
In The Netherlands the Data Protection Authority announced this month that websites are no longer allowed to block access when people click "NO" in the cookie warning;

Clicking 'no' should still allow people to view the website, but without placing any tracking cookies.

Source (in Dutch): https://autoriteitpersoonsgegevens.nl/nl/nieuws/websites-moe...
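The rule in the post above (a "no" withholds tracking cookies but not the page) translates into a small server-side pattern. What follows is an added example written for this thread, not code from the Autoriteit Persoonsgegevens or from any site discussed here: a minimal WSGI app in which the session cookie and the recorded consent choice are set regardless, the analytics cookie is set only after an explicit "yes", an explicit "no" clears any analytics cookie left over from before, and every request is answered with the page. Cookie names, values and lifetimes are constructed for the example.

```python
"""Consent-gated cookie handling for a WSGI app (added example; all cookie
names, values and lifetimes are constructed, not taken from any real site)."""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

Headers = List[Tuple[str, str]]

PAGE = b"<h1>Article</h1><p>Readable with or without tracking cookies.</p>"


def read_cookies(cookie_header: Optional[str]) -> Dict[str, str]:
    """Parse the request's Cookie header into a name -> value dict."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def essential_headers(cookies: Dict[str, str]) -> Headers:
    """Session cookie, set only when the client has none yet. It carries
    session state and nothing else, so no consent is asked for it."""
    if "sid" in cookies:
        return []
    return [("Set-Cookie",
             "sid=constructed-session-id; Path=/; Secure; HttpOnly; SameSite=Lax")]


def tracking_headers(consent: Optional[str], cookies: Dict[str, str]) -> Headers:
    """Analytics cookie only after an explicit yes. An explicit no removes any
    analytics cookie the browser still holds (Max-Age=0 deletes it)."""
    if consent == "yes":
        return [("Set-Cookie",
                 "analytics_id=constructed-id; Path=/; Max-Age=7776000; Secure; SameSite=Lax")]
    if consent == "no" and "analytics_id" in cookies:
        return [("Set-Cookie",
                 "analytics_id=; Path=/; Max-Age=0; Secure; SameSite=Lax")]
    return []  # no choice recorded yet: set nothing, still serve the page


def handle(path: str, query: str, cookie_header: Optional[str]) -> Tuple[str, Headers, bytes]:
    """Pure request handler: (status, headers, body). Always 200, because
    declining tracking never blocks access to the content."""
    cookies = read_cookies(cookie_header)
    headers: Headers = [("Content-Type", "text/html; charset=utf-8")]
    consent = cookies.get("consent")
    if path == "/consent":
        choice = parse_qs(query).get("choice", [""])[0]
        if choice in ("yes", "no"):
            consent = choice
            # The recorded choice itself is needed to honour the choice, so it
            # is stored regardless of which answer was given.
            headers.append(("Set-Cookie",
                            f"consent={choice}; Path=/; Max-Age=15552000; Secure; SameSite=Lax"))
    headers += essential_headers(cookies)
    headers += tracking_headers(consent, cookies)
    return "200 OK", headers, PAGE


def app(environ, start_response):
    """WSGI adapter around handle()."""
    status, headers, body = handle(environ.get("PATH_INFO", "/"),
                                   environ.get("QUERY_STRING", ""),
                                   environ.get("HTTP_COOKIE"))
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Try: curl -i 'http://127.0.0.1:8000/consent?choice=no'
    with make_server("127.0.0.1", 8000, app) as srv:
        srv.serve_forever()
```

The point of keeping `handle()` free of WSGI plumbing is that the cookie policy can be unit-tested: for each combination of recorded choice and incoming cookies you can assert which `Set-Cookie` headers go out and that the status is always 200.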






Hmm, there are features that one literally can't provide without state (cookies).

I think the real problem here is that the technical feature of cookies providing browser state is a poor proxy for what EU/DPA _really_ wants to regulate, which is privacy-related tracking.

There are tons of sites I've written which use cookies, but have no ads and perform no user-tracking whatsoever, not even Google Analytics. It is true that cookies are the _easiest_ (if not the only) way to do the other; but making "cookies" the thing that gets effectively "regulated"... I realize this isn't necessarily the intent of the regulations, but I'm suggesting it's part of what results in the situation Troy mentions. There are very few sites that don't use cookies; there are, or at least could be, more sites that don't track you in a privacy-compromising way. Training the user that these are the same thing is just too much noise for the user to actually make any discernments.


Most discussion about the EU cookie directive doesn't mention it, but not all cookies require consent. From https://privacypolicies.com/blog/eu-cookie-law/#some-cookies...:

"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

Of course, no website will ever tell you "Hey, we're using cookies to track you"; it's in most companies' (both legal consulting companies' and website owners') best interest to keep people ignorant. Consulting companies want website owners to be scared and buy legal consulting services, and website owners want people to think that the pop-ups are a result of stupid EU legislation and not because they are actually being tracked.


" in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

If I need to get explicit opt-in for "So, remembering your shopping cart when you come back requires cookies, that okay with you?" I'm not sure how much better that would be. It's still gonna be information overload "false positives".

But I think that is what the regulations actually intend. "We need cookies to give you: Shopping cart; search history; login to your account; whatever -- opt in or out to each one, you can still use the site just without those features if you go out."

A) That is actually fairly expensive to implement. B) I think it _still_ wouldn't accomplish the goals, it's still _way too much information_. Nobody cares whether or not you use cookies to implement a shopping cart. They care about things related to "tracking", especially aggregated tracking, and profiling. C) But you are exactly right that no company is ever going to tell you what you _really_ care about. Unless regulations make them maybe. These regulations were trying. Not there yet.


I'm fairly sure I agree with you that the law wouldn't achieve its purpose even if it was implemented "correctly", and it certainly doesn't achieve its purpose with how it's implemented by websites today. I considered adding a short sentence about that, but ended up not doing it. I'm just tired of the vast amount of misinformation out there, and people discussing as if the directive applies to all cookies and only to cookies.

I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects which includes being able to create an account to save their shopping cart and view their order history, while using cookies to show tailored product suggestions wouldn't be. However, IANAL and I haven't even read through the text of the directive.

In any case, the vast majority of the times I see the cookie notice are times where there are exactly zero reasons to use cookies (or other methods of persistent storage) other than tracking, such as blog posts and news articles. Every single one of those websites would be able to get rid of their annoying pop-ups if they just spied on their users a bit less.


> I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects

You can 100% support a logged in account experience without cookies. Java, for example, supports a JSESSIONID in the URL for people with cookies disabled. This id belongs to a session that is managed by the app server, which you can use to store information such as the cart, logged in account id, etc. If Java can do it, other languages and web frameworks that currently only support cookies can do it too.

I think the better angle to look at it is: session cookies expire when someone closes their browser. They aren't that good at tracking people.


I'll quibble with the 100% thing. Yes, you can shove session ids into the URL but it's generally pretty terrible from a security and UX perspective, you can't share links, and caching becomes much more difficult.

In that light I tend to agree with GP. If you're just using cookies to run sessions for your site, I just can't see regulators coming down on you.

There's some potent mix of legal and technical pedantry combining with the profit motive of consultants everywhere that has led to a huge wave of overblown FUD around GDPR.

The fact is, ad-tech has been running amok for years and I don't think it's that hard to draw a line if we're intellectually honest. Of course it will take years for case law to catch up, but it's not as hand-wringingly difficult as some would have us believe.


> If I need to get explicit opt-in for "So, remembering your shopping cart when you come back requires cookies, that okay with you?"

You don't, provided you have a reasonably short retention period, are not storing personal information that is not directly needed for remembering the shopping cart, and are only using it for that and not simply using that as a justification for something else.

> Nobody cares whether or not you use cookies to implement a shopping cart.

Nor do the regulations. You have to meet exactly the same requirements to store personal information using some other mechanism as you do using cookies.


> Hmm, there are features that one literally can't provide without state (cookies).

The biggest lie in most cookie warning popups is that you need to accept them for the site to function. It is often not true. Those are session cookies and you don't need to warn users about them, they're just allowed.

I didn't know this, and neither do any of the cookie warnings mention this. So like many people I thought the cookie law was the stupidest thing ever because like you say, you gotta have state. But the session cookies used to make a site hold state, those aren't considered tracking. When I learned about this little fact, it changed my opinion about the cookie law considerably.


I went through a similar thing which resulted in me removing cookie warnings from all but one of the websites I manage, yet I still believe that the law is stupid. It's like outlawing guns to solve your murder problem without considering all the other murder weapons all while keeping the act of murder itself legal.

As far as I understand it, the GDPR does everything and more than the cookie law was supposed to, so IMO it's about time we put that disaster behind us.


The directive containing the cookie law (ePrivacy) was indeed being revised in 2017. I haven't heard much about it since though. It essentially enshrined the Do Not Track header into law and also expanded the rules for privacy etc. of SMS to internet messaging services. I wonder how much of the information in this thread is about the original directive and how much is about the new one.

That's not quite right.

On the web, your approximate unique ID is your browser fingerprint. That can be used to join your activity to other activity. Your session cookie is your activity for your browsing session (or for users who never quit their browser, your entire computer uptime).

Think about it -- a cookie is information the web server gives to you; it's essentially a bookmark to your current position in the app. The server already knows where you were -- it saw you there!; it just doesn't know that you want to go back there on your next HTTP request.

Tracking data is data you give to the web server. Cookies are only one primitive to enable tracking. Cookies can be replicated by URL query parameters, subject to size constraints.


I'm not totally sure what you are arguing, but if you don't use the cookies for tracking, then you don't need to warn or inform the user. And if you use some other kind of tracking beside cookies, you still need to warn.

Yes, there is a lot of nonsense talked about this. The GDPR makes it clear that sites don’t have to ask for permission to place session cookies and other cookies that are essential to the functioning of the site.

Close to 100% of the cookies I see in the wild are not to provide state.

There’s only a handful that need them for logging in.

Most sites I visit I don’t want to interact with, I just want to read.


Tracking is state. It's just that the state is used for advertisers' benefit rather than yours.

Any site requiring a login will most likely use one.

Yes: One. Not 20-50, including cookies for ads, user tracking, and whatever else they're doing this week.

"Hmm, there are features that one literally can't provide without state (cookies)."

Silent cookies aren't completely banned by the GDPR/cookie laws, only cookies that aren't necessary to provide the service requested by the user. That's sort of vague, but I think mostly obvious what is intended there. It's pretty easy to operate within the spirit and letter of the law: Shopping baskets, load balancer cookies and login tokens are fine (provided you only use them for those purposes!), third party advertising tracking cookies are absolutely not (without consent). More info here: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

Lawyers have told me that you do not even need consent for Google Analytics, unless you enable the data collection for advertising features.

It appears to me that there's intentional bad faith misunderstanding from some, regarding both the cookie law and GDPR, in order to try and paint it as unworkable.


Meanwhile, even though the _only_ user-tracking we do where I work is Google Analytics (no advertising features) (and you say your lawyers say you don't need consent for that) -- the official word on high where I work is all our websites need the stupid "i consent to cookies" banner if we use cookies.

So, yeah, it's a mess. These "extra" warnings are contributing to user fatigue; I agree with Troy Hunt that users are just gonna ignore them all. I also understand why a small organization can say "Well, I don't really understand if we need it or not, the lowest risk thing to do is just to supply it." And there's no law _preventing_ you from supplying an unnecessary pointless cookie warning banner...


That’s more the fault of the higher ups for not understanding the law correctly, which really, is on them because the EU went to quite a bit of length to make the document readable and if execs/managers aren’t smart enough to know the difference between necessary and tracking cookies on their own site, then that’s really their own fault.

> the EU went to quite a bit of length to make the document readable

It's 88 pages of legalese consisting of 99 articles distributed over 13 chapters. It also has dozens of footnotes which incorporate thousands of pages of other laws by reference.

> and if execs/managers aren’t smart enough

Clearly I am too stupid to operate a business and have reading comprehension problems. Thanks for letting me know.


> Meanwhile, even though the _only_ user-tracking we do where I work is Google Analytics (no advertising features) (and you say your lawyers say you don't need consent for that) -- the official word on high where I work is all our websites need the stupid "i consent to cookies" banner if we use cookies.

Google analytics feeds tracking data to google for advertising purposes and tracks you across sites, it's exactly the sort of crap the cookie warning was meant to stop.

> These "extra" warnings are contributing to user fatigue

Your need for analytics is contributing to user fatigue.

> I agree with troy hunt that users are just gonna ignore them all

So do websites putting up these silly warnings, do you actually wait for people to accept before they get their tracking cookie?


> Google analytics feeds tracking data to google for advertising purposes and tracks you across sites

That is why GP said "(no advertising features)." That is the name of the feature in GA that does that, and it can be disabled.


However, google is still a third party and I would argue this is not legal, as is using google maps or other external entities known to employ excessive tracking unless you have special data protection contracts with said entity.

But I also understand the law, that anonymous user statistics are just fine and don't need consent as long as you retain the data yourself and of course mention it in your privacy policy. Though you might still be obligated to respect "do not track" and adding an opt-out setting.


> It appears to me that there's intentional bad faith misunderstanding from some, regarding both the cookie law and GDPR, in order to try and paint it as unworkable.

Very much this. None of the cookie warning dialogs (I've seen) mention this, and a lot of them use the dialog to complain about the law.

Something seems to have changed when GDPR came around though. The cookie warning dialogs before just had angry or condescending warnings with only a big "I accept" button, and otherwise too bad. But recently I've begun to see more and more warning dialogs that both have more honest wording about what they're about, as well as providing a "Decline" button.

IIRC there is something in the GDPR about explaining the privacy choices in clear language to the user, as well as having to provide an alternative if possible. If that's the case then it really does smell like intentional bad faith.

Although to be fair, in addition to bad faith, I think it's also a lot of web developers just not researching what exactly is required and just parroting the scary story off each other.

But there's certainly a large part that just want to scare their users into accepting Google Analytics tracking. I'm curious about what those lawyers told you, though. Analytics data flowing through a third party widget that is doing the same on almost every site anywhere, sure feels like tracking to me. But maybe if you disable the data collection for advertising option, Google really won't cross-correlate that data for their own purposes. Even then, doesn't Analytics track the path users take on a single site too? For measuring "conversions" and such, as well as just detect whether people get "lost" on the site, or something.

Now certainly that's useful information, but it is tracking. Also you can get a lot of that information (and more) by just doing basic usability testing on real users. No tracking required and if you ask 10 people to try your site, you get 90% of the usability issues, with diminishing returns (based on some usability research I once read somewhere). But the information is much higher quality because you can ask them questions, ask them to perform tasks, actually look over their shoulder, etc. Tracking website users through analytics is just numbers and doesn't tell the whole story in very many cases, anyway.


> if you ask 10 people to try your site, you get 90% of the usability issues, with diminishing returns (based on some usability research I once read somewhere)

https://www.nngroup.com/articles/why-you-only-need-to-test-w...


I'd distinguish between first and third party cookies.

Is there any legitimate and reasonably necessary purpose for third party cookies? And similarly is there any undesirably exploitative use of first party cookies? As I am not a web developer, these are not rhetorical questions.
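The questions above (first- versus third-party cookies) and the earlier remark that session cookies expire when the browser closes are both things you can check from the `Set-Cookie` headers a page's responses carry. Below is an added example written for this thread, not code from any project or site mentioned in it: it parses each header, records whether the cookie is a session cookie (no `Expires`/`Max-Age`) or persistent, whether it is scoped inside or outside the page's own registrable domain, and which security attributes are missing. The HTTP responses are constructed, and the "last two DNS labels" rule for the registrable domain is a simplifying assumption; a real audit should use the Public Suffix List. Note that headers cannot tell you a cookie's purpose, so the audit only flags what needs a human decision: anything that is not a first-party session cookie. A first-party, long-lived analytics cookie is flagged just as a third-party one is, which matches the later discussion about analytics cookies in this thread.

```python
"""Audit Set-Cookie headers: session vs persistent, first- vs third-party,
missing security attributes (added example; sample responses are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieReport:
    name: str
    set_by: str                       # host whose response carried the header
    domain: str                       # domain the cookie is scoped to
    persistent: bool                  # Expires or Max-Age present: survives browser close
    lifetime_seconds: Optional[int]   # None for a session cookie
    third_party: bool                 # scoped outside the page's registrable domain
    secure: bool
    httponly: bool
    samesite: Optional[str]
    issues: List[str] = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two DNS labels (assumption; use the PSL in practice)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if part:
            key, has_eq, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_eq else None
    return name.strip(), value, attrs


def lifetime(attrs: Dict[str, Optional[str]], now: datetime) -> Optional[int]:
    """Seconds until expiry, or None for a session cookie.
    Max-Age takes precedence over Expires (RFC 6265)."""
    if attrs.get("max-age") is not None:
        return int(attrs["max-age"])
    if attrs.get("expires") is not None:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None


def audit(page_host: str, responses: List[Tuple[str, str]], now: datetime) -> List[CookieReport]:
    """responses: (responding host, Set-Cookie header value) pairs for one page load."""
    site = registrable_domain(page_host)
    reports: List[CookieReport] = []
    for set_by, header in responses:
        name, _value, attrs = parse_set_cookie(header)
        domain = (attrs.get("domain") or set_by).lstrip(".").lower()
        secs = lifetime(attrs, now)
        r = CookieReport(name=name, set_by=set_by, domain=domain,
                         persistent=secs is not None, lifetime_seconds=secs,
                         third_party=registrable_domain(domain) != site,
                         secure="secure" in attrs, httponly="httponly" in attrs,
                         samesite=attrs.get("samesite"))
        if r.third_party:
            r.issues.append("third-party cookie: needs consent unless strictly necessary")
        if r.persistent:
            r.issues.append(f"persistent for {secs}s: outlives the browsing session")
        if not r.secure:
            r.issues.append("missing Secure: would also be sent over plain HTTP")
        if not r.httponly:
            r.issues.append("missing HttpOnly: readable by page scripts")
        if r.samesite is None or r.samesite.lower() == "none":
            r.issues.append("SameSite absent or None: sent on cross-site requests")
        reports.append(r)
    return reports


def needs_consent_review(report: CookieReport) -> bool:
    """Headers cannot reveal purpose; flag everything except first-party session cookies."""
    return report.persistent or report.third_party


PAGE_HOST = "shop.example.com"
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # fixed clock so lifetimes are deterministic
# Constructed responses for one page load: (responding host, Set-Cookie value).
SAMPLE_RESPONSES = [
    ("shop.example.com", "JSESSIONID=0a1b2c3d; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example.com", "cart=v1.42; Max-Age=604800; Path=/; Secure; SameSite=Lax"),
    ("shop.example.com", "_ga=GA1.2.111.222; Domain=.example.com; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Path=/"),
    ("ads.tracker-example.net", "uid=9f8e7d; Domain=.tracker-example.net; Max-Age=31536000; Path=/; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for r in audit(PAGE_HOST, SAMPLE_RESPONSES, NOW):
        kind = "third-party" if r.third_party else "first-party"
        life = "session" if not r.persistent else f"{r.lifetime_seconds}s"
        print(f"{r.name:<11} {kind:<12} {life:<10} review={needs_consent_review(r)}")
        for issue in r.issues:
            print(f"    - {issue}")
```

In practice you would feed `audit()` the headers captured from a browser's network log or a proxy rather than the constructed list, keeping the responding host for each header so that cookies set from an embedded third-party script are attributed correctly.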


There are many legal reasons for processing personal data. Consent is one, and that's what all this is about.

"Legitimate reasons" is another. You can process personal data (use cookies) under that reason, and you don't need to ask for consent.


If only we had a browser API which would identify user preference on tracking!

Oh wait https://en.m.wikipedia.org/wiki/Do_Not_Track


Oh wait. It's now used for fingerprinting and tracking, and Safari is removing it: https://developer.apple.com/documentation/safari_release_not...

--- quote ---

Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable.

--- end quote ---


What features? Is local data storage a possible substitute?

Which doesn’t mean they have to provide access for free, they are most likely allowed to ask a fee for that.

From the same website you link [1]: “Does anyone refuse tracking cookies? Then you still need to give this person access to your website or app, for example after payment.” (google translated)

[1]: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne...


The problem with asking for a fee is that Europe operates under the "transaction takes place at the buyer's location" model for such transactions, meaning you have to collect and report VAT on those fees in each country you have a paying user in. (The same goes for state sales tax in most US states).

If a site makes its money from ads, on the other hand, the location of the visitors is irrelevant when it comes to taxation. The payments from the ad network will just be ordinary business income at the place the site is located.

I don't think the charge a fee model has a chance, except for a few large sites, until some sort of intermediate service is developed that isolates the sites from having to deal with taxes in a bazillion jurisdictions. Something like a Spotify for site access, where users can pay the service a subscription fee, and the service pays sites after taking care of the appropriate taxes on the user's subscription fees so that the sites don't have to deal with it.


And how does one track if payment has been made without using a cookie?

From cameron90 above:

Shopping baskets, load balancer cookies and login tokens are fine (provided you only use them for those purposes!).

Third party advertising tracking cookies are absolutely not (without consent).


By the information a payment provider sends back.

Edit: guess somebody never integrated a payment provider :-)


So websites are supposed to just absorb the cost? That seems like a ridiculous stance.

No, they're supposed to serve generic, non-tracking ads. Non-targeted, or whatever the terminology is.

It's hilarious how everyone has just forgotten that used to be a thing. The people on this website are literally the problem, you can't even conceive of a website that doesn't track every click you make across the whole internet, and you guys are the people building the new web.


It has never been a thing, that's why. Adverts have been targeted for decades before the internet existed at all.

Do you think TV adverts are placed randomly? They aren't. Different times of day have different value to different advertisers. TV ads are targeted based on detailed knowledge of audience demographics.

Do you think billboard ads are placed randomly? They aren't. Their placement is optimised based on the beliefs of the ad firms about who will drive past them or see them.

Do you think internet ads were placed randomly before AdSense? No, they were targeted by rough demographic guessed from the sites content just like TV and billboard ads were.

All that's changed on the internet is that targeted has got more precise and more sophisticated. But there's no bright line separating "generic" from "targeted" ads, like you imagine. And the better targeting is hardly an optional feature like the DPAs seem to imagine. It increases revenues which enables firms to provide new content and new features. Roll back the web to 1990s era ad techniques and now all the ads on generic sites like news or search with no clearly defined audience will be barrel-scraping "punch the monkey" animations, for those of us who remember that stuff.


I have my own ad that I made for a client. No third party is offering these kinds of ads because of fraud.

Is that really true?

I think it has more to do with an anti-authoritarianism attitude than anything else.

Which is what DuckDuckGo does, I think.

Data addiction. Just say no.

It’s not possible to do a lot of normal web stuff without session cookies.

The concept of a session cookie is different from that of a cookie used for advertisement that tracks you across the internet. The problem is tracking and ads, not authentication and authorization for functional purposes. Cookies are just one way to track people and serve ads, there are many others.

Facebook is a great example of continually diluting these concepts. They ask for your information for function security purposes and then go back and use that same data for ads - that is unethical and has to stop.


Which is irrelevant, because session cookies don't need a warning. There is no reason to equate session cookies with tracking cookies.

Cookies are allowed, tracking users without consent is now illegal in EU (regardless which technology is used).

The GDPR doesn't regard cookies that serve a bona-fide business purpose. You are free to use cookies to provide a shopping cart, or allow users to log in to an account at your store, or whatever. It's specifically tracking and advertising that is forbidden.

If the user is not getting something out of it (besides the generic "access to my website") then presumptively don't do it. GDPR is literally as easy as that.

GDPR understands full well that you need session cookies to provide a shopping cart or user account. That's why there's specific exemptions for it.


Define "a lot of normal web stuff". How did we ever do normal web stuff before session cookies?

I mean, we have had session cookies since the first version of netscape. Almost everything we think of as 'normal web stuff' is post cookies.

We telnetted into places.

Session cookie in the URL?

I think they would start another fire, and get another blanket

We didn't

"It's hilarious how everyone has just forgotten that used to be a thing"

Ads were always a thing, they're just going to be better targeted with more info.

There is no free lunch, so what this means is the 'no cookie' users may be exposed to more ads.

I understand the market dynamics are not working very well, but we have to remember that information provided is not free either.


you will get as many ads as the typical user is able to bear no matter what.

The underlying economics are unavoidable.

Companies are not trying to 'do inherent evil' - they just want to show relevant ads. And by the way, consumers definitely appreciate the relevance.

There is another side to the equation, and there are economic consequences to all of this that will come home to roost.

Personally, I loathe Facebook and don't use it for personal reasons, but I have a small business and it's the only advertising mechanism that works for us: we have a neat little product for a niche category.

There are entire economies that can only exist with the ability to effectively get the word out, there is tremendous social good in this.

We just have to figure out a way to do it that fits within reasonable privacy guidelines.


Websites are allowed to charge you. They are also allowed to show (non-tracking) ads, and they can also track you if you agree to it.

What is not allowed is to withdraw services to those that want to exercise their right to privacy.


Thanks, this helps clear up some of my understanding. I still think it's ridiculous that websites can't refuse to serve who they want.

Why? It's relatively common for governments to prohibit businesses and services from discriminating against certain types of users, why do you think it's ridiculous in this specific case?

Whether we like it or not, tracking data used for ads is the currency of the free internet. It is how things are paid for.

This is like a government saying to a restaurant "You can't discriminate against people who don't want to pay you money for the food. You can ask them if they are willing to give you money for the sandwich, but if they say no, you still have to give them the sandwich"


Tracking is not necessary to make money online. It’s just helpful.

It’s more like the government saying, you can’t discriminate against people who demand that their food is cooked in a kitchen that isn’t filled with cockroaches. It’s going to hurt the bottom line, and might kill some businesses, but it doesn’t reduce to a prohibition on making money.


> It’s more like the government saying, you can’t discriminate against people who demand that their food is cooked in a kitchen that isn’t filled with cockroaches

What?! Are you seriously speaking of prohibiting cockroaches?

Cockroaches are everywhere! They are essential to survival of businesses! And it would be impossible to completely get rid of them anyway. Prohibiting cockroaches in public restaurants would push immense cost upon eaters. Without cockroaches how could we possibly get rid of the food waste that routinely accumulates in kitchens? Do you expect us to spray our kitchens with toxic pesticides? To hire some specialized people to lick food scraps off kitchen stoves with their bare tongues?? Insane!

Clearly, you are the enemy of the people.


I think a better example would be: you can only get food if you give us your address and consent that all other restaurants in the vicinity send marketing mail to you. You also consent that we and they exchange information about when and what you ordered.

To me it sounds very sensible to make such a business practice illegal.


That actually sounds pretty good if you don't have much money. Free food in exchange for agreeing to receive free scrap paper.

I'd totally use this service if it existed.


"the government" as in >we the people< says to all the restaurants (and groceries): this stripping of all of our clothes before entering is nonsense and we can't choose not to eat, so we will force you.

If that's so, it's as if an unknown and possibly arbitrary amount of money was taken from your wallet every time you picked something up from a store. Yes, it's nice that I can walk into Whole Foods and just pick up a few oranges and leave, but if I get home and it turns out they cost $25 each, is it worth it? The data market is not mature and transparent enough for the transactions it's capable of making.

> Whether we like it or not, tracking data used for ads is the currency of the free internet. It is how things are paid for.

You're right, it's the currency now. It would be great if it wasn't. If there was some way to force the industry to come up with new, non-privacy-invasive methods... Hey maybe if we made a law to ban the old, bad, way....


>tracking data used for ads is the currency of the free internet

Advertisers will still pay for ads even without the tracking.


The only examples I can think of for the US where this happens have to do with historically discriminated classes of identities; e.g., gender, racial minority, etc.

Are there other examples?


Agreed. I think of it akin to smoking, drinking, drugs, speeding, or various other acts you can partake in. The government should largely stay out of your life but society has deemed some things "for your own good". In this case, I could see certain types of advertisements or data harvesting which is largely misunderstood to be managed by the government, where they decide that companies can't track you - whether you want them to or not.

Disclaimer: I'm not saying I agree with any of this. Nor that any of this is truth in any way. I just view the governments involvement here, saying how ad companies can behave, to be similar. Whether that is good or bad is complicated, and out of the scope of this conversation.


There's been laws about that sort of thing for decades. A business can no longer refuse to serve black people. So we, as a society, are using that logic.

They can refuse to serve you, however, they can't then turn around and claim that those who clicked "I consent" actually did freely opt-in to tracking because they genuinely wanted to be tracked - because, obviously, they most likely did not.

In essence, GDPR states that you're not allowed to violate the privacy of people unless they really want to (freely given, informed, narrow/specific opt-in consent) - and this time, all the oft-used loopholes to "extract consent" don't really fulfil the criteria, as forced consent is not considered consent.


If the cost is for hosting a bloated 14MB page, 30% of which is hostile JavaScript, let's talk about ridiculous. "But we need that JavaScript to scrape the data and run the ads to pay for hosting all that JavaScript!"

My stance is even more ridiculous: Deadbeats who can't afford hosting without begging, selling ads, or turning against their users, scale your site down to something that's cheap to host, or get the hell off the internet. Back to the amateur web of the 90s. It was fine.


Yes absolutely! Websites need to find revenue models that don’t depend on violating the privacy of their users. That stance makes a lot of sense to me.

There are tons of websites that have other revenue models. Subscriptions, referral models, etc.

Shouldn't people be able to choose what currency they want to pay for something in?


> Shouldn't people be able to choose what currency they want to pay for something in?

That's a very libertarian position statement and I understand it. But the EU is much less capitalist/libertarian than you are. Their parliament made the call that they don't want people paying for services with their personal data.

There's valid arguments on both sides here. Some arguments supporting the EU's stance:

- If online newspapers get paid in proportion to views, they make more money by writing divisive clickbait

- Privacy is a fundamental right; not a currency. Treating it as currency means only wealthy people will be free from spying, and that is borderline dystopian.

- Advertising on the internet worked just fine before everyone was tracked and monitored through every click. Don't annoy me with cookie notices. Just don't use cookies for tracking and we'll get along fine.


How is it a fundamental right?

We as sovereign citizens of the EU decided it was so.

That doesn't make it a fundamental right.

Contracts of adhesion don't lead to very good choice. And pretty much no site lets you choose what currency to pay in when it comes to ads. Realistically that would mean an option to pay a fraction of a penny per page.

So 'choice' is already something that has failed in the free market. Bring on the privacy.


It's been proven over and over again that people won't pay for content that gets successfully monetised with advertising.

You only have to see the howling every time someone posts a subscription only newspaper link on HN to see how vehemently opposed people are to paying for stuff like news.


So that means consumers have chosen to forgo their privacy to avoid paying money for content. Why can't I make that choice myself?

Why doesn't McDonald's sell pizza? (I know they did at some point and gave it up.) Because their customers don't want it, or at least not enough of them do.

"Subscribe or fuck off" is a stupid business model when it costs practically nothing to implement multiple revenue streams. This is such an obvious point.

That is what the Washington Post does, I think. You can agree to tracking or pay money.

Well, saying it's ridiculous isn't an argument.

It's expensive and maybe non-viable for many websites. But it's not like all websites need to exist? There was a world wide web before cookies.


>There was a world wide web before cookies.

I like to think of that time as a great time too, but oh man so much we couldn't do.... I get what you're saying generally, but man I'd hate "before cookies" to be the standard.


The big use of cookies for re-authentication and carrying around a session id enabled clean URLs lacking your session id as a query param, but it wouldn't be that big of a deal to lose it. You'd need to be careful with copy-pasting URLs -- but given browsers standardized on cookies they could have standardized on a sessionId param name to filter out of copy-pastes or not even display it at all similar to Chrome's proposal to not display the protocol, just a "secure" flag or not. A similar "session context established" flag could have been made. And in the age of password managers and/or having your browser remember your login, it wouldn't be that much of a loss to require logging in to everything again every time you restart your browser... maybe more of a pain with 2FA.

I don't really see it as "what we couldn't do" but "what poor usability we have overcome". I'm glad we have cookies and other forms of local storage, especially for the latter there are many other benefits. Maybe one day we'll get Web SQL.

In the meantime people can still disable cookies entirely, or at least delete them when they close the browser, both with out of the box browser settings (and I have no idea what extensions are available to do even more) and return to that less-usable (if slightly more private) experience. The crucial idea of a "user agent" is I think the biggest mindset change the web brought, it's important to keep that even if on the dev side we constantly complain about being asked to support more than one configuration of anything.


>I don't really see it as "what we couldn't do" but "what poor usability we have overcome". I'm glad we have cookies and other forms of local storage, especially for the latter there are many other benefits. Maybe one day we'll get Web SQL.

Yeah I think that's accurate.

It's a little weird sometimes reading all these articles about cookies, JavaScript, etc and I always think "But I use those things to ... give people things, convenience, data, help them do things." But so many times it's not treated as a tool, it's almost implied to be a negative thing.


90% of web developers give the rest of you a bad name.

I really wonder if it is more 90% of really visible things give a bad name.

Most just do stuff nobody sees at any volume.


That’s a good point. One bad web developer at, say, Facebook cancels out millions of people working on less visible stuff.

give people things, convenience, data, help them do things

Have you ever reviewed how little you need in order to do all those things, outside of third-party dependencies? Any second guesses at all?


I don't know what you mean exactly.

This will work until the EU in decides you must ask the user permission before you can change the query string. Technology was not the cause of this problem and it won't be the solution.

The WWW before cookies was pretty limited, and didn't last long. I mean, the first web browser was released in 1990, and cookies were introduced in 1995.

We didn't have e-commerce before cookies.


There was e-commerce before cookies.

The same functionality of correlating multiple requests for a single request (building sessions upon packets) was just more difficult to use by encoding the session ID as a parameter in query string for each request. Many frameworks still support this mode.


Cookies pre-date SSL, so how were they securing that e-commerce that existed before cookies?

Nobody cared. I submitted CC numbers over http connections for years in the late 1990's. I emailed them sometimes, too. I also used telnet across the public internet and never got my passwords sniffed or mitm'd (only on hacker meetups where I would lure people into honeypots by doing fake telnet sessions :) )

By using secure networks? PPP is older than SSL and has been in widespread use for a longer time.

SSL is largely irrelevant to banking security anyway. Actual security is built upon charge-back system. The underlying security model was designed when everyone trusted written checks.


Does placing an order on a website, then sending a check in the mail still count as e-commerce?

You can actually have an ad without tracking, you know that, right?

Believe me, they are getting paid. Read Surveillance Capitalism for the real story: http://www.shoshanazuboff.com/new/recent-publications-and-in... Stop deferring your choice to big technology monopolies! Tell them to stuff their cookies where the sun don't shine.

>So websites are supposed to just absorb the cost? That seems like a ridiculous stance.

The €0.00002 it took to serve that one page just because the user doesn't want to consent to cookie placement/tracking? Is it really that harmful?

NPR seems to do this just fine for GDPR reasons: Decline and Visit Plain Text Site


The cost to serve the page is a misleading number to use. You also have to factor in the cost to create the content, manage the service, etc.

I mean, by your argument, all digital goods should be free, since it never costs much to transmit the bits.


My argument was one user who requested one page and didn't want to consent to cookies/tracking in order to offset the ridiculously low cost of serving the actual page (I'm considering the cost to make it as having already been burdened, as it's already being served).

The OC didn't consider the fact that you can have advertising without cookies/tracking/fingerprinting and just reduced it to absurdism by saying that the company would bear the brunt of the cost, but even the cost of that single event is marginally insignificant, overall.

So, no, my argument was never about all digital goods being free. However, if we want to play the devil's advocate and utilise your reduction to absurdism: By your argument, shouldn't all digital goods be paid for...? For example, Ubuntu costs money to host and serve, yeah?


In fairness it can add up pretty quickly on popular sites.

I do love NPRs approach though.


>In fairness it can add up pretty quickly on popular sites.

Aye, if they're only looking at it from a "cookie placement/tracking or nothing" hard-limit perspective, which is what the OC posited it as.

...but if other sites can absorb the costs, case in point: NPR, why is it such a dastardly evil thing to point out? Is there some foolhardy belief that if we cut tracking, tomorrow, the internet would cease to function? Is there absolutely no room for advertisements without cookies/pixels in the modern world...? Do we really believe that it's that expensive to serve webpages?


Of course it's not expensive to serve pages. But creating content and services that are worth serving can be pretty expensive.

We are now in the middle game of GDPR. Companies whose business model depends on tracking users essentially have now an illegal business model, because practically no user will give informed consent when they are offered the same service without consenting.

So what can these - now shady - companies do? They probe the limits of the law, and try to keep their business model alive as long as they can. We need to wait and see. In my opinion, the most probable development is that European data protection agencies will start to hand out fines. Of course, the shady companies will fight them in court, and of course, they will lose. Then they will retreat a step, and try again with a little bit less intrusion into the user's privacy. Over time, courts will rule, and fines will increase, until the shady companies will give up in EU.

Then EU will essentially become free of tracking networks. It might take a few years, but I think the intermediate annoyance is worth it.


> Then EU will essentially become free of tracking networks. It might take a few years, but I think the intermediate annoyance is worth it.

I don't disagree with you, but I think it is more likely that these companies will just not let EU people use their sites at all.

One BIG fine (and you know they're salivating at the prospect of getting multi-billions out of Google and/or FB) and doing business in the EU becomes too much of a gamble for a company to justify the risks.


Some will choose to adjust practices, others might choose to block the EU. If they're happy to lose that many users, as they think tracking is more important, would that be so terrible?

It might even encourage some more ethical alternatives, or some real attempts to solve micropayments.


It really depends on how heavy handed they get in their enforcement actions.

Everyone knows that FB and Google are expending serious resources to be in compliance yet they will more likely than not get some large fines anyway because politics. I doubt they will ever leave the EU but other, smaller, companies will not have the resources to throw at the problem so will be effectively locked out of the EU market.

It's probably in Google's best interest to pay a couple billion euro fine (to scare off the smaller fish) in order to lock in their de facto advertising monopoly.


I already encounter EU blocked sites almost daily. It would get much worse.

And yes, I do consider it terrible that my nanny state government decided what is best for me, over some hysterical fears about tracking. I don’t give a damn. I don’t consider tracking of me in the way the browser can do actual personal information.

I’m OK with a strict regime for actual personal information, like name+address, heck, even spam data like phone and email, but extending that to tracking cookies, at the enormous cost in usability we’re already seeing, is ridiculous.


I hope they do pull out of the EU. That would be one of the biggest business opportunities in history for privacy-respecting companies to fill the void that was left.

You'd be the first in line (if you even are in the EU) to bitch about losing all that free content you can access now.

That is a desirable outcome too, because copycats will then start in EU, and citizens of all countries will prefer to use their tracking-free services instead of the tracking ones.

> So what can these - now shady - companies do?

As it looks to me, they are responding by trying to push through articles 11 and 13 so that they can then all switch to paywalls. A paywall for a news company is practically useless as the internet currently stands, as any major story one makes gets linked to and paraphrased by dozens of other news agencies within minutes. Why would users pay for a news website when they can get practically the same thing at a free one that did not work to come up with the story? And article 13 is to prevent one user who does pay for a website from copying the entire article and pasting it in a comment (I see that and archive/outline links all the time here and on reddit).


Oh, I so hope you're right!

DPA can track you for at least 31 days before their log files rotate and get aggregated. It is not via a tracking cookie, but unique enough in my opinion to track you, and that happens without consent.

For a privacy advocating party it would suit them to not log anything and be very clear about that.

Source: https://autoriteitpersoonsgegevens.nl/nl/over-deze-site/cook...


I haven't read the full decision but I'm always surprised at how little regard European courts have for property rights. If it's my website, I should be able to decide who has access and under what terms.

Don't like cookies? No one is forcing you to visit a particular website.

I also feel like tech companies could adopt an open standard for cookie acceptance preferences in web browsers, but they're afraid to lest they be forced to deal with even more regulation later.


> If it's my website, I should be able to decide

to decide whether to track your users? through third parties? for advertising purposes?

Why? Why do you get to decide and not the users? I'd rather you didn't!

It really honestly does surprise me the amount of crap Americans are willing to swallow when it comes to advertising methods, or even just profit in general. Your whole society is rife with abuse. There's robo-calling, giant billboards, attack ads, pharma ads, ads or contests that are literally scams, just a few from the top of my head. Probably more I don't know about (ads to target children? there is NO good way to argue that children "should" be targeted by ads).

It's a small miracle you managed to push a mandatory "unsubscribe" link underneath mass email lists. I suppose it's mandatory because given the attitude to this kind of abuse I doubt they would put them there voluntarily.

Also, you've seen what happened to the online ad industry without this kind of regulation. If you don't make rules they're going to push it as far as they can. It's gotten to the point where people recommend adblockers for security not getting rid of annoyance. Or for saving about 95% of your mobile data plan surfing sites. Did you ever notice the most profitable ads pay for the shittiest content? The system isn't even working.


I'm a big fan of a lot of pro-consumer regulation in EU. For example the right to block junk mailers in Germany with a simple notice on your mailbox is amazing.

However I think websites should be able to block access to anyone they want. It doesn't seem fair to force websites to serve an audience if they do not wish to.


They can block access to anyone they want.

However, if they say "press here to forego your privacy or we'll block you", then that's not a freely given consent to forego your privacy, and in this case this "consent" doesn't count as consent. In this case they're not allowed to track people who "consented" because they didn't really consent (both in moral and in legal sense). Consent "counts" only if it's freely given, if people really want you to do that thing; in EU privacy rights are not something that can be sold or bartered away.

It's somewhat comparable to consent to sex - let's imagine that in a place where you can freely fire workers at will, you say "consent to have sex with me, or I'll fire you". You technically can fire them, but that "consent" isn't really consent, and even if they "agree", that's still nonconsensual. Privacy (in EU) is pretty much the same.


As a European, it honestly surprises me how much crap people are willing to put up with to advance the nanny state, and even support and advocate for that shit.

I'll take freedom any day over someone telling me that they know better.


This is an ignorant position. When you extend an open invitation to the public to enter your private property, it becomes subject to public regulation under common law due to the open invitation. Under civil law, they can just dictate the regulation. Regulation of businesses which are open to the public is not some uniquely European invention.

Obviously you cannot do whatever you want to a person who physically enters your business. This is a facile point. The same is true of websites: simply because a person navigates to your website, you do not automatically have the right to place tracking cookies into their browser.


That's a really naive view. I take it you would support segregation in shops etc. "It's their shop. If blacks don't like it they can visit a different shop".

Does that affect the use of the session & local storage?

No it's about tracking cookies. Session cookies for keeping login state or shopping carts, etc, are allowed.

I don't understand how this wasn't obvious from the start. GDPR was quite clear that you can't "punish" users who reject cookies.

What is the significance of this decision? This is already explicitly stated as disallowed in GDPR. Is this just a declaration of intention to enforce the existing law?

Could, say, Germany decide differently?

GDPR seems like it could evolve quite quickly, and sort of fork a bit here...

Also makes me wonder, do they have to have access to the whole site?

This feels like a war on cookies, and there are bad things done with cookies, but I'm not sure if they're fighting on the right front long term here.

If people simply just say yes all the time / don't know, not sure we're making progress.


> This feels like a war on cookies, and there are bad things done with cookies, but I'm not sure if they're fighting on the right front long term here.

Problem is willful misinformation. It's a war on tracking cookies, not session cookies for login state, etc. But all the cookie warning dialogs make it sound like it's a war on all cookies no matter what, so "just accept because otherwise this site won't work, also <insert clueless condescending remark about the cookie law>" (really, the amount of sites that use this dialog as a misinformation soapbox to vent against not being able to track their users...).
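As an added example, not code posted by any commenter here, the following Python request handler makes concrete two points raised in this thread: the earlier comment about carrying the session id in a cookie rather than in the query string, and the distinction just drawn between strictly necessary session cookies and tracking cookies that need freely given consent. The cookie names `sid`, `cookie_consent` and `_ad_id`, and the `handle_request` function itself, are assumptions chosen for illustration; the page is served whatever the user clicks, and a later "no" also expires a tracking cookie set after an earlier "yes".

```python
"""Consent-gated cookies: serve the page on 'no', set tracking cookies only on 'yes'.
Added illustration; cookie names below are assumed, not from any real site."""
from http.cookies import SimpleCookie
import secrets

SESSION_COOKIE = "sid"             # strictly necessary: login state / shopping cart
CONSENT_COOKIE = "cookie_consent"  # records the user's banner choice: "yes" / "no"
TRACKING_COOKIE = "_ad_id"         # hypothetical advertising identifier (needs consent)


def parse_cookie_header(header):
    """Parse a raw 'Cookie' request header into a dict; None -> empty dict."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def handle_request(cookie_header, query_params, consent_choice=None):
    """Simulate one page request and decide which Set-Cookie headers to emit.

    cookie_header  -- raw 'Cookie' request header, or None
    query_params   -- dict of query-string parameters; a 'sid' here is deliberately
                      ignored, so copy-pasted URLs and Referer headers cannot carry
                      or fixate a session
    consent_choice -- "yes"/"no" if the user just clicked the banner, else None

    Returns a dict with status, the Set-Cookie headers, the session id actually
    used, and whether tracking is enabled for this response.
    """
    cookies = parse_cookie_header(cookie_header)
    set_cookie = []

    # 1. Session: the cookie is the only accepted carrier of the session id.
    #    Anything in query_params[SESSION_COOKIE] is never trusted.
    sid = cookies.get(SESSION_COOKIE)
    if not sid:
        sid = secrets.token_urlsafe(32)
        set_cookie.append(
            f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        )

    # 2. Consent: a fresh banner click overrides the stored choice; no recorded
    #    choice at all means no consent (pre-ticked or implied consent is not used).
    consent = consent_choice if consent_choice in ("yes", "no") else cookies.get(CONSENT_COOKIE)
    if consent_choice in ("yes", "no"):
        set_cookie.append(
            f"{CONSENT_COOKIE}={consent_choice}; Path=/; Max-Age=15552000; Secure; SameSite=Lax"
        )
    tracking_enabled = consent == "yes"

    # 3. Tracking cookie only on an explicit 'yes'. On anything else, an existing
    #    tracking cookie is expired, so declining later undoes an earlier accept.
    if tracking_enabled:
        if TRACKING_COOKIE not in cookies:
            set_cookie.append(
                f"{TRACKING_COOKIE}={secrets.token_hex(16)}; Path=/; Max-Age=31536000; Secure; SameSite=Lax"
            )
    elif TRACKING_COOKIE in cookies:
        set_cookie.append(f"{TRACKING_COOKIE}=; Path=/; Max-Age=0")

    # 4. The page itself is served in every case: 'no' is never answered with a block.
    return {
        "status": 200,
        "set_cookie": set_cookie,
        "session_id": sid,
        "tracking": tracking_enabled,
    }


if __name__ == "__main__":
    # Constructed sample requests: first visit declining, then a later accept,
    # then a decline that must remove the tracking cookie again.
    for hdr, choice in [(None, "no"),
                        ("sid=abc; cookie_consent=no", "yes"),
                        ("sid=abc; cookie_consent=yes; _ad_id=0123", "no")]:
        print(choice, handle_request(hdr, {}, choice))
```

The handler never refuses the page; what changes with the answer is only whether an advertising identifier is issued or, if already present, expired. The session cookie is marked `HttpOnly`, `Secure` and `SameSite=Lax` because it is the one cookie the site genuinely needs, and it is read from the cookie jar only, which is the usability improvement over query-string session ids the earlier comment describes.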


Maybe I'm just dense but I have my doubts that there are many cookie prompts that are intended to push misinformation about "cookie law".

> Clicking 'no' should still allow people to view the website, but without placing any tracking cookies.

No! It doesn't. Viewing a website isn't anyone's god-given right. The tracking cookies are part of the business model. If you don't agree with how a business makes money, stop patronizing them.

If this is serious, look for companies to just block all traffic from The Netherlands. Why even bother dealing with the hassle.


Siphoning up people's data isn't anyone's god-given right. If you don't like EU laws, then don't do business there.

Isn't that what "just block all traffic from The Netherlands" would mean?

Slavery and child labor were also just "part of the business model".

Some business models are predatory societal negatives and should be done away with at a government level of respecting individual rights. Behind-the-scenes tracking and data brokering are in that class.


Slavery and child labour are coercive. Not letting you use a website is only coercive if that website is Facebook or Google or some other monopoly core to a person's ability to function in modern society. If you can't access Bob's Bargain Basement Underwear then you've got plenty of competitors to go to.

It has nothing to do with being coercive, or any such specific facet of any implementation of rights violation. It's about being a rights violation, full stop.

Regarding options, in the current model it is generally unknown to the user what is happening with their seemingly private, personal, and "lock icon" encrypted activities on a site. While some here might consider it a "fair exchange" to give up PII in exchange for website services, the vast majority do not understand or even perceive that, and it is not an informed exchange at all. It violates the user, both in the nature of the exchange and in the privacy implications. It is a type of interaction that should rightly be barred in the absence of understanding and explicit, intentional consent.



