Before the discussion descends into the usual "that's stupid and will kill all tech startups" vs. "that's right because all cookies are evil incarnate", I'll say again:
This is a perfect example of the kind of legal processes we have now.
The EU and Germany in particular have decades of privacy regulation and core values behind them. These core values won't change. Regulation for the past decades has ignored that tech routinely violates these values, and it's catching up now. Rules won't be as dramatic as in the past, but will differ widely from the us.
In this context, it's legally important to account for entrepreneurial freedom (guaranteed by the constitution), but if there's an overriding reason to protect consumers, then it is entirely irrelevant how long companies have been doing this, how many do this and in what other countries they do it.
To sum up, the law sometimes bites late, but it bites hard, and arguments surrounding competitiveness, business culture or internet culture are legally completely irrelevant.
To add to that. Data Protection is "kind of" in the constitution of Germany. In the constitution there is a part about free development of personality. The German constitution court thinks that data protection is necessary to achieve the free development of personality, which is why data protection is constitutional right in Germany.
The legal wheels are grinding on Amazon for a while because it’s a unique case in america. American courts check if something harms consumers, and Amazon is able to show that it transfers the lowest cost to its customers.
One of the biggest legal changes in the past few years was a new direction altogether to determine anticompetitive behavior.
If I recall correctly, FB’a recent acquisition of giphy (?) was also stopped on anti competitive grounds.
Point being that this stuff isn’t necessarily easy, the other side has very good lawyers who tell them what not to do on top of this being novel.
> The legal wheels are grinding on Amazon for a while because it’s a unique case in america. American courts check if something harms consumers...
It’s not unique at all. The old trusts that were broken up at the dawn of antitrust (that’s where the name comes from) were of a similar structure and even more dominant.
The “consumer harm” test (really “short term consumer cost” test) was a deliberate crippling of antitrust doctrine during the Reagan era. The process is only now starting to return to its roots.
Consumers can be harmed by a low price when it is predatory, either to drive out competitors (so price can go up later) or to transfer business to a monopolist who can charge higher prices elsewhere and/or stave off competitive technological or entrepreneurial threats. This doctrine blessed such predatory tactics while pretending to be a high-minded consumer-friendly approach.
> The process is only now starting to return to its roots.
I'd like to cynically say that the rhetoric and arguments have finally started to return to their roots within this particular administration, but there's no evidence of a process actually being carried to completion yet.
There’s been legal theory movement over the past 15 years or so to revisit this shift. All you’re seeing now is some of the peaks of an undersea mountain range. This movement has been gaining in different agencies for years. I think it’s a secular shift rather than something administration-specific.
Of course the rentiers can still squash things, and will. But I think the tide is against them.
Matt Stoller has done great work both documenting this and contributing.
The best would be to read Stoller's massive book on antitrust from the days of the standard oil trust to today, "Goliath: The 100-Year War Between Monopoly Power and Democracy". I suppose you could just skip ahead to Reagan and Bork, but the whole book is fascinating.
Failing that, you could read his blog. He's the most succinct and thoughtful writer on the topic today.
This is not some "hidden history" -- they were quite proud of it. I watched it unfold in real time.
I find it fascinating that the Reagan administration (and the bevy of organizations around it) moved taxonomy and models such that the democrats (in particular Clinton) discussed economics and antitrust using the republicans' framework, just as the republicans still think of the economy from a Victorian/Marxist framework (Labor Theory of Value, capital expressed only in smokestack industries and finance, etc etc).
I'm hopeful. "The logic of political survival" (https://mitpress.mit.edu/books/logic-political-survival ) is one of many books that make a decent case for democratic systems simply being better than authoritarian (in the long run), the more democratic the better. This old journal article while dated and possibly no longer accurate about the arab world give a military perspective on the same dynamics https://www.meforum.org/441/why-arabs-lose-wars
It's important to remember that 100 years ago (if you squint, 150 years no contest, there basically was no democracy in the modern sense (universal suffrage, no special rights), kings and queens and aristocrats still held most power and wealth in most places around the world. It's very easy to forget that the descendants of these aristocrats in places where lasting measures against the lingering power of the old rich weren't taken (i.e., they weren't executed and their wealth was left intact) are usually still in the richest 100 families of the country and wield considerable political influence.
I will stop here now because dang has repeatedly asked me not to make statements likely to inflame "boring" political discussions but I do think that as more and more people realize that they are not in fact temporarily embarrassed millionaires the old power bases of corruption and uncapped dynastic wealth will follow the way of dynastic hegemony over nations.
I no longer believe this to be the case. I am pro-democracy but I am not a suffrage maximalist. During the last election cycle I looked at the myriad of obscure positions I had the right to vote for on the ballot and I realized most of what I was voting for I was unqualified to weigh in on.
For instance, why do I vote for the Railroad Commissioner? Why do I vote for my local county's community college board of trustees seat 5 and 6? You could say that I should be informing myself before I go to cast the ballot. While you wouldn't be wrong for saying that is my responsibility as a voter, I can assure you virtually no one actually does this. I also find the down ballot candidate's pitches so generic and milquetoast that there isn't enough substance to actually distinguish between them.
What's worse is that the obscure positions have either unopposed candidates or just two. And most of the time, people just look for the (R) or the (D) by the name and that's what they go on.
More democracy does not necessarily mean more committees in a big centralised state. One problem I personally have with representative democracy is that the representative class will proliferate. If e.g. the railroad/community was organised as a co-op with special legislative constraints, you could have democratic oversight without these meaningless elections. Compulsory, random chance representation or coercive voting with a review by your successors are also mechanisms which could be explored. Even a well designed market could serve that purpose.
"more democracy" simply means we do not just give one dude (and it's still most often a dude) the keys to power and call it a day and instead think about how to distribute this power so that it stays functional enough to produce public goods, but smeared around finely enough that it's hard to abuse.
While HN might not be the place for "boring" political discussions (no doubt that flame wars and conspiracy theories cloy), do you have another venue that you publish your thoughts on? I quite enjoyed this comment and learned quite a bit reviewing the linked information. Thoughtful political dialogue is ever necessary and frequently absent.
I'm reworking my website (see my profile/email) and will try to put them there as I finish my PhD. Just need to find rhr time to do it properly. It's one thing to type out comments, it's another to publish self contained text and claims.
I want to believe this, but I sense this is just a comfortable platitude we tell ourselves. There are countless examples of both high and low profile injustices that have been carried out with no substantial consequences. You could say it is selection bias that I look towards those, but in the case of refuting an assertion, I think they count.
> it is entirely irrelevant how long companies have been doing this
I always thought this. I was recently introduced to the concept of “practice prevails” whereby if you’ve been routinely flouting a rule, and that rule has never been enforced that you can claim the rule is obsolete. I think it’s mainly confined to contract law but it does help to explain the standpoint of those who oppose such retrospective regulatory measures.
These laws are new enough, and clear enough that flouting them routinely isn't going to go down well in court and 'your honor, we've been doing this for years' might get you some extra sanctions. The best way to deal with it is to simply become compliant, it isn't all that hard, 100's of thousands of businesses have adapted and the remainder really has no excuse other than that they are trying to extend their bottom line as long as the legal fees and fines do not exceed their income. The sooner that changes, the better.
> but if there's an overriding reason to protect consumers, then it is entirely irrelevant how long companies have been doing this, how many do this and in what other countries they do it.
I hear what you're trying to say, but there are problems with this basis.
There is no clear established legal-nexus between the your purported statement of "protecting consumers", and banning the use of any data center owned by multi-national corporate entities who host protected data exclusively internal to the EU in accordance with all known EU data-protection regulations. Now to be clear, I'm not saying this is your statement or position.... but it's what you wrote.
So it boils down to a false-dichotomy; This is protectionism, but not to be confused with consumer protection. The protectionism is the kind protecting EU owned & operated data centers.
I think analogies are awful, but to give an analogy it's like banning a product sold by any multi-national corporation simply on the basis they are not originally EU multi-national corporations. For instance, banning the sale of McDonald's chicken-nuggets, because McDonald's is a foreign corporation, and then alleging the corporation violate the consumer data protection laws because the nuggets are not EU nuggets
It makes no sense because there is no causal-link or rational basis, it's all irrational. Just because irrational laws have been the norm for a while, as you say particularly in Germany, doesn't make them rational now. That's a variation of the ad-populism fallacy.
> It makes no sense because there is no causal-link or rational basis, it's all irrational.
I think you are mistaken here. Strong privacy laws in Germany are decades older than Facebook et al., and to some degree have constitutional level. Similar for other EU countries before the europization of the variants of national law (which actually weakened German privacy and consumer protection law in some minor details).
Big Ad companies have a core business model that is simply incompatible with the values implemented here. That is the whole secret of why there are so few Big Ad companies founded in the EU. Calling that anticompetitive is mistaking cause and effect.
Well, your use of the word "irrational" is for a very specific definition of rational. The German legal system is said to draw on the roman tradition, so there's about 2000 years of development in this. Some of the concepts of rationality might be more correct, but they are comparatively very young.
I also think you are overestimating our ability to rationally observe, understand and predict things in society. Part of the reason why we have these laws is that it is so incredibly hard to predict the outcomes of any intervention.
Of course there is the threat of over-reach, but it's always there. On the other hand, we have plenty examples where lack of regulation lead to massive harm (environmental pollution, medical experiments, monopolies etc). So there is no easy solution, and "irrational" regulation is definitely on the spectrum of sane ones.
Evidence-based policy-making is rare because there is lots of policy-based evidence-making.
As a slight point of contention one of the big differences between German data centers in the US vs in the rebellious state of west Taiwan, is that Germany is part of NATO so at the end of the day when all of the project management reports hit the fan German land and citizens are guaranteed protection by US guns, in the China case they are a foreign directly hostile power. So although many Euro countries might not love they way the US is data harvesting, and with good reason, and the US does have some human rights abuses ultimately US military might stands as a protection against other foreign powers. An apt analogy is, "you aren't allowed to pick on my little brother that's my job." type situation.
Lithuania is trying hard to troll China, but realistically, they don’t have anything to say wrt where their data is stored, because they are just too small to have a say.
As a consumer I feel more trapped than protected. Instead of really disincentivizing the abuse of data, there is now a complicated network of bureaucracy that has been externalized from the EU via companies to the consumer. For the industry it is now about gathering consent from the user through dark patterns and making sure that each of n rules is fulfilled, while the data itself is most likely just as abused as before.
I work in Germany as a data analyst as well as a freelancer. It is trivially easy to comply.
The moment you want to monitor your users' behavior for whatever reason, though you need to ask them. They are not your guinea pigs.
I strongly believe you can have a great business, even do advertising, without selling out your customers/visitors.
And blaming the law because industry is using dark patterns to circumvent it seems odd to me.
Do I like these consent banners? Most of them not. Neither as consumer, nor as the one implementing them. But the hiddeous ones to me are a symptom of a rotten company not valuing their customers. Not a symptom of a bad law.
Not OP, but the sweet spot is there: For anything under your control, that does not collect personal information, or shares data with third parties, you don't need any consent at all.
But you might find it easier (or whatever) to integrate Google Analytics than set up your own Matomo instance, so you'll have to ask the users if they want their data shared with Google.
It's not as complicated as most companies want to portray it.
edit: I had our company website at this point. Locally hosted fonts, no external tracking, own Matomo instance, everything was great and I could finally remove the cookie banner. Then marketing came around the corner, wanted to run paid ads on LinkedIn and Xing, also it was "sooooo comfortable" to link Google Analytics with Google Ads and see how your campaigns perform. Now there are more external scripts than ever, we have Cookiebot (let's see for how much longer :-D) and a cookie banner with the usual settings and lawyer copy on it. I hate it.
We implemented a banner on a website that is using our own Matomo instance, but on a different domain, because some other customer projects use the same Matomo instance. We weren't sure if that counts as owned by a third party, so it was decided to implement the banner. Better be safe than sorry.
I don't think that it is always trivially obvious how to correctly comply, like some other comments claim. Especially when you really want to eliminate all legal risk and avoid Abmahnfallen.
> We weren't sure if that counts as owned by a third party
IANAL, but if the people/company running it is the same entity I think you should be fine. Browers on the other hand will only look at the domains and think it's somebody else... So... Yes, better safe than sorry.
> Then why would you implement them (assuming your company is not rotten), if not for compliance with regulation that failed to find the sweet spot?
Because they are the path of least resistance. Companies don't want to spend any time figuring out how to actually be compliant, so they slap these cookie banners on, most of which aren't compliant.
Also they're not "cookie banners". You don't need to show a banner to set cookie that your site needs to function (such as login, etc.).
They're "we're doing stuff you didn't ask us to and sharing your data with over 300 other companies" - banners.
For example I have a Matomo instance running on my own server. I need to ask for consent (and since this month would even need to ask for consent, if I were doing the cookie less thing). Maybe I am just a little bit vain, because I like to see the days I have one to three visits on my blog.
I use klaro.js as a consent tool. No need for a CDN.
I configured it such that on the first screen you can opt in, opt out or choose to choose.
I hate the ones (them being not in line with the regulations btw) that force you to go to the second screen for saying "no".
It needs to be as easy as one click for yes or no.
> I hate the ones (them being not in line with the regulations btw) that force you to go to the second screen for saying "no".
Absolutely. At the very least it should be legally required that "Reject all" is at least as easy and prominent as "Accept All" if we already started to legally require clicks for consent.
Because the industry is in a Wil-E-Coyote moment. Their business model has always been more than shady, a shadiness that has now officially been defined as illegal.
Industry response to "you are not allowed to do this" has been "but I really wanna", and they think that they can get out of complying with the law via these dark patterns about tricking the user into giving them "consent".
All of this crap is illegal.
Tricking users into "giving" you "consent" is illegal, as is coercing them. The law is very clear about this.
It will take a while for the wheels of justice to grind, but grind they will.
In the meantime, we apologise for the inconvenience, but the world will be a better place.
In general, it's trivial to comply with any regulation: just don't do anything like the bad thing. In the US, It's nearly impossible to trip over any major EPA regulation if you just don't produce industrial chemicals, or do heavy manufacturing, or transport goods, or own real estate.
For obvious reasons, companies choose not to comply in that way, and ambitious companies will instead often test the limits of what the regulation actually prohibits.
But what competitive advantages do they unlock if they choose to non-trivially comply with the law?
This situation was wholly predictable the minute it was decided to pass laws to codify what were previously best practices. We now get to enjoy the same benefits the law has granted in the past on environmental protection, civil rights, labor practices, patents, and copyright... With similar grey areas, fuzzy and contradictory outcomes, and but-what-if attempts to augur the legal process. Not to imply any of those laws should never have been passed! Merely observing that when we use this tool to solve our problem, this is how this tool operates. The pattern is well-established and basically at least as old as rule-of-law.
If you don’t collect personal data (and 99% of those that do shouldn’t), you don’t need to do anything to be compliant. If you need personal data and don’t do anything weird with it (weird being systematic violation of your users’ privacy), compliance is straightforward (I’ve lead two GDPR compliance projects in the past 2-3 years).
If a company has to show 300 banners and asks for consent multiple times, it’s because they are doing extremely weird stuff. Legislation just made it visible.
Where the letter of the law is more important than the intent, there's always more wiggle room to screw over the consumer. But where intent and interpretation is given more weight, things tend to be less predictable for businesses.
There was a story yesterday about someone getting terribly upset about researchers probing the GDPR compliance of the website of a blogger. Some froth developed around people's mouths as the site in question was called a "victim" and any shrugs seen as "victim-blaming". (And I was thoroughly downvoted for pointing out that calling website owners "victims" was a bit more drama than was called for)
GDPR and similar legislation has, as you correctly pointed out, had disappointing results. There is no doubt that stronger regulation is needed to stop companies essentially spying on users for financial gain - just as there is no doubt that regulating this in a way that both helps, and doesn't just become an expensive waste of time, is hard.
> GDPR and similar legislation has, as you correctly pointed out, had disappointing results. There is no doubt that stronger regulation is needed to stop companies essentially spying on users for financial gain - just as there is no doubt that regulating this in a way that both helps, and doesn't just become an expensive waste of time, is hard.
And that's why I find the line of argumentation that says 'the consent law is fine, just give it more time' a bit frustrating. It is such a waste of time and energy, while it does not really tackle the core issue of data abuse, but it negatively impacts everyone's user experience.
I think that the law is not well adjusted plays a major role in the situation that we have today. We are in the fourth year of the law and I see no impulses that would lead to a world without full page overlays on most websites on first visit, where the only primary action is "Accept all". While I as a techie take the time to reject most cookies, the more tech-illiterate part of my family has already sold my firstborn child for a couple of news articles.
I've stopped reading several online publications, and using several service providers because they either try to dark-pattern-bully me into consenting, or just can't seem to "remember" my choices.
Every time I see one of the GDPR popups it incentivizes me to think "do I really need to access this content?" - and more and more often I just think "no" and delete the bookmark or make a mental note that "this website isn't worth the click".
That's actually a good question... how would you do that. I guess the website would need explicit consent to save a cookie with the information that you consent to nothing else.
And that's how cookie consent management platforms (CMP) were born. Storing your privacy preferences on yet another third-party platform since 2017. I always found this kind of ironic.
Only, much of the time they don't actually seem to work.
They remind me of those little fan-like gadgets people sell online that goes in your car air intake and supposedly gives you more horsepower. I've always been amazed that there is enough of a market for things, that rather obviously do not work, for companies to actually bother making and selling these things.
If the full reject is easy and I am not logged in to a website then personally I like it if the website does not remember my choices: I asked not to be tracked and now they are not tracking me.
FWIW my stance on privacy regulation is that it is severely needed, both for consumers AND for businesses, because data deregulation can only lead to unbreakable monopolies, while fully applied GDPR allows user to resell the private data Google got on them, to the next, newcomer, bidder.
That being said I don't really agree with the premise of your comment. A law that isn't applied shouldn't be considered a law, and saying "you should just have applied the law from the start" isn't always fair. For instance, in France, woman were not allowed to wear trousers until maybe 5 or 10 years ago. French privacy laws 1980s already had a real scope on privacy, but it was barely applied. Applying a 40 years old law out of nowhere would simply be targeted attacks to the current disgraced company.
Now, GDPR is really recent, so I won't put it in the "hasn't been used for so long it's dead" basket. Though I kinda think that the portability part of GDPR will (I'm crossing fingers it will still happen, because I think it's the best part)
> For instance, in France, woman were not allowed to wear trousers until maybe 5 or 10 years ago.
That law was a dead letter from 1800. It’s the equivalent of the old English law memes, like that you can shoot an arrow at a Welshman within the precinct of Hereford.
It's been 44 years in France. It was older than current facebook's age when facebook appeared. France abolished the guillotine more recently than this privacy law pased in France. When I was born, it was already no longer discussed.
While true in essence, I don’t think that the German society broadly shares the value of privacy to a level that warrants such excessive restrictions. It is important to note that Germany‘s tradition of data protection originates from a fear of government overreach through excessive data collection (the original constitutional court decision concerned the census).
In my opinion data protection got out of hand when the same standards were applied to private entities while increasingly neglecting the proportionality test, or — less legalese — a risk benefit analysis.
It is common in German jurisprudence to widen the scope of protection (‚everything‘ is personal data) but the proportionality test is strict (it’s okay to transfer personal data because the gains outweigh the risks as the data is only moderately private). I think that softening of the proportionally criterion has been influenced by a general fear that every datapoint might be somehow relevant even if there is little evidence.
(Disclaimer: Legal theory is slightly simplified, but true to principle)
I agree that there is a widespread feeling that legal protections are missing reality (wirklichkeitsfremd).
But I'd argue that the roots of Germany's focus on privacy are not only rooted in protection against the state. Yes, constitutional fundamental rights are protections against the state (Abwehrrechte), but the legal interpretation established by the supreme court also draws on an ideal-typical perception of citizens as informed, rational and responsible people (mündige Bürger), who - through education, intelligence, moral values, dedication and pro-social behavior - create and sustain society.
Such self-determined citizens cannot exist in the face of overbearing, and especially invisible or intractable (!) external coercion. That's also the root of informed consent, of course. So in this sense, privacy protections are a safeguard against dumbing down citizens, and I think the general intent is indeed valid.
> perception of citizens as informed, rational and responsible people (mündige Bürger), who - through education, intelligence, moral values, dedication and pro-social behavior - create and sustain society. [...] Such self-determined citizens cannot exist in the face of overbearing, and especially invisible or intractable (!) external coercion.
That's excellent, it's these type of arguments that get too little attention when digital "privacy" gets discussed today.
In support of the ideal of citizens as informed, rational and responsible people (mündige Bürger).
This is a foundational assumption of post-Hobbesian democracy, which asserts that power originates from the people and is delegated to the government (contrast to other political philosophies such as divine right of rule etc).
so the consequence of 'dumbing down citizens' is a destruction of the legitimacy of the government. Just as if the king rules by divine right, he would be silly to promote atheism.
> I don’t think that the German society broadly shares the value of privacy to a level that warrants such excessive restrictions
I live here. Privacy awareness is very high, compared to everywhere else I've personally been. Nobody likes having their picture taken, nobody likes being filmed, nobody likes answering questions for strangers. And they'll tell it to your face too.
Go onto Google street maps for Germany and see how far you get.
The germans' attitude to privacy is... incoherent, to put it mildly. People get up in arms about the weirdest things, such as the Google Street View you mention. Thousands of people see an apartment building's facade every day, so what does blurring it on Google Maps give the residents, privacy-wise?
And yet, people are amazingly complacent în other aspects ("War halt immer so"). For example, your apartment's doorbell has to have your last name on it: someone with an unusual name could conceivably be tracked down just by postal code. For another example, when I was blogging, I had to display my full name and address in an Impressum on the website - dox myself, so to speak.
And, of course, the Berlin government forces people to register their address, and allows everyone to query it, because why wouldn't they:
> And, of course, the Berlin government forces people to register their address
Meldepflicht is in all of Germany, it's not a Berlin thing.
> and allows everyone to query it, because why wouldn't they:
This is highly controversial, for exactly the reasons you might think.
However, this is an "Einzelauskunft", so you get one address per query, and you are not allowed to trade in those addresses or use them for advertising. Also, if you want more detailed info, you have to provide a valid reason for wanting them.
>so what does blurring it on Google Maps give the residents, privacy-wise?
ephemerality. If you think your neighbor is violating your privacy you can take it up with them, you think you can take on Google? There is no incoherence here. If you live in a neighborhood, there are of course certain natural limits to your privacy given that you're part of a community.
But digital privacy laws first and foremost protect citizens from entities well beyond their control, they protect them from automated processing, storage of their data beyond their own borders, and privacy erosion in ways they cannot control and at a scale that creates entirely new problems. Of course nobody has absolute privacy, everyone can overhear a conversation, but this does not end with a surveillance state or control society. Corporate entities or governments processing billions of messages in real time does.
It doesn't allow "everyone" to query it. You need to be a german citizen. You also need to provide either "gender and birth date" or the "address" of the person you're looking for, along with their full name.
There is no such law that requires you to put your name on your doorbell in Germany. You are free to use Santa Clause or whatever. Perhaps the post man will at some point put dog shit in your letter box but otherwise there is nothing that would compell you to use your name.
Well, I live in a place where doorbells are attached to people. It's not "necessary" but, just for starters, you might not even get your mail if a signature for something is required.
Maybe it's different in some places but your delivery example seems like it would rarely cause problems as deliveries are usually addressed to addresses with a house name/house number and/or flat number, so they'd ring the corresponding bell for the house/flat number and then ask for the signature connected to the named recipient.
I've never heard of a delivery person say they wouldn't delivery an item because there was no name on the bell or that the bell name wasn't consistent with the recipient, and those guys are experts at excuses for why they can't/won't make a delivery!
> I've never heard of a delivery person say they wouldn't delivery an item because there was no name on the bell or that the bell name wasn't consistent with the recipient
That's exactly what our post will do to you. (And not just because they don't know what doorbell to use if there's no name on it.)
I absolutely hate the attitude towards privacy here. The street view example is just perfect: people require google to blur their building facade but the same people have no problem having their full name (incl. partners name), phone number and address on a publicly searchable online phonebook.
People constantly complain about the greedy tech companies collecting data where ever they can and proceed to complain about the strict privacy regulations in the EU in their next sentence. Forcing private individuals to put their full name and address into the imprint of their personal website, which often enough isn’t even run for profit, seems absolutely absurd and very publishing hostile.
To me it’s more and more starting to seem like people don’t actually care about their privacy, they just want to be against something.
> people require google to blur their building facade but the same people have no problem having their full name (incl. partners name), phone number and address on a publicly searchable online phonebook
Wait...so people can decide which facts about their life they want to remain private and which they're fine with you knowing? I thought that was the whole idea of self-determination. Where's the catch?
Please explain, what about my building facade is so incredible private? Sensitive information is blurred anyways and google won’t publish anything that is private, they are just taking pictures of public spaces, which is totally legal.
> Please explain, what about my building facade is so incredible private?
Your building's facade is whatever you decide it to be. It doesn't matter what other people think, it's not up to them. So, likewise, you're not the one to say that someone's building's facade is not private. A major part of respect for other people's privacy is letting them decide what they're private about. I mean, sure, lots of impolite things you may be doing are still legal. Laws don't define courtesy.
In my case it is actually the other way around. I had no problem with street view but would never list my number in the public phone book.
I selectively decide what to attribute to my name as long as I am able to. So that I for example decided that I am OK with the need to have an imprint on my website and my full name and address being tied to what I write there.
I understand that this isn't for everybody, but I decided that I was okay with attaching my name to my writing.
But I am not okay with random businesses being allowed to spam me via online generated profiles without me knowing or consenting.
I know there are a lot of things that still should be massively better in Germany. But knowing how easy it is to comply with the GDPR and relevant other regulations I actually like them.
To be fair, recent tech has eroded that a lot. People are still not happy about all of it, but the resistance has been dropping - usage of Facebook and Google products is now pretty widespread and people (especially young ones) seem to be far more lenient in that regard.
Unfortunately true. The steady, slow and, in everyday live, invisible erosion of privacy is what might ultimately bring an end to online privacy. Especially once certain politicians see the benefit of outsourcing surveillance to third parties. Despite privacy being generally held up a lot in Europe, there are definitely a lot of people in power all over the place that would love to have access to the kind of data ad-companies have.
That courts are ruling against this, in whatever way, is still a good sign.
I think this is less due to a genuine change of heart and more because the lack of enforcement by the government in regards to big tech has left people without much choice.
You always have a choice. But you can't deny that the services offered by these companies are really good and, not to mention, completely free. It's easy to give up long term drawbacks for short term benefits.
On the other hand, the proliferation of hacking and fraud could drive a swing to the opposite direction. It's got to the point where being hacked, blackmailed, or being the target of fraud is a regular occurrence, and a lot of that is driven by hackers having easy access to private data which lends plausibility to emails or text messages.
When you get to the point where judges and lawmakers have, more likely than not, personal experience of threatening emails containing private information, there's a lot of incentive to reduce the amount of data collection - and correspondingly, a lot of popular support for the idea.
> While true in essence, I don’t think that the German society broadly shares the value of privacy to a level that warrants such excessive restrictions.
You are wrong. I have been living in Germany for almost a decade and it absolutely does. In fact, it is one of the things that I appreciate the most about German culture.
Maybe privacy preferences are a bit incoherent sometimes, but nothing is perfect, and I much prefer that we err on the side of protecting privacy too much than too little. Especially in this brave new world we live in, were culture is being slowly but surly manipulated by powerful interests to erode the right to privacy more and more.
10 year old survey, but it seems the data disagrees with your perception. I'd imagine since then awareness has risen massively, so if anything people would likely be more concerned today.
> I'd imagine since then awareness has risen massively, so if anything people would likely be more concerned today.
It's sadly the opposite; It's so normalized that a whole generation was born into it and don't even see anything wrong about it.
All a lot of them see is how Google is giving them "free services" and how Facebook allows them to make "free friends", and then they declare; That's the web, and that's how the web has always been and how it should be.
And who can blame them; They never knew any other web than the glorified digital mall [0] it has mostly become.
I understand your argument and I agree that all of this is excessive and maybe spiraling out of control. However the core of the case is "I'm German, that web site is Danish, my personal data have no reason to be in the reach of the US government." By the way, Germany and Denmark share a land border. I think it's difficult to argue that even with the cloud it's not easy to explain why to access a Danish university from Germany one couldn't use an EU only set of technology providers. Of course using Akamai (a well known company) is easier than researching, assessing and using some relatively unknown European solution. I'm European, I'd have to Google (ironically) for one.
The university is German, their website is therefore "German". They just use a "cookie consent tool" by a Danish company, which in turn processes data using Akamai's infrastructure.
I find it problematic that the university requires any cookie consent whatsoever in the first place. They are a public institution (Körperschaft des öffentlichen Rechts), not even a "company" but state-owned, and they run basically a static website and shouldn't have a need for cookies. Any "member" area (students and faculty) would require an account anyway, where you can and have to ask for all kinds of consent during signup anyway.
I get the Danish company doesn't want to run a CDN (with DDoS mitigations and all that) on their own, and it's a real problem that the EU economy snoozed when it came to creating competitors to Akamai, Cloudflare, AWS/GCP/Azure. There is a sliver of hope that court decisions like this will create a "demand" for such platforms within the EU, and that finally some companies with some "investment" money to spare (we still have plenty "rich" companies) will fund that. Or maybe at least the US providers will find way to create EU "subsidiaries" which are actually legally shielded from US (and other non-EU) law.
> I find it problematic that the university requires any cookie consent whatsoever in the first place.
Totally right, and also
> If someone else is okay with the data transfer, he can opt-in if he wants to. I should not carry the burden of having to opt-out of it.
so much this. If something is spiraling out of hands it is the cookie usage, which is 99% AD tracking.
The current law is badly implemented, or lead to bad implementation. Now almost every site asking your for their necessary or "helping" cookies, most often using dark patterns to trick you into just accepting all - and because you get this stupid cookie prompt on every page now, everybody just wants to click it away as fast as possible, which misses the target totally, too :(
Still, its not data protection spiraling out of hand, but that basically every site, even ones where I don't login to or want to drop off any other data, but just fetch a small information, wants to set cookies is ridiculous. We all should have never accepted that, but too late?
The case is about a German public university, owned by and located in the state of Hessia, that uses a Danish service provider to manage cookies on their website, which in turn uses Akamai. That by the way is the reason this whole thing is tried at the administrative court - the defendant is the state itself.
I disagree. Aside from the possiblity of collected data landing in the hands of government fairly easily, this isn't the only reason for privacy protection. I would also dispite that it got out of hand in some cases, although it is often just applied wrongly. It isn't as popular anymore since the normal user is just annoyed by the cookie popups and in his mind data protection instead of the site owner tracking people like there is no tomorrow.
As Google Maps Street View showed back then [0], the public at large cares exactly as much about privacy as the media tells them to care about.
[0] a huge amount of misinformation going on, making people think there would be live cameras showing them on street view. At least to me, it felt like manufactured outrage by people who didn't understand what was going on (neither the instigators, nor the outraged).
edit: It was mainstream enough that there were articles about it: "Webforscher Humer glaubt, die deutsche Skepsis basiere auf falschen Vorstellungen zu Street View. Viele Menschen würden davon ausgehen, dass Google Live-Bilder übertragen wolle" - https://www.onlinekosten.de/news/webexperte-deutsche-versteh...
I remember more from the local press back then. But it's hard to find sources about it now.
I really never understood why Germans don't like to expose the outside of their public facing houses to Street View. It would be very frustrating not to be able to see in advance where I'll be going to the next day and prepare accordingly. Examples: Is that shop really at that address? Is there some parking in front of that house? I've been using Street View like that for ages.
The residents should decide because they are, welll, residents. My partner's parents had their house photographed with the garage door open showing a rock & roll poster with the f-word on the inside of the door. A French guy was photographed while taking a leak in the bushes in front fo his house, that he was trimming. He sued Google and won.
The linked article says people thought Street View was a live feed of their houses. This is pure conjecture coming from a single person, and sounds like a massive straw-man.
I know several people who have blocked their houses on Google and absolutely none of them had this assumption. Anecdotal, I know, but in the article there is zero data backing that assertion.
I was working in online media back then. They loved these crazy ideas and promoted them because of massive outrage. Outrage generates clicks and clicks === €.
And then they wrote pieces about what kinds of idiots didn't want to have their houses filmed. And about people who had their shop front blurred, because people in the 5th floor didn't want the house to be in the clear on street view.
It was outrage porn at it's best.
And one of the things that made me decide that I maybe should do something else with my life.
Yeah, agreed. As a teen I did an internship in journalism, way before becoming a coder, and crazy stories like those were the bread and butter of newsrooms. :(
Oh yes it was! Did you talk to „normal people“ in Germany back then? It’s not like that was the way it was reported by the media, but that’s what people understood.
I disagree with both (longer) replies — but sure appreciate the style of debate.
The reason to allow data transfer to the US for (arguably) trivial data is that a private entity might choose Akamai as their subjectively best option. Restricting data flow for (arguably) no good reason puts restrictions on other who can invoke their own fundamental rights. Leaving aside that it’s also not great to force the technologically inferior solution for (arguably) moot policy reasons.
As to the argument of informed consent, I think that’s another severe misconception. In my opinion, consent is only one option to legalise data processing. The fact that GDPR (and older German legislation) lists legitimate interest is important. We should — in my opinion — not fall for the fallacy that data is a whole different universe that can be split off from everything else. For most of our lives, data just flows with contracts, relationships, torts and whatnot.
I do acknowledge that in the case, the university is Public and does not have (relevant) fundamental rights. Also that web analytics is likely one of the consent only scenarios. But we’re drifting into theory anyway.
Your argument hinges on the fact that you consider data privacy rights as "moot", "trivial" etc.. That ignores the fact that many people and the lawmakers disagree. In Germany for instance there is the fundamental right for "informelle Selbstbestimmung", the right to have governance over the information related to ones self.
Now you could certainly argue that this right is irrelevant/not needed, but you didn't bring forth arguments to this extend. Without this your argument is largely about businesses being inconvenienced (many European countries don't give businesses fundamental rights like they do for people)
Also, the reasons these laws exist in the first place is because not too long ago, privacy was massively eroded in the eastern half of europe and intensively used for suppression.
>"The reason to allow data transfer to the US for (arguably) trivial data is that a private entity might choose Akamai as their subjectively best option"
And what if it's China/Russia, and its 'best' because it pays for private data? Does the argument still hold?
At the end of the day, this is simple: is it my data, or not? If it's my property, why should someone elae have freedom over it?
Or, for a not-far-fetched example, say the data goes to a country where
1) you have relatives, and
2) homosexuality is a capital offense,
and your search results may be use to implicate you of homosexuality, or by extension your relatives in that country, and the country's police are monitoring search histories.
It's also interesting as an example of jurisdictional conflict.
US law grants the US government broad (some would argue over-broad) reach into the digital activities of US-based companies independent of where those companies physically house their data. The great truth of the Internet is that it's a location-disrupting technology: modulo latency, the computer next to me on my desk and a computer in Sydney, Australia are logically exactly as close (by which I mean: fully equivalent whether I'm fetching data from one or the other as a client). But of course location still matters for the oldest location-focused institutions on the planet.
I predict that unless higher courts just decide to disregard the reasoning in this case, the resolution here will be either an international treaty between the US and the EU to clarify data access rules here or a simple jurisdictional mess: whether an EU citizen's data can be sniffed by a US company from computers in the US will be entirely up to who's government cares most.
What I am thinking right now: How will this affect me as European wanting to access US sites? There are already a bunch of sites that completely exclude European traffic on IP level.
It's great to have data privacy. I am totally for it. But it comes at a cost. People are not willing to talk about this cost, let alone take it into account when making a decision.
But isn't that a little bit like having your cake and eating it?
You get to live in a place that has (democratically) decided to put a particular cost on privacy. That cost being that you don't get to benefit from the cheap-ness of low-privacy offered in other places.
Yes, absolutely and I am aware that it is a trade-off. I am complaining that in discussions these trade-offs don't come up. I wish we would deliberately discuss trade-offs and make conscious decisions.
That sounds like you're against international trade in general, since most countries benefit from buying varying amounts of cheap stuff from other countries, where the rules (and conditions in general) are different. Somehow, for most people, that's not been a problem so far, though.
This is actually a very important point: international trade can and does bypass many local regulations. For example, a lot of countries banned slavery and child labour, and yet import plenty of products created by slavery and child labour in other countries.
And we don't talk about this nearly enough. Everybody loves being able to buy super cheap clothes from sweatshops in Bangladesh. Everybody is still going to enjoy the football world championship in Qatar, played in stadiums built by what's effectively a form of slave labour.
We should definitely enforce our humanitarian values also through our trade and other agreements, otherwise they're meaningless.
I don't think it's really comparable - as the rules at play here are designed to protect the privacy of EU persons. There are plenty of things that I could buy from parts of the US that are considered unsafe in the EU for example, and so it is forbidden for me to engage in trade and get them. They would (theoretically) be confiscated at a border.
Despite some politicians best efforts and desires, there's no practical way to stop someone 'importing' privacy damaging web traffic, so the risk of non-compliance is being loaded onto foreign website operators. Therefore should a US website desire to follow EU laws, there would be no restriction on them being accessible to EU people.
But with international trade you're also eating your cake and having it, too. Doesn't necessarily mean it's the exactly identical cake, and I didn't even claim that. Just that eating your cake and having it too happens all the time.
Of course there is a cost to market regulations. If you require proper waste management, some industries will have to pay an additional cost compared to just dumping the waste. Few companies in the world have ever said "we will continue to hurt the environment despite the costs". The political gamble with regulations is that there exist competition and through that there will be companies willing to follow the regulation in order to access the market and earn profits.
No matter how much privacy laws and regulations occurs within EU, it is unlikely that companies like google, apple, Microsoft or amazon will ever be willing to completely give up on the European market. There is simply too much money to give it up and have competitors take it. The websites that might be willing to exit the market is those that already have very little stakes to remain, like American news sites that focus on specific regions and demographics in the United States. For HN readers we tend to see those for time to time, but I doubt many other Europeans notice much of sites that already exclude European traffic.
"I'm sorry, you can't access this site because we do shady stuff with your data and can't get away with it in the EU."
changes VPN location to US
"Ah, an American, welcome!"
Everyone should be using a VPN. Of course, "Which VPNs can you trust?" ends up being a valid question and I'm sure that landscape will continue to evolve for the foreseeable future.
You miss the point. Many USA based companies happily comply with EU regulations and offer their services. Some do not, because they do not want to comply with the regulation, which specifically forbids generating revenue from user data.
What you are complaining against is that some sites are built around selling user data and EU makes it hard to do so. The cost you are talking about is your inability to form certain contracts. Every regulation comes at certain cost. However, in this particular case the data protection and safeguards against selling of such data are the basis of regulation, not the consequence. GDPR is born to enforce this cost and this cost has been integral part of surrounding debate.
It is not people who are not willing to talk about this cost, but rather data broker lobbyists, who try to sweep this cost (data protection) under the rug who do not want to talk about this cost. Every time someone makes a counterpoint against broad statements protecting data broker interests (e.g. personalized-ad supported websites cannot exist profitably), that is the debate you are looking for.
This is a misinterpretation of my comment. I am complaining that people make decision optimizing one KPI without considering collateral damages. I am criticizing the thought process leading to a decision. Not its outcome.
I'm very pro-privacy, but I think you made a valid point. Just adding my opinion as a voice.
If I understand your example correctly, you refer purely to the point of view of a citizen, not a company. In that case, I think you are right. It has drawbacks for those citizens that also benefit from it. This was considered when the regulation was created, and some balance resulted.
I think the basic problem is that GDPR is one of those "global" laws - everyone has to follow it, everywhere. This is similar to what the US has (effectively) been doing for a while, perhaps the reason why it became similar. Either way, I consider it as wrong. No law should go beyond a country's border, unless a separate agreement between countries was made. From my point of view, it would suffice to force European companies to not use any services by those who do not comply.
The arguments you list in the end are not legal arguments, but political ones, so it’s not a big surprise they are „legally completely irrelevant“ - unless politics turns them into law.
Perfect summary of what is happening right now in Europe. German citizen in particular have a strong privacy-oriented culture after what happened during WWII.
I'm always amazed by my countrymen chest-pounding themselves about their alledged cultural resilience against the surveilance state.
Not only did none of us live during the Nazi-Era, but most of us that lived at least during the Stasi-Era (in the West) are routinely falling short of living up to their own moral standards.
They champion getting rid off tax-privacy, they champion getting rid off non-digital currency, they champion blocking social-networks because of "foreign desinformation" (i.e. domestic opposition), they take no offense that a think-tank owned for-profit media-conglomerate does the domestic deletion and blocking of social media accounts (Bertelsmann > Arvato -> FB/Twitter/…).
And most hilariously, progressive luminaries like Daniel Cohn-Bendit or Volker Beck – which during the 1980s gained political traction by "fighting" against having A NATIONAL CENSUS AT ALL – are nowadays championing throwing out medical-data privacy alltogether and having to hand out your unlocked phone to the police at their whim.
(Needless to say how cultural chest-pounding thouse luminaries were in the 1980s)
> And most hilariously, progressive luminaries like Daniel Cohn-Bendit or Volker Beck – which during the 1980s gained political traction by "fighting" against having A NATIONAL CENSUS AT ALL – are nowadays championing throwing out medical-data privacy alltogether and having to hand out your unlocked phone to the police at their whim.
Can you provide some sources for that, I haven't closely followed German politics in recent years (as I've been living overseas), but I'm quite surprised that DCB would champion police search powers like that.
I think the idea that germans are the victims of history (and that's why they're so sensitive about oppression) is actually older than the stasi, or the nazis. Hitler, for instance, uses the theme an awful lot in his speeches. It just got a big boost from the post-holocaust psychological judo where germans recast themselves as the victims of the nazi dictatorship, rather than the enthusiastic supporters.
It leads to some funny statements, to be sure. The woman who said she felt like Sophie Scholl because she had been in coronavirus lockdown was one example - but honestly, if you mess with somebody's parking place, they're about two sentences away from saying you're literally the NS-diktatur.
Still, if it leads to a sense of urgency over privacy, I'm all for it.
Do we actually have any proof of this, over the past years?
Most of these legislation are a big hurdle for startups (e.g. you have to have a "chief privacy officer" for GDPR) but at best a hiccup for big tech (no, million, even billion dollar fines are nothing but a hiccup to their uninterrupted business models).
> Most of these legislation are a big hurdle for startups (e.g. you have to have a "chief privacy officer" for GDPR) but at best a hiccup for big tech (no, million, even billion dollar fines are nothing but a hiccup to their uninterrupted business models).
I am a consultant. My colleagues and I work for a number of smaller and larger companies in the Nordic countries and elsewhere.
My feeling is this isn't as big a problem as HN makes it out to be.
As a small company it seems you'll get questions and free advice first, and then only you'll get fined unless the violation is intentional or so severe that you should have realized.
I guess that it is much bigger problem for the megacorportations. I guess in addition to the fines doled out so far they've also spent countless hours both at work and at night to try to get passed GDPR, and also I guess it has slowed down internal processes quite a bit just like the Sarbanes-Oxley Act (SOX) did a couple of decades ago.
I can only agree. I work for an agency (part of a big consultancy) as well as a freelancer for small businesses.
It is really easy to comply. Even if you want to use specific services for which there is no alternative.
But more often than not there are alternatives (for cookie consent, for analytics, for hosting, for CMS, for newsletters, and so on).
Marketing conversion tracking becomes more effort, though. That's true. Because that would mean handing your user's data to the big monopolies like Google or FB.
> it's legally important to account for entrepreneurial freedom (guaranteed by the constitution)
Is this even true for any european country? Don't get me wrong, this is vastly applies right now and the only problems appear at a high level, but If i'm not mistaken no european country has a fundamental text that protects what you're talking about.
All "cookie management providers" should be banned. Cookies are meant for a specific website to remember information about a visitor, every website should manage their cookies themselves. Together with the HTTP referer field (and referral URL parameters perhaps, maybe also IP addresses geolocation - this is questionable but let's be honest) first-party cookies are sufficient for all reasonable visitor tracking. Both can be disabled by a user who doesn't want to be tracked but are enabled by default.
A user can delete cookies but can't change the fingerprint reliably. Fingerprints also are easier to secretly share between multiple conspiring parties. Using cookies is a legitimate and more-or-less civilized practice, fingerprints are by definition meant to spy on users against their will. Why do we have cookie warnings but no fingerprinting warnings? Browser fingerprinting should be strictly outlawed for non-police use and require a court order. It's more like eavesdropping rather than like cookies.
Cookies are only mentioned once in the GDPR, as an example in the preamble (paragraph 30). Article 4. defines personal data and identifiers without referencing specific technologies:
> (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
In the English speaking sphere people get hung up on "cookie laws" because the UK had a specific implementation of such a law in 1998 or so.
GDPR and many of the non-UK privacy laws that preceded it in Europe didn't concentrate on cookies but on the user identification concept, but "cookie law stupid" is a meme by now.
They have their own pixel that presumably helps them match users to visitors; also most sites have a Facebook like button somewhere.
The FB app ID is also one of the most common meta tags behind Open Graph.
A nice small example of what this can do can be seen with Clearbit [0] which does a good job of telling you where someone works based off of nothing but their IP address. Imagine that but with the exponentially larger data warehouses of Facebook or Google, paired with referrer tags (FB has CLIDs that allow them but not you to match clicks to actual users) and meta tags (FB can tell exactly what app, page etc a website is associated with and use that data to advertise to users).
Since I started using Safari and iCloud Private Relay, hiding my IP address, this no longer works, since the IP they see changes a lot and is only vaguely in your area. I think FB etc. knows the address range of the IP that are exposed and just gave up using them as it gives no useful information.
You are thinking like a software engineer that an illegal practice should be completely impossible to do, but socially it always sufficed to just put a reasonably high penalty on something and fine offenders regularly.
And, unlike some other computer crimes, it is sufficient to prevent local companies from using the technique. While someone who's hacking or laundering money might simply use a proxy in the Bahamas without problems, a company local company won't risk fines for using it. Sure, companies from far away can still advertise to you via tracking, but the value of their advertisements will go down sharply if no business near you can buy them.
Ok, so follow up question then is what about the same techniques used for finger printing but done so legitimately and then gray areas in between? Because I think relying on legislation cuts both ways, no?
I'm not an expert on front end technologies, but all those capabilities exist, I think, for some legitimate technical purposes. Now the only question is how is the data used...
Obviously using media queries to display a page correctly is fine.
Someone's preferred language and user agent detection also fine.
And then eventually you do all this legitimate stuff and maybe cache it to improve page speed. (Bear with me haha, I'm out of my depth)
Until, eventually, the same laws get used to do something kinda bad... I could see security heuristics being used as sort of an excuse to do actual fingerprinting and storing and sharing that data... all with promises of free stuff and totally safe and trustworthy partners.
Maybe a good way to help alleviate the situation is for browser vendors to provide an actual good way to track people without identifying them... what's it called? Differential Privacy? I think that's like a mathematically proven way to do this.
Even better would be if you could some how also poison the utility of finger printing in a persisted format, although I don't know how you could do that... I guess fully holomorphic encryption?
Maybe browser vendors could provide some kind of "clearing house" for operations that utilize these fingerprinted traits to take place. Like you, the developer, supply a function that accepts some fingerprinted input, to sort of a black box that then performs the work but hides the inputs. I just guess one problem with this is that the same developer could sample before and after and intuit what the original input was.
At any rate, I do sort of prefer well architected technical solutions, and would rather see the legislation demand that, then demand good behavior when good behavior can be so wishy washy.
"Cookie Management Providers" are Cookie-Management-As-A-Service. Now it suddenly sounds hip and cloud-based and something your can buy and easily integrate instead of having to develop it in-house. Plus you are able to shift the blame to the "Cookie Management Provider" when issues arise.
I hope they fine the everliving crap out of these platforms that go "oh suuuure you can opt out of all this tracking, just spend 5 days turning off millions of individual settings in this maximally inconvenient dialog!"
"Legitimate Interest" is when you need to collect personal information, but not for shady stuff. An example is for Fraud prevention, network security (eg: Cloudflare), or for legal reasons (eg: purchase information). As long as you don't use this information for anything else you're in the clear, and don't need a cookie banner.
Another example: "An organisation is looking into the way it stores job applicants’ personal details. It is legally required to store this information for six months, in case a candidate lodges a discrimination case."
The problem described by Ekaros is that TrustArc and other cookie banner companies have interpreted this as meaning "I can add a checkbox so the user can say it is in their legitimate interest for ad-networks to harvest their data".
This interpretation of GDPR is incorrect. Legitimate interest does not need a checkbox. Also, asking customers if something is legitimate interest or not doesn't make it so. Also, the fact that the "Legitimate Interest" checkbox is checked by default goes against the spirit of GDPR.
"Legitimate interest" is a grounds for data processing under GDPR.
Someone seemed to cotton on to the (incorrect, per my understanding) notion that it was applicable to placement of cookies. That's covered by the ePrivacy Directive (and national implementing laws), and they don't make any provision for "legitimate interest".
Nonetheless, regulators move slowly, and companies want cookies. Having this gives them two bites at the same cherry (in their eyes), and enforcement is a long way off, and unlikely to scale.
There's only 2 exceptions to the strict requirement for consent - to communicate the data to the user, and to deliver functionality directly requested (i.e. shopping basket, login session). But enough people try to claim "legitimate interest" that others think it's OK...
> enforcement is a long way off, and unlikely to scale.
Companies want cookies because it gives them an expected economic profit. The expected profit minus the expected fine (risk of a fine times its expected size) is the expected net.
To make this equation result in a negative net you can both increase the risk of being fined, or the size of the expected fine. So first of all, there should be a few massive (As in company-ending) fines, and they shouldn't be for some unusual or extreme violation - they should be for common practices such as using a common cookie banner service that blatantly misinterprets the legal text.
Next, the scaling of the enforcement. It's difficult to scale, but considering how much money could actually be made from these fines, it does seem possible to have a massive self-funding organization do this.
Also, quite a few companies probably right now think something like "Well, without tracking ads we'd be out of business anyway and I don't see how we can change business model to subscriptions or similar, so let's just try to keep using dark patterns for as long as we can rather than just ceasing operations". To counter this, you'd need to add a factor to the equation that makes busineesses think "Ok, we should probably just get off the internet rather than use these dark patterns to keep margins". I'm not sure what would push the thinking in that direction, but probably personal legal responsibility rather than simply financial risk (i.e. risk of personal fines or prison for decisionmakers).
I keep getting emails from those LinkedIn scraping sites that construct your email from common emails conventions (e.g. $firstname.$lastname@$popularEmailProvider), and when I look through their sites, they always claim that what they're doing is legal as far as GDPR is concerned because of "legitimate interest". Ridiculous that I have to contact them to force them to stop selling my data when they shouldn't have the details in the first place.
“Sadly”, I no longer have a Windows computer. The script was just a loop over querySelector and .click() – once to open all the things, then another time to click all the buttons.
The video wouldn't be that funny; most of the time was spent with the screen frozen while the fan spun at max (for no reason I bothered to identify). If you want to recreate it on a powerful desktop gaming rig – something almost powerful enough to browse the web smoothly – then I'll have a go at making a new script for you.
Note that this ruling is unrelated to handling of opt-outs. Instead, they are saying that you can't build on top of any US-affiliated services like Akamai.
You can't build on top of any US-affiliated services like Akamai before getting consent. The cookie banner was presented using Akamai, so (naturally) it was done before getting consent.
Consent about data processing can be done by third parties as a service, but not in the simplistic fashion that is currently in use. It would have to be moved to the first-party, i.e. have the third-party cookie service provider develop a solution that is then deployed by the first-party company itself.
The ruling may actually be broader than that: I think this also means you can't serve your main html via Akamai or any other US-affiliated service, since that happens before gathering consent?
The cookie banner on iapp.org is provided by OneTrust via cookiepro.org[1]. This thing figures out your location (by IP address) and displays a banner at the bottom of the page with specific buttons for the laws based on where you live. It captures data from around 42k websites[2], with a unique user-specific ID, so OneTrust can track people across all those sites. If OneTrust operate other services, or if they share the data with other organizations, they can track you more widely.
Cookie banners that seek to improve privacy for users by limiting what third parties can do have become another way to track people. Limiting the activity of cookie banner providers would not be a terrible idea.
"Here, however, the court reasoned that since data “are processed on Akamai servers, a data transfer to a third country is occurring,” simply because “Akamai Technologies Inc., as an American company, is subject to the CLOUD Act.”"
This consideration is key, even when Akamai servers are hosted in the EU.
> This consideration is key, even when Akamai servers are hosted in the EU.
Is the fix as easy as that Akamai creating a subsidiary in the EU?
I am in the EU and use AWS a lot, but I am not a customer of Amazon Inc. Instead, it sees this on the bill as who is the seller: "Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg".
Yes it is. The whole point of that decision is to make sure Akamai cannot says "we're an US entity, so EU privacy laws don't apply to us". That's why they are now forced to create a local subsidy, which will then be forced to follow local laws.
The way I read the article, this will only work if the EU entity is legally able to tell the parent US entity to "get lost" in case the US government has decided it wants something from the EU entity. So it needs to be truly independent, at least that's the sense I got from the court's decision.
I don't know whether they can, but Microsoft tried to work around that by having (one of?) their German Azure DCs be managed bei Deutsche Telekom for exactly that reason: their relationship would be defined by a contract, but Microsoft does not own Telekom and thus can't send them a memo to ignore the contract.
I don't know the details, but I'm sure Microsoft considered whether it would be enough to just stick a "Microsoft Deutschland GmbH" label on it.
I am not sure, doing my business taxes in Germany (of course not the same as here), a lot of rules are applied in a way or another depending on the majority stake holder in the company. So, if the subsidiary is fully owned by a US company, this may still not be accepted.
This is why at some point (I am not sure if this is still the case), the Azure cloud in Germany was fully owned and operated by Deutsche Telekom. Microsoft was basically providing software, consulting and brand. This way, it was legally not possible for Microsoft to access the data.
> It must be fully acceptable. There is zero legal distinction between foreign-owned companies and local ones. This is not China.
Who is the "this" you're referring to? The US has forced this distinction into existence via the CLOUD Act, which applies to US-owned companies operating abroad.
The EU ought to deal with this fait accompli, and if that means reducing US companies' ability to operate in the EU as if they were in their home country, so be it. They can complain to their government about it.
But there are already many laws in many countries that distinguish. For example airlines where for example to count as a EU Airline more than 50% must be owned by EU citizens.
The following assumes that the subsidiary is incorporated in a jurisdiction other than the US and so is legally an entity of that jurisdiction that happens to be owned by a US company.
Was the data put there by Amazon Inc and retrievable by Amazon Inc?
If so then yes, Amazon Inc can be ordered by the US government to retrieve it.
If not, then the US government would have to ask the subsidiary directly for it or ask whoever is using the subsidiary to hold the data. How whoever they ask responds to that would be determined by the law of wherever the responder is incorporated or located.
There's nothing really special about the cloud in these matters. It works similarly with data stored on paper. If I am in the US and store my papers in a box that I send to a storage company in the US to hold for me the US government could (1) subpoena the documents from me, and I'd have to retrieve them from the storage company and give copies to the US government, or (2) get a search warrant to grab the documents themselves from the storage company.
If instead I pick a storage company that is incorporated and located in another country that eliminates the search warrant option because US search warrants don't apply in that other country.
It doesn't affect the subpoena option because the subpoena is not asking the non-US storage company to do anything. It is just asking a US entity (me) to turn over documents I legally control.
I think this question is moot. If you are a US citizen, the US government has effectively ordered any bank, anywhere in the world, to report the status of your bank account to them. It may just be a matter of time until they find a way to strong-arm EU data protections, if they haven't already.
> Is the fix as easy as that Akamai creating a subsidiary in the EU?
The article has "Importantly, the Wiesbaden court appeared to accept that Akamai may have stored Cookiebot data on EU servers, and not in the U.S., which suggests Cookiebot’s agreement is with Akamai’s German affiliate."
Here's an idea for the EU: mandate that all major browsers ship with third-party cookies disabled by default and drop the whole cookie-banner nonsense.
Other idea: make browsers have a proper cookie banner and not one that tricks me into selling my soul, I never got why pages would need individual banners.
Evil sites will use localStorage or some third party API and continue tracking you.
I am sure people here will find at least 20 solutions on the problem on "how can a group of evil websites track a user across if cookies do not work but JS is On", the solution would involve something like drop this lines in your html page and the js code there will connect to some server and store some fingerprint there, Google might decide to give your browser a fingerprint to help with their ad business.
I wouldn't approach this problem from a technical direction.
If there is a browser based vendor agnostic opt-in popup for user tracking (not only cookies) you can outlaw and severely punish attempts to circumvent that.
Given the time and resources courts really dislike the "welllll technically..." Argument.
I know, I tried(and probably failed) to explain to OP why his simple idea to "just make the browsers disable third pary cookies" or other technical solutions are not going to work, you need GDPR like laws to focus on the actual problem and not some technical implementation because developers will find workarounds for technical only stuff.
Browsers could help by implementing a standard GDPR popup for this shitty websites to share , at least it will not be same dark pattern UX, broken implementation shit this sites use today.
Browsers could do a lot of good things if they would focus on the actual users needs and not on what some developer feels cool to work on or what soem giant company ants to implement next.
Gotcha. FYI, the post you replied to suggested "make browsers have a proper cookie banner", which seems like you agree with? The one that says "disable third party cookies" was two levels above your post.
>Gotcha. FYI, the post you replied to suggested "make browsers have a proper cookie banner", which seems like you agree with? The one that says "disable third party cookies" was two levels above your post.
Ah, sorry ,I messed up. I am trying to force myself to always quote the text I am replying, sometimes I do not do it and is causing issues, I will try to do better.
It would be nice to have browser support for cookie popup that is uniform and not worded differently everywhere. Maybe even a default setting and ability to auto-reject. The popups have ruined the experience.
> Maybe even a default setting and ability to auto-reject.
We sort of have auto-reject, with the Do Not Track header. Which pretty much everyone has decided to ignore, because then people just say no and that's not the result they want.
> The popups have ruined the experience.
And behind every popup is a company that decided that ruining your experience was the correct thing to do.
The problem is that both the client and the server is controlled in large part by Google and they like to optimize the user experience into whatever allows them to sell ads.
Lynx is about the only browser that still notifies you and has you accept each cookie manually.
As long as the most widely used browser is owned by Google? No way that could possibly end up being intentionally broken and misleading. The law would have to specify the exact shape of the cookie dialogue down to the pixel and I still would expect Google to find a way to fuck it up.
> The law would have to specify the exact shape of the cookie dialogue down to the pixel and I still would expect Google to find a way to fuck it up.
In the EU it's more usual for judges to take the "spirit of the law" into account for rulings rather than the "letter of the law" that is more common in Common Law systems.
I don't know enough and IANAL to state that with sureness about the whole legal system of all EU countries but it's a rule-of-thumb, the law doesn't need to be absurdly specific to avoid loopholes, it just needs to be good enough to cover ground for judges to judge if the accused is following its spirit.
> Sure, then we change the law again and/or sue Google.
Which generally seems to have an almost 10 year delay for every iteration since Google will appeal on every instance and do its best to slow down every curt issued request heading its way to the fullest amount possible. The result: Not happening in the next century or two.
That is... doubling down on a bad idea. Moving the stupid cookie banners to the browser itself so we can not block them. It's so idiotic, the EU bureaucrats will probably consider it.
I think it's the other way around, if the cookie banners were implemented at the browser level, there would be "auto-reject" extensions on day 0. Or, worst case, auto-rejecting forks of Chromium and Firefox.
Cookies, including first-party ones, that are not "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user" still require banners under the ePrivacy Directive [1]. Ex: if you're counting unique visitors with a first-party cookie, you need to gather consent.
Browsers do, it's the do-not-track header. It's on by default, as it should be. Websites just refuse to honour the header.
Not all, websites, though; I believe medium, of all websites, will actually not embed some content if you sent it a DNT header. Not sure if they still do that, though, because their UX for readers has become absolute trash.
The do-not-track header is just another bit for fingerprinting you, I don't believe any ad-company actually honors it. Also, why trust that they do, when there's a solution that doesn't need trust?
I want the browser to not let any other party get more bits of entropy than I agree to. My ip is a few bits of entropy. Now I want my browser to give not-that-many-more bits of entropy to any remote server. If it allows a remote server to list my system fonts, render something on a canvas and read back the bytes,or do some audio mixing on my machine and read back low level results, then my browser has failed me. I want it to say "I'm not showing this webpage at all because it tried to read back a canvas".
Sounds simple. Could you elaborate? Among all of the problems that this legislation aims to solve, what problems can be solved by simply blocking third-party cookies? And what can not?
That kind of technical countermeasure only works when you're a statistical minority and adtech doesn't care enough to chase after you. If everyone were to block 3p cookies, the adversary would create new ways to share data on the backend, without clientside involvement, and we'd be right back where we started (other a small increase in friction).
The cookie-banner simply means that there's no enough competitive advantage in improved UX over tracking the user.
We don't see many websites who opt out out of the "track the users all across the web" scheme in order to remove the cookie banners altogether.
On the other hand, thanks to the banner everyone has become aware that the are being tracked. This is good because it brings people into the discussion, so that when EU says "stop tracking" people are not puzzled about what tracking those Eurocrats are talking about. How people are supposed to know if they should support the actions of their government if they don't know what's happening behind the scenes?
Funny thing is that Internet Explorer used to have these banners. But users started disabling them and accepting the cookies when they got too annoying.
That wouldn't accomplish anything, as cookie banners have to do with tracking and not inherently with third-party cookies. Tracking via first-party cookies is still illegal and would require consent.
This would work if cookies was the only way to track people. There is also localStorage, ETag (and other cache-oriendted methods), fingerprinting, owning a browser, etc.
What we need is a low that forces websites to obey the "do not track" header.
Heh. You’re absolutely right, I misspelt the domain. Point being, sometimes you have different domains that belong to the same entity and you need to bridge them; this seems strange to small companies, but happens quite often in enterprise.
Blizzard's Battle.net does, or at least did at one point.
In 2020 my friend couldn't add a new credit card to his account because browsers updated their same-site cookie behavior.
They were setting their JSESSIONID cookie wrong when doing oauth behind-the-scenes which caused a nice 302 redirect loop.
For whatever reason the API calls required both *.battle.net and account.blizzard.com.
The law here is totally reasonable to protect people's right to data privacy. It's just that every damn website is trying its best to trick their users into consenting despite the law. Half the solution look illegal anyway, as you can't deny cookies with a single click. Plus the US Cloud Act is an authoritarian overreach and rightfully gives US providers a competitive disadvantage.
I too think these consent solutions are problematic, but the law as it is use here is a catastrophic overreach, if applied broadly.
If you take the article at face value, it is illegal to create any kind of TCP/IP connection with a server that is operated by a company which does not operate exclusively in the EU.
This is a strong interpretation, but it‘s really not far off from what the court did here: they declared it illegal that an IP Adress (!) was transmitted (not stored?) to a company that could potentially (?) be subject to non EU subpoenas.
If NOYB managed to make the entire internet illegal just so they have a sharp axe to go after the things they don‘t like (Google Analytics, cookie "consent" banners), congratulations. They have built a slope so slippery it should have an ICU at the bottom.
It’s not noyb who built the slope, it’s the ever greedy companies trying to trick people I to all kinds of shady shit. Everything they get they deserve and I truly hope trustarc, onetrust and whatever their names are end up in bankruptcy.
Sure those companies can go to hell, but is it really worth it?
In my view there is no crime bad enough that it justifies having laws on the books that criminalize everyone just so we can selectively enforce them against the bad ones.
It may be worth noting that this doesn‘t involve a fine, only that they cease the activity. That is my personal silver lining as someone operating services within the EU that clearly are not lawful.
If you honestly believe this cause is worth a scorched earth approach, fair enough.
It‘s literally a scorched earth, because it will be pretty tricky to provide even gopher services to a global internet until we develop a TOR like alternative to TCP/IP.
Please detail your claim that implementing Gopher in a GDPR-compliant way is “tricky”. It’s difficult to tell if you seriously believe this or if you’re exaggerating for polemic effect, and those details will help evaluate the merit of your viewpoint.
I am both exaggerating and serious. Say you are a US company and you run a gopher site. You are not allowed to have the IP addresses of European visitors transmitted to you, that is what this decision is saying right? You are not allowed to allow them to establish a connection to you at all. This seems impossible, but this is how I am reading this. I would (honestly) like to for someone to point out my error here, without any "they probably won't do this because it doesn't make sense" arguments.
I don't know what makes a US company eligible to be sued in a EU member court. I guess you have to be doing some kind of business with European customers, so a non profit blog may be ok?
How do you solve this? You have to create a legal entity not connected to you that can purchase a server within the EU and then somehow syndicate your content to them without establishing a strong legal connection.
(Apologies, a medical event delayed my reply by a week. I appreciate the time you spent replying, and I’ll try to keep it brief.)
I think this only impacts EU providers who sublicense to US providers, if/when they record any ephemeral data collected prior to the user consenting.
So an EU business logging the IP addresses of visitors might be not-okay until they consent, though GDPR has some flexibility around “IPs power the Internet”, so long as you don’t try to convert them into personal identifiers.
That applies whether US or EU providers are involved, but as the courts point out, any non-ephemeral data within US territory or corporate boundaries is an automatic GDPR violation for an EU company.
So, in the gopher example, as a US provider you can do whatever you want, and as long as you’re approximately complying with CCPA, you’ve got GDPR in the bag as well, especially if you just offer the same rights to all users (to not be tracked by default).
But as an EU provider, if you host your Gopher server in the US, you may well be violating GDPR as a citizen of a signatory country, since a U.S. provider can’t honor the choice to not record ephemeral data, and therefore compliance is impossible even if the provider currently honors it.
This means that AWS is probably not a legal provider for GDPR purposes, since they can be compelled to ignore GDPR, unless the US signs a new treaty. And that’s the terrifying reality of that safe harbor agreement expiring that may result in Amazon having to restructure itself to avoid losing the market; the US entity would have to become a subsidiary of a parent in a treaty-signed country.
Sure those companies can go to hell, but is it really worth it?
In my view there is no crime bad enough that it justifies having laws on the books that criminalize everyone just so we can selectively enforce them against the bad ones.
Do you mean it was the processing by Akamai, not Cookiebot that was problematic?
If so, that's my point. As far as I understand what Akamai does, they where probably just the conduit for establishing a TCP/IP connection to the Cookiebot service. The court neither felt the need to establish that Akamai stored the data, nor that it left the EU. The mere fact a non-EU company was involved in the connection was enough. I'm probably wrong, and I would like to know how, to maintain my sanity.
Cookiebot is unambiguously using its own trustworthiness to let Akami access their users' personal data. There's nothing fuzzy or dubious here.
The only news is that what many people expected to be perfectly legal, that is doing that with a confidentiality clause and never having the data leave the EU actually wasn't, because of a different detail.
It‘s a CDN, so it very well may be a "conduit". Maybe they offer edge computing services, I don‘t know. I‘m almost certain they don‘t offer data processing services though. They provide hosting-like services and process data in the normal course of that operation.
If I serve images from Akamai (or Cloudinary, FileStack…). Do you think that‘s problematic?
Do you think apple is is deceiving me when I download a song from iTunes?
As much as the banner stuff annoys me i am thankful that the EU is at least trying to manage the whole tracking mess against privacy. Far from perfect but at least they’re trying
All I know is that at this point I'm getting Cookie Rage every time I have to click on those cookie consent popups. Some are better than others. Some are so bad I give up and leave the site (Admiral, I'm looking at you). It's so annoying I don't even bother reading or thinking about what I'm clicking, which in effect reaches the opposite outcome of what these cookie consents were meant to do. None of them remember my choice, none of them are "not annoying". I get annoyed just "talking" about it...
See, you rage against the Cookies - I rage against the braindead politicians who made them basically mandatory and a legal framework that allows malevolent actors to use even slightest hints of (disputable) violations to ruin me if I don't have a banner.
It made me a proponent of leaving the EU. Not because I don't think European unity would be beneficial, but because the current implementation is deeply faulty and little more than a convenient scapegoat of national governments pushing through changes they are too afraid of doing at home without democratic oversight.
I hear you. And I understand. I chose to remain but I get and accept the choice to leave as well. I'm not disputing the law around it is insane. I'm finding myself more and more ticked off every time I get a consent banner. The more I get ticked off the more I forget why that banner is there.
The scope here is far, far higher than cookie management providers, If the scope is that a company with a us presence can’t have extraordinary access to data.
Google analytics is going to be essentially outlawed in the EU.
Hosting with any company with a US presence is going to be questionable. No Aws, Google Cloud, Digital Ocean, linode, azure, hetzner… (Leading to the further question of who you can host with — what big EU cloud providers are there without a us presence)
I’m not sure where that leaves the EU, other than possibly hardware in a local data center.
You bring up a very good point: Hetzner potentially made a big mistake by opening US datacenters. We have helped customers who picked Hetzner, because it was legal for them to do so, and because they absolutely knew that their data would be safe in Germany... Now they question how much access the US employees might have.
Similarly with OVH. A client is working on migrating stuff to OVH, because they felt confident enough that US employees of OVH would have to easy access to EU data. Then staff at OVH in the US takes down all of OVH for a few hours on a monday, that have made them reconsider.
Google Analytics and similar has already in practice been outlawed in EU since Schrems II. This is just a long line of similar judgements that state the same.
The problem here is that a website is built in such a way that implementing the (admittedly annoying) cookie consent mechanisms goes through three different subcontractors/API providers.
The needless dispersion of your users’ browsing history is in itself disrespectful. Yes, privacy regulation do make life complicated if you choose to ignore their core, and instead create some Frankensteinian caricature of an infrastructure to continue doing business exactly as before.
I also find the "We care about your privacy" message disrespectful, when the next step is "Please allow us to share information about you with these 628 other companies". Those two sentences are complete opposites.
If your company is considering involving foreign "cookie management providers" in the way it handles customer data, it is evidence of bad faith and intent to steal (and keep offshore, e.g. in the USA as described in the article) sensitive information.
These "foreign" CMPs are located in the EU (Denmark in this case) and as such totally legal. There's no evidence of bad faith, no intent to steal and keep anywhere but inside the EU.
I'm afraid a separate company in a different country (or even in the same country) is "offshore" enough to be a barrier to proper compliance to privacy law, and it is clearly an intentional barrier.
Of course. And in some places in the world I definitely would prefer my data being processed far away.
But like OP (I assume) I have the privilege to live in a society where, every few years, I have the opportunity to elect our leaders and discussion about laws happens in the public and needs to find a majority in parliament. In the EU my country has a voice and our elected representatives help shape the directives and regulations.
While the US is also a democracy, I don't have any influence there at all (which is fine) and my data is foreign and is treated differently than that of US citizens. Furthermore, even if an American company does something blatantly illegal my practical recourses are severely limited by costs and distance (try suing someone in California)
I am not ready to accept that when interacting with a local business any data needs to flow across the Atlantic.
I really like the idea of having a local independent data handler who operates European infrastructure on behalf of companies like Microsoft did a few years back.
> In a sence it's also a move towards limiting user's freedom to chose where to store data, isn't it?
It's not, users can of course consent to data being stored elsewhere. The article explicitely points this out:
> Instead, the court took the approach that data could only be lawfully transferred to the U.S. via a mutual legal assistance treaty (Article 48 GDPR), or under Article 49 GDPR’s derogations, such as consent. It confined its lawfulness analysis to those grounds alone.
It's actually already the case but everyone prefers to put their heads in the sand and hope for the best. It's not like we have real alternatives to AWS or Azure in Europe right now.
AWS/GCP/Azure are very keen on keeping the business in Europe, so they have European datacenters, try to keep them GDPR-and-other-laws-compilant, and will even sign a legally binding agreement with you swearing to keep all data on EU servers only.
The Azure service fully operated by Deutsche Telekom seems pretty appealing right about now, but as far as I know they cancelled that. Maybe cloud providers will move to a kind of franchise model, effectively allowing smaller European companies to license an Outposts type software.
Yeah they do that. But at the same time they have the patriot act law to respect, and the European privacy shield is dead. So right now it's challenging to know whether using Azure is GDPR compliant or not. Most people I talked with on this topic think it's probably not compliant, but they prefer to wait and pay a fine if necessary as they are not lawyers.
Good. For the first time, the courts have actually reacted to the death of Privacy Shield and its replacements. These crappy "consent managers" shouldn't exist in the first place, but here we are.
The only viable solution would be for the EU and USA to come to an agreement that guarantees privacy for citizens of either jurisdiction. So far, nothing of the sort has been accomplished because the US does not like to give up their power over US companies; I can't say I wouldn't do the same in their position.
Setting aside corporate sovereignty, the US government also specializes in collecting personal data without consent, and pays private US companies to do so when privacy protection laws are passed by their leaders. It is not clear whether they have the political will to sign the GDPR or a reasonable equivalent into law, and very rich companies like Google and Verizon would spend their entire fortune suing to stop it block it, suspend it, and otherwise drag their feet in court for a decade.
This looks like a temporary injunction only and doesn't by itself establish any precedent. IANAL, but my understanding is that the court usually only evaluates whether that claim of harm is plausible and whether the burden put on the other party is too big to be justified when the final ruling is in their favor. The merits of the main arguments in the case aren't considered - that's what the main trial is for.
From my (German) point of view it isn't the decision of the German court that prevents American companies from doing business in Europe but rather the ridiculous laws that allow American spy agencies to request data from American companies even if it is saved overseas. Obviously having shitty internet laws will drive internet companies away from a country. The same thing is happening in Australia.
This disallows EU websites from using those US cookie management popups that users universally hate. You know, the ones where you have to un-tick 20 items by hand and then some more on the hidden "legitimate interest" page.
Instead, EU websites will now be forced to buy their cookie management from EU providers who adhere to EU privacy laws. So in effect, they are merely putting more of the spirit of the GDPR into laws.
And for US providers, they can always open up a local EU subsidy, implement the relevant regulations, and then sell their service to EU customers again. So this is specifically to allow people to circumvent the EU rules by using "I'm an US provider" as an excuse.
Also, I like how they called out that transmitting the visitor's IP and referrer URL to a US service might enable them to build a profile which would be legal under US law and illegal under EU law. That's why they now block the transfer of the visitor's information out of the EU in the first place.
> This disallows EU websites from using those US cookie management popups that users universally hate. You know, the ones where you have to un-tick 20 items by hand and then some more on the hidden "legitimate interest" page.
As a (EU) user, I hate all cookie management popups. And those aren't brought by evil US companies. They a forced by dumb law that tries to "protect" me. This law specifically mentions that I need to be nagged for every single new domain I visit (dozens per day) and specifically mentions that having a single setting I can tweak is not OK.
The amount of thought that has gone in the law to ensure that people are nagged on every. single. page. they. visit. and. that. there. is. no. way. to. shortcut. this. boring. and. useless. process. is maddening...
They are not forced by law, they are actually entirely unnecessary, and the ones nagging you are probably not following the law, since GDPR says that saying "No" should be as easy as saying "Yes".
There is a way to shortcut this: Do-Not-Track header. But nobody follows it. There is also GPC (https://globalprivacycontrol.github.io/gpc-spec/) but browsers need to implement it. There are also several other ad-hoc ways of shortcutting it, like third-party cookies, for example. But that cookie would only allow "shortcutting" the "no" answer, not the "yes". So companies simply don't implement it.
There is also the possibility of not tracking at all. So the ball is entirely on the businesses' court.
The law is fine actually. The only issue is that it's not strict enough.
> This law specifically mentions that I need to be nagged for every single new domain I visit (dozens per day) and specifically mentions that having a single setting I can tweak is not OK.
This is also false. But humour me, where in the law does it say that? Concrete citation, please.
And behind every nag is a company whose employees decided they'd rather you have the nag experience than not use tracking cookies or respect Do Not Track settings.
> This law specifically mentions that I need to be nagged for every single new domain I visit (dozens per day)
No it does not.
The company behind the website decided that nagging you is worth it to get your data. They have the very simple option to not track you and provide a better user experience, save you data, save you battery power, save you time and respect you. They don't.
Sidenote: I did laugh at "dozens", I'd urge you to keep count for a day or two. If true you are a strong outlier.
There are 27 unique domains on the front page of HN right now, ~14 of which I've never visited before. I expect many visitors of this site visit dozens of new domains per day.
This is because of a law, but also because nearly all commercial websites try to track you. I would be completely fine with forbidding it in any case and destroying a very parasitic advertising industry if the popup is too much.
Whether you think it's a good thing or a bad thing, I think eventually sites will look at their viewership from specific countries with additional regulations and simply geoblock them if the economic cost of compliance is more than the advertising gained from them.
This the obvious result of the CLOUD Act vs the rights of people who aren't Americans.
The CLOUD act is built on the presumption that non-americans don't have the right to privacy, and so it includes language to the effect of "you must provide data that you or your subsidiaries have access to".
This means Akamai storing data on EU servers is not sufficient (Akamai has access to the data), nor is an EU-based Akamai subsidiary sufficient because the US parent company is required to pass data from their subsidiaries to the US gov.
This is a direct result not of EU over-regulation (which I'll admit, they love), but the US government deciding that every company that works overseas should be an extension of their intelligence services.
I am not sure if Europeans can even take this article seriously after reading about "cookie management requirements apply for EU websites generally" which is wrong in at least three major ways: GDPR is not just about cookies, GDPR is about data processing and its purposes rather than management and storage, and GDPR applies to all websites (including American) who serve European customers.
"Per the Court of Justice of the European Union, IP addresses are personal data (the court also considered Cookiebot’s “user key” to be personal data)."
They seem to be using the term personal data (correctly) but I cannot help but sense some disdain for it in the writing as if the writer was still thinking personal data being PII (which it's not). A 5-star rating I give a driver is also personal data because it generated by me or obtained from me (and that's why you can get it when you request an export of your data under GDPR). But then the article goes on to nitpick on the definitions: "Because the Wiesbaden court cited the CLOUD Act as a reason to limit U.S.-based services, we note that the claim for “any US connection” is incorrect, because the CLOUD Act only applies under U.S. law where there is possession, custody, or control in the U.S." Possession, custody, or control pretty much covers everything when it comes to cloud computing infra.
"NOYB has filed over 100 complaints alleging improper transfers to the U.S., for a range of data analytics and cookie plug-ins that are pervasive in the current online ecosystem."
I am a happy supporter of NOYB and glad to see my donation being used well. Though I am a bit worried about being able to use Cloudflare in the future.
This whole mess could be avoided if the EU would ask/force the browser vendors to implement a single setting. Then they can simply ordain that web sites should follow that setting.
There are a bunch of details to work out (i.e. what should be the default setting, will this be an HTTP header or some API, what granularity, etc) but I'm sure the end result will be far more beneficial to society than a zillion companies each implementing their own cookie handling logic and researching their own compliance.
And I say this as a free market liberal who is skeptical of government intervention.
Seems appealing to exclusively accept users from Europe using iCloud Private Relay and Sign in with Apple with hidden e-mail and offload this whole shit show to Apple (or Google if they have something like this).
Not touching PII (as defined by german courts) with a ten feet pole seems like the only reasonable course of action for a company without a legal department.
Good point. Apple can be compelled to provide the link. IP addresses are PII because ISPs can be compelled to provide the link, so it‘s the same thing.
The problem is stretching the definition of PII beyond it‘s breaking point to include shortened (!) IP addresses, anonymous identifiers and fingerprintable http headers. Now this forbids the transmission, not the storage, of such data. What‘s even the point anymore?
This is a really common misunderstanding of the differences between GDPR and US privacy laws.
In the US, what is generally regulated is "posession" of data, with narrow definitions of what PII is and no restrictions on anything that isn't. In GDPR, what is regulated instead is the possible justifications for processing of that data.
For example, (IANAL caveat aside, speak to an actual privacy lawyer) it is fine for me to store full, unredacted IP addresses in my access logs for diagnostic purposes.
However I, for example:
- have to be able to provide information on what is stored and under what justification
- have to provide information on who that data is transmitted to
- have to be able to show an authority it is really necessary for me to store this data unredacted
- must put in place adequate measures to protect it
- am liable for exposure of that data
and may not:
- store the data longer than necessary
- use that data for other reasons, such as marketing
- transmit that data to a third party unless it is contractually bound to the same restrictions as me
When something is personal information, the only thing that means is that it is illegal to not have a justification for processing or storing it.
So for your example, processing headers is fine, fingerprinting headers is probably not. Recording shortened ip addresses is fine, unnecessarily sending them to the US is probably not. Anonymous identifiers are fine, tracking people with them is probably not, etc.
Yeah, that's exactly my problem, practically. It is hard not to send IP addresses to US affiliated companies. You are probably right that it is not as simple as what the definition of PII is.
In my privacy policies, I try to follow what I think is the spirit of the law and hope/pray for the best. I list point for point what data I use, why and to what third party tools I send it. That's like 2 sentences per point. I have never checked with a lawyer and don't copy and paste any legalese like everyone else seems to do. After reading through the court decision here, I'm almost certain that what I do, and how much I explain it, is not legally acceptable, but I feel fine about it.
Good. Many "cookie management providers" deliberately act in bad faith. See for example the now standard requirement to "object" to so-called legitimate interest uses of personal data. The GDPR was intended to ban such behaviour and I, for one, welcome seeing the law enforced in line with its general intention.
> One significant aspect of the new decision is it seems to prohibit data processing even when the personal data is stored in the EU and never leaves the EU.
I don't get why the article is so whiny about the court holding the US companies liable for the permissions the US government gave itself.
The US has assumed jurisdiction and is trying / has succeeded ("legally") to kidnap people extraterritorially for decades now - Kim Dotcom, Julian Assange, Alexandra Elbakyan, a whole lot of Russian hackers that had been fake-invited to security conferences or job interviews: none of them has committed crimes on US soil or in an US territory, and yet the US is still trying to get people deported to the US so that they can be tried by the regime. The US government heaps piles of dung upon sovereignty of other countries. The US mega-corporations ignore tax laws wherever they can while destroying local markets with price dumping only affordable because of immense amounts of pension fund money being poured into venture capital. US advertising giants act like European legislation doesn't even affect them. The US threatened to sanction a German harbor for providing services to ships building North Stream 2 (not that I like that project very much, quite to the contrary, but nevertheless it is a disturbing overreach!).
The EU is now beginning to assume the US and any entities based in it cannot be trusted for all of these reasons (even if no one says it in the open), and suddenly all the tech companies cry and complain. All I have to say is, the US is at fault here. You made your bed, now sleep in it. Or redirect some of the lobbying budget to campaigns of politicians willing to end the madness.
> immense amounts of pension fund money being poured into venture capital
Is this still true? When ERISA was amended/relaxed and most pensions were defined benefits it was probably true.
But aren't the vast majority of pension plans defined contribution now?
Are defined contribution plans being funneled into venture capital (is that even allowed?)
Certainly social security money is not -- they're required to invest that in US treasuries.
> Are defined contribution plans being funneled into venture capital (is that even allowed?)
At least according to [1] about 20% of VC funding came from pension funds, and per [2] about 10% of pension fund assets are invested in "private equity". Given that we're talking about ~ 35 trillion US-$ in total pension fund assets [3], it's safe to say that it is an immense amount of money.
And by the way, it's not just the startup/VC market that is being completely undermined by dumb pension fund money from the US. Real estate across the world is bought up by pension funds, driving up prices - good for those who sell to the pension funds, bad for those wishing to obtain their own home or renting.
The way US pensions are set up is fucking over the entire world.
Honestly as long they react to concerns of other businesses who may genuinely need cookies for sessions etc, I admire that the EU is trying to get some experience on tech regulation. Catch is they must be willing to adapt and listen to feedback.
I recently spent an inordinate amount of time implementing effective self-hosted cookie control (as in: actually deferring loading of offending scripts until after being accepted, and then loading and executing after being accepted without having to trigger a page reload)
It would be absolutely asinine to assume that a layman could understand, much less implement the currently available solutions in an effective manner, so here are the two scenarios that small businesses are faced with:
a) They still wanna make use of cookie powered tech and just do it without consent, which opens them up to legal trouble
b) They don't do it and give up on functionality, which big biz will be able to provide, putting them at a disadvantage and making the web less democratic in the process once again.
While I have no particular thoughts about the type of providers targeted here, I am certain that the last thing the current setup needs is additional complication.
Getting consent for functionality is pretty easy. EU data regulations specifically allow you to set cookies in a scenario that this enables functionality that would otherwise not be possible to provide to a user. Like a classic session cookie, for example. What's affected negatively is the UX for tracking and spying on users – and so it should be. If this forces companies out of business who rely on that for their business model, good.
As long as we are clear, that the businesses who can (and absolutely will) find the narrowest way around any legislation and continue to work in the slimmest legal margins are FANG and increasingly not your local businesses, cool.
Everything tech and privacy is pretty easy looking from the HN ivory tower. Meanwhile half the world runs WP installations that date back to 2016 and can't change a paragraph on their "about us" page without contacting "the web guy".
This whole "won't someone think of the small businesses" shtick is so transparent. I don't want "my" local businesses tracking me any more than the non local ones. I don't want a fiercely competitive market of data leeches any more than five big ones. Big tech can and should still be felled once the bulk of the weeds are chopped.
> I don't want "my" local businesses tracking me any more than the non local ones.
I get that. Seems we have a good news/bad news situation.
The good news is that 99% of local businesses do no systematic privacy invasive tracking of anything, because they have no fucking clue how to do it. Really. That might be hard to believe in a crowd that is fluent in SQL JOINS but in the real world people look at a Google Analytics accounts and learn... well, round about nothing.
It turns out that at small scale it's actually quite hard to invade peoples privacy in a way that you end up with positive ROI: You need enough data AND you need to be competent enough to analyze the data AND you need to be agile enough to act on your findings. You will be hard pressed to find local businesses that check even one of these boxes.
So most privacy "invasion" at this level happens because people are bad with complicated stuff and also at dealing with increasingly complicated regulations, and privacy regulations check both boxes (despite HN claiming otherwise, but alas, the ivory tower strikes again).
The bad news is that that is increasingly less relevant, because while the above is going on, the big businesses are exploiting any of the increasingly hard to catch openings and advancing their market position.
There's a few aspects to this. The first is that Google Analytics is a great example, because while an individual company may not have the competency they may hire another one that does. And while previously some of these companies may have simply added analytics plugins to their site because there was no reason not to, being liable for that processing is a great deterrent.
The second aspect is that this idea of "small businesses" that you are portraying does not really reflec reality. In the anti-regulation lobbyist mythology, small business are all friendly mom and pop stores that are just trying their best. But for example Whatsapp, before it's sale to Facebook, had 55 Employees and half a billion active users. Many hedge funds count as small businesses, as do franchises. Even beyond that, there are plenty of 100-1000 employee businesses here that have more than enough data on hand to cause serious privacy violations.
The third is that violating people's privacy does not have to be for profit as it is in advertising. As the case of a local pharmacy using insurance data to send their customers Christmas cards reminds me, even the smallest business is very capable of violating privacy by treating customer data sloppily.
Yeah, it's super easy, I don't know what OP has any issues with. All he has to do is finish law school and go through the laws and regulations of GDPR, there's only like a hundred of them plus references so it shouldn't take more than a few years maximum.
I think that could actually be a problem. NOYB, a nonprofit GDPR watchdog in Austria, has firmly set its sights in enforcement on Google Analytics and Facebook/Twitter buttons because they are easy to remove. I think small mom&pop shops would have to go back to getting analytics via web server logs. Even small hosters like https://www.dogado.de/website/hosting (wanted to actually link to CampusSpeicher but they seem to have been acquired) offer this (see under Highlights > Website-Statistiken).
To be clear, NOYB allows 60 days after notification for removal (instead of 30 allowed by the law) before complaining to the national data protection agency and even then agencies rarely give out serious fines if you are ready to comply and did not grossly misuse the data, at least in Sweden: https://www.enforcementtracker.com.
There is legitimate business concern. Amazon can collect my home address without consent (i.e. I type in my address but don't need to tick any consent checkbox; see [1]) and even pass it to DHL but without consent they can only use it to deliver me the package, not train ML models in the future. If you have a feature that needs data and the user understands the need AND the user themselves want to use the feature (excluding the legal acrobatics like FB claiming that users sign up to watch ads), you don't need consent (unless the data is biometric, which is another chapter in GDPR).
[1] In fact, I try to use a lot of services without consent while providing my personal data. The trick is that I want to ensure it will ONLY be processed for a legitimate business need.
Absolutely. You will find that I was very specific about the unfairness these regulations impose on the ill equipped.
Amazon is always going to find a way to work within the limits of whatever the EU throws at them. Begrudgingly, certainly, but eventually in strides, and with the confidence that an army of lawyers and other smart people does offer. They can even willingly chose to work outside of it, because heck, breaking the law is just another business expense.
Your typical local mom and pop store is likely unaware of what the boundaries are, where they are, what it all means, how to implement any of it. They are mostly looking in horror at the incomprehensible monster that is GDPR.
The point being: Restrictions on SaaS solutions are not gonna hit Amazon. Amazon does not need a SaaS cookie banner. They can have their own team that does nothing but build well tailored cookie banners for any country in the world and update them daily to whatever standards are required today.
Alas, a small business can not. The rules are the same, and thus the burden is distributed incredibly unfairly.
> This consideration is key, even when Akamai servers are hosted in the EU.
Does this mean that for those of us that manage our own cookie banner and overall website in Cloudflare (also US company) will have the same issue? And be deemed unlawful?
Cookies are especially important at Christmas. They taste good but it's best to bake your own.
This topic is important but I guess it's so behind to today's fingerprinting that this whole topic is getting polemic.
Very interesting. I see lots of hate to CMP's here in the comments (which as an EU consumer I totally get) but I have to ask, what's the alternative? CMP's seem like the least worst solution right now (I'm sure we can debate lots of potential better alternatives that could be baked into the browser - which is where I think this will eventually end up).
CookieBot are probably one of the better CMP's I've used, but I'm surprised they haven't yet implemented full EU isolation - which surely is the short term solution here. Fathom have written extensively about their work on EU isolation which I think is very relevant here
https://usefathom.com/features/eu-isolation
Why is this even a service that needs to be offloaded to a third party? Implementing this properly obviously requires a ton of work, and no site is going to be able to dodge it by simply putting a banner service in front.
Using these automated services that pretend to "automatically" block various categories of cookies is also a ripoof. They use simple keyword searches and similar to try to establish whether a specific script is used for statistics, preferences, etc.
A properly implemented banner (i.e. hand-crafted for the site, and obviously updated each time any script is updated) would be pretty expensive to create and maintain. But if one doesn't see that as one of the key purposes of the law (i.e. push web sites towards using fewer of them because the technological and legal overhead is costlier than whatever the gain is) then I think it's being read a bit naively.
I agree that CMPs are better than everybody rolling their own solution (lots of time wasted by developers and lawyers).
However, CookieBot is terrible imho. They delay page load by about a second (!) because their APIs are so slow. Their tech is incredibly fragile, if their crawler has an issue and doesn't crawl your page completely, they'll silently (!) remove all cookies from the consent and leave you completely non-compliant until the next successful crawl (crawls take hours to days and are automatically done once a month). Their support has a response time of 3-5 business days (!) for commercial users and consists of people who barely know the product and definitely don't know anything about web tech.
I don't have a favorite vendor in that market, but CookieBot is definitely the worst one I have worked with.
So this does mean that you basically are not allowed to use big cloud providers like AWS, Google Cloud and Azure as a company based in the EU. They are going to do so much economical damage with this decision.
Am I reading this incorrectly? This logic seems to apply equally to simply using EU-based servers from a US-based cloud provider for storing EU personal data.
Judging by several comments in this thread it I feel it's important to highlight the historical dimension of data protection in Germany. The roots of privay rights in post war Germany are mainly in the famous "census ruling" in 1983, where the constitutional court established the right of informational self determinatio, based on Art. 1 (human dignity) in combination with Art. 2 (personal freedom) German Constitution. One of the first acts of the Nazis in 1933 was in fact a census, which partly paved orhanizationally the way to an even greater collection of data and atrocities we're all well aware of. That data protection is a constitutional right has to be seen in this histocial context. If someone is interested here's a deepl translation of passage of the "census ruling":
The right to informational self-determination would not be compatible with a social order and a legal order enabling it in which citizens can no longer know who knows what, when and on what occasion about them. Those who are uncertain whether deviant behaviour will be noted at any time and permanently stored, used or passed on as information will try not to attract attention through such behaviour. [...] This would not only impair the individual's chances of development, but also the common good, because self-determination is an elementary functional condition of a free democratic community based on the ability of its citizens to act and participate. It follows from this: Under the modern conditions of data processing, the free development of the personality presupposes the protection of the individual against unlimited collection, storage, use and disclosure of his or her personal data. This protection is therefore encompassed by the fundamental right of Article 2 (1) in conjunction with Article 1 (1) of the Basic Law. In this respect, the fundamental right guarantees the individual's right to determine for himself or herself the disclosure and use of his or her personal data.
As a european i am always baffled by the amount of support that the GDPR cookie laws gets from co-europeans. I understand it as a way to create busywork for lawyers, lowly developers and copywriters but it doesnt provide me anything tangible as a developer in return, nor as a consumer (in fact browsing the web without a anti-anti-cookie browser extension is horrible).
What do people get as benefit from all this irrelevant madness? Do people think they are really not being tracked or their communications not spied? And, has it helped european tech in a way that i have missed?
> Do people think they are really not being tracked or their communications not spied?
I imagine most people think that the companies doing the spying will get a nice fine in the near future. I don't think anybody believes there's no spying, even more because the law also made the spying quite explicit.
> And, has it helped european tech in a way that i have missed?
I also imagine most believe it has helped European people. I'm not even one and I believe it has helped me.
Summary: a preliminary ruling from a German court says that you aren't allowed to collect GDPR consent using a US-affiliated service, even if the data never leaves the EU. Their argument is that because, as a US service, it is required under US law to share information in some situations where German law would prohibit it.
At least for now it seems that most American companies are trying to respect the gdpr instead of fighting it, so I am not sure that the American capitalism will win this battle.
I am ambivalent and torn about what to think of European digital policies. On one hand there's GDPR and regulations like these that are absolutely overdue and EU is probably the only entity in the world who can improve situation given the current meta.
On other hand, there's encryption regulation and absurd piracy strictness.
Please someone with a formed perspective tell what's happening? What is a general vector of European policy on the internet?
> On other hand, there's encryption regulation and absurd piracy strictness.
Could you give an example of an EU regulation which actually restricts encryption? There have certainly been discussions about adding backdoors to encryption (as is typical for any jurisdiction that doesn't have them), but my understanding is that these proposals have reached a dead end. Here's an update from last week:
> The lead committee for the internal market and consumer protection (IMCO) in the EU Parliament spoke out on Monday evening with a large majority with its current position on the planned Digital Services Act (DSA). ... It also includes the right to end-to-end encryption. “The member states must not prevent providers of switching services from offering end-to-end encrypted services,” demanded the representatives. This is essential for trust in the network and cybersecurity.
> What is a general vector of European policy on the internet?
Generally the EU is very pro-privacy but sadly companies like Facebook bribe our "data protection officers" (sorry idk how to translate) and individual EU countries also just break the EU law on a regular.
They're called "data protection authorities" or "data protection commissions", and because lots of US tech companies are incorporated in Ireland, they get to "use" the Irish DPC.
Have the EU cookie regulations actually bring any measurable improvement to anything at all? The only effect I see is that now I have to go through hundreds of cookie related popups that include contracts, ToS and pages of legalese that will never be understood or even read by anyone.
I was building a simple website for my team recently and the biggest problem I had was ensuring the compliance of cookies - I had to spend days reading through all kinds of laws and regulations only to eventually end up going through a "Cookie Policy Generator" which produced a 10-page legal text that I dont understand. Apparently I'm not the only one since there are a lot of business that offer "cookie policy management" as a service for companies. Here is the generator if anyone wants to try it out for themselves: https://www.activemind.de/datenschutz/generatoren/datenschut...
> Have the EU cookie regulations actually bring any measurable improvement to anything at all?
We do see companies assessing whether certain cookies are actually needed, e.g. Cloudflare[0]. Also products advertise themselves as cookie-free[1]. That probably wouldn‘t have happened without legislation adding a lot of friction to having cookies.
I used cookies to remember the language of the site. In addition i used one free webfont and added a contact form. That alone required me to put 3 pages worth of "security policy" which I am now legally responsible for.
Show me such a simple website that's more than a static website with your postal address on it, and I will show you which rope it provides me to hang you with thanks to EU web regulation.
That's absolutely not the spirit of the law. I suggest you read an intro to the GDPR, or GDPR itself, which is quite approachable.
In short: you shouldn't track the user, unless the user opts into it. Cookies are one of the many ways that can be used for tracking.
There are other regulation pertaining to data retention, processing, etc. But since you focus on cookies, that's the gist of it.
You don't have to ask permission to deposit a login cookie, since that's functional and non-tracking. Using that cookie to track across websites requires consent. Depositing a Google Analytics cookie requires consent.
Any website that shows me a cookie popup screams "we want to track you! We collect data on your online behavior and sell it to third parties!"
Here is just a part of the legal text that I had to put in the webpage because I have a contact form. Honestly I don't even know if that's all I was supposed to include or if there were any updates to the articles, so at this point it might even be noncompliant and therefore illegal. Trust me I couldn't care less about your data, I just wanted a contact form without possibly getting sued.
Contact form
Type and purpose of the processing
The data you enter are used for individual communication with you. A valid e-mail address and your name are required for this communication, which serves to organize your inquiry and the respective subsequent reply. Providing additional information is optional.
Legal basis
The processing of the data entered in the contact form occurs on the basis of a legitimate interest (Art. 6 Para. 1 (f) GDPR).
By providing the contact form, our aim is to facilitate an uncomplicated means for you to contact us. The information you enter will be used to process the inquiry and saved for possible follow-up questions.
If you contact us to request an offer, the processing of the information provided in the contact form will occur in order to implement pre-contractual measures (Art. 6 Para. 1 (b) GDPR).
Recipients
Recipients of the data may be processors.
Retention period
The data will be deleted no later than 6 months after processing the inquiry.
Provided that we enter into a contract together, we will use the statutory retention periods in the German Commercial Code (Handelsgesetzbuch) and delete your data according to the respective stipulated deadlines.
Mandatory or required provision
The provision of your personal data is voluntary. However, we can only process your inquiry if you provide us with your name, e-mail address and the reason for your inquiry.
There is not really a EU cookie regulation. I guess you think about GDPR. Then yes improving privacy is an improvement, at least from my point of view.
About your strugglings, cookie compliance is extremely simple if you plan to not track your users. Technical cookies for sessions and application states are allowed without requesting user consent. So just respect your users.
Imagine would it be like if anyone could just use free webfonts or contact forms without consulting with their legal department. I can't even imagine it. Absolute chaos. It would be like living in the jungle. Thank heavens for the regulations and the countless lives they saved.
> Have the EU cookie regulations actually bring any measurable improvement to anything at all ?
As a user ? No. As a business ? I brought additional costs and risks, but didn't change anything in the data we collect. But some pencil pusher is convinced he made the world a better place, so there is that.
> Apparently I'm not the only one since there are a lot of business that offer "cookie policy management" as a service for companies.
Those companies exist solely to prey on people who can't find their way to a site like gdpr.eu
Let me give you all of the law you couldn't understand in simple statements:
1. you don't track your users by default. period. no consent is needed
2. you need to store some data about a user because that is crucial to the core functionality of the website (e.g., keep user logged in, keep a user's shopping cart etc.), then you can use those cookies, and those cookies alone, for that functionality, and that functionality alone.
2.2. Do not store personally identifiable data. If you do, you're liable for protecting and not leaking it. When a user requests this, you must delete al of that user's data
3. For literally everything else you have to ask the user's consent.
If you were actually building a simple website, you could've stopped at 1.
This is a perfect example of the kind of legal processes we have now.
The EU and Germany in particular have decades of privacy regulation and core values behind them. These core values won't change. Regulation for the past decades has ignored that tech routinely violates these values, and it's catching up now. Rules won't be as dramatic as in the past, but will differ widely from the us.
In this context, it's legally important to account for entrepreneurial freedom (guaranteed by the constitution), but if there's an overriding reason to protect consumers, then it is entirely irrelevant how long companies have been doing this, how many do this and in what other countries they do it.
To sum up, the law sometimes bites late, but it bites hard, and arguments surrounding competitiveness, business culture or internet culture are legally completely irrelevant.