No cookie consent walls, scrolling isn’t consent, says EU data protection body (techcrunch.com)
1108 points by sohkamyung 11 months ago | 974 comments



Tangent: I wish the idiom of "placing" cookies would go away. Websites don't "place" cookies. Websites can include cookies in their HTTP responses. Your browser can include them in future requests. But it doesn't have to. There is nothing in the HTTP spec that says you have to accept cookies or include them in subsequent requests. There certainly isn't any reason to "place" them on your computer.

If more browsers were still User Agents in the literal sense, maybe we wouldn't have needed this legislation. Browsers could have informed people about what cookies were, and could have presented the user with the option to never accept tracking cookies from Big Advertising. Every browser has the option to reject third party cookies or to clear all cookies at the end of the browser session.

This mischaracterization of cookies has, ironically, made life a lot less pleasant for people who don't accept cookies. The "opt-out" is just another cookie. There's nothing special about them either, they can be used to track return visitors just as well as any other cookie. I'm sure they're not, because that would be against the spirit of the law ...

Not tracking people without consent is definitely a Good Thing, but it shouldn't require everyone and their grandmother to put annoying cookie banners on every website under the sun. And I think it wouldn't have, had people been better informed.
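
The mechanics described in the comment above, as an added example that is not part of the original comment: a toy user-agent cookie jar that decides for itself whether to store a `Set-Cookie` and whether to send it back. The `CookieJar` class, its policy names and the `.example` hosts are hypothetical, and the cookie handling is a simplification of RFC 6265 (host-only cookies, no Path/Domain/Secure matching, "same site" approximated by the last two host labels instead of the Public Suffix List).

```javascript
// Added example: a toy user-agent cookie jar (hypothetical names, constructed hosts).

// Parse one Set-Cookie header value into { name, value, attrs }, or null if malformed.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Assumption: "site" = last two host labels. Real browsers use the Public Suffix List.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class CookieJar {
  // policy: 'accept-all' | 'block-third-party' | 'block-all'
  constructor(policy) {
    this.policy = policy;
    this.store = new Map(); // host -> Map(name -> { value, session })
  }

  // True when the user's policy forbids cookies for this request in this page context.
  blocked(pageHost, requestHost) {
    if (this.policy === 'block-all') return true;
    const thirdParty = site(pageHost) !== site(requestHost);
    return thirdParty && this.policy === 'block-third-party';
  }

  // Called for each Set-Cookie header in a response. Returns true if the cookie was kept.
  onResponse(pageHost, requestHost, setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    if (!c || this.blocked(pageHost, requestHost)) return false;
    const host = requestHost.toLowerCase();
    if (!this.store.has(host)) this.store.set(host, new Map());
    // No Expires/Max-Age means a session cookie.
    const session = !('expires' in c.attrs) && !('max-age' in c.attrs);
    this.store.get(host).set(c.name, { value: c.value, session });
    return true;
  }

  // Build the Cookie request header, or null when nothing is sent.
  cookieHeader(pageHost, requestHost) {
    if (this.blocked(pageHost, requestHost)) return null;
    const cookies = this.store.get(requestHost.toLowerCase());
    if (!cookies || cookies.size === 0) return null;
    return [...cookies].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }

  // End of the browser session: drop session cookies, or everything if clearAll is set.
  endSession(clearAll = false) {
    for (const [host, cookies] of this.store) {
      for (const [name, c] of cookies) {
        if (clearAll || c.session) cookies.delete(name);
      }
      if (cookies.size === 0) this.store.delete(host);
    }
  }
}

// Constructed traffic: one news site embedding a third-party ad host.
function demo() {
  const jar = new CookieJar('block-third-party');
  const out = {};
  out.storedSession = jar.onResponse('news.example', 'news.example', 'sid=abc123; Path=/; HttpOnly');
  out.storedPrefs = jar.onResponse('news.example', 'news.example', 'theme=dark; Max-Age=31536000');
  out.storedTracker = jar.onResponse('news.example', 'ads.tracker.example', 'uid=42; Max-Age=31536000');
  out.firstPartyHeader = jar.cookieHeader('news.example', 'news.example');
  jar.endSession(); // session cookie goes, persistent preference stays
  out.afterSessionEnd = jar.cookieHeader('news.example', 'news.example');
  jar.endSession(true); // "clear all cookies at the end of the browser session"
  out.afterClearAll = jar.cookieHeader('news.example', 'news.example');

  // With 'accept-all', the same uid is sent from unrelated pages: cross-site tracking.
  const open = new CookieJar('accept-all');
  open.onResponse('news.example', 'ads.tracker.example', 'uid=42; Max-Age=31536000');
  out.trackedAcrossSites = open.cookieHeader('shop.example', 'ads.tracker.example');
  return out;
}

console.log(demo());
```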


Cookie banners have taken the internet back 20 years. Now every website has a mandatory popup. And you can’t block this new breed because they're part of the site.


> ”Cookie banners have taken the internet back 20 years.”

I agree. The EU cookie laws were well-meaning, but have had the unintended consequence of making the web more annoying, more difficult to use, and more fragmented.

The solution? Cookie consent should be a built-in feature of browsers and http, not something that is reimplemented in a slightly different way by every single website.

Your browser should pop up a standardised cookie consent request when you browse a new site, and enforce your selection as part of its security policy. If you choose to block all cookies (ie: private browsing mode) then the cookie consent request wouldn’t need to appear at all.


Yes, the browser is where cookie management should happen. We have called the browser the user agent for many years; it is the piece of software which is meant to represent the user's best interests when surfing the web.

Unfortunately these days the browser would be better referred to as "the advertiser's agent," or perhaps just Google's agent. Owing to Google's control over both web standards and the advertising market, cookie management features have received little attention.

Google's monopoly power has prevented a competitive market of privacy-focused, user-first browsers from flourishing.

It's also probably unlawful. The irony is that not too many years ago we punished Microsoft for unlawfully leveraging its monopoly to control the browser, and when we stopped them we paved the way for Google to do the same thing!


> when we stopped [MS] we paved the way for Google to do the same thing!

Well, from an antitrust perspective, having TWO giants in the space is better than having only ONE giant.

Ideally we'd now apply to Google the same pressure and further split the field. Alas, politics are complicated.


A duopoly is hardly better than a monopoly. In fact I argue it is worse, because it gives the illusion of choice, yet there is no real choice.


Lynx still asks for each cookie iirc


I love Lynx, but unfortunately most websites don't work in Lynx these days.


Browsers used to have this, sort of: https://i.imgur.com/AAm3AJs.jpg


Now I'm wondering why you were running this in 2019. I watch a lot of nostalgia game reviews on Youtube and get the serious urge to build a '90s era computer from time to time.


Same here. Running some ancient OS/software in a VM can be pretty satisfying though, especially since I don't have a whole lot of space for physical hardware.

Many games wouldn't work well in a VM, of course, there's no getting around that.


Browsers never displayed such a pop-up for cookies by default. You had to tweak settings, just as you do today (in today’s world it might require a browser extension, I don’t know).


I don’t think this is true. I recall this being taken on the default settings for that web browser. Web browsers like IE in that era showed scary pop-ups for all sorts of things - like there would be a pop-up for when you connected to a site over https!


If this were Reddit, I would comment that: IE.. it only took it nearly two months to display that message /s :)


> I agree. The EU cookie laws were well-meaning, but have had the unintended consequence of making the web more annoying, more difficult to use, and more fragmented.

Only if you ignore the giant market of adtech tracking bullshit that has been ruining the web since about 2000.

Every website that shows you a "cookie" banner (aka we-track-the-fuck-out-of-you banner), is part of this problem. The law is just bringing it to light. Don't be annoyed by the law, be annoyed by the websites, they are choosing to be annoying.

Look at those websites, they are the problem, not the law telling them they can't do it secretly behind your back any more.

The biggest problem was that this law didn't tell them to be fucking honest in the banners. "This website needs cookies to function" (when it's only about their mishandling of data to 3rd parties) is a straight up lie by omission. If they had to honestly tell in the banners what they were up to "we track your every breath on this site and then sell it to third parties, who sell it to other parties, and god knows what", people would be looking at these sites differently.

"We're forced by law to inform you that we crap on your privacy and are actively ruining the web by delivering the fundamental data that runs the adtech industry"


Completely agree that prompting permission should be the norm. Sadly, if Firefox did this, people would just move off Firefox, since "it's broken".

And obviously Chrome would never do this kind of thing, since it hurts Google.


At the risk of being hyperbolic, isn't this a similar argument as saying that we shouldn't make burglary illegal and should instead build better doors?


No, it's more about having standard laws about burglary in every town so you don't have to re-read them every time you get in the car.


There already is a DNT (Do not track) HTTP Header, but advertisers ignore it.


So we really missed P3P Policy implemented on IE7.


> I agree. The EU cookie laws were well-meaning, but have had the unintended consequence of making the web more annoying, more difficult to use, and more fragmented.

TBH, I wouldn't blame GDPR for this. Here's a good analogy of what tracking companies are doing:

    - Companies dump used batteries into the sea.
    - Dumping batteries into the sea is banned.
    - Companies start dumping batteries into lakes.

They basically shit on the law, and just thought of another way to keep disrespecting consumers' privacy.


If only the regulators had been happy with (or even aware of?) the existing capabilities of browsers to manage cookie consent, like "Block 3rd party cookies" and "block all cookies" that have been around since the late 90's, we wouldn't even have needed to add anything new to websites or browsers!


The legislators haven't legislated for a particular mechanism, they've just said that any tracking has to be opt in, as opposed to opt out. Do Not Track was a technical solution for this, but when IE made do not track the default, and tracking something you had to opt in to, they panicked and stopped supporting the headers, instead preferring the cookie walls rather than trusting the browser settings. If websites respected UA settings, and the UA implemented DNT in a way that's compatible with the law (so, DNT: 0 only when you opt in), then we wouldn't be here.


Not sure what DNT has to do with it. Do Not Track was circa 2009, we were already "here" at that point. The cookie law was like 2002.


EU legislators avoid legislating particular technical solutions, since those tend to not age well (see the uproar on HN when it was reported that the EU legislated to mandate USB-C, when they didn't actually do that, they just mandated that the industry agree on a standard)


Czech Republic (EU member) data protection regulator is aware and ruled that if user has cookies enabled in his browser, that's enough and user gave cookie consent. If user doesn't want to have cookies stored, he can block them in the browser.


A simple off/on switch does not provide a sufficient level of control over cookie policy. It's reasonable to want to allow first-party cookies on certain sites, especially where they're needed for site functionality. But block third-party tracking cookies, or even block all cookies on others.

Cookie control/policy in browsers needs to become more sophisticated than what we have today.


They are not mandatory, it's a choice by the site owner to include them. They are only mandatory if you include tracking features that track users across the web (= ads and Google analytics).


One can include ads and analytics without consent being granted - they're "just" restricted to a method of delivering ads and performing analytics which don't track the user.

IANAL, mind you - but that's how we implemented it - you're opting-in to the ads that target you and analytics which track you, or you get the non-tracking/non-targeting ads and analytics.


What are some good non-tracking & non-intrusive ad providers? I've wondered about one day being able to put a few "ethical" ads on a blog site.


You don't need to look far. You can simply tell Adsense[1] to serve up non-personalised ads:

    (adsbygoogle=window.adsbygoogle || []).requestNonPersonalizedAds = true;

If you do this you don't even need to check for consent since you're not tracking the user or storing any PII. In my case this is what I call if the user doesn't accept advertising cookies, but there's no reason you can't disable them completely on your site if that's what you'd like.

You also have pretty tight control over the categories of ad that Adsense can display, and you can even go as far as to review individual adverts. I've booted a couple of ads that I found to be unethical/distasteful from my site using the review feature in Adsense.

The only issue with Adsense is that there are a gazillion ads it might show on your site, so I'd recommend filtering out any categories you don't much like first, and then reviewing ads sorted by popularity/impressions in descending order, otherwise you'll quickly go mad.

[1] Obviously not an option if you absolutely don't want to do business with Google.


> If you do this you don't even need to check for consent since you're not tracking the user or storing any PII.

Google seems to disagree [1]: Non-personalized ads are targeted using contextual information rather than the past behavior of a user. Although these ads don’t use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the EU ePrivacy Directive’s cookie provisions apply.

What's not clear from Google's documentation, but what I assume, is that they also do not use the info about the context & visitor to serve them personalized ads on other websites.

[1] https://support.google.com/adsense/answer/7670013


Hmm, that's interesting because that would suggest that if somebody declines advertising cookies then you can't serve them ads via Adsense at all... which would be an odd decision by Google.


That's not the issue. The issue is that if the user has and sends Google cookies AdSense will use them. (And many people have third party cookies on, and AdSense might be using some tricky bypass there too.) Getting sneaky about tracking is their business model. And then cookie law is in full force.


Sure but it sounds like the only way to guarantee those cookies aren't sent by Adsense is simply not to use it in the event that consent is declined. Or am I missing something?


That's my understanding. You can't use most Google services without prior consent. Adsense, Youtube (even youtube-nocookie, which just uses localstorage for tracking), maps etc. Google is not in the business of not tracking users.


But this is what I find strange. It seems unlikely that Google would simply opt out of serving people who refuse to accept advertising or tracking cookies.

Granted, from measurements on my own site that's only 1 - 1.5% of people, but Google's ad revenue for 2019 was $134.81 billion, meaning that they'd potentially be leaving $1.3 - $2 billion on the table by not serving ads to these people. Maybe it would be half that or less because the ads aren't personalised, so they're a bit more hit and miss and therefore probably wouldn't attract the same level of bids from advertisers.

But still, they'd be leaving a lot more money on the table than it would cost to fix the problem (an order of magnitude? two orders of magnitude?). Whilst they might choose to leave it due to opportunity cost, it doesn't seem that likely to me. Here's an example: I once worked at a company whose revenue sat in the £250-300 million range, and they absolutely considered it worth supporting 1% of their userbase for the extra £2 - 3 million it brought in (this is back in the day when IE7 and 8 were still a thing), because it probably only cost them high 5 to low-ish 6 figures per year in PITA workarounds to do that[1].

So, as I say, it seems odd to me that Google don't have a solution for serving cookie-free ads that require no consent.

Going back to skrtskrt's original question, "What are some good non-tracking & non-intrusive ad providers?"

[1] Obviously all us devs hated this, but it was tough to argue against from a rational standpoint.


I don't know whether they really could. It's not just an issue of matching ads, it's also an issue of having relevant ads.

I use adblock by default, so I have no ad-profile at Adsense that they'd use to show me "relevant ads". When I occasionally have to debug some issue with ads somewhere, I'm essentially getting the context-sensitive, not-personalized ads, and they're terrible. At least to me they look as if they were using very simple keyword-matches with little regard to context and primary language. It may be that they don't care to invest more, but it may also be that they don't have enough ad buyers that care for unpersonalized ads so they simply don't have a large pool they can choose from.

I'm also not sure that "cookie-free" would be enough, really. If you're loading ads directly from Google, the user makes the request and can therefore be tracked by Google. Even with Google Analytics and anonymizeIp, at least in the medical sector in Germany, GA is considered opt-in only. In that sense, I'm not sure a central service that delivers ads for you can work without requiring consent.

What very much should work would be a server-side system that's sale/lead-based, where the service would crawl your site, manage your affiliate programs and create ads for you that you'd then insert into your site. That way, no third party learns anything about the individual user and you don't require consent.


Well, sure - you can still send some signals to see ads that are relevant to the _content_ as opposed to the _viewer_.

Example: you're seeing an article about devops and you get an ad about AWS instead of an ad that has followed you around from another website you visited previously.

The cookie used for frequency capping is considered to be a "technical cookie" and has no bearing on privacy, best I can tell.

The other types of cookies can be pretty much disabled at the point of calling the google tag, or enabled (along with more tracking/targeting ads) if the user consented to that.


> The cookie used for frequency capping is considered to be a "technical cookie" and has no bearing on privacy, best I can tell.

But the comment you're responding to says it right there: Even google is telling you it requires consent. It's a cookie, so it requires consent, period. Don't fool yourself.

Could google serve ads without cookies, and do fraud detection by other means? Yes, perhaps lowering payout due to increased risk. But it is much better to pretend that a cookie-banner is needed, so that you might as well enable ad-tracking cookies.


Since it's a technical cookie that's required for ads/marketing, it very much falls under marketing, I believe. Imho "technical cookies" are e.g. Cloudflare's __cfduid or your framework setting a session cookie because it wants to be stateful.


> > What are some good non-tracking & non-intrusive ad providers?

> You don't need to look far. You can simply tell Adsense[1] to serve up non-personalised ads

This discussion describes exactly the problem. How long has this tracking consent law been there now??

And it's just an option in Adsense?!!!

So whenever I see a cookie banner, you can assume they are simply too greedy to flip the switch.

Clearly the adtech and adtech-supporting industry hasn't even slightly bothered to look for alternatives, instead opting to annoy the public with banners. It's pure propaganda in the hope that the annoyance will turn into defeat, and somehow they manage to turn people's disgust towards the EU law instead of them, simply continuing to do their useless crap business and pretending the EU got their hands tied ... when there's a literal boolean switch to tell their shit to behave.


Affiliate marketing is the best way to go. You have full control on how you advertise products.

For my website [1], I have built close relationships with local experts. They provide services my readers need, and I know they can be trusted. I get a commission from resulting sales. I like that model because advertisers have zero access to or control over the readers' data. Unfortunately, it's simply not applicable to all websites.

- [1] https://allaboutberlin.com/


I wouldn't say "ethical", but even Google's pubads can do non-tracking.

For pubads, look into "setCookieOptions(1)" and "setRequestNonPersonalizedAds(1)" for a good start on the matter.

It _can_ be done.


> across the web

That part is not necessary. They are mandatory if you collect any form of personal data without legitimate interest.


Which means any website that does anything useful. That doesn't mean ads, but Google Analytics (or another comparable service) is just about everywhere these days.


The only reason you need consent is when you're tracking people or storing data that isn't required for the functionality of the site.

Shopping carts, subscription services etc. will still work, you don't need to consent to that, as long as you're not tracking people or handling their data unnecessarily.

When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.


> When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.

Or the owner of the website has failed to understand the nature of the law. Given the amount of confusion in this comment section this also seems likely.

The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting maliciously.


As with most law, you're not excused from following it if you fail to understand it.

If the admin of a site thinks they need a cookie banner when they don't, it's really because they haven't really bothered to give much thought to reducing the amount of data collection they do on their users.

But I bet it's not really that common, website admins who think they need a cookie banner when they really do not. What is WAY more common: the website admins that do need a cookie banner, but ONLY because they use Google Analytics, and don't realise this is a choice they get to make.

Or people (right here in this thread) saying "I can't make a useful website otherwise" -- it's not that the law is hard to understand, it's not. It's that they refuse to give the problem any thought. The ones "failing to understand the nature of the law", actually just don't give a crap. It's like a butcher complaining "Why do I have to label my meat with 'made from tortured animals', I have to kill them right? I can't possibly produce any meat without using this rusty spoon that I've used for decades".

> The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting maliciously.

You can easily not act maliciously, and still be a crucial part of the problem. That's also what laws are for, even if you cross them non-maliciously, you get punished. That's because people "not understanding the nature of the law", when it directly applies to their business, is undesirable, and really a responsibility they should carry.


> Or the owner of the website has failed to understand the nature of the law.

Oh, sure, but if they don't understand it then they probably shouldn't be gathering people's data either.

GDPR is pretty complex, but website operators have proved for years and years that they can't be trusted to do the right thing themselves, so here we are.


I'm still waiting to see the harm this tracking is causing that is requiring the GDPR and its giant cost to society.


Giant cost to society?


An exaggeration, but in aggregate, the time wasted on this by users having to close yet another pop-up (and being more reluctant to browse new websites), and providers implementing the functionality on their websites is not negligible.


I hate the consent popups, but they signal something different to me than I think perhaps they do to you or the parent commenter.

Bear in mind:

- Extra data collection or processing must be opt in.

- Not opting in must be as easy as opting in.

- The content must be available if the user chooses not to opt in.

Then:

For instance, you go to a site, tumblr.com for example. Why is not important. You get a consent popup. Opting in to extra data collection is easy but you don't want to. Navigating this consent popup is almost impossible. Within a few clicks you are lost, you find a list of several hundred "partners" tumblr wants to share your data with. All are checked and need to be individually unchecked. You still can't work out how to opt out.

To me it's like someone's trying to scam you out of your data. They are so desperate to get your information that they are jumping through all sorts of hoops to try to trick you into giving it.

Do I really want to give my data to an entity that is acting so creepily? Nope. I close the window.


"Providers" that have previously wasted time on making sure all the data collection, tracking and adtech on their site worked perfectly.

That time "wasted" now, is time spent to fix their mistake.

The mistake of thinking they could collect data on me and sell it to third parties in perpetuity.


Both these time wasters are on website providers. If they stuck to collecting only what they need to provide the service, they wouldn't need to ask for consent. Alas, they're greedy, but then they don't get to complain.


How much time and effort have gone into compliance, it's insane. That's measurable. The real cost is the delay to new projects, uncertainty, increased costs - it's what we won't have...


But the flip side is we get back control of our data. Having to treat users' data and privacy with respect seems like a completely reasonable thing to ask, and if it takes you longer to create something because you're now having to do that, then that's good, right?

It being inconvenient to you to treat people's data and privacy with respect seems like something it's hard to feel sorry for.


It's not about treating it correctly, it's about worrying about vagaries in the law and complying with them.

Of course information should be protected, but there are all sorts of compliance procedures and processes that significantly increase complexity and cost.


Asking for consent doesn't significantly increase complexity and cost. The required level of audits to support a world without asking for consent - now that would increase complexity and cost.

And no, not asking for consent and collecting data without supervision is not an option, neither legally nor ethically.


There is a lot more to GDPR than the consent popup.


GDPR isn't about the popup, but is about consent, and having to get it to be allowed to process personal data.


The cost of compliance is directly proportional to the amount of personal data you're processing.

GDPR compliance is usually expensive because people ignore Art. 5.1.(c):

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

If you choose to collect personal data, you're responsible for handling it with due care. If you don't want that responsibility, don't collect the data. If your business model is predicated on doing shady things with personal data, find a different business model.


I know some people in adtech, and the time they spend on "compliance" isn't really a very big chunk of the total time spent on why they need compliance in the first place.

But I'm eagerly awaiting your measurements ...

Truly. Even if it shows the really big numbers you seem to imply. Because that shows something about their choice. How much trouble they're willing to go through to track you regardless.


Tracking has a giant cost to society, the sole reason it exists is so we can be manipulated by advertisers into spending more than we otherwise would have.


GDPR isn't very hard to understand, it's just that website owners want to have their cake and eat it too. Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting, and all this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".


> GDPR isn't very hard to understand

It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.

> Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting...

Totally agree, and this shouldn't be done.

> ...this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".

This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?


> it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints

The only different "constraints" relevant here would be "we get to play fast and loose with the data we collect or allow to be collected about users, without repercussions".

If that wasn't the "constraints" they were operating under, they have no problem now either.

> Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

This is indeed where we disagree, except the law also disagrees with you:

It's. Not. About. Cookies.

It's simply about collecting and storing more data on your users than you strictly need to run your business.

There's really nothing technological about it, if you did it with pen and paper, you'd be subject to the same GDPR. Talking about HTTP response headers or "waging a war against cookies" is just misleading.


> It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.

As a developer, I agree. As an end user, I am OK with this.

If organisations have to think hard about what data they collect, because it means they have to think hard about how to safely store and destroy it, then that's a good thing.

It has been easy to collect, store and disseminate user data without thought for a long time, and website operators have proved they can't (in general) act responsibly.

> This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive

My honest opinion about most of the consent popups I see is that they are at best trying to weasel out of having to comply with the regulations, or at worst applying dark patterns to trick the user into "consenting".

I am sure there are some honest people with consent popups out there, but I'm not generally generous enough to attribute anything other than malice or incompetence.

> this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution.

For sure, but it works both ways. There is a (potential) financial penalty for not taking care of user data, but at the same time, there's a pretty large cost to a user if their data is spaffed all over databases on the Internet when they didn't want that.

Also, I'm pretty sure if you are actually trying to be GDPR compliant then your first interaction with the information commissioners office will be them trying to help you comply, and you do always have the option of just deleting the data if you can't treat it safely.

> Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was specifically discussed, and not allowed, but I could be wrong.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

It would be a mistake to think that Cookies are the focus of the GDPR. See https://gdpr.eu/cookies/:

"However, throughout its’ 88 pages, it only mentions cookies directly once, in Recital 30."

The GDPR is about user privacy, cookies are one of the primary tools for violating it, and the most prominent artefact seen on the web, so it's the focus of a lot of discussion, but the main thrust of the regulations isn't around cookies themselves.

It is significantly unlikely that there will be opt in banners for JS, HTTP, TCP, phone calls, cameras at the beach, or just looking at people with your eyes any time soon.


> I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was specifically discussed, and not allowed, but I could be wrong.

Consent must be informed and specific, so simply asking users to set their browser to accept or reject all cookies (regardless of purpose) is not compliant.

On the other hand, if browsers get their act together and standardize a consent API with the necessary features, then browser-based consent management would surely be compliant. GDPR and ePrivacy don't address this explicitly, though GDPR Recital 32 considers consent by “choosing technical settings for information society services”.

Centralising consent in browsers is a key consideration in the proposal for an updated ePrivacy Regulation, but the EU is not going to mandate specific technologies. Everyone is well aware of the mess that is the Do-Not-Track header.


These are good points. It definitely cuts both ways.

I'm not against GDPR, and I'm glad these issues are getting attention. I just want to make sure we recognize there is a lot of nuance here, and there are real costs and second- and third-order consequences to consider.


> The only reason you need consent is when you're tracking people or storing data that isn't required for the functionality of the site.

You forgot one more... you're a citizen of an EU member state. I live in a sovereign nation and EU law doesn't apply to me.

It's been quite funny seeing Americans fall over themselves to comply with GDPR requirements. It won't be funny when they also fall in line behind Chinese law.


> Which means any website that does anything useful.

That's a ridiculous over-generalization. My bank's website doesn't have ads on it; is that not useful? Wikipedia doesn't either, can you earnestly say you've never found wikipedia useful?

There is much more to the web than shitty ad-riddled websites.


It doesn't have to be a modal popup either. If your default is truly "off" then you could have a banner on top or bottom or somewhere saying something like "please help us make the site better..." or whatever.


but that isn't intrinsic to useful services. it is possible to run a profitable bookstore or organise an event without tracking individual users.


Google Analytics doesn't do anything useful for the visitor of the website, only for the lazy administrator of the site. But the latter isn't the one giving up consent, are they?

Also it's kind of sad if you believe you can't make a useful website without having to hand over private user tracking data to Google. In fact you are using a website just like that, right now.


Google Analytics being everywhere is at least an order of magnitude worse than the embedded like button spying.


I disagree. Facebook has much more power over advertising to their users (by personalizing the wall).


Facebook personalizes the Facebook wall. Google personalizes almost every other page you visit and mobile applications/games you use. Not sure how Facebook is more dangerous here.


No, it doesn't. I use adblock, as do a lot of other users. The FB wall is organized to my liking without any direct ads needed.


Or if you do A/B testing, or any e-commerce feature like a shopping cart. Internet is more than ad supported sites.


You don't have to assume your user wants to be A/B tracked, or wants to purchase anything. You can allow the user to enable them nicely and non-intrusively without a popup. You can ask the user intrusively when they actually initiate a purchasing action.

Most sites choose to do a popup instead because (they think) it is more effective. So be it, but don't say it's "mandatory" or that "they are forced to".


Both false.

A/B testing is allowed and doesn't need opt-in if the A-or-B preference is only recorded in aggregate form and not tied to the user.

Same for the purchasing scenario. In this case, you would be explicitly collecting personal data to fulfill the order.


Crazy how people whose job it is to build this crap, don't even know what the actual rules are.

It's almost as if they just want to collect all the data on all the users forever without any oversight, by continuously rehashing bad and misunderstood versions of the GDPR and pretending it's hard and complex and vague.


You don't have to warn the users for using a cookie for a shopping cart. That is considered basic functionality.


It's a choice so many site owners have made that the web is effectively ruined.


I refuse to include them. I am not a citizen of an EU country and I don't give a rat's arse what the EU thinks of my website. They aren't the boss of me.


No. In the pursuit of pure greed incompetent designers have taken the internet back 20 years.

That people absolutely ruin the user experience of their site deliberately is an active decision they make themselves.

Make an effort not to visit those sites. You will be surprised to know that people that make such bad decisions for their site seldom have any valuable content anyway.


> Now every website has a mandatory popup.

Stop spreading this disinformation. It's just the filthy websites that track your every move on the site and then give it to third parties.

Would you rather they do that by default, extracting your data before you even notice, without even being able to distinguish the bad actor from the good actor?

The problem is that people think it's the cookie banner that's annoying, when it's in fact the very website that has been secretly abusing your privacy, except now they tell you.

The people think that agreeing to the tracking banner is a fair transaction because the adtech banner is being disingenuous. It's as if the entrance to a museum requires you to dump one empty battery in the ocean. It's a bit of a hassle but it doesn't cost you anything, and you get to see the museum which is what you want.

Except in 90% of the cases the museum is clickbait trash.

I mean I agree. No website should use cookie banners. None of them. Increasing fines all around for those adtech fuckheads.


> And you can’t block these

I beg to differ. I use AdBlockPlus (ABP) and I can block 99% of these banners, and proceed immediately to the website. One can also use NoScript to block some websites that are full of crap/trackers (like techcrunch).


AdBlock Plus is owned by eyeo GmbH which actively forces media and news agencies to pay fees to allow advertising in their "acceptable ads" program. You can look that up on northdata.

I would heavily recommend to switch to uBlock Origin (and maybe uMatrix) instead.

Disclosure: worked for eyeo in the past, and quit.


I usually use uBlock Origin's element blocking to remove such popups, even if only for one time, or I use inspector to remove elements. If afterwards nothing is visible of the content, I leave. Seems like someone forgot to put the content on the page. shrugs


What if browsers had an optional "consent to any cookie" setting that sent a `X-Cookie-Consent: Accept` header on every request? This header could be used by websites to decide whether to display the cookie consent popup. Would that be acceptable to EU regulators?


X-Cookie-Consent: Accept would be explicitly illegal; consent must be specific. However, I believe X-Cookie-Consent: Deny would be sufficient grounds to not bother with showing cookie popups and assuming the user does not consent. But you don't need that anyway; lack of consent is the default state.

I propose a better alternative: just stop doing things requiring consent (which are, by definition, unnecessary, and almost always support an unethical business model), and then you won't have to annoy users with consent popups anymore.


I'd say a better alternative would be to allow people who don't care about cookie tracking to opt out entirely from the consent popups. It wouldn't change anything for you but it would be a big improvement for people like me who don't mind tracking and are just annoyed by the popups. Too bad that it's now illegal...


It can't be, because we both know how it would end. If you allowed people to auto opt-in, then malicious actors on the web, which currently show you consent popups, would instead use dark patterns to get people who don't want to be tracked to permanently opt-in anyway.


You can easily block them with uBlock.


How can I do this?


There are blocklists dedicated to cookie request elements. You can install one of those in your uBlock Origin and the banners will disappear.

I use and appreciate this one: https://www.i-dont-care-about-cookies.eu/


Pretty sure GP is talking about the HTML element blocker feature, which is not really a solution since you'd still have to use it manually on each new site you visit.


Hint: You can use ublock origin. Go to its settings page, and check the "annoyances" lists. This hides all this BS.

(I do entirely agree with you, the default internet is pretty much like you said, sadly)


And all for what, some feel-good legislation that accomplishes nothing but making the web less profitable and entrenching big companies that can afford the wasted resources of their legal team navigating it. Nobody has ever been hurt by a tracking cookie in the history of the internet.

It reminds me a bit of legislation in other areas that aims to make something so inconvenient people give up on it, like the death by a thousand cuts to American gun owners with state laws making magazine limits smaller and smaller over time, banning this and that cosmetic feature that has no bearing on anyone's safety, etc. What is Europe's vested interest in doing this to the internet though, information control (regulate a few conglomerates instead of having to deal with a bunch of little sites, by stamping out the little sites) and spite towards America's much more prosperous tech sector?


> making the web less profitable

This could actually be a good thing. These days advertisers act as censors: all it takes is a bunch of complaints and a website's revenue stream gets pulled. The webmasters react by deleting the controversial content and avoiding the subject in the future. If this is what a profitable internet looks like it should probably die.

> Nobody has ever been hurt by a tracking cookie in the history of the internet.

How do you know?

> stamping out the little sites

Social media is responsible for this. Few people buy domains these days, it's much easier to register a name on some existing site. Most traffic originates from social media these days.


> This could actually be a good thing. These days advertisers act as censors: all it takes is a bunch of complaints and a website's revenue stream gets pulled. The webmasters react by deleting the controversial content and avoiding the subject in the future. If this is what a profitable internet looks like it should probably die.

This is how newspapers have operated for nearly a century, and how television operated for over 60 years.

What do you expect will replace it? A reversion to the patronage system? I don't think Bloomberg or Murdoch paying for content to be made in the way they want it is going to be an improvement.


> This is how newspapers have operated for nearly a century, and how television operated for over 60 years.

Yes. They depend on advertising revenue and are worse off for it.

Journalists have a duty to report facts accurately but they must also keep the advertisers happy. Due to this conflict of interest, newspapers lose trust and are perceived as having little integrity. Gotta wonder if the article is presenting a truth or some version of it that happens to be aligned with the interests of the people with the money.

TV shows are sanitized for maximum advertiser appeal. Even when they push boundaries, it's carefully controlled by the networks. There are numerous and well-documented cases where they actively influenced the creative process. Gotta wonder what shows would be like if creators had true free expression.

> What do you expect will replace it?

I don't know. Hopefully something better.

> A reversion to the patronage system?

Perhaps. Would be great if we had some kind of crowdfunding or patronage system that lets people directly fund the creators they like. Art should work like an investment: large numbers of people invest in the studios they like and the work starts once enough capital has been raised. Since the money is guaranteed, creators get more freedom to do what they want. Since they'd be compensated before the work starts, copyright becomes irrelevant.


The reality is that vested interests (Billionaires and nation states and establishment political parties) will have an easier time in buying more favourable journalism under a patronage system, than crowd-funders will.


I would love a return to patronage system, since now we have means to make it accessible and distributed.


Patrons whose interests are diametrically opposed to yours will outbid you. Patrons of billionaires will produce coverage favourable to them, and will have far broader reach than the guy begging for Patreon subs, likes, tweets, follows.


>> Nobody has ever been hurt by a tracking cookie in the history of the internet.

> How do you know?

Same way I know that defining the ASCII code for T as 084 has never hurt anyone. It's an interpretation of information, independent of the human condition. Change my mind.


Cookies are used to track users. Tracking users generates a huge amount of personal information. This data is stored in databases which run on computers. The security of servers can be compromised, leading to database leaks and the publication of people's information.


The setting of the cookie (the HTTP protocol) is not responsible for hurting anyone. People are, through negligence.

I would have accepted a case wherein a user in the arctic, with limited bandwidth, was hurt due to the cookie data interfering with the communication. Hand waving about a series of human failings being connected to a technology is not compelling.

I guess it's the same argument as the "gun" isn't responsible for gun violence, excepting cookies aren't even designed to reveal information. Guns are definitely designed (in part) to be used against people.


> The setting of the cookie (the HTTP protocol) is not responsible for hurting anyone. People are, through negligence.

It's not just any cookie though. You specifically mentioned tracking cookies.

> Nobody has ever been hurt by a tracking cookie in the history of the internet.

These cookies exist for no purpose other than information collection. They aren't even required for the website to function.

This isn't negligence, it's imprudence: being reckless with people's personal information, amassing large amounts of it in the name of profit without stopping to think about the consequences.

This isn't unique to cookies either. It applies to every browser fingerprinting method.


> And all for what, some feel-good legislation that accomplishes nothing but making the web less profitable and entrenching big companies that can afford the wasted resources of their legal team navigating it.

Ideally, big companies would be subject to the law just the same. However, small companies can get a head start by just not doing what they know they are not supposed to.

> Nobody has ever been hurt by a tracking cookie in the history of the internet.

It doesn't have to hurt me. I just don't like it and I don't want it, and that is a good enough reason for me to not give up my privacy.


There is a very good book that I am reading that might change your mind: The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power by Shoshana Zuboff. Another book I really recommend is Jenny Odell’s How to Do Nothing - Resisting the Attention Economy.

You make good points and I am not arguing with you, but I found these two books really convinced me that some balance is required, and worthwhile.


This comment seems a little misinformed. I don’t like the banners either, but you could study a little about the GDPR and what’s been happening.

> some feel-good legislation that accomplishes nothing

It hasn’t been all 100% positive, and doesn’t apply to everyone, but GDPR has definitely had an overall positive impact on digital privacy practices globally. I say this as founder of a for-profit US web company affected by the legislation.

> Nobody has ever been hurt by a tracking cookie in the history of the internet.

This is really demonstrably false. Tracking cookies, tracking pixels, and other tracking technologies, have been and are still being used to de-anonymize people and cross-correlate browsing behavior of people visiting sites other than the one they’re on. The concern is over privacy, and tracking cookies are a real threat to privacy, hence the legislation.


Indeed. It doesn't make much difference to me if the pop-up I'm clicking out of is talking about cookies or offering me hot redheads in my area.


I should be able to set a browser preference that I only ever want functional first party cookies, unless I whitelist the site.


> The "opt-out" is just another cookie. There's nothing special about them either, they can be used to track return visitors just as well as any other cookie. I'm sure they're not, because that would be against the spirit of the law ..

How is an opt-out cookie the same as a tracking cookie?

Isn't there a clear difference for a cookie:

    is_opt_out: true

Compared to a cookie:

    tracking_id: 374739585483292

Sure the first one can tell server "this is a user that had visited the page in the past". But this is nothing compared to the second one which tells server "this is this specific user"


You might think it's just one bit of fingerprinting information, but if 99 of 100 users click "accept" and one user clicks "decline", it's suddenly become 6.6 bits. Now combine that with other fingerprinting data and you have uniquely identified the user.

It's the same problem with pages where most users are logged in: the few who aren't are suddenly such a small group that they become identifiable through other means.


Can you explain how you got 6.6 bits?


From Shannon's formula for information content[1]. The idea is that the less likely an event is the more information it imparts.

    I = -log2(p)

In this case they used p = 1/100

1 - https://en.wikipedia.org/wiki/Information_content


Because it uniquely describes a user within a group of 100 other people. 2^(-6.6) ~ 1/100


log2(1/100)
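
The entropy argument in the replies above, worked through as an added example (not code posted by anyone in the thread). It generalizes the 100-user case to a constructed population of 10,000 visitors, and the attribute names `consent`, `timezone` and `language` are hypothetical.

```python
import math
from collections import Counter


def surprisal_bits(p):
    """Shannon information content I = -log2(p) of an event with probability p."""
    if not 0 < p <= 1:
        raise ValueError("p must be in (0, 1]")
    return -math.log2(p)


def build_population(n=10_000):
    """Constructed sample data: 1 visitor in 100 declines tracking.

    timezone and language are each uniform over 10 values and are
    independent of the consent choice (assumption made for the example).
    """
    return [
        {
            "consent": "decline" if i % 100 == 0 else "accept",
            "timezone": f"tz{(i // 100) % 10}",
            "language": f"lang{(i // 1000) % 10}",
        }
        for i in range(n)
    ]


def attribute_bits(population, visitor, attr):
    """Bits revealed by this visitor's value for one attribute."""
    counts = Counter(v[attr] for v in population)
    return surprisal_bits(counts[visitor[attr]] / len(population))


def anonymity_set(population, visitor, attrs):
    """How many visitors (including this one) share all the given values."""
    key = tuple(visitor[a] for a in attrs)
    return sum(1 for v in population if tuple(v[a] for a in attrs) == key)


def report(population, visitor, attrs):
    """Per-attribute bits, their sum, and the measured anonymity set."""
    per_attr = {a: attribute_bits(population, visitor, a) for a in attrs}
    return {
        "bits": per_attr,
        # Adding bits is only valid when the attributes are independent.
        "total_bits": sum(per_attr.values()),
        # Bits needed to single out one visitor in this population.
        "bits_needed": math.log2(len(population)),
        "anonymity_set": anonymity_set(population, visitor, attrs),
    }


if __name__ == "__main__":
    pop = build_population()
    decliner, accepter = pop[0], pop[1]  # same timezone and language
    for label, visitor in (("decliner", decliner), ("accepter", accepter)):
        without = report(pop, visitor, ["timezone", "language"])
        with_flag = report(pop, visitor, ["consent", "timezone", "language"])
        print(label)
        print(f"  consent flag alone: {with_flag['bits']['consent']:.2f} bits")
        print(f"  without flag: {without['total_bits']:.2f} bits, "
              f"hidden among {without['anonymity_set']} visitors")
        print(f"  with flag:    {with_flag['total_bits']:.2f} of "
              f"{with_flag['bits_needed']:.2f} bits needed, "
              f"hidden among {with_flag['anonymity_set']} visitors")
```

The visitor who accepted barely moves (the common answer carries about 0.01 bits), while the one who declined drops from a crowd of 100 to a crowd of one.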


I think the following should happen...

1. Do a study and check how many people want to be tracked. Don't trust the data from websites because everyone is currently being tricked into accepting. Go out on the street, talk to someone for 5 minutes about how tracking works, how it can lead to more relevant advertising and a potential increase in revenues for the service they're using, but in return their browsing history, purchases, and communication will be tracked and associated with them. How many want to be tracked?

2. If 80%+ of people do not want to be tracked, then just create a law saying it's not allowed. That's it, we're done.

3. If less than 80% of people don't want to be tracked, then force browsers to prompt users on install to ask if they want to accept tracking. Websites, analytics, advertisers, etc, then need to respect that setting or risk being fined. No need for every website in the world to invent their own cookie/tracking pop-up system, and no need for people to adjust their settings on a per-site basis.


> 1. Do a study and check how many people want to be tracked.

Ask the same people if they wanted websites to stay free.

I bet 80%+ would want to eat a cookie, and have it too. (No anti-pun intended!)

(Side note: the proposition of banning things if 80% don't want to use them is dangerous. Not wanting something personally is not the same as banning it for everyone.)


I'm willing to bet that a lot of HN users block third-party trackers, but the average user has no idea how to do that. Why are we allowed the choice between (as you put it) "websites stay[ing] free" and privacy, and yet the average joe isn't? (To be clear, I don't even believe that's the choice we're facing.)


I don't block any tracking because I want the web to know me and serve me with the stuff I might want or need.

Logging out of youtube feels like falling knee-deep into the gutter. What I personally want is more and smarter tracking, not less.

When I'm at a random site I'd rather see ads for electronics kits I considered purchasing recently, not liposuction or some other gross random things I would never want or need or even like to be aware of.


Because there isn't enough of "us" to topple the web economy. Once a critical mass is reached, we'll see a (slow) mass extinction in the open web as we know it. Then a bunch of new business models will fill the niche.

Disclosure: I'm a Googler. Not sure how that affects my fatalism here.


Not sure what you would describe as "the open web", but from my perspective, the "open web" died with the hypercommercialisation of the web. Nowadays everywhere you look there are walled gardens, if they aren't walled gardens they are honey traps to lure you to divulge private data.


I think Google is working off and promoting a peculiar definition of "open web", which is an ecosystem of a) commercial actors, and b) resources (individuals) to be exploited by said commercial actors. The "openness" of that web is focused mostly on making it easier for the commercial actors to make money off exploiting resources. Efficient and unencumbered exchange of information or culture doesn't even enter the picture.


That's not the impression I got. Note that Google does not need the hypercommercialization to earn money. The moment you allowed your site to be indexed, Google earned its cut.


I'm not sure that really answers the question, though. My point was that only those with enough technical know-how get to choose to remain private; shouldn't everyone be able to choose as to whether they believe free stuff is a good trade for their privacy?

Also, why do we assume that the choice is between the status quo and the total collapse of the internet ecosystem? That there's no way for digital advertising to generate a profit without gobbling up ever greater amounts of our personal data?


The websites aren't free, you pay by letting others track you.

This seems like it's a silly nitpicking point, but in this context that's the whole point of the discussion: whether your users understand and consent to paying that cost.


The onus is on the "website" to find an ethical business model, not the people who have been (rightly) trained that the web is free.


People say this (ads keep the Web free) but it's not true. What keeps the Web free is the altruism of the vast majority of people who pay for their server costs out of pocket. The long tail of sites won't reach the threshold necessary to receive a payout from their ad provider. So tracking makes Google money at the expense of users and most websites.

Example: my personal website costs me about $35/mo to run. If I put ads on it, Google would tell me I made about $5/mo, and then take that $5 for themselves because they have decided they don't need to pay out small amounts. So I basically get to pay to host ads for Google.


The vast majority of web usage these days happens on YouTube, Instagram, etc. Ads certainly keep those parts of the web free.


> The vast majority of web usage these days happens on YouTube, Instagram, etc. Ads certainly keep those parts of the web free.

Counterpoint: Wikipedia.


...or grab it for free (which you are obliged to provide) while you cover the cost. It doesn't sound like a fair deal to me.

If you were able to say "tracking or subscribe" it would make much more sense.


Not quite the same, because right now tracking is supposed to be opt-in. Free cookies are not.

A fair comparison would be a law saying people need to opt-in for paying for a cookie. You can't charge the customer or hide the information, they need to agree to pay for the cookies, and they need an equally clear option to not pay for them.

However, stores bend the rules. They have someone stand at the entrance saying, "Thanks for coming to our store, we have cookies for sale at $0.99. Would you like to come in?" If you say yes, then you're charged for cookies you buy. To get the cookies for free, you need to realize you can say "No" to entering the store, and then through a complex 5 minutes conversation, you can get the person to let you into the store for the free cookies every person is allowed to have according to the law.

Most people don't know about the free cookies. Others can't figure out the correct questions to ask to get permission to enter the store for the free cookies. Some people want the free cookies but they don't have 5 minutes to waste talking to the person, so they just decide to pay.

At the end of the day though, of course everyone wants the free cookies. I want them. You want them. The law says the store is required to give free cookies. Why introduce all the complex interactions and rules that businesses will not follow, and customers will find annoying? Just give everyone the cookies and be done with it.

If you don't want a blanket statement allowing free cookies everywhere, what's the ideal process? 97% of people want free cookies all the time. 2% of people want free cookies "sometimes". 1% of people never want free cookies. Asking people at each store for their preference (similar to a website cookies pop-up) is only beneficial to the 2% "sometimes" crowd. For the other 98%, they're just being annoyed and repetitively giving the same answer to every store. Require the banks to allow a setting on credit cards to toggle free cookies on or off, and have stores respect that setting without needing to ask.


> force browsers to prompt users

Given how many people think the EU did a bad job defining cookies, tracking, tracking methods and etc, it would be fun to see what they would think about the definition of a "browser" as something that can be forced to implement a certain feature.


> 1. Do a study and check how many people want to be tracked. Don't trust the data from websites because everyone is currently being tricked into accepting. Go out on the street, talk to someone for 5 minutes about how tracking works, how it can lead to more relevant advertising and a potential increase in revenues for the service they're using, but in return their browsing history, purchases, and communication will be tracked and associated with them. How many want to be tracked?

There's a very popular (it's a bit weird that number of reviews is so drastically different between Chrome and Firefox) extension called Honey. Apparently a bunch of people install it because it provides free coupons. I don't believe people that use it know that ultimately they are the product.


I wonder if we need instead of a "big fat cookie jar" browsers should support authentication natively (i.e. they are aware that this is authentication, not that just there is some cookie called "session") and then we deprecate cookies entirely.

Now that the auth headers are known about, they can be treated as such and expired based on user preferences, but by default after 24h. There can be an alert "google.com has logged you in and now knows who you are until you log out".

Auth headers are then only sent for a single origin, so no scripts to track you around the web anyway.

The cookie workaround for those that need to genuinely use them are 1. session feature mentioned above - tie to that on the server side and 2. stick something in the URL and then keep tracking that via links, like most SPAs do anyway.

Want to do analytics? Anonymous-ish pixel or server logs.

Local storage is another issue, that should be permission based. (+ any other dodgy web apis).

Someone might say, what about a site you don't log into but needs to remember your preference? A. Easy local storage, and it will ask for permissions AWS style e.g. "enter the name of the site to agree ____"

Maybe get rid of UA string?


I wish browsers worked in a way where placing a cookie on my computer came with a permission dialog like sending notifications, or using my location, microphone or camera does. I guess the browser could have some logic around detecting login screens, so it can tell that I just entered a username and password, so the session cookie from that site gets a pass (I think automatic popup blocking works in a similar way). Or move it up a notch, so it blanket blocks cookies anything that doesn't look like a login and shows a permission prompt only for the first time I do a login for a new site (which then gets whitelisted).


That's the way things used to work, but these popup dialogs became an annoyance as sites started using 3rd-party cookies pervasively, and the simpler "always accept"/"always deny" model took hold. Perhaps with 3rd-party cookies being increasingly limited by default browser configurations, we'll ultimately turn back to that model.


really? when? i don't remember.

and to this day, cookies in firefox are managed in a hidden box with a giant list of all the sites you've ever accepted. they don't want you to manage these permissions.

but for permissions they intend for you to manage, you click the security icon and you can revoke what you don't want. if the only permission you granted is the right to store cookies, it says you haven't granted any permissions, although this is a lie.


I remember at one point -- not sure exactly what year, I'd guess around 2010-2012 -- Firefox had a cookie option "ask me every time". It popped up a dialog each time a site wanted to set a cookie, with options to accept, decline, and whitelist/blacklist the site that was asking.

I used it for a week or two, maybe. I stopped because it made the web unbrowseable. If you think one banner per site is bad, imagine at least 5 consecutive popups to start, plus the possibility of more when you took any persistent action or the site loaded a new 3rd party resource. And if you don't choose the whitelist/blacklist option right away, it's the same thing the next time you visit.

I stuck with it until it became clear that I was not going to run out of domains to whitelist -- ie, this was a never-ending workload -- and switched to accepting only first-party cookies. I don't think there was an option to decline 3rd party and ask for 1st party; I probably would have used it.


Here are examples from IE3 and Netscape 3: https://twitter.com/uygarr/status/1003784413644316672


The problem is cookies are fine and necessary for legitimate functionality, e.g. if you want a persistent shopping basket. But a user or user agent has no way of knowing what a given cookie is used for. Therefore the legislation requires to warn if cookies are used for non-functional purposes like tracking.


You don't need cookies for a persistent shopping basket. If I want a persistent shopping basket, give me the option to create an account and store my shopping basket for later use. Otherwise, just nuke my shopping basket when my session cookie expires. This is a non-issue.

Of course it's not visitors who want persistent shopping baskets. It's sellers. And I don't really care about what they want. On ~100% of the websites I visit, I'm the visitor, not the seller. And given that webshops were a thing before persistent shopping baskets were a thing, I'll wager they can do without.


Logging into an account requires some kind of persistent identifier. And it is not just for shopping carts - you also have a login and cookie here on Hacker News.


Cookies were introduced as a hack to allow sessions. When HTTP/2 was being proposed phk raised this issue and asked why they didn't use this as an opportunity to make real fixes to http warts like this and eliminate cookies[1]. But given that it was pushed by Google, which didn't mind them, this of course was ignored.

[1] https://varnish-cache.org/docs/trunk/phk/http20.html


And such a cookie is one that is necessary for the site to function, and as such not covered by cookie laws.


Yes, but elric is arguing that even those kind of cookies are unnecessary. Meaning I would have to log in every time I visited Hacker News.


I think they said it was unnecessary until you logged in, which was the thing that the Hacker News cookies were being used for?


Yeah agreed. I was just replying to elric who argued we shouldn't need cookies at all.


> Of course it's not visitors who want persistent shopping baskets. It's sellers.

That’s not so simple. Persistent shopping baskets create problems for sellers e.g. stock changes; price changes; products may become obsolete. Some of them let the cart expire at some point, even down to a couple hours for some (ASOS). As a visitor I do want a persistent cart across sessions because I may need some time to make (or not) my purchase. And no, I won’t give you my email just for that.


I run a game where you can play without creating an account, and going back to the game later will take you back to your previous state. How would I manage this without cookies? A lot of people don't want to create an account.


Can you ask them if they'd like to save their progress?


Save it where? What if there's no budget for server infrastructure? Say... a hobby project.


A query argument inside a URL that they can bookmark is one option.


Local storage?


I assume that whatever fate befalls cookies will happen to localStorage as well. But maybe not. localStorage is kind of better for this purpose in any case.


Shouldn't you be using localStorage for that?


The state is saved on a server. I only need an identifier to retrieve the state but sure, I could use localStorage instead for saving the identifier. What's the difference though?


For some reason I assumed that you've saved game state in cookies.


Ideally browsers would ask permission for cookies that lasted longer than the current session (where a session lasts until the tab closes). And ideally most webpages wouldn't just keep nagging until people clicked 'always allow'.


I still liked PHK's suggestion for removing cookies entirely from HTTP/2 [0]. I seem to remember that they advocated for instead having the user agent send a profile ID which is only meaningful to the user agent. That would allow the server to know which requests belong to which profiled user, but allow the user full control over which profile is presented.

[0] https://varnish-cache.org/docs/trunk/phk/http20.html#beating...


Everyone would've emulated cookies using HTML local storage, because it would be a pretty quick fix (just wrap all cookie APIs). So you'd gain nothing except push people from a standard to an ad hoc solution.

Switching to server side storage would've been a too costly architectural change. What if the server side was stateless before?

And even if, web applications would still have needed to support the old model for interop reasons. It's not feasible for everyone to maintain code for both approaches when they are so different.

It'd also break many use cases, such as using a (signed) cookie as cache for some really frequently used data. Or more importantly authentication, where an auth service returns a token (in some cases a token that can be checked by a different service without contacting the auth service again).

So yeah, that was a non starter.


> What if the server side was stateless before?

Then that's a pretty bad design choice to begin with? If some state is required for operation, but the website keeps it only on client? Not least of all reasons, for security?


You can make such state cookies tamperproof with server side signing. Depending on the state in question, leaving it with the client, instead of in server storage, makes for good lifetime management. Of course, if you want the state to be synced between different clients (for a logged in user or something), you'll need to do something else.


Statelessness is often a good thing in designs in many ways, performance, reliability, maintainability, operating cost etc.

As a concrete example for a common use case, websites show your user or first name in the top right corner. It's common to put this in a cookie set on login/logout. This avoids querying the user directory service (from the frontend or a different backend service) on every pageload. Security wise it doesn't matter if the user tampers with it, it's a display only thing. (More often than not it's signed anyway, and the cookie contains other things as well.)

Cookies meant to be presented back to a server can be signed and (optionally) encrypted. This is also a very widely used pattern ("cookie secret" is a good search term for concrete implementations in frameworks).
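The signed-cookie pattern these comments describe, as an added example that is not part of the original thread: the server keeps no session table, and an HMAC over the cookie body lets it detect tampering and enforce an expiry. The key, function names and cookie layout are assumptions made for illustration, not any framework's API.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption); a real deployment loads a random secret
# from configuration and rotates it.
COOKIE_SECRET = b"constructed-demo-secret-not-for-production"


def b64enc(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cookie_mac(body: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, body, hashlib.sha256).digest()


def sign_cookie(state: dict, secret: bytes = COOKIE_SECRET,
                ttl: int = 3600, now=None) -> str:
    """Serialize state with an expiry and append an HMAC-SHA256 tag.

    The body is only encoded, not encrypted: the client can read it.
    """
    now = int(time.time()) if now is None else int(now)
    body = json.dumps({"exp": now + ttl, "state": state},
                      separators=(",", ":"), sort_keys=True).encode("utf-8")
    return b64enc(body) + "." + b64enc(cookie_mac(body, secret))


def verify_cookie(value: str, secret: bytes = COOKIE_SECRET, now=None):
    """Return the state dict, or None if the cookie is malformed, forged or expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        body_part, mac_part = value.split(".")
        body, tag = b64dec(body_part), b64dec(mac_part)
    except ValueError:  # wrong number of parts or undecodable base64
        return None
    # Constant-time comparison; check the tag before parsing the body.
    if not hmac.compare_digest(tag, cookie_mac(body, secret)):
        return None
    data = json.loads(body)
    if data["exp"] < now:
        return None
    return data["state"]


if __name__ == "__main__":
    cookie = sign_cookie({"display_name": "alice"}, now=1000)
    print("Set-Cookie: greeting=" + cookie + "; HttpOnly; Secure; SameSite=Lax")
    print("valid:", verify_cookie(cookie, now=1000))
    body, tag = cookie.split(".")
    forged = b64enc(b64dec(body).replace(b"alice", b"admin")) + "." + tag
    print("forged:", verify_cookie(forged, now=1000))
    print("expired:", verify_cookie(cookie, now=1000 + 3601))
```

Signing only makes the value tamper-evident; anything the client must not read has to be encrypted as well or kept server-side.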


You can't have your cookie and eat it, too; the browser has to store profile information or cookie information either way, so this was never about statelessness. This is about the expectation that user agents will not just consent to server tracking, but carry around papers which will identify themselves to each server so that they can be better tracked.


I'm sorry if I didn't explain what I meant well enough.

I was talking about statelessness on the server side. If you remove cookies from HTTP, you now need a database on the server side.

You also get extra communication (between the client/DB, or the web service/DB), whereas previously the data would've already been available in both (the client has the jar, and the web service gets it in each request). Turning a local memory read into a network request can be a difficult architectural change.

Also, DynamoDB reads are priced per unit ;-)


That would mandate server-side storage for sessions and any kind of persistence though. It feels like that's throwing away the baby with the bathwater.


Soon all cookies will be treated with SameSite=Lax policy, unless website specifies otherwise. That means that by default it won't be possible to track users on other websites. It's still possible to track users with cookies using SameSite=None, but it's expected that most cookies should not use this setting, so browsers theoretically could use an approach similar to allowing notifications or location services: ask user for permission before accepting that cookie.

So if that UI will be deployed, maybe those popups won't make sense anymore.
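A small model of the SameSite behaviour this comment describes, as an added example that is not part of the original thread: it decides whether a browser applying "Lax by default" would attach a cookie to a request. The function names and the `.example` hosts are constructed; as simplifications, a site is taken to be the last two host labels (browsers use the Public Suffix List and also compare schemes) and browser-specific grace periods are ignored.

```python
from urllib.parse import urlsplit

# Methods treated as "safe" for Lax top-level navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, "value": value, "attrs": attrs}


def effective_samesite(cookie: dict) -> str:
    """A missing or unrecognized SameSite attribute is treated as Lax."""
    raw = cookie["attrs"].get("samesite", "").lower()
    return raw if raw in ("strict", "lax", "none") else "lax"


def is_accepted(cookie: dict) -> bool:
    """SameSite=None is only honoured together with the Secure attribute."""
    return not (effective_samesite(cookie) == "none"
                and "secure" not in cookie["attrs"])


def site_of(url: str) -> str:
    """Simplified site: last two labels of the host (assumption, see lead-in)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def is_sent(cookie: dict, page_url: str, request_url: str,
            method: str = "GET", top_level_navigation: bool = False) -> bool:
    """Would a cookie set by request_url's site ride along on this request?"""
    if not is_accepted(cookie):
        return False
    if site_of(page_url) == site_of(request_url):
        return True  # same-site requests always carry the cookie
    mode = effective_samesite(cookie)
    if mode == "none":
        return True
    if mode == "lax":
        # Cross-site: only when the user navigates the top-level page
        # with a safe method, e.g. by following a link.
        return top_level_navigation and method.upper() in SAFE_METHODS
    return False  # strict


if __name__ == "__main__":
    # Constructed scenario: news.example embeds a pixel from tracker.example.
    page = "https://www.news.example/article"
    pixel = "https://cdn.tracker.example/p.gif"
    for header in ("uid=abc123; Path=/; Max-Age=31536000",
                   "uid=abc123; Path=/; SameSite=None; Secure",
                   "uid=abc123; Path=/; SameSite=None"):
        cookie = parse_set_cookie(header)
        print(header, "->", "sent" if is_sent(cookie, page, pixel) else "withheld")
```

Only the explicit `SameSite=None; Secure` cookie reaches the embedded third party, which is the narrow case a browser permission prompt would have to cover.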


> If more browsers were still User Agents in the literal sense, maybe we wouldn't have needed this legislation. Browsers could have informed people about what cookies were, and could have presented the user with the option to never accept tracking cookies from Big Advertising.

Unfortunately, cookies are not conveniently labeled as "advertising" or "federated login".

That said, yes, it'd be nice if the legislation in question had mandated proper labeling of cookies, and then let the user's browser handle rejecting them.


That sounds good, but an infrastructure needs to be developed first, particularly a way to label which cookie is which and then have a law to enforce it.

Ultimately though by default I use an extension to destroy cookies as soon as I leave the page, I can place an exclusion for sites that I frequent but when I do that I just allow all cookies. My reasoning is that if I have credentials they can track me using these anyway.

Anyway the whole thing is moot though, since advertisers are beyond cookies and use many other ways to track users. Now it seems their primary goal is to be able to tie multiple devices of the same user together.


Is there a setting in Firefox that allows you to whitelist specific cookies and ignore all others?

That combined with Firefox Containers would make for a very powerful combination since you could have different containers that would be your logged-in interface to a specific site, without then having to allow other sites to be able to set cookies.


I have the

> Delete cookies and site data when Firefox is closed

setting checked in preferences. There is a Manage Permissions button next to it that allows some more per-website control.

Websites can place however many cookies they want. It won't help them track me past a day.


Firefox also has a "always use private browsing" option that I've been using for about ~6 months with great success—with a password manager the only annoying thing to do is get through sms "2fa" gated auth—mostly banks, health insurance, etc.


Always private browsing as a default is a very good idea. I set Safari for auto-privacy. The overhead of manually opening a non-private browser when that is what I want is really a very small hassle.

Setting up Safari this way and using Firefox only with containers for each major web platform works really well for me and I have been able to talk non tech friends into trying it.


It's been a while since I went the whitelist approach on cookies, but I think you can do this in the "manage permissions" section of the cookie area in settings.

Whitelist a site and set default behavior to block will still allow that whitelisted site... I think so at least, maybe you need wildcards or something...


This used to be a feature of Firefox. You could get a pop-up asking if you wanted to allow, allow for session, or disallow cookies from a domain the first time it tried to create a cookie. This was removed for some reason.


The Cookie Autodelete extension does this.


uMatrix lets you whitelist cookies on a domain and subdomain basis, either per-site or for the whole web.


If this was a browser thing and not mandated by law, sites would just intentionally make their sites break if your browser didn't accept cookies and then tell you that you have to accept the cookie to make the site work.


Had this been implemented 15 years ago, people's awareness might have grown and they might have decided to not visit sites that are obviously broken. Many sites only worked properly in IE for ages. Other browsers reaching critical mass forced the issue, and the web became better for it.

You're probably right that it won't be happening now..the cat's out of the bag.


The only difference between this and the web ~15 years ago is that they didn't even tell you it was a cookie issue. If you couldn't access the site, then "uhh try using Internet Explorer?"


…and this is exactly what they used to do, so this isn't even a hypothetical.


There is a nifty Firefox extension (maybe it exists for Chrome too, haven’t checked) called “I don’t care about cookies”.

It discards most of these popups. Coupled with uBlock Origin and Decentraleyes, I think you’re pretty well covered against tracking without too much hassle.

Of course Temporary Containers is the cherry on top (although Amazon seems to have a way to recognize you anyway because it almost always only asks me for my email before logging me in).


This is what Chrome has announced they are doing with “privacy sandbox” which is going to replace 3rd party cookies in 2 years time.


I'll put money on Google bringing some of their own toys into that sandbox.

https://news.ycombinator.com/item?id=22245101

https://source.chromium.org/chromium/chromium/src/+/master:c...


Safari takes this seriously and now blocks all third party cookies by default.


"If more browsers were still User Agents in the literal sense, maybe we wouldn't have needed this legislation."

s/browsers/popular &/

There are browsers and other clients that are still User-Agents in the literal sense but they are not the popular ones.

The popular browsers measure their success by market share, not qualitative measures.

That is why Firefox tries to stay more or less in lock step with the leading browser on features.

This is not done out of fear of being inferior by some qualitative measure but out of fear of losing market share.


How can you reconcile this with the unfortunate situation that the world’s most popular browser is made by the world’s biggest tracking (aka spyware and adware with consent) company?


I do think this needs to be rethought from scratch.

When a website sends cookies, prompt the user "this website wants to track you, allow it? y/n".

The same way microphone/camera access is prompted. So it should be fine to reject this for news sites, a random museum, etc, but okay to accept for, eg: webmail, sites where you log in, etc.

We've simplified browsers' UI so much, a SINGLE toggle button for this would be lovely!


It doesn't require banners.

No tracking-by-default, no need for a banner.


Why don't you just disable the cookie in the browser you are running in the computer you own? If you can't, that means you have no control over the computer and software you own.


Except that many modern web modalities only "work" if there is a cookie to tell them the state of your session with respect to the current display. (Think displaying page 7 of 10 pages of results for example)

Too many people were using this as a way to get a blanket acceptance of cookies, which not only included specific state to make the web site work, but other tracking cookies. What I see when I read this ruling is that you can't bundle the two. You have to allow the user to say "No, I don't consent to any cookies that provide PII." and then stop using them.


> (Think displaying page 7 of 10 pages of results for example)

You don't need cookies for that. But, if you insist that you do, that can easily be a session cookie, not a stored cookie. And there's no need to obtain consent for a cookie like this, if it's not used to identify or track a (EU) person.


The legislation also covers things like sharing that Joe Bloggs living in Summerstone Drive, or the user with email address jennifer1983@gmail.com, is looking for a new car, even without advertising cookies. The GDPR would be necessary even if advertising cookies were not a thing.


I agree. The GDPR would be necessary. And it's a useful instrument (if still somewhat underused). The "cookie law" is what drove people to add cookie banners before GDPR was a thing. GDPR admittedly made them worse and more prevalent.


I'll also point out that vast swathes of cookies do not require a cookie popup, according to the European Commission's internal guidance; specifically, for their own websites, they believe that "cookies used for the sole purpose of carrying out the transmission of a communication" and "cookies that are strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service" do not require a cookie popup. So, for example, CSRF cookies, login cookies, and so on and so forth do not require a cookie popup.

That is - if you're building a website and using the bare minimum cookies you need to make the website function, you don't need a cookie popup. The default here is that you don't need a cookie popup, and when you start tracking users and/or selling their data, you need to comply with ePrivacy and the GDPR.


No, GDPR just forced website owners to air their dirty laundry. You don't need a cookie popup. See Basecamp.com, github.com etc. You only need one if you're asking the user for more data than is necessary to provide the service.


What's the meaningful difference to people who don't write their own HTTP agents?


GDPR is about the collection of people's personal data, regardless of the mechanism you use to do it.

There are plenty of ways to collect data about people without using cookies to do it, so GDPR would still be needed no matter what measures browsers took to block tracking cookies.


FWIW, GDPR has very little to do with cookies.


The EU cookie legislation is still mind blowing to me. In terms of widely used protocols with terrible designs it's up there with US payment card processing (want to make a $5 payment? Hand over the secret that gives the other party the ability to take an unlimited amount of money from you at any time in the next 4 years, and hope they don't misuse it).

Did no one involved in the cookie legislation think to run the idea by a technical expert before passing it? Why wouldn't they have done something like introduce an X-Allow-Tracking header in the http spec, and make the law require that sites respect that header instead of every site making their own cookie popup. Browsers could make that privacy setting as detailed as they want as far as which requests they included it with, and the EU could strongly recommend that everyone use browsers that they've approved as supporting that setting (or even force it in various ways, like require any OEM browser that ships with a device in the EU support that setting).


The law itself is perfectly sane. The problem is that everybody tries to apply it in the worst possible way.

Let's imagine a world where a government forces car builders to add speed limiters to cars. The car builders all decide to just cut the engine if you go over the limit. Will you say the law is bad or that car makers are trolling everybody?

It's the same for this law. But curiously everybody is prompt to say that the law is bad. The reality is that a majority of internet actors are bad and are just trolling us.


> Let's imagine...the car builders all decide to just cut the engine if you go over the limit.

We don't need to imagine a world like that, because it has nothing to do with what we are talking about.

Let's stick to the real world. The EU implemented a law. Everybody is scared of the power of the government, so they implemented what they thought was the intention of the law, to avoid prosecution. The mom-and-pop flower shop down the street could care less about making troll political statements about technical internet topics.

Turns out, the law had stupid unintended consequences. Was the person who designed it stupid? Or is the entire world stupid?

If your answer is "the entire world is stupid," then I'd argue you don't understand how the field of design is supposed to work.


> so they implemented what they thought was the intention of the law

No, they didn't. They implemented something that they thought allows them to continue with the practices that the law was specifically designed to combat.

The user has very little motivation to accept tracking. The web site has a lot of motivation to track the user (because personalized ads = more money).

Thus, web sites make saying no as difficult as possible, while making saying yes as easy as possible.

A 100% compliant, user-friendly implementation would be showing non-personalized ads, then occasionally replacing one of those ads with a banner "want to receive ads that are actually relevant? click here to enable personalized ads" (which would lead to an informed consent dialog and set a cookie that would then apply to all web sites that use that ad provider).

But pop-ups coercing the user to consent are more profitable.

This could be fixed by enforcing the actual law (punishing the companies that tried to weasel out of it and processed data without valid consent) so that trying to weasel out of it is no longer a valid strategy.


The law has stupid unintended consequences because it would kill the business of the tracking companies it targets, if they were to follow the intention of the law.

The same companies have their customers convinced that they need data collection to turn a profit.

As a result we see all kinds of stupid attempts to circumvent the law because an entire industry of shady data collectors and brokers have convinced businesses that the only way of making money online is by tracking people.


You're starting with a false premise.

The basis of your argument is: All data collection is bad.

Therefore, in your model of the world, an evil conspiracy of bad actors are looking to strategically undermine the law with various dastardly convoluted schemes. I understand why you're arguing that, given the premise you're starting with.

However, the majority of businesses on the internet are not doing evil things with your data. They simply want to better target their offerings to their customers, allow for you to keep items in a shopping cart, etc. If they are providing better services to their customers, they make more money and the customers are happier. It's a win win for everybody involved.

Could it simply be that, most businesses put cookie popups on their sites because they don't want to get fined? Not because they are embroiled in an elaborate scheme to undermine the law?

Could it be that the EU should have created a smarter law that would actually help people be more aware of data tracking? Instead of stupid popups?


> However, the majority of businesses on the internet are not doing evil things with your data. They simply want to better target their offerings to their customers, allow for you to keep items in a shopping cart, etc. If they are providing better services to their customers, they make more money and the customers are happier. It's a win win for everybody involved.

I wouldn't be so sure. There aren't that many advertising and analytics companies, but they make products that are widely used (and clearly misused) everywhere. The websites using such tools were never told that they could avoid having the banner if they just didn't have tracking cookies.


> They simply want to better target their offerings to their customers,

As a user I don't want anyone to "better target me" - no single exception. Gosh I miss the time where we just burned the McDonald's...


I like ads tailored towards my interest much better than generic ads. Am I the only one?


At this point I've blocked ads for so long that I don't think I could ever go back to not hating ads, targeted or otherwise…


I don't think I've ever seen a more overt straw man. At least try to be a little sneaky about it, will you?


> Therefore, in your model of the world, an evil conspiracy of bad actors are looking to strategically undermine the law with various dastardly convoluted schemes.

There's no need to straw man secret cabals of conspirators, when it's just business. (Or if you want to get political, capitalism). When big tobacco companies pour money into lobbyists, fund skewed studies, and buy ads to flout anti-smoking legislation, no one calls it conspiracy. Businesses are incentivized to respond in certain ways.


> They simply want to better target their offerings to their customers

They can do it without the cookie notice. For example, Amazon can track what I'm looking at on their site and what I'm buying and store it to their database. They can use this information to offer me what they think I'll like. Also, another user-friendly approach would be for a site to ask me to select categories/topics that I like. Whatever it is, GDPR gives me a right to export the data, review it, and ask for it to be deleted if I don't want the site to have it anymore. No need for cookies in this scenario. What they need cookies for is when one site wants to track what I do on other sites.

> allow for you to keep items in a shopping cart

This is a functional cookie and there's no need to ask for consent to store a shopping cart. This is just a perfidious argument that data tracking companies use to ridicule the law.

> Could it simply be that, most businesses put cookie popups on their sites because they don't want to get fined? Not because they are embroiled in an elaborate scheme to undermine the law?

The law is very clear about when you need to ask for consent and when you don't need to ask for consent. Most sites implement it in a wrong way, many of them use deliberate dark patterns, for example, when you deny cookies you get a loading spinner that spins for a couple of minutes. These are all attempts to condition the user into avoiding pressing the "slow" button.


How about rephrasing this to: all data tracking that involves sharing a user’s data with third parties is bad and should be outlawed

Using user’s data within the confines of a web app is usually OK so we can put just much smaller guardrails up to keep companies respecting the public good.

I generally just don’t like my data shared with third parties. A single web site can literally pass your data on to hundreds of companies (as discussed in the book on Surveillance Capitalism).


> stupid unintended

I don't think that's stupid, nor unintended.


That makes the law stupid, dude. I want my lawmakers to apply a slight modicum of systems thinking.


> so they implemented what they thought was the intention of the law, to avoid prosecution.

That's not what actually happened. Companies got scared that the law would impact their business model, which the law was directly designed to impact, and asked lawyers to find the minimum change which could be argued as being in compliance.

When you ask lawyers to find a solution to a problem you do not get the intention of the law. If you ask a lawyer to find a solution to tax law you don't get the intention of the tax law, you get tax avoidance, the direct opposite. And if you ask a lawyer about consent, as I have done during conferences, you get straight answers like "People can consent to a 20 page EULA they have not read or have the legal education to translate".

It's not that the world is stupid or that the person who designed the law is stupid. It just happens that if you pay a lot of people who have studied and spent a large part of their life to find clever interpretations of words what you get is a clever interpretation that may or may not be what a judge will see.

To make a quick parallel, a bunch of lawyers for companies are arguing that while the company is having millions in profits and giving out a lot of dividends to shareholders, the company is at the same time in "economical crisis" and thus deserves government grant money in order to handle corona. The department in charge of giving out the money asked its lawyers and they agreed, but the politicians are now a bit upset since they disagree. And so now everyone is arguing/blaming each other and discussing if they should change the law to specify what an economic crisis is and isn't and if the change to the law should be retroactive or not.


So you're telling me the EU government, whose entire job is creating effective laws...couldn't have seen that coming?

It sounds like you're saying the lawyers are smart, but the government is still stupid.

Why didn't the government have any lawyers involved in writing the law?

Isn't that pretty...stupid?


Trying to make good laws is not easy, and trying to anticipate how companies will react to them is also not easy. Really, in a vacuum, I think I can forgive them for not anticipating that "people will put up so many banners that it will undermine our law and make it look like we wanted more banners rather than people not using tracking cookies".


Yes, that was entirely predictable, was in fact predicted, and was really the whole experience of the cookie banners which have already plagued the web for years before the GDPR.


For the GDPR to be effective, there will need to be several more rounds of “yes, we really need you to change”. It’s a big change in business practices, and businesses don’t like change when it comes to their revenue. Lots of laws get passed and then not effectively enforced, and I can’t really blame businesses for not wanting to entirely upend their business model for something the EU might not care about in a few years.


> If your answer is "the entire world is stupid,"

I have never said that and it's not correct to suggest it. Lots of people are abusing other people with tracking and they have a financial interest to say that the law is bad and to act in bad faith. And they are doing it.


> The EU implemented a law.

Only by using a very loose definition of "implemented" sans common implementation measures like clarification and enforcement.


It's being enforced. https://www.enforcementtracker.com/ The huge list of people or organisations that come into compliance after an admonishment from the data commissioner does not even make the news.

> implementation measures like clarification

No directive needs clarification to be implemented as law. That's the most absurd thing I've heard all year.


> The law itself is perfectly sane. The problem is that everybody tries to apply it in the worst possible way.

You mean putting trust that a website behaves by implementing its own popup system versus enforcing it on the browser side with a single implementation? Doesn't sound sane to me.

Why don't we implement a law where visitors cannot enter your house when you are not at home, unless you consent. That way we can get rid of locks.

Very sane.


Nobody asks you to ask for that pop up at all. Just don’t track the users :)

Very sane.


Or I could just not give the popup and track you anyway. Nothing is stopping me (yeah the law will stop me haha).

Unless of course you block me from your browser, then I can't do anything.


You may also shoot me, law doesn’t stop you from doing that.


Sure, but why prefer a law over a technical solution?


Because it’s not always easy to see the technical solution.

Trying to say that the law is bad because it doesn’t conform to some idealised version of it you had in your head doesn’t mean the law is bad.


Konsoolo is right, this is the most stupid solution they could possibly come up with. Every time I enter a website, I see the bloody useless cookie banner. Those who designed this law have no idea how people behave on the internet. Nobody is going to read a cookie policy on every single website they enter, people want to get to the content they are looking for as quickly as possible. Privacy controls should be available at a browser level, so that 1) you don't force me to accept/refuse each time, disrupting the user experience 2) I am not going to lose all settings if someone from customer support suggests to delete cookies 3) I only set my preferences once, instead of having to decide a million times. The outcome of this stupid regulation is that website owners can still find a million ways to trick users with all sorts of dark patterns and subtle manipulation of language, and users have no way to defend their privacy unless they are willing to spend time understanding the working of this on each website they visit.


Hahaha, the GDPR law itself is idealised! You have a weird take on the whole situation.


The solution to avoiding tracking can't be on the client side, because it's not the client side doing the tracking. So it should be obvious that the law can't target the browser, it must target the server.

This is not only sane, it is very obviously the only way it could be done. Remember, the law isn't about cookies or headers or anything specific: it is a law about user tracking. You're delivering JS that paints a font in a hidden area of the screen? It's then measuring the results and reporting data back to you to track this particular user? Then you need to ask for consent. The browser can't possibly know the intent of the code it is running, so the browser can't be made responsible for protecting user privacy.


How can you enforce it on the browser side? The issue is not the data stored on the client. In many ways it is impossible to implement.


This is about cookies, which are stored on the client.


Ok. So we drop the cookies and invent/use something else that works like the cookies (e.g. an iframe that pings to Google's server). What's that good for? Are you considering including the CORS, iframes and whatever feature may leak information about the visitor in the law as well?


An iframe that pings Google is pointless if it doesn't send cookies.


How is that? It can send whatever it wants as query strings (e.g. timestamp, current window etc.)


Browser fingerprinting is a thing. In fact I suspect most of the supposedly GDPR compliant (so no cookies or local storage) still use fingerprinting in the background because you can't prove it's happening from the client (and the law is not being enforced anyway).


Most fingerprinting relies on JavaScript (or maybe some CSS shenanigans) which you could prove from the client.

Using fingerprinting for tracking is not GDPR compliant.


It is not about cookies.

If you hire Harry Potter's friend to create a totally magic way to track users and collect data from them, GDPR still covers it.


The cookie law is the ePrivacy Directive 2002,[1] not GDPR. And as a user, I would much rather control my privacy preferences regarding cookies from my own browser, instead of within hundreds of different implementations across websites.

We already have P3P to allow websites to declare how they want to use your information. European legislation should have focused on leveraging these existing tools and protocols to give control to the user, instead of annoying them with endless pop-ups.

1. https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...


Interesting, I did not know that. Where is that covered? I want to read more.


GDPR is all about user data AFAIK. If I understand it correctly it avoided the trap that is to single out specific implementations.

Also it seems either I or someone else misread the context. I'm in the broader GDPR context while someone else seems to be in the older cookie law context.


> The law itself is perfectly sane. The problem is that everybody try to apply it in the worst possible way.

A law that doesn't take into account how people react to it is not "perfectly sane". This was the obvious outcome before it passed.


There is no reason to submit to abusive people because we know in advance they will react in a bad way. Pragmatism has some limits and tracking everybody is out of limit even if it makes some types of business more difficult.


> A law that doesn't take into account how people react to it is not "perfectly sane".

Law is a back-and-forth process; you can’t just create a perfect law on day one then stop evolving.


> The law itself is perfectly sane. The problem is that everybody be technically compliant with ignoring purpose of the law.

FTFY


If the worst possible application of a law is insane, then the law itself is NOT perfectly sane.


I don't see why. People don't need laws to do insane things. Everybody can do insane things and respect the law. Law is not a magical thing that forces everybody to act rationally and sanely.


Imagine the converse: if the worst possible application of a law is too sane, then the law itself is not _strong enough_.


I have never seen a cookie consent implementation that wasn’t annoying, and absolutely do not believe that this law has had any beneficial impact at all on anybody’s privacy. It is the very definition of a bad law. It makes the web worse and more user hostile, and achieves none of its objectives.


See the tracking consent page on https://basecamp.com/? No? That's because there isn't one.

Every time you see one of those cookie popups it is a sign, right there front and centre, that the website you are trying to use is trying to play fast and loose with your data.

Complaining about these notices would be like complaining that restaurants are forced to put up a sign on their front door "Kitchen employees don't wash their hands" when they get caught not doing so.


> Complaining about these notices would be like complaining that restaurants are forced to put up a sign on their front door "Kitchen employees don't wash their hands" when they get caught not doing so.

Brilliant. I might copy and reuse that.


I wouldn't recommend it. It's a bad analogy and if I saw someone use it I'd think they don't have a good grasp on web technologies. Cookie tracking is used to do things like persist shopping cart items without logging in, and plenty of other things users expect websites to do. It is also used in data collection, but that's more of a moral objection to advertising-based monetization than some sort of strictly-worse practices (like kitchen employees not washing hands).


Just to be clear, you can still use cookies, you don't need consent. Shopping carts and login sessions etc. will work just fine.

You can still display advertising, that also doesn't need consent.

You just can't collect and process people's data that isn't required for providing the service. If a site displays that notice, it's because they're attempting to do more with your data, or collect extra data, than is strictly needed for the service.


Perhaps in theory. But in practice, nobody wants to risk being fined because a court determines that some data wasn't required to provide the service. Do you really need to have persistent carts for non-logged-in customers? Can't you just only offer the cart for logged in customers? It's not required, just beneficial.

Thus, these cookie disclaimers are like Proposition 65 warnings in California. They're everywhere so people ignore them.


The most likely first steps in the UK is that ICO will get in touch and tell you you've done something wrong and need to fix it. Courts and enforcement penalties come later if you persist, or your infraction was significant.

I run websites, and I don't feel in any way worried about it personally.


Right, and the easiest way to fix it is to throw up a cookie disclaimer and forget about it. So disclaimers become ubiquitous.

Are you familiar with Proposition 65 in California? Any product or business location that has any detectable amount of carcinogens needs to disclaim that it potentially contains carcinogens. Among other things, gas stoves and roasted coffee both contain trace amounts of carcinogens. So most restaurants and coffee shops display Proposition 65 warnings. Said warnings have become so ubiquitous that nobody cares about them. The same scenario is playing out with cookie disclaimers.

> Except there's no such thing as a cookie disclaimer as I said in another comment. Extra tracking/data processing has to be opt in, and you have to provide the service to the user even if they don't opt in, so you can't just throw up a notice that says you might not be compliant because you still need to be compliant.

Yeah, they do exist. And you can find them on plenty of sites that block content unless the disclaimer is accepted. You may be of the mind that this is not compliant with the legislation, but reality demonstrates otherwise.

> Prop 65 is different. The cookie law is like saying "if you sprinkle extra carcinogens in your product then you need to disclose it".

This is making the same error as the washing hands analogy. This ignores the fact that cookies are necessary to power user-facing features.


> Right, and the easiest way to fix it is to throw up a cookie disclaimer and forget about it. So disclaimers become ubiquitous.

Except there's no such thing as a cookie disclaimer as I said in another comment. Extra tracking/data processing has to be opt in, and you have to provide the service to the user even if they don't opt in, so you can't just throw up a notice that says you might not be compliant because you still need to be compliant.

> Are you familiar with Proposition 65 in California?

Yep, it's irrelevant.


Prop 65 is different. The cookie law is like saying "if you sprinkle extra carcinogens in your product then you need to disclose it".


> This is making the same error as the washing hands analogy. This ignores the fact that cookies are necessary to power user-facing features.

I don't know if you're doing this deliberately or not at this point because I've said it so many times.

You. Are. Allowed. To. Use. Cookies. Under. GDPR.

There are times you need to ask for consent, but for login cookies, shopping carts etc. that follow some relatively simple guidelines, you don't need to ask for permission.

Do you really find that so hard to understand?


> You. Are. Allowed. To. Use. Cookies. Under. GDPR.

Until a government bureaucrat decides that your usage is not necessary and they threaten you with a fine.

You are not the one enforcing these laws. What you think is a reasonable interpretation of these "relatively simple guidelines" is no guarantee that a government commission is going to reach the same conclusion. Do you really find that so hard to understand?


If the ICO decides you're in breach of the rules, and has reached out to you to help you comply and you aren't receptive you're just going to end up in court and you can argue your case there, and if you can't trust your courts then you've got other problems.


If you allow users to add items to their cart without logging in, that isn't tracking them. It's just storing the information which the user wants you to store on their browser.

Many people click "add to cart" without logging in because that is the service they want. Nobody voluntarily clicks "track and analyze my activities on this site", because that is not a service people want.


> Many people click "add to cart" without logging in because that is the service they want. Nobody voluntarily clicks "track and analyze my activities on this site", because that is not a service people want.

You realize that in order to implement "add to cart" you have to track their activity on the site? That's what the cookie is for. To track customers and persist their cart. If you can't track customers then you can't associate them with their cart.

As far as analyzing activities, what is and isn't allowed is murky. Is it okay to do A/B testing and see their impact on sales? This requires tracking and analyzing user activity, but isn't necessary to provide the service. But it is necessary to actually determine whether changes to the service are positive or negative. So do you throw away A/B testing, do A/B testing and risk fines, or throw up a cookie disclaimer?

> If you can't work out what data is and isn't required for the functioning of your site then perhaps you shouldn't be running one.

I'm more than confident in developers' abilities to know what is and isn't required. I'm dubious of government bureaucrats' abilities of doing so.


If you can't work out what data is and isn't required for the functioning of your site then perhaps you shouldn't be running one.


A "cookie disclaimer" does not solve any of the problems you describe.

First, you can't avoid solving the murky analysis. You must be able to specify in clear language what personal data you're using for what purpose and which specific paragraph of the GDPR gives you the legal basis to do so.

Are you using that data for A/B testing because it's a legitimate need where you don't need consent or because the user consents to it? Well, you have to decide before implementing that disclaimer, because the disclaimer should clearly state that answer!

Furthermore, if you decide that some use case does not fit the legitimate need criteria and you need consent, then a "cookie disclaimer" does not reduce the risk of fines - because a disclaimer does not collect opt-in consent, it can (at best) record acknowledgement, so if you need consent but only have a disclaimer, then that still risks fines.

On the other hand, if you trust your developers to know what is required and what's not, and you have documented it properly (because it's not just a good idea, it's mandatory), then you should be able to run that documentation through your local data protection authority to validate any doubts, that's part of their job, and wherever I have seen them work it's something they eagerly do.


You can't implement carts, persistent or otherwise, without cookies (localstorage et al is a type of cookie), because clicking on a link would throw away the cart data. If people click "add to cart" then of course they want you to track the cart contents; that doesn't give you the right to track anything else.


Right, and now you get sued by a group claiming that you don't need carts for non-logged in customers. Do you need to provide carts for non-logged in customers? No, says the lawyer, you selfishly used cookies to track people without consent in order to improve your sales. Or you can just throw up a cookie disclaimer to cover your ass.

Sure, the cart is perhaps a trivial case. But persistent tracking is also used to prevent abusive behavior, and other things that aren't strictly necessary. The risk that someone might try to claim that these are unnecessary far outweighs the cost of throwing up a cookie disclaimer. Thus, cookie disclaimers become pointless through their ubiquity.

Reply to your comment, since HN is rate limiting my work VPN:

> That's not how it works. Someone complains to the Information Commissioner's Office (ICO). ICO determine if the complaint is valid and will get in touch with the site owner to help them come into compliance.

And then they get sued if they don't come into compliance. This is just elaborating extra steps.

> There is no such thing.

> You have to make unnecessary data collection and tracking opt in. You can't have a notice that says "we might do x unnecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.

Right, and websites don't display content unless this supposedly unnecessary data collection is opted into. Because nobody wants to risk being on the wrong side of ambiguous restrictions on necessary and unnecessary tracking. You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.

Again, carts aren't actually necessary. They make it easier for users to buy multiple items, but you can make cart-less checkouts by having customers select all items on a single page. Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.


> Right, and now you get sued by a group claiming that you don't need carts for non-logged in customers.

That's not how it works. Someone complains to the Information Commissioner's Office (ICO). ICO determine if the complaint is valid and will get in touch with the site owner to help them come into compliance.

> Or you can just throw up a cookie disclaimer to cover your ass.

There is no such thing.

You have to make unnecessary data collection and tracking opt in. You can't have a notice that says "we might do x unnecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.


> That's not how it works.

In some countries your competitors or some other third parties can just directly send you a cease-and-desist letter if they believe you're violating some law.

Even if that letter turns out to be unfounded because it turns out that implementing a shopping cart using cookies without an explicit consent is a legitimate use case, they're quite a bit more of a hassle to handle than your supposed friendly ICO just "get[ting] in touch with the site owner to help them come into compliance".

So one more reason to err on the side of over-caution and just put up a popup for any kind of cookie...


This is a reasonable grounds to discriminate. No one is required to provide non-logged-in users a bulk product purchase interface. They could choose to buy each product separately, or sign in. Bulk purchase cart is not essential, it is a convenience.


> And then they get sued if they don't come into compliance. This is just elaborating extra steps.

If you don't come into compliance with data privacy laws after being helped to do so by the ICO, then yes, you deserve to end up in court.

> Right, and websites don't display content unless this supposedly unnecessary data collection is opted into.

That's literally not allowed under GDPR. You can't avoid the GDPR by doing something that is in violation of the GDPR. It's like trying to avoid getting a speeding ticket by going faster.

> You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.

Yes, and they're not compliant with the GDPR. Not all sites will get the tap of the ICO's hammer though. Some are going to be too hard to enforce (non-EU only entities for instance) and some just won't get complaints.

> Again, carts aren't actually necessary.

Nope, they are very much allowed.

> Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.

Nope, totally incorrect.


> You can't avoid the GDPR by doing something that is in violation of the GDPR. It's like trying to avoid getting a speeding ticket by going faster.

Well, it worked for the Dukes of Hazzard, and it seems to be working well for Facebook et al so far...


I do see a uuid cookie though.


This is based on your own interpretation of what the law is supposed to do, and not the stated intention of the law. The premise that use of any cookie that would require a consent banner can only possibly mean abusive tracking is simply false. The UK guidance on the law describes 4 categories [0]: strictly necessary, performance, functionality and tracking. The presence of a cookie consent banner could mean nothing more than the specific functionality of the service requires it. Furthermore, the difference in categorization from one cookie to another depends in part on how the data is used rather than what types of collection are technically feasible. The absence of one could also mean that the service is simply non-compliant, and the presence of one is not sufficient to make the judgements you're making. Compliance, even among those who choose to display a banner, is incredibly low [1]. The law has simply had no impact at all on privacy, the way it has been implemented only serves to nuisance and mislead consumers, and if you actually do use it to divine the information you're claiming to, then you're simply intentionally misleading yourself.

[0]: https://www.cookielaw.org/wp-content/uploads/2019/12/icc_uk_...

[1]: https://www.engadget.com/2020-01-13-websites-not-following-e...


I'm specifically talking about the GDPR which is the cause of all the popups we're seeing (but to be clear, doesn't require a popup), not the earlier "cookie law", which I agree is crap, and that you linked to.

However, that law does state that you don't need to get permission if the cookie is:

"Strictly necessary to provide a service explicitly requested by the user"


Which doesn't cover:

A cookie that remembers your shopping cart if you leave the site and return to it later. A cookie that remembers any preference you register if you leave a site and return to it later. A login cookie that persists after you leave the site doesn't explicitly require consent, but if you don't get it, then you are technically deviating from the guidelines that "[strictly necessary cookies] will generally be first-party session cookies" and that session cookies are "temporary and expire once you close your browser (or once your session ends)". If you had a persistent auth cookie, it would be reasonable to lean towards consent based on the published guidance.

from https://gdpr.eu/cookies/

> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.

> To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

> Receive users’ consent before you use any cookies except strictly necessary cookies.

Your stated understanding of when consent is and is not required is simply incorrect.


> Receive users’ consent before you use any cookies except strictly necessary cookies.

Yup.

> login cookies

Put an unchecked "Remember me" checkbox on your login page and link to your cookie/privacy policy. This is a good idea anyway as the user might be on a shared computer.

> Preferences cookies

Allowed to be persistent as long as they don't contain user identifiable information.

> A cookie that remembers your shopping cart if you leave the site and return to it later.

I couldn't find any specific guidance on this, so it seems reasonable to use a cookie that might last a few hours or so, then have a talk to your local Information Commissioners Office if someone complains.
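
The cookie lifetimes this comment suggests (a login cookie that persists only when "Remember me" is ticked, a cart cookie that lasts a few hours), as an added example that is not part of the thread. The cookie names `sid` and `cart`, the 30-day and 3-hour values, the `lang` and `_trk` sample headers and every function name are assumptions; the audit only compares lifetimes against a policy you supply.

```javascript
// Added example (not from the thread). All names and durations are assumptions.
const REMEMBER_ME_SECONDS = 30 * 24 * 3600; // assumed persistent-login lifetime
const CART_SECONDS = 3 * 3600;              // "a few hours or so", assumed as 3 h

// Build a Set-Cookie header value. maxAge === null yields a session cookie:
// with neither Max-Age nor Expires the browser drops it when the session ends.
function buildSetCookie(name, value, maxAge = null) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'HttpOnly', 'SameSite=Lax'];
  if (maxAge !== null) parts.push(`Max-Age=${maxAge}`);
  return parts.join('; ');
}

// Login cookie: persistent only when the (unchecked by default) box was ticked.
// Anything other than the boolean true fails closed to a session cookie.
function loginCookie(sessionId, rememberMe) {
  return buildSetCookie('sid', sessionId, rememberMe === true ? REMEMBER_ME_SECONDS : null);
}

// Cart cookie: bounded lifetime instead of an open-ended one.
function cartCookie(cartId) {
  return buildSetCookie('cart', cartId, CART_SECONDS);
}

// Parse one Set-Cookie header value into its name and effective lifetime in
// seconds. Max-Age wins over Expires (RFC 6265); null means session cookie.
function describeSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eqPos = pair.indexOf('=');
  const name = eqPos === -1 ? pair : pair.slice(0, eqPos);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    if (eq === -1) continue; // flag attributes such as Secure or HttpOnly
    const key = attr.slice(0, eq).trim().toLowerCase();
    const val = attr.slice(eq + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    if (key === 'expires' && !Number.isNaN(Date.parse(val))) {
      expires = Math.round((Date.parse(val) - now) / 1000);
    }
  }
  const lifetimeSeconds = maxAge !== null ? maxAge : expires;
  return { name, lifetimeSeconds, persistent: lifetimeSeconds !== null && lifetimeSeconds > 0 };
}

// Audit the Set-Cookie headers of a first response (before the visitor has
// chosen anything) against a policy of { cookieName: maxAllowedSeconds }.
// A limit of 0 means "session cookie only". Unlisted cookies are reported.
function auditFirstResponse(headers, policy, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const c = describeSetCookie(header, now);
    if (!Object.prototype.hasOwnProperty.call(policy, c.name)) {
      findings.push({ name: c.name, reason: 'not in policy' });
    } else if (c.persistent && c.lifetimeSeconds > policy[c.name]) {
      findings.push({
        name: c.name,
        reason: `lives ${c.lifetimeSeconds}s, policy allows ${policy[c.name]}s`,
      });
    }
  }
  return findings;
}

// Constructed sample: two cookies issued by the helpers above plus two
// made-up headers of the kind a third-party snippet might add.
const SAMPLE_NOW = Date.UTC(2030, 11, 31); // fixed clock so Expires is reproducible
const SAMPLE_HEADERS = [
  loginCookie('abc123', false),
  cartCookie('c-1'),
  'lang=en; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT',
  '_trk=9f2; Max-Age=63072000; Path=/',
];
const SAMPLE_POLICY = { sid: 0, cart: CART_SECONDS };

console.log(auditFirstResponse(SAMPLE_HEADERS, SAMPLE_POLICY, SAMPLE_NOW));
```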


The actual law can be found here: https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19

Emphasis mine:

However, such devices, for instance so-called ‘cookies’, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

Where are you getting that some cookies don't require consent?


https://gdpr.eu/cookies/ says (emphasis mine)

> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

See the "Cookies and the GDPR" section for discussion.


Why are you so unwilling to read anything on that page except that specific paragraph? The next paragraph says:

> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.

and further down the page a little bit:

> Receive users’ consent before you use any cookies except strictly necessary cookies.

I sincerely hope that nobody reading this thread follows any of your terribly incorrect advice.


Preference cookies are not allowed to persist without consent. Not only is your interpretation of the regulations very highly opinionated, but it’s just outright wrong on some points. Your assertion that anybody who deviates from your opinions on the regulation, or doesn’t share your misunderstandings must be abusing data by asking for a cookie consent is frankly ridiculous. The guidelines also state that even for Strictly Necessary cookies, the site must explain why they are necessary, something your canonical example of a good site fails to do.


> Preference cookies are not allowed to persist without consent.

OK, I am willing to be educated, point me at the place in the regulations this is discussed.

> Not only is your interpretation of the regulations very highly opinionated, but it’s just outright wrong on some points.

s/opinion/interpretation/

> The guidelines also state that even for Strictly Necessary cookies, the site must explain why they are necessary, something your canonical example of a good site fails to do.

You don't need to do this in a cookie popup consent dialog. You are welcome to carry on thinking this if you want to though obviously.


> Preference cookies are not allowed to persist without consent.

> OK, I am willing to be educated, point me at the place in the regulations this is discussed.

It is not discussed, it is stated very explicitly:

>(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:...

If you want to persist any preference information, you must get explicit consent. Whether you use that information for tracking or not, or whether it is combined with PII or not, has absolutely no bearing on your obligation. The act of persisting that information in the user's browser requires consent. As this is a directive, it will be implemented independently by every member state, so if you want specific guidance for a specific state, you'll have to look it up. I linked the UK's guidance on this to you above, which you ignored. The facts are:

> If you want to persist any preference information, you must gain explicit consent

> The existence of cookie consent dialog is not a sign of malfeasance

> Lack of a cookie consent dialog is not a sign of lack of malfeasance

> Your stated interpretation of the regulations is very highly opinionated, and not supported by any jurisprudence

> Some of your stated interpretations are just demonstrably wrong

> The actual regulation is almost never followed

Based on those facts I would argue that the regulation has provided no benefit to the public at all, and has simply created a global nuisance that we all have to put up with now.


It's a little closer to "kitchen employees may touch pens or keyboards". Of course the restaurant is going to print off a sign and stick it to the door instead of asking staff to remind you that they're going to write down your order.


I think you are talking about wait staff not kitchen staff.

The thing is, wait staff need to use pens/keyboards to do their job. It's part of what it is to be a waiter or waitress.

GDPR doesn't make website owners ask people if they can use cookies, you can use cookies just fine without asking people. You have to ask people when you want to collect or process more data than is required to provide the service.

The point of the analogy was to make a comparison between being clean with data and being clean with food.


> GDPR doesn't make website owners ask people if they can use cookies, you can use cookies just fine without asking people. You have to ask people when you want to collect or process more data than is required to provide the service.

I don't have any first-hand knowledge here, but my guess would be that the corporate lawyer's recommendation is always going to be "just get consent for every cookie". The alternative is to risk lengthy litigation over whether specific cookies required the consent. If they ask every time, they can avoid that nightmare.

Because of this, the notice doesn't really serve any purpose of a signal of sysop goodwill. Virtually every business large enough to have lawyers will add it where there's the possibility it'd be required, regardless of the cookie's intention.

Well-intended law that causes many negative side effects is still bad law, just as well-intended software may very well still be bad software.


It's up to you if you want to stick unnecessary notices on your website. If your lawyers tell you to do this then do it, or get better lawyers.

Some lawyers make restaurants get waivers from customers before they order steak that's not fully cooked. It doesn't mean it's necessary (and I would definitely not eat at one).


@pembrook wrote this elsewhere in the thread [0]:

> If your answer is "the entire world is stupid," then I'd argue you don't understand how the field of design is supposed to work.

And I think it really sums the argument up. Good design and engineering is about building something that performs its function efficiently, reliably, and unobtrusively. If something is widely misunderstood or misused, it's a design flaw.

"Blame the [law-abiding] citizens" is just as much of a cop-out as "blame the user".

In this case, however, it's not a case of general misinterpretation or misunderstanding. It's a case of the law creating very strong -- like significant-millions-of-dollars-on-the-line strong -- incentives for every significantly-sized company to harass every visitor. That's a pretty huge flaw.

It sounds like your response is basically "well if they aren't doing anything wrong, they have nothing to fear! just go to the tribunal and prove that every cookie is innocent." And in that case, please refer back to pembrook's quote above.

[0] https://news.ycombinator.com/item?id=23095303


> want to make a $5 payment? Hand over the secret that gives the other party the ability to take an unlimited amount of money from you at any time in the next 4 years, and hope they don't misuse it

I don't understand this at all, and I always feel so nervous using my card at US retailers for this reason (these days I try to stick to PayPal where possible). Where I'm from, _all_ one-off online card transactions are 2FA'd between you and your bank; it was strange to say the least the first time I paid for something on Amazon and the transaction just...went through.


In the US this isn't a major issue due to very consumer friendly legislation. This is omitting some details, but effectively you call your card provider and say you didn't make a purchase. Then it's effectively up to the merchant to prove you did.


That's not really consumer friendly. We wind up paying higher costs for everything because of this. The lost money doesn't magically disappear - the merchants have to include it in their costs.

Actually fixing the problem - 2FA etc. - would probably be more consumer friendly in the long run.


It really just depends on what you value most when it comes to "friendliness". If you value being able to just swipe your card or enter your details and be done with it, and not have to deal with 2FA prompts, remembering a PIN, digging in an app on your phone, or waiting for a code via SMS, then you might not mind the small price increases around the board to account for fraud.

Not saying that's the case for everyone, but you can't define "customer friendly" in a narrow way that conforms to your personal desires and assume that's that.

Also consider that if banks did have strong authentication around every purchase, there would be less of an incentive for banks or merchants to agree to roll over and eat the cost when there is fraud (and more ammunition for them against laws that require them to). No security/anti-fraud system is perfect, and something will always slip through; I wouldn't want to be a card holder stuck with a big bill because someone managed to clone/swap my SIM (for example) and make transactions using my card if I had no protection from that.


My local Costco still isn't set up to handle chip cards at the gas station. No Apple Pay, either. That's just silly.

Other countries had chip cards and contactless payments in widespread use a decade or more before the US even got support for them.


From what I can tell, most gas stations aren't set up for chip cards. I got gas last weekend at a Shell station in SF and was surprised to see the reader was chip-capable. Seems like it's still pretty rare. It's moderately insane that gas stations have been allowed to drag this out so much, considering that gas pump readers are a huge target for card skimmers.

(Then again, I guess a chip reader doesn't stop people from putting in a skimmer that just reads the card number as usual through the magstripe.)

The pump also had a pad for contactless payments, but I couldn't get it to work with either my phone or the NFC chip on my credit card. Maybe it only works with Shell's own card? Wasn't clear.

(And at the complete other end of the spectrum, I then went to top up my tire pressure, only to find that the air pump wanted quarters, and only quarters. Fortunately the attendant turned it on for me for free. I usually don't carry much cash around with me, and even more rarely have coins.)


> Then again, I guess a chip reader doesn't stop people from putting in a skimmer that just reads the card number as usual through the magstripe.

I'd imagine it would do though, as many chip readers only need you to insert your card far enough to read the chip, which isn't far enough to read the entire magnetic track and thus skim the track (am layman though)


Maybe US issuers were much better at on-line fraud detection and didn’t need the newer system?

Hoping someone from the industry can comment, but I was under the impression that US issuers were eventually forced into EMV, after dragging their heels, because the US became a prime market for cashing out mag stripe data from non-US issuers.


Not because they are better at fraud detection, but because US issuers levy much higher fees from their customers across the board and so can eat more fraud-related losses.


Yep. In the US the interchange fee is more than 2% of the transaction. In the EU, interchange fees are capped to 0.3% of the transaction for credit cards and to 0.2% for debit cards. That's why in the US they have those cash back options on credit cards, that are just not possible in Europe.


Consumers have been paying for merchant losses since before credit cards even existed. The price of shoplifting, robbery, burglary, etc. have always been factored into brick and mortar pricing (even if only via the cost of insurance). The cost of fraud is factored into online pricing. It’s not a problem that’s going to go away.


"It's not going away" is not a good reason not to mitigate.


2FA would also have higher costs for consumers, possibly much higher costs due to customer support staff and having to reset that second factor.


Speaking of omitting details. Consumer friendly legislation helps solve a problem that need not exist in the first place and saying this “isn’t a major issue” assumes:

a) the consumer catches it in time

b) the consumer has the time to deal with the bank (try calling Wells Fargo in the midst of COVID)

c) it doesn’t cause the consumer’s rent check to bounce

The US payment card system is not a good solution for the non-cash payments problem.


AFAIK you're talking about 3DS and under 3DS the code is treated like a PIN. So if you want to revert a transaction protected by 3DS, you're out of luck, because you acknowledged it yourself. Now if your transaction is not 3DS (or PIN) protected, you can claim that your card was stolen and the bank should revert the transaction and issue a new card.

So it's about who's responsible. Without 3DS or PIN a merchant is responsible. With 3DS or PIN a client is responsible.


Keep in mind that this difference only applies to fraud. You can still dispute transactions for other reasons (missing/wrong goods delivered, etc).


I have never had trouble getting a transaction I legitimately needed reverted to be reverted.


The banks have determined that the cost of preventing fraud is higher than the fraud itself. If you suspect fraud on your account, or if a card is stolen/lost, the fraudulent transaction is quickly reversed and a new card arrives in the mail in 2-3 days.

And it's pretty rare. I've had only one actual instance of electric fraud, and one stolen card in 20 years. That's 20 years of never having to remember or type in a PIN.


2FA has apparently been found too expensive. Banks do a lot of fraud detection in the background.


I get your decision making but the annoying thing is that using PayPal will most likely reduce your legal protections? Fingers crossed PayPal don't screw you over...


Look up what a "chargeback" is. That's the mechanism (and which has been working well enough in practice to keep the system going, and everyone is happy (except for some merchants of course)) that is preventing the dangers you are thinking about from occurring too often to unsuspecting card holders.


Then it brings with it a whole list of different problems, like being incredibly susceptible to buyer fraud, the cost of which everybody then has to eat.

Meanwhile it causes the payment processors to not want to do business with merchants who get a large number of chargebacks, even if the problem isn't with the merchants but with their customers. In other words, it discriminates against merchants who do business with disadvantaged clientele who are more likely to have payment issues.


A merchant getting excessive numbers of chargebacks is not in and of itself an issue if you have all your ducks in a row.

I mean it's an interesting enough heuristic, but can you provide an example of a processor that would refuse to do business with someone because they had excessive chargeback, but also had the information in place to prove the purchases in question?

I mean, if you've got crappy customers, I can understand where you're coming from, but I think your choice of customer base to market to may be more in question than whether the system as a whole is fit to transact in.

I don't have much firsthand experience in it though, so I'd be thrilled if you could share some insight on it.


> I mean it's an interesting enough heuristic, but can you provide an example of a processor that would refuse to do business with someone because they had excessive chargeback, but also had the information in place to prove the purchases in question?

The problem in many cases is the difficulty in proving the purchases. For something like digital content, the only proof you'd really have is some server logs showing that it was transferred, which are naturally trivial to fabricate because they're entirely under the control of the seller, and so the payment processor may not give them much weight.

> I mean, if you've got crappy customers, I can understand where you're coming from, but I think your choice of customer base to market to may be more in question than whether the system as a whole is fit to transact in.

But then you run headlong into the efficient market hypothesis, because when everybody else is avoiding that customer base for those reasons there is less competition and thereby greater opportunity.

Also, from the perspective of the customer, just because 30% of similar customers are dirtbags doesn't mean you are or that you don't want to be able to buy your stuff.


I did not say it does not have any problems. The poster said that they don't understand why the whole system even works. I simply explained the mechanism by which it currently works. I did not say it was flawless.


>Did no one involved in the cookie legislation think to run the idea by a technical expert before passing it? Why wouldn't they have done something like introduce an X-Allow-Tracking header in the http spec, and make the law require that sites respect that header instead of every site making their own cookie popup. Browsers could make that privacy setting as detailed as they want as far as which requests they included it with, and the EU could strongly recommend that everyone use browsers that they've approved as supporting that setting (or even force it in various ways, like require any OEM browser that ships with a device in the EU support that setting).

Like with DNT? Nobody cares about that. Defaults matter too and DNT is default off. So it probably adds more entropy if you enable it.

Besides that: Technical cookies (or any other storage in your browser) that are required for your site to work do not require consent. Tracking from ads are obviously not included in that definition.


Wouldn't we just get pop-ups saying, "please enable X-Allow-Tracking for this website"? Same thing that some websites do in response to ad blockers.


Yes, it means that if you consent for cookies, you don't get annoying popups everywhere. Or, what actually would be interesting, a law explicitly disallowing "please enable X-Allow-Tracking for this website" popups.

Right now the web is broken anyway - some pay (in data and ads), some are free-riders. And everyone is pestered by cookie popups. This "no tracking unless required for functionality" would make it nice to change a model for actually paying for use. (It promotes quality content, less distractions, less clickbaits; and thinking twice if you want to spend more time on yet another meme aggregator.)


It's malicious compliance.

Sites were supposed to stop using a shotgun method of grabbing all data they can, sharing it with everyone that will take it, and hoping something will stick. They were supposed to take responsibility for data they collect and share.

But instead of changing anything, sites went for the laziest workaround (which apparently isn't even legal), so that they could ignore the legislation and keep business as usual.


There is no "cookie law". Nothing in the law has to do anything specifically with cookies.


There absolutely is a cookie law. The UK legislation is "PECR" [1] which sits alongside the GDPR.

> PECR are the Privacy and Electronic Communications Regulations. Their full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003.

> They are derived from European law. They implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.

> PECR cover several areas:

> The use of cookies or similar technologies that track information about people accessing a website or other electronic service.

See "How does this fit with the GDPR?" for how the two relate, tl;dr:

> The GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but using the new GDPR standard of consent.

[1] https://ico.org.uk/for-organisations/guide-to-pecr/what-are-...


This is correct in GDPR. This is why you can’t use something like LocalStorage, ETags or something else as a loophole.


No, you can't, because the law concerns itself with data storage and processing, not whether you are using a cookie.


Ah that was a brain fart moment, sorry. I meant to say you cannot use, GDPR is something I handle daily. Thanks for correcting, I amended the answer.


This is not correct, in the UK at least. Similar technologies like LocalStorage fall under cookie law. [1]

[1] https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...


Parent edited their comment from "can" to "can't", and I got downvoted, yikes.


“introduce an X-Allow-Tracking header in the http spec” The DNT HTTP header is about 10 years old. It is widely ignored by many data collectors.

https://en.wikipedia.org/wiki/Do_Not_Track


I think they tried a cooperative approach with more technical design. It was called DNT... the do not track header thingy. Failed because no one gave a shit. So they made it financially painful. It is the only language companies understand and respect.

Cookies are also just a method. GDPR is not specific about it.


4 years? You're lucky. My Argentinian card expires in 2031. Yet I've never gone more than 2-3 years without having to cancel it due to some bad actor overcharging me.


Note that the law only requires these banners for cookies which e.g. track you. (Which by now require far more opt in than a cookie banner, thanks to GDPR).

Purely functional cookies, like those used for CSRF prevention or login cookies, do not require any user notifications as far as I know.

(Be aware that this is only true for login cookies which are just used to handle an active login, which means they must set the right flags to not be sent to a different domain, etc.)


Believing that there is such a thing as an "EU cookie legislation" is a clear sign that you don't know what you are talking about. You seriously want the EU to micro-manage the HTTP spec?


> You seriously want the EU to micro-manage the HTTP spec?

Well no, what you really want is browsers that do the right thing to begin with and e.g. block third party cookies by default. Then you don't need "cookie legislation" at all.

But if they're going to require something then it should at least be clear what the requirement is. If multiple large corporations who can obviously afford competent attorneys are doing something ridiculous, that's pretty good evidence that your legislation is drafted stupid.


But it is not just third-party cookies that are the issue. If that was the case it would be easy to solve. But consider if you buy some books or sex toys or whatever from an online store. Do you want the store to sell information about your purchases to third parties? That is what the "cookie consent" is about.


But that has nothing to do with "cookies" at all. You could in principle implement purchasing using client-side javascript without any cookies, as long as you don't care that the customer's shopping cart disappears if they close their tab, and when the customer sends their purchase information you'd still have all their personal info even if you didn't use any cookies.

Meanwhile the actual problem with (third party) cookies is that they're used to correlate users across multiple sites for tracking purposes, which goes away when browsers stop accepting third party cookies by default.

> But consider if you buy some books or sex toys or whatever from an online store. Do you want the store to sell information about your purchases to third parties?

This is really a different problem, because how are you supposed to know if they're doing this anyway? How is the government? Once they have your information there is no real way to tell what they're doing with it if they're willing to lie to you.

So the answer is to make it so they never actually have your personal information. But for this we need some kind of anonymous digital payment system for small transactions, so that the vendor doesn't have to know who you are. If all they have is a transaction ID from a bank that lets them get paid and a virtual one-time-use PO box number you had the item shipped to which forwards to your real address for a week and then is deleted forever, they can do whatever they want with that information and you don't have to worry about it.


The obvious problem we all know, is that a browser cannot distinguish between a functional and an advertisement cookie. And honestly, cookies are a method. There are tracking methods where the user agent has no chance and is not involved.

Also GDPR is addressing much more than tracking consent.


> The obvious problem we all know, is that a browser cannot distinguish between a functional and an advertisement cookie.

Sure it can. Functional cookies come from the domain the user actually visited, advertising cookies come from other domains. That's not always true, but it's true often enough that those should be the defaults.

Firefox even does one better. It has a feature you can enable called "first party isolation" that allows third party cookies, but keeps a different set of them for each domain the user actually visits, so if the user visits a different site none of the third party cookies from the first site are there and they can't be used for tracking between sites.

> Also GDPR is addressing much more than tracking consent.

Next week we'll probably discuss some different part of it that would have been more effective if done some other way.
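
Added example, not part of the comment above and not Firefox's code: a toy JavaScript model of the three cookie-jar policies discussed in this sub-thread (default jar, third-party blocking, first-party isolation), showing what an embedded tracker can link together under each. The class, function and host names are hypothetical and the browsing session is constructed.

```javascript
// Toy model, constructed for illustration; not Firefox's implementation.
// Crude registrable-domain guess (last two labels). Real browsers use the
// Public Suffix List; this is sufficient for the sample hosts below.
const site = (host) => host.split('.').slice(-2).join('.');

class CookieJar {
  // isolate: key cookies by (top-level site, cookie site), not cookie site alone.
  // blockThirdParty: neither store nor send cookies on cross-site requests.
  constructor({ isolate = false, blockThirdParty = false } = {}) {
    this.isolate = isolate;
    this.blockThirdParty = blockThirdParty;
    this.store = new Map();
  }
  allowed(topHost, reqHost) {
    return !(this.blockThirdParty && site(topHost) !== site(reqHost));
  }
  key(topHost, reqHost) {
    return this.isolate ? `${site(topHost)}|${site(reqHost)}` : site(reqHost);
  }
  // Cookie attached to a request to reqHost made from a page on topHost.
  cookieFor(topHost, reqHost) {
    if (!this.allowed(topHost, reqHost)) return null;
    return this.store.get(this.key(topHost, reqHost)) ?? null;
  }
  // Handle a Set-Cookie from reqHost; returns false if the policy dropped it.
  setCookie(topHost, reqHost, value) {
    if (!this.allowed(topHost, reqHost)) return false;
    this.store.set(this.key(topHost, reqHost), value);
    return true;
  }
}

// What an embedded tracker can reconstruct: groups of visits sharing one ID.
function trackerView(jar, visits, trackerHost = 'ads.tracker.example') {
  const profiles = new Map();
  let nextId = 1;
  for (const topHost of visits) {
    let id = jar.cookieFor(topHost, trackerHost);
    if (id === null) {
      id = `uid-${nextId++}`;                  // tracker mints a fresh ID
      jar.setCookie(topHost, trackerHost, id); // may be dropped by policy
    }
    if (!profiles.has(id)) profiles.set(id, []);
    profiles.get(id).push(site(topHost));
  }
  return [...profiles.values()];
}

// Constructed browsing session: three sites, the first one visited twice.
const visits = ['www.news.example', 'www.shop.example',
                'www.forum.example', 'www.news.example'];
console.log('default jar:', trackerView(new CookieJar(), visits));
console.log('isolated:   ', trackerView(new CookieJar({ isolate: true }), visits));
console.log('blocked:    ', trackerView(new CookieJar({ blockThirdParty: true }), visits));
```

Under isolation the tracker still recognises a return visit to the same site, but it can no longer join visits across sites; first-party cookies are unaffected by either policy.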


I'm very curious what leads you to believe that this law doesn't exist? And be so sure about it as to call out someone else for not knowing what they're talking about.

"Passed in the 2002 and amended in 2009, the ePrivacy Directive (EPD) has become known as the “cookie law” since its most notable effect was the proliferation of cookie consent pop-ups after it was passed."

https://gdpr.eu/cookies/


I think the point is that there is only a need for cookie pop-ups if the site tries to exploit its users.

It is not the cookie that requires pop-ups. It's despicable behavior that does.


Well said.


To be frank I suspect that the answer is because that isn't their goal any more than a congressional fact finding session is to find facts - but to grandstand angrily about sour grapes.


Or it might have happened in the other direction, where there was an earnest goal, but opponents to that goal slipped a poison pill in

