which users.) ... and it did all this because of Apple's ATT (app tracking transparency)
It sounds like that's a natural outcome of the point of the law in the first place: people felt that, for too long, tracking has extracted too much value from them without their consent.
Whether a website "buys in" to complying with the law is of course a risk analysis they can conduct for themselves. Neither advertisers nor sites are entitled to a "win" here.
I could ask permission and delay, or I could just capture the data and run experiments or A/B testing. You should also learn that nobody knows everything, and saying something isn’t required usually is just showing your own ignorance as in almost every case you’ll come across you will find at least one valid use.
What are you learning from users' personal data that changes how you do this? Shouldn't your site be accessible, regardless of usage?
> We are also committing that going forward, we will only use cookies that are required for us to serve GitHub.com.
A few pixels further down, on the cookie banner:
> We use optional cookies to improve your experience on our websites and to display personalized advertising based on your online activity.
I guess now we finally have a rule-of-thumb figure for what "going forward" means: 3-4 years, tops.
Doesn't require tracking of individuals.
> or at least keep logs of user activity to help them optimize their website
Doesn't require tracking of individuals.
If I order something from an online shop, they don't need to have a banner in order to take my name and address to post the item to me - that's fully expected and reasonable. They do need my consent if they want to use that to post adverts to me though.
Only if you maintain your own ad inventory, instead of using Google/Facebook ads like 90% of online advertisers do. And neither of those platforms work without installing their scripts on your site.
After all, Google and Facebook still show ads if a user doesn't consent right?
I bet they'd add that option in a heartbeat if people would leave them otherwise.
The scale of this kind of thing is ridiculous. Opening a basic news site and I'm asked to consent to my data being taken and used by 750 companies.
Building a house doesn't require powertools, but if your company tries to do it with handtools we'll see who goes bankrupt first.
Analogies can be pithy but are rarely useful as an argument. Talk about reality.
I am sure the construction sector is overflowing with grumpy people who feel like aspestos is the best form for isolation.
How dare they!
</sarcasm>
Just because you made money of it, it doesn't mean it is right.
Honestly I think most people see it this way, even if it’s an unpopular stance in some tech circles.
Right now, it's just irritating for the average person and slightly inconveniencing those who actually break the rules.
This is the same situation with the cookie banner regulations. If the goal is to eliminate tracking, then making tracking illegal is the straightforward path (or make "do not track" actually mean something legally). Otherwise, ignoring it might be better. Implementing a policy that only frustrates the general public without effectively addressing the problem is not the right approach.
This is what the OP cannot understand.
EDIT: To the downvoters - I don't think you understand what the purpose of the downvote is on this site.
They would be a LOT less frustrating if:
a) they were standardized — they currently add a hefty cognitive load while parsing them, deciding which action to take, etc.
b) they worked properly — I would say, more often than not, they 'forget' the previous setting. I should never see a cookie popup on the same site twice unless I clear my browser settings.
As an aside, it's supposed to be as easy to decline as to accept; so if you give a 1 click 'accept all' then more than that (whether two or dozens) is unacceptable.
- bright red or green “OK” button that opts in to all tracking
- muted “save settings” button
But aha, gotcha, the default settings still have a bunch of tracking enabled, so you have to uncheck all of those, then remember to press “save” and not “OK”.
In the worst ones there’s an artificial delay when you uncheck one of the third-party boxes, as if it has to file a form in triplicate for the unusual request of not immediately sending all your account info there.
If you don't care about tracking, ok. But some do. The EU tried to cater to both audiences which I think is fair. Turns out most people that did not care about tracking would also not consent when they are asked about it specifically and there are no immediately perceived downsides visible.
And therein lies the false premise that makes the whole thing absurd.
Most people have no idea what "cookies" are, don't understand what difference it makes when you reject them, and are never going to learn - and we shouldn't expect them to! Leave the technical stuff for the programmers.
The cookie law only makes sense if you think that there's any significant overlap between "people who understand what cookies are" and "people who need help with internet privacy", for which I refer you to the Venn diagram in this comic: https://churchm.ag/eu-cookie-law-history/
If companies wouldn't try to frame the whole thing in technicalities, it could be a simple popup listing the features on the website that need sharing personal info and users could turn that off.
On the other hand, nobody is entitled to free content on the internet. Hopefully people will become annoyed enough that they will stop visiting the sites of data exploitation companies altogether.
And while the main visible results today are bad (cookie banners of various levels of annoyance) it is bad mostly due to existing dark patterns and encourages changes in the right direction. Will those chances come and, if so, when, is to be seen. My 2c.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...
The relevant part:
> Article 5
> Confidentiality of the communications
> 3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
If you want to argue that companies have a legal alternative to showing you cookie banners, then by all means do so. But don’t say there’s no law because there clearly is. This is a misleading and inflammatory headline.
Edit: Yes, I read the article. To draw a distinction between “must obtain consent” and “must show UI that obtains consent” is of no value unless you want to write an article with a shocking headline.
It is amended by Directive 2009/136/EC, which changes especially the cookies part.
> (66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
If you read the exceptions part, you know that you don't need a banner on strictly necessary case.
If the functionality explicitly requested by the user -- e.g., logging in, or changing the default language or currency, or what-not -- no consent is necessary to keep cookies. Cookies are only necessary for things the user didn't implicitly ask for, like tracking.
>there is no cookie banner law
There definitely is. The article explicitly states this:
>you need my consent when you want to track me
"tracking" here means storing data:
>store information in a visitor's browser is only allowed if the user is provided with "clear and comprehensive information", in accordance with the Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given their consent (wikipedia)
The actual directive also explicitly states this
>consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website (32002L0058.17)
Yes, without any consent. For instance logging in a site, doesn't require the warning.
If the cookie law was written properly then it would have just been a browser setting that had to be respected and this whole thing would have been completely transparent to the end user and they would have benefitted by default.
Instead through incompetent government employees we now have cookie banners for the rest of eternity on almost every site and they're not even standardized so worst sites like where journalists publish can have more and more obtuse ones.
GDPR's Article 7 [0] is very clear:
> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. [emphasis mine]
[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...
The enforcement/implementation of a law is so deeply entwined with the text that it's deceptive to separate them.
If a law is written in a way so as to make enforcement hard, or if the government doesn't have the resources to quickly and consistently apply it, then it's a bad law because it enables weaponized targeted/selective enforcement of a new law that wasn't present before.
> a lack of resourcing to quickly enforce laws makes those laws bad
Is true, and you haven't refuted it, only used the emotionally manipulative phrase "bad faith argument".
You literally say it's "deceptive to separate them". The whole POINT of modern governance is to separate them.
Saying legislature is writing "bad laws" because the judiciary may or may not have the resources to enforce is to necessarily subjugate the legislature to the judiciary which violates the principles of separation in the first place.
There are countless examples of legislation that does not get litigated due to political or other pressures on the judiciary. Your argument would require that the legislature lie down in those cases. Perhaps that is your preferred order of the world.
But in a modern, principled government, the entire principle is their separation and independence. Suggesting otherwise is to lean into autocracy, whatever your motives.
This is wildly incorrect. The point is not separation - that is obviously stupid and pointless. The point is maintaining checks and balances on the power of the government, and one of the (many) mechanisms is through separation.
> Saying legislature is writing "bad laws" because the judiciary may or may not have the resources to enforce is to necessarily subjugate the legislature to the judiciary which violates the principles of separation in the first place.
Again, incorrect, because the principle is limiting power, not separation of powers test for its own sake. Not passing laws that can't be correctly enforced is not a violation of that goal or the strategy of separation of powers.
> There are countless examples of legislation that does not get litigated due to political or other pressures on the judiciary. Your argument would require that the legislature lie down in those cases.
Nowhere did I say that or does my argument imply or necessitate that. Being unable to enforce a law due to lack of resources is categorically different than political pressure. You're intentionally misinterpreting my words
> But in a modern, principled government, the entire principle is their separation and independence.
This is your own projection of what a "modern", "principled" government should look like - which, as stated before, is obviously stupid and pointless. Separation is not a virtue - it's a means to an end. You may want to consider reading the US Constitution to see this in action.
Regarding the link you posted, they have a banner at the bottom saying:
> We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. [Ok] [No] [Privacy Policy]
My understanding was that such an implicit consent ("we will assume that you are happy with it") is not legal so I find it a bit surprising to see it used on a website dedicated to the GDPR.
"Prior to giving consent, the data subject shall be informed thereof."
Means there must be some sort of a cookie notification (which could of course take a small space of the screen, but still).
The existence of this notification makes it easier to initially give consent. If withdrawing later is to be as easy, the notification must never disappear.
Clearly, national prosecution authorities can't be arsed and we don't have enough citizen-activists filing strong lawsuits.
In an ideal case, if it was just a law, a simpler wording could be "you are allowed to collect anonymized data, but not monetize/share it without permission from users. We may ask you to furnish proof that you havent been doing that at times, failing which you would face massive fines (as %age of revenue whatever)."
Problem is collecting basic anonymized usage data[1] is needed by companies to improve the product, provide a better experience, detect misuse. They bundled those use cases with everything else meaning the law was too broad and we got cookie banners given every site needs basic analytics. On flipside, worst is that most websites use Google Analytics, so they might have had to display the banners anyway.
[1] Moreover, it's vaguely worded so we companies do not know if they have committed a GDPR offence. By general understanding IP addresses are under GDPR. You can get that via request headers. So, to be on the safe side, even anonymized analytics tracking is considered under GDPR
> Moreover, it's vaguely worded so we companies do not know if they have committed a GDPR offence.
Only if they are trying to skirt the law.
notice the part about how purposes cannot be bundled together. EU's own website does that till date.
> NOT needed to improve your website
When I say usage data, aggregated data about how many people bounced off my page, or how long it took for my webpage to load under different internet connections is absolutely needed for me to make sure every user that comes on the page is having a good enough experience. I may not save any info, but those numbers are definitely used in aggregate. if the bounce rate is too high, content is not useful for people i am reaching. If i cant know that, how does the webpage gets better. That is usage data. I do not care about who the person is, but I would want to know whether it was one person doing one action 100 times or 100 different people doing the same action. Makes a massive difference.
I've clicked 3 cookie banners today alone and its not even 2pm yet.
How many cookie banners have I clicked in my life so far? How many cookie banners can I expect to click over the remaining 40-50 years of my life?
The law is objectively bad.
No, the websites you visit are probably bad.
Which cookies did you have to accept/reject? What do they do? Why do the websites believe they must ask you to accept them?
Also, the law allow browsers to automatically accept/reject the cookies on your behalf (actually, the law does not care about which specific technology the websites use to collect and process personal data). You, as a user, can choose a browser/extension that rejects these cookies by default, except the necessary ones. I use https://addons.mozilla.org/en-US/android/addon/istilldontcar... and I haven't see a single cookie banner for years on desktop and mobile. I don't like cookies and I like the law.
(Also, if a lot of people did choose the 'everyone all the time' setting, that would arguably be a poor outcome, because it's unlikely that this is really what people want.)
The only alternative to that binary logic is cookie banners. So to be clear, you are advocating for cookie banners.
The reality is that the overwhelming majority of people do legitimately want option 1, which makes cookie banners redundant. The only reason that cookie banners exist is as a high pressure sales tactic to sell users into option 3.
So yeah, you can never compel a site designer to stop doing a thing without compelling them to stop do that thing. The only middle ground is a middle ground.
>The point is that you'd still get cookie banners even with option 1
The adtech will absolutely freak out and destroy any attempt to make such setting as soon as there's a risk of it working.
The law could have been written in such a way that we could use a browser setting and avoid incessent popups which irritate users and desensitise them to genuinely useful warnings.
Whatever the good intentions of EU lawmakers, they seem inept at technical legislation because they ALLOW companies to continue doing shady things, and rather than tackle it, the legislators create a law that merely annoys users.
as written elsewhere (since you obviously didn't read anything) your proposed solution would be just fine. But people opted out of impmenting it that way since it would yield less profit.
Also, if you feel certain, and a ready to defend in court, that practices you have on your website does not constitute tracking. Then you don't have to show the banner either.
Personally, I am much more pragmatic about these regulations - with good reason. I still have to hear about some small innocent company hit with a massive fine. Empirically speaking, it is mostly huge multinational companies with plenty of resources to manage these things down into details who have gotten fines after repeat offences.
All in all. If you assume malicious regulators, then it is going to be stressful to work in a market. From US influence, I also do understand the sentiment, though it is rarely mirrored with EU citizens who generally don't assume hostile regulation.
No they don't. But enforcement requires complaints, actions, and budgets. Remember that the EU has no police, it's down to national governments to enforce regulations.
Also, take fraud. There are plenty of laws against fraud in any country - and still it happens every day in one way or another. That's not because all fraud laws are bad, but because enforcement is complex and costly.
I don't think that's a specialization of EU lawmakers, particularly. A far as I can recall, laemakers started thinking about internet regulation around the turn of the millenium, and I didn't welcome the prospect; I assumed that regulation would favour state intelligence and police agencies, and would be drafted by adtech lobbyists. Why? Because I didn't think the civil servants who are supposed to draft these laws had the requisite competence.
Sometimes life really is is fact a zero sum game and you need to punish the offenders in order to protect the victims.
>Instead through incompetent government employees
Or greedy companies, one of the two...
Even worse, this thread is full of armchair lawyers that will confidently tell you there's no need for cookie banners in particular cases. Nevermind that there's hardly any case law about this and each country seems to interpret it differently. Any actual lawyer would tell you to slap it on there to stay protected.
I bet the number of cases of illegal implementations due to insufficient consent are vastly smaller than the blatantly illegal consent implementations(i.e. those that make it harder to reject consent than accept it). Companies clearly don't care about following the law anyway.
Presumably, lawyers err on the side of caution? That doesn't mean they're right.
I'm not talking just de-emphasising the reject option here, but cases where there is no reject option or it's buried beneath 2-3 more clicks.
...
Any actual lawyer would tell you
Assuming you're not yourself a lawyer, doesn't speculating about what an actual lawyer would say or do make you an armchair lawyer?
In my opinion the EU's big failure with GDPR has been slow and ineffective enforcement against blatantly illegal implementations.
0: https://news.ycombinator.com/item?id=39742989
Instead law is written in a technology neutral way. It is so neutral that it isn't even called "cookie law". It is called ePrivacy directive. It has only 5 times the mention of "cookie" as an example.
Reference: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A...
The law does not mandate websites to display a cookie banner. There are already "Do not track" settings in browsers. A website could choose to honor that setting and don't track you without ever showing you a cookie banner. But most don't.
They didn't do this before the regulation. It doesn't much matter whether a website could do better, they simply aren't going to do better unless forced to.
> A website could choose to honor that setting and don't track you without ever showing you a cookie banner. But most don't.
Exactly! Either fix the regulation to say they can't make UX worse or throw it away.
Yes, because they just tracked you and you didn't have a choice and didn't even know that they were tracking you probably.
You don't seem to understand what GDPR does. Very simply, it says: "Hey, if you run a website and want to store cookies in your visitors browsers that helps you track them, you need to ask them first if that's ok".
There are multiple paths websites could take:
1) Don't set tracking cookies -> No need to ask the visitor for consent
2) Honor "do not track" headers sent by browsers -> Only need to ask visitor for consent if the browser didn't set "do not track" header
3) Ask the visitors, but do it in a nice way that doesn't disrupt the whole browsing experience -> some examples are given in the blog post
There are a lot of browser extension that hide or click reject cookies for you, so you don't need to see 99% of all cookie banners. Have you tried using some of them?
There's no loophole. There's just limited enforcement. Most of the banners you see every day do not match the requirements at all.
This kind of behavior reminds me of the book: "Language vs. Reality: Why Language Is Good for Lawyers and Bad for Scientists" - Nick Enfield, Linguistic Anthropologist [1]
[1] https://mitpress.mit.edu/9780262548465/language-vs-reality/
We deal with similar issues developing and releasing software. Instead of not ever releasing software, or only writing perfect software that never has issues, we have a couple of options.
1) In critical life or death situations, spend a ton of time modeling all states of the system and program in a way that very strictly controls for these states, with a lot of testing. See NASA/JPL coding standards for critical systems.
2) For less critical situations, or those were modeling all states of the system are impractical, we release, observe, and iterate. Yes there will be edge cases, bugs, and loopholes. But we can observe them, iterate, and release updates.
I think case 1) is impractical for changes to large legal and economic frameworks in the real world given how many variables are at play. If we could model the entire economy and see how it would react to a given change, the world would be a very different place in lots of ways already.
A lot of politics seems to work against 2) and that hurts our ability to improve things. "I will pass a law that does X" and "I will repeal the law Y that is not working, see look at these loopholes!" are good political campaign statements.
"I will gather and analyze data on the operation of the current system and support an iterative change that intends to improve things, implement that change, and then observe the results to determine if future changes are needed" is hard to rally around either in campaigning or when actually doing the work of getting political support to pass law.
I think decent example of this in government, although far from perfect, is the feedback loop of the NTSB and FAA. The NTSB's job is to observe and report on failures of air safety, and the FAA's job is to apply those lessons to future air regulation. Of course there are many examples of this not working perfectly, but it's a more concrete feedback loop than most governmental action has.
More observation of the analysis of the impact of laws after they are passed, and follow-up iterations where we compare the expected and actual results and make updates, would probably result in a lot less gnashing of teeth over "bad government regulation" but I'm not sure how we get there politically.
It has even been implemented in Internet Explorer when it had 90%+ market share.
And then Google intentionally sent malformed P3P header to bypass user preferences in IE.
When Safari added a heuristic rejecting Google's 3rd party cookies, Google has found a technical workaround to bypass it (and has been fined for doing this).
When IE and P3P were totally dead, browsers have tried to give adtech the simplest to implement bare minimum setting - the DNT header. The adtech has completely ignored it.
There are trillion-dollar businesses relying on tracking, and they will do whatever they can to undermine any technology and lobby against any law that would harm their business.
Working for Lockheed Martin or RTX is a more moral choice than working in adtech IMO.
The number of unique visitors is a very useful metric (both in itself, and combined with the number of visits).
The EU has made it impossible to track this simple and harmless metric without inconveniencing all users with awful UX.
Under the GDPR / ePrivacy Directive, ANY user-based unique identifer used for advertising, analytics and tracking will trigger the need for consent.
---
General Data Protection Regulation (GDPR)
Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Article 6(1) outlines the lawfulness of processing and states that processing is only lawful if and to the extent that at least one of the following applies: "the data subject has given consent to the processing of his or her personal data for one or more specific purposes."
---
ePrivacy Directive (Directive 2002/58/EC)
Article 5(3) requires prior informed consent for the storage of or access to information stored on a user's device: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
The next level is to not store PII unless there's a specific reason in the user's interest (improving site quality doesn't count, logging in does). Therefore, you can see how many people visited a page, aggregates of device types etc. Just not anything that identifies an individual.
By not sending the data to third-parties, you already comply to most of the GDPR policies.
This ambiguity leads to companies implementing cookie warning popups based on a risk-averse interpretation of the law
There was the DNT header. Few sites acknowledge it (and thanks to those who do!), and when Microsoft went against spec by setting it default-on in their browser, advertisers whined that they can't see informed consent anymore and just shut down the whole initiative. Note: Microsoft is also in the advertising business, so if you're into that, that might be another angle for your favorite conspiracy theories.
Finally, there's consent-o-matic, available as browser extension for various browsers, and it lets you state your preferences. https://consentomatic.au.dk/ Would it have been better to integrate that into browsers properly? Sure. But the social and economical dynamics being what they are, this is probably the best we can get.
KingOfCoders/amazingcto, of course you are technically correct but Paul Graham wasn't talking about the letter of the law.
Instead, you have to interpret his complaint with the lens of game theory. I.e. The Law of Unintended Consequences that takes into account what companies actually do in response to laws instead of what we hope they will do.
Your blog post focused on good intentions of the law. PG's tweet focused on actual outcome.
Unfortunately a non-negligible number of people in tech also have libertarian leanings, with a default “gubmint bad!” position, which makes them easy prey for adtech propaganda.
Why is this unfortunate? Because you don't agree with us? The "they would agree with me if they were smarter" trope is tired and gets us nowhere.
GP answered your question, for some reason you decided to cut the quote right before the answer. Here is the part that is missing from your quote which answers your question: '[...]with a default “gubmint bad!” position'
> The "they would agree with me if they were smarter" trope is tired and gets us nowhere.
I say that’s unfortunate
Personally, I find it very very strange that many of the people who call for regulation as a remedy to perverse incentives manifest in commercial markets seem unwilling to recognize the existence of even more perverse incentives in the political realm. If people seeking profit sometimes do bad things to get it, why would people seeking political power be expected to behave differently?
Bad laws boost libertarianism.
At least until you realise what they're doing, then you think they're skeevy corporate toadies with no morals.
Good regulation is regulation that has good outcomes. If a law has bad outcomes it is a bad law. You can separately complain about what companies are doing but that doesn't change the fact that it's a bad law.
It is of course debatable whether GDPR as a whole has bad outcomes, but if we're talking about cookie banners in isolation then it certainly does.
You don't seem to explain what the role of corporations is or what a good corporation looks like. If these things are not symmetric, you need to finish your explanation of why or how they aren't.
Corporations and the whole of property rights only exist because of government protection, so it would be pretty audacious--in my opinion--to assert that corporations have no duty to behave to the benefit of society. I'm not saying that's your claim, but I'm curious as to how close you're willing to get to that claim...
In my opinion it is not audacious at all to reject the idea that corporations should intentionally pursue societal goals or claim to act out of a sense of duty.
Of course we want the effect of what corporations do to be of net benefit to society as a whole. But this cannot be based on their intentions or sense of duty. It has to be based on the systemic effects of them pursuing their own (possibly enlightened) self interest within the framework of the law.
It is for governments to make sure that these effects are beneficial and to intervene when they are not. So the asymmetry I see is that capitalism is a tool of society, not the other way around.
I still find it somewhat silly to reject the idea that a corporation (run by human beings) shouldn't intentionally be evil for the sake of maximizing profit, but I do understand that this is a fairly common Friedman-esque point of view.
But, even so, I guess "duty" was the wrong word for me to use. I more meant that if a corporation does NOT benefit society, we should expect the corporation to stop existing. So, in that sense, there's a "duty" (existential requirement) to benefit society.
> Of course we want the effect of what corporations do to be of net benefit to society as a whole. But this cannot be based on their intentions or sense of duty. It has to be based on the systemic effects of them pursuing their own (possibly enlightened) self interest within the framework of the law. > > It is for governments to make sure that these effects are beneficial and to intervene when they are not. So the asymmetry I see is that capitalism is a tool of society, not the other way around.
I feel like you're circling back around to almost disagree with yourself. Several comments back in this thread someone made a point about "unintended consequences" of the law and applying "game theory" logic to it, and another commenter replied that the companies in question could also have seen the law coming if they misbehaved too badly. That commenter asked if the "game theory" logic shouldn't go both ways, and that we should then blame the corporations for the regulation because the government is just doing what governments do.
You replied that the argument does NOT go both ways because the roles of government and corporations are not symmetric.
But, what you're arguing here seems to be consistent with the view that the "unintended consequences" and "game theory" logic DOES go both ways. You acknowledge that it is a government's duty to intervene when corporations are not benefiting society, and you also say that corporations will pursue their own self-interest within the framework of the law.
I don't mean to put words in your mouth, but the only way I can resolve this asymmetry in my mind is to have a framework where corporations doing things that are bad for society is okay, because the government is supposed to stop them; but if the government is unable to fully stop them from being bad, then it's STILL not the corporation's fault, but the government's...
It just sounds like we've gotten lost in the abstractions of corporations and governments. At the end of the day, these are decisions being made by fellow sentient human beings, and if a corporation's humans make some evil decision, I refuse to let them off the hook with "well, free markets" and "they have no choice but to maximize profits".
On a very general level, the idea is that not every part of a complex system has to incorporate all the principles of the system as a whole. Individual parts of the system can have limited roles and responsibilities. That's fine and it has nothing to do with being evil.
Defense lawyers must defend their clients to the best of their ability whatever horrible things they may have done. Juries, judges, prosecutors, they all have their specific roles to play.
It's the justice system as a whole that should result in justice being done. If everyone involved tried to pursue their own interpretation of generally desirable societal outcomes, the justice system would be unfit for purpose.
And here's the asymmetry again. Those designing the system as a whole have to think about societal outcomes as part of their job (as does every citizen). Those acting in a specific defined role as part of the system can only do that in limited ways or under exceptional circumstances.
Corporations are run by people, but these people act in a limited role that is defined in such a way that pursuing specific societal outcomes does not necessarily boost the likelihood of their personal success or the success of the corporations they run.
If there is a conflict between certain societal outcomes and making a profit then those executives willing to prioritise profits will be the ones running the successful corporations. That's why it's so futile to bet on corporations acting against their self-interest in significant ways. They are systemically incapable of doing that (on average - exceptions are always possible).
That's why I'm saying that if we want to make corporations act in desirable ways, we have to make laws rather than appealing to the conscience of those running the corporations.
>I don't mean to put words in your mouth, but the only way I can resolve this asymmetry in my mind is to have a framework where corporations doing things that are bad for society is okay, because the government is supposed to stop them; but if the government is unable to fully stop them from being bad, then it's STILL not the corporation's fault, but the government's...
The question I'm asking is who can fix a particular issue, and if the issue isn't getting fixed then I'm assigning blame to those whose job it is to fix it.
Corporations collectively can't fix an issue when the only fix is not exploiting a particular economic opportunity. If one corporation stops exploiting the opportunity, another one will.
That said, of course I do blame corporations for stuff all the time. There's nothing wrong with that. Blaming them is sometimes effective consumer power. It can take away the economic opportunity as the reputational damage may outweight the benefits. Blame can also help build momentum for a change in the law.
But if laws are made and they have giant loopholes in them, then I blame lawmakers for doing a shoddy job.
The main problem with GDPR is the scale of non-compliance greatly exceeds the size of any reasonable enforcement capacity, at least until enforcement catches up.
It's more morally permissible for corporate decision makers to install a global surveillance complex than for civil servants to attempt to regulate it.
No, it's more transparent. Unlike cookie banners.
If only cookie banners protected the consumer, but shadow cookies work fine.
I don't know if this mini-competition between regulators and companies is truly zero-sum, there could be some way to get everyone something they want. But with the current regulation, it is zero-sum, and the companies are winning and the EU is losing. And the EU "works for you", so of course you can complain to them.
That's an overstatement of the purpose of the regulation IMO. The purpose is to give the user control over the tracking of their data.
* Transparency
* Accountability
* Proportionality
* Consistency
* Targeting
I'm not certain that the GDPR laws fail any of these. I'm guessing pg is getting at something more nebulous to do with how annoying the UX is as a result of the regulation, and whether it encourages civil engagement. But if he'd simply said "EU regulation has made UX annoying" then he wouldn't have such a snappy tweet.
[0] https://www.icaew.com/technical/trust-and-ethics/better-regu...
EDIT I googled some more and found a brochure from the National Audit Office titled "Principles of Effective Regulation": https://www.nao.org.uk/wp-content/uploads/2021/05/Principles...
It does have a statement in there:
> Good regulation maximises the benefits while minimising compliance costs and unintended consequences. The benefits of regulation can be both to wider society (such as improved environmental or safety standards) and to regulated (for example, through increased consumer confidence), but not all of the benefits are necessarily easy to quantify.
Put that way, I can get on board with what pg's saying.
The actual outcome is that they do want to track, and use adversarial patterns and malicious compliance to twist your arm and "force consent."
Paul Graham is still wrong.
No, you've inadvertently stated a contradiction. Your use of the word _"could"_ is literally a hope/wish/intention of the law.
In contrast, the actual outcome is that the companies didn't stop tracking. We _wish_ they would stop tracking. (I.e. "The companies _could_ just stop tracking us!") But that hope still doesn't change the observation of reality.
If companies act maliciously to contort around the law and force users back to making uninformed choices, it is the companies' fault and not the law's. Companies could have followed the interpretation of the law unobstrusively. But they didn't.
Invoking "reality," semanticking a position, do not make Graham's position justified. Neither does it make the blog wrong.
I'm a fan of second-order thinking and unintended consequences, so I'm with you there. How would you frame a "don't track people without consent" without unintended consequences?
The article tries to make the point (perhaps fails), that companies do this intentionally to get the "consent" of people against their will, therefor running the tight line of breaking the law without breaking it.
- no fines for non-compliance (or malicious compliance)
- no legal liability for data leaks of PPI
When businesses believe (correctly or incorrectly) that the benefit of tracking outweighs the cost (annoying users, regulatory noncompliance) they will do it. The fix is to make tracking too costly for businesses.
"The Biggest GDPR Fines of 2023"
1. Meta – €1.2 billion (Ireland)
2. Meta – €390 million (Ireland)
3. TikTok – €345 million (Ireland)
4. Criteo – €40 million (France)
5. TikTok – €14.5 million (UK)
6. Axpo Italia Spa – €10 million (Italy)
7. Tim S.p.A. – €7.6 million (Italy)
8. WhatsApp – €5.5 million (Ireland)
9. EOS Matrix – €5.5 million (Croatia)
10. Clearview AI – €5.2 million (France)
"GDPR fines are designed to make non-compliance around data security a costly mistake and they can be separated into two tiers. Less severe infringements can result in a fine of €10 million or 2% of a firm’s annual revenue from the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm’s annual revenue from the preceding year, depending on what is higher."
via https://www.eqs.com/compliance-blog/biggest-gdpr-fines/
You just copy-pasted a list of GDPR fines.
see: "8 companies that faced cookie consent fines"
https://www.cookieyes.com/blog/cookie-consent-fines/
"In January 2023, France’s data protection watchdog, CNIL, fined TikTok €5 million ($5.4 million) for making it difficult to refuse cookies on its website. The CNIL found that TikTok manipulated consent by discouraging users from rejecting cookies. They required multiple clicks to refuse cookies, but only one click to accept them. TikTok resolved the issue by adding a “Refuse all” button to its site."
This would have a different issue, specifically companies would no longer self-report data breaches, but it's just an idea. There are alternative approaches to getting to "don't track people without consent" that aren't a toothless stick by making it more expensive to track.
... the main cost at the moment. I think we as a society are very close to a tracking/data tax.
An idea could be that the tracking has to be opt-in AND the webpage cannot stop critical use of the page as part of the opt-in process.
Then another round of consequences.. rinse repeat...
Why would anyone opt-in? Tracking provides zero benefits to the site visitor.
Drop the consent requirement? I.e. just don't track people. No third-party cookies, first-party only, and only for the correct operation of the site.
It's not the cookies that people object to, it's the tracking. Tracking provides no benefits to visitors. If there were no tracking risk, there would be no need to require consent.
Sure it does. Visitors get to use all those great sites and apps without paying for the services directly.
I have yet to see any kind of meaningful study showing that tracking improves the ROI on advertising by anything remotely resembling enough to justify it.
Don't ask users what they want. Let me, denton-scratch, decide for all of them. Wow, what a brilliant idea!
That X button is right there at the top near the tab name. Not sure how a user could be forced against their will into staying on the site presenting them with a cookie banner.
Could we really have predicted from the "Law of Unintended Consequences" that companies would respond not by tracking less nor by giving people an easy way to opt out, but with a cookie consent popup that is not compliant and also really annoying to their visitors?
This is better explained by business operators being ignorant of the actual law and being ignorant of the UX impact.
Is there still tracking? Sure. But it's not so blatant anymore. There are hoops one needs to jump through. And that was the point - to make tracking a harder.
None of my projects have cookie banners. Why? Because I use a first party tracking system (Matomo), I anonymize all visits and I respect DNT. It's that easy.
It’s a combination of two things:
1) the law comes to the rest of the world from Europe. We (rest of the world) didn’t vote in the people who brought it. We’ve had quite enough of Europeans making rules for the rest of the world in the past few centuries thank you very much.
2) GDPR encodes an expectation that may or may not be common in the EU, but certainly isn’t common elsewhere. I don’t have any expectation of privacy when I walk in public or when I give any information at all to a business. My solution to this is: a) I wear pants outside, and b) I don’t give out private information. Whether the business ecosystem knows their age and purchasing patterns is largely immaterial to virtually everyone I’ve ever met.
And don’t show me a survey showing people don’t like it - if you prime people with the question, of course they will respond that way. They know their info is being gathered, and they just don’t think it’s as big a deal as GDPR would like it to be.
Now, point (2) is, unfortunately, in the same vein as smoking, pollution, seat belts etc. Uninformed people (uninformed because they have better things to do) are not protected from their lack of knowledge. They suffer the consequences just the same.
And while I agree that and informed person, making a self-destructive choice has (in most cases) the right to do so, there is something to be said about the very, very powerful exploiting the uninformed. And this is where GDPR comes into play. It's protecting normal people, from a very, very big threat, that is not that obvious and is being wielded by the powerful.
GDPR is one of those laws restraining western corporations from going full dystopian future on us all. I said restraining, to be honest, I think it's just slowing them down.
And as far as surveys go - it used to be the same here. Europeans didn't care and said exactly the same things (i.e. the famous "i didn't do anything wrong, so I have nothing to hide") and then activists worked for years to educate them that, at the very least, it's leading them to buy things at higher prices. Now most people are extremely sensitive to their data.
But different societies prefer a different balance here.
Americans are used to a more caveat emptor situation. Europeans want more regulation. Which one to choose is a political choice.
What's happening is that the political choice that the EU went with is being forced on the rest of us, whether we like it or not.
I'm personally glad someone is doing something for my privacy here. My own government, due to regulatory capture, is unlikely to act in my best interests here.
Because the EU is forcing you to do something that you want to do anyway, you now like it?
If you want cookie banner laws in your non-EU country, vote for it.
I don’t want some bureacrat I didn’t vote for issuing diktats that affect how I build my business and my websites.
The entire point is that we all need representatives in government.
The article elaborates on this point: There Is No Cookie Banner Law. Only bad website operators choosing to abuse their users with annoying consent dialogs.
Nobody in Europe is issuing "diktats", meaning citizen-supported legislation I guess, or affecting your business, unless you're trying to deal with their citizens' data. Just don't process EU citizen data and it's not an issue. Better yet, just don't track users.
In any case, your disagreement only serves to underscore that you were speaking on behalf of 1 person, not any country or countries. Otherwise, we wouldn't be disagreeing!
What I object to strenuously is someone dictating terms to the world from distant shores, especially since they seem not to get how the internet works (it’s all funded by ads, online sales, and ads for online sales, all of which involve metrics and tracking!)
The diktats I mentioned include a ruling that Google Fonts are illegal now. So if I’m using those, or I’m using Google Analytics, and a European happens across my site, I’m now a criminal? Fuck that.
The consequences of contravening the GDPR are uncertain but sounds scary. This is terrible for the open and free internet.
To the point: Nobody in Europe is "dictating terms to the world", or "issuing diktats", meaning passing citizen-supported legislation I guess, or affecting your business, unless you're trying to deal with their citizens' data.
> The diktats I mentioned include a ruling that Google Fonts are illegal now. So if I’m using those, or I’m using Google Analytics, and a European happens across my site, I’m now a criminal?
No, because website operators have at least 4 more options:
1. Don't process EU citizen data (block them).
2. Don't track users, period (host the font on the site instead).
3. Don't track users until they log in (convert them).
4. Get users' informed consent (let them know that they'll be tracked on the site due to the choice of google fonts instead of hosting a font).
Wow, that wasn't scary at all! The general attitude I'm getting from some folks, though, is that they want to do anything they want to users without consequence and never change. This attitude is going lead to a lot of anguish. Others have rights, too, and they override our right to do whatever we want to them, in many cases.
> 1. Don't process EU citizen data (block them).
Many webmasters have neither the time nor inclination to read up on EU law. So blocking is the easiest and safest solution to minimize our legal risks. This is absolutely terrible - I grew up dreaming of an internet that is really humanity's network; not islands separated by political allegiance.
I agree that I can tone it down, but 99.99% of the FUD around is directly the fault of the EU for not making it crystal clear what the theory and practice around their internet laws will be.
Did website operators think they could keep violating the rights of EU citizens indefinitely? I mean, based on enforcement capacity, chances are most operators can, but it'd be good to stop. IMO, A network for humanity should prioritize humans and their rights, over tracking and ads, and the lack of respect for those rights is what I find terrible.
Real talk: if you have questions about the GDPR, ask them, and I'm sure the smart folks at HN will be able to help you find answers and overcome obstacles. You can build and not break laws, whether GDPR or ITAR, we can help. Nobody's saying it'll be zero work, but nobody's entitled to run a business doing whatever it wants with zero work, either, and shouldn't expect to.
The EU and the US and China disagree about what user rights are and what reasonable behaviour for a website is.
If one of those parties enforces their vision onto their traffic, it has a chilling effect - splittig the net into federations. By making GDPR super vague, the EU just makes everything worse, including for Europeans. If you disagree that the rules are vague, I'll refer you to the rest of this thread. Nobody knows what's being enforced or what the penalties are.
Real talk though, again: you say you personally feel the GDPR is vague. If you have questions about the GDPR, ask them, and I'm sure smart folks at HN will be able to help you find answers and overcome obstacles. You can build and not break laws, whether GDPR or ITAR, we can help. If you have troubles building, share them with us, let us advise you. Nobody's saying it'll be zero work, but nobody's entitled to run a business doing whatever it wants with zero work, either, and shouldn't expect to.
Really, PG's tweet has little to do with game theory or anything else. It is a first-world-problem whinge about having to click through cookie banners. Assessing the "actual outcome" of complex regulation and legislation is a task beyond the scope of a single tweet.
It might be useful for Graham to determine what claim he is trying to make in the first place. Is he rebutting a particular EU representative for boasting about how good they are at regulation? Or is the idea that the EU shouldn't have the audacity to attempt to regulate in the first place?
Government can, and should, analyze likely (or unlikely) unintended consequences and use those to further shape the law, but at the end of the day, those consequences come from choices that people who are subject to the law make.
I think the big mistake the EU made is they probably thought: “Surely no company would choose to abuse their customers with horrible UI just because they don’t like the law and want to take their collective frustration out on their users!” The EU was obviously wrong about the extent to which companies would throw their users under the bus while maliciously complying.
But Volkswagen was very discreet about it, and when uncovered everybody was against them. Website are being obnoxious, instead, and people accuse the law. Go figure!
It's a stretch though. I prefer more obvious analogies.
It seems like a point dear to the author's heart, given the way he highlights this and puts it in bold at the top of the article.
But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.
It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.
Regardless of the answer here, the fact that there's still a debate about what basic functionality requires a cookie banner is really a testament to how bad this legislation is. How long has this been around, 20 years? And there's still widespread debate and lack of understanding as to what specific functionality requires a cookie banner?
No. It took effect in 2018.
Probably because they're not particularly technical people, and also because of the asymmetric incentives for them personally.
Tell someone to put a cookie banner up when they didn't need to: no consequences.
Tell someone not to put up a cookie banner up when they did need to: potentially big consequences for them and their career.
https://ec.europa.eu/justice/article-29/documentation/opinio...
This says that cookies for a shopping cart or user preferences are exempted from consent. The ICO and the CNIL say the same, as expected.
> consent is not required [for] cookies that are strictly necessary to provide an online service that the person explicitly requested. e.g. […] when your customers use a shopping basket
So shopping carts (user clicked to add to cart) and notification preferences (user clicked to indicate preference) don’t require consent. Same for authentication cookies.
The page is quite clear; the confusion likely arises from how companies implement it.
[0]: https://europa.eu/youreurope/business/dealing-with-customers...
If you really care about not annoying your users and don't intend to track them more than what's absolutely required for the service to work, then talk with your lawyers more. Of course, it is not free as it requires extra work, and it may carry some risk (which your lawyers should minimize) but it may be worth it, many people press the "back" button as soon as they see a cookie banner and try their luck elsewhere.
> A cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average user or subscriber. This suggests that cookies that match CRITERION A and B will likely be cookies that are set to expire when the browser session ends or even earlier. However, this is not always the case. For example, in the shopping basket scenario presented in the following section, a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant’s website in the following minutes. In other cases, the user may explicitly ask the service to remember some information from one session to another, which requires the use of persistent cookies to fulfil that purpose.
(Criterion A is cookies that are user “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” and criterion B is cookies that are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”).
If your shopping cart cookie has a lifetime longer than the "reasonable expectations of the average user or subscriber" you may need to obtain consent. That a sufficiently vague criteria that it may not be clear if your particular shopping cart cookie requires consent or not.
[1] https://ec.europa.eu/justice/article-29/documentation/opinio...
A tracking warning a login/sign up would be enough. No need to ask for cookie consent at every visit. It would just be part of the typical T&C.
> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice. Easily solved with a cookie that says "don't track". If cookie is set, don't track anything.
Please, read the basics about the law before disparaging criticisms, I constantly have to educate users on HN about this misrepresentation of GDPR and Cookie Law.
If it is crucial to provide the service or the service is explicitely requested by the user (i'd argue a shopping cart is), I think you don't need consent (see Article 5 of Directive 2002/58/EC).
It's not "you're not allowed to store anything about the visitor without their consent", it's "you're not allowed to track them across your site, or share that data with others, except if it's directly necessary to provide the service". That last part refers to session tokens, shopping carts, and yes, also to remembering the "no tracking" choice. If you ask a site to remember something (such as "no tracking plz" or "I want to buy this product" or "keep me logged in plz") then that's explicitly asking it to do something that in technical terms is tracking, but not in operational terms.
It's like, the EU makes a new law that makes it illegal to break into people's houses, and all the pedantic HN'ers start saying "but this is stupid! what if you lose your key? you need to be able to hire a locksmith to let you back in!". That's obviously not how the "no break-ins" laws work, and it's also not how the GDPR works wrt tracking.
If you break the GDPR, there's a fair set of warnings before you can actually get the kinds of humongous fines that the law is infamous for. This means to me, as an entrepreneur, that if I follow the intent of the law as best I can, then worst case scenario if we still get it wrong, then there's a big enough chance we're in the clear. And then if somehow we do get a warning from the local privacy authority, we learn and adjust. This is fine.
We don't need to be maximally pedantically safe. We just gotta not track people and then we don't need a cookie banner. It's great.
Not really - basic functionality like you describe does not require consent, AND any cookie specifying non-consent is in itself anonymous.
If you really make it anonymous, the downside then is that you have to keep asking the same visitor over and over again, each time they visit.
These are first-party cookies as they're served by the host domain, so they wouldn't need an opt-in under GDPR. Site owners should try to limit that to core functionality, like updating shopping cart state as you navigate from page to page.
> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.
That's not how it works. The cookie banner opt-in asks if you want to accept cookies aka tracking. If you say no, no cookies are downloaded, so the site has no idea that you have visited it. So the next time you arrive on the site, it will provided the popup again, as though it's your first time visiting.
There are extensions like “I don’t care about cookies” for this but also uBlock Origin has a list checkbox for it.