
The GDPR Is a Cookie Monster - adrian_mrd
https://www.emarketer.com/content/the-gdpr-is-a-cookie-monster
======
snowwolf
The dark patterns in play now to get explicit consent are pretty bad now
though. Take Mashable for example.

On first visiting the site you are presented with the option to "Consent" or
view more Options (where you can Opt Out of all - except you can't really
because some require Opting Out on the specific Advertiser's site). But if you
do choose to Opt Out all, they will then show you the initial Option box on
every visit to the site, where you have to go through the More Options route
every time. And if you ever accidentally click I Consent, then they opt you
back in to everything again and then never show you that option box ever
again.

Note: I just picked on Mashable, but there are many, many sites following this
same dark pattern.

~~~
aars
I had an interesting encounter recently:

[https://imgur.com/a/i1hm1TQ](https://imgur.com/a/i1hm1TQ)

~~~
Spare_account
I'm not sure what conclusion you're drawing, the final two screenshots didn't
have any explanation.

As far as I can tell, you've observed that if you force your browser to stop
displaying the cookie preferences overlay, the hidden page becomes visible
again.

Does this reveal something controversial that I haven't inferred?

------
iicc
The "Factsheet" this is about (7 page pdf -
[https://reutersinstitute.politics.ox.ac.uk/sites/default/fil...](https://reutersinstitute.politics.ox.ac.uk/sites/default/files/2018-08/Changes%20in%20Third-Party%20Content%20on%20European%20News%20Websites%20after%20GDPR_0_0.pdf))

> All results presented here reflect site activity prior to obtaining consent;
> the picture may change dramatically once the user provides the affirmative
> opt-in GDPR requires.

So, meh.

~~~
4ad
Yep. If anything, things are worse now. You HAVE to give consent to do
anything useful on the website (so blocking the notice won't work), and in the
consent form it's usually very hard to turn tracking off, full of dark
patterns.

Not legal from the perspective of GDPR, sure, but it seems that everyone is
doing it.

/edit: downvoted for stating basic facts, amazing.

~~~
cyborgx7
And I hope they will all get heavy fines for doing so. Let's see how well the
EU will enforce the GDPR.

~~~
paulie_a
I honestly don't get why so many sites are even paying attention to GDPR. If
they don't have a presence in the EU, it is irrelevant.

~~~
legitster
Because GDPR includes provisions for handling US GDPR violators, a lot of
security vendors were touting up the idea that if a European fills out a form
on your site or gets cookied for any reason, you could be sued.

~~~
jwineinger
So they'd file suit in the EU and... what would happen? Some sort of judgment
that would prevent a company from starting business in the EU at a later date?

~~~
pluma
I don't know. Why are EU companies paying attention to American laws, again?

~~~
frockington
Largest economy and military in the world are big reasons to play nice with
America

~~~
patrickmcnamara
Military doesn't come in to this at all.

And similar arguments could be made for why American companies would play nice
to the EU.

~~~
frockington
If I were a company I would target America first and Asia second. Due to
increasing regulations, political uncertainty and lack of growth I'd shift the
EU to third (it used to be an obvious second to me).

~~~
patrickmcnamara
Fair enough, but you'd be missing out on a huge market. And unlike Asia, it
has a single regulation to follow for things like data protection.

If your company was unable to comply with GDPR, many wouldn't want business
with your company anyway, especially other companies who _are_ trying to
comply with it.

------
codedokode
I don't understand why there is so much negative impression of GDPR. Most
businesses do not need to track users; they do it only because they can and it
is not forbidden. Let me give you some examples:

- Wikipedia can serve you pages without knowing anything about you

- You can download and use Debian distribution without providing any data
about yourself. Microsoft can do the same.

- Internet shops like Amazon or Ebay don't need to track you. They earn money
when you buy something and if they delete PII after the order is completed
they still have the money. GDPR is not taking them away.

- Google can work just fine without tracking users. They show advertisement
in search results, they get paid for it and they don't need to collect
everything you have typed to earn profit

- Youtube can show ads and get paid for it to completely anonymous users

- Android and Google Maps don't need to track you. You paid for them when you
bought your device, you don't have to pay once more with your data and opt
into dubious "help us improve your user experience" scams.

- Netflix gets money from you anyway and doesn't need to track you

- Facebook doesn't need to track you across the web. It can show ads and get
paid for it anyway.

Look around. Most businesses can earn money without collecting any personal
information. The ones who can lose because of GDPR are only shady marketing
agencies, legal spam companies, data brokers and three-letter agencies. I
don't feel sorry for any of them.

We should think about better protection of privacy and anonymity rather than
worry about profits of Californian corporations wanting to make everyone their
product.

~~~
baseballdork
If you're looking for advertisers, all other things being equal, do you go
with the advertiser who guarantees your ads will go to those most likely to
have interest in your product, or do you go with the advertiser that will send
your ads to random people?

Of course they _can_ serve ads randomly, but they're competing to provide the
best value for those buying ads.

~~~
codedokode
Corporations want cheaper ads; I understand that but I don't understand why I
should be tracked. They should develop better ads without violating someone's
privacy or anonymity.

~~~
mrep
Companies aren't paying just to show you ads. They are almost always paying
for clicks on those ads that lead users to their website.

That tracking allows them to build more accurate models on what ads a user
will click on and then tailor ads to the user causing increased ad click rates
which results in more revenue.

And I'm not really concerned about the big companies. I'm concerned about all
the news agencies that are barely scraping by with targeted advertising
revenue. Remove the targeting and web journalism will get even worse as they
have to lay off more people and resort to even more clickbaity news.

~~~
codedokode
Without tracking the ad won't disappear, just some kinds of it can become more
expensive and less effective; that is not a big problem. Companies can still
show relevant ads: Google can show ads matching current search query, Youtube
can show ads relevant to the video, and so on.

Regarding news sites, they have a lot of opportunities to earn money, for
example, publishing sponsored articles. They can also use a subscription model.
It is better than having mobile apps that scrape data from your phone, Google
Maps that tracks your every step, and data brokers you never heard of but they
have full information about you. We should not sacrifice our privacy only
because someone out there cannot make ends meet.

Google won't shut down if you stop it from tracking users' location. People
will still search the internet and buy smartphones.

------
cyborgx7
I'm glad the GDPR actually manages to enforce one of its lesser talked about
principles: data minimisation. What is worrying about this article is that it
implies companies are using other, even less consensual ways of tracking
users. Or maybe I'm reading too much into it.

~~~
Spare_account
That was my take on it as well:

> _In a September 2017 study of 250 US digital marketers by Viant, about 60%
> of respondents said they will no longer rely on cookies for the majority of
> their digital marketing within the next two years._

The absence of any description about what they will use instead is
frustrating.

~~~
woud420
Considering you cannot use cookies for mobile traffic, it's understandable
that most firms are moving away from it. Fingerprinting and device IDs have
been common for a few years and I don't think it will go away any time soon.

~~~
sleavey
Why can't you use cookies for mobile traffic?

~~~
woud420
I wasn't clear enough and I apologize. You _can_ use cookies but they will
only be within the context of a singular app's browser. For example, suppose
that you use two web browsers on your Desktop, Chrome and Firefox. If you
visit xyz.com on FF, some cookie information will most likely be stored.
However, if at a later time, you visit the domain on Chrome, it will not have
access to the same cookie store.

This becomes important in the context of third party cookies that want to
track you across apps. Hence why cookies are not a reliable method of
identification on mobile.

Hope this clears it up. :)

------
yeukhon
I fucking hate GDPR policy making every website show "Cookie Policy" ad pop
modal. STOP. Every single time after I have accepted it, I come back the next
day, I see the same modal again. I just accept it anyway, so stop. Stop this
horrible UX. Sorry, but it really annoys the shit out of me. It does and I am
pissed off every single time. If I accept, stop asking.

~~~
simias
Are you using a browser extension that may be interfering with the website? I
haven't had issues with websites forgetting my preferences yet.

Also being in the EU I'm used to these cookie dialogues, except before GDPR if
I wanted to opt-out (assuming that it was even an option) I'd often have to
wade through multiple pages, opting-out of the tracking which would take a
while, especially since they were usually using every dark pattern in the
book.

Now with GDPR I still get the messages but everything is opt-in instead of
opt-out and I can just click the (sometimes obfuscated) "I refuse" and carry
on. It's actually a huge quality of life improvement as far as I'm concerned.

~~~
yeukhon
At work I don't have any third-party blocking extensions (I use Chrome). At
home and on my mobile I do (I use Firefox Focus), but neither lets websites
"remember".

Is there something I need to configure?

~~~
r3bl
Firefox Focus deletes all data upon closing. That includes cookies where your
consent was locally stored. That's why you're seeing it every time.

~~~
yeukhon
Yeah, but this problem exists even on Chrome, on which I have no extension. So
Chrome has some built-in blocker interfering with it?

------
TeMPOraL
My country is so great. How on Earth did we register 30% _positive_ growth of
third-party domains and 20% growth of third-party cookies?

(Good that I don't generally visit the local Internet much anyway.)

~~~
blfr
Third party scripts for dealing with GDPR requirements perhaps?

------
jarfil
The GDPR made me switch my cookie policy, to using two Chrome extensions in
tandem:

- I don't care about cookies: auto accepts all cookies

- Cookie AutoDelete: auto deletes all cookies

So now you can track me all you want... until I leave your website and all the
cookies are gone (unless whitelisted).

~~~
Jerry2
Chrome and these extensions give you a false sense of privacy. Currently, no
extension can remove local storage and tracking information contained within
them.

[https://bugs.chromium.org/p/chromium/issues/detail?id=78093](https://bugs.chromium.org/p/chromium/issues/detail?id=78093)

You'll either have to clear local storage manually or get a privacy-oriented
browser.

------
legitster
Honestly, the upcoming ePrivacy regulation is much needed - the cookies
opt-in/out needs to be handled at the browser level. The current setup is
lose-lose for businesses and end users.

As a site admin, I have no problem honoring your request to not be tracked. I
just can't wait until I don't have to deal with the nightmare that is OneTrust
anymore.

~~~
Lio
You mean like the "do not track" request header?

[https://en.wikipedia.org/wiki/Do_Not_Track](https://en.wikipedia.org/wiki/Do_Not_Track)

It never ceases to amaze me the number of companies that "value" my privacy
but still somehow ignore the do not track header.

~~~
pluma
Well, Microsoft kinda dropped the ball on that one by making it the default
(although they later changed that).

~~~
Lio
I don't feel like they did drop the ball there. By default I don't want to be
tracked. I think that tracking across the internet should be opt in and users
should be made aware of what websites are doing _before_ they start doing it.

I also find the idea of secret shadow profiles to be slightly immoral for the
same reason.

~~~
pluma
DNT is a flawed idea in the first place. DNT is based on the idea that users
can opt out of being tracked by sending that header. But (e.g.) European
privacy law requires having users explicitly opt in to being tracked -- the
message DNT is meant to assert is the legal default under GDPR.

DNT only works if the assumption is that users who make no choice can be
treated as consenting (which is no longer the case under GDPR). But if you set
DNT by default you're not asserting "this user doesn't want to be tracked",
you're just making it impossible to tell whether the user explicitly opts out
or hasn't made a choice (and therefore actually does consent).

If tracking is opt-out rather than opt-in (i.e. if we disregard GDPR and
similar privacy laws and go with how US startups have operated so far) that
means DNT is no longer a reliable signal for opting out and thus meaningless.

Implications about consent and privacy aside, DNT only works if it is used
with intent. In the absence of intent, by making it the default without the
user's knowledge, it becomes ambiguous and therefore pointless.

To put it differently: if there had never been any browsers that set DNT by
default (except maybe browsers explicitly marketing themselves as "privacy
first" like Brave does), you could use DNT as an explicit assertion that you
do not consent to being tracked. This means it could actually serve as a
technical implementation to opt-out of any "implied consent" allowed by the
GDPR and making use of your right to control your data.

But thanks to Microsoft randomly slapping on the header to piss off Google,
DNT is now too ambiguous to infer any of that.

------
barbegal
The methodology behind this study looks okay but it isn't necessarily
representative of real world use. The study looks at the front page of around
200 news sites in Europe with a browser cleaned of all cookies. However in all
cases the IP address belonged to a machine at the University of Oxford so it
probably had some history attached to it.

It shows some reduction in cookies served before user interaction but it isn't
clear if this is due to GDPR or other changes that have been made over the 3
month period.

My summary is that the data found is not statistically significant given the
relatively limited sample size and lack of any control sample to compare
against showing usual variation over a 3 month period.

------
crazygringo
I just HATE all the pop-ups asking for permission to use cookies now.

Seriously, having to opt-in on a per-site basis has led me to loathe the GDPR.
It's a usability disaster. I never thought I'd hate anything more than the
"sign up for our newsletter" pop-ups... but these are even more pervasive.

If I'm the kind of person who hates cookies/tracking, I'll just install a
blocker and block it everywhere, and then whitelist any domains I need to.

It just makes me feel like the GDPR was a win for lawyers and legalese, and
nobody else.

~~~
jasonkostempski
I think we should have a de facto standard element class for legal notices
with no required user action, like legal-notice-no-action-required. Websites
use the css class, uBlock Origin makes it a built-in default element filter.
Website owners can fulfill their legal obligations and users that proactively
shape their browsing experience are all set. Neither side wants these things
messing up the browsing experience so, unlike the ad wars, we can work
together.

~~~
chriswarbo
> I think we should have a de facto standard element class for legal notices
> with no required user action, like legal-notice-no-action-required. Websites
> use the css class, uBlock Origin makes it a built-in default element filter.
> Website owners can fulfill their legal obligations and users that
> proactively shape their browsing experience are all set.

Sounds like P3P (
[https://en.wikipedia.org/wiki/P3P](https://en.wikipedia.org/wiki/P3P) )

> Neither side wants these things messing up the browsing experience so,
> unlike the ad wars, we can work together.

Personally, I absolutely want to know when sites are trying to spy on me and
sell the data. Despicable crap like that should be forced out into the public,
not quietly agreed to by the browser. That's exactly what GDPR is for.

~~~
jasonkostempski
> Personally, I absolutely want to know when sites are trying to spy on me and
> sell the data.

It's best to assume they're all doing that to some degree whether they tell
you they are or not. For one, most of the world isn't beholden to EU law.
Also, bad players don't play by the rules and by the time you know they're
bad, it's too late.

> Despicable crap like that should be forced out into the public, not quietly
> agreed to by the browser.

But the cookie law doesn't fix that problem, or any problem for that matter.
The notifications are 100% pointless and we're stuck with them because of a
stupid law. If anything, having a standard way to block the notices might
encourage more users towards a real fix for the tracking problems, which is
using something like uBlock Origin (just don't tell that to the site owners
that don't want users having tracking blockers).

------
alkonaut
The GDPR should get one important update and that’s QUICK:

You shouldn’t be allowed to ask for consent to do tracking or targeting as a
pop up. The site must be completely usable using only “required” cookies (to
which no consent should be required if it only tracks a limited set of data)
and any option to consent to anything outside this must be a hidden option.

That is: sites should have to work 100% without popups and shouldn’t be
allowed to use “marketing cookies” (for tracking and ad targeting)

Otherwise we just traded one nuisance for another.

~~~
chriswarbo
> The site must be completely usable using only “required” cookies (to which
> no consent should be required if it only tracks a limited set of data)

I think GDPR does actually say this.

> any option to consent to anything outside this must be a hidden option.

You're right that this would be a difference (although I imagine sites would
still end up covered in dark patterns trying to get users to enable it)

~~~
alkonaut
Right. And ”hidden option” is perhaps the wrong word, but let’s say one that
doesn’t prevent using the site/service in full.

Even supposedly serious outlets like WaPo do this. Full screen splash that
says “by using the site you agree to targeted ads”. Why even bother with that
when it’s so blatantly in violation? Isn’t it almost better to not look like
you are _deliberately_ in violation like that?

It’s not even a dark pattern, it’s just a big fat splash explaining how they
don’t care about the GDPR and intend to show me targeted ads using tracking
cookies.

------
amaccuish
I feel like the DNT header could have been made a lot better if it worked
alongside GDPR. Like, 0 = haven't chosen/prompt me (I want to pick exactly
what cookies I want), 1 = don't care give me everything, 2 = functional, 3 =
please don't track me at all. You could then just surface this per-site even
in the browser, maybe in a way resembling the IE Security Zone settings with
their nice sliders.

~~~
patrickmcnamara
I don't think this would work as it makes it too easy to not be fully tracked.
There are so many hoops to go through now because companies want to
incentivise being tracked and punish those who don't wish to be.

If this was brought in through regulation, that's a different story.

------
dstroot
Yeesh... 80 cookies on average for news sites! Down to 60... how many
different ways do they need to track one person?

~~~
Uw7yTcf36gTc
Each ad network needs to track you separately. So most of those 60 cookies are
not sending data to the news site, but rather to the ad network which bids to
display the ad to you.

~~~
ravenstine
There's ad networks, but there's also the plethora of vanity metrics that
management likes to collect to fill their charts which they will then use to
impress stakeholders, with the hope of getting paid more than the engineers.

I could probably make a million dollars selling companies a "customer
acquisition score" using phony baloney math if they place my script on their
website.

------
simplecomplex
GDPR doesn’t help anyone, so let’s pass more half baked regulations!

Let’s just ban companies from using the internet! That will stop internet
advertising for good. Thank God smart politicians like me care so much.

~~~
patrickmcnamara
In what way does it not help anyone?

It certainly seems to help EU citizens, like myself.

