29 comments

[ 3.3 ms ] story [ 51.0 ms ] thread
Related: https://news.ycombinator.com/item?id=45667866

Personally, I find this a move in the wrong direction where hostile behavior by websites is normalized and hidden. Cookie banners show web site true colors. When someone asks me to share data with a thousand of "partners", I leave.

> Personally, I find this a move in the wrong direction where hostile behavior by websites is normalized and hidden. Cookie banners show web site true colors. When someone asks me to share data with a thousand of "partners", I leave.

I kind of agree, but at the same time basically all websites are using some kind of tracking to know what kind of users visit, and I'm tired of clicking "allow all" just to read an article. Many websites don't even work if you refuse non-essential trackers, because their tag manager is configured incorrectly, or because by law if there's even a single textbox where users can put their email or name, they need to have the consent to show that and allow input on it.

Having a browser default of "nope" with the option to whitelist a broken website would save a ton of time for people and machines the same, and also reduce website latency a lot. There's a nice website that "tracks" this cost: https://cookiecost.eu/

> all websites are using some kind of tracking to know what kind of users visit

Server side analytics exists, its the ad optimization and feeding data brokers which is the reason. You can disable cookies for google analytics (storage none).

This was the correct decision and could have been made a decade ago. An .. institutional deficiency was trying to make the GDPR as completely general as possible rather than doing a technology mandate. But this had two consequences: bad actors could circumvent it, and good actors just trying to comply ended up horribly confused (e.g. is logging an IP address in an Apache log "personal data"?).

DNT header. Legally binding. Out of the way of the end user. Unambiguous for enforcement purposes. Probably the end of targeted advertising, but that was always the logical conclusion of GDPR.

> This is not a real choice made by citizens

This is something which courts should consider more about other things, such as EULA and Terms and Conditions. Same reasons.

In the meantime, if you're browsing the web with uBlock Origin, you should definitely enable cookie list filters in Dashboard > Filter lists > Cookie Notices. Haven't seen a banner in ages.
yes. everyone install Cookie Auto Delete.

the problem is a plugin like that would take out entire industries because it would basically end anonymous tracking cookies.

An outcome I'm entirely fine with. Those industries are _not_ divinely entitled to fabulous wealth by violating one's privacy. I won't shed a tear if they don't survive once they are blocked from spying.
LOL the EC mandarins have finally had enough of the endless nagging!
Much like the current cookie banner shitshow, a "centrally configured" setting which "websites must respect" will accomplish nothing. There is no consent, informed or otherwise. Advertisers and their ilk are still hoovering up all the data they can, with or without cookies or consent.

Locking up a few people who don't respect their users' privacy would be a much more effective way of achieving actual results. AFAIK no big adtech or data brokers have been punished in any way.

Only thing that actually worked against advertisers is ad blocker. Everything else made them laugh.
Me telling you that I don't want to be tracked, no matter what your argument is, is as informed as it gets. You just don't like the answer so you feel entitled to ask again.
You can't lock people up if they're not doing anything illegal. The first step is to write a law making what they're doing illegal. Then if they keep doing it, you'll be able to lock them up.
> says the EU. “This will drastically simplify users’ online experience.”

They are proudly removing the annoyance they mandated 7 tears ago.

Do we have to congratulate them?

[dead]
IMO there isn't a cookie nightmare but rather a tracking nightmare. I'm not fully up-to-date on if there is a separate EU directive on cookies on the internet specifically, but the GDPR is the _General_ Data Protection Regulation. Meaning that if I go and collect your info on pen and paper, I must then ask your permission on how I process and share that data, especially if sharing that data is not necessary to complete the main transaction but is somehow done auxiliary to the main purpose. (e.g. I buy a pillow online, my info is used to target ads for me.)

GDPR itself doesn't require consent for functional cookies. For example, Apple.com does not have a cookie consent box _at all_.

On tracking specifically, I feel there are at least two levels. One that happens in-browser by third party companies. These are your classic advertisements. The other is more first-party backend-heavy. These would be your local grocery store using your purchase history linked to your membership card and using that data to create analytics and targeted ads etc.

So creating a browser setting would likely not toggle all tracking away, just the ones that are "annoying" while browsing.

"Europe's cookie nightmare" has nothing to do with Europe and everything to do with companies assuming that they have god-given right to all your data in perpetuity.

Things like "precise location information stored for 12 years": https://x.com/dmitriid/status/1817122117093056541

Europe literally said: we're not going to force specific tech decisions on you. All we ask is to let people opt-in if they want to be tracked. What we got is "we care about your privacy, we're sending all your data to 15000 partners" from the industry.

To people crying "but this should've been mandated as a browser setting": Which world's largest advertising company has dominating browser marketshare and subsumes all web standards committees? What exactly prevented that company to come up with a browser setting that isn't "we sell your data by default and use dark patterns to trick you to agree" https://x.com/dmitriid/status/1664682689591377923?

Our industry is shit, and we blame governments for regulations that ... assume that industries shouldn't be shit. There's literally no need for EU to regulate browser settings. And yet here we are.

Just ban individually targeted advertising and be done with it.
I like the cookie law as a sort of 4D chess move.

Step 1: force websites to add an opt-out flow for privacy-minded users.

Step 2: websites don't complain too much because they can implement it in obnoxious and dark-pattern-laden ways, so that few users actually opt-out.

Step 3: now that websites have proven there's no technical barrier and the flows are already implemented, slowly retire unnecessary user tracking and data sharing.

I'd be surprised if this was planned ahead of time, but it's not a bad strategy.

Users will overwhelmingly use browsers in vanilla config. The question here will be how browser vendors show this option. If - say - a company that gives away a browser for free but makes money from ads designed this, then they'll hide the option deep in some obscure menu, never remind people it exists, and reset it on every update.

So the devil is in the details. The best option I think isn't a secret setting in a browser, but a standardized consent dialog. Basically the sites communicate to the browser a standardized data format for consent. Then the browser shows that query in a popup that looks the same for every site. That means 1) the sites no longer have a chance to do dark patterns 2) it's less confusing for end users since the UX is always the same 3) it allows users to check a "Automatically reject for all sites". The site should not know whether the user has auto-rejected this, or manually rejected it. There should be no option to automatically consent for all sites (Can't have that). So the only ergonomic choice is to set it to auto reject.

Having this "use this choice (reject) for all sites" is the really important part here. Because it means that ALL users of ALL browsers will quickly see this choice, so in short order a huge chunk of users will have made this permanent rejection choice.

Here's my proposal:

* Let websites do whatever they want with cookies/local storage.

* Let browsers delete them as often as they want.

* Make other kinds of fingerprinting illegal.

We need clear, direct punishments based on %revenue for websites not taking "NO!" for an answer.

Don't fucking rush, you useless bureaucrats.

"A mix of European legislation has resulted in cookie notices that use dark patterns to nudge people into accepting online tracking. And regulators aren’t taking strong action"

Wired, 20/5/2020:

https://www.wired.com/story/gdpr-cookie-consent-eprivacy/

It wasn't a "Europe's" nightmare, it was website's nightmare. There is literally no legitimate reason to collect and store PII in excess of allowed by GDPR. No data harvesting - no cookie banners absolutely legally.
(comment deleted)