
Cookie policy notifications have ruined user experience on the web - _davebennett
https://www.reddit.com/r/web_design/comments/93o0eg/cookie_policy_notifications_have_ruined_user/
======
littlestymaar
How ironic, websites have been breaking user experience for years by embedding
always more trackers that took forever to load.

If a publisher doesn't want to display a GDPR notification to its users
there's a simple trick: just don't collect and monetize personal
information!

~~~
iKevinShah
Even if we use cookies for basic sessions (absolutely no personal tracking,
just session ID) - Isn't it mandatory to show "Cookie bar" on the said site?

~~~
pjc50
No.

[http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm](http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)

(Perhaps surprisingly there is an exemption for "third‑party social plug‑in
content‑sharing cookies, for logged‑in members of a social network.")

~~~
tremon
The operative phrase in that last one is "for logged‑in members", because in
that case the cookies fall under the earlier

 _provider of an information society service explicitly required by the user
to provide that service._

For a user logged-in to a social network, the user clearly consents to the
social network providing a service. Note that it is not allowed if the user is
not logged in to the social network.

------
modzu
then there's reddit and its giant full page ad for the app before finally
redirecting me to the content once i find the tiny link to continue instead of
opening the app store...

yes reddit and fb and gmail and the like are intentionally crippled when
viewed on mobile. why? maybe because the data an app can suck up off your
phone is much more valuable. no pesky same-origin policies!

i digress :(

~~~
Bartweiss
I noticed that reddit now has three separate "use our app" prompts, which
don't seem to communicate so they can all appear on the same page. There's the
loading-in system popup, the bottom-of-screen one, and the internal popup with
a picture and two choices.

And then the bottom-bar one, instead of having two buttons, makes the entire
field open the app store except for a tiny 'x' in the top right. Talk about
unsubtle dark patterns.

~~~
mercer
The reddit redesign feels a lot like the Digg changes before everyone moved
away. I think reddit still has a lot more going for it, and being able to opt
out solves the problem, but I'm still ever so slightly worried.

~~~
Bartweiss
It hasn't been pushed very hard, but the new 'chat' feature - on a website
that already had private messaging - strikes me as a fundamental
misunderstanding of what reddit's value is, one bad enough that it makes me
doubt for the future design of the site as a whole.

~~~
dorchadas
Agreed. It's only a matter of time before they get rid of the opt-out of the
redesign. When that happens, I'll likely quit. I find the redesign absolutely
impossible to use.

~~~
Bartweiss
It certainly doesn't help that they've apparently adopted the game development
definition of a 'beta'. (i.e. an alpha that you roll out to all users.) There
are several core features of the existing site which simply haven't been
implemented yet - I consider that unacceptable for an all-users beta,
especially in a redesign where those features are expected.

Visiting a user page and checking 'top' simply _doesn't work_, with a note
that it will someday. And that's made even worse because the new 'hot' on user
pages has some sort of godawful logic that only shows a handful of posts from
a given thread. This is painfully apparent with AMAs, where visiting the AMA
account and checking all posts is a standard action - after trashing the AMA
infrastructure on the business side (the Victoria mess), the same thing is now
happening on the tech side.

The new redesign requires every sub to build a new theme just to maintain
existing functionality, and is apparently harder to theme for also. I suspect
it's an attempt at homogeneity to be more welcoming to new users, but the
practical consequence is that sidebars (rules, links, info) have simply
vanished. Which means more work for moderators, less info for visitors, and
occasionally complete dysfunction for subs that used the sidebar for something
important.

And, of course, the redesign is nakedly anti-user in much the same way as the
recent TechCrunch one. It's designed to make sponsored-content ads harder to
distinguish, sacrifice content space for site features space, and promote
time-on-site over user choice and experience.

I retreated to a handful of low-use, well-moderated subs quite a while ago,
and with the site changes tarring even those I'll probably give up soon also.

~~~
dorchadas
Completely agree, with all of it. I pretty much only use it for a few things
that I have interest in, and don't really venture outside of there. Even then,
I've tried to limit my posting and frequenting of the site; there are some
weeks where the only thing I'll post is the weekly one on a sub I help
moderate.

I've even gone to the point of deleting the app on my phone, and, if I have
to, I'll open it in mobile browser (and deal with their shit) to check
messages/etc in the morning. I need to start trying to wean myself away from
it completely, if only to help kill off that online identity.

------
gruez
We wouldn't be having this discussion if cookies were opt-in rather than
opt-out. I don't sign into 90% of websites I visit, but why are all of them
allowed to track me? If cookies were opt-in, then the legal issue of "consent"
would be cleanly resolved, and the interface can be handled by the user agent
rather than through obtrusive modals.

~~~
krapp
The problem is, the purpose of cookies isn't tracking, they're a hack to
maintain state between requests for what's supposed to be a stateless protocol
(and until HTML5 came along with session storage and local storage, they were
the only way to do that in the browser.) So cookies are useful (and often
used) for purposes besides tracking and advertising.

Having cookies be opt-in by default would just punish anyone using cookies for
benign purposes.

~~~
Bartweiss
I'd be interested to know what percentage of sites would actually lose
functionality.

At a crude estimate, >90% of the sites that show me cookie warnings do
everything I actually want them to statelessly. And I have some backup for
that, because when I block cookies by default very few sites actually seem to
get worse.

Are there clever user-aiding tricks with cookies that I don't realize I'm
losing? Or is the average site with cookies purely for tracking and
advertising?

(This is all a separate question from "should cookies be blocked by default";
I know a few uses really do suffer badly.)

~~~
davidcbc
Pretty much any site with a login is using cookies to do it

~~~
kikoreis
Sure but to create a login there is a transaction of consent.

~~~
finaliteration
Exactly. No one -has- to add a cookie that tracks you across sites they don’t
even own. They can easily be used for authentication and session management
without scraping a bunch of personal information from every visitor, logged in
or not

------
Shank
I'm a really big fan of geotargeting these notices only to the EU. If the EU
wants cookie notices, give the EU cookie notices. Don't give anyone else
cookie notices, because they're garish and few people reasonably care.

~~~
littlestymaar
You can't do geotargeting here, because to perform geotargeting you need the
user's consent to use his location (which is personal data ;) ) if he is
European.

~~~
fasteddie
This isn't true.

You can use cookies for necessary operations of the website, which this almost
certainly is. Also, country level location data isn't PII, and also doing a
geoip lookup that you don't store anywhere also isn't in violation.

~~~
tremon
This isn't true either. If you're using an IP lookup to determine the user's
current country, that's still processing PII (since many courts have already
ruled that an IP address is unique enough to identify a person -- technical
challenges notwithstanding).

However, you have a clear and stated use case for processing that PII so
consent is not required, but you are required to mention this processing in
your privacy policy. Not publishing this processing is (strictly speaking) a
violation of the GDPR, but the processing itself isn't.

~~~
davidfischer
For the purpose of the GDPR, an IP is PII. However, one can get rough location
using an anonymized version of an IP address (say one that has zeroed out the
last octet or two).

From Recital 26 ([https://gdpr-info.eu/recitals/no-26/](https://gdpr-info.eu/recitals/no-26/)):

> The principles of data protection should therefore not apply to anonymous
> information, namely information which does not relate to an identified or
> identifiable natural person or to personal data rendered anonymous in such a
> manner that the data subject is not or no longer identifiable.
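
The truncation described in the comment above (zeroing the last octet or two before a rough location lookup), as an added example that is not part of the original thread. The IPv6 /48 prefix, the access-log layout, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def anonymize_ip(raw, v4_prefix=24, v6_prefix=48):
    """Zero the host bits of an address before any lookup or storage.

    v4_prefix=24 zeroes the last octet, 16 the last two; the IPv6 /48
    default is an assumption of this example, not a figure from the thread.
    """
    addr = ipaddress.ip_address(raw.strip())   # ValueError on junk input
    # ::ffff:a.b.c.d is an IPv4 client seen through a dual-stack socket;
    # masking it as IPv6 would wipe the whole address, so unwrap it first.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    bits = addr.max_prefixlen
    if not 0 <= prefix <= bits:
        raise ValueError(f"prefix /{prefix} out of range for IPv{addr.version}")
    mask = ((1 << prefix) - 1) << (bits - prefix)
    return str(type(addr)(int(addr) & mask))

def scrub_log_line(line, **prefixes):
    """Anonymize the client-address field (first token) of an access-log line."""
    client, sep, rest = line.partition(" ")
    try:
        client = anonymize_ip(client, **prefixes)
    except ValueError:
        client = "-"   # unparseable: drop it rather than keep the raw value
    return client + sep + rest

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.77 - - [01/Aug/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:12:34:56:78:9a - - [01/Aug/2018:10:00:01 +0000] "GET /a HTTP/1.1" 200 90',
    '::ffff:198.51.100.23 - - [01/Aug/2018:10:00:02 +0000] "GET /b HTTP/1.1" 404 0',
    'unknown - - [01/Aug/2018:10:00:03 +0000] "GET /c HTTP/1.1" 200 7',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
```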

------
weinzierl
Are Cookie policy notifications a thing outside of the EU? I always assumed
that websites geo target these notifications and live with the small risk of
corner cases (like EU customer in the US). If anyone has experience, or
numbers I’d find that highly interesting.

One datapoint from Germany: We were largely unaffected by cookie notifications
before GDPR, because of a local law (TMG) that superseded the EU “cookie law”.

Since GDPR we are in the curious situation that every small and medium sized
business plasters its website with extravagant opt-in notification pop-ups
while the worst privacy offenders, like the nation's largest newspapers,
bombard you with all kinds of cookies with no notification at all.

Just one example I tried a few moments ago:

spiegel.de one of the most widely read German-language news sites set 54
cookies from lots of different domains plus local storage usage. No cookie
notification whatsoever.

Another example: bundesregierung.de, the official government website, states
in its privacy policy that they set a web analytics cookie (Matomo) but they
don’t show a notification either.

~~~
JeanMarcS
The « funniest » part is that Spiegel probably made several news articles about
GDPR. In France it’s the same.

Sad thing for them, they won’t be able to pretend they didn’t know (which will
be a good lesson taught)

~~~
weinzierl
Heise is even worse. They covered GDPR extensively, yet don't do any
notifications on their own websites.

------
jasonkostempski
HA, this made it to the front page right as I was composing this Ask HN
submission about picking a de facto standard element CSS class so that ad
blockers could just start including a simple rule to get rid of them:
[https://news.ycombinator.com/item?id=17679932](https://news.ycombinator.com/item?id=17679932)

~~~
NSAID
It'd be even better if my user agent could simply indicate my acceptance (or
lack thereof) for me

~~~
kylel
This is what Do Not Track was supposed to be. Unfortunately it never got much
momentum. Google, Facebook, Twitter, etc. ignore the DNT header.

~~~
jasonkostempski
Another useless attempt at reducing tracking I wish would be banished from the
web. The amount of pollution in web standards; official, legal, or accidental;
is becoming just as annoying as the annoying things they're trying to fix.

------
aaronarduino
Here is an idea: instead of a cookie policy notification, have a setting in
the browser with the user's cookie setting. That way a website can look at
that setting and store cookies or not.

~~~
detaro
You can already have your website check for the Do Not Track header, don't set
non-essential cookies and don't show a notice when it's set. Basically no
website does that.
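
One way a site could do what the comment above describes, as an added example that is not part of the original thread: a WSGI middleware that honours `DNT: 1` by dropping non-essential `Set-Cookie` headers. The essential-cookie allow-list, the `privacy.dnt` environ key, the `X-Show-Cookie-Notice` header (standing in for rendering the banner), and the demo application are all hypothetical.

```python
ESSENTIAL = {"sessionid", "csrftoken"}   # assumption: this site's strictly necessary cookies

class DNTCookieFilter:
    """When the request carries DNT: 1, strip every Set-Cookie header whose
    cookie name is not on the essential allow-list."""
    def __init__(self, app, essential=ESSENTIAL):
        self.app, self.essential = app, set(essential)

    def __call__(self, environ, start_response):
        dnt = environ.get("HTTP_DNT", "").strip() == "1"
        environ["privacy.dnt"] = dnt      # hypothetical key: lets the app skip the notice

        def filtered_start(status, headers, exc_info=None):
            if dnt:
                headers = [(k, v) for k, v in headers
                           if k.lower() != "set-cookie" or self._name(v) in self.essential]
            return start_response(status, headers, exc_info)
        return self.app(environ, filtered_start)

    @staticmethod
    def _name(set_cookie_value):
        # "name=value; Attr; Attr" -> "name"
        return set_cookie_value.split("=", 1)[0].strip()

def demo_app(environ, start_response):
    """Constructed application that sets a session cookie and an analytics cookie."""
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", "sessionid=abc123; HttpOnly; Secure; SameSite=Lax"),
               ("Set-Cookie", "_analytics=u-42; Max-Age=31536000")]
    if not environ.get("privacy.dnt"):
        headers.append(("X-Show-Cookie-Notice", "1"))
    start_response("200 OK", headers)
    return [b"ok"]

def response_headers(dnt_header=None):
    """Run demo_app behind the filter and return the headers the client would get."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if dnt_header is not None:
        environ["HTTP_DNT"] = dnt_header
    captured = []
    DNTCookieFilter(demo_app)(environ, lambda s, h, e=None: captured.extend(h))
    return captured

def cookie_names(headers):
    return [v.split("=", 1)[0] for k, v in headers if k == "Set-Cookie"]
```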

------
aarongray
It would be cool if we could develop a protocol where users could flip a
setting on their browser that tells every website they visit that the user has
consciously, legally opted-in to all cookies. Heck, it would be cool to also
have an option that says I accept all your Privacy Policies and Terms of
Agreement, so don't show me any banners related to those either.

~~~
joobus
> a setting on their browser that tells every website they visit that the user
> has consciously, legally opted-in to all cookies

IMO, you do this when you open the browser. Why does every website need to
explain how the internet works?

~~~
PeterisP
Many websites legally need opt-in permission to put (and use) a tracking
cookie, so unless the user intentionally _chooses_ to do opt in, they're not
legally permitted to do so even if the internet technologies enable them to
make it happen.

There are many things that are technically easily possible, but prohibited
unless certain nontechnical conditions are met. Tracking cookies is one of
them.

Opening a browser doesn't constitute freely opting in to your _specific_ use
of data; at most it constitutes not opting out, but that's not legally
sufficient.

------
mobilehnuser
Not just cookie policy notifs but all bottom or top aligned overlays present
on page load... like the one on this reddit page begging me to install a
mobile app so they can get my advertising id

------
andrethegiant
What happens if you use cookies and don't show any banner?

Does this also apply to localStorage and other offline storage methods?

------
Bromskloss
I wish we could converge on a way to tag such notifications, so that those who
want to can filter them out.

------
SteveNuts
Do these notifications actually help with GDPR compliance or are they just a
CYA for the websites?

~~~
xg15
Given that (from my IANAL understanding) the GDPR requires opt-in _and_
forbids "click I accept or leave our service" style forced opt-in, I'd say
this is not even CYA - it's closer to magical cargo cult incantations.

~~~
etatoby
> _the GDPR requires opt-in and forbids "click I accept or leave our service"_

That's an asinine law if I ever saw one. Telling me how I should run my
business? Really? From what vantage point, if I may ask?

If I had a company, I would ignore the whole thing and invite them to cross
the pond and try their crap in my jurisdiction, under my laws. Or just block
them altogether. If they want to go back to the middle ages, let them.

~~~
xg15
It's called "regulation". Yes, I think, the GDPR is quite opinionated in that
they want to discourage "pay with your data"/"surveillance capitalism" type
business models - the reasons have been discussed enough in the last years.

I guess the authors understood that without that clause, there would be an
obvious loophole that would indeed lead to nothing more than annoying pop-ups
and reduce the desired consumer choice to name-only. So they took the logical
step to close the loophole.

Of course many businesses are trying to counter with a pop-up anyway. But
then, that's not the fault of the regulation.

------
jokoon
I can't count how many times i right clicked to hide element thanks to u block
origin

------
rasz
works for most:

    javascript:(function()%7Bvoid([].forEach.call(document.querySelectorAll('body *'),e=>/fixed|sticky/.test(getComputedStyle(e).position)&&e.parentNode.removeChild(e)))%3Bdocument.body.style.overflow%3D'auto'%3Bdocument.body.style.height%3D'auto'%7D)()

------
pupppet
They’re terrible. Who are we kidding, no one has backed out of the website
after seeing one of these notices.

~~~
mrec
I back out of them all the time.

Particularly the egregious dark-pattern ones: "Click this giant green button
to let us track you out the wazoo, or click this tiny misleadingly-named link
to drag you through a six-hour hell of settings dialogs which will drop you
out without actually changing anything the instant it thinks it can get away
with it."

~~~
pupppet
The vast majority of people are not backing out. They're instinctively
clicking that button to get it out of the way, it's the new banner blindness.

