Clicking 'no' should still allow people to view the website, but without placing any tracking cookies.
Source (in Dutch): https://autoriteitpersoonsgegevens.nl/nl/nieuws/websites-moe...
I think the real problem here is that the technical feature of cookies providing browser state is a poor proxy for what EU/DPA _really_ wants to regulate, which is privacy-related tracking.
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
Of course, no website will ever tell you "Hey, we're using cookies to track you"; it's in most companies' (both legal consulting companies' and website owners') best interest to keep people ignorant. Consulting companies want website owners to be scared and buy legal consulting services, and website owners want people to think that the pop-ups are a result of stupid EU legislation and not because they are actually being tracked.
If I need to get explicit opt-in for "So, remembering your shopping cart when you come back requires cookies, that okay with you?" I'm not sure how much better that would be. It's still gonna be information overload "false positives".
But I think that is what the regulations actually intend. "We need cookies to give you: Shopping cart; search history; login to your account; whatever -- opt in or out to each one, you can still use the site just without those features if you go out."
A) That is actually fairly expensive to implement.
C) But you are exactly right that no company is ever going to tell you what you _really_ care about. Unless regulations make them maybe. These regulations were trying. Not there yet.
I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects which includes being able to create an account to save their shopping cart and view their order history, while using cookies to show tailored product suggestions wouldn't be. However, IANAL and I haven't even read through the text of the directive.
You can 100% support a logged in account experience without cookies. Java, for example, supports jsession id in the URL for people with cookies disabled. This id belongs to a session that is managed by the app server, which you can use to store information such as the cart, logged in account id, etc. If Java can do it, other languages and web frameworks that currently only support cookies can do it too.
I think the better angle to look at it is: session cookies expire when someone closes their browser. They aren't that good at tracking people.
In that light I tend to agree with GP. If you're just using cookies to run sessions for your site, I just can't see regulators coming down on you.
There's some potent mix legal and technical pedantry combining with the profit motive of consultants everywhere that has led to a huge wave of overblown FUD around GDPR.
The fact is, ad-tech has been running amok for years and I don't think it's that hard to draw a line if we're intellectually honest. Of course it will take years for case law to catch up, but it's not as hand-wringingly difficult as some would have us believe.
You don't provided you have a reasonably short retention period, are not storing personal information that is not directly needed for remembering the shopping cart and are only using it for that and not simply using that as a justification for something else.
Nor do the regulations. You have to meet the exactly the same requirements to store personal information using some other mechanism that you do using cookies.
The biggest lie in most cookie warning popups is that you need to accept them for the site to function. It is often not true. Those are session cookies and you don't need to warn users about them, they're just allowed.
I didn't know this, and neither do any of the cookie warnings mention this. So like many people I thought the cookie law was the stupidest thing ever because like you say, you gotta have state. But the session cookies used to make a site hold state, those aren't considered tracking. When I learned about this little fact, it changed my opinion about the cookie law considerably.
As far as I understand it, the GDPR does everything and more than the cookie law was supposed to, so IMO it's about time we put that disaster behind us.
On the web, your approximate unique ID is your browser fingerprint. That can be used to join your activity to other activity.
Your session cookie is your activity for your browsing session (or for users who never quit their browser, your entire computer uptime).
Think about it -- a cookie is information the web server gives to you; it's essentially a bookmark to your current position in the app. The server already knows where you were -- it saw you there!; it just doesn't know that you want to go back there on your next HTTP request.
Tracking data is data you give to the web server. Cookies are only one primitive to enable tracking. Cookies can be replicated by URL query parameters, subject to size constraints.
There’s only a handful that need them for logging in.
Most sites I visit I don’t want to interact with, I just want to read.
Silent cookies aren't completely banned by the GDPR/cookie laws, only cookies that aren't necessary to provide the service requested by the user. That's sort of vague, but I think mostly obvious what is intended there. It's pretty easy to operate within the spirit and letter of the law: Shopping baskets, load balancer cookies and login tokens are fine (provided you only use them for those purposes!), third party advertising tracking cookies are absolutely not (without consent). More info here: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...
Lawyers have told me that you do not even need consent for Google Analytics, unless you enable the data collection for advertising features.
It appears to me that there's intentional bad faith misunderstanding from some, regarding both the cookie law and GDPR, in order to try and paint it as unworkable.
So, yeah, it's a mess. These "extra" warnings are contributing to user fatigue, I agree with troy hunt that users are just gonna ignore them all. I also understand why a small organization can say "Well, I don't really understand if we need it or not, the lowest risk thing to do is just to supply it." And there's no law _preventing_ you from supplying an unnecessary pointless cookie warning banner...
It's 88 pages of legalese consisting of 99 articles distributed over 13 chapters. It also has dozens of footnotes which incorporate thousands of pages of other laws by reference.
> and if execs/managers aren’t smart enough
Clearly I am too stupid to operate a business and have reading comprehension problems. Thanks for letting me know.
Google analytics feeds tracking data to google for advertising purposes and tracks you across sites, it's exactly the sort of crap the cookie warning was meant to stop.
> These "extra" warnings are contributing to user fatigue
Your need for analytics is contributing to user fatigue.
> I agree with troy hunt that users are just gonna ignore them all
So do websites putting up these silly warnings, do you actually wait for people to accept before they get their tracking cookie?
That is why GP said "(no advertising features)." That is the name of the feature in GA that does that, and it can be disabled.
Very much this. None of the cookie warning dialogs (I've seen) mention this, and a lot of them use the dialog to complain about the law.
Something seems to have changed when GDPR came around though. The cookie warning dialogs before just had angry or condescending warnings with only a big "I accept" button, and otherwise too bad. But recently I've begun to see more and more warning dialogs that both have more honest wording about what they're about, as well as providing a "Decline" button.
IIRC there is something in the GDPR about explaining the privacy choices in clear language to the user, as well as having to provide an alternative if possible. If that's the case then it really does smell like intentional bad faith.
Although to be fair in addition to bad faith, I think it's also a lot of webdevelopers just not doing research what is exactly required and just parroting the scary story off each other.
But there's certainly a large part that just want to scare their users into accepting Google Analytics tracking. I'm curious about what those lawyers told you, though. Analytics data flowing through a third party widget that is doing the same on almost every site anywhere, sure feels like tracking to me. But maybe if you disable the data collection for advertising option, Google really won't cross-correlate that data for their own purposes. Even then, doesn't Analytics track the path users take on a single site too? For measuring "conversions" and such, as well as just detect whether people get "lost" on the site, or something.
Now certainly that's useful information, but it is tracking. Also you can get a lot of that information (and more) by just doing basic usability testing on real users. No tracking required and if you ask 10 people to try your site, you get 90% of the usability issues, with diminishing returns (based on some usability research I once read somewhere). But the information is much higher quality because you can ask them questions, ask them to perform tasks, actually look over their shoulder, etc. Tracking website users through analytics is just numbers and doesn't tell the whole story in very many cases, anyway.
Is there any legitimate and reasonably necessary purpose for third party cookies? And similarly is there any undesirably exploitative use of first party cookies? As I am not a web developer, these are not rhetorical questions.
Oh wait https://en.m.wikipedia.org/wiki/Do_Not_Track
--- quote ---
Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable.
--- end quote ---
From the same website you link :
“Does anyone refuse tracking cookies? Then you still need to give this person access to your website or app, for example after payment.” (google translated)
If a site makes its money from ads, on the other hand, the location of the visitors is irrelevant when it comes to taxation. The payments from the ad network will just be ordinary business income at the place the site is located.
I don't think the charge a fee model has a chance, except for a few large sites, until some sort of intermediate service is developed that isolates the sites from having to deal with taxes in a bazillion jurisdictions. Something like a Spotify for site access, where users can pay the service a subscription fee, and the service pays sites after taking care of the appropriate taxes on the user's subscription fees so that the sites don't have to deal with it.
Shopping baskets, load balancer cookies and login tokens are fine (provided you only use them for those purposes!).
Third party advertising tracking cookies are absolutely not (without consent).
Edit: guess somebody never integrated a payment provider :-)
It's hilarious how everyone has just forgotten that used to be a thing. The people on this website are literally the problem, you can't even conceive of a website that doesn't track every click you make across the whole internet, and you guys are the people building the new web.
Do you think TV adverts are placed randomly? They aren't. Different times of day have different value to different advertisers. TV ads are targeted based on detailed knowledge of audience demographics.
Do you think billboard ads are placed randomly? They aren't. Their placement is optimised based on the beliefs of the ad firms about who will drive past them or see them.
Do you think internet ads were placed randomly before AdSense? No, they were targeted by rough demographic guessed from the sites content just like TV and billboard ads were.
All that's changed on the internet is that targeted has got more precise and more sophisticated. But there's no bright line separating "generic" from "targeted" ads, like you imagine. And the better targeting is hardly an optional feature like the DPAs seem to imagine. It increases revenues which enables firms to provide new content and new features. Roll back the web to 1990s era ad techniques and now all the ads on generic sites like news or search with no clearly defined audience will be barrel-scraping "punch the monkey" animations, for those of us who remember that stuff.
Facebook is a great example on keeping diluting these concepts. They ask for your information for function security purposes and then go back and use that same data for ads - that is unethical and has to stop.
If the user is not getting something out of it (besides the generic "access to my website") then presumptively don't do it. GDPR is literally as easy as that.
GDPR understands full well that you need session cookies to provide a shopping cart or user account. That's why there's specific exemptions for it.
Ads were always a thing, they're just going to be better targeted with more info.
There is no free lunch, so what this means is the 'no cookie' users may be exposed to more ads.
I understand the market dynamics are not working very well, but we have to remember that information provided is not free either.
Companies are not trying to 'do inherent evil' - they just want to show relevant ads. And by the way, consumers definitely appreciate the relevance.
There is another side to the equation, and there are economic consequences to all of this that will come home to root.
Personally, I loathe Facebook and don't use it for personal reasons, but I have a small business and it's the only advertising mechanism that works for us: we have a neat little product for a niche category.
There are entire economies that can only exist with the ability to effectively get the word out, there is tremendous social good in this.
We just have to figure out a way to do it that fits within reasonable privacy guidelines.
What is not allowed is to withdraw services to those that want to exercise their right to privacy.
This is like a government saying to a restaurant "You can't discriminate against people who don't want to pay you money for the food. You can ask them if they are willing to give you money for the sandwich, but if they say no, you still have to give them the sandwich"
It’s more like the government saying, you can’t discriminate against people who demand that their food is cooked in a kitchen that isn’t filled with cockroaches. It’s going to hurt the bottom line, and might kill some businesses, but it doesn’t reduce to a prohibition on making money.
What?! Are you seriously speaking of prohibiting cockroaches?
Cockroaches are everywhere! They are essential to survival of businesses! And it would be impossible to completely get rid of them anyway. Prohibiting cockroaches in public restaurants would push immense cost upon eaters. Without cockroaches how could we possibly get rid of the food waste, that routinely accumulates in kitchens? Do you expect us to spray our kitchens with toxic pesticides? To hire some specialized people of to lick food scraps off kitchen stoves with their bare tongues?? Insane!
Clearly, you are the enemy of the people.
To me it sounds very sensible to make such a business practice illegal.
You're right, it's the currency now. It would be great if it wasn't. If there was some way to force the industry to come up with new, non-privacy-invasive methods... Hey maybe if we made a law to ban the old, bad, way....
Advertisers will still pay for ads even without the tracking.
Are there other examples?
Disclaimer: I'm not saying I agree with any of this. Nor that any of this is truth in any way. I just view the governments involvement here, saying how ad companies can behave, to be similar. Whether that is good or bad is complicated, and out of the scope of this conversation.
In essence, GDPR states that you're not allowed to violate the privacy of people unless they really want to (freely given, informed, narrow/specific opt-in consent) - and this time, all the oft-used loopholes to "extract consent" don't really fulfil the criteria, as forced consent is not considered consent.
My stance is even more ridiculous: Deadbeats who can't afford hosting without begging, selling ads, or turning against their users, scale your site down to something that's cheap to host, or get the hell off the internet. Back to the amateur web of the 90s. It was fine.
Shouldn't people be able to choose what currency they want to pay for something in?
Thats a very libertarian position statement and I understand it. But the EU is much less capitalist/libertarian than you are. Their parliament made the call that they don't want people paying for services with their personal data.
There's valid arguments on both sides here. Some arguments supporting the EU's stance:
- If online newspapers get paid in proportion to views, they make more money by writing divisive clickbait
- Privacy is a fundamental right; not a currency. Treating it as currency means only wealthy people will be free from spying, and that is borderline dystopian.
The EU's document is "Charter of Fundamental Rights of the European_Union", which does grant privacy as one. That pretty clearly does make it a "fundamental right".
Note the US Constitution's Bill of Rights does not offer right-to-privacy (but the 4th provides protection from searches-and-seizures without probable cause, which really doesn't deal with "privacy", especially from non-governmental actors).
Perhaps parent should have said "fundamental right granted by the EU", but in this context it's pretty clear.
So 'choice' is already something that has failed in the free market. Bring on the privacy.
You only have to see the howling every time someone posts a subscription only newspaper link on HN to see how vehemently opposed people are to paying for stuff like news.
it's expensive and maybe non-viable for many websites. But it's not like all websites need to exist? There was a world wide web before cookies.
I like to think of that time as a great time too, but oh man so much we couldn't do.... I get what you're saying generally, but man I'd hate "before cookies" to be the standard.
I don't really see it as "what we couldn't do" but "what poor usability we have overcome". I'm glad we have cookies and other forms of local storage, especially for the latter there are many other benefits. Maybe one day we'll get Web SQL.
In the meantime people can still disable cookies entirely, or at least delete them when they close the browser, both with out of the box browser settings (and I have no idea what extensions are available to do even more) and return to that less-usable (if slightly more private) experience. The crucial idea of a "user agent" is I think the biggest mindset change the web brought, it's important to keep that even if on the dev side we constantly complain about being asked to support more than one configuration of anything.
Yeah I think that's accurate.
Most just do stuff nobody sees at any volume.
Have you ever reviewed how little you need in order to do all those things, outside of third-party dependencies? Any second guesses at all?
We didn't have e-commerce before cookies.
The same functionality of correlating multiple requests for a single request (building sessions upon packets) was just more difficult to use by encoding the session ID as a parameter in query string for each request. Many frameworks still support this mode.
SSL is largely irrelevant to banking security anyway. Actual security is built upon charge-back system. The underlying security model was designed when everyone trusted written checks.
The €0.00002 it took to serve that one page just because the user doesn't want to consent to cookie placement/tracking? Is it really that harmful?
NPR seems to do this just fine for GDPR reasons: Decline and Visit Plain Text Site
I mean, by your argument, all digital goods should be free, since it never costs much to transmit the bits.
The OC didn't consider the fact that you can have advertising without cookies/tracking/fingerprinting and just reduced it to absrudism by saying that the company would bear the brunt of the cost but even the cost of that single event is marginally insignificant, overall.
So, no, my argument was never about all digital goods being free. However, if we want to play the devil's advocate and utilise your reduction to absurdism: By your argument, shouldn't all digital goods be paid for...? For example, Ubuntu costs money to host and serve, yeah?
I do love NPRs approach though.
Aye, if they're only looking at it from a "cookie placement/tracking or nothing" hard-limit perspective, which is what the OC posited it as.
...but if other sites can absorb the costs, case in point: NPR, why is it such a dastardly evil thing to point out? Is there some foolhearted belief that if we cut tracking, tomorrow, the internet would cease to function? Is there absolutely no room for advertisements without cookies/pixels in the modern world...? Do we really believe that it's that expensive to serve webpages?
So what can these - now shady - companies do? They probe the limits of the law, and try to keep their business model alive as long as they can. We need to wait and see. In my opinion, the most probable development is that European data protection agencies will start to hand out fines. Of course, the shady companies will fight them in court, and of course, they will lose. Then they will retreat a step, and try again with a little bit less intrusion into the user's privacy. Over time, courts will rule, and fines will increase, until the shady companies will give up in EU.
Then EU will essentially become free of tracking networks. It might take a few years, but I think the intermediate annoyance is worth it.
I don't disagree with you but I think it is more likely that these companies will just not let EU peoples use their sites at all.
One BIG fine (and you know they're salivating at the prospect of getting multi-billions out of Google and/or FB) and doing business in the EU becomes too much of a gamble for a company to justify the risks.
It might even encourage some more ethical alternatives, or some real attempts to solve micropayments.
Everyone knows that FB and Google are expending serious resources to be in compliance yet they will more likely than not get some large fines anyway because politics. I doubt they will ever leave the EU but other, smaller, companies will not have the resources to throw at the problem so will be effectively locked out of the EU market.
It's probably in Google's best interest to pay a couple billion euro fine (to scare off the smaller fish) in order to lock in their de facto advertising monopoly.
And yes, I do consider it terrible that my nanny state government decided what is best for me, over some hysterical fears about tracking. I don’t give a damn. I don’t consider tracking of me in the way the browser can do actual personal information.
I’m OK with a strict regime for actual personal information, like name+address, heck, even spam data like phone and email, but extending that to tracking cookies, at the enormous cost in usability we’re already seeing, is ridiculous.
As it looks to me, they are responding back by trying to push through articles 11 and 13 so that they can then all switch to paywalls. A paywall for a news company is practically useless as the internet currently stands as any major story 1 makes gets linked to and paraphrased by dozens of other news agencies within minutes. Why would users pay for a news website when they can get practically the same thing at a free one that did not work to come up with the story. And article 13 is to prevent 1 user who does pay for a website from copying the entire article and pasting it in a comment (I see that and archive/outline links all the time here and on reddit).
For a privacy advocating party it would suit them to not log anything and be very clear about that.
Don't like cookies? No one is forcing you to visit a particular website.
I also feel like tech companies could adopt an open standard for cookie acceptance preferencesin web browsers, but they're afraid to lest they be forced to deal with even more regulation later.
to decide whether to track your users? through third parties? for advertising purposes?
Why? Why do you get to decide and not the users? I'd rather you didn't!
It really honestly does surprise me the amount of crap Americans are willing to swallow when it comes to advertising methods, or even just profit in general. Your whole society is rife with abuse. There's robo-calling, giant billboards, attack ads, pharma ads, ads or contests that are literally scams, just a few from the top of my head. Probably more I don't know about (ads to target children? there is NO good way to argue that children "should" be targeted by ads).
It's a small miracle you managed to push a mandatory "unsubscribe" link underneath mass email lists. I suppose it's mandatory because given the attitude to this kind of abuse I doubt they would put them there voluntarily.
Also, you've seen what happened to the online ad industry without this kind of regulation. If you don't make rules they're going to push it as far as they can. It's gotten to the point where people recommend adblockers for security not getting rid of annoyance. Or for saving about 95% of your mobile data plan surfing sites. Did you ever notice the most profitable ads pay for the shittiest content? The system isn't even working.
However I think websites should be able to block access to anyone they want. It doesn't seem fair to force websites to serve an audience if they do not wish to.
However, if they say "press here to forego your privacy or we'll block you", then that's not a freely given consent to forego your privacy, and in this case this "consent" doesn't count as consent. In this case they're not allowed to track people who "consented" because they didn't really consent (both in moral and in legal sense). Consent "counts" only if it's freely given, if people really want you to do that thing; in EU privacy rights are not something that can be sold or bartered away.
It's somewhat comparable to consent to sex - let's imagine that in a place where you can freely fire workers at will, you say "consent to have sex with me, or I'll fire you". You technically can fire them, but that "consent" isn't really consent, and even if they "agree", that's still nonconsensual. Privacy (in EU) is pretty much the same.
I'll take freedom any day over someone telling me that they know better.
Obviously you cannot do whatever you want to a person who physically enters your business. This is a facile point. The same is true of websites: simply because a person navigates to your website, you do not automatically have the right to place tracking cookies into their browser.
GDPR seems like it could evolve quite quickly, and sort of fork a bit here...
Also makes me wonder, do they have to have access to the whole site?
This feels like a war on cookies, and there are bad things done with cookies, but I'm not sure if they're fighting on the right front long term here.
If people simply just say yes all the time / don't know, not sure we're making progress.
Problem is will-full misinformation. It's a war on tracking cookies, not session cookies for login state, etc. But all the cookie warning dialogs make it sound like it's a war on all cookies no matter what, so "just accept because otherwise this site won't work, also <insert clueless condescending remark about the cookie law>" (really, the amount of sites that use this dialog as a misinformation soapbox to vent against not being able to track their users...).
No! It doesn't. Viewing a website isn't anyone's god-given right. The tracking cookies are part of the business model. If you don't agree with how a business makes money, stop patronizing them.
If this is serious, look for companies to just block all traffic from The Netherlands. Why even bother dealing with the hassle.
Some business models are predatory societal negatives and should be done away with at a government level of respecting individual rights. Behind-the-scenes tracking and data brokering are in that class.
Regarding options, in the current model it is generally unknown to the user what is happening with their seemingly private, personal, and "lock icon" encrypted activities on a site. While some here might consider it a "fair exchange" to give up PII in exchange for website services, the vast majority do not understand or even perceive that, and it is not an informed exchange at all. It violates the user, both in the nature of the exchange and in the privacy implications. It is a type of interaction that should rightly be barred in the absence of understanding and explicit, intentional consent.
It's mostly small and medium sized firms that show the cookie warning out of fear.
That's completely the opposite of what I want as a consumer as well as a small-time webmaster.
Just to be clear: spiegel.de never shows a cookie warning even if visit with a fresh browser. You can opt out by visiting their privacy page  (in English).
The money and time could have been a lot better spent on international awareness campaigns arming consumers with more privacy knowledge instead of expecting website owners to shoulder the informational burden (because those orgs in aggregate have no core incentive to treat user's privacy as an inherent good).
The GDPR is unlikely to be overturned, and there are plenty in the EU who are eager to enforce it. Just because it's not being enforced right this second doesn't mean the law won't catch up to offenders.
Especially if Margrethe Vestager replaces Jean-Claude Juncker as president of the European Commission, you can expect a ton of action on this front.
the odds of this are essentially zero
she's in a minor EU party and her own country won't put her forward as candidate
But we haven't yet seen it enforced, have we?
the only way that a law like the GDPR that’s purposefully vague and broad can work is to allow plenty of lead time for warnings and fixes before fines
it’s a process; you shouldn’t expect it to change everything overnight
And as a consequence we're going to continue sinking into irrelevance.
>The GDPR is unlikely to be overturned, and there are plenty in the EU who are eager to enforce it.
I think it will be overturned a couple of decades from now, when an economic crisis hits and we find that we've fallen significantly behind other countries due to our fear of technology.
My prediction is that these Cookie shenanigans will be ruled as illegal according to GDPR, and then they will disappear.
Fines are to be handed out by the national data protection agencies. In Germany, the data protection agency regularly goes after violators since the 1990s. They audit German administrations and companies with respect to data protection, and request changes where necessary. See here for yearly reports of one of the state agencies: https://lfd.niedersachsen.de/startseite/allgemein/taetigkeit....
So at least for Germany there is no foundation for your claim.
Which it, surprising no one competent, did.
The law forbids dark patterns, coercing into accepting, delegating opt-outs to third party sites, and requiring collection of more data than is strictly necessary to operate the site.
The results of the legislation -in regard to cookies- are inconsistent, annoying, unevenly enforced, create a moral hazard and two-tier system, and I presume have negative overall utility.
This is why I do not consider the law to have been written with good intentions. The intentions were claimed to be good, but I don't see the lawmakers having had put in the necessary effort to ensure privacy improvement. Nor admit there are shortcomings to the legislation that need either fixing, or perhaps scrapping the legislation. Did they really intent on exerting enough effort to write the legislation well? To shoulder blame if it does not work out? To take the responsibility? Or to shore it up as situation develops?
Right now I perceive the cookie warnings to be merely EU's advertising banners - "Heeey, this is EU taking care of you!" - plastered all around the web just like banner ads used to be plastered all over the web. Morally the same - pompous self promotion, except paid for with legal rubberstamp rather than money.
See Art. 7: "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
See Recital 32: "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data ... This could include ticking a box when visiting an internet website ... Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
If you want to use external tracking and be GDPR-compliant, you must offer a clear choice ("yes/no") and you must not use pre-ticked boxes (i.e. an opt-out approach).
Please feel free to downvote this if you don't like it, but I'm merely telling you what the law says. If you disagree factually, I'd appreciate a comment though.
Exactly this. Basically what the GDPR says is: if your business doesn't require the data, you cant use it without the user's consent. And data used for better advertising is NOT essential to e.g. a news site.
What's more, the regulation syas that you can NOT simply say "accept or leave" in that case. You then have to provide the service to the user without storing that non essential data. You can't provide a service, even for free, that you condition on storing data not essential for that service. There is no "if you don't like it, leave" clause.
Basically: spiegel.de has to be prepared to show their news to anyone, including those that do not wish to be tracked by their ads. Right now we are in a period of denial where site owners believe they can have these "By entering you agree to..." banners. Once the first large fines are handed out, It'll be fun to watch.
This means that a site operator can't offer you access to a super awesome news site in exchange for your kidney. They can't get away by saying "but you can choose not to use the site".
Well, Europe does the same thing for your personal data.
On the other hand, if a person of sound mind decided they would rather have $1,000,000 than both of their kidneys, why shouldn't they be able to sell one, logically?
The idea of selling one's organs sets off the human involuntary disgust/outrage reaction ("of COURSE it should be illegal! how DARE you suggest such a thing?!"), but if we put that aside, is there a rational reason it shouldn't be allowed?
The rational reason for that is that in the real world, not all choices are made by perfectly rational, superhumanely intelligent actors that have and consider all the information.
Also, not all decisions on a free market are truly freely made. If all standard housing/mortgage contracts contain that you have to sign away your kidney as a security deposit in case you can't pay your rent/mortgage rates, do you really have a choice?
With data on web sites, it's the same. Almost every web site collects data. You don't realistically have the option of going to a different news site if you don't like that deal.
You have plenty of choice: make your own, feed them wrong information, feed them no information or find a site that doesn't. If enough people care about this niche then your website would succeed.
- I cannot just make a website or service. It is usually a huge project that only few people can solve.
- I have no way to feed wrong information without diving very deep into that website's code. We are not just talking about data I enter, also about things that are collected without conscious effort on my part. It is not practical at all to feed false or no information. If they sell my IP address, how can I feed wrong or no information?
- Finding a site that does not act like this is the only way left, and it is exactly what the parent explained does not exist, because realistically, there are many topics for which virtually every site does act like this.
Thought experiment: a multi-billionaire wants to beat a human to death, and offers $10 million for it. A grandfather decides he would like to take that offer, for his children and grandchildren. Would you allow that?
If you also would not allow it (that's what I hope), then where is the proper boundary? What should we outlaw, and what allow?
Your thought experiment (or at least your "hope" re: the "correct" answer) presupposes that suicide is wrong. Personally, I believe the only one who is allowed to dictate whether I live or die is myself; if I want to die, and have good reason to want to die (financial security for my children and grandchildren would certainly be compelling!), then that's my right, and it ain't your place to deny me that right.
It is about the question: should one be allowed to buy everything, or are there limits? To emphasize: NOT should one be allowed to sell everything.
So now you have to convince me that buying the right to beat someone to death is a morally justifiable action. It is not sufficient for you to judge selling as justifiable to make your point. I actually agree that selling is morally justifiable, and would never vote to make this a punishable offense.
In fact, doing so might even pass that immorality down to the grandfather seeking compensation for his suicide; if he's aware of the illegality of buying his life, and yet exercises his right to sell it anyway, then at best it's a meaningless gesture and at worst he's complicit in entrapping prospective buyers.
That's what I mean when I say buying and selling are intertwined. Without one, you can't have the other. If one is moral, the other must be moral as well. If one is immoral, the other must be immoral as well. Attempting to carve out an exception is inevitably going to run into all sorts of moralistic and/or logical snags.
This does not stand on its own, you need to provide a good argument why a moral system should be designed such that everything which is allowed can also actually be done. In particular, because our current system is not designed that way.
And even if you find such an argument, we end up with a moral dilemma, as long as you can't argue that buying is morally good in itself.
More like "whenever one of an inherently-coupled pair of actions is morally allowed, the other of those actions is morally allowed". A moral system which allows one and not the other is self-contradictory.
In this case, a moral system which permits the right to sell a life but denies the right to buy a life self-contradicts; unless you believe that it's moral to trick someone into committing an immoral act (I do not), any attempt to exercise the right to sell one's own life would be inherently immoral because of the impossibility of doing so without causing someone else to perform an immoral act. The only way for the sale of one's own life to be moral is for the corresponding purchase to also be moral.
"we end up with a moral dilemma"
Only if you insist that buying is wrong while also insisting that selling is not wrong. When both are right or both are wrong, then there is no such self-contradiction.
Why does that follow? I could understand it for actions you are morally obliged to do, but I fail to see why it follows for actions which are merely allowed.
A 6-year old boy is allowed to fall in love with his teacher, but she is not allowed to fall in love with him, so his love - even though morally allowed - can never be fulfilled. That is a perfectly fine situation, from a moral point of view.
So what's your answer?
Amy attempt to assert otherwise - i.e. to try to sell something which nobody is allowed to buy - would be entrapment and - IMO - immoral. Either ban both sides or allow both sides; in this case, I'd vote the latter.
Now you can answer this question by itself:
Is it moral to let a multi-billionaire buy someone's life?
> Is it moral to let a multi-billionaire buy someone's life?
In the scenario you've now posited - i.e. one in which society is allowed to buy someone's life - it is moral for a member of said society to buy someone's life. Why would it not be?
This is different, since no matter what, an old man voluntarily dies for the financial benefit of his descendants. If the outcome is the same no matter who makes that happen, then I fail to see why one approach to doing so would be more or less moral than the other.
If anything, a single individual purchasing that old man's life would be more moral, since the alternative would be to compel an entire society (and specifically the members thereof) to bear that cost (both monetarily - i.e. via taxes - and the emotional cost of having killed someone). Given that the billionaire is (presumably) a member of society, the net impact is identical, but it's compartmentalized to a single individual who volunteered for those costs versus an entire society of individuals who might not have.
As it turns out consent isn't enough in modern society (though, apparently, cannibalism is ok).
Immoral because human life and dignity should not become a tradeable commodity. A society allowing this would quickly deteriorate into a system where the rich just buy the desired behavior from the poor, and we would end up with an oligarchy instead of a democracy.
Another angle to object would be Rawls's theory of justice: suppose you would have to design a society, but you wouldn't know into which place of this society you would be born into. You could be born as son of Bill Gates, or as daughter of the poor homeless beggar at the next corner. How would you design a society under these conditions?
If you have a shitty job, would you be better off getting fired? No, because presumably you already had the ability to quit. (Anticipating someone jumping on me for the analogy: I'm obviously not saying having a shitty job is equivalent to being in such dire straits that someone would consider selling their kidney. I recognize the a huge difference in degree. I'm just illustrating the point.)
> Immoral because human life and dignity should not become a tradeable commodity.
This is just restating your conclusion, not providing an argument.
> A society allowing this would quickly deteriorate into a system where the rich just buy the desired behavior from the poor
That's already the system we have. I can entice people to do all sorts of things that they would rather not do, because I have money, like cook food for me, build airplanes that I can fly in, and so on.
> and we would end up with an oligarchy instead of a democracy.
We're not talking about making it legal to spend money to influence voting or politics, so I don't follow this.
> How would you design a society under these conditions?
My argument doesn't even rely on this veil of ignorance! Even if I KNEW I was going to be reincarnated as a poor beggar, why wouldn't I design society to give myself more choices, rather than fewer? It's not like anyone would be forced to sell their kidneys if they don't want to.
With respect to your interpretation of the veil of ignorance, if you knew you were going to be a beggar, why on earth would you want to design the society in such a way that selling your kidneys or life can become the best option left to you (or anybody else in that society)? And if you are able to design it in such a way that it is not the best option, then outlawing to buy such things would not impact your life as beggar negatively.
The root problem here is that if people are put in desperate situations, some amount of choice is forcibly removed from them. Certain agreements can't be fairly negotiated unless you remove the desperation first.
No matter your answer to those questions I think we can all agree that just because they are a privately owned and operated company they have the right to do whatever they want.
If you offer a free digital newspaper, you may argue in court that your ad-funded offering could not exist without third-party advertising and analysis tools, and that your legitimate interest (secure funding via ads) aligns well with the interests of the data subject (read free news). National Data Protection Authorities have suggested that they consider valid consent necessary for third-party tracking, so it's a somewhat bold strategy, but in the end, the ECJ will have to decide.
Until the ePrivacy regulation arrives with some clarifications, we're effectively living in a limbo. Cases of blatant abuse aside, I doubt that we will see waves of draconian fines regarding third-party tracking until then.
Recommended reading: https://ico.org.uk/for-organisations/guide-to-data-protectio...
> 4 It shall be as easy to withdraw as to give consent.
If you prompt me to accept on every page then you must also prompt me to decline on every page, otherwise you fail this test. Hiding the option to withdraw consent in some random settings page is obviously not as easy as clicking yes when prompted.
Most sites have already created all their tracking cookies before the user even sees the opt-in form too, which isn't compliant with the GDPR or the old cookie law.
If a site doesn't wants to cover itself all the time with a popup regarding cookies, then they're not allowed to cover itself all the time for users who never consent to tracking.
You can use absolutely no external tracking and be GDPR-noncompliant. In fact, an Apache web server running the default test page is technically noncompliant. Everyone loves to jump to the tracking ads and data selling, since they are easy targets, but the scope of the law is much broader than that.
Surely there are solutions that don't require a popup on every webpage you visit? For example enforcing no tracking by default for advertising purposes?
These days I just block all third-party cookies, which solves most of the problem.
>"She goes apeshit whenever a pop-up window comes up. And one time, she paged me because she got a message about accepting cookies. She was all freaked out because now she thought she was being charged for actual cookies."
I don't get any popups or cookie notices on visiting HN or several other sites. It's not like it's a fundamental need to set hundreds of tracking cookies on a visitor's browser to show them a website.
> Surely there are solutions that don't require a popup on every webpage you visit? For example enforcing no tracking by default for advertising purposes?
Wait, what? There are such solutions. GDPR, and the "cookie law" before it, don't "require" any popups.
They allow cookies, 1x1 pixel images, browser fingerprinting, Flash supercookies, browser local storage, etc. without any need for stupid popups... as long as that's required to implement the site's functionality. Consent for these things is implied by the user's use of the functionality (e.g. game scoreboards, saving word processor documents, keeping track of a user's shopping cart, etc.).
What these laws do require is that handling such personal data without such implied consent, should require explicit consent. This acts as a disincentive for sites who want to continue spying on their visitors, by forcing the UX to be more annoying and dissuade visitors from staying.
> the only practical significant impact is that browsing the web has become more annoying.
Sounds like the dissuasion is working. Hopefully that is causing spyware sites to receive fewer visitors (and perhaps revenue), and potentially rethink their decisions.
Most people hate the UX change but don’t care about the privacy so probably a net loss for the EU.
It clearly isn't. Vast majority of people (me too) are trained to automatically accept whatever cookie BS the website asks for, just to get rid of the popup as quickly as possible and get to content. And no, these "spyware" sites such as reddit.com or bloomberg.com won't switch to non-tracking ads to get rid of the popup.
for reference there are at least 2 parts that make this outcome true:
“Consent must be freely given, specific, informed and unambiguous ... Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid”: a default choice if “i agree” is influence
“The withdrawal must be as easy as giving consent”: if you hit “i agree” in a box that automatically pops up to give consent, there must be a withdrawal mechanism that’s as easy as that to withdraw (and then they must delete your tracking data)
We have seen nothing of that, contrary, tech companies have improved our life's immensely, for free, and in my opinion, are the one of the biggest driving force towards improving the future. Data is not just being collected for advertisement, tracking, and evil purposes, but is a very important asset in the development of products.
Furthermore, historically it was governments, not companies, that were abusing private data for nefarious purposes. Yet there seems to be no effort to stop it happening from that direction? Well of course not, its way to useful, and you'd be a fool not to use it, but companies are 'bad' trying utilize it...
Have you been asleep for the past decade? Pervasive tracking and spying on consumers has been the topic of discussion even long before that.
EU countries have had data protection laws since late 90s, and the web companies have taken a collective dump on them. So now the EU has created a single law that is quite sensible (if not without flaws) which says: you can only collect the data you absolutely require to work. If you collect other data and especially if you send to third parties, you must ask the person using your site if that's ok.
Oh my, did web company do to deserve this? Oh, I don't know. Open TechCrunch and opt out of ~300 tracking, data collection and ad companies, and tell me what they have done.
i'm asking because my government knows everything about me: my private and public IPs, what sites I visit, my comments on those sites, how old I am, how often I go downtown etc etc etc
techcrunch just wants to sell you stuff.
there’s really no comparison.
And no, it’s not TechCrunch who’s getting all that data.
It should be straightforward to show quantifiable harm to people’s right to privacy. You could survey a large number of people to ask if they would be OK with having their online habits monitored in detail by unknown companies (whose websites they didn’t even visit) for the purpose of targeting ads to them at later dates. If close to 100% of respondents say this is an invasion of their privacy, then that’s what it is. You could also do some more technical research to work out how many times per week people’s privacy is invaded in this way. You’d probably arrive at a very big number, rising every year.
The rules are actually only concerned with tracking cookies. Session cookies and user preference cookies aren’t within its scope. They are still perfectly acceptable to use without explicit consent from the user.
The law talks about information that can be used to identify a person.
So a cookie such as "gdpr_response=ok" has ZERO effect on GDPR compliance.
I wouldn't be so certain about that. Before now, most people were pretty certain that an accept/decline warning was enough and that they had the right to refuse service to people who did not click OK on the warning.
This comes up in _every_ discussion about GDPR.
I honestly worry - are we as developers just extra stupid, or are other occupations (electricians, ship captains, architects) equally lax when it comes to reading and following regulations?
1. You ARE allowed to use any cookies you like without popup warnings, as long as the cookie can't be used to bind the session to personal identifiable information (PII) about the user. Session cookies are perfectly fine when used to manage webapp state, such as what page a user is on, what feature has been enabled and so on. Likewise are other identification methods, for this sort of purpose.
2. Any technical means used to make a connection to a user's PII does fall under GDPR.
Seeing the underlying intent?
GDPR is about avoiding invisible tracking (connection to a european citizen). The regulation is written to bring that sort of behavior to an end. Your fingerprinting example, as well as any other "clever" technical ways of achieving the identification objective, when the purpose is that of invisible tracking; tracking where the user isn't in control of the profile information generated, is explicitly what the regulation aims to nail.
Do read the regulation document. It's actually a very well written document that even a non lawyer can understand: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
GDPR is about users gaining control of the lifecycle of information pertaining to their identity, so if you or your proxies (googl/fb or other ad companies for example) have PII about a user, then the GDPR stipulates processing constraints on that information, which includes any information that can be associated with the user. E.g. building a profile about a user that can be tied to a user's PII becomes part of the user's PII, and thus subject to the intended end-user lifecycle control. What that control means is stated clearly in the document linked above.
When the web plays its normal chinese-whispers-game on any kind of fact, it's always best to go directly to the source to see what was actually said or written. In this particular case with GDPR, this is definitely the case. Not a single of my US colleagues nor friends had even an inkling of what GDPR actually is about, and it seems most of this community is in the same boat.
I guarantee that reading the actual doc will dispel a lot of unfounded fears.
If you happen to have even the slightest layman interest in law, or appreciate games / brain teasers, then you might actually be a bit impressed by the cleverness of the wording in parts of the document, and how it all comes together. Myself, having been in the dev field for 20 years, I've read my fair share of EULAs, licenses and contracts, and to me I saw some true genius shine through half way through the document, like watching a good chess player setup a board and guard against obvious attacks by the opponent. I felt I could almost see into the minds of the authors; what they sought to accomplish, loopholes they tried to close, and an attempt at creating a defensive shield that would be as "future proof" as they could make it, against new unknowns introduced by rapid technical innovation.
I should mention that I essentially browse this way due to a few privacy add-ons I use and it is absolutely infuriating having to deal with these pop-ups even on sites that I've already visited.
I, for one, am happy that bullshit like “hey, we send your data to 244 trackers uncontrollably” has become visible and is being called out.
I mean, visible only in the EU.
Dark patterns and site-blocking are anti-GDPR, so I’m hoping for some heavy fine across the board. And, hopefully, if not the end then curtailing of the intrusive and tracking cookies, ads etc.
These laws force people who are attempting to take advantage of non-technical users to either stop it, or do so in an obvious way that lets even non-technical users see that /something/ is up.
It's good, I like it. It's driving social progress, as truth always does. I'll get downvoted for expressing that opinion here of course. Too many american software developers who want to inflict their freedom on others I guess.
Downvotes may begin now.