Cookie dialogs are the contemporary equivalent of popup ads, in terms of the annoyance to users. I'd love to find a browser that makes them go away, just like browsers blocked popups years ago.
And look at Apple; they pushed a change on the app store and their apps where privacy is now the default, and they do not bully and annoy you into accepting anyway.
Yes, the purpose of the law is to end the shady practice, which doesn't seem to be happening, and no one cares about the outcome. The popup seems to be just like a second ToS, which has existed on the web for years. If the law doesn't track its real-world effect or doesn't do an analysis of the benefit-to-annoyance ratio, yes, it's the law which is to be blamed.
Keep in mind too that I am not a citizen of an EU country. I have to put up with these dialogs and I get nothing in return. The upside for EU citizens is that they have a law to protect them. All I get is the downside.
Typically, if a company wishes to do business with EU residents they have to comply with the EU regulations. Many larger companies choose to incorporate somewhere in the EU to make this easier, or in some cases they will even incorporate in each country that they do business in.
This might be a shocker, but even American companies have to obey the local law of the country they operate in. Big tech runs offices, has infrastructure and profits from a huge market in those countries. All of this is leverage a country can use to enforce its law.
Or, if they wanted to go all out, they could issue EU-wide arrest warrants for top Google and Facebook executives, and start seizing their assets. I'm sure top execs at both companies have a bunch of holiday homes on the south coast of France they like to visit.
The vast majority of cookie popups are illegal.
Hopefully the EU will continue enforcing until people actually either implement them legally or realise the tracking isn't worth the cost.
GDPR applies to all tracking, not just cookies. My browser's settings don't, and can't.
In this case, compliance is in the law: albeit not perfect and with people trying to game it, you have to comply or be fined (if you do business in the EU).
EDIT: reference to DnT header https://wikipedia.org/wiki/Do_Not_Track
Would be much easier if there were a normalised DOM structure/wrapper for these cookie popups so an extension can be made to choose the preferred choice, with possible exceptions.
Between the cookie popups and a "sign up to our newsletter" as soon as your pointer leaves the viewport, they're a huge time suck.
I've seen some extensions advertised but unsure whether they're able to cater for all the variations of layout.
Keep in mind that a lot of websites, and technology in general, are basically copying from others. Google and Facebook are leaders in that area, and a lot of companies try to emulate them and follow their lead. Cargo cult? A bit.
If they don't want the fines, they could do what you and I do every day and follow the law.
But automating this wasn't intended by the GDPR. It specifically requires a reject all button and specifically bans an accept all button. Rejection has to always be easiest and the default; accepting has to be hard and slow.
Seems like a ton of websites are using the same cookie framework and they all do this. You get a pop up with a button to allow all, or a button to customize your preferences, and you have to go through a bunch of accordions and grey patterns to make sure everything but "essential" cookies are disabled.
One thing I'm slightly worried about is that they are not going to do the symmetric "accept"/"decline" all but actually make you click 3-4 times and accept/decline each cookie category (similar to how you have to refuse the Google one currently); that would be properly annoying.
But let's hope not! This will certainly improve the situation.
A website cannot "set a cookie" in the browser. The website can include a cookie that the user (agent) optionally can include in future requests. The user does not "accept" or "reject" cookies, but rather chooses to include them in future messages, or not.
Dark patterns should be suppressed, but balancing attention on all such patterns.
GDPR isn't complicated, it only sounds complicated if you want to find a loophole without breaking the law. If you just comply, it's super easy and simple to follow.
The same companies with cookies: "here's consent dialog, on every visit, multiple times"
It results in many Americans complaining about how difficult the regulation is to interpret, due to its lack of specificity (US regulation tends to be highly specific). But it makes it much harder for people to skirt the intent of the law, because the intent is written into the law and used as the benchmark to determine compliance. This approach does require a transition process so businesses and regulators can figure out how to meet the intent of the law in their specific situation, and create and implement guidelines. But over the long term it produces more flexible law that adapts to technical and social change better.
> This constitutes an infringement of Article 82 of the French Data Protection Act.
As we can see from Apple's changes recently, the vast majority of people do not agree to being tracked. The cookie banners bully people into allowing it anyway, because the opt-out is so convoluted.
I'm sure some part will go toward keeping the CNIL properly staffed (which is great), but where is the rest going?
It already is. Processing personal data requires a legitimate basis. Freely given consent is one of those, and the reason these companies are being fined is because "freely given" requires symmetry in accepting/rejecting. Without the symmetry, the companies had no legal basis for processing the data, so they got these fines.
It is harder to prove "evil things" in general, but the first step is preventing users from being coaxed into agreeing to "evil things" (or rather, making clear that this is illegal and will be punished).
Seriously, the people downvoting this should try it. It frees up your mind to think about things that actually matter.
It is that you create a small but real possibility of suffering from it in the future. Like getting a lottery ticket to win something like paying more for your flight, being denied insurance or a bank loan, being subjected to political manipulation, having your name published alongside your sexual preferences, or, to nicely round it up, being selected for participation in a governmental work camp. All of this did happen in the past, albeit not to everyone, of course.
If my government wants to put me in a work camp will Europe's cookie consent laws protect me? None of this makes sense.
Facebook made 6.5 billion dollars in Q1 2021 [1] in Europe, so maybe around 1-1.5 billion dollars.
[0] https://businessquant.com/google-revenue-by-region (Didn't find a better source or one that lists the revenue for France only)
[1] https://www.statista.com/statistics/223279/facebooks-quarter...
Edit: I tested the banners:
Facebook: "More Options" -> "Allow only essential cookies" (1 click more than necessary)
Google: "Anpassen" -> Switch off "Suchanpassung" -> Switch off "Youtube-Verlauf" -> Switch off "Personalisierte Werbung" -> "Bestätigen", and then there are 3 seconds of delay with a progress bar (4 clicks more than necessary + delay). This delay does not occur if I simply press "Accept all".
Your strategy for protesting the (totally sensible) EU law seems strange: "Let us openly break the law, let the EU announce that we broke the law, refuse to do anything about it, let the EU announce that they will fine us until we stop doing business in EU and then hope that the users take our side". Seriously, I'm interested in what PR message you intend to come up with that convinces users the EU is at fault for you mishandling people's data.
It's long overdue an update, but its intended replacement, the ePrivacy Regulation, is taking a while to be agreed by EU legislators. In the meantime we're stuck with out-of-date legislation that's applied and enforced without the benefit of the GDPR's "one stop shop" enforcement coordination rules; neither of these things is ideal!
These aren’t “rights”. There’s no confusion either. And people aren’t entitled to getting a service for free so they lost nothing.
> Consider how many lawyers are on payroll or retention at these companies who are aware of the requirements of the law, then consider that G/FB made a cynical, calculated decision to ignore it.
Irrelevant
1. Client asks for something that is a dark pattern.
2. I outline that it is morally questionable to do that and give a suggestion on how it can be done otherwise.
3. Client insists that they don’t care or don’t agree because they feel as it will bring in more money.
4. I end up building it.
I do have the choice to outright say no, but I’ve found that it normally comes down to a compromise. Some clients are not willing to budge but we can always steer them in the right direction.
I understand it’s hard to say no but it would perhaps be easier to say “we’ll build that but it’ll cost you 5x more because we would be taking a legal risk”.
Making the option to follow the regulation cheaper has to be the goal.
They might complain to their manager, even log a formal notice that they believe this feature to be breaking the law (if they are smart), but quitting a company for this specific dark pattern seems a bit unusual.
There's a lot of amoralistic attitude towards FAANG on Hacker News, which honestly I find strange; Google and Facebook in particular are just giant douchebags with lots of cash.
If I tell my boss that doing xyz is illegal and he doesn't dispute it, I'm absolutely certain he would not ask me to implement it.
Certainly there will be shittier bosses that will ask anyway, demand it, and perhaps even go so far as to fire someone for not violating the law, but I should hope those in the last category are few and far between and there would be internal and/or external outcry over it. Even if you have a boss that wants to fire you over it and nobody cares internally or externally (I'd find this situation very unlikely), you'd still get unemployment benefits / severance / whatever is typical in your jurisdiction, since you were fired rather than choosing to leave yourself.
I don't quite understand what you're trying to say. If you were asked to kill someone, clearly you wouldn't say "what are you supposed to do anyway" and go off to find a murder weapon since the answer there is rather obvious. What makes being asked to violate a different law different? (Assuming you find the request morally objectionable, I've probably violated laws that I thought were counterproductive for everyone.)
I think a lot of these dark patterns would be even darker but for the push-back by some developers. Though I've been at companies where some workers are like robots and will carry out management's desires down to a T, even when the idea is total insanity. Some workers are immigrants who cannot afford to lose their employment or they will be thrown out of the country and potentially lose their partner and children.
When I have to work on my own projects, I generally avoid all dark patterns - I try to go as far in the opposite direction as possible, while still generating revenue. Though, with the torrent site I built once, it was "Anything Goes". You're already running an illegal site, might as well write something that bleeds the users dry if you can.
EDIT: I want to add that most of it was down to lack of technical knowledge by management. They were business guys who didn't know the Web. Most of the time they weren't trying to be assholes, it just appeared that way.
- Only a tiny fraction of all web devs read HN
- If business wants something done, the devs are rarely in a position to oppose the decision
I think so. There are many devs who are against government regulating the web and will happily code around them. HN is pro regulation, so it's either keep quiet or get downvoted to hell.
The customer in this case was rather non-technical and just wanted his tracking, so he wanted to have it like everyone else does. I/We actually told him very clearly that this is most likely illegal and talked it down a notch (from having "reject" hidden in the text), but he said he had checked that with legal and we should do it. Losing the customer over this was really not worth it (especially since this is basically the way cookie dialogs are done everywhere), so we did what he asked, with our asses covered in case it backfires. I might send him this case, though.
On a side note, it was really hard to implement the cookie dialog correctly so that it only loads Google Analytics and our tracking when OK is clicked. We thought this was a solved problem, but nope. Especially when you want to delete cookies when consent is revoked. I would not be surprised at all if most dialogs actually don't work at all.
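The consent gating that the comment above describes, as an added example that is not the commenter's code: trackers are injected only for granted categories, the decision is persisted in a first-party cookie so the dialog is not shown on every visit, and a revocation expires the known tracking cookies on every parent domain they could have been set on (a cookie is only removed when Domain and Path match the original, which is the usual reason "delete on revoke" silently does nothing). The tracker catalogue, the placeholder GA measurement id, /static/tracking.js and the fakeDocument stand-in are all constructed for this example; _ga, _gid and _gat are Google Analytics' documented cookie names.

```javascript
'use strict';

// Categories a user can consent to, with the script each one unlocks and the
// cookies that script is known to write (so revocation can clear them).
// Constructed catalogue: the GA id is a placeholder, /static/tracking.js is a
// hypothetical first-party tracker.
const TRACKERS = {
  analytics: {
    src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER',
    cookies: ['_ga', '_gid', '_gat'],          // Google Analytics' cookie names
  },
  ours: { src: '/static/tracking.js', cookies: ['site_track'] },
};
const CONSENT_COOKIE = 'cookie_consent';       // first-party, strictly necessary
const injected = new Set();                    // script URLs already added to the page

function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Stored decision as {category: boolean}, or null when the user has not
// decided yet (only then should the dialog be rendered).
function readConsent(header) {
  const raw = parseCookies(header)[CONSENT_COOKIE];
  if (!raw) return null;
  const choice = {};
  for (const cat of Object.keys(TRACKERS)) choice[cat] = false;
  for (const kv of raw.split(',')) {
    const [cat, v] = kv.split('=');
    if (cat in TRACKERS) choice[cat] = v === '1';
  }
  return choice;
}

function consentCookieString(choice, maxAgeDays = 180) {
  const v = Object.keys(TRACKERS).map((c) => `${c}=${choice[c] ? 1 : 0}`).join(',');
  return `${CONSENT_COOKIE}=${encodeURIComponent(v)}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Third-party scripts usually set their cookies on a parent domain
// (".example.com" for www.example.com), so emit one expiry string per
// candidate domain; a non-matching one is a harmless no-op in the browser.
function expireCookieStrings(name, hostname) {
  const past = 'Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/';
  const out = [`${name}=; ${past}`];
  const labels = hostname.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    out.push(`${name}=; ${past}; Domain=${labels.slice(i).join('.')}`);
  }
  return out;
}

// Persist the decision, inject scripts for granted categories (once), and
// expire the cookies of refused ones. A script that already ran cannot be
// unloaded, so the page should be reloaded after a revocation.
function applyConsent(choice, doc, seen = injected) {
  doc.cookie = consentCookieString(choice);
  const result = { loaded: [], cleared: [] };
  for (const [cat, t] of Object.entries(TRACKERS)) {
    if (choice[cat]) {
      if (seen.has(t.src)) continue;
      const s = doc.createElement('script');
      s.async = true;
      s.src = t.src;
      doc.head.appendChild(s);
      seen.add(t.src);
      result.loaded.push(t.src);
    } else {
      for (const name of t.cookies) {
        for (const str of expireCookieStrings(name, doc.location.hostname)) doc.cookie = str;
        result.cleared.push(name);
      }
    }
  }
  return result;
}

// Page entry point: apply a stored decision, or return null to signal that
// the dialog must be shown (its buttons then call applyConsent).
function initConsent(doc, seen = injected) {
  const stored = readConsent(doc.cookie);
  return stored ? applyConsent(stored, doc, seen) : null;
}

// Stand-in for `document` so the gate can be exercised outside a browser
// (constructed for this example; it records what would have been written).
function fakeDocument(hostname, cookieHeader = '') {
  const d = { written: [], scripts: [], location: { hostname } };
  Object.defineProperty(d, 'cookie', {
    get: () => cookieHeader,
    set: (v) => { d.written.push(v); },
  });
  d.createElement = () => ({});
  d.head = { appendChild: (el) => d.scripts.push(el.src) };
  return d;
}

if (typeof document === 'undefined') {
  // Constructed cookie header: a stale GA cookie plus a session cookie.
  const doc = fakeDocument('www.example.com', '_ga=GA1.2.1.1; session=abc');
  console.log(applyConsent({ analytics: false, ours: true }, doc, new Set()));
  console.log(doc.written);
}
```

In a browser, call initConsent(document) on DOMContentLoaded and render the dialog only when it returns null; a "reject all" button calls applyConsent with every category false, and because the decision itself lives in a first-party cookie the dialog does not reappear on the next visit.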
Often what happens is that someone (hopefully you) will raise the issue internally, but if the company decided to ignore regulations and take the risk of legal punishment, well it's not an engineer that will be able to stop it from being implemented. Hopefully such fines will make product owners and upper management consider the problem more seriously, but I wouldn't bet on it.
I made a client side firewall-esque library for Transcend Consent Manager so that site owners can load trackers immediately and locally quarantine tracking events for replay once consented.
This makes it possible to track like before but move the annoying cookie banner into an integrated UI so that site owners can ask for consent when the user is more invested in the site (e.g. during signup/checkout).
Each of these people may have a different viewpoint on what they want to happen and why.
And they're thinking: "Yup, that's me. That's my handiwork, my impact on the world." And then they think: "But what can you do? R&V, R&V, R&V ..."
As in: rest & vest
These types of engineers will also build stupid stuff that doesn't work, because that's what the specification written by a group of business people who have never even looked at code before said.
It's also why frameworks like React are popular.
It's a bit sad, but each time you try to be nice and friendly, you get "raped" I feel, so well, might as well make some money off of some people to pay for when we get scammed ourselves.
The original saying (that I don’t necessarily agree with) is not about competence but about ethics: if every ethical person refuses to work in weapon manufacturing/ advertising / whatever is deemed morally unacceptable, then the only people that will do it are people with no morals and we will be worse off as a society.
So really, in this case the person just shutting up and doing it is already the worse fallback.
IMHO, as long as devs weren't trained on cookie law, they are not morally responsible.
If you want to block third party cookies you have always had a switch there in your browser options.
If 5 years after GDPR went into effect you still don't know what it is and why it exists, your company deserves to be sued into oblivion.
If that's not bad enough, having an "Accept all" button but requiring another click to have the option of refusing, then making us manually select each category to turn off, then confirming, is certainly not symmetric.
These large sites know exactly what they're doing. They're hoping people will become fed up enough to just accept, or they're hoping there'll be enough accidents where people click "Accept all". It's rather shitty.
No, not a single person has a legitimate interest in being subscribed to your 160 marketing companies. Even the people that "like ads" know this is just blanket stalking.
The number of those popup elements I have hidden using uBlock with right click is staggering.
Some websites introduce a vertical-scroll: hidden; rule on <body> that I often need to remove manually, or to introduce a CSS rule in ublock.
Reader view often helps a lot, but some websites, like Yahoo, make it so that reader view won't work (it will display the consent thing in reader view).
Some websites in France went another route: they ask users to accept cookies or to pay instead. It's crazy. It really shows data really, really matters to them.
Another gimmick: I had big troubles using the Mozilla Matrix server because of cookies, since I've set up Firefox to delete all cookies at shutdown, except those in a whitelist.
I have a bookmarklet saved that simply deletes fixed elements, making it faster and easier to get rid of those[0]. However I have noticed sites are starting to make their banners more akin to shrinkwrap agreements where they state that dismissing the popup or continuing to read without making a choice is equivalent to acceptance.
[0] What I find most interesting is how many websites become much more readable by this - I hate sites that use a good third of the screen real-estate for headers and footers, nevermind those awful menus that only appear on scroll-up and cover the top few lines of content.
This will not fly with GDPR (which is the whole point of the popup), as consent has to be explicit.
Thanks for articulating a feeling I hadn't managed to put a label on yet.
Is there some exception for 'meta services' like this? It's not the service/app itself, but is required if you want to read T.O.S. details, get help, etc for WhatsApp itself. Or should Facebook open their checkbook again?
/cookie-tracking/all/accept
/cookie-tracking/all/info
/cookie-tracking/essential/accept
/cookie-tracking/essential/info
Browsers could hook into these, or making a browser extension would be easy enough. As a bonus we might witness the first ever televised government bikeshed over API/naming/is it really REST though?
I didn't realize there was that delay, I thought the rule was supposed to be enforced years ago.
It might seem inefficient but generally this is the only sane way to roll out changes across a society. Having people coordinate and "change habits" (as deplorable as the present habits may be) is best done gently. Providing ample time and warning for people to find a good course forwards.
Even better, if you visit sites from a Danish IP, I noticed there often exists an actual "reject" button which doesn't appear when you use a Swedish IP.
AFAIK the different data protection agencies cooperate, meaning they can join in, and compliance means compliance in the whole union.
See: https://gdpr-info.eu/art-60-gdpr/
Point 10: "...the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union".
But I'm not a lawyer so I might be understanding that wrongly.
You don't see engineering firms ignoring safety regulations because they know the repercussions will destroy their business. Before that was the case (and in places where it still isn't the case) you see it all the time.
Expecting some random line-worker to stand up against changes that bring in this kind of money for the firm is just delusional.
1- Accept cookies and access the website.
2- Refuse cookies and pay 2€ per month to access the website.
How is that less hostile than having to click a few extra buttons?
- I don't have to tell you about tracking
- I'll tell you but assume you accept
- I'll ask you but make it extremely frustrating to opt-out
- (Hopefully soon-ish) I'll ask you and make it equally easy to opt-in and opt-out
It's enough money that they will probably employ / deploy a small army of lawyers to get them to reduce or dismiss the fine, or stall it for as long as possible. 150 million buys you a lot of lawyers' time.
How's that not an infringement?
Carrefour got a spicy +3M€ fine in November 2020.
You can find a non-exhaustive list here (FR) > https://www.nextinpact.com/recherche;q=cnil%20amende
Also, GDPR applies as long as the company runs a business in the EU. It doesn't matter where the company is originally from. They would be more than happy to fine the French entity if it made sense. Instead, they fine the Irish entity that performs social dumping. Not bad.
Carrefour has revenue of 80bn/year (Google has 68bn/year in Europe).
Very spicy indeed.
"The complainants argued that Carrefour (1) did not comply with their data access or erasure requests; (2) sent them direct marketing communications despite the fact that the complainants had objected to receiving those communications; or (3) in one case, did not allow the complainant to unsubscribe to marketing emails."
This all seems a lot worse to me than making one button harder to press than the other.
I wish they’d also go after one of the smaller fish that use a “cookie dialog provider” in default configuration. Effectively saying “if you think you can get away with buying this scam service you were wrong and the fine that could show up any day could end your business”.
While it's true they are a bit low compared to those companies' revenues, they are much higher than what we have been used to until now.
If I were to litter, the fine would be slightly annoying (maybe worth busting my ass to a proper trash can to avoid), but so would being in the news about it.
A better browser could just make cookies more visible. I should be able to configure what kind of cookies I save or don't. Oh wait, I can. It just takes an extension.
Anyway the cookie banners are a nuisance. Every site has their own banner but they all do the same thing. And I can do that thing by myself in the browser.
It would be nice to go back to that, but I strongly suspect that Google has no incentive to do that.
Every site should get to ask for cookie permissions only once - through the browser - (like with notifications or location), and the browser should remember the user’s preferences and never ask again.
Don't they all do that? Per-site cookie management in the browser has been around since IE6 if not earlier:
Instead of it being something the user has to manually find in settings and configure, the browser can show an unobtrusive prompt for the user to agree whenever a site tries to store a cookie for the first time.
There could also be changes to the cookie standard that allow specifying if a cookie is “essential”, so browsers can permit them by default, or “non-essential”, so the browser should prompt the user.
EU law very much is about cookies.
> ... the ePrivacy Directive (EPD) has become known as the “cookie law” since its most notable effect was the proliferation of cookie consent pop-ups after it was passed.
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> However, properly informing your users about the cookies your site is using and, when necessary, receiving their consent will keep your users happy and keep you GDPR-compliant.
We the people, through our democratic processes, have asked companies for transparency of their tracking process; the industry has decided as a whole to say fuck off and made the process as painful as possible.
Yes, the companies are evil/stupid villains on this case. Not everything needs bloody philosophy.
Discussion of this point at the time:
Right. We should just be able to set a blanket "No" in our browser preference tab, and be done.
All of these garbage cookie banners are just as noncompliant as ignoring that setting would be. You wouldn't have cookie banners to deal with, but at least clicking through those now supposedly results in less data being tracked.
Not devs.
That, and if there is a “reject all” button it is often only equivalent to flicking all the base check-boxes off, leaving their mirror “legitimate interest” options enabled. In fact, the “legitimate interest” checks irritate on their own: they basically say to me “we see your preference, but fuck you we still wanna”.
Agreed. The way the EU has handled this is naive at best.
> These large sites know exactly what they're doing. They're hoping people will become fed up enough to just accept, or they're hoping there'll be enough accidents where people click "Accept all". It's rather shitty.
Yes, and there need to be new regulations to prevent them from doing this. Something like:
(1) all web browsers should have a setting allowing users to accept or reject advertising/tracking cookies.
(2) this must default to not accepting them.
(3) in headers of http GET/POST requests, if the user allows advertising/tracking cookies, it should indicate this; if the user doesn't allow such cookies, it should be silent.
(4) all websites would be forbidden from using advertising/tracking cookies unless explicitly permitted.
(5) all websites and web browsers would be banned from nagging the user or giving them a worse user experience for not allowing advertising/tracking cookies.
(6) The spirit of these regulations is that users need do nothing and they will automatically have a tracking-free experience; any work-around by companies attempting to find a loophole in this is a violation of the regulations.
(7) Violation of any of the above would result in heavy fines; and if infractions continue, further crippling fines would be levied.
How so? The law is explicit that it should be just as easy to refuse the cookies as it is to accept them. Companies are ignoring the letter of the law anyway.
The EU could have started fining everybody and unleash hell at unseen levels. They would have ended up bankrupting companies and people who added google analytics or AdWords to their site in good faith, without understanding the privacy implications.
So the regulators initially notified companies and gave them time to implement whatever change they were required to. To this day, if they aren’t satisfied with the changes, they contact the company again, they don’t just issue fines. This happened to a company I used to work for, that initially just added a cookie banner, then was asked to make the “deny all” and “accept all” buttons of equal size and with equal accessibility.
After years of experiencing cookie popup hell, I’d say that a better way forward would be allowing users to configure their browsers to automatically communicate cookie preferences and consent, but regulators would have to work with the tech industry to make that happen.
And meanwhile companies will keep inventing workarounds like FLoC to track users without cookies.
We tried that once before. Advertisers joined the board investigating making the "Do Not Track" header have legal weight, as an apparent sign of good faith, and then murdered it with endless bureaucracy that went nowhere.
We're trying to again with the Global Privacy Control headers [0], and I fully expect the same thing to happen again.
Yes. I should only have to say once (or better still not at all) that I don't want to be tracked, and then it would automatically apply to everything.
> regulators would have to work with the tech industry to make that happen
"work with the tech industry" sounds a bit too much like the regulators think they get what they want, but the tech industry really get what they want.
Regulators need to be able to impose a solution on an unwilling tech industry, who'll never agree to it unless forced.
> And meanwhile companies will keep inventing workarounds like FLoC to track users without cookies.
Any such workarounds need to be explicitly made illegal.
So it's sensible to allow a per-website configuration. Arguably, it would be better that this is included in the browser (like DoNotTrack was) with a configurable default (refuse all/always ask/accept all... and "always ask" ticked out of the box) and a widget showing if the website is in accept all/refuse all and allowing to change it... a bit like the uBlock extension
All browsers already have a setting whether to accept third-party cookies. It's just a matter of changing its default value.
No it doesn't. Such cookie popups are illegal under GDPR. What credit should EU legislation take?
EU has been too slow in hitting these sites with fines though.
It's mostly the fault of companies trying everything possible to trick people into agreeing even if they don't want to, and shifting blame away.
Also GDPR is not technology specific, so it doesn't matter if the company tracks you using cookies or fingerprinting. (Though there are local predecessors of GDPR which are technology specific.)
The current consent dialog doesn't behave at all as you describe, I'm not sure if there were previous versions that behaved in a different way.
[1]: https://alexanderdunkel.com/iframe.php?url=https://stackover...
Refusing all cookies would of course cause a prompt on every visit, because that's what cookies are for.
>giant cookie popup takes up half the window
>figure out how to reject and close it
>another popup "allow this webshit to access your location"
>close it
>another popup "allow this webshit to send you notifications"
>close it
>another popup, allow this webshit to login using your google account
>close it
>another popup, autoplaying video, screeching into my ears at max volume
>scroll for 5 mins to find what i'm looking for buried deep at the bottom (and it's probably not even there)
The business model of generated content + algorithmic ads made the internet a worse place to find information/purchase products/etc. These sites crowd out small, specialist and hobbyist websites in search results and don't usually provide the content they advertise. They exist to earn microcents per impression and use any trick possible to look like a legitimate search result. It's these websites which are the worst offenders - opting out of tracking is drawn out and they prompt with every visit.
On the topic of cleaning up the crud: I also think search engines could play a better role here, as there are many sites that will turn up in just about any search request, despite not really having meaningful content (e.g. Pinterest, Amazon, etc.)
Otherwise, IMHO, the cookie prompts are a huge pain in the ass, and this should be dealt with client-side - eg., browsers silently accepting cookies, and wiping them on tab/window close, with a special button/toggle for that specific website, to save cookies for longer than that session (eg. if you want to log in or stay logged in). I know there are extensions that do this, but this should be the default in browsers everywhere.
Finally the regulators do something.
Well, not sure if that's fair. Until you accept at least the "strictly necessary" cookies, it makes sense that you get prompted the consent at every visit, since no cookies are saved.
EDIT: the reality is that it should actually be a "can we track you?" consent box. Sites using the word "cookie" instead of "tracking" in the consent banner/popup are using technobabble to confuse you into just clicking "ok". Users are not supposed to understand what it means.
It hurts me deeply that even programmers, who do understand what cookies are, have seen these misleading cookie banners so often that they think that's what GDPR prescribes. It's not; it's a lie.
Agreed about the fines though, but it is good to see that it will be 100k a day for non-compliance.
The article only mentions France though, is that excluding all other EU countries then?
Easy solution: uBlock Origin > eye dropper tool > highlight cookie div in lower left corner > click Create button
I agree that they're very annoying.
Anyone who actually worked on browser engines knew it was bullshit that the big internet advertisers (google, Facebook, etc) were using to deflect whichever privacy disaster was in the press at the time.
The rule required DNT not be enabled by default. It was optional for advertisers to follow it, and it was very clear that if there was any significant population that enabled DNT the advertisers would start ignoring it.
And they did. They went even further: they used the DNT state to track users.
Nothing like this on the client side has any value unless it is made illegal to ignore such flags, and that is actually enforced.
Google's ultimate move however is killing cookies, so they can push their own concept of a supercookie that only they will be able to access.
Hopefully every EU state fines these companies and continues to do so until they comply.
The nasty ones are the likes of Google's more recent interstitial, which you can't easily hide with a blocker even if you've chosen to disallow cookies through your browser settings anyway, and which also requires several clicks to turn everything off explicitly before continuing, and which then redirects to a link on a domain most ad blockers will intercept causing further hassle for the user to override.
I'd have some sympathy for sites being put in a difficult position if visitors have disabled cookies entirely because putting up some sort of prompt on every visit if they need one is probably then required to comply with the letter of the law. But there's really no need for the obnoxious many-clicks-to-clear-it things like Google is doing and I don't believe for a moment that they weren't fully aware of the implications when they made the change.
I'm sure the code they use to do this is throttled. It certainly seems to run more slowly than the "Accept All" option.
It should be illegal. Not accepting cookies is the default and should be a no-op. Accepting cookies is the one that should take a while, since only then do all the 3rd party scripts load in and do their thing.
Cookie banners should be made as annoying as possible so that people hate it and begin to protest that law.
This is exactly what the advertising industry wants: You are confusing GDPR requirements with advertisers' malicious interpretations. GDPR doesn't require annoying your users; advertisers have chosen to require that all on their own.
We need to stop calling them cookie pop ups as that’s a misnomer. You can use cookies. You can store site state, login sessions, shopping carts and much more without asking at all.
They are tracking consent popups.
However that said the cookie preferences "cookie" can be considered a strictly necessary cookie so that it can be used to remember your cookie choices. This is the UK's Information Commissioner's guidance on such cookies:
https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...
While this is an interesting question/argument, I'd argue that adding a cookie to represent that you have rejected all cookies might be considered an acceptable essential cookie, since it's expected you need to reject them all only once. See here for example:
Especially accepting tracking should NOT, under any circumstances, be automated.
To me, it sounds like the purpose of this suggestion:
> Browsers could hook into these or making a browser extension would be easy enough.
Is that browsers can dictate the UI and so you wouldn't have these dark patterns to fight on each individual website.
I don't know if this would be a good or a bad idea, because indeed I can see people making an extension at minimum and a browser (*cough*chrome) at worst that would allow accepting everything automatically (which would not be legally valid because the consent was not 'informed', but the site owners would have no way of knowing that). On the other hand, there is also the advantage of no dark pattern being possible at all if you implement the API correctly. I don't know. Either way, this is what I think GP meant to suggest.
GET /cookie-tracking/all/info
API call that GP suggested. Therefore, any DNT:"please track me baby one more time" values are legally invalid, because it could not possibly be an informed decision. You can choose not to voice objection with DNT, but you can not give consent using it, and that's what these cookie walls are asking for.
(If you have a legitimate interest, legal requirement, technical requirement, or other ground for processing data while the user does nothing more than browse your website, an up-front banner to ask for consent is never required.)
You could say that the law is failing because it opened the loopholes allowing businesses to choose to behave badly, externalising the decision making to users. If that's your opinion, can you be a bit more specific, so we can dig into that issue and explore solutions and objections?
That's why a lot of websites don't show those banners while however using cookies to store session tokens, user preferences...
But, yes, when you are browsing content without being logged in or without having the need to store something, the law forbids the website to send you cookies. Because they are not needed to execute the service, they are just there to track you. And even if you consider that tracking is necessary to monetize your content, well, in this case, you have to require the consent.
To me it's a totally legitimate law. It's easy not to deal with cookie popup : just respect your users and don't track them without notification.
As a user, you can rant about the law. Or you can just decide that a website enforcing you to accept cookies to read some junk content is totally missing to respect you as an individual.
You haven't understood the laws. It's not about cookies, it's about tracking and personal data. If you are annoyed with the popups, be annoyed with the companies' disregard for your privacy.
Why does every little site I visit ask for my consent to track me? The problem isn't the law, it's those stupid sites wanting to exploit users.
GDPR is a pretty simple law, if you want to collect personal data on people, you need to get their informed consent. Just like you need their informed consent to have sex with them.
How you get that consent is up to each company, but GDPR lays some pretty clear rules about what doesn’t count as informed consent. Such as creating flows or pop ups that encourage people to click accept button, or by trying to bundle multiple unrelated consents together under a single button. How you present that UI isn’t specified, you could use a cookie banner, or you could just respect Do No Track headers etc.
Equally the law doesn’t care if you use cookies, or local storage or anything else. It only cares if you're collecting personal data. Not how you’re collecting it. If you’re using cookies for legitimate reasons like enabling user sessions, no need for a banner, you’re not collecting personal data without consent.
Companies have chosen this hellscape of cookie banner etc in an attempt to skirt the law and avoid doing what they should be doing. Letting people use the internet without having their every click tracked and aggregated.
Thankfully we’re now starting to see more enforcement showing this type of bullshit won’t be tolerated. Soon people will start getting rid of cookie banner etc, once it becomes clear that they're a fig leaf that won’t protect them from legal repercussions, and that they’ll make more money by asking for consent nicely and not punishing people for refusing.
> The experience of browsing the web in Europe is shit due to all the popups asking you about [some technical thing that you can, indeed, control in your browser].
I just made this overview of when a cookie wall is required, hoping that it might help clear this up.
(Edit: for mobile https://pastebin.com/raw/gDn5AwuV )
+-------------------------------------+
| Do you store data about users which |
| are merely viewing pages?           |
+-------------------------------------+
   |   \      ________________________
  yes   `-no->|No cookie wall needed.|
   |          ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+---------------------------+
| Can this data be traced   |
| to an individual person?  |
+---------------------------+
   |   \      ________________________
  yes   `-no->|No cookie wall needed.|
   |          ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+------------------------------------+
| Are you legally required to do so? |
+------------------------------------+
   |   \       ________________________
  no    `-yes->|No cookie wall needed.|
   |           ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+--------------------------------------+
| Is it necessary, e.g. to make site   |
| features work that the user enabled? |
+--------------------------------------+
   |   \       ________________________
  no    `-yes->|No cookie wall needed.|
   |           ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+---------------------------------------+
| Is it to protect the user's vital     |
| interest, or are you a government and |
| the processing is necessary?          |
+---------------------------------------+
   |   \       ________________________
  no    `-yes->|No cookie wall needed.|
   |           ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+---------------------------------+
| Considering recital 47, do you  |
| have a legitimate interest?     |
+---------------------------------+
   |   \       ________________________
  no    `-yes->|No cookie wall needed.|
   |           ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+----------------------------------------+
| Then processing their personal data is |
| none of your business but you can ask  |
| for their permission ("consent").      |
+----------------------------------------+
       \       _________________________
        `----->|You need a cookie wall.|
               ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
What most people think when they see a GDPR banner: stupid law, politicians are stupid, "it's such a misunderstanding of regulators type of situation." Reality: website wants to do something that you don't want them to do, and now the websites are required to let you make an informed decision.
FAANG (and any VC funded company that touches ad revenue) is already selecting for developers who are willing to overlook these kinds of things. It's one of the reasons why they need to pay people so much more.
I whitelist the sites which I need cookies for.
In the spirit of the law, yes maybe it should be less about mechanism and more about policy. The law they got fined over was that "accepting tracking cookies should be as easy as refusing them". I do think it's possible to amend that to say _something_ like "both accepting and refusing should offer a simple program accessible mechanism to do so". Combined with the existing law, it would mean the mechanism/API can't be made arbitrarily difficult to reject but easy to accept. There will be room for debate here too, but it fundamentally is possible because the banners have to use such a mechanism.
People who run websites really should know what they're doing, at least in broad strokes.
> without understanding the privacy implications.
Regarding Adwords, maybe the EU could've just mandated Google to serve ads based only on the web page and not on the visitor? That would've allowed websites to continue with minimal disruption.
Google's profits might be a few billion less, but frankly I'd count that as a plus.
You can't just change a law and start issuing fines as if everybody was a criminal. You need to allow time for people to adapt, especially the guy who set up his personal site, installed Google Analytics because everybody used to do that, and forgot about it.
> Regarding Adwords, maybe the EU could've just mandated Google to serve ads based only on the web page and not on the visitor? That would've allowed websites to continue with minimal disruption.
That would be a ban of targeted ads, which I'm all for, but it's not what GDPR is about.
Paying 200M fines is nothing if it discourages competitors from innovating and creating the next Facebook, after all.
It's a bit like what happened with VATMOSS. It was meant to hit Amazon and force them to pay VAT in each customer's country and not just in Luxembourg - and it ended up complicating the life of small e-commerces so much that they all moved to sell on Amazon instead of running their own e-commerce.
Then the site has no memory of the user, displays another pop-up, and people complain about constant pop-ups.
In a sense, StackOverflow are giving users too much control over the cookies being set!
Same as a site that sends you spam, and one of the opt-out options includes ALL emails, including password reset, etc. Users get scared that they don't know what they will miss, and don't opt out.
It gives them plausible deniability for the wrong, while pretending to look good. The result is commonly as OP described - users eventually opting in.
But I don't believe it is innocent, nor do I believe that they somehow have convinced themselves that this is good for the user.
Perhaps I am just cynical, but I think that there exists reasonable doubt.
Not usually, but if you use session cookies to do tracking you still need consent for the tracking itself. You can set the session cookie by default, but before you do any extensive tracking (more than technically necessary) you still need a consent dialog.
Of course this is exactly how most websites use session cookies, but I've also seen server side tracking frameworks that abuse session cookies necessary for operation.
This is just wrong.
The Cookie Law (ePrivacy Directive of 2002 and 2009) is distinct from the GDPR. It really is a law against unconsented cookies: not just "tracking" ones but also anything that stores the user's preference: anything not "strictly necessary for the delivery of a service requested by the user".
That said, websites could certainly do a bit better here and give users a clear option of "I request a service delivered without the use of cookies, apart from the one necessary to remember this request".
[0]https://gdpr.eu/cookies/?cn-reloaded=1
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
You're saying that without obtaining consent, you can't store the cookie consent preference which is a ridiculous catch 22 explicitly rejected by the first link you shared (which states that the consent choice must be stored)
Also does it make sense for you that one region can make fines based on global revenue? Would it be OK if Iceland also gave companies fines based on global revenue rather than the revenue they have in Iceland?
Which is what the orange jumpsuits + baloney sandwiches are for. See my other recommendations in this thread.
Being fully compliant is very hard. Or requires lots of bribes or both.
Ads never were problem unlike GDPR.
You'd have to block requests to third parties. This is hard because it breaks most websites - all those that rely on cdns. You can wade through this with a script blocker like ublock origin and a whitelist but you don't really know what's happening unless you investigate each domain and script.
Even then you'd still be exposed to fingerprint tracking served through the original domain passing on to a third party at the back end.
Tracking isn't fixable with technological solutions alone.
It's been the default in Safari since day one.
It is necessary but insufficient, because otherwise tracking Safari users would never have been possible. Despite that WebKit has had to consistently devote engineering effort into making these privacy invasions impossible.
WebKit, and I think Firefox now?, had to do further work to isolate same domain cookies to specific contexts.
At the same time there is Chrome, aggressively pushing new features that often happen to add new tracking mechanisms.
Google and Facebook depend on invading user privacy, that is their primary source of income. If there is any way they can track you, they will use it.
The only solution is legal, coupled with actual enforcement.
Now, how severe is this? You're not a lawyer, you can bring it up, and the company lawyers (that are paid maybe more than you are) say they reviewed the spec and it's legal. What standing do you have, as a developer, to say "no it's not legal, I won't do it!". Do you really know better than the lawyers?
[edit]
> If you were asked to kill someone, clearly you wouldn't say "what are you supposed to do anyway" and go off to find a murder weapon since the answer there is rather obvious.
What if you were a soldier? Or a drone pilot? Is the answer still obvious?
I'd be very surprised if anyone thought this was clearly legal after reading the law. But yeah, that would be a valid answer to the question: legal team says it's legal. If something is legal, you cannot be prosecuted for it, and you can have some reasonable confidence in lawyers reading the law and providing legal counsel correctly.
However, you were saying "I have implemented things that are illegal. I objected against it in meetings", so I was more thinking from the scenario where everyone knows it's illegal but the dev is asked to do it anyway. Presumably not even explicitly, just implicit "we need this feature" without ever bringing up "and we know it's illegal, but if you want to keep your healthcare..."
I skimmed this [paper](https://epub.wu.ac.at/7523/1/HCIS2020_A%20Human-centric%20Pe...) which, among its main topic, argues the issue being intentional and ubiquitous, but I am unconvinced.
GDPR (which is basically all such acts from across EU in one legislation) has been around since 2016.
If in 2021 your company pretends not to understand the law, your company deserves to be sued into oblivion
some/most implement directives in cut and paste manner some don't.
It only shows how disrespectful almost all companies are by attempting to shape the end users opinion on this law by attacking them with dark patterns.
If France is now expecting companies to equalize the opt-in and the opt-out behavior, they're essentially attacking these dark patterns, which is very welcome by almost all end users.
I hope that there will come a point in time when I can go into the settings of my browser, tell it what the default behavior (answer) should be and possibly even express interests in certain ad categories to whitelist them, like "biking". It would be a granular "Do Not Track" option which must be respected by the website.
Sites: implement things that are actually illegal under the law
HN, en masse: the law is bad, how can you say it's good?
EU has been very slow in going after websites, but I do hope they pick up the pace.
How exactly did it overreach? Every country in Europe had data protection laws prior to GDPR. All these shitty sites ignored them.
So EU created a single law. If you want to sell people's data without their consent, go <expletive deleted>.
The US will eventually have similar laws as well (CCPA is one of them)
They are legally enforcing the reinventing of the wheel.
It could have been done at browser level, which would have been a relatively negligible cost of compliance.
See smartphone connectors where they will demand USB-C soon. When the news hit HN quite a few people were calling EU anti innovation.
This is a massive loophole that the likes of Google can drive a coach and horses through. Doing it per website means that in practice 99% of web users just press the "accept cookies" button without thinking.
Same with peddling with the web. They ruined the browsing experience for everyone and they're messing up with the market model of allowing people to sell their activity information in exchange for free stuff online.
The advertising model is what made the web possible. The more restrictions you apply to how websites finance themselves the more you constrain the web to be built by big actors with money and stifle innovation.
Can you expand on that? If you mean the GDPR, my reading is that it is unlawful to collect identifiable user data without informed consent. If a website does not collect data, then no problem. If a website wants to collect data, it must ask permission and give control to the user over the data. How the website implements this is not mandated.
what happens when xyz isn’t illegal?
I was specifically talking about the scenario where you're asked to do something illegal and immoral, and its illegality is not disputed by the boss or legal team or something.
When they get fined in France the basis is a French law. Probably a law to implement an EU directive. The cookies directive (don't remember the official name) is older than and different from GDPR.
Edit: I'm amazed this comment is being downvoted. Go read the CJEU's ruling in the Planet49 case if you disagree with me!
PS: You might be misinterpreting what the court said about "personal data" (aka Question 2). The crucial bit here is this
>That interpretation is borne out by recital 24 of Directive 2002/58, according to which any information stored in the terminal equipment of users of electronic communications networks are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. That protection applies to any information stored in such terminal equipment, regardless of whether or not it is personal data, and is intended, in particular, as is clear from that recital, to protect users from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
This just means that cookies containing personal data and cookies containing no personal data have to be handled the same. This still means essential cookies are still fine. It just means there is no difference between putting some static text, random string (which could be an identifier), or the user's home address (personal data) in a cookie. Planet49 tried to claim that their tracking ids were not personal data and therefore they do not need any consent, and they failed, that's all.
1- If I count page views on my site, no consent necessary.
2- If I count sessions on my site, no consent necessary.
3- If I count page views per sessions on my site, is consent necessary?
4- If I count return visits on my site, consent necessary?
5- if I remember what people bought on my site, consent necessary?
Related to 3 and 4, how long is a reasonable cookie expiration?
6- Am I looking at this issue the right way?
Thx.
First, you do not need consent for anything deemed essential to your site. Furthermore, you kind of get to say what is essential and what isn’t, as long as you can reasonably defend it.
For example a shopping cart is certainly essential. Previous purchases, page views, etc all essential.
“Page views per session”, most likely not essential (though you can make the argument they are), but if you’re not installing an identifier on the user to track them (for example, they’re signed in and you’re aggregating as such), then you don’t need to ask for consent.
If this sounds like there are loopholes that’s because there are loopholes. Concretely, tracking consent dialogs are one of the looser parts of GDPR.
So what I usually tell clients is: You do not need a consent dialog, unless you use a first or third party analytics library.
If you add a third party analytics library (google analytics, Facebook pixel, piwik, plausible, …), [edit: or third party ads, they come with their own tracking], do not load it until you’ve asked for consent.
Ask for consent once per account or per logged out device.
Give the option to accounts to revoke consent.
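The consent-gated loading the answer above recommends (never load the analytics library before consent, remember the choice once, let it be revoked), as an added example that is not code from this thread or from any project it mentions. The cookie name, lifetime and analytics URL are constructed placeholders, and treating a `DNT: 1` header as a standing objection is this example's own choice.

```javascript
// Added example (not from the thread): server-side gating of a third-party
// analytics script on a recorded consent choice. The consent cookie itself is
// first-party and only remembers the answer, so it is set without asking.
// All names and values below are constructed placeholders.

const CONSENT_COOKIE = "tracking_consent";                 // hypothetical name
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;                // 180 days, constructed
const ANALYTICS_SRC = "https://analytics.example/tracker.js"; // placeholder URL
const VALID_CHOICES = new Set(["accepted", "rejected"]);

// Parse a Cookie request header into a name -> value map.
// Malformed percent-encoding makes that one cookie unreadable; it is ignored,
// which the decision logic below treats as "no recorded choice".
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      /* bad encoding: skip this cookie */
    }
  }
  return out;
}

// Set-Cookie value that records the choice. Only the two explicit values are
// ever written, so a tampered or garbage cookie can never read as consent.
function consentSetCookie(choice) {
  if (!VALID_CHOICES.has(choice)) {
    throw new Error(`invalid consent choice: ${choice}`);
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; ` +
    "Path=/; Secure; HttpOnly; SameSite=Lax";
}

// Decide from the request alone whether analytics may load and whether the
// banner must be shown. Default is deny: a missing cookie, an unknown value,
// or DNT: 1 never count as consent. An explicit "accepted" click is an
// informed choice and wins over the DNT header; DNT: 1 with no recorded
// choice is honoured as an objection, so that user is not prompted either.
function decideTracking(cookieHeader, dntHeader) {
  const stored = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (stored === "accepted") return { loadAnalytics: true, showBanner: false };
  if (stored === "rejected") return { loadAnalytics: false, showBanner: false };
  if (dntHeader === "1") return { loadAnalytics: false, showBanner: false };
  return { loadAnalytics: false, showBanner: true };
}

// Banner markup: accepting and refusing are one click each and presented
// identically, with refusal listed first.
function bannerHtml() {
  return (
    '<form method="post" action="/consent">' +
    '<button name="choice" value="rejected">Reject analytics</button>' +
    '<button name="choice" value="accepted">Accept analytics</button>' +
    "</form>"
  );
}

// Handle one request. `formChoice` is the submitted button value on a POST
// to /consent, or "revoke" from account settings; null for a plain page view.
// Returns the Set-Cookie header, the script tags to emit, and the banner.
function handleRequest({ cookieHeader = "", dntHeader = null, formChoice = null }) {
  const response = { setCookie: null, scripts: [], banner: "" };
  if (formChoice !== null) {
    const choice = formChoice === "revoke" ? "rejected" : formChoice;
    if (!VALID_CHOICES.has(choice)) return { ...response, status: 400 };
    response.setCookie = consentSetCookie(choice);
    // Apply the new choice to this very response as well.
    cookieHeader = `${CONSENT_COOKIE}=${choice}`;
  }
  const decision = decideTracking(cookieHeader, dntHeader);
  if (decision.loadAnalytics) {
    response.scripts.push(`<script src="${ANALYTICS_SRC}"></script>`);
  }
  if (decision.showBanner) response.banner = bannerHtml();
  return { ...response, status: 200 };
}
```

A page view with no cookie yields the banner and no script; only a request carrying `tracking_consent=accepted` emits the tracker tag, and a "revoke" POST overwrites the cookie with `rejected`.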
GDPR might allow for this but other data protection laws might not. In the UK if you want to use an authentication cookie for any other purpose you're required to request permission[0]. Weirdly the guidance also states that consent is also required for persistent login cookies.
[0] https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...
While it has been nicknamed the "Cookie Law", the ePrivacy Directive is about trackers that contain PII (Personally Identifiable Information) and the reason some cookies exist.
On a high-level, the spirit of the law is:
- if the cookie is essential to the site, consent is not needed
- if the cookie doesn't contain PII / isn't used for tracking, it is not impacted by the law, and thus consent is not needed
Now several examples you detailed could be done server-side, without any tracking cookie, or with a cookie if the user is logged in (which implies accepting the website conditions and could be deemed essential). In those cases, no consent is needed. If on the other hand you use a tracking cookie, like a Google Analytics tracking cookie, yes consent is needed.
But generally speaking, you do not need a tracking consent banner unless you use tracking, directly or via 3rd parties.
If return counts are nothing more than "this user has visited the site before" and there is some benefit to the user (say, remembering their address or username) then I don't see why you'd need consent. This is in the legitimate interest of you and your user. This "legitimate interest" exception doesn't go as far as many of the nasty tracking companies pretend it does, though.
A history of purchases for an account is an obvious feature, but you need consent before you can use that data to generate a marketing strategy for example. So a cart history is perfectly fine, but training your recommendation algorithm in that needs consent.
You can use whatever you like to achieve the technical requirements for your site to operate from the user's perspective. Theoretically you could even use advanced device fingerprinting techniques without consent as long as the purpose isn't to gather data, but to serve an end goal.
As soon as you start aggregating data for your own benefit, you need explicit, optional consent from the user to use their data to your benefit.
Anonymised data can be used without consent, but good anonymisation is very very difficult to achieve. Data is considered PII if the data can be linked back to the individual user if you have a theoretical second database. Pseudonymisation, which is what most frameworks actually seem to do instead of anonymisation, is not enough to not need consent, because the data can easily be linked back to actual user data using a backup of your site database afterwards.
Tl;dr: as long as you use cookies and other features only to directly benefit the user, you need no consent. If the data you collect cannot possibly be connected to a user, you don't need consent. Based on my reading of the GDPR (not a lawyer but it was covered in an IT law class), that means 1: yes, 2: yes, 3: no, 4: possibly, 5: probably, 6: you've got the right idea.
You can find more details here: https://gdpr.eu/cookies/ You can also try reading the GDPR text itself, it's quite readable as far as legal documents go in my opinion.
Not when the only choices they present are to allow or disallow nonessential cookies.
Display ads aligned to content on the page and that's it.
Which is what Google promised us when it rolled out AdSense. That's why it's called "Ad" "Sense" — By crawling your page ahead of time, Google could "sense" what ads were appropriate to match the content.
But at some point, Google ditched content matching and went after people matching.
https://ec.europa.eu/info/law/law-topic/data-protection_en
> This site uses cookies to offer you a better browsing experience. Find out more on how we use cookies.
> Accept all cookies
> Accept only essential cookies
https://www.europarl.europa.eu
> Dear visitor, We use analytics cookies to offer you a better browsing experience. You have the choice to refuse or accept them.
> I refuse analytics cookies
> I accept analytics cookies
https://www.echr.coe.int has a small, non-intrusive banner at the bottom (good), but their cookie policy does say they “generate anonymous analytics such as the number of documents downloaded.” Hopefully that’s not per user — if so that’s pretty much best-practice.
But clearly there’s a lot of variation even among EU institutions in how they approach cookie prompts.
Cookie popups such as these wouldn’t be a problem if we had a handful of websites. But they’re not helpful on the modern web with tens or even hundreds of sites visited by nontechnical or simply busy / task-focused users every day.
Please have a look at the comment chain to get context about why I brought this up. The point is that the EU’s guidance around cookie popups is part of the problem today (I know they had good intentions though).
Yes. Yes, they should. No idea why you think that some EU institutions doing something incorrectly absolves everyone else.
Implicitly, I think signal11 is making this argument:
Prior assumption: You cannot read primary legislation and understand it correctly, unless you're a lawyer specialising in that area of law.
Instead, you should copy people who've probably received competent legal advice.
Observation: A great many websites, including those of EU government bodies, use cookie consent modals.
Conclusion: Cookie consent modals must be legal.
That's why a solution needs to be imposed on the industry. They won't agree to anything in good faith.
Tracking was imposed on end-users, not the tools/legislation that have had to emerge because of that.
somehow this particular industry can get away with standards and regulations that for any other industry would be the wildest dream of deregulatory heist
the "innovation" shtick has worn thin, it's time to clean up the mess
That was exactly what they were used for.
And then DNT was used to fingerprint users :(
Apple did that with their tracking preventer and something like 96% of people left it that way.
Off would be rare, and those people would be the ones who wanted to be tracked anyways.
If the site allows you to visit it, is it working incorrectly?
If a site works correctly, but would work even better with a cookie, is that cookie essential?
Obviously this isn't the way the lawmakers intended the law to be interpreted, but it is probably considered a valid interpretation of the law.
The banners are there for you to opt-in to your activity on the website and beyond to be tracked by a 3rd party, possibly across multiple other websites.
We do not need to discuss whether a cookie is essential, because it's a red herring. It's not about cookies, it's about behavioural tracking, it's about your browser activity being sent to 3rd parties, being collated and used to e.g. serve you advertisements to sell you shit.
The problem is that individuals and small businesses would rather interpret the law in a way that isn't going to get them in trouble, even if it is over-reaching. There has been a level of paranoia stirred up, caused by other companies interpreting the law badly.
It's like staying away from all bodies of water because someone sometime drowned while swimming in the sea. It's a vast overreaction, but it works.
In short, we have lots of armchair lawyers giving idiot-in-a-hurry interpretations, and everyone is doing it wrong because everyone is scared of doing it wrong.
It doesn't matter what the banners were intended for.
Thanks for clarifying.
Also, these are general guidelines and may not be compliant to 100%. But the clients I deal with do not usually need to worry about absolute compliance, otherwise they'd be hiring teams of actual lawyers, not me.
They provide a public dis-service and the world is better off without them.
Yes, there needs to be a new business model for monetising content.
Why don't we let users decide instead of letting a vocal minority dictate laws that ruin everyone's browsing experience?
No. The fact that the last letter in "GDPR" is not "D" is a pretty good hint that it's not a Directive ;)
It's a Regulation. Regulations apply directly, and are not translated into local law.
But omgitsabird is correct that GDPR is not the relevant basis here, but a clause in French Data Protection Law. And this clause exists because of the ePrivacy Directive.
I hadn't realised that regulations existed in this manner
https://en.wikipedia.org/wiki/Regulation_(European_Union)
so the EU regulations come into Law of all EU countries via "Article 288 of the Treaty on the Functioning of the European Union"
There is in fact case law which interprets the legislation and says explicit consent is required[1] but of course it doesn’t mandate modals.
However it does note[2] that
> That decision is unaffected by whether or not the *information stored or accessed on the user’s equipment is personal data*. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
This sets a fairly high bar for getting consent for any identifier-laden cookie. So I can understand why people choose to use modals as a risk-reduction approach, and why it has become accepted practice. If you do end up in court, it’s reasonable to expect courts to consider what established practice is while formulating their judgement.
However, I do fundamentally disagree with the notion that explicit consent at the time of first visit is a good model for ordinary internet users. It was a good first effort but regulators need to do better, and strengthen ways for users to effectively pre-set their consent preferences in advance, think ‘Do Not Track’ but with teeth.
[1] https://curia.europa.eu/juris/liste.jsf?num=C-673/17
[2] https://curia.europa.eu/jcms/upload/docs/application/pdf/201...
* Advertising companies are taking a loss, and are funding free websites out of the good of their hearts. (we know that this is not true)
* Advertising companies make a killing, but the money still somehow doesn't come from you, so it is somehow being taken from somewhere else, or the companies paying for the advertising are taking a huge loss.
* The money actually still comes from you, but most of it is going to the advertisers instead of the content that you actually want to support, and it comes from you in a roundabout way over a longer period of time so you don't even notice it.
In short, if the companies are getting the money to run their "free content" AND the advertising companies are making a big profit, where does the money actually come from? It has to come from somewhere, it isn't being printed and gifted to the advertising companies. There's only one place I can see that this money comes from, and that's the people being advertised to.
Why is anybody okay with being psychologically manipulated knowing that the benefits of the manipulation primarily come to the manipulators rather than the content that they like? And also knowing that the manipulation itself continually warps and corrupts the content as everything is being optimized toward pure "Engagement" rather than actual useful information? Wouldn't you rather pay directly for the thing that you like than be subtly manipulated into paying some weird third party longer down the line?
A vocal minority that gets paid a cushy upper middle class wage and can afford to “pay for every website view”.
Sub-processors are not allowed to sign data processing agreements.
So not that clear it would seem ...
If GDPR allows controllers to slip out of their obligations by using sub-contractors to firewall their legal responsibilities, then it would be useless as a data protection law. If you want to run a data processor that relies on byzantine structures in an attempt to create plausible deniability, then you’re gonna have a bad time.
Ultimately this is just a problem of dependency resolution, and conflicting dependency requirements, but it’s an unavoidable problem if you want to have truly accountable data controllers. Accountability is far more important than operational convenience. Remember GDPR exists to protect EU citizens, not businesses. It explicitly makes life hard for business, to ensure protection for citizens. Don’t like it, then leave, go exploit some other population.
Consent != Informed Consent. The medical community is very well aware of this, it’s time tech realised it as well.
And that's why it is.
Because it didn't take into account how companies work in practice.
A SaaS company has both individuals as well as organisation as customers and thus operates as a data controller and data processor.
Reality is that you can't ask each individual company to sign a document for each new subprocessor or data processing agreement modifications.
What on earth are you talking about? I’m making a fundamental statement about accountability: you can’t allow companies to outsource their data protection responsibilities, because history has shown time and time again that if you let companies outsource responsibilities, they’ll outsource it to someone who just ignores the law and provides a fig leaf to protect execs.
> Because it didn't take into account how companies work in practice.
The whole point of GDPR is to prevent shitty business practices, not enable them. How companies work in practice is most irrelevant, GDPR protects people, not companies.
> A SaaS company has both individuals as well as organisation as customers and thus operates as a data controller and data processor.
Yes, so what?
> Reality is that you can't ask each individual company to sign a document for each new subprocessor or data processing agreement modifications.
Yes you can. If your customer has given you explicit instructions on how they want their data processed, in the form of a data processing agreement, then you’re contractually bound to that agreement. You want to change it, then you need to ask all your customers. You can’t unilaterally just start doing something new with data you’ve been given because you feel like it. Otherwise what prevents you from just deciding that selling all the data your customers gave you is how you now handle their data?
I don’t know why you find this so difficult to understand. You’re not even taking issue with something unique to GDPR. Modern day slavery laws work in a similar manner, so does financial regulation, so does any contract where your customer gives you instructions, and you want to modify those instructions. Companies update their T&Cs and force customers to explicitly accept the new one all the time; this is not a new concept.
This was while working at a bank, where the level of scrutiny from financial regulators, privacy regulators, and customers with a bone to pick with us was sky high. It was a total pain in the arse dealing with data protection agreements, and vetting them (both the agreement, and company) to make sure they met the standards. But you can bet your bottom dollar we did it.
No, the solution is jail time for the founders and board members of these companies. Along with extremely harsh and vindictive confiscation of their assets.
And generous incentives for developers (such as the GP commenter) to snitch on these people for asking them to be knowingly complicit in their immoral activities.
It's about focusing on people with (1) the most leverage over the decision-making process and (2) perfect visibility into the consequences (legal and otherwise) of their actions.
That is -- when you're dealing with the mob, you don't go after the delivery boy. You go after the foot soldiers and kingpins.
There's potentially a lot of inherited DNA out there that could cause damage to society in the future.
I'm not sure that's the right thing here. You'd end up with some poor junior dev getting punished for what is essentially a decision by their boss.
"The client didn't want to pay for a GFI so it's not my fault he got electrocuted ¯\_(ツ)_/¯"
Modern weapons require cutting edge engineering. Going after web devs but leaving alone engineers who created literal death machines would be an interesting position.
Now, engineers could decide to make software engineering a real discipline by getting a regulatory body and start enforcing the title properly (but this is widely unpopular and as far as I know, not done anywhere).
Also, weapons manufacturing isn’t illegal, so I can’t see how there could be a case for going after anyone for it? We don’t have a morality and ethics police (at least not in most western countries)
That quickly turns into: the rich guy who will profit from the lawbreaking needs a scapegoat. Always more dignified to tell important people they're out of line by punishing their serfs, don't you know.
I don’t mean developer as in an individual contributor, I mean an implementor, often contractor, which will normally be a company too.
Right now it’s too easy to cut out a niche of selling snake oil services like “automatic cookie banners” with dark patterns and batteries included. Meanwhile companies are fooled by these companies into thinking that if they just pay the $ for their “compliance solution” they are done. Here is where I’d like to see the sellers of the snake oil take part of the responsibility and not just the buyers.
Unless, of course, they have some weasel note in the terms, which is far easier to do in the B2B space.
There will be room in prisons when they let people out who used <blink> tags 20 years ago…
The developer knew what s/he was doing. We're not talking jaywalking here--this person (!!) made it slightly more difficult to make a choice that most users don't understand or care about anyway! And the result is more targeted advertising! How can you stand idly by?
You sound like a Stalin (I came from an authoritarian country).
Imprisonment usually does an amusingly bad job at "teaching a lesson". If you want to "teach a lesson", then why not torture?
https://en.wikipedia.org/wiki/Slippery_slope
There's nothing "authoritarian" about imposing criminal penalties on those responsible for not just violations -- but as in this case, egregious, massive and intentional violations of consumer protection regulations. It's just how a civil society works.
The vast majority of users like free websites and do not feel like targeted advertising is a serious problem. This was true before GDPR and these silly cookie warnings, and it continues to be true. Likewise, implementing a cookie dialog that requires more clicks to opt out completely is not so morally questionable as to justify the discussion I had responded to.
Are they aware that this is when they stop complying, to the point that they could just as well have ignored buying the banner service and just shoved cookies on people quietly like they did before? Perhaps. It's possible that lawsuits could work here too. I'm (like you) guessing there is some fine print saying that you absolutely cannot use the switch that makes the "reject" button disappear under the mouse and have a delay of 60 seconds. And if you do then you are responsible yourself.
Just that about 99 percent of our resources should be focused on those with the most leverage over the situation.
However a large amount of dark patterns aren't legally forbidden anyway.
That's not how the world works. When she says no, they just find someone else.
That they don't have leverage over the decision-making process seems like a cop out.
No one said they have "no" leverage. Just that those at the executive level have infinitely more.
I never liked the "will find another" trope.
The Chinese, after the opium wars, simply executed dealers and users.
Very radical, but you bet dealers wouldn't just find the next user and vice versa
Imagine your own mother being subjected to this kind of thing. Wouldn't you want jail time for the perpetrator? Would you stop there?
You're not being subjected to some kind of torture; in fact, you are responsible for sending the HTTP request and executing it on your computer.