Hacker News new | past | comments | ask | show | jobs | submit login
Dark patterns in GDPR consent boxes (arxiv.org)
328 points by vincent_s 31 days ago | hide | past | favorite | 122 comments



I just click agree and then flush the cookies regularly which usually is much easier than find the way to deny. The EU should better force them to respect the do-not-track header - this would be a way handier. I hope the law gets an upgrade soon requiring everybody to offer an easy "deny all tracking and proceed" button. The only case when I actually don't mind to be tracked (by the first party only, anyway) is when I register and sign-in.


This interface should be all handled by the browser. It was a mistake not to do this. It makes no sense that blocking cookies should be done via inconststent and dubious interfaces implemented by the websites themselves. Much better that the law would specify minimum standards for browser interfaces to make those choices (which btw would be trivially implemented, vs forcing the sites to spend time and money to implement a shitty js pop-up). Plus you are assured that cookies are really blocked.

As for server-side fingerprinting, the browser, upon the user's choice, would send the allow/deny information to the website, which is forced by law to honor it (as it is today).


How can a browser differentiate between a first-party cookie needed for login and a first-party cookie for tracking?

It's legal to use cookies for behaviour such as login which is necessary but you need consent for tracking.

If a browser blocked all cookies until the user turned them on you'd have the choice of "no login" or "login works, but so does all the tracking".

Not saying the current state of affairs is good, it's awful.


If we're going down the route of regulation, and browser control, would it be a step too far to require standardised metadata in a cookie?

That way, each cookie could describe itself as login, tracking, optional functionality etc.

You can then penalise on cookies that purposefully violate this, and allow the user to centrally opt in or out of each type.


Aha, place trust in the site to label their cookies correctly?

I see you've covered that with penalising sites who mislabel. Who maintains this list? If it's the browser vendor remember which company owns the largest share in this market.


The evil bit is currently little used, I suggest repurposing that: https://en.wikipedia.org/wiki/Evil_bit


"Evil" is subjective and too broad (most of it has already been outlawed anyway and that works: e.g. a competing business is going to think twice before DDoSing you as they know they are doomed if that gets discovered and proven). Surveillance, however, is a much more specific thing. Stalking people already is illegal for people, it should also be made illegal for companies.


One simple factor could be "does the user have a password (or WebAuthN credential) stored for this web site".

Otherwise have a way for the web site to trigger a browser-controled consent UI. This would be a one-shot thing and clicking "no" would trigger a spam signal. Too many of these and the web site loses its "ask for cookies" permission.

Cookies for anything not trusted have a lifetime of "until the tab is closed".


> This would be a one-shot thing and clicking "no" would trigger a spam signal. Too many of these and the web site loses its "ask for cookies" permission.

Don't be too rough on them. You should look for a viable and sustainable solution, not a radical GtFO doomed to end here.

> Cookies for anything not trusted have a lifetime of "until the tab is closed".

"until the tab is closed" policy isn't convenient even for the user. I tried it and reverted to "until the browser is closed" quickly.


This is a very naive response. Rarely is anything "trivially implemented". And if it's so trivially implemented, why haven't we seen a browser vendor implement something already? Websites have been circumventing attempts to prevent fingerprinting for a long, long time. To act like this is some simple task is hugely misleading.


I think you may have misunderstood my comment. I meant that the "consent forms" should be a browser-side feature, consistent across websites and such that things like cookie blocking are guaranteed to be honoured. This is trivial.

Things like server-side fingerprinting must be enforced through legislation, e.g. it's against the law to track users if they've selected not to in the consent form.


Old man programmer here. I also think it is trivially implemented. What is hard is having the world agree to and craft such a standard.


Young person programmer here. There are a couple of privacy-oriented browsers. If it were really trivial, it’d have been implemented already. Just look at the cat and mouse game between Apple and advertisers around Safari, and the new fingerprinting techniques that show up every now and then. Not much is trivial in web browsers.

There is zero need for standards, which won’t happen anyway because of the power Google has with Chrome.


I think you didn't understand the proposition. Browser authors cannot unilaterally implement a proposal that has server-side and legislative components.


We cannot rely on server-side protections, because the people who control the servers are often acting against us. Standards won't change that; the linked article is about how website go against a law. We know what change a standard and gentleman's agreement can bring. We've seen it with Do not Track.

The only protections we can have right now are client-side.


1) Implement the Do-Not-Track header on the client side

2) Pass a law making it illegal for a company with business in the EU to not honor a Do-Not-Track header, with a transition period of several years.

Step 1 is technically very easy. Step 2 is legislative.


I agree with the browser implementation. Automatically blocking the cookies will likely not work because sites frequently combine tracking and required cookies.

1. When the user starts the browser for the first time, ask if they want to allow tracking cookies on all websites.

2. When the user visits a website, pass that tracking answer as true or false. Firefox and Chrome have buttons beside the URL already for 'Site Settings'. Allow users to override their global tracking setting with a per site settings there.

This would be infinitely better than the mess we have now, where every website gives us a pop-up with an intentionally confusing interface. Why can't I say 'No' to tracking once? Why do I need to do it countless times a day, each time navigating a new and confusing interface?


> When the user starts the browser for the first time, ask if they want to allow tracking cookies on all websites.

Would it be legal/ethical to allow automated pre-commitment to all terms and conditions that nefarious sites may choose to scatter around their pages, many of which won't have been written until after the user had ticked this "agree to everything" box?

> every website gives us a pop-up with an intentionally confusing interface

Any site doing this is breaking the law. Report them please.

> Why can't I say 'No' to tracking once?

Because sites which track you don't want it. After all, they're the ones who invented "cookie banners"; and they could choose to get rid of them by just, you know, not tracking people. Yet they don't.


> Any site doing this is breaking the law. Report them please.

To who? What do I say? The issue with GDPR is that it's for all intents and purposes unpoliced and unpoliceable unless you happen to have sway with a local regulatory body.

I live in the UK, and ICO are toothless. Ive filed multiple complaints - inability to opt out, misuse of PII for advertising purposes, and each time have received a cookie cutter response telling me to report it to the company and respond to ICO if it's not to my satisfaction. That was the last I heard of every complaint, despite me following up.


It's a shame; but good on you for trying anyway. It's similar to how I treat my vote: not much use on the grand scale of an election; but I need to use it, to avoid undermining any political complaints I have. It's the entry fee to get in the door. What can we do once inside? I'm not sure.


Thanks. I really felt deflated on the second complaint. Amazon sent a voucher for a video game from order-update@amazon.co.uk, which was clearly a marketing ploy. I contacted amazon, they said "oh we're sorry you feel that we misused your email", and I contacted ICO, got the cookie cutter response, replied with details, transcripts from amazon, and never heard back.


> Would it be legal/ethical to allow automated pre-commitment to all terms and conditions that nefarious sites may choose to scatter around their pages, many of which won't have been written until after the user had ticked this "agree to everything" box?

Isn't everyone 'agreeing to everything' outside of the GDPR when they visit sites now, without the option of saying 'no'? Isn't everyone covered by GDPR being tricked into 'agreeing to everything' at the moment? Giving users the ability to disable the tracking aspect across all sites with one simple setting seems like a plus here.

> Any site doing this is breaking the law. Report them please.

Has any action been taken against a site for making their opt-out option more complicated than their opt-in option? Why try to regulate how millions of sites prompt users for consent instead of a few browsers?

> Because sites which track you don't want it. After all, they're the ones who invented "cookie banners"; and they could choose to get rid of them by just, you know, not tracking people. Yet they don't.

They didn't invent cookie banners, they added them because they were required by law. The same law could remove cookie banners and require the sites to respect a browser cookie.


> Isn't everyone 'agreeing to everything' outside of the GDPR when they visit sites now, without the option of saying 'no'?

If there's no option to refuse consent, then it's not compliant with GDPR. In countries which implement GDPR (mostly EU countries, but I'm the UK and our law implements GDPR but we're no longer an EU member) those sites are breaking the law (that country's implementation of GDPR).

If you're talking about those in countries which don't implement GDPR (or equivalent), then yes; those people are generally not protected by EU law.

> Giving users the ability to disable the tracking aspect across all sites with one simple setting seems like a plus here.

I agree. Again, good luck getting surveillance companies to pay any attention, or prevent them implementing technically-legal workarounds: "Just a moment! We see you've opted out of our advanced partner network. You may be missing out on the latest tailored brand recommendations! Click here to opt back in."

> Has any action been taken against a site for making their opt-out option more complicated than their opt-in option?

Not as far as I'm aware (and I can't see any on https://www.enforcementtracker.com )

> Why try to regulate how millions of sites prompt users for consent instead of a few browsers?

1) Browsers aren't surveillance companies (OK, not all browsers are; e.g. I'm pretty sure lynx isn't meant to be spying on me).

2) GDPR is bigger than any particular technology. It seems reasonable to make some regulation like "The public considers your business model to be exploitative; from now on this requires explicit consent." It seems less reasonable make a regulation like "The technology/product/process/service you provide could potentially be used by others in these specific ways that the public does not favour; you must provide this specific mechanism/option/etc. in case it does get used for that purpose". It's not necessarily a bad idea, but it would be a pretty big ask. Even looking at the current situation, how would this handle apps? What about tracking pixels? What about scanning nearby WiFi network IDs? What about research or hobbyist operating systems? etc.

> They didn't invent cookie banners, they added them because they were required by law.

The intent of the law was to reduce the prevalence of surveillance-based business models. They've always had the option to stop. That would be the preferred option, for those who wrote GDPR, for members of the public who don't want to be tracked, for members of the public annoyed by popups, etc. They chose banners and, to a lesser extent, to gaslight the victims of their surveillance into thinking that GDPR required all these sites chose to break their own UX.

> The same law could remove cookie banners and require the sites to respect a browser cookie.

Again, it would be nice, but I imagine there would be an industry established overnight to provide opt-back-in banners, under whatever guise they can get away with.


> This interface should be all handled by the browser. It was a mistake not to do this. It makes no sense that blocking cookies should be done via inconststent and dubious interfaces implemented by the websites themselves.

I 1000% agree. And usability is not the only reason. I would also name the obvious responsibility delegation/abstraction principle and the original semantic concept of a web site: 1. the functionality every website is meant to have should be implemented at the browser level 2. no website (those using tracking elements included) should be required to have interactive elements (like the consent button) or off-topic texts (like the cookie notification).


From the technical side:

We had this ( https://en.wikipedia.org/wiki/P3P ). It didn't catch on.

> It makes no sense that blocking cookies should be done via inconststent and dubious interfaces implemented by the websites themselves.

It also makes no sense that authentication should be done via inconsistent and dubious interfaces implemented by the websites themselves. Browsers have offered login prompts for years, yet they're usually avoided. Some sites hijack scrollbars, so it's not particularly surprising.

From the legal side:

GDPR is not about "cookie banners". It's perfectly fine to use cookies, or any other personal/tracking data, if the user's consent is implied. For example login sessions, shopping carts, game highscores, etc. would break without cookies or something equivalent, and those are features that users want, so we can assume their implicit consent for such cookies. GDPR is perfectly unobtrusive (for end users, at least).

On the other hand, users don't want to be tracked and surveilled. Hence anyone collecting personal data for those reasons cannot assume implicit consent. The choice is simple: either stop doing it, or ask for explicit consent. If you're seeing obnoxious "cookie banners", it's because the operators of those sites would rather mess up their UX with annoying crap, rather than entertain the idea of not being a creepy stalker.

From a pragmatic point of view, making it easier (or even automatic!) for users to give up their rights, in a blanket way to anyone who asks them to, just so unscrupulous corporations don't have to experience negative repercussions of their user-hostile decisions, would seem to defeat the whole point of GDPR.

If you don't want to see "cookie banners", ask the site operators to stop being creeps; that way, they wouldn't need to ask.


The problem with clicking agree is that you give them legal basis to track you which goes beyond cookies and involves IP addresses & browser fingerprinting.


Next time you return with no cookies they have no way knowing it's you even if you keep the IP address.

The way to know if someone gave consent if by looking at the cookie.


But that's exactly the OPs point: with browser fingerprinting, they could know it's you even if you have no cookies, because they could have enough information to identify you anyway. Sure, you deleted your cookies, but since you agreed to be tracked anyway they can do it via other means.

Unless you mean that consent must be stored as a cookie because the law says so. If that's the case my comment doesn't apply, but I'm not sure whether that is what you mean.


Even if consent is stored in a cookie, given that you always accept, they can use fingerprinting right after you pressed accept the second time to link all your sessions together even if consent itself is indeed stored as cookies.


They can fingerprint your browser when you accept, and when you come back after having cleared your cookies and accept again, match the two fingerprints and know you've come back.


> I hope the law gets an upgrade soon requiring everybody to offer an easy "deny all tracking and proceed" button

That's effectively what there should be, right next to the "accept" button, and after a plain, simple piece of text that says "We would like to share your data with advertisers and trackers, because we get paid for that, can we have your permission?"

There shouldn't even be any cookie-flushing necessary, the kind of functional cookie that effectively says "do not track" is allowed without notification or consent. That should be enough to stop the harassment.

It never is though.


All cookies are allowed, with no popups required, if they provide functionality that the user wants (e.g. shopping carts, login sessions, etc.). Remembering that the user has refused to consent to spying is perfectly valid functionality, so no consent is required to store that in a cookie.

Explicit consent is only required when the user's personal data will be used for purposes other than implementing the functionality the user wants to use. In other words, spying.

If you see a "cookie banner", it's because the site you're visiting wants to act against your interests, and GDPR made that illegal by default. Ask the site to stop acting maliciously, and then they won't need a banner.


>and GDPR made that illegal by default

Why didn't GDPR make it illegal in general then, if it is such a no-brainer?


Why don't you make it illegal? Presumably because you don't have the political clout to do so. I would bet the EU didn't either (e.g. actions by EU member states like the UK seem to be heavily in favour of surveillance-capitalism, so they would presumably veto any outright ban).

It would also be an incredibly restrictive thing to do. Consider copyright laws as an analogy: they are "all rights reserved", making it illegal to copy, distribute, perform, etc. a copyrighted work by default. That is very different to an outright ban on copying, distributing, performing, etc. a copyrighted work (it would be illegal to show movies in theaters, or to publish books!).

Interestingly, GDPR doesn't allow incentives to be given in exchange for consent. People can incentive publishers to distribute copies of copyrighted books, by providing money (i.e. buying the books). Surveillance networks cannot pay users to give up their personal data. This is a nice asymmetry of GDPR, in the public's favour.


>I just click agree and then flush the cookies regularly

I have this automated with Firefox + the Temporary Containers addon. Every new tab is a new, disposable container, which gets deleted some time after I close the tab.


It's going to be interesting to see how the world changes if it was easy to just disable all types of tracking.

Most people, if asked would just block all ads on TV, radio, print, and web.

But then prices for products themselves would skyrocket. There wouldn't be any free webapps, etc.

For example, Facebook would have to charge money.

It might make the world a better place. Might not.

If I were forced to be though I suspect it would be a good thing


Context based advertising doesn’t require cookies or storing/transmitting personal information. Advertising would be just fine.

Facebook netted $18 billion in 2019, there’s a long ways to go before they aren’t making money.


> There wouldn't be any free webapps, etc.

Sure there would. The pattern would be "pay for more features", the free version being more of a limited demo.

This used to be a common pattern among Android apps, even without ads on the free version in the early days.


DNT also needs an equivalent "Do Track" header (dnt: 0?). That way people who want to opt in without clicking boxes can, and lack of the header can't be misconstrued as consent.

edit: uallo points out below that this is the specification. I didn't realize because none of the browsers implement it.


> dnt: 0

Yes, that is exactly how it was specified:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DN...


Although I'm very anti-tracking, I don't think the don-not-track policy should be the default. This is not going to work this way. The whole DNT thing has actually been killed by Microsoft setting it on by default. Let the people who don't care to go and toggle the checkbox in the browser settings be tracked. It also should be possible to set the DNT field on per-domain basis.


It absolutely shouldn't. Advertisers STILL cite that Microsoft incident as the reason they don't support DNT, even though this happened 8 years ago. Just goes to show how dishonest they are. Ironically they don't ignore DNT - they use it as part of their fingerprinting...

I think if DNT was per Domain, advertisers would let your browser make a bunch of requests to different domains and check for which you have DNT set, which should give a fairly unique fingerprint...


DNT wasn't killed by Microsoft. DNT was killed by advertisers looking for any reason to kill DNT. They just found Microsoft's default as their excuse to ignore DNT.


Do Not Track was always a joke. As if asking nicely ever worked with the ad industry.

The point of the law changes is that it becomes the website's responsibility to act properly, and ensure real opt-in.

If DNT was default off and was respected, most people would have never heard of it to switch it on. That's the only reason the ad industry even comment on it - it was designed to do nothing.


> The point of the law changes is that it becomes the website's responsibility to act properly, and ensure real opt-in.

Yet they still don't. They just manipulate the user into clicking yes without reading, again. I couldn't even find how to deny "the Oath" no matter how hard I tried.


The Oath pages are the worst. Blatant violation.

Hopefully sometime it will be prosecuted. Until then treat as a big red flag.


That seems very sour grapes - a major vendor said that it's gonna ship a browser with a setting configured, and everyone chooses to ignore that setting because it's common? That's pathologic thinking.


Nothing to do with MS. Moreover, Safari is removing DNT because DNT is now used as an extra parameter in browser fingerprinting ... to better track users.


> I didn't realize because none of the browsers implement it.

It's in Firefox under Preferences -> Privacy and Security -> bottom of Enhanced Tracking Protection. Or just search for "do not track".

Privacy Badger has a separate setting (enabled by default) if you have that addon installed, and the header is sent if it's enabled in either place.

I know about these because I had a hell of a time at work adding Mixpanel to something. They respect this header. Unfortunately, I think it also means we underestimate the number of Firefox users we have.


Firefox lets you set 'DNT: 1' if you don't want to be tracked, using the setting you describe, but does not have a setting to send 'DNT: 0', indicating that you are okay being tracked. As a result, there is ambiguity about whether lack of a header means nothing or means "tracking is ok". If browsers let you broadcast your willingness to be tracked, advertisers wouldn't be able to make the (bad faith) argument that it's ok to track just because someone didn't set the header.


Yeah but they'll save your IP, OS, screen resolution, etc, so they have an extremely good chance of being able to reidentify you.


>I just click agree and then flush the cookies regularly

Could also use private/incognito windows for new domains. That's what I do.


I use ublock origin to selectively block the consent boxes. I've never yet seen a website which says "our backend has noticed you have not yet consented, you may not continue".


I too wish opt-in/opt-out could be browser settings, and communicating user intent to websites using the

  DNT: 1
request header could be respected as a legally significant signal.


Not counting the sites that require login. There is NO web sites that Need cookies to function. Please don't show me that there are cookies that the site need to function.


Explicit consent isn't needed if the cookies are required for the site to function. Logins, highscores, shopping carts, etc. can assume implied consent.

Only malicious activity like surveillance requires explicit consent (e.g. via a banner).


The whole "Privacy Controls" box is a dark pattern, and appears designed to confuse the non technical.

What these boxes should say is "Please can we track you and sell your data to third party advertising services?"

Because that's what's really happening here, they're begging for your permission, but dressing it up like it's some sort of technical decision about cookies and trusted partners.


Would be nice if there was some uniformity to these and you could set granularized default preferences at your browser just the once, and have them applied universally in all cases where site options match the norm, and just requires interaction for the few instances were there are some granular permissions that need to be set outside of the default set. Bonus points for adding those new rules to your default set for future use.


What would have been really nice, would have been for for those 'cookie consent' forms to be managed at the browser level. It's not like browsers don't already have infrastructure in place to manage cookies. All they need is to make it more accessible.


I wonder how often granular permissions are chosen in the first place. i.e. when someone doesn't give the automatic full yes-to-all consent, how likely are they to leave _some_ boxes unticked?


For me at least there are some things I'm fine with. Google Analytics doesn't bother me. Random ad networks and selling my data to 3rd parties does. (Yes I realize google uses analytics data for Google Ads, but I don't have as many issues with google ads as I do with J-Random Ad Network ran by some-unknown-shady-org)


And are you fine enough with them to actively go looking through all the items to see what they are? Personally I know that there are sometimes things I might be ok with, but that'd require me to read every checkbox's label - so I just uncheck them all.


All that's really missing to make that possible is a way for websites to mark a cookie as either "essential" or "other". Then you can move the UI for accepting/denying cookies to the browser without forcing the user to throw the baby out with the water. You can also add more cookie categories to enable more informed choices (I might be OK with tracking for UX purposes, but not with tracking for marketing).


The consent dialogs aren't really about cookies, though. They are about tracking personal information. Many cookies aren't used for tracking and you can track without using cookies.


Cookies that aren't used for tracking don't require consent though (except for weird corner cases). That only leaves us with "tracking without cookies" which is technically already solved by the "do not track" header (though of course in practice it isn't really solved, mostly because of how browsers implemented it)


Frankly at this point all I want is a way to signal "Yes I have looked at the cookie settings in my browser and I know what I'm doing".


There is at least one way that I know of to realize your dream. First, disable "do-not-track" header in your browser. Secondly, lobby for organizations to honor the "do-not-track" header. The whole world will thank you.


How does disabling the do-not-track header help me? I can't indicate that I take responsibility for handling the cookies by not sending a header, that would be passive 'consent' which doesn't qualify.

Also it's not that I'm consenting to being tracked I just don't care whether they set cookies as I will delete them automatically anyway. That's very different from telling them to go ahead and figure out my identity.


Use on of the anti cookie consent banner blocklists with your ad blocker?


I mean I do, but some of them still get through.



TBH I'd be likely to accept this. I have no issues sharing reasonable statistics about me. What I'm personally against is:

1. Sharing them with Google, trough GA

2. Sharing PII. I have zero faith in big commercial sites. They'll likely try their hardest to fingerprint me, and track my every move across the web.

You have to draw a line somewhere. And since most HW info can be used for fingerprinting, I don't feel like sharing it with unknown websites.

I've looked for it, but couldn't find a screenshot of the old internet explorer prompt, that, by default, used to ask you every time a website wanted to drop some cookie on your computer. Why did we move away from it? Are we going back there? What is different now?


> 1. Sharing them with Google, trough GA

I have a blog post I'm thinking about writing about this due to launching my last app.

It's basically impossible to make everyone happy so much so that it's a bit of an absurdism.

There are people that don't want to be tracked, then there are people that don't want to be tracked by a specific company because they are doing a boycott.


Oh, right, hence the customization options. Defaulting to no tracking is likely a sane choice.

Let me insist that I am okay with statistics, but against tracking. GA is tracking. I do opt-in into statistics in software like Mozilla Firefox, etc. I just don't want to be tracked. I'm fine with giving away some information about myself so that websites know my 1680x1050 resolution is still being used, or that someone still uses Firefox, or on which page I landed, if I visited a few more pages. But nobody needs to know exactly what websites I visited today, where I ate, when I woke up, etc. It's my business and only mine. Would you be interested in such data about me? If not, why would you help Google achieve that very goal?

Other trackers (twitter, facebook, most other social networks, analytics companies and advertiser networks) are just the same to me. But maybe some people boycott Google specifically.


Tracking should be set and respected at the browser level. Consent forms on every single website we visit is absurd.


Just build websites that comply to GDPR per default and leave that crap away. Many people don't even seem to know this is possible. They believe Cookie consent is something everybody has to do on their website and if they don't do it they are in danger.


I hate when you browse through 10-15 websites and for all of them you quickly click the "Accept" button in the bottom banner to get rid of the irritating cookie banners.

And then suddenly, on the 16th website they put a fucking "Buy our thing" button in a bottom bar that you quickly click on without even thinking twice.


There needs to be a way to punish deliberate subversion of expectation. The whole "haha gotcha" mentality is harmful to society in general. The problem is much wider than just dark UI patterns on the web.


It's an impossibility given how our society is structured. A hundred years ago, if Tim's General Store did something shady, there was both social (hey Tim, wtf we're buddies this town only has 50 people) and economic (I'm never going back there and I'm 10% of Tim's regular customers). In this circumstance, our system works very well. But because of increased communication and transportation, pretty much everywhere you can consume from is a multi-national corporation. If Walmart overcharges you for a shovel, you can get your money back, but otherwise don't have any meaningful say about your experience, and probably don't have a meaningful alternative. Same with the internet, there are millions of people hitting up Google the same way you are, even if you blacklist "spamshitblog.net"; most people won't. People like RMS realized this a long time ago, but they basically got shouted down, and I definitely don't think we're gonna stop the train of unchecked free markets anytime soon.

TLDR: The market always wins, just download an adblocker.


I agree completely. It's just a shame.


Oh yeah the other day I saw a website that was showing ads in the fsking GDPR popup (when I tried to "customize" the experience).

Great job guys


I think at this point a total ban on tracking users for marketing purposes might be the only way forward. We tried half measures and this is what we got.


Really dislike these things. Hoping that we eventually get a good browser extension that handles them automatically.


I wrote a comment[0] in a different thread about just this and how I am excited that, at least on iOS, Apple are helping fix these consent prompts.

0: https://news.ycombinator.com/item?id=23757498


What's the use case here that isn't solved by configuring your browser to prohibit third-party cookies? Obviously browser fingerprinting and all of that can be used to try to extract the information, so browser should be strengthening their anti-fingerprinting measures.

But it strikes me that this is almost entirely a client-side problem. If a server wants to give me a cookie or put something in local storage, or serve me URLs with a tracking parameter in the url, so be it -- there's no privacy violation unless they can ask another website if they know who I am, and blocking third party cookies stops that.


You are tracked by more means that just cookies.

Fingerprinting is not solved by clearing your cookies. The GDPR is not about cookies but about data retention and processing using cookies or not.

Accepting to be tracked allows the website to store legally your personal data and probably use fingerprinting to follow you around.


Do I consent if the slider is to the left or the right? After done sliding every option to the left, I still have to press “I agree”, but I do not know what I agreed to.


There's one mainstream site I've been to recently, where you have to select "reject" in the sliders, then navigate away. If you click "I agree" button at the bottom you're agreeing to navigate away from the page and silently revert all your choices!

Even the BBC do shenanigans wrt cookies, they don't have a reject button. You have to navigate to a settings page, the page shows all non-essential settings as off, then you navigate back. So, you'd think that non-essential cookies are off by default, but if course they're not; AFAICT if you don't visit the page on which you do nothing then it turns the cookies on ... so you don't need to turn then off, but if you don't not-turn-them-off then they're silently enabled.

Properly compliant sites have "no/reject" buttons and still show all content after you press it.


Should have just been a browser option from the start. Although on the plus side these popups do expose just how slimy the journalism industry is.


It’s rare to find one that isn’t dark pattern like.


It's gotten so bad I have I almost feel like we need something like pihole for these boxes.


This is a mess, I absolutely loath consent boxes both as a user and developer. The ultimate failure of a design is when you need to put up a sign, and this is insipid idea is basically a billion stupid signs. They totally break the UX of any site you place them on. You pour time into a design and try to make something beautiful and then you're force to put this ugly stupid block over it by a bunch bureaucrats. Likely 99% of users don't even understand what it is supposed to do, and it is probably a flip of a coin whether or not it is even implemented "correctly". I really really hate these things, and the fact that a handful of nerds continue to discuss innocuous web metrics tracking like it is some kind of conspiracy are the cause of all of this and the reason my sites will forever bear this shameful blight.


Or you could not track people and not ask for consent. Like Mozilla, or Wikipedia.


I've seen dozens of companies that do not even do tracking insist on having a banner out of some cargo cult legal fears.



It's important to note that most of these consent boxes are not GDPR compliant.


Yes, the most "funny" ones are the ones which pretend you can decline/configure the tracking but only sets you on a long chain of "configure here" links until you end up in a dead end. Or they let you configure non-essential tracking but the essential tracking you can not switch off contains all the worst tracking sites and is definitely not essential for the technical operation of the site... Also this site tend to have over 100 different trackers which is totally insane.


... and once you are through with it they need a few minutes to "save" the choices.


And at the end "saving" fails "for technical reasons. Try again later."


I see that we are talking about Oath... what they are doing is so blatantly illegal.


Any site giving me the Oath popup i just instaclose. Even if it's linked from a site i regularly check, like HN.


And flag the HN article.


Me, too.


And they probably don't handle the case where you have instructed your browser to not accept any cookies - that is at least an option lynx gives me and an option I seem to remember from my youth in Netscape.


I wish there was a browser extension that would file a complaint with the Information Commissioner's Office for me whenever I encounter one!


The ICO is the UK's regulator. Complaints can be made online: https://ico.org.uk/make-a-complaint/cookies/


is this a real possibility? can you file a complaint online?


> can you file a complaint online?

Via email, yes.


I just saw that that's UK, I guess one would have to file per country, or in multiple countries? There is no EU-wide point to file complaints?


There is: https://edps.europa.eu/data-protection/our-role-supervisor/c...

There is also an online dispute resolution center: https://ec.europa.eu/consumers/odr/

This allows you to complain about a European company if you deal with it from another EU country.


The first one isn't what you think it is. It is, AFAIK, only for complaints against EU institutions. For everything else (national, local, private and non profit entities) you need to contact the relevant national data protection authority


You only need to know who your own regulator is for the country you live in. You file complaints to your regulator, and they collaborate with the regulator for the country where the company is established. This is called the "One-Stop Shop Mechanism" for GDPR: both consumers and companies only have one regulator to contact.


Exactly, the issue is enforcement.

GDPR is actually quite clear and logical on the notion of consent. Implicit consent is implied for anything essential for a service, everything else has to be opt-in.


And while "dark patterns" (making it difficult to opt-out of tracking) might frustrate some, this practice won't help offenders before a court. GDPR isn't tied to any one mechanism (such as cookies) but for collecting PII of any kind; required. free consent can legally only be given if the instructions and consequences are clear.


I feel like we won't be able to call these "dark patterns" for much longer.

Maybe "manipulation patterns" would be a better informative term.


I have a Firefox plugin[0] that I click on whenever a GDPR -- or, well, any obtrusive modal or overlay -- gets too much in the way of things. It's hit and miss, but when it does work it makes life so much easier.

[0] https://addons.mozilla.org/en-US/firefox/addon/behind-the-ov...


I have a related question: how on earth is Der Spiegel's consent box GDPR-compliant? Try accessing the website here:

https://www.spiegel.de

It gives you two options: 1) consent to tracking and data collection, with a vague promise that you can withraw your consent later; 2) become a paying subscriber.

GDPR says that "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract". Shouldn't that mean that forcing consent in order to allow someone to read an article is not consent freely given?

https://gdpr.eu/gdpr-consent-requirements/


I hope they already see their page hit number decline. There is no way to get over this box with DNT in the header either. If it would be only for me, Der SPIEGEL can die already.


To me the box itself is the dark pattern. That what GDPR actually changed about the world was making modals showing up in front of content completely ubiquitous is hysterical in a very dark comedy sort of way. The WWW part of the internet is nearing uselessness to me lately. :(


Technically if they do that, they are illegal.


Ok so they are just eating screen real estate instead of literally being on top of the content? This doesn't improve things any in my mind.


Nope that is illegal too.

Basically anything that makes you want to just rage close it is illegal.

The trick noone seems to understand is that this is not about getting your consent.

It is about making things that cannot get your consent in "good" ways illegal. Anything that needs to be big and visible means that they are doing things that are too much for informed consent to be given.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: