Consent-O-Matic: Automatic cookie management (au.dk)
204 points by DerekBickerton on April 13, 2023 | hide | past | favorite | 151 comments



It's wild to me there's all this document sniffing song and dance, rather than just creating some standardized request headers. How many CPU cycles are spent setting up and tearing down these pointless banners?


That header exists, but the EU decided to go in a different, and much more annoying, direction.

https://en.wikipedia.org/wiki/Do_Not_Track


Observing the do not track would have fulfilled the EU requirement.

You are falling into the trap that Americans normally do, thinking that the directive has anything to do with cookies or that the cookie banner was requested by the EU.

The requirement is simply

> You may not collect personal information without consent.

If they have an obnoxious advertising and data harvesting cookie banner then that was a design decision to make you opt in.


You’re falling into the trap Europeans normally do that imagine that companies want to do the right thing. You want something to stop? Ban it.

American companies are adversarial actors who always do the least effort to continue on.


I don't think it does. Consent as a basis for data processing requires explicit opt-in. A 'do-not-track' header is opt-out.


Yes but if the header is present you already know the user will not consent so there is no need to even ask.


Exactly. So if the header is present, don't ask because it's a no. If the header is not present then ask the users consent. Easy as pie


Yes, it would need to be a header saying "I authorise".

A technicality on linguistics in this case as a header would still satisfy the requirement.


The EU should've mandated that providing the header is enough. And no window should be shown in this case (you can still ask to allow on top of a page, but it should not be an overlay). And yeah, it should _never_ be an overlay, because overlays are a predatory design practice (EU, please, could you be useful one more time?). Except after GDPR web designers went mad and we have modal overlay windows for cookies, for newsletters, for ads (always had these), for paid subscriptions, for "go follow us on Twitter".


But you can ask a user at browser install if they want to be tracked or not, so it's one opt-in/opt-out for all pages.


Cookie banners exist not because of the GDPR, but because of Article 5(3) of the ePrivacy Directive (https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...):

Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

It has been planned for a long time to replace the ePrivacy Directive with the ePrivacy Regulation (https://en.wikipedia.org/wiki/EPrivacy_Regulation), which was actually going to replace the cookie banners with browser settings, but so far the ePrivacy Regulation is kind of stuck because of successful lobbying by ad companies.


Banners are in no way mandated, though. As the quoted text states, you need to have a policy easily available - the same as you'd have any other legal information on your website. Typically it isn't served on banners or popups, but e.g. in the page footer.

You also need to have the right to refuse, which is a non-issue if tracking is opt-in, or only happens in a necessary context like user login, where you can inform the user that it's about to happen.

It's a more or less deliberate misunderstanding to claim that you need popup banners because of EU regulation, and it seems to be said mainly in order to mask the fact that applications are designed to be hostile to privacy in the first place.


IANAL, but this is not entirely correct. For example, if you have server logs, that's processing personal information, most likely under GDPR Art. 6 lit 1f (legitimate interest). Under Art 13 the user must be informed of this. Because of the information requirement the Do-Not-Track is not enough unless you really, truly do not track any PII (which includes the IP address).

Equally, this is incorrect:

> You may not collect personal information without consent.

There are a whole host of reasons listed in Art. 6 when you do not need consent.


I was answering in the context of the statement that the EU made this cookie banner mess and that the do not track header died because of the GDPR.

I didn't feel that logs would be relevant in this case because you would log that the Do Not Track header was present.

As a distilled version of the GDPR I still feel it hits the point.


DNT died the moment Microsoft decided to enable it by default in IE10. That was more than half a decade before the GDPR.


> that the EU made this cookie banner mess

It didn't.

Companies not willing to comply with GDPR did. As they didn't want to comply with Do Not Track header and used it for fingerprinting.


Exactly this.


It didn't help that no one could agree on what constituted 'tracking', and what activities should be skipped on receiving that header. This was supposed to be part of the DNT standardization process, but was too contentious.


No, it's pretty clear what tracking means.

The reason DNT failed is because the companies that benefit from tracking users also build web browsers, and can influence how the web is built. DNT directly impacts their revenue, so they have no incentive to make it a standard.


> No, it's pretty clear what tracking means.

Having worked on the backends of some of these systems, I think I'm fine with being tracked, especially in the general analytics sense. The issue I have is in being targeted or getting content that is too personalized based upon the tracking.

> the companies that benefit from tracking users also build web browsers

It is generous that they still refer to it as a "User Agent" in their self serving standards. In a functioning market, things like AdBlock and Privacy Badger would be default features in any respectable web browser and the browser would actively attempt to frustrate efforts at fingerprinting.

What ever happened to Opera as a paid product? I guess I'll have to click through their cookie preferences banner to find out...


Two things happened to Opera:

- nobody wants to pay.

- Google breaks their web apps on Opera (and many companies don't test stuff on Opera).


How about simply "any cookies that aren't required for the service to function"

Same cookies that get set by the annoying banner when you click through their BS to the "save my preferences" button


What if cookies which are required for a service to function are also used for tracking?


What matters is the intended purpose for which the data was collected. It is a violation to use it for another purpose than the one you collected consent for (or have another reason for collecting).


Remove the word cookie as that has nothing to do with the GDPR.

The EU rule was to prevent someone collecting personal identifying information and then sell it on without consent.

A really simple read can be found at the ICO.

https://ico.org.uk/for-organisations/guide-to-data-protectio...

The "cookie banner" is to work around the fact that there are 3rd parties who would have access to your information without your consent and they want it to be awkward so that you consent.

If your application is a fitness tracker then of course you are going to have a lot of personal information. You are not allowed to sell it without consent, tracking in this case is selling information to Google et al.

You tracking a logged in user, via a shopping cart as a cookie, does not violate the GDPR.


> You tracking a logged in user, via a shopping cart as a cookie, does not violate the GDPR.

Not the GDPR, the ePrivacy Directive. More: https://www.jefftk.com/p/why-so-many-cookie-banners


The reality is most EU cookie banners aren’t cookie banners but requests for consent under GDPR


I think you'd have trouble finding a banner that wasn't also asking for cookie consent.


That doesn't mean the banner is correct though - many just ask for Cookie Consent when they need a wider consent

Even making a TCP connection to a non-critical third party requires consent


It looks like you have identified the workaround that a ton of sites are using to track even users who deny non-essential cookies.


Doing that is a clear GDPR violation


As an American living in Europe who supports the GDPR, I suspect that most of the violations are driven by American companies and these violations are in part ideological.

The concept of a government sincerely passing a law that genuinely and competently protects the privacy of its individual citizens seems absurdly unlikely to many of us. Laws are not created for individuals except when a cynical politician wants votes from the gullible. Circumventing such a "stupid", "anti-business" law as the GDPR is almost an American duty.


You may be able to argue a GDPR Art. 6 lit 1b (necessary to perform a contract) or a 1f (legitimate interest) reason to track, but you will need to, at the very least, inform the user. Storing data on the user's device (cookies, local storage, etc) also requires the user to be notified thanks to the ePrivacy directive.


Then the site is probably violating the GDPR.


What is "function"? If you have a media site is it a function to be able to recommend other articles you might wanna read based on user history.


Could something like Facebook track which links you click on so they can try to show you ones you're likely to click on again in the future?


This sounds like you should read the rule.

https://ico.org.uk/for-organisations/guide-to-data-protectio...

It's really simple.


Huh? We're talking about what sites should do on receiving a Do Not Track header, not about European privacy regulations. First party personation is something that some people considered to be within the DNT scope and others didn't.


We're talking about applying the do not track header to GDPR regulation


And there was P3P before DNT:

https://en.wikipedia.org/wiki/P3P


The problem is rather that they haven't decided yet (ePrivacy directive). The GDPR was meant to be general; it was designed not to have technical details because it applies to everything.


It's noteworthy that in the Sephora case for California the AG explicitly called out the Global Privacy Control (gpc) as something that companies need to honor.

From https://oag.ca.gov/news/press-releases/attorney-general-bont...: “Technologies like the Global Privacy Control are a game changer for consumers looking to exercise their data privacy rights. But these rights are meaningless if businesses hide how they are using their customer's data and ignore requests to opt-out of its sale,” said Attorney General Bonta. “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”


There should have been a standardized way for a browser to respond in exactly the way that these plugins behave. Basically "allow only functional/minimum cookies, never anything else".

Regulators of course should enforce the simple fact that this is also a requirement for anyone who dismisses a consent popup, has a browser setting that suppresses it, or even someone who clicks the biggest most obvious button - since all those actions (or non-actions) must result in "no consent".


Websites are free to use it. It is 100% compliant with the GDPR.


But they're not required to obey it, so they ignore it, presumably because they expect that more people will agree if they are annoyed with a dialog by each website they visit.


How about this: I've configured Firefox with DNT and frequently, when I land on a site that blocks my view with a modal cookie popup, I just push the back button and try another link. While my browsing behaviour might be less typical than just pressing "OK", I'm sure it's a statistic they are keeping an eye on.

So while the dark pattern approach has merits to sites that want to track you, they must also be aware this is a balance. And a percentage of users will generally prefer to go to sites that leave them alone. That is: the cookie dialogue never widens the funnel.


But, this behavior does not protect your privacy at all, because those websites already put tracking information in your cookies claiming that they fall into “Legitimate Interest”. You need to interact with the modal and claw your way into the hidden settings where you can disable “Legitimate Interest” toggles.


You are correct, but just some additional information:

Those cookie banners are illegal under GDPR, btw.

Real "Legitimate Interest" does not even require consent, and you can't claim that tracking or marketing is "legitimate interest". An example of legitimate interest is keeping your address in the records after a purchase, or storing a receipt for accounting reasons.


And the expectation is correct: I click whatever green button I'm presented with and expect that my combination of private browser sessions, different profiles and adblock extensions messes them up enough. It sucks, I know, but the amount of time people have lost with those banners, both on the client side and on the developer side (even if it is paid work that I did, I would have preferred to do anything more valuable), is enormous, and the culprits responsible for this should be taken to the courts, if not presented with a computer and sentenced to spend the rest of their lives clicking consent banners.

I suppose that is a matter that strikes a chord with me.


Which in my case is entirely true.


I was pleasantly surprised to see websites like medium.com disable their embeds and seemingly their tracking scripts when you have DNT enabled.

Most websites that use ads or (opt-out) tracking choose to ignore the header because there's no technical or legal reason why they can't.


Compliant with GDPR doesn't seem to mean much. The comment I'm leaving now is compliant with GDPR. The question is, does it fulfill a cookie-using website's requirements under GDPR without additional UI? Wikipedia at least says it does not ("DNT is not widely adopted by the industry, with companies citing the lack of legal mandates for its use")

https://en.wikipedia.org/wiki/Do_Not_Track


> The question is, does it fulfill a cookie-using website's requirements under GDPR without additional UI

It cannot. That's the whole point of the GDPR. It forbids tracking without informed, explicit user consent. Users cannot be informed or agree with the header setting.

Sites can, of course, not track users, or not track users who set do not track. They don't want to, that's why they try to annoy and/or mislead anyone into agreeing with their horrible banners.

(Using Cookies for site settings or even logins can be done without explicit consent and without banners)


The problem is that regulators were influenced by industry then. The proper regulation would have required that the default state be that users are shown no consent banners without explicit action and also not tracked.


GDPR. Does not. Mandate. Browser. Or website. Cookies. Banners. Or UIs.

In its simplest form it says: if you want to collect more data than is required, you have to ask users for consent.

This applies in equal measure to sites, banks, grocery stores, shopping malls, shit processing plants, nuclear reactors etc.


I'm. Fully. Aware.

But there is a need for clarification here for the most often encountered consent case: web sites.

Basically the regulation could say: you must have consent to collect data, but you must ALSO observe specific standardized method X of blanket disallowing all consent in specific contexts. For example, "if do-not-track is used in a web browser, then the user should not be shown a consent dialog but instead provided the service as if they had rejected the consent dialog".

I realize that regulators (for good reason!) are very reluctant to specify specific technologies. It's not their home turf, and it's likely to be quickly outdated. But I'm ready to accept that this would be a time when there is a good reason to make an exception to that rule.


I sort of agree with you on that. I guess I'd like to see it not in the main body of the regulation, but as an additional law/regulation/addendum that reflects the current state.


Wikipedia is not saying it's not compliant, just that people don't use it because it's not required.

GDPR requires that the user is able to refuse non-essential cookies. A banner, if used, needs two buttons, "Accept" and "Refuse" or something similar. Refusing should be as easy as accepting. And you MUST not serve the cookies unless the user really clicks on "Accept". This means that by default your website must work without those cookies.

So, if you want to honor the "Do Not Track" header, all you have to do is not show the banner at all, and don't use cookies that the user should be able to refuse. Done. You're compliant.

Why companies don't do it? Because companies want to force users to accept tracking. Cookie banners are nothing but a dark pattern, period. GDPR doesn't mandate them.


It's not for lack of trying. When the DNT header came out, trackers said they would refuse to honor it if it was made opt-out rather than opt-in.


Fortunately consent managers can still enforce restrictions onto non-compliant trackers whenever this signal is detected.


Because the incentives are not aligned.

The banners are there not because they are required, but because websites want to badger you into agreeing to tracking. Websites don't need to show a banner if tracking is opt-in or if first-party cookies are only used for functionality not tracking!

This is why even though DNT exists, nobody respects it. The point is to make it annoying so people cave in to agreeing to allow tracking. Any standard that is not "by default allow tracking" will not get adoption from the site owners because it reduces the tracking they can do. Obviously, the whole point of the EU cookie regulation / GDPR is to not have tracking by default (which is unfair to the user), but at the same time, being a regulation, it also doesn't want to default to "no tracking until opt in" as that would then be unfair to the sites. If you can't allow by default and can't deny by default, the only remaining option is to ask.

This is really a no-win situation.


It literally is "no tracking until opt in" under the GDPR, and websites voluntarily choose to force the dialogue on you in the hope you might accept. Nobody is forcing them to do so.


I also asked myself the same question. What I gather from the answers here is that browser vendors are to blame for not providing a mechanism. The law only says there's got to be explicit opt-in, but not the mechanism.


Curious to know if this also handles that nasty pattern where all "legitimate interest" opt-out toggles are hidden under the expanded details of each individual third party. The only live example of one variation on it I can remember right now is on msn.com (sort of fits their theme, got to give them that).


Exactly my first question about this.

A naive search for "legitimate" in the repo shows 10 files [0] hard-coded into specific rule sets.

Which I interpret as: it's only available on those. Which is a real shame. I'm so damn sick of manually deselecting all of the hidden consent toggles :C

[0] https://github.com/search?q=repo%3Acavi-au%2FConsent-O-Matic...


What I usually do is to select a parent HTML element of the list of third parties using the browser's dev console and then use JS to find, loop, and click each of those toggles automatically in one go. The script would look something like this:

  $0.querySelectorAll('.thirdparty button.optoutToggle').forEach(el => el.click())
Where $0 is an automatic reference to the selected parent element. The pseudocode/example string passed to querySelectorAll should be a selector (same syntax as selectors in CSS) to get each individual toggle element. Then forEach of those toggles it simulates a mouse click event.

That said, whatever is on these websites isn't usually even worth all this effort and it doesn't always work.
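A slightly more careful version of the dev-console trick above, written here as an added example (not code from the comment or from Consent-O-Matic): it only clicks toggles that are currently switched on, so running it twice never flips a vendor back to opted-in, and it reports what it did. The selector and the toggle markup (checkbox inputs or ARIA switch buttons) are assumptions about a generic consent panel, not any real consent manager's layout; the tiny DOM stand-in at the bottom is constructed so the code also runs under Node, in a browser you pass a real element such as `$0`.

```javascript
// Added example. In a browser: optOutAll($0) with the consent panel selected in dev tools.
const TOGGLE_SELECTOR =
  '.thirdparty button.optoutToggle, .thirdparty input[type=checkbox]'; // assumed markup

// A toggle counts as "on" if it is a checked checkbox or an ARIA switch/pressed
// button whose state attribute is "true". Anything else is treated as already off.
function isToggleOn(el) {
  if (typeof el.checked === 'boolean') return el.checked;
  const state = el.getAttribute('aria-checked') || el.getAttribute('aria-pressed');
  return state === 'true';
}

// Click every toggle under `root` that is still on. click() is called as a
// method so `this` stays bound; forEach(({click}) => click()) would throw
// "Illegal invocation" on real DOM elements.
function optOutAll(root, selector = TOGGLE_SELECTOR) {
  let clicked = 0;
  let alreadyOff = 0;
  for (const el of root.querySelectorAll(selector)) {
    if (isToggleOn(el)) {
      el.click();
      clicked++;
    } else {
      alreadyOff++;
    }
  }
  return { clicked, alreadyOff };
}

// Constructed stand-in for the DOM so the example runs outside a browser.
// A real page supplies these objects itself; only the two access patterns
// used above (checked / getAttribute / click / querySelectorAll) are modelled.
function fakeToggle(kind, on) {
  const state = { on };
  if (kind === 'checkbox') {
    return {
      get checked() { return state.on; },
      getAttribute: () => null,
      click() { state.on = !state.on; },
    };
  }
  return {
    getAttribute: (name) => (name === 'aria-checked' ? String(state.on) : null),
    click() { state.on = !state.on; },
  };
}

function fakeRoot(toggles) {
  return { querySelectorAll: () => toggles };
}

// Two vendors opted in, one already opted out; the second run is a no-op.
function demo() {
  const root = fakeRoot([
    fakeToggle('checkbox', true),
    fakeToggle('switch', true),
    fakeToggle('switch', false),
  ]);
  const first = optOutAll(root);  // { clicked: 2, alreadyOff: 1 }
  const second = optOutAll(root); // { clicked: 0, alreadyOff: 3 }
  return { first, second };
}

console.log(JSON.stringify(demo()));
```

The state check is the part worth keeping: a plain `click()` on every toggle re-enables any vendor the user had already switched off, which is exactly the opposite of what a second pass over a half-finished panel should do.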


There are a lot of websites doing that, like 30-60% of the websites with cookie popups in my experience. Pretty scummy imo


Oh god, I thought that some of those sites had finally been slapped or scared by others getting slapped by regulators when the legitimate interest buttons under each subheading disappeared and was even feeling good that reject all might actually reject all now. But I checked a few and nope, they've just moved it to per vendor like you said.


Cool, next they'll add recaptcha to change/reject cookies.

Dark patterns are everywhere and there's seemingly no widespread boycott against them. Open source projects should have banners about them on their homepage, as they've had for other social issues.


My favorite is the big button that says "Do not sell my information," which takes you to a panel that has "Sale of personal information" turned ON.

Even worse, look at this BS: https://i.imgur.com/Q0Hlzk3.png

The button that says "Do not sell my information" means YES DO sell my information when it's "on."

I complained to them directly and said I'd pursue a complaint with the CA state's attorney, and to my surprise they actually changed it. But you still see this: https://i.imgur.com/fx0pqxA.png


That's the worst, both examples have the toggles being confusing for sure. But hey, kudos to you for talking to them and making something better, even if it's still not perfect!


Ironically, ReCaptcha is not GDPR compliant and would require consent before use.


When the Global Privacy Control (gpc) is set, websites should not show a banner and should default to opt-out. If companies followed this (and some do: https://imgur.com/a/kKkiaVm), this wouldn't be as necessary.

But alas, Consent-O-Matic is a cool tool for the present
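What honoring the signal looks like from the site's side, as described in the comment above and in the earlier one about DNT ("don't show the banner at all, and don't use cookies that the user should be able to refuse"), as an added example that is not code from Consent-O-Matic or from any commenter. The header names are real (`Sec-GPC` from the Global Privacy Control spec, `DNT` from Do Not Track); the `consent` cookie, its values and the analytics cookie are constructed assumptions. The request handler has the `(req, res)` shape Node's `http.createServer` expects but the block does not start a server.

```javascript
// Added example: per-request decision for a site that honors GPC and DNT.

// Minimal Cookie-header parser (constructed; enough for "a=1; consent=accepted").
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Rules, in priority order:
//  1. Sec-GPC: 1 or DNT: 1 -> the browser already said no. No banner, no tracking.
//     A live signal wins over an older stored "accepted" (design choice: the
//     most recent, most protective statement from the user is the one honored).
//  2. A stored explicit choice is respected without asking again.
//  3. No signal and no stored choice -> ask, but still do not track: the default
//     is opt-in, so nothing non-essential is set until the user agrees.
// `headers` uses lower-case names, as Node's req.headers does.
function consentDecision(headers, cookies) {
  const gpc = headers['sec-gpc'] === '1';
  const dnt = headers['dnt'] === '1';
  if (gpc || dnt) {
    return { showBanner: false, allowTracking: false, reason: gpc ? 'Sec-GPC' : 'DNT' };
  }
  if (cookies.consent === 'accepted') {
    return { showBanner: false, allowTracking: true, reason: 'stored consent' };
  }
  if (cookies.consent === 'rejected') {
    return { showBanner: false, allowTracking: false, reason: 'stored refusal' };
  }
  return { showBanner: true, allowTracking: false, reason: 'no choice yet' };
}

// Usable as http.createServer(handler). The response depends on these request
// headers, so caches are told via Vary not to serve one user's variant to another.
function handler(req, res) {
  const decision = consentDecision(req.headers, parseCookies(req.headers.cookie));
  res.setHeader('Vary', 'Sec-GPC, DNT, Cookie');
  res.setHeader('Content-Type', 'application/json');
  if (decision.allowTracking) {
    // Only reached after an explicit "accepted"; value is a constructed placeholder.
    res.setHeader('Set-Cookie', 'analytics_id=placeholder-example; Path=/; SameSite=Lax');
  }
  res.end(JSON.stringify(decision));
  return decision;
}

// Constructed requests covering each branch, for a quick table when run directly.
function scenarios() {
  return [
    ['GPC set',            { 'sec-gpc': '1' }, ''],
    ['DNT set, consented', { dnt: '1' }, 'consent=accepted'],
    ['stored accept',      {}, 'consent=accepted'],
    ['stored reject',      {}, 'consent=rejected'],
    ['first visit',        {}, ''],
  ].map(([label, headers, cookie]) => ({
    label,
    ...consentDecision(headers, parseCookies(cookie)),
  }));
}

console.table(scenarios());
```

The point a practitioner should take from this is that the banner is the last resort, not the default: with the signal present, or with any stored choice, the request is answered without a dialog, and the analytics cookie is only ever set on the one path where consent was actually given.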


> Global Privacy Control

Notably, the popular mainstream browsers haven't implemented this and so you need an add-on for it. Irritating.


For both Firefox and Brave, you don't need any add-ons or extensions.

For Firefox, you can enable GPC in `about:config`. You'll want to flip `privacy.globalprivacycontrol.functionality.enabled` and `privacy.globalprivacycontrol.enabled` both to `true`

For Brave, GPC is enabled by default.

You can test your browser by going to https://globalprivacycontrol.org. It'll tell you at the top of the page if you have GPC turned on.


Right, I didn't say all browsers, just the popular mainstream ones. Safari, Chrome of any kind, including Edge.


Depending on your country, FF counts as mainstream on Desktop. Hi from Germany ;)


I think this is fundamentally the wrong way to deal with it. Cookie persistence should be a client side permission. If user does not want to keep cookies, it is stored for the session and cleared on exiting browser, just like in incognito mode. With these permission dialogs controlled by the website, you are trusting these buttons to do what they say they do.


These consent forms are not about cookies. They cover all forms of tracking, whether by cookie, local storage, IP address, browser fingerprint, or any other technique.


I'd rather just set most sites to wipe cookies per page and then just click whatever button they like.

Almost all websites have this "necessary cookies" song and dance going on. There are no necessary cookies, I view your page and then close it and we can delete everything. It's total nonsense.


I want to stay logged into some websites long term and not go through the entire 2FA login song and dance every time I want to e.g. check HN. Unfortunately since web browsers don’t have a usable authentication store we are stuck with using cookies for this. All other uses for cookies are basically invalid.


Sure, that makes sense.

99% of websites I visit that do the cookie crap I never log in to, though. The banner could easily be kept until that point.


My solution was to write a bash script that runs something like "delete from moz_cookies where host not in ('ycombinator.com');" in the Firefox cookies.sqlite file. I run that every time I suspend my computers.


There's the Cookie AutoDelete extension for Firefox and Chromium-based browsers - it does that automatically


I read thousands of websites submitted to HN and I do so without ever processing or sending cookies (except the one to HN itself). I am not convinced cookies are required for recreational web use or generally when using the web to retrieve information. Tasks like e-commerce or webmail are different matters. But 99.9% of the time I'm using the web, it's not for e-commerce, nor am I "logging in" to websites. And for webmail, I control sending the necessary cookies via a localhost-bound TLS proxy, not a "tech" company web browser. I can check webmail from the command line. No graphical browser required. I am a text-only browser user; the browser has no support for cookie or other storage. Yet I read thousands of websites. Cannot speak for others, but it seems 99.9% of the time I do not need cookies. Yet the second I use a popular graphical Javascript-enabled browser from a "tech" company, the cookies come fast and furious. I just block them using a localhost-bound proxy. Others use extensions or whatever. With respect to so-called "UX", i.e., user sanity, IME it certainly makes a difference which client/browser one chooses to read the web. The so-called "tech" company employees are hell-bent on every last web user choosing the same handful of advertising-friendly web browsers. To see those cookie banners one needs to use the "correct" browser, with "correct" being determined by people who profit from selling online advertising services. I use the "incorrect" ones and I never see cookie banners.


Cookies are only the easy to understand part, tracking has far more options available, including the similar other storage mechanisms, but also advanced techniques for fingerprinting.

I actually hate that it gets distilled down to cookies in discourse.


Meanwhile, I'm using noscript like it's still the 90's and get no such prompts. Granted most of the websites are crippled, but you can't have your cookie and eat it too.


>I'm using noscript like it's still the 90's and get no such prompts.

NoScript came out in 2005.[1]

[1]: https://en.wikipedia.org/wiki/NoScript


He's saying the result of using noscript is that the web is like it was in the 90's.


That is not what he said.

He said he's "using noscript like it's still the 90's", as in he's using NoScript as if he was still in the 1990s. Problem with that is NoScript did not exist in the 1990s.

As an aside, NoScript did not exist, "browser extensions" in general did not exist (not counting toolbars...), and ads, Shockwave Flash, and some JavaScript were already very much a thing in the 1990s.


I didn't say that's what he said, I said that's what he's saying. There's a difference.


Proxitok gives the same experience to that dumpster fire of a UI we call TikTok.


Consent-O-Matic is a great project, and near completely solves the cookie banner issue while still giving the user the choice of which types of cookies are desirable.


There are too many plugins that need access to all my data on all websites. Doesn't matter that it's open source, I'm not going to review every update of every plugin. Why can't I sandbox a plugin to a whitelist of domains?


Wasn't that the whole point of manifest v3?

Honestly Manifest v3 was contentious because it essentially nerfed adblockers completely -- and for that reason I really despise it.

But it sounds like exactly what you're asking for.

What is your alternative though? Surely things like this would need to access basically every website in order to be useful, and more-so on websites you'd never visited before.

You can always use something like chrome/firefox profiles which enable different plugins for different uses if that makes you feel safer.


Seems like a poor excuse for v3. Changing the permissions should be a browser side thing not something that requires an update on the extension side. E.g. You can have extensions always ask for the max permissions needed, as long as the users can go in and un-permit stuff as needed. No need to change any aspect of the existing extension system...

> Surely things like this would need to access basically every website in order to be useful, and more-so on websites you'd never visited before.

Probably some kind of blacklist instead. E.g. This extension cannot run on these websites. We already have a more basic version of this with the allow running incognito option.


Just mentioning that FF will allow V3 manifest (without the blocker nerf, not sure if it already happened).


On Safari at least, you can configure it to ask whether you want to run an extension on each domain.


if you're already using uBlock Origin just enable the EasyList Cookies filter and you'll never see a cookie popup again.


I find the development of personal information management quite intriguing. The hidden wars in a browser. Hiding away information autonomy handling. In lax IT terms, "website handshake" becomes a new meaning.

Right now, consent means a contractual agreement.

In the near future, with systems becoming more sophisticated and regulated (EU, I look at you), visiting a website in this sense means two lawyers negotiating a contract you simply agree to.

From "personal homepage" featuring almost anything from silly stuff to personal disclosures to "Sign here before you can see my content!" in less than 15 years.


Pretty cool, but installing it also means letting an extension have permission to "all data from all sites". Android has this "allow while app is open" method, which I think would be nice here, e.g. if you click the icon of the extension then it gets permissions for that site&tab&session, otherwise it can't run.


You'd then have to click the extension once for every site you visit. Is that really much of an improvement?


The EU should have mandated that browser vendors be the ones to implement cookie preferences, not every single website.


It defeats the point; management of personal data is the sole responsibility of companies. Why should browsers take responsibility for that?


A standardized protocol with a nice browser native UI?


That was called Do Not Track headers, and websites decided to both ignore it and use it for additional tracking.

The current situation is purely a result of advertising companies fucking you over, not because of Europe.


That would be the dream. Websites won't use it, though, and making a specific protocol mandatory by law would be quite bad in a couple of years when greedy data brokers figure out new ways to exploit people and their data.

P3P was an early version of this concept: a browser-native privacy control system. No websites used it, it was only ever implemented by Microsoft, and has been removed from the last remaining browsers a while back.

I think Apple, Google, Microsoft, and Mozilla coming together to set up a privacy protocol to replace cookie banners would be the right way to handle things. Until usable browser UI exists, there's no way to force the companies currently employing dark patterns to comply.


These companies consider the big green "I consent" button to be the nice UI. Or rather, they want to make sure it's the nicest UI.


The EU can’t forbid web sites from informing you about the purposes for which they may want to store data on your browser. Even if the EU mandated a technical browser protocol, there would still be popups.


This is great. I'd kind of like an option, when dark patterns are detected, to opt in and then immediately submit GDPR data requests, though.


The predictable result of that will be for the requests to be ignored and the enforcement system will work even more poorly.

A solution which might actually improve enforcement would be to have someone filter the requests that come into Consent-O-Matic and forward them to the authorities in a monthly digest. Quality reports from a human who actually put effort into making them will get more traction than automated, low-quality reports. Make it easier to enforce the law, not harder.


Why would that make the enforcement system work worse? These would go to the offending organisations.


And then automate reporting to the ICO when they ignore the request?


You'd need to automate the next escalation path when the ICO turns out to be doing what they do best: being useless.


One of the funniest things to me is that the EU organs that made this sort of thing ALL HAVE tracking cookies and analytics on their websites and ALL HAVE these annoying banners. To the last one.


What they usually have is a tidy banner saying something like "We use analytics cookies. Reject. Accept".

Compare it to the abominations that the greedy tracking leeches from OneTrust, IAB etc. are presenting.


What’s the difference with “I don’t care about cookies” extension?


Idcac is the extension advertisers want you to install ;)


That one is equivalent to always clicking "accept all".


From https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies (a spinoff, since the original extension got bought out):

> In most cases, the add-on just blocks or hides cookie related pop-ups. When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies.


The browser can always decide to remove any cookie associated with the site or not store it outright.


Well, no, because there are non-cookie mechanisms of tracking to which you'd want to refuse permission, and because for sites where you do want to have some cookies (e.g. to log in to an account) you'd want to refuse permission to use that information for other purposes.


You have no way of proving whether any cookie or non-cookie mechanism is employed for a purpose you did not give permission for.

What you can do is eg. not enable the microphone when the website asks for it, not send the GA cookie back with requests to spin the visitor counter, or make the browser pretend that you have a bog-standard screen resolution and font selection. They will not have the information, so only the lack of information can be used.

If the cookie that stores your logged-in status is used for other purposes like getting more relevant ads in front of your eyeballs, that sucks. One can only hope that they are separated by functionality, or the candidates for more dubious activities are given out by a third party.


The main limitations on companies are legal, not technical, imposing costs on them that make it not worth it to break the law.

There are obvious ways of proving whether any cookie or non-cookie mechanism is employed for a purpose you did not give permission for, namely audits of their systems and testimonies of their employees, which have resulted in quite a few huge fines being assessed and the illegal activity stopped, and will result in more.

We simply have to not legitimize this being done as "business as normal" and have to make it clear that they are not permitted to do so - all the really big impact comes from the large megacorps who eventually have to stay above board legally.


Consent dialogs aren't only about storing cookies.


If one only uses cookies for required things (e.g. auth session), do we even need those cookie warnings?

No ads, no third parties.


You don't need a consent dialog for purely functional cookies. You may need to explain what that cookie does in your privacy policy, though.

You can even show ads; ads don't require tracking, or even third parties.
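Two points made in this thread fit into a single server-side decision: a machine-readable refusal header such as Do Not Track means there is no need to even ask, and a purely functional cookie such as a login session needs no consent dialog at all. The snippet below is an added example, not code from Consent-O-Matic or from anyone in the thread. It also honours the Global Privacy Control header (Sec-GPC), which the thread does not mention; the cookie names sid, consent and _analytics are made up for illustration, and header names are lowercase as Node's http module presents them.

```javascript
// Added example: treat a browser's Do Not Track (or GPC) signal as a standing
// refusal, so no consent prompt is rendered and no tracking cookie is set,
// while the strictly necessary session cookie is issued regardless.

// Parse a Cookie request header into a plain object. Malformed pairs are
// skipped rather than throwing, since this header is attacker-controlled input.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// True when the browser has sent a machine-readable opt-out signal.
// "DNT: 1" is the Do Not Track header; "Sec-GPC: 1" is Global Privacy Control.
function trackingOptOut(headers) {
  return headers['dnt'] === '1' || headers['sec-gpc'] === '1';
}

// Decide what to do for one request:
//  - ask:       whether to render a consent prompt at all
//  - analytics: whether analytics/tracking may run on this response
//  - setCookie: the Set-Cookie values to emit
function decideTracking(headers, sessionId) {
  const cookies = parseCookies(headers['cookie']);
  const optedOut = trackingOptOut(headers);
  // Consent must be an explicit opt-in; a stored "consent=analytics" cookie is
  // the record of that. Absence of the cookie is not consent, and an opt-out
  // signal overrides any previously stored consent.
  const consented = !optedOut && cookies['consent'] === 'analytics';

  const setCookie = [
    // Functional session cookie: strictly necessary, so it is always set.
    `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`,
  ];
  if (consented) {
    // Only issued after opt-in; omitted entirely when DNT/GPC is present.
    setCookie.push('_analytics=1; Path=/; Secure; SameSite=Lax; Max-Age=2592000');
  }
  return { ask: !optedOut && !consented, analytics: consented, setCookie };
}

// Constructed sample requests for illustration, not captured traffic.
const samples = {
  dntBrowser: { dnt: '1' },
  gpcBrowser: { 'sec-gpc': '1', cookie: 'consent=analytics' },
  firstVisit: {},
  optedIn: { cookie: 'sid=abc; consent=analytics' },
};

for (const [name, headers] of Object.entries(samples)) {
  const d = decideTracking(headers, 'session-0001');
  console.log(name.padEnd(11), `ask=${d.ask}`, `analytics=${d.analytics}`, `cookies=${d.setCookie.length}`);
}

module.exports = { parseCookies, trackingOptOut, decideTracking };
```

The gpcBrowser sample is the interesting case: even though a consent cookie is present, the opt-out header wins, so the response neither asks again nor sets the analytics cookie. A site that honoured this signal would show no banner at all to such a visitor.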


Good thing no companies use tracking methods that don't use cookies.


Cookie or LocalStorage or whatever is irrelevant, what matters is tracking a session when it's not necessary to provide the service.


Does Consent-O-Matic also keep a record of each such automated action for me as the user?


It keeps a log locally on your computer of how many of a certain type of pop-up it has handled (and how many clicks it has made for you).

You can access it through the 'about' tab in the extension.


Next plot twist : the addon is integrated in the browser. /lelz


Just tried it. The toolbar icon has colors. It should be updated to be a template icon. I cannot remove it from the toolbar as I don't want to allow it on every website.


I think the EU is trying to regulate something that can't be regulated because incentives don't align. Want a free internet? That means ads and tracking. Want no ads? That means you pay… and young or poor or anonymous people get excluded.


You can still do ads, there are no rules regarding ads (other than there are things you can not advertise, like in the real world).

The main issue really is that publishers and ad networks conflate tracking and ads. I'm pretty tired of sites popping up a message saying: "We need to talk about your ad blocker". I don't block ads, I block tracking, remove the tracking and we're good.

Context-based ads work almost as well as those based on endless amounts of personal information. They are good enough; they worked well for decades. The problem is that they are a lot harder to sell/buy and modern online ad specialists aren't qualified to do it; they can only click around Google AdWords or Facebook Ads.


I have a very simple response to this: fix the business model or just take the site off the web. If your site or service is popular enough I'm sure there is a way of monetizing it without tracking ads. Contextual ads, Really dumb ads, product referrals, subscriptions, the options are endless.

The usual response I get to this position is "but I don't want to pay with money and I don't mind ads, and I really like the content, should you be making the decision for me that I can't participate in that transaction?" To which my answer is yes.


Why do jumped-up little bureaucrats always appropriate other people’s power of choice? It’s like there’s some dark instinct to issue diktats so that everyone must follow The One True Way… as defined by you.


> Why do jumped-up little bureaucrats always appropriate other people’s power of choice

They don't. What they say is that businesses shouldn't assume that people's private data is theirs for the taking. People still have the choice to opt-in to pervasive tracking.


> "should you be making the decision for me that I can't participate in that transaction?" To which my answer is yes.


You can participate in the transaction. If the business asks you if you want to participate in the transaction, literally no one is stopping you from saying yes.


No-one but alkonaut and their autocratic fellow-travellers


Yea I’m sticking to that argument.

Basically: I think it would be fine for anyone to participate in market transactions with transparency. But I don’t think there can be transparency here, or that if we really tried then almost no one would accept the transaction anyway.

So I’m thinking a ban of the transactions is the lesser evil.

We already ban e.g. the sale of your own organs. I'm fine with that too. Now, am I the right person to decide whether people value their kidneys like their integrity? Yes.


I think this is disingenuous. There are ways to do advertising without invasive and excessive tracking. We just accepted that getting tracked is the default and has to be that way. But there are alternatives. Sure, those alternatives would probably be less effective but also more respectful of user privacy.

And I know the change won’t happen. I’m aware of that. I’m just saying that alternatives are out there.


There are many people posting without any payment or ads… and usually the content is way better.


GDPR does not ban tracking. It requires that the user is informed how their personal data will be used and, where the processing of their personal data is not strictly needed, explicitly consents to it.


I truly believe that the EU has ruined the internet. There are many ways they could have addressed the privacy issues of tracking cookies. But they decided to mandate the absolute most annoying, user-hostile mechanism possible. And now we can't get rid of it.


No, unscrupulous adtech businesses have ruined the internet. I had a business website that would not track users, and thus needed no cookie banner. If more business owners (especially the large ones) would stay away from shady practices they know full well their own children would object to, I'd say the web would still be a fine place today.

Actually, it's a bit more nuanced than that, because merely by using the #1 analytics solution, even without shady practices on your part, you already put your visitors' data at risk. Other example: embeds. I used Vimeo rather than YouTube to embed videos, using their rather honest do-not-track option, but went the extra mile and disabled localStorage for them, to ensure no data whatsoever was left. So almost all business owners need to actively want to protect their users' privacy, but this is a consequence of a few big players' explicit choices. See above.

[edit: style]


They did not mandate consent banners. Websites are completely free to either A) not collect private information or B) Only track users on an opt-in basis.


> But they decided to mandate the absolute most annoying, user-hostile mechanism possible.

Which parts of it are user-hostile? The consenting part, or the opt-out part?


Their nanny state is leaking.


What’s “nanny” about at least trying to do something to fight the omnipresent tracking?

We can criticize the solution, sure. We can also criticize the end result. But the intention was a good one and it was worth doing imo because at some point something has to be done.
