
No cookie consent walls, scrolling isn’t consent, says EU data protection body - sohkamyung
https://techcrunch.com/2020/05/06/no-cookie-consent-walls-and-no-scrolling-isnt-consent-says-eu-data-protection-body/
======
elric
Tangent: I wish the idiom of "placing" cookies would go away. Websites don't
"place" cookies. Websites can include cookies in their HTTP responses. Your
browser can include them in future requests. But it doesn't have to. There is
nothing in the HTTP spec that says you have to accept cookies or include them
in subsequent requests. There certainly isn't any reason to "place" them on
your computer.

If more browsers were still User Agents in the literal sense, maybe we
wouldn't have needed this legislation. Browsers could have informed people
about what cookies were, and could have presented the user with the option to
never accept tracking cookies from Big Advertising. Every browser has the
option to reject third party cookies or to clear all cookies at the end of the
browser session.

This mischaracterization of cookies has, ironically, made life a lot less
pleasant for people who don't accept cookies. The "opt-out" is just another
cookie. There's nothing special about them either, they can be used to track
return visitors just as well as any other cookie. I'm sure they're not,
because that would be against the spirit of the law ...

Not tracking people without consent is definitely a Good Thing, but it
shouldn't require everyone and their grandmother to put annoying cookie
banners on every website under the sun. And I think it wouldn't have, had
people been better informed.

~~~
dcow
Cookie banners have taken the internet back 20 years. Now every website has a
mandatory _popup_. And you can’t block this new breed because they're part of
the site.

~~~
Reason077
> _”Cookie banners have taken the internet back 20 years.”_

I agree. The EU cookie laws were well-meaning, but have had the unintended
consequence of making the web more annoying, more difficult to use, and more
fragmented.

The solution? Cookie consent should be a built-in feature of browsers and
http, not something that is reimplemented in a slightly different way by every
single website.

Your _browser_ should pop up a standardised cookie consent request when you
browse a new site, and _enforce_ your selection as part of its security
policy. If you choose to block all cookies (ie: private browsing mode) then
the cookie consent request wouldn’t need to appear at all.

~~~
bonyt
Browsers used to have this, sort of:
[https://i.imgur.com/AAm3AJs.jpg](https://i.imgur.com/AAm3AJs.jpg)

~~~
oceliker
Now I'm wondering why you were running this in 2019. I watch a lot of
nostalgia game reviews on Youtube and get the serious urge to build a '90s era
computer from time to time.

~~~
joeraut
Same here. Running some ancient OS/software in a VM can be pretty satisfying
though, especially since I don't have a whole lot of space for physical
hardware.

Many games wouldn't work well in a VM, of course, there's no getting around
that.

------
cactus2093
The EU cookie legislation is still mind blowing to me. In terms of widely used
protocols with terrible designs it's up there with US payment card processing
(want to make a $5 payment? Hand over the secret that gives the other party
the ability to take an unlimited amount of money from you at any time in the
next 4 years, and hope they don't misuse it).

Did no one involved in the cookie legislation think to run the idea by a
technical expert before passing it? Why wouldn't they have done something like
introduce an X-Allow-Tracking header in the http spec, and make the law
require that sites respect that header instead of every site making their own
cookie popup. Browsers could make that privacy setting as detailed as they
want as far as which requests they included it with, and the EU could strongly
recommend that everyone use browsers that they've approved as supporting that
setting (or even force it in various ways, like require any OEM browser that
ships with a device in the EU support that setting).

~~~
Rexxar
The law itself is perfectly sane. The problem is that everybody tries to apply
it in the worst possible way.

Let's imagine a world where a government forces car builders to add speed
limiters to cars. The car builders all decide to just cut the engine if you go
over the limit. Will you say the law is bad or that car makers are trolling
everybody?

It's the same for this law. But curiously everybody is prompt to say that the
law is bad. The reality is that a majority of internet actors are bad and are
just trolling us.

~~~
pembrook
> Let's imagine...the car builders all decide to just cut the engine if you
> go over the limit.

We don't need to imagine a world like that, because it has nothing to do with
what we are talking about.

Let's stick to the real world. The EU implemented a law. Everybody is scared
of the power of the government, so they implemented what they _thought_ was
the intention of the law, to avoid prosecution. The mom-and-pop flower shop
down the street could care less about making troll political statements about
technical internet topics.

Turns out, the law had stupid unintended consequences. Was the person who
designed it stupid? Or is the _entire world_ stupid?

If your answer is "the entire world is stupid," then I'd argue you don't
understand how the field of design is supposed to work.

~~~
mrweasel
The law has stupid unintended consequences because it would kill the business
of the tracking companies it targets, if they were to follow the intention of
the law.

The same companies have their customers convinced that they need data
collection to turn a profit.

As a result we see all kinds of stupid attempts to circumvent the law because
an entire industry of shady data collectors and brokers have convinced
businesses that the only way of making money online is by tracking people.

~~~
pembrook
You're starting with a false premise.

The basis of your argument is: _All data collection is bad._

Therefore, in your model of the world, an evil conspiracy of bad actors are
looking to strategically undermine the law with various dastardly convoluted
schemes. I understand why you're arguing that, given the premise you're
starting with.

However, the majority of businesses on the internet are not doing evil things
with your data. They simply want to better target their offerings to their
customers, allow for you to keep items in a shopping cart, etc. If they are
providing better services to their customers, they make more money and the
customers are happier. It's a win win for everybody involved.

Could it simply be that, most businesses put cookie popups on their sites
because they don't want to get fined? Not because they are embroiled in an
elaborate scheme to undermine the law?

Could it be that the EU should have created a smarter law that would actually
help people be more aware of data tracking? Instead of stupid popups?

~~~
jcelerier
> They simply want to better target their offerings to their customers,

As a user I don't want anyone to "better target me" - no single exception.
Gosh I miss the time where we just burned the McDonald's...

~~~
speleding
I like ads tailored towards my interest much better than generic ads. Am I the
only one?

~~~
__david__
At this point I've blocked ads for so long that I don't think I could
_ever_ go back to not hating ads, targeted or otherwise…

------
esotericn
Can we kill off anything that takes more than a second or two to 'not opt-in'
as well?

It's obviously against the spirit of the law to have 200 different boxes that
must be individually unticked, or the sort of nonsense that Oracle were
pulling a while back (maybe still do) with the intentional delay spinner if
you don't 'opt-in'.

~~~
p410n3
That's actually what the new ePrivacy regulation is planning. It's just not
been adopted still, although it originally should have been 2018.

To quote:

"Simpler rules on cookies: the cookie provision, which has resulted in an
overload of consent requests for internet users, will be streamlined. The new
rule will be more user-friendly as browser settings will provide for an easy
way to accept or refuse tracking cookies and other identifiers. The proposal
also clarifies that no consent is needed for non-privacy intrusive cookies
improving internet experience (e.g. to remember shopping cart history) or
cookies used by a website to count the number of visitors."

Source: [https://ec.europa.eu/digital-single-market/en/proposal-epriv...](https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation)

~~~
peterhil
Finally! EU should have required browser vendors in the first place to handle
the intent of the privacy regulation on GDPR, to avoid having this
discussion...

~~~
PeterisP
A law requiring websites to honor 'do not track' header would be sufficient
and require no big changes to internet protocols or browsers.

People say that DNT failed because it was selected by default - but no, it
failed because compliance was voluntary. The EU principles require explicit
opt-in confirmation, so a browser setting that's set to "not track" by default
is a reasonable way to do it, it only needs enforcement to ensure that
websites (in EU jurisdiction) treat the DNT header as binding instruction to
not track that user.
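
What treating `DNT: 1` as a binding instruction could look like on the server, as an added example that is not part of the original thread: a JavaScript gate that withholds non-essential `Set-Cookie` headers. The `ESSENTIAL` allowlist, the cookie names and the sample headers are hypothetical and constructed; treating an absent header as "no consent yet" is an assumption of this sketch.

```javascript
// Added example, not code from the thread.
// Hypothetical allowlist: cookies this imaginary site needs in order to work.
const ESSENTIAL = new Set(['sid', 'csrf', 'cart']);

// HTTP header names are case-insensitive, so normalise before comparing.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return undefined;
}

// DNT: 1 is a refusal that overrides any consent stored earlier.
// An absent header, or any other value, is not consent by itself:
// tracking still needs a recorded opt-in (assumption of this sketch).
function mayTrack(requestHeaders, storedConsent) {
  if (getHeader(requestHeaders, 'DNT') === '1') return false;
  return storedConsent === true;
}

// The cookie name is everything before the first '=' of the header value.
function cookieName(setCookie) {
  const eq = setCookie.indexOf('=');
  return eq === -1 ? '' : setCookie.slice(0, eq).trim();
}

// Decide which Set-Cookie headers may leave the server for this request.
function gateSetCookie(requestHeaders, storedConsent, setCookies) {
  const allowTracking = mayTrack(requestHeaders, storedConsent);
  const sent = [];
  const withheld = [];
  for (const header of setCookies) {
    const name = cookieName(header);
    if (allowTracking || ESSENTIAL.has(name)) sent.push(header);
    else withheld.push(name);
  }
  return { allowTracking, sent, withheld };
}

// Constructed sample: what the application would like to set.
const OUTGOING = [
  'sid=9f2c; Path=/; HttpOnly; Secure',
  '_adid=u-7731; Max-Age=63072000; Path=/',
  'cart=3; Path=/',
];

// A visitor sending "dnt: 1" keeps the session and cart, not the ad id,
// even though an earlier opt-in is on record.
const dntResult = gateSetCookie({ dnt: '1' }, true, OUTGOING);
console.log(dntResult.withheld);
```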

~~~
contravariant
There are plenty of laws that would have been sufficient.

One of them would be to make browsers responsible for providing sensible
defaults. And while the public perception might think the webpages are at
fault it was the browsers that were responsible for storing and broadcasting
private data. Arguably without clear and informed consent.

Of course there are problems with requiring software to have sensible default
settings, but I reckon most problems with any legislation are due to the fact
that none of them address the fact that cookies are a perfectly private system
(with the user in full control of their own data) _provided_ browsers don't
send this data with every request without permission.

------
treve
It's time for a browser-level cookie consent API. The web interfaces are
almost always a pain, especially on mobile.

This would also open the door to extensions that just default consent to 'no'.
This can't be the default though, to avoid another failure like Do Not Track.

~~~
Deukhoofd
A browser setting replacing the popups is part of the new EU ePrivacy
Regulation, which is at the moment still being discussed. I hope it gets
finalized soon, because there's a number of improvements in there.

[https://ec.europa.eu/digital-single-market/en/proposal-epriv...](https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation)

~~~
livre
What makes that different than the failed do not track header?

~~~
jchook
The DNT header must be honored by the remote service, similar to robots.txt.

Since the browser itself stores the cookies, it has the absolute authority to
stop them.

~~~
livre
So is this just going to be a different/easier way to configure per site
cookies?

------
RandomBacon
One of my favorite bookmarklets to remove cookie notifications or other
obnoxious overlays:

    javascript:(function(){(function () {var i, elements = document.querySelectorAll('body *');for (i = 0; i < elements.length; i++) {if (getComputedStyle(elements[i]).position === 'fixed') {elements[i].parentNode.removeChild(elements[i]);}}})();document.querySelector('body').style.setProperty('overflow','auto','important'); document.querySelector('html').style.setProperty('overflow','auto','important');})()

~~~
Sir_Substance
I'd really like to see an addon that just blocks the css overflow attribute.
I've only ever seen it used by websites that try to stop people who are
blocking their giant modal popups from scrolling.

It might be that I'm dumb and can't figure out how to add a ublock/umatrix
rule to block it, but I'd love a single purpose addon that just deletes
"overflow:hidden" in all cases.

~~~
timdorr
I think you mean position: fixed or sticky? Overflow controls what happens
when the contents of a bounding box exceed its allowed size, which is usually
to hide or make the box scrollable.

~~~
barbecue_sauce
'overflow: hidden' is often used to make the content of a page unscrollable on
less technically adept news sites where the content is still present on the
page.

------
IgorPartola
This seems like it should have been handled as a browser feature, not an
add-on to every damn website. Especially since they tend to somehow forget that
you clicked accept or reject and keep asking you.

~~~
onli
This is handled as a browser feature. Regulators just did not care - and most
probably did not know about that.

~~~
Deukhoofd
It probably wasn't in 2002, when the current cookie law was written. The new
ePrivacy Regulation does want to replace it with a browser function though:

[https://ec.europa.eu/digital-single-market/en/proposal-epriv...](https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation)

~~~
Mirioron
Internet Explorer 6 gave you control over your cookies. It was even
recommended that you would set the slider to block all or most cookies. I'm
unsure about previous versions.

------
1f60c
A lot of websites seem to place cookies before you can consent to them doing
so.

I just loaded up the home page of The New York Times (a random example), and
it had placed 23 cookies on my laptop before the "Your tracker settings"
window finished loading. Now I still haven't clicked "ACCEPT", and we're up to
43.

~~~
epanchin
23 tracking cookies? Cookies have other uses.

~~~
1f60c
My understanding has always been that no consent = no cookies of any kind. Am
I wrong?

~~~
holtalanm
most of the web wouldn't function at all without cookies.

my understanding is no consent = no tracking cookies. session cookies are
okay.

IANAL, though, so I could be incorrect.

~~~
yjftsjthsd-h
> most of the web wouldn't function at all without cookies.

To be fair, though, that's pretty clearly a bug; at a minimum, any site that's
just serving content should be _fine_ with no cookies. Of course, any site
that's just content should also be at least 95% functional with no JS and
barely any CSS, and we all know how that worked out...

~~~
holtalanm
> To be fair, though, that's pretty clearly a bug

No doubt. I was just making a statement about the current state of the web.
Not applauding it in the least. :)

------
evancox100
Please just let me opt out of this cookie consent idiocy. How are we making
anything better with all these cookie consent pop ups?

~~~
coldpie
NoScript goes a pretty long way to making the web usable again, especially on
mobile (attn web developers: don't like people using noscript? it's your
fault. fix it.). There's also this, although I can't vouch for it personally:
[https://www.i-dont-care-about-cookies.eu/](https://www.i-dont-care-about-cookies.eu/)

~~~
aembleton
Or just add the list to uBlockOrigin
[https://www.i-dont-care-about-cookies.eu/abp/](https://www.i-dont-care-about-cookies.eu/abp/)

~~~
fireattack
Other similar filter lists:

EasyList Cookie:
[https://easylist-downloads.adblockplus.org/easylist-cookie.t...](https://easylist-downloads.adblockplus.org/easylist-cookie.txt)

AdGuard Annoyances filter:
[http://adguard.com/filters.html#annoyances](http://adguard.com/filters.html#annoyances)

(There is also "Fanboy’s Annoyance", but it blocks more than just cookie
notifications. For example, it blocks social media share buttons which I use a
lot. So I don't use it.)

------
simongr3dal
Pretty ironic that this is coming from techcrunch. I get the yahoo consent
wall every time I try to open their links.

~~~
csunbird
Their cookie wall is definitely not GDPR compliant, I am not sure why this is
not reported yet.

~~~
alkonaut
Why do they even run a story where the main takeaway is "The site you are
reading this on, is breaking the law"?

Is TechCrunch some kind of bot aggregated site? Or is the irony just lost on
them?

~~~
asdff
I'm willing to bet the writers have never seen the site in its modern form.

------
axegon_
While the cookie initiative has a good intention, I really don't think it's
actually useful. Large amounts of the population (willing to bet north of 99%)
have absolutely 0 clue what cookies are in the context of the web or what they
imply. Most people just click on "accept", just to get it out of their way.
And I do too often enough, granted I know the site I'm on.

Most people I've talked to who are not strictly technical are blown away by
the realization that facebook for instance knows any site you've visited so
long as it has a "like" button on it. "But wait how is this so?" is what I
often get. To which I take a deep breath and say "You know what... It's
magic".

Truthfully people concerned about privacy either know what they are doing or
use VPNs, Tor and so on. The whole "consent" thing has simply turned into
another annoying popup at this point.

~~~
alkonaut
> Large amounts of the population (willing to bet north of 99%) have absolutely
> 0 clue what cookies are in the context of the web or what they imply. Most
> people just click on "accept", just to get it out of their way.

That's exactly the reason the law exists! And that's why it has to say that
the clueless option ("just clicking") should be the one _preserving_ your
privacy.

It's why the law goes through such lengths to make the dumb thing the right
thing: Because it's supposed to protect the privacy of people _without those
people even having to know what happens_.

~~~
axegon_
I disagree. Your argument is the theoretical one, while mine is the practical.
As I said, people do not know what cookies are and even if they did, everyone
who has done analysis on user behavior knows that none of that makes a
difference. Presented with two buttons, red and green, most users will click
on the green one, without reading what either one of them says or implies, if
they have some incentive to get to the other side. I've personally tried this
with countless A/B tests and the results are evident every time: mindless
clicking/tapping.

~~~
alkonaut
Then the law should be even stricter. The spirit of the law is that the no-op
or mindless click should be the non consent. That’s why it has to be the more
prominent option.

Even coloring the consent button green and the reject red is clearly against
the spirit of the law, if not the letter.

I’m all for having a law that’s so strict that it requires a more complex
action to consent (e.g if reject-but-continue is a click then consenting has
to be a checkbox first etc).

Mindless clicking is what should be handled. If users have to
search/read/think the law is not going to help - but it should be there to
help those who won’t/can’t.

~~~
axegon_
In principle I'm with you completely, you have my vote here. But as I said
there is a universe of difference between theory and practice. Make the law as
strict as you like, "Never underestimate the power of stupid people in large
groups". Your users are people in large groups, even if they are separated
physically. The political, social and as of recently the hygienic world has
hammered all the nails in this coffin in recent years I'm afraid.

~~~
eitland
This isn't about stupid users but about companies deliberately
"misunderstanding" while going out of their way to do exactly what the law said
they shouldn't do and hoping they'll get away with it like they did with the
old "cookie law".

Edit: also, another observation from the field: Often the users aren't as
clueless as certain lazy admins claim. And I am a sysadmin :-)

~~~
axegon_
I'm a developer and given the things I've seen users do, calling most users
stupid would be a gross offense towards stupid people. It is precisely because
I know how twisted and convoluted a system could be that I'm incredibly...
"Meh" towards the whole cookie fiasco. What's more there's things such as
AmIUnique[1], which are pretty significant. In my case some stats:

User agent: <0.01%

Content language: <0.01%

On the subject of content language alone I'm willing to believe I'm more
likely to be <0.00000001%. So combine all those together, and I'm pretty sure
you can narrow down my identity to a single digit number of possible
individuals, if not pin-point me exactly, without bothering with cookies at
all. Which makes the whole privacy argument pretty stupid to begin with. Take
someone like google and how many people use google analytics. Forget the
cookies, forget everything: "oh I know this guy"! Same story with facebook
like buttons and whatnot (if I hadn't blocked all traffic from facebook that
is).

[1] [https://amiunique.org/](https://amiunique.org/)

------
jpswade
I'm still not convinced about this law. While I think the intention behind it
is noble, in many cases, it does not apply while in others it's simply
unenforceable.

Here's some examples:

- [http://www.lingscars.com/images/pdf/icoletter.pdf](http://www.lingscars.com/images/pdf/icoletter.pdf)
- [https://nocookielaw.com/](https://nocookielaw.com/)

~~~
icelancer
Yeah it's complete bullshit. We're not serving notifications on our sites.

------
Nursie
You don't need a banner or a dialogue.

You just need to stop tracking people.

If you don't engage in tracking - congrats, you get to have a website without
this shit.

Stop complaining that the GDPR has broken the web and start realising that
every site with a dialogue up is sharing your every move with anyone that will
pay.

------
beastman82
I don't know about you but I consider this cookie consent thing to be an
example of regulatory overreach and a giant pain in the butt

~~~
pedro_hab
yes, annoying as hell, I'd like to know stats on this, who cares about
cookies?

I sure as hell don't, my mom and aunts don't, they have a harder time using
the web because of this.

It makes everyone a privacy nut job, when most of us don't care.

~~~
belorn
I don't know anyone who cares about cookies, but I know a lot that care about
their private information not being sold and ending up causing trouble. People
who are in the "elderly" demographic especially do not like when their data
ends up being sold to call centers focusing on calling old people (in very
scummy ways), and in one case they basically had to give up answering the
phone because each day they received several calls that tried to sell one type
of crap after another. A few years ago there was an article here on HN from a
person who worked at such a call center, and they straight up described how they
bought information such as that in order to target vulnerable people.

Another person I know had issues with identity theft and is now quite
concerned about their data being thrown around. Once a person has gotten
burned they tend to become a bit more concerned about the potential issues of
private data just floating around everywhere.

But neither person cares about cookies. They don't work with computers or care
about web technology. The cookie existence or non-existence is completely
irrelevant.

~~~
pedro_hab
I can see that but it sounds like a long shot, I do get a lot of spam and the
"good ones" don't come from cookies, in my case none came from cookies.

Most come from places where you give them your info, like phone number and
address.

If you are going to do such a broad requirement, I'd like to see info on this,
how many scams are run on cookies? Is the price of adding these cookie walls
worth it?

To me this seems to be run on top of privacy nut jobs who don't get the real
privacy threats we are facing.

I am much more concerned on broad usage of facial recognition than I am of
cookies of recipes my mom reads online.

Now you can't exchange a service for data anymore, this is outlawed now, I
don't know if that's good.

~~~
belorn
If it's such a long shot I would be very happy with simpler laws that just
address those issues. Let's say:

If data a company collects about a person ends up being used by scummy call
centers or data identity theft, then any victim should have the right to
compensation equal to 10x of any monetary losses, and for every 100 victims
the legal person responsible at the company that authorized the data
collection should get 1 year in prison. No consent needed, no exceptions
allowed. Just simple damages and jail time.

Sadly laws are not written like that and companies would not want to exist
with such a sword hanging above them, so we end up with laws like GDPR that
try to have enough threats to push companies in the right direction, with
mixed results.

~~~
pedro_hab
Yeah, that could have been better.

But the irony is what makes me angry, the government will create such nice
laws to protect us from the tyranny of corporations, when governments are
collecting all types of data, specially facial recognition, which IMO are way
worse than cookies.

------
fxtentacle
We need a service that'll visit the website for you, consent to all the stuff,
take a screenshot and then wipe all browser data. Of course, the service would
use the same browser and one static IP for all users.

And then on your actual device at home, you only ever look at the screenshots.

That way, it becomes technically impossible for these websites to collect data
on you, no matter how much fake consent they acquire.

------
alkonaut
Good. Now stop clarifying and start enforcing. Pick a few large players and
make examples of them. Just demonstrate how this law can actually be applied
to actual cookie wall cases.

So long as _any_ company thinks "I'll just use this dark pattern until we get
complaints, everyone else is doing that and I don't want to lose ad income for
no reason" the law is broken. The example has to be so clear that it is
perceived as _better_ to have the company die from lack of ad-revenue, than to
put up a cookie wall.

Companies should think "Ok we'll just have a discreet and compliant opt-in and
hope that people will actually use it, and if this kills our business that's
still better than the horror story that happened to FooCorp when they tried to
pull that cookie wall stunt."

~~~
MattGaiser
Yay, let the EU slaughter what remains of the content ecosystem.

~~~
MiroF
The "content ecosystem" slaughtered the print ecosystem. If their revenue
derives exclusively from invasive tracking, then "oops" they should have
planned better. So it goes.

No industry has a right to exist.

~~~
samoa42
> No industry has a right to exist.

very well put

------
eMSF
Somewhat ironically a consent wall is exactly what TechCrunch presents to an
EU visitor the first time, and there's no opting out; only way to get past the
consent dialog is to consent.

I know this especially well because I automatically clear all browsing data
each time I close my browser, and techcrunch.com is one of the domains I avoid
on HN because of the more annoying "welcome" on any page. (edit: +n)

~~~
fuzzy2
Oh, but you can opt out. You first need to click the other button. Then again.
Then you get the list of hundreds of “partners”, for each of which you have to
manually figure out how to opt out.

And then, in the end, you undo all your hard work opting out of hundreds of
services by having to press the accept button anyway. :-D

/edit: Heh, yea. It’s not just “hundreds”. It is _way more than 1000_
“partners”. Insane.

~~~
mcv
At some point I just stopped reading sites that make it too hard to opt out.
Though I would really like to have a browser that automatically opens links to
such sites in incognito mode, accepts the popup for me, and makes sure
everything is thoroughly deleted afterward.

~~~
BaitBlock
The chrome and firefox extension I made:
[https://baitblock.app](https://baitblock.app) has a feature called tracking
resistance. It deletes cookies on websites that you are not logged into
automatically

~~~
mcv
That sounds perfect. Login is the only legitimate use case for persistent
cookies that I can think of.

~~~
kerkeslager
Logins are a common enough use case that browsers should simply support it
directly, and drop support for cookies entirely.

There's no reason we can't have sites set an auth token, and send that in
under the Authorization header. And then when you want to sign out of a
website, you can have a button for that _in the browser_. The tooling already
exists in the HTTP standard, it's just that it's only widely used for server-
server communication.

~~~
antsar
Wouldn't advertisers just use the auth token as a cookie then?

~~~
developer2
Bingo. "Auth Token" simply becomes "Session ID", and the backend then tracks
anything it wants as part of the session.

I don't see much of a solution other than making it a matter of policy, eg.
Microsoft's "P3P" header. Otherwise authentication credentials need to be
supplied with every request. Not a session id or token as a cookie, but the
actual username and password being supplied with every request. Basically the
old http basic auth, but with a more modern system to replace it.

I understand the core idea behind the EU's desire, but the fact is that
cookies are absolutely required for login sessions, and it's impossible to
allow users to opt out. The EU doesn't understand the tech behind the laws
they are trying to enforce, and this is where it leads to. Absurdity.

------
austincheney
Continued use of cookies is evidence of just how incompetent web development
practices are.

Cookies allow storage of 4kb data in a file per single origin policy domain.
They are slow to access and require an archaic API. At one point this made
sense because it’s all we had.

Local storage features an amazingly primitive API, stores 5mb per domain, and
is dramatically faster to access. Local storage has achieved universal support
since IE8. From a storage perspective localStorage is a complete and superior
replacement for cookies.

The only remaining difference is that cookies are artifacts separate from the
browser. They can be sent in an HTTP response without either a unique HTTP
request and without appending that data to another artifact, such as hidden
text in an HTML file. localStorage does not have that as it is meant to be
local and thus would require JavaScript to write data from an HTTP response
into storage. One extra step.

In practical terms all that means is that cookies can be written by a server
application by developers who lack basic understanding of browser
technologies. In software we call this kind of incompetence _”accepted
practice”_, but other industries call it _negligence_. I suspect if end users
sued individual developers by name every time they were harmed or violated by
bad software there would be less negligence in the world.

~~~
STRML
It is not that simple. Cookies can have attributes such as "HTTPOnly" (don't
allow access from JavaScript), "Secure" (only send on TLS-enabled sites), and
expiry. While it may seem possible to replicate some of these with JavaScript,
there are a few problems:

1. Not everybody has JS enabled (your content site shouldn't require it)

2. If using localStorage, users can write their own data. Depending on how
you store data, this ranges from "not a problem at all" to "serious attack
vector". At the least, it increases risk if an attacker gets XSS.

3. Data stored in localStorage can't be transmitted upon page load, it has to
be transmitted after the initial load, once scripts have executed. For some
things, this is fine, for e.g. auth, this is pretty bad.

They are different technologies: localStorage & sessionStorage are not a full
replacement for cookies.

That said, tracking is rampant across the web and with it, cookies. Getting
rid of them would make some of this harder - but not at all impossible - while
breaking other legitimate flows.
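
The `HttpOnly`, `Secure` and expiry attributes named in the comment above can be checked mechanically on a server's responses. This is an added example, not code from the thread: a small `Set-Cookie` auditor in JavaScript; the sample headers, the finding labels and the one-year threshold are constructed for illustration.

```javascript
// Added example, not code from the thread.
// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // this sketch skips headers without a cookie name
  const cookie = {
    name: first.slice(0, eq).trim(),
    value: first.slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    maxAge: null, // seconds, from Max-Age
    expires: null, // Date, from Expires
  };
  for (const part of parts) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive ("secure" equals "Secure").
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : part.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'max-age' && /^-?\d+$/.test(val)) cookie.maxAge = Number(val);
    else if (key === 'expires') {
      const d = new Date(val);
      if (!Number.isNaN(d.getTime())) cookie.expires = d;
    }
  }
  return cookie;
}

// Lifetime in seconds counted from `now`. Max-Age takes precedence over
// Expires; null means a session cookie with no stored expiry.
function lifetimeSeconds(cookie, now) {
  if (cookie.maxAge !== null) return cookie.maxAge;
  if (cookie.expires !== null) return Math.round((cookie.expires - now) / 1000);
  return null;
}

const ONE_YEAR = 365 * 24 * 3600; // constructed threshold for this example

function auditCookie(header, now = new Date()) {
  const c = parseSetCookie(header);
  if (c === null) return { name: null, persistent: false, findings: ['unparseable'] };
  const findings = [];
  // Without HttpOnly, page scripts can read the value through
  // document.cookie, the same exposure localStorage has under XSS.
  if (!c.httpOnly) findings.push('readable-by-script');
  // Without Secure, the cookie is also sent on unencrypted requests.
  if (!c.secure) findings.push('sent-over-plain-http');
  const ttl = lifetimeSeconds(c, now);
  if (ttl !== null && ttl > ONE_YEAR) findings.push('lifetime-over-one-year');
  return { name: c.name, persistent: ttl !== null && ttl > 0, findings };
}

// Constructed sample headers and a fixed clock so results are repeatable.
const NOW = new Date('2020-05-06T00:00:00Z');
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; HttpOnly; Secure',
  'uid=42; Expires=Wed, 06 May 2026 00:00:00 GMT; Path=/',
  'prefs=dark; Max-Age=3600; secure',
];

for (const h of SAMPLE_HEADERS) {
  console.log(auditCookie(h, NOW));
}
```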

~~~
austincheney
> Not everybody has JS enabled (your content site shouldn't require it)

It is just as true that not everybody has cookies enabled.

> If using localStorage, users can write their own data. Depending on how you
> store data, this ranges from "not a problem at all" to "serious attack
> vector". At the least, it increases risk if an attacker gets XSS.

Users can write their own cookies as well: document.cookie = "whatever"; Users
should have control to access and edit the data they are storing on their own
devices.

> for e.g. auth, this is pretty bad.

Any data that is embedded in dynamically written HTML is fully available upon
page load, so you don't need cookies or any other storage mechanism to solve
that problem. You only need a way to send the data in the HTTP response.

> They are different technologies: localStorage & sessionStorage are not a
> full replacement for cookies.

They are a full replacement unless you lack confidence writing the necessary
mechanisms in JavaScript that are typically left to Spring MVC for Java
developers on the server.

~~~
duqd_
Name a localStorage auth mechanism on 1st request?

~~~
austincheney
If you don’t already have a valid session cookie, name a cookie solution to
first request authentication.

With a local storage solution I would embed a session hash in some dynamically
written HTML or a response header that is then stored in localStorage and then
on every subsequent page request in the current HTTPS session send back that
session hash prepended with a salt in the https request header. Then it’s
always on initial page request but only after the session is established by
the server.
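
The cookie attributes argued over in this sub-thread (HttpOnly, Secure, expiry, and cookies travelling with the first request), as an added JavaScript model that is not part of any comment above. It is a constructed simplification, not a browser API: `parseSetCookie`, `CookieJar`, `compareStorage` and the sample values are assumptions, and Domain/Path/SameSite matching is left out.

```javascript
// Constructed model of how a browser treats cookie attributes (assumption:
// one origin, no Domain/Path/SameSite handling). Not a real browser API.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    expiresAt: Infinity, // session cookie unless Max-Age/Expires is given
  };
  let maxAgeSeen = false;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'max-age' && /^-?\d+$/.test(val)) {
      cookie.expiresAt = now + Number(val) * 1000; // Max-Age wins over Expires
      maxAgeSeen = true;
    } else if (key === 'expires' && !maxAgeSeen) {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.expiresAt = t;
    }
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = new Map();
  }

  // fromScript=false models a Set-Cookie response header;
  // fromScript=true models `document.cookie = "..."` in page JavaScript.
  set(header, now, { fromScript = false } = {}) {
    const c = parseSetCookie(header, now);
    if (!c) return false;
    const old = this.cookies.get(c.name);
    const oldIsLiveHttpOnly = Boolean(old && old.httpOnly && old.expiresAt > now);
    // RFC 6265 section 5.3: a non-HTTP API may neither create an HttpOnly
    // cookie nor replace an existing one.
    if (fromScript && (c.httpOnly || oldIsLiveHttpOnly)) return false;
    if (c.expiresAt <= now) this.cookies.delete(c.name);
    else this.cookies.set(c.name, c);
    return true;
  }

  live(now) {
    return [...this.cookies.values()].filter((c) => c.expiresAt > now);
  }

  // Cookie header attached to a request, including the very first page load.
  requestHeader(scheme, now) {
    return this.live(now)
      .filter((c) => !c.secure || scheme === 'https')
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What page JavaScript (and so any injected script) reads from document.cookie.
  scriptVisible(scheme, now) {
    return this.live(now)
      .filter((c) => !c.httpOnly && (!c.secure || scheme === 'https'))
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

function compareStorage() {
  const t0 = Date.UTC(2020, 4, 6); // constructed clock
  const jar = new CookieJar();
  jar.set('sid=abc123; HttpOnly; Secure; Max-Age=3600', t0); // constructed token
  jar.set('theme=dark; Max-Age=3600', t0);
  // The same token kept in localStorage instead: every key is script-readable,
  // and nothing is attached to requests until a script runs and sends it.
  const localStorageModel = new Map([['sid', 'abc123']]);
  return {
    firstRequestHttps: jar.requestHeader('https', t0),
    firstRequestHttp: jar.requestHeader('http', t0),
    scriptReadsCookies: jar.scriptVisible('https', t0),
    scriptReadsStorage: [...localStorageModel].map(([k, v]) => `${k}=${v}`).join('; '),
    scriptOverwroteSid: jar.set('sid=overwritten', t0, { fromScript: true }),
    afterExpiry: jar.requestHeader('https', t0 + 3601 * 1000),
  };
}

console.log(compareStorage());
```

The session token is sent on the first HTTPS request yet never appears in `scriptReadsCookies`, while the localStorage copy is fully readable by any script on the page.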

------
acd
Can we also please do something to put an end to End user license agreements?

It used to be that in the late 1800s that for example an electricity contract
would be a simple one page A4 page which everyone could understand and you
signed.

Now it's pages up and down of legal content, that you almost need a PhD in law
to understand. Many sign without even reading or understanding the contract.

I would call for the simple end user agreement act or put an end to the
practice as a whole and just fall back on national/eu law.

Why the contract signing is asymmetrical power and you cannot alter the
outcome other than simply opting out of the product.

Further you do tell if it was a person who signed the EULA or the person's cat.
Who did the consent?

------
brett-jackson
Have cookie consent pop ups made the web better?

If you're concerned (or aware) about your privacy, you likely have an addon
that blocks trackers enabled.

~~~
macinjosh
> Have cookie consent pop ups made the web better?

Unequivocally no.

~~~
notechback
How many sites have seriously thought about reducing Google analytics and
intrusive ads? If it's even 1% then the banners unequivocally HAVE made the
web better.

------
matheusmoreira
> You can’t make access to your website’s content dependent on a visitor
> agreeing that you can process their data

_Finally!_ Sites that require payment for their content need to return HTTP
402 Payment Required. Sites that make users pay with data should be fined with
extreme prejudice.

"Continuing to use the website" isn't consent either. Why do these companies
insist on being deliberately obtuse? They know exactly what they need to do
but they would rather ask lawyers about how they can get away with not doing
it. How hard is it to avoid surveilling people?

~~~
Tade0
I guess it's not about what's hard, but what's more profitable.

Companies are not people - any ethics they have are only there because
otherwise it would be bad for business.

------
dredmorbius
[https://outline.com/LM8MTd](https://outline.com/LM8MTd)

------
encoderer
Will the EU please stop ruining the internet for the rest of us.

~~~
coldpie
The EU isn't ruining anything. The websites are choosing to abuse their users
and ruin your experience. It's their fault this legislation exists in the
first place. Aim your ire at the problem, not the fix.

~~~
defnotashton2
But it's not fixed and now all of us are here spending time talking about it
and implementing it even in the end have any of us accomplished anything

------
thoraway1010
What is up with having to CONSTANTLY sign off on all these privacy policies.

Why not just put control in users hands with their browser. Browse in
incognito mode if you want less tracking. Block javascript, use an adblocker
etc.

This doesn't require that websites allow you to do this, just do it, delete
your own cookies.

Am I missing something. The CONSTANT popups on websites that serve EU visitors
is SO SO annoying.

If this is meant to have people think big govt is competent and helpful... not
sure it's working.

------
MattGaiser
I get why so many content driven websites just block EU IPs. This is a
compliance nightmare.

------
kerkeslager
Given my browser sends out a "Do Not Track" header with every request,
explicitly opting out of tracking, I'm not sure why I should ever even have to
click a button to opt out. DNT is supported by Firefox, IE, Chrome, and Opera,
and was supported by Safari until February 2019. The reason Apple dropped
support was insufficient support and adoption by sites.

The advertising industry is actively user-hostile.

~~~
csunbird
Apple actually dropped support for this, because advertisers were using this
setting to fingerprint users.

~~~
kerkeslager
Geez.

What's the HN advertiser spin on this? It's to help users find products they
want and need, despite the fact that they explicitly say they don't want your
help?

------
mankyd
> Hence cookie walls that demand ‘consent’ as the price for getting inside the
> club are not only an oxymoron but run into a legal brick wall.

This seems like a slippery slope situation. What if you require people to
login, signup, or pay to access your content?

There are certainly some sites out there that reasonably require this. How do
we define the boundary between the two?

~~~
C4stor
The cookie consent wall is only a solution for sites willing to drop third-
party cookies.

You can still require anything regarding your own website to access it,
including cookies, as long as those are needed for the correct functioning of
your website.

What this clarifies is that you can no longer restrict your website access to
people "consenting" to have tens of other companies dropping cookies on them.

~~~
macinjosh
> What this clarifies is that you can no longer restrict your website access to
> people "consenting" to have tens of other companies dropping cookies on
> them.

This is the same thing as forcing a religious baker to make statement cakes
that violate their religion. If you don't like how a site works don't fucking
visit it! Every modern browser has a setting to block third party cookies as
well. Forcing web site owners to serve customers who don't like the business
model of the site is Orwellian.

~~~
C4stor
No, it's not orwellian at all.

There are a ton of things you can't ask as payment for your services. It may be
physical (let's say body parts), or conceptual (let's say the user freedom of
speech). Those things can't be enforced by any contract, however you want to
write them, and even if you somehow got someone to sign on it, it would still
be void.

In the EU, we deemed it suitable to add "privacy" to the list of things you can't
legally ask a payment for when providing a service in the form of a website.

That's it. Maybe that's shocking for you, but it's not for me, it's not for
the people I voted for, and apparently it's not for quite a number of people
and so, it passed.

If you don't like how the law works, well, don't live in the EU ? You can find
a lot of countries where this isn't a consideration, and that may suit you
better. Otherwise, well, you've been pwned by democracy. Tough luck !

(I won't begin to address your comparison with the baker, because, well, I
can't begin to make sense of it.)

~~~
Mirioron
> _If you don't like how the law works, well, don't live in the EU ? You can
> find a lot of countries where this isn't a consideration, and that may
> suit you better. Otherwise, well, you've been pwned by democracy. Tough luck
> !_

Democracy? The commission doesn't get elected. The commission is the one to
create the laws. Furthermore, most of the voting in the Parliament is done by
people not even in my own country. This means that they don't have to care
about what I want at all, as my vote has zero effect on them. And if the EU
keeps going the way it is then I'd definitely like to get out, because the
only thing the EU does is legislate while the bloc's economy has been doing
poorly.

~~~
notechback
EU lawmaking in a nutshell:

Commission (leaders of which are selected by your government that you
presumably voted for) makes a draft.

Commission consults widely (usually online consultation) and all national
ministries comment.

Commission redrafts and sends to parliament and council.

In the council your government has (most of the time) veto power.

In the parliament your and other countries' delegates vote on it.

Then parliament (people's representatives) and council (national government
representatives) sit together, find the middle ground of a final draft.

Parliament and council then each do a final vote.

Depending on the exact type of legal document it either enters into force
right away or your national administration, parliament and government create
their own national version of it conform to the EU document and make that a
national law.

That's a pretty heavy process but it's just wrong to say that the voters don't
have influence. National governments and delegates both can say no.

Now is the parliament representative just because people are not from just one
country? Is your national parliament representative even if there are people
from different regions/cities/...? Is your mayor democratically elected just
because that other suburb also got to vote? That's just an absurd position.

------
nkassis
The part about having a genuine choice is basically ignoring the choice of not
interacting with the website beyond reading the cookie message. I understand
that it's a shitty choice but it's at least there. This essentially forces the
site owner to provide content without its side of the terms being allowed to
be required.

~~~
C4stor
That's not true. It forces the site owner to provide content under its own
terms as long as its terms do not involve non necessary functionalities
provided by other companies. You can still enforce your own terms, but you
can't enforce the GAFA cookies at the same time.

Said otherwise, your terms of service must be privacy-sensible, which is
indeed the very goal of the law.

------
throw03172019
The TechCrunch website is really bad.

Opening the link causes the back button to break. I need to double tap it
before the redirect kicks in (hint: don’t push this to HTML5 history, please).

Once you scroll down to the end of the article, it closes the article back to
the list view and does a bunch of awkward scrolls just to leave me at the
bottom of their list.

iOS Safari

------
sparkling
Anyone who is operating a website within EU jurisdiction is either insane or
masochistic. Cookie laws, privacy laws, arbitration laws, 5-digit copyright
lawsuits over the use of a single unlicensed image, 5-digit lawsuits for a
tiny mistake in the imprint.

No thank you, happy to exclude all of EU to not deal with this nonsense.

------
zilongli
Well meaning politicians making life more difficult for everyone.

------
red_admiral
> You can’t make access to your website’s content dependent on a visitor
> agreeing that you can process their data — aka a ‘consent cookie wall’. Not
> if you need to be compliant with European data protection law.

Brought to you by TC, a site with a cookie consent wall (at least here in the
UK).

------
Kronmonker
As soon as I open the page I'm blocked by a cookie consent wall with no easy
option to opt out

------
Hitton
This will change nothing, because it's so easy to avoid it. The website won't
give visitors choice to agree or gtfo, they will instead give choice to agree
or pay instead (i.e. same result for 99.9 % of visitors), which is sufficient
to fulfil lawful obligations.

~~~
forgotmylogin2
One can only hope that is the case. Otherwise, this ruling is basically a
decree that journalists must give away their work for free.

------
jariel
The Cookie Consent banner is a terrible regulation, and it's just bad
practice, there is absolutely no need for it, it does not make the world a
better place, it makes it worse.

1st: almost nobody cares about cookies let alone knows what they are.

2nd: people don't read the fine print.

3rd: it just creates an ugly barrier to the experience for 99% of people.

We can solve this 'problem' in a much simpler way:

What is needed for example is possibly a special image/token at the top of the
page, like a 'seal' that indicates the 'privacy rating' and whether or not
cookies are used. Like films are rated, sites can be rated. A little symbol
implies that cookies are used. People can then decide to 'move on or not' but
otherwise, the experience is not interrupted.

------
syncsynchalt
Why haven't any of the browser makers made cookie consent a browser-side
feature? Sites could detect the browser feature, skip displaying the pop-up,
and users could have a consistent UI experience for cookie consent.

Is this forbidden by the specifics of the legislation?

~~~
city41
I've wondered the same thing. The amount of annoyance, tedium and drop in
people's focus and flow clicking these things over and over and over again has
to really add up.

------
Piisamirotta
Damn I hate those cookie pop-ups so much. Bullshit.

------
itsajoke
I know these consent warnings are generally considered an annoyance, as well
as dangerous due to consent fatigue. Not to mention the little hacks I've seen
POCs of where clicking the consent button allows for lots of nasty things
since it works around the browser's autoloading javascript restriction since
the user has to interact with the page.

But I personally love these warnings and consent messages. I wish there were
more of them! I wish there was a consent message before any kind of cross-
origin action was allowed. Can you imagine how many there would be on any
sites that use ad networks?

------
Pxtl
I am waiting on the edge of my seat for somebody to come up with a way to kill
tracking cookies once and for all just so the EU will be able to drop this
stupid bill.

Honestly, the more things go on, the more I think the very fact that websites
allow fetching resources from 3rd parties is a misfeature. If I go to
example.com, my relationship is with example.com. This would eliminate cross-
site-scripting attacks, tracking cookies, tracking images, etc.

On the other hand, it would also kill CDNs.

Single sign-on would have to be explicit instead of implicit.

I'm not 100% sure those would be bad things.

~~~
hammington
couldn't the CDN issue be fixed by just having a little closer relationship
with the CDN? - i am no expert but maybe with a dns record or similar. that
way it is another host you are pulling from but within the same domain or
something maybe?

I don't know, overall i just wanted to say that i totally agree that it
doesn't seem like a good feature you go to site X and your browser loads data
and makes connections to wherever based on site x's instruction.

------
dirtydroog
To play devil's advocate... why should a publisher be forced to give away
their content for free? It costs money to produce and serve content. Like it
or not, advertising pays their bills.

~~~
anon98356
GDPR doesn't prevent a publisher charging for content, or displaying ads. What
it says is, if you want to use personal data about a user to determine what
ads to display, you have to get their explicit consent.

I have noticed a few of the consent pop ups couching the choice explicitly in
this manner. If you don't grant consent to us/our 3rd parties tracking you we
will still show you ads, they will just be less relevant.

Advertising doesn't actually require the detailed level of tracking that is
used today. Physical newspapers survived with a much more limited set of data
when convincing advertisers to place ads.

~~~
dirtydroog
Non-personalised ads command a far lower CPM than others.

One possible outcome is that publishers have to display even more ads to make
up the shortfall. That'll just annoy users even more and so they'll either
stop visiting the site or make ad-blocking even more prevalent. Either way, the
publisher is really the one losing out.

------
zzo38computer
I agree they shouldn't have "cookie consent walls", although the user can be
assumed to consent if the user has enabled cookies in their browser (no
scrolling or notices or whatever should be required). The user can also
disable cookies if they do not want it, and viewing documents still should
work. If it uses cookies for multiple things, it may be a good idea to
document what each cookie does, in case the user wants to enable only some of
them, or delete only some of them.

------
throwawaysea
I am so sick of clicking "Accept" blindly on all these websites. The existing
consent legislation makes no sense and it is making the Internet worse for
everyone worldwide.

------
xwdv
As long as you return a 200 access to the site has not been denied. If you
want to see additional site features you can do so by consenting to a cookie.

------
Ciantic
Law that dictates a dialog / consent for individual website to implement has
shown already to be just a nuisance.

Instead EU should make mandatory that _browser vendors_ create standard
"blocker button" clearly visible in the toolbar from which user can globally
disable trackers, and perhaps preview them.

This way each site does not have to do the annoying dialogs which users just
mindlessly hit accept anyway.

~~~
notRobot
> Instead EU should make mandatory that browser vendors create standard
> "blocker button" clearly visible in the toolbar from which user can globally
> disable trackers, and perhaps preview them.

So basically, uBlock Origin?

~~~
Ciantic
For us, the geeks and tech people, why not? But for ordinary people it could
be simpler and easier to understand which had a standard icon etc. Idea would
be that it replaces _all_ dialogs in top of normal content.

Maybe it could have some other standardization too, e.g. that if you have
third-party trackers you must explicitly list them using <meta /> tags and
browsers could make the list of trackers for the "blocker button" like that.

The point being that having _every website_ to implement their own dialogs
(that just obscure the content) it has shown to become a terrible mess. None
is bothered to read the dialogs, they just hit whatever buttons to get to the
content.

------
jrochkind1
I am wondering when Google will get around to providing better "out of the
box" support for GDPR. I should be able to get UI to let users opt out, and
see/delete data, as easy as installing GA in the first place.

Most of my projects are non-commercial, but they still usually have GA, GA
tends to be the only thing I have that requires GDPR attention, that I'm aware
of anyway.

~~~
hadrien01
I believe that simply disabling IP address collection is enough to be GDPR
compliant with Google Analytics:
[https://developers.google.com/analytics/devguides/collection...](https://developers.google.com/analytics/devguides/collection/analyticsjs/field-reference#anonymizeIp)

~~~
snowwrestler
The challenge with GA today is that the default code that Google gives you
includes Tag Manager, and they encourage you to include DoubleClick as well
(can't remember if that is in the default).

If you go out of your way, you can implement GA, by itself, the "old
way"--which is GDPR compliant out of the box. It's Tag Manager and
DoubleClick that are not.

~~~
jrochkind1
I always find GA docs/instructions confusing, but when I try to see what
current GA instructions tell you about how to include GA in a page, I get
this:

    
    
        <!-- Global site tag (gtag.js) - Google Analytics -->
        <script async src="https://www.googletagmanager.com/gtag/js?id=[ID]"></script>
        <script>
          window.dataLayer = window.dataLayer || [];
          function gtag(){dataLayer.push(arguments);}
          gtag('js', new Date());
    
          gtag('config', '[ID]');
        </script>
    

Is that the "old way" or the "new way"? Maybe it's an even newer way, which is
essentially similar to the old way?

~~~
kuschku
That’s the new way, including the illegal Tag Manager.

The old way would load the JS from
[https://ssl.google-analytics.com/ga.js](https://ssl.google-analytics.com/ga.js)
instead, and set different options.

~~~
jrochkind1
What about Tag Manager violates GDPR in special ways GA does not?

------
severak_cz
I see massive irony in fact that article about consent wall is hidden behind
one of them... :-)

Your data, your experience

TechCrunch is part of Verizon Media. Click 'I agree' to allow Verizon Media
and our partners to use cookies and similar technologies to access your device
and use your data (including location) to understand your interests, and
provide and measure personalised ads.

------
butz
If anyone else is interested, the direct link to guidelines mentioned in
article is here:
[https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf)

------
cool-RR
What we need is a community-powered Chrome extension that can identify cookie
warnings on different sites and disable them.

~~~
hombre_fatal
Extensions like uBlock already use community-updated filter lists like
EasyList.

I would be very perplexed if none existed that removed cookie warnings.

Edit: If you open uBlock's options and go to the Filter Lists tab, you can see
that
[https://kb.adguard.com/en/general/adguard-ad-filters#annoyan...](https://kb.adguard.com/en/general/adguard-ad-filters#annoyances)
and Fanboy's Annoyances List are two that block some
privacy popups, but you'd probably need to enable them.

There are actually quite a lot of lists on that page (click the "+" marks to
expand the unchecked lists) that are opt-in rather than on by default, so it's
worthwhile to give them a whirl and see if any block cookie popups.

Easylist Cookie is another one I found in uBlock filter list that specifically
nukes cookie popups:
[https://easylist-downloads.adblockplus.org/easylist-cookie.t...](https://easylist-downloads.adblockplus.org/easylist-cookie.txt)
(disabled by default as well).

------
jimbob45
Surely this all ends in a cap on advertising spending. Advertising contributes
no real output to a country and ties up its best minds in anti-citizen
activity. I know you can't blanket ban advertising because that would be
unenforceable (and some advertising is good) but a partial ban cannot be
controversial anymore.

------
kgin
The idea that more than 5% of people have any idea what they're consenting to
when they click these buttons is silly.

------
danimal88
Has there been any sort of research done on whether these changes have
actually done anything consequential and positive?

~~~
forgotmylogin2
I don't even live in Europe and these policies have still caused significant
harm to me. I can only imagine it's even worse for people accessing the web
from Europe.

------
collyw
Does anyone not accept cookies when they visit a website? If not why not? I
often clear mine out or use private mode to get around "you have read your
maximum 5 articles please subscribe now". What are genuine reasons for not
wanting to visit a website with cookies?

~~~
ninkendo
Usually when I'm visiting a website, it's one of many sites/articles/search
results I could be looking at. If a site tells me something like:

    
    
        - Sign up for a newsletter!
        - Please turn off your adblocker!
        - Please accept our use of cookies to continue
        - Pardon the interruption...
    

I close the tab and try the next search result/article/whatever I want to see.

Websites don't exist in a vacuum. Nearly always, they have to compete for my
attention with other possible uses of my time. I'm going to pick the one that
wastes my time the least.

~~~
collyw
I am the same with most of those. Medium being a particular pain in the butt.
But almost every website uses cookies, I don't see them being such a problem.

~~~
ninkendo
Yeah, I guess it's not that I don't want to accept cookies, it's that I don't
want to reject them either (I'd rather close the tab than do either one.)

This sounds like GDPR is a bad thing for people like me, but I view it as a
long game: as sites see increased bounce rates due to cookie popups, maybe
it'll change the equation in favor of not having tracking cookies in the first
place. I feel like I'm doing my part to help create that future every time I
close the tab when getting nagged about cookies.

(And GDPR doesn't require dialogs about _all_ cookies, you're allowed to use
cookies to have sessions/logons without nagging.)

------
sfifs
This is a foolish own goal. Publishers will simply implement a login based
wall - possibly with federated logins of Google and FB with consent in the
sign up giving even more accurate personally identifiable information. Cookies
are at least anonymizable

------
KorematsuFred
While surfing internet from India I am really upset with all those 1990s
styled banners with only "accept" button. I wish there was some browser
extension that would automatically hide these banners and make them completely
irrelevant.

------
brabel
There is no solution to the insanity the web has become other than an
alternative web.

Want a place you can go to find interesting websites, chat, share knowledge...
all that the web was supposed to allow, but without being constantly tracked
and bombarded with ads?

Try Gemini:
[https://gemini.circumlunar.space](https://gemini.circumlunar.space)

Gemini is an extremely simplified version of HTTP and HTML, in essence. It is
safe by default: the only way to allow user "sign in" is by using mutual TLS.
With mutual TLS, YOU control whether the server talking to you should know who
you are... and they can't know anything you don't tell them. And you can
simply stop using your TLS client certificate if you don't feel like telling
the server who you are anymore. This is what security looks like. Not what the
mess of the web is right now.

It's time to reboot the internet.

~~~
asdff
I find an aggressive ad blocker solves most issues with the modern web.
Haven't seen an advertisement in years. Any facet of any website can be
selectively blocked. You can pare anything down to plaintext if you really
want.

------
microcolonel
The more effective policy would be to regulate circumvention of tracking
protection filters.

Browsers could improve their UIs for default cookie/storage filtering, but
it's still a much more effective way to do this.

------
solinent
These days I just inspect the page and if I can delete the overlay and find
the overflow:hidden then I'm done! No accepting or scrolling required. It
takes me 20 seconds to do this now typically.

------
eitland
Is it just me who reads this wrong or everyone else?

The way I read this cookie "consent" banners are exposed as worthless so web
sites should be no better off using them compared to not using them.

~~~
alkonaut
No, using banners or popups is fine. Sites just need to use compliant ones.

The banner/popup has to say "Check this checkbox to continue with third party
cookies, otherwise just continue without". (checkbox has to be unchecked at
first)

Or "Click [this button] to visit with third party cookies or [this button] to
visit without" (buttons have to be the same size).

But yes - in this form banners and popup present an annoyance to the user AND
very few will actually consent (if they understand the question). So they will
be worthless for the site owner, which is a good thing because no one likes
these banners.

------
VWWHFSfQ
this cookie consent stuff does absolutely nothing but annoy people

~~~
notechback
Not because of the law but because those pushing tracking and designing the
banners intentionally make them intrusive. Purely technical cookies (eg login,
spam protection) don't need a consent by the user.

------
paulie_a
Cookie consent needs to fuck off for the vast majority of the internet. If you
are in the EU or you do business there it probably applies. Everywhere it
doesn't.

------
FailMore
Can someone explain/give examples of what a "good" website does in this case?
For example, is StackOverflow doing the right thing (try in incognito mode)?

------
aerovistae
I have a Chrome extension called "No more cookies" I think, that just
eliminates those walls completely. Best install I've made the past year.

------
arendtio
I wish the prosecution of breaking the GDPR would be quicker. There are so
many sites out there that obviously do not comply with the spirit of the GDPR.

The GDPR is very clear, that it should be the user's choice if he wants to be
tracked (freely given, so without any other negative consequences). But many
pages out there are trying to trick people into accepting their cookies by
accident (playing with buttons (size, color, arrangement, etc.)). Those
Paywalls are just the tip of the iceberg. And for those companies who comply
with the law, it is just a competitive disadvantage.

Sometimes I am more drawn to accepting some page's cookies, just because they
implemented the consent layer in a compliant way.

------
yllus
Is this a fair summary, then: A site with free-to-read content must by default
load no tracking scripts/cookies - aside from those that do so in anonymized
aggregate form - unless the website visitor positively confirms they're okay
with being tracked individually? That's how I'm reading it. Basically they
want to change the default behaviour of websites to collecting aggregate user
analytics only.

I suspect that a number of organizations that post free content and justify
some/all of that expense with the marketing data they collect are going to
look at changing that practice. More paywalls that require free user
registration are the obvious next step. I wonder if that's not a step
backwards for the Web.

------
wswin
Cookies consent should be built into browsers, just like all other
permissions – auto play, camera, etc. This would save a lot of money and
annoyance.

~~~
akersten
It already is! At least in Firefox, about:preferences#privacy, you can choose
even to specifically block just tracking cookies.

------
asdff
What happens legally when I don't consent to cookies, and just zap the cookie
wall with my adblocker and proceed to the content?

------
dependenttypes
I am pretty sure that most sites assume that you have accepted and that
"accept" does nothing but close the consent window.

------
knorker
When will the EU just accept that this is a browser setting, not a mandate on
websites? It's been a browser setting since the '90s.

And what do they mean the user has "no choice"? What… don't they have a choice
about? They have as much choice as I have in a store. I have the choice of
paying for the thing and getting it, or not paying and not getting it. Why is
it mandated that the "get the thing without paying for it" MUST be a choice?

------
neilwilson
Would it have been too difficult to pass legislation that requires opt out as
the default and require people to opt-in?

------
chapium
There has to be a better way to regulate technology rather than changing the
document. Why not a browser plugin?

------
shinryuu
Am I the only one who finds it ironic being faced with a cookie consent wall
while visiting the website?

------
cm2187
The consent should really have been implemented at the browser level. That
would keep all sites honest.

------
Quanttek
The guidelines can be found here:
[https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf)

They are pretty great, beyond the examples brought up here. For instance, on
the criterion free/freely given, they write the following:

> The element “free” implies real choice and control for data subjects. As a
> general rule, the GDPR prescribes that if the data subject has no real
> choice, feels compelled to consent or will endure negative consequences if
> they do not consent, then consent will not be valid.[13] If consent is bundled
> up as a non-negotiable part of terms and conditions it is presumed not to
> have been freely given. Accordingly, consent will not be considered to be
> free if the data subject is unable to refuse or withdraw his or her consent
> without detriment.[14] The notion of imbalance between the controller and the
> data subject is also taken into consideration by the GDPR.

Regarding the last element they cite the examples of public authorities or
employment (e.g. monitoring systems) as situations where there is an imbalance
of power that may limit the ability to give consent freely (there are other
bases for processing data).

Also, I want to quickly remind HN that the GDPR applies to any data processing
and goes far beyond consenting to cookies but also to, e.g., any other
tracking, "selling" the email address to an advertising firm, taking a video
of you, etc.

~~~
notechback
Giving you the right to get a copy of data held by Facebook & co!

------
moomin
Of course, I didn’t read the article, because it’s behind a phenomenal Yahoo
consent wall.

------
maxwellito
How about we all agree to set an attribute on these popups (like
*[data-legal="gdpr-cookies"]) and let people have a browser plugin to hide
them? Or HTTP headers to accept them straight from the initial request?

Let's be honest, people don't read them they are just annoyed, devs who
implement them feel bad about the experience.

------
Rounin
You realize the linked article IS a cookie consent wall, right?

------
tathougies
The EU has made things worse for the entire world. I hate the cookie bars.
They're annoying and I don't care that my browser is storing a Cookie header
in a database. If I didn't like that, I can turn it off.

~~~
swongel
I hate it when companies want to track me and put a pop-up on their first page
to ask my permission to do so. I don't care about cookies being placed on my
system by my browser and that in and of itself isn't illegal under GDPR, I
just don't want to consent to being tracked by corporations for profit or be
tracked for profit without my consent.

If companies choose to comply with EU law because they want to do business in
the EU that's up to them, they don't have to.

------
gcatalfamo
Funny thing this very page had a cookie wall welcoming me.

------
annoyingnoob
Can we get the same protections from 3rd party JS?

------
Vanayad
Accessing this site, requires a consent. :)))

------
oftenwrong
Perhaps it would be more appropriate for the EDPB to centrally track consent.
For example: If example.com wishes to use Alice's private information in a way
that is protected under GDPR, they would request consent from Alice via an
EDPB-managed service. To opt-in, Alice would use the EDPB-managed service to
accept the request. This way, the EDPB would have full control over how such
requests are presented to a person, and would have an auditable record of all
requests issued/declined/accepted.

------
superkuh
I'm glad I don't live in the EU. I don't allow cookies to function in my
personal browser and I don't use them on any of the websites that I make or
maintain. But when someone goes to a website they're not forced to use cookies
and they don't _have_ to go to the website. A law like GDPR brings in the
government's use of force to situations where there is no force, fraud, or
anyone being hurt. It's massively worse than the problem it solves.

------
ineedasername
I am the person such sites hope for: With all of the data breaches, with all
of the tracking over the years especially before GDPR, I have become numb &
apathetic to the issue.

I believe I'm in the majority on this (though not on HN) and most people
simply click the thing that will get them to the content fastest.

For this reason, I think the way to fix this is not with opt-out, but with
opt-ins, where the option has a highly specified, by regulation, size, color,
location and text for how it must be presented.

------
gtm1260
Am I the only one that seriously feels like the UX implications of GDPR should
have been more seriously considered? Did the creators of the law consider how
they were making the web like 5% more annoying to use? I just wish this stuff
was thought through in a more holistic way, right now what we have is just an
extra click through on every website, and no real sense that it is helping
privacy since most users just click 'ok' to get to their website anyways.

------
peterhil
I think the whole cookie consent thing of GDPR went backwards, and instead of
individual web services being required to show what they track, the browser
makers should have been required to make it much easier to manage user
cookies, and warn users about tracking cookies, and offer a way to
remove, clean up and otherwise empower users to take care of their privacy.

------
hootbootscoot
ironic. I can't read this article without consenting to everything...

------
LunaSea
.

~~~
notechback
What's not conform? That's a language selection screen, not a cookie screen.
In the banner at the top you can click "decline".

------
rikroots
For what it's worth, this was my take on the GDPR requirements for site
cookies. I had to consider them when recoding my poetry website last year
(mainly for Facebook and Twitter sharing buttons)

[https://blog.rikworks.co.uk/2020/02/05/The-RikVerse-rebuild-...](https://blog.rikworks.co.uk/2020/02/05/The-RikVerse-rebuild-Fun-with-Cookies/)

... and this is how the cookie consents page looks on the site:

[http://rikverse2020.rikweb.org.uk/cookies](http://rikverse2020.rikweb.org.uk/cookies)

It's not a difficult task to comply with the GDPR requirements in a nice way.

------
finnthehuman
The GDPR has made it a bit easier to see the non-surveillance dark patterns
that software developers are addicted to.

Consumer software that respects your wishes has become such a dying breed that
I had forgotten just how deep we've fallen down the rabbit hole on everything
until surveillance was pulled back out.

~~~
MattGaiser
It respects the customer wish to not pay a penny for anything.

------
hammington
it amazes me how many hackernews readers/commenters seem to have no idea what
gdpr is or what it means for them.

if a site has a "gdpr popup" then that means they are doing something that
they know is morally and legally questionable - not that the law is wrong ffs.

~~~
crusso
That's because for many of us outside of the EU, it doesn't mean much besides
yet more email from content providers regarding changes to their privacy
policies that I just delete.

I wish you guys the best of luck with it, though. I would like for my
country's notion of "who owns my data?" to resolve more to "me". I'm torn about
how much it'll cost me to own my own data, though, in a reduction of
frictionless free stuff on the internet.

~~~
hammington
have you had any reduction in emails you don't want? i get a lot less since
gdpr.

plus i can now get my data from lots of sites as they can't be bothered to
restrict non-eu people to not have the functionality.

plus quite a few more sites / services have options to delete my account and
data that only came about because of gdpr

plus it seems like other places are considering similar laws too so then the
"benefits" will be felt by even more people.

oh and now you get an indicator of how crumby a company is by how hard it is
to opt out of things.

dunno it just seems like a lot of wins. with the main downside being that my
personal data abuse is regularly brought to my attention via popups etc. but
that doesn't seem sustainable - i am hoping it's a transitional thing and
companies actually just start complying.. but i guess that will take the EU
laying down some serious fines to make examples - which to be fair this
article seems to be a step towards. seems like many other control systems
(e.g. dangerous goods shipping or hazardous chemical controls) that the
governing bodies are careful in applying the law to make sure they don't just
fine companies into oblivion if they are making steps in the right direction
and fix anything specifically called out.

------
megiddo
A consent wall is consent and this ruling is why I hope European regulatory
bodies fall into a hole.

How do you think those "free" articles are paid for? They're paid for with
cookies.

This is the same wall that separates me from content on paywall sites - it's
just that you don't get out your credit card. Instead, you whip out your
cookie jar.

There is no universal "right" to view content. If the content is behind a
cookie wall, you have two choices - either accept cookies or fuck off.

~~~
anon98356
No they are paid for with ads. How a website determines what ad to show is
where it gets troublesome. There is no requirement to have 1000 trackers load
cookies every time I go to your website in order to show me an ad.

------
GiorgioG
This may be an unpopular view here but the GDPR has made the web experience
infinitely worse. I'd like to see some stats on how many folks abandon without
consenting. I'd guess the number is small, yet the majority of folks have to
suffer these stupid consent popups.

I'd as soon just not serve content to EU residents than have to make everyone
suffer through the nonsense. That won't fly for big companies of course.

Alternatively maybe make those popups only show for EU (geolocated) users.

------
whatsmyusername
I don't give the slightest fuck about GDPR because of the dumbass cookie
popups they forced on every single site.

~~~
bluGill
It is working. They are getting you willing to oppose your own best interests!

~~~
MattGaiser
I and I alone will decide my best interests.

------
aasasd
Pardon? Is this saying that closing the page is not a choice?

~~~
DagAgren
No.

~~~
aasasd
[https://techcrunch.com/wp-content/uploads/2020/05/Screenshot...](https://techcrunch.com/wp-content/uploads/2020/05/Screenshot-2020-05-06-at-12.28.43.png?resize=680,171)

Where does this extract allow for the user to be guided off the site? As far as I
can see, it demands that the user can ‘freely give’ the choice to access the
site without using cookies.

~~~
DagAgren
I was saying it is not saying it is "not a choice", it is saying it is not an
_acceptable_ choice.

------
TomMarius
Can't they require a HTTP header that I would manage in my browser?

~~~
nathancahill
We had one. It didn't work. DNT: 1

~~~
TomMarius
I don't see any mention of that header in any law, nor any court resolution
regarding that header. If that does not exist, we did not try.

~~~
zorked
Laws are not written around protocols. The GDPR is not HTTP-, Web- or
Internet-specific.

~~~
TomMarius
Seems like we've uncovered the root cause of failure; besides, isn't the
concept of cookies a part of the HTTP protocol?

------
dontTellMyB0ss
Cookie Law is a great example of why government shouldn't be allowed to stick
its fingers into voluntary interactions.

Good intentions by dumb people do more damage than good.

------
zpeti
The amount of time the EU has taken away from internet users with this insane
policy is ridiculous. Yes, everyone in the fucking EU knows what a cookie is
now. I can't believe I have to waste 3-5 seconds of my life on most website
visits clicking a box. But obviously sitting in an office in Brussels making
an actual calculation of the years you take away from people is not something
you do.

~~~
nicbou
Don't blame the regulation, blame everyone who is trying to get you to click
the consent button.

Cookies are a simple yes/no question, with the default answer being no. If
everyone did what's in the users' best interests, it would be a non-issue.

~~~
zpeti
So how do you store user information then? Like logins? Sessions? Also rely on
cookies. Browser fingerprinting? Great - then you've switched one problem for
another.

This entire EU regulation is a non solution to a not really existing problem.
Yes, third party advertisers use cookies to track you. But they can build
technologies to use something else. In the meantime you are a) breaking the
internet b) wasting hours of each EU citizen's time every year.

~~~
stan_rogers
Those are all allowed without explicit consent - it's right in the regulation.
What _isn't_ allowed without consent is all of the tracking and data-sharing
nonsense that _isn't actually required_ for the website to function.

~~~
zpeti
Theoretically. Practically almost all websites need third party cookies to use
any decent analytics platform (most often GA). So the end result is still that
100% of websites need cookie consent.

~~~
XCSme
There are also self-hosted alternatives so no third-party, or even cookie-less
tracking. Something like: [https://usertrack.net/](https://usertrack.net/)

~~~
myu701
Matomo is my user tracking of choice, it honors DNT by default and is self-
hostable or can be run as a hosted service.

Matomo was formerly known as Piwik

~~~
XCSme
Matomo is great and it's nice that it's open source. One advantage of
userTrack, which is also self-hosted, is that you get heatmaps and session
recordings at no extra cost, which on Matomo cost from 200eur/year.

