If more browsers were still User Agents in the literal sense, maybe we wouldn't have needed this legislation. Browsers could have informed people about what cookies were, and could have presented the user with the option to never accept tracking cookies from Big Advertising. Every browser has the option to reject third party cookies or to clear all cookies at the end of the browser session.
This mischaracterization of cookies has, ironically, made life a lot less pleasant for people who don't accept cookies. The "opt-out" is just another cookie. There's nothing special about them either, they can be used to track return visitors just as well as any other cookie. I'm sure they're not, because that would be against the spirit of the law ...
Not tracking people without consent is definitely a Good Thing, but it shouldn't require everyone and their grandmother to put annoying cookie banners on every website under the sun. And I think it wouldn't have, had people been better informed.
I agree. The EU cookie laws were well-meaning, but have had the unintended consequence of making the web more annoying, more difficult to use, and more fragmented.
The solution? Cookie consent should be a built-in feature of browsers and http, not something that is reimplemented in a slightly different way by every single website.
Your browser should pop up a standardised cookie consent request when you browse a new site, and enforce your selection as part of its security policy. If you choose to block all cookies (ie: private browsing mode) then the cookie consent request wouldn’t need to appear at all.
Unfortunately these days the browser would be better referred to as the advertiser's agent," or perhaps just Google's agent.* Owing to Google's control over both web standards and the advertising market, cookie management features have received little attention.
Google's monopoly power has prevented a competitive market of privacy-focused, user-first browsers from flourishing.
It's also probably unlawful, the irony is that not too many years ago we punished Microsoft for unlawfully leveraging its monopoly to control the browser, and when we stopped them we paved the way for Google to do the same thing!
Well, from a antitrust perspective, having TWO giants in the space is better than having only ONE giant.
Ideally we'd now apply to Google the same pressure and further split the field. Alas, politics are complicated.
Many games wouldn't work well in a VM, of course, there's no getting around that.
Only if you ignore the giant market of adtech tracking bullshit that that has been ruining the web since about 2000.
Every website that shows you a "cookie" banner (aka we-track-the-fuck-out-of-you banner), is part of this problem. The law is just bringing it to light. Don't be annoyed by the law, be annoyed by the websites, they are choosing to be annoying.
Look at those websites, they are the problem, not the law telling them they can't do it secretly behind your back any more.
The biggest problem was that this law didn't tell them to be fucking honest in the banners. "This website needs cookies to function" (when it's only about their mishandling of data to 3rd parties) is a straight up lie by omission. If they had to honestly tell in the banners what they were up to "we track your every breath on this site and then sell it to third parties, who sell it to other parties, and god knows what", people would be looking at these sites differently.
"We're forced by law to inform you that we crap on your privacy and are actively ruining the web by delivering the fundamental data that runs the adtech industry"
And obviously Chrome would never do this kind of thing, since it hurts Google.
TBH, I wouldn't blame GDPR for this. Here's a good analogy of what's tracking companies are doing:
- Companies dump used batteries into the sea.
- Dumping batteries into the sea is banned.
- Companies start dumping batteries into lakes.
Cookie control/policy in browsers needs to become more sophisticated than what we have today.
IANAL, mind you - but that's how we implemented it - you're opting-in to the ads that target you and analytics which track you, or you get the non-tracking/non-targeting ads and analytics.
(adsbygoogle=window.adsbygoogle || ).requestNonPersonalizedAds = true;
You also have pretty tight control over the categories of ad that Adsense can display, and you can even go as far as to review individual adverts. I've booted a couple of ads that I found to be unethical/distasteful from my site using the review feature in Adsense.
The only issue with Adsense is that there are a gazillion ads it might show on your site, so I'd recommend filtering out any categories you don't much like first, and then reviewing ads sorted by popularity/impressions in descending order, otherwise you'll quickly go mad.
 Obviously not an option if you absolutely don't want to do business with Google.
What's not clear from Google's documentation, but what I assume, is that they also do not use the info about the context & visitor to serve them personalized ads on other websites.
Granted, from measurements on my own site that's only 1 - 1.5% of people, but Google's ad revenue for 2019 was $134.81 billion, meaning that they'd potentially be leaving $1.3 - $2 billion on the table by not serving ads to these people. Maybe it would be half that or less because the ads aren't personalised, so they're a bit more hit and miss and therefore probably wouldn't attract the same level of bids from advertisers.
But still, they'd be leaving a lot more money on the table than it would cost to fix the problem (an order of magnitude? two orders of magnitude?). Whilst they might choose to leave it due to opportunity cost, it doesn't seem that likely to me. Here's an example: I once worked at a company whose revenue sat in the £250-300 million range, and they absolutely considered it worth supporting 1% of their userbase for the extra £2 - 3 million it brought in (this is back in the day when IE7 and 8 were still a thing), because it probably only cost them high 5 to low-ish 6 figures per year in PITA workarounds to do that.
So, as I say, it seems odd to me that Google don't have a solution for serving cookie-free ads that require no consent.
Going back to skrtskrt's original question, "What are some good non-tracking & non-intrusive ad providers?"
 Obviously all us devs hated this, but it was tough to argue against from a rational standpoint.
I use adblock by default, so I have no ad-profile at Adsense that they'd use to show me "relevant ads". When I occasionally have to debug some issue with ads somewhere, I'm essentially getting the context-sensitive, not-personalized ads, and they're terrible. At least to me they look as if they were using very simple keyword-matches with little regard to context and primary language. It may be that they don't care to invest more, but it may also be that they don't have enough ad buyers that care for unpersonalized ads so they simply don't have a large pool they can choose from.
I'm also not sure that "cookie-free" would be enough, really. If you're loading ads directly from Google, the user makes the request and can therefore be tracked by Google. Even with Google Analytics and anonymizeIp, at least in the medical sector in Germany, GA is considered opt-in only. In that sense, I'm not sure a central service that delivers ads for you can work without requiring consent.
What very much should work would be a server-side system that's sale/lead-based, where the service would crawl your site, manage your affiliate programs and create ads for you that you'd then insert into your site. That way, no third party learns anything about the individual user and you don't require consent.
Example: you're seeing an article about devops and you get an ad about AWS instead of an ad that has followed you around from another website you visited previously.
The cookie used for frequency capping is considered to be a "technical cookie" and has no bearing on privacy, best I can tell.
The other types of cookies can be pretty much disabled at the point of calling the google tag, or enabled (along with more tracking/targeting ads) if the user consented to that.
But the comment you're responding to says it right there: Even google is telling you it requires consent. It's a cookie, so it requires consent, period. Don't fool yourself.
Could google serve ads without cookies, and do fraud detection by other means? Yes, perhaps lowering payout due to increased risk. But it much better to pretend that a cookie-banner is needed, so that you might as well enable ad-tracking cookies.
> You don't need to look far. You can simply tell Adsense to serve up non-personalised ads
This discussion describes exactly the problem. How long has this tracking consent law been there now??
And it's just an option in Adsense?!!!
So whenever I see a cookie banner, you can assume they are simply too greedy to flip the switch.
Clearly the adtech and adtech-supporting industry hasn't even slightly bothered to look for alternatives, instead opting to annoy the public with banners. It's pure propaganda in the hope that the annoyance will turn into defeat, and somehow they manage to turn people's disgust towards the EU law instead of them, simply continuing to do their useless crap business and pretending the EU got their hands tied ... when there's a literal boolean switch to tell their shit to behave.
For my website , I have build close relationships with local experts. They provide services my readers need, and I know they can be trusted. I get a commission from resulting sales. I like that model because advertisers have zero access to or control over the readers' data. Unfortunately, it's simply not applicable to all websites.
-  https://allaboutberlin.com/
For pubads, look into "setCookieOptions(1)" and "setRequestNonPersonalizedAds(1)" for a good start on the matter.
It _can_ be done.
That part is not necessary. They are mandatory if you collect any form of personal data without legitimate interest.
Shopping carts, subscription services etc. will still work, you don't need to consent to that, as long as you're not tracking people or handling their data unecessarily.
When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.
Or the owner of the website has failed to understand the nature of the law. Given the amount of confusion in this comment section this also seems likely.
The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting malicously.
If the admin of a site thinks they need a cookie banner when they don't, it's really because they haven't really bothered to give much thought to reducing the amount of data collection they do on their users.
But I bet it's not really that common, website admins who think they need a cookie banner when they really do not. What is WAY more common: the website admins that do need a cookie banner, but ONLY because they use Google Analytics, and don't realise this is a choice they get to make.
Or people (right here in this thread) saying "I can't make a useful website otherwise" -- it's not that the law is hard to understand, it's not. It's that they refuse to give the problem any thought. The ones "failing to understand the nature of the law", actually just don't give a crap. It's like a butcher complaining "Why do I have to label my meat with 'made from tortured animals', I have to kill them right? I can't possibly produce any meat without using this rusty spoon that I've used for decades".
> The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting malicously.
You can easily not act maliciously, and still be a crucial part of the problem. That's also what laws are for, even if you cross them non-maliciously, you get punished. That's because people "not understanding the nature of the law", when it directly applies to their business, is undesirable, and really a responsibility they should carry.
Oh, sure, but if they don't understand it then they probably shouldn't be gathering people's data either.
GDPR is pretty complex, but website operators have proved for years and years that they can't be trusted to do the right thing themselves, so here we are.
Bear in mind:
- Extra data collection or processing must be opt in.
- Not opting in must be as easy as opting in.
- The content must be available if the user chooses not to opt in.
For instance, you go to a site, tumblr.com for example. Why is not important. You get a consent popup. Opting in to extra data collection is easy but you don't want to. Navigating this consent popup is almost impossible. within a few clicks you are lost, you find a list of several hundred "partners" tumblr wants to share your data with. All are checked and need to be individually unchecked. You still can't work out how to opt out.
To me it's like someone's trying to scam you out of your data. They are so desperate to get your information that they are jumping through all sorts of hoops to try to trick you into giving it.
Do I really want to give my data so an entity that is acting so creepily? Nope. I close the window.
That time "wasted" now, is time spent to fix their mistake.
The mistake of thinking they could collect data on me and sell it to third parties in perpetuity.
It being inconvenient to you to treat people's data and privacy with respect seems like something it's hard to feel sorry for.
Of course information should be protected, but there are all sorts of compliance procedures and processes that significantly increase complexity and cost.
And no, not asking for consent and collecting data without supervision is not an option, neither legally nor ethically.
GDPR compliance is usually expensive because people ignore Art. 5.1.(c):
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
If you choose to collect personal data, you're responsible for handling it with due care. If you don't want that responsibility, don't collect the data. If your business model is predicated on doing shady things with personal data, find a different business model.
But I'm eagerly awaiting your measurements ...
Truly. Even if it shows the really big numbers you seem to imply. Because that shows something about their choice. How much trouble they're willing to go through to track you regardless.
It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.
> Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting...
Totally agree, and this shouldn't be done.
> ...this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".
This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.
Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?
The only different "constraints" relevant here would be "we get to play fast and loose with the data we collect or allow to be collected about users, without repercussions".
If that wasn't the "constraints" they were operating under, they have no problem now either.
> Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.
> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?
This is indeed where we disagree, except the law also disagrees with you:
It's. Not. About. Cookies.
It's simply about collecting and storing more data on your users than you strictly need to run your business.
There's really nothing technological about it, if you did it with pen and paper, you'd be subject to the same GDPR. Talking about HTTP response headers or "waging a war against cookies" is just misleading.
As a developer, I agree. As an end user, I am OK with this.
If organisations have to think hard about what data they collect, because it means they have to think hard about how to safely store and destroy it, then that's a good thing.
It has been easy to collect, store and disseminate user data without thought for a long time, and website operators have proved they can't (in general) act responsibly.
> This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive
My honest opinion about most of the consent popups I see is that they are at best trying to weasel out of having to comply with the regulations, or at worst applying dark patterns to trick the user into "consenting".
I am sure there are some honest people with consent popups out there, but I'm not generally generous enough to attribute anything other than malice or incompetence.
> this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution.
For sure, but it works both ways. There is a (potential) financial penalty for not taking care of user data, but at the same time, there's a pretty large cost to a user if their data is spaffed all over databases on the Internet when they didn't want that.
Also, I'm pretty sure if you are actually trying to be GDPR compliant then your first interaction with the information commissioners office will be them trying to help you comply, and you do always have the option of just deleting the data if you can't treat it safely.
> Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.
I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was speficically discussed, and not allowed, but I could be wrong.
It would be a mistake to think that Cookies are the focus of the GDPR. See https://gdpr.eu/cookies/:
"However, throughout its’ 88 pages, it only mentions cookies directly once, in Recital 30."
The GDPR is about user privacy, cookies are one of the primary tools for violating it, and the most prominent artefact seen on the web, so it's the focus of a lot of discussion, but the main thrust of the regulations aren't around cookies themselves.
It is significantly unlikely that there will be opt in banners for JS, HTTP, TCP, phone calls, cameras at the beach, or just looking at people with your eyes any time soon.
Consent must be informed and specific, so simply asking users to set their browser to accept or reject all cookies (regardless of purpose) is not compliant.
On the other hand, if browsers get their act together and standardize a consent API with the necessary features, then browser-based consent management would surely be compliant. GDPR and ePrivacy don't address this explicitly, though GDPR Recital 32 considers consent by “choosing technical settings for information society services”.
Centralising consent in browsers is a key consideration in the proposal for an updated ePrivacy Regulation, but the EU is not going to mandate specific technologies. Everyone is well aware of the mess that is the Do-Not-Track header.
I'm not against GDPR, and I'm glad these issues are getting attention. I just want to make sure we recognize there is a lot of nuance here, and there are real costs and second- and third-order consequences to consider.
You forgot one more... you're a citizen of an EU member state. I live in a sovereign nation and EU law doesn't apply to me.
It's been quite funny seeing Americans fall over themselves to comply with GDPR requirements. It won't be funny when they also fall in line behind Chinese law.
That's a ridiculous over-generalization. My bank's website doesn't have ads on it; is that not useful? Wikipedia doesn't either, can you earnestly say you've never found wikipedia useful?
There is much more to the web than shitty ad-riddled websites.
Also it's kind of sad if you believe you can't make a useful website without having to hand over private user tracking data to Google. In fact you are using a website just like that, right now.
Most sites choose do popup instead because (they think) it is more effective. So be it, but don't say it's "mandatory" or that "they are forced to".
A/B testing is allowed and doesn't need opt-in if the A-or-B preference is only recorded in aggregate form and not tied to the user.
Same for the purchasing scenario. In this case, you would be explicitly collecting personal data to fulfill the order.
It's almost as if they just want to collect all the data on all the users forever without any oversight, by continuously rehashing bad and misunderstood versions of the GDPR and pretending it's hard and complex and vague.
That people absolutely ruin the user experience of their site deliberately is an active decision they make themselves.
Make an effort not to visit those sites. You will be surprised to know that people that make such bad decisions for their site seldom have any valuable content anyway.
Stop spreading this disinformation. It's just the filthy websites that track your every move on the site and then give it to third parties.
Would you rather they do that by default, extracting your data before you even notice, without even being able to distinguish the bad actor from the good actor?
The problem is that people think it's the cookie banner that's annoying, when it's in fact the very website that has been secretly abusing your privacy, except now they tell you.
The people think that agreeing to the tracking banner is a fair transaction because the adtech banner is being disingenuous. It's as if the entrance to a museum requires you to dump one empty battery in the ocean. It's a bit of a hassle but it doesn't cost you anything, and you get to see the museum which is what you want.
Except in 90% of the cases the museum is clickbait trash.
I mean I agree. No website should use cookie banners. None of them. Increasing fines all around for those adtech fuckheads.
I beg to differ. I use AdBlockPlus (ABP) and I can block 99% of these banners, and proceed immediately to the website.
One can also use NoScript to block some websites that are full of crap/trackers (like techcrunch).
I would heavily recommend to switch to uBlock Origin (and maybe uMatrix) instead.
Disclosure: worked for eyeo in the past, and quit.
I propose a better alternative: just stop doing things requiring consent (which are, by definition, unnecessary, and almost always support an unethical business model), and then you won't have to annoy users with consent popups anymore.
I use and appreciate this one: https://www.i-dont-care-about-cookies.eu/
(I do entirely agree with you, the default internet is pretty much like you said, sadly)
It reminds me a bit of legislation in other areas that aims to make something so inconvenient people give up on it, like the death by a thousand cuts to American gun owners with state laws making magazine limits smaller and smaller over time, banning this and that cosmetic feature that has no bearing on anyone's safety, etc. What is Europe's vested interest in doing this to the internet though, information control (regulate a few conglomerates instead of having to deal with a bunch of little sites, by stamping out the little sites) and spite towards America's much more prosperous tech sector?
This could actually be a good thing. These days advertisers act as censors: all it takes is a bunch of complaints and a website's revenue stream gets pulled. The webmasters react by deleting the controversial content and avoiding the subject in the future. If this is what a profitable internet looks like it should probably die.
> Nobody has ever been hurt by a tracking cookie in the history of the internet.
How do you know?
> stamping out the little sites
Social media is responsible for this. Few people buy domains these days, it's much easier to register a name on some existing site. Most traffic originates from social media these days.
This is how newspapers have operated for nearly a century, and how television operated for over 60 years.
What do you expect will replace it? A reversion to the patronage system? I don't think Bloomberg or Murdoch paying for content to be made in the way they want it is going to be an improvement.
Yes. They depend on advertising revenue and are worse off for it.
Journalists have a duty to report facts accurately but they must also keep the advertisers happy. Due to this conflict of interest, newspapers lose trust and are perceived as having little integrity. Gotta wonder if the article is presenting a truth or some version of it that happens to be aligned with the interests of the people with the money.
TV shows are sanitized for maximum advertiser appeal. Even when they push boundaries, it's carefully controlled by the networks. There are numerous and well-documented cases where they actively influenced the creative process. Gotta wonder what shows would be like if creators had true free expression.
> What do you expect will replace it?
I don't know. Hopefully something better.
> A reversion to the patronage system?
Perhaps. Would be great if we had some kind of crowdfunding or patronage system that lets people directly fund the creators they like. Art should work like an investment: large numbers of people invest in the studios they like and the work starts once enough capital has been raised. Since the money is guaranteed, creators get more freedom to do what they want. Since they'd be compensated before the work starts, copyright becomes irrelevant.
> How do you know?
Same way I know that that defining the ASCII code for T as 084 has never hurt anyone. It's an interpretation of information, independent of the human condition. Change my mind.
I would have accepted a case wherein a user in the arctic, with limited bandwidth, was hurt due to the cookie data interfering with the communication. Hand waving about a series of human failings being connected to a technology is not compelling.
I guess it's the same argument as the "gun" isn't responsible for gun violence, excepting cookies aren't even designed to reveal information. Guns are definitely designed (in part) be used against people.
It's not just any cookie though. You specifically mentioned tracking cookies.
These cookies exist for no purpose other than information collection. They aren't even required for the website to function.
This isn't negligence, it's imprudence: being reckless with people's personal information, amassing large amounts of it in the name of profit without stopping to think about the consequences.
This isn't unique to cookies either. It applies to every browser fingerprinting method.
Ideally, big companies would be subject to the law just the same. However, small companies can get a head start by just not doing what they know they are not supposed to.
It doesn't have to hurt me. I just don't like it and I don't want it, and that is a good enough reason for me to not give up my privacy.
You make good points and I am not arguing with you, but I found theses two books really convinced me that some balance is required, and worthwhile.
> some feel-good legislation that accomplishes nothing
It hasn’t been all 100% positive, and doesn’t apply to everyone, but GDPR has definitely had an overall positive impact on digital privacy practices globally. I say this as founder of a for-profit US web company affected by the legislation.
This is really demonstrably false. Tracking cookies, tracking pixels, and other tracking technologies, have been and are still being used to de-anonymize people and cross-correlate browsing behavior of people visiting sites other than the one they’re on. The concern is over privacy, and tracking cookies are a real threat to privacy, hence the legislation.
How is a opt out cookie the same as tracking cookie?
Isn't there a clear difference for a cookie:
It's the same problem with pages where most users are logged in: the few who aren't are suddenly such a small group that they become identifiable through other means.
I = -log2(p)
1 - https://en.wikipedia.org/wiki/Information_content
1. Do a study and check how many people want to be tracked. Don't trust the data from websites because everyone is currently being tricked into accepting. Go out on the street, talk to someone for 5 minutes about how tracking works, how it can lead to more relevant advertising and a potential increase in revenues for the service they're using, but in return their browsing history, purchases, and communication will be tracked and associated with them. How many want to be tracked?
2. If 80%+ of people do not want to be tracked, then just create a law saying it's not allowed. That's it, we're done.
3. If less than 80% of people don't want to be tracked, then force browsers to prompt users on install to ask if they want to accept tracking. Websites, analytics, advertisers, etc, then need to respect that setting or risk being fined. No need for every website in the world to invent their own cookie/tracking pop-up system, and no need for people to adjust their settings on a per-site basis.
Ask the same people if they wanted websites to stay free.
I bet 80%+ would want to eat a cookie, a have it too. (No anti-pun intended!)
(Side note: the proposition of banning things if 80% don't want to use them is dangerous. No wanting something personally is not the same as banning it for everyone.)
Logging out of youtube feels like falling kneedeep into the gutter. What I personally want is more and smarter tracking, not less.
When I'm at random site I rather see ads for electronics kits I considered purchasing recently, not liposuction or some other gross random things I would never want or need or even like to be aware of.
Disclosure: I'm a Googler. Not sure how that affects my fatalism here.
Also, why do we assume that the choice is between the status quo and the total collapse of the internet ecosystem? That there's no way for digital advertising to generate a profit without gobbling up ever greater amounts of our personal data?
This seems like it's a silly nitpicking point, but in this context that's the whole point of the discussion: whether your users understand and consent to paying that cost.
Example: my personal website costs me about $35/mo to run. If I put ads on it, Google would tell me I made about $5/mo, and then take that $5 for themselves because they have decided they don't need to pay out small amounts. So I basically get to pay to host ads for Google.
If you were able to say "tracking or subscribe" it would made much more sense.
A fair comparison would be a law saying people need to opt-in for paying for a cookie. You can't charge the customer or hide the information, they need to agree to pay for the cookies, and they need an equally clear option to not pay for them.
However, stores bend the rules. They have someone stand at the entrance saying, "Thanks for coming to our store, we have cookies for sale at $0.99. Would you like to come in?" If you say yes, then you're charged for cookies you buy. To get the cookies for free, you need to realize you can say "No" to entering the store, and then through a complex 5 minutes conversation, you can get the person to let you into the store for the free cookies every person is allowed to have according to the law.
Most people don't know about the free cookies. Others can't figure out the correct questions to ask to get permission to enter the store for the free cookies. Some people want the free cookies but they don't have 5 minutes to waste talking to the person, so they just decide to pay.
At the end of the day though, of course everyone wants the free cookies. I want them. You want them. The law says the store is required to give free cookies. Why introduce all the complex interactions and rules that businesses will not follow, and customers will find annoying? Just give everyone the cookies and be done with it.
If you don't want a blanket statement allowing free cookies everywhere, what's the ideal process? 97% of people want free cookies all the time. 2% of people want free cookies "sometimes". 1% of people never want free cookies. Asking people at each store for their preference (similar to a website cookies pop-up) is only beneficial to the 2% "sometimes" crowd. For the other 98%, they're just being annoyed and repetitively giving the same answer to every store. Require the banks to allow a setting on credit cards to toggle free cookies on or off, and have stores respect that setting without needing to ask.
Given how many people think the EU did a bad job defining cookies, tracking, tracking methods and etc, it would be fun to see what they would think about he definition of a "browser" as something that can be forced to implement a certain feature.
There's a very popular (it's a bit weird that number of reviews is so drastically different between Chrome and Firefox) extension called Honey. Apparently bunch of people install it because it provides free coupons. I don't believe people that use it know that ultimately they are the product.
Now that the auth headers are known about, they can be treated as such and expired based on user preferences, but by default after 24h. There can be an alert "google.com has logged you in and now knows who you are until you log out".
Auth headers are then only sent for a single origin, so no scripts to track you around the web anyway.
The cookie workaround for those that need to genuinely use them are 1. session feature mentioned above - tie to that on the server side and 2. stick something in the URL and then keep tracking that via links, like most SPAs do anyway.
Want to do analytics? Anonymous-ish pixel or server logs.
Local storage is another issue, that should be permission based. (+ any other dodgy web apis).
Someone might say, what about a site you don't log into but needs to remember your prefence? A. Easy local storage, and it will ask for permissions AWS style e.g. "enter the name of the site to agree ____"
Maybe get rid of UA string?
and to this day, cookies in firefox are managed in a hidden box with a giant list of all the sites you've ever accepted. they don't want you to manage these permissions.
but for permissions they intent for you to manage, you click the security icon and you can revoke what you don't want. if the only permission you granted is the right to store cookies, it says you haven't granted any permissions, although this is a lie.
I used it for a week or two, maybe. I stopped because it made the web unbrowseable. If you think one banner per site is bad, imagine at least 5 consecutive popups to start, plus the possibility of more when you took any persistent action our the site loaded a new 3rd party resource. And if you don't choose the whitelist/blacklist option right away, it's the same thing the next time you visit.
I stuck with it until it became clear that I was not going to run out of domains to whitelist -- ie, this was a never-ending workload -- and switched to accepting only first-party cookies. I don't think there was an option to decline 3rd party and ask for 1st party; I probably would have used it.
Of course it's not visitors who want persistent shopping baskets. It's sellers. And I don't really care about what they want. On ~100% of the websites I visit, I'm the visitor, not the seller. And given that webshops were a thing before persistent shopping baskets were a thing, I'll wager they can do without.
That’s not so simple. Persistent shopping baskets create problems for sellers e.g. stock changes; price changes; products may become obsolete. Some of them let the cart expire at some point, even down to a couple hours for some (ASOS). As a visitor I do want a persistent cart accross sessions because I may need some time to make (nor not) my purchase. And no, I won’t give you my email just for that.
Switching to server side storage would've been a too costly architectural change. What if the server side was stateless before?
And even if, web applications would still have needed to support the old model for interop reasons. It's not feasible for everyone to maintain code for both approaches when they are so different.
It'd also break many use cases, such as using a (signed) cookie as cache for some really frequently used data. Or more importantly authentication, where an auth service returns a token (in some cases a token that can be checked by a different service without contacting the auth service again).
So yeah, that was a non starter.
Then that's a pretty bad design choice to begin with? If some state is required for operation, but the website keeps it only on client? Not least of all reasons, for security?
As a concrete example for a common use case, websites show your user or first name in the top right corner. It's common to put this in a cookie set on login/logout. This avoids querying the user directory service (from the frontend or a different backend service) on every pageload. Security wise it doesn't matter if the user tampers with it, it's a display only thing. (More often than not it's signed anyway, and the cookie contains other things as well.)
Cookies meant to be presented back to a server can be signed and (optionally) encrypted. This is also a very widely used pattern ("cookie secret" is a good search term for concrete implementations in frameworks).
I was talking about statelessness on the server side. If you remove cookies from HTTP, you now need a database on the server side.
You also get extra communication (between the client/DB, or the web service/DB), whereas previously the data would've already been available in both (the client has the jar, and the web service gets it in each the request). Turning a local memory read into a network request can be a difficult architectural change.
Also, DynamoDB reads are priced per unit ;-)
So if that UI will be deployed, may be those popups won't make sense anymore.
Unfortunately, cookies are not conveniently labeled as "advertising" or "federated login".
That said, yes, it'd be nice if the legislation in question had mandated proper labeling of cookies, and then let the user's browser handle rejecting them.
Ultimately though by default I use extension to destroy cookies as soon as I leave the page, I can place an exclusion for sites that I frequent but when I do that I just allow all cookies. My reasoning is that if I have credentials they can track me using these anyway.
Anyway the whole thing is moot though, since advertisers are beyond cookies and use many other ways to track users. Now seems what their primary goal is, is to be able to tie multiple devices of the same user together.
That combined with Firefox Containers would make for a very powerful combination since you could have different containers that would be your logged-in interface to a specific site, without then having to allow other sites be able to set cookies.
> Delete cookies and site data when Firefox is closed
setting checked in preferences. There is a Manage Permissions button next to it that allows some more per-website control.
Websites can place however many cookies they want. It won't help them track me past a day.
Setting up Safari this way and using FireFox only with containers for each major web platform works really well for me and I have been able to talk non tech friends into trying it.
Whitelist a site and set default behavior to block will still allow that whitelisted site... I think so at least, maybe you need wildcards or something...
You're probably right that it won't be happening now..the cat's out of the bag.
It discards most of these popups. Coupled with unlock origin and decentraleyes, I think you’re pretty well covered against tracking without too much hassle.
Of course temporary containers is the cherry on top (although amazon seems to have a way to recognize you anyway because it almost always only asks me for my email before logging me in)
There are browsers and other clients that are still User-Agents in the literal sense but they are not the popular ones.
The popular browsers measure their success by market share, not qualitative measures.
That is why Firefox tries to stay more or less in lock step with the leading browser on features.
This is not done out of fear of being inferior by some qualitative measure but out of fear of losing market share.
When a website sends cookies, prompt the user "this website wants to track you, allow it? y/n".
The same way microphone/camera access it prompted. So it should be fine to reject this for news sites, a random museum, etc, but okay to accept for, eg: webmail, sites where you log in, etc.
We've simplified browsers UI so much, a SINGLE toggle button for this would be lovely!
No tracking-by-default, no need for a banner.
Too many people were using this as a way to get a blanket acceptance of cookies, which not only included specific state to make the web site work, but other tracking cookies. What I see when I read this ruling is that you can't bundle the two. You have to allow the user to say "No, I don't consent to any cookies that provide PII." and then stop using them.
You don't need cookies for that. But, if you insist that you do, that can easily be a session cookie, not a stored cookie. And there's no need to obtain consent for a cookie like this, if it's not used to identify or track a (EU) person.
That is - if you're building a website and using the bare minimum cookies you need to make the website function, you don't need a cookie popup. The default here is that you don't need a cookie popup, and when you start tracking users and/or selling their data, you need to comply with ePrivacy and the GDPR.
There are plenty of ways to collect data about people without using cookies to do it, so GDPR would still be needed no matter what measures browsers took to block tracking cookies.
Did no one involved in the cookie legislation think to run the idea by a technical expert before passing it? Why wouldn't they have done something like introduce an X-Allow-Tracking header in the http spec, and make the law require that sites respect that header instead of every site making their own cookie popup. Browsers could make that privacy setting as detailed as they want as far as which requests they included it with, and the EU could strongly recommend that everyone use browsers that they've approved as supporting that setting (or even force it in various ways, like require any OEM browser that ships with a device in the EU support that setting).
Let's imagine a world where a government force car builder to add speed limiter to cars. The car builders all decides to just cut the engine if you go over the limit. Will you say the law is bad or that car makers are trolling everybody ?
It's the same for this law. But curiously everybody is prompt to say that the law is bad. The reality is that a majority of internet actors are bad and are just trolling us.
We don't need to imagine a world like that, because it has nothing to do with what we are talking about.
Let's stick to the real world. The EU implemented a law. Everybody is scared of the power of the government, so they implemented what they thought was the intention of the law, to avoid prosecution. The mom-and-pop flower shop down the street could care less about making troll political statements about technical internet topics.
Turns out, the law had stupid unintended consequences. Was the person who designed it stupid? Or is the entire world stupid?
If your answer is "the entire world is stupid," then I'd argue you don't understand how the field of design is supposed to work.
No, they didn't. They implemented something that they thought allows them to continue with the practices that the law was specifically designed to combat.
The user has very little motivation to accept tracking. The web site has a lot of motivation to track the user (because personalized ads = more money).
Thus, web sites make saying no as difficult as possible, while making saying yes as easy as possible.
A 100% compliant, user-friendly implementation would be showing non-personalized ads, then occasionally replacing one of those ads with a banner "want to receive ads that are actually relevant? click here to enable personalized ads" (which would lead to an informed consent dialog and set a cookie that would then apply to all web sites that use that ad provider).
But pop-ups coercing the user to consent are more profitable.
This could be fixed by enforcing the actual law (punishing the companies that tried to weasel out of it and processed data without valid consent) so that trying to weasel out of it is no longer a valid strategy.
The same companies have their customers convinced that they need data collection to turn a profit.
As a result we see all kinds of stupid attempt to circumvent the law because an entire industry of shady data collectors and brokers have convinced businesses that the only way of making money online is by tracking people.
The basis of your argument is: All data collection is bad.
Therefore, in your model of the world, an evil conspiracy of bad actors are looking to strategically undermine the law with various dastardly convoluted schemes. I understand why you're arguing that, given the premise you're starting with.
However, the majority of business on the internet are not doing evil things with your data. They simply want to better target their offerings to their customers, allow for you to keep items in a shopping cart, etc. If they are providing better services to their customers, they make more money and the customers are happier. It's a win win for everybody involved.
Could it simply be that, most businesses put cookie popups on their sites because they don't want to get fined? Not because they are embroiled in an elaborate scheme to undermine the law?
Could it be that the EU should have created a smarter law that would actually help people be more aware of data tracking? Instead of stupid popups?
I wouldn't be so sure. There aren't that many advertising and analytics companies, but they make products that are widely used (and clearly misused) everywhere. The websites using such tools were never told that they could avoid having the banner if they just didn't have tracking cookies.
As a user I don't want anyone to "better target me" - no single exception. Gosh I miss the time where we just burned the McDonald's...
There's no need to straw man secret cabals of conspirators, when it's just business. (Or if you want to get political, capitalism). When big tobacco companies pour money into lobbyists, fund skewed studies, and buy ads to flout anti-smoking legislation, no one calls it conspiracy. Businesses are incentivized to respond in certain ways.
They can do it without the cookie notice. For example, Amazon can track what I'm looking at on their site and what I'm buying and store it to their database. They can use this information to offer me what they think I'll like. Also, another user-friendly approach would be for a site to ask me to select categories/topics that I like. Whatever it is, GDPR gives me a right to export the data, review it, and ask for it to be deleted if I don't want the site to have it anymore. No need for cookies in this scenario. What they need cookies for is when one site wants to track what I do on other sites.
> allow for you to keep items in a shopping cart
This is a functional cookie and there's no need to ask for consent to store a shopping cart. This is just a perfidious argument that data tracking companies use to ridicule the law.
> Could it simply be that, most businesses put cookie popups on their sites because they don't want to get fined? Not because they are embroiled in an elaborate scheme to undermine the law? Not because they are embroiled in an elaborate scheme to undermine the law?
The law is very clear about when you need to ask for consent and when you don't need to ask for consent. Most sites implement it in a wrong way, many of them use deliberate dark patterns, for example, when you deny cookies you get a loading spinner that spins for a couple of minutes. These are all attempts to condition the user into avoiding pressing the "slow" button.
Using user’s data within the confines of a web app is usually OK so we can put just small much smaller guardrails up to keep companies respecting the public good.
I generally just don’t like my data shared with third parties. A single web site can literally pass your data on to hundreds of companies (as discussed in the book on Surveillance Capitalism).
I don't think that's stupid, nor unintended.
That's not what actually happened. Companies got scared that the law would impact their business model, for which the law was directly design to impact, and asked lawyers to find the minimum change which could be argued as being in compliance.
When you ask lawyers to find a solution to a problem you do not get the intention of the law. If you ask a lawyer to find a solution to tax law you don't get the intention of the tax law, you get tax avoidance, the direct opposite. And if you ask a lawyer about consent, as I have done during conferences, you get straight answers like "People can consent to a 20 page EULA they have not read or have the legal education to translate".
It not that the word is stupid or that the person who designed the law is stupid. It just happens that if you pay a lot of people who have studied and spent a large part of their life to find clever interpretations of words what you get is a clever interpretation that may or may not be what a judge will see.
To make a quick parallel, a bunch of lawyers for companies are arguing that while the company is having millions in profits and giving out a lot of dividends to shareholder, the company is at the same time in "economical crisis" and thus deserve government grant money in order to handle corona. The department in charge of giving out the money asked its lawyers and they agreed, but the politicians are now a bit upset since they disagree. And so now everyone is arguing/blaming each other and discussing if they should change the law to specify what an economic crisis is and isn't and if the change to the law should be retroactive or not.
It sounds like you're saying the lawyers are smart, but the government is still stupid.
Why didn't the government have any lawyers involved in writing the law?
Isn't that pretty...stupid?
> If your answer is "the entire world is stupid,"
Only by using a very loose definition of "implemented" sans common implementation measures like clarification and enforcement.
> implementation measures like clarification
No directive needs clarification to be implemented as law. That's the most absurd thing I've heard all year.
You mean putting trust that a website behaves by implementing its own popup system versus enforcing it on the browser side with a single implementation? Doesn't sound sane to me.
Why don't we implement a law where visitors cannot enter your house when you are not at home, unless you consent. That way we can get rid of locks.
Unless of course you block me from your browser, then I can't do anything.
Trying to say that the law is bad because it doesn’t conform to some idealised version of it you had in your head doesn’t mean the law is bad.
This is not only sane, it is very obviously the only way it could be done. Remember, the law isn't about cookies or headers or anything specific: it is a law about user tracking. You're delivering JS that paints a font in a hidden area of the screen? It's then measuring the results and reporting data back to you to track this particular user? Then you need to ask for consent. The browser can't possibly know the intent of the code it is running, so the browser can't be made responsible for protecting user privacy.
Using fingerprinting for tracking is not GDPR compliant.
If you hire Harry Potters friend to create a totally magic way to track users and collect data from them GDPR still covers it.
We already have P3P to allow websites to declare how they want to use your information. European legislation should have focused on leveraging these existing tools and protocols to give control to the user, instead of annoying them with endless pop-ups.
Also it seems either I or someone else misread the context. I'm in the broader GDPR context while someone else seems to be in the older cookie law context.
A law that doesn't take into account how people react to is not "perfectly sane". This was the obvious outcome before it passed.
Law is a back-and-forth process; you can’t just create a perfect law on day one then stop evolving.
Every time you see one of those cookie popups it is a sign, right there front and centre, that the website you are trying to use is trying to play fast and loose with your data.
Complaining about these notices would be like complaining that restaurants are forced to put up a sign on their front door "Kitchen employees don't wash their hands" when they get caught not doing so.
Brilliant. I might copy and reuse that.
You can still display advertising, that also doesn't need consent.
You just can't collect and process people's data that isn't required for providing the service. If a site displays that notice, it's because they're attempting to do more with your data, or collect extra data, than is strictly needed for the service.
Thus, these cookie disclaimers are like Proposition 65 warnings in California. They're everywhere so people ignore them.
I run websites, and I don't feel in any way worried about it personally.
Are you familiar with Proposition 65 in California? Any product of business location that has any detectible amount of carcinogens needs to disclaim that it potentially contains carcinogens. Among other things, gas stoves and roasted coffee both contain trace amounts of carcinogens. So most restaurants and coffee shops display Proposition 65 warnings. Said warnings have become so ubiquitous that nobody cares about them. The same scenario is playing out with cookie disclaimers.
> Except there's no such thing as a cookie disclaimer as I said in another comment. Extra tracking/data processing has to be opt in, and you have to provide the service to the user even if they don't opt in, so you can't just throw up a notice that says you might not be compliant because you still need to be compliant.
Yeah, they do exist. And you can find them on plenty of sites that block content unless the disclaimer is accepted. You may be of the mind that this is not complaint with the legislation, but reality demonstrates otherwise.
> Prop 65 is different. The cookie law is like saying "if you sprinkle extra carcinogens in your product then you need to disclose it".
This is making the same error as the washing hands analogy. This ignores the fact that cookies are necessary to power user-facing features.
Except there's no such thing as a cookie disclaimer as I said in another comment. Extra tracking/data processing has to be opt in, and you have to provide the service to the user even if they don't opt in, so you can't just throw up a notice that says you might not be compliant because you still need to be compliant.
> Are you familiar with Proposition 65 in California?
Yep, it's irellevant.
I don't know if you're doing this deliberately or not at this point because I've said it so many times.
You. Are. Allowed. To. Use. Cookies. Under. GDPR.
There are times you need to ask for consent, but for login cookies, shopping carts etc. that follow some relatively simple guidelines, you don't need to ask for permission.
Do you really find that so hard to understand?
Until a government bureaucrat decides that your usage is not necessary and they threaten you with a fine.
You are not the one enforcing these laws. What you think is a reasonable interpretation of these "relatively simple guidelines" is no guarantee that a government commission is going to reach the same conclusion. Do you really find that so hard to understand?
Many people click "add to cart" without logging in because that is the service they want. Nobody voluntarily clicks "track and analyze my activities on this site", because that is not a service people want.
You realize that in order to implement "add to cart" you have to track their activity on the site? That's what the cookie is for. To track customers and persist their cart. If you can't track customers then you can't associate them with their cart.
As far as analyzing activities, what is any isn't allowed is murky. Is it okay to do A/B testing and see their impact on sales? This requires tracking and analyzing user activity, but isn't necessary to provide the service. But it is necessary to actually determine whether changes to the service are positive or negative. So do you throw away A/B testing, do A/B testing and risk fines, or throw up a cookie disclaimer?
> If you can't work out what data is and isn't required for the functioning of your site then perhaps you shouldn't be running one.
I'm more than confident in developers' abilities to know what is and requires. I'm dubious of government bureaucrats' abilities of doing so.
First, you can't avoid solving the murky analysis. You must be able to specify in clear language what personal data you're using for what purpose and which specific paragraph of the GDPR gives you the legal basis to do so.
Are you using that data for A/B testing because it's a legitimate need where you don't need consent or because the user consents to it? Well, you have to decide before implementing that disclaimer, because the disclaimer should clearly state that answer!
Furthermore, if you decide that some use case does not fit the legitimate need criteria and you need consent, then a "cookie disclaimer" does not reduce the risk of fines - because a disclaimer does not collect opt-in consent, it can (at best) record acknowledgement, so if you need consent but only have a disclaimer, then that still risks fines.
On the other hand, if you trust your developers to know what is required and what's not, and you have documented it properly (because it's not just a good idea, it's mandatory), then you should be able to run that documentation through your local data protection authority to validate any doubts, that's part of their job, and wherever I have seen them work it's something they eagerly do.
Sure, the cart is perhaps a trivial case. But persistent tracking is also used to prevent abusive behavior, and other things that aren't strictly necessary. The risk that someone might try to claim that these are unnecessary far outweighs the cost of throwing up a cookie disclaimer. Thus, cookie disclaimers become pointless through their ubiquity.
Reply to your comment, since HN is rate limiting my work VPN:
> That's not it works. Someone complains to the Information Comissioners Office (ICO). ICO determine if the complaint is valid and will get in touch with the site owner to help them come into compliance.
And then they get sued if they don't come into compliance. This is just elaborating extra steps.
> There is no such thing.
> You have to make unecessary data collection and tracking opt in. You can't have a notice that says "we might do x unecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.
Right, and websites don't display content unless this supposedly unnecessary data collection is opted into. Because nobody wants to risk being on the wrong side of ambiguous restrictions on necessary and unnecessary tracking. You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.
Again, cart's aren't actually necessary. They make it easier for users to buy multiple items, but you can make cart-less checkouts by having customers select all items on a single page. Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.
That's not it works. Someone complains to the Information Comissioners Office (ICO). ICO determine if the complaint is valid and will get in touch with the site owner to help them come into compliance.
> Or you can just throw up a cookie disclaimer to cover your ass.
There is no such thing.
You have to make unecessary data collection and tracking opt in. You can't have a notice that says "we might do x unecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.
In some countries your competitors or some other third parties can just directly send you a cease-and-desist letter if they believe you're violating some law.
Even if that letter turns out to be unfounded because it turns out that implementing a shopping cart using cookies without an explicit consent is a legitimate use case, they're quite a bit more of a hassle to handle than your supposed friendly ICO just "get[ting] in touch with the site owner to help them come into compliance".
So one more reason to err on the side of over-caution and just put up a popup for any kind of cookie...
If you don't come into compliance with data privacy laws after being helped to do so by the ICO, they yes, you deserve to end up in court.
> Right, and websites don't display content unless this supposedly unnecessary data collection is opted into.
That's literally not allowed under GDPR. You can't avoid the GDPR by doing soemthing that is in violation of the GDPR. It's like trying to avoid getting a speeding ticket by going faster.
> You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.
Yes, and they're not compliant with the GDPR. Not all sites will get the tap of the ICOs hammer though. Some are going to be too hard to enforce (non-EU only entities for instance) and some just won't get complaints.
> Again, cart's aren't actually necessary.
Nope, they are very much allowed.
> Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.
Nope, totally incorrect.
Well, it worked for the Dukes of Hazzard, and it seems to be working well for Facebook et al so far...
However, that law does state that you don't need to get permission if the cookie is:
"Strictly necessary to provide a service explicitly requested by the user"
A cookie that remembers your shopping cart if you leave the site and return to it later. A cookie that remembers any preference you register if you leave a site and return to it later. A login cookie that persists after you leave the site doesn't explicitly require consent, but if you don't get it, then you are technically deviating from the guidelines that "[strictly necessary cookies] will generally be first-party session cookies" and that session cookies are "temporary and expire once you close your browser (or once your session ends)". If you had a persistent auth cookie, it would be reasonable to lean towards consent based on the published guidance.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
> To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
> Receive users’ consent before you use any cookies except strictly necessary cookies.
Your stated understanding of when consent is and is not required is simply incorrect.
> login cookies
> Preferences cookies
Allowed to be persistent as long as they don't contain user identifiable information.
> A cookie that remembers your shopping cart if you leave the site and return to it later.
I couldn't find any specific guidance on this, so it seems reasonable to use a cookie that might last a few hours or so, then have a talk to your local Information Commissioners Office if someone complains.
However, such devices, for instance so-called ‘cookies’, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.
Where are you getting that some cookies don't require consent?
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
See the "Cookies and the GDPR" section for discussion.
and further down the page a little bit:
I sincerely hope that nobody reading this thread follows any of your terribly incorrect advice.
OK, I am willing to be educated, point me at the place in the regulations this is discussed.
> Not only is your interpretation of the regulations very highly opinionated, but it’s just outright wrong on some points.
> The guidelines also state that even for Strictly Necessary cookies, the site must explain why they are necessary, something your canonical example of a good site fails to do.
You don't need to do this in a cookie popup consent dialog. You are welcome to carry on thinking this if you want to though obviously.
> OK, I am willing to be educated, point me at the place in the regulations this is discussed.
It is not discussed, it is stated very explicitly:
>(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
If you want to persist any preference information, you must get explicit consent. Whether you use that information for tracking or not, or whether it is combined with PII or not, has absolutely no bearing on your obligation. The act of persisting that information in the users browser requires consent. As this is a directive, it will be implemented independently by every member state, so if you want specific guidance for a specific state, you'll have to look it up. I linked the UKs guidance on this to you above, which you ignored. The facts are:
> If you want to persist any preference information, you must gain explicit consent
> The existence of cookie consent dialog is not a sign of malfeasance
> Lack of a cookie consent dialog is not a sign of lack of malfeasance
> Your stated interpretation of the regulations is very highly opinionated, and not supported by any jurisprudence
> Some of your stated interpretations are just demonstrably wrong
> The actual regulation is almost never followed
Based on those facts I would argue that the regulation has provided no benefit to the public at all, and has simple created a global nuisance that we all have to put up with now.
The thing is, wait staff need to use pens/keyboards to do their job. It's part of what it is to be a waiter or waitress.
The point of the analogy was to make a comparison between being clean with data and being clean with food.
I don't have any first-hand knowledge here, but my guess would be that the corporate lawyer's recommendation is always going to be "just get consent for every cookie". The alternative is to risk lengthy litigation over whether specific cookies required the consent. If they ask every time, they can avoid that nightmare.
Because of this, the notice doesn't really serve any purpose of a signal of sysop goodwill. Virtually every business large enough to have lawyers will add it where there's the possibility it'd be required, regardless of the cookie's intention.
Well-intended law that causes many negative side effects is still bad law, just as well-intended software may very well still be bad software.
Some lawyers make restaurants get waivers from customers before they order steak that's not fully cooked. It doesn't mean it's necessary (and I would definitely not eat at one).
> If your answer is "the entire world is stupid," then I'd argue you don't understand how the field of design is supposed to work.
And I think it really sums the argument up. Good design and engineering is about building something that performs its function efficiently, reliably, and unobtrusively. If something is widely misunderstood or misused, it's a design flaw.
"Blame the [law-abiding] citizens" is just as much of a cop-out as "blame the user".
In this case, however, it's not a case of general misinterpretation or misunderstanding. It's a case of the law creating very strong -- like significant-millions-of-dollars-on-the-line strong -- incentives for every significantly-sized company to harass every visitor. That's a pretty huge flaw.
It sounds like your response is basically "well if they aren't doing anything wrong, they have nothing to fear! just go to the tribunal and prove that every cookie is innocent." And in that case, please refer back to pembrook's quote above.
I don't understand this at all, and I always feel so nervous using my card at US retailers for this reason (these days I try to stick to PayPal where possible). Where I'm from, _all_ one-off online card transactions are 2FA'd between you and your bank; it was strange to say the least the first time I paid for something on Amazon and the transaction just...went through.
Actually fixing the problem - 2FA etc. - would probably be more consumer friendly in the long run.
Not saying that's the case for everyone, but you can't define "customer friendly" in a narrow way that conforms to your personal desires and assume that's that.
Also consider that if banks did have strong authentication around every purchase, there would be less of an incentive for banks or merchants to agree to roll over and eat the cost when there is fraud (and more ammunition for them against laws that require them to). No security/anti-fraud system is perfect, and something will always slip through; I wouldn't want to be a card holder stuck with a big bill because someone managed to clone/swap my SIM (for example) and make transactions using my card if I had no protection from that.
Other countries had chip cards and contactless payments in widespread use a decade or more before the US even got support for them.
(Then again, I guess a chip reader doesn't stop people from putting in a skimmer that just reads the card number as usual through the magstripe.)
The pump also had a pad for contactless payments, but I couldn't get it to work with either my phone or the NFC chip on my credit card. Maybe it only works with Shell's own card? Wasn't clear.
(And at the complete other end of the spectrum, I then went to top up my tire pressure, only to find that the air pump wanted quarters, and only quarters. Fortunately the attendant turned it on for me for free. I usually don't carry much cash around with me, and even more rarely have coins.)
I'd imagine it would do though, as many chip readers only need you to insert your card far enough to read the chip, which isn't far enough to read the entire magnetic track and thus skim the track (am layman though)
Hoping someone from the industry can comment, but I was under the impression that US issuers were eventually forced into EMV, after dragging their heels, because the US became a prime market for cashing out mag stripe data from non-US issuers.
a) the consumer catches it in time
b) the consumer has the time to deal with the bank (try calling Wells Fargo in the midst of COVID)
c) it doesn’t cause the consumer’s rent check to bounce
The US payment card system is not a good solution for the non-cash payments problem.
So it's about who's responsible. Without 3DS or PIN a merchant is responsible. With 3DS or PIN a client is responsible.
And it's pretty rare. I've had only once actual instance of electric fraud, and one stolen card in 20 years. That's 20 years of never having to remember or type in a PIN.
Meanwhile it causes the payment processors to not want to do business with merchants who get a large number of chargebacks, even if the problem isn't with the merchants but with their customers. In other words, it discriminates against merchants who do business with disadvantaged clientele who are more likely to have payment issues.
I mean it's an interesting enough heuristic, but can you provide an example of a processor that would refuse to business with someone because they had excessive chargeback, but also had the information in place to prove the purchases in question?
I mean, if you've got crappy customers, I can understand where you're coming from, but I think your choice of customer base to market to may be more in question then whether the system as a whole is fit to transact in.
I don't have much firsthand experience in it though, so I'd be thrilled if you could share some insight on it.
The problem in many cases is the difficulty in proving the purchases. For something like digital content, the only proof you'd really have is some server logs showing that it was transferred, which are naturally trivial to fabricate because they're entirely under the control of the seller, and so the payment processor may not give them much weight.
> I mean, if you've got crappy customers, I can understand where you're coming from, but I think your choice of customer base to market to may be more in question then whether the system as a whole is fit to transact in.
But then you run headlong into the efficient market hypothesis, because when everybody else is avoiding that customer base for those reasons there is less competition and thereby greater opportunity.
Also, from the perspective of the customer, just because 30% of similar customers are dirtbags doesn't mean you are or that you don't want to be able to buy your stuff.
Like with DNT? Nobody cares about that. Defaults matter too and DNT is default off. So it probably adds more entropy if you enable it.
Besides that: Technical cookies (or any other storage in your browser) that are required for your site to work do not require consent. Tracking from ads are obviously not included in that definition.
Right now the web is broken anyway - some pay (in data and ads), some are free-riders. And everyone is pested by cookie popups. This "no tracking unless required for functionality" would make it nice to change a model for actually paying for use. (It promotes quality content, less distractions, less clickbaits; and thinking twice if you want to spend more time on yet another meme aggregator.)
Sites were supposed to stop using a shotgun method of grabbing all data they can, sharing it with everyone that will take it, and hoping something will stick. They were supposed to take responsibility for data they collect and share.
But instead of changing anything, sites went for the laziest workaround (which apparently isn't even legal), so that they could ignore the legislation and keep business as usual.
> PECR are the Privacy and Electronic Communications Regulations. Their full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003.
> They are derived from European law. They implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.
> PECR cover several areas:
See "How does this fit with the GDPR?" for how the two relate, tl;dr:
> The GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but using the new GDPR standard of consent.
Cookies are also just a method. GDPR is not specific about it.
For purly functional cookies like they are used for CSRF prevention or login cookies do not require any user notifications as far as I know.
(Be aware that this is only true for login cookies which are just used to handle a active login, which means they must set the right flags to not be send to a different domain, etc.)
Well no, what you really want is browsers that do the right thing to begin with and e.g. block third party cookies by default. Then you don't need "cookie legislation" at all.
But if they're going to require something then it should at least be clear what the requirement is. If multiple large corporations who can obviously afford competent attorneys are doing something ridiculous, that's pretty good evidence that your legislation is drafted stupid.
Meanwhile the actual problem with (third party) cookies is that they're used to correlate users across multiple sites for tracking purposes, which goes away when browsers stop accepting third party cookies by default.
> But consider if you buy some books or sex toys or whatever from an online store. Do you want the store to sell information about your purchases to third parties?
This is really a different problem, because how are you supposed to know if they're doing this anyway? How is the government? Once they have your information there is no real way to tell what they're doing with it if they're willing to lie to you.
So the answer is to make it so they never actually have your personal information. But for this we need some kind of anonymous digital payment system for small transactions, so that the vendor doesn't have to know who you are. If all they have is a transaction ID from a bank that lets them get paid and a virtual one-time-use PO box number you had the item shipped to which forwards to your real address for a week and then is deleted forever, they can do whatever they want with that information and you don't have to worry about it.
Also GDPR is addressing much more than tracking consent.
Sure it can. Functional cookies come from the domain the user actually visited, advertising cookies come from other domains. That's not always true, but it's true often enough that those should be the defaults.
Firefox even does one better. It has a feature you can enable called "first party isolation" that allows third party cookies, but keeps a different set of them for each domain the user actually visits, so if the user visits a different site none of the third party cookies from the first site are there and they can't be used for tracking between sites.
> Also GDPR is addressing much more than tracking consent.
Next week we'll probably discuss some different part of it that would have been more effective if done some other way.
"Passed in the 2002 and amended in 2009, the ePrivacy Directive (EPD) has become known as the “cookie law” since its most notable effect was the proliferation of cookie consent pop-ups after it was passed."
It is not the cookie that requires pop-ups. It's despicable behavior that does.