In The Netherlands the Data Protection Authority announced this month that websites are no longer allowed to block access when people click "NO" in the cookie warning;
Clicking 'no' should still allow people to view the website, but without placing any tracking cookies.
Hmm, there are features that one literally can't provide without state (cookies).
I think the real problem here is that the technical feature of cookies providing browser state is a poor proxy for what EU/DPA _really_ wants to regulate, which is privacy-related tracking.
There are tons of sites I've written which use cookies, but have no ads and perform no user-tracking whatsoever, not even Google Analytics. It is true that cookies are the _easiest_ (if not the only) way to do the other; but making "cookies" the thing that gets effectively "regulated"... I realize this isn't necessarily the intent of the regulations, but I'm suggesting it's part of what results in the situation troy mentions. There are very few sites that don't use cookies; there are or at least could be more sites that don't track you in a privacy-compromising way, to train the user that this is the same thing is just too much noise for the user to actually make any discernments.
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
Of course, no website will ever tell you "Hey, we're using cookies to track you"; it's in most companies' (both legal consulting companies' and website owners') best interest to keep people ignorant. Consulting companies want website owners to be scared and buy legal consulting services, and website owners want people to think that the pop-ups are a result of stupid EU legislation and not because they are actually being tracked.
" in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
If I need to get explicit opt-in for "So, remembering your shopping cart when you come back requires cookies, that okay with you?" I'm not sure how much better that would be. It's still gonna be information overload "false positives".
But I think that is what the regulations actually intend. "We need cookies to give you: Shopping cart; search history; login to your account; whatever -- opt in or out to each one, you can still use the site just without those features if you go out."
A) That is actually fairly expensive to implement.
B) I think it _still_ wouldn't accomplish the goals, it's still _way too much information_. Nobody cares whether or not you use cookies to implement a shopping cart. They care about things related to "tracking", especially aggregated tracking, and profiling.
C) But you are exactly right that no company is ever going to tell you what you _really_ care about. Unless regulations make them maybe. These regulations were trying. Not there yet.
I'm fairly sure I agree with out that the law wouldn't achieve its purpose even if it was implemented "correctly", and it certainly doesn't achieve its purpose with how it's implemented by websites today. I considered adding a short sentence about that, but ended up not doing it. I'm just tired of the vast amount of misinformation out there, and people discussing as if the directive applies to all cookies and only to cookies.
I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects which includes being able to create an account to save their shopping cart and view their order history, while using cookies to show tailored product suggestions wouldn't be. However, IANAL and I haven't even read through the text of the directive.
In any case, the vast majority of the times I see the cookie notice are times where there are exactly zero reason to use cookies (or other methods of persistent storage) other than tracking, such as blog posts and news articles. Every single one of those websites would be able to get rid of their annoying pop-ups if they just spied on their users a bit less.
> I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects
You can 100% support a logged in account experience without cookies. Java, for example, supports jsession id in the URL for people with cookies disabled. This id belongs to a session that is managed by the app server, which you can use to store information such as the cart, logged in account id, etc. If Java can do it, other languages and web frameworks that currently only support cookies can do it too.
I think the better angle to look at it is: session cookies expire when someone closes their browser. They aren't that good at tracking people.
I'll quibble with the 100% thing. Yes, you can shove session ids into the URL but it's generally pretty terrible from a security and UX perspective, you can't share links, and caching becomes much more difficult.
In that light I tend to agree with GP. If you're just using cookies to run sessions for your site, I just can't see regulators coming down on you.
There's some potent mix legal and technical pedantry combining with the profit motive of consultants everywhere that has led to a huge wave of overblown FUD around GDPR.
The fact is, ad-tech has been running amok for years and I don't think it's that hard to draw a line if we're intellectually honest. Of course it will take years for case law to catch up, but it's not as hand-wringingly difficult as some would have us believe.
> If I need to get explicit opt-in for "So, remembering your shopping cart when you come back requires cookies, that okay with you?"
You don't provided you have a reasonably short retention period, are not storing personal information that is not directly needed for remembering the shopping cart and are only using it for that and not simply using that as a justification for something else.
> Nobody cares whether or not you use cookies to implement a shopping cart.
Nor do the regulations. You have to meet the exactly the same requirements to store personal information using some other mechanism that you do using cookies.
> Hmm, there are features that one literally can't provide without state (cookies).
The biggest lie in most cookie warning popups is that you need to accept them for the site to function. It is often not true. Those are session cookies and you don't need to warn users about them, they're just allowed.
I didn't know this, and neither do any of the cookie warnings mention this. So like many people I thought the cookie law was the stupidest thing ever because like you say, you gotta have state. But the session cookies used to make a site hold state, those aren't considered tracking. When I learned about this little fact, it changed my opinion about the cookie law considerably.
I went through a similar thing which resulted in me removing cookie warnings from all but one of the websites I manage, yet I still believe that the law is stupid. It's like outlawing guns to solve your murder problem without considering all the other murder weapons all while keeping the act of murder itself legal.
As far as I understand it, the GDPR does everything and more than the cookie law was supposed to, so IMO it's about time we put that disaster behind us.
The directive containing the cookie law (ePrivacy) was indeed being revised in 2017. I haven't heard much about it since though. It Essentially enshrined the Do Not Track header into law and also expanded the rules for privacy etc of sms to internet messeging services. I wonder how much of the information in this thread is about the original directive and how much is about the new one.
On the web, your approximate unique ID is your browser fingerprint. That can be used to join your activity to other activity.
Your session cookie is your activity for your browsing session (or for users who never quit their browser, your entire computer uptime).
Think about it -- a cookie is information the web server gives to you; it's essentially a bookmark to your current position in the app. The server already knows where you were -- it saw you there!; it just doesn't know that you want to go back there on your next HTTP request.
Tracking data is data you give to the web server. Cookies are only one primitive to enable tracking. Cookies can be replicated by URL query parameters, subject to size constraints.
I'm not totally sure what you are arguing, but if you don't use the cookies for tracking, then you don't need to warn or inform the user. And if you use some other kind of tracking beside cookies, you still need to warn.
Yes, there is a lot of nonsense talked about this. The GDPR makes it clear that sites don’t have to ask for permisssion to place session cookies and other cookies that are essential to the functioning of the site.
"Hmm, there are features that one literally can't provide without state (cookies)."
Silent cookies aren't completely banned by the GDPR/cookie laws, only cookies that aren't necessary to provide the service requested by the user. That's sort of vague, but I think mostly obvious what is intended there. It's pretty easy to operate within the spirit and letter of the law: Shopping baskets, load balancer cookies and login tokens are fine (provided you only use them for those purposes!), third party advertising tracking cookies are absolutely not (without consent). More info here: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...
Lawyers have told me that you do not even need consent for Google Analytics, unless you enable the data collection for advertising features.
It appears to me that there's intentional bad faith misunderstanding from some, regarding both the cookie law and GDPR, in order to try and paint it as unworkable.
Meanwhile, even though the _only_ user-tracking we do where I work is Google Analytics (no advertising features) (and you say your lawyers say you don't need consent for that) -- the official word on high where I work is all our websites need the stupid "i consent to cookies" banner if we use cookies.
So, yeah, it's a mess. These "extra" warnings are contributing to user fatigue, I agree with troy hunt that users are just gonna ignore them all. I also understand why a small organization can say "Well, I don't really understand if we need it or not, the lowest risk thing to do is just to supply it." And there's no law _preventing_ you from supplying an unnecessary pointless cookie warning banner...
That’s more the fault of the higher ups for not understanding the law correctly, which really, is on them because the EU went to quite a bit of length to make the document readable and if execs/managers aren’t smart enough to know the difference between necessary and tracking cookies on their own site, then that’s really their own fault.
> the EU went to quite a bit of length to make the document readable
It's 88 pages of legalese consisting of 99 articles distributed over 13 chapters. It also has dozens of footnotes which incorporate thousands of pages of other laws by reference.
> and if execs/managers aren’t smart enough
Clearly I am too stupid to operate a business and have reading comprehension problems. Thanks for letting me know.
> Meanwhile, even though the _only_ user-tracking we do where I work is Google Analytics (no advertising features) (and you say your lawyers say you don't need consent for that) -- the official word on high where I work is all our websites need the stupid "i consent to cookies" banner if we use cookies.
Google analytics feeds tracking data to google for advertising purposes and tracks you across sites, it's exactly the sort of crap the cookie warning was meant to stop.
> These "extra" warnings are contributing to user fatigue
Your need for analytics is contributing to user fatigue.
> I agree with troy hunt that users are just gonna ignore them all
So do websites putting up these silly warnings, do you actually wait for people to accept before they get their tracking cookie?
However, google is still a third party and I would argue this is not legal, as is using google maps or other external entities known to employ excessive tracking unless you have special data protection contracts with said entity.
But I also understand the law, that anonymous user statistics are just fine and don't need consent as long as you retain the data yourself and of course mention it in your privacy policy. Though you might still be obligated to respect "do not track" and adding an opt-out setting.
> It appears to me that there's intentional bad faith misunderstanding from some, regarding both the cookie law and GDPR, in order to try and paint it as unworkable.
Very much this. None of the cookie warning dialogs (I've seen) mention this, and a lot of them use the dialog to complain about the law.
Something seems to have changed when GDPR came around though. The cookie warning dialogs before just had angry or condescending warnings with only a big "I accept" button, and otherwise too bad. But recently I've begun to see more and more warning dialogs that both have more honest wording about what they're about, as well as providing a "Decline" button.
IIRC there is something in the GDPR about explaining the privacy choices in clear language to the user, as well as having to provide an alternative if possible. If that's the case then it really does smell like intentional bad faith.
Although to be fair in addition to bad faith, I think it's also a lot of webdevelopers just not doing research what is exactly required and just parroting the scary story off each other.
But there's certainly a large part that just want to scare their users into accepting Google Analytics tracking. I'm curious about what those lawyers told you, though. Analytics data flowing through a third party widget that is doing the same on almost every site anywhere, sure feels like tracking to me. But maybe if you disable the data collection for advertising option, Google really won't cross-correlate that data for their own purposes. Even then, doesn't Analytics track the path users take on a single site too? For measuring "conversions" and such, as well as just detect whether people get "lost" on the site, or something.
Now certainly that's useful information, but it is tracking. Also you can get a lot of that information (and more) by just doing basic usability testing on real users. No tracking required and if you ask 10 people to try your site, you get 90% of the usability issues, with diminishing returns (based on some usability research I once read somewhere). But the information is much higher quality because you can ask them questions, ask them to perform tasks, actually look over their shoulder, etc. Tracking website users through analytics is just numbers and doesn't tell the whole story in very many cases, anyway.
> if you ask 10 people to try your site, you get 90% of the usability issues, with diminishing returns (based on some usability research I once read somewhere)
I'd distinguish between first and third party cookies.
Is there any legitimate and reasonably necessary purpose for third party cookies? And similarly is there any undesirably exploitative use of first party cookies? As I am not a web developer, these are not rhetorical questions.
Which doesn’t mean they have to provide access for free, they are most likely allowed to ask a fee for that.
From the same website you link [1]:
“Does anyone refuse tracking cookies? Then you still need to give this person access to your website or app, for example after payment.” (google translated)
The problem with asking for a fee is that Europe operates under the "transaction takes place at the buyer's location" model for such transactions, meaning you have to collect and report VAT on those fees in each country you have a paying user in. (The same goes for state sales tax in most US states).
If a site makes its money from ads, on the other hand, the location of the visitors is irrelevant when it comes to taxation. The payments from the ad network will just be ordinary business income at the place the site is located.
I don't think the charge a fee model has a chance, except for a few large sites, until some sort of intermediate service is developed that isolates the sites from having to deal with taxes in a bazillion jurisdictions. Something like a Spotify for site access, where users can pay the service a subscription fee, and the service pays sites after taking care of the appropriate taxes on the user's subscription fees so that the sites don't have to deal with it.
No, they're supposed to serve generic, non-tracking ads. Non-targeted, or whatever the terminology is.
It's hilarious how everyone has just forgotten that used to be a thing. The people on this website are literally the problem, you can't even conceive of a website that doesn't track every click you make across the whole internet, and you guys are the people building the new web.
It has never been a thing, that's why. Adverts have been targeted for decades before the internet existed at all.
Do you think TV adverts are placed randomly? They aren't. Different times of day have different value to different advertisers. TV ads are targeted based on detailed knowledge of audience demographics.
Do you think billboard ads are placed randomly? They aren't. Their placement is optimised based on the beliefs of the ad firms about who will drive past them or see them.
Do you think internet ads were placed randomly before AdSense? No, they were targeted by rough demographic guessed from the sites content just like TV and billboard ads were.
All that's changed on the internet is that targeted has got more precise and more sophisticated. But there's no bright line separating "generic" from "targeted" ads, like you imagine. And the better targeting is hardly an optional feature like the DPAs seem to imagine. It increases revenues which enables firms to provide new content and new features. Roll back the web to 1990s era ad techniques and now all the ads on generic sites like news or search with no clearly defined audience will be barrel-scraping "punch the monkey" animations, for those of us who remember that stuff.
The concepts of a session cookie is different then a cookie used for advertisemnet that tracks you across the internet. The problem is tracking and ads, not authentication and authorization for functional purposes. Cookies are just one way to track people and serve ads, there are many others.
Facebook is a great example on keeping diluting these concepts. They ask for your information for function security purposes and then go back and use that same data for ads - that is unethical and has to stop.
The GDPR doesn't regard cookies that serve a bona-fide business purpose. You are free to use cookies to provide a shopping cart, or allow users to log in to an account at your store, or whatever. It's specifically tracking and advertising that is forbidden.
If the user is not getting something out of it (besides the generic "access to my website") then presumptively don't do it. GDPR is literally as easy as that.
GDPR understands full well that you need session cookies to provide a shopping cart or user account. That's why there's specific exemptions for it.
Companies are not trying to 'do inherent evil' - they just want to show relevant ads. And by the way, consumers definitely appreciate the relevance.
There is another side to the equation, and there are economic consequences to all of this that will come home to root.
Personally, I loathe Facebook and don't use it for personal reasons, but I have a small business and it's the only advertising mechanism that works for us: we have a neat little product for a niche category.
There are entire economies that can only exist with the ability to effectively get the word out, there is tremendous social good in this.
We just have to figure out a way to do it that fits within reasonable privacy guidelines.
Why? It's relatively common for governments to prohibit businesses and services from discriminating against certain types of users, why do you think it's ridiculous in this specific case?
Whether we like it or not, tracking data used for ads is the currency of the free internet. It is how things are paid for.
This is like a government saying to a restaurant "You can't discriminate against people who don't want to pay you money for the food. You can ask them if they are willing to give you money for the sandwich, but if they say no, you still have to give them the sandwich"
Tracking is not necessary to make money online. It’s just helpful.
It’s more like the government saying, you can’t discriminate against people who demand that their food is cooked in a kitchen that isn’t filled with cockroaches. It’s going to hurt the bottom line, and might kill some businesses, but it doesn’t reduce to a prohibition on making money.
> It’s more like the government saying, you can’t discriminate against people who demand that their food is cooked in a kitchen that isn’t filled with cockroaches
What?! Are you seriously speaking of prohibiting cockroaches?
Cockroaches are everywhere! They are essential to survival of businesses! And it would be impossible to completely get rid of them anyway. Prohibiting cockroaches in public restaurants would push immense cost upon eaters. Without cockroaches how could we possibly get rid of the food waste, that routinely accumulates in kitchens? Do you expect us to spray our kitchens with toxic pesticides? To hire some specialized people of to lick food scraps off kitchen stoves with their bare tongues?? Insane!
I think a better example would be: you can only get food if you give us your address and consent that all other restaurants in the vicinity send marketing mail to you. You also consent that we and they exchange information about when and what you ordered.
To me it sounds very sensible to make such a business practice illegal.
"the government" as in >we the people< says to all the restaurants (and groceries): this stripping of all of our clothes before entering is nonsense and we can't choose not to eat, so we will force you.
If that's so, it's as if an unknown and possibly arbitrary amount of money was taken from your wallet every time you picked something up from a store. Yes, it's nice that I can walk into Whole Foods and just pick up a few oranges and leave, but if I get home and it turns put they cost $25 each, is it worth it? The data market is not mature and transparent enough for the transactions it's capable of making.
> Whether we like it or not, tracking data used for ads is the currency of the free internet. It is how things are paid for.
You're right, it's the currency now. It would be great if it wasn't. If there was some way to force the industry to come up with new, non-privacy-invasive methods... Hey maybe if we made a law to ban the old, bad, way....
The only examples I can think of for the US where this happens have to do with historically discriminated classes of identities; e.g., gender, racial minority, etc.
Agreed. I think of it akin to smoking, drinking, drugs, speeding, or various other acts you can partake in. The government should largely stay out of your life but society has deemed some things "for your own good". In this case, I could see certain types of advertisements or data harvesting which is largely misunderstood to be managed by the government, where they decide that companies can't track you - whether you want them to or not.
Disclaimer: I'm not saying I agree with any of this. Nor that any of this is truth in any way. I just view the governments involvement here, saying how ad companies can behave, to be similar. Whether that is good or bad is complicated, and out of the scope of this conversation.
There's been laws about that sort of thing for decades. A business can no longer refuse to serve black people. So we, as a society, are using that logic.
They can refuse to serve you, however, they can't then turn around and claim that those who clicked "I consent" actually did freely opt-in to tracking because they genuinely wanted to be tracked - because, obviously, they most likely did not.
In essence, GDPR states that you're not allowed to violate the privacy of people unless they really want to (freely given, informed, narrow/specific opt-in consent) - and this time, all the oft-used loopholes to "extract consent" don't really fulfil the criteria, as forced consent is not considered consent.
If the cost is for hosting a bloated 14MB page, 30% of which is hostile JavaScript, let's talk about ridiculous. "But we need that JavaScript to scrape the data and run the ads to pay for hosting all that JavaScript!"
My stance is even more ridiculous: Deadbeats who can't afford hosting without begging, selling ads, or turning against their users, scale your site down to something that's cheap to host, or get the hell off the internet. Back to the amateur web of the 90s. It was fine.
Yes absolutely! Websites need to find revenue models that don’t depend on violating the privacy of their users. That stance makes a lot of sense to me.
> Shouldn't people be able to choose what currency they want to pay for something in?
Thats a very libertarian position statement and I understand it. But the EU is much less capitalist/libertarian than you are. Their parliament made the call that they don't want people paying for services with their personal data.
There's valid arguments on both sides here. Some arguments supporting the EU's stance:
- If online newspapers get paid in proportion to views, they make more money by writing divisive clickbait
- Privacy is a fundamental right; not a currency. Treating it as currency means only wealthy people will be free from spying, and that is borderline dystopian.
- Advertising on the internet worked just fine before everyone was tracked and monitored through every click. Don't annoy me with cookie notices. Just don't use cookies for tracking and we'll get along fine.
What, to you, makes something a fundamental right?
The EU's document is "Charter of Fundamental Rights of the European_Union"[0], which does grant privacy as one. That pretty clearly does make it a "fundamental right".
Note the US Constitution's Bill of Rights does not offer right-to-privacy (but the 4th provides protection from searches-and-seizures without probable cause, which really doesn't deal with "privacy", especially from non-governmental actors).
Perhaps parent should have said "fundamental right granted by the EU", but in this context it's pretty clear.
Contracts of adhesion don't lead to very good choice. And pretty much no site lets you choose what currency to pay in when it comes to ads. Realistically that would mean an option to pay a fraction of a penny per page.
So 'choice' is already something that has failed in the free market. Bring on the privacy.
It's been proven over and over again that people won't pay for content that gets successfully monetised with advertising.
You only have to see the howling every time someone posts a subscription only newspaper link on HN to see how vehemently opposed people are to paying for stuff like news.
Why doesn't MC Donalds sell pizza? (I know they did at some point and gave it up). Because their customers don't want it, or at least not enough of them do.
"Subscribe or fuck off" is a stupid business model when it costs practically nothing to implement multiple revenue streams. This is such an obvious point.
I like to think of that time as a great time too, but oh man so much we couldn't do.... I get what you're saying generally, but man I'd hate "before cookies" to be the standard.
The big use of cookies for re-authentication and carrying around a session id enabled clean URLs lacking your session id as a query param, but it wouldn't be that big of a deal to lose it. You'd need to be careful with copy-pasting URLs -- but given browsers standardized on cookies they could have standardized on a sessionId param name to filter out of copy-pastes or not even display it at all similar to Chrome's proposal to not display the protocol, just a "secure" flag or not. A similar "session context established" flag could have been made. And in the age of password managers and/or having your browser remember your login, it wouldn't be that much of a loss to require logging in to everything again every time you restart your browser... maybe more of a pain with 2FA.
I don't really see it as "what we couldn't do" but "what poor usability we have overcome". I'm glad we have cookies and other forms of local storage, especially for the latter there are many other benefits. Maybe one day we'll get Web SQL.
In the meantime people can still disable cookies entirely, or at least delete them when they close the browser, both with out of the box browser settings (and I have no idea what extensions are available to do even more) and return to that less-usable (if slightly more private) experience. The crucial idea of a "user agent" is I think the biggest mindset change the web brought, it's important to keep that even if on the dev side we constantly complain about being asked to support more than one configuration of anything.
>I don't really see it as "what we couldn't do" but "what poor usability we have overcome". I'm glad we have cookies and other forms of local storage, especially for the latter there are many other benefits. Maybe one day we'll get Web SQL.
Yeah I think that's accurate.
It's a little weird sometimes reading all these articles about cookies, JavaScript, etc and I always think "But I use those things to ... give people things, convenience, data, help them do things." But so many times it's not treated as a tool, it's almost implied to be a negative thing.
This will work until the EU in decides you must ask the user permission before you can change the query string. Technology was not the cause of this problem and it won't be the solution.
The WWW before cookies was pretty limited, and didn't last long. I mean, the first web browser was released in 1990, and cookies were introduced in 1995.
The same functionality of correlating multiple requests for a single request (building sessions upon packets) was just more difficult to use by encoding the session ID as a parameter in query string for each request. Many frameworks still support this mode.
Nobody cared. I submitted CC numbers over http connections for years in the late 1990's. I emailed them sometimes, too. I also used telnet across the public internet and never got my passwords sniffed or mitm'd (only on hacker meetups where I would lure people into honeypots by doing fake telnet sessions :) )
By using secure networks? PPP is older than SSL and have been in widespread use for longer time.
SSL is largely irrelevant to banking security anyway. Actual security is built upon charge-back system. The underlying security model was designed when everyone trusted written checks.
Believe me they are getting paid, read surveillance capitalism for the real story, http://www.shoshanazuboff.com/new/recent-publications-and-in... stop deferring your choice! to big technology monopolies, tell them stuff their cookies where the sun don't shine.
My argument was one user who requested one page and didn't want to consent to cookies/tracking in order to offset the ridiculously low cost of serving the actual page (I'm considering the cost to make it as having already been burdened, as it's already being served).
The OC didn't consider the fact that you can have advertising without cookies/tracking/fingerprinting and just reduced it to absrudism by saying that the company would bear the brunt of the cost but even the cost of that single event is marginally insignificant, overall.
So, no, my argument was never about all digital goods being free. However, if we want to play the devil's advocate and utilise your reduction to absurdism: By your argument, shouldn't all digital goods be paid for...? For example, Ubuntu costs money to host and serve, yeah?
>In fairness it can add up pretty quickly on popular sites.
Aye, if they're only looking at it from a "cookie placement/tracking or nothing" hard-limit perspective, which is what the OC posited it as.
...but if other sites can absorb the costs, case in point: NPR, why is it such a dastardly evil thing to point out? Is there some foolhearted belief that if we cut tracking, tomorrow, the internet would cease to function? Is there absolutely no room for advertisements without cookies/pixels in the modern world...? Do we really believe that it's that expensive to serve webpages?
We are now in the middle game of GDPR. Companies whose business model depends on tracking users essentially have now an illegal business model, because practically no user will give informed consent when they are offered the same service without consenting.
So what can these - now shady - companies do? They probe the limits of the law, and try to keep their business model alive as long as they can. We need to wait and see. In my opinion, the most probable development is that European data protection agencies will start to hand out fines. Of course, the shady companies will fight them in court, and of course, they will lose. Then they will retreat a step, and try again with a little bit less intrusion into the user's privacy. Over time, courts will rule, and fines will increase, until the shady companies will give up in EU.
Then EU will essentially become free of tracking networks. It might take a few years, but I think the intermediate annoyance is worth it.
> Then EU will essentially become free of tracking networks. It might take a few years, but I think the intermediate annoyance is worth it.
I don't disagree with you but I think it is more likely that these companies will just not let EU peoples use their sites at all.
One BIG fine (and you know they're salivating at the prospect of getting multi-billions out of Google and/or FB) and doing business in the EU becomes too much of a gamble for a company to justify the risks.
Some will choose to adjust practices, others might choose to block the EU. If they're happy to lose that many users, as they think tracking is more important, would that be so terrible?
It might even encourage some more ethical alternatives, or some real attempts to solve micropayments.
It really depends on how heavy handed they get in their enforcement actions.
Everyone knows that FB and Google are expending serious resources to be in compliance yet they will more likely than not get some large fines anyway because politics. I doubt they will ever leave the EU but other, smaller, companies will not have the resources to throw at the problem so will be effectively locked out of the EU market.
It's probably in Google's best interest to pay a couple billion euro fine (to scare off the smaller fish) in order to lock in their de facto advertising monopoly.
I already encounter EU blocked sites almost daily. It would get much worse.
And yes, I do consider it terrible that my nanny state government decided what is best for me, over some hysterical fears about tracking. I don’t give a damn. I don’t consider tracking of me in the way the browser can do actual personal information.
I’m OK with a strict regime for actual personal information, like name+address, heck, even spam data like phone and email, but extending that to tracking cookies, at the enormous cost in usability we’re already seeing, is ridiculous.
I hope they do pull out of the EU. That would be one of the biggest business opportunities in history for privacy-respecting companies to fill the void that was left.
That is a desirable outcome too, because copycats will then start in EU, and citizens of all countries will prefer to use their tracking-free services instead of the tracking ones.
As it looks to me, they are responding back by trying to push through articles 11 and 13 so that they can then all switch to paywalls. A paywall for a news company is practically useless as the internet currently stands as any major story 1 makes gets linked to and paraphrased by dozens of other news agencies within minutes. Why would users pay for a news website when they can get practically the same thing at a free one that did not work to come up with the story. And article 13 is to prevent 1 user who does pay for a website from copying the entire article and pasting it in a comment (I see that and archive/outline links all the time here and on reddit).
I haven't read the full decision but I'm always surprised at how little regard European courts have for property rights. If it's my website, I should be able to decide who has access and under what terms.
Don't like cookies? No one is forcing you to visit a particular website.
I also feel like tech companies could adopt an open standard for cookie acceptance preferencesin web browsers, but they're afraid to lest they be forced to deal with even more regulation later.
to decide whether to track your users? through third parties? for advertising purposes?
Why? Why do you get to decide and not the users? I'd rather you didn't!
It really honestly does surprise me the amount of crap Americans are willing to swallow when it comes to advertising methods, or even just profit in general. Your whole society is rife with abuse. There's robo-calling, giant billboards, attack ads, pharma ads, ads or contests that are literally scams, just a few from the top of my head. Probably more I don't know about (ads to target children? there is NO good way to argue that children "should" be targeted by ads).
It's a small miracle you managed to push a mandatory "unsubscribe" link underneath mass email lists. I suppose it's mandatory because given the attitude to this kind of abuse I doubt they would put them there voluntarily.
Also, you've seen what happened to the online ad industry without this kind of regulation. If you don't make rules they're going to push it as far as they can. It's gotten to the point where people recommend adblockers for security not getting rid of annoyance. Or for saving about 95% of your mobile data plan surfing sites. Did you ever notice the most profitable ads pay for the shittiest content? The system isn't even working.
I'm a big fan of a lot of pro-consumer regulation in EU. For example the right to block junk mailers in Germany with a simple notice on your mailbox is amazing.
However I think websites should be able to block access to anyone they want. It doesn't seem fair to force websites to serve an audience if they do not wish to.
However, if they say "press here to forego your privacy or we'll block you", then that's not a freely given consent to forego your privacy, and in this case this "consent" doesn't count as consent. In this case they're not allowed to track people who "consented" because they didn't really consent (both in moral and in legal sense). Consent "counts" only if it's freely given, if people really want you to do that thing; in EU privacy rights are not something that can be sold or bartered away.
It's somewhat comparable to consent to sex - let's imagine that in a place where you can freely fire workers at will, you say "consent to have sex with me, or I'll fire you". You technically can fire them, but that "consent" isn't really consent, and even if they "agree", that's still nonconsensual. Privacy (in EU) is pretty much the same.
As an European, it honestly surprises me how much crap people are willing to put up with to advance the nanny state, and even support and advocate for that shit.
I'll take freedom any day over someone telling me that they know better.
This is an ignorant position. When you extend an open invitation to the public to enter your private property, it becomes subject to public regulation under common law due to the open invitation. Under civil law, they can just dictate the regulation. Regulations of businesses which are open to the public is not some uniquely European invention.
Obviously you cannot do whatever you want to a person who physically enters your business. This is a facile point. The same is true of websites: simply because a person navigates to your website, you do not automatically have the right to place tracking cookies into their browser.
That's a really naive view. I take it you would support segregation in shops etc. "It's their shop. If blacks don't like it they can visit a different shop".
DPA can track you for at least 31 days before their log files rotate and get aggregated. It is not via a tracking cookie, but unique enough in my opinion to track you, and that happens without consent.
For a privacy advocating party it would suit them to not log anything and be very clear about that.
> Clicking 'no' should still allow people to view the website, but without placing any tracking cookies.
No! It doesn't. Viewing a website isn't anyone's god-given right. The tracking cookies are part of the business model. If you don't agree with how a business makes money, stop patronizing them.
If this is serious, look for companies to just block all traffic from The Netherlands. Why even bother dealing with the hassle.
Slavery and child labor were also just "part of the business model".
Some business models are predatory societal negatives and should be done away with at a government level of respecting individual rights. Behind-the-scenes tracking and data brokering are in that class.
Slavery and child labour are coercive. Not letting you use a website is only coercive if that website is Facebook or Google or some other monopoly core to a person's ability to function in modern society. If you can't access Bob's Bargain Basement Underwear then you've got plenty of competitors to go to.
It has nothing to do with being coercive, or any such specific facet of any implementation of rights violation. It's about being a rights violation, full stop.
Regarding options, in the current model it is generally unknown to the user what is happening with their seemingly private, personal, and "lock icon" encrypted activities on a site. While some here might consider it a "fair exchange" to give up PII in exchange for website services, the vast majority do not understand or even perceive that, and it is not an informed exchange at all. It violates the user, both in the nature of the exchange and in the privacy implications. It is a type of interaction that should rightly be barred in the absence of understanding and explicit, intentional consent.
What is the significance of this decision? This is already explicitly stated as disallowed in GDPR. Is this just an declaration of intention to enforce the existing law?
> This feels like a war on cookies, and there are bad things done with cookies, but I'm not sure if they're fighting on the right front long term here.
Problem is will-full misinformation. It's a war on tracking cookies, not session cookies for login state, etc. But all the cookie warning dialogs make it sound like it's a war on all cookies no matter what, so "just accept because otherwise this site won't work, also <insert clueless condescending remark about the cookie law>" (really, the amount of sites that use this dialog as a misinformation soapbox to vent against not being able to track their users...).
To add insult to injury the big players with most trackers just refuse to show the cookie warnings at all. At least that's the situation Germany where most major news outlets are full of ads and trackers and handle all of it via opt-out(!) in the privacy policy. For a example see spiegel.de, the most widely read German-language news website.
It's mostly small and medium sized firms that show the cookie warning out of fear.
That's completely the opposite of what I want as a consumer as well as a small-time webmaster.
EDIT:
Just to be clear: spiegel.de never shows a cookie warning even if visit with a fresh browser. You can opt out by visiting their privacy page [1] (in English).
Anyone who didn't see this as the predictable end-result of requiring cookie awareness and consent was hopelessly naive about how large vs. small organizations respond to unfunded government mandates.
The money and time could have been a lot better spent on international awareness campaigns arming consumers with more privacy knowledge instead of expecting website owners to shoulder the informational burden (because those orgs in aggregate have no core incentive to treat user's privacy as an inherent good).
These organizations do have such an incentive. The very essence of GDPR is to create these incentives. The EU's goal with GDPR was to make user data a liability, and to encourage organizations to reconsider their need to hoover and hoard it.
The GDPR is unlikely to be overturned, and there are plenty in the EU who are eager to enforce it. Just because it's not being enforced right this second doesn't mean the law won't catch up to offenders.
Especially if Margrethe Vestager replaces Jean-Claude Juncker as president of the European Commission, you can expect a ton of action on this front.
we have definitely seen movement (plenty of data protection authorities have issued warnings), but it really hasn’t been that long (it’s been less than a year)
the only way that a law like the GDPR that’s purposefully vague and broad can work is to allow plenty of lead time for warnings and fixes before fines
it’s a process; you shouldn’t expect it to change everything overnight
>The EU's goal with GDPR was to make user data a liability, and to encourage organizations to reconsider their need to hoover and hoard it.
And as a consequence we're going to continue sinking into irrelevance.
>The GDPR is unlikely to be overturned, and there are plenty in the EU who are eager to enforce it.
I think it will be overturned a couple of decades from now, when an economic crisis hits and we find that we've fallen significantly behind other countries due to our fear of technology.
This is not the end-result at all. It is an intermediate result. European data protection agencies will start handing out fines, then courts will start ruling, and in a few years we will see the end-result.
My prediction is that these Cookie shenanigans will be ruled as illegal according to GDPR, and then they will disappear.
I’ve been hearing this since 1997 when the first Data Protection directive happened. The enforcement never happens unless it’s serving a political goal, such as singling out a Chinese company or whatever.
GDPR is the result of many lessons learned in prior attempts. The EU Commission put particular attention on not repeating the mistakes being made in the Cookies directive, which rendered it essentially useless and only annoying.
Fines are to be handed out by the national data protection agencies. In Germany, the data protection agency regularly goes after violators since the 1990s. They audit German administrations and companies with respect to data protection, and request changes where necessary. See here for yearly reports of one of the state agencies: https://lfd.niedersachsen.de/startseite/allgemein/taetigkeit....
So at least for Germany there is no foundation for your claim.
I have to concede that German regulators have set the pace, but the penalties are still negligible on the global or even regional scale. If every member state went in with as much conviction as Germany, we might see some results after two decades of mostly-empty promises.
It’s rather obvious it learned nothing. After seeing cookies banners, it was entirely evident and predictable that GDPR will result in more aggressive banners.
There's one important caveat you're missing: the vast majority of these cookie banners are illegal under GDPR. So yes, it's rather obvious the EU learned a lot.
The law forbids dark patterns, coercing into accepting, delegating opt-outs to third party sites, and requiring collection of more data than is strictly necessary to operate the site.
>players with most trackers just refuse to show the cookie warnings at all
The results of the legislation -in regard to cookies- are inconsistent, annoying, unevenly enforced, create a moral hazard and two-tier system, and I presume have negative overall utility.
This is why I do not consider the law to have been written with good intentions. The intentions were claimed to be good, but I don't see the lawmakers having had put in the necessary effort to ensure privacy improvement. Nor admit there are shortcomings to the legislation that need either fixing, or perhaps scrapping the legislation. Did they really intent on exerting enough effort to write the legislation well? To shoulder blame if it does not work out? To take the responsibility? Or to shore it up as situation develops?
Right now I perceive the cookie warnings to be merely EU's advertising banners - "Heeey, this is EU taking care of you!" - plastered all around the web just like banner ads used to be plastered all over the web. Morally the same - pompous self promotion, except paid for with legal rubberstamp rather than money.
Spiegel.de also sometimes refuses to serve you content if you have DNT flag set which in theory would be a convenient way of getting rid of cookie banners.
There is a window now when players can argue that the regulation text isn't clear (it is). Let's hope regulators pick a few high-profile targets that are in violations and hit them with massive fines.
The omnipresent "Please accept our privacy policy (or leave)" is worthless cargo cult GDPR pseudo-compliance. If it's neither freely given nor informed, it's not consent under GDPR.
See Art. 7: "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
See Recital 32: "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data ... This could include ticking a box when visiting an internet website ... Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
If you want to use external tracking and be GDPR-compliant, you must offer a clear choice ("yes/no") and you must not use pre-ticked boxes (i.e. an opt-out approach).
Please feel free to downvote this if you don't like it, but I'm merely telling you what the law says. If you disagree factually, I'd appreciate a comment though.
> If you want to use external tracking and be GDPR-compliant, you must offer a clear choice ("yes/no") and you must not use pre-ticked boxes (i.e. an opt-out approach)
Exactly this. Basically what the GDPR says is: if your business doesn't require the data, you cant use it without the user's consent. And data used for better advertising is NOT essential to e.g. a news site.
What's more, the regulation syas that you can NOT simply say "accept or leave" in that case. You then have to provide the service to the user without storing that non essential data. You can't provide a service, even for free, that you condition on storing data not essential for that service. There is no "if you don't like it, leave" clause.
Basically: spiegel.de has to be prepared to show their news to anyone, including those that do not wish to be tracked by their ads. Right now we are in a period of denial where site owners believe they can have these "By entering you agree to..." banners. Once the first large fines are handed out, It'll be fun to watch.
This is the view of a US person: These are private owned and operated web sites. The site owner determines what is "essential." If you do not agree to to the terms, do not use the site. If you don't want to be tracked for advertising, that's on you to install ad blockers.
Are you allowed to sell your kidney in the US? (No, you aren't.)
This means that a site operator can't offer you access to a super awesome news site in exchange for your kidney. They can't get away by saying "but you can choose not to use the site".
Well, Europe does the same thing for your personal data.
Trading a kidney for access to a news site would obviously be insane, and we should have laws to prevent insane people from harming themselves.
On the other hand, if a person of sound mind decided they would rather have $1,000,000 than both of their kidneys, why shouldn't they be able to sell one, logically?
The idea of selling one's organs sets off the human involuntary disgust/outrage reaction ("of COURSE it should be illegal! how DARE you suggest such a thing?!"), but if we put that aside, is there a rational reason it shouldn't be allowed?
The news site was an obviously over-the-top example, but the more realistic $1,000,000 offer would be just as illegal.
The rational reason for that is that in the real world, not all choices are made by perfectly rational, superhumanely intelligent actors that have and consider all the information.
Also, not all decisions on a free market are truly freely made. If all standard housing/mortgage contracts contain that you have to sign away your kidney as a security deposit in case you can't pay your rent/mortgage rates, do you really have a choice?
With data on web sites, it's the same. Almost every web site collects data. You don't realistically have the option of going to a different news site if you don't like that deal.
>With data on web sites, it's the same. Almost every web site collects data. You don't realistically have the option of going to a different news site if you don't like that deal.
You have plenty of choice: make your own, feed them wrong information, feed them no information or find a site that doesn't. If enough people care about this niche then your website would succeed.
- I cannot just make a website or service. It is usually a huge project that only few people can solve.
- I have no way to feed wrong information without diving very deep into that website's code. We are not just talking about data I enter, also about things that are collected without conscious effort on my part. It is not practical at all to feed false or no information. If they sell my IP address, how can I feed wrong or no information?
- Finding a site that does not act like this is the only way left, and it is exactly what the parent explained does not exist, because realistically, there are many topics for which virtually every site does act like this.
Thought experiment: a multi-billionaire wants to beat a human to death, and offers $10 million for it. A grandfather decides he would like to take that offer, for his children and grandchildren. Would you allow that?
If you also would not allow it (that's what I hope), then where is the proper boundary? What should we outlaw, and what allow?
If the grandfather consents to it, then what is actually wrong with him taking up that offer?
Your thought experiment (or at least your "hope" re: the "correct" answer) presupposes that suicide is wrong. Personally, I believe the only one who is allowed to dictate whether I live or die is myself; if I want to die, and have good reason to want to die (financial security for my children and grandchildren would certainly be compelling!), then that's my right, and it ain't your place to deny me that right.
But those are fundamentally intertwined. If nobody's allowed to buy something, then how is anyone expected to be allowed to sell something? A purchase and sale are not independent events.
I fully agree. But still it makes a difference from a moral analysis point of view, because my aim is to condemn the buyer, and don't judge the seller.
So now you have to convince me that buying the right to beat someone to death is a morally justifiable action. It is not sufficient for you to judge selling as justifiable to make your point. I actually agree that selling is morally justifiable, and would never vote to make this a punishable offense.
Like I mentioned in another branch of this thread, if selling is allowed, then it would be immoral to not allow buying; punishing someone for buying something that's legal to sell would be entrapment.
In fact, doing so might even pass that immorality down to the grandfather seeking compensation for his suicide; if he's aware of the illegality of buying his life, and yet exercises his right to sell it anyway, then at best it's a meaningless gesture and at worst he's complicit in entrapping prospective buyers.
That's what I mean when I say buying and selling are intertwined. Without one, you can't have the other. If one is moral, the other must be moral as well. If one is immoral, the other must be immoral as well. Attempting to carve out an exception is inevitably going to run into all sorts of moralistic and/or logical snags.
Let me try to repeat your argument: whenever something is morally allowed for an individual, the moral system must ensure that the individual actually can do it.
This does not stand on its own, you need to provide a good argument why a moral system should be designed such that everything which is allowed can also actually be done. In particular, because our current system is not designed that way.
And even if you find such an argument, we end up with a moral dilemma, as long as you can't argue that buying is morally good in itself.
"whenever something is morally allowed for an individual, the moral system must ensure that the individual actually can do it"
More like "whenever one of an inherently-coupled pair of actions is morally allowed, the other of those actions is morally allowed". A moral system which allows one and not the other is self-contradictory.
In this case, a moral system which permits the right to sell a life but denies the right to buy a life self-contradicts; unless you believe that it's moral to trick someone into committing an immoral act (I do not), any attempt to exercise the right to sell one's own life would be inherently immoral because of the impossibility of doing so without causing someone else to perform an immoral act. The only way for the sale of one's own life to be moral is for the corresponding purchase to also be moral.
"we end up with a moral dilemma"
Only if you insist that buying is wrong while also insisting that selling is not wrong. When both are right or both are wrong, then there is no such self-contradiction.
> "whenever one of an inherently-coupled pair of actions is morally allowed, the other of those actions is morally allowed".
Why does that follow? I could understand it for actions you are morally obliged to do, but I fail to see why it follows for actions which are merely allowed.
A 6-year old boy is allowed to fall in love with his teacher, but she is not allowed to fall in love with him, so his love - even though morally allowed - can never be fulfilled. That is a perfectly fine situation, from a moral point of view.
My answer is that if it can be sold, then it must be able to be bought. My right to sell my existence is meaningless without the right for others to buy it.
Amy attempt to assert otherwise - i.e. to try to sell something which nobody is allowed to buy - would be entrapment and - IMO - immoral. Either ban both sides or allow both sides; in this case, I'd vote the latter.
Let me try putting the question a different way. Suppose there is a way that society as a whole can make some of these purchases, designed to be as fair and moral as humanly possible. Now it's possible to have individual personal sellers without needing individual personal buyers.
Now you can answer this question by itself:
Is it moral to let a multi-billionaire buy someone's life?
If it's not moral for one person to do it, then is it moral for all people to do it collectively? The outcome is the same either way (an old man voluntarily dies and his children/grandchildren are significantly richer as a result); why would it matter who made that outcome possible?
So, then:
> Is it moral to let a multi-billionaire buy someone's life?
In the scenario you've now posited - i.e. one in which society is allowed to buy someone's life - it is moral for a member of said society to buy someone's life. Why would it not be?
Yeah, but those things have a different outcome depending on whether it's a single individual or a society of individuals doing them (in that example: police being accountable to one person instead of the public as a whole).
This is different, since no matter what, an old man voluntarily dies for the financial benefit of his descendants. If the outcome is the same no matter who makes that happen, then I fail to see why one approach to doing so would be more or less moral than the other.
If anything, a single individual purchasing that old man's life would be more moral, since the alternative would be to compel an entire society (and specifically the members thereof) to bear that cost (both monetarily - i.e. via taxes - and the emotional cost of having killed someone). Given that the billionaire is (presumably) a member of society, the net impact is identical, but it's compartmentalized to a single individual who volunteered for those costs versus an entire society of individuals who might not have.
Illegal simply because it is murder, regardless how much money the murderer pays in advance.
Immoral because human life and dignity should not become a tradeable commodity. A society allowing this would quickly deteriorate into a system where the rich just buy the desired behavior from the poor, and we would end up with an oligarchy instead of a democracy.
Another angle to object would be Rawls's theory of justice: suppose you would have to design a society, but you wouldn't know into which place of this society you would be born into. You could be born as son of Bill Gates, or as daughter of the poor homeless beggar at the next corner. How would you design a society under these conditions?
Edit to state the central point clearly at the top: why do you think restricting their range of possible choices "protects the poor and weak" ?
If you have a shitty job, would you be better off getting fired? No, because presumably you already had the ability to quit. (Anticipating someone jumping on me for the analogy: I'm obviously not saying having a shitty job is equivalent to being in such dire straits that someone would consider selling their kidney. I recognize the a huge difference in degree. I'm just illustrating the point.)
> Immoral because human life and dignity should not become a tradeable commodity.
This is just restating your conclusion, not providing an argument.
> A society allowing this would quickly deteriorate into a system where the rich just buy the desired behavior from the poor
That's already the system we have. I can entice people to do all sorts of things that they would rather not do, because I have money, like cook food for me, build airplanes that I can fly in, and so on.
> and we would end up with an oligarchy instead of a democracy.
We're not talking about making it legal to spend money to influence voting or politics, so I don't follow this.
> How would you design a society under these conditions?
My argument doesn't even rely on this veil of ignorance! Even if I KNEW I was going to be reincarnated as a poor beggar, why wouldn't I design society to give myself more choices, rather than fewer? It's not like anyone would be forced to sell their kidneys if they don't want to.
The core idea is to limit the choices of the rich, not to limit the choices of the poor. You will be prosecuted if you buy a kidney, or if you kill a human, not if you sell a kidney or your life.
With respect to your interpretation of the veil of ignorance, if you knew you were going to be a beggar, why on earth would you want to design the society in such a way that selling your kidneys or life can become the best option left to you (or anybody else in that society)? And if you are able to design it in such a way that it is not the best option, then outlawing to buy such things would not impact your life as beggar negatively.
From your reply I think you did not entirely understand the parent's reasoning. I think you don't follow the consequences of your points to the end, where it becomes visible that they are not desirable. I believe that is what the parent is aiming at.
One scenario is easy to figure out: Once it's simple for poor beggars to sell their kidneys, it becomes normalized and common. It's expected that you'll sell your kidney or you clearly don't need help that badly. The price drops from abundant desperate supply until it's only enough to live on for a few months. A few years down the road and you have just as many poor beggars but all of them are missing a kidney and less resilient to illness.
The root problem here is that if people are put in desperate situations, some amount of choice is forcibly removed from them. Certain agreements can't be fairly negotiated unless you remove the desperation first.
This may be so for 'some' US based websites or companies, but those of us with users worldwide tend to find it very essential to not violate the right and privacy of our users, in accordance with their countries' laws.
If you went to a privately owned and operated restaurant do you think it should be up to them whether the follow health codes or not? Do you think a consenting adult should be allowed to eat at one that chooses not to follow them? Do you think this consent should be explicitly granted or will a sign in the corner of the menu suffice?
No matter your answer to those questions I think we can all agree that just because they are a privately owned and operated company they have the right to do whatever they want.
If that's how you want to look at it ... you can consider the EU to be making the same offer to businesses "accept our terms or you can not use the EU".
Actually, Art. 6 GDPR does leave doors open besides consent, e.g. if "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
In that case, it's simply not consent, so instead of collecting void consent, which will get you into trouble, you should display a simple privacy notice that links to your privacy policy, where you explain your legitimate interests. That is what you have to do for first-party tracking, for session cookies than can be associated with a specific person, and even for log files that contain IP addresses.
If you offer a free digital newspaper, you may argue in court that your ad-funded offering could not exist without third-party advertising and analysis tools, and that your legitimate interest (secure funding via ads) aligns well with the interests of the data subject (read free news). National Data Protection Authorities have suggested that they consider valid consent necessary for third-party tracking, so it's a somewhat bold strategy, but in the end, the ECJ will have to decide.
Until the ePrivacy regulation arrives with some clarifications, we're effectively living in a limbo. Cases of blatant abuse aside, I doubt that we will see waves of draconian fines regarding third-party tracking until then.
> 4 It shall be as easy to withdraw as to give consent.
If you prompt me to accept on every page then you must also prompt me to decline on every page, otherwise you fail this test. Hiding the option to withdraw consent in some random settings page is obviously not as easy as clicking yes when prompted.
Most sites have already created all their tracking cookies before the user even sees the opt-in form too, which isn't compliant with the GDPR or the old cookie law.
Well, no, if they're required to harass the "consenters" equally to the "nonconsenters", then that (a) removes the motivation for users to fake consent just to get away from the harassment; and (b) motivates the site developer to choose an amount of popups that's actually appropriate for the UX they want, since that'll affect all users all the time.
If a site doesn't wants to cover itself all the time with a popup regarding cookies, then they're not allowed to cover itself all the time for users who never consent to tracking.
> If you want to use external tracking and be GDPR-compliant, you must offer a clear choice ("yes/no") and you must not use pre-ticked boxes (i.e. an opt-out approach).
You can use absolutely no external tracking and be GDPR-noncompliant. In fact, an Apache web server running the default test page is technically noncompliant. Everyone loves to jump to the tracking ads and data selling, since they are easy targets, but the scope of the law is much broader than that.
This shows utter incompetence and detachment from reality by European legislators. Maybe it seemed like good idea in theory but the only practical significant impact is that browsing the web has become more annoying.
Surely there are solutions that don't require a popup on every webpage you visit? For example enforcing no tracking by default for advertising purposes?
It was pretty common! Check out this Onion parody (from 2002), which refers to a website prompting you to accept cookies:
>"She goes apeshit whenever a pop-up window comes up. And one time, she paged me because she got a message about accepting cookies. She was all freaked out because now she thought she was being charged for actual cookies."
> Surely there are solutions that don't require a popup on every webpage you visit?
I don't get any popups or cookie notices on visiting HN or several other sites. It's not like it's a fundamental need to set hundreds of tracking cookies on a visitor's browser to show them a website.
True, but very different. That’s not the highly-targeted, audience-segmented approach to advertising that parent commenter (and most people on the internet) is referring to by saying “ads”.
> This shows utter incompetence and detachment from reality by European legislators.
> Surely there are solutions that don't require a popup on every webpage you visit? For example enforcing no tracking by default for advertising purposes?
Wait, what? There are such solutions. GDPR, and the "cookie law" before it, don't "require" any popups.
They allow cookies, 1x1 pixel images, browser fingerprinting, Flash supercookies, browser local storage, etc. without any need for stupid popups... as long as that's required to implement the site's functionality. Consent for these things is implied by the user's use of the functionality (e.g. game scoreboards, saving word processor documents, keeping track of a user's shopping cart, etc.).
What these laws do require is that handling such personal data without such implied consent, should require explicit consent. This acts as a disincentive for sites who want to continue spying on their visitors, by forcing the UX to be more annoying and dissuade visitors from staying.
> the only practical significant impact is that browsing the web has become more annoying.
Sounds like the dissuasion is working. Hopefully that is causing spyware sites to receive fewer visitors (and perhaps revenue), and potentially rethink their decisions.
What evidence is there it is working? That evidence only shows that people have change their web experience to be more annoying out of fear of the EU. It does not show there is less tracking or more public support for privacy.
Most people hate the UX change but don’t care about the privacy so probably a net loss for the EU.
That's because the sites currently have an option (or think that they have an option) to make tracking mandatory for their visitors, so long as they consent - which is the easiest way for them to deal with it. It sounds like this Dutch agency is saying that it is not actually compliant with GDPR.
It clearly isn't. Vast majority of people (me too) are trained to automatically accept whatever cookie BS the website asks for, just to get rid of the popup as quickly as possible and get to content. And no, these "spyware" sites such as reddit.com or bloomberg.com won't switch to non-tracking ads to get rid of the popup.
well the GDPR does say many things about how the tracking consent can’t be the default right? so yeah it’s working if you just click through... of course if businesses are breaking the law, that’s different and enforcement will come
for reference there are at least 2 parts that make this outcome true:
“Consent must be freely given, specific, informed and unambiguous ... Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid”: a default choice if “i agree” is influence
“The withdrawal must be as easy as giving consent”: if you hit “i agree” in a box that automatically pops up to give consent, there must be a withdrawal mechanism that’s as easy as that to withdraw (and then they must delete your tracking data)
The EU has generally been a really positive force when it comes to consumer rights, but I'm not a fan of this either. The question I have is, what did web company do to deserve this kind of regulation?
It is quite unusual to see governments enact regulations, without the existence of a measurable harm being caused - but solely on the premise, that the act of collecting data is 'unethical'. I mean this is really not normal, and quite unfair, if you look how regulations worked in the past for other industries, it has always been a response to very clear quantifiable harm being caused.
We have seen nothing of that, contrary, tech companies have improved our life's immensely, for free, and in my opinion, are the one of the biggest driving force towards improving the future. Data is not just being collected for advertisement, tracking, and evil purposes, but is a very important asset in the development of products.
Furthermore, historically it was governments, not companies, that were abusing private data for nefarious purposes. Yet there seems to be no effort to stop it happening from that direction? Well of course not, its way to useful, and you'd be a fool not to use it, but companies are 'bad' trying utilize it...
> The question I have is, what did web company do to deserve this kind of regulation?
Have you been asleep for the past decade? Pervasive tracking and spying on consumers has been the topic of discussion even long before that.
EU countries have had data protection laws since late 90s, and the web companies have taken a collective dump on them. So now the EU has created a single law that is quite sensible (if not without flaws) which says: you can only collect the data you absolutely require to work. If you collect other data and especially if you send to third parties, you must ask the person using your site if that's ok.
Oh my, did web company do to deserve this? Oh, I don't know. Open TechCrunch and opt out of ~300 tracking, data collection and ad companies, and tell me what they have done.
how does "TechCrunch" "~300 tracking, data collection and ad companies" impact you?
i'm asking because my government knows everything about me: my private and public IPs, what sites I visit, my comments on those sites, how old I am, how often I go downtown etc etc etc
Simply put: when we learn that NSA secretly spies on everyone, it's a huge scandal that calls government practices into question. When it's ~300 tracking companies per website, it's "how does this impact you"? ;)
> if you look how regulations worked in the past for other industries, it has always been a response to very clear quantifiable harm being caused.
It should be straightforward to show quantifiable harm to people’s right to privacy. You could survey a large number of people to ask if they would be OK with having their online habits monitored in detail by unknown companies (whose websites they didn’t even visit) for the purpose of targeting ads to them at later dates. If close to 100% of respondents say this is an invasion of their privacy, then that’s what it is. You could also do some more technical research to work out how many times per week people’s privacy is invaded in this way. You’d probably arrive at a very big number, rising every year.
There’s a common misconception that any cookie of any type needs a pop up.
The rules are actually only concerned with tracking cookies. Session cookies and user preference cookies aren’t within its scope. They are still perfectly acceptable to use without explicit consent from the user.
> So a cookie such as "gdpr_response=ok" has ZERO effect on GDPR compliance.
I wouldn't be so certain about that. Before now, most people were pretty certain that an accept/decline warning was enough and that they had the right to refuse service to people who did not click OK on the warning.
If anyone believed that, they did not research more than 10 minutes.
This comes up in _every_ discussion about GDPR.
I honestly worry - are we as developers just extra stupid, or are other occupations (electricians, ship captains, architects) equally lax when it comes to reading and following regulations?
Those other occupations have been regulated for a long time, so the training and verification practices have had time to mature. This is still the early days of software development regulation, so there's not much history or tradition to fall back on -- I'm pretty sure that all the other industries had similar problems when their first regulations were enacted.
1. You ARE allowed to use any cookies you like without popup warnings, as long as the cookie can't be used to bind the session to personal identifiable information (PII) about the user. Session cookies are perfectly fine when used to manage webapp state, such as what page a user is on, what feature has been enabled and so on. Likewise are other identification methods, for this sort of purpose.
2. Any technical means used to make a connection to a user's PII does fall under GDPR.
Seeing the underlying intent?
GDPR is about avoiding invisible tracking (connection to a european citizen). The regulation is written to bring that sort of behavior to an end. Your fingerprinting example, as well as any other "clever" technical ways of achieving the identification objective, when the purpose is that of invisible tracking; tracking where the user isn't in control of the profile information generated, is explicitly what the regulation aims to nail.
GDPR is about users gaining control of the lifecycle of information pertaining to their identity, so if you or your proxies (googl/fb or other ad companies for example) have PII about a user, then the GDPR stipulates processing constraints on that information, which includes any information that can be associated with the user. E.g. building a profile about a user that can be tied to a user's PII becomes part of the user's PII, and thus subject to the intended end-user lifecycle control. What that control means is stated clearly in the document linked above.
When the web plays its normal chinese-whispers-game on any kind of fact, it's always best to go directly to the source to see what was actually said or written. In this particular case with GDPR, this is definitely the case. Not a single of my US colleagues nor friends had even an inkling of what GDPR actually is about, and it seems most of this community is in the same boat.
I guarantee that reading the actual doc will dispel a lot of unfounded fears.
If you happen to have even the slightest layman interest in law, or appreciate games / brain teasers, then you might actually be a bit impressed by the cleverness of the wording in parts of the document, and how it all comes together. Myself, having been in the dev field for 20 years, I've read my fair share of EULAs, licenses and contracts, and to me I saw some true genius shine through half way through the document, like watching a good chess player setup a board and guard against obvious attacks by the opponent. I felt I could almost see into the minds of the authors; what they sought to accomplish, loopholes they tried to close, and an attempt at creating a defensive shield that would be as "future proof" as they could make it, against new unknowns introduced by rapid technical innovation.
That's a bit of a chicken/egg thing, but it shouldn't matter if there's no pop-up in the first place right?
I should mention that I essentially browse this way due to a few privacy add-ons I use and it is absolutely infuriating having to deal with these pop-ups even on sites that I've already visited.
I, for one, am happy that bullshit like “hey, we send your data to 244 trackers uncontrollably” has become visible and is being called out.
I mean, visible only in the EU.
Dark patterns and site-blocking are anti-GDPR, so I’m hoping for some heavy fine across the board. And, hopefully, if not the end then curtailing of the intrusive and tracking cookies, ads etc.
Facebook hasn't made any more privacy or policy SANFU's over the last 12 months than they have any year before that, and yet interestingly this is the year where the people around me have been taking an interest in what I use instead of facebook and taking active steps to move away from it.
These laws force people who are attempting to take advantage of non-technical users to either stop it, or do so in an obvious way that lets even non-technical users see that /something/ is up.
It's good, I like it. It's driving social progress, as truth always does. I'll get downvoted for expressing that opinion here of course. Too many american software developers who want to inflict their freedom on others I guess.
I've rather radical thought: I don't think tracking itself is fundamentally a bad thing. I rather see useful relevant ads then irrelevant ones. Yes, it may be creepy but its not a bad thing that people in ad industry are working hard to figure out things that would be worth my time and interest. However, what is bad is how else is tracking data used? Who else has access to it and for what purpose? GDPR should have created law that tracking data may not be used for anything other than machine generated recommendations by same company and it would have been 1000X more beneficial.
The problem isn't dumb ol' grandpa EU's folly lawmaking. The lawmaking is on point and the cookie banners are the problem - not the symptom. EU regulations are trying to eliminate privacy-invasive practices like tracking. It's not about making users aware that they're being tracked. It's about making businesses cut that shit out.
Of course, on HN I have to acknowledge that half of the users on this website get their paychecks from invading the privacy of the general public. If you fall into this category: what you're doing has always been wrong and now the law is catching up to that.
It doesn't matter what they're trying to do. What matters is what actually ends up happening. The socialists in the Soviet Union tried to improve things as well.
It's also quite ironic that the EU now cares about privacy considering that a decade ago they passed the Data Retention Directive. I guess privacy didn't matter then, huh?
"It's also quite ironic that the EU now cares about privacy considering that a decade ago they passed the Data Retention Directive. I guess privacy didn't matter then, huh?"
This is a very astute observation, and is causing some angst among parts of the European population.
However, this seemingly conflicting behavior has a cultural rationale behind it.
In general, Europeans see government as trying to look out for their best interest, while they view corporate power with large skepticism. "Americans" hold the complete opposite view.
So when the governments in the EU tout sheepish clichés like "think about the children, catch terrorists, pedophiles" etc, by being able to retain data for those purposes, the public falls flat and lets Orwellian laws pass without much fuss. Because ... "the government is our ally, and we trust it, the claims, and that the data will be managed responsibly".
However, when corporations do the same, there's more fuss.
The one european people that is of sane mind here is those of germany, due to their history. Unfortunately germans are also deceived by their government through back-room deals on EU level, and with the national security excuse, when it can be kept out of the public eye; effect same as the other EU nations. The good thing however is that the german people are not as gullible as other parts of europe when it comes to surveilance and tracking, and they do tend to kick up a big fuss when this sh*t goes down. So they act as a sort of moral calibration for the other nations, such as mine.
Understanding this fundamentally different mindsets between US and European citizen will hopefully help explain quite a lot, for those who didn't already know this. This is why "american" views are insane to some europeans, and why EU is naive/retarded in the eyes of the US. (very generalized)
This is precisely it. It's not that the EU legislation is too restrictive, it's that it doesn't go far enough. Sites like these shouldn't be compliant, users should be prompted with a simple yes/no consent form without any dark patterns.
internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained... Is this really what we want?
Yes. I'm not even European, and I'm perfectly fine with this.
Ask me to track me. If I like you, your web site, or your content, then sure. I'll give you a little personal data.
So once you've determined that you like a site you are going through the hassle of figuring out how you can reenable the tracking after you disabled it on your first visit?
“you’ve visited this site a few times recently. are you still okay with these settings? (if you ever change your mind, click privacy at the bottom of the page)”
just because we don’t currently have solutions doesn’t mean they aren’t out there. i guarantee my 5 second developer definitely not UX idea is the LEAST that a real UX professional will come up with, when pushed
*EDIT: and yes this kind of cookie is okay with GDPR because it’s not tracking a “data subject”... it’s maybe a broad timestamp (the day you first accessed the site), and a counter for the number of articles/site loads... you don’t have to ask for this permission, because you can’t track someone with it
But the little personal data you mention is not only given to them but to 224 different ad networks. Most of them make it impossible or difficult to opt out.
>Ask me to track me. If I like you, your web site, or your content, then sure. I'll give you a little personal data.
You are asking them for the website. They are asking for your data in return which your browser provides because that's how it is configured. Your browser could simply refuse at any point.
I am not a fan of the cookie banners at all. If anything I feel like browsers should implement it as it already does with other security settings (access to location, camera, etc…) and then people can decide to allow all websites. Blacklist, whitelist whatever. Why are we making every site implement a completely unique interface with different verbiage?
Because its done under legal compulsion rather than web standards good faith. Cookies predated the more democratic process by which the web evolves today, and it was outside the EUs power to just ask the likes of the dying Netscape / Microsoft / etc to all standardize on this feature at the spec level, especially when nobody was really much following web standards at all in the early 2000s.
All those settings in browsers that let you control access to your camera, location, etc aren't part of legal compliance, they are just there because Google, Mozilla, sometimes Apple and Microsoft all agreed this is a good best behavior to avoid getting regulated on again.
If the EU started mandating an opt-in system for camera access you can bet most websites would start dumping pop up banners about it regardless of if all the browsers supported the regulation already just to avoid culpability.
Cookie warnings don't show up for any old cookie usage. HN has no cookie warnings, despite having accounts and logins. Cookie warnings are shown when the "evil bit" or the "color" of the cookie is set; that is, there is no way for the browser to know when a cookie should require a warning and when it shouldn't.
I find the clarification about cookie walls being out of compliance with GDPR to be a real headscratcher. Here's part of the Dutch authority's FAQs[0] thanks to Google Translate:
"At a cookie wall, website visitors have no real or free choice. It is true that they can refuse tracking cookies, but that is not possible without adverse consequences. Because refusing tracking cookies means that they cannot access the website. That is why cookie walls are prohibited under the AVG."
I find this fascinating. Is there really not a free choice to simply leave the website? A paywall is surely legal. But it is illegal for me to "pay" using something other than money.
Am I allowed to offer users additional functionality in exchange for access to their data?
Of course you have a choice, but in reality who leaves a site because they see that warning? I imagine almost no one. Hell, I understand the implications and I don't care because site X has what I'm after and perhaps no one else does (or they all have the same warning anyway.) I have no reasonable option but to accept whatever these sites want.
The warnings accomplish nothing. It's just another nag screen. It was a bad idea when it was thought up and it still is today. It's an attempt to seal a wound (misuse of personal data) with a piece of string. It wasn't even a half decent band-aid.
It's difficult for the average person to understand the long term implications of this sort of data collection. They don't realize how powerful all these little details can be when put together.
Not proud of it, but I fit somewhere in that bucket. I do consider it and I have made (slightly) inconventient choices in the name of privacy, but when it comes down to it, I typically say "screw it" because I want what I want.
The warnings under the old law were idiotic. Under the GDPR, however, you're required to have clear consent with an easy refusal option. But just like the cookie warning, so, so many sites are violating that requirement because, hey, you cannot go after everybody, right? I don't think there were really any consequences for violating the old cookie law, so the majority are maybe approaching the GDPR the same way (even though this time there are actual punishment options.)
That's how the GDPR is designed. I'm not a lawyer or a GDPR expert, but I believe this means that unless your service actually requires a particular type of data collection to function, you're not allowed to make access to that service contingent on that data collection.
> Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
In other words, people aren't allowed to sell their data in exchange for services. I suppose the argument is that people are really bad at valuing their own data. They don't know how it can be combined with other datasets and how it might be resold and repackaged and never go away. There are other things people can't legally sell, such as organs, votes and sex, so it's not an entirely brand new idea.
Consumer protection laws regularly put limits on the freedom of contracts between companies and consumers. A rental car agency can’t give you a rebate for renting an unsafe car.
The fact that no money changes hands doesn’t change this. If you’re offering free taster portions of bread to passer-bys, you can not use lead as an ingredient. Neither being free, nor putting up a sign with the list of ingredients will change that.
Agreed, but these rules are clearly defined, make sense to the common man and actually lead to what they should lead to, namely that I can, with great confidence, eat anywhere without being poisoned.
GDPR is terribly vague and creates a barrier-to-entry. Draconian measures may hurt large companies, but they threaten smaller ones.
EU is saying they don't like Silicon Valley behemoths' power but they want valley-like companies in the EU (sometimes even calling for a 'European Google', as if you could just pass a rule to make that happen). And then they create laws that make it easy for the large players and harder for their competition.
Everyone here spent a great deal of money for some compliance boo-hoo. FAANG has your consent and upgrades their policy, done.
To me, this seems like ineffective and incompetent lawmaking, no matter if the intentions were sound.
If you had you would know that the regulation isn't there to nail companies from other regions. Anyone doing business with Europeans is subject to the same rules of the game, and that naturally also includes European businesses.
No, it's not a free choice. You cannot pay with your personal data the same way that you cannot sell yourself into slavery, even if you wanted to.
These cookie notices are also almost invariably violating the GDPR. There must be a clear choice, and if you choose not to be tracked, you must be able to still use the service unimpeded; then there must be a clear and understandable description to the intents of data collection; and lastly, the opt-out choice must be accessible equally simply as the opt-in choice (none of this "Accept" vs. "Manage options" bullshit.) For example, one of the very few larger pages where I've seen it done right is Wikia/Fandom.
> Am I allowed to offer users additional functionality in exchange for access to their data?
In a way, yes, but you're phrasing it in a roundabout way. You can ask for personal data to enable additional functionality that requires that data. For example, you're allowed to ask for location if you want to show them some offers nearby. They are allowed to refuse and in that case they cannot use the particular function that's tied to their realtime location. If they've given permission to use their data, you, however, are not allowed to use that location data for any other purpose other than what they explicitly agreed to and what's actually needed to provide the service. I.e. you can ask for the location to provide a location based service but you don't need their age and income data; also you cannot use their location for other purposes they aren't informed about. And you certainly aren't allowed to sell it to someone else without an express permission.
In short - you need a clear and explicit permission for specific purposes, and you cannot deny access to those parts of your service that don't require personal data.
>You cannot pay with your personal data the same way that you cannot sell yourself into slavery, even if you wanted to.
So, what you're telling me is that GDPR actually limits my rights as a private citizens because that think I'm too stupid to make my own decisions? I guess I shouldn't be surprised.
That's how the GDPR works - unless the data being collected is required for the operation of the service, you cannot make data collection a requirement of using the service.
What if the ads are required for the operation of the website, because without them the site has to close? People are rarely willing to pay for big sites, they surely won't pay for many small sites separately.
Smaller sites don't have the resources to curate their own ads, that's why they use ad networks. If we are strict about this then this rule will eliminate small sites while tightening the grip of the big sites on the net, because they have the resources to adapt.
Most people don't care and just choose the default option to get to the site. If opt out is the default and opt in requires a conscious decision then the majority of users won't opt in, because most users don't read the options, only clicks on the default option or the close popup X.
> Yes, it absolutely can mean that the giants will expand and lots of small sites that use ad networks will die.
And we already see the current situation where Facebook is dominant. If more small sites die and the big ones get even stronger then the situation will continue to deteriorate.
My understanding is that something being 'required for product to function' refers to technical requirements, not revenue requirements. So, yes I agree that it's a problem for small sites (or really anyone who tries to make money on ads).
So this is a bad rule, because enforcing it will result in eliminating independent small sites which have no other means for financing themseves than ads.
In case of the advertising availabe for small sites with a handful of staff (ad networks) untargeted ads pay much less (even 50% less or more) and that revenue may not be enough to keep the sites operational.
Advertisement doesn't require profiling and surveillance. That is what GDPR and other efforts like some ad blockers are trying to protect against. The emerging consensus is surveillance capitalism is unethical and increasingly illegal.
> Advertisement doesn't require profiling and surveillance.
Targeted ads pay much more. Eliminating targeted ads can result in a revenue drop of 50% or more, effectively killing small sites which most of the time make not much more money from ads than what is needed for financing themselves.
The idea that a site should automatically generate revenue simply for existing, especially when it's relying on unwitting invasion of visitors' privacy in an increasingly illegal manner, is ridiculous at best; malicious and predatory at worst.
The site generates revenue by providing a service. That's why people visit it and that generates the revenue via ads. E.g. an independent news site provides news articles and people visit it.
People won't pay for many small sites separately, so until we have a viable alternative (e.g. automatic micropayments) eliminating targeted ads would effectively eliminate independent journalism as well (regular ads pay much less) and we'll only have sites financed by big corporations pushing their agendas.
I'm not a fan of targeted ads, but I rather have them if they allow independent publishers to operate, than having only new sites financed by big money.
The site does NOT directly generate revenue by providing a service to their visitors, nor even by selling space to advertisers. The site generates revenue by selling to 3rd parties intimate access to its visitors without the knowledge or consent of the "average" visitor. It is broken in principle, running afoul of the nature of marketplace regulation and privacy rights.
This is just "the ends justify the means", because the consequences fall on the visitors, not the site owners, advertisers, or data brokers. It's a disgusting, predatory rationalization for offloading the damage while reaping the rewards.
Patreon on its own delivers hundreds of millions of dollars of funding a year. Web ads existed long before individualized tracking, and still are that way in pretty much every other medium (print, billboards, broadcast media, product placement, etc). Independent journalism existed in websites, blogs, pre-monetization youtube, etc as well. Heck, SV investment is available and all about spending money without any real revenue plans anyway. :-P Just this one very particular ad model needs to be ended for everybody, big and small, and the advertising market still has everything else covered. The "big money" sites also still need to monetize somehow (and much more voraciously), and wouldn't be allowed tracking ads, either.
If you can't make money without violating your audience, then you don't get to make money at it, and all scales should be held to the same account if it is genuinely considered an issue of rights.
I, for one, am actively boycotting sites with invasive tracking technology. To a certain extent, I rely on Hacker News discussion to get the essence of many articles, even on prominent publications, where cinsenting to tracking technology is necessary to read the article. As soon as I see a tracking consent dialogue, I will often leave, and actiively avoid sites that I already know use tracker network tech.
If a sites business model depends on using their users' data without their consent/knowledge then why would we want regulation to protect it from being eaten and their seat at the table taken by facebook?
It's not even clear to me how they actually work. Usually what I do when there's no "Deny" button (which is most of the time) is just leave the dialog open in hopes that that qualifies as "not accepting". But then some of them say "by continuing to use this site you agree". But, what does that even mean? Do they wait for a scroll event before setting the cookie, or is it there already before I even click "Agree", and the dialog does nothing whatsoever?
Legally, you haven't consented. They're of course tracking you anyways because they're too lazy/greedy to implement it properly, so you should use the usual security measures (adblocker, PrivacyBadger), but they're breaking the law.
It's just that there's too many people doing that for the overloaded DPAs to take care of them all.
I feel the same way about California Prop 65 warnings. Any overused warning will result in warning fatigue. We'll just blindly click that OK button or lick that pewter candle stick.
In the vast majority of cases that's not how laws actually work from one nation to the next. That isn't how legal jurisdiction works. If it were, any nation could impose its laws on any other nation at any time.
> So geolocation is not a satisfactory option.
In fact it is. I can safely disregard the EU and nearly all of its laws including GDPR and privacy laws in the EU. I don't operate in the EU, either physically or in terms of hosting. They have no access to me, my finances, my business, and have zero jurisdiction over me as a US citizen. I'm bound by US law, not EU law.
I can do anything I want to with data from EU citizens that visit my US-based services, so long as I obey US laws. The exception to that is if I need to operate in the EU, then I should comply with EU law.
The EU also does not rule China (1.4 billion people, world's second largest economy), for a strong reference on how the EU's laws don't actually apply globally. While you're in China, as an EU citizen, you are not governed by EU law, you are governed by Chinese law. Give that a test run, you'll find out instantly how it works. If you visit sites located in China, they're going to obey Chinese law, not EU law. Millions of Chinese sites are not concerning themselves with GDPR compliance, because it does not apply to them at all.
Of course, if you fly to Paris for honeymoon they get access to you and can hold you responsible. Just like bankers coming to Las Vegas and being held responsible for aiding tax fraud overseas.
EU residents, actually, and yes, geolocation is satisfactory -- you can hit EU residents as long as you're not intending to hit them, and are doing nothing in contradiction to that intention (like translating your content into Polish, for example).
> like translating your content into Polish, for example
There are Polish speakers that aren't Polish citizens. Translating to Polish doesn't prove an intent to sell to Poland any more than having a page in English implies trying to sell to England.
There is nothing in the law that says that translating into Polish or another language common in the EU results in GDPR being applied. The actual law says,
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union."
That's it. "Offering goods or services" can be interpreted in a variety of ways, but translating into a language doesn't mean anything. People speak German in communities all over the world. Even offering payment in Euros isn't necessarily targeting the EU. Plenty of EU expats have Euro accounts, particularly those based in Africa and Asia. So it's perfectly normal to have a German language site, selling products in Euros, targeting Germans in Shanghai and have that not be in GDPR scope. However, an English language site, selling in US dollars showing Berlin apartment listings targeting American expats in Germany -- that would be in GDPR Scope. The language and currency have nothing to do with it. It's the intended audience that matters and that can be often determined by the product/content being sold/delivered.
The point of my rant is that too many people are reducing GDPR into some ridiculously simplistic terms such as "can't use euros, can't use an EU language" or similar. However, the actual reality isn't so sophomoric.
Recital 23 digs into more detail about what is considered "targeting." Choice quote:
> Whereas [...] the use of a language generally used in
> the third country where the controller is established,
> is insufficient to ascertain such intention, factors
> such as the use of a language or a currency generally
> used in one or more Member States [...] may make it
> apparent that the controller envisages offering goods
> or services to data subjects in the Union.
You are correct that reality is a bit more nuanced, but I think that saying "language and currency have nothing to do with it" is not a supportable claim. Audience and intent matters, but if you have German-language content in a country without a large German-language population, you are going to need a very good excuse why you aren't targeting Germans.
People don't have time to type every single caveat and exception. Translating to Polish is going to be targeting Polish geography 99% of the time.
No, that not true. I am an EU citizen and live in the US. GDPR does not apply to me when I deal with US businesses! Likewise a non-EU citizen who lives and works in the EU is in fact covered by GDPR.
GDPR actually applies to companies which are doing business in the EU and storing personal data of anybody who resides in the EU.
> it applies to pages being served to EU citizens, wherever they happen to be at the moment.
So geolocation is not a satisfactory option.
Completely false. Citizenship has nothing to do with GDPR. It's all about location.
An EU resident visiting the United States is not covered by GDPR while in the United States. An EU Citizen living in Los Angeles is not covered by GDPR. A Tunisian illegal immigrant in Berlin is covered by GDPR.
The 2012 draft of GDPR founded jurisdiction on the passive responsibility principle, which, while highly controversial, would, in fact have applied GDPR protections based on nationality of the person and not the location. However, that's not in the final version of the law. In Article 3, "resident" has been replaced with "data subjects who are in the Union."
"In the Union" means, inside the European Union. Which means the law's protections do not extend to those not inside the EU. The jurisdiction is unambiguous and crystal clear. Not a single word in Article 3 suggests that a Frenchman in Peru is covered by GDPR. Which means that your statement "wherever they happen to be at the moment" is false.
It seems that there still exists an incredible amount of ignorance about GDPR. It feels like people are reading analysis from others who are reading analysis from others and very view have actually read the actual law themselves. Or worse, people are using their memory of years-ago discussions about provisions or language that isn't in the actual final regulation and contributing to this completely wrong narrative such as "The law doesn't just apply to pages being served to the EU, it applies to pages being served to EU citizens, wherever they happen to be at the moment." That's 100% false. It's the exact opposite of the truth.
The fact on territorial scope is that GDPR covers an identifiable natural person inside the EU. It doesn't care about nationalities. It only cares about location. Geolocation is absolutely a satisfactory option, because an EU resident, citizen or whatever sitting in a Starbucks in Seoul, is not covered by GDPR. No matter how badly people might wish that to be false, the words in the actual regulation say otherwise.
It only applies to sites outside the EU if the site "envisages" serving EU customers. The suggested test for this is if the site offers foreign language versions of the site for EU countries, allows payments in EU currencies, etc. For sites in the US that are intended for a US audience, compliance is unnecessary, regardless of the fact that some traffic may be coming from the EU.
From [1]:
Recital 23 provides a further clarification for cases where it’s unclear if a firm offers goods and services to EU data subjects:
Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
The sibling comment is right -- and furthermore, thanks to holdovers from colonialism, the EU is a vast area that the sun never sets on. Reunion, French Guinea, and Curacao are just as European as Bruxelles is.
> And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.
Neither cookies, nor tracking pixels, nor browser fingerprinting are software. Your web browser is software. The server side runs software. These are data.
It seems pedantic, but I think it shows that the lawmakers have an underlying misunderstanding of how tech (and the world) works.
To make an analogy, cookies and tracking pixels are akin to license plates. I think the authors of this law thought they were more like cellular GPS beacons.
It's one thing to say, "no installing a device which actively communicates home on your visitors". It's quite another to say, "No remembering your visitor's face unless they tell you it's ok."
>> And the Dutch DPA’s guidance makes it clear internet visitors must be asked for permission in advance for any tracking software to be placed — such as third-party tracking cookies; tracking pixels; and browser fingerprinting tech — and that that permission must be freely obtained. Ergo, a free choice must be offered.
> Neither cookies, nor tracking pixels, nor browser fingerprinting are software. Your web browser is software. The server side runs software. These are data.
> It seems pedantic, but I think it shows that the lawmakers have an underlying misunderstanding of how tech (and the world) works.
It's in Dutch. I would not be surprised if "software" has a slightly different meaning or connotations than in English.
And even if it doesn't you don't need a precise command of technical jargon as a practitioner would use it to have a good understanding of an area. The meaning of TechCruch's translation was perfectly clear to me, and better than alternate formulations I can think of that avoid using "software" to refer to cookies. Maybe they should have just government-jargon and called them "tracking cybers."
Tracking cookies, pixels, etc., are implemented by server-side software; perhaps the matter you would like to contend is what the meaning of the word "placed" is.
Cookies are data that is placed on the visitor's computer. Tracking pixels are software instructions placed on the visitor's computer.
The tracking that is akin "remembering a face" is user agent and ip address tracking.
In my mind, a store that uses facial recognition software to track my movement within the store and purchasing habbits is still incredibly creepy and highly invasive of my privacy.
The government has automated license plate readers that do much the same thing. Their justification is, you're in a public place, you have no expectation of privacy. I'm a little more concerned about that.
If I don't want to be tracked, I can choose to shop at a different store. But I can't live in a system of underground tunnels.
In Germany, your privacy is protected in public places as well. A German court just recently ordered a German state to turn off an automated license plate reader: http://www.spiegel.de/auto/aktuell/b6-streckenradar-verwaltu... (only available in German)
> It seems pedantic, but I think it shows that the lawmakers have an underlying misunderstanding of how tech (and the world) works.
In Germany, they actually demanded an "Internet eraser" (https://www.heise.de/newsticker/meldung/Digitaler-Radiergumm...) [so ridiculous I don't think anyone ever attempted to translate] so content, mostly images, would somehow 'automatically expire'. Never worked, images could be screenshotted, etc. etc. Said this was "highest standards made in Germany". Never made sense, never took off.
This is honestly what your “regulated internet” looks like. None of the solutions ultimately address the real issue and are done purely for liability purposes.
I'm sure there's some good reason not do it, so I'll ask if anyone here knows: why doesn't the law just require some technical implementation that can be automated? Why can't the law just specify something similar to the DNT header (finer grained) and require compliance with that?
The GDPR offers a general privacy framework. Technological specifics may (or may not) become part of the upcoming, heavily embattled "ePrivacy regulation", which was intended to come in effect simultaneously with the GDPR. Right now, we have a somewhat unfortunate limbo.
The law should lay out principles, not techniques. The GDPR works for any kind of data processing, it is not specific to browsing on the Web.
The core issue is that the ~150 companies of the Oath network will effectively go out of business when they comply with GDPR. So now they try to play some games, until the fines handed out to them become too large to sustain in EU.
That post reminded me about the https://amiunique.org/ site for seeing how trackable you are with browser fingerprints.
I had remembered that I had installed a "Random User-Agent" plugin in Chrome, with privacy concerns in mind. Sometimes it sends a user-agent that causes a site to send me a page that can't actually be rendered by my browser, so I have to turn it off on some sites.
But I was curious to see what amiunique.org would make of the various random user-agent strings that the plugin would send it.
Ironically, the plugin seems to break the amiunique.org site, I can only get a whitescreen or occasionally a spinner forever, unless I disable the "random user-agent" plugin.
Most cookie warnings are beyond useless, in that they don't even try to actually comply with the GDPR.
The fact that your site uses cookies is irrelevant, and there's no need to tell anyone. However! If your site stores personal information (directly or via a partner), you need to have a valid reason.
The definitions of "personal information" and "valid reason" are, fortunately, not exhaustively enumerated in the GDRP. I say fortunately, because if they were exhaustively enumerated, Facebook would find a loophole, and the whole law would be worthless.
One of the 'valid reasons' for storing personal information, is a clear, freely given, consent from the user. This is the one that all the tracking companies want to get, because they think it allows them to do shady things if they can trick the user into pressing 'OK'. But if the user was tricked or coerced, the consent was not really clear or freely given. Hence the sort of court rulings that the article mentions.
So, if you store a cookie for your domain saying 'tracking_consent=false', this is probably not personally identifiable, so you can just do it. No reason for any banner.
But if you track the 'browser fingerprint' that Troy Hunt is talking about, without consent, you are probably in violation of the GDPR. Even if it's not a cookie. And you had a cookie banner.
Very true, that can't be stressed enough. One note though:
> The fact that your site uses cookies is irrelevant, and there's no need to tell anyone.
Let's not forget the infamous ePrivacy directive, e.g. Recital 66:
"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. ... Exceptions to the obligation to provide information and offer the right to refuse should
be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user."
Of course, the relationship between GDPR and the old ePrivacy directive is rather ambiguous.
I think consent is important for tracking, but I noticed an implementation problem/annoyance:
On the same device, I consume news of the same sites from multiple sources or embeded browsers: Facebook, Google News, Chrome...
I don't want to go through the hassle of opting out of tracking from every partner of the very same site I visit. Now multiply the task by every site you visit and every device you use...
I now even suspect they intentionally remove the preference cookies so that you get tired of opting out
The browser fingerprint nonsense assumes Javascript is turned on and the user has allowed someone else to choose the user agent string and other headers.
Thought experiment: What would these "fingerprints" look like if on given day everyone were to turn off JS and set their user agent string and other headers to the same values?
The author writes that if I visit amiunique.org I "will almost certainly be" informed that I am unique.
Well that is not what happened. According to their test, I am "almost" unique, but still not unique. What the page says is that we can almost certainly be tracked. Does not say whether this would still be worth it to an advertiser.
The question is not "whether we can be tracked". Of course we can. Most people using the computers on the internet, in the same way as people using telephones on a landline or cellular network, are not expecting to be "untraceable".
The question is how easy we are making it for anyone to conduct tracking -- not just those who are properly authorised to do so -- and for what purpose are they collecting this information.
> Is this really what we want? To continue chucking up cookie warnings to everyone and somehow expecting them to make an informed decision about the risks they present? 99% of people are going to click through them anyway (note: this is a purely fabricated figure based on the common-sense assumption that people will generally click through anything that gets in the way of performing the task they set out to complete in the first place). And honestly, how on earth is your average person going to make an informed decision on a message like this:
I think the logic is "Yes, you're right, many regular people can't make freely informed consent for that sort of mass tracking... so the solution is to stop tracking people"
I often visit many sites every day and I often see big popups with full "ad partners" configuration. I don't have time for this! Sometimes, if I can see at least three lines of an article text in the middle, I try to read through it. Other times, I just confirm it so I can read the article. I think the providers should be forced to react to the "do not track" browser feature and then simple don't track and don't show any cookie prompts. Browsers are configurable so they should let people decide. Per-site web prompts like that do more harm than good unfortunately.
Standardize it. Policy makers should provide a standard message, or small set of messages websites can reuse and consumers recognize with links to an EU-run informational website easy to understand for consumers. I don't understand why it wasn't implemented this way, maybe to allow for more freedom of implementation, but we have seen that has hurt the policy effort. Just standardize it.
Incidentally, with all of the Organic / GMO-Free / et all certifiers out there, would a privacy badge be the way to go, or is that backwards thinking in the way of early internet site badges?
There's not a standard copy-paste-ready set of phrases because it would be impossible for the law makers to craft such.
They couldn't possibly know what site A or B respectively does with a user's data. That differs from site to site.
It is therefore of course the obligation of each site that directly or indirectly works with user PII to explain to its users how that specific site is using the data.
Can anyone explain to me why the browser isn't the one asking the user? Since, y'know, the browser is the only thing that actually prevents a cookie from being placed or sent in the first place?
The browser cannot distinguish between cookies that are necessary to support a feature you're using (e.g. a session cookie for a login or shopping cart) and a tracking cookie.
The former does not require consent. The latter does.
That's a technical problem, which shouldn't prevent solving the main usability issue.
For example, the CAN-SPAM act requires the words "SEXUALLY EXPLICIT" to accompany messages with sexual/adult content. A tracking cookie's name can simply have the word "tracking" in it, which would trigger a browser to throw up a consent pop-up. A long, useless message from the site about why the user should click it could be provided to the user in a number of ways. The law doesn't even have to specify that
I'm in the EU. I just dont bother looking at those sites anymore.. So, a lot of the links posted here for example.
ps. If I ever mention that the article had a ridiculous cookie warning system that I didnt bother getting through (eg. The techcrunch gif in the article), or that the site is just plain broken from EU, then I get downvoted to hell.
pps. If I really wanna read something, or need to for work or whatever then I use outline.com
You don't need an extension. You set cookies to deny all. Then you look at the list of blocked cookies when you on a website, and you can individually allow cookies on a per domain basis.
What if the EU instead mandated that browser makers have to keep up with, implement, and enable by default the highest levels of tracking protection possible? It would be far easier to enforce that on four or five organizations (half of which already do that) than to try and corral millions of websites into compliance.
GDPR applies to a lot of things that are not mediated by the data subject's web browser. For example, when your grocery store takes your purchase history (from your rewards card) and sells it to a marketing or credit reporting agency. Or when housing or job applications are rejected by error-prone automated background checks. The website stuff may be more visible, but it's not the main thrust of the legislation except insofar as it has exposed how many websites are collecting and trading in your information.
Congratulations, there's now a pop-up added to every single website on the internet that isn't blocked by adblockers. It makes zero difference to me whether the pop-up is telling me about cookies or advertising "huge anime tiddy" it's still an obstruction and a delay.
That last warning comes so close to being a good horror movie quote. "Something or somebody is making changes to your connection" should obviously be "Someone or ... something".
The true monster was the intrusive firewall/AV all along.
Do they expect a user to re-enter their password every time they click a button on a website? Without requiring cookies how do they expect a session to persist between pages?
At my company’s site[1] we have a non-intrusive banner at the bottom which lets you agree or disagree to tracking cookies, or just ignore it and browse the site.
You don’t get served any tracking cookies until you agree.
This fulfills the explicit consent requirement of GDPR as well as the requirement for people to be able to use your site even if they don’t accept cookies.
We get much less analytics then we used to - many people just ignore the cookies bar, either knowingly or just because they don’t notice it. But it’s totally worth it.
I hope the EU starts fining non-compliant (i.e. 99% of) sites aggressively, specifically those that pretend to care about your privacy, but don’t really (“Agree” button only).
What people miss about the new GDPR notices, compared to cookie warnings of yore, is that they offer you the choice of opting out.
In my experience, the option is usually hidden (look for “options”). But a surprising number of sites do actually comply and make this not prohibitively obscure.
It was my clear understanding that "pre-checked boxes" would be illegal. Meaning that if you want to have 200 trackers on a page, then the user needs to click accept to all 200 trackers. So that if you just dismiss the "Cookie warning", you would be default get no tracking. That pretty much solves the issue right there, most people would effectively have zero tracking.
Some of them make the process as slow and painful as possible (I've seen one where you need to deselect a huge number of pre-checked boxes, and then you need to wait through an excrutiatingly long and artificial 'applying preferences' process bar before you are permitted to continue. The website then forgets this preference the next time you visit it). This is directly against GDPR and I hope that companies engaging in these practices to try and make sure as few users as possible opt out get slapped as hard as they can by the regulators.
I think Troy's point though is that if you understand the situation. You already have lots of tools at your disposal to opt out. It's not easy, but you know and can to some extent do it.
Meanwhile everyone else doesn't understand these pop ups, doesn't know anything more post GDPR, and they just roll through them and get tracked just the same.
In effect we have big annoying pop ups and little seems to have changed. If we care about the ideas behind GDPR, I think we have to recognize that it may be failing miserably in practice.
ITT people are suggesting GDPR mandated cookie warnings are pointless because people have been trained to automatically tap "accept" or not gain access.
I don't buy it, and was the main point of this latest GDPR clarification [1]:
> "Cookie walls that demand a website visitor agrees to their internet browsing being tracked for ad-targeting as the “price” of entry to the site are not compliant..." [adding] "...There is no objection to software for the proper functioning of the website and the general analysis of the visit on that site... sharing of this information with 3rd parties is only allowed with permission."
Basically the mere presence of a cookie warning (regardless of the specifics) should not be signaling to the visitor "[agree] to enter" or "[agree] to enable features". They should be signaling "[agree] to us sharing some identity elements and browsing behavior with 3rd parties, mostly for ad targeting; or [decline] the aforementioned; either way, welcome to the site."
Once users realize they can still enter the site if they click deny, their (automatic) choice will better align with their actual preference.
this isnt very accurate. Usually, there is first a generic "this site uses cookies" popup, then an interstitial about how much they "care for your privacy", then a popup about their newsletter, and finally a sticky header to nag you to take their survey.
Troy’s statement that accepting one advertiser’s agreements means accepting all their partners’ agreements, and all their partners agreements, and so on is interesting.
It lead me to the idea that it might be interesting to build a bot that builds a “consent graph” which will tell you exactly how many (and perhaps draw connections visually) different companies you have to provide consent to from a given advertiser/company/website.
This is a pretty interesting argument against the clumsy rules of GDPR which exist, in my opinion, practically entirely outside reality.
The main problem here is that the GDPR is not enforced.
Those annoying cookie banners aren't actually GDPR compliant. GDPR mandates that consent should be freely given and should be opt-in, so forcing you to consent in order to view the site is illegal, and so is pre-checking the tick boxes or making it hard to opt-out (like having to explicitly visit the privacy policy, or uncheck hundreds of tick boxes).
If GDPR was actually enforced, fines would start flying out, and website operators will quickly start complying and cookie banners will become much less intrusive or annoying.
So I have a question regarding GDPR. I've recently done two projects for intergovernmental organizations (like the UN, to give you an example). Both organizations claim that they do not have to comply with GDPR. I kindof doubt that but IANAL. Short of reading the GDPR laws, or contacting an expensive lawyer, what's the best way to find out if they are right? I'd like to find out before I start the next project for such an organization. Thanks.
That's the cheapest. It's not really that hard to understand. I'm not a lawyer, read it and had a GDPR consulting firm review the tweaks we made of our systems. They were happy with it.
But if you're working for a larger company, then consult with their legal department or have the company hire a GDPR consulting firm. They should be able to afford it without a problem, and will likely be happy to support such an action if the non-compliance risk is deemed large enough. A business decision, not a technical one.
It's almost as if the GDPR were less a carefully designed way to increase the degree of freedom individuals experience while perusing the web, and more an expensive and highly visible way to demonstrate that EU functionaries are Doing Something About Scary Technology Companies. I mean, obviously, it's totally not that at all, of course but it's almost as if it were.
I disagree with a number of premises stated in the article:
> it essentially boils down to "take this cookie or no access for you"
This is something GDPR explicitly bans. "Consent" obtained this way is invalid; the site doesn't even have to bother asking at that point.
> To continue chucking up cookie warnings to everyone and somehow expecting them to make an informed decision about the risks they present? 99% of people are going to click through them anyway
No, sites don't have to chuck up cookie warnings. If the cookie warnings were actually compliant, i.e. didn't try to hide the "no" option behind several clicks, there would be very little incentive for the user to say yes, because "no" means the warning goes away just as well, plus the user doesn't get tracked.
Of course, the sites realize that, and are setting up non-compliant "consent" dialogs that try to trick or pressure the user into "consenting". The solution to that is to prosecute the ones that do that until they stop. (I bet many of the sites set and use tracking cookies even before you close the dialog.)
At that point, the sites can choose whether they want to annoy users or not, but since a large part of the users will click "no" at that point (since the sites can't really provide an incentive to click yes), they might as well stop using the trackers.
And sites using cookies for functionality the user actually wants don't have to ask for consent for those cookies. If the site asks, it's because it wants to track you, and you have no reason to agree.
Agreed. Not happy EU laws are affecting US business. We had to do a bunch of GDPR stuff even though we sell products only in the United States. I get if we are marketing to or selling in the EU, but we're not. What do I know though? I'm just some dude who lives in a terminal.
Well, only somebody completely out of touch with reality (=government folks) wasn't able to predict outcome of this law.
Good thing that there are browsers extensions which take care about removing these "cookies" notification so I don't have to deal with it.
Regular users absolutely do not care about privacy,cookies GDPR etc. When events like "cambridge analytica" occur they will be enraged, maybe even some "thumbs down" and "angry face" emotes will appear under facebook news notification before scrolling further down! Probably for HN users it is hard to comprehend because you are looking at the world from inside of your knowledge bubble.
More knowledgeable users know that this is total farce and masquerade and don't care about cookie notifications too.
I think what is missing from this discussion is possible solutions that don't involve allowing free for all surveillance.
The obvious one to me is to just ban consent. Make anything you would need consent for outright illegal. No one in the right mind would be giving consent for tracking without compensation (which is what the GDPR asks for) anyways.
Maybe leave a small prohibitively expensive loophole for projects that do need to track things (e.g. scientific studies). For instance requiring approval by an ethics committee and a contract signed in person by hand by both parties after jointly reviewing every term.
This is like a case study of well-intentioned, carefully designed regulation doing more harm than good. Honestly, I'd rather just have a browser addin that blocks the cookies I don't want. The market was working fine. Now every new website is a pain, and my organization has hired some amiable lady to be "GDPR expert". She doesn't appear to know anything about anything, but she sure seems nice.
The harm is being done by companies attempting to keep the status quo by nagging users unless they give consent. I hope some of the worst offenders in this regard get slapped by regulators. You can be 100% GDPR compliant and have a functional website without needing any cookie or GDPR consent boxes.
GDPR absolutely does not do "more harm than good". It extends well, well beyond these dumb cookie warnings.
GDPR puts the citizen/customer in power of their own data. They can ask for their data, they can ask for it to be deleted, they have (however shitty the UX) control over where it goes. They can contact large corporations and request these things and be heard out.
I don't know how to explain it any other way: These things are fucking important.
As for your organization's GDPR expert who doesn't know anything about anything, this sounds like a "your organization" problem. Replace GDPR with some other acronym such as HIPAA, PCI or even SEO or PHP, it's still your organization's fault for hiring someone who doesn't know their stuff. How is that GDPR's fault?
Edit: Yes, keep downvoting facts. GDPR isn't just cookie warnings, how is that controversial?
That they're not important to everyone doesn't make them unimportant for everyone.
It's kinda like other rights such as free speech. Some people don't need/use it. Some specific people might arguably be better off without it. But Everyone needs it; as in, it needs to be available to everyone for it to work.
You make a fair point, but the right to bear arms is mainly controversial for safety reasons. What safety issues are there with providing customers control (or at least visibility) over their data?
It's also worth pointing out that the right to bear arms, by its origin, should probably be called the "right to revolt". While this is still a controversial issue for governments (governments don't want revolt), it's less controversial for citizens.
I think the safety issues with GDPR compliance are minimal (there's a weak argument to be made for inefficiency introduction and contributing to warning blindness, but it is a weak argument).
Larger arguments are in the space of tradeoffs. What could companies be doing with the engineering resources devoted to GDPR compliance (including compliance with the consumer-frustrating applications of the law, like the cookie walls)? Since the US doesn't have a GDPR compliance law (and companies in the US only comply when they want to do business in the EU), we'll probably see with time whether the inefficiency introduced is worth the tradeoffs in a highly-competitive world of software services.
I agree with you that the whole thing is inefficient. I think every GDPR advocate, much like me, will agree that it still needs to be improved and worked on. We're nowhere done.
There is a safety issue in that data previously only visible internally is now also exposed to the customer/user and any unauthorized person successfully pretending to be them. The problem of "account compromised" now becomes a bigger (potentially much bigger) problem of "account compromised and juicy data is exfiltrated under a GDPR data dump request (and maybe followed by a request for deletion right after maybe making it so that the authorized user can't even know what was taken)".
That seems like a huge reach. Most of the data that affects users can be one way or another acquired if you're logged in. Furthermore GDPR requests are often handled outside the account itself, except by companies that have the resources to automate them (and those companies usually have a lot of security resources).
I'll give you though that the addition of human processes in there present more security risks. I'm doubtful about the addition of safety risks though.
I dunno, this all seems like an extension of the risks we already have. More data, what of it? If an account with sensitive data is compromised, you're most likely fucked regardless of whether the hacker gets a hold of that data.
It is kind of minor but still necessary to think about. The difference is that "sensitive data" now includes internal data that not even the account had access to or was aware of. You're right it's an extension of current risks rather than a new class, it's only one more attack vector against an existing surface. Before GDPR, the company itself would need to get compromised for that data to be exposed, and that happens often enough. After GDPR, the data for an individual can get exposed just from compromising that individual. Does that data matter? Maybe, maybe not, that's the question with all breaches too. In the good-spirited intention world, post-GDPR the company no longer gathers as much data in the first place, so they can actually reduce/eliminate the impact of that attack surface being broken in either way. I don't see this happening in practice, the desire for more and more data is strong.
Recently a company I trust was sold to a company I utterly dislike and have zero trust in.
Before the sale was executed, as a EU citizen I was informed that my consent was required for the transfer of my personal data to the new owners.
I did not consent. My data is not in the hands of the new owners. And under GDPR, I was able to request all the data they had on myself in order to make an archive of it before the execution of the sale.
None of this was possible a year ago. Know your rights, use them, you'll get to appreciate them.
But I think it might be a case where Troy notes, you're educated on the topic, and like cookie tracking, you probabbly could have dealt with cookie tracking before GDPR too on your own.
I'm not at all sure that applies to more than a handful of people. If that's the case, GDPR is not helping most people.
I entirely agree with the premise that citizens don't know their rights well enough. But that doesn't mean they shouldn't be available to them.
Most people don't know how to read nutrition labels either; they're still there and it's a good thing they're there. Do you think they should be removed simply because people don't know how to read them?
I can make the same argument as to why I believe open source is important. Most people don't know how to read source code.
I'm not saying remove them, but I wouldn't argue they're useful if people did not read them....
I've seen nutrition labels reworked repeatedly.
Privacy laws aren't going to be helpful if most people don't know. Even if I opt out on say my phone... it doesn't matter if they get much of the same data form my friend's phone, about me...
I think there's a lot of GDPR banner waving and it's really not helping. People think any criticism of GDPR is a suggestion that it shouldn't exist. You can belive in the ideas, and think GDPR has failed too.
As I said in other parts of the thread, I agree GDPR still needs work and improvements.
> People think any criticism of GDPR is a suggestion that it shouldn't exist
Untrue; what I do repeatedly see though is people who think that just because GDPR has flaws, the whole thing needs to be ripped to shreds and we were better off without it.
GDPR is actually 0% about cookie warnings, because that's an entirely separate piece of legislation. But yes, the online stuff in general is maybe 10% of GDPR tops, and half of that is what goes on behind your back.
> I don't know how to explain it any other way: These things are fucking important.
I think many people specially on HN understand the implications of using cookies and also understand the privacy concerns by 3rd parties taking their data. What I don't understand is why there are people who assume almost everyone has absolutely no idea or concern about any of these things and therefore advocate for pushing horrible and half-baked regulations like GDPR unto the dumb masses.
GDPR is neither horrible nor half baked. The word you're looking for is flawed. I don't know why you expected it to be perfect from the get-go when it's such a complex subject in the first place.
What it is however is a major step up from before. It's an excellent start. You won't do any better by scrapping the whole thing and starting over. You can improve it.
I don't get the hate either. I was AMAZED the first time I saw how easily I could opt-out to literally HUNDREDS of ad/tracking companies. And without breaking my browser, as I have to do sometimes (disable js or block all cookies-- see how long you can go without running into a completely broken website).
Cookie warning is probably the biggest thing for me, I can see the web slowly dying before my eyes little by little with dumb things like banners blocking 5% of all websites. All you need is 20 more dumb rules and there won't be anything to see on any website you first visit ever again.
I'm not saying cookie warning is 100% the result of GDPR but it as sure as hell is a side effect. We must be careful about possible outcomes of our actions no matter how noble our intentions. Go ahead downvote!
The famous difference between citizen-first EU and corporation-first US. Over here, we do believe that our data is ours. This is reflected in our legislation and regulation.
You don't want these rights and protections in the US? Well good news, you don't have them. They still apply to us however.
You walk down the street and pass by me waiting for the bus. I write down in my diary "Today, scrollaway walked by me while I was waiting for the bus." Who owns what I wrote in my diary?
What you believe "over there" is wrong; data about you isn't yours. You can pass all the laws you like, that doesn't change the moral fact of the matter.
I wouldn't call GDPR "carefully designed" at all. It is ridiculously broad and vague, and so far all implementations (including the cookie warnings all over the internet) are best guesses.
Most of the cookie warnings are clearly against guidance which says that consent must not be a condition of service to be considered freely given, must be opt in not opt out and that even with consent the use of pii must be in the user's interests.
Almost no cookie warnings meet the law and many of the ones that do could use a different lawful basis and not show a dialog at all.
Then you do not need to ask consent to use them. You only need consent for cookies or data collection if it is not necessary to the service (and 'necessary for tracking ads' does not count as necessary).
Because that's what the law says. Your business model is not allowed to infringe on the rights of your users to control their data. You can pay for the site to exist in other ways, but not by collecting your users data without their consent.
It's amazing what's personally identifiable though. Browser fingerprinting combined with ever present analytics scripts gets you most of the way there.
That type reductive reasoning can be trivially applied to any proposed solution (for nearly any problem). You can't really force anything, eventually you just have to accept that some folks won't go along with it, and let them make their own mistakes.
How would that solve anything? The comment you are replying to doesn't want to be asked for permission for cookies. The commentor wants all the cookie requests to be accepted automatically.
He's suggesting making the decision once, per-browser, not per-website, whether or not to allow cookies. Then the browser can include this information in the HTTP header, so the website never needs to ask you.
Oh, Ok. I initially read it as the browsers should ask the user whenever they send personally identifying info, which is basically the status quo. Thanks for correcting me.
Would be much nicer if the - already existing! - do not track header was interpreted to mean "Allow-Cookies: HELL_NO_WHY_ARE_YOU_EVEN_ASKING_FUCK_OFF".
Thanks to GDPR, the provider does NOT have to ask for consent for necessary cookies - only for the tracking stuff to which you have no incentive to agree. Every time a page pops up one of those "we value your privacy" screens, they're lying in your face - if they did, they wouldn't have to ask.
Everything in California is labeled carcinogenic, and so nobody pays it any mind, but it's still done anyway because that's what regulations and the law say. Similarly, this isn't just a bunch of people who operate websites deciding to write these wacky cookie banners because they think people really care about cookies.
When I implemented one of these it was because lawyers told my team to do it. We didn't want this, neither as developers nor as users of websites. Neither were our designers thrilled at the prospect of cluttering up our site with this dingus.
I get that this is just a general rant, and I agree that people just click through them and don't actually care. But it's important to keep in mind how this actually came about, and (as a somewhat separate point) that lots of things in our society operate this way. Which is not intended as a defense, but it's more common than just cookies.
Or do you read every terms of service document shoved in your face when you sign up for something?
this gdpr....argh.. all smoke and mirrors bs leftist incompetence, breaking the www experience, luring users into using even more more opaque 'apps' (usually simple ux making http api calls). The real question is who will be siphoning 'our' (eu) data in the near future (more), china, u.s. or full on balkanisation?
It's time GDPR is actually enforced. I tried to get my country's law enforcement on the tail of some violators but they're toothless.
I don't understand the downvotes though, are you disagreeing that certain countries do not have the manpower to enforce GDPR to the extent they could? Please.
I think they are currently going after the big ones. Personally, I expect that to change once they are through with them. It simply makes no sense to go after big companies when there is still google and facebook to go after. And well, medium and small? I think those still have another year or 2.
In addition to the practicality of choosing the big, obvious violators first, one or two actions against well-known targets should hopefully convince a lot of the secondary and tertiary potential enforcement targets that the EU is serious about enforcing these regulations. Some[1] companies might even decide that complying with the regulations be a better business plan than abusing their user's ignorance to undermine democracy[2].
[1] Unfortunately, experience suggests many will prefer bullheaded clinging to their surveillance capitalism business models to the bitter end.
Are those violators outside the EU? I'm interested to know if the EU would seriously try to enforce their laws in foreign lands that never agreed to them.
I feel like GDPR and such had some good spirit to it... but the result isn't what they had in mind and the consumers just click through everything / have no more clue. Piling on or malforming GDPR seems like it would just make the already unworkable situation more of a mess.
I like the "ideas" behind GDPR, it's just this isn't the way to do it and really accomplish anything that really helps an individual.
I wonder how often we'll repeat the error of treating user privacy as something the user cares deeply about (against all this observable evidence to the contrary) before we accept that the well-demonstrated-and-documented default is users do not care (and if we want the behavior of websites to change, step 1 is educating users as to why they should care and what the risk models are).
I mean, for the average person, it's pretty rational not to care. The only result they see from tracking is seeing more relevant ads. 99.99% of people for the foreseeable future will not have a bad experience from commercial tracking (that they wouldn't have from non-tracked ads anyway).
It kind of feels like Prop 65 here in California. So many things have a 'this could cause cancer' tag that it is ignored 100% of the time, the exact opposite of its intent.
Amusingly I actually just added a ton of Prop 65 warnings to a ton of things because someone got tired of thinking about if it should be applied to every third thing. So now it is on everything ....
That was kinda vauge as I don't want to get into specifics as it is job related, but man it was timely ;)
As a web developer I gotta say the only true solution to this is to stop using the internet altogether. Might as well shut the internet down.
We can't authenticate you without cookies or some other form of identification, so that throws out any site with an account.
Even if I am not even remotely interested in tracking what pages you view on my website if I need to have you login and authenticate I need some form of cookie / session ID.
If you need to be anonymous use a browser like Firefox Focus or similar but understand that you won't be able to log in for longer than a single session, if at all.
Cancel GDPR and similar privacy laws before we outlaw the [useful] internet completely. These laws are a mess written by people who honestly are not remotely qualified to make these kinds of decisions.
I'm all for the option of privacy but it's your own responsibility -- stop using the internet leave all your electronics at home and go ride your horse into the wilderness and breathe some fresh air if you want privacy.
While I'm certainly not going to argue in favor of the GDPR, the "cooking warning" actually specifically excludes cookies used for things like authentication. It covers cookies used for other purposes, such as trackers.
From my understanding if the cookie is for an account on a website (which usually is only required to store private information such as name, email, address, etc) you would need to display the cookie warning.
Cookies are only affected if they are not a core and essential part of the product's functionality, and can identify the user. You could also argue that authentication may not be an essential part of an app's functionality, but you would not be successful; it's well-established by now.
Exemptions to the consent requirement
Some cookies are exempt from the consent requirement and therefore are not subject to preventive blocking (though you’re still required to have the banner and cookie policy in place). The exemptions are as follows:
Technical cookies strictly necessary for the provision of the service. These include preference cookies, session cookies, load balancing, etc.
Statistical cookies managed directly by you (not third-parties), providing that the data is not used for profiling
Statistical (anonymized) third-party cookies (e.g. Google Analytics)*
*This exemption is may not be applicable for all regions and is therefore subject to specific local regulations.
Your post is at the bottom, as a proof of why we can't have nice things. People don't understand that it's MY webiste, not a property of the users or some EU's fattie bureaucrat. If they don't like my website they can just not visit instead of telling me how my w3bsite must behave.
Clicking 'no' should still allow people to view the website, but without placing any tracking cookies.
Source (in Dutch): https://autoriteitpersoonsgegevens.nl/nl/nieuws/websites-moe...