After consulting with a legal team they made it clear this was not the case. And for the next 2 years there was a lot of pain.
We had too many cookies that were important to UX and analytics. If you don't understand why, imagine trying to run a store but not being allowed to look at your customers. We were fine not chasing them into the parking lot with a Polaroid camera, but GDPR didn't make a distinction between really invasive tracking and "normal" un-creepy QOL cookies.
Before tools like OneTrust or Trustarc were available, it was also not even clear how you actually handle consent. TL;DR: you basically have to set a semi-anonymous cookie that tells you it's okay to load other cookies. But at the time it was not even clear if this was legal (since there is somewhat conflicting advice as to what could constitute PII in this situation).
To this day, we still deal with a lot of GDPR edge cases. Specifically what constitutes PII at a technical level when you are talking about session IDs, users IDs, or client addresses. It's still really tricky and we're always afraid the rug will be pulled out from under us. And even the most expensive lawyers will be experts in the law but need constant hand-holding through even the most basic technology.
(Data removal requests are another story - if people only knew, man)
The lesson I have learned:
- Anyone who says GDPR is simple has no real experience
- Do exactly what other companies are doing - do not try to stand out
- The only real winners were the lawyers
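The "semi-anonymous cookie that tells you it's okay to load other cookies" described in the comment above, worked through as an added example (not code from the original post or from any consent-management vendor). The cookie name, the two categories, the script catalogue and the 180-day lifetime are assumptions. The point a practitioner wants to see is the gating logic: the cookie carries only the decision (a policy version plus the allowed categories), a missing, malformed or stale cookie is treated as "nothing consented", and an explicit reject-all is distinguishable from "not yet asked" so the banner is not shown again.

```javascript
// Added example: consent cookie gating third-party script loading.
// Cookie name, categories, catalogue and lifetime are illustrative assumptions.

const CONSENT_COOKIE = 'consent';          // assumed cookie name
const CONSENT_VERSION = 1;                 // bump when the policy text changes: old consent becomes void
const CATEGORIES = ['analytics', 'marketing'];

// Scripts that need consent, keyed by category. Strictly necessary functionality
// (login, language choice) is never in this list: it needs no consent.
const SCRIPT_CATALOGUE = [
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// The cookie value is "<version>:<cat1>,<cat2>". No user id, no precise timestamp,
// nothing that identifies the visitor beyond the decision itself.
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return { version: CONSENT_VERSION, allowed: [], decided: false };
  const [ver, list = ''] = raw.split(':');
  if (Number(ver) !== CONSENT_VERSION) {
    // Stale policy version: the old answer does not count, ask again.
    return { version: CONSENT_VERSION, allowed: [], decided: false };
  }
  const allowed = list.split(',').filter((c) => CATEGORIES.includes(c));
  return { version: CONSENT_VERSION, allowed, decided: true };
}

function encodeConsent(allowed) {
  const clean = allowed.filter((c) => CATEGORIES.includes(c));
  return `${CONSENT_VERSION}:${clean.join(',')}`;
}

// Deny by default: a script is loaded only if its category was explicitly allowed.
function scriptsToLoad(consent, catalogue = SCRIPT_CATALOGUE) {
  return catalogue
    .filter((s) => consent.allowed.includes(s.category))
    .map((s) => s.src);
}

// Browser glue. Returns false when the banner still has to be shown.
function applyConsent(doc) {
  const consent = readConsent(doc.cookie);
  for (const src of scriptsToLoad(consent)) {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return consent.decided;
}

// Assumes the site is served over HTTPS (the Secure attribute is dropped otherwise).
function saveConsent(doc, allowed) {
  const value = encodeURIComponent(encodeConsent(allowed));
  doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

if (typeof document !== 'undefined' && !applyConsent(document)) {
  // Show the banner here; its buttons call saveConsent(document, choices)
  // followed by applyConsent(document).
}
```

Two things to check in your own implementation against this one: the "reject all" path writes `1:` (decided, nothing allowed) rather than deleting the cookie, otherwise the visitor is asked again on every page; and bumping `CONSENT_VERSION` is the only way old consent is invalidated, so do it whenever the list of categories or partners changes.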
Kind of a context-aware private browsing mode, I guess.
I don’t even use an adblocker normally, but the cookie banners are insanely annoying.
Yes, please fork http...EU, you can do that...I know it...
Until the GDPR a lot of this went on anyway, but totally invisible, now at least we have some idea of the magnitude of the problem and companies have an incentive to at least try to get it right. Not that many of them do. People that are categorically against government regulation tend to point at this and say 'see: that's what you get'. But they forget that in the relationship between companies and individuals it is the companies that on balance have the most power and there is ample evidence that this power then gets abused. Hence regulation. I'm all for tightening the rules another notch or two and adding a zero to the average fine. Because there is still a lot of room for improvement.
No, it's the EU that mandated those popups - an asinine solution to the tracking problem. The EU gets the blame.
Many websites seem to break this law.
As an EU citizen, I am actually somewhat delighted that our legislation that attempts to improve privacy is being successfully exported. But similarly to how I find the US exporting their legislation quite loathsome---at least at times---I understand your beef.
It's hard to dynamically figure out if you're an EU citizen or not via the browser. Hence, websites play it "safe" by showing it to pretty much the whole world.
Oh, the suffering of having to click "OK."
The popup repeating is definitely not due to EU legislation. You should only get it once and it should offer you the choice to accept all or reject all or optionally the complex choosing.
If it pops up every minute it is the website that is doing it wrong, sue them.
Same difference. Semantics.
> You could simply not track and then you wouldn't need consent.
Not all tracking is malicious. It's not going to disappear, hence the popups.
As I said, it's an asinine solution. It's as useless as the default browser nonsense. The EU seems to make one of these annoying blunders every decade or so, next one should be coming up.
That's simply not true.
The EU legislated solution is directly responsible for the popup spam. There were other alternate solutions that would not lead to popup spam.
Your site may not need a popup, but many more complex sites do, and not because they are doing nefarious things.
It's OK to admit the EU makes bonehead decisions sometimes.
When the EU regulation came up, I was shocked that a single article was being shared with 100+ "partners". I knew it was bad, but I didn't know it was that bad. At least now I get the choice to opt-out. Sidenote: Google got fined for that pop-up because it should have a "do not accept" option [1].
Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back. Do you want to blame the EU for not anticipating that companies would act maliciously? Sounds fair to me. But don't let the companies off the hook for acting maliciously!
[1] https://www.taylorwessing.com/en/insights-and-events/insight...
Whoever made the initial video must be a shill for the tracking companies because they didn't click on the 'do not accept' options, otherwise people would see how pervasive and thoroughly ridiculous the trackers are.
You're giving these companies much more credit than they deserve. They're just going through the motions in an attempt to avoid lawsuits, but clearly not even Google can get it right 100%.
Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity."
Having worked for a number of companies implementing these measures, there's no malicious intent, they are rolling their eyes the whole time. It's just a box they need to tick. Everyone wishes it would just go away.
Yes, I think we should clearly hold legislators accountable for unintended consequences. And I think it would be crazy not to.
If the law didn't have the desired effect, and makes everyone miserable, we should fix or amend it.
A simple page request results in almost a thousand requests being made to third parties, just to show you some bad ads.
[1] https://pagexray.fouanalytics.com/q/pathofexile.fandom.com?f...
This gets repeated a lot. However, even one of the pages on the official site of the EU has a cookie banner:
https://commission.europa.eu/index_en
Is the EU itself acting maliciously in putting up that cookie banner?
Then came GDPR and these retarded cookie banner companies decided to offer that as a service as well... Basically the same thing right? Well for many of the sites it is, because their goal is to find a way to do nothing, or as little as possible, they don't want things to change and here's someone offering them just that.
I hate it when people are blaming the EU for the nightmare that is consent popups. They aren't required, unless you're doing stupid shit. Companies love presenting this as: The EU is making us do this. NO, you want to track people online and the EU is simply asking for you to declare that.
It's truly amazing that companies don't see the problem with telling people that they care about their privacy, yet present them with a list of 600 "partners" with whom they share our data.
So yes, it's laziness, these sites don't want to change the way they deal with advertisers, because that would be slightly harder. It's also partly incompetence, there's an entire generation of ad people who don't know the first thing about advertising, they know Google Adwords and Facebook Ads.
https://duckduckgo.com/?q=i+still+don%27t+care+about+cookies
People will choose convenience over mostly everything else.
If companies DoNotTrack, they will have fewer people opting-in for tracking.
The design of these consent forms is often so obscure I end up in some menu system with too much information I didn't want, and no hotkeys to go back except leave the website.
The argument is transparent self-serving BS, though.
Unlike do-not-track to 1, as far as I know, it is never set to 0 by default. So it should represent actual consent.
Not the best for privacy, but at least, it would make the web less annoying.
It's google, facebook etc that are trying to shove these things down your throat, not the EU.
- most people are tracked on almost all websites by a small number of US megacorps (e.g. google analytics could probably reproduce complete browser histories for most Europeans, and most likely does for some intelligence agency)
- AND most people have their time wasted by consent banners
- AND small companies worry about compliance costs (my least favourite aspect of EU law is it doesn't understand the need to exclude small companies from complex requirements)
It's non-confrontational to a fault and therefore ineffective.
Most of this crap is the same everywhere, not just in the EU.
I find it interesting that, in the cookie case, people blame the EU for making the problem visible, rather than blaming the people who created the problem. The cookies are the horseburger, in this instance.
If they really wanted to do something successful they should've been more strict on the situation. "Accept or Decline front and center" "No tracking cookies without specific UNFORCED opt in" "No annoying popups"
Like I don't know what they added to my experience. I already knew cookies existed and what they were used for. I guess now I can at least opt out in some cases. But who knows what is classified as a "strictly necessary cookie" which is the lowest amount of cookie tracking you can get on most of those sites.
Strictly necessary means necessary to provide the service the user requested or comply with other laws. It is stricter than your suggested no tracking standard.
We literally use zero cookies (local storage, et al.) in our latest products. The user's state is entirely managed on the server, and we pass their session identifier forward through hidden form fields or URL query parameter as appropriate. The only way this works is to go all-in on SSR-style web applications. 100% of user interactions must be satisfied with boring-ass form get/post. The microsecond you start thinking about SPA or holding onto even the merest of boolean facts between page loads, the whole magic experience vanishes in an instant. That isn't to say you can't use javascript, but you certainly don't start with it.
Our initial reasoning for going to this extent was due to weird behavior around cookie lifetime we were seeing on iOS/safari devices as of iOS13. If you don't use any client-side state, other than what is loaded into the current window/document/URL, who could ever ruin your day? They'd literally have to cripple 100% of the internet to start causing trouble for our newest approach. Over time, it became obvious this style also provides a better user & development experience. For instance, I no longer have to put the Apple WWDC event on my work calendar in anticipation of a refactoring effort. Pending legislation is also something I do not worry about anymore.
I find it interesting that the most compliant web experience is also the easiest (aka most boring) to develop and also usually provides the best end user experience. To me, cookie banners ultimately seem to be a higher order consequence of splitting the product into front-end/back-end and farming out every possible consideration to a 3rd party.
The EU does its best to at least let you know what's happening. What I would like is for browsers out of the box to auto reject cookies and tracking behavior. But that is probably the reason all the prompts are not standardized.
I like it, and every time I will go through and reject all of them. If the extension doesn't catch them already.
There could be browser configuration for the cookie consent popup (accept, essential, reject all) that websites could follow but now - they prefer to be obnoxious about it hoping that everyone will click "allow" out of boredom (not to mention that at the beginning it was only visible option and reject was hidden, which was illegal)...
(I wouldn't lament the loss of invasive analytics, but the job losses would be saddening)
Ads, the Reddit popup, and bad cambridge.org design are experienced by non-EU users too
A more accurate title like "Sigh, this is what browsing the web looks like nowadays" would not have gotten you criticism
It's truly amazing that websites are so insanely difficult to just... read, these days. Ads that pop up covering the screen, videos (irrelevant to the article) which I scroll past, and which then suddenly decide to pin themselves to cover the top 1/3 of the screen and autoplay, along with ads covering the bottom 1/4 of the screen, while cookie reminders pop up and the page keeps jumping around because ads take so long to load... It's truly astonishing how bad of an experience I was missing out on.
Artifact is a pretty nice app, all in all, but the browsing experience without content blockers is so terrible that I just can't bring myself to use it anymore.
Sure, I know there's counter-examples, there are sites that do interesting things with personal data, even. But I know the vast, vast majority of sites that have these banners are not those sites, and I don't accept these corner cases as a fig leaf for this elephant (whose name is incompetence and greed) sitting on the couch, moaning about this law, since day one.
"this is what someone who considers themselves a webmaster, or even a web developer, writes nowadays (2021)"
We might have tried similar things if Europe was as dominant in American tech markets.
Web is already hostile enough nowadays with all the tracking, scams, abuses of consent and bad ux designed to sell shit nobody needs.
Edit: also, non targeted NON INTRUSIVE ads will do too. Or would have done. If the ad industry wouldn't have burned any shred of credibility they ever had.
I do question the incentive of a number of sites. Reddit technically don't need to track you, they know all they need to based on which subreddit you're currently on. It's mainly sites that have no context to your activities that really need the tracking to attempt to provide ads that makes sense. Maybe having these sites should be financed differently?
Consent-O-Matic helps a lot with not having to see this nonsense though.
Users have always been in control of whether they accept cookies. There have been settings in your browser since (at least) Netscape 3.0. It's only because of dumb EU laws that cookie control has been pushed up into "user space" with these idiotic banners that no one reads.
Besides, GDPR isn't about cookies, it's about what companies are allowed to do with your personal information. Functional cookies don't require consent, abuse of your personal data does.
Did Netscape 3.0 have per-site options to enable cookies and specifically allow/block third party cookies?
If so, that’s impressive.
Any other cookies are not "table stakes".
> The commonly seen method of using a checkbox and a simple information note such as “remember me (uses cookies)” next to the submit form would be an appropriate means of gaining consent therefore negating the need to apply an exemption in this case.
If it is 'table stakes', like "remember me" checkbox, you don't need a separate cookie banner
https://ec.europa.eu/justice/article-29/documentation/opinio... via https://law.stackexchange.com/questions/32152/gdpr-cookie-fo...
That's like hating a rock for rolling downhill. Regulation is the only way.
It's the same tired nonsense as when regulators try to tax a business that's already operating on thin margins and act surprised when the business passes the cost to their customers instead of eating it.
I'm not upset with the intent of what they were trying to do, which was noble; the upsetting thing is that it was patently obvious their hamfisted implementation would lead to this outcome, and they did it anyway, knowing they could count on people to deflect blame away from them.
It's not as if these companies are kicking in your door and violating your right to privacy. You're accessing their site with a device that is configured to transmit whatever you have it set to.
If you don't want cookies, disable cookies. If you want greater control, go and configure it yourself. Stop forcing your preferences on everyone.
The reality is that outside of a vocal contingent on HN, most people simply do not care. They won't pay a cent for their ad supported services. And I for one hate the endless consent popups and GDPR hoops I have to jump through. As an expat in London, I can't read many local news stories in the US because those sites simply block the traffic instead of trying to comply with a foreign law.
This is not how it works.
Me visiting a website does not mean I want that website to send my personal identifiers to hundreds of unknown (both to me and the website operator in question) third parties.
If website uses cookies just for legit purposes (e.g auth, language choice), then it doesn't need to show cookie consent.
Webmasters should get awareness on this or stop spying
Just ban tracking for advertising purposes entirely, or at the very least mandate that sites respect the do not track header and require browser manufacturers implement it as opt-in.
The cookie pop-up is a dumb law.
1. Ensure that you’re perfectly abiding by all “legit purposes” and be prepared to update your policies and software each time those change, at the risk of huge fines. Or,
2. Just put an annoying banner up and have no risk.
Which do you do?
Government created this problem. Yes, it was in response to bad behavior from industry, but that doesn’t absolve the bureaucrats from responsibility for the results of their “solution”. If someone lights your kitchen on fire and the fire department’s response is to burn down the entire house, there is plenty of blame to go around.
No, but let's blame them for coming up with an asinine 'solution' to that problem.
Speak for yourself. I never consent to marketing or analytical cookies. I appreciate the option to turn them off.
I agree with you that the non-compliant approach teaches a bad security practice to the general population. The fix is better enforcement of existing law, without a new law actually being needed except possibly a better procedure for more effective enforcement.
Unfortunately, achieving that is hard for political reasons. The EU’s politicians, and therefore the data protection authorities whom they oversee, care mostly about seeming to protect privacy, whatever the reality, and don’t want to deal with the economic + lobbying + PR + political donation + therefore electoral consequences of routinely taking proper and timely action. This is especially true for some of the most regulatorily captured data protection authorities in the EU, such as Ireland’s.
Is it the perfect system? No. Is it better than no system at all. I think so.
But big corps know what they wanted and do and lead the rest of the pack..
Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually
https://dl.acm.org/doi/abs/10.1145/3319535.3354212
Stop blaming the government for something private companies are doing to you. All the government did was require them to be honest about it.
Maybe the EU should be more aggressive with GDPR, and start fining these companies out of existence for not being 100% compliant. That would put a stop to the maze of dark patterns pretty quickly. Either every shitty company would go bankrupt overnight, or they would learn how to make very simple "yes cookies" and "no cookies" buttons.
False. Cookies aren't there only to maliciously track your actions and show ads. They solve lots of technical issues in various scenarios.
This is your typical premature compliance for a technically incompetent formalistic regulation. Better be safe than sorry - so that's why you see that stupid "this website uses cookies" on every other site that merely has a login form, a captcha, or a cdn - because of course it fucking does.
I've stopped quite some time ago, basically my collection of apps is set in stone once I configure a new phone. If something seismic happens in the real world I may add an app at an average rate of 1 app/year, and that's about it.
Not using apps is so cool, some crappy websites that don't support mobile firefox with ublock origin don't even get my time, the rest is well curated. Due to the reasons behind it I am more than fine clicking on consent popups, the way they are designed to get to the reject consent dialog tells you outright how moral/amoral the business is behind it. So this is actually a time-saving feature.
The thing is, life is short. No, it's darn short, ask any old person. Definitely too short to waste too much of it on regretful things like phones.
See, everybody (who matters) wins.
Marketing is a funnel. People who bother to download the app are heavier users of the site. Finding those users is the point.
> Cookie Pal includes the following features:
> Automatically and transparently accepts or rejects cookies from all or specified servers without user interaction.
> Cookies received from unspecified servers can be automatically accepted or rejected without user interaction, or the user can be asked for confirmation.
> "On the fly" adding of servers to the accept from and reject from lists, allows you to manually accept or reject a cookie the first time it is received and then have it automatically accepted or rejected every time it is received thereafter.
[0] https://web.archive.org/web/19971012223847/http://www.kburra...
[1] https://web.archive.org/web/20010331050614/http://www.kburra...
The more relevant aspect, I think, is that there's an essential/non-essential distinction in the law, which differs from 1st-party/3rd-party.
You'd want that to be the case, but in practice they do. Just look up how vague the definition of functional cookies is.
No one wants to risk insane fines.
If you don’t want fingerprinting, disable canvas, fonts, or JS entirely. My point is that you are downloading code and then executing it. You have control.
It is the website owner's fault when they choose not to turn that feature on.
(Leaving aside that sites should just not have these banners, which provides the best user experience. Just delete all the tracking and the banners along with it.)
All you need to do is not store cookies. That's it. It's not difficult at all. If you do want to cover your ass and use a consent dialog, there's a million options that are non-disruptive to your users and allow them to one click opt out.
The banners usually don't provide you with an all-or-nothing approach. Choice is usually between reject everything *except essential*, accept everything, or something in between.
That means the analysis for point 1 has been made. They know exactly which cookies need consent.
In fact, many of the websites that have these obnoxious cookie banners are NOT in compliance because don't offer a simple and unambiguous opt-out option.
These cookie banners and cookie popups are intentionally made to be maximally annoying. That's not good faith behavior by companies. That's malicious and an attempt to get consumers to blame regulators for breaking their browsing experience. The worst thing is that some people totally fall for it!
> Which do you do?
Given that 2 goes out of its way to violate the law and make your users miserable I would suggest 1. But that is just the opinion of a non lawyer.
For how many years can they pretend to be dumb and act like they don't know?
They just want to do shady stuff with the data, that's it.
If the "reject all" button isn't as easy to click as the "accept all" button, then the popup is illegal. The big players have all been forced into compliance, but there's a long tail of publishers who are chancing their arm on the assumption that the regulators don't have the resources to deal with everyone. That's probably a reasonable assumption in the short term, but the EU are playing the long game.
That's what they say, but even government websites do the same thing.
Anyway, my point wasn't so much about the pop up itself but rather that if you make it easy to reject, then everyone will reject. So what's the point of allowing it? It's like having a cashier asking everyone "would you like to get kicked in the balls?" with the hope that someone misunderstands, and then they get to kick them in the balls.
You should watch the video in the linked article. The options are accept all and "customize". I'd be willing to bet a lot of money that accepting is one click and rejecting is more than one
Random example from more than a decade ago: I worked at an online retailer, and we did a nice redesign of our cart page. Looked great, much more readable, but we started losing sales. Did people hate the redesign? It was certainly easier to use and navigate.
Our marketing guy looked at our analytics and saw that there was a massive drop in checkouts from users whose displays were set to 1024x768. He changed his resolution and, sure enough, the 'Checkout' button was something like four pixels below the bottom of the screen, if you were using Internet Explorer or Chrome and you had your browser maximized.
I get that analytics can seem creepy and gross, and stuff like that is 'none of [retailers'] business' to a lot of people, but without those analytics we would have had no idea why we lost those sales, and would have had to simply revert the redesign with no real opportunity to change it.
I'd expect a bit more from smart people who see very well what kind of society we are going full speed into, with no way out once in (if you don't consider going back to caves as a good option, I don't).
It's the very fabric of the whole society our kids will live in we are talking about here, nothing less. It's pretty clear what directions the biggest corporations are taking, they are not even trying to hide what's in plain sight. If we common folks don't at least attempt to stop it or steer it in another direction I am worried nobody else ever will.
I'd have sympathy for these people if they weren't also primarily responsible for the many darkpatterns, traps, and user-hostile aspects of modern interactivity.
That's not really my problem as a (viciously tracked) user. Now, is it?
Everyone thinks that but in practice most folks don't have a clue what they're looking at and just use the numbers as a crutch for whatever opinion they already had.
Of course, this problem isn't just a web analytics one.
Yes, but the cost of doing that through GA is that a single US megacorp outside EU jurisdiction can reconstruct most users entire browsing history for whatever US intelligence wants to do with it.
And at small small cost of privacy violations and spying on users.
If you want analytics, just get consent for be tracked.
[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DN...
Hint: buy the cheapest crappiest laptop you can find. Test your site on it.
You are clearly confusing the issue here.
No one cares for your smartass solution for the problem - it's obvious enough once you are aware of the problem itself. The issue is tracking the problem in the first place.
Hints like "oh you should have just been totally aware of it in the first place" are plain naive.
I'll believe that when they don't have a huge banner that's covering a fourth of the page.
But because one really big early internet player disrespected it [2] it became mostly useless.
> What is P3P?
> The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
> Why is P3P useful?
> P3P uses machine readable descriptions to describe the collection and use of data. Sites implementing such policies make their practices explicit and thus open them to public scrutiny. Browsers can help the user to understand those privacy practices with smart interfaces. Most importantly, Browsers can this way develop a predictable behavior when blocking content like cookies thus giving a real incentive to eCommerce sites to behave in a privacy friendly way. This avoids the current scattering of cookie-blocking behaviors based on individual heuristics imagined by the implementer of the blocking tool which will make the creation of stateful services on the web a pain because the state-retrieval will be unpredictable.
[2] https://support.google.com/accounts/answer/151657?hl=en
> P3P and Google's cookies
> In some situations, the cookies we use to secure and authenticate your Google Account and store your preferences may be served from a different domain than the website you're visiting. This may happen, for example, if you visit websites with Google +1 buttons.
> Some browsers require third party cookies to use the P3P protocol to state their privacy practices. However, the P3P protocol was not designed with situations like these in mind. As a result, we've inserted a link into our cookies that directs users to a page where they can learn more about the privacy practices associated with these cookies.
Requiring the opt-in to happen on the side creates an avenue to critique and dispute whether the website does the thing they say they do.