Hacker News new | past | comments | ask | show | jobs | submit login

Hmm, there are features that one literally can't provide without state (cookies).

I think the real problem here is that the technical feature of cookies providing browser state is a poor proxy for what EU/DPA _really_ wants to regulate, which is privacy-related tracking.

There are tons of sites I've written which use cookies, but have no ads and perform no user-tracking whatsoever, not even Google Analytics. It is true that cookies are the _easiest_ (if not the only) way to do the other; but making "cookies" the thing that gets effectively "regulated"... I realize this isn't necessarily the intent of the regulations, but I'm suggesting it's part of what results in the situation troy mentions. There are very few sites that don't use cookies; there are or at least could be more sites that don't track you in a privacy-compromising way, to train the user that this is the same thing is just too much noise for the user to actually make any discernments.






Most discussion about the EU cookie directive doesn't mention it, but not all cookies require consent. From https://privacypolicies.com/blog/eu-cookie-law/#some-cookies...:

"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

Of course, no website will ever tell you "Hey, we're using cookies to track you"; it's in most companies' (both legal consulting companies' and website owners') best interest to keep people ignorant. Consulting companies want website owners to be scared and buy legal consulting services, and website owners want people to think that the pop-ups are a result of stupid EU legislation and not because they are actually being tracked.


" in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

If I need to get explicit opt-in for "So, remembering your shopping cart when you come back requires cookies, that okay with you?" I'm not sure how much better that would be. It's still gonna be information overload "false positives".

But I think that is what the regulations actually intend. "We need cookies to give you: Shopping cart; search history; login to your account; whatever -- opt in or out to each one, you can still use the site just without those features if you go out."

A) That is actually fairly expensive to implement. B) I think it _still_ wouldn't accomplish the goals, it's still _way too much information_. Nobody cares whether or not you use cookies to implement a shopping cart. They care about things related to "tracking", especially aggregated tracking, and profiling. C) But you are exactly right that no company is ever going to tell you what you _really_ care about. Unless regulations make them maybe. These regulations were trying. Not there yet.


I'm fairly sure I agree with out that the law wouldn't achieve its purpose even if it was implemented "correctly", and it certainly doesn't achieve its purpose with how it's implemented by websites today. I considered adding a short sentence about that, but ended up not doing it. I'm just tired of the vast amount of misinformation out there, and people discussing as if the directive applies to all cookies and only to cookies.

I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects which includes being able to create an account to save their shopping cart and view their order history, while using cookies to show tailored product suggestions wouldn't be. However, IANAL and I haven't even read through the text of the directive.

In any case, the vast majority of the times I see the cookie notice are times where there are exactly zero reason to use cookies (or other methods of persistent storage) other than tracking, such as blog posts and news articles. Every single one of those websites would be able to get rid of their annoying pop-ups if they just spied on their users a bit less.


> I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects

You can 100% support a logged in account experience without cookies. Java, for example, supports jsession id in the URL for people with cookies disabled. This id belongs to a session that is managed by the app server, which you can use to store information such as the cart, logged in account id, etc. If Java can do it, other languages and web frameworks that currently only support cookies can do it too.

I think the better angle to look at it is: session cookies expire when someone closes their browser. They aren't that good at tracking people.


I'll quibble with the 100% thing. Yes, you can shove session ids into the URL but it's generally pretty terrible from a security and UX perspective, you can't share links, and caching becomes much more difficult.

In that light I tend to agree with GP. If you're just using cookies to run sessions for your site, I just can't see regulators coming down on you.

There's some potent mix legal and technical pedantry combining with the profit motive of consultants everywhere that has led to a huge wave of overblown FUD around GDPR.

The fact is, ad-tech has been running amok for years and I don't think it's that hard to draw a line if we're intellectually honest. Of course it will take years for case law to catch up, but it's not as hand-wringingly difficult as some would have us believe.


> If I need to get explicit opt-in for "So, remembering your shopping cart when you come back requires cookies, that okay with you?"

You don't provided you have a reasonably short retention period, are not storing personal information that is not directly needed for remembering the shopping cart and are only using it for that and not simply using that as a justification for something else.

> Nobody cares whether or not you use cookies to implement a shopping cart.

Nor do the regulations. You have to meet the exactly the same requirements to store personal information using some other mechanism that you do using cookies.


> Hmm, there are features that one literally can't provide without state (cookies).

The biggest lie in most cookie warning popups is that you need to accept them for the site to function. It is often not true. Those are session cookies and you don't need to warn users about them, they're just allowed.

I didn't know this, and neither do any of the cookie warnings mention this. So like many people I thought the cookie law was the stupidest thing ever because like you say, you gotta have state. But the session cookies used to make a site hold state, those aren't considered tracking. When I learned about this little fact, it changed my opinion about the cookie law considerably.


I went through a similar thing which resulted in me removing cookie warnings from all but one of the websites I manage, yet I still believe that the law is stupid. It's like outlawing guns to solve your murder problem without considering all the other murder weapons all while keeping the act of murder itself legal.

As far as I understand it, the GDPR does everything and more than the cookie law was supposed to, so IMO it's about time we put that disaster behind us.


The directive containing the cookie law (ePrivacy) was indeed being revised in 2017. I haven't heard much about it since though. It Essentially enshrined the Do Not Track header into law and also expanded the rules for privacy etc of sms to internet messeging services. I wonder how much of the information in this thread is about the original directive and how much is about the new one.

That's not quite right.

On the web, your approximate unique ID is your browser fingerprint. That can be used to join your activity to other activity. Your session cookie is your activity for your browsing session (or for users who never quit their browser, your entire computer uptime).

Think about it -- a cookie is information the web server gives to you; it's essentially a bookmark to your current position in the app. The server already knows where you were -- it saw you there!; it just doesn't know that you want to go back there on your next HTTP request.

Tracking data is data you give to the web server. Cookies are only one primitive to enable tracking. Cookies can be replicated by URL query parameters, subject to size constraints.


I'm not totally sure what you are arguing, but if you don't use the cookies for tracking, then you don't need to warn or inform the user. And if you use some other kind of tracking beside cookies, you still need to warn.

Yes, there is a lot of nonsense talked about this. The GDPR makes it clear that sites don’t have to ask for permisssion to place session cookies and other cookies that are essential to the functioning of the site.

Close to 100% of the cookies I see in the wild are not to provide state.

There’s only a handful that need them for logging in.

Most sites I visit I don’t want to interact with, I just want to read.


Tracking is state. It's just that the state is used for advertisers' benefit rather than yours.

Any site requiring a login will most likely use one.

Yes: One. Not 20-50, including cookies for ads, user tracking, and whatever else they're doing this week.

"Hmm, there are features that one literally can't provide without state (cookies)."

Silent cookies aren't completely banned by the GDPR/cookie laws, only cookies that aren't necessary to provide the service requested by the user. That's sort of vague, but I think mostly obvious what is intended there. It's pretty easy to operate within the spirit and letter of the law: Shopping baskets, load balancer cookies and login tokens are fine (provided you only use them for those purposes!), third party advertising tracking cookies are absolutely not (without consent). More info here: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

Lawyers have told me that you do not even need consent for Google Analytics, unless you enable the data collection for advertising features.

It appears to me that there's intentional bad faith misunderstanding from some, regarding both the cookie law and GDPR, in order to try and paint it as unworkable.


Meanwhile, even though the _only_ user-tracking we do where I work is Google Analytics (no advertising features) (and you say your lawyers say you don't need consent for that) -- the official word on high where I work is all our websites need the stupid "i consent to cookies" banner if we use cookies.

So, yeah, it's a mess. These "extra" warnings are contributing to user fatigue, I agree with troy hunt that users are just gonna ignore them all. I also understand why a small organization can say "Well, I don't really understand if we need it or not, the lowest risk thing to do is just to supply it." And there's no law _preventing_ you from supplying an unnecessary pointless cookie warning banner...


That’s more the fault of the higher ups for not understanding the law correctly, which really, is on them because the EU went to quite a bit of length to make the document readable and if execs/managers aren’t smart enough to know the difference between necessary and tracking cookies on their own site, then that’s really their own fault.

> the EU went to quite a bit of length to make the document readable

It's 88 pages of legalese consisting of 99 articles distributed over 13 chapters. It also has dozens of footnotes which incorporate thousands of pages of other laws by reference.

> and if execs/managers aren’t smart enough

Clearly I am too stupid to operate a business and have reading comprehension problems. Thanks for letting me know.


> Meanwhile, even though the _only_ user-tracking we do where I work is Google Analytics (no advertising features) (and you say your lawyers say you don't need consent for that) -- the official word on high where I work is all our websites need the stupid "i consent to cookies" banner if we use cookies.

Google analytics feeds tracking data to google for advertising purposes and tracks you across sites, it's exactly the sort of crap the cookie warning was meant to stop.

> These "extra" warnings are contributing to user fatigue

Your need for analytics is contributing to user fatigue.

> I agree with troy hunt that users are just gonna ignore them all

So do websites putting up these silly warnings, do you actually wait for people to accept before they get their tracking cookie?


> Google analytics feeds tracking data to google for advertising purposes and tracks you across sites

That is why GP said "(no advertising features)." That is the name of the feature in GA that does that, and it can be disabled.


However, google is still a third party and I would argue this is not legal, as is using google maps or other external entities known to employ excessive tracking unless you have special data protection contracts with said entity.

But I also understand the law, that anonymous user statistics are just fine and don't need consent as long as you retain the data yourself and of course mention it in your privacy policy. Though you might still be obligated to respect "do not track" and adding an opt-out setting.


> It appears to me that there's intentional bad faith misunderstanding from some, regarding both the cookie law and GDPR, in order to try and paint it as unworkable.

Very much this. None of the cookie warning dialogs (I've seen) mention this, and a lot of them use the dialog to complain about the law.

Something seems to have changed when GDPR came around though. The cookie warning dialogs before just had angry or condescending warnings with only a big "I accept" button, and otherwise too bad. But recently I've begun to see more and more warning dialogs that both have more honest wording about what they're about, as well as providing a "Decline" button.

IIRC there is something in the GDPR about explaining the privacy choices in clear language to the user, as well as having to provide an alternative if possible. If that's the case then it really does smell like intentional bad faith.

Although to be fair in addition to bad faith, I think it's also a lot of webdevelopers just not doing research what is exactly required and just parroting the scary story off each other.

But there's certainly a large part that just want to scare their users into accepting Google Analytics tracking. I'm curious about what those lawyers told you, though. Analytics data flowing through a third party widget that is doing the same on almost every site anywhere, sure feels like tracking to me. But maybe if you disable the data collection for advertising option, Google really won't cross-correlate that data for their own purposes. Even then, doesn't Analytics track the path users take on a single site too? For measuring "conversions" and such, as well as just detect whether people get "lost" on the site, or something.

Now certainly that's useful information, but it is tracking. Also you can get a lot of that information (and more) by just doing basic usability testing on real users. No tracking required and if you ask 10 people to try your site, you get 90% of the usability issues, with diminishing returns (based on some usability research I once read somewhere). But the information is much higher quality because you can ask them questions, ask them to perform tasks, actually look over their shoulder, etc. Tracking website users through analytics is just numbers and doesn't tell the whole story in very many cases, anyway.


> if you ask 10 people to try your site, you get 90% of the usability issues, with diminishing returns (based on some usability research I once read somewhere)

https://www.nngroup.com/articles/why-you-only-need-to-test-w...


I'd distinguish between first and third party cookies.

Is there any legitimate and reasonably necessary purpose for third party cookies? And similarly is there any undesirably exploitative use of first party cookies? As I am not a web developer, these are not rhetorical questions.


There are many legal reasons for processing personal data. Consent is one, and that's what all this is about.

"Legitimate reasons" is another. You can process personal data (use cookies) under that reason, and you don't need to ask for consent.


If only we had a browser API which would identify user preference on tracking!

Oh wait https://en.m.wikipedia.org/wiki/Do_Not_Track


Oh wait. It's now used for fingerprinting and tracking, and Safari is removing it: https://developer.apple.com/documentation/safari_release_not...

--- quote ---

Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable.

--- end quote ---


What features? Is local data storage a possible substitute?



Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: