This should be handled at the browser level. There's no reason for most users to ever be burdened with even a fantastically designed cookie consent window.
First, every shady website that despite the UX detriments decide that they want to sell their users must publicly state that. That is a feature. I want to know that, I want to see how far in dark patterns they are willing to go to absolutely ruin any trust they imagine they could exploit.
Second, while (most of) these popups are illegal it is so abundantly clear what and how they are trying to get away with it. If the "browser" did this for me I wouldn't know what absolute illegal nonsense they would try to sneak in via "legitimate interest".
Third, normal decently behaved sites/operators obviously don't have cookie-banners at all. That is also a feature, it is an edge. If you see two sites for X one with a cookie-banner and one without it is clear as day which one you'd close and forget.
The times I've backed out of sites because of cookie banners is uncountable. And it is liberating.
I believe by "handling at the browser level" people generally mean the option in the Settings that allow autoaccept "necessary" or "all" cookies. If you care, just leave it unchecked.
No you don't. What site operators try to push as legitimate interest isn't by any definition legitimate interest.
To have it set in the browser is quite detrimental to online privacy. Legitimate interest is an attempt to circumvent the law. It is not like your browser is sentient and could recognize that.
Oh double negations... When you decline legitimate interest, you declare to your browser: "no website has a legitimate interest." And the browser passes this information on.
Also I said this in the context of GPs statement in that legitimate interest couldn't be handled. So it without saying it goes alongside a general advertisement cookie rejection.
This all assumes websites won't just ignore your choices or deceive you either way, which is a real risk whether you do it via browser or not. The only real difference is UX. Users want a "no and never ask me again" button, and that's not possible if every website has to ask you separately.
> If the "browser" did this for me I wouldn't know what absolute illegal nonsense they would try to sneak in via "legitimate interest".
Of course you would, if it's done properly. The browser would be able to list the cookies too, but in this case in one consistent UI that wasn't built with malicious intent.
Sure, that is true. But given the wide-spread use of banners it is at least obvious that they care enough to ruin their own UX.
Which is also a huge cost. As you say, users want a "no and never ask me again". Well, you can have that today. Just don't do anything that requires anyone to say no.
And again, if a site chooses that path then the banner is a feature. It is disrespectful and although it is a royal pain it is very good for users to know up front what kind of entity they are dealing with. Remove that and people will become apathetic to it.
>Third, normal decently behaved sites/operators obviously don't have cookie-banners at all. That is also a feature, it is an edge. If you see two sites for X one with a cookie-banner and one without it is clear as day which one you'd close and forget.
The fact that almost all websites use cookie banners kinda disproves your theory.
Website operators need analytics and advertising to do their job and generate revenue. Most media runs at razor thin profits, so building those tools in-house or not using interest-based advertising would make those websites economically not viable.
I understand that your argument will be "so close down those websites". But how about you do not visit them instead?
> Building those tools in-house or not using interest-based advertising would make those websites economically not viable.
Interest-based advertising is a huge con, and in my opinion an egregious waste of energy doing all the data processing, an affront to people’s privacy, and has spent decades now distracting people who could be working on things with actual value.
Sure, you can track my every move on the internet and burn vast amounts of energy analysing that data to say “this is someone with disposable income who likes technology”, or you could just… advertise directly on the sites I frequent, and on YouTube channels I watch. The “targeted” ads I’m exposed to are invariably utterly irrelevant to me anyway. I had a recent spate of adverts for head of department teaching jobs in Dubai… I’ve never taught in my life, and I’ve got no idea what got interpreted as wanting to move to the Middle East.
I doubt it will happen, but I’d love nothing more than advertisers to stop drinking the kool-aid on targeted ads.
> an egregious waste of energy doing all the data processing, an affront to people’s privacy, and has spent decades now distracting people who could be working on things with actual value
> The fact that almost all websites use cookie banners kinda disproves your theory.
Really not true. And it gets better for every year.
Analytics and advertising does not need tracking.
> I understand that your argument will be "so close down those websites". But how about you do not visit them instead?
I try to avoid. I'm not perfect, sometimes I can't be bothered. Cookie-banners helps me decide which sites not to visit and is a constant reminder of what crappy companies still rely on them.
It is a feature. And it is pretty damning to see which developers ruins their UX for this.
Here is the thing, this has run unchecked for far too long and it takes time to change. Just look in this thread (or any other cookie-related thread on this site or on any site on the internet). People that are supposed to know still are confused and have absolute no idea that cookie-banners is an active choice for site operators. They have/had no incentive to care. Now they do, but they are so deep in denial that it will take years and years for them to even realize that the "cookie-law" was never about cookies or that these banners are an active choice.
The default is tracking, for no real reason. Sites that earn on the order of cents absolutely wreak havoc on the internet just because developers are clueless.
But the best part is that it gets better for every year. Really, it is so slow so you barely notice but if you you'd take a snapshot today and one from a year ago the difference is stark.
Only last month google of all places (because of fines, obviously) changed the youtube banner so that rejecting is the same number of clicks as acceptance. Previously rejecting took five clicks (or was it six?) and some scrolling to be able to perform all those clicks.
I want to know if people who consumed X bit of the website also consumed Y. If those are correlated, it's a good idea to give Y-like content to people who like X-like content. If they aren't correlated, it's a huge waste of everyone's time and money.
You're taking this as if every business is a huge faceless corporation.
If my employer pushed out garbage there's gonna be a real hit to our reputation (we work in a deeply technical sector - the backlash would really hurt the long term profitability).
The website itself is well organized. There's good reason to believe that people who want some X info will also be interested into Y info (due to legislation or standards set by the industry or simply because there are domain specific trends).
There really is a mutual interest in knowing these correlations. That way some segments won't be pushed useless stuff that they aren't likely to be interested in.
They said we wouldn't need tracking. How would we get those info without tracking?
No, we are not selling that data to anyone and it could be anonymous for all we care (IMO this is more an issue with the http protocol than anything else, but good luck changing that)
>I understand that your argument will be "so close down those websites". But how about you do not visit them instead?
Ah yes, "the leave my money printer alone" defense. Nevermind the exploitive underpinnings and utility through which surveillance capitalism is made possible! Just go over in your corner, and let me exploit the rest of the ignorant rubes.
No. Sorry. Absolutely not. Sometimes a foot has to be put down in the name of common decency, and clearing out a behavior that creates even greater problems. This is one of those times.
> That is a feature. I want to know that, I want to see how far in dark patterns
I get the idea, but is this really what you want, all the time? Maybe you do, but if I'd ask myself the same question - I think I'd disagree.
If I want to satisfy my interest in how scummy some website is, I sure can do my research. But typically I just don't care, it's an one-click stay. Some random article or some random website happens to pique my interest, I check it out, and all those banners and stuff are misfeatures because I don't care who runs this website and what they're willing to do to earn some money - not for a split second. All I want is to have what I came for, with the best possible signal-to-noise ratio. So read (or maybe I click the "reader view" if the site is too bad), see if the content that I came for is what I wanted, and close the tab. Maybe the content suggests that the site is really good (happens if I notice I've already seen that site more than once or twice) so I'm enticed to stay - then I'd do my research whenever it's worth to bookmark it or subscribe to something, etc.. But that's rare.
This is why I have an ad-blocker - because life is too short to be constantly distracted with all those ads. Even though some can argue they're an indicator of website scumminess. Let me judge that from the actual content, not the paraphernalia around it.
And this is the logic why I want to see that utopic world where browsers are back to being user agents, acting on my behalf and my instructions for my personal benefit. Sadly, I doubt this is ever going to be the case.
But I do want my browser to automatically act based on the decisions I've informed it about. And I don't particularly mind if it would explicitly ask me to pick "yes or no" on a few questions the very first time I start it, if that's what's needed for the consensus. I think all the noise about DNT from the ad industry was about it having some default setting - okay, if it would ask me "do you want to be tracked? yes/no" (or even "yes/no/it's complicated, show me some advanced settings...") one single time I start the browser - I guess I can live with that, if this would get those banners out and my choice will be properly respected everywhere.
> Third, normal decently behaved sites/operators obviously don't have cookie-banners at all. That is also a feature, it is an edge. If you see two sites for X one with a cookie-banner and one without it is clear as day which one you'd close and forget.
This is nonsense, there are plenty of legitimate reasons why a site operator may want to use digital analytics, advertising, etc.
There are plenty of scenarios where tracking is useful though. For example a product team may want to know how a particular segment of customers use their product vs a different segment.
Unless I am misunderstanding things rather deeply, I do not believe you need consent to track individuals' activity in your own app, with server-side logging.
You need consent to set cookies that are not relevant to the (user-side) functioning of your app/website—and since that's the only way for you to track users outside your own site (an oversimplification, but close enough), naturally you need it to track them beyond there.
> Unless I am misunderstanding things rather deeply, I do not believe you need consent to track individuals' activity in your own app, with server-side logging.
You would require consent for this as far as I understand.
I cannot name a website which has no cookie banner. This is not to say that I have not j such websites, it's just that there is no easy way for me to tell the difference between "I have visited the website long time ago and accepted a banner" vs "I was never presented a banner there".
Something browser-based that would show icon in address bar similar to http:// protocl would be far more effective in letting me prefer banner-less websites.
Yes, the regulators screwed this up. It's the browser that decides to store a cookie or not. And if the browser UI sucks people can switch and go on with their lives.
This is not about storing cookies or not alone, it is about consent to do so. And to give this consent the site has to tell me what it does and for which purposes it does that.
Good, there could have been a standardized way to ask for that consent — but to me the way a site tries to trick you into consenting is yet another data point whether I want to be on this site.
It was complicated and never caught on. I'd say the basic problem (visible also in the DNT fiasco) is that if you ask a user in a global and easy to understand way if he wants to accept tracking cookies, he'll say "no" once and for all, and that's it: you just disabled all tracking cookies everywhere. The only way it can work from the point of view of the tracking companies is to use these obnoxious dialogs everywhere: that way, at least some people will accept the cookies from lazyness.
Dubbing this “cookie consent” is almost conspiracy level misguiding of the public by advertisers. It’s not about cookies at all, they’re fine, it’s about using those cookies to track people around the internet and sell their data.
Frustratingly it seems to have worked. Recently I had to explain cookies vs tracking to a data protection analyst at work.
If you are not using incognito then you are getting tracked. These consent popups are close to useless because only good actors will obey the law, and as we’ve seen the vast majority of websites are somewhere between grey hat (asking but in a way that breaks the law) and black hat (not asking at all).
What we need is better isolation at the browser and web protocol level. This is a technical problem, not a regulatory problem. You cannot regulate actors who don’t obey the law in the first place.
Those who disobey the law can be sued. People just need to start doing it.
The goal of the law is partly to make people who run websites aware of what they do with the data of their visitors. And that means for one part that they need to know what happens with things they embed in thwir site like google analytics and google fonts (for which someone has been sued already). But it also means that once website owners are informed they can decide wheter they want to ask people for their consent or whether they just remove those third party options.
In reality many don't inform themselves at all and just slap a cookie thing onto their page, because that's what all the others are doing — just like they did with google analytics et al.
Not knowing the law is not an excuse which will help you once someone sues you tho.
There are not enough lawyers or court capacity to take the entire www to court, and even if there were, there's no way to enforce injunctions or collect on judgments when websites are operated in different countries.
This is evidenced by the fact that the GDPR already made these actions illegal with huge penalties and it has had scarcely any effect. Most websites just ignore it completely as a "strange foreign law", including this one.
> Good, there could have been a standardized way to ask for that consent — but to me the way a site tries to trick you into consenting is yet another data point whether I want to be on this site.
I get really annoyed at having to care. The economics for content sites are so poor I feel bad for a lot of them.
> This is not about storing cookies or not alone, it is about consent to do so.
Yes, and regulators misjudged the incentives. Relying on each website to create the consent UI leads to a bad outcome for users.
Login. That should be the time at which cookies are authorized. If you have an account you also presumably agreed to the use of cookies or anything else to store the session data.
While I agree on it from a logical Engineering point of view, the problem is that IMHO it'd follow the way of Do Not Track; browsers will by default set it to "1" (meaning do not track the user), so then with the power of defaults the vast majority of browsers signal do not track, and so websites ignore it and track it anyway.
If it's gonna happen at all, there will be a law enforcing that, because it's not in the interest of website owners (which also leads to the dark patterns in the dialogues).
If there is law, people can sue, which usually is enough for companies to (usually) follow it
You'd create a web standard for categorizing cookies (required, performance, login/session, metrics, etc). Meta tags? Naming scheme? .well-known? Lots of ways to do it.
If the website conforms to the standard, then the browser could use its own UI to ask the user for their preference. Importantly, the user would be able to state global preferences like: "only required and login cookies, don't ask about others", and then they wouldn't need to be prompted by every new site. If the website doesn't conform, then they'd need custom UI to comply with existing cookie laws, same a today.
So, the website could lie and say that their tracking cookies are in the required category, but they can do that already by not using a cookie banner, or miscategorizing the cookie in the banner.
I think the users who hate cookie banners and the sites that don't want custom cookie banner UI would like this approach. Sites desperate to trick users into allowing tracking cookies: they'll still find a dark pattern and we'll hate them for it.
Then people will converge on implementation patterns that couple the tracking cookie to a necessary cookie. You cannot keep one without opening the door to the other.
An easy compromise is for the default behavior to be to drop cookies when the session ends and to disallow third-party cookies. That gets you most of the privacy benefits while breaking a low percentage of sites.
A browser never creates a cookie or of thin air. A browser stores a cookie only when it's sent by the server, or set by JavaScript code sent by the server.
Right, but the browser is code you control on a machine you control. If the serve says "please store a cookie" and the browser is configured to drop all cookies when the session ends then the cookies are going to be dropped, and there's nothing short of a CVE that's going to allow the webmaster to change that behavior.
That's a moved goalpost though. We started by saying that cookies are fundamentally different from "do not track" because in the case of the latter the browser doesn't have the technical means to enforce anything and in the former it does. Your point is something rather different -- as best as I can tell you're arguing that any attempt to do something browser-side will break too many things to be useful.
I think the original point still stands (that this is fundamentally different from "do not track"), and moreover I disagree with the contents of that moved goalpost:
As a compromise solution, the vast majority of sites work fine if you delete their cookies when you're done with a session. If the browser did that by default we'd have a significant improvement in privacy and a negligible amount of breakage.
The most obvious counterpoint is login flows. That's not antithetical to the idea for a couple reasons. First, we'd all be a bit more secure if we logged out more frequently. Second, if you do want persistent sessions you've already given up exactly the same amount of privacy as if all cookies were blindly allowed since you're manually tying your visits together with that login information. With that in mind, there's no harm in having a setting somewhere for allowing cookies from the few sites you actually login to frequently. For convenience that could be tied to the existing password box detection, and otherwise it'd be something you have to dive into a menu and fiddle with to keep it from turning into the same kind of annoyance as browsers asking for notification privileges.
That would break a few things, but browsers have had a trend lately of breaking a few things for privacy gains. I don't think it's obvious that we couldn't meaningfully reduce cookie setting.
It was. That was the original design, to ask the user for each site. Then people downloaded browsers that did not ask them ... and browser developers switched it off by default.
Not for each site, for each HTTP request. So if you loaded a page with ten inline images Netscape would ask you eleven times if you wanted to accept cookies, unless you said "yes" at some point, and then it would stop asking you for that site.
The main motivator there is actually Google Chrome's abysmal tab management and navigation, as it is all but impossible to clear out tabs in a reasonable manner.
On Firefox, with Tree-Style Tabs, the problem still exists, though it is less severe.
There's still ample opportunity for tracking, unfortunately. I consider both Chrome and Android to be actively user-hostile and privacy-hostile, for what I hope are evident and well-founded reasons. Google's advertising motiviation is powerful.
Totally agree. This is as simply as discarding non-identity (even all) cookies on closing the browser by default. But the thing is that all mainstream browsers are controlled by giants and unfortunately all of which have huge interests in advertisement industry. So unless we can create a browser ourselves or we are going to have such scratching the boot solutions again and again.
Discarding cookies wouldn't work. Browsers have many ways to store data locally - cookies is the simplest, but there's localstorage, IndexDB, and webdb too. It's trivial to put a tracking ID in any of them, and send it to a third party when a user loads a page. It's one line of JS code.
To solve this problem in the browser you'd need to discard all locally stored information when the user closes it.
Thia comes with two prpblems
- first, users rarely close their browsers. They may close a tab, or a window, but the app is still running. I'm pretty sure Chrome has been running on my Macbook for months.
- second, this mechanism would break every app that actually respects user privacy. Apps that don't upload data or track people need the users content and prefs to be held locally between sessions. By wiping it you'd force app developers to implement mechanisms to put that data in the cloud, which is the opposite of your intent.
I feel like we should probably have the concept of an "intent" for any bit of data that we'd like to store in a browser and partition the storage by that:
Intents:
- REQUIRED_FOR_SITE_FUNCTIONALITY (translation "Required For Site Functionality")
- FIRST_PARTY_ANALYTICS (translation "First Party Analytics")
- THIRD_PARTY_ANALYTICS (translation "Third Party Analytics")
- FIRST_PARTY_MARKETING (translation "First Party Marketing")
- THIRD_PARTY_MARKETING (translation "Third Party Marketing")
Let the browsers themselves provide UI for accepting or denying these (maybe the users should be able to choose their own defaults per intent):
Message:
https://some.site would like to use your browser to store data for these intents:
Required For Site Functionality [X] Yes [ ] No
First Party Analytics [X] Yes [ ] No
Third Party Analytics [ ] Yes [X] No
Unspecified [ ] Yes [X] No
[ Submit ]
Which could then correspond to how everything is stored in the browser:
And extend the JavaScript API for cookies (and also all other mechanisms for storage, this is an example):
document.cookie = "user_id=1234"; // this would go under Unspecified
document.cookie = "intent=REQUIRED_FOR_SITE_FUNCTIONALITY; user_id=1234"; // this would go in the proper group
document.cookie = "intent=THIRD_PARTY_MARKETING; uid=1234"; // this would throw something like an IntentViolationError
And ideally something for checking these intents as well:
let canUseRequired = document.intents["REQUIRED_FOR_SITE_FUNCTIONALITY"].accepted; // true
let canUseTPAnalytics = document.intents["THIRD_PARTY_ANALYTICS"].accepted; // false
Who would define these types? Well, i think that there are two ways:
- have some international body decide on these types
- allow custom types per site, maybe with different UI for that
And then just prosecute those who don't follow the convention and abuse the mechanisms.
Do you want another useless feature in your browser? Because they tried that with Do Not Track, and it is absolutely useless, because a website can ignore it.
You infer that the browser makers, and the content suppliers are not aligned.
But this is not the case. The biggest browser maker is also the biggest cookie tracker.
In theory this would be a point of differentiation for say Firefox, but then again the biggest funder of Firefox is also.... Da dum.... That's right, the biggest beneficiary of cookie tracking...
I imagine there are browsers out there that offer what you want, but you'd have to go looking for them.
Google gets no money from people using Chrome, what they get is the ability to track you directly. They turn that tracking into adverts, which is ultimately their revenue stream. They absolutely _could_ do a good job to prevent you being tracked - they absolutely have no incentive to do so.
Likewise Firefox. They _could_ implement tracking protection. But they (so far) clearly choose not to. You say they'd do a good job, and I agree, but it's not like they haven't thought of it, or they're waiting for approval from the HN forums before implementing it. Given they have chosen not to do it, it makes you think maybe there's a reason for that. And maybe that has to do with the wishes of their biggest benefactor...
Of course I might be wrong. Perhaps they're just thinking that tracking everyone is good for the end user, and so they want to provide a browser which offers users the best possible experience. That's obviously a possibility as well.
Google avoids losing money by having a large Chrome user base. It's the same as making money. They have to write checks to Firefox and Apple to maintain access to those users, but not with Chrome.
> Likewise Firefox. They _could_ implement tracking protection.
I stand corrected, that looks like a jolly good start.
Reading Firefox, Google gets money from chrome by a second order effect - from users using Google as their search engine. They also get money when you browse the web from adverts. The value of those adverts goes up the note they can track you.
Google avoids losing money by keeping tracking in the browser high.
Just as an thought experiment: What would happen, if legislation would make it mandatory for cookie layers to accept the DNT header (Do Not Track) [1] as input and forbid to ask the user if such a header is present?
Like
DNT: 1 == no cookies, except technical required cookies, like sessions
DNT: 0 == accept all cookies
If you don't like repurposing the DNT header you could also imagine introducing a new header for this purpose.
https://geizhals.eu/ is one of the few websites I know which automatically respects DNT settings. Small info notifications informs me about my do not track settings and is closed automatically. With DNT = 0 they ask if it's ok to set cookies. I agree, that with DNT 0 they shouldn't be required to ask.
I kind of like the idea, but fear this would not be viable for two reasons - although interestingly they are somewhat opposed:
1. DNT’s already failed as a opt out since less scrupulous actors either ignored it, or used it an an extra tracking signal (!)
2. More scrupulous actors would likely take the view that DNT can’t express adequate consent for tracking (no granularity or evidence of informed consent to privacy policies).
I want the dialog to be part of the browser, not the website. Similar or same as the "corporation.com wants to know your location" pop-up box.
in the browser's settings:
[] only allow login cookies (and maybe some other standard essential)
[] ask every time
[] gimme all the cookies...
How would this work? Maybe a w3m-standard for various cookie types? An
API for the common things that are done with cookies?
The browsers need to provide a method to persist those essential data such that it can only be used for that intended purpose. Then all 'un-standard' cookies can be blocked per User's preference. Sites that really do need extra cookie features must convince the user.
An old XUL addon for Firefox called Cookie Monster had this perfect.
First, set a default of either accepting all cookies, accepting cookies but deleting them after you close all the tabs from that site, or accepting no cookies. Then, per site, you can change that site default to a different setting than your global default. Then, you can temporarily override the site default, but that override will revert after you close the browser session (or you can manually clear the override so it goes back to the site default.)
These settings are separate for first-party and third-party cookies. It didn't handle localStorage because that wasn't a thing when it was written. IIRC you could also delete all cookies from the current site manually, or open up a window to view all of them (and delete them individually from that window.) All of these functions were a click and a drag away, and none deeper than a secondary menu.
What I'm saying is if the bizarre restrictions that both Firefox and Chrome have put on browser extensions keep this from being packaged as an addon any more, build a browser that has it built in.
edit: add to that a global toggle for popups when sites make cookie/localStorage requests that you've set to be denied, and that's a pretty complete featureset for me.
Still not ready to enable the scheduled deletion but I clear it once a week to find new things I need to whitelist. It can handle all storage types and even has some limited support for tab containers. Setting up the rules is time consuming though.
If an extension supports user-defined rules, rules lists could be crowdsourced and/or delegated to dynamic lists downloaded from a server (like uBlock Origin). The “I don’t care about cookies” extension is a good example: https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a... . The extension even has UI for users to report websites whose cookie popup are not known by the extension.
The first step might be creating a shared JS library for generic remote list management (periodically checking for updates, downloading lists, managing local list versioning) that extension developers can use in their extensions.
Eula and cookie constent have an legal issue in that it does not legaly prove who clicked on the license. A traditional paper signature or a bank signature do proves its you who signed the document.
Cookie approve, eula it could be have been anyone who clicked the approve link. So it does not bind the approve action to the person.
It could be your spouse, kid, cat, dog who clicked approve.
I think the argument is a bit pointless: most likely somebody’s bonus or career prospects depend on getting a high opt-in results.
Even worse, often the banner is outsourced to parties like onetrust or quantcast. In that case, the site will only ask if the supplier claims to be compliant, and how successful they are in coercing visitors to comply.
OneTrust is a funny one: every single OneTrust banner I have seen has been GDPR non-compliant in that the "reject cookies" option requires clicking through a de-emphasised button and finding the "save" button below the fold, while "accept" (aka take all my data) is highlighted and right there.
However, on their own website, they get it right.
So they do know the rules, they just don't actually follow them in their products.
> But designers have learned to get around this law and are using different design techniques to make users accept all cookies (trackers) anyway.
These companies are not getting around the law, they are simply breaking the law. If a consent popup allows you to accept all tracking immediately, but requires an additional step to opt out of tracking, then it is illegal under GDPR.
We don't need to plead to UX designers, but immediately report companies that don't have a "Reject all" button next to "Accept all", and only show a "More options" button that leads to a maze of settings for opting out of tracking.
And the obscurantism of it is troubling too, think of someone who is not familiar with computers/tech and trying to access a webpage and being confronted with a "Do you want to accept cookies" dialogue. It sounds utterly mysterious.
I honestly think we need to remove the consent to cookies thing completely. There needs to be a switch in your browser to enable or disable cookies, similar to how to can enable or disable location tracking or notifications, on a site by site basis or completely. I have never in my life not just clicked accept on whatever cookie popup there was.
same! I also was thinking of enabling such stuff in a browser and not need to click accept on every friggin website... These windows are annoying and I never cared about the text or settings inside these messages. They want my cookies? ok no problem here, just let me see the site because I am in hurry. I don't care if someone is tracking me. My time is more precious and I need the information from a website than reading all the consent first and selecting which cookie I want to enable or disable.
I am using a browser extension called "I don't care about cookies" which is kinda a popup blocker for these messages. But I wish there was something better, like a setting in browser. Right now the internet is broken with these consent popups.
Cookies are not bad, and in fact are required for basically any website. What is the point of agreeing to them over and over again, when your only alternative is to not use the internet, or at least not to use that site?
Some companies might do bad things with cookies, but how does it help to condition us to agree to cookies on every website we visit.
Passively rather than actively agreeing (i.e "continuing to use this site means you agree to our terms" vs "click here to agree to our terms" doesn't pass the sniff test when it comes to contract law... at least in my jurisdiction.
tl:dr; making the user click "I agree" would work more for you in a court setting
Here’s the kicker: if you need tracking ads to keep the lights on, that’s fine. But that’s a transaction I’m entering into when I visit the site, and I want to see the sticker price.
The fact that the law basically says you can’t cookie wall it (I.e accept or leave) just means that you either convince enough people that the price is acceptable, or you get off the internet. It’s not complicated.
If it’s illegal that explains why everything is moving towards a subscription model. Well, that, and online retailers are realizing that ads don’t have as much effectiveness as they thought so market prices are falling precipitously.
We had a great thing going when websites ran on tracking. Nobody was actually harmed in any tangible way. Now every news site wants me to pay $20/month to read it.
To me it seems that the more the web has become monetised the less useful it has become. Low-effort blogspam that only exists to draw ad revenue increasingly drowns out “real” content. So I’m not so sure we “had a great thing going”.
If cookie consent forms reduce privacy violations, lower ad revenue and push these “content creators” off the web, that seems like a win-win to me.
> we had a good thing going when websites ran on tracking
Yeah, and you'll be damned if you ever have to adjust how your business works in order to satisfy the desires of customers not to be tracked and monitored.
I, and most people, have UNIVERSALLY found that we can just skip paying by skipping reading and lose out on nothing. And now we're not being tracked! Hooray! What's not to love? We can't read as much poorly-written op-eds? I think we'll be fine.
You can still run ads on your site without requiring user consent. It’s the personalisation of those ads that requires consent.
TV, Radio, Magazines, Newspapers etc have worked for years just fine with generic, non-personalised ads. Or in the case of cable/sat, non-personalised ads + subscription fees.
Radio, and print media worked for years, but the Internet absolutely eviscerated their funding models. It's a bit late to imagine closing the Pandora's box of personalized advertising without the mother of all temper tantrums and PR campaigns from the ad industry.
Dont close your blinds, I need to pay my bills and photographing you through your windows is how I do that. Or do you not care about my children eating?
Yes I'd say that is a bad thing. It also normalizes tracking. For one you don't have to track users to understand how they are using your website.
Also, it is extremely hard to imagine any beneficial outcomes that tracking would enable to outweigh the UX improvement of removing the consent-banner.
Of course you would use your own website, but you understand it in a way your users don't. From experience I can say you won't anticipate many of the ways things could go wrong. Some of that can be done by recruiting individual test users to observe, but aggregate stats on usage are also incredibly valuable to understand how people are using the site, where they get stuck, what features are important to them, and more. There's no need to identify particular users, but tracking user behaviour in general is incredibly valuable when operating a serious website.
Congratulations, you got taken in by the advertisers.
One should take care when writing a law aimed at advertisers, because they will find ways to make the greatest laws look stupid; no matter how sane they were on paper. (and this law was very sane indeed, but sadly still far too nice)
I don't want to outright force them out of business, since we do still need advertisers occasionally. But laws will definitely need to be yet even more strict.
Asshole companies flagrantly breaking a law with a low relative level of enforcement can also simply mean that you need to properly enforce that law.
Both the size, rate and amount of the fines needs to increase by orders of magnitude. The problem (and the internet in general) is simply much bigger than the current enforcement agencies can ever hope to keep up with.
If you look more closely at the dialog, they usually break the cookies down into "necessary" and "optional" cookies. Necessary cookies are used for things like maintaining you login state. Optional cookies are used for things like advertising tracking. When you decline cookies access, you're only declining the optional cookies.
The fix is to have the law recognize that data is extremely valuable personal property, that stealing it is a criminal act and that the predatory "buying" of it (such as offering a $ service in exchange for $$$$$$ worth of data) should be highly regulated.
Trying to legislate it in the way that you propose opens up a lot of problems. For example, using cookies to track users based on information that their browsers willingly provide. If this is considered "theft", then copying anything without removing the original would be theft, which would be a huge problem for anyone advocating for free file sharing or "piracy".
Secondly, not all data can be treated as equally valuable, let alone "extremely" valuable. That depends on factors such as what the data is, who is using it, and how. A dump of user activity on a cosmetics site might be useless to a layman, moderately valuable to an academic researcher, and highly valuable to a fashion marketer.
Finally, if all data is extremely valuable, then anyone entering bogus data should be persecuted for fraud.
The solution is to educate the population on how these technologies work so that they understand the risks involved with surfing the web. These consent boxes are beyond useless because consent should be implicit when simply using the Internet. Ad block technology takes care of a lot of this already
>using cookies to track users based on information that their browsers willingly provide.
Browsers do not "willingly provide" anything. Code is written to trigger functionality. You're ascribing motivation where there is none. Developers willingly write that code.
>If this is considered "theft", then copying anything without removing the original would be theft, which would be a huge problem for anyone advocating for free file sharing or "piracy".
Non-sequitur. Just because the API is there, does not mandate it's use. Free file sharing or even "piracy" can still happen without cognitive dissonance. It isn't the copying that is the problem, but rather the storing, caching, processing and monetization that taken together create a surveillance apparatus that is the problem. The connection to piracy, while undoubtedly seductive, fails to pass muster, because ultimately, entertainment wants to reach audience, and reap value, even if only in brand recognition.
Everyone else does not. Advertising fails to realize, the world is not full of brands looking to be recognized.
> Browsers do not "willingly provide" anything. Code is written to trigger functionality. You're ascribing motivation where there is none. Developers willingly write that code.
Actually, it does. That is how cookies work. This is where my sentiment of increased education around browsers and cookies would help.
> Non-sequitur. Just because the API is there, does not mandate it's use. Free file sharing or even "piracy" can still happen without cognitive dissonance.
You should have labeled this paragraph as a tangent rather than a non-sequitur. Copying the data keeps the original in place, but makes a new one for someone else. Thus, that is now their data and they can use it how they please
The problem is, where I worked, my boss forced us to add a cookie banner even though we do not actually have any tracking cookies at all, and have no plans to add them, because that’s not our business model. It is just a legal CYA, because the business we’re in is highly regulated.
It’s the problem with government solutions. Everybody’s so paranoid that they wind up overcorrecting.
If the law carried penalties for having a tracking cookie consent banner and no tracking cookies, then the solution would be to add tracking cookies. :-)
My previous comment may have been slightly misaligned, but my point is that if tracking and personalised advertising were prohibited, and user intent via required browser features were legally mandated and binding, the question simply would not exist.
Seriously, no one’s life has been harmed by tracking cookies. The fears are overblown. Plus we can find alternative ways to track people. Aside from that, most people just consent to cookies anyway, and they’re fine.
Entire populations have been wiped out on the basis of _much_ less invasive data-gathering (eg. an innocuous question about faith on a census). All forms of PII-gathering are potentially dangerous and needs to be regulated. Do we really need to have a discussion about "but what if we do it this way? " "what if we do it this other fractionally different way?".
Nah. Put a thumb in the eye of the advertising industry at every chance, at every step, and take joy at the occasional sight of their simmering rage boiling to the surface at their annual conferences.
Nope. Most of the services you use are supported by advertising, including this very site. Thankfully these out of touch, delusional opinions are a minority.
The objective is to reduce the need for advertising, whenever possible (most of the time, it's not).
> Most of the services you use are supported by advertising
Advertising (static banners, in-house analytics by different companies) is fine but tracking the entire human population across the entire web and aggregating the data is not. Things might seem stable right now, but do you really trust corporations and governments to keep that data safe in perpetuity and to never use it for nefarious purposes?
To give you an example, right now you have the US on backwards path of banning abortions, how would you feel about the government using browsing history and analytics collected by Google and other corporations to track down women who are seeking or thinking about an abortion? Regimes and laws change, data stays forever.
> Thankfully these out of touch, delusional opinions are a minority.
Considering the progress we're making with EU regulations such as GDPR, you're certainly wrong. People are starting to become more informed with every passing year and are starting to pay more attention. Industry practices are also slowly changing to make it easier to opt-out of intrusive tracking, which is a net win even for those who don't pay much attention to their privacy posture.
> Seriously, no one’s life has been harmed by tracking cookies.
I would argue that privacy is a basic human right and tracking (stalking) should be taken seriously.
Would you say the same thing about stalkers following you on the street, watching you from a distance and browsing through your trash? As long as they don't do anything to you, is it all okay?
No, it's not and you would get a restraining order (i.e. GDPR)
> The fears are overblown. Plus we can find alternative ways to track people.
The most unethical thing about cookie consent windows is that website developers have to develop them in the first place. Cookies are fully opt-in from the client side, it would be trivial for a browser to have settings to ignore or adopt cookies based on preferences of the user. It is a total farce having these warnings, at great cost to developers and users alike.
EU has laws that threaten millions of euros of fines for not having things like cookie banners. They are required by law for even the most basic user-customizations. And no allowing users to save state on your page is not unethical.
you don't need consent but you still have to notify users of all their functionality, often this is done with a banner. Still a burden to everyone involved.
IANAL but the legal advice at my last two places was that cookies that were necessary for the functionality of the product and its features were exempt from opt-in consent under both ePrivacy and GDPR. This includes sessions and preferences.
Cookie banners on page load are not necessary for consent. The user can provide consent at the point of enabling the feature or setting. Of course, non-exempt cookies can not be stored until consent has been obtained.
That design is still broken. There should be a Reject All option.
Irrespective, here's the fundamental problem – the whole thing is about a technical detail – cookie – rather than meaningful outcome for the user.
A modern online app has to keep shared inter-related state on client-side and server-side and persists for several months and use that state for doing various things like security, abuse prevention, personal preferences (and other types of automated personalisation), monetary incentives optimisations (free-trial, limited offers, conditional offers etc.). Then there is commercial product ads cost optimisation based on expressed and inferred interests of the users. IMO, all this should be okay.
But then what is not okay? –
The line between personalisation vs discrimination is a thin one. In ecommerce, insurance etc – there are regulations restricting price personalisation to protect consumer interests. In other domains, different users can get different experiences and those decisions are opaque to the consumer.
Then there is targeted psychological manipulation at scale.
People have instinctual fear/discomfort about companies amassing longitudinal demographic/behavioural data associated with their PII data. There is a real risk of companies using that data against users interests in both direct material and indirect non-material ways. Companies have a motive to increase their profits and without guardrails they will go to extremes in seeking profits that will hurt the users. There are a lot of examples of insidious behaviour – they may want to cover up flaws that could be harmful to humans/animals directly or harm environment and hence harm humans/animals indirectly, flaws that render the product useless and hence cost them support costs or be forced to recall the product etc. Recently, I was shocked to learn about how lead being mixed into petrol/diesel in US was marketed effectively for decades. With the power of big data, how much more effective such a campaign would have been. (It is easier to look at an example from decades ago more objectively than an example from our current time).
There have been information wars in all ages – in the age of verbally narrated stories, then stage drama with touring companies, then printing press, then telegraph, then broadcast radio, then distributed cinema, then broadcast tv, then broadcast cable tv, and now Internet. The different between all the previous ones and Internet today is the speed, intensity and effectiveness of it at scale. That's what makes it much more scarier than all those previous attempts.
In this context, fighting cookies is a very nice strawman distraction.
Honestly, I think the only real chance for progress here is from better laws and us using better terminology in the conversation. There real problems are not "cookies" or even "third-party cookies" per se, but the tracking and data sharing going on with that data. Cookies are just a technology, with many legitimate reasons, what happens to the data is the real problem.
An online store keeping track of what products you looked at before a purchase on their own website is similar to a physical store watching for shopper patterns, and is completely different than a Facebook shadow profile correlated all over the web.
Cookie consent is like putting a list of all pesticides on vegetables: it's nice to know, but honestly why put the burden on the population to be experts in chemistry? And all pure-tech solutions always fail when the company you want to stop makes the browser.
The fix is not to change the design of the dialog box, nor is it to change the law.
The fix is to simply to not track any users in any way, shape, or form. Don't have to worry about opting in or out if there is nothing to opt in to in the first place.
edit: It’s not, just the page! Hush is meant to reduce the hassle associated with cookie requests, so I am assuming that there must be some example of offending code in the blog post. I’ll check it out later.
I am a lawyer and I have worked on this for the past several years. I have advised on the deployment of cookie pop-ups into multiple EU and UK markets (and some that have similar laws, e.g. Turkey).
I am a former web developer and back-in-the-day I wrote the cookies / session handling logic for an agency's homebrew framework. I understand the DOM, the data layer, tag management, local storage objects etc.
Giving people more control about how their data is used is laudable. In Europe, privacy is considered a human (cf. citizen or consumer) right. Clickstream data can be highly revealing of a person's interests and behaviours. The “invisible processing” of huge datasets of such personal data has the potential to surreptitiously erode privacy and impact on people’s lives.
Nevertheless, ‘cookies law’ is bad law:
1. It regulates the technology not the activity. It applies whether the use of cookies is for basic webstats, or to hive data off to data aggregators for profiling for remarketing, fraud prevention etc. Having to explain and control all cookie-based activities from the benign to the potentially intrusive, through the same UX, is difficult. It impedes one’s ability to have a proper discussion with the user about fair value exchange for their data.
2. It is written in out-of-date terminology (“terminal equipment”) and confuses the concept of “cookies” (storing AND retrieving information) with the actual regulated activity (storing OR retrieving information from a device). I recently saw a proposal from a BigTech which fundamentally misunderstood the scope of the regulation – perhaps deliberately – and I see this confusion arise time and time again in practice.
3. Its exemptions and exclusions are narrow and ambiguous. Consent is needed unless the information collection is “strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”. GDPR’s legitimate and public interest grounds are not therefore available for the collection of data, even if they later become available for the use of that data (even that is controversial and lacking in clarity: bifurcating approach to e-PD and GDPR may not find favour with regulators).
Then there’s a whole other debate about browser vendors, APIs and the various misaligned interests which conspire to prevent industry-led solutions to this problem. And vendors and consultants who go around recommending widgets, seemingly armed with only an elementary understanding of the underlying law. The result is to push the problem onto individuals through ugly, jarring UX which is often ineffective, both in communicating and delivering its intent. I often still see data collection notwithstanding which buttons I click.
Basically, everyone could do better. (I am sure us lawyers are not blameless either!)
This should be handled at the browser level. There's no reason for most users to ever be burdened with even a fantastically designed cookie consent window.