Plan to redeploy your production server to a new IP address too since the attacker will still be able to hit it directly.
Without this enabled, attackers know what your backend IP address is, so even if you enabled it later, they could continue to DDoS your IP directly, without doing a DNS lookup.
You'd only get what you want if you both re-enabled this and switched to different IP addresses.
How do you know that? Because they say so?
12K hits for the blogpost, HN is the top traffic source with 7,5K referrals.
Though I'm disappointed to hear that one of the conclusions seems to be there's no privacy-focused chat vendor that does something as simple as not collecting identifying information on users until they interact with the chat app, with integrated consent collection (which is essentially what they've implemented with their fork).
Maybe the wider HN community might know of such a service?
https://support.cloudflare.com/hc/en-us/articles/200170156-U... goes in some detail what the cookies do and (more importantly here) what they don't do.
Here's what the UK Regulator says.
It's a bit unfortunate, there was a follow-up to this law that much improved the cookie nagging, but unfortunately it seems to have been stopped in its tracks by lobbyists because of its restrictions on ad tracking.
Are we required to provide information and obtain consent for all cookies?
No – PECR has two exemptions to the cookie rules. Regulation 6(4) states that:
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Strictly necessary includes "Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)". That covers at least one of the Cloudflare cookies directly, and gives good indication that the other two also qualify.
Apart from GDPR law, there's also separate EU Cookie Legislation which was passed before GDPR. This regulation requires clear user notification (not consent) that cookies are used. As far as I know (but I might be wrong, I don't follow it) this law is still in place and GDPR did not replace it. So that means you still need a cookie notification banner (but not with an "I accept" button but with "I understand").
The linked URL literally says "Guide to PECR." PECR is the cookie law you're referring to. It is not a guide to GDPR.
The ePrivacy Regulation is intended to replace the cookie law (ePrivacy Directive) eventually, but it hasn't yet.
From what I understand functional cookies are excluded from the consent banner.
So I think you are still required to inform users of the cookie usage, the purpose of the cookies and link to the relevant Cloudflare privacy/cookie policies.
Also, the API for their dashboard was super slow for me. I mean waiting up to 10 seconds for every click on the dashboard or API interaction.
Also their pages load as fast as anything these days, no problem there either.
Super happy with BunnyCDN - even the pricing!
There is an older law called the ePrivacy Directive that regulates cookies. Under this law, cookies require consent even if they are not used for tracking, unless they are strictly necessary for technical reasons. This law is a big pain in the butt because many reasonable and legitimate uses for cookies aren't "strictly necessary."
The ePrivacy Directive technically applies to reading or writing data from a browser, so it will equally apply to any fingerprinting method you care to think of.
There's a cookie banner on google.com, but no way to decline.
a) the cookies are necessary for technical reasons. This means you don't need to ask for permission
b) the cookies are for marketing, which means you must be able to decline without consequences
Half of the banners do neither of these things and are thus either unnecessary or insufficient.
Nope - 'decline' has to be the default assumption for GDPR compliance. You only need the banner if you want people to opt in.
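Added example (not code from anyone in this thread) of the a)/b) split and the decline-by-default point above: a small consent gate where only strictly-necessary cookies run without asking, every other category stays off until the user opts in, and declining is as available as accepting. It assumes constructed category and cookie names and an injected Map in place of document.cookie so it runs outside a browser.

```javascript
const POLICY_VERSION = '2020-07'; // bump when categories change, so users are asked again

// Constructed category and cookie names for illustration, not real vendor cookies.
const CATEGORIES = {
  necessary: { required: true,  cookiePatterns: [/^session_id$/, /^cart_token$/] },
  analytics: { required: false, cookiePatterns: [/^analytics_/] },
  marketing: { required: false, cookiePatterns: [/^ad_/] },
};

// Before any decision only required categories are on: opt-in, never opt-out.
function defaultConsent() {
  const choices = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) choices[name] = cat.required;
  return { version: POLICY_VERSION, choices, decidedAt: null };
}

class ConsentGate {
  // cookieJar: Map<name, value> standing in for document.cookie;
  // loaders: category -> function that injects that category's scripts.
  constructor(cookieJar, loaders) {
    this.jar = cookieJar;
    this.loaders = loaders;
    this.loaded = new Set(); // scripts cannot be un-run, so remember what already ran
    this.state = defaultConsent();
    this.apply();            // required categories run at once, nothing else does
  }

  // Show the banner until a decision exists for the current policy version.
  needsBanner() {
    return this.state.decidedAt === null || this.state.version !== POLICY_VERSION;
  }

  isAllowed(category) { return this.state.choices[category] === true; }

  // Record an explicit decision: required categories stay on, every other one is on
  // only if the user turned it on. Declining is a first-class path, not a hidden one.
  decide(choices, now = Date.now()) {
    const next = {};
    for (const [name, cat] of Object.entries(CATEGORIES)) {
      next[name] = cat.required || choices[name] === true;
    }
    this.state = { version: POLICY_VERSION, choices: next, decidedAt: now };
    this.apply();
    return this.state;
  }

  declineAll(now) { return this.decide({}, now); }

  // Run loaders for allowed categories once; for declined categories delete the
  // cookies they own. Revoking consent can only purge cookies already written; a
  // script that has already run keeps running until the page is reloaded.
  apply() {
    for (const [name, cat] of Object.entries(CATEGORIES)) {
      if (this.isAllowed(name)) {
        if (!this.loaded.has(name) && this.loaders[name]) {
          this.loaders[name]();
          this.loaded.add(name);
        }
      } else {
        for (const key of [...this.jar.keys()]) {
          if (cat.cookiePatterns.some((re) => re.test(key))) this.jar.delete(key);
        }
      }
    }
  }
}
```

In a real page the loaders would inject the vendor script tags and the jar would be replaced by reading and expiring document.cookie; the gating and default-decline logic stay the same.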
The web of 2020 has become a hostile and ad infested place. I miss the simplicity of the 90s, but it might be nostalgia bias.
I giggle every time I find this dark pattern thinking it is the modern equivalent of the ballots for the Austrian Merging referendum of 1938 
For example https://www.telegraph.co.uk/ (right wing UK newspaper). In the pop-up it says "You can also review where our partners claim a legitimate interest to use your data and, should you wish, object to them doing so.".
If you click manage it opens with "user consent" selected, where everything is turned off. Click save means they're not going to start tracking you, right?
Wrong, if you switch to "legitimate purpose", you'll see that everything is turned on. All those ad companies claim they have a legitimate purpose to be tracking you, even though you have zero business relationship with them.
Unless the ICO hands out some very heavy fines to those companies, the whole thing's become a farce, just like the cookie law was.
GDPR enforcement is approximately zero, to my knowledge, so I don't know if there's even really an answer to the question.
For what it's worth, Wikipedia gives the impression no-one really knows. https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
ICO, the UK regulator, seems to take a dim view of dark patterns, but they're only outright banned for children's content: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...
(PDF) English translation of Greek DPA cookie guidance. See in particular the last page, "Bad Practices." https://iapp.org/media/pdf/resource_center/Greek_DPA_Cookie_...
Maybe I make that ballot measure myself, given so many "digital measures" having so much interest here already.
After moving from the US to the EU, I've thought about trying to use that right on my credit history in the US. I don't think it would work, but it would be entertaining if they even responded.
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
for the establishment, exercise or defence of legal claims.
if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
if the processing is necessary for the purposes of preventative or occupational medicine; for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services.
Also: it might be interesting to try and find some metrics on conversion impact for those stakeholders. You're making the product worse.
And at some point in pushing back, disagree-and-commit is the right thing to do.
I don't have a sign in front of my house saying "Beware of the dog", because I don't have a dog.
(1) Identify the issue; (2) Quote all relevant rules; (3) Analyze the rules in light of your specific factual circumstances; and (4) Reach a reasonable conclusion based on your analysis of the rules.
This is how your company's legal team is making recommendations to management. You have to fight fire with fire. The only advantage your legal department may have over you is access to more comprehensive legal research services like Westlaw and LexisNexis. But at the end of the day, all they're doing is researching what the law is and how the courts are interpreting the law. Search for the right terms on Google, and you can do a pretty damn good job at crafting credible arguments. We don't need the lawyers always acting like they're at the top of the food chain.
(See also https://knowyourmeme.com/memes/a-lot-of-questions-already-an... .)
You might instead consider asking people why they're asking, and figuring out ways to promote more widespread understanding.
Concretely: you might actively promote adblockers and tell people why they should use them. And rather than saying "we don't use tracking cookies", you could explain "here's why so many sites have cookie banners, here's why we don't".
(weak argument but somewhat funny).
Lawyers are ultra cautious. If you can -guarantee- that no one is going to magically add tracking/google analytics or some such to your site then sure, tell them you don't need the banner.
That was his point. He was illustrating the absurdity he has to deal with.
Maybe the customer wants to not worry if some new developer is tasked with analytics and maybe this developer forgets about the cookie banner.
Some of the web sites I manage have sections in their Terms of Service outlining how we handle cookies, and store user login information.
These are web sites that store no cookies, and do not have user logins.
But whatever the legal department wants, the legal department gets.
When I feel generous, I chalk it up to Legal future-proofing the situation. When I'm not, I call it trendchasing.
In my even less charitable mood, I'd call it copy-pasting ToS templates to avoid doing work.
Tell your higher-ups I hate them. I decide what my password is and if it's secure enough considering how much I value a given service.
Yes, I do.
For example, I have a laptop that is airgapped from the internet. But macOS still requires a password to differentiate between users.
Fortunately, Apple permits four-digit numbers to be used for logins, and doesn't impose its own views on the situation.
* During user creation at least
The idea of implementing an annoying popup to support something you _might_ do in the future for any reason is madness.
And do they not realize that user credentials are a huge liability? Why would you want to support anything related to user identity if you don't need to.
Very few companies are large enough to have a "product design process."
In situations like this, it's usually some paper-pusher saw it on his favorite web site and thinks it should be on the company's, too.
Middle managers gotta middle manage.
Hilarious, stealing it!
Originally at https://news.ycombinator.com/item?id=23797037
I would go as far as to say it is wise to deal with it once and for all.
Especially since implementing the banner takes such a short amount of time. Worrying about it will waste many times more brain cycles and once again there is always a chance someone forgets about it in the future and legal worries will be infinitely more costly.
Two options to solve it: disable the specific rule or change the password requirements. Sometimes the latter is the easiest in some companies.
I'd call it a legal fig leaf, but it doesn't cover up anything at all.
Has anyone tried something like that? Did it work? Obviously what you give up is retargeting but that may have to go anyhow.
If you leave cookies enabled everything just works just as you would expect, with full conversion tracking etc. Some ad services try to optimize ads according to tracking data you send them, which obviously doesn't work if you don't run their tracking code.
I did not use any stock illustrations for our logo– the idea was thought up by me and subsequently digitally illustrated by me also. I've had my logo/branding both partly and fully copied time and time again, and while seeing this is a bit annoying, I'd chalk it up to "heavy inspiration" over outright copying. That being said, Leave Me Alone is doing great stuff in a different space and I am rooting for their success.
I love your service because I can easily get rid of crappy newsletters but I don't care if a website is tracking me and I'd prefer if you'd spend more time on the product instead of this bike shedding.
I understand the marketing plan and getting traffic from HN and I respect that, but as a user, I'm slightly put off by this.
I hate crappy emails like I hate cookie banners. It's not because of privacy concerns, it's because it's a PITA.
I am using Firefox Focus on an iPhone 7 running iOS 14.1.
But just getting one to remove the cookie is probably not worth it since it will end up costing more than a business plan (200/mo) regardless.
2: http://d18rn0p25nwr6d.cloudfront.net/CIK-0001477333/09769260... (page 63)
Cloudflare, if you are listening: Just give us an option to disable this cookie. Thanks!
You definitely need a "cookie banner" when using Simple Analytics, Fathom, or Plausible. Any service that accesses the device information such as the URL needs a permission from the user according to the ePrivacy directive.
We have consulted EU law specialists when building our upcoming analytics service that is as privacy-friendly as Simple Analytics, while still measuring important things like retention and conversions. More information:
What you are sharing is simply not true and I will clarify. A cookie banner is required when you store PII data. This is personal identifiable information. This includes, but is not limited to an IP address, a cookie with a user identifier, ... You are free to collect data that is not part of this without a cookie banner. You are also referring to a URL as being device information, this is not device information but basically a page view. You are allowed to collect page views and URLs that are linked to these page views with a cookie banner.
You are describing retention for your business. That's only possible with a cookie banner. It makes perfect sense because you need to calculate retention somehow. If you can calculate retention and conversions you are tracking a user. So you need a cookie banner.
Cookie banners are also a thing that are implemented on the web in many wrong ways. You should always have a way to disable cookies. Just an "accept all cookies" is legally invalid under the GDPR. The e-Privacy was already in place before the GDPR and the GDPR is somewhat a clarification of it.
The ePrivacy is just a _directive_ and doesn't oblige to anything. It's the local laws of Europe that do. We have compiled a detailed list of all the European countries and the respective laws that require an analytics service to show an opt-in or opt-out style banner.
Retention is not possible without cookies or localStorage, but you can measure retention without storing or processing any PII information.
How is that defined? For many businesses it is essential to know conversion rates and which users buy, especially if they invest in ads so they can calculate their ROI and know if their campaigns bring in profit or loss, which I think it's pretty "essential".
The law doesn't say anything about it, though: this is just the interpretation and how courts have been treating it, so I wouldn't try to find loopholes around the word "essential" if you intend to follow it.
A court has ruled that tracking cookies used by ad networks, analytics and retargeting require consent.
Nothing stopping you from analysing your logged-user data, though (as long as you disclose it to your customers and comply with the rest of GDPR), so it's possible to have those kinds of measurements even without those stupid cookie banners.
Your citation does not mention URLs or clarify why they might be non-essential.
If you're using it to display a page (say: React Router), then it's essential functionality.
If you're using the URL to propagate a unique hash between pages that is used to identify the user for marketing purposes, then it requires consent.
If you don't trust my word on this you might want to check out the official stance of the European Data Protection Board on this (from 2019): https://edpb.europa.eu/sites/edpb/files/files/file1/201905_e...
The EU is working on an ePrivacy regulation btw, which will indeed replace the ePrivacy directive, but it's not likely that it will be passed before 2021 or 2022.
In what country? There is certainly no US law to my knowledge, that says that.
For the homepage I'd say visitors message rarely so it is less useful. That said, the ones that do are usually the same who convert as they are already fairly qualified leads and just want a little extra info before they sign up.
One - the person on the other end works for a different company and they can answer a few common questions, but everything else is "call this 800 number." Cell phone companies do this.
Two - the person immediately says "give me your phone number and let's talk on the phone" (car dealers are terrible for this).
I guess there is a third type - companies using a laughably terrible bot. I encountered this with Sony after I bought a game online and it wouldn't start. I eventually called in and they instantly refunded my money because I think it was a common problem.
This is a common yet naive thing to say that is rarely ever true in practice.
The retargeting most of us see is the failed kind where you’re trying to sell a fridge to the person who already ordered one two days ago, and you’re the person who sold it, but your retargeting partner does actually support registering a purchase.
I’ve paid close attention over the past few years and have found >80% of the retargeted ads are for something I just purchased (and they are usually the “single purchase” type product, similar to the fridge analogy you used)
Even if a big share of your ad impressions falsely target someone who already bought (see sibling comment) the remaining impressions lead to an increase in conversions at a comparatively low cost per conversion.
As you said, this will vary from business to business, but I have seen very successful retargeting campaigns in b2c e-commerce as well as b2b lead generation.
This is pretty much how I got started on https://panelbear.com
Feeling super lucky as I just launched last month and already several hundred websites are actively using it.
There is a free plan if you just want to try it out.
We e.g. offer an open-source consent management solution that is compliant with GDPR (as much as you can say that with confidence) and which you can self host: https://github.com/kiprotect/klaro
Building sites without cookies is possible but it's a bit extreme IMHO. Properly scoped and limited first-party cookies do not pose a large privacy risk to individuals and can make certain legitimate use cases like analytics much easier (or even possible, in some cases).
IMO, the "cookies banner" does not help to make the internet safer, it only worsens the UI; add a few more banners and there is no content left. How many people who don't know how the internet works hit "Disagree" if we still refuse to pay for e-services?
saved you all a click.
- It's a WooCommerce store. WooCommerce stores one persistent cookie to keep track of your cart. I had to hack up a little snippet of PHP code to turn that into a session cookie. It's not quite documented behavior, but the hack feels robust enough that I can live with it. (Session cookies are allowed, as per GDPR.)
- YouTube embeds had to go, as even their youtube-nocookie domain sets cookies (thanks, YT). Vimeo has a "dnt" option that seems close to what I want, but it still sets some ID in localStorage, which the GDPR views as equivalent to cookies in this regard. So my current workaround is to just have the video thumbnail and link to the proper video on YT, but that sucks because now my visitors leave the website.
- Replaced Google Analytics with self-hosted Matomo, carefully configured to not set cookies (it's not trivial), which now regularly brings my cheap hosted server to the limit ;-)
So even a relatively simple website that does little that is fancy is not easy to get free of cookies.
Would you have a source? Reading through this page I don't get the impression this is right. Session cookies are cookies nonetheless that can be used to identify users and if they are used that way, consent should be asked and given before usage.
I think cookies would be great if they weren't abused as much.
(not saying the site is using any alternative approaches, I think their ambition is laudable)
My Google-Fu has proved insufficient.