Hacker News new | past | comments | ask | show | jobs | submit login
We made our SaaS home page cookie-free (leavemealone.app)
382 points by jivings on Nov 3, 2020 | hide | past | favorite | 181 comments

> But it's possible to hit this button again and re-enable Cloudflare forwarding temporarily if we find ourselves under attack, so I figure this is a good option.

Plan to redeploy your production server to a new IP address too since the attacker will still be able to hit it directly.

Can you not just reject or ignore all connections not coming from cloud flare? Or does that still do damage during a ddos?

That doesn't help if your pipe to the Internet is full (think Gbps) or if the router/switch can't process packets fast enough (think Mpps).

Considering that the website the articles refers to is hosted on DigitalOcean, in this case the problem would be DigitalOcean's DDoS policy, which is basically null route the IP traffic for 4 hours or so when an attack is detected.

> This means we are now just using Cloudflare for DNS. But it's possible to hit this button again and re-enable Cloudflare forwarding temporarily if we find ourselves under attack, so I figure this is a good option.

Without this enabled, attackers know what your backend IP address is, so even if you enabled it later, they could continue to DDOS your IP directly, without doing a DNS lookup.

You'd only get what you want if you both re-enabled this and switched to different IP addresses.

Also the Cloudflare cookie is clearly for technical purposes, not marketing. So no consent is needed under GDPR, in my understanding. Getting rid of it didn't accomplish anything useful.

> Also the Cloudflare cookie is clearly for technical purposes, not marketing.

How do you know that? Because they say so?

Here's what they say for anyone who's looking


You could firewall off non-Cloudflare requests: https://support.cloudflare.com/hc/en-us/articles/201897700-A...

A software firewall is useless against a DDoS attack. It will only serve to help your IP not get discovered in the first place.

It's interesting to see the visitor stats [0] on the blog itself , provided by Simple Analytics:

12K hits for the blogpost, HN is the top traffic source with 7,5K referrals.

[0]: https://simpleanalytics.com/blog.leavemealone.app

I enjoyed the post and appreciate that more people are looking for privacy focused alternatives to traditional vendors.

Though I'm disappointed hear that one of the conclusions seems to be there's no privacy-focused chat vendor that does something as simple as not collecting identifying information on users until they interact with the chat app, with integrated consent collection (which is essentially what they've implemented with their fork).

Maybe the wider HN community might know of such a service?

I think there's a gap in the market here!

Naively did not realise using cloudflare as a cdn meant subjecting users to cookies. I don't have a consent banner... Does Netlify?

At least under EU cookie laws and GDPR you shouldn't need a consent banner for Cloudflare cookies, as they provide essential functions (for availability and security) and don't track users. You might have to mention them and their purpose in your privacy policy though.

https://support.cloudflare.com/hc/en-us/articles/200170156-U... goes in some detail what the cookies do and (more importantly here) what they don't do.

You might be kind of wrong. I think you don't need consent. But the cookie law still requires notification banner (which is basically the same thing). That's because cookie usage by itself (no matter the purpose) requires notification.


Here's what the UK Regulator says.

It's a bit unfortunate, there was a follow-up to this law that much improved the cookie nagging, but unfortunately it seems to have been stopped in it's tracks by lobbyists because of its restrictions on ad tracking.

Following the link from there to https://ico.org.uk/for-organisations/guide-to-pecr/guidance-... you find this paragraph:

""" Are we required to provide information and obtain consent for all cookies?

No – PECR has two exemptions to the cookie rules. Regulation 6(4) states that:

    (4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

    (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

    (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Strictly nessesary includes "Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)". That covers at least one of the Cloudflare cookies directly, and gives good indication that the other two also qualify.

But the regulator guide is about GDPR. And it's consistent with what I wrote - GDPR law does not require consent for such cookies. So the regulator is ok with no consent.

Apart from GDPR law, there's also separate EU Cookie Legislation which was passed before GDPR. This regulation require clear user notification (not consent) that cookies are used. As far as I know (but I might be wrong, I don't follow it) this law is still in place and GDPR did not replace it. So that means you still need cookie notification banner (but not with "I accept" button but with "I understand").

No that's not true, look at article 5(3) of the directive, it exempts strictly necessary cookies as well (it doesn't reference cookies in particular but applies to all kinds of storage technologies instead): https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...

I am not sure what exactly do you mean is not true. But in fact the article you linked says about pre-gdpr cookie consent. So it kind of contradicts what I said. But in practice to gather such consent it was allowed to say "if you don't consent, please disable cookies in your browser" and that's what I meant about "I understand" button. Regarding the exempt for this notification, I am not sure if CF cookies should be considered as strictly necessary.

> But the regulator guide is about GDPR.

The linked URL literally says "Guide to PECR." PECR is the cookie law you're referring to. It is not a guide to GDPR.

The cookie law is no more. GDPR superseded it. It requires user consent, but only in some cases. Under GDPR, cookies that are not "personal information" (those that do not track users) do not require consent.

This is a common misconception. The GDPR is about protecting user's information, it's not really about cookies (the entire 88 page law mentions cookies only once).

The ePrivacy Regulation is intended to replace the cookie law (ePrivacy Directive) eventually, but it hasn't yet.

GDPR superceded the Data Protection Directive. The "cookie law" is the ePrivacy Directive, which remains in force.

Netlify doesn't seem to have a consent banner but sites hosted on it don't set cookies, despite using Cloudflare (at least that's my experience hosting a blog on it).

Netlify doesn't use cloudflare. Their DNS[1] is managed by NS1 and they host their websites on the edge[2] instead of using a cdn.

[1]: https://ns1.com/blog/netlify-leverages-ns1-to-improve-perfor...

[2]: https://www.netlify.com/products/edge/

Ah, thanks. Didn’t realise that.

Is it necessary to get consent from the user about _cfduid?

From what I understand functional cookies are excluded from the consent banner.

The problem with _cfduid is that it is essentially a third-party cookie (even if it's set on your own domain).

So I think you are still required to inform users of the cookie usage, the purpose of the cookies and link to the relevant Cloudflare privacy/cookie policies.

This is what I assumed too.

They wanted to get rid of cookies as much as possible as that's part of their business plan (privacy). So they found a better CDN that didn't use cookies at all, so I'd say they made out like a bandit.

BunnyCDN is nice! Switched from Cloudflare one or two years ago and not looking back, it's a "real" CDN and doesn't require cookies.

I tried to use their push CDN service but I could never upload a file through their API. I went back and forth with support but nothing got solved.

Also, the API for their dashboard was super slow for me. I mean waiting up to 10 seconds for every click on the dashboard or API interaction.

You can upload files with their API using cURL and the --upload-file parameter. I wrote a shitty bash script to upload images[1] to it which should help you, if you still need it or want to give it a try.

[1] https://git.sr.ht/~jamesponddotco/dotfiles/tree/master/.loca...

I have a script [1] that uploads my website to BunnyCDN.

[1]: https://github.com/gkbrk/scripts/blob/master/bunnycdn-sync.p...

Thanks, I don't know Python but it looks pretty standard. It's similar to what I did in Node.

Ha I actually just came across my snippet - this is what I used in curl: curl -X PUT --data "@./<file>.html" -H 'AccessKey: <YOUR_KEY>' https://<REGION>.storage.bunnycdn.com/<SPACE>/<PATH>/<FILE>

Can't find it right now but I definitely uploaded some files via their API - weird you couldn't figure it out together with support.

Also their pages load as fast as anything these days, no problem there either.

Super happy with BunnyCDN - even the pricing!

This is a really good write up! I wish more companies and SaaS put this the cookie-less directive on top of their priorities. We are do the same, expect we have a jwt-cookie, but which is strictly bound to our domain. Additionally we avoid third-party scripts and apps, fonts or things like the facebook commenting system. Basically all stuff sending user traces to foreign parties. We did a write-up about this here, if you are interessted, how we did it: https://www.tredict.com/blog/we_do_not_track_you/

Isn't the problem about actual tracking and not the cookies? If you track someone without using any cookie you still need to ask for consent. I kind of don't understand the this post. Can someone explain why is it okay to track someone without cookie?

Exactly - cookies are only the most used because they have the largest support by browsers (going back 10 years). If you used purely local storage instead, you’d still need consent to track.

GDPR regulates tracking individuals, and is not particular about the means or form. On the whole, GDPR is pretty sensible.

There is an older law called the ePrivacy Directive that regulates cookies. Under this law, cookies require consent even if they are not used for tracking, unless they are strictly necessary for technical reasons. This law is a big pain the butt because many reasonable and legitimate uses for cookies aren't "strictly necessary."

The ePrivacy Directive technically applies to reading or writing data from a browser, so it will equally apply to any fingerprinting method you care to think of.

There's no cookie banner on apple.com, but they use cookies.

There's a cookie banner on google.com, but no way to decline.

Assuming Apple is only using cookies for technical purposes, like providing a way to log in or use a shopping cart, then there is no need to use a banner. Google needs the banner because they are using cookies for advertising and tracking purposes, and you can probably guess why there's no way to decline

I was recently tasked with making an "Accept our use of cookies" banner for our public site. Before that banner we did not store any cookies at all; now we have one to store their consent.

It's extra fun because there's really two options:

a) the cookies are necessary for technical reasons. This means you don't need to ask for permission

b) the cookies are for marketing, which means you must be able to decline without consequences

Half of the banners do neither of these things and are thus either unnecessary or insufficient.

b) the cookies are for marketing, which means you must be able to decline without consequences

Nope - 'decline' has to be the default assumption for GDPR compliance. You only need the banner if you want people to opt in.

That doesn't prevent dark UI patterns to highlight "Accept" and hide "Reject" as much as possible, or not having a "Reject all" button. Some sites deliberately make you manually click on "Reject" for each "ad partner", at which point I bail out or disable JS or scrape the text if I'm really interested in the content.

The web of 2020 has become a hostile and ad infested place. I miss the simplicity of the 90s, but it might be nostalgia bias.

> That doesn't prevent dark UI patterns to highlight "Accept" and hide "Reject" as much as possible

I giggle every time I find this dark pattern thinking it is the modern equivalent of the ballots for the Austrian Merging referendum of 1938 [1]

[1] https://en.wikipedia.org/wiki/1938_Austrian_Anschluss_refere...

To be fair the web of the early 2000s was full of ads too. I remember a time when people still used Yahoo as their homepage which was basically just a giant ad delivery platform with even more invasive ads than we have today. That's not to say that today is much better. It seems like most sites today try to walk the line between ad revenue and user retention.

Yes, it was full of ads, but not tracking. Some ads were targeted to the sites they were displayed, and not to the person reading it.

The new dark pattern is to default everything off, but then have a separate switch labelled "legitimate reasons", which are all turned on for default.

For example https://www.telegraph.co.uk/ (right wing UK newspaper). In the pop-up it says "You can also review where our partners claim a legitimate interest to use your data and, should you wish, object to them doing so.".

If you click manage it opens with "user consent" selected, where everything is turned off. Click save means they're not going to start tracking you, right?

Wrong, if you switch to "legitimate purpose", you'll see that everything is turned on. All those ad companies claim they have a legitimate purpose to be tracking you, even though you have zero business relationship with them.

Unless the ICO hands out some very heavy fines to those companies, the whole thing's become a farce, just like the cookie law was.

These dark patterns are very widespread, and are even seen on generally reputable websites like TomsHardware, but are they actually GDPR compliant?

GDPR enforcement is approximately zero, to my knowledge, so I don't know if there's even really an answer to the question.

For what it's worth, Wikipedia gives the impression no-one really knows. https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

Several regulators have made unambiguous statements that they are not compliant. However, they are not very high on the enforcement priorities.

ICO, the UK regulator, seems to take a dim view of dark patterns, but they're only outright banned for children's content: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...

(PDF) Irish DPA's sweep of thirty-odd websites under its jurisdiction. Lots of good guidance here, but for the point specifically under discussion, ctrl+f "nudge." https://www.dataprotection.ie/sites/default/files/uploads/20... by the DPC on the use of cookies and other tracking technologies.pdf

(PDF) English translation of Greek DPA cookie guidance. See in particular the last page, "Bad Practices." https://iapp.org/media/pdf/resource_center/Greek_DPA_Cookie_...

That's true, but in the context of a popup this means you must be able to deny or dismiss it without consequences.


sidenote: I wish California would pass a Right to be Forgotten like the EU has. That would be epic.

Maybe I make that ballot measure myself, given so many "digital measures" having so much interest here already.

Filed bankruptcy? No problem. Just make the credit companies forget about it!

After moving from the US to the EU, I've thought about trying to use that right on my credit history in the US. I don't think it would work, but it would be entertaining if they even responded.

That is why the law is somewhat longer than "People have the right to be forgotten".

The right is about search engines and data brokers

From https://ico.org.uk/for-organisations/guide-to-data-protectio...

When does the right to erasure not apply?

The right to erasure does not apply if processing is necessary for one of the following reasons:

    to exercise the right of freedom of expression and information;
    to comply with a legal obligation;
    for the performance of a task carried out in the public interest or in the exercise of official authority;
    for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
    for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:

    if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
    if the processing is necessary for the purposes of preventative or occupational medicine; for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services.
For more information about special categories of data please see our Guide to the GDPR.

GDPR and PECR (CCPA is primarily aimed at preventing selling of data)

If you don't store cookies at all then you don't need the banner, you don't need consent to be doing nothing.

Try explaining that to the non-technical people the requirement came from.

Respectfully, educating stakeholders is part of your job. Until you accept and embrace that, you're likely to remain stuck in roles doing useless things.

If they heard from legal they need it and legal hourly rate is greater than engineering hourly rate, they will rather waste engineering time than spend legal time to save engineering time.

Legal won't be maintaining this feature ad infinitum will it?

Also: it might be interesting to try and find some metrics on conversion impact for those stakeholders. You're making the product worse.

Attempting to educate stakeholders is part of your job. Forcing them to accept your reasoning may not be possible and they may have other reasons for their decisions that you may not know about or they may not wish to reveal (legal, marketing, internal politics, etc).

And at some point in pushing back, disagree-and-commit is the right thing to do.

How do you know so much about his job role?

That shouldn't be very difficult. It's not a complex situation.

I don't have a sign in front of my house saying "Beware of the dog", because I don't have a dog.

Since the topic touches law, it's more complex to some people than you might think. To us it's obvious, but someone else might think that they better be safe than sorry and not get sued for accidentally setting a (non-essential) cookie somewhere without letting the user know. I definitely know some people who'd rather implement such "unnecessary" things than exposing themselves to a potential legal trap.

I would recommend thinking like a lawyer and writing a memo like one. Legal writing and analysis follows a very common pattern known as IRAC (Issue, Rule, Analysis, Conclusion):

(1) Identify the issue; (2) Quote all relevant rules; (3) Analyze the rules in light of your specific factual circumstances; and (4) Reach a reasonable conclusion based on your analysis of the rules.

This is how your company's legal team is making recommendations to management. You have to fight fire with fire. The only advantage your legal department may have over you is access to more comprehensive legal research services like Westlaw and LexisNexis. But at the end of the day, all they're doing is researching what the law is and how the courts are interpreting the law. Search for the right terms on Google, and you can do a pretty damn good job at crafting credible arguments. We don't need the lawyers always acting like they're at the top of the food chain.

OTOH, if you got asked often enough if you had a scary dog, you may consider putting up a sign saying "There is no dog here."

At which point the more common question will become "what's with the sign?", and the sign may become the bigger source of concern.

(See also https://knowyourmeme.com/memes/a-lot-of-questions-already-an... .)

You might instead consider asking people why they're asking, and figuring out ways to promote more widespread understanding.

Concretely: you might actively promote adblockers and tell people why they should use them. And rather than saying "we don't use tracking cookies", you could explain "here's why so many sites have cookie banners, here's why we don't".

Or you could focus on your business goals... And just be safe legally.

I'm not suggesting doing it proactively; I'm suggesting doing it in response to the question, if people repeatedly ask the question. "No, and here are other ways to protect yourself" is stronger and more definitive than just "no".

Lawyers would argue that it might be a good idea to put up a sign if your neighbors have a dog that could attack them.

(weak argument but somewhat funny).

Lawyers are ultra cautious. If you can -guarantee- that no one is going to magically add tracking/google analytics or some such to your site than sure, tell them you don't need the banner.

I would say big picture wise it is wiser to add the banner unless it hurts your conversions.

What if you might consider adding some analytics later down the road, but are afraid someone will forget about the cookie banner at that point?

also perfect excuse to introduce some other usage of cookies


If you don't store cookies at all then you don't need the banner, you don't need consent to be doing nothing.

That was his point. He was illustrating the absurdity he has to deal with.

What if you might consider adding some analytics later down the road, but are afraid someone will forget about the cookie banner at that point?

Maybe the customer wants to not worry if some new developer is tasked with analytics and maybe this developer forgets about the cookie banner.

Before that banner we did not store any cookies at all; now we have one to store their consent.

Some of the web sites I manage have sections in their Terms of Service outlining how we handle cookies, and store user login information.

These are web sites that store no cookies, and do not have user logins.

But whatever the legal department wants, the legal department gets.

When I feel generous, I chock it up to Legal future-proofing the situation. When I'm not, I call it trendchasing.

> When I feel generous, I chock it up to Legal future-proofing the situation. When I'm not, I call it trendchasing.

In my even less charitable mood, I'd call it copy-pasting ToS templates to avoid doing work.

I am guilty of doing that for my MVPs. I just go extra safe everything, because I would rather get to market sooner.

Yeah, and I don't hold it against very early stage startups or Show HNs. But if your company has lawyers in-house preparing these texts, that's more surprising then.

I'll bite: So why did you need it in the first place?

Eventually we'll add an analytics plugin and need the banner. But at the time it was one of those "every site has one" decisions from non-technical folks. Similar frustration with arbitrary password requirements on the same site.

> password requirements

Tell your higher-ups I hate them. I decide what my password is and if its secure enough considering how much I value a given service.

Sometimes I really want my password to be 123123!

Sometimes I really want my password to be 123123!

Yes, I do.

For example, I have a laptop that is airgapped from the internet. But macOS still requires a password to differentiate between users.

Fortunately, Apple permits four-digit numbers to be used for logins, and doesn't impose its own views on the situation.

Linux mint tells you* your password isn't strong enough, but just lets you click "next" anyway. Best approach if you ask me.

* During user creation at least

Probably an unpopular opinion - but if you do not have a physical presence in the EU, and you're not the size of some Unicorn corp, you can completely ignore these silly cookie banners for now and instead focus on things that actually matter for your startup.

My "dysfunctional product design process" alarm is going off.

The idea of implementing an annoying popup to support something you _might_ do in the future for any reason is madness.

And do they not realize that user credentials are a huge liability? Why would you want to support anything related to user identity if you don't need to.

My "dysfunctional product design process" alarm is going off.

Very few companies are large enough to have a "product design process."

In situations like this, it's usually some paper-pusher saw it on his favorite web site and thinks it should be on the company's, too.

Middle managers gotta middle manage.

> Middle managers gotta middle manage

Hilarious, stealing it!

Originally at https://news.ycombinator.com/item?id=23797037

I don't think it is irrational ot madness at all. Imagine having to switch developers and then you ask for analytics from your new developer. Very easy to happen that they could forget about the cookie banner.

I would go as far as to say it is wise to deal with it once and for all.

Especially since implementing the banner takes such short amount of time. Worrying about it will waste many times more brain cycles and once again there is always a chance someone forgets about it in the future and legal worries will be infinitely more costly.

"We've used advanced technology design to ensure we are compliant without the need for the ugly banners other sites are forced to use"

What are we as technical operators even good for if our counsel, judgment and recommendations (things I thought we were even hired for as valuable key contribution points) are frequently overridden by non-technical people who in the best cases don’t understand the evidence shown, in the worst don’t even care to?

Well, if you use Cloud Armour and you try to change the password it apparently doesn't like the password to start with $ and then this blocks the whole request.

Two options to solve disable the specific rule or change the password requirements. Sometimes the latter is the easiest in some companies.

At least 90% of the banners I get hit with around the web are automatically not GDPR compliant because they require you to opt out. It's amazing to think of the effort that's been expended implementing them while still failing to follow the law.

I'd call it a legal fig leaf, but it doesn't cover up anything at all.

It's a legal face mask with the nose sticking out

i could see an excellent webcomic being made out of this

I've been thinking of trying to combine self-hosted analytics and adding ad info in the urls of ads so I can track if a user arrived at my site via an ad without divulging that to any third parties.

Has anyone tried something like that? Did it work? Obviously what you give up is retargeting but that may have to go anyhow.

Tracking ads via URL parameters is pretty standard (utm parameters), and self-hosted matomo can be set to run without cookies. This means that some metrics can't be tracked [1]. The most impactful of those is attributing people to a campaign if come via an ad, view your website, but only convert after leaving and coming back some time later.

If you leave cookies enabled everything just works just just as you would expect, with full conversion tracking etc. Some ad services try to optimize ads according to tracking data you send them, which obviously doesn't work if you don't run their tracking code.

1: https://matomo.org/faq/general/faq_156/

I always thought this was a fairly common practice so you can verify you are getting the ad traffic you paid for.

Isn't this basically UTM Tracking?

I store the url param in a DB and rewrite the Url to a cleaned one via JS in case the user bookmarks the page.

Urgh, the irony - can't open this page, because there is some problem to do with too many redirects. Which you can maybe fix by clearing cookies.

Ghost instance crashed, I assume HN hug of death! It's back now.

A little bit off topic, but this thing looks suspiciously a lot like https://lunchmoney.app/ and as far as I can tell is totally unrelated. Even the Lunch Money logo is used under the pricing section... Is this just a coincidence / did Lunch Money also use some stock illustrations that’re used here? Or is just good old fashioned copying?

Lunch Money founder here! Thanks for flagging :) My guess is that it was definitely inspired by Lunch Money as the founders here have reached out to me before about liking my branding.

I did not use any stock illustrations for our logo– the idea was thought up by me and subsequently digitally illustrated by me also. I've had my logo/branding both partly and fully copied time and time again, and while seeing this is a bit annoying, I'd chalk it up to "heavy inspiration" over out-right copying. That being said, Leave Me Alone is doing great stuff in a different space and I am rooting for their success.

This is just feedback as a user and fellow maker - so you can calibrate your target audience (given that only people who care about being tracked are vocal on this):

I love your service because I can easily get rid of crappy newsletter but I don't care if a website is tracking me and I'd prefer if you'd spend more time on the product instead of this bike shedding.

I understand the marketing plan and getting traffic from HN and I respect that, but as a user, I'm slightly put off by this.

I hate crappy emails like I hate cookie banners. It's not because of privacy concerns, it's because it's a PITA.

In case leavemealone.app is reading these messages, I will leave this here. I failed to sign up. After clicking the sign up button, the button began pulsing but did nothing more. When I tried reporting the failure via chat, nothing happened when I clicked send. After clicking send, I noticed that my initial chat message had been truncated halfway. I don’t know if these two failures are related.

I am using Firefox Focus on an iPhone 7 running iOS 14.1.

We're getting a bit smashed by HN traffic right now and server is running a little more slow than usual! I hope you check back in a little while.

Getting redirects too. The page on the Wayback Machine: http://web.archive.org/web/20201103140506/https://blog.leave...

Can anyone recommend and good articles on how to track paid advertising without being reliant on cookies?

The cloudflare cookie still persists.

It's currently still there on the blog site because I was worried that HN would smash my server and haven't moved it over to BunnyCDN yet ^^

I wish you luck on your move -- I love to see people dropping Cloudflare's MITM service that mistreats Tor users (among others).

FYI a site owner can whitelist Tor as a "country" to stop mistreatment of Tor users. Of course, hardly anyone that uses Cloudflare does that.

I wish cloudfare could allow removing this cookie. I'm willing to pay for that feature.

That cookie can be disabled on Cloudflare's Enterprise plan [0] (which, to be fair, starts at like $60k a year).

[0] https://support.cloudflare.com/hc/en-us/articles/200170156-U...

The enterprise plan is a very custom plan - if you only need access to one or two features and/or only have a few million requests a month, the price can be pretty cheap (much less than the 5k/mo price advertised on the CF dashboard), but if you want mission-critical features like bot management[0], access to China datacenters[1], etc. it definitely can get into the 6-figure range - and they do have over 550 customers paying 6 figures or more [2].

But just getting one to remove the cookie is probably not worth it since it will end up costing more than a business plan (200/mo) regardless.

0: https://www.cloudflare.com/products/bot-management/

1: https://www.cloudflare.com/network/china/

2: http://d18rn0p25nwr6d.cloudfront.net/CIK-0001477333/09769260... (page 63)

I think you can negotiate with them if you only need some enterprise features.

It's funny that you have to pay more in order to have less.

Cloudflare, if you are listening: Just give us an option to disable this cookie. Thanks!

Alright. I can budget 100€ per year so I will keep the cookie.

How would they know that you're you without the cookie?

I wasn't thinking as a visitor, but as a website owner who use cloudfare.

Cookies are not an issue for GDPR, it's all about respecting users' privacy. In fact you can freely store anonymous data to cookies, localStorage, and sessionStorage without issues. The problem comes when you are dealing with personally identifiable information such as permanent identifiers.

You definitely need a "cookie banner" when using Simple Analytics, Fathom, or Plausible. Any service that accesses the device information such as the URL needs a permission from the user according the ePrivacy directive.

We have consulted EU law specialists when building our upcoming analytics service that is as privacy-friendly as Simple Analytics, while still measuring important things like retention and conversions. More information:


Founder of Simple Analytics [1] here. There is a lot of information around cookie banners that is just not true. For example cookies are not limited to the technology of cookies, it contains any piece of information that you can use the track a user. An IP address, localStorage, sessionStorage, ... You are allowed to add a functional cookie with a dark mode setting for example without a cookie banner. You can't use an analytics cookie without a cookie banner.

What you are sharing is simply not true and I will clarify. A cookie banner is required when you store PII data. This is personal identifiable information. This includes, but is not limited to an IP address, a cookie with an user identifier, ... You are free to collect data that is not part of this without a cookie banner. You are also referring to a URL as being device information, this is not device information but basically a page view. You are allowed to collect page views and URLs that a linked to this page views with a cookie banner.

You are describing retention for your business. That's only possible with a cookie banner. It makes perfect sense because you need to calculate retention somehow. If you can calculate retention and conversions you are tracking a user. So you need a cookie banner.

Cookie banners are also a thing that are implemented on the web in many wrong ways. You should always have a way to disable cookies. Just a "accept all cookies" is legally invalid under the GDPR. The e-Privacy was already in place before the GDPR and the GDPR is somewhat a clarification of it.

Simple Analytics does not use cookies and does not require a cookie banner. We don't track your visitors and don't calculate retention or conversions. If your service does this, they a tracking your user and you might need a cookie banner.

[1] https://simpleanalytics.com

Hey. Founder of Volument[1] here. We consulted EU law specialists on this particular matter. You are right: you definitely need a cookie banner when you store or process PII data. But GDPR is just an extension to ePrivacy, which says that you also need the cookie banner when any of the device information is accessed (such as the browser URL) for non-essential purposes.

The ePrivacy is just a _directive_ and doesn't oblige to anything. It's the local laws of Europe that do. We have compiled a detailed list of all the European countries and the respective laws that require an analytics service for opt-in or opt-out style banner. [2]

Retention is not possible without cookies or localStorage, but you can measure retention without storing or processing any PII information.

[1] https://volument.com [2] https://volument.com/learn/data-privacy

I would argue that atleast for Czech Republic, the notice is not required if the processed data is crucial to providing the service the user requested. You cite Article 89(3) of the Electronic Communications Act, where it's stated that "... nor does it apply to the cases where such technical storage or access activities are needed for the provision of an information society service explicitly requested by the subscriber or user.". This part was also modified several times, most recently at 2018 in 20/2018 s. 687

The list is only for non-essential services such as website analytics. Is there a better cite for Czech Republic? Happy to edit.

Nope, you're spot on with the citation! I got confused and thought the discussion here is around essential cookies/data :)

> non-essential purposes

How is that defined? For many businesses it is essential to know conversion rates and which users buy, especially if they invest in ads so they can calculate their ROI and know if their campaigns bring in profit or loss, which I think it's pretty "essential".

It means essential for the usage of the website, as in technically essential, like login or shopping cart.

The law doesn't say anything about it, though: this is just the interpretation and how courts have been treating it, so I wouldn't try to find loopholes around the word "essential" if you intent to follow it.

A court has ruled that tracking cookies used by ad networks, analytics and retargeting require consent [1].

Nothing stopping you from analysing your logged-user data, though (as long as you disclose it to your customers and comply with the rest of GDPR), so it's possible to have those kinds of measurements even without those stupid cookie banners.

[1] https://techcrunch.com/2019/10/01/europes-top-court-says-act...

I am confused. What do you mean by “browser URL”? Do you mean the URL of the page that the user accessed? How is that not essential? How is it specific to the user’s device?

Yes: the location information on the browser. You cannot access it for non-essential purposes without user consent. See Article 5 / Statement 3 in the ePrivacy directive[1]

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

The browser sends the URL to the server to download the page so you can’t avoid receiving the URL before receiving consent from the user. You get to see the URL without accessing the user’s device.

Your citation does not mention URLs or clarify why they might be non-essential.

ePrivacy talks about "information stored in the terminal equipment", which includes any information you can get from the device. For example the user agent, location, and operating system. It's not about the information itself being essential or not, but what you do with it: is it for essential purposes (consent not needed) or non-essential purposes (consent needed).

An example:

If you're using it to display a page (say: React Router), then it's essential functionality.

If you're using the URL to propagate a unique hash between pages that is used to identify the user for marketing purposes, then it requires consent.

Ah, this would make sense. They mean if I put data in the url and retrieve it from there. www.example.com/search?q=abcd would be fine in that interpretation.

The GDPR is not a clarification of the ePrivacy directive, on the contrary. The ePrivacy directive "particularises" certain aspects of the GDPR. National implementations of the ePrivacy directive (which, unlike the GDPR, needed to be put in laws within each EU country) that e.g. regulate certain aspects of electronic communication have priority over the GDPR as a "lex specialis". Wherever such provisions do not exist, the GDPR takes precedence as a "fallback legislation".

If you don't trust my word on this you might want to check out the official stance of the European Data Protection Board on this (from 2019): https://edpb.europa.eu/sites/edpb/files/files/file1/201905_e...

The EU is working on an ePrivacy regulation btw, which will indeed replace the ePrivacy directive, but it's not likely that it will be passed before 2021 or 2022.

> You can't use an analytics cookie without a cookie banner.

In what country? There is certainly no US law to my knowledge, that says that.

Everyone's talking about EU law

That depends solely on what is an "analytics cookie". If it's a permanent identifier, then it's considered PII and requires a GDPR consent. Otherwise GDPR doesn't care. You can freely store foo=bar to a cookie.

Safari cannot open the page because too many redirects occurred.

I assume HN hug of death! It's back now.

Nice write-up on how to make a cookie-free page. Thanks

TL:DR; We set out to have a no-cookie homepage. Replaced Google Analytics, Crisp Chat and Cloudflare with privacy friendly alternatives!

Just out of curiosity, how important is live chat? I don't think I've ever had a good experience using a site's chat function.

We have a rather difficult onboarding process and users often message via the chat for help.

For the homepage I'd say visitors message rarely so it is less useful. That said, the ones that do are usually the same who convert as they are already fairly qualified leads and just want a little extra info before they sign up.

Back when I was doing web stuff for clients I got a lot of help through hostgator chat function and it was great. It all depends on how knowledgeable the person on the other side is. The medium is fine in and of itself.

I've had two types of experience.

One - the person on the other end works for a different company and they can answer a few common questions, but everything else is "call this 800 number." Cell phone companies do this.

Two - the person immediately says "give me your phone number and lets talk on the phone" (car dealers are terrible for this).

I guess there is a third type - companies using a laughably terrible bot. I encountered this with Sony after I bought a game online and it wouldn't start. I eventually called in and they instantly refunded my money because I think it was a common problem.

There is a fourth type. The MVNO I have my phone plan (and friends/family) with actually utilizes their live chat for support, and usually I get a very knowledgeable person in 30ish seconds. It's great. Red Pocket Mobile is the name.

How do you retarget on potentially interested customers?

I think the whole point of being privacy focused is that you don't retarget and your product sells by its own merits.

> your product sells by its own merits

This is a common yet naive thing to say that is rarely ever true in practice.

That's hard and I hope they can achieve this strategy!

How effective is retargeting? I’m understand that it varys from business to business, but from what I saw 5 years ago in consumer electronic, gaming and toys, it’s not really going to be a significate revenue source.

The retargeting most of us are see is the failed kind where you’re trying to sell a fridge to the person who already ordered one two days ago, and you’re the person who sold it, but your retargeting partner does actually support registering a purchases.

> The retargeting most of us are see is the failed kind where you’re trying to sell a fridge to the person who already ordered one two days ago

I’ve paid close attention over the past few years and have found >80% of the retargeted ads are for something I just purchased (and they are usually the “single purchase” type product, similar to the fridge analogy you used)

Very effective.

Even if a big share of your ad impressions falsely target someone who already bought (see sibling comment) the remaining impressions lead to an increase in conversions at a comparatively low cost per conversion.

As you said, this will vary from business to business, but I have seen very successful retargeting campaigns in b2c e-commerce as well as b2b lead generation.

It varies by advertiser. Smart ones do incrementality testing to prove its added value and optimize accordingly.

Super excited to see many websites exploring alternatives to the traditional services.

This is pretty much how I got started on https://panelbear.com

Feeling super lucky as I just launched last month and already several hundred websites are actively using it.

There is a free plan if you just want to try it out.

Well, cookies are not per se evil and you can use them in a privacy-friendly way. You should ask for consent for non-functional cookies (for the Cloudflare cookie you probably wouldn't need to ask for consent, for example) and make sure your consent workflow is compliant with the GDPR. The European Data Protection Board just published guidelines on this btw (in May): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...

We e.g. offer an open-source consent management solution that is compliant with GDPR (as much as you can say that with confidence) and which you can self host: https://github.com/kiprotect/klaro

Building sites without cookies is possible but it's a bit extreme IMHO. Properly scoped and limited first-party cookies do not pose a large privacy risk to indivuals and can make certain legitimate use cases like analytics much easier (or even possible, in some cases).

This is an awesome idea, I really love the writing and products presented (TLDR; SimpleAnalytics, BunnyCDN, Intergram). Good luck with LMA, this is an awesome product

IMO, the "cookies banner" does not help to make internet safer, only worsening UI, add a few more banners and there is no content left. How many people who don't know how internet works hit "Disagree" if we still refuse to pay for e-services

i like the idea of having a public analytics tracking page. How early in your journey did you introduce that?

From the start!

nice write-up with good suggestions on how to accomplish the no cookie page

how to make a website sans cookies:

don't use cookies.

saved you all a click.

Well... turns out, it's not that easy. I, too, removed the cookies from my website [1] and was thrilled to finally get rid of the cookie banner, but had to jump through some hoops:

- It's a WooCommerce store. WooCommerce stores one persistent cookie to keep track of your cart. I had to hack up a little snippet of PHP code to turn that into a session cookie. It's not quite documented behavior, but the hack feels robust enough that I can live with it. (Sessions cookies are allowed, as per GDPR.)

- YouTube embeds had to go, as even their youtube-nocookie domain sets cookies (thanks, YT). Vimeo has a "dnt" option that seems close to what I want, but it still sets some ID in localStorage, which the GDPR views as equivalent to cookies in this regard. So my current workaround is to just have the video thumbnail and link to the proper video on YT, but that sucks because now my visitors leave the website.

- Replaced Google Analytics with self-hosted Matomo, carefully configured to not set cookies (it's not trivial), which now regularly brings my cheap hosted server to the limit ;-)

So even a relatively simple website that does little fancy is not easy to get free of cookies.

[1] https://dascask.com

> Sessions cookies are allowed, as per GDPR.

Would you have a source? Reading through this page[0] I don't get the impression this is right. Session cookies are cookies nonetheless that can be used to identify users and if they are used that way, consent should be asked and given before usage.

[0]: https://gdpr.eu/cookies/

You could use localstorage and a script for setting/getting the info via xmlhttp. Technically not a cookie and there is nothing automatically send.

I think cookies are great if they weren't abused as much.

(not saying the site is using any alternative approaches, I think their ambition is laudable)

I believe localStorage is equivalent to cookies as far as the European cookie banner directive is concerned.

The eDirective states that the browser and device information (like the URL) is private data and you need a permission to access it for non-essential purposes such as analytics. This is why Simple Analytics also needs a cookie banner, contrast to what their marketing says.

I'm not quite up to date, was it passed since 2018? I remember it being delayed quite a bit.

My Google-Fu has proved insufficient.

EU is still working on a new version of the directive. I heard they have been doing it for three years now.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact