Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Why have we accepted the cookie pop-up situation across the web?
445 points by LightG 37 days ago | hide | past | favorite | 338 comments
You know what I'm talking about. Even at their best, the pop-ups for every single website to accept or choose cookies is ridicuous.

Can you imagine how much time in total we all lose to this?

And yet, these "solutions" to the data privacy questions have become widespread.

It's bad enough at normal times, let alone those who double triple quadruple bluff you into choosing the wrong setting.

This is a tech board.

Why have we all accepted this ridiculous situation?

Isn't there a better solution?

Well, it's basically malicious compliance. They're supposed to be super annoying because the people which need them do things which have been deemed unacceptable from the legislature. Instead of complying, they choose this obnoxious practice so they could continue with what they've been doing for years, which is monitoring every action a visitor does.

You don't need a cookie banner to be allowed to create Cookies. You only need them if you're using them for something like tracking.

A session cookie, selected theme etc is all fine without that banner

> Well, it's basically malicious compliance.

Agreed. I can't think of a more widespread and effective campaign by an entire industry to gaslight their customers into hating a regulation more than the invasive practice that is being regulated.

Exactly. We should attack the core issue here; tracking is a form of invaison of privacy and should be banned in general.

The core issue is people want free shit.

No, the core issue is that advertisments are not enough for them, they want personal data too.

Giving someone with a website an image that they put up there is simple and requires zero cookies. If your goal is to have people see that banner this is literally all you need to do.

But of course advertisers want targeted ads, they want to get metrics (they don't care how truthful those metrics are, but who cares right?).

I don't think most websites honestly care about personal data. What most sites want to know is what anonymous users are doing on their sites so they can improve them.

I for one need this data on a daily basis to help me decide how to make products better. I think the legislation doesn't do it's job properly. Why not force it so that like apple, the browser informs the websites that they don't want to be tracked, then it is the websites issue if they are caught tracking. Or all browsers forcibly obscure a users PII.

I have made a living selling a software product for more than ten years without any behavior tracking at all. I just don't think tracking users is necessary.

Analytics companies that try to sell their analytics will of course tell you that you need analytics, but I just don't think it's true.

The only analytics I need are sales numbers. When they go up, I know I'm on the right track :)

The way I learn about my customers is that I put my email address on every page of my website. And then I read emails that folks send me, and this way I learn way more about my customers than any analytics could tell me, all without invading someones privacy.

(There is one exception: My apps do send crash reports, but they only send stack traces, no user data, and I don't log any identifiable info like IP addresses.)

No idea what product you make, but thank you! Yours is a company I would like doing business with.

The advertisers who’s advertisements are shown care. And because they pay more for targeted ads the website cares.

The ad industry believes targeted ads are cheaper and more effective in aggregate than un-targeted ads.

Also if the website is selling PII to “partners” as another revenue stream the the website cares.

The ad industry used to target ads by aiming at a publication’s audience or subscriber base. The publication would conduct surveys or do Nielsen rating type measures to get a sense who their audience was.

When publications online went from trying to build an audience to trying to drive traffic we ended up with the situation we have now. They don’t have audiences anymore, they have atomized bits of content without much in the way of editorial voice or culture to tie it together. They care not one whit about making their site a destination, just trying to chum the waters for whatever will bring in a catch of fresh eyeballs.

Exactly. I think even if people were to pay for visiting a website, there would still be ads or tracking because that's too profitable a thing to let go.

Or maybe billions of venture funding created unrealistic growth expectations. This turned otherwise good businesses into data hogs.

Nah. People have always wanted free shit. I once volunteered at an event for fancy people. Occasionally we would put out some moderately cool free shit. I saw a lot people worth millions to hundreds of millions leaping into the scrum for things that they could buy for $50-100.

People wanting free shit is a constant. The problem is how we channel that desire, which is very much in our control.

This "you can't have free stuff" argument I've seen way too many times now is based on a false premise.

You _absolutely_ can have free stuff. I remember the web when it was run by hobbyists, and that's exactly how it worked. What people who use the "no free stuff" argument really mean is that there are those who are on the web to make money, and you can't have their stuff for free.

To that I'd say; take your stuff and go home. Your stuff is exactly what ruined the web in the first place.

That stuff that you've consumed wasn't free, those hobbyists paid for it out of the pocket. Sure, some can afford to do this to this day, but this doesn't scale. Nowadays internet is too populous and expectations are set too high for this to keep working.

Sure, I was one of the ones that paid for it out of my own pocket.

> Nowadays internet is too populous and expectations are set too high for this to keep working.

I agree with you on both counts, and would like to see a return to a niche web that doesn't work for most people.


P.S. I realise how unlikely that is, so it's not something I'd waste energy on. What I do think is worth thinking about though, is how impossible certain companies are making it for the niche web of the early days to even exist in its own little corner.

> I agree with you on both counts, and would like to see a return to a niche web that doesn't work for most people.

That would be a web without Google, and in fact any search engine at all. Do you really want to go back to 1990 level of functionality?

A thousand times yes, but again, I know that's not something that's possible.

What I'm objecting to is it not being possible for even the old farts like me who want it. Google and co.'s contributions to things like e-mail and websites have made it more and more unfeasible to self-host and manage these services. It's a bit like how you're _technically_ free to farm your own food, only not really because you can't comply with the regulations surrounding growing crops (no I'm not kidding, Google and gasp).

I think expectations are set too low nowadays.

Man, that's so "unclassy" of those millionaires.

It was a surprise to me for sure. On the other hand, maybe being aggressively, pathologically grabby is how a lot of people become millionaires.

Exactly. I know at least one that bought a box of paper clips 30+ years ago and still uses the same ones today.

Nothing is free.

So people pay with their privacy, some because they are tricked into it, some because they don't care.

Point is that invaison of privacy is bad and you should not have even an option to trade it for "free shit".

That is far from certain. I happily pay for Netflix and other services that provide high quality content without ads. Consider reading Jaron Lanier's books or content, there is another way.

And there lies problem. You pay 10 bucks a month to behemoth, but would you pay 1 cent to the site which gives you less value than Netflix? That would be way impractical. So the smaller sites have to turn to ads and tracking to keep the lights on

That's the problem Brave is trying to solve. Micropayments have been a potential niche for cryptocurrencies, it just hasn't taken off (yet), even though there's a lot of crypto related "innovations" (DeFi, NFT's, whatnot).

You're posting this as a HN contributor or as a freeloader?

That's so weird, I don't pay any money to Ycombinator. And yet, no cookie popups!

That's because Hacker News _is_ the ad. It helps promote YCombinator itself, by adding prestige.

But as ads go its really benign. No tracking, no constant in your face reminders, no retargeting etc...

I'm not sure if that was their goal when launching HN, but it definitely helps their brand image now.

We're talking about tracking cookies, not ads.

You're being pedantic. Tracking cookies are, in general, in support of ads.

Which is irrelevant, since the converse does not need to be true - we are talking about tracking cookies.

Postulate 1: This website is free.

Postulate 2: This website does not use tracking cookies.

Theorem 1: Tracking cookies are not required for free websites to exist.

Postulate 3: This website is an ad.

Theorem 2: Ads do not require tracking cookies.

Note that my original comment asserted Theorem 1 only.

There are many forms of free. One of them is that the free product supports the paid product in some manner which is the case with HN and Y Combinator. Something similar applies with the lightly branded content marketing sites and reports that many companies sponsor. Ad-supported is just one approach, albeit a common one.

It was advertising companies that started this trend of giving shit away for “free”. Before then people were used to paying for services.

> "Before then people were used to paying for services."

… and/or were more often genuinely grateful for things that were given freely and generously …

Hah, as a European I feel that way about how sales tax is handled by businesses in the US.

Sounds like the McDonald's character assassination of that woman that got burned

Gotta love American's way of doing business

Tangentially-related, but it's funny that you should say that, and in as many words.


the us tax system would like a word with you.

What’s a better design for asking for consent?

Don't prompt for consent unless there is a concrete benefit to the particular user you are asking, and in that case make the trade off clear.

In other words, for all these news sites doing it, "just stop".

1. Default deny – to begin with.

2. In the event (1) is too much to ask, all website importing our privacy setting from a unified service where we can do our privacy customisation once and for all.

Most of the banners swap the confirmation, cancel and allow all buttons. Don’t do this. Most of the banners also swap the direction of the on off toggles so it looks opposite of what action you’re taking. Don’t do this either.

Instead, have a simple modal with confirm and cancel in the proper locations, and just use checkboxes. Have every one deselected to start with as if someone is viewing that modal they’re likely about to disable all of them.

Standardized consent first of all, so I know how to get out of useless modal windows as fast as possible.

I think this is key. The opt out must be as easy as the opt in. The common practice seems to be press "ok" to opt in. Then click on "more information" to opt out. But "more information" takes you to a Byzantine click through maze. If it were legally mandated what the allowed language and also graphic design language for this was then much of the problem would be alleviated.

Take the DNT (do-not-track) request for an answer.

> You don't need a cookie banner to be allowed to create Cookies. You only need them if you're using them for something like tracking.

That is a common misunderstanding of the ePrivacy Directive [1][2]. It applies to all cookies (and "similar devices") that are not "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user". And "strictly necessary" is quite a high bar.

(not a lawyer)

[1] https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... See especially (25).

It’s not that high. Here’s an official opinion on some usecases that meet the bar and some that don’t: https://ec.europa.eu/justice/article-29/documentation/opinio...

Generally, it matches my expectations. Shopping carts, sessions, and even most user preferences are fine and don’t need a banner. Worst case a small “uses cookies” text next to a language change button is enough.

It is still very strict. For example, here is what the document you link has to say about cookie lifetimes for shopping carts:

"A cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average user or subscriber. This suggests that cookies that match CRITERION A and B will likely be cookies that are set to expire when the browser session ends or even earlier. However, this is not always the case. For example, in the shopping basket scenario presented in the following section, a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant’s website in the following minutes."

So? That's totally what I'd expect from a shopping cart cookie. I don't expect something I put in a cart to be there the next day (I will have bought it somewhere else).

I was using the website for a Dutch big box hardware store (Gamma) today, and it had a door stopper I was looking to purchase half a year ago in my shopping cart. I never finished that transaction. That kind of retention is just pointless.

While I do agree keeping items in the cart for a year is not what users expect, if someone puts something in their cart, closes the browser, and then comes back the next day, I think most e-commerce sites would still list the item. And I think that's generally something users want.

It’s worth noting that you do not need cookies to store shopping cart details if you have a user account system. You can store their cart in a database and associate it with a user account.

A session based cookie can then be used to store your identity in a short term session, and the server can easily gather long-term storage on its own.

I think it’s a fair compromise to say “if you want to save this cart, please log in”, which satisfies opt-in data tracking in a user friendly way. You aren’t mandating a user account, but if you opt in you get something potentially useful.

My principle complaint about most of the discourse on this topic is that it is superficial. There are reasonable workarounds for most user-friendly tracking that allow for tacit opt-in via responsible and clear UX. The “hard parts” seem to generally concern the type of tracking that isn’t so clearly user-friendly, such as behavior tracking and PII collection, which is a conversation we should be having anyways without obfuscating the issue by pretending it’s about the easy stuff.

I think just about the only "essential" cookies to ensure functionality would be session cookies. But I would be surprised to learn that the point is to eliminate useful cookies. Shopping cart cookies, when designed so they are not shared with 3rd parties, are benign and should not require an opt-in. That's my opinion on most cookie-based functionality, really. Client-side state is useful for a lot of user-friendly functionality.

For example, remembering things like Dark Mode, pop-up re-sizing, slider locations (volume for example) are all legitimate use cases that I would prefer as a user to be isolated per client.

I think that works if the site clearly says that your preference will be stored. On the other hand, if it's just a "dark mode" checkbox or something, my reading of the directive is that isn't enough?

I don't want to have to make accounts on websites just for them to remember what is in my cart for my next visit. I don't like having more accounts, especially if I'm not yet sure if I'm going to buy from them.

Since the site does not know you are leaving, it doesn't have any opportunity to prompt you and ask whether you would like to save your cart (and if it did I would find it pretty annoying)

If I go to an e-commerce website and I am not signed in to, add a bunch of stuff to my cart and leave, I have absolutely no expectation the cart will persist until the next day, and I really don’t think you should either. Not only is it in an unreasonable expectation as an end user, but also it sounds like an absolute nightmare for businesses (Do you hold physical inventory for things in the cart? What about price changes or products are discontinued? Etc).

In practice, sellers do deal with this. The most common approach is that putting something in the cart does not reserve it or maintain a fixed price. Then if availability or pricing changes, they flag that to the user when viewing the cart.

Also, you initially asserted that the regulations were strict for any and all cookie usage. The person replying to you provided plenty of evidence to the contrary, and now you’re bringing up incredibly niche edge cases, to what end I’m not sure. I think it would be more productive to just concede that the regulations aren’t as strict as you stated.

Most companies will not be compliant unless they do one of (a) get consent from users or (b) hire a lawyer to review each of the things they do in the context of ePrivacy, and make corresponding changes to keep everything within the bounds of "strictly necessary". I'm bringing up these 'edge cases' as part of showing that most sites would have changes they would need to make if they wanted to stop asking for consent from users, and that these changes are not obvious and go beyond removing tracking.

> I don't expect something I put in a cart to be there the next day

I do. I use the shopping cart as a staging area sometimes when deciding what to buy. In fact, I don't really see a good reason for a shopping cart ever lose items I put in it until I explicitly remove them or they stop being available, since the whole point of a cart is to express intent to buy.

The whole point of a shopping cart is for items that you are going to buy--not for things you may (or may not) buy tomorrow. It's a shopping cart. Not a bookmarking service. You don't go into a physical grocery store, put things in your shopping basket, leave, and expect them to be there when you walk in the next day.

That is your interpretation of shopping carts in web stores. Other people add things to their cart as they need to replace eg: items in the stationery cupboard, then checkout once a week. Some people use the cart as a form of Wishlist, or a picking list while evaluating similar products.

At the very least if a site doesn’t offer Wishlist, shipping list or other bookmarking facilities I would expect the shipping cart to give me a cookie that lasts at least three days to cover the weekend or the option to create an account to save that shopping list/cart to come back to later.

The metaphor is imperfect. It is a staging area for orders in practice, and people like to be able to use it that way. I often build up a shopping cart on several sites while trying to figure out where is the best place to buy from (especially in cases with a shipping is a large proportion of the overall price) and sometimes this takes me several days.

Often you need only the session cookie. Everything else can go into the database indexed by that cookie. This is especially safe if the user has an account and won't lose the data if the cookie is lost.

I think I would understand was is meant by an "information service", but what exactly is an "information society service"? Such odd wording -- does it have a specific meaning?

It's a legal term the EU came up with to cover things like websites and apps in a technology-agnostic manner.

Surely if someone has instructed the website to remember a setting, then that cookie was explicitly requested by the user?

Storing something in response to an explicit user request seems fine without additional consent, though you still need to explain to users how the cookies are used to fulfill their request. [1]

On the other hand, there are many things that sites do that are not fully explicit. For example, shopping sites often show you items you have recently viewed to facilitate comparisons, or a news site showing ads might want to make sure they don't show you the same one over and over. That doesn't sound to me like it is strictly necessary for the functioning of the site?

[1] "users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using"

Couldn't sites wait to ask for cookie permission until the actually user tries to do something that may benefit from a cookie? Like put text and a link with an explanation next to buttons to change the theme or regions which may contain recently viewed items.

Preferably this would use a browser cookie setting. I know you use cookies to store my settings, I don't need you to ask. Please stop asking.


I've been wondering about that. I have a simple web app and I'd like to gather some basic statistics about what users do, which pages they visit... Not to spy on people, not to share with anyone else, just to have some insight on how to make the app better. The app is just a toy program people use for fun, you couldn't possibly argue that any stats I'd be collecting could be used maliciously. It seems to be difficult to do that while respecting the GDPR and without some annoying pop-up though?

Technical answer: You can use Differential Privacy[1] to collect such data (“what percentage of users used this feature?”, “What is the distribution of time between visits?”, etc) without collecting any data about individuals. Some projects already do this and there are open source libraries that do the math for you.

However, I don’t think the regulations have an explicit safe harbor along the lines of “You’re fine as long as the math checks out”. Perhaps if it did, we wouldn’t be in such a mess.

(A passive observer that sees a JSON POST wouldn’t know that you’re using differential privacy. It would look like typical telemetry. They’d have to read your code or look at multiple samples and notice that the data looks random)


Do you really need cookies for this or could you also use your server logs for this?

Per default you could not gather statistics but ask inside you app if people are willing to participate in making the app better and if they would agree to accept some cookies for this reason.

I don't need cookies for this. However, AFAIK the GDPR doesn't just apply to cookies, it applies to any data retention, or at least anything that could be tied to an IP address or a certain user.

Maybe the key is to have stats that are purely anonymous, eg, how many people visited this page.

Right, I focused on cookies here. Yes you could just cut the IP out of the logs and check the visited sites and requested resources.

If you're using server logs, without any cookies or other client-side storage, then the ePrivacy Directive is not relevant and you're thinking about the GDPR. Unlike ePrivacy, the GDPR is specifically concerned with personal data, so if you are careful in how you set up your logs you can generally still collect good analytics on how people use your site without accidentally collecting data on how a specific person uses your site.

(still not a lawyer)

plausible analytics claims to not need consent as it does not do user level tracking or issue clienside state.


Do you really need to know which pages a particular user visits, or just which pages are visited frequently.

The latter is easily gathered from web server logs, the former sounds like a case of "I want to do this bad thing (spying on users) for good reasons", and the law only cares that it's a bad thing, not about your reasons (or arguably it does care slightly about your reasons, but not in enough detail to accommodate your use case). Laws being rather blunt tools and reasons being rather hard to divine.

You might want to know, in aggregate, which paths users take through your site so you can make it better. This requires cookies, and the cookies are not, in my reading, essential for the site to function.

Yes... Agreed on both points.

You can get a bit of that via referrers, but not as much as you would like.

Just do it server side, with a unique session token.

How do you assign individual web requests to a session without cookies?

Add a session id to the URL and all generated links, I'd guess. Still probably not any more legit than a cookie, though.

I wouldn't be surprised if that fell under "similar devices", just like localStorage.

generate a random ID in js when your page starts, set it in the context and send it as a header on every request

While might not be caught easily, you‘r still not compliant with GDPR by doing it all on the server without consent.

GDPR only applies to PII. If you're just collecting anonymous session tokens you're fine (it's what comes "out of the box" if you host your webapp on AWS for example, you'll see an AWS correlator ID in the request headers)

Cookie banners predate the GDPR: they were initially for the (much older) ePrivacy Directive, though many sites now have combination consent gathering flows for ePrivacy+GFPR.

For your specific question, I think the Planet49 ruling gets pretty close. "It does not matter whether the cookies constitute personal data or not - Article 5(3) of the e-Privacy Directive (i.e. the cookie consent rule) applies to any information installed or accessed from an individual's device." [1]

(still not a lawyer)

[1] https://www.twobirds.com/en/news/articles/2019/global/planet...

Yeah, item 25 is interesting, but the way I read this it's more about the informative links instead of the click-to-allow ones

> strictly necessary in order to provide an information society service explicitly requested by the subscriber or user".

Sounds to me then that login/customizations are allowed

I was under the impression that for something like a session token stored in a first-party cookie you don't need consent. The second paragraph refers to both GDPR and ePrivacy directive.

> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user. [1]

> Receive users’ consent before you use any cookies except strictly necessary cookies. [1]

[1] https://gdpr.eu/cookies/

It depends on what you're doing with the session cookie. If it is just for holding shopping cart items or tracking whether you are logged in, I agree with you. But there are many first-party things sites want to do which are probably not "strictly necessary".

This is the correct answer. Nobody needs to ask for cookies that are required for providing the service. They choose to annoy people.

Nobody is thinking about it that hard. Half the sites don't need it but they don't know for certain they don't need it, so they stick it in to be on the safe side because throwing a plugin on that adds it is about a 2 minute job and actually figuring out if they need it requires a lot more work.

Path of least resistance wins.

> Half the sites don't need it but they don't know for certain they don't need it, so they stick it in to be on the safe side...

That's a pretty bold claim, even steel-manning it. I personally only ever see it on sketchy sites. If you're right, then it would just take a campaign of education to halve the annoyingness rate of the internet.

StackOverflow and the StackExchange sites have one. Not sure how you define “sketchy sites” but the practice is pretty widespread among sites that are regularly linked on HN.

Not sure what you're getting at?

I looked just now on StackOverflow in incognito and saw no obnoxious pop-up.

Agreed. The practice is widespread among sites regularly linked on HN.

I get a popup every single time I visit Stackoverflow because I click reject all every time.

Just checked again (not even incognito) and it's there.

Your privacy

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.

Accept all cookies

Customize settings

They are the worst of any collection of sites I regularly use. They take up a quarter of the screen, refuse to remember your opt out choices from day to day, regardless of whether you are signed in or not, and don't respect your choice when you go between different StackExchange communities.

OK, so where is this education?

I've read this entire thread and I still don't know when I would need to prompt for cookies, or even if I need to prompt if I store everything serverside and id the visitors with a session token in URLs.

There is no easy-to-understand definitive answer for the common use cases.

> I've read this entire thread and I still don't know when I would need to prompt for cookies...

Well that's the problem, right there! You're reading random HN threads to get this information. Why not go to the source?


The law itself is fairly easy to read and understand if you're a software developer.


Here is what looks to be pretty respectable commentary on when it triggers. Essentially, if you collect any sort of personal data whatsoever: https://gdpr-info.eu/issues/personal-data/

If you store information that can identify the user, e.g. if you collate a user's IP address, you are almost certainly collecting personal data.

Don't, if you can help it. If you must, that same site has some general guidance on how to collect consent: https://gdpr-info.eu/issues/consent/

Read there more info on how to comply with the data collection. Essentially, if it is personal data, you must give the person informed control over their data, including the ability to withdraw consent at any time, in which case you must delete it.

  $ wc cookie-regs 
    4198  54871 354380 cookie-regs
54,000 words? Significant fines for non-compliance, even in the form of errors? And this is a legal spec, not a software spec, so there's no validating my implementation? And the terms are subject to possible change and different interpretations as one could get sued in any country?

Or just put up the cookie notice and not worry.

Dotan, I'm dropping into this thread after all that drama. I'm upset that you were insulted like that. That was unnecessary.

Anyway, if you feel the need to implement a cookie pop-up to feel safe, I get it.

The GDPR is really meant to protect users' rights to control their own data. If you implement that single principle in good faith, there won't be any gotcha moments where the EU cyber police fines you over some obscure clause in 50 thousand words of legalese.

It's really the people who ignore or circumvent that principle who will be crushed.

In my opinion, you will be serving your clients better if you take the time to understand the GDPR rather than annoying your client's users by cargo-culting UX from companies that are skirting or ignoring the law.

If you do want to cargo-cult anyway, you could do worse than to crib from the EU website itself. Just saying.


Thanks, but I don't mind the insult. Quite the opposite, I do think that those who display an inability or unwillingness to learn should be shunned from the profession. I should have invested the time to write a response that clarified my position that legal compliance should be taken liberally, rather than just declaring that I don't understand law.

For what it's worth, I completely agree with the spirit of the GDPR and don't really have an issue with the implementation - it's far better than not having it.

>And the terms are subject to possible change and different interpretations as one could get sued in any country?

Do you have examples of this? I mean the different interpretations meaning that one country could sue you for an implementation that was deemed fine in another one.

I do not have examples, my field is software not law. My skill is identifying possible attack vectors, whether or not they've been exploited.

>My skill is identifying possible attack vectors, whether or not they've been exploited.

Ok, but EU legal systems (after Brexit) I think are all Napoleonic systems and not common law, furthermore as the 'cookie law' is a directive and not an actual law and is thus supposed to be imposed the same way across all EU lands I don't think this could be as exploitable as it might otherwise be.

  > ...Napoleonic systems and not common law, furthermore as the
  > the 'cookie law' is a directive and not an actual law...
And the fact that I have no idea what "Napoleonic systems" are, nor what "common law" is and how that differs from non-common law, nor what the difference would be between a "directive" and an "actual law", all shows why I won't understand that fifty thousand word spec.

Of course, I could go get an education in law. Or I could implement the cookie popup.

You are supposed to know what civil law and common law is, this is part of general school education. The same goes for the difference between regulation, directive and national law, in case you are an EU resident.


You don't appear to have the aptitude to educate yourself when you notice that something confuses you or you are ignorant about a topic, c.f. post id=29529880.

I think it would be reasonably charitable to assume that when the poster uses I in that post they are using it as shorthand for a hypothetical person that needs to decide whether or not they should implement cookie popup, and not a complete admission of ignorance or disinterest in learning anything on their part.

To me it reads GGP meant exactly as he wrote it. You have given no reason to back the assumption that the pronoun "I" refers not to himself, but to some other hypothetical person. Therefore I find that unreasonably charitable.

You are correct, I am using the literal "I" to refer to myself specifically.

I actually don't mind the personal attack, as I also believe that we should encourage a higher bar to entry than is currently acceptable for software developers.

I do not live in the EU. I did not learn what civil law nor common law is, neither did I learn the difference between regulation, directive and national law. Out of interest, I work with people who grew up in France, Russia, the United States, and Argentina in addition to locals. I'll ask them if these terms are familiar to them.

Perhaps in fact I don't have the aptitude. Or more likely, I see the tradeoff between "understanding every nuance of a 50,000 word document in a field I'm unfamiliar with that carries severe penalties for my client" vs. "implement cookie warning" differently than you do.

OTOH, enlightenment about both terms is a simple Internet search away. Literally at your fingertips.

I could give you layman definitions good enough for this discussion in about half a dozen words each... But, hey, let's not reward auotingrained helplessness.

Ireland, Malta and Cyprus are common law jurisdictions.

Ok, thanks, I wasn't aware of that, although I guess I should have thought in the case of Ireland it was so. Still a pretty narrow problem area.

But even so as it's a directive I don't think it is open to interpretation the way a law might be.

The cookie notices as implemented are not, in most cases, valid.

> Well, it's basically malicious compliance.

I get what you mean but technically its not compliance, as the law requires a simple yes no option. Definitively malicious though.

But even those ones are annoying and push the boundaries of “simple yes/no”.

Or deceitful, where the reject all only covers the "consent" option, but every vendor has a second "legitimate interest" option.

Unfortunately in Germany that’s not true. Putting anything in someone’s computer without their approval is now considered illegal. Therefore even if you’re just using Matomo stats or anything that isn’t tracking and just functional you need to ask for permission. That is idiotic and doesn’t solve the issue at hand at all

That is a common misconception in the industry here in Germany but that doesn't make it true. I was often told to add a Cookie Consent banner even for sites that don't use any Cookies at all. Fact is, you don't need a Cookie Consent banner for functional cookies.

The issue with Matomo is that even though nicer than Google Analytics it is optional for the working of the website, so it should only activate if the user consents.

There is some serious cargo culting regarding these kind of laws going on. I remember back in the day that you would add "I don't take responsibility for the external links" kind of disclaimers on every website. Or everyone thinking they need a Impressum (legal info/contact info) page on their website because it is required by law. (No only for commercial sites, which is reasonable.)

I largely agree. An Impressum/Imprint is however not only needed for explicitly commercial sites, but also for sites that are not purely personal. E.g. just earning some cents with an ad banner on your personal site means you need an imprint. There have been lots of lawsuits, it's really ugly, and I totally can understand that people want to be on the safe side.

Yeah it still good style to always provide Imprint.

I just listed it as an example where people don't understand the nuance around an issue. "You better provide some Imprint if you are in doubt" becomes "You are required by law to always have an Imprint"

Even if you don't earn a cent but the website is not only intended for close friends and family...

> Unfortunately in Germany that’s not true.

It is. There is no other law about cookies.

    This shall not prevent any technical storage or access for the sole purpose 
    of carrying out the transmission of a communication over an electronic 
    communications network, or as strictly necessary in order for the provider 
    of an information society service explicitly requested by the subscriber or 
    user to provide the service.
English version of the response from the EU court:


Part of this case at the german 'Bundesgerichtshof'.


There is now Art 25 TTDSG Deals with it. The law Was passes this month

TTDSG is finally a correct implementation of the 2005 ePrivacy directive. § 25 TTDSG literally just rephrases the exact ePrivacy requirements. The pendant to the above quote is § 25 Abs 2 Nr 1:

> Die Einwilligung nach Absatz 1 ist nicht erforderlich, wenn der alleinige Zweck [der Speicherung oder des Zugriffs] die Durchführung der Übertragung einer Nachricht über ein öffentliches Telekommunikationsnetz ist oder wenn [sie] unbedingt erforderlich ist, damit der Anbieter eines Telemediendienstes einen vom Nutzer ausdrücklich gewünschten Telemediendienst zur Verfügung stellen kann.

This shifts the consent down to the the feature:

>vom Nutzer ausdrücklich >gewünschten Telemediendienst >zur Verfügung stellen kann.

Now we have to document that the user wanted the feature that needs the cookie...

> Putting anything in someone’s computer without their approval is now considered illegal.

Citation needed.

Agreed that doesn’t make a lot of sense. You need to “put” html, css, images in the visitor’s computer just as much as you do a session cookie. How is one allowed and not the other?

It doesn't make a lot of sense. Now we have to interpret what was intended with the law.

What about In Browser databases? Or Javascript?

It's much more than just cookies that are stored on computers.

Art 25 TTDSG

"The storage of information in the end-user's terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679."

There is a second paragraph to this article that contains exceptions to this.

If it is absolutely necessary for the requested functionality then it is allowed. Therefore it doesn't really change anything.

I bet this will be settled in court

There is like 15 years of official guidance and case law on ePrivacy, with relevant guidance from the Art 29 Working Party (precursor to the current EDPB) published around 2014. But I don't think regulators are in a hurry to get into arguments about the finer points when the ePrivacy Regulation could be passed any year now, which would allow a more nuanced approach to cookies (e.g. allowing legitimate interest instead of consent).

Any year now for the last 4 years. I don't think the regulators want to got to court over this but noyb will


Why do you think this would result in a different outcome in Germany?

The language of the new law in Germany is virtually identical to the language of the EU directive. So why would it be different in Germany versus other countries in the EU that also have to implement the directive?

Following the German debate the courts and watchdogs interpretation of the law is that strictly necessary means that the functionality is not possible without cookies or other technology and the consent has to be of the same quality as per GDPR.

Privacy law in Germany is usually stricter than in other EU country's even if the text is identical.

Which is exactly what the EU directive intends. You are literally just stating the acceptable exceptions from the EU directive.

And the main argument of this thread initially was that you don't need to ask if you are only using cookies for such use cases.

I assume from your handle that you understand German (?):

This Podcast explains the topic much better than I could:

Rechtsbelehrung - Recht, Technik & Gesellschaft: TTDSG – Cookies unter Aufsicht – Rechtsbelehrung 102 https://rechtsbelehrung.com/102-ttdsg-cookies/

Matomo calls its cookies "tracking cookies":

> It’s possible to disable tracking cookies in Matomo by adding a line on the javascript code. When cookies are disabled, Matomo data will become slightly less accurate

So it seems there's no "functional cookies" in Matomo, and so all cookies from Matomo without consent popup is not in compliance. You can disable all Matomo cookies and allow for compliance:

> By disabling tracking cookies, you may also use Matomo without needing to display a cookie consent screen.

"Therefore even if you’re just using Matomo stats"

That's not functional though, is it?

I understand entirely the desire to use such a thing, to understand how your site is being used, but it's not functional in a "delivering service to the end user" way.

(Personally I like the way it sounds, analytics without signing over the world to Google, but it's still not functional)

Don't get me wrong, I love self-hosted analytics like Matomo, but there is never a situation where a cookie for any form of analytics is "functional".

What about affiliate systems? Knowing who referred you to the site when you purchase so they can get their cut.

Arguable either way in my opinion, but irrelevent because not analytics

False, since the BGH ruling in the "Planet49" case (judgment dated May 28, 2020 - I ZR 7/16), the following applies: Cookies and comparable technologies may only be used with consent in Germany as well, regardless of the processing of personal data. This is only different if the cookies are "absolutely necessary" for the technical provision of the respective service or they serve solely to transmit a message via a public telecommunications network.

So technically necessary cookies still don't need consent.

When you load a webpage you're putting images, text, and other files "in someone's computer."

I don't think it's as simple as that.

That sounds nonsensical, when people visit your website they run your code using their CPUs and electricity. You also get their attention and may even influence their heart rates and breathing patterns.

> Putting anything in someone’s computer without their approval is now considered illegal

Selling Windows by default with every computer is now illegal in Germany then?

I wish it was, but no, selling a computer system with Windows installed is consensual, either by explicit customer request or by the customer agreeing to a sale offer as advertised.

No one gets tricked into approval (here: buying) because every customer is able to request a different or no OS, or to reject an immutable sale offer; except if you think that not knowing what an operating system is and what it implies constitutes a trick, but that does not meet the legal definition.

Not malice, just lazy ass covering. It's easier to throw up a cookie banner and not get fined rather than reading laws and changing business practices instead and potentially get fined.

Also lawyers are expensive and many of them will just tell you to add a cookie banner to your site. They're also lazy and just trying to cover their asses too.

This could have easily been a requirement for web browsers.

Imagine if instead of the obnoxious cookie banner, browsers ship with a default “don’t accept cookies” or “don’t accept 3rd party cookies” setting. When a website needs to establish a session, the browser would prompt the user, “this website uses cookies to track…”

If the user gets annoyed with that setting, they could change the default to let any website use cookies.

It’s really obnoxious how this issues was pushed into website operators and not browsers.

"we value your privacy" I am offended every time I read that.

Most if not all legislation comes with unintended consequences, if it has any consequences at all. Usually they are entirely predictable. Then, when people adapt their behavior to stay out of trouble by doing objectionable but legal things, we don't blame the careless legislators, we blame those we knew or should have known would respond this way to the legislation as it was written.

And so it marches on - most legislation ends up making things worse instead of better, and there is no accountability because we blame the wrong people for it.


My favorite example are sites which require you to opt out of hundreds of third party processors individually (advertising partners who may receive data). That's as dark a pattern as it gets.

It's also in clear violation of how opt-out is actually supposed to work, at least in the EU.

And with the Do Not Track header, I shouldn't even have to opt out in the first place. A GDPR decision to that effect could solve this banner madness once and for all.

I don't remember the exact timeline but MS decision to enable DNT header by default was basically a poison pill for the entire concept before it had a chance. It would have failed one way or another though. Adtech industry doesn't give up that easily.

That's the argument I've heard from the ad industry, but I don't really buy it. Previously, the DNT header was missing by default, so it's presence could be seen as user intent to forbid tracked, while its absence is ambiguous. Afterwards, the DNT header was present by default, so its absence could be seen as user intent to allow tracking, while its presence is ambiguous. That's exactly what should be the case should be, where only explicit consent to be tracked counts.

Safari/Chrome/Firefox enable by default some ad-blocking today, just like they disable popups or screen for phishing sites.

The whole "users didn't opt in" thing was a false narrative manufactured by the ad industry. You don't need to ask a customer to disable bad behaviors without asking.

Or in others word, opt-in is not an option for the ad industry.

Do Not Track was a joke from the word go.

"Let's ask these bad actors to play nice, I'm sure they'll respect that, I mean, they probably think we all want to be tracked so let's just tell them we don't and it'll all be fixed. And make sure the option isn't obvious enough that normal people start to use it and ruin the whole thing".

> And with the Do Not Track header, I shouldn't even have to opt out in the first place. A GDPR decision to that effect could solve this banner madness once and for all.

Enforced DNT is part of the ePrivacy Regulation, which was supposed to launch alongside GDPR, but got delayed. Expect it to arrive somewhat soon.


IIRC, DNT header was such a failure that not even Firefox has it anymore: I think it's an abandoned feature.

No, Firefox still has it

Thanks for the correction!

At the very least, I've stopped setting it since no website respects it.

With DNT on, Medium actually behaves differently! When viewing an article with embeds (like an iframed YT video), each embed is replaced with a small privacy warning, then clicking it loads the embed.

> choose this obnoxious practice so they could continue with what they've been doing for years, which is monitoring every action a visitor does.

You're right, but I'd like to mention that, in pretty much every jurisdiction with laws like this, you cannot set or retrieve information from a user's computer without getting their consent first. Which means that accessing cookies on page load, then showing a consent banner, is no more protection then just not having a consent banner. I would always tell clients this, and even send them the relevant wording, but I don't believe it ever made the tiniest bit of difference because, as you say, they just want to keep tracking users.

The consent data collected by the cookie preference pane may not be GDPR compliant. IAB who created the TCF protocol appears to be losing the battle. https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-breach...

I'm not a lawyer, but I bet those buttons are legally binding.

Clicking "I accept" means you can't sue a website if they have your data.

I'm not sure but I don't see why those websites would annoy users.

> You don't need a cookie banner to be allowed to create Cookies. You only need them if...

You don't need a "banner." The requirement, as I understand it, is to be conspicuous. Conspicuous just means visible, easy to notice. Contrary to the industry's apparent position, conspicuous and obnoxious are not synonyms.

There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.

Trying to regulate the option for cookie preferences at the individual site level was always a stupid idea. The average person visits thousands of websites every year. Of course nobody is going to take the time to do that.

If the lawmakers in the EU were intelligent, they would have created a law that forced all web browsers to provide "X" privacy setting features for EU-domiciled users (where X is what they were aiming to achieve).

In addition to not burdening the entire world with time wasting popups all day, this option would have also had the bonus of not burdening millions of small businesses around the globe with complex regulation and legal liability.

Not to mention the total lack of enforceability of the current law when it comes to websites operated outside of the EU.

If done at the browser-level you really only have to police <10 companies.

I totally agree that this should be a browser setting.

However it’s not only about cookies: What we abusively call the cookie law and cookie popups are about tracking, and there are many ways to track you without cookies, some of which are not easily blocked by browsers.

Ideally the browsers would indicate the user’s preference via a headers (e.g. the DNT header) and websites would be constrained by law to obey that.

Sites could provide a cookies-manifest.json with the entities they provide data to. Then the browser could show a standardized cookie banner, if needed. The user could also disable the cookie banner completely, if they so desire.

> There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.

This. I've always had 3rd party cookies disabled at the browser level, and never noticed any website breaking. The "solution" by the EU has been terrible, and everyone just clicks "accept all".

3rd party cookies are orthoganal to tracking. There are tracking methods that don't need them, or need any cookie.

> If the lawmakers in the EU were intelligent

If bureaucrats helping create these laws were less out of touch. I think they are reasonably intelligent, they just don't know anything about technology. The criteria for selecting them is outdated.

Honestly this legend needs to die.

I've worked as a consultant for the EU Parliament and they are a lot more knowledgeable than you think and for things they are not, they hire consultants (like me)

There are a number of people directly elected in EU Parliament that have a background in technology, I personally know a couple or computer scientists, with lots of publications in their curricula.

Problem is the law cannot be written the way you are arguing about, that could be in the form of a directive not as a regulation[1], the regulation must be general enough and cannot address issues that have different legal bindings in the 24 EU countries.

[1] A "Regulation" is defined as a binding legislative act. It is immediately applicable in its entirety in all Member States and it overrules national laws. A "Directive" is a legislative act setting objectives that all EU countries must reach and translate into their national legislation within a defined time frame.

So if the law couldn't be written in a rational way without creating bizarre outcomes, then why create it at all?

When you create legislation, you're implicitly saying; "these rules we're writing down are important enough to enforce with the full monopoly on violence given the powers of government." The cookie popups seem extremely silly in that context.

I don't doubt you've run across some well-intentioned people. But as the saying goes, the road to hell is paved with good intentions.

Seeing a structurally dysfunctional system from the inside, and being able to empathize with the individuals in it, does not make the design of the system any less dysfunctional.

Cookie popups are bad, but they're pretty similar to a no smoking or no parking sign. In this case, it's the reverse. The whole internet bans cookies, but it informs you that you're entering a cookie zone.

These companies may think they're protesting the cookie law with popups but it's achieved what I expected it to achieve. It's given me fair warning that the site intends to track and monetize me, so I can walk away if I don't think it's worth it. And it adds a higher cost to it too.

> So if the law couldn't be written in a rational way without creating bizarre outcomes, then why create it all?

Nobody said that, I don't know why you're saying it, because it also makes no sense.

Do you also believe that we shouldn't have made murder illegal because murderer still exist?

There are always gonna be bizzare outcomes, pop-ups only speak about how lousy advertisers and tracking freaks are, but there have been certainly more bizzare outcomes, think about people refusing vaccines...

Compared to that pop-ups are just an annoyance that we can avoid by punishing the perpetrators directly not visiting their websites.

> But as the saying goes, the road to hell is paved with good intentions

it's all simple, until you have to convince hundreds of politicians to agree on a law that's gonna be enforced on 450 million people from 27 different countries, with 27 different legal systems.

Especially because many people that consider themseleves tech savy are more out of touch, e.g., thinking the privacy aspects could be solved through local cookie policies only, or that it would be a suitable solution to solve even just the cookie aspect in a nuanced, non-techie friendly manner.

Cookie consent should be the responsibility of user-agent cookie policy. And virtually all of the consent banners I've seen are about cookies. And I certainly think it has a better shot of being comprehensible by users in general than having a separate UI for consent for every site. Especially when it's in those sites' interest to confuse or annoy users into allowing the cookies.

In this thread I had the impression that the discussion widened to more than just cookie-banners, more general privacy on the web.

One of the problems I have with the pure-local approach is that I want certain cookies (or certain cookie functionality) of sites but not others. Some functionality I want and some I don't want can be implemented with the same cookie.

I think I would need tagged cookies (so I can disallow those that are used for things I don't want) as well as an assurance to not use the other cookies in the "wrong" ways.

That's why I think purely local cookie management is severly lacking and not suitable to tackle the problem in a user-friendly and nuanced manner - beyond an all-or-nothing approach.

I personally do not think a browser level approach can enforce the privacy goals without cooperation of (and therefore enforcement against the companies providing) the serverside implementation.

That, of course, does not mean that a browser level setting that has to be honored by the server side and can be transfered between sites would not be preferable to clicklists and banners.

Haha. Exactly. I just commented above that the better way to have written the regulation was to say, “Thou shalt honor Do Not Track.”

>There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it

GDPR is not only about browsers , it applies outside our web dev bubble. Then if the law was is only about cookie some "smart" webdev would use localStorage , if then we add localStorage then some other dev (probably working on Google Chrome) would create something new... so maybe those EU politicians and consultants are a bit smarter then you(no offense, maybe you are a smart person but either you are having the wrong perspective or you did not really thought more then 5 seconds about the problem).

Sorry, you’re mistaken.

Cookie popups weren’t the result of GDPR.

They were the result of the earlier “ePrivacy” directive from 2002 and revised in 2009.

Many people confuse these two pieces of legislation, but cookie popups were already an endemic problem long before GDPR.

I know that, my point still relevant because it was related to:

>There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.

This is really not a solution, browser already had a black and white option to allow cookies or not, or allow JS or not. The proposed idea is to give only 1 place where you can accept or not accept tracking, then you want to really read a website or your work/bank forces you to read a page and you have no choice then allow cookies for everything and accept all possible tracking because some HN web dev did thinks is mmuch smarter then a group of consultants. lawers and privacy advocates.

If tracking is legal then Allow/Disallow tracking should be per website and always should be 100% transparency on what is tracked and shared with, Tech people could create browser APIs for example, you could have a in browser cookie popup where web devs could populate the text message about "We care about privacy" , an array where web devs can populate with the names, links and terms of use for the 100+ partners. Then all websites will share same native popup, and implement it correctly with no dark patterns, there could be a 3 line extension to click allow or not allow for people that really want to accept or not accept. But this browser APIs won't happen because Google controls the web , Mozilla is on it's last breath and Safari is still screwing around with missing JS and Webgl features and other bullshit.

Edit: Also a simple law as propsed with "make cookies a setting for all websites per browser) is not good since you can use the localstorage,fingerprinting or other tricks to go around the law, so proposed idea is bad.

That true, but simion314 is still right that the law doesn't specifically target browsers.

The question is how would you regulate browsers? I would personally hate any regulation that government would try to do for software, because we know that the next thing they would do is ban encryption. No browser/IETF member would voluntarily do this for sure, not even firefox.

Firefox, safari, etc. already have pretty advanced anti-tracking and privacy features in place.

If you care about that sort of thing, you use those browsers and automatically make all cookie popups irrelevant. After that they simply turn into pure annoyances.

And no regulation was needed at all, since the free market has already satisfied those customer wants and found the optimal solution for all parties.

Legislation should be the absolute last resort to a problem that has proved otherwise unsolvable. This was not one of those problems.

I agree with what you said, but I was wondering about a little detail you mentioned:

> The average person visits thousands of websites every year.

Is this true? Is there any data that would back this? A commonly used argument comes to my mind, that for most internet users the internet is about a handful sites...

But you can't create an industry selling faux-compliance with only 10 companies!

In Finland, the law implementing the GDPR used to be interpreted so that browser settings were enough to opt out of cookies and you just had to inform the user about what cookies you were setting. This interpretation was suggested by Traficom (the government office in charge of traffic and telecommunications). Some individual complained to the Helsinki Administrative Court, which issued rulings (H1515/2021 and H1516/2021) stating that this interpretation is incorrect - as far as I understand, this is because browser settings cannot differentiate between necessary and optional cookies. The new Traficom advice requires the same annoying pop-ups as everywhere else in the EU.

But I agree it shouldn't technically be too hard to standardize the settings so that your browser could communicate to each site what the user consents to. The hard part is enforcing compliance - we already had Do Not Track, which had very little effect.

Laws that require software companies to implement a user choice should really contain some wording against dark patterns. EU lawmakers could have been warned: A similar thing happened back when Microsoft was forced to give users in the EU a choice of browsers, when they created the most confusing dialog possible and hoped that users would just click OK to Internet Explorer out of desperation.

For me personally, when those data protection laws where implemented, seeing the extent of the market for user tracking was a shock to me. The respect that I lost for actually quite a lot of companies as a consequence has informed some purchasing decisions. And I don’t think anybody would mind those banners if the opt-out option you want to click is reachable with a single, easily visible button.

Edit: Responses suggest that the GDPR already contains something to that effect. Glad to know. If that’s true, then I guess it’s time for court cases to sort this out.

By law, users must be given a clear yes/no option, companies just ignore that.

Support noyb if you want to improve the situation: https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...

There's a reason why facebook/meta/whatever calls Max Schrems "The Devil" internally, at least the Ireland division.

This. noyb.eu is doing an incredible work. I was hoping to see a link to their GDRP/cookie page in the comments. Thank you.

> Laws that require software companies to implement a user choice should really contain some wording against dark patterns

They do.

GDPR explicitly requires

- that denying is easier than accept

- that all choices are denied by default

- that there has to be a single "no" button, but individual "yes" buttons for every single choice

Just everyone breaks the law.

To add to that, we have the effect that some large $megacorps used these dark patterns in the beginning to see if they can get away with it and others unknowingly just copy it. I work as a webdev contractor and very often get requests by customers to implement the same (illegal) tracking popup, thinking they would be lawful as it is identical to what $megacorp uses.

> - that denying is easier than accept

> - that there has to be a single "no" button, but individual "yes" buttons for every single choice

GDPR requires neither of those explicitly, this is just the interpretation by most regional Data Protection Commissioners.

> but individual "yes" buttons for every single choice

This is misleading at best - there can be an "Accept All" Button.

You wrote:

> GDPR requires neither of those explicitly, this is just the interpretation by most regional Data Protection Commissioners.

No. https://gdpr-info.eu/recitals/no-32/ says:

> When the processing has multiple purposes, consent should be given for all of them

You wrote:

> This is misleading at best - there can be an "Accept All" Button.

No. https://gdpr-info.eu/recitals/no-32/ says:

> Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

The legal text of the GDPR explicitly bans pre-ticked boxes for types of consent. You have to manually tick each box individually.

> should really contain some wording against dark patterns Something like: "Default option must be 'no tracking cookies'"? Software companies would find a way to complicate things.

They should just make the tracking forbidden in general.

They should have just said, honor the “Do Not Track” signal from the browser.

This is all it should have ever been. People say don't blame the cookie law but no, indeed, the architects of the cookie law are to blame. When you have crafted a bad law with poor enforcement, it looks like the consent nightmare we live with today.

Click yes or no? I don't want to waste a click more than once to say no everywhere. The pain and fallout of these rules and regulations is squarely on Schrems and others who have "pioneered" these awful laws.

I haven't accepted it. Out of all the websites i've designed over the years, exactly 0 have cookies for visitors. When there is login for members, then there is a cookie which is not used for tracking (but rather for providing the service the member asked for) and therefore legally does not require a consent banner.

Would that I could give you more than an upvote. Are these your personal or business sites, or for employers and clients? If the latter, how do you combat the hunger for analytics that drive non-users into users?

It's not all personal, but it's all unrelated to business. As an anarchist, I refuse to work on projects i find unethical, which includes any form of profit-driven project. Sorry i can't give you pointers on how to hack around capitalism, my only solution is pure abolition :-)

I should note that i'm also not a professional hacker. Programming/sysadmin is more of a passion than a trade to me, and i'm just a lowly amateur unworthy of much praise.

But to be fair, there's amazing non-profits and worker cooperatives building cool software (Framasoft comes to mind). If only more fellow hackers stopped working for evil bosses and started to work for public interest...

How does one find out more about this scene, and more importantly does it actually provide you with enough income to live on? (Rent is expensive in cities)

There's not exactly a centralized directory of cool tech coops, but there's a few places that list some or where they hang out. [1] There's also a fair bunch of coop orientation in the XMPP/ActivityPub ecosystems.

Some projects are driven by direct donations, some others via grants (all NLNet-supported projects) and business partnerships (Blender foundation), some provide paid services to fund R&D (SourceHut).

Overall, it's technically possible to derive a decent income from such schemes, but that's not exactly widespread. Many dedicated hackers will work for minimum wage or less, but some will arrange either:

- to reduce their expenses, by moving to cheaper places [2] or living in shared flats or communities; if you're organized as a collective even food and furniture can have close-to-zero cost [3]

- or to have a high-wage part-time job on the side, or support contracts to pay the bills; if you get half-time to work on your pet projects, that's already quite an achievement

Overall, building a cooperative economy asks the question of where does the money go? The more autonomy we can achieve, and the more money we can "recycle" into other cooperatives, the less of our resources leak into the pockets of the 1%.

So yes, if you make a really cool project people appreciate and/or can depend on for their business, you can sure make a living out of it: just be sure to use copyleft licenses (eg. aGPLv3) so you're not scammed out of your work by big businesses. But personally, i'm more interested in non-profits driving R&D with a vision (like Framasoft does with the Degooglize Internet campaign and eg. Peertube/Mobilizon project).

[1] for example libreho.st, chatons.org (french-speaking) for hosting coops

[2] for example in France, if you don't insist on living in the big cities, you can find places to rent for close to free once you subtract housing support from the rent ; i guess the same is true in many places

[3] skipping unsold food from (super)markets or growing food in the backyard; we could also mention utility hacking for free electricity/water but i can't say most devs i know do that

Thanks for this. Didn't know about the 'tech co-op' scene, so appreciate the detailed info!

Hmmm...so you are an anarchist (so don't want government) but also think profit seeking is unethical?

I'm genuinely curious what mechanism you would like society to function under? Like why would people...do stuff if not for value in exchange?

Honestly the only thing I came up with is basically if you forcibly modified humans in one generation, making people want to help each other for no benefit to themselves. Then, abolish the government I'm the next generation so this group of modified-humans runs with no profit motive or government. So it's like super dark and authoritarian, but only for a little bit?

Anyway, this was a fun thought exercise for me so thanks!

> Like why would people...do stuff if not for value in exchange?

People do stuff because they're curious or bored. Because they want to help and feel useful. Sure if you've worked all your life, you may spend a few months just doing nothing and just reconnecting with your inner feelings and environment. But after a while i can assure you you won't be able to stand lying around: pathological laziness is very rare. [0] Many people without employment suffer from not having a sense of purpose.

But what about the tasks nobody wants to do, like collecting garbage? Why can't we distribute those tasks? Why would a certain caste of people have to do the unpleasant tasks for others? If some task is a burden to the community, it's only fair the unpleasantness is distributed somewhat-equally. If i lived in a big city, i personally wouldn't mind collecting garbage once or twice a year, and the value i would derive from that would be that all garbage including mine is duly collected. [1]

Likewise, why would i help another person with some task i'm competent with? It can come out of simple empathy, but there's another way to look at it. The capitalist system treats exchanges as a zero-sum game where if i don't get my share at every step of the way i'm getting screwed because someone else will have it. A Commune without private property [2] treats exchanges as some form of creative process: the more we share, the more we have, and the more we can share... the better off everyone is in the end.

> Honestly the only thing I came up with is basically if you forcibly modified humans in one generation, making people want to help each other for no benefit to themselves.

Haha, that sounds like a pretty cool scenario for a movie in which you're not sure if it's a utopia or dystopia. Can't wait for the trailer to come out ;)

> Anyway, this was a fun thought exercise for me so thanks!

Cool! It can be more than a thought experiment, though. No person (myself included) is going to come up with the solutions to all our problems. The point of anarchism is that distributing power (so that everyone has a voice) is a prerequisite for finding the better outcomes for everyone. This can be practiced in every field of life on a daily basis.

If you enjoyed the thought experiment, i can only recommend to read some more anarchist literature: i've personally profoundly enjoyed Emma Goldman's autobiography, among others. Submedia's Trouble [3], in video form, documents various questions/practices related to anarchism.

[0] I hear Devon Price has some good works lately on that topic, but i haven't given it a read yet.

[1] Of course in a better world, we wouldn't have a garbage-oriented society. Capitalism produces waste on so many levels it's hard to imagine a less-efficient system. I take this example because that's something all people who live in cities can relate to.

[2] Private property does not designate personal belongings. Of course in a free Commune everyone still has personal stuff. Property is the authority derived from a piece of paper over resources you have no use of.

[3] https://sub.media/c/trouble

Why do you find profits unethical as an anarchist? Capitalism is not a form of government.

TLDR: Capitalism is a form of government historically and in the present. Even if it was not (as suggested by right-wing libertarians like Ayn Randt), anarchism stands against all power over others (read authority/domination/privilege/exploitation) not just government.

"Property is theft" is a famous quote by Proudhon [0], who was the first person to coin the term "anarchist" to describe a desire for Freedom & Equality as complementary goals which should never be opposed. By this, he means that profit is always derived from someone else's exploitation downstream: for example, as computer people, even by working "ethical" jobs, we still widely profit from the exploitation of miners and factory workers in the Global South who produce our devices, and from the pollution and climate change (that also mostly affects the Global South) derived from that. It's also worth noting, as we've seen at the height of the COVID lockdowns, that the people the most essential to society (food/health, logistics, maintenance/construction workers) are also those who get the smallest share of the pie.

Private property is the State religion that makes it possible to have homeless people yet millions of empty dwellings, and that core tenet of capitalism is enforced by the Nation State and its police/military forces [1]. This, despite the fact that many jurisdiction (including the law in France since the liberation in 1945) explicitly allows authorities to requisition empty dwellings to prevent civil disorder ("trouble à l'ordre public"). Capitalism relies on early indoctrination (via childhood education) and a great amount of physical force/threats in order to perpetuate itself. Why do we have to pay to live? Because if you don't pay rent, some psychopaths with guns are gonna knock down your door and kick you out.

Would there be equality without a centralized government? Sure, some influential person could employ a militia (as already happens despite our having a central police [2]), but:

- the scale of that would be fairly limited to crush popular unrest, compared to a Nation State's forces

- without a central State to indoctrinate since childhood (preparing us for competition in a cruel world) and ensure millions of people live in misery (and have to take the job) it would be harder to mount such schemes

- the incentives would be more balanced: if we can live decently and quietly (as most people desire), what interest would i have to attack someone else's community for a corrupt overlord?

- power would be more balanced: in many parts of the world (including France), the State has a legal monopoly on justified violence which makes community vulnerable by not having a right to arm and defend themselves

Both outcomes are possible if we abolish the State from one day to the next (anarcho-capitalism and anarcho-communism). However, given the history of capitalism and the sheer amount of national force it took to set that up (eg. armies colonizing foreign countries, public schools to teach the young to fuck other people before they fuck you and that "copying is cheating"), i would argue that tearing down such centralized structures may bring us closer to our tendencies for empathy and mutual aid which are common throughout animal societies. [3]

Overall, anarchism is focused on distribution of power, responsibilities, and resources: in society at large, in the family, in the workplace, in interpersonal relationships... It's not focused on "rights" as a legal construct but on the practical power you can yield as an individual. Sure, in a capitalist society we are all "free" to own a castle just like we are all "free" to get decent healthcare: but if we aren't given the practical means to achieve this "right", it's entirely meaningless.

Or, as Bakunin put it: "liberty without socialism is privilege, injustice; socialism without liberty is slavery and brutality.”

To finally answer your question, i'm not morally opposed to making a profit in this profit-driven society in order to survive. I'm also not morally opposed to cooperatives making a profit in order to build a parallel economy. What matters to me is the next step: how to build a society based on needs and desires, not profit. Or, as the old anarchist saying goes: "To each according to their needs, from each according to their capacity".

On a high-level, you need money because everybody else needs money: the carpenter needs to pay the peasant, who needs to pay the plumber, who needs to pay the baker... Workers cooperatives, when they have a sense of revolutionary purpose [4], can be a trojan horse that extracts money form our overlords in order to build material autonomy that can lead to the irrelevance of profit. Money is an abstract layer of indirection, and at each step leaks into the pockets of the owners.

Having lived for quite a while in communities where money is irrelevant [5], I personally feel that in order to achieve our goals, it's much more efficient to base the discussion on actual needs and how to build concrete autonomy [6] rather than center the talk about monetary goals in which we can loose sight of what we were trying to accomplish in the first place.

I hope to have answered your question.

[0] If you're interested in cooperative economy and don't read what he has to say about women and the jews, his writings are sound. Fortunately the more recent anarchist movement (since the last quarter of the 19th century) has evolved to be fundamentally incompatible with misogyny and racist sentiment and to be on the frontlines against such power structures (see for example the rise of anarcha-feminism since the 1930s).

[1] The military is not just a construct against foreign invasion, as seen throughout the history of the workers emancipation movement and the many times armies have been called to bloodily suppress strikes and other forms of popular uprising. Although since the second half of the 20th century, modern Nation States have developed "counter-insurgency" techniques in which the military becomes a last resort, and focus is placed on both propaganda and cooptation on one hand, and more vicious political repression on the other hand (targeted assassinations, legal proceedings, mutilation by police forces, etc).

[2] In the squatting scene, that's not unheard of. Bigger landlords often have ties to different strains of mafia. In other spheres of life, you could probably read about Pinkerton (the history as well as modern occurrences such as Amazon's anti-union campaign), about the Coca-Cola murders in South America, or about companies such as Ikea mounting their own intelligence agency.

[3] See also the recent HN threads about Kropotkin and his studies on mutual aid.

[4] Unlike recent straits of workers coops who have been coopted by capitalism (so-called social economy) which is only concerned about working conditions and not about broader social questions.

[5] We do use money to interface with some segments of society, but in a squat/Commune you can as an individual live without money if you don't have any, and still find purpose and access to resources. Also worth noting, some interactions with neighboring structures is not necessarily based on money: it's not uncommon for a local market/bakery to give away "dying" foods, for neighbors to help out one another on construction work, etc.

[6] Autonomy is not independence. Noone is truly independent, and autonomy accepts and accounts for inter-dependence relationships.

I was worried by the size of this reply that it was some kind of copy-pasta at first. That doesn't seem the case. I am genuinely interested in digesting this and giving you a thoughtful reply, but it will take some time.

I use Plausible, which gives me enough useful information to run my website, but doesn't collect any more than needed. It's a lot less useful than Google Analytics, but it's a big privacy and UX improvement for my readers.

My personal website has no tracking at all.

I use the "I don't care about cookies" browser extension with "Cookie AutoDelete". Cookies are managed client-side, those banners are redundant. The purpose of open standards is that you can have a user-agent that does whatever you want it to do, so take advantage of that.

Cookie banners are the dictionary definition of a meme. They give the site makers a piece of mind, helping them sleep better at night, even if they may have no other practical purpose. Other site makers see them and reproduce them because it gives them the same piece of mind, exposing the banners to more site makers. Obviously, there are better ways to get a piece of mind as webmaster, but you'd need first to explain the problem to a lot of people before anything changes.

Cookies are not the only way to tack you.

Websites can track you with localStorage, ETag headers and other cache-based methods, etc.

Some methods don’t event require any persistence on the client side, e.g. fingerprinting.

Cookie Autodelete also takes care of things like local storage and various caches.

There's not much you can do about fingerprinting though. You can try to limit it in firefox with the resist-fingerprinting option, but that has its limits.

And besides all that, most people use the same public IP address anyway…

peace of mind, not a piece of mind

I like them. They are a sure signal which websites to avoid. Same as 'allow notification' banners.

Although, to be honest, some (smaller) sites do it just because 'everybody does that' and they think they have to to comply to the law.

It hasn't made me stop visiting any sites because the banners are almost omnipresent, but I've started using incognito mode way more, so I can blindly accept whatever the site wants me to.

An ad provider might connect your incognito session with your regular session. Especially if you blindly click “accept”, since then you might agree to being tracked across sessions and devices.

Well, many sites include cookies to link devices as required cookies anyway. So even if you reject the rest, you are still accepting some form of "device linking". It's hopeless.

A clickbaitey site I visited recently detected incognito mode and would not let me in. I don't remember if it had a simple overlay or missing content, since I immediately went away.

> I like them. They are a sure signal which websites to avoid. Same as 'allow notification' banners.

Agreed. I learned to ignore banners, but when I see a modal forcing me to do an action before proceeding, I can be 100% sure they're up to something slimy. So most of the time I just give up, I don't care that much about your website to lose my precious time clicking on stupid buttons.

Same here. It's very off-putting, no matter how interested I am in the content. Some other such deterrents for me are the usual autoplaying media, newsletter popups, and blog-spam recommendations.

Lately, I've also included in-your-face code of conduct or diversity rules, and fixed-position author portraits in blogs.

For YouTube it's opening with "hey guys!11!", forced hand gestures, manic editing (where pauses between phrases are shorter than between words), and superfluous stock imagery.

Life's too short and it's only getting shorter.

yeah, i've set firefox to always reject notification and location requests unless i override it (for e.g: notifications for whatsapp web or a few other websites) - i'd rather not waste the mental energy being grumpy at a site for requesting location for the most trivial crap.

This approach doesn’t seem viable. The banners are on >95% of the sites I visit.

Same for me. But now it's mostly 'used to visit'.

I hate them. But yes, whenever I see a banner, I close the browser tab. And that happens to more and more sites, which tell me: more and more sites are crap. I'm better off living without them.

It's a checklist item in marketing agencies

The worst part is, after all this time, most users are desensitized by all the banners and ads that pop up so they click whatever button they can to get rid of it. I’m guilty of it myself.

This isn’t the privacy solution we needed. It hasn’t changed the way users are tracked — it’s only annoyed people. The law needs to be reshaped to punish abusive companies, not users.

California has a warning for cancer-causing chemicals and sites. It's called the Prop 65 Warning.

And it's _everywhere_. Turns out there are qualifying cancer-causing agents around every corner. Including gas stations, and no one doesn't go to the gas station because of the posted Prop 65 Warning.

So everyone ignores it. It has no effect for all the trouble they took to implement it.

There's a great Safari extension for this called Hush[1].

After installing this, I rarely see any cookie popups.

[1] https://oblador.github.io/hush/

And this https://www.i-dont-care-about-cookies.eu/ for a number of other platforms like Firefox and Chrome, and it's recommended by Firefox.

uBlock Origin will take care of blocking tracking popups/banners for you if you enable the "EasyList cookie" filterlist in the settings. It is not activated by default.

My life became so much better when I activated EasyList. Makes me wonder why is it not activated by default.

There is too much to gain from tracking website visitors. Most companies that run websites would rather subject visitors to the pop-up in order to satisfy the law, than to remove tracking.

The blame is at least partly on the economic models of the modern web. Tracking increases the payout of ads, ads are the main source of revenue... cookie popups allow this all to continue.

Without a fundamental reshaping of the web economy, this isn't likely to change.

> Without a fundamental reshaping of the web economy

That's actually quite easy: leave any webpage with cookie banners as fast as possible. Or at least disable everything.

That's exactly what makes it hard: you need everybody to do the same (ok, a majority, but that's not as dramatic :)).

Of course that's true too :)

The problem is that most people blame 'the EU'.

To add to that, the world's economy depends on capital growth, at any cost(pun intended). Considering the blow to GDP if those trillions disappeared, the governments & policy makers would never let that happen.

I love the banners! Sites don't need them for basic functionality, so when you see one you know that you're at a site out to sell your data and violate your privacy.

I feel like I can immediately tell how shady a site is by how annoying and passive aggressive their cookie banners are.

You can't, really. Analytics, and the type of compliance that comes with it, may be the responsibility of site operators, but it is usually never in the operators' wheelhouse. So instead of tailoring a solution for their specific sites, operators outsource this to an industry leader. The banners tell you little about the site operators, and a lot about the adjacent industry.

What do you generally do when you get faced by a popup and the site has the content you need? If you just click yes, then it would have been better if EU just regulated privacy policy to be more readable. It would be easier for sites and better for users who don't care about privacy, and in some ways better for users like you who care about privacy.

But 99 % of websites use cookie banners, even when it’s unnecessary, so it doesn’t really tell you anything.

I am bitterly disappointed by Atlas Obscura in that respect. I really liked them before their GDPR malicious compliance dark pattern revealed themselves to be sketchy.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact