Ask HN: Has anyone gotten in trouble for not showing a “We use cookies, OK?” message? - edgartaor
======
amriksohata
The cookie law is a symbol of EU red tape that adds no value to citizens.
Browser tech is fast moving, there are so many other ways of fingerprinting a
user, from canvas fingerprinting, session storage and background apps and
extensions. The cookie law was invented by some EU non-technocrat that got
offended when they found out they were being tracked. The fact is companies
are getting away with it in other ways anyway, it's a pointless regulation that
cost companies thousands to implement across their sites but does nothing for
no one.

[http://nocookielaw.com/](http://nocookielaw.com/)

~~~
kayimbo
Thousands? Message me I'll add 2 sentences of dismissable text for only 1
thousand

~~~
amriksohata
Developer here, worked at a ticketing company that had to update various sites
with different styling for the popup box. Probably cost us a week or so or
more work. Multiply that by tens of thousands of businesses.

------
p49k
We have had advertisers/advertising networks refuse to work with us until we
added it. I don't know if that counts, but it sure makes it difficult to opt
out if you depend on ad revenue.

------
kenbaylor
It's from the EU Cookie Directive, updated in 2015:
[https://www.cookielaw.org/the-cookie-law/](https://www.cookielaw.org/the-cookie-law/)

and it's going to get more complicated under GDPR and the ePrivacy directive:

[https://www.informationweek.com/big-data/cookie-law-vs-gdpr-...](https://www.informationweek.com/big-data/cookie-law-vs-gdpr-whats-the-difference/a/d-id/1328344)?

GDPR is NOT limited to the EU, but is focused on protecting EU data subjects
no matter where they are, so US companies may be affected. Many US companies
are signing up for Privacy Shield, which is updated annually, so it will
spread beyond the EU in the years to come.

------
zeta0134
I've always wondered why these cookie warnings are required to be displayed at
the website level, with large, sweeping changes, and not the browser level.
That seems much smaller, just as visible, and easier to enforce.

~~~
Theodores
What do you mean by at the browser level? Should Chrome/IE/Safari 'know' the
site uses cookies and show something in the browser as per the https padlock?

As an aside I do find it funny how 'bosses' insist on the cookie notice to
make their website official looking.

~~~
imron
> What do you mean by at the browser level? Should Chrome/IE/Safari 'know' the
> site uses cookies

Absolutely! How else does it know to store the cookie on the user's machine.

~~~
dingaling
Storing cookies isn't the trigger for the warning; no notification is required
for cookies that are essential for the basic navigation and operation of the
website.

So how would the browser differentiate those cookies from ones which are being
used for data collection and tracking, which do require the warning message?
It would require some sort of intent-signalling protocol between the website
and the browser, which is probably more complicated than just requiring the
site operator to include a bit of HTML.

~~~
TheCoelacanth
For practical purposes, you could approximate it based on whether the cookie
is first-party or third-party and on the amount of time until the cookie's
expiration. For the most part, first-party cookies with a short time to
expiration are allowed without warning under the EU law, all other cookies
require the warning.
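
The approximation described in this comment, written out as an added example that is not part of the thread: a triage of `Set-Cookie` headers by party and lifetime. The one-day cut-off, the `pageSite` parameter (the visited page's registrable domain, supplied by the caller), the verdict labels and the sample headers are assumptions made for illustration.

```javascript
// Heuristic triage only; a verdict here is not a legal classification.
// Assumed cut-off for "short": the thread gives no number.
const SHORT_LIVED_SECONDS = 24 * 60 * 60;

// Split one Set-Cookie header value into a name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds, or null for a session cookie (no Max-Age or Expires).
// Max-Age wins over Expires when both are present, as in RFC 6265.
function lifetimeSeconds(cookie, now) {
  const { "max-age": maxAge, expires } = cookie.attrs;
  if (typeof maxAge === "string" && /^-?\d+$/.test(maxAge)) return Number(maxAge);
  const t = typeof expires === "string" ? Date.parse(expires) : NaN;
  return Number.isNaN(t) ? null : Math.round((t - now.getTime()) / 1000);
}

// First-party when the host that set the cookie is pageSite or a subdomain.
function isFirstParty(settingHost, pageSite) {
  const h = settingHost.toLowerCase();
  const s = pageSite.toLowerCase();
  return h === s || h.endsWith("." + s);
}

function triage(header, settingHost, pageSite, now = new Date()) {
  const cookie = parseSetCookie(header);
  const lifetime = lifetimeSeconds(cookie, now);
  const firstParty = isFirstParty(settingHost, pageSite);
  const shortLived = lifetime === null || lifetime <= SHORT_LIVED_SECONDS;
  const verdict = firstParty && shortLived ? "likely-exempt" : "needs-review";
  return { name: cookie.name, firstParty, lifetime, verdict };
}

// Constructed sample: [Set-Cookie value, host that sent it]; page is shop.example.
const SAMPLE = [
  ["sid=abc; Path=/; HttpOnly", "www.shop.example"],
  ["prefs=dark; Max-Age=31536000", "shop.example"],
  ["uid=42; Max-Age=60", "tracker.example"],
];
for (const [header, host] of SAMPLE) console.log(triage(header, host, "shop.example"));
```

A session cookie (no `Max-Age` or `Expires`) counts as short-lived here, and a look-alike host such as `evilshop.example` is not treated as a subdomain of `shop.example`.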

------
LeoPanthera
It appears not, even this site which is deliberately breaking the law as a
protest:

[http://nocookielaw.com](http://nocookielaw.com)

~~~
GalacticDomin8r
With Brexit, it seems this protest is largely meaningless.

------
adventured
This is the type of law that only starts getting regularly enforced when
there's a big headline worthy egregious privacy event that happens, that
prompts the authorities to have to posture to save face and pretend they're
acting to protect the well-being of the people. Until then, it isn't going to
be meaningfully enforced, it's too comically absurd to be worthy of the effort
for now. Enforcing it now would be herding cats. To do it properly they'd need
a sizable target or three to hammer down upon, to scare everyone else into
compliance; those target/s will be connected to the source of said egregious
privacy violation, that will be the chain of events.

------
MiddleEndian
For those interested, you can use [http://prebake.eu/](http://prebake.eu/) to
get a filter subscription to block cookie banners with your adblocker.

------
NumberCruncher
I heard about German lawyers being on the hunt for sites breaking the laws
like the cookie law. In Germany being sued can get pretty expensive pretty
quickly, especially for small sites. I wouldn't put anything online without a
corporate body protecting my private wealth, which can be sued and go
bankrupt.

~~~
germanier
Note that in Germany no corporate structure will protect the owner-operator of
a small company from personal liability. This is through something called
Geschäftsführerhaftung which explicitly applies to mistakes regarding
competition law (which are the legal actions you talk about) the director of
the company makes personally.

The correct way to shield oneself from liability in Germany is to have
appropriate insurance plus paying a lawyer to continuously check the business
for compliance.

------
sdfjkl
My solution was to not use cookies. For a static (generated) blog, that's very
viable.

------
thehoneybadger
Generally, when a visitor visits a website, which I call an interaction, then
they must agree to its terms of service. This forms a contractual
relationship. Contracts are private, and outside of things like not promising
to do something illegal, it is up to each party to decide on its terms. In
this case the website generally decides on the terms, and then the visitor
opts into them through use of the website. Much of the issue lies within
contract formation. When a lawsuit happens later, one thing that is frequently
questioned is whether the contract is valid. A common angle is to claim the
contract is invalid because it was not correctly formed. Bad contract
formation. For example, in a different setting, you didn't sign your name on
the dotted line when buying a house or something like that, so there was never
a contractual agreement, so there was never an actual sale, etc.

However, there is case law (law made by judges who hear cases and issue
opinions) that says that sometimes contracts can be implicitly formed. For
example, if you as a website visitor are given proper notice of a website's
terms of use, and then you continue to use the website, you have implicitly
agreed to the terms of use. Even if you didn't sign anything, or check any
box somewhere saying you agree. No explicit action has to take place.

Except, that is not exactly worldwide statutory law (laws passed by government
and written down in the books with codes like Law #1234.56). While the issue
of formation is mostly settled, there is still some room for creative legal
maneuvering. Aka lawyering the shit out of things. Aka screwing things up because
someone with deep pockets is paying you to win using any angle you can get.

This cookies notice and agreement probably falls right into this category. And
while it is generally settled law that the contract is formed even without
this agreement, some schmuck somewhere still thinks there is wiggle room, but
it is merely case law and not exactly authoritative, especially not in the
international setting.

When in doubt, lawyers adhere to CYA. Cover your ass. Use the narrowest, most
conservative, safest interpretation of the law. In this case, there is this
tiny bit of doubt, so CYA. Just in case.

I personally believe you can make a good argument that a contract is implicitly
formed merely from continued use, and the notion of requiring express consent
is outdated. The law is catching up to how things are done online, the trend
is rather obvious, and anyone whining about it is probably just some
established cash cow business that somehow wants to manipulate the market to
further extend its antiquated business practices and is willing to spend
millions of dollars on go screw yourself legal teams.

So, yes, you could theoretically get in trouble. But you are not likely to,
and anyone suggesting otherwise probably has an ulterior motive.

~~~
bryanrasmussen
case law is generally not as relevant in Europe as it is in the US.

~~~
rbrtl
Not quite as true in England, where Common Law is meaningful; e.g. only in the
last 2 years or so have private car parking companies been able to put
pressure on consumers to pay their fines because the Supreme Court ruled in
favour of a private parking company.

------
12Ar
test

------
aaron695
They would have front paged HN if they had, so no.

It's possible an obscure case might have slipped through the cracks (ie as
part of a larger case) but unlikely since it'd be great clickbait on a story.

