
I'm not confident that this is a good thing after the mess that resulted in me having to navigate dozens of cookie popups on most days.

A fundamental problem with CCPA (and GDPR and other similar state legislation) is the definition of personal information.

For example, IP addresses are not really personal, but including them as such creates layers of ambiguity that undermine other positive aspects of the law. It's the typical outcome of politicians not really knowing the domain they're affecting.

Also what's especially interesting is that CCPA was effectively bankrolled by a single person, which should raise some alarms about political power used by the people.

Never understood the cookie popups mess. I remember back in the ages of Internet Explorer it showed a popup when a site tried to use cookies. Why do the sites need to implement the cookie popups rather than let the users configure it in their browsers?

It's a classic example of a legislative loophole. What the cookie law was actually trying to do was provide a way for users to opt out of cookie-based tracking. But someone figured out that if you just ask for permission to use cookies (for any reason) and refuse service if they opt out, you'd still be following the letter of the law (but not the intent).

Arguably, this is one of the reasons why the GDPR was necessary.

> if you just ask for permission to use cookies (for any reason) and refuse service if they opt out

Is that even true? If I never consent do I get no cookies left on my browser?

It (in theory) should be, but most often if you click "opt-out" they kick you off the site -- hence "refuse service". With GDPR (loosely) that is no longer allowed when it comes to the opt-in nature of data processing disclosures (if you opt-out, they can't refuse you service for not opting-in -- with certain limitations).

Most often there is no opt-out button. Just a big banner that you have to ignore, click accept, or block using uBlock Origin. Pretty sure that they use cookies regardless of your choice.

Interestingly, a strict reading of GDPR suggests that "consent gating" should not be permitted, but admittedly the wording is quite weak, and it isn't clear cut.

> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

This would suggest consent may not be freely given if it was obtained by conditionally providing a service based on consent being obtained for processing of extraneous data.

Recital 42 adds:

> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

I don't think many users have a genuine free choice on many websites, although admittedly it's now mostly the worst offenders to blame here - the average site probably does have an opt-out now that actually works (!)

Recital 32 also appears to deal with the annoying, interrupting, semi-modal nature of prompts we see on ad-laden sites:

> If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Because browsers make it an all or nothing setting (all, 1st party, none) and there are many more combinations. On top of that, the laws are there to prevent companies from tracking people at will, and the DNT header that was supposed to make that an easy browser setting completely failed.

> Because browsers make it an all or nothing setting (all, 1st party, none) and there are many more combinations.

Browsers can be changed, but instead of picking a reasonable, well-thought-through solution the governments crammed a quite horrible solution through. I honestly don't see how that protects the people who are most vulnerable nor anyone else really.

> Because browsers make it an all or nothing setting (all, 1st party, none)

At least for Firefox this is not the case. Anyway, extensions like uMatrix exist.

> the DNT header

The DNT header is yet another way for sites to track you. I am glad it failed.

> The DNT header is yet another way for sites to track you. I am glad it failed.

And clicking decline on cookie banners or your unique combination on the multiple choice cookie disclaimers won't allow sites to track you?

Certainly it will, but I said already that I am against cookie banners.

Keep in mind that cookie banners are an implementation choice of the website.

People don't understand or care about cookies maintaining state in browsers. It was complete folly for politicians to focus on them instead of actual personal data used.

GDPR rectified some of it but added much more granularity which is why cookie popups have now turned into giant selection windows.

This is not a good thing indeed, because it's terribly naive. Passing a law that more or less forbids huge companies the very same activity that gets them the bread and butter. What are they expecting to happen? That the companies will surrender their business, just like that?

Fundamentally, the solution to cookie warning spam is simple: Stop letting these companies disclaim their way out of unethical business practices. Start making those business practices illegal and shut down companies built around them.

Companies built on surveillance capitalism should be shut down. Full stop.

What business practices? Cookies aren't just used for ads. You could get rid of adtech and not have any change in cookie notices because of how the laws are written.

I think the GP is suggesting that the laws should be written differently.

How? Functional cookies don't need permissions.

Not all cookies are functional or ad related. Also the EU cookie directive requires you to inform users that cookies are being used regardless of the reason why.

I'm pretty sure most sites that asked me to allow cookies in the past week were not "companies built on surveillance capitalism". YouTube rarely asks me about this and to be quite frank I don't mind ads on YouTube nor that they are targeted ads - even if they are rather poorly targeted - I'm not sure why this should be illegal.

I think whatever problems the cookie laws that got us all the popups are trying to solve would be better solved in conjunction with some technical changes. Like I could say in my browser what sort of cookies I allow - or set up some rules. Sure sites can just break the law and disregard this - but they can do it now anyway by just saving cookies even if I click "don't allow" or "decline" on the dumb popups.

Yeah, that's basically how it should happen. In California, there's ample precedent for taking products off of the market when they're shown to harm consumers, and if that happens to kill off manufacturers who aren't diversified, then so be it. Are you really going to be sad if Facebook can't survive CCPA?

On the other hand, we also have things like Prop 65 warnings that have become so commonplace that they don't really impart useful information. Any useful signal is totally overwhelmed by noise. Putting the same warning on a restaurant that serves french fries and a pack of cigarettes diminishes the usefulness of the warning (unless parking garages, coffee, and fried food are actually significant carcinogens?)

CCPA isn't just about warnings, though. CCPA also affects the data-harvesting abilities of businesses, and requires that a business be prepared to explain which personal information is stored and for what purpose.

I suppose that, to draw a better analogy with Prop 65, the requirements of Prop 65 did supposedly cause some manufacturing materials, certain dyes, rubbers, foams, and plastics, to be drastically removed from the marketplace. The story of lead alone is worth considering; as usual, lead was in the pipes. [0] We are not expecting a wave of cookie warnings, and indeed CCPA's language doesn't allow for it. Some businesses will have to alter their practices; some products may have to be withdrawn from the market entirely. The worry that children might get used to clicking through EULAs and giving away their data has already been shown true by the previous generation of Internet users; at this point, we are merely trying to curb the damage continuing to be dealt and done.

And remember: For every ingredient that needs a warning label, that ingredient also can't be dumped into streams or rivers. It's not just about a prettier warning label on the product, but about real improvements to the manufacturing process.

[0] https://digitalcommons.law.ggu.edu/cgi/viewcontent.cgi?artic...

> Are you really going to be sad if Facebook can't survive CCPA?

Most people I know would be.

> Are you really going to be sad if Facebook can't survive CCPA?

My point is that there's no chance it will happen. Any fallout will be just a new burden to users.

Agreed — CCPA makes the same primary mistake as GDPR, which is that while the spirit of the law (protecting users’ privacy) is reasonable, the ultimate consequence just ends up being bombarding users with popups, a worse UX for basically everyone.

To me, this indicates that the drafters of the law probably didn’t really think it through.
