Hacker News new | past | comments | ask | show | jobs | submit login
Dear Email Industry, We’ve Got a GDPR Problem (jacquescorbytuech.com)
129 points by iamacyborg 26 days ago | hide | past | web | favorite | 212 comments

"This stressed out a lot of email marketers, who quite rightly realised that the new regulations would have a significant effect on their ability to acquire and market to customers via their email address"

"The overwhelming majority of commercial email sent today contains tracking pixels and tracking links, these are used to uniquely identify individuals so that opens and clicks can be correctly attributed to them"


While spammers may have a problem, people don't.

If I want your tracking pixels and emails then I'll opt in.

If they send you an email it means that they obviously have your email address, which I believe is considered personal data.

Now, what additional personal data are collected by tracking pixels?

> these are used to uniquely identify individuals

I would say that this isn't the case. It is to check that the email was read.

> Now, what additional personal data are collected by tracking pixels?

In theory, an IP can be captured, which is considered PII, but most mailbox providers use proxies so this isn't reliable.

You can tracking pixels to track per-user engagement. You can also use tracking links to connect the email address to website activity. As you say, it's possible to use these to track in the aggregate, but many platforms allow tracking by individual.

You are correct that the email was already personal data. But, GDPR requires that each new use of data be transparently communicated and legally justified (which may or may not mean consent), even if it's only using data you already have. The fact that they have already identified the user does not resolve the issue--GDPR still cares when you collect more data about a known user.

Meaning, even though you are justified using the email address to send the newsletter, you may not be in the clear building an engagement profile associated with that email. Which, apparently, some email marketers do.

Not some, all email marketers do.

There's nothing stopping them either, they're entitled to do so, given they obtain consent for that data processing.

Do they? Remember that under the GDPR, a five-page ToS with a "I consent" button at the end is not considered valid. In particular, the user must consent for each use of the PI separately. I don't remember ever seeing a specific consent box for building an engagement profile.

I meant that all marketers are collecting the data, and in the overwhelming number of cases they're doing so without consent.

I'm yet to see a single marketer only do tracking by opt-in, and I work in the industry.

The problem is that we're:

A) Collecting the data without consent

B) In most cases, unable to not collect the data because ESP's do it by default with no option to switch it off

I would argue that pixel trackers for the purpose of checking whether the email is read is covered by the consent to receive marketing by email in the same way as what emails were sent to whom and when will likely also be tracked.

Thats correct. But Tracking or Profiling is Opt-In too

> Now, what additional personal data are collected by tracking pixels?

If I read it, when I read it, where I read it from (location, device, etc)

None of these are personal data if not liked to the email address, which they do not have to.

If linked to email address and considered personal data then the argument is what is covered by consent to receive email marketing? IMHO tracking whether the email was opened is covered (in the same way as agreeing to receive phone marketing should imply they can track whether you answered the phone...). They will also obviously keep track of what emails they sent you and when.

> in the same way as agreeing to receive phone marketing should imply they can track whether you answered the phone.

But agreeing to receive a snail mail does not imply consent to track if it was read. I feel that email is closer to that.

It's impossible to track letter so the point is moot.

The point is that tracking emails, like tracking phone calls, is inherent to that communication medium and there is absolutely nothing wrong with it.

I agree, this is a good thing, the GDPR was design to stress those people and give the control back to the user.

What surprises me more is that tracking pixels even work anymore. What email clients don't bother to filter them out?

Gmail, among others. Gmail proxies remote content when the email is opened, so the IP address of the user is not disclosed, but the time and number of opens can be tracked.

Google could proxy and cache remote content in emails when they are accepted by Gmail servers, and that would render Gmail users untrackable by third-parties.

The decision to not cache was a compromise with email marketers after many years. Originally, gmail would not show embedded images by default at all: https://nakedsecurity.sophos.com/2013/12/16/gmail-takes-imag...

Do any email clients block tracking pixels? My understanding is that they block images by default but if you choose to view them you will load all the tracking pixels.

Article author here - Tracking pixels aren't blocked per se in most email clients but you're correct that they rely on images being loaded.

Thanks for answering, it's curious enough that I'm now looking into Thunderbird plugins to see if there's one to block (or try to) tracking pixels.

Thunderbird blocks images per default. I never bother to load them.

Just to be clear, it blocks remote images by default. Images embedded in a mail are displayed.

I guess I'm just not that familiar with HTML email anymore in general, and when I do read it I generally do not have images regardless.

I always assumed that disabling 1x1px images would be first on the list of mitigations against this technique. I was under the impression that email clients, in addition to an option to block images in general (usually on by default for an address or origin), generally prevented the loading of remote images. Embedding images directly into emails is fine, isn't it?

Depending on the platform used to send the email, it's trivial to change that pixel to any other image, ie a brand logo in the template.

On the whole, disabling images entirely is the only real defence against email tracking.

Or I guess the mail server could just always precache all images at the time of receipt. Then nothing new happens when the mail is read. I think somebody here is describing GMail's approach that way.

Then email servers would have to download billions of images of which 99% the corresponding email won't even be opened

gmail's cache hides a users location but you can still tell when they've opened an email, and you can still get a ton of information if they click a tracked link within the email as well.

You can't tell if an image is a 1x1 pixel until you load it from the server. At that point, the pixel has already done its job.

Most email clients these days don't block images by default unless it ends up in the spam mailbox.

They never embed images directly into emails either.

At least Thunderbird and Outlook on Mac block images by default and you can whitelist people from your address book.

The easiest way is to disable them by default which is why Thunderbird defaults to not loading from senders not yet whitelisted, which thankfully most HTML email has the text on the email, it's those darn emails that have all the text in an image that I get suspicious of and delete (usually spam / probably malware). It would be nice to see plugins to block them for sure. I use Thunderbird for work, keep forgetting to use it for regular email. At least even webmail email services block pictures by default now, probably to prevent browser exploitation, never know when someone finds some rogue PNG exploit.

Well recently they were used in an underhanded means by the DOJ against a Seal team member they were prosecuting, they did it to his lawyers


I am surprised that Apple's built-in email clients on both macOS and iOS load remote content by default. One of the first things I disable when I set up a new machine.

Do they? I've just loaded a gmail email on my phone, it says "This message contains unloaded emails", with an option to load them.

> While spammers may have a problem, people don't.

Marketing spammers maybe, but now scammers and malware spammers have the floor instead. Laws only stop the law abiding citizens from doing their thing, it sure doesn't stop the criminals from.... being criminals.

Sure… but that is always true when it comes to law. I just don't see how that makes the situation worse for the people?

I don't want to be tracked by marketing emails without consent (or, more realistically, ever, because please). If you want to do it anyway, from here on out you have to violate the law.

If you had no trouble with doing that before (being a filthy spammer/scammer), you still won't. If you do, then you will stop tracking me. Hooray.

Not having marketing spammers is still better than having spammers and scammers

There's usually an unsubscribe button for marketing spam, and if there isn't I usually block their email. You can't do that with scammers / illegal spam.

Fuck the unsubscribe button. I never subscribed in the first place.

It’s one disgusting thing when people hide signup behind email confirmation without clearly marked opt-in spam confirmation. It’s another when I get home from a professional event and I have a dozen new “subscriptions” and people “just reaching out” or “following up on our prior conversation” to a single-purpose email address I gave to one place and used a fake name and fake company name.

Email marketing can get fucked.

Marketers, spammers and scammers are the same thing - sources of unsolicited e-mail, engaging with whom is not good for you. Eliminating marketers from the trio means only that much less messages to worry about.

I guess I must not be important enough or something because I don't recall the last time I got any marketing emails without sharing my email with a marketing person. The only marketing outside of "Rewards" programs that I get is marketing from the one conference I go to every year, and I get plenty of free swag from them, then I unsubscribe.

Did you take a look at your Spam folder? On my primary address (one I used for almost two decades), 90% of my spam is unsolicited marketing communication. Quickly skimming it, roughly half of that 90% is from parties I may have interacted with in the past, the other half is from apparently legit companies that I haven't interacted with, that pulled my address from somewhere (possibly because I used it to register my business).

Outside of spam, I spent some time and unsubscribed from most of the pseudo-solicited communications I got (i.e. the kind of pre-GDPR bullshit where I register for some service and this automatically counts as consent to receive marketing communication). About solicited marketing messages I don't whine much (except that they exist), that's on me.

(I actually used this occasion to softly threaten one of the marketers from the top of my box with legal action, because they are clearly breaking Polish law - they tried the "this message is only request for consent to sent the actual message" trick, but executed it badly.)

Have you ever clicked one of those? I've never been sure if that wouldn't have worsened the situation by giving feedback that this is an active mail address managed by somebody.

If it's from a legitimate company in American jurisdiction they are legally obligated to stop sending emails if you click unsubscribe. I suppose that piece of information has some nonzero value that you are giving up in exchange to not be contacted by that company.

If you filter just a single address that address can change. If you filter their domain you might lose legitimate correspondence.

I’ve had several groupings of unsolicited marketing emails over the years where I’ve clicked Unsubscribe and ended up on what’s very clearly a Totally Not That Email List, Honest...but it’s advertising the same things, in the same way, just from a slightly different email and possibly different company name. They have all been American in origin.

You can complain under the CAN-SPAM Act.

It's so asymmetrical though. The amount of effort it takes to spam someone is vastly lower than a complaint.

What would be great is a third-party site where you can somehow document/log unsubscribe requests. Then, if the company still spams you, document that. A few hundred users is pretty good proof, and the company can't just argue a glitch. It'd pay for that.

Easy enough to fix: use a unique address for a company, unsubscribe, then take the related company to court later. Works even better in a GDPR location.

Right; with my unlimited resources, time, and understanding of the legal system.

I mean, I'd love to be able to, but do you think I'd even be able to determine what the company's actual address is?

I click it all the time when I feel I'm getting way too many emails. If I feel like it's not some malware spam at least but genuine marketing trying to sell me something. Every now and then I go back to all those "rewards programs" emails and unsubscribe to the least relevant ones to me.

It's not like legitimat-ish email marketing will suddenly switch to scammers or illegal spam, they would actually get in trouble for violations. Companies that don't rely on scams aren't desperate enough to risk getting fined for such a weak lead (I'd hope).

Not that I'll ever configure my email client to automatically download images, as far as I'm concerned downloaded images is just making your email address more valuable to the spammer by confirming you got it.

So GDPR would solve some of the problems? That sounds great to me. It can also cut some borderline grey data companies.

True, but the "law abiding" corporations are the problem for my privacy, not spammers.

You're right, but this law isn't targeted at scams and malware. It's meant to stop broader commercial tracking, and leaves us better off on that front, while criminals were going to do what they do anyway so we're no worse off there.

Actually it does, because if industry stops using tracking pixels, it demotivates email clients from having to support it, and makes it easier to block bad actors. Same with tracking on websites and browser support. Chrome would instantly put in a tracking blocker if Google couldn't do tracking any more. But so far Google's strategy is fighting and working around the law because they think they would lose a huge amount of revenue without tracking.

> it demotivates email clients from having to support it.

Hardly. It's just the abuse of being able to display images in HTML-formatted mail. You would have to remove every tag and attribute that is able to request an external URL from a mail HTML dialect to counteract tracking.

Laws don't stop criminals from being criminals (except when they do of course), but it isolates them so they can't easily blend into the crowd of non-abusive individuals.

Plus, if something is illegal there's less likely to be an industry driving down the price of that activity. If something is more expensive and less convenient, then people (including criminals) are less likely to do it.

Have the floor? How does this change the behaviour of scammers in the slightest?

> but now scammers and malware spammers have the floor instead.

That's a non-sequitur and complete nonsense unless you want to suggest that GDPR automatically turns marketers into criminals.

Also, just because it can't solve all of the problems at once doesn't mean it's a bad thing.

Since the headline misled me, this is about the email marketing industry and their use of tracking pixels, as opposed to issues with generic emails.

It is more than just tracking pixels - there is also things like personalized links that proxy the underlying link that are generated by the email provider to track clicks.

This isn't bound to email marketing, unless you put all commercial communication dealt via email as email marketing.

I think any email that uses tracking pixels could be classified as either spam or marketing, or possibly both.

If you use tracking pixels in your receipts, I think you're doing it wrong.

What about mandatory service announcements where you want to know if you reached clients before breaking them?

Have them click a link to acknowledge receipt.

A tracking pixel hit only means that that the email was received and loaded in some email client, not that it was read (in detail, or at all), understood, or acted on.

Moreover, a lack of tracking pixel hit doesn't mean the e-mail wasn't loaded, much less that it wasn't read, understood or acted on.

For important stuff like that, you want an active and affirmative response. You can't rely on an incidental reply.

Why would you want to rely on a thoroughly unreliable mechanism primarily used by marketers for a case where it's actually important for the user that you know you reached them? Maybe just ask them instead, record responses, and deal with people who don't respond (and with autoresponders).

I don't think anybody would call generic emails "the email industry"

It’s only people who are in the email marketing industry who think that they are the email industry.

The email industry would comprise a lot more than just marketing.

You have email providers. You have email clients. You have non commercial newsletters. You have evites. You have e-cards. You have emails related to ticketing and reservations.

The email industry is far larger than email marketing, despite what the email marketeers would like us to believe.

I don't think email marketers think they encompass the entirety of the email industry, I was writing that article from the perspective of being an email marketer proposing something to my peers, ie others in the industry.

The article title, "Dear Email Industry, We’ve Got a GDPR Problem", implies that.

Either you do think email marketing comprises the entire industry, or the article title (and HN submission) are (or give the impression of) clickbait.

At least it doesn't seem you are doing any direct tracking on the post though ...

(I used to work for an ISP with a pretty large email service, so it touches nerves that were exposed when our enemies, those companies who try and find ways to irritate our customers, think they are the only important parts of the actual email industry)

I think you might have a bit of a bias in this instance though, given your confessed work history.

This is something I wish ISP's took more care of, they could easily protect users by blocking image loading by default and warning users when links in emails are tracked, for example.

Browsing the web in Europe is like experiencing the rebirth of the pop-up ads era. It has lead to compulsory acceptance. This too shall pass.

There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.

> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services

Certainly not. If I didn't check a box saying "I want to receive commercial emails related to your products and services" I expect not to receive those. I might unsubscribe from the whole thing if I don't have any other means of avoiding those useless commercial emails.

I generally report such "you bought something and so we signed you up to the mailing list" activity as spam in Gmail, and if the unsubscribe button links me to a third party vendor, list "I never signed up for this list" as the reason.

This is how at least local businesses do here now, I don't have problem with marketing emails from them. You actually have to check the input, not accidentally forget.

The issue here is "relating to their products and services". Per GDPR, the consent can not be "bundled". When you signup for an account you consent to communications about your account only and things like product updates or tips for using product should be under their own explicit consent.

Most email marketing service providers don't even support multi-interest opt-out page, or charge a lot for configuring your unsubscribe page this way (like a multiple of list size for each option gasp), so this makes it impossible for email recipients to choose what emails types to opt-out of so marketers in turn don't bother to collect unbundled consent.

Comparison of some market leading ESPs (see multi interest opt out row): https://www.bigmailer.io/bulk-email-marketing-services/

>Browsing the web in Europe is like experiencing the rebirth of the pop-up ads era.

Very much so; the pop-ups interrupt and obstruct, breaking immersion. I sincerely hope a browser gets brave enough to start blocking those obstructions by default.

It irks me how every "Cookies" banner is an unpaid advertising billboard saying, "Your privacy is valuable to us. Yours faithful, EU".

>This too shall pass.

For now, uBlock Origin[1] + the ruleset from I Don't Care About Cookies[2].


[1] https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...

[2] https://www.i-dont-care-about-cookies.eu/

> the pop-ups interrupt and obstruct, breaking immersion.

Here is a trick for website owners: don't track your users. No need for any popup anymore.

This is incorrect, an EU website must provide notification of cookies if they use cookies at all, even for basic session tracking of authenticated users.

Incorrect. I guess this must be a lie pushed by bad actors who are inconvenienced by the regulation and want the public to perceive the regulation negatively.

You do not need consent for cookies that power basic website functionality or a feature the user is trying to use. So setting a cookie when someone logs in or adds an item to their shopping cart.

See for example this site, which is the privacy regulator in the UK:


Note that they provide notification of necessary cookies, and default opt-out of analytics cookies.

> You do not need consent for cookies that power basic website functionality or a feature the user is trying to use.

This is correct, you do not need consent for necessary cookies. You do, however, have to provide notification that necessary cookies are being set.

You do not actually need to provide notification for necessary cookies. See https://ico.org.uk/for-organisations/guide-to-pecr/guidance-... and the following few sections. Most clearly, this paragraph on the ICO’s recommendations (quite unreasonable, in my opinion—if all you’re storing is a necessary session cookie, notifying the user in a non-actionable way is just being foolishly annoying):

> Although the exemption applies to both the provision of information and the gaining of consent, it is good practice to continue to provide clear information about all cookies including those that are strictly necessary, and if personal data is involved then you will be required to do this under the fairness and transparency requirements of data protection law.

I was directed to that ICO cookie banner as an example of what I need to do, by an EU law firm who we're paying to guide our compliance activities.

I'm not a lawyer and I can't give you legal advice. I can just report that the legal advice that was given to me was that any cookie setting activity needs to be notified, even if consent is not required.

One potential discrepancy is that we are being prepared for the e-Privacy Regulation (which is not yet in effect), while it looks like the page you linked to covers the e-Privacy Directive.

It should be noted that's related to the cookie law (ie, the ePrivacy Directive), not the GDPR, and there is a proposed replacement (the ePrivacy Regulation), since basically everyone agrees the current situation is not good. Unfortunately it's taking longer than initially expected.

Immersion into what, the internet?

> It has lead to compulsory acceptance.

No. It leads to non-acceptance by default. If you are seeing forms where you are opted in to data capture by default that isn't a core part of the service, that's a breach.

Great, so how do we fix that and stop them doing it?

Wait for a small number of companies practicing the “by using this service you agree to” thing to be fined a large part of their turnover. After that companies will adapt.

Now we are in a sort of transition phase where laws are written but companies interpret them themselves (badly) and there are few guiding cases.

I look forward to the next phase when the notices will be gone or say “did you know you can enable tracking so we show more relevant ads that we get more money for showing?”. I’ll say no regardless of how much I enjoy that content.

My point was that the laws are in place now, but appear to be toothless. I received a marketing email disguised as an order update after an explicit opt out, and reported it to ICO in the UK. ICO told me I had to take it up with the provider, and if they didn't resolve it to get in touch. The provider said sorry and closed my ticket, and I contacted ICO again who just mothballed me.

Laws are only effectivr if they're enforced, and right now the tracking laws of the GDPR don't appear to be enforced, or have any sort of method for reporting, which is really really disappointing

> the laws are in place now, but appear to be toothless

Currently the country's regulators (such as ICO in the UK) are swamped with GDPR complaints and are prioritising the most egregious cases. I imagine cookies are a way down the list.

In terms of reporting, you tell the company itself first, if you don't get satisfaction you report to your own European country's regulator, or that where the company is based.

The agencies responsible are unable to deal with requests, so for all intends and purposes, the laws are toothless until they start cracking down on it, and there's nothing I can do/nobody I can tell about it.

We generally fine them big for breaking it, and may forbid them from doing business at all if they keep breaking it

Who is "we", how do "we" decide who is breaking the laws and how can _I_ tell themof a blatant disregard for the laws?

Every country implements their version of GDPR and it's sanctions. You can tell your authorities or dedicated organization about violations. Not all countries have yet implemented procedures for them however.

I've been very satisfied to the extent to which these popups allow you to not opt in to everything and still use the site. I think the previous popups have trained us to assume that the popups are meaningless and we just have to click yes on everything. This is not so!

As an european who rejects ad trackers on every website, I can confirm that a good 95% of them are correctly implemented and will let you keep browsing. Some of them (usually americans with a poor understanding of why they even implemented that) will kick you out or ask you again on every page load until you accept.

We need a standard for managing these controls on the browser side, which major browsers can then implement. It wouldn't surprise me if people were already working on something like that. If I reject ads from google doubleclick specifically, they should be pre-rejected for every subsequent website that asks the same question. Likewise for the various cookie purposes.

(I do understand the unfortunate potential for fingerprinting here...)

> As an european who rejects ad trackers on every website, I can confirm that a good 95% of them are correctly implemented and will let you keep browsing.

Really? Any chance you could share some examples, because my strong impression is that a clear 95% of those I see are not compliant.

How does that work anyway? If you decline to allow the site to store a cookie on your machine, how does the site know that you already rejected the popup to avoid showing it to you on your next action?

They store that information on a cookie! Some websites try to break their own permission manager on purpose (or at least I can only imagine it's on purpose) by burying the cookie that stores the permission manager's settings within the list of cookies you have to accept or reject, so if you "reject all" you will be asked again and again. Non malicious implementations either include the permission manager among the essential cookies or list it at the very top so you can choose to keep it.

If the permissions were managed by the browser then cookies could be managed directly on the client side without server side interference, and preferences could be communicated to the website via headers (like DNT but GDPR requires a lot more granularity, and is also legally enforceable in the EU).

There's a browser extension which clicks away the consent dialogues for you:


It lets you specify a global setting to what extent you want to be tracked, and communicates that to sites that support the extension's "standard".

But there is no reason for most websites to be compliant when they know that by default they will get what they want (blanket permission)...

> We need a standard for managing these controls on the browser side, which major browsers can then implement.

Like the "Do Not Track" header field?


Perhaps it will work if introduced as a GDPR header field.

That is a good point. If my browser is sending a do not track header, why is your server even asking me how much tracking I want?

Clearly they are asking because they hope that you click "Yes". Once you click "Yes" they give you a cookie and stop bugging you. It's a nasty trick of the tracking industry.

GDPR does not forbid websites to ask or even deteriorate your experience (afaik). Perhaps that should change.

GDPR does forbid providing a lesser experience for people who do not consent to tracking. (Obviously aside from the direct consequences of not having tracking, like getting different adverts.)

Then the question is: does (needlessly) asking for permission result in a lesser experience?

I like the way you're thinking there. But sadly I suspect not.

i don't think its a problem that people don't let you use the site if you don't opt-in. thats a design choice, not a fault or problem or bad implementation. just a show of that they would really really like to track you. if you don't want to be tracked, then it's a clear indicator to avoid such site in the future.

I wholeheartedly agree on your point though, that if i reject 'A' on one site, it could be assumed by the browser i'd like to reject 'A' on the next site. Perhaps the same kind of block could occur like they do with faulty ssl settings, just stating that you blocked 'A' on some site ,and this site is using the same, with a button to proceed if you accept that fact.

> i don't think its a problem that people don't let you use the site if you don't opt-in. thats a design choice

It's illegal. End of.

That's not how GDPR is designed. In Europe, the business model to 'sell' Web content for the permission to track has now become illegal. Web site owners will need to change their business model, or they will be fined.

Note that you can still 'sell' Web content for forcing your customers to see advertisments. You just aren't allowed anymore to track that on a person-by-person basis.

I find that some vendors will have a section for "information storage and access" and list both the cookie used to remember your gdpr setting and cookies from doubleclick in there.

Or the opt out page just leads to instructions to disable cookies in your browser.

Every single website seems to have a slightly different layout for the permission manager thing, even when the software for multiple websites is (in name) the same software developed by the same company. Why? Tricking the user into accepting something they wouldn't want to seems to be a major reason. It drives me nuts. If there was a single permission manager whose layout is controlled by the Firefox devs this wouldn't be a problem.

Both of those are illegal, and may get the site fined.

> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.

not true, i mark all those as spam, if there is a "newsletter checkbox" i check it out, but if they have hidden it somewhere i dont care, mark as spam and next.

Yes, I always hope that if enough people do this the company might get blacklisted by gmail and find it hard to get it reverted.

Same here, for the same reason.

Which is not a problem with the regulation in and of itself but instead just highlights how ubiqitous tracking has become.

That, and many implementations are deliberately inconvenient in the hope that you will eventually capitulate or accidentally opt-in, while trying to make it look like the legislation is the problem rather than their implementation.

I don’t really find that reasonable, the email is for identifying and securing my account, not marketing.

> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.

No. Most of the services out there require an email to sign up to the service itself. Using that email for anything beyond the core provision of the service I signed up for is a breach. If I bought a fucking pencil sharpener from your website, any communication beyond keeping me abreast of (and optionally checking if I was happy with) my order is abusive.

> Browsing the web in Europe is like experiencing the rebirth of the pop-up ads era.

And this by itself says a lot, but not what people usually think it says.

In fact, you don't need any kind of cookie popups _unless_ they're tracking cookies. Any reasonable use of cookies for site-specific reasons (authentication, session, csrf, load-balancing, settings) is already allowed with no need to opt-in[1].

The reason why cookie popups are so widespread is two-fold:

1. Because indeed most sites track you to death, and are unwilling to back off even if it costs them visits (many people just close the tab upon being presented with all but the least obnoxious popups). In this perspective, the GDPR is working as intended;

2. General ignorance about the cookie exceptions. You can hardly blame the regulators for that. In fact, AFAIK the GDPR clarified a few things that were ambiguous WRT cookies. That backfired horribly, but just beacause ignorance is rampant.

[1] https://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

So much this. Every time I see a popup with "We respect your privacy", I think "no you don't" and try to see if it is something I can block in privacy badger to remove the popup.

If the site respect users privacy it will not track the users and don't need the warning

More accurate - "We value your privacy".

In other words, your privacy has value to them, and they are eager to shaft you that privacy to extract the value.

They value your privacy the same way a mugger values your wallet. They'll often even offer you a degraded experience if you don't consent.

> It has lead to compulsory acceptance

I have a simple heuristic: if there is a big overlay preventing me from looking at the content, I just disable javascript altogether for the site. Most of the time this result in a clean experience with just the text I was interested in in the first place. If it breaks the article I close the tab.

> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and service

"Communications" as in "valuable information", like letting you know somebody logged into your account. That's fine and unaffected by the GDPR.

If by "communication" you mean unsolicited advertisements about the company you are describing illegal behavior that was already illegal before the GDPR. "I agree to be contacted for marketing purposes" checkboxes are ubiquitous precisely because without my opt-in they can't.

> It has lead to compulsory acceptance. This too shall pass.

Indeed, mandatory acceptance is not a meaningful choice and hence explicitly ruled out by the GDPR.

> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.

Sure, and all necessary use of information is just fine and unproblematic. Just the additional spying on top of that requires an additional, unforced opt-in.

> There is a reasonable expectation that when you submit your email to a company in exchange for their service

By banning consent bundling GDPR is designed to make this exchange of value illegal.

And no, it's not "reasonable" because it leads to situations where the only way to pay for a service is with your PII.

There is the Email Industry - that is the problem.

Just because you associate emails with spam doesn't solve the problem of every charity, business, church, school and group needing to communicate with large numbers of email subscribers. Like anything, bad actors make it worse.

Somehow all those groups managed to get by without email in the past. I'm sure they would be fine today as well.

Just because you don't want to hear from anyone via email doesn't mean I don't.

That's fair. I'm guessing those groups can all manage to communicate with you without spying on you.

They also got by without electricity or running water.

No "industry" is needed for pub/sub news. The GDPR only affects the companies abusing current system for unsoliticed advertising

> GDPR only affects the companies abusing current system for unsoliticed advertising

No. Have you looked at the thing? It affects every organization willing to do business or communicate with the EU.

The rules dictated in GDPR have been the best practices this far, now they're simply being enforced by law.

The only ones that are (negatively) affected are the companies that are not wanted by the EU in the first place.

> The only ones that are (negatively) affected are ...

Not true. GDPR imposes costs on every company. Specifically there are the legal compliance costs, software compliance costs, support costs, and that's if you're a "good guy."

I work in the "email industry" and what my company does has nothing to do with marketing.

Off-topic: I absolutely love the design choices made by the author of this site. It's the basic browser stylesheet with some nice refinements. A real triumph of minimalism and incredibly readable.


Font is too big.

Quite. It's like I've wondered into the Large Print section of the library. What's wrong with normal sized fonts, and letting the minority with impaired eyesight or curious hardware resize as desired? Or maybe browsers could expose some standard config info to sites saying "yeah, extra normal for me please"? I could use reader mode for everything, except it breaks some sites.

Their normal paragraph is 24px. Which is huge compared to the average content you find on web. The title is 48px. I find it more legible than the average web content, yet it's a little jarring. Some 22px/40px worked very well for me. Still a good example of minimal design.

Just make it smaller? Ctrl + mouse wheel down or minus in chrome.

Totally. Not sure though, why. 1.2em would have just been fine, but instead 24px (which is 1.5em) is too large.

Mostly just me being lazy and writing the stylesheet for my 1440p screen at home, I've done very little optimisation for other screens/devices.

I'm also on 1440p and seeing your website with that "huge" font made my instantly happy.

My Firefox is scaled up using layout.css.devPixelsPerPx with a value of 1.2 and even then I've to scale up most websites to at least 120% in order to see anything.

It's very pleasant on QHD. I agree that they probably should have a different sheet for lower resolutions.

In principle, using resolution-independent units like points should be fine; it's using px instead of pt that leads to problems.

(And the site is using px; it shouldn't.)

You are incorrect. All CSS units are defined in a resolution-dependent way. (I think there has only every been one exception to this, an experimental unit `mozmm`, now discontinued, that attempted to be resolution-independent, representing one physical millimetre.) On screen, the px unit is king, being defined however the device chooses to define it—most commonly one or two device pixels. All other units are defined in terms of it: 1in = 96px = 72pt, &c. On print, the ratios are the same, but physical length units actually have meaning now, corresponding to physical measurements—well, maybe they do; in practice browsers play fast and loose with it all, second-guessing the website’s stylesheets all over the place, which is normally a good thing for users because few websites take care for print stylesheets, but is utterly debilitating if you actually care and want precision.

Now the question of what the root font-size is (a unit I like to call “browser em” or “bem”—I’ve never heard anyone else give it a proper name)—that’s a much more interesting question. It’s almost always 16px (I have no stats ready to hand, but I’d suggest >99% of page views), but there are devices out there that have other values, mostly between 13px and 19px, and you can change the value in some browsers also. However, website layouts commonly break if the value is not 16px, if the font sizes are based in bems and media queries in px, or font sizes in px and media queries in bems, and the developers have assumed 16px (which is completely normal). The ideal situation is to use either px everywhere or bem everywhere.

In theory, using relative units everywhere is potentially nicer. In practice, you’re fine using pixel units everywhere.

But 24px is still way too big.

I'm sure you're right - I am only ever a front end CSS dev in an emergency, and then only for desktop. That said, when I see a relative discrepancy between sizes on different media, px vs pt is where I'd look. That is, two things that might e.g. look the same size on a desktop browser but look different sizes on mobile.

As a web developer in the past I found - though maybe that has changed in recent years, let me know if that is the case - there aren't any real resolution-independent units you can use to design an interface that is comfortable on every medium. You can peg your design to things like viewport width or font size, but you always end up having to make an arbitrary decision at some point, because there is no way for the web browser to know the physical dimensions of the screen the webpage is actually being displayed on. You have to make educated guesses based on the relationship between width and height, user agent and other headers, stuff like that, and create different stylesheets for each case. The style for the 1920x1080 screen (rotated horizontally) of the smallest smartphones can't have the same font size as the style of a 1920x1080 30 inch desktop monitor.

Hey man, I work in email dev, I'm at least a decade behind current web dev standards.

This is what kills me about web developers of 2017-2019 (maybe farther back to 2015 or 2016?). We had this awesome hype about supporting mobile resolutions with CSS years ago but now it seems like nobody accounts for the various screen form factors available when designing websites.

Like those sites with the overly huge logos that look ridiculous and annoying on 1080p but I'm sure on 2k and higher they look fine. I don't want to scroll down an entire page worth of scrolling to read your article, it should be immediately available.

Thankfully there's Firefox's Reader Mode.

Everything is mobile first these days

We had to write a line of business app used by office staff opening mail to feed high speed scanners to support mobile first with a responsive design.

What worries me more is that, it's not always mobile first either. Sometimes it's just 4K first.

I don't think I've encountered that yet, though I could see how someone living in a 4k would could overlooked us 1080plebs. It's like when the world switched from 640x480 to 800x600 and then to 1024x768.

I'm more curious though if what you're experiencing might also be sites designed for high res phones. Most phones these days are 1080p or better.

It's been over a year now and so many sites are not in compliance. I'm surprised the EU doesn't start collecting fines from companies like Yahoo and TechCrunch (and all oath sites). Just two that come to mind that are blatantly violating the gdpr with absolutely no way to not consent to their tracking. Mass email spammers are another issue. Why isn't the EU collecting this money from these large orgs that are clearly in violation? It could do a lot to help the people here.

I think the GDPR is a good opportunity to reflect how much tracking we really need.

Tracking has become so ubiquitous, it's become the default to put Google Analytics on a site, to put a tracking pixel into every email, to personalize every link we send out...

But so much of that tracking isn't really necessary. I've stopped tracking website visitors and stopped including tracking pixels in emails a few years ago, and nothing has really changed.

So, I guess I won't know if 10% open my marketing emails or 50%. But who cares? I wouldn't even know what to do with the information anyway. I'd rather focus on making my product better.

> So, I guess I won't know if 10% open my marketing emails or 50%.

You didn't know before either since many mail programs block tracking pixels. This was always garbage data to a large extent.

Gmail doesn’t (kind of), and that’s a big enough slice of email users these days...

Only for the US market, outside of that there are lots of mail providers which are instead used. GMail addresses are a scarcity in Europe.

Doesn't gmail load images when the email get to the server and not when the email is opened? (That is at least what some who know more about email than I do say) So the only thing tracking pixel really have shown is if the user uses gmail or not

Nope, the image loads when the email is opened by the unique recipient.

> But so much of that tracking isn't really necessary.

I've just launched my e-commerce platform and I see 34 unique visitors and no sales. Analytics is key to figure out if something is wrong and I'm not talking about the code.

> I'd rather focus on making my product better.

How do you make it better? Having numbers without analyzing user engagement is shooting in the dark with a shotgun.

> How do you make it better?

How about asking? What about some live chat to gather information?

We have found this to be highly valuable for our shop(s). It automatically pops up after 30 seconds on a product page, on other pages the badge is always present. Lot of good chats, lots of "I'm looking for XY"-feedback that helped us improve.

They are not substitutes. It's one thing what users say they do or want and another what they actually do.

Do you need to know that they were 34 unique visitors or would properly anonymised data be enough?

I suspect it would be. The GDPR doesn't say you can't have analytics, but it quite rightly tries to prevent the kind of tracking you're talking about without explicit consent from the user being tracked.

Yes, properly anonymised data would be enough. I'm not talking about anything intrusive. I don't care who they are, I care about how they use my product. That can be done in a GDPR complaint way.

That's a good point and not one that is expressed often enough. Usage data and user data aren't the same thing.

Just because you don’t know what to do with the information doesn’t mean we all don’t.

Analytics provide great insight and enable optimization that companies who are serious need to actively engage in to grow and succeed.

Dismissing analytics is like saying you don’t need a debugger. Just put log statements all over the place... (or, write classic ASP :))

> But so much of that tracking isn't really necessary.

The problem with Google Analytics and tracking is it's hard to tell what the motive is for putting it onto your site from the visitor's POV.

Not everyone who uses GA is using it for evil purposes.

They use it because GA makes it easy to gain useful business metrics, such as 100 people visited this page, 30 people filled out the account form, 5 people completed the checkout. Now you have a way to measure how good or bad your checkout flow is working and implementing this took almost no work at all. Rigging up your own DB model and tracking this stuff locally is a huge burden (especially if you account for bot traffic).

GA is also really useful to track referring URLs (with UTMs) because if you use these links from Youtube videos or blog posts, suddenly you can see exactly which posts are doing well. And "doing well" isn't just being more profitable if you're selling something. It helps you know what to write about or make videos on because this is what people want.

At the very least it's also good for just answering "am I growing?" where you look at unique visitors on a monthly basis and hope to see your chart moving up per month.

I just see it as a pragmatic tool to help you measure things. It's unfortunate it can also be used in other more malicious ways.

From the POV of someone who's both just a visitor on most sites and used GA himself: GA is often used for evil purposes, and as a tool it's optimized to enable and support evil purposes. Therefore, it's reasonable to assume, in absence of evidence to the contrary, that the site that loads it uses it for evil purposes.

Does it inconvenience honest people who'd like to use those tools for honest purposes? Sure. But think of it this way: it would be much more convenient for me if I could just give a merchant or service provider my on-line banking login and password, so they could take care of billing me directly. Would I ever do this if asked? No fucking way (even ignoring that my bank would consider it a TOS violation).

Problem is, there's no good way to signal honest intentions between parties that aren't already in a long-term relationship (and no, "we only use cookies to improve your experience" doesn't count; in fact, it's an anti-signal; thank marketers for that). So the only option for honest people is to not do the same things evil people would do.

>So, I guess I won't know if 10% open my marketing emails or 50%. But who cares? I wouldn't even know what to do with the information anyway.

So you were tracking people without even needing the information? Why?

>I'd rather focus on making my product better.

Yeah, analytics are useless for that. Use your gut! Everyone knows that's better than using data.

GDPR wants 0 tracking. That's wrong too, the internet can't work that way, even governments can't work that way. EU wants advertising to go back to the popup / animated gifs & flash / interstitial era to maximize clickthroughs in the off-chance one of them is actually interested in your ads. That's regression

GDPR wants 0 tracking without explicit, informed consent. That's the key thing in this regulation: informed consent. Dealing with people fairly.

> EU wants advertising to go back to the popup / animated gifs & flash / interstitial era to maximize clickthroughs in the off-chance one of them is actually interested in your ads.

Not true, unfortunately. EU wants the ads to not track people without their explicit, informed consent. GDPR isn't an anti-advertising law, it's a data protection law (says so literally in the name).

> That's regression

No. That's remission.

- users could always install an adblocker if they dont consent.

- users could consent once for each tracker if thats what the law cared for. Consenting for each tracker x for each website is purposeful obstruction in order to make advertising optional

> - users could always install an adblocker if they dont consent.

- To consent, one must be informed, so the sites would have to advertise adblockers, why they exist and how can they be used.

- Current adblockers rely on volunteers compiling lists of ads, and sites trying to evade those lists. That's not a reasonable way to ensure a legal right, so sites / networks would have to publish those lists themselves.

- The GDPR is about way more than website access tracking, so you'd still need all the same rules about the rest of the use of personal information. Seems like a duplication of effort and complexity.

> - users could consent once for each tracker if thats what the law cared for.

Just because I'm OK with a network knowing I visit nytimes.com doesn't mean I'm OK with them knowing (and using the information) that I visit pornhub.com. Consent per site is crucial.

> GDPR wants 0 tracking. That's wrong too, the internet can't work that way, even governments can't work that way.

How did it work like that all the time? It can work perfectly without all the tracking. Tracking is just so omni-present that some people can not imagine a world without it.

> EU wants advertising to go back to the popup / animated gifs & flash / interstitial era to maximize clickthroughs in the off-chance one of them is actually interested in your ads. That's regression

Actually that would be a great regression! I'd soooo love to have static images delivered to me again, instead of some JS bullshit which is tracking me all over the web.

Let's just kill all the ad networks over night. It will be a great time and we have a second chance to make the internet a great place.

> GDPR wants 0 tracking

That's wrong.

You're allowed to track users. You just need a legal basis to do so.

I thought GDPR required tracking to be opt in? I can't see how tracking pixels on emails comply at all.

While conducting a GDPR review I discovered that our email service provider (Campaign Monitor) was logging IP addresses of our list members associated with each email open. My jaw dropped when I noticed that they were doing geo-ip enrichment, so that I could drill into any subscriber, see a history of their opening of our newsletters, and a map of their approximate location. I could see if "Bruce" was in Melborne or Petaluma on April 23rd. That kind of data is straight up dangerous and would be very hard to justify on a Legitimate Interest Assessment. That said, I haven't found a way to disable or purge that data thus far, and have been having a hard time finding an ESP that doesn't log IPs for its open tracking. We legitimately need open tracking, but certainly not with non-hashed IPs exposed. Realistically, just overall open rate reporting would suffice for our use case, not tracking of individual list member's activity.

Personal opinion: Pictures and HTML have no place in email. Full stop.

True that the European user should be able to opt-out just from tracking. Our platform MailUp (ESP) is handling this in the preference center (that can be customized). Here is a sample: https://updates.mailup.com/frontend/preferencecenter/363734/...

By default the European user should be opted out of tracking

This and only this is a valid, legal solution according to the GDPR.

Especially all the "by continuing to use our site, you'll agree to getting the shit tracked out of you"-messages are highly illegal, because the GDPR requires explicit consent.

Sadly there have been no big legal cases up till now. But the time will come.


The last thing I need is another godforsaken preferences center inside a product I was forced to become a "user" of just because some asshole bought my email address.

> True that the European user should be able to opt-out just from tracking.

No, and if that's how it's implemented by you then you're breaking the rules here. It should be opt-in. And yes, I know that at that point you could probably just delete the tracking. If that breaks your business model, all I have to say to you is bye.

> This might be one of the very few instances in which I’d recommend SFMC

What is SFMC?

GPDR missed a massive opportunity to standardize encrypted email. Instead we're now stuck with crappy 3rd party "secure mail" systems.

I have a startup in Denmark, and the incubator we're part of applied for an EU funding scheme. The bureaucracy for these programs is out of control, and there are claims out there that 90% of state innovation funding is blown on administration.

Long story short, I had to fill out some timesheets, and because of GDPR print out the sheets filling in everything except the personally identifying information, and then fill the rest of them out with a PEN.

My friends in IM told me I was stupid for not "building an email list" for my high traffic website.

Still see no good reason to do it.

GDPR is europe's problem, not of the entire "email industry"

It is a problem when you are targeting users from Europe, which you are doing almost certainly.

We already have more than enough cookie popups and "heads up" emails whenever a company changes a comma in their ToS. GDPR is a bureaucratic madness and not something to be imitated.

Want to educate users about privacy? do it with extensive educational campaigns, not by ruining everyone's experience on the web

What really infuriates me is this: "We respect your privacy, click here".

But the general idea of GDPR is not only to educate. It also aims to give you tools at your disposal to control how and if your data is processed and stored. That is the most remarkable feat of GDPR. To complain that this is "bureaucratic madness" is not a problem with the regulation, it is a problem with your perception of personal data. If you didn't have tools before to enable users to control _their_ personal data, you are the problem and it is definitively good that you now have to invest into making sure you create those tools.

> do it with extensive educational campaigns

And the point of GDPR is to give users the information to let consumers make informed choices and to make companies abide by those choices.

There's no point in 'extensive education' if the consumer is still powerless to exercise that knowledge.

It's not GDPR's fault that websites have awful user experience. If they really cared about privacy then they wouldn't use popups that required multiple clicks to remove tracking cookies.

If you have to untick boxes they're not in compliance with GDPR. If the button to not have tracking is gray and "accept all" is green, you're not in compliance. Many websites deliberately try to make it harder to opt-out, which is directly against the GDPR.

GDPR wants to ensure that user privacy is protected. If you do that in your business, you don't need to show any cookie popups.

A honest cookie popup would ask "Do you want to be tracked for advertising purposes? yes/no", and any sane person would klick "no". No education needed at all, if the advertisement industry would play honest.

If the Web experience is ruined now, the Web advertisement industry needs to fix it.

Cookie popups are not caused by GDPR.

GDPR is Europe's (attempted) solution to a problem. It affects companies globally [1].

[1] https://www.americanbar.org/groups/international_law/publica...

So what, so do American tax-lawes (targetting Americans) and affect the rest of the world's citizens, FACTA.

I was arguing against two points made above:

1) "GDPR is europe's problem" --> I'm saying it's an attempted solution, not a problem

2) "not of the entire 'email industry'" --> the whole 'email industry' is in fact, affected. Where you operate from isn't a factor. Only if you don't email EU citizens (which is quite unlikely), you don't have to worry about it. If you do (which is very likely), you should know and implement GDPR rules.

I understand your FACTA analogy, but don't see how you disagree with me.

I misunderstood the fact that you don't see it a as a problem.

I don't think the GDPR solves much or anything, iff you want to play on the internet, almost [there are good exceptions, where you can just choose to have a 'lesser' experience] all of the time you'll have to click "I agree".

The GDPR is much more than an EU regulation that forces a cookie wall. In fact, there is no cookie wall obligation anywhere. The fact that companies are so uncreative and can only come up with these silly solutions shows how broken the internet is and how widespread tracking is.

GDPR does solve some problems, in my view. For example, it allows EU citizens to ask companies to disclose what they know about them and how it is being used. You can ask companies (and they must comply) to delete your records. Data must be pseudonymized / anonymized in many cases. Those are all real effects. It offers transparency and gives more control to individuals.

If you want to learn more about what the GDPR does do, what protection and control it brings EU citizens, I refer you to the wikipedia page which has all of that and more.


> I don't think the GDPR solves much or anything, iff you want to play on the internet, almost … all of the time you'll have to click "I agree".

That in itself is a GDPR violation. If you care enough, report it. That said, this is not what happens “almost all of the time” at all. In my experience most websites are completely or partially usable when you disagree with being tracked. At worst (and also in violation of GDPR), the tracking dialog makes it intentionally difficult to refuse being tracked.

The problem is that some places in the world don't have the GDPR, or something equivalent.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact