Hacker News | python999's comments

How about disclaimers on AI-generated legislation?


One way to achieve full defensibility could therefore be to train on a human mimic of the corpus?


> attempt by companies to make people associate cookie popups with GDPR

I think GDPR is generally good for individuals and the internet but if someone hates cookie banners, isn’t it fair to place the blame on GDPR?

Why can’t websites accept a special header which automatically accepts all cookies? I would enable it and handle clearing/retaining cookies myself through a browser feature/extension.


Because the GDPR already has a perfectly reasonable way to avoid the requirement for cookie banners. If you don’t collect information beyond what is strictly necessary to perform the task you are offering to users, and do not use that information other than in the performance of that task, then you don’t need a cookie banner. So Strava would not need a separate permission in order to collect location data for comparing your biking routes, but Strava would need a separate permission in order to use that location data for advertising, and Facebook would need a separate permission in order to collect the location data in the first place.

The GDPR doesn’t specify the technical means, only that permission must be explicit and freely given, with the default assumption being “no permission granted”. I think these conditions are entirely reasonable, and a header that could be set by somebody other than the user, then sent by the browser on behalf of the user, does not satisfy these conditions.


I appreciate your thoughtful comment.

Most entrepreneurs believe that visibility over how your visitors are using your website is “strictly necessary” for running a functional/secure/performant website and surviving as a business, but GDPR disagrees. Hence, cookie banners everywhere.

Not deemed “strictly necessary” > “Statistics cookies — Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions.”


> but if someone hates cookie banners, isn’t it fair to place the blame on GDPR?

No, blame companies that set cookies for merely reading a website and then bothering users about it. They have a choice, they choose to make it obnoxious.


Your plan is what maybe 3% of the population wants. It's a good idea, but it's not a solution to the issue. You can already handle this yourself with a browser extension to click the consent buttons.


I use those. They work on about 10% of sites, because there are about 1,000 vendors of "cookie consent modals" so nothing about them is standardized. Also, none of them that I've seen actually do anything, since "blocking all cookies set by 72 different adtech scripts loaded before and after you init" is not a real thing that Javascript snippets can even do. While most adtech snippets do have APIs to carefully pass in the user's GDPR prefs, most people don't wire them up, or even know what order the various scripts load.


The DNT header already exists. Go figure out why it is ignored (is it too user friendly?) And since the GDPR has a large reach (it covers PII in all forms, not only stored digitally), it is not the place to mandate it.


I’m thinking of the opposite of a DNT header. Websites would be very happy to respect it because it’s like auto-accepting a cookie banner. You would need to manage your own cookies.


(not OP but) we want the opposite. I'm not naïve enough to think that those cookie banners will change much about what is being stored anyway, and browsers are more than capable of dropping cookies on the ground either instantly or at end of session.

So much could have been simplified if the GDPR rules, instead of imposing burdens on a million websites, required the 3-4 browser vendors to have a toggle for preserving first-party cookies on sites where the user submits a form with a password field, and simply cleared all others at session end or periodically.


Not sure why we should want to make companies less responsible in the first place. Anyway, as I said earlier, GDPR does not impose burdens specifically on websites, but on any kind of PII processing. It is not the place to add provisions specifically for web browsers. I understand that the next ePrivacy regulation wants to make it more user friendly, but negotiations for this bill have stalled for years.


I don't want companies to be less responsible. I just think it's a fool's errand to ever expect every single webstore that runs a Shopify shop to understand how to add their 38 different adtech "tags" in a way that truly ensures that cookie consent is captured, stored, and conveyed to each entity that could come into contact with that data.

But by regulating browser vendors, they could have made it so that it doesn't matter what cookies they sent you. If the user hadn't consented in a browser UI, the browser would forget the cookies. Easy to verify compliance.

It's just like the ol' pathetic "Do Not Track" header. Same flaw. Asking "please don't give me a cookie that I'll have to keep and send back to you anytime you see me" instead of saying nothing, and just dropping the cookies you don't need on the ground.


There seems to be some serious misunderstanding here. For one, why do you think this is about cookies at all?

This is not something that can be solved client-side other than obfuscation etc. They can track you with other means than cookies. Even worse, you might have an account on their site. Having an account and using the site (and logged in) makes it trivial to follow you, but that does not give them the right to abuse that information for other purposes. You might have a unique IP and can't reasonably expect to do anything about it.

GDPR covers all of that.

"Just delete your cookies/session" is not relevant.


GDPR requires you to request consent for any cookies that “could” be used to identify you, which makes them personal information.

So if you want to use cookies to link a user’s sessions on your own website together (without actually identifying them) so every request doesn’t look like a totally anonymous, opaque request, then you must show a cookie banner.

You could (presumably) do this through browser fingerprinting and not require consent (since you don’t actually enrich/link the browser fingerprint to become user data) but you need a cookie banner if you do it with a cookie.


> GDPR requires you to request consent for any cookies that “could” be used to identify you, which makes them personal information.

> So if you want to use cookies to link a user’s sessions on your own website together (without actually identifying them) so every request doesn’t look like a totally anonymous, opaque request, then you must show a cookie banner.

Wrong. The ePrivacy directive has an exception for strictly necessary cookies (Article 5.3), which is applicable for user sessions.

The ePrivacy directive: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... Search for “strictly necessary”. More details in this opinion from WP29, see section 3.2: https://ec.europa.eu/justice/article-29/documentation/opinio...

> You could (presumably) do this through browser fingerprinting and not require consent (since you don’t actually enrich/link the browser fingerprint to become user data) but you need a cookie banner if you do it with a cookie.

Are you able to identify someone from the fingerprint of their browser? Then the fingerprint is PII. Consent (or any other legal basis from GDPR Article 6) is therefore required if the exemption from the ePrivacy directive is not applicable.

GDPR Article 6: https://www.privacy-regulation.eu/en/6.htm


> isn’t it fair to place the blame on GDPR?

I could be wrong but IIRC cookie banners predate gdpr.


There’s a lot of conflation between the 2003 EU Cookie Directive, and the GDPR. The cookie directives specified a technical means (“cookies”) and actions that needed to be taken in order to use them. The GDPR specifies the ends (collecting and/or processing personal information) and the conditions (explicit and freely given consent), stating that anything achieving those ends must meet the conditions. It’s a much better written law than the 2003 Cookie Directive, because it avoids the need to irritate users for legitimate use cases, while also preventing legal loopholes (e.g. “We didn’t use a cookie, just the browser’s localStorage feature.”)


This is factually incorrect. The "Cookie Directive" wasn't from 2003, it was an amendment to the ePrivacy Directive. The ePrivacy Directive came into effect in 2002, and it was amended in 2009. That amendment is what people generally call the "Cookie Directive" because it required consent for storage of information on end user devices.

It did not specify cookies, and did not actually specify any technical means. The ePrivacy Directive requires that companies get consent from users before storing information or gaining access to information stored on end user devices. This includes every kind of cookie you can think of, including LocalStorage. There is an exception for cookies necessary for the service requested, which typically includes things like auth cookies or shopping cart cookies, so long as that data is not used for anything else.


I share your optimism, but I think a lot of the OP’s concern here is in response to a generic non-medical LLM “passing” a medical exam. In that case I think it is fair to compare it to a medical “colleague”, at least for now.


C3PO? Or maybe its challenge is more relevance and conciseness?


My requirements are 99% SPA and 1% SEO


Maybe they would just monitor the corridors along transmission lines. That would be a tiny fraction of the area.


And you could use inductive loops to keep the drones aloft indefinitely.


That’s a really good idea


I had serious neck problems for years then one change almost completely relieved them: going from multiple monitors to a single monitor. The horizontal neck swivel motion is very nasty.


Yes that slows the rate of change, but the rate of change adjusts based on the times (and hopefully it’s reasonably optimal but that would be hard to measure objectively because it’s a complicated risk-vs-reward, explore-vs-exploit trade-off). E.g. historical revolutions usually saw rapid changes in many areas like politics, art, culture, technology. Societies (like organisms and ecosystems) are extremely complicated so there are serious risks to evolving too fast so slow isn’t automatically bad.


Do simple hello-world HTML pages render ok? I found that rendering was slow-ish but totally acceptable for reasonably heavy HTML pages, so long as we weren't flooding page re-renders (eg by using React without any optimisation of render calls)


Yes those were fine.

