
It's a classic example of a legislative loophole. What the cookie law was actually trying to do was provide a way for users to opt out of cookie-based tracking. But, someone figured out that if you just ask for permission to use cookies (for any reason) and refuse service if they opt out, you'd still be following the letter of the law (but not the intent).

Arguably, this is one of the reasons why the GDPR was necessary.

> if you just ask for permission to use cookies (for any reason) and refuse service if they opt out

Is that even true? If I never consent do I get no cookies left on my browser?

It (in theory) should be, but most often if you click "opt-out" they kick you off the site -- hence "refuse service". With GDPR (loosely) that is no longer allowed when it comes to the opt-in nature of data processing disclosures (if you opt-out, they can't refuse you service for not opting-in -- with certain limitations).

Most often there is no opt-out button. Just a big banner that you have to ignore, click accept, or block using uBlock Origin. Pretty sure that they use cookies regardless of your choice.

Interestingly, a strict reading of GDPR suggests that "consent gating" should not be permitted, but admittedly the wording is quite weak, and it isn't clear cut.

> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

This would suggest consent may not be freely given if it was obtained by conditionally providing a service based on consent being obtained for processing of extraneous data.

Recital 42 adds:

> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

I don't think many users have a genuine free choice on many websites, although admittedly it's now mostly the worst offenders to blame here - the average site probably does have an opt-out now that actually works (!)

Recital 32 also appears to deal with the annoying, interrupting, semi modal nature of prompts we see on ad-laden sites:

> If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
