I am kind of frustrated by the widespread misunderstandings in this thread.
Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities. The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.
There is no doubt that the goals set by the law are sensible. It is also not evident that losing time over privacy is so horrible. In fact, when designing a law that enhances consumer rights through informed consent, it is inevitable that this imposes additional time spent on thinking, considering and acting.
It's the whole point, folks! You cannot have an informed case-by-case decision without spending time.
What I find funny about the whole thing is that the grand majority of companies with cookie banners are not implementing them correctly, and therefore are still in breach of the law.
I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given
Also see banners where there is only a big "OK" button, with no visible option to reject, this is also not compliant!
The whole law should have been forcing sites to not ignore DoNotTrack bworser settings. It's a prime example of the EU being utterly useless because they don't understand the underlying issue and then choose a "solution" that's as much in your face as possible but doesn't change anything about the original problem. It's the whole plastic straw thing in digital form.
If only those websites just didn't use cookies when 99% of them don't need them. Easy to display the cookie terror banner and blame the EU while you're using it for "analytics".
And the majority isn't even compliant, without a big disable button, instead hiding it through 10 different dark patterns in the cookie setting, where every misclick leads to accepting the whole array of spyware.
I don't think DNT settings were not considered – they were probably discarded as they hurt user privacy. Fingerprinting tools use the DNT setting as an extra flag to identify the user, so having it set to a non-default means you actually get tracked more, not less.
And possibly requiring browser vendors to implement Do Not Track in an accessible and user-friendly way. (Those whose business models are reliant on ads might need a firm nudge there.)
Its lazy engineering. Most sites dont need such functionality, but devs are either incompetent to rip it out of libraries they use, are stuck in web design patterns from 20 years ago themselves or its a simple business decision to trade user data. When was the last time you really needed cookies for your business and couldnt get around it with (usually better) tech?
Dont blame the system (nonideal but darn good to be in place, compared to literally rest of the world where humans have simply less rights), when its companies failing knowingly basic rules.
While I appreciate your workarounds, the issue is not fixed. Almost everyone is going to keep clicking these stupid banners. It’s not okay, it’s not fixed until the rules are adjusted and we have less tracking and’s less pointless banners.
So many pop-ups these days, for every little thing. Tracking. OS permissions. Browser permissions. Take a survey. Speak to our AI assistant. Do you agree to this. Donate. Sign up. Pay. So many clicks. Used to be viruses, but we have the same result with our complexity.
It's not complex. It's simple. It's greed. It's absolutely ridiculous that we as a species put up with all of this nonsense because we have a faulty foundational understanding of what is and should be normal. The brain rot that we've subjected ourselves to is absolutely ludicrous.
Do Not Track header? It's the silver bullet but the stakeholders will argue it is invalid and cannot possibly be used to inform the server that the client wishes not to be tracked
It’s not a tracking banner but a cookie banner and some applications have a legitimate need for cookies. They abuse what is legitimate, but you can’t ask regulators to check every site without a national (European?) white liste firewall (shouldn’t give them ideas…).
Also, most tracking used to use cookies but if that becomes illegal there’s others ways.
the same way that they interact with any other web page? which never need banners? You don't need a banner to opt in or out (or ignore).
By this I mean the law is what it is but the implementation is deliberately hurting the visitors in the hope that they will click "yeah sure whatever" to be let through to the content. The harm does not come from the legislation but is deliberately anti-user by the web site owner. (Fine, in some cases it might be out of the box and merely lazy.)
Filters are unreliable, it is better to have the cookies banners automatically filled out via Consent-O-Matic: https://consentomatic.au.dk/
Which works on Chrome, Firefox and iOS.
The best part is that you can actually specify your preferences, but globally for all websites. I actually prefer to have the functionality cookies enabled.
> Hop into your uBlock Origin settings and enable the Cookie Banner filters (and enable the Annoyances filters too, while you're in there). Fixed.
Except for the pesky sites that somehow disable (or rather "not enable") certain things until you've "answered" the banner. Can't remember what site I hit that on most recently, but I had to disable uBlock, reload the page, click "Deny", and then the video/element worked.
And by hitting that ”deny” button, you have ”consented” to hundreds if not thousands of data brokers around the world processing all your personal data gathered throughout your life across all your devices. They can now freely buy your data from other brokers to enrich their profile of you.
Should have unchecked those 973 legitimate interest checkboxes they hid under the ”affiliates” or ”vendors” or ”providers” or whatever.
Next, they will resell that profile to political campaigns, advertisers, law enforcement, private dicks and security providers, the military, foreign intelligence services and drug cartel hit squads, to name a few. You could buy it too! Or your friends, enemies, neighbors, colleagues, bosses…
If they're doing that after you clicked Deny, the government can come down hard on them. Sadly, only the government - individuals can't sue companies for GDPR violations.
Legitimate interest checkboxes are technically not asking for consent, they are considered informational. OneTrust popups are especially inflammatory in this regard.
Legitimate interest can absolutely be opted-out of:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Let’s team up the pissed off individuals and raid-sue one of the obviously abusing. One is nothing, but that could at least make more visibility of the borderline legality. And at best we win and go to the next one.
The most recent iOS (18) introduced a feature that lets you hide distracting things on the page. (Tap left side of the url field and select “Hide distracting items.” Then just tap what you want to remove and hit done.) I believe that they will stay hidden next time you visit the site.
Regardless, I use Hush and another blocker and it has still come in very handy several times already, so I thought others would want to know about it.
I just figured it out. You bookmark a normal website. Then you go to your bookmarks and edit the new entry you created; you can then change the URL to the javascript code. Finally, to activate the bookmarklet you have to tap on the address bar and then manually browse to the bookmark entry (it doesn’t work if you just type its name in the address bar and press Go, or if you select it from the suggestions list).
That's not true. On average any overhead in browsing performance introduced by ad blocking is compensated by the elimination of tracking and ads elements of the pages. It saves bandwidth and are better for UX. We can argue about business models but claiming it requires tremendous resources is not true.
And content-based ad blocking still works in chrome but in much more limited capability compared to superior browser like Firefox.
Switched to edge at work and Safari at home/mobile hasn't been a huge issue. Firefox is my secondary. Although I no longer do much web debugging, the switch from edge to chrome wasn't too painful.
If websites respected Do Not Track then things would be a lot easier. I think we need a right to be listened to. Right now it's enough online to insist on only accepting information in one particular way, like having a noreply email and making people login and submit since shitty web form to respond. Putting your hands over your ears and tape over your mail slot doesn't work in real life, it shouldn't work on the web either.
I agree with you 100%, but to be ideologically consistent, we should admit that websites have as much of a right to ignore Do Not Track as we have to ignore their tracking scripts.
Not if it comes from "consumer protection", as opposed to "your computer, your rules."
Treading down the latter too far leads into weird realms like "Hacking? I didn't make your computer do X, I simply sent it messages, it's your fault for not controlling its behavior."
"Rights" are sort of a hollow concept compared to how society ought to function and are just a crappy workaround our society's inability to resolve basic conflict.
Why should websites even be trusted with implementing these banners in the first place? Browser vendors should be responsible for implementing these controls per-origin. Give a little banner pop-up built into Chrome, Firefox, Safari, and the rest. Have it display every time a new site sets a cookie for the first time. Or have it reject every cookie by default, unless I whitelist a site. This would result in a consistent user-experience across the board, and I'd actually be able to trust that I'm not being tracked.
Instead, we are trusting the very websites we are blaming on tracking us in the most decietful, malicious ways possible to self-regulate and implement these controls. So now every website gets a shitty banner - on top of all the other annoying in-page banners and popups which are a staple of 2020s web design - that asks us if we want cookies. All these banners look different, are positioned differently on the page, appear at different times after the page is loaded, and function differently. So there's no consistency. And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies." How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?
So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industury does, except its worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.
So again, why isn't this the responsibility of browser vendors? Am I taking crazy pills? Am I going insane or is the world going insane?
Essentially because the people drafting the laws are ignorant about technology, and have a kind of weird snobbery towards it. They like the shiny, but don't try and engage them in a conversation about what actually makes it tick.
Knowing and caring how the plumbing actually works marks you out as a plumber, and sophisticated people don't concern themselves with those kind of details.
(Also various corruptions in the drafting process itself, of the sort which tend to arise when you have a mega-nation with competing interests and power blocs, but in this case it's mostly just ignorance.)
The title originally claimed 575M hours spent every year by Europeans on cookie banners. That's 12 seconds on average a day per person. Hardly anything to complain about.
The whole thing is a colossal waste too, it was a law written by people who don't understand tech for special interest groups who don't want to actually make things better.
If you don't want a website doing something on your computer, you start with the browser, not the website.
That's why they created DoNotTrack initially. Then browsers turned that on by default, ad revenue lowered, and sites/adcompanies decided to ignore it because it was turned on by default.
1. Do not track was not the browser deciding what to do (that would be a similar shape as Firefox multi-account containers and incognito mode). It was a machine-readable way to tell the site what to do; ie the same incorrect model as the click-through banners we have now, just non-interactive.
2. It was intended to be a way to communicate an actual intent from the user. Once it was set by default, it ceased to be an indicator of user intent.
> Once it was set by default, it ceased to be an indicator of user intent.
This presumes that it isn’t the default user position. There are three people on the planet who actually want ad tracking, and they’re welcome to go change the setting, but default off was the correct setting.
You shouldn't need any kind of law here. Consumers have 100% of the power as it stands in regards to browser tracking. The innovation should be in browsers and plugins, not donottrack flags or compliance laws.
Enforced by companies who are doing shady things with data in the most inconvenient way, rather than listening to DoNotTrack or https://globalprivacycontrol.org/
Because if they can say "hey look over there, regulation bad"; they can escape regulation if it is repealed
People blame the cookie banners themselves or the legislation that "made them necessary" but somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.
The "cookie banner problem" exists because it's primarily end users that are shouldering the burden of them, and not the companies. For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner. For everyone else, it's thousands of wasted seconds per year. Make the law hit companies where it hurts: their balance sheets.
They don't technically even need a banner per se, just respect the user's "do not track" browser setting, or put it in a settings screen, or don't use any 3rd party trackers.
But a lot of businesses assume they need to ask permission for placing any cookies, which is simply not correct. Local analytics tracking is fine, it's only when the user can be tracked across multiple separate websites that they need explicit permissions. And the user should not be annoyed into making that decision.
This seems like the best way to go. Companies should have to respect "do not track" and browsers should have to enforce it to the extent that it is technically possible. And "do not track" should be per-domain at least.
And I blame the EU for not making this the law. Just force everyone to adhere to the setting and be done with it. But no, instead we got this bullshit.
> never seem to blame the web companies for doing the naughty things on their websites
Part of the problem is that the law didn't seek to distinguish between tame first-party cookies and the really naughty third-party cookies so the burden is equal regardless of how malicious the service is.
> For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner.
This is actually not true. There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)
The elephant in the room is that almost no one wants to host website without at least some sort of website analytics service, which does not fall under legitimate use. So that's why even a small blog is going to have a cookie banner.
There are some analytics companies out there that advertise cookieless analytics, but they are either a) too simple for enterprise or b) a much, much worse privacy and compliance risk.
The other elephant is that while everyone has analytics, only one in five companies pays someone with an actual clue how to interpret them to look at them regularly, and only one in five of those companies has a decision making structure that allows them to act meaningfully in response to insights gained.
Even this can be done without a banner, as long as these analytics do not contain any way to link them to individuals/specific users
It's admittedly sound advice to create a banner for such a usecase however, as sanitizing all user data from these events is hard to guarantee, and you'd have to do just that to keep it legal
I keep seeing this misinformation going around, and it has been going around since almost day 1 of when the directive became known. I'm not sure where it's coming from, or who initially thought it worked like that, but judging by the comments in this submission it seems like a ton of people are very misinformed about how these things actually work.
> There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)
Isn't this industry for those, who want to share their website data automatically with 100+ partners? For others, who don't really share that much data with others, less relevant.
If you are just running a static websites, maybe. But if you are going to run a website with any services on it (video content, eCommerce, member management, etc) you are going to have partners. Establishing a browser session with every single one would be pretty onerous (and honestly much worse for privacy) so a first-party cookie is a pretty good compromise.
> Part of the problem is that the law didn't seek to distinguish between tame first-party tokens and the really naughty third-party tokens
Maybe I'm an outlier, but ideally I don't want them collecting any "tokens" without my consent. I don't care if they're first party or third party or birthday party. I should be able to browse web sites in peace without some company collecting anything. If the web site doesn't work exactly the way I'd expect because I did not provide that consent, then that's on me.
Well that's a thought everyone can identify with, but objectively
speaking, they're paying with their energy to build the website, and
paying their money to host it. Yet you would want to browse it for no
cost at all.
> you don't need a banner even of you do track users for anybody with DNT
This is not true. The specific text of the law requires that websites have to provide details about their cookies, and then document and store user preferences.
If you just honored the DNT, you would still be out of compliance.
> and there's now an industry dominated by a small handful of players (Osano vs OneTrust)
Because of that there are now neat categories of cookies / cookie purposes.
Would be nice if we could select one time in our browser “necessary cookies only”, and that would be communicated to every website visited, without the need for a banner. But that’s user friendly and that’s anathema to the modern web :)
Instead of requiring companies to put up a banner if they did certain tracking activities via cookies the law should have simply outright banned the tracking activities entirely.
All you can get this way is that you'll still have temporary cookies,
removed after closing the tab, you will still have the banner, but this
time the banner will popup each time you'll enter the website, because
there's no cookie that will tell the banner that it has already been
displayed.
I have it like this. But with that, I'm using a banner autoclicker. So
the company gets my data, although different each time I enter the
website, and I don't see any banners. Win/win?
How can the banners be necessary because of “naughty things” when the banners do absolutely nothing to mitigate those things in any way? All those things are still happening AND people have to waste time clicking useless banners.
This is it. This isn't the EU's fault and the post isn't quantifying the benefit of requiring explicit consent in these banners. It's all about efficiency and productivity as if it's all that matters in the world. It doesn't care about users' right to privacy or their right to control their own data.
I hope you'll be glad to know that this law already hits companies where it hurts, because many people will close the tab after the slightest annoyance.
I hope you're happy that this law already encourages people to stay within a few big websites (where they've already clicked away the cookie banner) and not explore anything new (where they'd have to click away a cookie banner every time).
Or, crazy idea, don't have invasive user-tracking cookies? Github doesn't even have a cookie banner and they're one of the largest websites on the planet.
After seeing websites pull shit like "legitimate interest" where they share data with 9 trillion of their "partners", they can all rot for all I care.
> It's like piracy, there's only so much you can do plugging holes
I say keep on plugging. When you make a law and bad actors find loopholes, the solution isn't to throw up your hands and say "Well, we tried!" The solution is to continuously refine the law as loopholes are found. Laws should get regular patch releases.
Yes that seems to standard practice in modern government. Impose a series of ineffective rules that do more harm on the public than helps them, and when it fails just invent new ones without considering why the last one failed. And most importantly don't get rid of the previous rules, just let them stick around a decade after it's been apparent they were ineffective.
Well yeah because the "naughty things" are totally allowed. Can you blame them for trying to make money legally, and most people would say fairly morally (most people in the real world; not on HN).
I think 90% of the blame lies with the EU. They had experience from the cookie law that this would happen.
It like... say you would rather people didn't drink alcohol in pubs (because of all the scary violence it leads to). You can
1. Ban alcohol in pubs.
2. Allow alcohol in pubs.
3. Allow alcohol in pubs but only if people recite the lord's prayer before every purchase.
3. is obviously a dumb choice, yet it's the one they chose.
Sure, and that's a perfectly reasonable law. There's no "oh you actually can sell alcohol after 10pm as long as your customers fill in a 5 page form, which is what the EU has caused.
Scummy companies won't magically disappear or stop scummy practices. We can and should blame them, but it's pretty much obvious that the legislation (despite good intents!) resulted in a de-facto shitshow that failed to recognize basic social/behavior sciences, technical details, or anything else.
It should've been an user-agent centered feature rather than individual website gimmick - that's the only way it could've possibly worked. After that, companies can try to continue doing whatever shit they want to try, but none of their identifiers would be persisted unless user agent allows it. (This does not account for fingerprinting, but that's a whole other story.)
Instead, legislators made some weird decisions that failed to account for human and corporate nature (greed), and we ended up with more popups and banners than ever.
Am I literally the only person who this doesn't bother? When I go to a site I click all the xs and buttons until I can see content, without any conscious engagement at all really.
Sometimes when you go for a walk in the country there are stiles or gates to climb over and that is also fine.
I feel like there's some kind of implied belief here that all interactions with the world should be perfectly frictionless which I think may be more of a niche view than is realised?
No. Same here and I agree with you. I think websites having to disclose what third party cookies they save is worth the small inconvenience. And if they maliciously comply, that hopefully leads to further regulations.
I would like to present my opinion that this amount of time is spent dealing with website malicious compliance with EU rules. And it is in general asking people to get tracked and present them with personalized track or share/sell the data to their partners. All of these does not happen and you don't have to do that if you don't track and collect information about your users. Well there are some genuine websites that needs that but I am talking about the general case.
Around the time this started, Google was going to penalize sites in its search ranking if they greeted users with an obtrusive popup. I thought that would strongly discourage cookie banners but then suddenly there was an explosion of stupid popups everywhere - newsletter signups, cookie banners, "special offers", overlaid ads, etc. I guess Google never did that thing?
The internet is broken and I don't think it's only in the EU. In the last years I found myself just avoiding using websites I'm not familiar with or confident they're not filled with ads and trackers, I've set-up some aggregators and custom readers to find and get the information I'm interested in. If I open a page that has the cookie banner that blocks me from reading the content or forces me to agree I just close it, it wouldn't have been that important anyway.
I am about as far from Europe as you can get, and I think my fellow kiwis also spent an inordinate about of time clicking EU mandated cookie banners.
Cookies should be enforced in the browser. I think all the major browsers block third party cookies now. Bad actors can use other fingerprints to do tracking.
Exemptions from cookie banners for small and medium-sized businesses (SMBs) using analytics, tracking user interactions on their websites, and managing basic advertising are imperative to mitigate unnecessary economic and productivity losses.
Yeah, right. You don't have to use cookie banners if you don't use cookies.
Unless you are running ads or profiling users, you can get equivalent data from server logs.
There's a more insidious effect of cookie banners, which is that they make it annoying to follow external links, especially to websites that you haven't visited before. This disadvantages websites built for external links, like HN.
They do already, and big companies have already been fined for not offering them, which led to some smaller parties adding them. See here [0] for a list, amongst which was Microsoft getting a $65 million fine for not having an easy opt-out on Bing, or $162 million to Google for the same thing. Noncompliance should be reported.
the angle of wasted productivity on the end-user's side seems ridiculous. If anything, count wasted resources in implementation for little gain for the end-user.
"Assuming it takes an average of 5 seconds per interaction with a cookie banner".
People don't spend 5 seconds clicking accept. They start reading their website, notice the banner in their periphery shortly after, and click it to go away.
The banner often obscures the view, and the user need to dismiss it in
order to know if the page contains the information user looks for. But
in order to dismiss it, you can click "Accept all" easily and job done,
OR you need to enter options by clicking the "manage" button, find your
way around the banner, understand what are the options and which ones
are checked and which are unchecked, then click "consent" or whatever
terminology is used, but only after finding the button.
This easily can take up to a minute.
Yes, sometimes there's the "reject all" button, but not always. Also you
need to know how they define the "reject all" button, because sometimes
it probably may be defined as "reject some".
It's not a problem for me, because I autoclick them away with browser
plugins, but when I'm on a mobile, the web is really hard to browse
because of those banners.
Because I use fresh incognito mode for each browsing session, I have to click through those consent popups on every website I visit. Quite frustrating to say the least.
Now count how much money and time is wasted loading all the spyware of typical commercial websites to generate a tiny value from selling ads and personally identifying information (the mobile data costs alone ...)
> This situation calls for an urgent revision of the ePrivacy Directive
Shame companies cannot live without tracking cookies, and shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss".
You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.
> Shame companies cannot live without tracking cookies
Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law, while good intentioned, was/is too broad and failed to understand the realities of operating websites. This regulation has caused the entire world to be annoyed with useless cookie banners that 99% of people just reflexively click through - just like all of California's Prop65 warnings are ignored today.
> Don't store PII.
These hard-line statements defy reality. Many websites have legitimate need to store PII.
> You know the best way of not having to care about GDPR?
Don't be in the EU?
Just ignore it. There are no consequences. If you don't have physical presence within the EU - there's little-to-zero the EU can do about it. The EU can think it's laws apply to the world all it wants - but the world disagrees.
> Many cookies (or something like a cookie) are required for a website to operate normally
"Essential Cookies" do not need a consent banner.
Case in point: Hacker News is 100% compliant AFAIK and has no banner.
> Many websites have legitimate need to store PII.
If there is actual legitimate interest or legal requirements, such as collecting an address for delivering a package or performing fraud-prevention, there is also no need for cookie banners.
And if that data is "transferred" to a 3rd party for that analysis (aka. a REST call into their API) then you are back to requiring these annoying banners.
Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers. Oh the horror!
What does "for that analysis" refers to? Fraud prevention?
If so, it is legitimate interest to do fraud prevention, so there's no need for a consent banner, first or third-party. Naturally you can't go and use this data for a purpose that has no basis under legitimate interest.
Another example: Cloudflare is running DDoS prevention under our noses here at HN, for example, but there's no need to ask for consent, even though Cloudflare is a third-party. Why? Because this is considered legitimate interest.
> Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers
For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.
To understand how customer's shop on my website. Heatmaps, view port, device type, screen resolution, frequency of browsing, where their mouse hovers the most, page dwell time, etc.
These are impossible tasks for most website operators to do themselves.
> For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.
Or... you can just ignore the EU because the EU doesn't matter. You know, like I originally asserted?
> If you don't want a banner you can replace it with a simple checkbox during the checkout process
This is the sort of mindset that crafted this poorly designed regulation in the first place. Most website operators are not going to willingly add a barrier at the final step of a conversion.
If you are going to use my property and resources - it's my rules or don't come. Pretty simple...
You don't need banners just because something is third-party. If there is no PII and/or legitimate consent, you don't need a banner. There are GDPR compliant analytics platforms, fraud prevention, third-party payment gateways, for example. They don't need banners.
As for the rest, it's quite inflammatory and I don't know how it relates to my comment, so I'll refrain from answering.
You don’t need banners period. The EU doesn’t get to tell people how to operate their web properties. If EU citizens don’t like it, they can stop visiting those properties. Even simpler.
> Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law was/is too broad - and has caused the entire world to be annoyed with useless cookie banners.
Give reading the actual implementations a try. You'll quickly notice they actually thought of this. I wouldn't say it's "expertly crafted" by any means, but the banner is for a specific "class" of cookies, not just "abc=123" as you seem to think.
You might try to argue many types of cookies are non-essential - but that would be because you lack experience in this domain.
Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.
The EU law compels a popup for these types of services/scripts and 99% of people just click through them because they are noise.
Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.
> Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.
I think reasonable people can disagree about this, and if enough reasonable people think that a web site operator should not have that "right" then they should be able to pass legislation to curtail it.
As a user, I say I should have the right to control what data is collected by what company, and what they should be allowed to do with it. I should be empowered to decide what kind of data is "essential" for a company to collect about me, not the company. Reasonable people could disagree with me, too. These are not laws of physics.
Why is this different than a brick-and-mortar to you? Do people feel they are "private" when shopping in a retail store with AI cameras tracking patterns and behavior, names and purchases collected at checkout, loyalty "discount" cards to get even more data, etc? Even without your name, they can identify you by recognition alone, aka. an anonymized cookie used to track a specific user's behavior.
Somehow people think visiting someone else's private website grants them privileges to be entirely anonymous - it does not anymore so than shopping in a physical retail store.
If we keep going down this path, websites will require a full ToS/EULA just to access the site...
For the record, I don't think brick and mortar stores should have an automatic right to surveil and study the personal information of in-person customers without their consent but I agree that ship has largely sailed.
> Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.
This can be done without a cookie banner, as long as no PII is collected for the purposes of that analysis.
> You might try to argue many types of cookies are non-essential - but that would be because you lack experience in this domain.
I'm not arguing anything, read the directives and implementations yourself, then get back to me. While some might lack experience, others seem to lack reading comprehension. That's fine, we can always learn :)
> Website operators have a right to study how people use their website
In the EU, that depends. As a website operator at a certain scale, you cannot do whatever you want with personal data.
> Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.
Yeah, I mean that's cool and all, but maybe you're spending time discussing in the wrong HN submission then? I don't go around in submissions about "Golang is bad" commentating how you wouldn't have those issues if you didn't use Golang in the first place. Not my idea of curious conversation at all.
The EU designed these regulations to be viral and compel the world into compliance. The world does not need to comply, and largely does not. Multinational corporations with physical presence within the EU need to comply - but nobody else does, nor should they.
> read the directives and implementations yourself, then get back to me.
So we're arguing this down-thread of an article claiming our fuzzy European friends wasted nearly 600,000,000 hours last year clicking "I Accept" over and over? Seems like a well-designed regulation that's totally working super-duper well for the EU. Totally cut down on cookies!
> shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss"
You can wish upon a star that humans weren’t the way we are. In the real world, this was a predictable response to a stupid rule. (And in some cases a necessary one. For example, for websites requiring a login or reliant on ads.)
> know the best way of not having to care about GDPR? Don't store PII
This is a nothing to hide argument [1]. Proving compliance with GDPR is tedious and expensive even if you’re fully compliant. (Proving no jurisdiction is easier.)
Yes. For me, this has been eye-opening about how many different ad agencies there are snooping on my browsing history. It was bad enough when it was just the (UK) government passing a law to do that, now I've got websites with more "trusted partners" monitoring my every move than my high school had students.
> This is a nothing to hide argument
"Don't store PII" does not seem to be that, to me?
If anything, the opposite party gets that criticism, given that the default is allowing private agencies to spy on everyone?
Saying you don’t need to worry about GDPR if you don’t keep PII is the “nothing to hide” argument. There is still a cost to demonstrating compliance that goes beyond complying.
Maybe an analogy will make it click: If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal.
Replace marijuana with "personal data" and imagine it is about websites with visitors within EU. If they're not storing, processing and/or transmitting personal data, there is no compliance requirements (from GDPR at least).
> If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal
This is a good analogy. By making the marijuana illegal, you also implicitly widen search powers. You can’t arrest someone you think smells like weed if weed is legal. (Or answer a neighbor’s complaint that they suspect they’re growing weed.)
Same idea. If you say you aren’t storing personal data and I say you are, someone’s got the authority to check. Those checks and confirmations cost time and money. With a complain-investigate set-up like GDPR (and American securities law), the burden is on the respondent.
> this was a predictable response to a stupid rule
It was predictable that ultimately people would blame the regulation instead of the companies? Not sure I understand what you mean, and even if you meant what I think you meant, not sure what the point is? People blame all sorts of things all the time...
Edit since you've added more to your comment
> Proving compliance with GDPR is tedious
That's my point. No need to prove compliance if GDPR doesn't apply.
> predictable that ultimately people would blame the regulation instead of the companies
It was predictable this would result in disclosure/consent spam.
> No need to prove compliance if GDPR doesn't apply
If you are in the EU, GDPR applies. It may not be relevant. But you’re subject to it and its regulatory arms. (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)
Both laws’ aims are noble. But they require tweaks. Starting with the cookie banners would be smart.
> If you are in the EU, GDPR applies. It may not be relevant. But you’re subject to it and its regulatory arms.
I think you might be missing that I'm talking about this from the companies perspective, not from the perspective of a person inside EU.
If the company doesn't store any "personal data", GDPR has nothing to do with it. It's strictly about "personal data" as defined here: https://gdpr.eu/article-4-definitions/
> (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)
Happen to have any quotes/sources for this? Would be the first time I've come across it myself. I'm genuinely interested in if it's being misused like that.
> If the company doesn't store any "personal data", GDPR has nothing to do with it. It's strictly about "personal data"
You’re still obligated to respond to requests, even if it’s no response. And data regulators will still follow up on groundless complaints.
DMCA is strictly about copyright violation. If you’re not violating copyrights it should have nothing to do with you. But that isn’t how things play out in reality.
> have any quotes/sources for this?
No, just anecdotal. Every Magic Circle firm, however, will happily file complaints in multiple jurisdictions for you.
I’ll admit I’ve used GDPR a touch vindictively after a customer service interaction went poorly. Lots of requests, wait for a minor fuck-up, escalate to multiple data regulators because I technically have multiple nexuses. European equivalent of copying your state AG on a letter, except the burden to respond is on the company.
I built a GDPR request deletion system for a company right as GDPR came into effect. In the first year the only requests that came in were from privacy advocates and competitors.
I don’t know if after that it saw more natural usage but I doubt it.
Except it's not that black and white. If you follow the regulation too loosely, you get warnings. If you then ignore the problem, you'd get bigger problems. But no one is gonna put a "10% of global turnover" as a fine immediately.
After multiple warnings and lawsuits, sure. Conform to the rules if you don't want the fines. But these companies are so big and rich, they'd rather break the rules and risk a fine than give up on their sweet data. And even if they get sued, they have armies of lawyers - still cheaper to spend millions on lawyers than pay a hundreds of millions fine.
> You're dealing with the EU. Stupidly high fines happen weekly.
Thank you for making it clear you wasn't taking the conversation seriously, I almost thought someone could hold opinions like that in real life, but I'm happy it wasn't so.
Tell that to Emanuel Macron, who has openly said that the EU might literally die functionally, if not politically, in just 2-3 years due to sheer economic lack of competitiveness.
"Our former model is over. We are overregulating and underinvesting. In the two to three years to come, if we follow our classical agenda, we will be out of the market."
"If we want clearly to be more competitive and have our place in this multipolar order; first, we need a simplification shock."
"The EU could die, we are on a verge of a very important moment."
> I've worked with two firms that have faced GDPR complaints. It's "up to", not "immediately on your first offence".
It's not specifically GDPR - it's the degree of overregulation in every sector, for almost every aspect of doing business. I was also speaking facetiously about large companies in particular - for example, just 12 hours ago, Facebook got hit with another $700 million fine. You don't have to be Facebook for the chilling effect. Or, the EU's stuff with Apple, the $12 billion fine against the will of Ireland, which has Apple assessing the profitability of even being in Europe.
> for example, just 12 hours ago, Facebook got hit with another $700 million fine. You don't have to be Facebook for the chilling effect
This one?
"The EU fined online giant Meta almost 800 million euros on Thursday for breaching antitrust rules by giving users of its Facebook social network automatic access to classified ads service Facebook Marketplace." - https://fortune.com/europe/2024/11/14/eu-fines-meta-840-mill...
Because if so, that's going to have the opposite of a chilling effect, as it is anti-trust.
Likewise, what Apple got with Ireland, while Apple has to pay, it's something Ireland did wrong by illegally giving Apple a tax dodge to encourage it to base itself in Ireland rather than anywhere else in Europe — if that's "chilling": good. We don't want tax-dodgers. If Apple can't be profitable in Europe without dodging taxes, something's gone very badly wrong for them.
Now, I'm not saying the EU doesn't over-regulate, as that kind of claim about any government is like saying that a software project contains zero functions that are never invoked by a user. But I am saying the scope of your rhetoric is not sufficiently supported by the evidence provided.
> You know the best way of not having to care about GDPR? Don't store PII.
I hear this a lot. As an American that hosts casual personal websites, I can't help but worry that I'm in violation of the GDPR.
For example, my router logs connections for debugging. And my NGinx server maintains server logs for debugging.
These contain IP addresses. I'm pretty sure those are considered PII under GDPR. And there are a lot of things I think that follow from that, things I haven't bothered to look into or implement. Like whatever policies, disclaimers, notifications, request handling processes, etc. that need to be in place to gather those logs.
Whether or not I need a registered agent in the EU to host my website seems to be rather fuzzy too. It seems to come down to how "sensitive" the data I store in my logs are?
Its also not clear to me whether my home router is subject to GDPR if it receives and logs a packet that was sent to it by an EU citizen, regardless of whether there was a public internet service hosted on that router or not.
I mostly choose to not think about these things - but that nagging concern that my entire self-hosted digital presence violates European law does linger.
Actually, all the cases you mentioned does not necessitate any consent from European users as long as you don't send these data to any third party. The only thing is, if you plan to store logs over time, it should be anonymized after 25 months. It's not that bad.
I get it, but you’re not in violation if you never pass those logs to anyone.
GDPR is intentionally obfuscated and made scary by people who have an interest in others thinking the regulation is onerous and silly (so that it is eventually changed/removed).
The regulation is not very hard to read, I would recommend you do it if you haven’t and boils down to: “don’t pass on (process) information without informed consent, if someone requests that you remove their account you should do so- and also don’t keep records around, and do your best not to let anyone access personal information”, the last one is technically unenforceable, but exists to prevent people leaving open access to data processors and bypassing consent more than anything else. A secondary benefit is that people take access controls a little more seriously by forcing breach disclosures.
Even the cookie banners are not needed unless you’re setting cookies for data collection, especially for third-parties!
There is a distinct irony in that all the online simplifications (“gdpr for dummies”, “the 7 things to comply with for gdpr”) are misleading and harder to read than the actual text of the regulation.
EDIT; I was foolish to post this during the peak time for US people. It feels like the Americans want the GDPR to be perceived as a pain.
My opinion is that cookie banners are so bad because of GDPR and not getting rid of the cookie law when GDPR was enacted.
Then everybody kept their cookie banners around and folded GDPR requirements into it, making it more complex, and more necessary all over the place, and less likely for people to think do we need these cookies or not and do we need to show this banner because of fear of GDPR (potential fines are big!!)
"All" the EU needs to do is to mandate adherence to the Do Not Track setting in browsers, but then vast swathes of businesses based on unwanted and unethical tracking would go bust, so we have this really shitty stalemate.
All websites we build adhere to the Do Not Track setting and don't even show a cookie banner if it's set. The only question is whether we should show a message to say that we're not tracking people because we see they've asked us not to! It's possibly a bit easier for us because we work primarily in the non-profit sector where ethics are perhaps a little higher up the agenda.
“Analysis of economic and productivity losses caused by companies implementing dark patterns in order to extort used consent”
FTFY
And you could add an analysis of the productivity cost of those “Subscribe to out newsletter” and “The experience is better on the app” pop-ups please?
> actively tracking a user beyond their visit to a website is difficult or borderline impossible for website owners, as it would require a court order.
I am skeptical of this claim. Partially due to the existence of trackers, beacons, 3rd party cookies and fingerprinting methods.
> Identifying users typically requires a court order to process IP addresses
This destroyed the world wide web, which was the major driver of the internet as a consumer application. I'm referring to the experience of intelligent & creative publishers sharing content openly on the web. This did far more to destroy the world wide web than ads or tracking
Has Facebook ever not been hidden behind a login? Because even if that doesn't count as "intelligent & creative publishers", it certainly set a much harder trend to get around than the banners.
I think you two are talking about different things and are both correct. Facebook indeed had a login page back then, but you could use direct links to read public posts. Today it's roughly the same, but when you go to a direct link it shows a "Login Wall" that pesters you to sign up.
These calculations read like an episode of Silicon Valley.
Sure the banners are a stupid idea and a little annoying, but these figures have no merit. There's no way 500m hours of productivity are going to materialize from removing the banners. Removing 'please subscribe' popups, and other ads, now that's altogether different...
Analysis of economic and productivity losses caused by Youtube ads in <world>.
<S>OMFG!!! YOUTUBE IS COSTING THE WORLD *750B EUR* PER YEAR. </S>
How many hours of productivity are lost to Youtube ads?
2.49 billion active users, average seems to be 29 hours per month, reddit reports 4 ads/10 minutes lately - so 24 ads/hour, 5 seconds each (even though that went up!), so 2mins of ads/hour or 1 hour of ads per month, 12 hours of ads per year!
12 hours * 25 Eur/hour * 2.5B = 750B Eur
(probably made some mistakes)
Also, this article is ridiculous - like assuming all 400M European internet users are "productive" at 25Eur/h (30% are probably < 15 or > 65), people clicking 1200 banners per year because they visit 100 sites/month (12*100, right?!) and so on.
Also quite a few people (mostly from the north) fighting this idiocy.
In general: Southern+Central EU wants to build a new USA. Northern states meanwhile want to reduce the power of the EU. A common market is really the only thing we want.
> In general: Southern+Central EU wants to build a new USA. Northern states meanwhile want to reduce the power of the EU. A common market is really the only thing we want.
As someone from the north (specifically Sweden) who now lives in the south (specifically Spain), I'm not sure there is majority in either places, either directions, to state this with confidence. Lots of swedes are happy with EU and wants to make it stronger, and lots of Spaniards who had enough of EU and wants it weaker.
Maybe it looks differently in the center/eastern parts, haven't spent much time there admittedly.
I can't believe any of this made a difference in privacy. There is ZERO chance that the law can be enforced here. I've worked in few startups in Europe, no one understand their obligation, let alone the consequences from third party services.
This whole cookie banners, and GDPR in general, is as good as literature.
I don't even have the words to express how little I care if companies serve me targeted ads with cookies. On the other hand I absolutely despise what the average visit to website with a cookie banner has become.
If that's true, I'd have to agree that the EU is doing very, very, very well if that is the biggest fail. Unlikely to be true though, for better or worse.
This is an example of the potential double-edged sword of passing legislation without input from lobbyists. On one hand, without an industry voice, they passed an amazingly ambitious set of protections. On the other hand, it doesn't seem like there was a technical industry expert who warned them of the implications.
(I say that, but the EU bureaucrats that passed this law may actually see the immense numbers of popups as a win still - who knows).
A revision is patently obvious to seemingly everyone - revise the law to instead mandate that websites respect the Do Not Track header, or at least have designed a more granular replacement. There's no reason you shouldn't just be able to set it once and your browser tracks it for you.
I know that I'm in the minority, especially here, but I generally welcome paying with my data. it seems to me that companies need to generate revenue and they do this by extracting something of value from the user and that this thing by definition almost would be something the user isn't happy to just hand over: money, watching ads, electricity for mining crypto, personal data etc. It's some form of payment.
for me personally out of all these options giving my data is my least painful payment option for one off services.
I am kind of frustrated by the widespread misunderstandings in this thread.
Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities. The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.
There is no doubt that the goals set by the law are sensible. It is also not evident that losing time over privacy is so horrible. In fact, when designing a law that enhances consumer rights through informed consent, it is inevitable that this imposes additional time spent on thinking, considering and acting.
It's the whole point, folks! You cannot have an informed case-by-case decision without spending time.
What I find funny about the whole thing is that the grand majority of companies with cookie banners are not implementing them correctly, and therefore are still in breach of the law.
I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given
Also see banners where there is only a big "OK" button, with no visible option to reject, this is also not compliant!
The whole law should have been forcing sites to not ignore DoNotTrack bworser settings. It's a prime example of the EU being utterly useless because they don't understand the underlying issue and then choose a "solution" that's as much in your face as possible but doesn't change anything about the original problem. It's the whole plastic straw thing in digital form.
No, it's not a prime example of the EU being utterly useless. It's a prime example of companies engaging in shady practises. This is what all the websites should have done: https://github.blog/news-insights/company-news/no-cookie-for...
Quote from the blog post:
> Well, EU law requires you to use cookie banners if your website contains cookies that are not required for it to work.
If only those websites just didn't use cookies when 99% of them don't need them. Easy to display the cookie terror banner and blame the EU while you're using it for "analytics".
And the majority isn't even compliant, without a big disable button, instead hiding it through 10 different dark patterns in the cookie setting, where every misclick leads to accepting the whole array of spyware.
I don't think DNT settings were not considered – they were probably discarded as they hurt user privacy. Fingerprinting tools use the DNT setting as an extra flag to identify the user, so having it set to a non-default means you actually get tracked more, not less.
This, exactly.
And possibly requiring browser vendors to implement Do Not Track in an accessible and user-friendly way. (Those whose business models are reliant on ads might need a firm nudge there.)
Its lazy engineering. Most sites dont need such functionality, but devs are either incompetent to rip it out of libraries they use, are stuck in web design patterns from 20 years ago themselves or its a simple business decision to trade user data. When was the last time you really needed cookies for your business and couldnt get around it with (usually better) tech?
Dont blame the system (nonideal but darn good to be in place, compared to literally rest of the world where humans have simply less rights), when its companies failing knowingly basic rules.
Hop into your uBlock Origin settings and enable the Cookie Banner filters. Fixed. Enable the Annoyances filters too, while you're in there.
If you're on iOS, the Kill Sticky bookmarklet does a decent job of cleaning these up without breaking most sites: https://www.smokingonabike.com/2024/01/20/take-back-your-web...
While I appreciate your workarounds, the issue is not fixed. Almost everyone is going to keep clicking these stupid banners. It’s not okay, it’s not fixed until the rules are adjusted and we have less tracking and’s less pointless banners.
So many pop-ups these days, for every little thing. Tracking. OS permissions. Browser permissions. Take a survey. Speak to our AI assistant. Do you agree to this. Donate. Sign up. Pay. So many clicks. Used to be viruses, but we have the same result with our complexity.
Most of them I don’t get because I don’t use a user hostile operating system.
And it’s not really complexity, it’s deliberate choices being made.
The internet used to be run by technologists.
Now it’s run by project managers and web monkeys
It's not complex. It's simple. It's greed. It's absolutely ridiculous that we as a species put up with all of this nonsense because we have a faulty foundational understanding of what is and should be normal. The brain rot that we've subjected ourselves to is absolutely ludicrous.
You're right, but I can't fix that. What I can do is help HN readers who didn't know about that filter list. Maybe they can help the people they know.
I’m happy! I didn’t know about it! Thx
So remove the consent exception against tracking? Simply make it illegal, banner or no?
Do Not Track header? It's the silver bullet but the stakeholders will argue it is invalid and cannot possibly be used to inform the server that the client wishes not to be tracked
Someone needs to put a stake in those stakeholders.
I don’t know how to fix it, but I know it isn’t fixed now. We have both tracking and cookie banners.
It’s not a tracking banner but a cookie banner and some applications have a legitimate need for cookies. They abuse what is legitimate, but you can’t ask regulators to check every site without a national (European?) white liste firewall (shouldn’t give them ideas…).
Also, most tracking used to use cookies but if that becomes illegal there’s others ways.
Cookies necessary to function properly don't require consent. It's only optional ones (ones that benefit the site, not the user).
And these (optional ones) don't require a banner.
How do you figure? How does the user opt in or out without an option to opt in or out?
the same way that they interact with any other web page? which never need banners? You don't need a banner to opt in or out (or ignore).
By this I mean the law is what it is but the implementation is deliberately hurting the visitors in the hope that they will click "yeah sure whatever" to be let through to the content. The harm does not come from the legislation but is deliberately anti-user by the web site owner. (Fine, in some cases it might be out of the box and merely lazy.)
Filters are unreliable, it is better to have the cookies banners automatically filled out via Consent-O-Matic: https://consentomatic.au.dk/
Which works on Chrome, Firefox and iOS.
The best part is that you can actually specify your preferences, but globally for all websites. I actually prefer to have the functionality cookies enabled.
> Hop into your uBlock Origin settings and enable the Cookie Banner filters (and enable the Annoyances filters too, while you're in there). Fixed.
Except for the pesky sites that somehow disable (or rather "not enable") certain things until you've "answered" the banner. Can't remember what site I hit that on most recently, but I had to disable uBlock, reload the page, click "Deny", and then the video/element worked.
And by hitting that ”deny” button, you have ”consented” to hundreds if not thousands of data brokers around the world processing all your personal data gathered throughout your life across all your devices. They can now freely buy your data from other brokers to enrich their profile of you.
Should have unchecked those 973 legitimate interest checkboxes they hid under the ”affiliates” or ”vendors” or ”providers” or whatever.
Next, they will resell that profile to political campaigns, advertisers, law enforcement, private dicks and security providers, the military, foreign intelligence services and drug cartel hit squads, to name a few. You could buy it too! Or your friends, enemies, neighbors, colleagues, bosses…
If they're doing that after you clicked Deny, the government can come down hard on them. Sadly, only the government - individuals can't sue companies for GDPR violations.
Legitimate interest checkboxes are technically not asking for consent, they are considered informational. OneTrust popups are especially inflammatory in this regard.
Legitimate interest can absolutely be opted-out of:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
https://eur-lex.europa.eu/eli/reg/2016/679/oj#006.001
Yes, by unchecking the 973 hidden checkboxes.
Article 79 [1] gives individuals a right to sue for GDPR violations.
[1] https://gdpr-info.eu/art-79-gdpr/
That’s inspiring.
Let’s team up the pissed off individuals and raid-sue one of the obviously abusing. One is nothing, but that could at least make more visibility of the borderline legality. And at best we win and go to the next one.
Any law-worker?
One of my favourite HN threads is Confiks exercising his GDPR rights under the threat of litigation against Spotify: https://news.ycombinator.com/item?id=24764371
Yeah right, legalized bribery means the elected leaders have priorities other than citizens.
The most recent iOS (18) introduced a feature that lets you hide distracting things on the page. (Tap left side of the url field and select “Hide distracting items.” Then just tap what you want to remove and hit done.) I believe that they will stay hidden next time you visit the site.
Regardless, I use Hush and another blocker and it has still come in very handy several times already, so I thought others would want to know about it.
I use Hush on iOS.
Oh nice, thanks. I'll give that a shot.
Since when do bookmarklets work on iOS? How exactly do I use that?
I just figured it out. You bookmark a normal website. Then you go to your bookmarks and edit the new entry you created; you can then change the URL to the javascript code. Finally, to activate the bookmarklet you have to tap on the address bar and then manually browse to the bookmark entry (it doesn’t work if you just type its name in the address bar and press Go, or if you select it from the suggestions list).
content-based adblocking requires tremendous resources, and no longer works in Chrome, which is the primary browser.
> content-based adblocking requires tremendous resources
That's not true. On average any overhead in browsing performance introduced by ad blocking is compensated by the elimination of tracking and ads elements of the pages. It saves bandwidth and are better for UX. We can argue about business models but claiming it requires tremendous resources is not true.
And content-based ad blocking still works in chrome but in much more limited capability compared to superior browser like Firefox.
So use Firefox.
tell that to the billion internet users who suffer from cookie banners. I'm talking about the network effect.
I do tell them that. I can't help everyone, but I can help some.
I'd think anyone capable of installing an adblocker in Chrome would be able to install Firefox + an adblocker.
Obviously it would be better if adblocking wasn't required in the first place.
Those resources are well spent.
my point is that it's not "fixed". The issue plagues 99.9% of internet users.
Switched to edge at work and Safari at home/mobile hasn't been a huge issue. Firefox is my secondary. Although I no longer do much web debugging, the switch from edge to chrome wasn't too painful.
If websites respected Do Not Track then things would be a lot easier. I think we need a right to be listened to. Right now it's enough online to insist on only accepting information in one particular way, like having a noreply email and making people login and submit since shitty web form to respond. Putting your hands over your ears and tape over your mail slot doesn't work in real life, it shouldn't work on the web either.
I agree with you 100%, but to be ideologically consistent, we should admit that websites have as much of a right to ignore Do Not Track as we have to ignore their tracking scripts.
> but to be ideologically consistent, we should
Not if it comes from "consumer protection", as opposed to "your computer, your rules."
Treading down the latter too far leads into weird realms like "Hacking? I didn't make your computer do X, I simply sent it messages, it's your fault for not controlling its behavior."
"Rights" are sort of a hollow concept compared to how society ought to function and are just a crappy workaround our society's inability to resolve basic conflict.
Websites aren't human.
Neither are browsers.
Why should websites even be trusted with implementing these banners in the first place? Browser vendors should be responsible for implementing these controls per-origin. Give a little banner pop-up built into Chrome, Firefox, Safari, and the rest. Have it display every time a new site sets a cookie for the first time. Or have it reject every cookie by default, unless I whitelist a site. This would result in a consistent user-experience across the board, and I'd actually be able to trust that I'm not being tracked.
Instead, we are trusting the very websites we are blaming on tracking us in the most decietful, malicious ways possible to self-regulate and implement these controls. So now every website gets a shitty banner - on top of all the other annoying in-page banners and popups which are a staple of 2020s web design - that asks us if we want cookies. All these banners look different, are positioned differently on the page, appear at different times after the page is loaded, and function differently. So there's no consistency. And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies." How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?
So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industury does, except its worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.
So again, why isn't this the responsibility of browser vendors? Am I taking crazy pills? Am I going insane or is the world going insane?
/rant
Essentially because the people drafting the laws are ignorant about technology, and have a kind of weird snobbery towards it. They like the shiny, but don't try and engage them in a conversation about what actually makes it tick.
Knowing and caring how the plumbing actually works marks you out as a plumber, and sophisticated people don't concern themselves with those kind of details.
(Also various corruptions in the drafting process itself, of the sort which tend to arise when you have a mega-nation with competing interests and power blocs, but in this case it's mostly just ignorance.)
>Am I going insane or is the world going insane?
You haven't been reading the news lately, have you?
> You haven't been reading the news lately, have you?
If you're referring to the US elections, then you might be interested in the fact that not everyone on HN is from US, and not everyone cares.
You think the wars in Ukraine or the middle east only affect Americans?
You think the change of administration in the US isn't going to affect the global economy?
> So again, why isn't this the responsibility of browser vendors?
It should be, but then legislators don't get to brag about having Done Something and enforcers don't get to brag about punishing Bad People.
The title originally claimed 575M hours spent every year by Europeans on cookie banners. That's 12 seconds on average a day per person. Hardly anything to complain about.
An alternative interpretation:
"575M hours spent every year by Europeans" = 850 average human lifespans per year
Cookie banners in Europe have an effect vaguely comparable to "wasting" 850 human lives per year.
The whole thing is a colossal waste too, it was a law written by people who don't understand tech for special interest groups who don't want to actually make things better.
If you don't want a website doing something on your computer, you start with the browser, not the website.
That's why they created DoNotTrack initially. Then browsers turned that on by default, ad revenue lowered, and sites/adcompanies decided to ignore it because it was turned on by default.
Maybe the legislation simply should have required DoNotTrack to be honored.
1. Do not track was not the browser deciding what to do (that would be a similar shape as Firefox multi-account containers and incognito mode). It was a machine-readable way to tell the site what to do; ie the same incorrect model as the click-through banners we have now, just non-interactive.
2. It was intended to be a way to communicate an actual intent from the user. Once it was set by default, it ceased to be an indicator of user intent.
> Once it was set by default, it ceased to be an indicator of user intent.
This presumes that it isn’t the default user position. There are three people on the planet who actually want ad tracking, and they’re welcome to go change the setting, but default off was the correct setting.
Future headlines after a browser compliance law made - “EU is destroying innovation!”
You shouldn't need any kind of law here. Consumers have 100% of the power as it stands in regards to browser tracking. The innovation should be in browsers and plugins, not donottrack flags or compliance laws.
The company that dominates the browser market also makes billions off of tracking people. That might be part of the problem.
Enforced by companies who are doing shady things with data in the most inconvenient way, rather than listening to DoNotTrack or https://globalprivacycontrol.org/
Because if they can say "hey look over there, regulation bad"; they can escape regulation if it is repealed
People blame the cookie banners themselves or the legislation that "made them necessary" but somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.
The "cookie banner problem" exists because it's primarily end users that are shouldering the burden of them, and not the companies. For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner. For everyone else, it's thousands of wasted seconds per year. Make the law hit companies where it hurts: their balance sheets.
They don't technically even need a banner per se, just respect the user's "do not track" browser setting, or put it in a settings screen, or don't use any 3rd party trackers.
But a lot of businesses assume they need to ask permission for placing any cookies, which is simply not correct. Local analytics tracking is fine, it's only when the user can be tracked across multiple separate websites that they need explicit permissions. And the user should not be annoyed into making that decision.
This seems like the best way to go. Companies should have to respect "do not track" and browsers should have to enforce it to the extent that it is technically possible. And "do not track" should be per-domain at least.
>But a lot of businesses assume they need to ask permission for placing any cookies, which is simply not correct.
Partly because of laziness, partly because of pessimistic legal compliance.
And I blame the EU for not making this the law. Just force everyone to adhere to the setting and be done with it. But no, instead we got this bullshit.
Businesses are stupid. More at 11.
Yay capitalism.
> never seem to blame the web companies for doing the naughty things on their websites
Part of the problem is that the law didn't seek to distinguish between tame first-party cookies and the really naughty third-party cookies so the burden is equal regardless of how malicious the service is.
> For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner.
This is actually not true. There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)
It did though? You don't need a banner for actually legitimate use (session Cookie, settings, etc)
The things they're calling legitimate use just isn't, which is why they need banners.
The elephant in the room is that almost no one wants to host website without at least some sort of website analytics service, which does not fall under legitimate use. So that's why even a small blog is going to have a cookie banner.
There are some analytics companies out there that advertise cookieless analytics, but they are either a) too simple for enterprise or b) a much, much worse privacy and compliance risk.
The other elephant is that while everyone has analytics, only one in five companies pays someone with an actual clue how to interpret them to look at them regularly, and only one in five of those companies has a decision making structure that allows them to act meaningfully in response to insights gained.
Even this can be done without a banner, as long as these analytics do not contain any way to link them to individuals/specific users
It's admittedly sound advice to create a banner for such a usecase however, as sanitizing all user data from these events is hard to guarantee, and you'd have to do just that to keep it legal
I keep seeing this misinformation going around, and it has been going around since almost day 1 of when the directive became known. I'm not sure where it's coming from, or who initially thought it worked like that, but judging by the comments in this submission it seems like a ton of people are very misinformed about how these things actually work.
So how to these things actually work?
Anything goes as long as it is useful for the user.
Funny example: If they chose not to accept your spying cookies you get to set a cookie to store that choice.
Someone might think: surely seeing ads targeted for them instead of random ads must be useful / beneficial for the user!
If this is true, you have not helped them to understand in any way.
> There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)
Isn't this industry for those, who want to share their website data automatically with 100+ partners? For others, who don't really share that much data with others, less relevant.
If you are just running a static websites, maybe. But if you are going to run a website with any services on it (video content, eCommerce, member management, etc) you are going to have partners. Establishing a browser session with every single one would be pretty onerous (and honestly much worse for privacy) so a first-party cookie is a pretty good compromise.
> Part of the problem is that the law didn't seek to distinguish between tame first-party tokens and the really naughty third-party tokens
Maybe I'm an outlier, but ideally I don't want them collecting any "tokens" without my consent. I don't care if they're first party or third party or birthday party. I should be able to browse web sites in peace without some company collecting anything. If the web site doesn't work exactly the way I'd expect because I did not provide that consent, then that's on me.
Well that's a thought everyone can identify with, but objectively speaking, they're paying with their energy to build the website, and paying their money to host it. Yet you would want to browse it for no cost at all.
How to resolve this?
It totally does make the distinction.
If you use cookies for auth, no need to disclail it.
Better, you don't need a banner even of you do track users for anybody with DNT. So you can offer a seamless experience.
They just don't care.
> you don't need a banner even of you do track users for anybody with DNT
This is not true. The specific text of the law requires that websites have to provide details about their cookies, and then document and store user preferences.
If you just honored the DNT, you would still be out of compliance.
The cookie banner has nothing to do with first -party vs third-party.
The cookie banner is required depending on the purpose of the cookies, not the party setting them.
> and there's now an industry dominated by a small handful of players (Osano vs OneTrust)
Because of that there are now neat categories of cookies / cookie purposes.
Would be nice if we could select one time in our browser “necessary cookies only”, and that would be communicated to every website visited, without the need for a banner. But that’s user friendly and that’s anathema to the modern web :)
The problem is the law didn't go far enough.
Instead of requiring companies to put up a banner if they did certain tracking activities via cookies the law should have simply outright banned the tracking activities entirely.
> somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.
If I do not want a website to set any cookies, the correct course of action is to tell my user-agent to not keep any cookies from it.
All you can get this way is that you'll still have temporary cookies, removed after closing the tab, you will still have the banner, but this time the banner will popup each time you'll enter the website, because there's no cookie that will tell the banner that it has already been displayed.
I have it like this. But with that, I'm using a banner autoclicker. So the company gets my data, although different each time I enter the website, and I don't see any banners. Win/win?
How can the banners be necessary because of “naughty things” when the banners do absolutely nothing to mitigate those things in any way? All those things are still happening AND people have to waste time clicking useless banners.
This is it. This isn't the EU's fault and the post isn't quantifying the benefit of requiring explicit consent in these banners. It's all about efficiency and productivity as if it's all that matters in the world. It doesn't care about users' right to privacy or their right to control their own data.
I hope you'll be glad to know that this law already hits companies where it hurts, because many people will close the tab after the slightest annoyance.
I hope you're happy that this law already encourages people to stay within a few big websites (where they've already clicked away the cookie banner) and not explore anything new (where they'd have to click away a cookie banner every time).
Or, crazy idea, don't have invasive user-tracking cookies? Github doesn't even have a cookie banner and they're one of the largest websites on the planet.
After seeing websites pull shit like "legitimate interest" where they share data with 9 trillion of their "partners", they can all rot for all I care.
The second cookies are blocked the industry moved to fingerprinting and other methods
It's like piracy, there's only so much you can do plugging holes
Cookie banners always felt like a feel-good solution. Made worse by inconsistent UIs, differing button texts, long explanations, etc.
> It's like piracy, there's only so much you can do plugging holes
I say keep on plugging. When you make a law and bad actors find loopholes, the solution isn't to throw up your hands and say "Well, we tried!" The solution is to continuously refine the law as loopholes are found. Laws should get regular patch releases.
Yes that seems to standard practice in modern government. Impose a series of ineffective rules that do more harm on the public than helps them, and when it fails just invent new ones without considering why the last one failed. And most importantly don't get rid of the previous rules, just let them stick around a decade after it's been apparent they were ineffective.
Well yeah because the "naughty things" are totally allowed. Can you blame them for trying to make money legally, and most people would say fairly morally (most people in the real world; not on HN).
I think 90% of the blame lies with the EU. They had experience from the cookie law that this would happen.
It like... say you would rather people didn't drink alcohol in pubs (because of all the scary violence it leads to). You can
1. Ban alcohol in pubs.
2. Allow alcohol in pubs.
3. Allow alcohol in pubs but only if people recite the lord's prayer before every purchase.
3. is obviously a dumb choice, yet it's the one they chose.
D: Drink in pubs till 10pm including no alcohol purchases after 10.
That's the law here in Scotland. As annoying as it is, the same law doesn't apply in the rest of the UK but it's reasonable.
Sure, and that's a perfectly reasonable law. There's no "oh you actually can sell alcohol after 10pm as long as your customers fill in a 5 page form, which is what the EU has caused.
Scummy companies won't magically disappear or stop scummy practices. We can and should blame them, but it's pretty much obvious that the legislation (despite good intents!) resulted in a de-facto shitshow that failed to recognize basic social/behavior sciences, technical details, or anything else.
It should've been an user-agent centered feature rather than individual website gimmick - that's the only way it could've possibly worked. After that, companies can try to continue doing whatever shit they want to try, but none of their identifiers would be persisted unless user agent allows it. (This does not account for fingerprinting, but that's a whole other story.)
Instead, legislators made some weird decisions that failed to account for human and corporate nature (greed), and we ended up with more popups and banners than ever.
Misleading headline: It's productivity loss caused by non-essential data collection.
The EU does not mandate banners, it's the businesses choosing to bully their customers into accepting all tracking and profiling.
Am I literally the only person who this doesn't bother? When I go to a site I click all the xs and buttons until I can see content, without any conscious engagement at all really.
Sometimes when you go for a walk in the country there are stiles or gates to climb over and that is also fine.
I feel like there's some kind of implied belief here that all interactions with the world should be perfectly frictionless which I think may be more of a niche view than is realised?
No. Same here and I agree with you. I think websites having to disclose what third party cookies they save is worth the small inconvenience. And if they maliciously comply, that hopefully leads to further regulations.
Correct headline: User-hostile websites waste 575M hours of Europeans' time every year.
I would like to present my opinion that this amount of time is spent dealing with website malicious compliance with EU rules. And it is in general asking people to get tracked and present them with personalized track or share/sell the data to their partners. All of these does not happen and you don't have to do that if you don't track and collect information about your users. Well there are some genuine websites that needs that but I am talking about the general case.
Around the time this started, Google was going to penalize sites in its search ranking if they greeted users with an obtrusive popup. I thought that would strongly discourage cookie banners but then suddenly there was an explosion of stupid popups everywhere - newsletter signups, cookie banners, "special offers", overlaid ads, etc. I guess Google never did that thing?
https://www.amazingcto.com/cookie-banners-are-not-needed/
That is dumb. The EU already knew this was the likely outcome because we already had stupid cookie warnings from the previous law.
Regulation exists in the real world, not in some fantasy land where companies do what you want.
The internet is broken and I don't think it's only in the EU. In the last years I found myself just avoiding using websites I'm not familiar with or confident they're not filled with ads and trackers, I've set-up some aggregators and custom readers to find and get the information I'm interested in. If I open a page that has the cookie banner that blocks me from reading the content or forces me to agree I just close it, it wouldn't have been that important anyway.
I am about as far from Europe as you can get, and I think my fellow kiwis also spent an inordinate about of time clicking EU mandated cookie banners.
Cookies should be enforced in the browser. I think all the major browsers block third party cookies now. Bad actors can use other fingerprints to do tracking.
"cookie" banners are required for any tracking, not just teaching based specifically on technical cookies.
Blocking 3rd party cookies has no impact. Everyone and their cousin can technically track you with first party cookies.
> I think all the major browsers block third party cookies now. Bad actors can use other fingerprints to do tracking.
One would hope so. Google cancelled the plans https://www.reuters.com/technology/google-scraps-plan-remove...
Exemptions from cookie banners for small and medium-sized businesses (SMBs) using analytics, tracking user interactions on their websites, and managing basic advertising are imperative to mitigate unnecessary economic and productivity losses.
Yeah, right. You don't have to use cookie banners if you don't use cookies. Unless you are running ads or profiling users, you can get equivalent data from server logs.
There's a more insidious effect of cookie banners, which is that they make it annoying to follow external links, especially to websites that you haven't visited before. This disadvantages websites built for external links, like HN.
Can recommend consent-o-matic Chrome extension which automatically selects "no" to everything!
https://chromewebstore.google.com/detail/consent-o-matic/mdj...
A lot of those hours might be saved if they mandate a “reject all cookies” button on the cookie banner.
They do already, and big companies have already been fined for not offering them, which led to some smaller parties adding them. See here [0] for a list, amongst which was Microsoft getting a $65 million fine for not having an easy opt-out on Bing, or $162 million to Google for the same thing. Noncompliance should be reported.
[0] https://www.cookieyes.com/blog/cookie-consent-fines/
Everyone should just geo block EU visitors instead.
I know a lot of people that wouldn't mind that.
1. There are ways to bypass geo-block.
2. People would build alternatives specifically for EU (with few exceptions).
3. They could even offer those alternatives to US, but with better privacy out of the box.
Yeah, fuck everybody else's privacy. /s Why are you like this?
the angle of wasted productivity on the end-user's side seems ridiculous. If anything, count wasted resources in implementation for little gain for the end-user.
"Assuming it takes an average of 5 seconds per interaction with a cookie banner".
People don't spend 5 seconds clicking accept. They start reading their website, notice the banner in their periphery shortly after, and click it to go away.
I hope you're joking.
The banner often obscures the view, and the user need to dismiss it in order to know if the page contains the information user looks for. But in order to dismiss it, you can click "Accept all" easily and job done, OR you need to enter options by clicking the "manage" button, find your way around the banner, understand what are the options and which ones are checked and which are unchecked, then click "consent" or whatever terminology is used, but only after finding the button.
This easily can take up to a minute.
Yes, sometimes there's the "reject all" button, but not always. Also you need to know how they define the "reject all" button, because sometimes it probably may be defined as "reject some".
It's not a problem for me, because I autoclick them away with browser plugins, but when I'm on a mobile, the web is really hard to browse because of those banners.
Because I use fresh incognito mode for each browsing session, I have to click through those consent popups on every website I visit. Quite frustrating to say the least.
You can use Consentomatic to have it automatically handled. It's from Aarhus University, open source.
https://consentomatic.au.dk/
uBlock's cookie filters might be even more effective if you don't care to fine tune.
Now count how much money and time is wasted loading all the spyware of typical commercial websites to generate a tiny value from selling ads and personally identifying information (the mobile data costs alone ...)
So like 1hr per person per year?
Correct URL: https://legiscope.com/blog/hidden-productivity-drain-cookie-...
> This situation calls for an urgent revision of the ePrivacy Directive
Shame companies cannot live without tracking cookies, and shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss".
You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.
Thanks, somehow the URL was truncated :(
You know the best way to protect your PII from websites? Don’t use the internet.
> Shame companies cannot live without tracking cookies
Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law, while good intentioned, was/is too broad and failed to understand the realities of operating websites. This regulation has caused the entire world to be annoyed with useless cookie banners that 99% of people just reflexively click through - just like all of California's Prop65 warnings are ignored today.
> Don't store PII.
These hard-line statements defy reality. Many websites have legitimate need to store PII.
> You know the best way of not having to care about GDPR?
Don't be in the EU?
Just ignore it. There are no consequences. If you don't have physical presence within the EU - there's little-to-zero the EU can do about it. The EU can think it's laws apply to the world all it wants - but the world disagrees.
> Many cookies (or something like a cookie) are required for a website to operate normally
"Essential Cookies" do not need a consent banner.
Case in point: Hacker News is 100% compliant AFAIK and has no banner.
> Many websites have legitimate need to store PII.
If there is actual legitimate interest or legal requirements, such as collecting an address for delivering a package or performing fraud-prevention, there is also no need for cookie banners.
And if that data is "transferred" to a 3rd party for that analysis (aka. a REST call into their API) then you are back to requiring these annoying banners.
Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers. Oh the horror!
What does "for that analysis" refers to? Fraud prevention?
If so, it is legitimate interest to do fraud prevention, so there's no need for a consent banner, first or third-party. Naturally you can't go and use this data for a purpose that has no basis under legitimate interest.
Another example: Cloudflare is running DDoS prevention under our noses here at HN, for example, but there's no need to ask for consent, even though Cloudflare is a third-party. Why? Because this is considered legitimate interest.
> Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers
For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.
> What does "for that analysis"
To understand how customer's shop on my website. Heatmaps, view port, device type, screen resolution, frequency of browsing, where their mouse hovers the most, page dwell time, etc.
These are impossible tasks for most website operators to do themselves.
> For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.
Or... you can just ignore the EU because the EU doesn't matter. You know, like I originally asserted?
> If you don't want a banner you can replace it with a simple checkbox during the checkout process
This is the sort of mindset that crafted this poorly designed regulation in the first place. Most website operators are not going to willingly add a barrier at the final step of a conversion.
If you are going to use my property and resources - it's my rules or don't come. Pretty simple...
You don't need banners just because something is third-party. If there is no PII and/or legitimate consent, you don't need a banner. There are GDPR compliant analytics platforms, fraud prevention, third-party payment gateways, for example. They don't need banners.
As for the rest, it's quite inflammatory and I don't know how it relates to my comment, so I'll refrain from answering.
You don’t need banners period. The EU doesn’t get to tell people how to operate their web properties. If EU citizens don’t like it, they can stop visiting those properties. Even simpler.
> The EU doesn’t get to tell people how to operate their web properties.
Well, except for all the people in the eu. I'm pretty sure the eu does get to tell those people to do or not do things, online or not.
> Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law was/is too broad - and has caused the entire world to be annoyed with useless cookie banners.
Give reading the actual implementations a try. You'll quickly notice they actually thought of this. I wouldn't say it's "expertly crafted" by any means, but the banner is for a specific "class" of cookies, not just "abc=123" as you seem to think.
You might try to argue many types of cookies are non-essential - but that would be because you lack experience in this domain.
Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.
The EU law compels a popup for these types of services/scripts and 99% of people just click through them because they are noise.
Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.
> Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.
I think reasonable people can disagree about this, and if enough reasonable people think that a web site operator should not have that "right" then they should be able to pass legislation to curtail it.
As a user, I say I should have the right to control what data is collected by what company, and what they should be allowed to do with it. I should be empowered to decide what kind of data is "essential" for a company to collect about me, not the company. Reasonable people could disagree with me, too. These are not laws of physics.
Why is this different than a brick-and-mortar to you? Do people feel they are "private" when shopping in a retail store with AI cameras tracking patterns and behavior, names and purchases collected at checkout, loyalty "discount" cards to get even more data, etc? Even without your name, they can identify you by recognition alone, aka. an anonymized cookie used to track a specific user's behavior.
Somehow people think visiting someone else's private website grants them privileges to be entirely anonymous - it does not anymore so than shopping in a physical retail store.
If we keep going down this path, websites will require a full ToS/EULA just to access the site...
For the record, I don't think brick and mortar stores should have an automatic right to surveil and study the personal information of in-person customers without their consent but I agree that ship has largely sailed.
You have a right to not visit websites that you think are collecting to much information about you. That’s about it.
> Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.
This can be done without a cookie banner, as long as no PII is collected for the purposes of that analysis.
> You might try to argue many types of cookies are non-essential - but that would be because you lack experience in this domain.
I'm not arguing anything, read the directives and implementations yourself, then get back to me. While some might lack experience, others seem to lack reading comprehension. That's fine, we can always learn :)
> Website operators have a right to study how people use their website
In the EU, that depends. As a website operator at a certain scale, you cannot do whatever you want with personal data.
> Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.
Yeah, I mean that's cool and all, but maybe you're spending time discussing in the wrong HN submission then? I don't go around in submissions about "Golang is bad" commentating how you wouldn't have those issues if you didn't use Golang in the first place. Not my idea of curious conversation at all.
Obviously EU directives and laws apply in EU
> Obviously EU directives and laws apply in EU
The EU designed these regulations to be viral and compel the world into compliance. The world does not need to comply, and largely does not. Multinational corporations with physical presence within the EU need to comply - but nobody else does, nor should they.
> read the directives and implementations yourself, then get back to me.
So we're arguing this down-thread of an article claiming our fuzzy European friends wasted nearly 600,000,000 hours last year clicking "I Accept" over and over? Seems like a well-designed regulation that's totally working super-duper well for the EU. Totally cut down on cookies!
> shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss"
You can wish upon a star that humans weren’t the way we are. In the real world, this was a predictable response to a stupid rule. (And in some cases a necessary one. For example, for websites requiring a login or reliant on ads.)
> know the best way of not having to care about GDPR? Don't store PII
This is a nothing to hide argument [1]. Proving compliance with GDPR is tedious and expensive even if you’re fully compliant. (Proving no jurisdiction is easier.)
[1] https://en.m.wikipedia.org/wiki/Nothing_to_hide_argument
> for websites requiring a login
They don't need consent for that.
> reliant on ads
Yes. For me, this has been eye-opening about how many different ad agencies there are snooping on my browsing history. It was bad enough when it was just the (UK) government passing a law to do that, now I've got websites with more "trusted partners" monitoring my every move than my high school had students.
> This is a nothing to hide argument
"Don't store PII" does not seem to be that, to me?
If anything, the opposite party gets that criticism, given that the default is allowing private agencies to spy on everyone?
Saying you don’t need to worry about GDPR if you don’t keep PII is the “nothing to hide” argument. There is still a cost to demonstrating compliance that goes beyond complying.
Maybe an analogy will make it click: If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal.
Replace marijuana with "personal data" and imagine it is about websites with visitors within EU. If they're not storing, processing and/or transmitting personal data, there is no compliance requirements (from GDPR at least).
> If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal
This is a good analogy. By making the marijuana illegal, you also implicitly widen search powers. You can’t arrest someone you think smells like weed if weed is legal. (Or answer a neighbor’s complaint that they suspect they’re growing weed.)
Same idea. If you say you aren’t storing personal data and I say you are, someone’s got the authority to check. Those checks and confirmations cost time and money. With a complain-investigate set-up like GDPR (and American securities law), the burden is on the respondent.
> this was a predictable response to a stupid rule
It was predictable that ultimately people would blame the regulation instead of the companies? Not sure I understand what you mean, and even if you meant what I think you meant, not sure what the point is? People blame all sorts of things all the time...
Edit since you've added more to your comment
> Proving compliance with GDPR is tedious
That's my point. No need to prove compliance if GDPR doesn't apply.
> predictable that ultimately people would blame the regulation instead of the companies
It was predictable this would result in disclosure/consent spam.
> No need to prove compliance if GDPR doesn't apply
If you are in the EU, GDPR applies. It may not be relevant. But you’re subject to it and its regulatory arms. (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)
Both laws’ aims are noble. But they require tweaks. Starting with the cookie banners would be smart.
> If you are in the EU, GDPR applies. It may not be relevant. But you’re subject to it and its regulatory arms.
I think you might be missing that I'm talking about this from the companies perspective, not from the perspective of a person inside EU.
If the company doesn't store any "personal data", GDPR has nothing to do with it. It's strictly about "personal data" as defined here: https://gdpr.eu/article-4-definitions/
> (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)
Happen to have any quotes/sources for this? Would be the first time I've come across it myself. I'm genuinely interested in if it's being misused like that.
> If the company doesn't store any "personal data", GDPR has nothing to do with it. It's strictly about "personal data"
You’re still obligated to respond to requests, even if it’s no response. And data regulators will still follow up on groundless complaints.
DMCA is strictly about copyright violation. If you’re not violating copyrights it should have nothing to do with you. But that isn’t how things play out in reality.
> have any quotes/sources for this?
No, just anecdotal. Every Magic Circle firm, however, will happily file complaints in multiple jurisdictions for you.
I’ll admit I’ve used GDPR a touch vindictively after a customer service interaction went poorly. Lots of requests, wait for a minor fuck-up, escalate to multiple data regulators because I technically have multiple nexuses. European equivalent of copying your state AG on a letter, except the burden to respond is on the company.
I built a GDPR request deletion system for a company right as GDPR came into effect. In the first year the only requests that came in were from privacy advocates and competitors.
I don’t know if after that it saw more natural usage but I doubt it.
Imagine you are a company.
Follow the regulation too strictly: Zero consequences.
Follow the regulation too loosely: Up to 10% of global turnover.
Pick wisely. Who's fault is it for putting companies in this dilemma?
Except it's not that black and white. If you follow the regulation too loosely, you get warnings. If you then ignore the problem, you'd get bigger problems. But no one is gonna put a "10% of global turnover" as a fine immediately.
> But no one is gonna put a "10% of global turnover" as a fine immediately.
You're dealing with the EU. Stupidly high fines happen weekly.
After multiple warnings and lawsuits, sure. Conform to the rules if you don't want the fines. But these companies are so big and rich, they'd rather break the rules and risk a fine than give up on their sweet data. And even if they get sued, they have armies of lawyers - still cheaper to spend millions on lawyers than pay a hundreds of millions fine.
> You're dealing with the EU. Stupidly high fines happen weekly.
Thank you for making it clear you wasn't taking the conversation seriously, I almost thought someone could hold opinions like that in real life, but I'm happy it wasn't so.
Tell that to Emanuel Macron, who has openly said that the EU might literally die functionally, if not politically, in just 2-3 years due to sheer economic lack of competitiveness.
"Our former model is over. We are overregulating and underinvesting. In the two to three years to come, if we follow our classical agenda, we will be out of the market."
"If we want clearly to be more competitive and have our place in this multipolar order; first, we need a simplification shock."
"The EU could die, we are on a verge of a very important moment."
https://www.politico.eu/article/emmanuel-macron-france-europ...
Link does not support claim "Stupidly high fines happen weekly."
I've worked with two firms that have faced GDPR complaints. It's "up to", not "immediately on your first offence".
> I've worked with two firms that have faced GDPR complaints. It's "up to", not "immediately on your first offence".
It's not specifically GDPR - it's the degree of overregulation in every sector, for almost every aspect of doing business. I was also speaking facetiously about large companies in particular - for example, just 12 hours ago, Facebook got hit with another $700 million fine. You don't have to be Facebook for the chilling effect. Or, the EU's stuff with Apple, the $12 billion fine against the will of Ireland, which has Apple assessing the profitability of even being in Europe.
> for example, just 12 hours ago, Facebook got hit with another $700 million fine. You don't have to be Facebook for the chilling effect
This one?
"The EU fined online giant Meta almost 800 million euros on Thursday for breaching antitrust rules by giving users of its Facebook social network automatic access to classified ads service Facebook Marketplace." - https://fortune.com/europe/2024/11/14/eu-fines-meta-840-mill...
Because if so, that's going to have the opposite of a chilling effect, as it is anti-trust.
Likewise, what Apple got with Ireland, while Apple has to pay, it's something Ireland did wrong by illegally giving Apple a tax dodge to encourage it to base itself in Ireland rather than anywhere else in Europe — if that's "chilling": good. We don't want tax-dodgers. If Apple can't be profitable in Europe without dodging taxes, something's gone very badly wrong for them.
Now, I'm not saying the EU doesn't over-regulate, as that kind of claim about any government is like saying that a software project contains zero functions that are never invoked by a user. But I am saying the scope of your rhetoric is not sufficiently supported by the evidence provided.
Yeah, GDPR is tedious. Not expensive nor even onerous.
> You know the best way of not having to care about GDPR? Don't store PII.
I hear this a lot. As an American that hosts casual personal websites, I can't help but worry that I'm in violation of the GDPR.
For example, my router logs connections for debugging. And my NGinx server maintains server logs for debugging.
These contain IP addresses. I'm pretty sure those are considered PII under GDPR. And there are a lot of things I think that follow from that, things I haven't bothered to look into or implement. Like whatever policies, disclaimers, notifications, request handling processes, etc. that need to be in place to gather those logs.
Whether or not I need a registered agent in the EU to host my website seems to be rather fuzzy too. It seems to come down to how "sensitive" the data I store in my logs are?
Its also not clear to me whether my home router is subject to GDPR if it receives and logs a packet that was sent to it by an EU citizen, regardless of whether there was a public internet service hosted on that router or not.
I mostly choose to not think about these things - but that nagging concern that my entire self-hosted digital presence violates European law does linger.
Actually, all the cases you mentioned does not necessitate any consent from European users as long as you don't send these data to any third party. The only thing is, if you plan to store logs over time, it should be anonymized after 25 months. It's not that bad.
> it should be anonymized after 25 months
Unless traffic volume causes truncation, turns out I’m not compliant!
I get it, but you’re not in violation if you never pass those logs to anyone.
GDPR is intentionally obfuscated and made scary by people who have an interest in others thinking the regulation is onerous and silly (so that it is eventually changed/removed).
The regulation is not very hard to read, I would recommend you do it if you haven’t and boils down to: “don’t pass on (process) information without informed consent, if someone requests that you remove their account you should do so- and also don’t keep records around, and do your best not to let anyone access personal information”, the last one is technically unenforceable, but exists to prevent people leaving open access to data processors and bypassing consent more than anything else. A secondary benefit is that people take access controls a little more seriously by forcing breach disclosures.
Even the cookie banners are not needed unless you’re setting cookies for data collection, especially for third-parties!
There is a distinct irony in that all the online simplifications (“gdpr for dummies”, “the 7 things to comply with for gdpr”) are misleading and harder to read than the actual text of the regulation.
EDIT; I was foolish to post this during the peak time for US people. It feels like the Americans want the GDPR to be perceived as a pain.
Agree with you. My only addition is to remember to read PECR (https://ico.org.uk/for-organisations/direct-marketing-and-pr...) alongside GDPR.
Huh? You're still a personal data processor.
For a start: Section 18 directly indemnifies the GP because they’re not a commercial entity.
Section 49 gives, additionally, specific carve outs for logging even if they were a commercial entity.
Consent is needed to pass logging data to third parties or to process it beyond end user functionality.
Its easier to just read the regulation: https://eur-lex.europa.eu/eli/reg/2016/679/oj
Unfortunately, even without consent banners, there's plenty of unnecessary clicking in this new golden age of (CSS) popups.
My opinion is that cookie banners are so bad because of GDPR and not getting rid of the cookie law when GDPR was enacted.
Then everybody kept their cookie banners around and folded GDPR requirements into it, making it more complex, and more necessary all over the place, and less likely for people to think do we need these cookies or not and do we need to show this banner because of fear of GDPR (potential fines are big!!)
The previous headline was better
This doesn’t take into account the fact that some people just close the website, saving countless minutes of rabbit hole browsing…
Oh and 5 seconds is unrealistically high.
"All" the EU needs to do is to mandate adherence to the Do Not Track setting in browsers, but then vast swathes of businesses based on unwanted and unethical tracking would go bust, so we have this really shitty stalemate.
All websites we build adhere to the Do Not Track setting and don't even show a cookie banner if it's set. The only question is whether we should show a message to say that we're not tracking people because we see they've asked us not to! It's possibly a bit easier for us because we work primarily in the non-profit sector where ethics are perhaps a little higher up the agenda.
Let those fuckers go out of business.
I'm sorry, but if we are really so worried about businesses failing that we can't restore some amount of sanity, then something is wrong with society.
> but then vast swathes of businesses based on unwanted and unethical tracking would go bust, so we have this really shitty stalemate
They’d be supplanted by foreign competitors. That’s the actual stalemate.
> They’d be supplanted by foreign competitors. That’s the actual stalemate.
Most of the ad trackers I'm aware of are already foreign to the EU, so that doesn't seem to be even an economic threat from the EU's perspective.
new URL
https://legiscope.com/blog/hidden-productivity-drain-cookie-...
404ing for me... did this site get hugged to death?
That what always happens when you give too much power to government - stupid people making stupid ineffective decisions.
Link is dead now?
There is cookie banners in the US and canada
“Analysis of economic and productivity losses caused by companies implementing dark patterns in order to extort used consent”
FTFY
And you could add an analysis of the productivity cost of those “Subscribe to out newsletter” and “The experience is better on the app” pop-ups please?
> actively tracking a user beyond their visit to a website is difficult or borderline impossible for website owners, as it would require a court order.
I am skeptical of this claim. Partially due to the existence of trackers, beacons, 3rd party cookies and fingerprinting methods.
> Identifying users typically requires a court order to process IP addresses
And this one as well.
This destroyed the world wide web, which was the major driver of the internet as a consumer application. I'm referring to the experience of intelligent & creative publishers sharing content openly on the web. This did far more to destroy the world wide web than ads or tracking
If your site has no tracking, it does not need a cookie banner in the EU. AFAIK Wikipedia or Archive of our Own have none.
Ads/tracking didn't destroy the web per se - besides the performance impact - but did/do destroy people's privacy.
Has Facebook ever not been hidden behind a login? Because even if that doesn't count as "intelligent & creative publishers", it certainly set a much harder trend to get around than the banners.
> Has Facebook ever not been hidden behind a login?
Yes. Not sure when they added the loginwall, but it was relatively recently, compared to my birth.
Hm. Could've sworn it had one back in 2009…
I think you two are talking about different things and are both correct. Facebook indeed had a login page back then, but you could use direct links to read public posts. Today it's roughly the same, but when you go to a direct link it shows a "Login Wall" that pesters you to sign up.
These calculations read like an episode of Silicon Valley.
Sure the banners are a stupid idea and a little annoying, but these figures have no merit. There's no way 500m hours of productivity are going to materialize from removing the banners. Removing 'please subscribe' popups, and other ads, now that's altogether different...
rip
>404 Not Found
Analysis of economic and productivity losses caused by Youtube ads in <world>.
<S>OMFG!!! YOUTUBE IS COSTING THE WORLD *750B EUR* PER YEAR. </S>
How many hours of productivity are lost to Youtube ads?
2.49 billion active users, average seems to be 29 hours per month, reddit reports 4 ads/10 minutes lately - so 24 ads/hour, 5 seconds each (even though that went up!), so 2mins of ads/hour or 1 hour of ads per month, 12 hours of ads per year!
12 hours * 25 Eur/hour * 2.5B = 750B Eur
(probably made some mistakes)
Also, this article is ridiculous - like assuming all 400M European internet users are "productive" at 25Eur/h (30% are probably < 15 or > 65), people clicking 1200 banners per year because they visit 100 sites/month (12*100, right?!) and so on.
Europe: Thoughtless regulations for yesterday's problems at tomorrow's expense.
Or, as Emanuel Macron was recently saying, today's expense in precipitously declining economic competitiveness.
The EU regulatory regime is just comedic.
This is the EU in a nutshell. You also have quite a few people defending this.
GDPR is basically exactly what Bill Gurley talks about here ; https://www.youtube.com/watch?v=F9cO3-MLHOM
Regulatory capture.
Also quite a few people (mostly from the north) fighting this idiocy.
In general: Southern+Central EU wants to build a new USA. Northern states meanwhile want to reduce the power of the EU. A common market is really the only thing we want.
UK had enough and quit.
> In general: Southern+Central EU wants to build a new USA. Northern states meanwhile want to reduce the power of the EU. A common market is really the only thing we want.
As someone from the north (specifically Sweden) who now lives in the south (specifically Spain), I'm not sure there is majority in either places, either directions, to state this with confidence. Lots of swedes are happy with EU and wants to make it stronger, and lots of Spaniards who had enough of EU and wants it weaker.
Maybe it looks differently in the center/eastern parts, haven't spent much time there admittedly.
It's weird that you're fixated on that, but yes, I am Swedish and live in Sweden.
I can't believe any of this made a difference in privacy. There is ZERO chance that the law can be enforced here. I've worked in few startups in Europe, no one understand their obligation, let alone the consequences from third party services.
This whole cookie banners, and GDPR in general, is as good as literature.
I don't even have the words to express how little I care if companies serve me targeted ads with cookies. On the other hand I absolutely despise what the average visit to website with a cookie banner has become.
they could have made the law:
>if you collect users data
>you must ask first
>add a yes or no button on a banner so they can pick
but instead the eu citizens were let down by the legislators
This is indeed how it should be, and courts have consistently found enforced this.
French law for example specifically says that any implementation must "allow the user to refuse the deposit of cookies as easily as to accept it." [1]
[1] https://www.termsfeed.com/blog/cookie-consent-decline-reject...
That's, in a nutshell, what the law says since 2018.
Whatever you see in cookie banners is either malicious compliance or directly illegal (and already being prosecuted and resulting in fines).
Uhh, what do you think the law is?
This is probably the biggest fail in the history of the European Union.
If that's true, I'd have to agree that the EU is doing very, very, very well if that is the biggest fail. Unlikely to be true though, for better or worse.
At least the most visible one!
Nah that’s the tethered bottle caps
How's that a fail?
This is an example of the potential double-edged sword of passing legislation without input from lobbyists. On one hand, without an industry voice, they passed an amazingly ambitious set of protections. On the other hand, it doesn't seem like there was a technical industry expert who warned them of the implications.
(I say that, but the EU bureaucrats that passed this law may actually see the immense numbers of popups as a win still - who knows).
A revision is patently obvious to seemingly everyone - revise the law to instead mandate that websites respect the Do Not Track header, or at least have designed a more granular replacement. There's no reason you shouldn't just be able to set it once and your browser tracks it for you.
I know that I'm in the minority, especially here, but I generally welcome paying with my data. it seems to me that companies need to generate revenue and they do this by extracting something of value from the user and that this thing by definition almost would be something the user isn't happy to just hand over: money, watching ads, electricity for mining crypto, personal data etc. It's some form of payment.
for me personally out of all these options giving my data is my least painful payment option for one off services.