Cookie policy notifications have ruined user experience on the web (reddit.com)
85 points by _davebennett on Aug 3, 2018 | hide | past | favorite | 84 comments


How ironic, websites have been breaking user experience for years by embedding always more trackers that took forever to load.

If a publisher doesn't want to display a GDPR notification to its users there's a simple trick: just don't collect and monetize personal information!


Notifications should be for exceptions that require action.


Action, like "close your browser and clear your cookies, disable cookies, and then block further cookie dropping from that site as well"?

Exceptions like when you're being ratted out, to many other companies that perform surveillance on you, by a company you have no particular affection for?


Even if we use cookies for basic sessions (absolutely no personal tracking, just session ID) - Isn't it mandatory to show "Cookie bar" on the said site?


No.

http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

(Perhaps surprisingly there is an exemption for "third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.")


The operative phrase in that last one is "for logged‑in members", because in that case the cookies fall under the earlier

> provider of an information society service explicitly required by the user to provide that service.

For a user logged-in to a social network, the user clearly consents to the social network providing a service. Note that it is not allowed if the user is not logged in to the social network.


Generally no. It's when cookies can identify an individual that it's considered personal data.


How could a session ID not identify an individual?

EDIT: I see there is an explicit exemption for session cookies: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm


Laws operate differently than code. If nobody actually associates session info with anything outside the application then that's enough, if you do then it's a problem.

Think of it as a 3rd dimension of what's going on where you can retroactively change what you did to something else. http://ansuz.sooke.bc.ca/entry/23


That is a really good writeup - and one of the reasons I'm sceptical of "code as law" until code can successfully model concepts like intent, origin or that article's "color" that fundamentally rely on human - and often subjective - understanding.

(Though I'd argue that "color" still doesn't meet the core of the copyright problem. E.g., if you drew your own Mickey Mouse sketch and published it, you'd probably still get in trouble for copyright violation, even though you never actually copied any material from Disney.

In that case the criterion seems to be that some humans (the lawyers and judges) believe some other humans (the general public) will reliably associate your drawing with their own concept of Mickey Mouse...)


Then there's reddit and its giant full page ad for the app before finally redirecting me to the content once I find the tiny link to continue instead of opening the app store...

Yes, reddit and fb and gmail and the like are intentionally crippled when viewed on mobile. Why? Maybe because the data an app can suck up off your phone is much more valuable. No pesky same-origin policies!

I digress :(


I noticed that reddit now has three separate "use our app" prompts, which don't seem to communicate so they can all appear on the same page. There's the loading-in system popup, the bottom-of-screen one, and the internal popup with a picture and two choices.

And then the bottom-bar one, instead of having two buttons, makes the entire field open the app store except for a tiny 'x' in the top right. Talk about unsubtle dark patterns.


I gave up on the redesign and am now using a browser extension[1][2] that always redirects to the old design.

[1] https://addons.mozilla.org/en-US/firefox/addon/old-reddit-re...

[2] https://chrome.google.com/webstore/detail/old-reddit-redirec...


The reddit redesign feels a lot like the Digg changes before everyone moved away. I think reddit still has a lot more going for it, and being able to opt out solves the problem, but I'm still ever so slightly worried.


It hasn't been pushed very hard, but the new 'chat' feature - on a website that already had private messaging - strikes me as a fundamental misunderstanding of what reddit's value is, one bad enough that it makes me doubt for the future design of the site as a whole.


Agreed. It's only a matter of time before they get rid of the opt-out of the redesign. When that happens, I'll likely quit. I find the redesign absolutely impossible to use.


It certainly doesn't help that they've apparently adopted the game development definition of a 'beta'. (i.e. an alpha that you roll out to all users.) There are several core features of the existing site which simply haven't been implemented yet - I consider that unacceptable for an all-users beta, especially in a redesign where those features are expected.

Visiting a user page and checking 'top' simply doesn't work, with a note that it will someday. And that's made even worse because the new 'hot' on user pages has some sort of godawful logic that only shows a handful of posts from a given thread. This is painfully apparent with AMAs, where visiting the AMA account and checking all posts is a standard action - after trashing the AMA infrastructure on the business side (the Victoria mess), the same thing is now happening on the tech side.

The new redesign requires every sub to build a new theme just to maintain existing functionality, and is apparently harder to theme for also. I suspect it's an attempt at homogeneity to be more welcoming to new users, but the practical consequence is that sidebars (rules, links, info) have simply vanished. Which means more work for moderators, less info for visitors, and occasionally complete dysfunction for subs that used the sidebar for something important.

And, of course, the redesign is nakedly anti-user in much the same way as the recent TechCrunch one. It's designed to make sponsored-content ads harder to distinguish, sacrifice content space for site features space, and promote time-on-site over user choice and experience.

I retreated to a handful of low-use, well-moderated subs quite a while ago, and with the site changes tarring even those I'll probably give up soon also.


Completely agree, with all of it. I pretty much only use it for a few things that I have interest in, and don't really venture outside of there. Even then, I've tried to limit my posting and frequenting of the site; there are some weeks where the only thing I'll post is the weekly one on a sub I help moderate.

I've even gone to the point of deleting the app on my phone, and, if I have to, I'll open it in mobile browser (and deal with their shit) to check messages/etc in the morning. I need to start trying to wean myself away from it completely, if only to help kill off that online identity.


Don't worry about trying to click the 'continue' link, just keep scrolling down and it disappears.

It's still annoying, but not as annoying as trying to click the tiny link.


I've read lots of articles from companies like Pinterest and Flipkart about how lightweight PWAs increased user engagement by some huge amount, like 200%. So why are other companies like Reddit spoiling their mobile web experience by pushing their apps so hard?


Use this link on mobile. It’s way better: https://i.reddit.com/


Oh man! And you think anyone is bad when it comes to intrusive cookies just look at the crap Reddit keeps on you!


We wouldn't be having this discussion if cookies were opt-in rather than opt-out. I don't sign into 90% of websites I visit, but why are all of them allowed to track me? If cookies were opt-in, then the legal issue of "consent" would be cleanly resolved, and the interface can be handled by the user agent rather than through obtrusive modals.


The problem is, the purpose of cookies isn't tracking, they're a hack to maintain state between requests for what's supposed to be a stateless protocol (and until HTML5 came along with session storage and local storage, they were the only way to do that in the browser.) So cookies are useful (and often used) for purposes besides tracking and advertising.

Having cookies be opt-in by default would just punish anyone using cookies for benign purposes.


Cookies were never the only way to do this. Before cookies became popular, having the ability to create a session was still possible. The primary method of doing this was similar to cookies: have a sessionId parameter in your query. There were also passive ways of profiling a user's client to isolate it based on what it looked like (IP, User Agent, user agent Accept and Accept Charset, etc.; see [0]).

[0] http://www.rkeene.org/viewer/tmp/wwwftp_cgi.c.htm#line182


I'd be interested to know what percentage of sites would actually lose functionality.

At a crude estimate, >90% of the sites that show me cookie warnings do everything I actually want them to statelessly. And I have some backup for that, because when I block cookies by default very few sites actually seem to get worse.

Are there clever user-aiding tricks with cookies that I don't realize I'm losing? Or is the average site with cookies purely for tracking and advertising?

(This is all a separate question from "should cookies be blocked by default"; I know a few uses really do suffer badly.)


Pretty much any site with a login is using cookies to do it.


True, and logins (along with browser games) leap to mind as the most widespread issue with general cookie-blocking.

But I probably sign into <5% of sites I visit, and even many of those are actively user-hostile, like Quora. I understand why Quora wants me to sign in, but from my end of things it's no more worthwhile than being asked to sign into Wikipedia just to read articles.

Broadly, I guess this is a gripe about how my web-use experience has become fundamentally adversarial. Cookies are one of many perfectly reasonable features which I cripple or disable even on respectable top-100 sites because they're used almost exclusively against my interests, but I'm not sure there's a good tech-level fix to that for users in general.


Sure, but I do not log in to the vast majority of the websites that I visit, and cookies aren't required for them to function properly unless I choose ('opt in') to log in.


Sure but to create a login there is a transaction of consent.


Exactly. No one -has- to add a cookie that tracks you across sites they don't even own. They can easily be used for authentication and session management without scraping a bunch of personal information from every visitor, logged in or not.


Just to add to this, if you disable cookies, localStorage also goes so not only cookies, any site using storage would also be impacted.


Cookies rely on the cooperation of the user-agent. From the website's perspective, they are opt-in.


You can already do this. In Firefox:

* Go to your Cookies And Site Data preferences

* Select "Block Cookies And Site Data"

* Click on "Exceptions"

* Add the address of the website you opt-into

* Click "Allow For Session" or "Allow" as you choose.


You visited them and you didn't turn off your browser's cookie requests; therefore you decided to accept the files that the site offers to your browser.


You make a fair point -- it's popular to take the same tack with web servers and ad blocking (a server makes content publicly available -- users can decide which parts to view). Not a stretch to apply the same logic both ways -- just because a server offers a file to you, doesn't mean you are forced to store and give the file back on demand.

If this view were more widely adopted, it would maybe pressure browser vendors into being more transparent with users on cookie management and proactively ask them how they want to handle them.


Cookies are opt-in. Install umatrix and be done with it.


As a workaround, we can disable them on the whole and enable them on a per-site basis (the 10% of websites you sign into). It's a hassle but yeah ...


That's sort of what I do with cookie auto-delete, which keeps cookies until you close the tab. Otherwise some sites don't play nice when you disable cookies entirely.


I'm a really big fan of geotargeting these notices only to the EU. If the EU wants cookie notices, give the EU cookie notices. Don't give anyone else cookie notices, because they're garish and few people reasonably care.


You can't do geotargeting here, because to perform geotargeting you need the user's consent to use his location (which is personal data ;) ) if he is European.


Is IP geolocation included in that? I'm genuinely curious, actually. That's how most websites do content filtering (even BBC iPlayer uses server side geolocation to filter people out).


This isn't true.

You can use cookies for necessary operations of the website, which this almost certainly is. Also, country level location data isn't PII, and also doing a geoip lookup that you don't store anywhere also isn't in violation.


This isn't true either. If you're using an IP lookup to determine the user's current country, that's still processing PII (since many courts have already ruled that an IP address is unique enough to identify a person -- technical challenges notwithstanding).

However, you have a clear and stated use case for processing that PII so consent is not required, but you are required to mention this processing in your privacy policy. Not publishing this processing is (strictly speaking) a violation of the GDPR, but the processing itself isn't.


For the purpose of the GDPR, an IP is PII. However, one can get rough location using an anonymized version of an IP address (say one that has zeroed out the last octet or two).

From Recital 26 (https://gdpr-info.eu/recitals/no-26/):

> The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.


Is this different from GDPR in the sense that EU citizen can be accessing your website from other parts of the world?


But what if your geotargeting doesn’t work as expected, and has a few false negatives? Will that hold up in court?


Policy is all about how it gets enforced and acted on. An imperfect cookie targeting scheme could probably fall down in court, but there isn't much caselaw about the cookie law right now. I can't recall any major cases where website operators were taken to court over it.


If you don't have operations in the EU then you don't have to worry about that nonsense to begin with.


Are Cookie policy notifications a thing outside of the EU? I always assumed that websites geo target these notifications and life with the small risk of corner cases (like EU customer in the US). If anyone has experience, or numbers I’d find that highly interesting.

One datapoint from Germany: We were largely unaffected by cookie notifications before GDPR, because of a local law (TMG) that superseded the EU “cookie law”.

Since GDPR we are in the curious situation that every small and medium sized business plasters its website with extravagant opt-in notification pop-ups while the worst privacy offenders, like the nation's largest newspapers, bombard you with all kinds of cookies with no notification at all.

Just one example I tried a few moments ago:

spiegel.de, one of the most widely read German-language news sites, set 54 cookies from lots of different domains plus local storage usage. No cookie notification whatsoever.

Another example: bundesregierung.de, the official government website, states in its privacy policy that they set a web analytics cookie (Matomo) but they don't show a notification either.


The "funniest" part is that Spiegel probably made several news articles about GDPR. In France it's the same.

Sad thing for them, they won't be able to pretend they didn't know (which will be a good lesson taught).


Heise is even worse. They covered GDPR extensively, yet don't do any notifications on their own websites.


HA, this made it to the front page right as I was composing this Ask HN submission about picking a de facto standard element CSS class so that ad blockers could just start including a simple rule to get rid of them: https://news.ycombinator.com/item?id=17679932


There is an adblock filter list for cookie warnings: https://github.com/r4vi/block-the-eu-cookie-shit-list


I figured, but maintaining that is such a waste of human life and parsing the list is a waste of my CPU time. Since no one on either side of the fence wants the notices to exist, web developers could just use a de facto standard element class and ad blockers can add a simple rule.


Is it a waste of human life? From a utilitarian perspective, it’s easy to see how one dev coding for an hour could save cumulatively many hours otherwise wasted by users clicking through GDPR/cookie pop-ups. From a purely “time invested” vs. “time saved” perspective, maintaining Adblock lists is likely a net benefit.


Ad/tracker block lists, yes, totally worth the effort because we have to fight against people that want to use our own machines against us. For the cookie notice, we're all on the same side, so we can make it easier for everyone.


It'd be even better if my user agent could simply indicate my acceptance (or lack thereof) for me.


This is what Do Not Track was supposed to be. Unfortunately it never got much momentum. Google, Facebook, Twitter, etc. ignore the DNT header.


Another useless attempt at reducing tracking I wish would be banished from the web. The amount of pollution in web standards (official, legal, or accidental) is becoming just as annoying as the annoying things they're trying to fix.


Here is an idea: instead of a cookie policy notification, have a setting in the browser with the user's cookie setting. That way a website can look at that setting and store cookies or not.


You can already have your website check for the Do Not Track header, don't set non-essential cookies and don't show a notice when it's set. Basically no website does that.


It would be cool if we could develop a protocol where users could flip a setting on their browser that tells every website they visit that the user has consciously, legally opted-in to all cookies. Heck, it would be cool to also have an option that says I accept all your Privacy Policies and Terms of Agreement, so don't show me any banners related to those either.


> a setting on their browser that tells every website they visit that the user has consciously, legally opted-in to all cookies

IMO, you do this when you open the browser. Why does every website need to explain how the internet works?


Many websites legally need opt-in permission to put (and use) a tracking cookie, so unless the user intentionally chooses to do opt in, they're not legally permitted to do so even if the internet technologies enable them to make it happen.

There are many things that are technically easily possible, but prohibited unless certain nontechnical conditions are met. Tracking cookies is one of them.

Opening a browser doesn't constitute freely opting in to your specific use of data; at most it constitutes not opting out, but that's not legally sufficient.


Not just cookie policy notifs but all bottom or top aligned overlays present on page load... like the one on this reddit page begging me to install a mobile app so they can get my advertising id


What happens if you use cookies and don't show any banner?

Does this also apply to localStorage and other offline storage methods?


I wish we could converge on a way to tag such notifications, so that those who want to can filter them out.


Do these notifications actually help with GDPR compliance or are they just a CYA for the websites?


IMHO not really, GDPR isn't really about (and thus can't be satisfied by) notifications and click-OK-to-continue "consent".

For the common use cases of data by random websites, there really are two common scenarios GDPR-wise:

1) Whatever you're (not) doing with the user data falls under one of the multiple GDPR valid reasons for use that do not require user consent: in this case a clear and informative description in an easily accessible privacy policy is sufficient, and the notification/"agreement" isn't needed for GDPR compliance, the popup is useless.

2) Whatever you want to do with user data requires user consent, but you're not going to get GDPR-valid (informed, specific, freely given and opt-in) consent. There are specific sites that can get meaningful consent because users really want it (e.g. genealogy sites come to mind), but for the random "we want to track you for advertising purposes and share it with 200 third parties", it's not realistic. And the popups don't (can't) help you with that. A popup that allows you to opt out... well, if it's not opt-in, the consent isn't valid in the first place; if the user goes "meh, whatever", then that doesn't count as opt-in consent. If the user is required to "agree" to continue, then that doesn't count as freely given consent. If the user isn't clearly told everything before they intentionally opt-in to every single use case because they want you to do that particular thing, then that doesn't count as specific, informed consent. If you do implement all these things properly, then most users aren't going to opt-in in the "ad-tracking" scenario (which is the GDPR intended result), so companies don't want to implement it properly.

So the nasty popup doesn't really grant you consent anyway (the process is inevitably missing at least one of these key criteria for valid consent), so GDPR-wise it's useless anyway.


Given that (from my IANAL understanding) the GDPR requires opt-in and forbids "click I accept or leave our service" style forced opt-in, I'd say this is not even CYA - it's closer to magical cargo cult incantations.


> the GDPR requires opt-in and forbids "click I accept or leave our service"

That's an asinine law if I ever saw one. Telling me how I should run my business? Really? From what vantage point, if I may ask?

If I had a company, I would ignore the whole thing and invite them to cross the pond and try their crap in my jurisdiction, under my laws. Or just block them altogether. If they want to go back to the middle ages, let them.


It's called "regulation". Yes, I think, the GDPR is quite opinionated in that they want to discourage "pay with your data"/"surveillance capitalism" type business models - the reasons have been discussed enough in the last years.

I guess the authors understood that without that clause, there would be an obvious loophole that would indeed lead to nothing more than annoying pop-ups and reduce the desired consumer choice to name-only. So they took the logical step to close the loophole.

Of course many businesses are trying to counter with a pop-up anyway. But then, that's not the fault of the regulation.



GDPR compliance requires opt-out, so cookie notifications are useless as far as compliance goes now. If you don't/can't comply, then you might as well not mention cookies at all - in both cases you're in breach of GDPR but at least you won't be ruining your UX.


GDPR compliance cannot be done by opt-out; if consent is required, it requires opt-in - recital 32 (https://gdpr-info.eu/recitals/no-32/): "Consent should be given by a clear affirmative act [...]", "Silence, pre-ticked boxes or inactivity should not therefore constitute consent."

No matter what your notifications and T&Cs say, the default UX path where the user clicks "meh, whatever, go on" until the popup disappears won't give the site any legal consent to use data because informed, specific, freely given opt-in consent didn't happen.


Definitely cover your ass, given how the fines are instant bankruptcy for a lot of companies.

I'm inclined to believe this + the cookie banners are also a lot of "well site X did it like that, we probably should do that as well" instead of reading and understanding the actual rules.

The easy way out would of course be to not violate the GDPR, but with 3rd party advertisers that's a bit painful.

I still don't know why big publishers don't just own the ads themselves, that is, have an ad department, have them approve ads and return statistics to the advertisers, have tracking all on the same domain, etc.


I can't count how many times I right-clicked to hide an element thanks to uBlock Origin.


Works for most:

    javascript:(function()%7Bvoid([].forEach.call(document.querySelectorAll('body *'),e=>/fixed|sticky/.test(getComputedStyle(e).position)&&e.parentNode.removeChild(e)))%3Bdocument.body.style.overflow%3D'auto'%3Bdocument.body.style.height%3D'auto'%7D)()


They’re terrible. Who are we kidding, no one has backed out of the website after seeing one of these notices.


Of course people have.

They don't state it clearly, but every cookie means: "By accepting this cookie you agree to be tracked on the Internet, and allow that data to be sold."

(or, "We don't really understand cookie-law, and we didn't actually need to put this up".)

Once you know that, it's easier to ask yourself: "Do I really need to read this? Also given that it's likely a sub-par publication, because tracking usually implies layouts and techniques optimised to keep you on the site and optimise data collection."


I back out of them all the time.

Particularly the egregious dark-pattern ones: "Click this giant green button to let us track you out the wazoo, or click this tiny misleadingly-named link to drag you through a six-hour hell of settings dialogs which will drop you out without actually changing anything the instant it thinks it can get away with it."


The vast majority of people are not backing out. They're instinctively clicking that button to get it out of the way, it's the new banner blindness.


Do you know of an example website that does this?



