
This shows utter incompetence and detachment from reality by European legislators. Maybe it seemed like a good idea in theory but the only practical significant impact is that browsing the web has become more annoying.

Surely there are solutions that don't require a popup on every webpage you visit? For example enforcing no tracking by default for advertising purposes?

Back in the early days, browsers used to prompt you for every cookie:


i don't think i ever saw that. which browser?

Konqueror did that when I used it in 2007-2010. I don't remember if it was the default behavior, but I had it configured by default.

These days I just block all third-party cookies, which solves most of the problem.

It was pretty common! Check out this Onion parody (from 2002), which refers to a website prompting you to accept cookies:

>"She goes apeshit whenever a pop-up window comes up. And one time, she paged me because she got a message about accepting cookies. She was all freaked out because now she thought she was being charged for actual cookies."


wow this is amazing. clearly this lady was ahead of her time typing cheesecake into the "address bar" and expecting search results.

I believe early versions of Internet Explorer did iirc. Maybe it was netscape.

Older versions of Internet Explorer did it (3 or 5 can’t recall) Konqueror, Netscape, and lynx too if I recall correctly.

Maemo's Web used to do that if I recall correctly.

lynx still does that.

When trying to view this I got a full page opt out (not GDPR compliant) dark pattern based dialogue obscuring the entire page. The irony

> Surely there are solutions that don't require a popup on every webpage you visit?

I don't get any popups or cookie notices on visiting HN or several other sites. It's not like it's a fundamental need to set hundreds of tracking cookies on a visitor's browser to show them a website.

HN doesn't have ads though.

duck duck go has ads and doesn’t track you... you don’t need cookies to show ads; only to show intrusive “track you across the internet” ads

Don’t they have hiring advertisements for their startups?

True, but very different. That’s not the highly-targeted, audience-segmented approach to advertising that parent commenter (and most people on the internet) is referring to by saying “ads”.

> This shows utter incompetence and detachment from reality by European legislators.

> Surely there are solutions that don't require a popup on every webpage you visit? For example enforcing no tracking by default for advertising purposes?

Wait, what? There are such solutions. GDPR, and the "cookie law" before it, don't "require" any popups.

They allow cookies, 1x1 pixel images, browser fingerprinting, Flash supercookies, browser local storage, etc. without any need for stupid popups... as long as that's required to implement the site's functionality. Consent for these things is implied by the user's use of the functionality (e.g. game scoreboards, saving word processor documents, keeping track of a user's shopping cart, etc.).

What these laws do require is that handling such personal data without such implied consent, should require explicit consent. This acts as a disincentive for sites who want to continue spying on their visitors, by forcing the UX to be more annoying and dissuade visitors from staying.

> the only practical significant impact is that browsing the web has become more annoying.

Sounds like the dissuasion is working. Hopefully that is causing spyware sites to receive fewer visitors (and perhaps revenue), and potentially rethink their decisions.

What evidence is there it is working? That evidence only shows that people have changed their web experience to be more annoying out of fear of the EU. It does not show there is less tracking or more public support for privacy.

Most people hate the UX change but don’t care about the privacy so probably a net loss for the EU.

I remember reading a report that trackers were down, but it was mostly the smaller European ones that are losing market share:


That's because the sites currently have an option (or think that they have an option) to make tracking mandatory for their visitors, so long as they consent - which is the easiest way for them to deal with it. It sounds like this Dutch agency is saying that it is not actually compliant with GDPR.

> Sounds like the dissuasion is working.

It clearly isn't. Vast majority of people (me too) are trained to automatically accept whatever cookie BS the website asks for, just to get rid of the popup as quickly as possible and get to content. And no, these "spyware" sites such as reddit.com or bloomberg.com won't switch to non-tracking ads to get rid of the popup.

well the GDPR does say many things about how the tracking consent can’t be the default right? so yeah it’s working if you just click through... of course if businesses are breaking the law, that’s different and enforcement will come

for reference there are at least 2 parts that make this outcome true:

“Consent must be freely given, specific, informed and unambiguous ... Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid”: a default choice of “i agree” is influence

“The withdrawal must be as easy as giving consent”: if you hit “i agree” in a box that automatically pops up to give consent, there must be a withdrawal mechanism that’s as easy as that to withdraw (and then they must delete your tracking data)


The EU has generally been a really positive force when it comes to consumer rights, but I'm not a fan of this either. The question I have is, what did web company do to deserve this kind of regulation? It is quite unusual to see governments enact regulations, without the existence of a measurable harm being caused - but solely on the premise, that the act of collecting data is 'unethical'. I mean this is really not normal, and quite unfair, if you look how regulations worked in the past for other industries, it has always been a response to very clear quantifiable harm being caused.

We have seen nothing of that, on the contrary, tech companies have improved our lives immensely, for free, and in my opinion, are one of the biggest driving forces towards improving the future. Data is not just being collected for advertisement, tracking, and evil purposes, but is a very important asset in the development of products.

Furthermore, historically it was governments, not companies, that were abusing private data for nefarious purposes. Yet there seems to be no effort to stop it happening from that direction? Well of course not, it's way too useful, and you'd be a fool not to use it, but companies are 'bad' trying to utilize it...

> The question I have is, what did web company do to deserve this kind of regulation?

Have you been asleep for the past decade? Pervasive tracking and spying on consumers has been the topic of discussion even long before that.

EU countries have had data protection laws since late 90s, and the web companies have taken a collective dump on them. So now the EU has created a single law that is quite sensible (if not without flaws) which says: you can only collect the data you absolutely require to work. If you collect other data and especially if you send to third parties, you must ask the person using your site if that's ok.

Oh my, did web company do to deserve this? Oh, I don't know. Open TechCrunch and opt out of ~300 tracking, data collection and ad companies, and tell me what they have done.

how does "TechCrunch" "~300 tracking, data collection and ad companies" impact you?

i'm asking because my government knows everything about me: my private and public IPs, what sites I visit, my comments on those sites, how old I am, how often I go downtown etc etc etc

Simply put: when we learn that NSA secretly spies on everyone, it's a huge scandal that calls government practices into question. When it's ~300 tracking companies per website, it's "how does this impact you"? ;)

the US government can literally take your life, imprison you, etc.

techcrunch just wants to sell you stuff.

there’s really no comparison.

So, the arbitrary line is drawn at “someone can imprison you”.

And no, it’s not TechCrunch who’s getting all that data.

the impact of 300 trackers is less than the impact of your government tracking you.

> if you look how regulations worked in the past for other industries, it has always been a response to very clear quantifiable harm being caused.

It should be straightforward to show quantifiable harm to people’s right to privacy. You could survey a large number of people to ask if they would be OK with having their online habits monitored in detail by unknown companies (whose websites they didn’t even visit) for the purpose of targeting ads to them at later dates. If close to 100% of respondents say this is an invasion of their privacy, then that’s what it is. You could also do some more technical research to work out how many times per week people’s privacy is invaded in this way. You’d probably arrive at a very big number, rising every year.

I installed a plugin in firefox that just autoclicks "yes" or closes (no clue which) either way it makes the web much less annoying.

yeah pretty sure it's that one. It works as advertised so far, basically restored the web back to how it used to be pre cookie spam.

uBlock Origin (and presumably other ad-blockers) lets you block arbitrary elements, including cookie dialogs.

How do you remember that a customer has responded to a popup if you don't give them a cookie? Even a cookie as a session identifier.

There’s a common misconception that any cookie of any type needs a pop up.

The rules are actually only concerned with tracking cookies. Session cookies and user preference cookies aren’t within its scope. They are still perfectly acceptable to use without explicit consent from the user.

"Cookies" are mentioned only once in GDPR, in a long list of examples. They're not targeted specifically.

The law talks about information that can be used to identify a person.

So a cookie such as "gdpr_response=ok" has ZERO effect on GDPR compliance.

> So a cookie such as "gdpr_response=ok" has ZERO effect on GDPR compliance.

I wouldn't be so certain about that. Before now, most people were pretty certain that an accept/decline warning was enough and that they had the right to refuse service to people who did not click OK on the warning.

If anyone believed that, they did not research more than 10 minutes.

This comes up in _every_ discussion about GDPR.

I honestly worry - are we as developers just extra stupid, or are other occupations (electricians, ship captains, architects) equally lax when it comes to reading and following regulations?

Those other occupations have been regulated for a long time, so the training and verification practices have had time to mature. This is still the early days of software development regulation, so there's not much history or tradition to fall back on -- I'm pretty sure that all the other industries had similar problems when their first regulations were enacted.

There’s different types of cookies. Cookies are not banned but the ones not needed to offer the service are optional.

You'll need to use fingerprinting and other much more intrusive tracking methods to track the cookie preferences of any user that refuses cookies.

Wrong on both accounts.

1. You ARE allowed to use any cookies you like without popup warnings, as long as the cookie can't be used to bind the session to personal identifiable information (PII) about the user. Session cookies are perfectly fine when used to manage webapp state, such as what page a user is on, what feature has been enabled and so on. Likewise are other identification methods, for this sort of purpose.

2. Any technical means used to make a connection to a user's PII does fall under GDPR.

Seeing the underlying intent? GDPR is about avoiding invisible tracking (connection to a European citizen). The regulation is written to bring that sort of behavior to an end. Your fingerprinting example, as well as any other "clever" technical ways of achieving the identification objective, when the purpose is that of invisible tracking; tracking where the user isn't in control of the profile information generated, is explicitly what the regulation aims to nail.

Do read the regulation document. It's actually a very well written document that even a non lawyer can understand: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

GDPR is about users gaining control of the lifecycle of information pertaining to their identity, so if you or your proxies (googl/fb or other ad companies for example) have PII about a user, then the GDPR stipulates processing constraints on that information, which includes any information that can be associated with the user. E.g. building a profile about a user that can be tied to a user's PII becomes part of the user's PII, and thus subject to the intended end-user lifecycle control. What that control means is stated clearly in the document linked above.

When the web plays its normal chinese-whispers-game on any kind of fact, it's always best to go directly to the source to see what was actually said or written. In this particular case with GDPR, this is definitely the case. Not a single of my US colleagues nor friends had even an inkling of what GDPR actually is about, and it seems most of this community is in the same boat.

I guarantee that reading the actual doc will dispel a lot of unfounded fears.

If you happen to have even the slightest layman interest in law, or appreciate games / brain teasers, then you might actually be a bit impressed by the cleverness of the wording in parts of the document, and how it all comes together. Myself, having been in the dev field for 20 years, I've read my fair share of EULAs, licenses and contracts, and to me I saw some true genius shine through half way through the document, like watching a good chess player set up a board and guard against obvious attacks by the opponent. I felt I could almost see into the minds of the authors; what they sought to accomplish, loopholes they tried to close, and an attempt at creating a defensive shield that would be as "future proof" as they could make it, against new unknowns introduced by rapid technical innovation.

That's a bit of a chicken/egg thing, but it shouldn't matter if there's no pop-up in the first place right?

I should mention that I essentially browse this way due to a few privacy add-ons I use and it is absolutely infuriating having to deal with these pop-ups even on sites that I've already visited.

If they say yes, you store a cookie that says they said they accept cookies. If they say no, you keep asking them.

There should be a header that browsers can send to indicate whether the user does or does not consent to tracking.

“incompetence”, “detachment” right.

I, for one, am happy that bullshit like “hey, we send your data to 244 trackers uncontrollably” has become visible and is being called out.

I mean, visible only in the EU.

Dark patterns and site-blocking are anti-GDPR, so I’m hoping for some heavy fine across the board. And, hopefully, if not the end then curtailing of the intrusive and tracking cookies, ads etc.

Facebook hasn't made any more privacy or policy SNAFUs over the last 12 months than they have any year before that, and yet interestingly this is the year where the people around me have been taking an interest in what I use instead of facebook and taking active steps to move away from it.

These laws force people who are attempting to take advantage of non-technical users to either stop it, or do so in an obvious way that lets even non-technical users see that /something/ is up.

It's good, I like it. It's driving social progress, as truth always does. I'll get downvoted for expressing that opinion here of course. Too many American software developers who want to inflict their freedom on others I guess.

I've a rather radical thought: I don't think tracking itself is fundamentally a bad thing. I'd rather see useful relevant ads than irrelevant ones. Yes, it may be creepy but it's not a bad thing that people in ad industry are working hard to figure out things that would be worth my time and interest. However, what is bad is how else is tracking data used? Who else has access to it and for what purpose? GDPR should have created law that tracking data may not be used for anything other than machine generated recommendations by same company and it would have been 1000X more beneficial.

Downvotes may begin now.
