480 comments

  • michaelmauderer 9 hours ago

    The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.

    "Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...

    Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.

    • crazygringo 9 hours ago

      No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.

      Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.

      The sites are just trying to maximize profit, as anyone could predict. So write better laws.

      • michaelmauderer 8 hours ago

        But the courts are saying: the law does NOT allow this.

        So maybe “malicious compliance” is a misnomer. We should just call it "illegal dark pattern".

        • mikae1 8 hours ago

          Not a radical idea. The EU is already working on it.

          > […] the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website.

          https://www.politico.eu/article/europe-cookie-law-messed-up-...

          • matheusmoreira 7 hours ago

            DNT header already does this. Explicit denial of consent. Reaches their servers before everything else so they have no excuse and zero room for maneuvering.

            Now the EU just needs to turn it into an actual liability for corporations. Otherwise it will remain as an additional bit of entropy for tracking.

            • pwdisswordfishy 6 hours ago

              They can't. The website may very well do the opposite of the preference DNT signals. Meanwhile, proving in a court of law that the tracking still happens will be hard.

              Services should be denied the capacity to track and fingerprint, not just told about a preference against it.

              DNT will always be an "evil bit", regardless of any law behind it.

            • techjamie 6 hours ago

              DNT is considered deprecated in favor of GPC, which has legal backing in places with internet privacy laws. Funnily, Chrome still supports DNT but you need an extension to send a GPC header. Almost like the advertisement company wouldn't want people enabling legal privacy protections.

              • juancroldan 29 minutes ago

                Plus, all GPC extensions advertised by the official GPC pack other unsolicited privacy features and freemium models. I ended up building an extension https://chromewebstore.google.com/detail/gpc-enabler/ilknagn...

              • kuschku 4 hours ago

                In Germany, DNT is legally binding, but GPC is not.

              • fmajid 5 hours ago

                GPC compliance is already the law in California. I don’t know why the EU has been so slow at making it legally binding. That said, existing cookie popups that don’t have “Reject All” as prominently placed as “Accept All” are already illegal but widespread, in no small part due to deliberate sabotage by the Irish DPA, so don’t expect GPC compliance to fare any better until consumer rights associations like NOYB.eu are allowed to initiate direct enforcement actions.

            • briandear an hour ago

              It’s not just corporations. Look how much tracking nonsense goes into a recipe blog.

            • rcxdude 6 hours ago

              The fact that it was turned on by default in Edge really hurt it as an argument under these laws, because it then turned into a 'well we don't know the user actually selected this' thing. Making it explicitly have the force of law regardless would still be a good thing, though.

              • throw_a_grenade 6 hours ago

                No, this is wrong. The law says that by default you can't process personal data, unless the user gave consent. That setting matched both the expectation of users and the default as specified by the law.

                The story that advertisers don't know what users selected and that somehow allows them to track the user is disingenuous.

                • rcxdude 4 hours ago

                  It doesn't allow them to track, but it does allow them to more convincingly argue that they can nag them about it (I think some regulators in some EU countries have rejected this, but I don't think this is universal). i.e. it makes it ineffective as a means of stopping the annoying pop-ups. Because the companies are basically belligerent about it there needs to be a clear declaration of 'if this header is set you may not track _and_ you may not bug the user about it'

          • dgfitz 8 hours ago

            > pondering how to tweak the rules to include more exceptions

            “Hey what do you think? I dunno, what do you think? How about more tea?!”

            Pondering how to tweak, unbelievable.

            • yetihehe 8 hours ago

              The alternative is that they tweak the laws without much thought...

              • dgfitz 7 hours ago

                Isn’t that the current status quo?

                • lukeschlather 6 hours ago

                  The GDPR has over 100k words, and those words are certainly less than 0.01% of the thought that has gone into this problem.

              • immibis 5 hours ago

                Agile laws might not be so terrible.

                • JadeNB 5 hours ago

                  Counteropinion: agile laws would be absolutely terrible. Either people wouldn't take them seriously because they're going to change in a few minutes anyway, or people would take them seriously and be bound by law by the equivalent of late-night untested code that seemed like it should work.

        • narag 8 hours ago

          Lawmakers must consider enforcement. What are the practical consequences of those rulings?

          • schmidtleonard 8 hours ago

            Laws should be enforceable, but at some point "it's a bad law if it can be bypassed with corruption" just completely surrenders any hope of holding powerful people / companies accountable to anything at all.

            • narag 4 hours ago

              That's a very absolute outlook. The fact is that they were very naive and, although they seem to be adjusting, it's been painfully slow and the harm has been done and the public is suffering meanwhile.

              Law making is a way of predicting the future and setting up incentives to achieve a goal. You need to foresee what can go wrong, talk to incumbents and anticipate the response. It's a technical matter and this has been a debacle.

              It's useless to put the blame in the advertisers. Even if they're evil, that doesn't make the situation any better for the public.

          • seszett 8 hours ago

            Well almost all websites in France do the legal thing now with an obvious "decline all" button, which was not the case at first.

            It took just a pair of rulings that made it clear this illegal pattern was going to actually be cracked down upon, and now these popups are just a small annoyance rather than the absolutely enraging trap that they were at first.

            Of course I still wish they were unnecessary, but they serve as a reminder that these websites are still trying to prey upon their visitors.

            • crazygringo 8 hours ago

              > now these popups are just a small annoyance rather than the absolutely enraging trap

              Disagree. The popup is the enraging problem. It's not a small annoyance. I click them multiple times every single day and it's ludicrous.

              I don't need a "reminder". The last thing I want is some "reminder" day after day after day. I want a law that protects consumers in the first place.

              • Kbelicius 8 hours ago

                > Disagree. The popup is the enraging problem. It's not a small annoyance. I click them multiple times every single day and it's ludicrous.

                Then don't visit webpages that do illegal things and are hostile to their users.

                > I want a law that protects consumers in the first place.

                This is that law.

                • crazygringo 6 hours ago

                  That's like saying "don't visit places where people get murdered if you don't want to get murdered."

                  How about you just enforce consumer protections for everyone? Because that is clearly not the law.

                  • Kbelicius 3 hours ago

                    > That's like saying "don't visit places where people get murdered if you don't want to get murdered."

                    Nope. Murder is an action after which the victim can not make any more actions. It would be like saying "don't go to the bakery where they spit in your food and slap you in the face every time you order something". You are enraged by the behavior of the websites you visit and you still keep going there every day. Either you are a masochist or "voting with your wallet" or, in this instance with your attention, doesn't really work. Why do you give your attention to those that treat you like shit?

                    > How about you just enforce consumer protections for everyone?

                    They are. What gave you the idea they aren't? Because some pages still behave illegally? You understand that murder still happens?

                    > Because that is clearly not the law.

                    Do you know anything about GDPR? Because it seems that you do not. Could you point to the text of the regulation that you object to? I'll wait but I'm sure I'll be waiting for Godot here.

          • SoftTalker 6 hours ago

            Lawmakers should have a limit on the number of laws they can write. Say it's 100. They can regulate 100 things, so they need to consider importance. If they want to regulate something new, they have to give up something else. Which one is more important?

            The vast majority of laws are never enforced, so in practice this isn't as absurd as it sounds. It would make people consider what laws they spend time writing.

        • ferongr 8 hours ago

          Please post some judicial decisions regarding your claim.

          • ruszki 8 hours ago

            Sometimes I understand these kind of comments, sometimes I don’t. In this case, it’s quicker to find such decisions than writing your comment.

            https://www.heise.de/en/news/Administrative-court-Cookie-ban...

            • anonymous908213 5 hours ago

              I do love the irony of reading a headline "Administrative court: Cookie banner must contain "Reject all" button" on a website that does a completely blocking cookie banner with no such option. I suppose if I lived in Germany I would be pleased with the results of reporting that to the authorities.

              More generally, I actually did organically notice the massive increase in "Reject all" buttons and found out about these court decisions myself some time ago. Certainly a small win for the internet, although it should not have taken 9 years(!) from the implementation of GDPR for these violations of it to be cracked down on.

          • pas 7 hours ago

            https://noyb.eu/en has a nice tracker!

            883 total cases

            468 pending cases

            € 2B billion fines imposed

        • immibis 5 hours ago

          But the laws do allow this. It's illegal to make the user experience worse if you decline tracking, or to make it harder to decline tracking than to accept it, but it's not illegal to annoy the user on every page load.

          • fsflover 3 hours ago

            > illegal to make the user experience worse

            > not illegal to annoy the user on every page load

            This looks like a contradiction to me.

            • immibis 2 hours ago

              > if you decline tracking

              please read the second half of the clause, kthx

            • ranger_danger 3 hours ago

              OP loves to claim how almost everything is illegal and then not give any useful sources when asked.

      • mvieira38 4 hours ago

        Viewing corporations as amoral bots that are justified in squeezing every bit of profit out of humans is exactly what is wrong with our society. Someone in a big tech was the inventor of this dark pattern and they think they're awesome for finding a loophole in the well-meaning regulation, at the cost of the customer they supposedly should serve. That person is the problem, and so are the people that followed them

        • alistairSH 2 hours ago

          "Viewing corporations as amoral bots..."

          How else should we view them? Walks like a duck, quacks like a duck, probably a duck.

          Nobody justified the behavior, only stated that corporations have proven over time to generally seek profits over all else. They provide legal cover to bad-faith actions. That wasn't the original intention, but it is absolutely the current state of the world.

          • joquarky 2 hours ago

            Publicly traded companies are inherently aligned with the traits of psychopathy.

            • wat10000 8 minutes ago

              They are exactly the Paperclip Maximizer thought experiment, except it's dollars (or euros or whatever) instead of paperclips.

        • Draiken an hour ago

          > Viewing corporations as amoral bots that are justified in squeezing every bit of profit out of humans

          Literally what a corporation is.

          This is capitalism mate. People will do basically anything with the "for the company" excuse. If they don't, they will be out of a job and eventually starve.

          Laws are the only things that can limit corporations. Without those we'd still have children working, 14 hour shifts and no weekends.

        • thayne 2 hours ago

          I don't think the malicious compliance is "justified", but I do think it was predictable. What did the lawmakers think would happen?

        • GuinansEyebrows 4 hours ago

          corporations are the mechanism by which bad actors are shielded from responsibility. limited liability is used in bad faith in these cases; regulating this bad-faith usage should impact the individuals responsible for the implementation, but should also impact those not directly involved for allowing it to happen in the first place, including board members, management and investors (if you really want to see change, start fucking with peoples' money when they allow bad things to happen through inaction).

        • sershe 2 hours ago

          Why is that person a problem? That is why rule of law exists, ideally, so that we don't run society on arbitrary outraged moral judgement. E.g. many people are morally outraged by presence of any illegal immigrants and others are outraged by any enforcement against undocumented immigrants. If we base decisions on arbitrary outraged moral judgement it's not going to go well.

          A "loophole" is only a "loophole" to someone who agrees with yours. And I say it as someone who agrees in this particular instance.

          • chowells an hour ago

            That person is a problem because low-trust environments are inherently low-privacy and low-efficiency environments. Allowing a small portion of the population to destroy trust and then justifying it with "well there was no explicit rule against it" is parasitic on the whole society. It's better to stand up and say "this is unacceptable and clearly not what was asked for".

        • crooked-v 3 hours ago

          For this "modern" view, you have to look back to 1896, when New Jersey made it easy to create for-profit corporations beholden only to shareholders as a way to attract investment to the state.

          • AnthonyMouse 39 minutes ago

            It's really not even primarily the privately-held corporations that are the problem. Some family business, even if it's big, is more likely to care about its reputation because that's their family's company and it's still going to be their family's company in 50 years or more.

            Whereas you get publicly-traded companies and the primary shareholders are investment funds, whose managers get bonuses based on short-term results and who may not be in the same job or having the fund hold the same companies in as little as a year from now. So their incentive is to have companies squeeze customers for short-term gains and then choose the right time to pawn the shares off on some bag holders who see strong recent numbers and don't realize what that strategy does to the company's long-term prospects.

      • hananova 8 hours ago

        But the law never allowed this. Enforcement just turned out to be an issue due to the enormity of it all.

        Also, please remember that in Europe there is no such thing as "the spirit of the law versus the letter of the law." The intent of the law IS the law.

        • actionfromafar 8 hours ago

          Honest question, isn't the spirit of the law the same as the intent of the law?

          • skrebbel 8 hours ago

            Yes and sometimes it's subtly different from the letter of the law. The point is, if I understand it correctly, that in the US, courts always literally interpret the law as written, whereas in the EU there's a culture of sometimes, when the letter of the law super clearly differs from the intent it was obviously written with, siding with the intent of the law rather than the precise wording.

            • timr 7 hours ago

              No. US courts consider both, to the extent that it’s a bright-line divider between “conservative” judges and “liberal” ones, where the former are far more likely to profess strict adherence to the text of the law (particularly constitutional law).

              In any case, there is always a difference between the “intent” of a large and diverse body of politicians, and the actual text of a law. Any practical legal system must take it into consideration.

              • cogman10 5 hours ago

                > where the former are far more likely to profess strict adherence to the text of the law (particularly constitutional law)

                This is a fiction and just an excuse conservative justices use to make conservative rulings when they don't like a law.

                They are perfectly fine to abandon the text of the law whenever it doesn't move forward a conservative agenda. The shining example of this is the voting rights act. Something never amended or repealed by congress but slowly dismantled by the court counter to both the intent and the text of the law.

                And if you don't believe me, I suggest reading over the Shelby County v. Holder [1] decision because they put it in black and white.

                > Nearly 50 years later, they are still in effect; indeed, they have been made more stringent, and are now scheduled to last until 2031. There is no denying, however, that the conditions that originally justified these measures no longer characterize voting in the covered jurisdictions.

                IE "We know the law says this, and it's still supposed to be in effect. But we don't like what it does so we are canceling it based on census data".

                [1] https://supreme.justia.com/cases/federal/us/570/529/

                • AnthonyMouse 16 minutes ago

                  > This is a fiction and just an excuse conservative justices use to make conservative rulings when they don't like a law.

                  Isn't this the other way around? If you cite "the spirit of the law" then you're ignoring the text in order to do whatever you want.

                  Finding a "conservative" judge who does the latter is evidence that the particular judge is a hypocrite rather than any argument that ignoring what the law actually says is the right thing to do.

                  But you also picked kind of a bad example, because that wasn't a case about how to interpret the law, it was about whether the law was unconstitutional.

                • timr 2 hours ago

                  I’m not saying it’s true or false. Hypocrisy is universal to politics, and it’s trivial to find examples throughout US history on all sides of the political spectrum. I’m just saying that the issue of strict interpretation is so fundamental to the US legal system that it’s a core philosophical debate for judges.

              • immibis 5 hours ago

                Is this a different meaning of "conservative" and "liberal" from the political sides, or is this reply blatantly partisan?

            • Peritract 7 hours ago

              > in the US, courts always literally interpret the law as written

              I think lots of courts claim this, and none actually do.

              • actionfromafar 6 hours ago

                It’s the same problem as those reading the Scripture literally. You can’t. You are reading a translation, for starters. To come even close, you need a subtle understanding of semite languages, culture and Greek, depending on your denomination. You need some guidance when reading, whether that is the Holy Ghost, your pastor, or a decade or two of yeshiva school.

            • actionfromafar 8 hours ago

              That doesn't jibe with my understanding. For one thing, "interpreting the law as written" is impossible on its face. You need to have an understanding of what it means, i.e. interpret it. And not only that, isn't the whole deal with Common Law that the judge, judges?

              • finghin 7 hours ago

                IIRC a common law maxim oft repeated said something like: “a judge doesn’t make a ruling because it is right, the ruling is right because the judge has ruled it.”

          • M95D 4 hours ago

            I think he meant to say the spirit of the law is the law.

            If you read GDPR in its complete form [1], there are 173 paragraphs before the actual law begins at CHAPTER I, almost half way down the page. Those are the reasons why the law was created, what's it trying to achieve, how it is intended to work, responsibilities of governments, etc.

            The EU provided us the spirit of the law - in writing.

            [1] https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng

        • ahnick 8 hours ago

          If you can't enforce the law, then it is a bad law. Also, this is a problem that naturally solves itself over time, so no law was ever needed. The UX of the web degraded for everyone after GDPR was passed and that I think everyone can agree on.

          If people care about privacy, then over time they will migrate to companies and services that respect their privacy. Government laws are broad based policies that always lack nuance. This is why it is better to let markets drive better outcomes organically.

          • RHSeeger 7 hours ago

            > If you can't enforce the law, then it is a bad law.

            Or, alternatively, you _could_ enforce the law but the resources to do so (people) are no longer available. This happens a lot in the US when the current admin doesn't feel it's important, so doesn't fund the enforcement agencies. And is particularly true more of codes/regulations (I get them confused) than of laws.

          • dns_snek 7 hours ago

            The government has outlawed murder but your local law enforcement isn't investigating the murders. You're blaming the lawmakers for writing "bad laws" in this situation, why?

            First order of blame goes to the national DPAs for not carrying out their duties.

            Second order of blame goes go to whichever EU authority is responsible for penalizing EU member states for non-compliance. There should be serious consequences for non-enforcement like frozen funding. (I don't know what the actual legal process is)

            > If people care about privacy, then over time they will migrate to companies and services that respect their privacy.

            This is just a libertarian fairy-tale that is designed to sound sensible and rational while being malicious in practice. It exploits information asymmetry, human ignorance, network effects, and our general inability to accurately assess long-term consequences, in order to funnel profits into the hands of the most unscrupulous businesses.

            In other words, there's a reason why we have to have regulations that protect people from themselves (and protect well-being of society as a whole).

          • Kbelicius 8 hours ago

            > If you can't enforce the law, then it is a bad law.

            It isn't that this can't be enforced, it just lagged because of the size and changes that this law brought.

            > Also, this is a problem that naturally solves itself over time, so no law was ever needed.

            How does it solve itself?

            > The UX of the web degraded for everyone after GDPR was passed and that I think everyone can agree on.

            Due to website operators doing illegal things.

            > If people care about privacy, then over time they will migrate to companies and services that respect their privacy.

            Why would people care about something they don't know about?

          • drcongo 7 hours ago

            Cookie banners are not GDPR.

      • noja 8 hours ago

        > No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.

        What are you referring to here? Where in the law is this allowed?

      • mrandish 2 hours ago

        > Laws need to be written well to achieve good outcomes.

        This is a critical failure point which should get more attention. Laws (and regulations) are like computer code in some key ways. Early computer code was written assuming it would be run by experts in trusted, benign environments that were relatively fixed in size and complexity. Our legislative law-making structures were created with similar assumptions. As the world changed, code changed but law-making structures didn't.

        At a minimum, while being drafted laws should be subject to independent red-teaming and penetration testing to A) Assess their ability to actually accomplish their stated intent over time in the real world, and B) Surface likely unintended perverse consequences. Of course, that still wouldn't solve the issue of intentional weakening of laws with vague terminology, incomplete scoping, inserting loopholes, exceptions, etc by special-interest-driven legislators.

        Sadly, these days I think intentional nerfing of laws during drafting is the biggest cause of 'bad laws'. But at least the red-teaming concept might prevent some unintended bugs on top of lobbyist-driven nerfing.

      • Kbelicius 8 hours ago

        > No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.

        There is no malicious compliance here, just breaking the law. So if it is the problem of laws that they are broken then according to you all laws are 100% the problem. That stance, IMO, is beyond stupid.

      • bko 4 hours ago

        You think websites like having this crap? You think they haven't considered alternatives? What greedy corporate executive is thinking "yes, let's make our product considerably worse just to prove a point"

        They obviously looked at the alternatives and decided that the benefits of cookies or the cost of compliance is bad enough to allow for this crappy experience. And they all pretty much decided across the board.

        So what problem is this cookie crap trying to solve? No one asked for it, no one wants to comply and now we're just making the web worse off as a result.

      • RHSeeger 7 hours ago

        Well written laws are difficult to create. You usually wind up with one of

        - The law allows things it shouldn't, or

        - The law disallows things it should

        And the latter gets swept under the rug as "we won't enforce it that way"... and then it winds up getting enforced exactly that way because someone has an agenda, and this is a hammer.

      • Zanfa 8 hours ago

        Like mentioned by sibling comments, GDPR explicitly does not allow this. It's just the fact that enforcement is spotty and complicated by the fact that the responsibility is shared across all EU member states with limitations what each country can do by itself, with some countries' data protection authorities intentionally dragging their feet to protect multinationals.

        It's the same issue as with most EU-wide issues, where there's always countries competing with each other at the benefit of others.

        Also GDPR is not exclusive to browsers or internet, it's applicable universally, for both online and offline businesses and processes, which is why it can't and doesn't prescribe exact technical implementation details.

      • create-username an hour ago

        browsers should be developed so they do not provide the web server any more information than any other visitor. web browsers should curl the website and process it locally without telling the server anything else.

        It seems like web browsers were developed in a pre-surveillance capitalism world

      • atoav 8 hours ago

        No. The law does not allow it.

        To quote Article 4(11) – Definition of Consent

        > ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

        Meaning if you force users into pressing a button or let them scroll through 1000 no options, with one easy yes option, you have not collected their free consent. Congrats you broke the law.

        Meaning if you just have them click yes, but not informed them about the harmful data collection you did not collect free consent.

        The law is pretty clear on that.

        • wutbrodo 7 hours ago

          I may be missing something, but I don't see how this clearly precludes that behavior.

          Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it? To my eyes, both 'freely' and 'informed' are plausibly upheld.

          It would be very straightforward to specify that consent and withholding must be equally accessible in the interface, instead of splitting hairs about definitions of "freely given". This is what people refer to when they say the law is poorly written

          • croon 7 hours ago

            > Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it?

            > Art 7(3) It shall be as easy to withdraw as to give consent. [0]

            But legal interpretation of GP I believe is reaching the consensus that that phrasing too is broken by that implementation:

            > Free and informed consent (Art. 7 GDPR): Consent is valid only if it is freely given. When the option to decline is hidden or unnecessarily cumbersome, the user's choice is affected and consent is no longer "free." [1]

            [0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...

            [1] https://www.ictrechtswijzer.be/en/complaint-about-cookies-wi...

        • Measter 8 hours ago

          Wouldn't this also mean that if a user was using one of those browser extensions that automatically click "yes" to close the pop, then the site would not have informed consent, and therefore would not be allowed to collect the data?

          • 1718627440 7 hours ago

            Yes. Who the hell uses such a browser extension, though? I use an extension, that always clicks no, but why would anyone want to always be tracked?

            • dspillett 6 hours ago

              Be careful with just clicking the big “decline” button. That skips past your opportunity to “object to legitimate interests”¹ in many cases.

              --------

              [1] Here “legitimate interest” essentially means “we see your preference not to be stalked, but we want to so we are going to make it that bit more faff to opt out, because fuck you and the privacy we lie about caring about”.

              • pasc1878 5 hours ago

                And that is breaking the law. The decline button means decline all.

          • immibis 4 hours ago

            If a child wearing stilts and a long coat walks into a movie theater where children can enter for free, and buys an adult ticket, then watches the movie, is he entitled to sue the theater and claim a refund?

            Programming your computer to automatically click "yes" sounds like affirmatively giving consent to all popups to me. The standard for consent here is lower than for things like sex.

          • SpicyLemonZest 5 hours ago

            That seems too clever. If you set up a browser extension that automatically writes your signature on any contract people email to you and returns it, I'm pretty sure you're bound by those contracts.

      • zoeysmithe 3 hours ago

        The law was written by lobbyists to be this way. We were never going to get a global 'just serve needed cookies' browser button.

      • GTP 6 hours ago

        The GDPR clearly states that denying consent has to be as easy as giving it.

        • loeg 6 hours ago

          The problem is the pop up banner. Having a big "deny" button does not solve the GDPR cookie banner problem.

          • vanviegen 5 hours ago

            I think that does eventually solve it. If clicking "deny" is as easy as clicking "accept", people will mostly just do the former.

            As that will erode most worth derived from tracking, sensible operators will decide to stop annoying users and just ditch the tracking altogether. Or so I hope. I wouldn't know, as Brave does a pretty good job of hiding cookie banners in the meantime.

            • mrguyorama 3 hours ago

              > If clicking "deny" is as easy as clicking "accept", people will mostly just do the former.

              Unfortunately, I don't actually think people realize the law is on their side here. My girlfriend never clicked "Reject All" until I told her to because she thought something wouldn't work if she did that!

      • itopaloglu83 9 hours ago

        Although I agree the law isn’t as good as it could be. It’s also impossible to create perfect law when websites are looking to avoid the spirit of the law to begin with.

        Otherwise how can we explain “please see our privacy policy and send us a sneaker email to opt out” kind of tracking options.

        • narag 8 hours ago

          You don't need to write the perfect law. Just write a law that has more or less the intended effect.

          Imagine you write a program to do something and it doesn't work at all as expected and at the same time it causes endless annoyance to users.

          A law is very similar to a program. It's software for the society. It didn't work and the authors are blaming everybody except themselves.

          • itopaloglu83 8 hours ago

            Of course the politicians share a portion of the blame, but we cannot ignore the fact that websites are just playing the blame game as well.

            We’re also seeing tracking despite the lack of user consent as well. This could be a fluke, but when I make an anonymous search on a website and switch to another, I’m seeing the product I have just searched for in the ads. With all the tracking disabled, mind you.

            • narag 3 hours ago

              But, but... we're the good guys, we're just fighting those evil advertisers!

              I don't know if they'll finally find a way to control the spying, but how many years have passed since they made the law?

          • thesuitonym 8 hours ago

            The difference between a law and a program is that the computer isn't a malicious actor trying to do everything in its power to subvert the law. A law is nothing like a program, because a computer will do nothing without a program, but societies do all sorts of things regardless of laws.

            • narag 3 hours ago

              The world a program works in and the computer it runs on are often very malicious, or they sure act like they are. Not to talk about users, some are pure evil :-)

              We put a lot of safeguards, exception handling and all kind of measures to control errors.

          • Kbelicius 7 hours ago

            > You don't need to write the perfect law. Just write a law that has more or less the intended effect.

            What is the unintended consequence of GDPR?

        • lesuorac 8 hours ago

          Yeah, law is kinda like the rules in sports leagues. You have to keep updating it as the meta shifts.

          It's impossible to write things correctly the first or final time and especially with the interpretation of words changing over time it doesn't matter if you could.

          • a4isms 8 hours ago

            Rules in sports are always being adjusted, and participants are always looking for (barely legal) ways to get around them.

            Example: In cycling, they banned narrow handlebars. There's an aero advantage, but it was seen as a safety problem. So cyclists canted their brake hoods way inside, rested their hands on the brake hoods, and got an aero advantage.

            And now there's a rule about brake hoods. Laws are meant to be living things that change as society changes, and also change to patch what we might call "exploits." You are perfectly correct: It's never one and done, it's an ongoing process.

          • jeroenhd 8 hours ago

            This is part of why a lot of EU directives are almost 50% "why this law is necessary and what we're trying to achieve", 30% "what needs to be implemented", and then 20% "who's going to look after all of this and how".

            That way, a misplaced comma or a wonky sentence doesn't allow for easy loopholes that need tighter laws to fix issues.

            No law text will work forever, but this format makes for a very solid foundation.

      • Ar-Curunir 9 hours ago

        Surely you cannot absolve those websites of all blame. They don’t have to engage in malicious compliance, yet they do.

      • phatfish 5 hours ago

        And you write 100% bug free and secure software right? There is no way a law can account for every malicious tech bro trying to subvert it on first pass, or even after that. It is always a constant battle with bad actors.

      • raverbashing 8 hours ago

        I agree with you

        But we see how some companies cough cough Apple cough throw massive hissy fits and try to find the most minuscule opening in the law

        • carlhjerpe 8 hours ago

          They're legally bound to what's best for their shareholders, that includes being absolute weasel scum and abusing the law to maximize profits. At least that seems to be how it's interpreted by every big public company.

          • skrebbel 8 hours ago

            This "big companies have to screw everybody over! It's their fiduciary duty!" meme really has to stop. It's a lie, don't propagate it.

            • piltdownman 7 hours ago

              You're missing the subtlety here. There is no legal precedent requiring corporate fiduciary duty to focus solely on shareholders. In practice, however, it's a reference to the Realpolitik of being ousted by a Board, enabled to do so by arguing a fiduciary responsibility to shareholders.

              If it wasn't, the ghoulish masquerade of Corporate Social Responsibility wouldn't be a thing - it in itself a response to Milton Friedman's 1970 article “The Social Responsibility of Business Is to Increase Its Profits” which argued that corporate executives are agents of shareholders and should focus solely on maximizing returns, not social responsibility.

          • wtetzner 8 hours ago

            > They're legally bound to what's best for their shareholders

            People always say this, but as far as I can tell it's not true.

            • edoceo 8 hours ago

              In 1919, Michigan, USA court ruled shareholders matter more than employees or customers.

              https://en.wikipedia.org/wiki/Dodge_v._Ford_Motor_Co.

              • TheCoelacanth 6 hours ago

                True, but only to a very limited extent.

                Ford lost this case because he overtly admitted that he wasn't pursuing profit and because he was deliberately trying to prevent minority shareholders from getting money to start up a rival car company.

                If he had just made some vague claim that what he was doing was in the long-term interest of shareholders, he probably would have gotten away with it.

              • danaris 7 hours ago

                In 2014, SCOTUS ruled that there is no blanket obligation to consider profits first:

                Burwell v. Hobby Lobby Stores, Inc. - https://www.law.cornell.edu/supremecourt/text/13-354

                > While it is certainly true that a central objective of for-profit corporations is to make money, modern corporate law does not require for-profit corporations to pursue profit at the expense of everything else, and many do not do so. For-profit corporations, with ownership approval, support a wide variety of charitable causes, and it is not at all uncommon for such corporations to further humanitarian and other altruistic objectives. Many examples come readily to mind. So long as its owners agree, a for-profit corporation may take costly pollution-control and energy-conservation measures that go beyond what the law requires. A for-profit corporation that operates facilities in other countries may exceed the requirements of local law regarding working conditions and benefits.

                ——

                The best I understand it, what this ultimately means is that, yes; if the shareholders hold a vote to say "you need to focus on profits over X thing you're doing now/planning to do", you have to do that, but absent a specific shareholder mandate, you are not in any way obligated to seek profit over all else.

            • carlhjerpe 8 hours ago

              People always say they're bound to maximize profits, which is an interpretation of "doing what's best for your shareholders".

              • mh- 7 hours ago

                And people are wrong. It's a misunderstanding (or purposeful distortion) of fiduciary duty that gets increasingly perpetuated in comments.

          • dns_snek 8 hours ago

            This is a myth. I don't think there is a single court ruling that would support this interpretation anywhere on the planet.

    • isodev 7 hours ago

      > The problem here is not the law

      Of course. The law is clear, the intent is clear and the guidelines are clear.

      I think the biggest challenge (and the reason why it feels this is everywhere) is because of the handful of "big corporations" controlling the browsers. Neither Apple nor Google have any interest in making tracking opt-in or working to make this into a standard.

      In my view, the situation will be greatly improved with policy like the DMA being amplified even further to prevent cartel-like reactions from the FAANGs (whatever the acronym is today). We have a deep "culture difference" with the US, where everyone expects everything to be spelled out for them in the law so they can sue each other into oblivion, but the reality is this doesn't work. We need to reduce the influence of bigger players and install guardrails so it will never be possible again for a single company to have such dramatic influence over the world.

      Imagine how many of these consent prompts can be removed if it wasn't for the fact that even loading a Google Font exposes one to a few hundred "partners"?

      • gradientsrneat 6 hours ago

        > everyone expects everything to be spelled out for them

        Strictly speaking, that's how civil law works, spelling out explicitly the statutes.

        By contrast, common law statutes can be (but are not always), more concise but more vague, putting greater emphasis on the courts to interpret them.

        That is one reason USA is more litigious, but it probably isn't the only reason. After all, Germany has the infamous legal bounty hunters (one of the words may be "Abmahnanwälte" but I think there's a different one), and Germany is a civil law country, so USA being common law can't fully explain it.

        • isodev 5 hours ago

          My point was that the approach is not effectual when the guilty party is a corporation with near infinite resources.

          Take Apple for example, it takes years just to complete a single “unlawful termination” suit, and it would be … decades before the world can equalise the damage from their App Store practices. And all while this is going on, corps are pouring huge amount of money into lobbying so by the end they nerf or even reverse the very policy that keeps them accountable.

      • danaris 6 hours ago

        > Neither Apple nor Google have any interest in making tracking opt-in or working to make this into a standard.

        Apple has taken steps to make it harder to track, both in iOS apps and in the browser.

        It's Google whose revenue depends entirely on surveillance advertising.

        The problem is that the technical methods surveillance ad networks use within the browser to track us are features that are useful for many other things.

        Trying to redefine this as a technical problem, that can be solved purely by getting the browser makers to change how browsers work, rather than a sociopolitical problem, will fail. Sure, there are more things that Google—and probably Apple—could be doing to protect us, but they can't completely stop the tracking.

        The way to stop the tracking is to make laws banning targeted advertising.

        • isodev 5 hours ago

          > Apple has taken steps

          Apple engages in “privacy washing” - they take steps in the name of privacy when it disadvantages their competitors. At the same time, Apple has no problem collecting say Spotlight and Safari search terms … or “features” from Photos etc.

          I agree that ads as a monetisation channel were a mistake. But beyond that, privacy is a human right and should be applied without exception.

          • danaris 4 hours ago

            Is there any actual evidence that Apple is collecting this information and either using it for tracking purposes, or selling it to others who do? As opposed to processing it in aggregate to improve their services?

            If there is, I'll be the first to say they shouldn't be doing that, and I would definitely prefer them not to be collecting it in the first place, but there are different kinds and purposes of data collection.

            • isodev 3 hours ago

              I don’t think they’re selling it (at least that) but it’s spotlight and the browser … exactly where one tends to type sensitive things. It’s unsettling to know everything I typed becomes a dataset to circulate all divisions within a big corp for years to come, for data analysis, unit tests and who knows what else.

    • legitster 5 hours ago

      Counterpoint - making every website you visit ask you about cookies still absolutely sucks. Even when they are fully in compliance it's a bad experience that makes using the internet worse.

      And it's all because the law was written by lawyers who care less about user experience or privacy than the companies that have to enforce it.

    • itopaloglu83 9 hours ago

      Tracking by default is not an acceptable solution, so I would say respecting the Do-Not-Track header must be mandatory and enforced by laws and percentage of global revenue fines.

      • layer8 8 hours ago

        That wouldn’t help much in terms of annoyance, because you need the option of per-site or per-service opting-in to tracking cookies (like “remember me” checkboxes and similar functionality), and then you can’t really prevent web pages showing a banner offering that opt-in option. It wouldn’t be exactly the same as today’s cookie banners, but websites would make it similarly annoying.

        • itopaloglu83 8 hours ago

          We cannot rule by law if the websites don’t want to abide by the rule of law.

          The level of tracking is insane and would never happen in real life, and companies would be fined to oblivion had they tried, if not forced to close by an angry mob of people.

          • walkabout 8 hours ago

            Kinda… but between credit cards (and any cards serviced by them—debit cards aren’t safe) and widespread facial recognition with cameras everywhere in stores these days, and things like “loyalty cards” being required to just get what should be normal prices on things, we’re pretty heavily tracked in physical space now, too. People just don’t realize how much, and don’t see this stuff being sold and aggregated then re-sold.

            We really need to crack down on stalking-but-automated.

            • 1718627440 6 hours ago

              > widespread facial recognition with cameras everywhere in stores these days, and things like “loyalty cards” being required to just get what should be normal prices on things

              Which is why this is also illegal in the same jurisdiction.

            • itopaloglu83 7 hours ago

              You came up with a good term there. Maybe we should start calling it “digital stalking” instead of just “tracking”

            • danaris 6 hours ago

              The big difference there is that unlike, say, Price Chopper, Google, Facebook, and Xitter can track not only what you do with them, but everything you do on thousands and thousands of sites across the internet, through analytics packages that send data back to them and/or the scripts loaded by their "social buttons".

              If I buy baby food at Price Chopper, they might send me an email offering me discounts on diapers, but at least I (probably!) won't also get shown such ads literally everywhere I go on the web.

              • walkabout 6 hours ago

                I’m pretty sure the loyalty-card thing has become so big because they’re selling the data.

                So many things are like that now. Like Roku sticks and TVs are subsidized by selling user data. You want to make a Roku competitor that doesn’t spy? Your product will struggle to get on shelves and to stay there, in part because the price for your product will be higher even if you get just as good a price on your components as they do, because you’d have to price them at-cost to match Roku’s pricing. Meanwhile 99% of people looking at the products don’t realize that one’s cheaper than the other because it’s going to spy on them and sell the data.

                • danaris 2 hours ago

                  > Meanwhile 99% of people looking at the products don’t realize that one’s cheaper than the other because it’s going to spy on them and sell the data.

                  And this, plus the fact that it's so abstract and opaque what the negative consequences of that spying are, is a huge part of the problem with all of it.

                  We need better regulations on this, but sadly, even before the recent fascist takeover, the regulators have been largely asleep at the wheel for decades.

        • wtetzner 8 hours ago

          Unless it was a browser level permission, like asking to access the user's location.

          • layer8 8 hours ago

            The website has to be able to inform you about what exactly you are opting in to (like saving your shopping cart, and/or who they will be sharing the respective information with). This can’t be covered by a predefined set of options.

            Browser-level permissions are about what the browser is sharing with the website, which is a different thing. For one, the browser sharing information with the website isn’t a blanket permission legally for the website to do anything with that information it likes.

            • itopaloglu83 8 hours ago

              I’m sorry but no.

              Don’t track me means don’t track me, period.

              Asking if you could track me etc. regardless is against the spirit of it and simply user hostile.

              • layer8 8 hours ago

                So you want to make it illegal for websites to inform you about the services they offer that work with tracking cookies?

                Users often want some level of tracking, like not having to log in to services they use across sites each time.

                • itopaloglu83 7 hours ago

                  No, the essential cookies were never subject to such limitations. Even today you don’t need a banner for them.

                  Digital stalking under the disguise of essential functions or calling it just tracking doesn’t do any good.

                  Some websites even purposely break their functionality when 3rd party cookies are disabled.

                  So, no, do-not-track is an order, do not stalk me, period.

                • xcf_seetan 7 hours ago

                  I, as a user, don't want ANY kind of tracking. That is why I check the No Tracking options of the browser.

                • 1718627440 6 hours ago

                  > log in to services

                  That's functional, and doesn't need additional consent. The consent for that is given by pressing the login button.

                  • pasc1878 5 hours ago

                    What about a grocery shop?

                    You can login and buy things. But how do you choose whether the shop can keep track of what you have bought to suggest rebuying or for you to keep a shopping list. Requesting those is more than login.

                    • 1718627440 an hour ago

                      The shopping list to display the shopping list is fine. Using the shopping list for analytics is not.

                      > track of what you have bought to suggest rebuying

                      You know what you sold, no need to track user behaviour.

        • carlosjobim 7 hours ago

          If it's not a third party cookie, then it's not a tracking cookie. So logins and other site functionality will be perfectly fine. They're not subject to GDPR and similar laws.

          • 1718627440 6 hours ago

            The border is not first party/third party, but purpose. But yes site functionality is fine.

        • ajsnigrutin 7 hours ago

          In my opinion, it would be best to regulate the browsers themselves... preinstalled browser on a device sold in EU? Cookies are silently stored to a temporary jar, deleted on tab/window close. One jar per domain. Then add a button by the address bar to enable the "I want this site to remember me", and it'll make the cookies from that domain 'permanent' (with an additional 'advanced' setting if you want to allow 3rd party cookies too or not).

          But hey, when the regulators are lawyers who have no idea what cookies and browser are, we get consent forms on every domain visit.

          • 1718627440 6 hours ago

            Tracking now happens with fingerprinting, focusing on cookies won't provide a benefit.

            > when the regulators are lawyers who have no idea what cookies and browser are, we get consent forms on every domain visit.

            In this case the regulators have considered the problem and implemented the law independent of the used technology. The software developers/companies were the clueless/malicious ones here.

          • Thiez 7 hours ago

            That is a terrible proposal. The GDPR is not about cookies, it's about tracking. Websites can track you through cookies, through browser fingerprinting, through your IP address, through your login, through your local storage, and various other ways. They could probably find ways to track you by your mouse movements or how you type, if all other methods were somehow made unavailable.

            That websites track you and then sell that data has nothing to do with how long your browser stores cookies. Cookies are just one of many, many ways that websites do tracking.

            • bschwindHN 5 hours ago

              That's true, but at least then we could rid the internet of all those shitty cookie consent banners plastered all over. Those are almost more annoying to me than some company making a fraction of a penny on selling my mouse movement history to some chump.

              • pasc1878 4 hours ago

                And that is a different view - I prefer the privacy and no tracking unless I give explicit permissions.

      • bradleyy 8 hours ago

        GPC (Global Privacy Control) is the header that's actually being enforced in (parts of) the US. DNT is considered deprecated by many, due to the nonconsensual way that Microsoft rolled it out.

        • Nextgrid 8 hours ago

          Why is Microsoft's implementation a problem? Having the setting default to a safe value is the rational choice.

          It's like saying having a secure OS/browser would deprive malware authors of revenue, and thus vulnerabilities should be preserved unless the user explicitly opts into patching them.

          • bradleyy 5 hours ago

            https://en.wikipedia.org/wiki/Do_Not_Track#Internet_Explorer...

            This combined with governments ignoring it, and actively enforcing GPC... it's questionable whether compliance is necessary (I still suggest treating it the same as a GPC signal).

            But future work and effort should be put towards the GPC signal.

          • TheCoelacanth 6 hours ago

            Yeah, and according to most privacy laws, not tracking should be the default.

        • velcrovan 7 hours ago

          For a new corporate website we just completed, we used GPC signals as the opt out mechanism. If your browser sends GPC, the site just opts you out of everything and loads zero tracking scripts. If it doesn't, you see a popup that explains how to turn it on if you want, or an "I understand" button.

          An approach like this seems ideal to me, the problem is that it's only natively supported in Firefox. Our instructions for Chrome and Edge are basically "install Privacy Badger."

          And Safari is the WORST, which as an Apple customer it pains me to say. Not only does the browser not support it, there are ZERO Safari browser extensions, NONE, on ANY platform (mac/iphone/ipad), that you can install that will send a simple GPC signal with the HTTP headers. There is a paid Safari extension on iOS called ChangeTheHeaders that you can configure to send a GPC signal, but come on, you can't ask normal people to buy an app and manually enter a specific HTTP header. (ChangeTheHeaders is made by Jeff Johnson, the same dev as StopTheMadness. I asked him whether he'd consider adding user-friendly GPC signals to that (or any other) plugin and he said it would just be "duplicating functionality" :-/ )
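The server-side handling velcrovan describes, as an added example that is not part of the thread and not the code of the site mentioned: a request carrying `Sec-GPC: 1` (or `DNT: 1`, treated the same way as suggested elsewhere in the thread) gets only essential scripts and no notice. The script URLs, category names and the `acknowledged` flag are assumptions, and loading trackers only after the notice is acknowledged is one possible policy, not something the comment specifies.

```javascript
// Hypothetical script inventory, grouped by purpose (constructed sample data).
const SCRIPTS = {
  essential: ["/static/app.js"],
  analytics: ["https://analytics.example/collect.js"],
  advertising: ["https://ads.example/tag.js"],
};

// Header names are case-insensitive. Node's http module lowercases them, but
// hand-built or proxied header objects may not, so compare case-insensitively.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) {
      const first = Array.isArray(value) ? value[0] : value;
      return String(first).trim();
    }
  }
  return null;
}

// "Sec-GPC: 1" is the only value the GPC proposal defines; anything else
// (absent, "0", "true") counts as no signal. DNT is handled the same way.
function optOutSignal(headers) {
  if (headerValue(headers, "Sec-GPC") === "1") return "gpc";
  if (headerValue(headers, "DNT") === "1") return "dnt";
  return null;
}

// Decide which script categories may load for this request.
// `acknowledged` is a hypothetical flag the caller derives from a
// first-party cookie set when the visitor dismisses the notice.
function decide(headers, acknowledged) {
  const signal = optOutSignal(headers);
  if (signal) return { signal, categories: ["essential"], showNotice: false };
  if (!acknowledged) return { signal, categories: ["essential"], showNotice: true };
  return { signal, categories: Object.keys(SCRIPTS), showNotice: false };
}

// Build the response: only the allowed <script> tags, a CSP that makes the
// browser enforce the same list, and Vary so a shared cache never serves the
// tracked variant of the page to a visitor who sent an opt-out signal.
function buildResponse(headers, acknowledged) {
  const decision = decide(headers, acknowledged);
  const sources = decision.categories.flatMap((c) => SCRIPTS[c]);
  const origins = new Set(["'self'"]);
  for (const src of sources) {
    if (/^https?:\/\//.test(src)) origins.add(new URL(src).origin);
  }
  const tags = sources.map((src) => `<script src="${src}"></script>`).join("\n");
  const notice = decision.showNotice ? '<div id="privacy-notice">...</div>\n' : "";
  return {
    decision,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": `script-src ${[...origins].join(" ")}`,
      "Vary": "Sec-GPC, DNT, Cookie",
    },
    body: `<!doctype html>\n<body>\n${notice}${tags}\n</body>`,
  };
}

// Constructed requests showing the three outcomes.
function demo() {
  const cases = [
    ["GPC on, notice acknowledged", { "Sec-GPC": "1" }, true],
    ["no signal, first visit", {}, false],
    ["no signal, notice acknowledged", {}, true],
  ];
  for (const [label, headers, acknowledged] of cases) {
    const res = buildResponse(headers, acknowledged);
    console.log(label, "->", res.decision.categories.join(","),
      "| notice:", res.decision.showNotice,
      "| CSP:", res.headers["Content-Security-Policy"]);
  }
}
demo();
```

Scripts injected later by a tag manager bypass this server-side list unless the CSP blocks them, so client code should make the same check against `navigator.globalPrivacyControl`.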

          • bradleyy 5 hours ago

            It's sounding like California is going to require browser manufacturers to support the GPC signal. The privacy movement in California has a lot of political power and backing; it's pretty likely this will change in the next couple years.

            • velcrovan 5 hours ago

              From what I understand, their AG has said the GPC signal must be honored if sent and that it is an acceptable opt-out mechanism under the CCPA. I haven't heard anything concrete about requiring browsers to support it, but that would be a welcome development.

              https://oag.ca.gov/privacy/ccpa/gpc

              • bradleyy an hour ago

                    California's "Opt Me Out Act" (AB 566) requires that by January 1, 2027, internet browsers must provide a built-in, easy-to-use setting that allows users to send an opt-out preference signal, such as Global Privacy Control.
                
                (copied from a search, but wanted to let you know)
    • calmoo an hour ago

      It doesn't matter what the law is, it's set up to allow these malicious practices. It's bad legislation.

    • JumpCrisscross 3 hours ago

      > "Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is!

      Do any browsers support running a minified LLM on device through an extension?

      Training an LLM to reject optional cookies (or better yet, fuck with the telemetry) would seem highly doable nowadays.

      • begrid 3 hours ago

        You have the Consent-O-Matic Firefox extension, which works quite well; it works well on most websites

    • bradleyy 8 hours ago

      The Global Privacy Control (GPC) is the header that actually has enforcement behind it in the US, and there are already companies getting fined. California has partnered with several other states to broaden enforcement.

      Would love something better than GPC, but in the interim, the EU should start considering it as a proper signal of (lack of) consent, obviating the need for a banner altogether.

      • Macha 8 hours ago

        Ah, I was wondering why I was seeing more dialogs default to opt out when I hadn’t heard of any notable EU slap downs when it started

    • sothatsit 8 hours ago

      I would blame ad providers more than individual website owners. From my experience, ad providers have made it very difficult to serve their ads unless you use an ad-supported cookie consent manager. I tried to write my own simple cookie consent form and gave up after realising how obscenely complicated TCF is. And since most ad-compatible cookie consent banners are provided by the ad companies themselves, you kinda just get stuck with bad options. I even tried to pay for a commercial cookie consent manager but it wasn’t supported by my ad provider.

      If I had more time I probably could have figured it out. But unfortunately I’m just running a hobby project and do not have weeks to spend on this. The revenue from the ads is what pays for hosting. I imagine lots of websites are in a similar boat.

      I would love if there was a simpler option that could respect people’s privacy more, be less annoying, and that would still allow websites like mine to survive by running ads. Targeting browsers instead of websites could have been that option.

    • jrm4 8 hours ago

      The problem here is the problem everywhere; we still as a world have no remotely effective way to actually punish companies-as-bad-actors on the internet or in tech generally.

      None of any technical ANYTHING matters until we (meaning law and government) inflict truly meaningful consequences. Fines, breaking up companies, perhaps even jail time, etc.

      • Barrin92 4 hours ago

        Yes. The problem isn't the letter of the law, it's that governing bodies like the EU need something like an enforcement czar who tells companies in no uncertain terms that if they're going to try to be clever they're going to get the ol' Jack Ma treatment. Stop letting the tail wag the dog.

        And before someone says that it will hamper innovation, I used to live in China and talk to investors often, they would always stress that for every guy with a billion who can't play by the rules there's a thousand guys with a million who have no problem taking the market share, that's hardly an issue.

      • danaris 6 hours ago

        We have ways to do these things.

        We just refuse to use them, because our politicians either believe that companies should have more rights than we do, or are terrified that if they actually try to enforce the law on them they'll lose out on massive amounts of campaign contributions (whether direct or indirect).

    • gabeyaw 8 hours ago

      The irony being this site doesn't offer a decline all option.

      • szszrk 8 hours ago

        My default Firefox settings rejected content tracker and in the end no cookies were created at all, plus there was just one failed CDN request outside original domain.

        Not bad.

        • Nextgrid 8 hours ago

          Don't worry, you are still being tracked by IP + browser fingerprinting... and using a browser with a low single-digit marketshare stands out like a sore thumb.

          (which is also why framing GDPR discussions around cookies misses the point - the point is to determine the user's consent to being tracked regardless of technical ability, whether cookies, IP address, fingerprinting, or even some magic crystal ball)

    • monocularvision 6 hours ago

      Everyone states this. At the same time, any official site I have ever visited for the EU government/regulators _has cookie banners_. Why would the EU malicious compliance itself?

    • duxup 5 hours ago

      I feel like the law plays into that.

      That law has "discovered" that these rules for these sites suck because nobody wants to sit and decide what they want on a site by site basis and thus the "just get out of my face" kinda clicking and annoyance works.

      The idea that just visiting any given site I visit means I have to make some legal agreement makes no sense.

    • adrr 6 hours ago

      Or we could stop the charade that cookie laws prevent tracking and get rid of all the stupid banners. All the beacons are firing in the back (server to server) now and all session data is passed on the inbound URL and stored. Browsers banning third party beacons, cookie laws, etc. don't do anything. You can't even tell you're being tracked.

      • Scandiravian 5 hours ago

        GDPR is not about Cookies, it's about all tracking, including the examples you mention. As far as I understand the GDPR, the things you mention would also require the user to opt-in to be legal

    • jacobtomlinson 6 hours ago

      Ironic, I opened that article to be greeted with a cookie banner that didn't have a "Decline All" button.

    • dspillett 6 hours ago

      > but malicious compliance by websites that don't want to give up tracking

      It isn't even compliance, they are just breaking the rules by as much as they think they can get away with and so far, for the most part, they are getting away with it.

    • tjwebbnorfolk 7 hours ago

      Important not to confuse the actual result vs. the hoped-for result.

      You HOPED that websites' top priority is to provide the best possible experience. The REALITY is that not getting sued is way more important than removing all possible user inconveniences.

    • Aaargh20318 8 hours ago

      > Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better

      Best way to get rid of the cookie banner is to just forbid tracking completely. Given a free choice, how many people actually want to be tracked?

      • phendrenad2 7 hours ago

        > Given a free choice, how many people actually want to be tracked?

        Good question. But there isn't enough information to answer the question. Are these people properly informed about what "tracking" means, or do they think this means companies are passing around their full names and addresses on post-it notes?

      • tcfhgj 8 hours ago

        I allow tracking for a small selection of apps

    • torginus 9 hours ago

      I wonder why people don't build a collection of scripts into a browser plugin, like Adblock that auto rejects all tracking info to the greatest extent possible?

      • h4kor 9 hours ago

        These exist. There is "Consent-O-Matic" for example

        • Semaphor 8 hours ago

          Direct link, works on mobile as well: https://addons.mozilla.org/en-US/firefox/addon/consent-o-mat...

          There’s probably also a version for the adtech browser somewhere.

        • retSava 8 hours ago

          Isn't that the inverse? Ie auto-accept just to get rid of the UI box?

          Edit: their FF-page says,

          Set your preferences once, and let the technology do the rest!

          This add-on is built and maintained by workers at Aarhus University in Denmark. We are privacy researchers that got tired of seeing how companies violate the EU's General Data Protection Regulation (GDPR). Because the organisations that enforce the GDPR do not have enough resources, we built this add-on to help them out.

          We looked at 680 pop-ups and combined their data processing purposes into 5 categories that you can toggle on or off. Sometimes our categories don't perfectly match those on the website, so then we will choose the more privacy preserving option.

          • tcfhgj 8 hours ago

            > Isn't that the inverse? Ie auto-accept just to get rid of the UI box?

            no, that's "I don't care about Cookies"

      • lez 9 hours ago

        There IS an optional list for uBlock Origin that tries to get rid of cookie nonsense.

      • bvvgpc 9 hours ago

        I would install that in a heartbeat!

        • jraph 9 hours ago

          Then enable the cookie banner lists in uBlock Origin. Do expect occasional breakages and remember to temporarily disable the blocking to get through.

      • layer8 8 hours ago

        Ghostery does exactly that.

      • inetknght 9 hours ago

        uMatrix for Firefox and friends.

        NoScript too.

        And AdGuard.

    • aaronrobinson 9 hours ago

      This. And the ones that mean you have to manually switch off multiple legitimate interest toggles mean I just press the back button.

      • 1718627440 6 hours ago

        I do this as well, but in case I do want to read the site, I just delete the node from the DOM.

      • bmacho 7 hours ago

        +1 it's a win-win situation. The website announces upfront that they are malicious so I can just leave

      • rkomorn 8 hours ago

        > I just press the back button

        I do this more and more, and I think it's the right and best thing to do.

      • mrguyorama 3 hours ago

        Since "legitimate interest" means you don't need consent, they do not let you toggle it off.

        If they are showing you a toggle and calling it for "legitimate interest", they are most likely lying.

        They love to put cookies under "performance and enhancements" as if that isn't bullshit as well.

        All legitimate interest cookies are in the greyed out toggle for "required cookies".

        By law, you can decline all and the site should still work fine, which again means they won't allow you to turn off actually needed cookies.

    • UltraSane 8 hours ago

      No. I absolutely do not want to be asked to accept cookies for every single website I visit.

      • Spivak 8 hours ago

        This is the problem, the law clearly recognizes tracking as something people don't want. The fact that they let every website beg you to allow tracking instead of banning all but functional cookies is the problem. They capitulated to advertisers and this is the result.

        Nobody wants this crap.

        • Nextgrid 8 hours ago

          The regulation actually specifies what counts as informed consent. Annoying users into accepting tracking does not count.

          The problem is that there's a chronic lack of enforcement, so the winning strategy is to breach the regulation. Worst case scenario, you will merely be forced to clean house at some point (but can enjoy the rewards of tracking until then).

    • shagie 8 hours ago

      > The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.

      If that was the case, then why does the site from the EU first off track... and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?

      If there was a solution to having cookies and some other way of informing visitors of it, shouldn't that be demonstrated on the official EU government explaining GDPR?

      https://europa.eu/youreurope/business/dealing-with-customers...

      Can a company go wrong implementing the same approach as https://european-union.europa.eu/index_en uses? Why is that considered malicious compliance with the law?

      • Kbelicius 6 hours ago

        > If that was the case, then why does the site from the EU first off track

        If you are asking why there isn't a "reject all" button on their webpage then the answer is simple. There is one. The "Accept only essential cookies".

        > and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?

        GDPR (general data protection regulation) is about general data protection, not about technology. It applies the same no matter if you are using cookies or something else.

        > Can a company go wrong implementing the same approach as https://european-union.europa.eu/index_en uses? Why is that considered malicious compliance with the law?

        The example you've given is an example of compliance since there is a button to reject all tracking cookies. Whenever you read the words malicious compliance within the context of this discussion you can just swap it with the word illegal which is the correct word for the behavior that is being bemoaned here.

        • shagie 6 hours ago

          I'm asking "if cookie consent banners are the less than ideal solution, why isn't the official EU government site implementing it in a way that is ideal?"

          If a company is deciding how to comply with the GDPR on its website, can it go wrong with copying how that site does it? Alternatively, if it tries something that is new, do they risk getting sued by the EU for not following the GDPR?

          My claim is that it isn't malicious compliance to use cookie consent banners, but rather the least risky approach since that is exactly how europa.eu complies with their own laws.

          • Kbelicius 6 hours ago

            > I'm asking "if cookie consent banners are the less than ideal solution, why isn't the official EU government site implementing it in a way that is ideal?"

            Cookie banners are a perfectly valid solution to the problem. GP originally said that the ideal solution is to avoid cookie banners by not tracking users. Not that if you want to track users there is a better solution than presenting them with a cookie banner.

            > If a company is deciding how to comply with the GDPR on its website, can it go wrong with copying how that site does it?

            No, because that is how it is spelled out in the law. Rejecting tracking must be as simple as accepting it. On the EU website both those options are presented in a clear way.

            > My claim is that it isn't malicious compliance to use cookie consent banners, but rather the least risky approach since that is exactly how europa.eu complies with their own laws.

            There is no malicious compliance. If it is done as it is done on the EU site then it is compliant. If it isn't then it is illegal. Malicious compliance means that the letter of the law is strictly followed so as to cause/do something not intended by the law. In case of hiding the reject button, that is illegal.

        • SpicyLemonZest 5 hours ago

          > Whenever you read the words malicious compliance within the context of this discussion you can just swap it with the word illegal which is the correct word for the behavior that is being bemoaned here.

          I don't think that's the case. A number of people downthread are quite explicit that they find being asked at all annoying and don't think websites should be allowed to throw up cookie banners all the time.

    • self_awareness 3 hours ago

      "The problem is not the law but with the people who don't follow it."

      I mean... uh.

      If the world would only consist of people who want to cooperate and don't have malicious intentions, then WE WOULDN'T NEED THE LAW AT ALL.

      The law exists BECAUSE OF the people who don't want to comply. So if the law doesn't control those people who don't want to comply, then the problem is with the law.

      Because if we're saying that the problem is with the people, then the discussion is pointless like a black hole.

    • emacdona 9 hours ago

      One thousand percent yes. And I'll repeat because people need to see it called out as often as possible: this is due to malicious compliance by websites. Period.

      I'm so cynical now that I can't read articles like this without my first reaction being to look at how it benefits companies that profit from ads.

      My two theories here?

      1. An attempt to shift liability from companies having to comply with GDPR to browsers having to comply.

      2. An attempt to consolidate all cookie consent into the three (?) browser engines we have... so efforts to thwart it can be focused on just those places.

    • whywhywhywhy 9 hours ago

      The problem is exactly the law then because it was written so incompetently that it left the loopholes to allow websites to try and trick accepting.

      Should have been written in the law that it’s a one toggle in browser settings.

      If government is going to impose on the internet the least they could do is be competent in what they impose. Not writing laws that waste lifetimes in collective hours a day as every person in Europe deals with multiple of these dialogs a day and thousands a year.

      • dns_snek 8 hours ago

        > it left the loopholes to allow websites to try and trick accepting.

        It did not. These practices are illegal under the GDPR, the problem is a chronic lack of enforcement by most national enforcement agencies in all but the most severe cases.

        Some are just ineffective but others have gone completely rogue. Swedish Data Protection Authority (DPA) for example takes the position that commercial data brokers like Mrkoll are allowed to publish and sell people's personal information (including your current home address, hello stalkers!) [1] and that this is somehow protected under the pretense of "journalism" [2].

        [1] https://mrkoll.se/resultat?n=Otto&c=&min=16&max=120&sex=a&c_...

        [2] https://noyb.eu/en/swedish-data-brokers-claim-journalists-le...

        • dns_snek 4 hours ago

          [2] Doesn't fully capture the negligence of the Swedish DPA ("IMY"), here's a better source:

          > IMY’s practice of simply “forwarding” complaints.

          > The IMY’s way of dealing with complaints since the Supreme Administrative Court ruling is to attach an “appeal form” to their (non-)decisions. But it still doesn’t investigate the complaints. Instead, the authority simply forwards the complaint to the entity that illegally processes personal data and then immediately closes the case. This also happened in the case preceding noyb’s current legal action against the IMY. After a data subject filed a complaint regarding a recorded phone call, the authority forwarded it to the respondent without investigating.

          [3] https://noyb.eu/en/noyb-takes-swedish-dpa-court-refusing-pro...

      • GJim 8 hours ago

        > Should have been written in the law that it’s a one toggle in browser settings.

        No!

        For crying out loud..... The law says if you want to track me (advertisers take a bow) then in each case, you must have my explicit opt-in permission to do so. And so you should!

        Having a browser toggle setting isn't explicit opt-in consent.

        • pverheggen 8 hours ago

          Maybe not a single browser toggle, but it really should be handled at the browser level. There are browser APIs for opt-ins like your current location, using the camera and microphone - why not one for tracking consent?

          • Nextgrid 8 hours ago

            There was Do-Not-Track which is a header that could be set at the browser level: https://en.wikipedia.org/wiki/Do_not_track

            And way before that (before spyware became common on the web) there was P3P: https://en.wikipedia.org/wiki/P3P

            Now there is Global Privacy Control: https://en.wikipedia.org/wiki/Global_Privacy_Control

            The problem isn't technical - the problem is that ultimately spyware operators want to track people so it isn't in their interest to support these solutions and won't do so unless they are forced to. Since enforcement is significantly lacking, operators adopt the pragmatic strategy of non-compliance or pseudo-compliance with the current banners.

        • wtetzner 8 hours ago

          Ideally opt-in would be explicit, but a browser toggle could bypass even showing the opt-in button if the Do-Not-Track header is sent.
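
Added example (not part of any comment in the thread): one way a site's server could treat the browser-level signals named above, `DNT: 1` and `Sec-GPC: 1`, as a refusal and skip both the banner and the tracker. The header names are real; the policy choices, function names and the tracker URL are assumptions of this example.

```javascript
// Added example. Header names DNT and Sec-GPC are real; the policy,
// function names and tracker URL below are assumptions for illustration.

// Constructed placeholder, not a real tracker.
const TRACKER_SNIPPET = '<script src="https://tracker.example/t.js"></script>';

// Collect every value of a header, case-insensitively. Node's http module
// lower-cases names and may join repeated headers with ", ", so split on commas.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  const out = [];
  for (const [key, raw] of Object.entries(headers || {})) {
    if (key.toLowerCase() !== wanted) continue;
    for (const item of Array.isArray(raw) ? raw : [raw]) {
      for (const part of String(item).split(',')) out.push(part.trim());
    }
  }
  return out;
}

// Returns 'gpc', 'dnt' or null. Only the value "1" is an opt-out.
// "DNT: 0" or a missing header is not consent; it only means "no signal".
function optOutSignal(headers) {
  if (headerValues(headers, 'Sec-GPC').includes('1')) return 'gpc';
  if (headerValues(headers, 'DNT').includes('1')) return 'dnt';
  return null;
}

// storedConsent is the site's own record of an explicit per-site choice:
// 'granted', 'denied' or null. Assumed policy: a browser opt-out signal
// wins over everything, and tracking is never enabled without 'granted'.
function consentDecision(headers, storedConsent) {
  const signal = optOutSignal(headers);
  if (signal) {
    return { tracking: false, showBanner: false, reason: signal + ' opt-out signal' };
  }
  if (storedConsent === 'granted') {
    return { tracking: true, showBanner: false, reason: 'stored explicit opt-in' };
  }
  if (storedConsent === 'denied') {
    return { tracking: false, showBanner: false, reason: 'stored refusal' };
  }
  return { tracking: false, showBanner: true, reason: 'no signal and no stored choice' };
}

// Build the response. The tracker is only emitted after an explicit opt-in,
// and the banner offers "Decline all" next to "Accept".
function renderPage(headers, storedConsent) {
  const decision = consentDecision(headers, storedConsent);
  const parts = ['<main>article text</main>'];
  if (decision.showBanner) {
    parts.push('<div id="consent"><button>Accept</button><button>Decline all</button></div>');
  }
  if (decision.tracking) parts.push(TRACKER_SNIPPET);
  return {
    // The body depends on these request headers, so shared caches must key on
    // them; otherwise an opted-out visitor could be served a tracked page.
    headers: { Vary: 'DNT, Sec-GPC' },
    body: parts.join('\n'),
    decision,
  };
}
```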

  • rustc 9 hours ago

    Or just ban this kind of data collection. Is there any reason anyone would willingly click "Accept" when a website asks to share your data with 500+ partner sites?

    • forgotoldacc 9 hours ago

      For that matter, companies should be banned from referring to selling off your data to random spam companies as "sharing with partners." Partners comes with an implication of being somewhat equal or at least on trusting terms. The companies selling our data don't trust these companies. They probably don't even know their names.

      If the data is being sold, it should be legally required to word it in that way. If there's even the slightest possibility of your data being leaked to spammers, it should be worded to reflect that.

      "Do you consent to us selling your data to any party that wishes to buy your data? Do you consent to the possibility that your data will be used to spam you or steal your identity in the future? Yes/No"

      • johannes1234321 9 hours ago

        The word "partner" lost its meaning completely. Each business relation is a "partner" these days. Guess it sounds nicer than "company that pays me to do stuff and bug you about"

        • foofoo12 9 hours ago

          I always read it as "partner in crime".

        • lesuorac 8 hours ago

          I'm not sure all these relationships are monetary.

          It may even be the case that the website pays X company to perform the tracking for their own analytics purposes. Or that it's X company's own freemium model where if you add their tracker they grant you a bunch of cross-site information for free.

          • GTP 6 hours ago

            True, but having to be explicit about a monetary relationship would still be a step forward.

      • phkahler 8 hours ago

        >> If the data is being sold...

        Nah. Personal data sharing needs to be banned. It's the right way forward.

        • looperhacks 8 hours ago

          That's a bit overzealous, isn't it?

          > Hey, please send the shipment to my customer. No, I can't tell you the address, it's personal data.

          Some data sharing will always be necessary. What needs to be banned is the unnecessary sharing, but it's hard to 100% define what counts as necessary

          • freehorse 8 minutes ago

            In 99.9% of cases defining legitimate use is simple. There should be legal consequences for data sharing that is not actual legitimate use. I see companies making absurd claims about what consent based on "legitimate interest" can mean. No, sharing data with advertising "partners" is not based on any legitimate interest. If these companies were getting some strong fines for illegal stuff like this, then they would cut the bs.

        • bluGill 8 hours ago

          I think banned is a bit too strong. However there needs to be strong regulations on what can be shared.

          If I go to an ER in a different area (read different medical system) I want my doctor to share personal data. I don't want my doctor to share my personal data with a random doctor in the same medical system unless that other doctor is an expert being consulted on something about me. (that is just being a doctor doesn't give you access to my private information, it needs to be on a need to know).

          The above is the obvious case. There are likely other cases that are not obvious where after looking closely private information should be shared. Advertisement is never one of those reasons though, and analytics is only a reason if they anonymize the data with prison terms for mistakes.

        • GJim 8 hours ago

          > Personal data sharing needs to be banned.

          Indiscriminate sharing of personal data IS banned under the GDPR.

          If you collect personal data, you must only collect it for the stated purpose and can't sell or share it for any other reason.

          I continue to be astounded at the ignorance some people have of the GDPR; a vital privacy law and one that is fundamental to modern data use and respect for the customer.

          https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...

        • Workaccount2 8 hours ago

          Then you need to start directly paying for 90%+ of the websites you visit.

          People don't want this, so there is a quick reversion to "pay with your data".

          • DangitBobby 7 hours ago

            The Internet somehow managed to run without our computers spying on us for quite some time, I think it will manage with normal ads.

          • Kbelicius 7 hours ago

            > People don't want this, so there is a quick reversion to "pay with your data".

            Which, since 2018, is illegal in EU.

      • GJim 8 hours ago

        > companies should be banned from referring to selling off your data to random spam companies as "sharing with partners."

        They are under the GDPR.

        If you ask for my data, you must do so fairly and tell me what you are using it for.

        In the examples you cite, if you read the small print "sharing with partners" will go on to say advertising 'letting you know about products and services' and other such shite.

    • jjcm 3 hours ago

      > Or just ban this kind of data collection

      Targeted ads generally bring in 3x the revenue of generic ads. Personally speaking, I'd rather have 1/3rd the ads on a page and allow my data to be tracked. I don't mind my data being tracked, and I'd rather see ads for keyboards / men's clothes (what I buy) than diapers / ladies' shoes (who knows what tomorrow holds, but this is not what I'm buying at the moment).

      • move-on-by 3 hours ago

        1. Targeted ads being more profitable has no relevance to the number of ads on the page. Advertisers will always try to maximize the number of ads and potential profits regardless of profitability.

        2. Contextual ads are not targeted and would not be showing you adverts for diapers or ladies shoes- unless you are reading about diapers or ladies shoes.

      • odie5533 3 hours ago

        But you know well that they'll keep the same number of ads and just profit from the better targeting. They're not going to cut back on the ads

    • regentbowerbird 9 hours ago

      The same could be said with all advertising and surveillance.

      No one wants to be advertised to, but powerful lobbies argue that ending ads will lower consumption and thus harm the economy; and no politician wants to lower GDP.

      No one wants to be spied on, but powerful lobbies argue tracking people allow better security; and no politician wants to be soft on crime and terrorism.

      • Workaccount2 8 hours ago

        The single most powerful lobby, by far, to the point that it is essentially the only lobby, is the enormous mass of people who refuse to pay money for content. Absolutely refuse.

        Even when you give them the option to pay, with no ads or tracking, the conversion rate is still around 0.5-1%.

        • regentbowerbird 7 hours ago

          People are willing to pay for things they value. Those people who "refuse to pay money for content" probably go to the cinema, perhaps purchase magazines, purchase drinks with friends, etc.

          We should however make it easier to pay for content online; let's implement HTTP 402 and integrate it into the users' browser and internet bill to reduce friction. Who wants to create an account and enter their credit card details to read a single article or watch a single video?

          • Workaccount2 5 hours ago

            >People are willing to pay for things they value

            No, they overwhelmingly are not. When given the opportunity to not pay, and do so anonymously (no social shame), the actual pay rates drop to the 1-5% range.

            This is a clear trend from thousands of creators who give simple payment options to those who wish to support them directly. The conversion rates from "ad-supported (but blocked)" to "paying member" are usually around 5% of the active audience.

            The numbers are atrocious despite the deafening virtue signalling of comment sections ("I always pay creators to support them!")

            • regentbowerbird 5 hours ago

              You just assert "no" to my suggestion that people don't pay for these things because they just don't value them enough to pay for them, which doesn't really move the conversation forward. There's loadsa stuff more important in life than youtube videos so it's unsurprising the conversion rate is low.

              • Workaccount2 5 hours ago

                My point is that the value prop breaks when people can shamelessly be dishonest.

                If people actually didn't value the content, they wouldn't devote their time to it. I don't know anyone who regularly devotes hours a day to something they get zero value from...

        • BeFlatXIII 6 hours ago

          Micropayments and judging the value of content before viewing it remain unsolved problems.

        • DangitBobby 7 hours ago

          This is a false dichotomy. You can have ads without tracking.

        • MangoToupe 5 hours ago

          Eh. I've not seen any convincing arguments about this, especially because the quality of said content was dragged down specifically to support ad revenue and SEO. We really never saw the potential of an internet with microtransactions, largely because Google explicitly decided to force people to use ads.

      • phkahler 8 hours ago

        >> No one wants to be advertised to, but powerful lobbies argue that ending ads will lower consumption and thus harm the economy; and no politician wants to lower GDP.

        I doubt that. People tend to spend their money regardless. Advertising just determines what they spend it on.

        • tclancy 8 hours ago

          Yes, but then you might consume beer based on how it tastes rather than the likelihood of winding up in an impromptu volleyball game with a bunch of Nordic bikini models. So you see where the entrenched players want to keep the status quo.

        • regentbowerbird 7 hours ago

          Our culture values the act of buying things for social status (consumerism), and one of the main reasons for that is advertising.

          You're assuming people would still have the same amount of money, but for most money is not a given, and people strive to earn money precisely because they want to buy the things they were advertised.

          Without the social pressure to acquire things one doesn't need, it's very possible people might simply work less and use that time for other things.

        • GJim 8 hours ago

          Famously....

          Advertising is only used heavily when all products are similar, otherwise the best would naturally rise to the top.

          For example, washing powder/liquid is advertised heavily on TV, yet do you really believe one brand of powder/liquid gets your clothes cleaner than any other?

        • tcfhgj 8 hours ago

          not so sure about that, I am pretty sure ads promote materialism and consumerism, probably even leading to people working more to be able to afford more

      • streptomycin 7 hours ago

        In some sense, "no one wants to be advertised to" is similar to "no one wants to pay for stuff". Like yeah it'd be nice if my groceries were free, but that's not very realistic, the grocery store would just close if they had to give everything away. Advertising is similar - a cost we pay so that websites can make some money in exchange for their services. Most ad supported websites would just disappear without them.

        • regentbowerbird 7 hours ago

          In some sense I agree but there is a fundamental difference. I pay for my groceries because I have the fundamental need for sustenance, and that requires land and toil. I have neither and therefore I pay someone else; but for me to survive it is necessary that _someone_ perform that work.

          My need for websites is much less predominant and really I could live without. So of course I bounce when mildly interesting websites ask to host cookies on my browser or want me to create an account and enter my card details.

          If one considers maximizing utility the goal of economic science, then this is in fact good, as it redirects me to more useful venues like doing chores I'd been putting off instead of mindlessly scrolling online. Some metrics such as GDP however might suffer.

          • streptomycin 7 hours ago

            I suspect that most people would not vote for a government policy that puts their favorite websites out of business so they can do more chores :)

    • GJim 8 hours ago

      > Or just ban this kind of data collection

      It is banned.

      Unless I give my explicit permission otherwise (though as you say, why anybody would is beyond me, but then "there's nowt as queer as folk")

    • p_l 9 hours ago

      Guess what, those banners are still up because it's pretty hard to actually bring the banhammer. At best you have too small team working with huge backlog

    • eviks 8 hours ago

      Yes, of course, the reason is pretty simple - someone would willingly accept that to access ad-surveillance-financed content!

    • Xss3 9 hours ago

      Some websites, mostly news outlets, can legally withhold access completely, and do, unless you accept all cookies or pay for membership.

      If my 'data' is a no logs vpn address with a privacy hardened browser running in a VM on an isolated VLAN with encrypted DNS then why wouldn't I just laugh and click accept cookies in a sandboxed tab (so said cookies only exist for that tab and are cleared when it is closed)?

      What you're saying most users don't have this level of privacy by default? Why not?

      • Xelbair 9 hours ago

        >Some websites, mostly news outlets, can legally withhold access completely, and do, unless you accept all cookies or pay for membership.

        GDPR article 7, section 4: When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

        basically: A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service

        anyone who does that is in violation of GDPR

      • jamespo 9 hours ago

        There could be a multitude of reasons, mobile browsing for example.

    • janwl 9 hours ago

      This law was supposed to give me control of my data. If I have control of my data, why can't I use it to pay the owner of the website?

      • zetanor 8 hours ago

        Click-through "I agree" buttons are almost never a matter of informed consent and almost always a matter of convenience-driven rape.

      • Kbelicius 7 hours ago

        You can freely share your data under GDPR but the owner of the website can not request data as a form of payment for the access to the website.

        • janwl 6 hours ago

          That doesn’t seem to give me much freedom about my data - in fact it seems like it took freedom away from me.

          • Kbelicius 3 hours ago

            Yes, we live in a society. You aren't allowed to do anything you want. But you are wrong. You had no option before, now you have. How is that taking away freedom from you?

    • dangus 8 hours ago

      On this note, this is a good reminder that if you don’t collect information in this way, your website is under no obligation to provide a cookie banner.

      Any website that uses a cookie banner is going above and beyond what they need to do to run a functional website in order to track you.

  • vmaurin 9 hours ago

    Same goes for age verification.

    There was the DNT header, that was a bit too simplistic, but was never implemented https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

    The thing people need to understand here is that the annoyance is not due to lack of technical solutions, or regulations forcing something. It is explicitly wanted by the industry so they can maximize the consent rate. The browser solution is probably the best technical/user friendly one, but ad tech/data gathering industry won't have any consent. As they control most of the web, they will never do that.

    • Animats 9 hours ago

      It was implemented in browsers and ignored by sites. Chrome help says:

      Turn "Do Not Track" on or off

      When you browse the web on computers or Android devices, you can send a request to websites not to collect or track your browsing data. It's turned off by default.

      However, what happens to your data depends on how a website responds to the request. Many websites will still collect and use your browsing data to improve security, provide content, services, ads and recommendations on their websites, and generate reporting statistics.

      Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. Chrome doesn't provide details of which websites and web services respect Do Not Track requests and how websites interpret them.[1]

      About the best we have browser side is a mode where all cookies are cleared at browser exit.

      [1] https://support.google.com/chrome/answer/2790761

      • djoldman 8 hours ago

        In chrome, saving anything to your device can be blocked completely:

        chrome://settings/content/siteData

        Here's an extension to block at a per-site granularity (despite it saying cookies, it blocks it all including local storage):

        https://chromewebstore.google.com/detail/disable-cookies/lkm...

      • Semaphor 8 hours ago

        > About the best we have browser side is a mode where all cookies are cleared at browser exit.

        No. The best we have are adblockers and scripts like consent-o-matic.

        Clearing cookies does mostly clear cookies, tracking goes far beyond that. Clearing cookies has always been a red herring enabling adtech submarines like "I don’t care about cookies".

      • pessimizer 8 hours ago

        That's not an implementation. That's a request to sites that you visit to comply willingly. An implementation would be defensive.

        It's what you would do if you had the crazy idea that a browser should be a client for the user, and only a client for the user. It should do nothing that a user wouldn't want done. The measure of a client's functionality is indistinguishable from the ability of the user to make it conform to their desires.

        • TheCoelacanth 5 hours ago

          It's not realistic to completely prevent tracking solely on the client-side. Every time that you interact with a server, that's an opportunity to track you. You can't prevent it unless you just completely stop interacting with the server.

    • disruptiveink 8 hours ago

      Correct. Age verification and privacy consents belong on the browser. The issue is that on the browser, things work a bit too well (remember https://en.wikipedia.org/wiki/P3P ?), so the big players are incentivized to ignore completely the browser-based mechanisms and say/do nothing whenever they see lawmakers going in a dumb direction (risking fines is a reasonable price to pay in order to kill adoption of an actual browser/OS based control that would cause a dent to their tracking operations) that puts the onus on individual website operators.

    • p_l 9 hours ago

      Fun fact - if you handle DNT properly, you don't need to show the consent screen... because you're not doing anything requiring said consent.

      • jeroenhd 8 hours ago

        I believe Medium's DNT implementation showed a little confirmation button on embedded Youtube players. That's the kind of consent screen you may still need with proper DNT handling.

        None of those cookie popups, though. That's all malicious compliance.

      • voxic11 8 hours ago

        I don't think this is true. DNT being absent or set to consenting is not enough to infer the user has given specific and informed consent under the GDPR.

        > Explicit consent: Under the GDPR and similar laws, consent must be specific, informed, and an unambiguous, affirmative action from the user. Consent cannot be assumed by a user's continued browsing or inaction, which is what DNT would require.

        • p_l 6 hours ago

          If DNT is absent you could show a GDPR-compliant consent screen (ofc, it would still need to be actually compliant, i.e. with a "reject all" button front and center).
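
The header handling discussed in the sub-thread above (an opt-out signal means no tracking and no prompt; an absent or `DNT: 0` header is not consent, so a prompt is still needed), as an added example that is not part of the thread. `DNT` and `Sec-GPC` are the real request headers; the function names, the `sid`/`vid` cookie names, the `storedConsent` values and the choice to let an opt-out signal override a stored "accepted" are assumptions made for illustration.

```javascript
// Added example: server-side decision on tracking and consent prompts.
// Hypothetical names throughout; only the DNT / Sec-GPC header names are real.

// Case-insensitive header lookup; returns the trimmed value or null.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) {
      const first = Array.isArray(value) ? value[0] : value;
      return String(first).trim();
    }
  }
  return null;
}

// True when the browser sent an explicit opt-out: "DNT: 1" or "Sec-GPC: 1".
function hasOptOutSignal(headers) {
  return headerValue(headers, 'DNT') === '1' ||
         headerValue(headers, 'Sec-GPC') === '1';
}

// storedConsent: 'accepted', 'rejected' or null (no recorded choice yet).
function decideTracking(headers, storedConsent) {
  if (hasOptOutSignal(headers)) {
    // Nothing that needs consent will run, so there is nothing to ask about.
    // Assumption: the signal also overrides an earlier stored "accepted".
    return { track: false, showBanner: false, reason: 'opt-out-signal' };
  }
  if (storedConsent === 'accepted') {
    return { track: true, showBanner: false, reason: 'stored-accept' };
  }
  if (storedConsent === 'rejected') {
    return { track: false, showBanner: false, reason: 'stored-reject' };
  }
  // Header absent or "DNT: 0": silence is not consent, so do not track and
  // ask once, with "reject all" offered next to "accept all".
  return { track: false, showBanner: true, reason: 'no-decision' };
}

// Builds response headers: the session cookie is always set, the long-lived
// visitor identifier only when tracking is allowed.
function buildResponse(headers, storedConsent, sessionId, visitorId) {
  const decision = decideTracking(headers, storedConsent);
  const setCookie = [`sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`];
  if (decision.track) {
    setCookie.push(
      `vid=${visitorId}; Path=/; Secure; SameSite=Lax; Max-Age=31536000`
    );
  }
  return {
    decision,
    headers: {
      'Set-Cookie': setCookie,
      // Keep shared caches from serving the tracked variant of a page to a
      // visitor who sent an opt-out signal.
      'Vary': 'DNT, Sec-GPC',
    },
  };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { name: 'DNT: 1',               headers: { DNT: '1' },         stored: null },
  { name: 'Sec-GPC: 1 + accept',  headers: { 'sec-gpc': '1' },   stored: 'accepted' },
  { name: 'DNT: 0, no choice',    headers: { DNT: '0' },         stored: null },
  { name: 'no header, accepted',  headers: {},                   stored: 'accepted' },
  { name: 'no header, rejected',  headers: {},                   stored: 'rejected' },
];

for (const s of samples) {
  const r = buildResponse(s.headers, s.stored, 'S-constructed', 'V-constructed');
  console.log(s.name, '->', r.decision.reason,
              'cookies:', r.headers['Set-Cookie'].length,
              'banner:', r.decision.showBanner);
}
```
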

    • cyanydeez 9 hours ago

      At this point browsers should become publicly owned. There's zero benefit in private ownership. It's a utility and now's the time to accept that.

      • LunaSea 9 hours ago

        Utilities are not public either anymore in most western countries.

      • ants_everywhere 9 hours ago

        Tell me more about your theory that the Trump administration should control everyone's browsing

  • tbrownaw 9 hours ago

    > Your browser becomes your personal privacy enforcer, and the law would require it to act on your behalf. Based on your one-time choice, it would be responsible for allowing or declining cookies from every site you visit. If a website tries to use a cookie with an unclear or undeclared purpose?

    Browsers are something the end-user installs. Inserting the government into that doesn't make sense.

    This sounds like the idea is for the site to add extra metadata that's not there now, about what each cookie does. Which would still involve mandating site owners to do things.

    .

    Also, both private mode and https://addons.mozilla.org/en-US/firefox/addon/multi-account... are a thing already, without government meddling.

    • crazygringo 9 hours ago

      > Inserting the government into that doesn't make sense.

      On what basis? What difference is there between regulating website code and browser code? How a website functions and how a browser functions?

      • msla 7 hours ago

        Because a browser is not always a commercial product, whereas a website often is.

        I should not need to follow a ridiculous law to give away some software.

        • crazygringo 6 hours ago

          That distinction doesn't make sense. You could just as easily say websites are not always commercial products, whereas browsers often are made by for-profit corporations.

          You seem to be anti-regulation period.

          • msla 5 hours ago

            A website is non-commercial when it isn't doing commerce.

            A browser doesn't have that simple test. It can be used to do anything.

            Therefore, the commercial website made by someone who chose to make it commercial needs to be regulated, as opposed to trying to regulate every browser.

            (As an aside, you likely don't know how many browsers exist.)

            • crazygringo 4 hours ago

              > A website is non-commercial when it isn't doing commerce.

              So Chrome is non-commercial? Edge is non-commercial?

              That doesn't make a lot of sense to me. Those browsers exist specifically for the commercial advantage they bring the corporations that create them.

              And please don't make asides that make assumptions about my knowledge. You might want to take a look at the HN guidelines.

              • freehorse a minute ago

                Websites that collect personal data on their servers are data controllers. They have to ask for consent for this reason. Browsers also need to ask for consent if they collect personal data but that is independent from the data websites collect. Being commercial or not is irrelevant. The point is collecting and processing personal data. Furthermore, a browser runs on your machine. Unless they send data to some server, any data processing on the browser is happening on your machine.

          • janwl 6 hours ago

            People throw “Anti-regulation” around in HN as if it were a slur.

    • asplake 9 hours ago

      Except that the provider of the most popular browser is also an advertising agency. A conflict there, surely?

      • tbrownaw 8 hours ago

        So that would mean that most users must not actually care that much, then?

        • wackget 5 hours ago

          Let's be honest: most users don't know what they don't know. Even tech-literate people have no real idea of the enormity and scale of tracking which goes on across the web. And the tech giants love it that way.

        • pessimizer 8 hours ago

          The provider of the "alternative" browser is also completely supported by the same advertising company, and since this arrangement has begun has shown itself completely uninterested in solutions like this. If anything, it tries to make control over cookies, localstorage, or javascript harder, and to demonize people who would dare to care about such a thing.

  • forgotmypw17 6 hours ago

    I've come up with an easy solution, which works almost all the time. When a cookie consent dialog interferes with me using the website, I close the tab and move on.

    I've found a high correlation between cookie consent notices and low-signal content, so this strategy has actually saved me a lot of time I would've spent reading/watching something that doesn't help me.

    • tonymet 6 hours ago

      How do you book airline tickets? Or other critical business? My doctor's office has a cookie banner. Should I just stop going?

      • forgotmypw17 5 hours ago

        That's why I said "almost all of the time".

        But to the flights example, I was just looking for flights starting at Google Flights, which doesn't have cookie banners, and the two sites I went to for booking also did not have cookie banners.

        • tonymet 3 minutes ago

          any site with a cart or user prefs should have a cookie disclosure

        • macbr 3 hours ago

          Google, including Google Flights, does have a cookie banner. It's just likely that you already accepted/denied the prompt at some point.

          • forgotmypw17 3 hours ago

            That’s certainly possible. I don’t deny occasionally clicking them. I just don’t bother most of the time.

            Edit: I just tried the flight ordering flow again (starting at google.com/flights) in a private/incognito tab, and did not encounter any cookie banners.

        • SpicyLemonZest 5 hours ago

          Which booking website are you going to that doesn't have cookie banners? I spot checked multiple EU and US airlines just now (Ryanair, Air France, United, Alaska) and all of them had a cookie banner.

          • forgotmypw17 4 hours ago

            I started with Google Flights and went to two other sites that it directed me to.

            Just to reiterate, I'm not religious about this practice. If I need to click a cookie banner to book a plane ticket, so be it.

            I just treat cookie banners as a strong negative signal.

      • hahn-kev 6 hours ago

        Yeah I agree, that sentiment works if you only consume content online. But for real stuff? Good luck

  • moooo99 9 hours ago

    I disagree that this should be in the scope of a browser.

    Cookie banners are called cookie banners because they're most frequently associated with the opt in for tracking cookies, but this kind of opt in is required for any kind of third party involvement that goes beyond technical necessity.

    Your browser has no way to tell what third party present on the site is a technical necessity and which one isn't. So you'd have to tell it - making it part of the site providers problem as well. But this time it's worse, because responsibilities are mixed between the site operator and the third party.

    • ryukoposting 9 hours ago

      Legally compel websites to respect the DNT header. Bam, done. This is a simple problem, and should be solved in a simple way.

      • jeroenhd 8 hours ago

        DNT doesn't solve all problems, though. Not only is DNT being deprecated, it also lacks the proper customisability the law actually prescribes for data processing.

        There's no value you can give DNT that says "you can do your own on-site tracking and telemetry and I accept sharing my data with Sendgrid for your newsletter, but I do not want third-party trackers".

        As a practical example: there are news sites that will not play videos if you hit "deny all" because their video host does some viewership analytics. I'm fine with that, but not the 750 other advertisers the news site tries to have me track.

        Of course, "deny all" should be an option, "accept all or deny all" isn't control.

        For the longest time we had https://en.wikipedia.org/wiki/P3P as a basis to build on, but that officially died the day Edge became Chromium-based.

        • AlexandrB 6 hours ago

          > you can do your own on-site tracking and telemetry and I accept sharing my data with Sendgrid for your newsletter, but I do not want third-party trackers

          I'm sorry, but does a user who would want this actually exist? This seems like a hypothetical dreamed up by the marketing team to avoid having to accept that a large group of users hate all their tracking shit.

          • jabroni_salad 6 hours ago

            At my first job I took phone calls for an insurance carrier and agents definitely didn't like finding out that all the unhandled exception screens the rater had simply disappeared into the abyss.

            • mrguyorama 2 hours ago

              Microsoft solved this decades ago.

              You download a specific tool which only has the purpose of collecting your local error reports and sending them to Microsoft. Later on that tool became just a button in your control panel that submitted all your local errors and told you if those errors had an already developed solution.

              That's how they did all their error telemetry until like late XP era, and it worked just fine.

              All the people insisting that they need this telemetry is also horse shit. Companies are demonstrably not producing better and more bug fixed software, and demonstrably are not using that data to make serious improvements, but demonstrably ARE using that data to choose where to focus dark pattern and other sales funnel based efforts.

              If Unity and Unreal and GPU drivers can ask me "Do you want to send this error report" with a default no, nobody else has any excuse.

              Even now, a significant amount of companies use the system of "Please upload your error log and the output of this command to this forum" as their bug report solution and it works just fine if that company actually intends to fix bugs.

              The solution is not to turn your software into spyware. Stop being entitled. You don't have a right for me to QA your software for you, that's your job. Even with all this telemetry, companies only fix the most common and most obvious bugs anyway, so the perfect telemetry is utterly useless. Those bugs would have surfaced anyway.

              Developers in the 80s did not need telemetry to get bug reports and fix things and release patches. Learn some history of your profession people.

              Has throwing a hundred thousand bugs onto your sprint backlog actually helped anyone develop better software? No. Meanwhile it has exposed all your customers and users to predatory bullshit from your marketing and sales departments, and enabled your worst product managers to optimize hostility and extraction.

          • SpicyLemonZest 5 hours ago

            Yes, it's quite common for users to want this. I think a lot of people don't realize functionality like "remember I want dark mode every time I visit" or "keep me logged in when I reopen my browser tomorrow" constitutes first-party tracking and requires consent under EU law.

      • noirscape 8 hours ago

        It's already seen as a valid opt-out signal against this sort of thing in Germany. LinkedIn got in trouble and lost a court case for not respecting the DNT header if memory serves me right.

      • PlotCitizen 9 hours ago

        This is the best suggestion here with the least friction in my opinion

      • bradleyy 8 hours ago

        Companies ARE legally compelled to comply with the GPC header.

    • Rygian 6 hours ago

      You are exactly correct.

      A web browser is technically incapable, by design, of knowing whether any piece of a website (1) is there for the purpose of having the website actually work, or for the purpose of tagging and tracking the end user. Only the website owner chooses those purposes, and only the website owner is in a position to determine (or maliciously hide) which technologies are being used for which tracking or technical purposes.

      (1) Cookie laws apply to: Cookies, gif pixels, JS fingerprints, and any other technical means that can be technically exploited to track an individual.

    • gwd 9 hours ago

      Right, then it would be legally required to have "third-party" vs "strictly necessary" tags on the cookie itself, which someone could challenge if they were inaccurate (in the same way that the GDPR can in theory be enforced now). Then the browser could simply do what the user wanted with the tags. This could even be a status item in the URL bar, similar to the HTTP / HTTPS icon, that would allow you to enable or disable tracking on a per-site basis (if you didn't want a global policy).

      Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.

      • jeroenhd 8 hours ago

        > Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged

        While enforcement is effectively nil, they already need to do that according to the actual EU "cookie law" (ePrivacy Directive rather than GDPR). If you set cookies, you have to explain to the user what they're there for.

        Hilariously, many websites have no idea what the cookies their trackers set are for, and I've caught a bunch of them use language like "seemingly" and "apparently" when describing what purposes cookies actually serve.

        If only browsers gave P3P[1] the attention it deserved. The protocol isn't exactly perfect and the unmistakable footprint of early 2000s XML obsession is there, but it could've prevented cookie banners from ever being accepted if only browsers had designed proper UI around an updated version of the protocol.

        [1] https://www.w3.org/TR/P3P11

  • rayiner 10 minutes ago

    The EU’s principal contribution to the web in a decade has been these shitty cookie popups.

  • jsmailes 9 hours ago

    I believe this is already starting to be solved via Global Privacy Control (GPC) [1], and has already been implemented in Firefox to replace Do Not Track [2]. All that remains is to see if lawmakers will catch up and make it a legal requirement to follow...

    [1] https://globalprivacycontrol.org/

    [2] https://support.mozilla.org/en-US/kb/global-privacy-control

    • jeroenhd 8 hours ago

      DNT already had legal weight in the EU. I don't see what problem is being solved by sending a slightly-renamed version of DNT instead, other than the weird privacy law a few American states have implemented that says "if the browser sends the signal by default it's not a legal signal and you should therefore ignore it" (which will probably be updated to neuter GPC if that ever gets any serious attention, the laws were clearly written to give trackers the advantage).

    • atlasunshrugged 9 hours ago

      +1 to this, Firefox has been pushing this for a while but my understanding is really the legal side

  • jacquesm 9 hours ago

    Of course companies could just - I know, weird idea - stop tracking you. Then you don't need those dumb consent boxes.

    • IMTDb 8 hours ago

      Please ask the EU to lead by example then. The official EU commission website has a cookie banner (https://commission.europa.eu/index_fr)

      So either: The EU commission is including trackers on their websites. And they should stop OR they acknowledge that it's almost impossible to build a website without some form of tracking that falls under the law, and they should look into the law itself.

      So they have work on their plate.

      • rustc 8 hours ago

        > OR they acknowledge that it's almost impossible to build a website without some form of tracking

        Why would it be almost impossible to "build a website" without tracking?

        • IMTDb 7 hours ago

          Why doesn't the EU do it?

      • tcfhgj 8 hours ago

        I created a production web application which does tracking (although not necessary, could remove it within minutes from the application and probably nobody would notice) without needing a "cookie" banner. How? I don't track any personal data, just anonymous interaction.

    • harel 9 hours ago

      But unfortunately they won't. This will not happen. They ultimately shift to fingerprinting our browsers instead of using Cookies but they will keep on tracking...

    • crazygringo 9 hours ago

      And companies could just -- each give me $10,000. Then I wouldn't need to work.

      But companies generally do whatever is in their best interest. I don't know why anyone would expect them to do otherwise with regards to tracking.

    • rustc 9 hours ago

      Another weird idea: make this kind of tracking illegal. Why would anyone willingly agree to be tracked?

      • pif 9 hours ago

        > Why would anyone willingly agree to be tracked?

        To avoid paying actual money, even the smallest sum of it.

        • jraph 7 hours ago

          Good thing that it's not an option with the GDPR. Pay or consent doesn't allow informed, free consent.

    • shadowgovt 9 hours ago

      The problem with making it a law is tracking is in the eye of the beholder, so site owners are heavily incentivized to err on the side of caution and put up the box just in case.

      • wat10000 9 hours ago

        God forbid they err on the side of caution and not set any cookies.

        • sojournerc 8 hours ago

          Right?! I have a website for a music studio. I never worry about any of this shit because it's just a static site with no tracking or analytics. It's just that simple. It's there if someone searches for me and that's enough. Rely on being a good business and organic search, word of mouth, and reputation will bring you business. You don't need to seo the shit out of everything and sell your visitors.

          • wat10000 8 hours ago

            It’s not like it would be any more work to figure it out with a complex site. You still have to enumerate everything you’re tracking, add the ability to disable it, and make sure the site works without it. All you have to do is turn them all off rather than presenting an alert asking the user.

            I understand why companies don’t do it that way. Tracking is worth money and they like money. What I don’t understand is why ordinary people make excuses for them.

            • cuu508 6 hours ago

              At least here on HN, keep in mind some of the commenters may be working in adtech or operators of ad-supported sites. I.e., not ordinary people.

  • sebastian_z 8 hours ago

    California now has a law that requires browsers to have an opt-out setting (effective in 2027) [1]. So far, websites are required to respect opt outs via browser settings or extensions in California, Connecticut, and Colorado [2]. That is also the case for New Jersey [3].

    [1] https://legiscan.com/CA/text/AB566/2025.

    [2] https://portal.ct.gov/ag/press-releases/2025-press-releases/....

    [3] https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-....

  • jraph 8 hours ago

    Browsers have no way to determine what code or cookie is tracking and what isn't, and if websites are not targeted, they don't have any incentive to tell browsers "oh, this is for tracking, and this, no, it's not for tracking".

    The best we have is heuristics content blockers currently use. But heuristics are not good enough for complying to such laws because there's no guarantee they work in 100% of the cases.

    It follows that such laws can't target browsers and not websites.

    • skeezyjefferson 8 hours ago

      Wasn't this a benefit of the semantic web we were pushing for? Standardized tags exactly for stuff like this? Just another example of the mess that web dev is - trying to coerce a markup language into a fully fledged programming language.

      OP has a nice idea but he's short on technical details, which in this case is where the devil resides.

      • jraph 8 hours ago

        As much as I like the semantic web, you can embed tracking parameters in images and links put in a perfectly semantic HTML structure :-)

        I think we need strong privacy laws, removing the incentive to track, or both, I don't see a technical way around.

        • skeezyjefferson 6 hours ago

          is there a standard for those tracking parameters?

          • jraph 5 hours ago

            There are some usual suspects like the utm_* parameters, but a website could be using whatever it wants.

            Actually, you don't even need parameters to track, you could just use the IP of the requester and for instance do some IP geolocation.

  • sackfield 9 hours ago

    Is there any evidence that this law is achieving the goals it was designed to tackle? If not, is there any reason it still exists? Why don't laws have to continually justify themselves as a matter of procedure?

    • moduspol 8 hours ago

      I wanted to ask something like this, but I think you framed it better.

      I am convinced these laws have just made my life and the Internet marginally worse, with no measurable positive impact.

      • croes 7 hours ago

        Not the laws but the way companies complied.

        Still too few just show a simple „Reject All“ button.

        And they ignored things like DNT in the browser on purpose.

        So if someone made the Internet worse it’s them and they successfully shifted the blame.

        • moduspol 4 hours ago

          Even a "Reject All" button is one more annoyance than I had before these laws. The dialogs previously didn't exist at all.

          I'm willing to accept that some amount of personal data is being sold less, at least by some market participants. I'm still not sure how I could possibly measure even the tiniest improvement in my life, though.

          • croes 4 hours ago

            So you were ok if thousands of sites would track which sites you visit?

            Before the law most didn’t even know how much they get tracked.

            And you misunderstand something, the law doesn’t improve your life it prevents it from getting worse.

            Just look what happens when companies know everything about you

            https://pluralistic.net/2024/12/17/loose-flapping-ends/#luig...

            Exploitation beyond your wildest nightmares.

            That’s what those laws try to protect you from

            • moduspol 3 hours ago

              I was being tracked by thousands of sites before these laws were in place and had no measurable negative impact on my life. I’m also skeptical how much practical reduction of tracking has occurred for me in the US.

              What I’m 100% sure of is that the UX of the web has been made worse, and I don’t think it’s sufficiently acknowledged.

    • croes 7 hours ago

      What do you mean by achieve?

      Do sites stop tracking you if you reject the cookies?

      Some do, some don’t.

      Is the goal still valid?

      Yes.

    • GJim 9 hours ago

      If you're asking if the GDPR is effective, yes, it is.

      The only ones ignoring it completely are either dodgy companies, or the clueless. The companies exercising malicious compliance are now (quite rightly) increasingly seen as dodgy and need to up their game if they want to become respectable.

      The days of not protecting user data are over.

      • crazygringo 9 hours ago

        GP asked for evidence.

        • GJim 8 hours ago

          The evidence is all around you.

          For example, my insurance company can no longer get away with selling my details to financing companies behind my back. Such shenanigans are no more in the UK and EU thanks to the GDPR.

  • calibas 7 hours ago

    I believe that part of why Google is so invested in Chrome is this very thing. They don't want users to have more control over cookies and tracking via the browser.

    One of the first things people would do if they really had control over their browsers is start blocking Google Ads. Google realized this early on, it's a huge potential threat to their main source of revenue, so they launched Chrome to influence, and eventually dominate, the browser market.

    Google doesn't want users to have more control when it threatens their bottom line. It's part of why they've been trying to block ad-blockers.

  • merryocha 8 hours ago

    uBlock Origin can block these if you check the "Annoyances" filter in the filter list. I think it's disabled by default because it has a higher risk of breaking sites, but I never have a problem. I haven't seen a cookie banner in a long time!

  • the_sleaze_ 7 hours ago

    Cookies are now stickers with writing on them and computers are now cars. Businesses that you drive up to or close to have license to slap a sticker on you whenever they want with whatever they want.

    So we write a law to say "hey you gotta at least ask before you slap a sticker on, most of the time".

    We all know why we didn't just make a sticker proof car. As long as the largest ad company in the world is also the de facto king of the internet we will have these issues.

  • master-lincoln 8 hours ago

    Why is this on the front page? The author apparently did not do any research or they would have discovered that was tried with the DNT header [0]. Also there is no cookie law, just that websites need consent to track you (simplified).

    [0] https://en.wikipedia.org/wiki/Do_Not_Track

    • jeroenhd 8 hours ago

      There is effectively an EU cookie law, though it's not the GDPR like many people think it is; rather, it's an extension to the ePrivacy Directive[1]:

      > ‘3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’;

      Of course this also applies to flash cookies, local storage, and other browser data stores, not just cookies. The legal requirements for data storage that doesn't violate anyone's privacy are a lot looser, though.

      [1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

      • master-lincoln 8 hours ago

        This law states storing or accessing stored data needs user consent when the data is not strictly necessary for the website in order to provide the service.

        It doesn't mention banners or cookies or that every website needs it.

  • ben_w 9 hours ago

    My least-favourite is websites with the "Pay or OK" model: "If you don't want more companies tracking you than were people in your high school, teachers and students both, you must pay us! [Pay] [Accept tracking]"

    *Copy URL, close window, open private browsing session, paste*

    As an aside, is anyone else getting LLM-writing-style vibes from the linked page, or is that just me?

    • GrinningFool 4 hours ago

      The thing is, these sites that give you an option to pay only let you pay to opt out of advertising (and some only partially!). It does nothing to stop tracking you.

      There are several sites I would not hesitate to pay for, but the most that will net me is generally "content with invasive tracking". Sometimes with no ads and sometimes with "fewer ads". But in either case, still a non-starter because it's still capturing the same data about me and sharing it.

    • jraph 8 hours ago

      > My least-favourite is websites with the "Pay or OK" model

      Which doesn't respect the GDPR.

      > As an aside, is anyone else getting LLM-writing-style vibes from the linked page, or is that just me?

      The multiple 3-item lists with the item's first sentence in bold, the logic not perfectly following from one sentence to another, the numerous comparisons/metaphors, the em dashes, and the general, distinctive tone are certainly clues.

  • tsukikage 8 hours ago

    > If a website tries to use a cookie with an unclear or undeclared purpose?

    How is the browser supposed to determine a cookie's purpose?

  • mihaic 9 hours ago

    Policing the tools instead of policing what is being done with them is the problem for me. Third party cookies have a valid reason to be used in federated authentication for instance, or a bunch of other valid purposes. Just ban shitty data collection practices.

    Knives can be used to chop vegetables or stab someone. Don't ban their sale, ban their usage.

    • high_na_euv 9 hours ago

      Cookie consent is not required for technical cookies like auth.

      • mihaic 8 hours ago

        It isn't needed, but third-party cookies were phased out by Chrome specifically to undermine their competitors, all under the veil of doing the right thing, and everyone that was using them for something ok got screwed.

      • 4ndrewl 9 hours ago

        I'm surprised at how often this needs to be restated.

        By-and-large you only need to allow people to opt out of cookies if you're tracking _their_ activity and/or selling details of _their_ activity to your "partners".

        • Macha 8 hours ago

          Partly it’s because we’ve simplified the discussion to “cookie banners” when it’s about more than cookie tracking or cookie-like tracking (local storage). So it misses all the other ways tracking occurs.

          The other thing is that it benefits those who wish the law would just go away to have it misunderstood this way.

      • lucumo 9 hours ago

        Indeed. Nor is GDPR about cookies at all. GDPR is about identifiable user profiles and information. A piece of paper with someone's name falls under the GDPR; a cookie that hides a shown alert doesn't.

    • GJim 8 hours ago

      Once again....

      There is no requirement for 'cookie banners'. You are free to use whatever cookies you want to run your site. HOWEVER, if you are using those cookies to track me (advertisers take a bow) then you need my clear, opt-in informed consent to do so. And so you should!

      I continue to be astounded at the ignorance some people have of the GDPR; such a vital privacy law and one that is fundamental to modern data use and respect for the customer.

  • phyzome 9 hours ago

    For people who have reasonable browsers (i.e. you can install extensions) you can already live in this world. For example: https://addons.mozilla.org/en-US/firefox/addon/consent-o-mat...

  • phendrenad2 7 hours ago

    We'll have to keep clicking cookie buttons as long as there are idiots who think that sites can "just" give up tracking (and go out of business because without targeting, internet ads are virtually worthless).

    • AlexandrB 6 hours ago

      > and go out of business because without targeting, internet ads are virtually worthless

      Good riddance to bad rubbish. I'll take an Internet 1/10th (or 1/100th (or 1/1000th)) the size as long as it's not ad-supported.

      • phendrenad2 3 hours ago

        You know HN is indirectly ad-supported, don't you?

  • kayhantolga 9 hours ago

    I think there’s a small detail missing. Most browsers also track user behavior and use your data. I can’t imagine big tech companies fighting each other in court just to give you the best internet experience. The idea sounds good in theory, but in practice, I don’t think it would change much. What we really need are regulations that truly understand business models and target and punish those that abuse them.

    For example, right now any company can ask for your consent ten times a day until you give up, and once you click “yes” even once, your data begins an eternal journey.

    A few months ago, my Samsung TV (which I bought four years ago) suddenly blocked everything and displayed a new agreement on the screen with only two options: Read and Agree. There was no way to use the TV without accepting the agreement.

    • GJim 8 hours ago

      > Most browsers also track user behavior and use your data

      Tell me about these browsers that are in breach of the GDPR and use my data without explicit opt-in permission?

      • Nextgrid 8 hours ago

        Google Chrome? They breach the GDPR on the web, why is it so far-fetched to think they wouldn't do it in local software too?

        Firefox is no better, with their telemetry being opt-out and I believe even if you opt-out some telemetry is sent to let them know you've opted out.

  • Havoc 5 hours ago

    The whole debacle is a lesson in incentives.

    You can't have laws that dictate the desired outcome in broad terms and trust companies to implement in good faith. Not when they have a direct financial incentive to implement it as obtusely as possible.

    It's really unfortunate that in the public's eye the legislative attempt to steer towards a positive outcome is seen as the cause of the pain.

  • gabeyaw 8 hours ago

    While we're talking about cookies, can anyone explain what legitimate interest is? And if it's an exception to consent then why can I reject legitimate interest? It just seems like another hurdle to rejecting all non essential cookies.

    • Macha 8 hours ago

      Legitimate interest as interpreted by most companies making (IMO non-compliant) cookie dialogs is just a second attempt at consent that they think doesn’t have to obey the top level reject all they’ve finally been penalised into having.

      Legitimate Interest per the law is intended for use cases like, having a list of people who owe you money, or keeping IP address access metrics long enough to use them for anti bot or paywall measures.

  • JohnFen 8 hours ago

    As others have said, we already tried this with DNT. Unless websites are legally compelled to honor the signal, the signal is worthless.

    But here's an interesting wrinkle that may illustrate further complexity:

    > Essential Only: "Only allow data necessary for websites to function (e.g., keeping me logged in, remembering my shopping cart)."

    I would never have called either of those examples "necessary for websites to function". They are both just convenience things, not essential things. So there may be a lot of discussion needed about category definitions here.

    • padjo 8 hours ago

      If your website is a shop then being able to put things in a cart is pretty necessary no?

      • croes 7 hours ago

        You don’t need cookies for that.

        • padjo 6 hours ago

          The point is that you need to track the person. The technology used is irrelevant.

          • JohnFen 6 hours ago

            The point is whether or not "shopping cart" cookies are "essential". I argue that there is nothing about them that qualifies as essential. The contents of your cart can be kept server-side, which means that using cookies to do it is not essential at all.

            Making them part of the "essential" set in cookie banners is a category error. This is an important point, in my opinion, because if we allow websites to get away with saying nonessential cookies are essential, then the more obnoxious cookies people widely object to will just be counted as "essential" to evade people's preferences. Websites seem strongly predisposed to pulling the wool over users' eyes whenever they think they can get away with it, so this category problem is not without meaning.

            • Dylan16807 an hour ago

              > The contents of your cart can be kept server-side, which means that using cookies to do it is not essential at all.

              The sane way to keep the cart contents server-side still involves a cookie on the client.

              It's possible to do it in a glitchy way server-side-only, but if that makes a cookie stop being essential then by that definition there's no such thing as an essential cookie.

              Such a definition is a bad definition.

            • TheCoelacanth 4 hours ago

              "Cookies" is just a colloquial way of talking about this tracking. What actually matters legally is what you are tracking, not how you implement it. It is completely irrelevant whether your shopping cart uses cookies or not.

              • JohnFen 3 hours ago

                Except that the topic at hand is the cookie permission banners, which are about cookies specifically, not tracking generally.

                • Dylan16807 an hour ago

                  The banners are about tracking. They can't just sneak in localstorage instead and claim they're following the rules.

                • TheCoelacanth 37 minutes ago

                  That is completely false unless you are talking about the pre-GDPR e-privacy directive.

                  GDPR only uses the word cookies once and it comes immediately after the phrase "such as", i.e. it's a non-exhaustive list of examples of ways that you could track someone.

          • croes 4 hours ago

            For a shopping cart you need to link the visitor to their cart in your database. The cart doesn’t need a cookie and this identification is not what is meant by tracking.

            • Dylan16807 an hour ago

              If there is an identification cookie that is used to find the cart in the database, that is the cart needing a cookie.

  • Klaster_1 9 hours ago

    >We all do the same thing. We sigh, our eyes glaze over, and we click "Accept All" with the muscle memory of a weary soldier.

    No. When I see a cookie banner that doesn't have a "Reject all" or at least "Reject non-necessary", I leave the website. When you look into the "Reject..." section, it often contains 1000+ of adtech shit you have to untick individually. Aren't these actually non-compliant with regulations? Makes you think twice about website owners if they choose to sell your data to adtech - seems like law does exactly what it was supposed to do. The problem is adtech, which encourages collecting data that websites have no business collecting. If anything, non-compliant sites should be fined into the ground and adtech outlawed.

    If I could, I'd downvote the article.

    • lucumo 9 hours ago

      Exactly.

      People like the author are part of the problem. Blindly clicking consent is allowing site owners to bully you into consent. It works, so they keep doing it.

      If you're going to blindly click anything it should be decline all.

  • ACCount37 9 hours ago

    The interface definitely should be implemented at the browser level.

    If a user sets "allow performance telemetry, deny fingerprinting, ads, tracking" or "decline everything non-vital" once in the browser settings, he should never see a cookie banner ever again - with all of that communicated to the websites by the browser for him, and the websites being obligated to respect the user preferences.

    The cookie banner vomit should be reserved only for browsers that don't support that. The fact that this obnoxious behavior somehow became the Internet's default is an atrocity.

  • st0ffregen 9 hours ago
  • bArray 9 hours ago

    > A pop-up, a slide-in, a full-screen overlay demanding you "Accept All," "Manage Preferences," or navigate a labyrinth of toggles designed by a corporate lawyer.

    It's the dark patterns and lack of consistency that makes it worse. Some websites even refuse to allow you to reject data collection unless you pay to use their service (i.e. news websites)!

    As others have echoed, we just need to make this large data collection illegal.

    • GJim 8 hours ago

      > As others have echoed, we just need to make this large data collection illegal.

      It *IS* illegal under the GDPR.

      Article 5(1) requires that personal data shall be (b) collected for specified, explicit and legitimate purposes ... (c) adequate, relevant and limited to what is necessary ...

      In plain English, you can't go trawling for personal data.

  • bradleyy 8 hours ago

    Hey, I'm the lead developer on DataGrail's(1) Consent product (cookie banner). I know a fair bit from having been involved with this for years, and talking to a lot of customers.

    Happy to answer questions and clear up misconceptions, especially the one about "giving DNT force of law": we already have Global Privacy Control (GPC), and it's already required in (significant parts of) the US, and it's being enforced.

    I can say we've tried really hard to prevent a lot of the malicious user interface issues, and to respect the GPC and DNT signal (no banner pop). We've tried to balance the company's need to keep compliant (because frankly, many of the complaints here about "legalese" aren't just deceptive UI (dark patterns), but done on the advice of counsel), and still operating (marketing needs analytics/ad tracking). And we're concerned about the user experience for what is admittedly an intrusive tool, but required.

    (1) I'm not a spokesperson for the company, experiences and opinions are mine.

    • PanoptesYC 7 hours ago

      A lot of consent banner implementations have a clear accept all and then an intentionally obtuse alternative where you have to manually untick every "partner" you don't want to give data to. Presumably this is more profitable, as a lot of people will just click accept all instead of wasting their time.

      A lot of people in the thread are speculating that this approach is illegal, but it seems to have widespread use across the web. Why doesn't DataGrail do this? Was it something requested by advertisers/management that your team pushed back on?

      • bradleyy 5 hours ago

        It's pretty clear from my reading of the (EU) laws that giving prominence to "Accept all" and not having the same level of prominence for "Essential only" is not acceptable. US is a whole different story, but has some bright points: GPC is already required in several states, and spreading. This removes the need for a consent banner to show on screen, which is great.

        Our primary job is to make our customers compliant, so we try to "push them into the valley of success". That means GPC and DNT "do the right thing" by default, no deceptive design (dark patterns), etc.
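
How a site can act on the GPC and DNT signals discussed in this subthread, as an added example that is not part of the thread and not DataGrail's code. The cookie names, the `consent` cookie format and the rule that an opt-out signal overrides a stored choice are assumptions made for the illustration; the request headers in the test are constructed.

```javascript
// Constructed cookie catalogue for a hypothetical site: every cookie the
// site sets is declared with exactly one purpose.
const CATALOGUE = new Map([
  ['session_id', 'essential'],
  ['cart_id', 'essential'],
  ['perf_sample', 'analytics'],
  ['ad_profile', 'advertising'],
]);
const OPTIONAL_PURPOSES = new Set(['analytics', 'advertising']);

// Header names are case-insensitive, and a repeated header may arrive as an
// array of strings, so collect every raw value for the given name.
function rawHeader(headers, name) {
  const found = [];
  for (const [key, raw] of Object.entries(headers)) {
    if (key.toLowerCase() !== name) continue;
    for (const item of Array.isArray(raw) ? raw : [raw]) found.push(String(item));
  }
  return found;
}

// "Sec-GPC: 1" and "DNT: 1" are opt-out signals. "DNT: 0" or a missing header
// is not treated as consent here; it only means no opt-out signal was sent.
function readPrivacySignals(headers) {
  const tokens = (name) =>
    rawHeader(headers, name).flatMap((v) => v.split(',')).map((v) => v.trim());
  return {
    gpc: tokens('sec-gpc').includes('1'),
    dnt: tokens('dnt').includes('1'),
  };
}

// Reads an earlier banner answer from the hypothetical "consent" cookie, e.g.
// "consent=analytics.advertising" or "consent=none". Unknown purposes are
// ignored. Returns null when the visitor has not answered yet.
function readStoredChoice(headers) {
  const pairs = rawHeader(headers, 'cookie').join(';').split(';');
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    if (eq === -1 || pair.slice(0, eq).trim() !== 'consent') continue;
    return pair.slice(eq + 1).trim().split('.').filter((p) => OPTIONAL_PURPOSES.has(p));
  }
  return null;
}

// Decide, per request, whether to show a banner and which purposes are allowed.
function decideConsent(headers) {
  const signals = readPrivacySignals(headers);
  const stored = readStoredChoice(headers);
  let optional = [];
  let showBanner = false;
  let basis;
  if (signals.gpc || signals.dnt) {
    basis = 'opt-out-signal';   // assumption: the signal wins, and no banner is shown
  } else if (stored !== null) {
    optional = stored;
    basis = 'stored-choice';
  } else {
    showBanner = true;          // nothing optional is set until the visitor answers
    basis = 'no-choice-yet';
  }
  return {
    showBanner,
    basis,
    allowedPurposes: ['essential', ...optional],
    // The response differs by these request headers, so shared caches must
    // key on them or one visitor's variant could be served to another.
    vary: 'Sec-GPC, DNT, Cookie',
  };
}

// Keep only cookies that are declared in the catalogue AND whose purpose is
// allowed. A cookie with no declared purpose is dropped.
function cookiesToSet(decision, requestedNames) {
  return requestedNames.filter((name) => {
    const purpose = CATALOGUE.get(name);
    return purpose !== undefined && decision.allowedPurposes.includes(purpose);
  });
}
```
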

  • donperignon 3 hours ago

    Or simply stop tracking and selling user data… sell real services or native ads

  • stargrazer 8 hours ago

    Deny All, Accept All, but I never (except in a handful of cases) see the Accept Required. Let us admit that there are cookies required for maintaining state within a web site and account.

    I default to Deny All, but click on Accept Required when I see it (trusting that it does do what it says it does)

    • nhinck2 8 hours ago

      Deny all should be equivalent to accept required, to my understanding anyway.

  • CrlNvl 9 hours ago

    And it would solve nothing.

    GDPR already mandates that "Refuse non essential" button should be the same size and prominence as the "Accept all" button, every website around the globe does not care (apart from major players like Google, Apple or Amazon) and national data protection authorities absolutely do not care.

    We already had one attempt with "Do not track" header, nobody was willing to commit to it because it impaired business. Same would go with OP proposal.

    Websites are forcing this banner on us because they are greedy morons that would rather drain our data for money than incite us to pay for their work.

  • baggachipz 8 hours ago

    Since there are a handful (maybe dozens) of companies who implement this popup feature as a service (e.g. CookieYes), a browser plugin to automate the "no to all" could be handy. That is, the plugin would know the provider and navigate the labyrinth of settings to disable all of them.

    • jmbwell 8 hours ago

      And then a handful of companies can offer a service to let advertisers punch through the plugins. And then another plugin could block that!

      Thing is you’re probably right. The modern web is made of middlemen inserting themselves into user experiences to divert and extract revenue from the primary stream between consumer and producer. There’s always room for another layer.

    • jraph 8 hours ago

      uBlock Origin's cookie banner lists do this.

      • baggachipz 8 hours ago

        Ah, yeah, I suppose just blocking the domains of those cookie services would take care of it.

        • jraph 8 hours ago

          That's not always enough, sometimes you need some code simulating the "deny all" clicks or tweaking CSS class lists on the body and html elements.

          Otherwise, you might end up with some unscrollable page because for instance there's a CSS rule that blocks scrolling when the modal is there and restores it when the modal closes and this handling is unfortunately done in JS.

  • ec109685 8 hours ago

    Yes, same with access restrictions. Parents should be able to limit types of content accessed at the device level and websites and app makers are just provided that.

    Remove any notion of age blocks that kids just lie about, and let parents determine what is suitable for their kids.

  • tmvphil 8 hours ago

    I simply do not care if advertisers form an accurate view of my desires and beliefs.

  • NoSalt 7 hours ago

    > "2. It Punishes the Little Guys"

    Yeah ... I just don't do it. I'm not based in the UK or EU and I don't care if they try to "punish" me.

  • a2128 8 hours ago

    > Your browser becomes your personal privacy enforcer, and the law would require it to act on your behalf. Based on your one-time choice, it would be responsible for allowing or declining cookies from every site you visit. If a website tries to use a cookie with an unclear or undeclared purpose? The browser simply blocks it—no questions asked.

    ChatGPT writing aside, how does the author expect browsers to do this exactly? It's not as if website developers are declaring the purpose of each individual cookie. Browser developers already added a Do Not Track header option and to the surprise of no one, it was a massive failure because websites have every incentive to skirt this stuff.

    And today the GDPR law extends much more than cookies, it requires explicit consent for processing personal data in general. Your browser has absolutely no bearing on whether a website's backend will save the pages you visited, the text you entered, your IP address, and whether it shares it with 500 partners or not. This problem fundamentally requires cooperation from website developers and that's why we have the law targeting websites as it is today.

  • bjord 8 hours ago

    current malicious compliance by websites aside, would this not put the onus on browser devs to, site by site, identify which cookies are actually "necessary"?

    side note: ublock origin has optional filter lists for blocking these banners

  • jmbwell 8 hours ago

    I think targeting web sites was the right move because it was the web sites who were doing all the tracking.

    Of course now we also have browsers to worry about as well, being products of the same ad companies that were clogging up the web sites in the first place.

    But if cookie laws pushed data collecting web sites to malicious compliance, surely similar laws would do the same to (also data collecting!) browser providers. I’d prefer to avoid inviting browsers to add another layer of bullshit. And there’s no reason it would make web sites behave differently… if I’m a web site bound to comply with laws, I’m probably going to cover my own ass and keep doing what I’m doing without assuming the browser will handle it. Rendering the browser controls redundant and ineffective.

    If we want to look for core flaws, look at allowing a handful of giant companies to control the market for personal data — or to traffic in personal data at all.

    Ad companies have convinced the whole economic system of the Internet that they are inevitable and essential. They are neither. But we won’t fix that either.

    The solution is to get off the damn internet, but short of doing that, I’ll prefer to keep my options open to disable telemetry on my own terms.

    Here’s something I would like, though: total sandboxing per web site. Let every domain be alone in its own room of cookies and telemetry. Let it think I only ever visit that site, and optionally always for the first time. I shouldn’t have to blow away all my cookies all the time just to keep Facebook from following me all over the web.

  • everdrive 9 hours ago

    It's also the case that really making cookies painful just pushes more tracking to other places such as browser fingerprinting, which is much, much more difficult to defeat than cookies.

    • jraph 8 hours ago

      Note that the GDPR doesn't make a difference between cookies and browser fingerprinting. It doesn't concern itself with the technical details.

      Whatever applies to cookies also applies to browser fingerprinting.

      • everdrive 8 hours ago

        Makes me wish we had something like in the US. But, thanks for letting me know, I wasn't aware!

        • jraph 8 hours ago

          Crossing my fingers for you mates!

  • ambyra 7 hours ago

    A browser extension or addon that automatically sets the user's preferences and hides the site's popup. Does it exist?

    • coldpie 7 hours ago

      uBlock Origin settings, enable the Cookie Banner and Annoyances filters.

  • rtkwe 8 hours ago

    The browser doesn't know what each of the cookies are for so that's still relying on the sites to properly accept this new setting.

  • gnud 9 hours ago

    For Knuth's sake: The GDPR is NOT about cookies! The older 'cookie directive' is also NOT about cookies! They're about a third party storing their data on your computer, or storing your personal data on their computers - no matter what technology is used.

    Nothing in the GDPR stops websites from honoring "Do not track" and then _not asking_ if it's present. They don't have to ask if they don't track you! They don't have to ask for a technically necessary session cookie that appears after you actively log in!

    Websites ask because they want to track you! A 'law targeting browsers' would not help because people would say no to cookies, and then websites would ask about some other way to track you. Because they want to track you.

  • harel 9 hours ago

    Amen to that, and to Age verification mentioned by @vmaurin. I get cookie rage sometimes from those banners. Most definitely I suffer from consent fatigue.

  • lifeisstillgood 8 hours ago

    My 2c: actually it’s the problem of mixing security and identity mgmt with tracking and marketing

    The main reason I don’t turn off cookies everywhere is so many sites put my login token in a cookie. Hopefully as a random nonce but even so, it’s using cookies for security.

    We are all so used to it that it is a massive blind spot.

    We should move to Fido/webauthn - everywhere. Most all the population has a really impressive Secure Enclave in their pockets

    • Kbelicius 7 hours ago

      > The main reason I don’t turn off cookies everywhere is so many sites put my login token in a cookie. Hopefully as a random nonce but even so, it’s using cookies for security.

      AFAIK there is no need for a cookie banner for a login token. It is necessary for the functioning of the website.

  • j45 an hour ago

    Interesting idea.

    Regulating browsers could regulate a free and open internet though as well.

    Only permitted to use certain browsers that can do certain things.

  • 1vuio0pswjnm7 6 hours ago

    The annoyances are dependent in part on the software (browser) used

    I do not use a popular browser to make HTTP requests or to read HTML. I never see these annoyances. I don't store cookies except for HN and a few other exceptions. Nor do I run Javascript. The annoyances cited in the OP appear to be targeted at people who use certain web browsers that enable these "features" by default

    This demonstrates to me that the annoyances are in part contingent on the browser, e.g., browser "features" such as Javascript

    Perhaps convincing all www users to use the same small set of Silicon Valley-controlled browsers is prudent according to some Silicon Valley logic. But when these browsers are all provided by commercial entities that profit from "advertising services" and each has "business" interests^1 that run counter to the interests of some www users,^2 then it makes sense for www users to consider alternatives

    1. For example, data collection, surveillance and targeted advertising

    2. Thereby prompting government regulation

    For example, it is possible to retrieve information from websites, e.g. "check a product price or read an article", using software that does not serve an internet advertising objective. No cookies or Javascript required

  • ByteDrifter 7 hours ago

    Letting the browser handle cookie consent makes it feel like part of a privacy operating system.

  • OrderlyTiamat 8 hours ago

    > Imagine if every time you got into your car, you had to manually approve the engine's use of oil, the tires' use of air, and the radio's use of electricity. It’s absurd, right? You’d set your preferences once, and the car would just work.

    A funny comparison to me. Actually, I have to manually disable some EU regulated features every time I get into my car. The alerts every time I go 1kmph over the speed limit aren't very relevant for me, and the lane keep alert buzzes as soon as I'm slightly over halfway to the left, but lets me drive along fine if I'm even over the line on the right.

    I'd actually like to use both of these, but only if I could calibrate them to my needs.

    ...

    Just like cookie banners.

    • Nextgrid 8 hours ago

      Search on forums/etc for your particular car brand about which compatible scan tool to get (you want the manufacturer-specific one to be able to change settings, not the generic OBD2 which only lets you read engine & emissions data), get one and then disable the setting. Those are typically controlled via settings so that the same car can be sold in different regions.

  • pbiggar 9 hours ago

    The cookie laws make it so that web sites have to ask permission to track you, surveil you, sell your data, etc. And surprise, almost every website wants to track you, surveil you, and sell your data. The EU should have just banned the unethical behaviour, the middle ground of every single website asking for unethical tracking is a travesty.

  • amelius 9 hours ago

    With all the AI we have, shouldn't browsers be able to click the cookie banners for us? In a way that we want?

    • jraph 8 hours ago

      uBlock Origin's cookie banner lists do this without AI.

  • loeg 6 hours ago

    The GDPR people want the banner noise to make you feel like cookies are bad. Without that, we would go back to the status quo from ~five years ago when websites just worked and did whatever with cookies, and there weren't stupid banners everywhere.

  • rootshelled 8 hours ago

    I wanted to read the article about cookies but gave up after seeing this many ads.

  • AJ007 9 hours ago

    What about by default web browsers are required to have Javascript disabled and uBlock installed and running? They could do a reverse Google, and make it so it's impossible to uninstall uBlock.

    If we are going to go down the path of mandating legal liability on software makers of a neutral communication medium, then the EU should just break the commercial web.

  • mrinterweb 5 hours ago

    This seems like a good opportunity for a browser company like Mozilla to offer a GDPR compliant library that is easy to integrate that automatically applies user privacy preferences instead of showing the GDPR prompt. Opensource the library, and promote it. Try to make it an open protocol so other browsers can implement this.

    To be real though I'm sure that many sites would not want this because they rely on GDPR fatigue and users to just accept instead of taking a few seconds to opt-out.

  • redwood 8 hours ago

    It's pretty sad that Europe basically weakened the web experience for everyone. Pure vanity. Pat themselves on the back and tell themselves we're all more privacy oriented now. Great.

    Except that the noble cause has not been achieved but it has made the web worse.

  • sebtron 8 hours ago

    Daily reminder that no law requires websites to show popups. They could simply stop tracking users. Your website will still work, trust me!

  • charles_f 6 hours ago

    > Imagine if every time you got into your car, you had to manually approve the engine's use of oil, the tires' use of air, and the radio's use of electricity

    Metaphor is incorrect. Tracking you is not essential to the function of the website. A more appropriate one would be:

    > Imagine if every time you got into your car, you had to approve or reject GM tracking your trip, the number of people in the car, recording your conversations, and sharing all of that with 500 indiscriminate partners including your insurance, law enforcement, supermarkets in the area, and why not your spouse or partner.

    Or better even

    > imagine if every time you entered a physical store they asked for your id and made you sign a contract that allows them to track you and sell that information

    The proposal in that article sets a default tracking preference, it's trying to fix a UX issue with more UX. What it's missing is that there's no EU mandated UX. You don't have to show a banner if your cookies are not used to track random people on your website. The reason why it's bad UX is that it's bad on purpose, skimming the line of legality by deploying as many dark patterns as possible to trick you into consenting to your soul and your children's, in a desperate attempt to make that god awful banner go away and finally access your shot of endorphins.

    Websites could very well decide to use only non tracking storage by default, and not show you a banner. Or have everything checked off with a single click to make the banner go away. Sending you to a separate page full of checkboxes and legalese is a choice, and a nefarious one, because most people don't want to be tracked.

    If anything I think the law should be strengthened: make tracking default-off, and allow users to consent to more if they so wish. Not consenting should be a single, obvious click (or no click at all), rather than a sub menu. Your information should not be shared or sold by default, or even better, not sellable at all.

  • NegativeK 9 hours ago

    So why didn't GDPR require Do Not Track to be honored? It was already there, to be expanded on if needed.

    But I can't imagine companies would want that. They benefit from cookie dialog fatigue, and for some reason people blame GDPR of all things for surveillance tech being annoying in how they ask for permission.

    • p_l 9 hours ago

      GDPR does not mandate specific technical solutions.

      But actually honoring DNT properly would immediately mean no consent banner, but the consent banner is there to fool you into giving up your rights while providing (flimsy) legal cover for the company.

      • johannes1234321 8 hours ago

        The banner is also there to make you complain about EU bureaucrats, for having the law changed. And it works: Outrage is often on EU cookie banners, not in people selling our data.

      • jeroenhd 8 hours ago

        While this is true, the EU does have a tendency to step in and start enforcing technical requirements if the industry doesn't respond. USB-C, for instance, has been standardised, because attempts to tell the industry "one plug, you people figure out which one" didn't work.

        It's still early days for the GDPR (relatively speaking), but I can see the EU enforcing a particular privacy-related mechanism eventually.

        It also doesn't help that DNT is just a boolean signal, it doesn't give you the control over your data that the GDPR demands.

        • p_l 6 hours ago

          Relatively speaking GDPR at this point is just shy of 30 years old - that's when most of the effective rules came into play.

          What changed the most with GDPR is that enforcement now has teeth. Not as big teeth as say, NIS2, which actually has executives more concerned than middle level about being compliant, but still big.

    • shadowgovt 9 hours ago

      It is entirely possible the lawmakers who put together GDPR were bad at their jobs and didn't consider better technical solutions.

      • kiicia 6 hours ago

        gdpr does mandate any technical solution

        technical solutions are chosen by companies to have as much dark patterns as possible to force you to consent

        companies that want to sell user data are bad guys trying to make gdpr look bad

  • kreetx 8 hours ago

    Can anyone make out who writes nednex.com articles?

  • kiicia 9 hours ago

    we had it already, it was "do not track" header, whole ads industry worked very hard so in the end it went nowhere...

  • t1234s 8 hours ago

    cookie laws shouldn't exist. all browsers have privacy settings and have had them for many years.

  • tefkah 9 hours ago

    Internet's biggest annoyance: AI slop blogposts

  • Geee 8 hours ago

    Also, a lot of people forget that you don't need a cookie popup. apple.com or tesla.com doesn't have one. Plenty of others, but they're quite rare.

    I absolutely hate unnecessary cookie popups, e.g. when you're already signed in and have accepted privacy policy. Or, when accessing a parcel tracking service or similar.

    It's always annoying, but there are clear cases when you don't need to track users and it probably just drives them away or makes them angry.

  • sReinwald 8 hours ago

    This screams of classic techno-optimist "just build one simple solution" mindset.

    Yes, consent fatigue is real and nobody likes these cookie banners. Which is also the exact reason why I think they are important. Making tracking visible to the user is the point. It creates an actual "cost" for tracking by forcing websites to actively ask the user to consent. The moment you hide it in a one-time set-and-forget browser setting is the moment when informed consent dies, tracking becomes invisible, and accountability disappears.

    We are also looking at very perverse incentives here: Who controls the biggest browsers? Google's Chromium is basically the engine behind 80% of the browser market right now. Apple and Microsoft aren't exactly neutral parties either. Google is an advertising company, and Apple and Microsoft still have a huge interest in data. The idea that you should trust these parties to implement a "simple" consent system that runs counter to their business model is... optimistic, to put it mildly.

    You would also have to trust websites to accurately categorize their cookies. If your cookie preferences are a set-and-forget setting in your browser, are you sure that random website you just visited didn't declare Google Analytics as "essential" for their website to work? Are you going to check?

    The blog post also assumes cookie preferences are universal, but perhaps I'm okay with analytics on a random tech blog but absolutely not on a website about medical issues.

    The funniest part: The "Do Not Track" signal already exists, and it failed spectacularly. The post even mentions it. DNT was supposed to be exactly this simple, browser-level signal. And websites just ignore it.

    Sidenote:

    > Imagine if every time you got into your car, you had to manually approve the engine's use of oil, the tires' use of air, and the radio's use of electricity. It’s absurd, right? You’d set your preferences once, and the car would just work.

    Yes, absurd. Except that's more or less happening with different features. Every time I start my car, I need to manually disable the speed limit warning because it's annoying, and the lane keep assist because I feel like it is overly aggressive and sometimes genuinely dangerous. Also, the analogy is exceptionally weak. The author compares mechanical necessities (oil, air) with optional data extraction. That's hardly the same thing. Cookies required for basic functionality of websites are usually enabled by default. A more appropriate equivalent would be a popup by the car's dealership asking you to track everywhere you drive, and how fast, and if you looked at some billboards along the way.

  • secondcoming 4 hours ago

    The GPC flag is a setting in browsers that attempts to alleviate the cookie popup issue
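
The browser-level signals discussed in the comments above (the DNT header and the GPC setting) reach a site as the request headers `DNT: 1` and `Sec-GPC: 1`. As an added example, not part of the thread or of any site's code, this sketch shows a server treating either header as a refusal: no banner, and only essential cookies set. The cookie names, categories and function names are assumptions made for this sketch.

```javascript
'use strict';

// Constructed cookie registry for this sketch; names and categories are assumptions.
// A Map avoids accidental hits on Object.prototype keys such as "constructor".
const COOKIE_CATEGORIES = new Map([
  ['session_id', 'essential'],
  ['csrf_token', 'essential'],
  ['ui_theme', 'preferences'],
  ['_analytics_id', 'analytics'],
  ['_ad_partner_sync', 'advertising'],
]);

// Constructed sample of Set-Cookie lines an application might try to emit.
const SAMPLE_SET_COOKIES = [
  'session_id=abc123; HttpOnly; Secure; SameSite=Lax',
  '_analytics_id=u-42; Max-Age=31536000',
  '_ad_partner_sync=p-7; SameSite=None; Secure',
  'mystery=1',
];

// Case-insensitive header lookup (Node lower-cases names, other stacks may not).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return String(Array.isArray(value) ? value[0] : value).trim();
    }
  }
  return null;
}

// Map the two boolean browser signals to a decision.
// Either signal is a refusal that the site must not re-ask about.
// No signal is NOT consent: tracking stays off, but the site may ask.
function consentFromHeaders(headers) {
  if (headerValue(headers, 'Sec-GPC') === '1') {
    return { tracking: false, askUser: false, source: 'Sec-GPC' };
  }
  if (headerValue(headers, 'DNT') === '1') {
    return { tracking: false, askUser: false, source: 'DNT' };
  }
  return { tracking: false, askUser: true, source: 'default' };
}

function cookieName(setCookieLine) {
  const eq = setCookieLine.indexOf('=');
  return eq === -1 ? '' : setCookieLine.slice(0, eq).trim();
}

// Keep only the Set-Cookie lines the decision permits.
// siteGrants: categories the user opted into on this site; they are ignored
// when a browser signal refused tracking (a design choice of this sketch).
// Cookies missing from the registry are dropped: fail closed.
function allowedSetCookies(setCookieLines, decision, siteGrants = []) {
  const granted = new Set(['essential']);
  if (decision.askUser) {
    for (const category of siteGrants) granted.add(category);
  }
  return setCookieLines.filter((line) => {
    const category = COOKIE_CATEGORIES.get(cookieName(line));
    return category !== undefined && granted.has(category);
  });
}

// Stand-alone demonstration on the constructed sample.
const demoDecision = consentFromHeaders({ 'sec-gpc': '1' });
console.log(demoDecision.source, allowedSetCookies(SAMPLE_SET_COOKIES, demoDecision));
```

The registry is the trust boundary here: nothing in this code stops a site from labelling an analytics cookie "essential", which is the miscategorisation concern raised in the thread.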

  • phkahler 9 hours ago

    >> Most people do the same thing: sigh, their eyes glaze over, and they click "Accept All" with the muscle memory of a weary soldier.

    My instinct is to find the other option is either easy or obfuscated a little bit. But the EU regulation requires that it not take more than 2 clicks to do the other thing.

    I thought cookies were kind of evil back in the 1990's and I still think they need to go away entirely.

  • __bax 9 hours ago

    I said the same years ago

  • tveyben 6 hours ago

    And this article is full of another failure of the internet - ads…

  • amiga386 9 hours ago

    Uh... no.

    The purpose of the laws (GDPR et al) is to give me control over who does what with my data, data about me. The operator of the website is who the law binds. It's not even about the website - if I phoned or emailed, the same laws would apply. You need my explicit consent to process my data in a number of ways that you'd like to, it makes you money, but I don't want you to.

    The processors of this data can't make as much money off selling access to data about me, if I have these rights. So they petulantly get in my face as much as possible, via banners on websites, to annoy me and confuse me as to why these banners are even there, and try and trick me into letting them make more money.

    The banners, which a browser could block or autofill, are just the surface. And they're an attack surface, so even if we agreed a way for the browser to pass on your preferences (we already did this, it's called the Do-Not-Track or DNT header, and it was a complete failure because website-owners just ignored it), website-owners would add a second layer of "ah, I see you said no automatically, but are you REALLY sure you don't want to let me make more money from your data?"

    NOYB is very good for chasing after such charlatans, and forcing companies to obey data protection laws. Here is some of their guidance, and listing of the dark patterns used by non-compliant companies: https://noyb.eu/sites/default/files/2024-07/noyb_Cookie_Repo...

  • npteljes 8 hours ago

    By far from the biggest annoyance, to me that would be ads, and the slop that it incentivizes.

    Although, I too had enough of the cookie popups. Let's just ban (and enforce banning) cookie tracking, and be done with this nonsense.

  • wewxjfq 7 hours ago

    There can't be a blanket consent. You cannot consent to contracts you've never seen. You can't waive your rights away. Browsers could only implement a blanket deny, but that wouldn't stop websites from showing cookie banners, because they want you to click Accept All.

  • ekianjo 8 hours ago

    I would not trust browsers to keep my preferences though. Firefox keeps resetting stuff I disabled before. Zero trust zone unfortunately.

  • buellerbueller 8 hours ago

    HIPAA for all personal data. Period.

    You want to share it? Get my express consent.

    • Nextgrid 8 hours ago

      > You want to share it? Get my express consent.

      That's literally the GDPR? But the problem is that enforcement is severely lacking, so it is more profitable to breach the GDPR than to comply with it.

  • lunias 7 hours ago

    GDPR is pretty annoying for sure, a close second being websites that have as many ads as this one.

  • jasonlotito 9 hours ago

    If you hand me a book, you can't then complain I have your book.

  • g105b 9 hours ago

    The author's idea is "A Simple, Radical Idea: Put Consent in the Browser". So when you set up your browser, you get a single choice of whether you want websites to track you and sell your data.

    Here's an even more radical idea: the browser doesn't even ask you this, and by default it just respects the user's privacy and blocks all third party tracking.

    Can you imagine an internet where the user is put first?

    • jeroenhd 8 hours ago

      > Here's an even more radical idea: the browser doesn't even ask you this, and by default it just respects the user's privacy and blocks all third party tracking.

      DNT is legally void in several US states because it was enabled by default.

      If we do set up a browser-oriented solution, browsers like Firefox and Brave would default to the most privacy-friendly options practical, of course, but they already mostly do that anyway.

  • stared 9 hours ago

    To solve the root problem, we need to steer away from the ad-based revenue model.

    We use websites for "free" paying with data. A cynical take on that is "if you are not a customer, you are a product".

    If there were no adverts, quite a few things would change:

    * much less incentive to track users

    * way less distractions

    * higher quality content (since it is less about clickbaits and sheer volume of visitors)

    Yes, it means paying for stuff. Would love to pay per visit or time spent, provided it is easy.

    • arnvald 8 hours ago

      Unfortunately there's simply no way this is going to happen:

      * advertising is profitable for advertisers — they buy ad slots because it brings revenue

      * advertising is profitable for publishers — some of the biggest companies in the world (Google, Meta) make most of their revenue from ads

      * most people are reluctant to spend money, but they're ok to "spend" their attention and their data

      There were multiple attempts with micro-payments and nothing has worked so far. Monthly subscription is preferred by customers and companies, but there are only so many outlets that anyone will subscribe to.

      • stared 7 hours ago

        Sure, advertising is profitable. Yet, there are various regulations or social norms telling what is available and what is not. For example, we can think of covering a landmark "because it is profitable" - e.g. think of dressing the Statue of Liberty in clothes of a given brand, or covering the Greek Pantheon in free-to-play game ads.

        Of course, tastes matter. The US is littered with (in real world) advertising banners, my native Poland - even more. But there are quite a few places in Europe in which people would consider it off putting to use a glowing sign on a historical or otherwise clean design.

        So it is about both tastes and regulations.

        > most people are reluctant to spend money, but they're ok to "spend" their attention and their data

        This is a tricky part. Kind of miss times when we were buying paper newspapers.

        But let's take an example - devs were reluctant to pay $ for services. Not everyone and their dog pays for tokens.

    • itopaloglu83 8 hours ago

      Tracking will always be more profitable, because that allows you to know whom to target exactly. It’s the fundamental question of business, who are my customers etc.

      Tracking should be considered equivalent to putting an electronic tracking into every customer’s pocket when they visit your brick and mortar store. Then the question of privacy becomes more obvious. It is simply not acceptable to track people this deeply and invade their privacy so much.

      • stared 7 hours ago

        Tracking will be more profitable.

        But there is a dark difference if it is de facto the main source of revenue, or some scammy addition.

        In the latter case, it can be regulated - the same way as we have safety regulation for food or equipment. In some sense, the analogy is not that far off - the current web is made to be addictive. A lot of distractions have well known, negative impact on mental health.

  • peter_d_sherman 3 hours ago

    >"Imagine if every time you got into your car, you had to manually approve the engine's use of oil, the tires' use of air, and the radio's use of electricity. It’s absurd, right? You’d set your preferences once, and the car would just work."

    This is an excellent analogy of the problem!

    >"Yet, that’s exactly what we do online. We are asked the same questions, by every single website, every single day. This approach is broken for three simple reasons:

    Consent Fatigue is Real: We're so bombarded with these requests that they’ve become meaningless. The banners are an obstacle to be cleared, not a choice to be considered. True consent requires a conscious, informed decision, not an exasperated click to get the pop-up out of the way."

    Consent Fatigue -- That phrase is going into my 2025 lexicon! I love it! (Well, the phrase itself, not what it stands for! You know, the words, not the meaning -- the symbol, not the referent! :-) )

    Now I like the article's ideas and all (good ideas, very thought provoking, etc., etc.) -- but if cookie consent is delegated to people's browsers, then what if a court case comes up where someone is being sued for a cookie they agreed to, they're asked in court if they agreed to the cookie, and they respond with something like the following:

    "No Your Honor, I personally did not agree to that! The browser agreed to it! The browser is guilty, not me!"

    :-)

    (The same problem could occur outside of browsers, with AI's, if they are acting on behalf of someone... or chain of other AI's...)

    Anyway, great article!

  • kgwxd 9 hours ago

    Why would this need to be law? My browser already does this, because I, the "user" in "user agent", wanted it that way. Some sites don't work, but that's their choice, not mine, as it should be.

  • DocTomoe 4 hours ago

    But if we target only fifty browsers instead of five million websites, we cut ourselves off that sweet sweet punitive monies. It's much more lucrative for lawyers to have a 5-million-strong pool to sue rather than a 50-strong crew, which has significant money to pay lawyers of their own.

    Remember how many members of parliaments have a legal background. That's not a coincidence. It is safe to assume laws are deliberately written badly to create more work for their caste.

  • m00dy 7 hours ago

    lawmakers are mostly tech ignorant maybe that's why.

  • mystraline 9 hours ago

    The point of the 'annoy with consent banners' was to get people to 'allow (to be tracked) '.

    Denying would, in many cases, go up to hundreds of yes/no options, with no 'deny all'. Makes getting coerced permission easy, and active denial almost impossible.

    Of course, by not tracking, they don't need any of this crap. But surveillance capitalism must continue. Sigh.

    • nemomarx 9 hours ago

      Isn't not having a deny all button against the gdpr already?

      • jeroenhd 8 hours ago

        It depends. Denying consent should be as easy as giving consent, and consent needs to be informed. Without an "accept all" button/default, you don't need a "deny all" button.

        The GDPR doesn't really care about implementations like that.

  • varispeed 9 hours ago

    Most people miss that the Cookie Law was essentially the training phase for GDPR. It conditioned users to reflexively click “Agree” just to make popups disappear. Once that behaviour was normalised, GDPR arrived - now those same clicks legally authorise data collection and trade that used to exist in a grey area.

    That's why the more logical and simpler ideas were never on the table.

  • PaulHoule 9 hours ago

    Instead of forcing those cookie banners Europe should have had an Airbus moment and fully funded a privacy first web browser, then Europe would be a player in the web and not looking in from the outside.

    • fgkramer 9 hours ago

      I feel this would go down pretty bad considering the recent attempts to break E2E encryption on messaging. Also a very tempting vector for hackers and governments to track user’s behaviour

    • 4ndrewl 9 hours ago

      Except it's not about privacy.

      It's about consent.

      • PaulHoule 8 hours ago

        I hate to sound like Andrea Dworkin but I don't think consent is possible between a human individual and a 500-headed corporate hydra. It is much more straightforward to turn off third party cookies entirely or "respect DNT or go to jail"

        • GJim 8 hours ago

          > I don't think consent is possible between a human individual and a 500-headed corporate hydra.

          Hard disagree.

          Legitimate companies will obey the law; be that the GDPR, anti-corruption or anti-pollution laws to pick a few examples.

          • PaulHoule 5 hours ago

            Out of 500 companies that access your data the majority might obey the law, but 50 of them won't.

            There's also a basic imbalance of power -- for instance, if you don't fill out the paperwork to get medical care that says (1) everybody who could possibly have a reason to access your data can, and (2) we're going to do that at a cost 1000x more than just leaving all the paperwork out on the curb you don't get medical care.

            People don't really read all those clickwrap licenses, I mean, Sony makes you scroll to the bottom of a 50 page contract just to play a video game.

  • GuB-42 8 hours ago

    It already exists. It is called an ad blocker, or content blocker, whatever you want to call it.

    And we don't need a law for that, it is already working. We may need a law to protect that freedom, and for most part, it is on that side as we already have rulings saying that ad blocking is not illegal, and enforcement of browser choice, some of them having built-in blockers.

    • dns_snek 8 hours ago

      You need to understand that GDPR and consent requirements affect far more than just online ads and ad-related tracking. For example a website is legally required to ask for consent if they want to share your purchase history with data brokers. Collection of this data is unaffected by ad blockers.

      As the name says, it's a General Data Protection Regulation. It covers all types of processing from all types of entities, everything from big tech websites to your local yoga instructor who doesn't have any online presence.

      • GuB-42 7 hours ago

        My comment was in reaction to the article, which suggests that the browser shall act as a "privacy guardian", which I believe is already the case.

        It is also kind of ironic that the article suggests a technical solution to a legal problem, arguing that a legal solution doesn't work (consent fatigue, DNT, ...) and then suggests legislating on it.

        I wasn't implying that ad blockers are a substitute for GDPR, which goes way beyond cookies and things that can be done at the browser level.

    • croes 7 hours ago

      Of course we need a law otherwise companies just need to circumvent ad blockers and they act legal.

      And media companies like Axel Springer SE already try to make ad blockers illegal.

  • negendev 8 hours ago

    This is the way. The law is broken and was built on misunderstandings and is not enforceable, and also caused a ton of headache for internet browsing (no one really wants to enable cookies just to read a news article?). Enforce it at the browser level (by law) to prevent private information BY DEFAULT unless the user really wants to give their private information, and if they want to, then they can comply.

    Sorry for all the companies that like to track personal information, but this is how it has to be (not sorry).

    Maybe it will one day lead to elimination of (most) cookies and lead to cleaner browsing experience.

    • croes 7 hours ago

      Remember DNT? We already had that in the browser but websites started to ignore it when MS announced that their browser would set it to true by default.

      Let’s face it, users don’t want to be tracked, websites want to track. The cookie banners are the middle ground and the law already tries to prevent all those dark patterns to enforce „accept all“.

      I remember the early days when the cookie banner on Tumblr forced the user to deselect every single tracker of the hundreds of trackers they listed.

  • hirako2000 9 hours ago

    Exactly that, and how regulations are a sinking costs, at times for absurdly poor impact.

    the solution is simple, shift the cost of compliance, onto regulators!

    it would work like this:

    1/ Somewhat competent but disconnected from reality politicians vote for adding yet another rule.

    2/ Incompetent, disconnected from reality, so called Experts articulate how to implement the rule.

    3/ Estimate costs and report back to clouded brains up there.

    4/ Clouded brains but budget wise acute, look at the numbers, and say no way

    I bet we would get regulations that would always be welcomed by industries.

    We could start by rolling everything back, the "economy", you bet, would finally "recover".

    Without incentive to make it right, it can't be a surprise you get what you seeded for.