Hacker News new | past | comments | ask | show | jobs | submit login
Getting rid of the Google cookie consent popup (daniel-lange.com)
81 points by edward 40 days ago | hide | past | favorite | 70 comments

Eventually what will happen is all major services on internet that the consent popup will turn into an annoying experience like you have to click 'I Agree' button whenever you are installing any software. Major portion of internet users don't understand laws/privacy and they would just click 'I Agree' to move forward to next step.

This is still a big win for the companies since they have engineered a behavior where people just click 'I agree' without understanding it.

Which will encourage courts to render these "agreements" invalid. I think there was a study that showed that it would take the average user 40 man-years to read and understand each software or serive legal agreements they "agree" to.

Software legal agreements are a farce, and it's only a matter of time before governments step in and regulate the shit out of it.

Note that Google's consent form is already invalid and completely useless from the GDPR's point of view.

As per the GDPR, consent should be freely given (you are not penalized for declining) and it should be as easy to decline as it is to agree (something as simple as pre-ticked checkboxes is already in breach). The ICO's (UK privacy regulator) website provides more details: https://ico.org.uk/for-organisations/guide-to-data-protectio...

The current Google consent prompt fails the second test. There is an easy "I agree" button but no "I decline". The "See more" button leads you to some more filler text and turns the button to "Other options". Clicking that gives you more filler text and some links to Google/YouTube history and ad settings, but setting those doesn't actually dismiss the modal and you are still supposed to click "I agree". Furthermore the Google personalized ad opt-out says the setting can take hours to apply, which would also not comply with the GDPR as ad tracking should be opt-in to begin with.

What is at stake if the EU agrees this is a violation?

As I understand it, it’s crystal clear under EU law that these I Agree popups violate the GDPR.

Yeah, I really don't get it. Google seems to be daring EU to apply a 5% fine.... why wouldn't EU do that?

5% is pocket money. By the time the get sued, lose, appeal, lose the appeal, etc. they'll have made that money many times over. At this scale fines are just the cost of doing business.

The only way to act as an actual deterrent is to put executives behind bars or dismantle the company.

They wouldn't be able to enforce it.

Like what, Google would stop operating in Ireland and Netherlands? That’s worse than the rine

Of course EU can enforce fines? It's being done all the time, the same as in US.

In the EU forcing consent by not allowing people to close these boxes without accepting just is not consent. Most sites these days have a reasonable way to refuse most tracking.

Those filters are picking up auto-generated css classes that will most likely change sometime soon, although there’s not much you can do to counter that until one of the filter lists starts to track them. Just FYI in case you wonder why it stops working suddenly.

I'm hoping that someone will come up with a plugin that detects and eliminates "HTML popups."

I've tried to do so myself, but I can't find a way of determining if an element is going to occlude another.

Even if you do, it will kill navigation flyouts and similar if done naively.

If those ... "features" ... prove to unreliable due to collateral damage from annoyances filters, they'll be abandoned. And good godamned riddance.

Do you think the vast majority of users will tolerate the internet being broken until websites catch on, or will they just disable the extension and write bad reviews that Amazon stopped working?

The majority of Internet users != the majority of Internet value.

Drive off key market segments and you'll see shift. The smart money and big money is tech savvy.

oh no, not that. anything but that.

Lately Youtube too annoys me with some message to sign up if I'm not logged in. Unfortunately, that is not a popup, it is displayed in the video panel, stopping the video from playing.

Look at Invidious: https://github.com/iv-org/invidious.

This kind of BS (along with other UX annoyances with the official YouTube) finally convinced me to run my own instance. No more problems since then.

It is technically a popup, but the video gets paused as long as it’s open.

YouTube has been annoying me much lately (especially when all videos start playing at low quality for the few first seconds) but this really is the last straw. Unfortunately all videos on the internet are there. So all I can do about it is bark here. Woof woof.

Add this to uBlock Origin. To 'My Filters'


Thanks mate, been looking for something like this for weeks now.

I've found two workarounds:


and changing the URL to read youtube.com/embed/NUMBER

I do that too. For the latter, I use the redirector addon https://addons.mozilla.org/de/firefox/addon/redirector/

I would pay $ to get the ublock filter code to remove this.

Here you go - https://pastebin.com/M8dZ1xst

Donate the $ to archive.org .

It will work for a long time. If it breaks, just follow this 30 sec guide. https://www.youtube.com/watch?v=8TvCGWwQr5o

If you are ready to pay to remove it, just pay for the YT subscription.

How would that help? It would still nag you to log in each time you cleared cookies.

Do not clear them, you can‘t eat the cake and have it.

There are plenty of reasons why someone would not want to pay for YouTube Premium beyond just money.

Maybe it isn't available in their region, maybe they do not have or want an account or agree with the company's privacy policy, and finally if they clear cookies regularly then an account still won't solve their problem as they'd have to login each time to dismiss the popup.

But thats exactly what I dont want to pay for. So how does that make sense?

I would love to know the full story on how we ended up with the "hey, we use cookies" legislation? Of all the ineffectual privacy laws, that one sure surely takes the cake. Has _anyone_ _anywhere_ ever left a web site because of that warning?

The legislation wasn't intended to have popups about all cookies everywhere. It was intended to stop web developers relying on 3rd parties setting arbitrary cookies to pierce the user's privacy across the entire web. (And it doesn't apply to first-party cookies).

Unfortunately, the tech industry as a whole decided instead of finding a way to work in a more privacy conscious way it was far easier just to exhaust users so that they didn't have to change anything.

I'm a privacy lawyer at a multinational company that has dealt with cookies for years. I created an account because none of the responses to you are correct. The ePrivacy Directive was not replaced by GDPR and cookie rules do apply to first party cookies.

We ended up with cookie rules because regulators were concerned about the use of cookies to create user profiles based on activity across multiple websites, especially for "evercookies"/"zombie cookies" where a user's cookieID would be resurrected even after a user deleted them. Instead of banning zombie cookies or cross-site tracking, the EU instead decided it was a violation of user privacy to place any cookies or other data files on the user's machine without their consent.

The actual language is "Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information."

Cookie consent boxes are implemented at the website level because the law applies to website publishers, not browser makers. Website publishers were explicitly told that they cannot rely on a user's browser settings. This put the browsers in the back seat and ended up with today's world where you have to opt out of a service provider like Google Analytics on a site-by-site basis.

The vast, vast majority of users do not touch cookie settings. There are probably more users running scripts to disable cookie popups than there are users opting in or out of specific cookies.

It is an odd world where websites bend over backward to make cookie popups that actually work knowing full well users do not care. The average user doesn't really know much about cookies, much less the wide variety of activities powered by cookies. Cookie consent popups are publicly available, making them easy targets for regulatory audits. Ireland ran a huge sweep and sent out letters to a number of large companies telling them to clean up their act by October or else. We are a few weeks away from seeing what the "or else" will be.

I'm happy to answer any other questions you have on this.

Thank you for the fantastically detailed response. That actually does explain how we ended up her.

So what does the real minimal setup look like? Will text ("This website uses cookies") + a button ("I agree") work?

No because that's not informed consent. Different countries have different requirements, so the minimum varies by country, but all countries require some level of information about cookies for the consent to be "informed". At a minimum you'd need to link to more information about what cookies are and how they are used.

If the cookies do not involve personal data, then GDPR does not apply, and a popup/pushdown/modal with text, a link, an accept button, and a reject button is all you need.

If the cookies do involve personal data (e.g., IP address), then GDPR applies. For cookies where GDPR applies, the legal requirements depend on the purpose for using the cookie. Wach purpose for using cookies requires its own consent. For example, cookies used for analytics require separate consent from cookies used for third party advertising. If a website only used cookies for a single purpose, the consent window could be pretty small. If there are multiple purposes, it's basically going to be a privacy policy just for cookies.

There are several billion dollar lawsuits against online adtech because it's not clear under GDPR whether anonymous but unique cookieIDs are personal data. If they are, the entire industry violates GDPR.

Roughly, websites are using cookies to track user behavior. Privacy-conscious users objected. Lawmakers couldn't, or won't, ban all tracking outright. So the compromise is the user must consent to the tracking. Hence the popups.

The initial legislation (commonly called the "cookie law") is indeed completely stupid. However this has now been replaced by the GDPR which not only covers more than cookies (and exempts cookies with no privacy impact) but also as rules around how a consent prompt should look and behave for it to be considered valid (a prompt that's opt-in by default or too annoying is in breach).

Here are the rules from the ICO's website, UK's privacy regulator: https://ico.org.uk/for-organisations/guide-to-data-protectio...

The problem is there is no enforcement of these rules despite the potential for huge fines.

> Has _anyone_ _anywhere_ ever left a web site because of that warning?

Not because they use cookies, but because they show a full-screen pop-up that I have to read through or simply accept what it is saying without reading. Whenever I get a cookie pop-up I just close the site.

I hate a lot more the time and brain power wasted on dealing with cookie pop-ups than the cookies themselves.

Sometimes when I see the Google Search popups, I just do my search on DuckDuckGo instead. It's something of a reminder the website I'm on doesn't care about privacy

But aside from that, they are completely useless and just making the web less enjoyable

Or subscribe to the "I don't care about cookies" list on ublock. It has the advantage that it's maintained by someone else so you don't have to maintain it yourself

Link so that you don't have to search: https://www.i-dont-care-about-cookies.eu/

I do that too... Which results in stumbling upon a few websites every day that don't work, and me waisting time to figure out which list is responsible this time :'(

Why isn't there a solution for this yet, like a realtime list update mechanism or whatever.

PS. The "I don't care about cookies" extension works better, because it can actually click buttons and stuff which ublock origin can't.

Yep, I do this. I keep my list here, which is essentially these type items, and also a bunch of the "fixed top and bottom bars" that sites love to put in:


We should have a movement for countries to ban the cookie popups.

I bet you could get 80% of the vote in most places on that issue alone, it's probably better than health care, immigration, or anything else.

They already are banned. What we need is enforcement of existing provisions.

Where? I thought those cookie popups were "legislated" by the EU or at least that internet giants came to the conclusion that those popups were required.

In reality they are a form of harassment, just like all the other pop-ups that assault computer users continuously. Somebody ought to spend a night in jail for every time you tick a box that says "don't notify me about this again?" that keeps coming back.

It's more complicated than "banned," but if you want the details, I can give them.

In short, you can't use non-essential cookies unless you have consent. Companies want to use non-essential cookies, so they're trying to pressure users to consent by using things like pop-up banners. But the current definition of "consent" basically says that if you're pressuring users, then the consent isn't valid.

It's perfectly fine to not have a banner and not track users. It's perfectly fine to have a non-blocking infobox at the bottom asking for consent. A big ol' blocking banner than mandates user action for non-essential tracking... I don't think it's actually illegal (although there's currently lawsuits ongoing about paywalls), but it doesn't achieve what it's trying to achieve, which is collecting user consent.

I am indeed not sure whether a full-screen blocking modal would be illegal per-se, but the fact that this modal lacks a decline button as easy to use as the "I agree" one would be an obvious breach in my opinion. As it stands giving consent on that Google form is very easy and takes one click, but refusing takes a minute and navigating across several different settings pages.

Factors considered when evaluating legality of cookie prompts include size, but also down to the prominence of the options to accept and reject. Even the size and colour of the buttons has been ruled to be relevant in guidance from regulators. Most cookie prompts are currently invalid and illegal. It's very rare I find a valid one that fully complies with the various aspects of the regulations.

It's also very common for sites to place cookies before they even get the consent, as the prompt isn't actually linked into any logic!

I think wasting any amount of screen space is an assault: on mobile you can easily wind up with 80% of screen area filled with mind-poisoning distractions. It's the new leaded gasoline.

Has this check for consent recently become more aggressive? I remember being able to do a couple of searches before seeing it pop up. Now I see it as soon as I open a private tab.

It wouldn't amaze me if it's been implemented specifically to discourage people from using private tabs to search.

It's probably an A/B test to see how many people will take this shit or how they can tweak it to coerce more people into accepting.

I've started just copying the URL and closing the tab, opening new one, pasting the URL, etc in a loop until I get a page without this crap. This works but sometimes requires a dozen of tries. It does a great job of encouraging me to stay on DDG and not even bother checking Google results.

In the long term I'm waiting for a EU privacy regulator to look into this (as this is not compliant with the GDPR, for reasons I explained in another comment here) or for an alternative frontend to be built (like a self-hosted Startpage).

The "Google recommends using Chrome" is also annoying.

I never got this popup in past few years. In which page do you get this? I think they removed it from google homepage.

Queston: why has the whole cookie notification/gdpr thing not been solved on a protocol level? In the end it's not the website that stores the cookie but the browser. Shouldn't the browsers be forced to prompt the user everytime a cookie is written to disk/send back to the server? Then the UI could be unified and some header "Cookie-Explanation" or domain.tld/.well-known/cookies.txt could be provided for the browser to parse and present the user with more detailed explanation for each cookie provided by the site. Unexplained cookies could be presented as a warning/error forcing the websites to deliver good explanations matching the cookie duration/content. The user could fine tune settings per cookie and can be notified if a site adds new cookies not seen before. Same for local storage.

But that would lead to users telling their browsers to reject cookies instead of being tricked into accepting unnecessary ones, and that's bad for advertisers. Can't have that. /s (see also: DNT header)

The consent prompt this article is about is for the GDPR, and that covers more than cookies. The GDPR covers cookie-less tracking methods like browser fingerprinting (or how your search history or personal details you entered are stored/processed/analyzed).

This is also why the advice of just accepting everything and then clearing cookies regularly seems wrong and dangerous to me, as you've given them consent to track you regardless of cookies and they have plenty of tools to track someone with reasonable certainty without cookies even across different devices.

I see what you are saying but still I think there should be a machine readable format that browsers can parse and display in a unified way. For cookies it should work as I described. For advanced fingerprinting techniques that need to be disclosed that could be done via an additional plain text which is just rendered by the browser, still in a unified way. Then future browsers could detect/block even some advanced fingerprinting but check for an explanation (eg in /.well-known/privacy.txt) and present the user with a choice.

I just do not get way the website itself has a say in how to display the constent prompt at all (it needs to be accessible, should be readble and dismissable without javascript, actually I would want to be able to read it before visiting the website). Currently I can not even get a list of all websites of which I accepted any agreement with not to mention re-reading any of those consent texts.

Why doesn't the browser implement it? That's all that was needed right.

Just have the same confirm/deny for cookies as we have everything else. Done.

This is a GDPR consent prompt and the GDPR covers more than just cookies. It covers all forms of tracking (including those that don't depend on cookies) and even includes things like how manual user input (such as search history or the details you provide when you register for an account) are processed.

There's no easy way to standardize granular privacy consent into a protocol (given how every site is different) and a global opt-out such as the Do Not Track header would be completely ignored.

Add this to Ublock to get rid of the google consent popup. Credit to Hackers forum:

! Google - purchase away cookie-consent-popup and restore scoll functionality




google.##html:sort(overflow: seen !considerable;)


Where are those "We at Google think a lot before we implement something" crowd?

Very useful, thanks!

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact