
Well, it's basically malicious compliance. They're supposed to be super annoying because the people who need them do things which have been deemed unacceptable by the legislature. Instead of complying, they choose this obnoxious practice so they can continue with what they've been doing for years, which is monitoring every action a visitor does.

You don't need a cookie banner to be allowed to create cookies. You only need them if you're using them for something like tracking.

A session cookie, selected theme, etc. are all fine without that banner.




> Well, it's basically malicious compliance.

Agreed. I can't think of a more widespread and effective campaign by an entire industry to gaslight their customers into hating a regulation more than the invasive practice that is being regulated.


Exactly. We should attack the core issue here; tracking is a form of invasion of privacy and should be banned in general.


The core issue is people want free shit.


No, the core issue is that advertisements are not enough for them, they want personal data too.

Giving someone with a website an image that they put up there is simple and requires zero cookies. If your goal is to have people see that banner this is literally all you need to do.

But of course advertisers want targeted ads, they want to get metrics (they don't care how truthful those metrics are, but who cares right?).


I don't think most websites honestly care about personal data. What most sites want to know is what anonymous users are doing on their sites so they can improve them.

I for one need this data on a daily basis to help me decide how to make products better. I think the legislation doesn't do its job properly. Why not force it so that, like Apple, the browser informs the websites that they don't want to be tracked; then it is the website's issue if they are caught tracking. Or all browsers forcibly obscure a user's PII.


I have made a living selling a software product for more than ten years without any behavior tracking at all. I just don't think tracking users is necessary.

Analytics companies that try to sell their analytics will of course tell you that you need analytics, but I just don't think it's true.

The only analytics I need are sales numbers. When they go up, I know I'm on the right track :)

The way I learn about my customers is that I put my email address on every page of my website. And then I read emails that folks send me, and this way I learn way more about my customers than any analytics could tell me, all without invading someone's privacy.

(There is one exception: My apps do send crash reports, but they only send stack traces, no user data, and I don't log any identifiable info like IP addresses.)


No idea what product you make, but thank you! Yours is a company I would like doing business with.


The advertisers whose advertisements are shown care. And because they pay more for targeted ads the website cares.

The ad industry believes targeted ads are cheaper and more effective in aggregate than un-targeted ads.

Also if the website is selling PII to “partners” as another revenue stream the website cares.


The ad industry used to target ads by aiming at a publication’s audience or subscriber base. The publication would conduct surveys or do Nielsen rating type measures to get a sense who their audience was.

When publications online went from trying to build an audience to trying to drive traffic we ended up with the situation we have now. They don’t have audiences anymore, they have atomized bits of content without much in the way of editorial voice or culture to tie it together. They care not one whit about making their site a destination, just trying to chum the waters for whatever will bring in a catch of fresh eyeballs.


Exactly. I think even if people were to pay for visiting a website, there would still be ads or tracking because that's too profitable a thing to let go.


Or maybe billions of venture funding created unrealistic growth expectations. This turned otherwise good businesses into data hogs.


Nah. People have always wanted free shit. I once volunteered at an event for fancy people. Occasionally we would put out some moderately cool free shit. I saw a lot of people worth millions to hundreds of millions leaping into the scrum for things that they could buy for $50-100.

People wanting free shit is a constant. The problem is how we channel that desire, which is very much in our control.


This "you can't have free stuff" argument I've seen way too many times now is based on a false premise.

You _absolutely_ can have free stuff. I remember the web when it was run by hobbyists, and that's exactly how it worked. What people who use the "no free stuff" argument really mean is that there are those who are on the web to make money, and you can't have their stuff for free.

To that I'd say; take your stuff and go home. Your stuff is exactly what ruined the web in the first place.


That stuff that you've consumed wasn't free; those hobbyists paid for it out of their own pockets. Sure, some can afford to do this to this day, but this doesn't scale. Nowadays the internet is too populous and expectations are set too high for this to keep working.


Sure, I was one of the ones that paid for it out of my own pocket.

> Nowadays internet is too populous and expectations are set too high for this to keep working.

I agree with you on both counts, and would like to see a return to a niche web that doesn't work for most people.

EDIT:

P.S. I realise how unlikely that is, so it's not something I'd waste energy on. What I do think is worth thinking about though, is how impossible certain companies are making it for the niche web of the early days to even exist in its own little corner.


> I agree with you on both counts, and would like to see a return to a niche web that doesn't work for most people.

That would be a web without Google, and in fact any search engine at all. Do you really want to go back to 1990 level of functionality?


A thousand times yes, but again, I know that's not something that's possible.

What I'm objecting to is it not being possible for even the old farts like me who want it. Google and co.'s contributions to things like e-mail and websites have made it more and more unfeasible to self-host and manage these services. It's a bit like how you're _technically_ free to farm your own food, only not really because you can't comply with the regulations surrounding growing crops (no I'm not kidding, Google and gasp).


I think expectations are set too low nowadays.


Man, that's so "unclassy" of those millionaires.


It was a surprise to me for sure. On the other hand, maybe being aggressively, pathologically grabby is how a lot of people become millionaires.


Exactly. I know at least one that bought a box of paper clips 30+ years ago and still uses the same ones today.


Nothing is free.

So people pay with their privacy, some because they are tricked into it, some because they don't care.

Point is that invasion of privacy is bad and you should not have even an option to trade it for "free shit".


That is far from certain. I happily pay for Netflix and other services that provide high quality content without ads. Consider reading Jaron Lanier's books or content, there is another way.


And there lies the problem. You pay 10 bucks a month to a behemoth, but would you pay 1 cent to a site which gives you less value than Netflix? That would be way impractical. So the smaller sites have to turn to ads and tracking to keep the lights on.


That's the problem Brave is trying to solve. Micropayments have been a potential niche for cryptocurrencies, it just hasn't taken off (yet), even though there's a lot of crypto related "innovations" (DeFi, NFTs, whatnot).


That's so weird, I don't pay any money to Ycombinator. And yet, no cookie popups!


That's because Hacker News _is_ the ad. It helps promote YCombinator itself, by adding prestige.


But as ads go it's really benign. No tracking, no constant in your face reminders, no retargeting etc...


I'm not sure if that was their goal when launching HN, but it definitely helps their brand image now.


We're talking about tracking cookies, not ads.


You're being pedantic. Tracking cookies are, in general, in support of ads.


Which is irrelevant, since the converse does not need to be true - we are talking about tracking cookies.

Postulate 1: This website is free.

Postulate 2: This website does not use tracking cookies.

Theorem 1: Tracking cookies are not required for free websites to exist.

Postulate 3: This website is an ad.

Theorem 2: Ads do not require tracking cookies.

Note that my original comment asserted Theorem 1 only.


There are many forms of free. One of them is that the free product supports the paid product in some manner which is the case with HN and Y Combinator. Something similar applies with the lightly branded content marketing sites and reports that many companies sponsor. Ad-supported is just one approach, albeit a common one.


You're posting this as a HN contributor or as a freeloader?


It was advertising companies that started this trend of giving shit away for “free”. Before then people were used to paying for services.


> "Before then people were used to paying for services."

… and/or were more often genuinely grateful for things that were given freely and generously …


Hah, as a European I feel that way about how sales tax is handled by businesses in the US.


Sounds like the McDonald's character assassination of that woman that got burned.

Gotta love Americans' way of doing business.


Tangentially-related, but it's funny that you should say that, and in as many words.

https://youtu.be/hX2aZUav-54


The US tax system would like a word with you.


What’s a better design for asking for consent?


Don't prompt for consent unless there is a concrete benefit to the particular user you are asking, and in that case make the trade off clear.

In other words, for all these news sites doing it, "just stop".


1. Default deny – to begin with.

2. In the event (1) is too much to ask, all websites import our privacy settings from a unified service where we can do our privacy customisation once and for all.


Most of the banners swap the confirmation, cancel and allow all buttons. Don’t do this. Most of the banners also swap the direction of the on off toggles so it looks opposite of what action you’re taking. Don’t do this either.

Instead, have a simple modal with confirm and cancel in the proper locations, and just use checkboxes. Have every one deselected to start with as if someone is viewing that modal they’re likely about to disable all of them.


Standardized consent first of all, so I know how to get out of useless modal windows as fast as possible.


I think this is key. The opt out must be as easy as the opt in. The common practice seems to be press "ok" to opt in. Then click on "more information" to opt out. But "more information" takes you to a Byzantine click through maze. If it were legally mandated what the allowed language and also graphic design language for this was then much of the problem would be alleviated.


Take the DNT (do-not-track) request for an answer.


> You don't need a cookie banner to be allowed to create Cookies. You only need them if you're using them for something like tracking.

That is a common misunderstanding of the ePrivacy Directive [1][2]. It applies to all cookies (and "similar devices") that are not "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user". And "strictly necessary" is quite a high bar.

(not a lawyer)

[1] https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... See especially (25).


It’s not that high. Here’s an official opinion on some use cases that meet the bar and some that don’t: https://ec.europa.eu/justice/article-29/documentation/opinio...

Generally, it matches my expectations. Shopping carts, sessions, and even most user preferences are fine and don’t need a banner. Worst case a small “uses cookies” text next to a language change button is enough.


It is still very strict. For example, here is what the document you link has to say about cookie lifetimes for shopping carts:

"A cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average user or subscriber. This suggests that cookies that match CRITERION A and B will likely be cookies that are set to expire when the browser session ends or even earlier. However, this is not always the case. For example, in the shopping basket scenario presented in the following section, a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant’s website in the following minutes."


So? That's totally what I'd expect from a shopping cart cookie. I don't expect something I put in a cart to be there the next day (I will have bought it somewhere else).

I was using the website for a Dutch big box hardware store (Gamma) today, and it had a door stopper I was looking to purchase half a year ago in my shopping cart. I never finished that transaction. That kind of retention is just pointless.


> I don't expect something I put in a cart to be there the next day

I do. I use the shopping cart as a staging area sometimes when deciding what to buy. In fact, I don't really see a good reason for a shopping cart to ever lose items I put in it until I explicitly remove them or they stop being available, since the whole point of a cart is to express intent to buy.


The whole point of a shopping cart is for items that you are going to buy--not for things you may (or may not) buy tomorrow. It's a shopping cart. Not a bookmarking service. You don't go into a physical grocery store, put things in your shopping basket, leave, and expect them to be there when you walk in the next day.


That is your interpretation of shopping carts in web stores. Other people add things to their cart as they need to replace eg: items in the stationery cupboard, then checkout once a week. Some people use the cart as a form of Wishlist, or a picking list while evaluating similar products.

At the very least if a site doesn’t offer wishlist, shopping list or other bookmarking facilities I would expect the shopping cart to give me a cookie that lasts at least three days to cover the weekend or the option to create an account to save that shopping list/cart to come back to later.


The metaphor is imperfect. It is a staging area for orders in practice, and people like to be able to use it that way. I often build up a shopping cart on several sites while trying to figure out where is the best place to buy from (especially in cases where shipping is a large proportion of the overall price) and sometimes this takes me several days.


While I do agree keeping items in the cart for a year is not what users expect, if someone puts something in their cart, closes the browser, and then comes back the next day, I think most e-commerce sites would still list the item. And I think that's generally something users want.


It’s worth noting that you do not need cookies to store shopping cart details if you have a user account system. You can store their cart in a database and associate it with a user account.

A session based cookie can then be used to store your identity in a short term session, and the server can easily gather long-term storage on its own.

I think it’s a fair compromise to say “if you want to save this cart, please log in”, which satisfies opt-in data tracking in a user friendly way. You aren’t mandating a user account, but if you opt in you get something potentially useful.

My principal complaint about most of the discourse on this topic is that it is superficial. There are reasonable workarounds for most user-friendly tracking that allow for tacit opt-in via responsible and clear UX. The “hard parts” seem to generally concern the type of tracking that isn’t so clearly user-friendly, such as behavior tracking and PII collection, which is a conversation we should be having anyway without obfuscating the issue by pretending it’s about the easy stuff.


I think just about the only "essential" cookies to ensure functionality would be session cookies. But I would be surprised to learn that the point is to eliminate useful cookies. Shopping cart cookies, when designed so they are not shared with 3rd parties, are benign and should not require an opt-in. That's my opinion on most cookie-based functionality, really. Client-side state is useful for a lot of user-friendly functionality.

For example, remembering things like Dark Mode, pop-up re-sizing, slider locations (volume for example) are all legitimate use cases that I would prefer as a user to be isolated per client.


I think that works if the site clearly says that your preference will be stored. On the other hand, if it's just a "dark mode" checkbox or something, my reading of the directive is that that isn't enough?


I don't want to have to make accounts on websites just for them to remember what is in my cart for my next visit. I don't like having more accounts, especially if I'm not yet sure if I'm going to buy from them.

Since the site does not know you are leaving, it doesn't have any opportunity to prompt you and ask whether you would like to save your cart (and if it did I would find it pretty annoying).


If I go to an e-commerce website that I am not signed in to, add a bunch of stuff to my cart and leave, I have absolutely no expectation the cart will persist until the next day, and I really don’t think you should either. Not only is it an unreasonable expectation as an end user, but also it sounds like an absolute nightmare for businesses (Do you hold physical inventory for things in the cart? What about price changes or discontinued products? Etc).


In practice, sellers do deal with this. The most common approach is that putting something in the cart does not reserve it or maintain a fixed price. Then if availability or pricing changes, they flag that to the user when viewing the cart.


Also, you initially asserted that the regulations were strict for any and all cookie usage. The person replying to you provided plenty of evidence to the contrary, and now you’re bringing up incredibly niche edge cases, to what end I’m not sure. I think it would be more productive to just concede that the regulations aren’t as strict as you stated.


Most companies will not be compliant unless they do one of (a) get consent from users or (b) hire a lawyer to review each of the things they do in the context of ePrivacy, and make corresponding changes to keep everything within the bounds of "strictly necessary". I'm bringing up these 'edge cases' as part of showing that most sites would have changes they would need to make if they wanted to stop asking for consent from users, and that these changes are not obvious and go beyond removing tracking.


Often you need only the session cookie. Everything else can go into the database indexed by that cookie. This is especially safe if the user has an account and won't lose the data if the cookie is lost.


I think I would understand what is meant by an "information service", but what exactly is an "information society service"? Such odd wording -- does it have a specific meaning?


It's a legal term the EU came up with to cover things like websites and apps in a technology-agnostic manner.


Surely if someone has instructed the website to remember a setting, then that cookie was explicitly requested by the user?


Storing something in response to an explicit user request seems fine without additional consent, though you still need to explain to users how the cookies are used to fulfill their request. [1]

On the other hand, there are many things that sites do that are not fully explicit. For example, shopping sites often show you items you have recently viewed to facilitate comparisons, or a news site showing ads might want to make sure they don't show you the same one over and over. That doesn't sound to me like it is strictly necessary for the functioning of the site?

[1] "users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using"


Couldn't sites wait to ask for cookie permission until the user actually tries to do something that may benefit from a cookie? Like put text and a link with an explanation next to buttons to change the theme or regions which may contain recently viewed items.


Preferably this would use a browser cookie setting. I know you use cookies to store my settings, I don't need you to ask. Please stop asking.


Yes.


I've been wondering about that. I have a simple web app and I'd like to gather some basic statistics about what users do, which pages they visit... Not to spy on people, not to share with anyone else, just to have some insight on how to make the app better. The app is just a toy program people use for fun, you couldn't possibly argue that any stats I'd be collecting could be used maliciously. It seems to be difficult to do that while respecting the GDPR and without some annoying pop-up though?


Technical answer: You can use Differential Privacy[1] to collect such data (“what percentage of users used this feature?”, “What is the distribution of time between visits?”, etc) without collecting any data about individuals. Some projects already do this and there are open source libraries that do the math for you.

However, I don’t think the regulations have an explicit safe harbor along the lines of “You’re fine as long as the math checks out”. Perhaps if it did, we wouldn’t be in such a mess.

(A passive observer that sees a JSON POST wouldn’t know that you’re using differential privacy. It would look like typical telemetry. They’d have to read your code or look at multiple samples and notice that the data looks random)

https://en.m.wikipedia.org/wiki/Differential_privacy
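The aggregate counting that comment describes, as an added example that is not from the thread or from any library: randomized response, the simplest local differential privacy mechanism, applied to "what percentage of users used this feature?". The function names, the `p_keep` parameter and the simulated population are my own assumptions.

```python
"""Randomized response: each client perturbs its own yes/no answer
before sending it, so the server never receives a truthful per-user
value, yet can still recover an unbiased estimate of the population
rate. (Added example; not code from the thread.)"""
import math
import random


def randomized_response(truth: bool, p_keep: float, rng: random.Random) -> bool:
    """Client side. With probability p_keep report the true answer,
    otherwise report a uniformly random answer.

    P(report=True | truth=True)  = p_keep + (1 - p_keep) / 2
    P(report=True | truth=False) =          (1 - p_keep) / 2
    """
    if rng.random() < p_keep:
        return truth
    return rng.random() < 0.5


def epsilon_for(p_keep: float) -> float:
    """Privacy loss of a single report: the log of the largest ratio
    between the two conditional probabilities above, i.e.
    epsilon = ln((1 + p) / (1 - p)). The classic two-coin version
    (p_keep = 0.5) gives ln 3."""
    if not 0.0 < p_keep < 1.0:
        raise ValueError("p_keep must be strictly between 0 and 1")
    return math.log((1.0 + p_keep) / (1.0 - p_keep))


def estimate_rate(yes_reports: int, n_reports: int, p_keep: float) -> float:
    """Server side. Invert the mechanism:
    observed_rate = p * true_rate + (1 - p) / 2
    so true_rate = (observed_rate - (1 - p) / 2) / p.
    Sampling noise can push the raw value slightly outside [0, 1];
    it is clamped for reporting."""
    if not 0.0 < p_keep < 1.0:
        raise ValueError("p_keep must be strictly between 0 and 1")
    if n_reports <= 0:
        raise ValueError("need at least one report")
    observed = yes_reports / n_reports
    noise_floor = (1.0 - p_keep) / 2.0
    true_rate = (observed - noise_floor) / p_keep
    return min(1.0, max(0.0, true_rate))


def simulate(true_rate: float, n_users: int, p_keep: float, seed: int = 0) -> dict:
    """Constructed population (assumption): each of n_users used the
    feature with probability true_rate. Returns what the server sees
    (only randomized reports) and what it concludes."""
    rng = random.Random(seed)
    reports = [randomized_response(rng.random() < true_rate, p_keep, rng)
               for _ in range(n_users)]
    yes = sum(reports)
    return {
        "n": n_users,
        "yes_reports": yes,
        "observed_rate": yes / n_users,          # what a passive observer sees
        "estimated_true_rate": estimate_rate(yes, n_users, p_keep),
        "epsilon": epsilon_for(p_keep),
    }


if __name__ == "__main__":
    for key, value in simulate(true_rate=0.30, n_users=20_000, p_keep=0.5).items():
        print(f"{key}: {value}")
```

With p_keep = 0.5 and a 30% true rate the server observes roughly 40% "yes" reports, which any individual report alone cannot be distinguished from; the estimator recovers the 30% only in aggregate.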


Do you really need cookies for this or could you also use your server logs for this?

By default you would not gather statistics, but ask inside your app if people are willing to participate in making the app better and whether they would agree to accept some cookies for this reason.


I don't need cookies for this. However, AFAIK the GDPR doesn't just apply to cookies, it applies to any data retention, or at least anything that could be tied to an IP address or a certain user.

Maybe the key is to have stats that are purely anonymous, e.g. how many people visited this page.


Right, I focused on cookies here. Yes you could just cut the IP out of the logs and check the visited sites and requested resources.


If you're using server logs, without any cookies or other client-side storage, then the ePrivacy Directive is not relevant and you're thinking about the GDPR. Unlike ePrivacy, the GDPR is specifically concerned with personal data, so if you are careful in how you set up your logs you can generally still collect good analytics on how people use your site without accidentally collecting data on how a specific person uses your site.

(still not a lawyer)


Plausible Analytics claims to not need consent as it does not do user level tracking or issue client-side state.

https://plausible.io/


Do you really need to know which pages a particular user visits, or just which pages are visited frequently?

The latter is easily gathered from web server logs, the former sounds like a case of "I want to do this bad thing (spying on users) for good reasons", and the law only cares that it's a bad thing, not about your reasons (or arguably it does care slightly about your reasons, but not in enough detail to accommodate your use case). Laws being rather blunt tools and reasons being rather hard to divine.


You might want to know, in aggregate, which paths users take through your site so you can make it better. This requires cookies, and the cookies are not, in my reading, essential for the site to function.


Yes... Agreed on both points.

You can get a bit of that via referrers, but not as much as you would like.
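One way to get the page-level numbers these comments describe (counts from server logs with the IP cut out, and the limited one-hop paths that referrers give you), as an added example that is not from the thread: a parser over constructed Combined Log Format lines that discards the client IP and User-Agent before anything is aggregated. The hostname `example.test`, the sample lines and the function names are assumptions of mine.

```python
"""Page-level analytics from an access log with no cookies and no
per-user identifiers. Only the request path, status and (for our own
host) the referrer path survive parsing; the IP and User-Agent are
matched so the line parses and then dropped. Internal referrers give
one hop of "which page led to which" and nothing more, which is the
limit of referrer-based path analysis. (Added example.)"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Combined Log Format as written by Apache / nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

OUR_HOST = "example.test"  # assumed hostname of the site being analysed

# Constructed sample lines (assumption); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /pricing HTTP/1.1" 200 2310 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /pricing HTTP/1.1" 200 2310 "https://search.example/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /signup HTTP/1.1" 200 1800 "https://example.test/pricing" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "https://example.test/" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:15 +0000] "GET /missing HTTP/1.1" 404 150 "-" "curl/8.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return only the non-identifying fields of one log line, or None
    if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    internal_ref = None
    ref = m.group("referer")
    if ref != "-":
        parts = urlsplit(ref)
        if parts.hostname == OUR_HOST:          # external referrers are not kept
            internal_ref = parts.path or "/"
    return {
        "path": m.group("path"),
        "status": int(m.group("status")),
        "internal_referrer": internal_ref,
    }


def aggregate(log_text: str) -> dict:
    """Page views, error counts and one-hop internal transitions.
    Static assets are skipped so they do not inflate page counts."""
    views, errors, transitions = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].startswith("/static/"):
            continue
        if rec["status"] >= 400:
            errors[rec["path"]] += 1
            continue
        views[rec["path"]] += 1
        if rec["internal_referrer"] is not None:
            transitions[(rec["internal_referrer"], rec["path"])] += 1
    return {"views": dict(views), "errors": dict(errors),
            "transitions": dict(transitions)}


if __name__ == "__main__":
    for section, counts in aggregate(SAMPLE_LOG).items():
        print(section)
        for key, n in counts.items():
            print(f"  {key}: {n}")
```

Note that the two hits from 198.51.100.7 are not linked to each other anywhere in the output; the "/pricing -> /signup" transition comes from the referrer on the second request alone.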


Just do it server side, with a unique session token.


How do you assign individual web requests to a session without cookies?


Add a session id to the URL and all generated links, I'd guess. Still probably not any more legit than a cookie, though.


I wouldn't be surprised if that fell under "similar devices", just like localStorage.


Generate a random ID in JS when your page starts, set it in the context and send it as a header on every request.


While it might not be caught easily, you're still not compliant with GDPR by doing it all on the server without consent.


GDPR only applies to PII. If you're just collecting anonymous session tokens you're fine (it's what comes "out of the box" if you host your webapp on AWS for example, you'll see an AWS correlator ID in the request headers)


Cookie banners predate the GDPR: they were initially for the (much older) ePrivacy Directive, though many sites now have combined consent-gathering flows for ePrivacy+GDPR.

For your specific question, I think the Planet49 ruling gets pretty close. "It does not matter whether the cookies constitute personal data or not - Article 5(3) of the e-Privacy Directive (i.e. the cookie consent rule) applies to any information installed or accessed from an individual's device." [1]

(still not a lawyer)

[1] https://www.twobirds.com/en/news/articles/2019/global/planet...


Yeah, item 25 is interesting, but the way I read this it's more about the informative links than the click-to-allow ones.

> "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user".

Sounds to me then that login/customizations are allowed


I was under the impression that for something like a session token stored in a first-party cookie you don't need consent. The second paragraph refers to both GDPR and ePrivacy directive.

> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user. [1]

> Receive users’ consent before you use any cookies except strictly necessary cookies. [1]

[1] https://gdpr.eu/cookies/


It depends on what you're doing with the session cookie. If it is just for holding shopping cart items or tracking whether you are logged in, I agree with you. But there are many first-party things sites want to do which are probably not "strictly necessary".


This is the correct answer. Nobody needs to ask for cookies that are required for providing the service. They choose to annoy people.


Nobody is thinking about it that hard. Half the sites don't need it but they don't know for certain they don't need it, so they stick it in to be on the safe side because throwing a plugin on that adds it is about a 2 minute job and actually figuring out if they need it requires a lot more work.

Path of least resistance wins.


> Half the sites don't need it but they don't know for certain they don't need it, so they stick it in to be on the safe side...

That's a pretty bold claim, even steel-manning it. I personally only ever see it on sketchy sites. If you're right, then it would just take a campaign of education to halve the annoyingness rate of the internet.


StackOverflow and the StackExchange sites have one. Not sure how you define “sketchy sites” but the practice is pretty widespread among sites that are regularly linked on HN.


Not sure what you're getting at?

I looked just now on StackOverflow in incognito and saw no obnoxious pop-up.

Agreed. The practice is widespread among sites regularly linked on HN.


I get a popup every single time I visit Stackoverflow because I click reject all every time.

Just checked again (not even incognito) and it's there.

Your privacy

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.

Accept all cookies

Customize settings


They are the worst of any collection of sites I regularly use. They take up a quarter of the screen, refuse to remember your opt out choices from day to day, regardless of whether you are signed in or not, and don't respect your choice when you go between different StackExchange communities.


OK, so where is this education?

I've read this entire thread and I still don't know when I would need to prompt for cookies, or even if I need to prompt if I store everything serverside and ID the visitors with a session token in URLs.

There is no easy-to-understand definitive answer for the common use cases.


> I've read this entire thread and I still don't know when I would need to prompt for cookies...

Well that's the problem, right there! You're reading random HN threads to get this information. Why not go to the source?

https://ec.europa.eu/info/law/law-topic/data-protection_en

The law itself is fairly easy to read and understand if you're a software developer.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

Here is what looks to be pretty respectable commentary on when it triggers. Essentially, if you collect any sort of personal data whatsoever: https://gdpr-info.eu/issues/personal-data/

If you store information that can identify the user, e.g. if you collate a user's IP address, you are almost certainly collecting personal data.

Don't, if you can help it. If you must, that same site has some general guidance on how to collect consent: https://gdpr-info.eu/issues/consent/

Read there for more info on how to comply with data collection. Essentially, if it is personal data, you must give the person informed control over their data, including the ability to withdraw consent at any time, in which case you must delete it.


  $ wc cookie-regs
    4198  54871 354380 cookie-regs

54,000 words? Significant fines for non-compliance, even in the form of errors? And this is a legal spec, not a software spec, so there's no validating my implementation? And the terms are subject to possible change and different interpretations as one could get sued in any country?

Or just put up the cookie notice and not worry.


Dotan, I'm dropping into this thread after all that drama. I'm upset that you were insulted like that. That was unnecessary.

Anyway, if you feel the need to implement a cookie pop-up to feel safe, I get it.

The GDPR is really meant to protect users' rights to control their own data. If you implement that single principle in good faith, there won't be any gotcha moments where the EU cyber police fines you over some obscure clause in 50 thousand words of legalese.

It's really the people who ignore or circumvent that principle who will be crushed.

In my opinion, you will be serving your clients better if you take the time to understand the GDPR rather than annoying your client's users by cargo-culting UX from companies that are skirting or ignoring the law.

If you do want to cargo-cult anyway, you could do worse than to crib from the EU website itself. Just saying.

https://ec.europa.eu/info/law/law-topic/data-protection/data...


Thanks, but I don't mind the insult. Quite the opposite, I do think that those who display an inability or unwillingness to learn should be shunned from the profession. I should have invested the time to write a response that clarified my position that legal compliance should be taken liberally, rather than just declaring that I don't understand law.

For what it's worth, I completely agree with the spirit of the GDPR and don't really have an issue with the implementation - it's far better than not having it.


>And the terms are subject to possible change and different interpretations as one could get sued in any country?

Do you have examples of this? I mean the different interpretations meaning that one country could sue you for an implementation that was deemed fine in another one.


I do not have examples; my field is software, not law. My skill is identifying possible attack vectors, whether or not they've been exploited.


>My skill is identifying possible attack vectors, whether or not they've been exploited.

Ok, but EU legal systems (after Brexit) are, I think, all Napoleonic systems and not common law; furthermore, as the 'cookie law' is a directive and not an actual law and is thus supposed to be imposed the same way across all EU lands, I don't think this could be as exploitable as it might otherwise be.


  > ...Napoleonic systems and not common law, furthermore as the
  > 'cookie law' is a directive and not an actual law...

And the fact that I have no idea what "Napoleonic systems" are, nor what "common law" is and how that differs from non-common law, nor what the difference would be between a "directive" and an "actual law", all shows why I won't understand that fifty thousand word spec.

Of course, I could go get an education in law. Or I could implement the cookie popup.


You are supposed to know what civil law and common law are; this is part of general school education. The same goes for the difference between regulation, directive and national law, if you are an EU resident.

<https://upload.wikimedia.org/wikipedia/commons/9/92/Map_of_t...>

You don't appear to have the aptitude to educate yourself when you notice that something confuses you or you are ignorant about a topic, cf. post id=29529880.


I think it would be reasonably charitable to assume that when the poster uses I in that post they are using it as shorthand for a hypothetical person that needs to decide whether or not they should implement cookie popup, and not a complete admission of ignorance or disinterest in learning anything on their part.


To me it reads as if GGP meant exactly what he wrote. You have given no reason to back the assumption that the pronoun "I" refers not to himself, but to some other hypothetical person. Therefore I find that unreasonably charitable.


You are correct, I am using the literal "I" to refer to myself specifically.


I actually don't mind the personal attack, as I also believe that we should encourage a higher bar to entry than is currently acceptable for software developers.

I do not live in the EU. I did not learn what civil law nor common law is, neither did I learn the difference between regulation, directive and national law. Out of interest, I work with people who grew up in France, Russia, the United States, and Argentina in addition to locals. I'll ask them if these terms are familiar to them.

Perhaps in fact I don't have the aptitude. Or more likely, I see the tradeoff between "understanding every nuance of a 50,000 word document in a field I'm unfamiliar with that carries severe penalties for my client" vs. "implement cookie warning" differently than you do.


OTOH, enlightenment about both terms is a simple Internet search away. Literally at your fingertips.

I could give you layman definitions good enough for this discussion in about half a dozen words each... But, hey, let's not reward auto-ingrained helplessness.


Ireland, Malta and Cyprus are common law jurisdictions.


Ok, thanks, I wasn't aware of that, although I guess I should have thought in the case of Ireland it was so. Still a pretty narrow problem area.

But even so as it's a directive I don't think it is open to interpretation the way a law might be.


The cookie notices as implemented are not, in most cases, valid.


> Well, it's basically malicious compliance.

I get what you mean, but technically it's not compliance, as the law requires a simple yes/no option. Definitively malicious though.


But even those ones are annoying and push the boundaries of “simple yes/no”.


Or deceitful, where the reject all only covers the "consent" option, but every vendor has a second "legitimate interest" option.


Unfortunately in Germany that’s not true. Putting anything in someone’s computer without their approval is now considered illegal. Therefore even if you’re just using Matomo stats or anything that isn’t tracking and just functional, you need to ask for permission. That is idiotic and doesn’t solve the issue at hand at all.


That is a common misconception in the industry here in Germany but that doesn't make it true. I was often told to add a Cookie Consent banner even for sites that don't use any Cookies at all. Fact is, you don't need a Cookie Consent banner for functional cookies.

The issue with Matomo is that even though nicer than Google Analytics it is optional for the working of the website, so it should only activate if the user consents.

There is some serious cargo culting regarding these kinds of laws going on. I remember back in the day that you would add "I don't take responsibility for the external links" kind of disclaimers on every website. Or everyone thinking they need an Impressum (legal info/contact info) page on their website because it is required by law. (No, only for commercial sites, which is reasonable.)


I largely agree. An Impressum/Imprint is however not only needed for explicitly commercial sites, but also for sites that are not purely personal. E.g. just earning some cents with an ad banner on your personal site means you need an imprint. There have been lots of lawsuits, it's really ugly, and I totally can understand that people want to be on the safe side.


Yeah, it's still good style to always provide an Imprint.

I just listed it as an example where people don't understand the nuance around an issue. "You better provide some Imprint if you are in doubt" becomes "You are required by law to always have an Imprint".


Even if you don't earn a cent but the website is not only intended for close friends and family...


> Unfortunately in Germany that’s not true.

It is. There is no other law about cookies.

    This shall not prevent any technical storage or access for the sole purpose 
    of carrying out the transmission of a communication over an electronic 
    communications network, or as strictly necessary in order for the provider 
    of an information society service explicitly requested by the subscriber or 
    user to provide the service.

English version of the response from the EU court:

https://curia.europa.eu/juris/document/document.jsf?docid=21...

Part of this case at the German 'Bundesgerichtshof'.

https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilung...


There is now Art 25 TTDSG, which deals with it. The law was passed this month.


TTDSG is finally a correct implementation of the 2005 ePrivacy directive. § 25 TTDSG literally just rephrases the exact ePrivacy requirements. The pendant to the above quote is § 25 Abs 2 Nr 1:

> The consent under paragraph 1 is not required if the sole purpose [of the storage or access] is carrying out the transmission of a message over a public telecommunications network, or if [it] is strictly necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user.


This shifts the consent down to the feature:

> can provide a telemedia service expressly requested by the user.

Now we have to document that the user wanted the feature that needs the cookie...


> Putting anything in someone’s computer without their approval is now considered illegal.

Citation needed.


Agreed that doesn’t make a lot of sense. You need to “put” html, css, images in the visitor’s computer just as much as you do a session cookie. How is one allowed and not the other?


It doesn't make a lot of sense. Now we have to interpret what was intended with the law.

What about In Browser databases? Or Javascript?

It's much more than just cookies that are stored on computers.


Art 25 TTDSG

"The storage of information in the end-user's terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679."


There is a second paragraph to this article that contains exceptions to this.

If it is absolutely necessary for the requested functionality then it is allowed. Therefore it doesn't really change anything.


I bet this will be settled in court.


There is like 15 years of official guidance and case law on ePrivacy, with relevant guidance from the Art 29 Working Party (precursor to the current EDPB) published around 2014. But I don't think regulators are in a hurry to get into arguments about the finer points when the ePrivacy Regulation could be passed any year now, which would allow a more nuanced approach to cookies (e.g. allowing legitimate interest instead of consent).


Any year now for the last 4 years. I don't think the regulators want to go to court over this, but noyb will.

https://noyb.eu/en/noyb-files-422-formal-gdpr-complaints-ner...


Why do you think this would result in a different outcome in Germany?

The language of the new law in Germany is virtually identical to the language of the EU directive. So why would it be different in Germany versus other countries in the EU that also have to implement the directive?


Following the German debate, the courts' and watchdogs' interpretation of the law is that strictly necessary means that the functionality is not possible without cookies or other technology, and the consent has to be of the same quality as per GDPR.

Privacy law in Germany is usually stricter than in other EU countries even if the text is identical.


Which is exactly what the EU directive intends. You are literally just stating the acceptable exceptions from the EU directive.

And the main argument of this thread initially was that you don't need to ask if you are only using cookies for such use cases.


I assume from your handle that you understand German (?):

This Podcast explains the topic much better than I could:

Rechtsbelehrung - Recht, Technik & Gesellschaft: TTDSG – Cookies unter Aufsicht – Rechtsbelehrung 102 https://rechtsbelehrung.com/102-ttdsg-cookies/


Matomo calls its cookies "tracking cookies":

> It’s possible to disable tracking cookies in Matomo by adding a line on the javascript code. When cookies are disabled, Matomo data will become slightly less accurate

So it seems there are no "functional cookies" in Matomo, and so using any Matomo cookies without a consent popup is not in compliance. You can disable all Matomo cookies and allow for compliance:

> By disabling tracking cookies, you may also use Matomo without needing to display a cookie consent screen.


"Therefore even if you’re just using Matomo stats"

That's not functional though, is it?

I understand entirely the desire to use such a thing, to understand how your site is being used, but it's not functional in a "delivering service to the end user" way.

(Personally I like the way it sounds, analytics without signing over the world to Google, but it's still not functional)


Don't get me wrong, I love self-hosted analytics like Matomo, but there is never a situation where a cookie for any form of analytics is "functional".


What about affiliate systems? Knowing who referred you to the site when you purchase so they can get their cut.


Arguable either way in my opinion, but irrelevant because it's not analytics.


False: since the BGH ruling in the "Planet49" case (judgment dated May 28, 2020 - I ZR 7/16), the following applies: Cookies and comparable technologies may only be used with consent in Germany as well, regardless of the processing of personal data. This is only different if the cookies are "absolutely necessary" for the technical provision of the respective service or they serve solely to transmit a message via a public telecommunications network.

So technically necessary cookies still don't need consent.


When you load a webpage you're putting images, text, and other files "in someone's computer."

I don't think it's as simple as that.


That sounds nonsensical, when people visit your website they run your code using their CPUs and electricity. You also get their attention and may even influence their heart rates and breathing patterns.


> Putting anything in someone’s computer without their approval is now considered illegal

Selling Windows by default with every computer is now illegal in Germany then?


I wish it was, but no, selling a computer system with Windows installed is consensual, either by explicit customer request or by the customer agreeing to a sale offer as advertised.

No one gets tricked into approval (here: buying) because every customer is able to request a different or no OS, or to reject an immutable sale offer; except if you think that not knowing what an operating system is and what it implies constitutes a trick, but that does not meet the legal definition.


Not malice, just lazy ass covering. It's easier to throw up a cookie banner and not get fined rather than reading laws and changing business practices instead and potentially get fined.

Also lawyers are expensive and many of them will just tell you to add a cookie banner to your site. They're also lazy and just trying to cover their asses too.


This could have easily been a requirement for web browsers.

Imagine if instead of the obnoxious cookie banner, browsers ship with a default “don’t accept cookies” or “don’t accept 3rd party cookies” setting. When a website needs to establish a session, the browser would prompt the user, “this website uses cookies to track…”

If the user gets annoyed with that setting, they could change the default to let any website use cookies.

It’s really obnoxious how this issue was pushed onto website operators and not browsers.


"we value your privacy" I am offended every time I read that.


Most if not all legislation comes with unintended consequences, if it has any consequences at all. Usually they are entirely predictable. Then, when people adapt their behavior to stay out of trouble by doing objectionable but legal things, we don't blame the careless legislators, we blame those we knew or should have known would respond this way to the legislation as it was written.

And so it marches on - most legislation ends up making things worse instead of better, and there is no accountability because we blame the wrong people for it.


Exactly.

My favorite example is sites which require you to opt out of hundreds of third party processors individually (advertising partners who may receive data). That's as dark a pattern as it gets.

It's also in clear violation of how opt-out is actually supposed to work, at least in the EU.

And with the Do Not Track header, I shouldn't even have to opt out in the first place. A GDPR decision to that effect could solve this banner madness once and for all.


I don't remember the exact timeline, but MS's decision to enable the DNT header by default was basically a poison pill for the entire concept before it had a chance. It would have failed one way or another though. The adtech industry doesn't give up that easily.


That's the argument I've heard from the ad industry, but I don't really buy it. Previously, the DNT header was missing by default, so its presence could be seen as user intent to forbid tracking, while its absence is ambiguous. Afterwards, the DNT header was present by default, so its absence could be seen as user intent to allow tracking, while its presence is ambiguous. That's exactly how it should be, where only explicit consent to be tracked counts.


Safari/Chrome/Firefox enable by default some ad-blocking today, just like they disable popups or screen for phishing sites.

The whole "users didn't opt in" thing was a false narrative manufactured by the ad industry. You don't need to ask a customer to disable bad behaviors without asking.


Or in other words, opt-in is not an option for the ad industry.


Do Not Track was a joke from the word go.

"Let's ask these bad actors to play nice, I'm sure they'll respect that, I mean, they probably think we all want to be tracked so let's just tell them we don't and it'll all be fixed. And make sure the option isn't obvious enough that normal people start to use it and ruin the whole thing".


> And with the Do Not Track header, I shouldn't even have to opt out in the first place. A GDPR decision to that effect could solve this banner madness once and for all.

Enforced DNT is part of the ePrivacy Regulation, which was supposed to launch alongside GDPR, but got delayed. Expect it to arrive somewhat soon.

https://digital-strategy.ec.europa.eu/en/policies/eprivacy-r...


IIRC, DNT header was such a failure that not even Firefox has it anymore: I think it's an abandoned feature.


No, Firefox still has it.


Thanks for the correction!

At the very least, I've stopped setting it since no website respects it.


With DNT on, Medium actually behaves differently! When viewing an article with embeds (like an iframed YT video), each embed is replaced with a small privacy warning, then clicking it loads the embed.


> choose this obnoxious practice so they could continue with what they've been doing for years, which is monitoring every action a visitor does.

You're right, but I'd like to mention that, in pretty much every jurisdiction with laws like this, you cannot set or retrieve information from a user's computer without getting their consent first. Which means that accessing cookies on page load, then showing a consent banner, is no more protection than just not having a consent banner. I would always tell clients this, and even send them the relevant wording, but I don't believe it ever made the tiniest bit of difference because, as you say, they just want to keep tracking users.
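The point made above (nothing may be read or written before consent), together with the strictly-necessary exemption, the withdrawal-and-deletion requirement and the Do Not Track discussion elsewhere in this thread, as an added JavaScript example that is not code from any commenter. The `storage` map and `dnt` flag are constructed stand-ins for `document.cookie` and `navigator.doNotTrack` so it runs in Node without a browser; the cookie names are illustrative.

```javascript
// Added example: a consent gate that keeps non-essential client storage
// untouched until the visitor opts in. `storage` and `dnt` are constructed
// stand-ins for document.cookie and navigator.doNotTrack.

// Entries treated as strictly necessary or explicitly requested by the user:
// the session id, the chosen theme, and the record of the consent decision.
const ESSENTIAL = new Set(["session", "theme", "consent"]);

class ConsentGate {
  constructor({ dnt = false, storage = new Map() } = {}) {
    this.dnt = dnt;          // true when the browser sends DNT: 1
    this.storage = storage;  // stand-in for the visitor's cookie jar
    this.audit = [];         // blocked accesses, for the operator's own log
    // On page load only the consent record is read; nothing else is touched.
    const saved = storage.get("consent");
    this.consent = saved === "granted" ? true : saved === "refused" ? false : null;
    // A Do Not Track signal is treated as a refusal, so no prompt is shown.
    if (this.consent === null && dnt) this.consent = false;
  }

  // True when a prompt is still required: no recorded choice and no DNT.
  needsPrompt() { return this.consent === null; }

  // Write a value. Essential entries always succeed; others need prior consent.
  set(name, value) {
    if (!ESSENTIAL.has(name) && this.consent !== true) {
      this.audit.push(`blocked write of ${name}`);
      return false;
    }
    this.storage.set(name, value);
    return true;
  }

  // Read a value under the same rule, so a tracking id is never read
  // on page load before the banner has been answered.
  get(name) {
    if (!ESSENTIAL.has(name) && this.consent !== true) {
      this.audit.push(`blocked read of ${name}`);
      return undefined;
    }
    return this.storage.get(name);
  }

  // Visitor accepted: record it (the record itself is essential storage).
  grant() { this.consent = true; this.storage.set("consent", "granted"); }

  // Visitor withdrew consent: record it and delete every non-essential entry.
  withdraw() {
    this.consent = false;
    this.storage.set("consent", "refused");
    for (const key of [...this.storage.keys()]) {
      if (!ESSENTIAL.has(key)) this.storage.delete(key);
    }
  }

  // Whether an analytics script that sets its own cookies may be loaded now.
  mayLoadTracker() { return this.consent === true; }
}
```

An analytics loader that supports a cookieless mode can be called unconditionally; only the cookie-setting mode should wait for `mayLoadTracker()`.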


The consent data collected by the cookie preference pane may not be GDPR compliant. IAB who created the TCF protocol appears to be losing the battle. https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-breach...


I'm not a lawyer, but I bet those buttons are legally binding.

Clicking "I accept" means you can't sue a website if they have your data.

I'm not sure but I don't see why those websites would annoy users.


> You don't need a cookie banner to be allowed to create Cookies. You only need them if...

You don't need a "banner." The requirement, as I understand it, is to be conspicuous. Conspicuous just means visible, easy to notice. Contrary to the industry's apparent position, conspicuous and obnoxious are not synonyms.



