It's wild to me there's all this document sniffing song and dance, rather than just creating some standardized request headers. How many CPU cycles are spent setting up and tearing down these pointless banners?
Observing the do not track would have fulfilled the EU requirement.
You are falling into the trap that Americans normally fall into, thinking that the directive has anything to do with cookies or that the cookie banner was requested by the EU.
The requirement is simply
> You may not collect personal information without consent.
If they have an obnoxious advertising and data harvesting cookie banner then that was a design decision to make you opt in.
The EU should've mandated that providing the header is enough. And no window should be shown in this case (you can still ask to allow on top of a page, but it should not be an overlay). And yeah, it should _never_ be an overlay, because overlays are a predatory design practice (EU, please, could you be useful one more time?). Except after GDPR web designers went mad and we have modal overlay windows for cookies, for newsletters, for ads (always had these), for paid subscriptions, for go follow us on Twitter.
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
It has been planned for a long time to replace the ePrivacy Directive with the ePrivacy Regulation (https://en.wikipedia.org/wiki/EPrivacy_Regulation) which was actually going to replace the cookie banners with browser settings, but so far the ePrivacy Regulation is kind of stuck because of successful lobbying by ad companies.
Banners are in no way mandated, though. As the quoted text states, you need to have a policy easily available - the same as you'd have any other legal information on your website. Typically it isn't served on banners or popups, but e.g. in the page footer.
You also need to have the right to refuse, which is a non-issue if tracking is opt-in, or only happens in a necessary context like user login, where you can inform the user that it's about to happen.
It's a more or less deliberate misunderstanding to claim that you need popup banners because of EU regulation, and it seems to be said mainly in order to mask the fact that applications are designed to be hostile to privacy in the first place.
IANAL, but this is not entirely correct. For example, if you have server logs, that's processing personal information, most likely under GDPR Art. 6 lit 1f (legitimate interest). Under Art 13 the user must be informed of this. Because of the information requirement the Do-Not-Track is not enough unless you really, truly do not track any PII (which includes the IP address).
Equally, this is incorrect:
> You may not collect personal information without consent.
There are a whole host of reasons listed in Art. 6 when you do not need consent.
It didn't help that no one could agree on what constituted 'tracking', and what activities should be skipped on receiving that header. This was supposed to be part of the DNT standardization process, but was too contentious.
The reason DNT failed is because the companies that benefit from tracking users also build web browsers, and can influence how the web is built. DNT directly impacts their revenue, so they have no incentive to make it a standard.
Having worked on the backends of some of these systems, I think I'm fine with being tracked, especially in the general analytics sense. The issue I have is in being targeted or getting content that is too personalized based upon the tracking.
> the companies that benefit from tracking users also build web browsers
It is generous that they still refer to it as a "User Agent" in their self-serving standards. In a functioning market, things like AdBlock and Privacy Badger would be default features in any respectable web browser and the browser would actively attempt to frustrate efforts at fingerprinting.
What ever happened to Opera as a paid product? I guess I'll have to click through their cookie preferences banner to find out...
What matters is the intended purpose for which the data was collected. It is a violation to use it for another purpose than the one you collected consent for (or have another reason for collecting).
The "cookie banner" is to work around the fact that there are 3rd parties who would have access to your information without your consent and they want it to be awkward so that you consent.
If your application is a fitness tracker then of course you are going to have a lot of personal information. You are not allowed to sell it without consent, tracking in this case is selling information to Google et al.
You tracking a logged-in user, via a shopping cart as a cookie, does not violate the GDPR.
As an American living in Europe who supports the GDPR, I suspect that most of the violations are driven by American companies and these violations are in part ideological.
The concept of a government sincerely passing a law that genuinely and competently protects the privacy of its individual citizens seems absurdly unlikely to many of us. Laws are not created for individuals except when a cynical politician wants votes from the gullible. Circumventing such a "stupid", "anti-business" law as the GDPR is almost an American duty.
You may be able to argue a GDPR Art. 6 lit 1b (necessary to perform a contract) or a 1f (legitimate interest) reason to track, but you will need to, at the very least, inform the user. Storing data on the user's device (cookies, local storage, etc) also requires the user to be notified thanks to the ePrivacy directive.
Huh? We're talking about what sites should do on receiving a Do Not Track header, not about European privacy regulations. First-party personalisation is something that some people considered to be within the DNT scope and others didn't.
The problem is rather that they haven't decided yet (ePrivacy Directive). The GDPR was meant to be general; it was designed not to have technical details because it applies to everything.
It's noteworthy that in the Sephora case for California the AG explicitly called out the Global Privacy Control (GPC) as something that companies need to honor.
From https://oag.ca.gov/news/press-releases/attorney-general-bont...: "Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale," said Attorney General Bonta. "I hope today's settlement sends a strong message to businesses that are still failing to comply with California's consumer privacy law. My office is watching, and we will hold you accountable."
There should have been a standardized way for a browser to respond in exactly the way that these plugins behave. Basically "allow only functional/minimum cookies, never anything else".
Regulators of course should enforce the simple fact that this is also a requirement for anyone who dismisses a consent popup, has a browser setting that suppresses it, or even someone who clicks the biggest most obvious button - since all those actions (or non-actions) must result in "no consent".
But they're not required to obey it, so they ignore it, presumably because they expect that more people will agree if they are annoyed with a dialog by each website they visit.
How about this: I've configured Firefox with DNT and frequently, when I land on a site that blocks my view with a modal cookie popup, I just push the back button and try another link. While my browsing behaviour might be less typical than just pressing "OK", I'm sure it's a statistic they are keeping an eye on.
So while the dark pattern approach has merits to sites that want to track you, they must also be aware this is a balance. And a percentage of users will generally prefer to go to sites that leave them alone. That is: the cookie dialogue never widens the funnel.
But, this behavior does not protect your privacy at all, because those websites already put tracking information in your cookies claiming that they fall into “Legitimate Interest”. You need to interact with the modal and claw your way into the hidden settings where you can disable “Legitimate Interest” toggles.
You are correct, but just some additional information:
Those cookie banners are illegal under GDPR, btw.
Real "Legitimate Interest" does not even require consent, and you can't claim that tracking or marketing is "legitimate interest". An example of legitimate interest is keeping your address in the records after a purchase, or storing a receipt for accounting reasons.
And their expectation is correct: I click whatever green button I'm presented with and expect that my combination of private browser sessions, different profiles and adblock extensions messes them up enough. It sucks, I know, but the quantity of time people have lost with those banners, both on the client side and on the developer side (even if it is paid work that I did, I would have preferred to do anything more valuable), is enormous, and the culprits responsible for this should be taken to the courts, if not presented with a computer and sentenced to spend the rest of their lives clicking consent banners.
I suppose that is a matter that strikes a chord with me.
Compliant with GDPR doesn't seem to mean much. The comment I'm leaving now is compliant with GDPR. The question is, does it fulfill a cookie-using website's requirements under GDPR without additional UI? Wikipedia at least says it does not ("DNT is not widely adopted by the industry, with companies citing the lack of legal mandates for its use")
> The question is, does it fulfill a cookie-using website's requirements under GDPR without additional UI
It cannot. That's the whole point of the GDPR. It forbids tracking without informed, explicit user consent. Users cannot be informed or agree with the header setting.
Sites can, of course, not track users, or not track users who set do not track. They don't want to, that's why they try to annoy and/or mislead anyone into agreeing with their horrible banners.
(Using Cookies for site settings or even logins can be done without explicit consent and without banners)
The problem is that regulators were influenced by industry then. The proper regulation would have required that the default state be that users are shown no consent banners without explicit action and also not tracked.
But there is a need for clarification here for the most often encountered consent case: web sites.
Basically the regulation could say: you must have consent to collect data, but you must ALSO observe specific standardized method X of blanket disallowing all consent in specific contexts. For example, "if do-not-track is used in a web browser, then the user should not be shown a consent dialog but instead provided the service as if they had rejected the consent dialog".
I realize that regulators (for good reason!) are very reluctant to specify specific technologies. It's not their home turf, and it's likely to be quickly outdated. But I'm ready to accept that this would be a time when there is a good reason to make an exception to that rule.
I sort of agree with you on that. I guess I'd like to see it not in the main body of the regulation, but as an additional law/regulation/addendum that reflects the current state.
Wikipedia is not saying it's not compliant, just that people don't use it because it's not required.
GDPR requires that the user is able to refuse non-essential cookies. A banner, if used, needs two buttons, "Accept" and "Refuse" or something similar. Refusing should be as easy as accepting. And you MUST not serve the cookies unless the user really clicks on "Accept". This means that by default your website must work without those cookies.
So, if you want to honor the "Do Not Track" header, all you have to do is not show the banner at all, and don't use cookies that the user should be able to refuse. Done. You're compliant.
Why don't companies do it? Because companies want to force users to accept tracking. Cookie banners are nothing but a dark pattern, period. GDPR doesn't mandate them.
The banners are there not because they are required, but because websites want to badger you into agreeing to tracking. Websites don't need to show a banner if tracking is opt-in or if first-party cookies are only used for functionality not tracking!
This is why even though DNT exists, nobody respects it. The point is to make it annoying so people cave in to agreeing to allow tracking. Any standard that is not "by default allow tracking" will not get adoption from the site owners because it reduces the tracking they can do. Obviously, the whole point of the EU cookie regulation / GDPR is to not have tracking by default (which is unfair to the user), but at the same time, being a regulation, it also doesn't want to default to "no tracking until opt in" as that would then be unfair to the sites. If you can't allow by default and can't deny by default, the only remaining option is to ask.
It literally is "no tracking until opt in" under the GDPR, and websites voluntarily choose to force the dialogue on you in the hope you might accept. Nobody is forcing them to do so.
I also asked myself the same question. What I gather from the answers here is that browser vendors are to blame for not providing a mechanism. The law only says there's got to be explicit opt-in, but not the mechanism.
Curious to know if this also handles that nasty pattern where all "legitimate interest" opt-out toggles are hidden under the expanded details of each individual third party. The only live example of one variation on it I can remember right now is on msn.com (sort of fits their theme, got to give them that).
A naive search for "legitimate" in the repo shows 10 files [0] hard-coded into specific rule sets.
Which I interpret as: it's only available on those. Which is a real shame. I'm so damn sick of manually deselecting all of the hidden consent toggles :C
What I usually do is to select a parent HTML element of the list of third parties using the browser's dev console and then use JS to find, loop, and click each of those toggles automatically in one go. The script would look something like this:
Where $0 is an automatic reference to the selected parent element. The pseudocode/example string passed to querySelectorAll should be a selector (same syntax as selectors in CSS) to get each individual toggle element. Then forEach of those toggles it simulates a mouse click event.
That said, whatever is on these websites isn't usually even worth all this effort and it doesn't always work.
Oh god, I thought that some of those sites had finally been slapped or scared by others getting slapped by regulators when the legitimate interest buttons under each subheading disappeared and was even feeling good that reject all might actually reject all now. But I checked a few and nope, they've just moved it to per vendor like you said.
Cool, next they'll add recaptcha to change/reject cookies.
Dark patterns are everywhere and there's seemingly no widespread boycott against them. Open source projects should have banners about them on their homepage, as they've had for other social issues.
The button that says "Do not sell my information" means YES DO sell my information when it's "on."
I complained to them directly and said I'd pursue a complaint with the CA state's attorney, and to my surprise they actually changed it. But you still see this: https://i.imgur.com/fx0pqxA.png
That's the worst, both examples have the toggles being confusing for sure. But hey, kudos to you for talking to them and making something better, even if it's still not perfect!
When the Global Privacy Control (gpc) is set, websites should not show a banner and should default to opt-out. If companies followed this (and some do: https://imgur.com/a/kKkiaVm), this wouldn't be as necessary.
But alas, Consent-O-Matic is a cool tool for the present
For both Firefox and Brave, you don't need any add-ons or extensions.
For Firefox, you can enable GPC in `about:config`. You'll want to flip
`privacy.globalprivacycontrol.functionality.enabled` and `privacy.globalprivacycontrol.enabled` both to `true`
For Brave, GPC is enabled by default.
You can test your browser by going to https://globalprivacycontrol.org. It'll tell you at the top of the page if you have GPC turned on.
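To make the "honour the header and skip the banner" approach from the DNT and GPC comments above concrete, here is an added example (not any commenter's code, and not part of Consent-O-Matic) of the server-side decision: it reads the DNT and Sec-GPC request headers and returns whether non-essential cookies may be set and whether a banner has any reason to appear. The cookie names, the policy fields and the rule that a live browser signal beats a stored answer are assumptions for illustration.

```python
"""Server-side handling of the DNT and Sec-GPC opt-out headers.
Added example for this thread; cookie names, policy fields and the rule that
a live browser signal beats a stored answer are assumptions, not a standard."""
from dataclasses import dataclass
from typing import Mapping, Optional

# Cookies the site needs to work at all (login, settings); no consent needed.
# Constructed list for the example.
ESSENTIAL_COOKIES = {"session", "lang"}


@dataclass(frozen=True)
class ConsentDecision:
    allow_non_essential: bool  # may this response set tracking cookies?
    show_banner: bool          # is there anything left to ask the user?
    reason: str


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; frameworks differ on header casing."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def opt_out_signalled(headers: Mapping[str, str]) -> Optional[str]:
    """Name the browser opt-out signal present in the request, or None.

    Sec-GPC carries exactly "1" when the user has turned GPC on; DNT carries
    "1" for opt-out and "0" for an explicit opt-in.  Anything else is
    ignored, and is never read as consent.
    """
    if _header(headers, "Sec-GPC") == "1":
        return "Sec-GPC"
    if _header(headers, "DNT") == "1":
        return "DNT"
    return None


def decide(headers: Mapping[str, str],
           stored_consent: Optional[bool]) -> ConsentDecision:
    """stored_consent: None = never asked; True/False = the recorded answer."""
    signal = opt_out_signalled(headers)
    if signal is not None:
        # The browser already answered "no": nothing to ask, nothing to set.
        return ConsentDecision(False, False, f"{signal} opt-out honoured")
    if stored_consent is True:
        return ConsentDecision(True, False, "explicit prior consent")
    if stored_consent is False:
        return ConsentDecision(False, False, "explicit prior refusal")
    # Never asked and no signal: tracking stays off; asking is the only way up.
    return ConsentDecision(False, True, "no consent recorded; default to off")


def filter_cookies(decision: ConsentDecision, cookies: dict) -> dict:
    """Return only the cookies this response is allowed to set.

    Any cookie not on the essential list is treated as non-essential, so an
    unclassified cookie fails closed rather than slipping through.
    """
    return {
        name: value for name, value in cookies.items()
        if name in ESSENTIAL_COOKIES or decision.allow_non_essential
    }
```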
I think this is fundamentally the wrong way to deal with it. Cookie persistence should be a client side permission. If the user does not want to keep cookies, they are stored for the session and cleared on exiting the browser, just like in incognito mode. With these permission dialogs controlled by the website, you are trusting these buttons to do what they say they do.
These consent forms are not about cookies. They cover all forms of tracking, whether by cookie, local storage, IP address, browser fingerprint, or any other technique.
I'd rather just set most sites to wipe cookies per page and then just click whatever button they like.
Almost all websites have this "necessary cookies" song and dance going on. There are no necessary cookies, I view your page and then close it and we can delete everything. It's total nonsense.
I want to stay logged into some websites long term and not go through the entire 2FA login song and dance every time I want to e.g. check HN. Unfortunately since web browsers don’t have a usable authentication store we are stuck with using cookies for this. All other uses for cookies are basically invalid.
My solution was to write a bash script that runs something like "delete from moz_cookies where host not in ('ycombinator.com');" in the Firefox cookies.sqlite file. I run that every time I suspend my computers.
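An added example, not the commenter's script, doing the same pruning with Python's sqlite3 module instead of a shell one-liner: it keeps cookies for an allow-list of hosts and matches on host suffix, because Firefox stores domain cookies with a leading dot (".ycombinator.com") that a plain equality test would miss. The allow-list, the sample rows and the reduced moz_cookies schema used to build the sample are constructed assumptions.

```python
"""Prune a Firefox cookies.sqlite down to an allow-list of hosts.
Added example for this thread, not the commenter's script.  Assumes the real
moz_cookies table has at least the columns used here (id, host, name, value);
the allow-list and the sample rows below are constructed."""
import shutil
import sqlite3
import sys
import tempfile
from pathlib import Path

# Hosts whose cookies survive.  Firefox stores domain cookies with a leading
# dot (".ycombinator.com") and host-only cookies without it, so we match on
# suffix rather than equality.  Constructed list.
KEEP_HOSTS = ("ycombinator.com",)


def is_kept(host: str, keep=KEEP_HOSTS) -> bool:
    """True if host equals, or is a subdomain of, an allow-listed host."""
    h = host.lstrip(".").lower()
    # "evilycombinator.com" must NOT match: require a dot before the suffix.
    return any(h == k or h.endswith("." + k) for k in keep)


def prune(db_path: Path, keep=KEEP_HOSTS, dry_run: bool = False) -> int:
    """Delete every cookie whose host is not allow-listed; return the count."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT id, host FROM moz_cookies").fetchall()
        doomed = [row_id for row_id, host in rows if not is_kept(host, keep)]
        if doomed and not dry_run:
            # Parameterised deletes: host strings never go into SQL text.
            conn.executemany("DELETE FROM moz_cookies WHERE id = ?",
                             [(i,) for i in doomed])
            conn.commit()
        return len(doomed)
    finally:
        conn.close()


def build_sample(db_path: Path) -> None:
    """Create a cookies.sqlite with only the columns we use (constructed)."""
    conn = sqlite3.connect(db_path)
    conn.executescript("""
        CREATE TABLE moz_cookies (
            id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT);
        INSERT INTO moz_cookies (host, name, value) VALUES
            ('news.ycombinator.com', 'user', 'abc'),
            ('.ycombinator.com', 'pref', 'x'),
            ('.doubleclick.net', 'IDE', 'tracker'),
            ('evilycombinator.com', 'lookalike', 'y');
    """)
    conn.commit()
    conn.close()


def remaining_hosts(db_path: Path) -> list:
    """Sorted list of hosts still present in the database."""
    conn = sqlite3.connect(db_path)
    try:
        return sorted(h for (h,) in conn.execute("SELECT host FROM moz_cookies"))
    finally:
        conn.close()


def demo() -> tuple:
    """Build the constructed sample in a temp dir, prune it, report results."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "cookies.sqlite"
        build_sample(db)
        would_delete = prune(db, dry_run=True)
        deleted = prune(db)
        return would_delete, deleted, remaining_hosts(db)


if __name__ == "__main__":
    # Usage: python prune_cookies.py ~/.mozilla/firefox/<profile>/cookies.sqlite
    # Run only while Firefox is closed: it keeps the file open with a WAL
    # journal, so edits made while it runs can be lost or hit a locked database.
    target = Path(sys.argv[1]).expanduser()
    shutil.copy2(target, target.with_suffix(".sqlite.bak"))  # keep a backup
    print(f"deleted {prune(target)} cookies; hosts left: {remaining_hosts(target)}")
```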
I read thousands of websites submitted to HN and I do so without ever processing or sending cookies (except the one to HN itself). I am not convinced cookies are required for recreational web use or generally when using the web to retrieve information. Tasks like e-commerce or webmail are different matters. But 99.9% of the time I'm using the web, it's not for e-commerce, nor am I "logging in" to websites. And for webmail, I control sending the necessary cookies via a localhost-bound TLS proxy, not a "tech" company web browser. I can check webmail from the command line. No graphical browser required. I am a text-only browser user; the browser has no support for cookie or other storage. Yet I read thousands of websites. Cannot speak for others, but it seems 99.9% of the time I do not need cookies. Yet the second I use a popular graphical Javascript-enabled browser from a "tech" company, the cookies come fast and furious. I just block them using a localhost-bound proxy. Others use extensions or whatever. With respect to so-called "UX", i.e., user sanity, IME it certainly makes a difference which client/browser one chooses to read the web. The so-called "tech" company employees are hell-bent on every last web user choosing the same handful of advertising-friendly web browsers. To see those cookie banners one needs to use the "correct" browser, with "correct" being determined by people who profit from selling online advertising services. I use the "incorrect" ones and I never see cookie banners.
Cookies are only the easy to understand part, tracking has far more options available, including the similar other storage mechanisms, but also advanced techniques for fingerprinting.
I actually hate that it gets distilled down to cookies in discourse.
Meanwhile, I'm using noscript like it's still the 90's and get no such prompts. Granted most of the websites are crippled, but you can't have your cookie and eat it too.
He said he's "using noscript like it's still the 90's", as in he's using NoScript as if he was still in the 1990s. Problem with that is NoScript did not exist in the 1990s.
As an aside, NoScript did not exist, "browser extensions" in general did not exist (not counting toolbars...), and ads, Shockwave Flash, and some JavaScript were already very much a thing in the 1990s.
Consent-O-Matic is a great project, and near completely solves the cookie banner issue while still giving the user the choice of which types of cookies are desirable.
There are too many plugins that need access to all my data on all websites. Doesn't matter that it's open source, I'm not going to review every update of every plugin. Why can't I sandbox a plugin to a whitelist of domains?
Honestly Manifest v3 was contentious because it essentially nerfed adblockers completely -- and for that reason I really despise it.
But it sounds like exactly what you're asking for.
What is your alternative though? Surely things like this would need to access basically every website in order to be useful, and more-so on websites you'd never visited before.
You can always use something like chrome/firefox profiles which enable different plugins for different uses if that makes you feel safer.
Seems like a poor excuse for v3. Changing the permissions should be a browser side thing not something that requires an update on the extension side.
E.g. You can have extensions always ask for the max permissions needed, as long as the users can go in and un-permit stuff as needed. No need to change any aspect of the existing extension system...
> Surely things like this would need to access basically every website in order to be useful, and more-so on websites you'd never visited before.
Probably some kind of blacklist instead. E.g. This extension cannot run on these websites. We already have a more basic version of this with the allow running incognito option.
I find the development of personal information management quite intriguing. The hidden wars in a browser. Hiding away information autonomy handling. In lax IT terms, "website handshake" becomes a new meaning.
Right now, consent means a contractual agreement.
In the near future, with systems becoming more sophisticated and regulated (EU, I look at you), visiting a website in this sense means two lawyers negotiating a contract you simply agree to.
From "personal homepage" featuring almost anything from silly stuff to personal disclosures to "Sign here before you can see my content!" in less than 15 years.
Pretty cool, but installing it also means letting an extension have permission to "all data from all sites". Android has this "allow while app is open" method, which I think would be nice here, e.g. if you click the icon of the extension then it gets permissions for that site&tab&session, otherwise it can't run.
That would be the dream. Websites won't use it, though, and making a specific protocol mandatory by law would be quite bad in a couple of years when greedy data brokers figure out new ways to exploit people and their data.
P3P was an early version of this concept: a browser-native privacy control system. No websites used it, it was only ever implemented by Microsoft, and it was removed from the last remaining browsers a while back.
I think Apple, Google, Microsoft, and Mozilla coming together to set up a privacy protocol to replace cookie banners would be the right way to handle things. Until usable browser UI exists, there's no way to force the companies currently employing dark patterns to comply.
The EU can’t forbid web sites from informing you about the purposes for which they may want to store data on your browser. Even if the EU mandated a technical browser protocol, there would still be popups.
The predictable result of that will be for the requests to be ignored and the enforcement system will work even more poorly.
A solution which might actually improve enforcement would be to have someone filter the requests that come into Consent-O-Matic and forward them to the authorities in a monthly digest. Quality reports from a human who actually put effort into making them will get more traction than automated, low-quality reports. Make it easier to enforce the law, not harder.
One of the funniest things to me is that the EU organs that made this sort of thing ALL HAVE tracking cookies and analytics on their websites and ALL HAVE these annoying banners. To the last one.
> In most cases, the add-on just blocks or hides cookie related pop-ups. When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies.
Well, no, because there are non-cookie mechanisms of tracking to which you'd want to refuse permission, and because for sites where you do want to have some cookies (e.g. to log in to an account) you'd want to refuse permission to use that information for other purposes.
You have no way of proving whether any cookie or non-cookie mechanism is employed for a purpose you did not give permission for.
What you can do is eg. not enable the microphone when the website asks for it, not send the GA cookie back with requests to spin the visitor counter, or make the browser pretend that you have a bog-standard screen resolution and font selection. They will not have the information, so only the lack of information can be used.
If the cookie that stores your logged-in status is used for other purposes like getting more relevant ads in front of your eyeballs, that sucks. One can only hope that they are separated by functionality, or the candidates for more dubious activities are given out by a third party.
The main limitations on companies are legal, not technical, imposing costs on them that make it not worth it to break the law.
There are obvious ways of proving whether any cookie or non-cookie mechanism is employed for a purpose you did not give permission for, namely, audits of their systems and testimonies of their employees, which has resulted in quite a few huge fines being assessed and the illegal activity stopped, and will result in more.
We simply have to not legitimize this being done as "business as normal" and have to make it clear that they are not permitted to do so - all the really big impact comes from the large megacorps who eventually have to stay above the board legally.
Just tried it. The toolbar icon has colors. Should be updated to be a template icon. For it needs to be a template icon. I cannot remove it from toolbar as I don't want to allow it on every website.
I think the EU is trying to regulate something that can't be regulated because incentives don't align. Want a free internet? That means ads and tracking. Want no ads? That means you paying… and young or poor or anonymous people get excluded
You can still do ads, there are no rules regarding ads (other than there are things you can not advertise, like in the real world).
The main issue really is that publishers and ad networks conflate tracking and ads. I'm pretty tired of sites popping up a message saying: "We need to talk about your ad blocker". I don't block ads, I block tracking, remove the tracking and we're good.
Context-based ads work almost as well as those based on endless amounts of personal information. They are good enough, they worked well for decades. The problem is that they are a lot harder to sell/buy and modern online ad specialists aren't qualified to do it, they can only click around the Google AdWords or Facebook Ads.
I have a very simple response to this: fix the business model or just take the site off the web. If your site or service is popular enough I'm sure there is a way of monetizing it without tracking ads. Contextual ads, Really dumb ads, product referrals, subscriptions, the options are endless.
The usual response I get to this position is "but I don't want to pay with money and I don't mind ads, and I really like the content, should you be making the decision for me that I can't participate in that transaction?"
To which my answer is yes.
Why do jumped-up little bureaucrats always appropriate other people’s power of choice? It’s like there’s some dark instinct to issue diktats so that everyone must follow The One True Way… as defined by you.
> Why do jumped-up little bureaucrats always appropriate other people’s power of choice
They don't. What they say is that businesses shouldn't assume that people's private data is theirs for the taking. People still have the choice to opt-in to pervasive tracking.
You can participate in transaction. If the business asks you if you want to participate in the transaction, literally no one is stopping you from saying yes.
Basically: I think it would be fine for anyone to participate in market transactions with transparency. But I don’t think there can be transparency here, or that if we really tried then almost no one would accept the transaction anyway.
So I’m thinking a ban of the transactions is the lesser evil.
We already ban e.g. sale of your own organs. I'm fine with that too. Now, am I the right person to decide whether people value their kidneys like their integrity? Yes.
I think this is disingenuous. There are ways to do advertising without invasive and excessive tracking. We just accepted that getting tracked is the default and has to be that way. But there are alternatives. Sure, those alternatives would probably be less effective but also more respectful of user privacy.
And I know the change won’t happen. I’m aware of that. I’m just saying that alternatives are out there.
GDPR does not ban tracking. It requires that the user is informed how their personal data will be used, and, where the processing of their personal data is not strictly needed, explicitly consents to it.
I truly believe that the EU has ruined the internet. There are many ways they could have addressed the privacy issues of tracking cookies. But they decided to mandate the absolute most annoying, user-hostile mechanism possible. And now we can't get rid of it.
No, unscrupulous adtech businesses have ruined the internet. I had a business website that would not track users, and thus needed no cookie banner. If more business owners (especially the large ones) would stay away from shady practices they know full well their own children would object to, I'd say the web would still be a fine place today.
Actually, it's a bit more nuanced than that, because merely by using the #1 analytics solution, even without shady practices on your part, you already put your visitors' data at risk. Other example: embeds. I used Vimeo rather than YouTube to embed videos, using their rather honest do-not-track option, but went the extra mile and disabled localStorage for them, to ensure no data whatsoever was left. So almost all business owners need to actively want to protect their users' privacy, but this is a consequence of a few big players' explicit choices. See above.
They did not mandate consent banners. Websites are completely free to either A) not collect private information or B) Only track users on an opt-in basis.
What’s “nanny” about at least trying to do something to fight the omnipresent tracking?
We can criticize the solution, sure. We can also criticize the end result. But the intention was a good one and it was worth doing imo because at some point something has to be done.