Dumb question - I always come on HN, where lots of web devs hang out, and see people decrying dark patterns. So who builds this stuff? Where are the devs defending it? Or do they just take a check and keep quiet?
I have had to build things I consider to be dark patterns.
Normally, it goes something like this:
1. Client asks for something that is a dark pattern.
2. I outline that it is morally questionable to do that and give a suggestion on how it can be done otherwise.
3. Client insists that they don’t care or don’t agree because they feel as if it will bring in more money.
4. I end up building it.
I do have the choice to outright say no, but I’ve found that it normally comes down to a compromise. Some clients are not willing to budge but we can always steer them in the right direction.
So the solution here would be a fine that is also affecting the developer. Knowingly aiding in breaking a law is usually frowned upon. “I did what they said because they won’t pay me otherwise” usually doesn’t fly.
I understand it’s hard to say no but it would perhaps be easier to say “we’ll build that but it’ll cost you 5x more because we would be taking a legal risk”.
Making the option to follow the regulation cheaper has to be the goal.
So the solution here would be a fine that is also affecting the developer.
No, the solution is jail time for the founders and board members of these companies. Along with extremely harsh and vindictive confiscation of their assets.
And generous incentives for developers (such as the GP commenter) to snitch on these people for asking them to be knowingly complicit in their immoral activities.
It’d be quite the three ring circus to see France attempt to arrest Mark Zuckerberg or Larry Page. I’m 100% sure the US would flat out refuse to extradite such people, they might as well try to arrest John Roberts.
Doesn't matter that much if the US doesn't extradite them (of course they won't, like France doesn't Polanski), they still have to avoid every EU member and every country close to France, which can be pretty limiting.
Weird that the people who actually produce these things get let off the hook though, right? So you build it and don't get in trouble, just that mean ol' CEO.
Nothing to do with "mean". There's no need to emotionalize.
It's about focusing on people with (1) the most leverage over the decision-making process and (2) perfect visibility into the consequences (legal and otherwise) of their actions.
That is -- when you're dealing with the mob, you don't go after the delivery boy. You go after the foot soldiers and kingpins.
I would argue that when it comes to developing software, usually the one with the most leverage is the worker who develops it. If she says no, then it doesn't get developed. Maybe in team environments it's a bit trickier when you're looking at a feature as a whole, but each individual has full leverage over the code they produce. That they don't have leverage over the decision-making process seems like a cop out.
The mean ol' CEO has several orders of magnitude more resources in his control than the person that builds it, hence must be considered responsible to a greater degree.
I can agree that he needs to be punished to a greater extent due to his broad responsibility. But nothing at all for the ones who actually performed the work to build these illegal sites?
I think that just leaves everyone with an incentive to keep it quiet. A monetary reward for the reporting dev and a fine for the person authorizing the build puts incentives in the right place, IMO.
I was waiting for someone to make this point; It's funny how in other engineering disciplines there are clear repercussions for designing something that breaks the law, but software engineers are somehow exempt.
"The client didn't want to pay for a GFI so it's not my fault he got electrocuted ¯\_(ツ)_/¯"
> Knowingly aiding in breaking a law is usually frowned upon. "I did what they said because they won't pay me otherwise" usually doesn't fly.
Modern weapons require cutting edge engineering. Going after web devs but leaving alone engineers who created literal death machines would be an interesting position.
Now, engineers could decide to make software engineering a real discipline by getting a regulatory body and start enforcing the title properly (but this is widely unpopular and as far as I know, not done anywhere).
I’m talking about going after developers in the sense of “subcontractors”, not humans.
Also, weapons manufacturing isn’t illegal I can’t see how there could be a case for going after anyone for it? We don’t have a morality and ethics police (at least not in most western countries)
Yes but prior to that you need to make software developers "professionals" with licensing and an ethics board. Without the ability to say, "I won't build this, and you can't replace me with someone who will" putting the onus on individual devs is pointless.
That quickly turns in to, the rich guy who will profit from the lawbreaking needs a scapegoat. Always more dignified to tell important people they're out of line by punishing their serfs, don't you know.
The developer (contractor) can be at least as big and wealthy as the buying company.
I don’t mean developer as in an individual contributor, I mean an implementor, often contractor, which will normally be a company too.
Right now it’s too easy to cut out a niche of selling snake oil services like “automatic cookie banners” with dark patterns and batteries included. Meanwhile companies are fooled by these companies into thinking that if they just pay the $ for their “compliance solution” they are done. Here is where I’d like to see the sellers of the snake oil take part of the responsibility and not just the buyers.
What if it's a small company, perhaps even a single person company? Punishing them would have a disproportionately greater negative effect on their livelihood than it would for the people in charge of the company ordering the illegal thing to be built.
You mean, a company in the business of selling cookie banners that are deliberately in violation of regulations, should be spared because its owner needs to eat? I can't see why anyone would have that sympathy.
I'm arguing against going after small business contractors implementing stuff that is deliberately in violation of regulations and instead going after the large business that is ordering such an implementation.
The products work like so: you can buy them and not put the switches in the dark pattern mode (Not called that). Or you can flick on the switches and make the experience of rejecting 3rd party cookies annoying and unlikely. Called "optimizing visitor experience mode" or similar. And companies that buy them obviously want to do that.
Are they aware that this is when they stop complying, to the point that they could just as well have ignored buying the banner service and just shoved cookies on people quietly like they did before? Perhaps. It's possible that lawsuits could work here too. I'm (like you) guessing there is some fine print saying that you absolutely cannot use the switch that makes the "reject" button disappear under the mouse and have a delay of 60 seconds. And if you do then you are responsible yourself.
Breaking EU directives isn’t merely morally questionable. This is as close to law as we’ll see on EU level. States implement laws to enforce directives.
Nitpick: you can't break an EU directive. Directives are frameworks of laws that the states have to implement. Here it's the French implementation of the EU directive that was violated.
Maybe imprisonment would be better. Just a few years to teach the lesson. I mean this developer knowingly aided in getting users to see more targeted ads!
It’s not a petty crime to trade in peoples private information. Prison sounds a bit harsh though. Especially for the cookie banner end of the spectrum. I’d save that for execs of companies that actually make money in the actual trade of PII.
There will be room in prisons when they let people out who used <blink> tags 20 years ago…
> Prison sounds a bit harsh though. Especially for the cookie banner end of the spectrum.
The developer knew what s/he was doing. We're not talking jaywalking here--this person (!!) made it slightly more difficult to make a choice that most users don't understand or care about anyway! And the result is more targeted advertising! How can you stand idly by?
Tell that to the numerous people who see an ad for something actually relevant to them instead of something only vaguely relevant to the site's primary audience.
Imagine your own mother being subjected to this kind of thing. Wouldn't you want jail time for the perpetrator? Would you stop there?
> Tell that to the numerous people who see an ad for something actually relevant to them instead of something only vaguely relevant to the site's primary audience.
You're not being subjected to some kind of torture; in fact, you are responsible for sending the HTTP request and executing it on your computer.
There's nothing "authoritarian" about imposing criminal penalties on those responsible for not just violations -- but as in this case, egregious, massive and intentional violations of consumer protection regulations. It's just how a civil society works.
I was being sarcastic, but yes, I do think these threads tend to encourage a groupthink mentality.
The vast majority of users like free websites and do not feel like targeted advertising is a serious problem. This was true before GDPR and these silly cookie warnings, and it continues to be true. Likewise, implementing a cookie dialog that requires more clicks to opt out completely is not so morally questionable as to justify the discussion I had responded to.
I think the solution would be to make software development be more like engineering. Have a licensing body that includes an ethical code of conduct, and breaking it will result in fines or having your license revoked
IMHO there are multiple moral boundaries, and making a dark pattern like requiring an extra click to reject cookies is unlikely a hill to die on for most devs.
They might complain to their manager, even log a formal notice that they believe this feature to be breaking the law (if they are smart), but quitting a company for this specific dark pattern seems a bit unusual.
There’s a lot of selection bias, since a great many developers who would quit when asked to brazenly disregard privacy also wouldn’t interview at Google or Facebook in the first place.
There’s a lot of a-moralistic attitude towards FAANG on Hacker News, which honestly I find strange; Google and Facebook in particular are just giant douchebags with lots of cash.
This is huge, there are a ton of us out here writing software at non-profits, edus, etc., willingly making much less because we don't want to ever be involved.
FAANG (and any VC funded company that touches ad revenue) is already selecting for developers who are willing to overlook these kinds of things. It's one of the reasons why they need to pay people so much more.
The question isn't who builds it but who orders it. Would you leave your job just to fight back against this particular dark pattern? Do you ask about this dark pattern in interviews in order to make a decision about a potential employer?
Good point. Especially if they tell me we’ll get $X more revenue and my RSUs will be worth that much more…not sure I would say anything to be honest. Although I feel some shame saying that.
If I tell my boss that doing xyz is illegal and he doesn't dispute it, I'm absolutely certain he would not ask me to implement it.
Certainly there will be shittier bosses that will ask anyway, demand it, and perhaps even go so far as to fire someone for not violating the law, but I should hope those in the last category are few and far between and there would be internal and/or external outcry over it. Even if you have a boss that wants to fire you over it and nobody cares internally or externally (I'd find this situation very unlikely), you'd still get unemployment benefits / severance / whatever is typical in your jurisdiction, since you were fired rather than choosing to leave yourself.
In the US there are very few, if any, laws against dark patterns and data collection. The only real fine seems to be FAANG execs need to spend half a day on Zoom talking to Congress who are seeking soundbites more than change.
We work for very different companies if you expect your boss to lie outright. I'm not disputing this will exist, I'm just not sure this is the common case in skilled IT jobs.
Then we'll have a nice discussion about whether it is or not (or we ask the legal team). If it's legal then it's still up to me whether I find it okay, and then it's really my personal choice if I want to leave the company over this or if I want to try to get someone else to implement it or whatever. However, that wasn't really the point being discussed.
I was specifically talking about the scenario where you're asked to do something illegal and immoral, and its illegality is not disputed by the boss or legal team or something.
I have implemented things that are illegal. I objected against it in meetings, and it was one of the reasons I left that company. What exactly are you supposed to do as a developer? In general, I think all these trickster managers are just making things harder for everybody. It often feels like their decisions are based on a mindset rather than something that they can back up with real data.
> What exactly are you supposed to do as a developer?
I don't quite understand what you're trying to say. If you were asked to kill someone, clearly you wouldn't say "what are you supposed to do anyway" and go off to find a murder weapon since the answer there is rather obvious. What makes being asked to violate a different law different? (Assuming you find the request morally objectionable, I've probably violated laws that I thought were counterproductive for everyone.)
Because it _is_ different. If you asked me to kill someone for 1 Mil. $, I wouldn't do it. If you asked me to drive 20km/h faster than the legal limit for 10K $, I wouldn't even blink, it's an easy choice.
Now, how severe is this? You're not a lawyer, you can bring it up, and the company lawyers (that are paid maybe more than you are) say they reviewed the spec and it's legal. What standing do you have, as a developer, to say "no it's not legal, I won't do it!". Do you really know better than the lawyers?
[edit]
> If you were asked to kill someone, clearly you wouldn't say "what are you supposed to do anyway" and go off to find a murder weapon since the answer there is rather obvious.
What if you were a soldier? Or a drone pilot? Is the answer still obvious?
> company lawyers [say] they reviewed the spec and it's legal. [...] Do you really know better than the lawyers?
I'd be very surprised if anyone thought this was clearly legal after reading the law. But yeah, that would be a valid answer to the question: legal team says it's legal. If something is legal, you cannot be prosecuted for it, and you can have some reasonable confidence in lawyers reading the law and providing legal counsel correctly.
However, you were saying "I have implemented things that are illegal. I objected against it in meetings", so I was more thinking from the scenario where everyone knows it's illegal but the dev is asked to do it anyway. Presumably not even explicitly, just implicit "we need this feature" without ever bringing up "and we know it's illegal, but if you want to keep your healthcare..."
I mean, you don't even talk directly to lawyers, it's the managers telling you that "this underwent legal review". What are you going to do, say "no it didn't"? Maybe it did. Maybe they did say it was ok.
If you have your direct manager outright lying to you and you're indeed not absolutely certain about the legal situation yourself, yeah that's a tough situation. I don't readily have advice in that case, aside from 'shit manager, might want to consider leaving' (which is obviously only possible in luxury positions).
Done this several times. It's always been when I've had to take paid employment between building and failing at my own startups. I will always argue up and down with the client and almost always will get significant reduction in the nastiness of whatever thing they were trying to do, through education.
I think a lot of these dark patterns would be even darker but for the push-back by some developers. Though I've been at companies where some workers are like robots and will carry out management's desires down to a T, even when the idea is total insanity. Some workers are immigrants who cannot afford to lose their employment or they will be thrown out of the country and potentially lose their partner and children.
When I have to work on my own projects, I generally avoid all dark patterns - I try to go as far in the opposite direction as possible, while still generating revenue. Though, with the torrent site I built once, it was "Anything Goes". You're already running an illegal site, might as well write something that bleeds the users dry if you can.
EDIT: I want to add that most of it was down to lack of technical knowledge by management. They were business guys who didn't know the Web. Most of the time they weren't trying to be assholes, it just appeared that way.
I think so. There are many devs who are against government regulating the web and will happily code around them. HN is pro regulations so it's either keep quiet or get down voted to hell.
The unpopular opinion, however well presented, gets heavily downvoted so there is no incentive for them to share their views - healthy discussions are rare.
I actually implemented one of those. It's not as bad as the Google one, but still asymmetrical (accept is just a large button and reject is small, non-highlighted text next to it).
The customer in this case was rather non-technical and just wanted his tracking, so he wanted to have it like everyone else does. I/We actually told him very clearly that this is most likely illegal and talked it down a notch (from having "reject" hidden in the text), but he said he checked that with legal and we should do it. Losing the customer over this was really not worth it (especially since this is basically the way cookie dialogs are done everywhere), so we did what he asked, with our asses covered in case it backfires. I might send him this case, though.
On a side note, it was really hard to implement the cookie dialog correctly so that it only loads Google Analytics and our tracking when ok is clicked. We thought this was a solved problem, but nope. Especially when you want to delete cookies when consent is revoked. I would not be surprised at all if most dialogs actually don't work at all.
I don't know about the user you mentioned, but the “why” is patently clear: Tricking and bullying users into being the milking cows of the surveillance economy.
You can be paid for the task and keep quiet, or be paid for the same task and still complain online about it. You don't have to be aligned with the company that employs you, and a lot of workers aren't.
Often what happens is that someone (hopefully you) will raise the issue internally, but if the company decided to ignore regulations and take the risk of legal punishment, well it's not an engineer that will be able to stop it from being implemented. Hopefully such fines will make product owners and upper management consider the problem more seriously, but I wouldn't bet on it.
A proper solution to this problem requires a completely new perspective.
I made a client side firewall-esque library for Transcend Consent Manager so that site owners can load trackers immediately and locally quarantine tracking events for replay once consented.
This makes it possible to track like before but move the annoying cookie banner into an integrated UI so that site owners can ask for consent when the user is more invested in the site (e.g. during signup/checkout).
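The two implementation problems raised in this thread, loading an analytics tracker only once consent is given and removing its cookies when consent is revoked, and the quarantine-and-replay idea in the comment above, fit together in one small consent gate. The following is an added JavaScript illustration written for this page; it is not the commenter's library, not Transcend's code, and not Google Analytics. The tracker, the `_ga`/`_gid` cookie names, the `ConsentGate` class and the cookie-jar interface are all constructed for the example (the in-memory jar lets it run outside a browser; the `document.cookie` jar shows the same interface in a page).

```javascript
// Added example: consent gate with tracker quarantine and cookie clean-up.
// Trackers are loaded only after consent; events fired before that are held
// in a queue and replayed on consent; on revocation the queue is dropped and
// the trackers' cookies are expired. Strictly necessary cookies are untouched.

// Minimal cookie-store interface so the gate can run outside a browser.
function memoryCookieJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    names: () => [...store.keys()],
    remove: (name) => store.delete(name),
  };
}

// document.cookie-backed jar for use in a page. Assumption: the site passes the
// domain its trackers set cookies on (e.g. ".example.com"); a cookie can only be
// expired with the same name, path and domain it was set with, which is the
// usual reason "delete on revoke" silently does nothing.
function browserCookieJar(domain) {
  const gone = 'expires=Thu, 01 Jan 1970 00:00:00 GMT';
  return {
    set: (name, value) => { document.cookie = `${name}=${value}; path=/; domain=${domain}`; },
    names: () => document.cookie.split(';').map(c => c.trim().split('=')[0]).filter(Boolean),
    remove: (name) => {
      document.cookie = `${name}=; path=/; domain=${domain}; ${gone}`;
      document.cookie = `${name}=; path=/; ${gone}`; // host-only variant too
    },
  };
}

class ConsentGate {
  constructor(cookieJar) {
    this.jar = cookieJar;
    this.consented = false;
    this.trackers = new Map(); // name -> { load, send, cookiePrefixes, loaded }
    this.quarantine = [];      // events held until consent
  }

  // A tracker declares how to load itself, how to deliver an event, and which
  // cookie names (by prefix) it owns so they can be removed on revocation.
  register(name, { load, send, cookiePrefixes }) {
    this.trackers.set(name, { load, send, cookiePrefixes, loaded: false });
  }

  // Page code calls this anywhere; before consent the event is quarantined.
  track(event) {
    if (!this.consented) {
      this.quarantine.push(event);
      return 'quarantined';
    }
    for (const t of this.trackers.values()) t.send(event);
    return 'sent';
  }

  // Consent given: load trackers once, then replay what was held.
  grant() {
    this.consented = true;
    for (const t of this.trackers.values()) {
      if (!t.loaded) { t.load(); t.loaded = true; }
    }
    const replayed = this.quarantine.length;
    for (const event of this.quarantine) {
      for (const t of this.trackers.values()) t.send(event);
    }
    this.quarantine = [];
    return replayed;
  }

  // Consent revoked: stop delivery, drop held events, expire tracker cookies.
  revoke() {
    this.consented = false;
    this.quarantine = [];
    let removed = 0;
    for (const name of this.jar.names()) {
      for (const t of this.trackers.values()) {
        if (t.cookiePrefixes.some(p => name.startsWith(p))) {
          this.jar.remove(name);
          removed++;
          break;
        }
      }
    }
    return removed;
  }
}

// Demo with a constructed analytics tracker whose cookies are named like GA's.
function demo() {
  const jar = memoryCookieJar();
  const delivered = [];
  const gate = new ConsentGate(jar);
  gate.register('analytics', {
    load: () => { jar.set('_ga', 'GA1.2.constructed'); jar.set('_gid', 'GA1.2.constructed'); },
    send: (e) => delivered.push(e),
    cookiePrefixes: ['_ga', '_gid'],
  });
  jar.set('session', 'abc'); // strictly necessary cookie; must survive revoke

  const before = gate.track('pageview'); // held, tracker not loaded yet
  const replayed = gate.grant();         // loads tracker, replays 1 event
  const after = gate.track('click');     // delivered directly
  const removed = gate.revoke();         // expires _ga and _gid, keeps session
  return { before, replayed, after, removed, delivered, cookies: jar.names() };
}
```

The design choice worth noting is that the tracker's `load` is only invoked from `grant()`, so nothing analytics-related reaches the page before the user clicks OK; and `revoke()` matches cookies by declared prefix rather than deleting everything, so the strictly necessary session cookie that the thread agrees needs no consent is left alone.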
Depends on the person(s) or company creating the site. For larger companies, there'll be various people who would have a say on how the site works or flows, e.g. marketing people, UX, graphic designers, architects, product owners etc... Not just developers.
Each of these people may have a different viewpoint on what they want to happen and why.
These types of engineers will also build stupid stuff that doesn't work, because that's what the specification written by a group of business people who have never even looked at code before said.
Who creates malicious software, hijacking websites, computer viruses? There exist morally murky demographics in every profession, and it's mostly for money otherwise not available to them.
I've implemented 1000+% payday loan promotion in Mexico, with credit score check etc, stuff I find absolutely abject myself. I don't think I cared much: if it's not illegal, I do it, even if it's "immoral". Especially in remote jurisdictions I have interest to see fail miserably rather than succeed.
It's a bit sad, but each time you try to be nice and friendly, you get "raped" I feel, so well, might as well make some money off of some people to pay for when we get scammed ourselves.
Increasing risk of what exactly ? Since you are already doing it anyway ?
The original saying (that I don’t necessarily agree with) is not about competence but about ethics: if every ethical person refuses to work in weapon manufacturing/ advertising / whatever is deemed morally unacceptable, then the only people that will do it are people with no morals and we will be worse off as a society.
So really, in this case the person just shutting up and doing it is already the worse fallback.
But if you can't be bothered to read an RFC, 40ish pages of GDPR will be too much for you. You've got code to write, reading and learning is for schmucks.
These fines have nothing to do with GDPR. GDPR introduced one-stop shopping within the EU for data controllers. Google does that in Ireland. GDPR is a regulation, legally binding all over the EU. And for others offering services to EU residents, although that's probably unenforceable.
When they get fined in France the basis is a French law. Probably a law to implement an EU directive. The cookies directive (don't remember the official name) is older than and different from GDPR.
Situations like needing signed pre-approval of all your customers in a data controller position or giving the possibility to refuse when you act as a sub processor and need to update your own subprocessors.
That’s because you’re trying to do something fundamentally unsafe. A data controller is responsible for all the data they control and how it’s processed, as a result it needs to control and vet the entire data processing chain, regardless of how many processors or sub-processors there are.
If GDPR allows controllers to slip out of their obligations by using sub-contractors to firewall their legal responsibilities, then it would be useless as a data protection law. If you want to run a data processor that relies on byzantine structures in an attempt to create plausible deniability, then you’re gonna have a bad time.
Ultimately this is just a problem of dependency resolution, and conflicting dependency requirements, but it’s an unavoidable problem if you want to have truly accountable data controllers. Accountability is far more important than operational convenience. Remember GDPR exists to protect EU citizens, not businesses. It explicitly makes life hard for business, to ensure protection for citizens. Don’t like it, then leave, go exploit some other population.
> If GDPR allows controllers to slip out of their obligations by using sub-contractors to firewall their legal responsibilities, then it would be useless as a data protection law
And that's why it is.
Because it didn't take into account how companies work in practice.
A SaaS company has both individuals as well as organisations as customers and thus operates as a data controller and data processor.
Reality is that you can't ask each individual company to sign a document for each new subprocessor or data processing agreement modifications.
What on earth are you talking about? I’m making a fundamental statement about accountability, you can’t allow companies to outsource their data protection responsibilities, because history has shown time and time again, if you let companies outsource responsibilities, they’ll outsource it to someone who just ignores the law and provides a fig leaf to protect execs.
> Because it didn't take into account how companies work in practice.
The whole point of GDPR is to prevent shitty business practices, not enable them. How companies work in practice is most irrelevant, GDPR protects people, not companies.
> A SaaS company has both individuals as well as organisation as customers and thus operates as a data controller and data processor.
Yes, so what?
> Reality is that you can't ask each individual company to sign a document for each new subprocessor or data processing agreement modifications.
Yes you can. If your customer has given you explicit instructions on how they want their data processed, in the form of a data processing agreement, then you’re contractually bound to that agreement. You want to change it, then you need to ask all your customers. You can’t unilaterally just start doing something new with data you’ve been given because you feel like it. Otherwise what prevents you from just deciding that selling all the data your customers gave you is how you now handle their data?
I don’t know why you find this so difficult to understand. You’re not even taking issue with something unique to GDPR. Modern day slavery laws work in a similar manner, so does financial regulation, so does any contract where your customer gives you instructions, and you want to modify those instructions. Companies update their T&Cs and force customers to explicitly accept the new one all the time, this is not a new concept.
Are you kidding? I’ve dealt with half a dozen, like FrontApp, Looker (before it was bought), Stripe etc
This was while working at a bank, where the level of scrutiny from financial regulators, privacy regulators, and customers with a bone-to-pick with us was sky high. It was a total pain in the arse dealing with data protection agreements, and vetting them (both the agreement, and company) to make sure they met the standards. But you can bet your bottom dollar we did it.
Oh please. One might argue that the GDPR is a bit vague on some points, but it is very readable for ordinary people, and it clearly states that opting out should not be harder than opting in. So no, these dark patterns that push you into accepting by introducing extra friction for users that reject tracking (by adding artificial delays, having a lot of manual clicking to opt-out, etc) are not a case of genuine confusion. The people who build this functionality are just assholes.
This article is about the French Data Protection Act, not GDPR. They might be lex specialis, I don't know. I am just giving a benefit of the doubt that it is a more difficult problem than people make it out to be.
From my understanding GDPR and all other EU wide ideas or "Laws" are issued as Directives, each country then has to implement the directives in their own countries laws.
Some/most implement directives in a cut-and-paste manner, some don't.
> GDPR and all other EU wide ideas or "Laws" are issued as Directives,
No. The fact that the last letter in "GDPR" is not "D" is a pretty good hint that it's not a Directive ;)
It's a Regulation. Regulations apply directly, and are not translated into local law.
But omgitsabird is correct that GDPR is not the relevant basis here, but a clause in French Data Protection Law. And this clause exists because of the ePrivacy Directive.
My experience is that devs generally lack the desire and expertise to read and interpret legal texts. According to GDPR it's not their job either. Each company needs to employ or hire a Data Protection Officer (DPO) who is responsible for keeping track of data protection regulations and ensuring they are applied company-wide.
IMHO, as long as devs weren't trained on cookie law, they are not morally responsible.
I haven’t built any of those, but I feel like the cookie law is profoundly stupid and I think that it’s fair to punish users for their bad voting choices.
If you want to block third party cookies you have always had a switch there in your browser options.
It’s neither a cookie law, nor about cookies. It’s about tracking and is far more comprehensive. The adtech industry is just engaging in collaborative gaslighting and very successful at it.
Many third parties are now relying on information forwarded to them through first party systems and cookies. This forces sites to isolate those and provide a way of disabling the flow of personal data regardless.
The commenters here seem to take for granted that this cookie law is a good thing and Google/Facebook are evil villains, but there is a difference between a law and a good/just/reasonable law. I would argue interrupting the experience and wasting billions of peoples time clicking on cookie banners is also a form of harm. That’s certainly been my perception as an end user under this policy. I don’t work in ad tech and have no financial stake in this, I’m just sick to death of these fucking cookie popups.
But the law isn't about cookies, it's about tracking and making sure you, the user, know you are being tracked. The poor UX is malicious compliance and seems to be working since so many people are complaining about cookie banners and the law but not about companies tracking you, the actual bad guys.
It doesn’t matter what the law is about, what matters are the actual consequences and the impact that the law has had. So far it has had quite a negative impact for users. I really don’t see how this was a win for anyone.
The consequences only highlight the problem. We're currently in the first stage in a transition towards allowing the end user to express their wishes about tracking which then companies need to respect.
It only shows how disrespectful almost all companies are by attempting to shape the end users opinion on this law by attacking them with dark patterns.
If France is now expecting companies to equalize the opt-in and the opt-out behavior, they're essentially attacking these dark patterns, which is very welcome by almost all end users.
I hope that there will come a point in time when I can go into the settings of my browser, tell it what the default behavior (answer) should be and possibly even express interests in certain ad categories to whitelist them, like "biking". It would be a granular "Do Not Track" option which must be respected by the website.
You have any arguments beyond ad hominem?
This law exposes a very serious problem: even sites like Oracle's news blog or Volvo's corporate site, or British Airways's profile pages are selling your data to hundreds of advertisers.
I wonder if you're playing Devil's advocate or you really are defending this.. They could skip the "burden" users face by just not using so many dang tracking cookies. If you want information about how your customers use the site, or what their interests are, you can just _ask_ and try to solicit feedback explicitly. Most of the people will likely decline, but that _should be_ their choice to do so. And providing feedback _should be_ opt-in, not opt-OUT.
> ... the ePrivacy Directive (EPD) has become known as the “cookie law” since its most notable effect was the proliferation of cookie consent pop-ups after it was passed.
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> However, properly informing your users about the cookies your site is using and, when necessary, receiving their consent will keep your users happy and keep you GDPR-compliant.
You are complaining that the allergens information takes room on your restaurant menu.
We the people, through our democratic processes, have asked companies for transparency of their tracking process, the industry have decided as a whole to say fuck off and made the process as painful as possible.
Yes, the companies are evil/stupid villains on this case.
Not everything needs bloody philosophy.
Who is "we" though? I certainly had no part in a European democratic process that led to these laws but I still have to get nagged by popups every day.
Practically everyone tracks. Not practically everyone prepares food in a facility that also handles shellfish, etc. It's not philosophical that op reports (being sick of) clicking cookie banner ads in each site they visit. It's not even surprising empirically.
A lot of websites don't show cookie banners (DuckDuckGo, GitHub, HN, gitlab, etc.). Sure, the law has some minor mistakes, but it is the fault of the websites. If they didn't track the user, they wouldn't have to display a banner.
GitHub’s approach is really dubious and probably violates GDPR as well. They “only use necessary cookies” but then do (unnecessary) analytics on those necessary cookies. But doing the unnecessary part still requires explicit consent.
And all of the businesses can proceed to ignore that setting. At which point you're back to where we are now - an issue of enforcement.
All of these garbage cookie banners are just as noncompliant as ignoring that setting would be. You wouldn't have cookie banners to deal with, but at least clicking through those now supposedly results in less data being tracked.
Those cookie popups are only there because websites are collecting non-essential information from visitors. If you only use essential cookies that perform functions like remembering the contents of a shopping cart, or providing security when you log in, without which the process could not work, then you are exempt from the consent requirement and quite happily have a website with no cookie consent banner.
The popups are there because most devs are determined to stuff user tracking and analytics which they really, really need (despite never looking at them) into absolutely everything they develop, even though 99% of the time there's eff all point.
It's a shame there aren't more big fines for shitty sites, like stackoverflow.com, that punish people who don't accept all cookies by prompting on every visit.
If that's not bad enough, having an "Accept all" button but requiring another click to have the option of refusing, then making us manually select each category to turn off, then confirming, is certainly not symmetric.
These large sites know exactly what they're doing. They're hoping people will become fed up enough to just accept, or they're hoping there'll be enough accidents where people click "Accept all". It's rather shitty.
I mean that's the obvious solution, which for some reason most companies seem to forget about. I've done a number of projects where we had to rush a cookie banner, but with a lot of them, if they just did away with Google Analytics or click tracking or whatever, they wouldn't need any of it.
The spirit of the law is to protect users. The spirit of the interpretation is malicious compliance designed to annoy users into advocating against their own rights and interests.
Note that ads don't inherently need tracking. DuckDuckGo has ads, but no cookie banner - what ad to show is based purely on what you're searching for (and some other ephemeral data, like your location, I assume).
Display ads aligned to content on the page and that's it.
Which is what Google promised us when it rolled out AdSense. That's why it's called "Ad" "Sense" — By crawling your page ahead of time, Google could "sense" what ads were appropriate to match the content.
But at some point, Google ditched content matching and went after people matching.
I don't know the specific implementation of stack exchange/overflow ads, but given the blatant disregard they've shown for the community I'm not expecting they've done the privacy-preserving thing
Stackoverflow has a really strong user-generated ad signal, like Google. Users literally tell them what they're interested in. They don't need tracking.
Webshites [sic] that include multiple pop-ups, privacy violations, and other nastiness that get in the way of me reading the text on the page ought to go bankrupt.
They provide a public dis-service and the world is better off without them.
Yes, there needs to be a new business model for monetising content.
Mostly because it's not free. The money still comes from you, otherwise targeted tracking and advertising wouldn't make a profit, and wouldn't exist. For advertising supporting "free stuff", you have to accept one of a handful of potential realities:
* Advertising companies are taking a loss, and are funding free websites out of the good of their hearts. (we know that this is not true)
* Advertising companies make a killing, but the money still somehow doesn't come from you, so it is somehow being taken from somewhere else, or the companies paying for the advertising are taking a huge loss.
* The money actually still comes from you, but most of it is going to the advertisers instead of the content that you actually want to support, and it comes from you in a roundabout way over a longer period of time so you don't even notice it.
In short, if the companies are getting the money to run their "free content" AND the advertising companies are making a big profit, where does the money actually come from? It has to come from somewhere, it isn't being printed and gifted to the advertising companies. There's only one place I can see that this money comes from, and that's the people being advertised to.
Why is anybody okay with being psychologically manipulated knowing that the benefits of the manipulation primarily come to the manipulators rather than the content that they like? And also knowing that the manipulation itself continually warps and corrupts the content as everything is being optimized toward pure "Engagement" rather than actual useful information? Wouldn't you rather pay directly for the thing that you like than be subtly manipulated into paying some weird third party longer down the line?
The power gained over people when they submit to being monitored by pocket 1984 telescreens leads to totalitarian bullshit, inevitably. Free stuff for now, lost rights forever. It doesn't matter who is recording you, the information will end up in the wrong hands, and has. Maybe I seem hyperbolic, but on longer time scales there is certainly a trend towards taking our agency from us as we become more dependent on tech. There is no free lunch. What I would give, to be the guy everyone hates for taking their free shit away and saving democracy...
Websites had ads before analytics, they just weren't targeted specifically to you. They had to make educated guesses based on the content of their site, in the same way magazines did.
Exactly. And it's also frankly absurd we've been accustomed to the idea of ad networks autonomously publishing content on websites. The idea that a serious magazine would have printed an ad that no-one had seen before would have been bizarre. Today however you see this "get rich fast" and "miracle weight loss" ads on otherwise reputable news sites.
Ads are OK but it's the tracking of me which is what I hate. An ad you can ignore but tracking is at the least annoying at the worst feels invasive, dangerous, security implications.
> having an “Accept all” button but requiring another click to have the option of refusing, then making us manually select each category to turn off, then confirming, is certainly not symmetric
That, and if there is a “reject all” button it is often only equivalent to flicking all the base check-boxes off, leaving their mirror “legitimate interest” options enabled. In fact, the “legitimate interest” checks irritate on their own: they basically say to me “we see your preference, but fuck you we still wanna”.
> It's a shame there aren't more big fines for shitty sites, like stackoverflow.com, that punish people who don't accept all cookies by prompting on every visit.
Agreed. The way the EU has handled this is naive at best.
> These large sites know exactly what they're doing. They're hoping people will become fed up enough to just accept, or they're hoping there'll be enough accidents where people click "Accept all". It's rather shitty.
Yes, and there need to be new regulations to prevent them from doing this. Something like:
(1) all web browsers should have a setting allowing users to accept or reject advertising/tracking cookies.
(2) this must default to not accepting them.
(3) in headers of http GET/POST requests, if the user allows advertising/tracking cookies, it should indicate this; if the user doesn't allow such cookies, it should be silent.
(4) all websites would be forbidden from using advertising/tracking cookies unless explicitly permitted
(5) all websites and web browsers would be banned from nagging the user or giving them a worse user experience for not allowing advertising/tracking cookies
(6) The spirit of these regulations is that users need do nothing and they will automatically have a tracking-free experience; any work-around by companies attempting to find a loophole in this is a violation of the regulations.
(7) Violation of any of the above would result in heavy fines; and if infractions continue, further crippling fines would be levied.
Agreed. The way the EU has handled this is naive at best.
How so? The law is explicit that it should be just as easy to refuse the cookies as it is to accept them. Companies are ignoring the letter of the law anyway.
The EU does not want to say how it has to be done. It's a bad idea to put something into law because changing the law is incredibly slow. They only do that when the market failed over a long time.
See smartphone connectors where they will demand USB-C soon. When the news hit HN quite a few people were calling EU anti innovation.
> The EU does not want to say how it has to be done.
This is a massive loophole that the likes of Google can drive a coach and horses through. Doing it per website means that in practice 99% of web users just press the "accept cookies" button without thinking.
Of course, demanding a specific format is the definition of being anti-innovation.
Same with peddling with the web. They ruined the browsing experience for everyone and they're messing up with the market model of allowing people to sell their activity information in exchange for free stuff online.
The advertising model is what made the web possible. The more restrictions you apply to how websites finance themselves the more you constrain the web to be built by big actors with money and stifle innovation.
It was actually refused by ad & publisher networks. They really wanted the capacity to "convince" the user that their tracking is very special and good for them.
> By forcing every website to implement the same functionality for cookie prompts.
Can you expand on that? If you mean the GDPR, my reading is that it is unlawful to collect identifiable user data without informed consent. If a website does not collect data, then no problem. If a website wants to collect data, it must ask permission and give control to the user over the data. How the website implements this is not mandated.
> Agreed. The way the EU has handled this is naive at best.
The EU could have started fining everybody and unleash hell at unseen levels. They would have ended up bankrupting companies and people who added google analytics or AdWords to their site in good faith, without understanding the privacy implications.
So the regulators initially notified companies and gave them time to implement whatever change they were required to. To this day, if they aren’t satisfied with the changes, they contact the company again, they don’t just issue fines. This happened to a company I used to work for, that initially just added a cookie banner, then was asked to make the “deny all” and “accept all” buttons of equal size and with equal accessibility.
> They would have ended up bankrupting companies and people who added google analytics or AdWords to their site in good faith,
People who run websites really should know what they're doing, at least in broad strokes.
> without understanding the privacy implications.
Regarding Adwords, maybe the EU could've just mandated Google to serve ads based only on the web page and not on the visitor? That would've allowed websites to continue with minimal disruption.
Google's profits might be a few billion less, but frankly I'd count that as a plus.
> People who run websites really should know what they're doing, at least in broad strokes.
You can't just change a law and start issuing fines as if everybody was a criminal. You need to allow time for people to adapt, especially the guy who set up his personal site, installed Google Analytics because everybody used to do that, and forgot about it.
> Regarding Adwords, maybe the EU could've just mandated Google to serve ads based only on the web page and not on the visitor? That would've allowed websites to continue with minimal disruption.
That would be a ban of targeted ads, which I'm all for, but it's not what GDPR is about.
The EU legislation that mandated cookie consent popups has to take some “credit” for this state of affairs though. Custom cookie-consent UI per website has limitations.
After years of experiencing cookie popup hell, I’d say that a better way forward would be allowing users to configure their browsers to automatically communicate cookie preferences and consent, but regulators would have to work with the tech industry to make that happen.
And meanwhile companies will keep inventing workarounds like FLoC to track users without cookies.
> After years of experiencing cookie popup hell, I’d say that a better way forward would be allowing users to configure their browsers to automatically communicate cookie preferences and consent, but regulators would have to work with the tech industry to make that happen.
We tried that once before. Advertisers joined the board investigating making the "Do Not Track" header have legal weight, as an apparent sign of good faith, and then murdered it with endless bureaucracy that went nowhere.
We're trying to again with the Global Privacy Control headers [0], and I fully expect the same thing to happen again.
what level of awareness do you think the "majority of people" have about the implications of online tracking, of detailed behavioral profiling, of biased algorithmic influences on all online information experience etc.
somehow this particular industry can get away with standards and regulations that for any other industry would be the wildest dream of deregulatory heist
the "innovation" shtick has worn thin, it's time to clean up the mess
Apple's App Tracking Transparency (if that's what you're referring to, as opposed to Intelligent Tracking Prevention) doesn't even default to anything. It asks you and gives you two equally-prominent options, but indeed even in that case the acceptance rate is still just 4% which I assume is either misclicks or ad-tech people.
> a better way forward would be allowing users to configure their browsers to automatically communicate cookie preferences and consent
Yes. I should only have to say once (or better still not at all) that I don't want to be tracked, and then it would automatically apply to everything.
> regulators would have to work with the tech industry to make that happen
"work with the tech industry" sounds a bit too much like the regulators think they get what they want, but the tech industry really get what they want.
Regulators need to be able to impose a solution on an unwilling tech industry, who'll never agree to it unless forced.
> And meanwhile companies will keep inventing workarounds like FLoC to track users without cookies.
Any such workarounds need to be explicitly made illegal.
Actually, you may wish to have an "extended" experience on some websites and not on others: all cookies are not either technically essential or pure ad-junk tracking!!!
So it's sensible to allow a per-website configuration. Arguably, it would be better that this is included in the browser (like DoNotTrack was) with a configurable default (refuse all/always ask/accept all... and "always ask" ticked out of the box) and a widget showing if the website is in accept all/refuse all and allowing to change it... a bit like the uBlock extension
You can be tracked without cookies (or localstorage) trivially, it is commonplace.
You'd have to block requests to third parties. This is hard because it breaks most websites - all those that rely on cdns. You can wade through this with a script blocker like ublock origin and a whitelist but you don't really know what's happening unless you investigate each domain and script.
Even then you'd still be exposed to fingerprint tracking served through the original domain passing on to a third party at the back end.
Tracking isn't fixable with technological solutions alone.
People suggesting a user-based solution to this problem is like someone suggesting “well, you should just comprehensively read the terms of service and privacy policy for every website and product you use, and if you don’t agree, don’t use the site.” It’s an absurdly naive solution at best, and downright malicious solution at worst. In any case, people who believe this should be in the hands of the user don’t give a shit about the user, either actually or practically.
It is necessary but insufficient, because otherwise tracking Safari users would never have been possible. Despite that WebKit has had to consistently devote engineering effort into making these privacy invasions impossible.
WebKit, and I think Firefox now?, had to do further work to isolate same domain cookies to specific contexts.
At the same time there is Chrome, aggressively pushing new features that often happen to add new tracking mechanisms.
Google and Facebook depend on invading user privacy, that is their primary source of income. If there is any way they can track you, they will use it.
The only solution is legal, coupled with actual enforcement.
> Dear visitor, We use analytics cookies to offer you a better browsing experience. You have the choice to refuse or accept them.
> I refuse analytics cookies
> I accept analytics cookies
https://www.echr.coe.int has a small, non-intrusive banner at the bottom (good), but their cookie policy does say they “generate anonymous analytics such as the number of documents downloaded.” Hopefully that’s not per user — if so that’s pretty much best-practice.
But clearly there’s a lot of variation even among EU institutions in how they approach cookie prompts.
The first two have two buttons of the same size, color and prominence at the bottom of the site allowing you to accept or refuse cookies. These are not cookie popups, and they don't promote one option over the other unlike what Facebook and Google were fined for here. So I'm not sure where you see a problem with these sites?
The problem with these is the cognitive overload that comes from dealing with cookie prompts on every website you visit, aka “cookie consent popup fatigue”. Regulators need to do better.
Cookie popups such as these wouldn’t be a problem if we had a handful of websites. But they’re not helpful on the modern web with tens or even hundreds of sites visited by nontechnical or simply busy / task-focused users every day.
Please have a look at the comment chain to get context about why I brought this up. The point is that the EU’s guidance around cookie popups is part of the problem today (I know they had good intentions though).
Yes well that is exactly why they are ensuring the "NO" button is at least as large as the "yes" button. It's still not critical since the point, again, is to make them annoying to use; offering choice is secondary.
A cookie popup allowing you to easily either accept or deny (you do not need consent for truly essential cookies) is legal and the intended way to do it, so at least those first two are perfectly fine - not sure about the last one. It is not fine or legal to have a giant accept button and hide the option to refuse behind a dozen buttons like "More information" or requiring you to spend two minutes denying consent for each individual cookie provider.
Thank you, yes that’s pretty much it. Except instead of “consent modals must be legal” I’d say “consent modals must be *established practice*”.
There is in fact case law which interprets the legislation and says explicit consent is required[1] but of course it doesn’t mandate modals.
However it does note[2] that
> That decision is unaffected by whether or not the *information stored or accessed on the user’s equipment is personal data*. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
This sets a fairly high bar for getting consent for any identifier-laden cookie. So I can understand why people choose to use modals as a risk-reduction approach, and why it has become accepted practice. If you do end up in court, it’s reasonable to expect courts to consider what established practice is while formulating their judgement.
However, I do fundamentally disagree with the notion that explicit consent at the time of first visit is a good model for ordinary internet users. It was a good first effort but regulators need to do better, and strengthen ways for users to effectively pre-set their consent preferences in advance, think ‘Do Not Track’ but with teeth.
his argument is that if not even the commission, which presumably would adhere to the regulation they themselves have written, does it correctly, it suggests that the rules for cookies are different from what you claim.
There is no EU legislation that mandates cookie consent. In fact with the GDPR the old cookie-banner law that required you to inform of the usage of cookies was abolished. The cookie banners are the industry's own perverted solution to the problem of asking for consent when there is no other legal basis for processing personal information.
This way to communicate it does exist and companies can decide to respect it. (Do Not Track flag).
It's mostly the fault of companies trying everything possible to trick people into agreeing even if they don't want to and shifting blame away.
Also GDPR is not technology specific, so it doesn't matter if the company tracks you using cookies or fingerprinting. (Though there are local predecessors of GDPR which are technology specific.)
Or regulators could stop micromanaging tech as a way to extort fines and pander to the public. Let those who care go elsewhere or use browser tech (like Firefox containers) and client side solutions to control privacy. 95% of people could care less about tracking and find the cookie popups a PITA. Regulating these things is a slow whack-a-mole game resulting in very poor user experience.
Most likely true, tech companies are probably secretly lobbying for these idiotic laws which end up increasing the cost of starting competitors. Ruining the end users experience on the web is just a side-effect, which may still help people to use apps with login into private gardens instead of browsing an open web.
Paying 200M fines is nothing if it discourages competitors from innovating and creating the next Facebook, after all.
It's a bit like what happened with VATMOSS. It was meant to hit Amazon and force them to pay VAT in each customer's country and not just in Luxembourg - and it ended up complicating the life of small e-commerces so much that they all moved to sell on Amazon instead of running their own e-commerce.
I just tried that, and Stack Overflow clearly saves the consent preference and doesn't ask again. It also doesn't ask to select each category individually, if you go to "customize settings" all optional categories are off by default.
The current consent dialog doesn't behave at all as you describe, I'm not sure if there were previous versions that behaved in a different way.
Perhaps the confusion stems from the fact that StackExchange sites will ask once per site (which makes sense, as they're all different domains). So I've now seen probably half a dozen of those dialogs on their sites.
I don't see the behavior you describe on those sites so it suggests it's something unique to your setup. For instance: if your browser is set to clear cookies then they won't be able to store the preference for you and will have to prompt every time.
A fun micro-task: Specifically for stackoverflow.com I created a php-script on my site [1] to live-include a sample-iframe in a python lecture [2], with removed noiframe-header/cookies/login.
Saving the decision is an example of a cookie which is technically necessary, you can have those without consent. Consent and the option for opt-out is only needed for cookies that are not needed to run the page. You also don't need permission for session cookies.
The problem is that, even though they're not obliged to, they give the option to opt out of necessary cookies alongside the tracking ones, and I guess people de-select necessary cookies because they think all cookies are bad.
Then the site has no memory of the user, displays another pop-up, and people complain about constant pop-ups.
In a sense, StackOverflow are giving users too much control over the cookies being set!
Yes, they are giving users too much control over the cookies being set.
Same as a site that sends you spam, and one of the opt-out options includes ALL emails, including password reset, etc. Users get scared that they don't know what they will miss, and don't opt out.
It gives them plausible deniability for the wrong, while pretending to look good. The result is commonly as OP described - users eventually opting in.
But I don't believe it is innocent, nor do I believe that they somehow have convinced themselves that this is good for the user.
Perhaps I am just cynical, but I think that there exists reasonable doubt.
> You also don't need permission for session cookies.
Not usually, but if you use session cookies to do tracking you still need consent for the tracking itself. You can set the session cookie by default, but before you do any extensive tracking (more than technically necessary) you still need a consent dialog.
Of course this is exactly how most websites use session cookies, but I've also seen server side tracking frameworks that abuse session cookies necessary for operation.
I'd be pretty happy if regulators followed these all the way down into other operators (especially as uneven application of law tends to look a little like a shakedown.) It would do a lot for the internet in general.
The business model of generated content + algorithmic ads made the internet a worse place to find information/purchase products/etc. These sites crowd out small, specialist and hobbyist websites in search results and don't usually provide the content they advertise. They exist to earn microcents per impression and use any trick possible to look like a legitimate search result. It's these websites which are the worst offenders - opting out of tracking is drawn out and they prompt with every visit.
On the topic of cleaning up the crud - I also think search engines could play a better role here, as there are many sites that will turn up in just about any search request, despite not really having meaningful content (e.g. pinterest, amazon, etc.)
And the joy of having to go through the list of “legitimate interest” that contains every tracker and advertisement platform, with no button to reject all
The solution is not to rely on fining site owners, the solution is to support user agents that act in the interests of the user. Regulation will never keep up with the infinite ways sites can be shitty, browsers (and extensions) are much better placed to do this.
There are far too many ways of tracking users, automated solutions just perpetuate a continuous escalation. Making the behavior illegal in itself, as the GDPR does in absence of explicit opt-in consent, is a much better solution over the long term.
Yep... but the only question here is, will those tracking cookies (and in turn, advertising to those people) earn them more than 60/150mio.
Otherwise, IMHO, the cookie prompts are a huge pain in the ass, and this should be dealt with client-side - eg., browsers silently accepting cookies, and wiping them on tab/window close, with a special button/toggle for that specific website, to save cookies for longer than that session (eg. if you want to log in or stay logged in). I know there are extensions that do this, but this should be the default in browsers everywhere.
"In most cases, it just blocks or hides cookie related pop-ups. When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies. "
I usually dig through the shit sites do to reject. But Facebook, Google and previously TechCrunch are so bad I actually accept on a whim (in private tabs, of course). Each time wishing for a strong punishment since it's clearly illegal.
> like stackoverflow.com, that punish people who don't accept all cookies by prompting on every visit
Well, not sure if that's fair. Until you accept at least the "strictly necessary" cookies, it makes sense that you get prompted the consent at every visit, since no cookies are saved.
it doesn't. there's no law against cookies, there's a law against tracking. you can perfectly well store the cookie banner consent choice in a cookie.
EDIT: the reality is that it should actually be a "can we track you?" consent box. sites using the word "cookie" instead of "tracking" in the consent banner/popup are using technobabble to confuse you into just clicking "ok". users are not supposed to understand what it means.
it hurts me deeply that even programmers, who do understand what cookies are, have seen these misleading cookie banners so often that they think that's what GDPR prescribes. it's not, it's a lie.
> it doesn't. there's no law against cookies, there's a law against tracking. you can perfectly well store the cookie banner consent choice in a cookie...they think that's what GDPR prescribes. it's not, it's a lie.
This is just wrong.
The Cookie Law (ePrivacy Directive of 2002 and 2009) is distinct from the GDPR. It really is a law against unconsented cookies: not just "tracking" ones but also anything that stores the user's preference: anything not "strictly necessary for the delivery of a service requested by the user".
That said, websites could certainly do a bit better here and give users a clear option of "I request a service delivered without the use of cookies, apart from the one necessary to remember this request".
This is just FUD. Storing the cookie consent in a cookie is obviously "strictly necessary" if that's all you do with the cookie. Strictly necessary cookies do not, themselves, require consent.
You're saying that without obtaining consent, you can't store the cookie consent preference which is a ridiculous catch 22 explicitly rejected by the first link you shared (which states that the consent choice must be stored)
Moralising the topic doesn't help. Talking of punishment for showing a cookie notice is just plain ridiculous. Stackoverflow.com makes it very simple to opt-out, everything is unselected by default and the list of options is very short.
Why isn't there a browser setting that passes a standard header to declare what types of cookies you consent to? You set it up _once_ for your browser and you're done.
Anyone who actually worked on browser engines knew it was bullshit that the big internet advertisers (google, Facebook, etc) were using to deflect whichever privacy disaster was in the press at the time.
The rule required DNT not be enabled by default. It was optional for advertisers to follow it, and it was very clear that if there was any significant population that enabled DNT the advertisers would start ignoring it.
And they did. They went even further: they used the DNT state to track users.
Nothing like this on the client side has any value unless it is made illegal to ignore such flags, and that is actually enforced.
I was also negatively affected by stackoverflow's refusal to comply with the law until I blocked the pop-up using uBlock Origin. Users shouldn't be forced to do this but here we are.
Hopefully every EU state fines these companies and continues to do so until they comply.
For most sites I find not accepting persistent cookies at all and using a blocker to hide the prompts is sufficient. This avoids tracking (at least via cookies) whether the site is compliant or not.
The nasty ones are the likes of Google's more recent interstitial, which you can't easily hide with a blocker even if you've chosen to disallow cookies through your browser settings anyway, and which also requires several clicks to turn everything off explicitly before continuing, and which then redirects to a link on a domain most ad blockers will intercept causing further hassle for the user to override.
I'd have some sympathy for sites being put in a difficult position if visitors have disabled cookies entirely because putting up some sort of prompt on every visit if they need one is probably then required to comply with the letter of the law. But there's really no need for the obnoxious many-clicks-to-clear-it things like Google is doing and I don't believe for a moment that they weren't fully aware of the implications when they made the change.
Cookies are not the only way of tracking, and you've just indicated your consent to whatever server side fingerprinting the ad platforms might be doing, so I would say no.
>> If that's not bad enough, having an "Accept all" button but requiring another click to have the option of refusing, then making us manually select each category to turn off, then confirming, is certainly not symmetric.
I'm sure the code they use to do this is throttled. It certainly seems to run more slowly than the "Accept All" option.
That's another dark pattern that some sites use (used?), making the process of "storing your cookie preferences" take a long time - you see a spinner for a long time, while the 'accept and dismiss' button stays active and available throughout.
It should be illegal. Not accepting cookies is the default and should be a no-op. Accepting cookies is the one that should take a while, since only then do all the 3rd party scripts load in and do their thing.
> It's a shame there aren't more big fines for shitty sites, like stackoverflow.com, that punish people who don't accept all cookies by prompting on every visit.
Cookie banners should be made as annoying as possible so that people hate it and begin to protest that law.
> Cookie banners should be made as annoying as possible so that people hate it and begin to protest that law.
This is exactly what the advertising industry wants: You are confusing GDPR requirements with advertisers' malicious interpretations. GDPR doesn't require annoying your users; advertisers have chosen to require that all on their own.
“Cookie dialogs” are supposed to be about trackers of all sorts (not just cookies); there to ask for permission to store non-essential trackers in general.
We need to stop calling them cookie pop ups as that’s a misnomer. You can use cookies. You can store site state, login sessions, shopping carts and much more without asking at all.
I’m not a lawyer, so take this with a grain of salt. But I have implemented gdpr for several companies.
First, you do not need consent for anything deemed essential to your site. Furthermore, you kind of get to say what is essential and what isn’t, as long as you can reasonably defend it.
For example a shopping cart is certainly essential. Previous purchases, page views, etc all essential.
“Page views per session”, most likely not essential (though you can make the argument they are), but if you’re not installing an identifier on the user to track them (for example, they’re signed in and you’re aggregating as such), then you don’t need to ask for consent.
If this sounds like there are loopholes, that's because there are loopholes. Concretely, tracking consent dialogs are one of the looser parts of GDPR.
So what I usually tell clients is: You do not need a consent dialog, unless you use a first or third party analytics library.
If you add a third party analytics library (google analytics, Facebook pixel, piwik, plausible, …), [edit: or third party ads, they come with their own tracking], do not load it until you’ve asked for consent.
Ask for consent once per account or per logged out device.
> “Page views per session”, most likely not essential (though you can make the argument they are), but if you’re not installing an identifier on the user to track them (for example, they’re signed in and you’re aggregating as such), then you don’t need to ask for consent.
GDPR might allow for this but other data protection laws might not. In the UK if you want to use an authentication cookie for any other purpose you're required to request permission[0]. Weirdly the guidance also states that consent is also required for persistent login cookies.
Yes, you're quite right; I'm talking about GDPR, but other data protection laws may apply and may be stricter.
Also, these are general guidelines and may not be 100% compliant. But the clients I deal with do not usually need to worry about absolute compliance, otherwise they'd be hiring teams of actual lawyers, not me.
6. No, you are not really looking at this issue the right way.
While it has been nicknamed the "Cookie Law", the ePrivacy Directive is about trackers that contain PII (Personally Identifiable Information) and the reason some cookies exist.
On a high-level, the spirit of the law is:
- if the cookie is essential to the site, consent is not needed
- if the cookie doesn't contain PII / isn't used for tracking, it is not impacted by the law, and thus consent is not needed
Now several examples you detailed could be done server-side, without any tracking cookie, or with a cookie if the user is logged in (which implies accepting the website conditions and could be deemed essential). In those cases, no consent is needed.
If on the other hand you use a tracking cookie, like a Google Analytics tracking cookie, yes consent is needed.
The answer is no, unless you use a 3rd party like Google Analytics, then you need to look closely at legislation and their settings about whether you need to ask your end user for consent.
But generally speaking, you do not need a tracking consent banner unless you use tracking, directly or via 3rd parties.
As long as you don't connect the statistics you collect to individual user data, you should be fine. A server-side hit counter that just increments a row per page visit in the database doesn't need consent, as long as that row isn't directly connected to any user accounts.
If return counts are nothing more than "this user has visited the site before" and there is some benefit to the user (say, remembering their address or username) then I don't see why you'd need consent. This is in the legitimate interest of you and your user. This "legitimate interest" exception doesn't go as far as many of the nasty tracking companies pretend it does, though.
A history of purchases for an account is an obvious feature, but you need consent before you can use that data to generate a marketing strategy for example. So a cart history is perfectly fine, but training your recommendation algorithm in that needs consent.
You can use whatever you like to achieve the technical requirements for your site to operate from the user's perspective. Theoretically you could even use advanced device fingerprinting techniques without consent as long as the purpose isn't to gather data, but to serve an end goal.
As soon as you start aggregating data for your own benefit, you need explicit, optional consent from the user to use their data to your benefit.
Anonymised data can be used without consent, but good anonymisation is very very difficult to achieve. Data is considered PII if the data can be linked back to the individual user if you have a theoretical second database. Pseudonymisation, which is what most frameworks actually seem to do instead of anonymisation, is not enough to not need consent, because the data can easily be linked back to actual user data using a backup of your site database afterwards.
Tl;dr: as long as you use cookies and other features only to directly benefit the user, you need no consent. If the data you collect cannot possibly be connected to a user, you don't need consent. Based on my reading of the GDPR (not a lawyer but it was covered in an IT law class), that means 1: yes, 2: yes, 3: no, 4: possibly, 5: probably, 6: you've got the right idea.
You can find more details here: https://gdpr.eu/cookies/
You can also try reading the GDPR text itself, it's quite readable as far as legal documents go in my opinion.
It's not about remembering a user's cookie options. The point the parent is making is that "Reject All" should be upfront and centre along with "Accept All" so you don't need to then navigate extra layers to refuse cookies. i.e. it's just one click instead of many.
However that said the cookie preferences "cookie" can be considered a strictly necessary cookie so that it can be used to remember your cookie choices. This is the UK's Information Commissioner's guidance on such cookies:
Punish bad pop-ups, so people are wary of them ('wait is this bad') and discover (and find attractive) the possibility of not having one (can't be fined for a bad thing that doesn't exist) & network effects ('wait how do they have no pop-up')?
It's not about cookies. The legislation and the consent popups are not about cookies. They're not even about whether they're essential.
The banners are there for you to opt-in to your activity on the website and beyond to be tracked by a 3rd party, possibly across multiple other websites.
We do not need to discuss whether a cookie is essential, because it's a red herring. It's not about cookies, it's about behavioural tracking, it's about your browser activity being sent to 3rd parties, being collated and used to e.g. serve you advertisements to sell you shit.
That's what I'm saying. I recognise that's not what the law was intended to do.
The problem is that individuals and small businesses would rather interpret the law in a way that isn't going to get them in trouble, even if it is over-reaching. There has been a level of paranoia stirred up, caused by other companies interpreting the law badly.
It's like staying away from all bodies of water because someone sometime drowned while swimming in the sea. It's a vast overreaction, but it works.
In short, we have lots of armchair lawyers giving idiot-in-a-hurry interpretations, and everyone is doing it wrong because everyone is scared of doing it wrong.
It doesn't matter what the banners were intended for.
It's not that simple though. Even though I agree with you that it is not JUST about cookies, the legislation and guidelines do go into some cookie specific details such as when you can use session cookies vs. long lived cookies as an example.
It's not accepting cookies vs not accepting cookies; it's accepting non-essential (tracking + others) cookies vs rejecting those.
While this is an interesting question/argument, I'd argue that adding a cookie to represent that you have rejected all cookies might be considered an acceptable essential cookie, since it's expected you need to reject them all only once. See here for example:
You don't need to store an identifying cookie to remember someone clicked "no" on a popup. Storing a cookie or localstore that says "cookiePrompt = rejected" should be sufficient.
The rules in question apply to any storage of information to, or reading of information from, an Internet-connected device. It doesn't have to be "identifying" information.
Edit: I'm amazed this comment is being downvoted. Go read the CJEU's ruling in the Planet49 case if you disagree with me!
The Planet49 case has not much at all to do with that. They were using tracking cookies that they also shared with third parties, i.e. "non-essential cookies", i.e. not what OP suggested, and they were using a pre-checked checkbox for consent. The CJEU (and German BGH) decided that having such an "opt-out" does not constitute active consent.
PS: You might be misinterpreting what the court said about "personal data" (aka Question 2). The crucial bit here is this:
>That interpretation is borne out by recital 24 of Directive 2002/58, according to which any information stored in the terminal equipment of users of electronic communications networks are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. That protection applies to any information stored in such terminal equipment, regardless of whether or not it is personal data, and is intended, in particular, as is clear from that recital, to protect users from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
This just means that cookies containing personal data and cookies containing no personal data have to be handled the same. This still means essential cookies are still fine. It just means there is no difference between putting some static text, a random string (which could be an identifier), or the user's home address (personal data) in a cookie. Planet49 tried to claim that their tracking ids were not personal data and therefore they do not need any consent, and they failed, that's all.
I think we're talking at cross purposes. I am specifically picking up on the mention of "identifying" cookies in the OP. As you've flagged, the Planet49 case said that doesn't matter (your post: "cookies containing personal data and cookies containing no personal data have to be handled the same"). I'm not commenting on the essential cookie aspect.
You're right, I read your response quite differently than what you seem to have meant. I read it as "cookies need consent, no exceptions", which was my misreading and my bad.
At least under UK/EU law, you could likely justify such a cookie under exemptions allowing nonconsensual cookies - that's explicitly stated in the French regulator's guidance, for example.
As the sibling comment mentions, Stackoverflow would not know you have refused to save cookies on your previous visit, so it displays the banner again. That's precisely how it should be. If they want to know you without a cookie, they have to store your browser fingerprint, UA, IP, and more. I guess that's not what you'd want.
If it has to be asked every time, then it could be easily classified as essential functionality and allowed. The rules are about sharing private / identifiable information, not about preventing client-side storage from working.
Good. I for one am sick of tediously applying my cookie guidelines and popups "correctly" only to see dark patterns everywhere.
No, not a single person has a legitimate interest in being subscribed to your 160 marketing companies. Even the people that "like ads" know this is just blanket stalking.
'legitimate interest' is such a bad description because most (uneducated) people will think that it means they have to accept it because it is legitimately allowed. Those cookies are only legitimately interesting to the ad networks, and it's incredible how many companies are listed under that banner when you click through.
I never accept those, because I highly suspect they're legally binding.
The amount of those popups elements I have hidden using ublock with right click, it's staggering.
Some websites introduce a vertical-scroll: hidden; rule on <body> that I often need to remove manually, or to introduce a CSS rule in ublock.
Reader view often help a lot, but some websites, like yahoo, make it so that reader view won't work (it will display the consent thing in reader view).
Some websites in France went another route: they ask users to accept cookies or to pay instead. It's crazy. It really shows data really, really matters to them.
Another gimmick: I had big troubles using the Mozilla Matrix server because of cookies, since I've set up Firefox to delete all cookies at shutdown, except those in a whitelist.
> The amount of those popups elements I have hidden using ublock with right click, it's staggering.
I have a bookmarklet saved that simply deletes fixed elements, making it faster and easier to get rid of those[0]. However I have noticed sites are starting to make their banners more akin to shrinkwrap agreements where they state that dismissing the popup or continuing to read without making a choice is equivalent to acceptance.
[0] What I find most interesting is how many websites become much more readable by this - I hate sites that use a good third of the screen real estate for headers and footers, never mind those awful menus that only appear on scroll-up and cover the top few lines of content.
I noticed at the start of the WhatsApp T.O.S. change frog-marching that https://www.whatsapp.com had (edit: AND STILL HAS!) a single click 'Accept' and some weaselling links about 'Checking your Browser settings'. Super--and I might even go so far as to say--hella asymmetrical.
Is there some exception for 'meta services' like this? It's not the service/app itself, but is required if you want to read T.O.S. details, get help, etc for WhatsApp itself. Or should Facebook open their checkbook again?
The next step in these laws should be mandating program consumable APIs for essential functions. What if every website showing a cookie banner also had to expose a few endpoints:
I disagree. We don't need a technical solution to a people problem. If you start going on the level of how to use individual mechanisms, companies will develop new ones which are not going to be covered by law.
Especially accepting tracking should NOT, under any circumstances, be automated.
To me, it sounds like the purpose of this suggestion:
> Browsers could hook into these or making a browser extension would be easy enough.
Is that browsers can dictate the UI and so you wouldn't have these dark patterns to fight on each individual website.
I don't know if this would be a good or a bad idea, because indeed I can see people making an extension at minimum and a browser (*cough*chrome) at worst that would allow accepting everything automatically (which would not be legally valid because the consent was not 'informed', but the site owners would have no way of knowing that). On the other hand, there is also the advantage of no dark pattern being possible at all if you implement the API correctly. I don't know. Either way, this is what I think GP meant to suggest.
It seems reasonable - until you actually look at the specifics.
Some site may be just static files with no server-side api handling. Some may use GraphQL exclusively. Security. Government dictated API design will be an absolute shitshow. Etc.
Fair enough. I'm not particularly good at web dev so maybe there are better ways.
In the spirit of the law, yes maybe it should be less about mechanism and more about policy. The law they got fined over was that "accepting tracking cookies should be as easy as refusing them". I do think it's possible to amend that to say _something_ like "both accepting and refusing should offer a simple program accessible mechanism to do so". Combined with the existing law, it would mean the mechanism/API can't be made arbitrarily difficult to reject but easy to accept. There will be room for debate here too, but it fundamentally is possible because the banners have to use such a mechanism.
API call that GP suggested. Therefore, any DNT:"please track me baby one more time" values are legally invalid, because it could not possibly be an informed decision.
You can choose not to voice objection with DNT, but you can not give consent using it, and that's what these cookie walls are asking for.
(If you have a legitimate interest, legal requirement, technical requirement, or other ground for processing data while the user does nothing more than browse your website, an up-front banner to ask for consent is never required.)
Honestly these cookie laws are a shit show. The experience of browsing the web in Europe is shit due to all the popups asking you about cookies. Browsers have extensions to manage cookies, why force website to come up with their own unique UI for cookies? Furthermore cookies are not even user-friendly concepts, they are made to be digested by machines, it’s such a misunderstanding of regulators type of situation.
The intent of the laws is to force businesses to make better decisions about how they monetise and how they manage user data. Most businesses have reacted by refusing to make these decisions in favour of users, instead choosing to make the experience of using their sites unpleasant to generate a backlash against the law. Like you're doing.
You could say that the law is failing because it opened the loopholes allowing businesses to choose to behave badly, externalising the decision making to users. If that's your opinion, can you be a bit more specific, so we can dig into that issue and explore solutions and objections?
The law is failing because it created a worse situation. This has been going on for what seems like a decade. Nobody won from this. This is a bad law QED.
I don't see how the situation is altogether worse. Now everyone is aware about the extent of tracking and can opt out, even if most sites don't make it as easy as it should be. Is clicking "yes"/"no" such a big hassle that you'd rather have blanket tracking everywhere?
That law never forced companies to worsen user-experience, it forced them to disclose what they do with your data and limit what they can do without consent. This post is about companies building user-hostile and illegal UX. Are you blaming the law for this?
The law didn't create worse experience, companies did by not following the law. They just went with some dark pattern to keep data and try to work around the law. Guess what? This is illegal and this is exactly what this post is about. It's a bit weird to complain about the law instead of companies trying to extort your personal data, process and resell them, illegally and without your consent...
No, these cookie laws are in fact really well implemented, they are just oversimplified in the press (such a coincidence). Cookies are neither forbidden nor do they require you to ask anything, as long as they are useful to the service you provide.
That's why a lot of websites don't show those banners while however using cookies to store session tokens, user preferences...
But, yes, when you are browsing content without being logged in or without having the need to store something, the law forbids the website to send you cookies. Because they are not needed to execute the service, they are just there to track you. And even if you consider that tracking is necessary to monetize your content, well, in this case, you have to require the consent.
To me it's a totally legitimate law. It's easy not to deal with cookie popup : just respect your users and don't track them without notification.
As a user, you can rant about the law. Or you can just decide that a website forcing you to accept cookies to read some junk content is totally failing to respect you as an individual.
You can argue the law is just and right till the cows come home but the reality is it has made browsing the web much worse for everyone in the EU for unclear benefit.
It's a matter of taste. For me the web is much better like this. Your website is trying to track me to sell me a car or a vacuum cleaner and you don't want me to refuse consent? No problem, I'll leave. At least I'm informed.
> Browsers have extensions to manage cookies, why force website to come up with their own unique UI for cookies?
You haven't understood the laws. It's not about cookies, it's about tracking and personal data. If you are annoyed with the popups, be annoyed with the companies' disregard for your privacy.
Why does every little site I visit ask for my consent to track me? The problem isn't the law, it's those stupid sites wanting to exploit users.
Websites are free to standardize on a browser extension that provides a conforming interface and use that for users that have it installed, I don't see how the law bans that. Similarly you also don't need to put a full-screen modal to ask people to opt-in for things that require opt-in, you can just put the switches somewhere on the page. But of course many websites don't want to make it easy to ignore opt-in options, but would rather annoy you with. (Although nowadays it's not that unusual to see it done e.g. with social media embeds: locally cached preview image and opt-in button to load the embed instead of prompting on page load)
There’s nothing wrong with cookie laws in the EU, they don’t exist anymore and have been completely replaced by GDPR.
GDPR is a pretty simple law, if you want to collect personal data on people, you need to get their informed consent. Just like you need their informed consent to have sex with them.
How you get that consent is up to each company, but GDPR lays some pretty clear rules about what doesn’t count as informed consent. Such as creating flows or pop ups that encourage people to click accept button, or by trying to bundle multiple unrelated consents together under a single button. How you present that UI isn’t specified, you could use a cookie banner, or you could just respect Do No Track headers etc.
Equally the law doesn't care if you use cookies, or local storage or anything else. It only cares if you're collecting personal data. Not how you're collecting it. If you're using cookies for legitimate reasons like enabling user sessions, no need for a banner, you're not collecting personal data without consent.
Companies have chosen this hellscape of cookie banners etc. in an attempt to skirt the law and avoid doing what they should be doing: letting people use the internet without having their every click tracked and aggregated.
Thankfully we're now starting to see more enforcement showing this type of bullshit won't be tolerated. Soon people will start getting rid of cookie banners etc., once it becomes clear that they're a fig leaf that won't protect them from legal repercussions, and that they'll make more money by asking for consent nicely and not punishing people for refusing.
You usually make sensible comments, so that even you are not understanding that the law says nothing about cookies and is needed only in specific circumstances when the data processor wants to do something that cannot be reasonably expected and violates "the interests or the fundamental rights and freedoms of the [user]" means we need to better communicate what this law actually requires and when.
> The experience of browsing the web in Europe is shit due to all the popups asking you about [some technical thing that you can, indeed, control in your browser].
I just made this overview of when a cookie wall is required, hoping that it might help clear this up.
+-------------------------------------+
| Do you store data about users which |
| are merely viewing pages? |
+-------------------------------------+
| \ ________________________
yes `-no->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+---------------------------+
| Can this data be traced |
| to an individual person? |
+---------------------------+
| \ ________________________
yes `-no->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+------------------------------------+
| Are you legally required to do so? |
+------------------------------------+
| \ ________________________
no `-yes->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+--------------------------------------+
| Is it necessary, e.g. to make site |
| features work that the user enabled? |
+--------------------------------------+
| \ ________________________
no `-yes->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+---------------------------------------+
| Is it to protect the user's vital |
| interest, or are you a government and |
| the processing is necessary? |
+---------------------------------------+
| \ ________________________
no `-yes->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+---------------------------------+
| Considering recital 47, do you |
| have a legitimate interest? |
+---------------------------------+
| \ ________________________
no `-yes->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+----------------------------------------+
| Then processing their personal data is |
| none of your business but you can ask |
| for their permission ("consent"). |
+----------------------------------------+
\ _________________________
`----->|You need a cookie wall.|
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
What most people think when they see a GDPR banner: stupid law, politicians are stupid, "it's such a misunderstanding of regulators type of situation."
Reality: website wants to do something that you don't want them to do, and now the websites are required to let you make an informed decision.
>Since March 31, 2021, when the deadline set for websites and mobile applications to comply with the new rules on cookies expired, the CNIL has adopted nearly 100 corrective measures (orders and sanctions) related to non-compliance with the legislation on cookies.
I didn't realize there was that delay, I thought the rule was supposed to be enforced years ago.
There's multiple delays, arguably for a good reason. First, the law has to be ratified by each member state, which will also mean another delay state-side until legally enforceable. Institutions usually have a warm-up period too until they start enforcing new laws, preferring warnings beforehand.
It might seem inefficient but generally this is the only sane way to roll out changes across a society. Having people coordinate and "change habits" (as deplorable as the present habits may be) is best done gently. Providing ample time and warning for people to find a good course forwards.
One might even argue it's still too fast, given how many cookie walls we see. People are not aware that any site with such a banner is shady and that it's usually not required, and by now everyone has it fixed in their mind that it's the politicians that are stupid and don't understand technology. If we had done a better warmup with better communication, we might have had better-informed people (at least the techies, I understand that not every grandma is going to know the details here).
My understanding is EU member states have some freedom to implement the “cookie law” (ePrivacy Directive) in different ways, and this deadline is linked to some updates to the legislation in France which took effect from Oct 2020.
That's the delay set by the French DPO (Cnil). At that date, most French websites finally introduced an option to directly refuse (often a simple link saying "Continue without accepting").
I don't know about Facebook, but Google/Youtube sticks out as the only place where I effectively have to Accept All every time. Most cookie dialogs take only two clicks to reject nonessentials! You click something like "Customize" and then "Save", skipping the step with the dialog boxes, because the nonessentials will be all already turned off when you enter the config screen, at least if you visit sites from Sweden.
Even better if you visit sites from a Danish IP: I noticed there often exists an actual "reject" button which doesn't appear when you use a Swedish IP.
Does anyone know what the ramifications are for other EU countries, legally? They get the fine because they've broken French law, but that French law (I think?) exists as an implementation of EU law. If they now update their dialogs in France but not in, say, the Netherlands, can a Dutch court/data protection agency refer to this decision?
Point 10: "...the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union".
But I'm not a lawyer so I might be understanding that wrongly.
No. Regulations are directly applying law (they regulate things). Directives are implemented by member state law (they direct member state law towards a common goal)
I did not know that this distinction was between regulations and directives, thanks for sharing. Assuming this is the result of GDPR, the R being "regulation", then it seems that this automatically holds in the entire EU.
All the complaining in this thread about the lack of accountability on the part of devs building this stuff is really missing the point. If it's not "meaningfully illegal" to do this, people will continue doing it. We already know it's extremely effective. These fines are pitifully small compared to the usual investment required to see the improvements to metrics that dark patterns bring.
You don't see engineering firms ignoring safety regulations because they know the repercussions will destroy their business. Before that was the case (and in places where it still isn't the case) you see it all the time.
Expecting some random line-worker to stand up against changes that bring in this kind of money for the firm is just delusional.
This is the epitome of French hypocrisy when it comes to Big Tech. "Asymmetric cookie dialogs" are a big no-no but some of the biggest French websites give you two options:
1- Accept cookies and access the website.
2- Refuse cookies and pay 2€ per month to access the website.
How is that less hostile than having to click a few extra buttons?
"In addition to the fines, the restricted committee ordered the companies to provide Internet users located in France with a means of refusing cookies as simple as the existing means of accepting them, in order to guarantee their freedom of consent, within three months. If they fail to do so, the companies will have to pay a penalty of 100,000 euros per day of delay."
Well, it's ~356 developers they could have paid for that year instead. If only France fines them that might be workable, but there are a lot of other countries in the EU...
If I recall correctly, the fine scales up as time goes on, up to some (2?) percentage of company revenue. Like most people I would be happier seeing them get a several-billion-dollar fine right off the bat, but so long as it eventually becomes unbearable that's good enough for me.
This is not a GDPR fine, that (as of now - there's some push to change that in the future) can't be passed by France and would have to go through Ireland's regulating agency (since Ireland is the country chosen by Google) which has been not particularly willing to enforce GDPR against the major multinationals.
Yes and no; percentage wise it's a dent, but it's still a lot of money.
It's enough money that they will probably employ / deploy a small army of lawyers to get them to reduce or dismiss the fine, or stall it for as long as possible. 150 million buys you a lot of lawyers' time.
Europe does fine differently than the US. The fines will increase dramatically and persistently for each continuing violation. It might eventually reach 4% of annual world-wide revenue - for each EU country.
I often read about regulatory bodies penalising big tech, but have often wondered if they actually pay the fines? Or do they end up paying a much lesser amount after appeals?
Civil fines like this are normally announced as a settlement with the company concerned including (like here) undertakings to correct their practices. This means no appeals, and also leaves the door open for court action if they continue in misconduct breaching the settlement.
Most people are celebrating it here. BUT are google, facebook and co the only companies that get punished for this? Seems really weird to be honest if true. How about French companies?
Also, GDPR applies as long as the company runs a business in the EU. It doesn't matter where the company is originally from. They will be more than happy to fine the French entity if it made sense. Instead, they fine the Irish entity that performs social dumping. Not bad.
So Carrefour got a fine that was only 2% of Google's fine.
Carrefour has revenue of 80bn/year (Google has 68bn/year in Europe).
Very spicy indeed.
"The complainants argued that Carrefour (1) did not comply with their data access or erasure requests; (2) sent them direct marketing communications despite the fact that the complainants had objected to receiving those communications; or (3) in one case, did not allow the complainant to unsubscribe to marketing emails."
This all seems a lot worse to me than making one button harder to press than the other.
Ideally data protection authorities would just run a web scraper to identify these preemptively. Most non-compliant flows are implemented using a handful of known libraries (TrustArc for example) that are trivial to detect.
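As an added example (not code from the thread, from the CNIL or from any vendor): a small offline auditor in the spirit of the scraper suggested above. It parses a page, lists the buttons a first-time visitor can click, marks the ones that sit inside a hidden panel, and reports whether a reject option is as reachable as the accept option; it also notes known consent-management script hosts. The keyword lists, the hostname table and the two sample pages are assumptions constructed for the example, and a static parse cannot see controls that JavaScript injects after load.

```python
# Offline audit of a consent dialog for accept/reject asymmetry.
# Added example; keyword lists, vendor table and sample HTML are assumptions.
from dataclasses import dataclass, field
from html.parser import HTMLParser
import re

# Button labels that commonly mean reject / accept / "open another panel".
# REJECT is checked first so "Continue without accepting" is not read as accept.
REJECT = re.compile(r"\b(reject( all)?|decline|refuse|deny|only essential|continue without accepting)\b", re.I)
ACCEPT = re.compile(r"\b(accept( all)?|agree|allow all|ok(ay)?)\b", re.I)
CUSTOMIZE = re.compile(r"\b(customi[sz]e|manage|more options|settings|preferences)\b", re.I)

# Script hosts of consent-management platforms (illustrative, not authoritative).
CMP_HOSTS = {"consent.trustarc.com": "TrustArc", "cdn.cookielaw.org": "OneTrust",
             "consent.cookiebot.com": "Cookiebot"}
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


@dataclass
class Control:
    text: str
    kind: str      # "accept" | "reject" | "customize" | "other"
    hidden: bool   # inside a hidden/collapsed subtree at first paint


@dataclass
class Audit:
    controls: list = field(default_factory=list)
    vendors: list = field(default_factory=list)
    verdict: str = "no_dialog"


def classify(label: str) -> str:
    t = " ".join(label.split())
    if REJECT.search(t):
        return "reject"
    if ACCEPT.search(t):
        return "accept"
    if CUSTOMIZE.search(t):
        return "customize"
    return "other"


class ConsentParser(HTMLParser):
    """Collects clickable controls, noting which ones sit in hidden containers."""

    def __init__(self):
        super().__init__()
        self.audit = Audit()
        self._stack = []        # (tag, is_hidden) for open elements
        self._hidden_depth = 0  # > 0 while inside a hidden subtree
        self._buf = None        # text of the control being read
        self._buf_hidden = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "hidden" in a or a.get("aria-hidden") == "true" or "display:none" in style
        if tag == "script" and a.get("src"):
            host = re.sub(r"^https?://", "", a["src"]).split("/")[0].lower()
            if host in CMP_HOSTS:
                self.audit.vendors.append(CMP_HOSTS[host])
        if tag in VOID_TAGS:          # no end tag follows, so never pushed
            return
        self._stack.append((tag, hidden))
        self._hidden_depth += hidden
        if tag in ("button", "a") and self._buf is None:
            self._buf, self._buf_hidden = [], self._hidden_depth > 0

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag not in [t for t, _ in self._stack]:
            return                    # stray end tag, ignore
        while self._stack:
            t, hidden = self._stack.pop()
            self._hidden_depth -= hidden
            if t == tag:
                break
        if tag in ("button", "a") and self._buf is not None:
            text = "".join(self._buf)
            self.audit.controls.append(Control(text.strip(), classify(text), self._buf_hidden))
            self._buf = None


def verdict(controls) -> str:
    accept = [c for c in controls if c.kind == "accept" and not c.hidden]
    reject = [c for c in controls if c.kind == "reject"]
    if not accept:
        return "no_dialog"
    if any(not c.hidden for c in reject):
        return "symmetric"                 # reject is one click away, like accept
    if reject:
        return "asymmetric_hidden_reject"  # reject exists, but only behind another panel
    return "asymmetric_no_reject"


def audit_html(html: str) -> Audit:
    p = ConsentParser()
    p.feed(html)
    p.close()
    p.audit.verdict = verdict(p.audit.controls)
    return p.audit


# Constructed sample pages (not captured from any real site).
SYMMETRIC = ('<div id="cookie-banner"><p>We use cookies.</p>'
             '<button>Accept all</button><button>Reject all</button></div>')
ASYMMETRIC = ('<script src="https://consent.trustarc.com/notice"></script>'
              '<div id="cookie-banner"><p>We use cookies.</p>'
              '<button>Accept all</button><button>More options</button>'
              '<div id="prefs" hidden><label><input type="checkbox" checked> Analytics</label>'
              '<button>Allow only essential cookies</button></div></div>')
```

Run it over a saved copy of a page; banners rendered entirely client-side need a headless browser to produce the HTML first, and the verdict is a lead for a human to confirm, not a finding on its own.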
Yes. Fantastic. The figures are a bit low but this is exactly what I have been asking for. Big visible fines to corporations for simply making asymmetric non compliant cookie dialogs.
I wish they’d also go after one of the smaller fish that use a “cookie dialog provider” in default configuration. Effectively saying “if you think you can get away with buying this scam service you were wrong and the fine that could show up any day could end your business”.
It's over half of Google's estimated annual revenue in France. Not sure how you did that calculation, but if someone confiscated half your income it would not be much like a 62 cent fine.
Google doesn't break out the numbers by country. There are various estimates from 200M to 1000M. Either way this is a hefty fine, especially since France finds a new 9 digit fine to levy every year.
Also does it make sense for you that one region can make fines based on global revenue? Would it be OK if Iceland also gave companies fines based on global revenue rather than the revenue they have in Iceland?
More like a headline: "ordinary person <name> fined 0.62 for littering".
If I were to litter, the fine would be slightly annoying (maybe worth busting my ass to get to a proper trashcan to avoid this fine), but also being in the news about it.
So what platforms are currently serving most of the news? I believe the number is well over 50% of the news is served through Facebook and Google, but I struggle with finding an actual number on it. In any case, I'm sure there are plenty of ways to push down any negative news surrounding their own platforms.
I don't think Google and Facebook are very concerned about having minor headlines about cookie-related fines. The users who would react negatively to this already don't trust them and those who trust them either don't understand the issue or don't care.
I love to see tech giants get fined as much as the next guy but I find these cookie laws a bit ridiculous.
A better browser could just make cookies more visible. I should be able to configure what kind of cookies I save or don't. Oh wait, I can. It just takes an extension.
Anyway the cookie banners are a nuisance. Every site has their own banner but they all do the same thing. And I can do that thing by myself in the browser.
The money raised from these fines should go towards building a browser that handles cookie permissions on the browser side.
Every site should get to ask for cookie permissions only once - through the browser - (like with notifications or location), and the browser should remember the user’s preferences and never ask again.
True, but the UX was deemed too complex for the average user.
Instead of it being something the user has to manually find in settings and configure, the browser can show an unobtrusive prompt for the user to agree whenever a site tries to store a cookie for the first time.
There could also be changes to the cookie standard that allow specifying if a cookie is “essential”, so browsers can permit them by default, or “non-essential”, so the browser should prompt the user.
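The browser-side scheme sketched in the last few comments, as an added example (not from the thread and not an implemented browser feature): the user agent stores a response's cookies only according to a decision the user made once per site, prompts at most once per site and only when a non-essential cookie shows up, and treats a hypothetical `Purpose=essential` attribute (an assumption; RFC 6265 defines no such attribute) as the signal that lets a cookie through without a prompt. Third-party cookies, those set for a different site than the one being visited, are dropped outright; that rule is this example's addition. The registrable-site helper is deliberately crude (last two labels) where a browser would consult the public suffix list.

```python
# User-agent-side cookie policy: added example, not from the thread.
# "Purpose" is a hypothetical Set-Cookie attribute assumed for illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str    # Domain attribute, or the responding host if absent
    purpose: str   # "essential" or "non-essential" (hypothetical attribute)


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    purpose = attrs.get("purpose", "non-essential").lower()  # default: needs consent
    return Cookie(name.strip(), value.strip(), domain, purpose)


def registrable_site(host: str) -> str:
    # Crude stand-in for the public suffix list: keep the last two labels.
    return ".".join(host.lower().split(".")[-2:])


class CookieJar:
    """Stores cookies according to a decision the user made once per site."""

    def __init__(self, ask):
        self._ask = ask        # callback(site) -> "all" | "essential": the one-time prompt
        self._decisions = {}   # site -> decision, so the prompt never repeats
        self._store = {}       # (domain, name) -> Cookie
        self.prompts = 0       # how often the user was actually asked

    def decision_for(self, site: str) -> str:
        if site not in self._decisions:
            self.prompts += 1
            self._decisions[site] = self._ask(site)
        return self._decisions[site]

    def store(self, top_level_url: str, response_host: str, set_cookie_headers) -> list:
        """Apply Set-Cookie headers received while the user is on top_level_url."""
        site = registrable_site(urlsplit(top_level_url).hostname)
        accepted = []
        for h in set_cookie_headers:
            c = parse_set_cookie(h, response_host)
            if registrable_site(c.domain) != site:
                continue          # third-party cookie: never stored (example's own rule)
            if c.purpose != "essential" and self.decision_for(site) != "all":
                continue          # non-essential and the user chose essential-only
            self._store[(c.domain, c.name)] = c
            accepted.append(c.name)
        return accepted

    def cookie_header(self, url: str) -> str:
        """What the agent would send back: only cookies whose domain covers the host."""
        host = urlsplit(url).hostname.lower()
        pairs = [f"{c.name}={c.value}" for (d, _), c in self._store.items()
                 if host == d or host.endswith("." + d)]
        return "; ".join(pairs)
```

The prompt callback stands in for the browser UI; because the decision is keyed on the registrable site, a user who answered once for `shop.example` is never asked again on any of its subdomains.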
What would prevent (apart from being painful on purpose) a browser "do not track" preference from being set once (off by default / changeable per site, not to repeat what IE did to kill DnT), and sent as a DnT header (do not track / ask me every time / legitimate interest only)?
Nothing prevents a browser from doing this. But it does nothing unless websites respect it. So far many websites haven't been cooperative, as evidenced by the amount of shitty cookie consent pop ups we all have to deal with.
Sure, but we're speaking of a kind of standard (RFC or more specific one).
In this case, compliance is in the law: albeit not perfect and people trying to game it, you have to comply or be fined (if you do business in the EU).
Compliance is already in the law: Accepting and rejecting cookies needs to be equally easy, otherwise you don't have consent for processing personal data. That's how they got these fines.
I agree on the logic, though G and FB are hardly the only culprits. Ballpark guess is >50% of sites I visit with a cookie popup behave in a similar way.
Would be much easier if there were a normalised DOM structure/wrapper for these cookie popups so an extension can be made to choose the preferred choice, with possible exceptions.
Between the cookie popups and a "sign up to our newsletter" as soon as your pointer leaves the viewport- they're a huge time suck.
I've seen some extensions advertised but unsure whether they're able to cater for all the variations of layout.
This is true, but the big ones have the most money to actually pay the fines, and they have an exemplary role. The smaller websites will see this and think "Oh shit, our big examples did not get away with it, we need to fix our shit"
Keep in mind that a lot of websites and technology in general is basically copying from others. Google and Facebook are leaders in that area, and a lot of companies try to emulate them and follow their lead. Cargo cult? A bit.
So 50% of sites do this, but the only ones getting fines are foreign entities that politicians like to hate on for votes? That indicates to me that this is about revenue and politics, and not about the law. Call me cynical.
They're also the two who run the biggest ad networks. It's their cookies that other illegal dialogs are installing, and it's they who benefit the most from a culture of ignoring the law. I'd be more than happy for fines to be extended to other companies but I hope these fines will be a wake-up call for them.
If they don't want the fines, they could do what you and I do every day and follow the law.
The Danish browser extension "Consent-O-Matic" already handles most tracking dialogs, including Trust Arc.
But automating this wasn't intended by the GDPR.
It specifically requires a reject all button and specifically bans an accept all button. Rejection has to always be easiest and the default, accepting has to be hard and slow.
> Following investigations, the CNIL noted that the websites facebook.com, google.fr and youtube.com do not make refusing cookies as easy as to accept them
Seems like a ton of websites are using the same cookie framework and they all do this. You get a pop-up with a button to allow all, or a button to customize your preferences, and you have to go through a bunch of accordions and grey patterns to make sure everything but "essential" cookies is disabled.
I am so happy about this, because those companies are not respecting the local laws! Now others will also switch to "symmetric options" out of fear...
It's great! It has surprised me for a while that companies just didn't do it; it's quite well known.
One thing I'm slightly worried about is that they are not going to do the symmetric "accept"/"decline" all but actually make you click 3-4 times and accept/decline each cookie category (similar to how you have to refuse the Google one at the moment), that would be properly annoying.
But let's hope not! This will certainly improve the situation.
I can’t imagine anyone on HN not understanding this distinction; I can’t imagine any parliamentarian does understand it.
A website cannot "set a cookie" in the browser. The website can include a cookie that the user (agent) optionally can include in future requests. The user does not "accept" or "reject" cookies, but rather chooses to include them in future messages, or not.
The user agent doesn't know what the purpose of each cookie is. It could be a purely functional cookie (like a session cookie for an e-commerce website) or an advertising cookie. The website has to allow the user to accept the former and block the latter.
When disallowing setting such cookies will render the website unusable, this technical difference is not really meaningful. In practice a website can freely deny you usage without the correct semantic usage of cookies made up by them — that’s why laws are very important.
There are so many dark patterns for tracking users, not to mention other dark patterns. The excessive focus on cookies is a distraction. (Not to mention that cookies can be a valuable, almost unavoidable way of providing useful services.)
Dark patterns should be suppressed, but balancing attention on all such patterns.
EU law never specifically mentions cookies; it applies to all forms of tracking, even e.g. to CCTV in public spaces. GDPR and the ePrivacy Directive are very broadly defined because they apply to anything containing or storing identifiable data, even IP addresses in server logs.
Even 2 out of 3 configuration options for their consent manager immediately turn it into an illegal setup.
GDPR isn't complicated, it only sounds complicated if you want to find a loophole without breaking the law. If you just comply, it's super easy and simple to follow.
Aside from the main topic in this article, I'm interested in knowing why the CNIL would have jurisdiction over Google and Facebook. I'm assuming that Google and Facebook have local offices incorporated in France, but is that the reason why?
American media companies when your account displays irregular activity: "nuclear ban on email, phone number, app store account, WiFi SSIDs, device fingerprint"
The same companies with cookies: "here's consent dialog, on every visit, multiple times"
I think punishments for breaking privacy regulations and laws should be applied to those who break the spirit/intent of the law and not just the letter. Otherwise it's just an arms race, when one loophole closes another opens.
That’s how GDPR works. Most EU regulation focuses on outcomes, as opposed to specific methodologies.
Results in many Americans complaining about how difficult the regulation is to interpret, due to lack of specificity (US regulation tends to be highly specific). But it makes it much harder for people to skirt the intent of the law, because the intent is written into the law and used as the benchmark to determine compliance. This approach does require a transition process so businesses and regulators can figure out how to meet the intent of the law in their specific situation and create implementation guidelines. But over the long term it produces more flexible law that adapts to technical and social change better.
Not sure if it's me, but I feel like Stack Overflow has also started going mad with cookie acceptance requests lately, with the default option set to accept all cookies. It's fucking annoying.
Yeah I wouldn't be surprised if they implement this as a France-only thing, considering a lot of other regions haven't put their foot down yet. It's scummy, but I've come to expect it from these corporations.
This is good, hopefully we will start to see buttons to disagree to all appear on more sites - I've certainly given in and clicked agree a few times.
Or do away with them altogether; I wish that they tweaked the laws so that tracking or not is a browser setting, optionally enabled on a per-website basis but with no room for websites to bully you into it.
As we can see from Apple's changes recently, the vast majority of people do not agree to being tracked. The cookie banners bully people into allowing it anyway, because the opt-out is so convoluted.
My uBlock Origin blocks a huge part of cookie banners. For some "Behind the overlay revival" works great, mainly for sites that just darken the whole page with a modal in the middle. It's one click away. For the 1% I manually block the element through uBlock Origin, and the remaining 0.1% of websites that send you to another URL to confirm/deny, with no easy way to deny (looking at you, techcrunch) I just leave the site.
I seem to be the only one with this opinion in this thread, so perhaps I'm misguided, but the reason I'm tired of these cookie permission pop-ups is that they strike me as security theatre. It's pretending to the end user that they have some control over being tracked or not, when we all know that they'll be tracked all the same, with non-cookie based fingerprinting methods. Can the "don't do evil things with user data" intent of this legislation not simply be subsumed under GDPR?
They're not actually cookie permission pop-ups (that was a previous law IIRC), they're much broader consent pop-ups about handling user data. You don't really have any assurance they're not tracking you after declining, but it would at least be grossly illegal.
> Can the "don't do evil things with user data" intent of this legislation not simply be subsumed under GDPR?
It already is. Processing personal data requires a legitimate basis. Freely given consent is one of those, and the reason these companies are being fined is because "freely given" requires symmetry in accepting/rejecting. Without the symmetry, the companies had no legal basis for processing the data, so they got these fines.
It is harder to prove "evil things" in general, but the first step is preventing users from being coaxed into agreeing to "evil things" (or rather, making clear that this is illegal and will be punished).
It would be a good idea to fine a site based on their fake delay and/or how many cookie options they present (if it's one of those that give a switch for every "cookie vendor" they have for example)
This isn't a GDPR fine, it's EU ePrivacy Directive. That's why the French regulator felt it could fine Google directly rather than refer the matter to the Irish regulator - it says the GDPR's one-stop shop rule doesn't apply to this infringement.
ePrivacy predates GDPR and applies specific (and stricter) rules to a few things, including against intrusion to internet-connected devices (the ePrivacy Directive's so-called cookie rule also affects malware, telemetry, software updates, etc).
It's long overdue an update but its intended replacement, the ePrivacy Regulation, is taking a while to be agreed by EU legislators. In the meantime we're stuck with out of date legislation that's applied and enforced without the benefit of the GDPR's "one stop shop" enforcement coordination rules - neither of these things is ideal!
I always accept all cookies, and it has caused exactly zero problems for me. I have no idea why everyone is getting so excited about them. The only annoying thing is having to click accept all the time.
Seriously, the people downvoting this should try it. It frees up your mind to think about things that actually matter.
It's not that you get punched in the face if you 'accept all'.
It is that you create a small but real possibility to suffer from it in the future. Like getting a lottery ticket to win something like paying more for your flight, being denied insurance or bank loan, being subjected to political manipulation, having your name published alongside your sexual preferences, or, to nicely round it up, being selected for participation in a governmental work camp. All of this did happen in the past, albeit not to everyone of course, of course.
Those are paranoid things to worry about. Can you name a single example of someone in Europe who was denied some sort of insurance because they clicked on the wrong cookie consent button?
If my government wants to put me in a work camp will Europe's cookie consent laws protect me? None of this makes sense.
In Europe we have 28 nations that could fine these companies since 2018 when the GDPR went into effect. The question is which ones will actually bother to fine them, and the answer is "not many" given the evidence available so far.
Look again at the nature of the offence - it's not about consentless tracking (any tracking here, using cookies, was opt in). Plus, users that were concerned enough could quite easily refuse; they just couldn't do it with a single click. How much do you think they actually suffered? How big of a fine do you think something like this actually deserves (given we're just talking about French users here, not EU or global)?
Facebook: "More Options" -> "Allow only essential cookies" (1 click more than necessary)
Google: "Anpassen" (Customize) -> switch off "Suchanpassung" (Search customisation) -> switch off "Youtube-Verlauf" (YouTube history) -> switch off "Personalisierte Werbung" (Personalised ads) -> "Bestätigen" (Confirm), and then there are 3 seconds of delay with a progress bar (4 clicks more than necessary + delay). This delay does not occur if I simply press "Accept all".
Could we not be disingenuous? If the delay was meaningless, it wouldn't exist. There is a clear intention by these companies to bore or confuse people into signing their rights away. Consider how many lawyers are on payroll or retention at these companies who are aware of the requirements of the law, then consider that G/FB made a cynical, calculated decision to ignore it.
> There is a clear intention by these companies to bore or confuse people into signing their rights away
These aren’t “rights”. There’s no confusion either. And people aren’t entitled to getting a service for free so they lost nothing.
> Consider how many lawyers are on payroll or retention at these companies who are aware of the requirements of the law, then consider that G/FB made a cynical, calculated decision to ignore it.
Hopefully companies will protest the EU and just get rid of these annoying popups altogether. If the EU wants to make it impossible for people to visit sites like YouTube I'm sure EU citizens will complain.
I think you gravely misunderstand. Companies do not have to show cookie banners, if they have other legal grounds for processing user data. The intended effect of the law is actually just that: Companies processing only data they absolutely need to.
Your strategy for protesting the (totally sensible) EU law seems strange: "Let us openly break the law, let the EU announce that we broke the law, refuse to do anything about it, let the EU announce that they will fine us until we stop doing business in EU and then hope that the users take our side". Seriously, I'm interested in what PR message you intend to come up with that convinces users the EU is at fault for you mishandling people's data.
I’m relieved this (eventually) happened. Every day those consent forms remain up is like a giant F. U. from Google at GDPR. It’s not like they didn’t realise they were completely non-compliant.
At times I wonder if the EU decided that fines were the way to get a portion of the pie of all the American tech giants. They seem to be very effective at transferring the wealth periodically
These stupid cookie dialogs are a result of EU law in the first place. They shouldn't exist, and even if they exist in Europe, as a non-European I shouldn't have to deal with them.
Cookie dialogs are the contemporary equivalent of popup ads, in terms of the annoyance to users. I'd love to find a browser that makes them go away, just like browsers blocked popups years ago.
The law doesn't stipulate that websites should have these cookie banners. It stipulates that users should only be tracked if they give consent. The banners are an invention from websites - get angry at them for tracking you, for annoying you into allowing them to track you instead.
And look at Apple; they pushed a change on the app store and their apps where privacy is now the default, and they do not bully and annoy you into accepting anyway.
And yet, these cookie banners appeared after the law was passed. We all know why. It's because of the law, and because the law forces companies to react a certain way in order to avoid legal trouble.
Github doesn’t have any popups interestingly, as well as a litany of other sane websites. Just because most of them are trashy and want to track you, it is not the fault of the EU. It is annoying but at least you know what’s ahead of you.
I honestly don’t think it’s an issue. If people are paranoid they can control their cookies via their browsers. Getting targeted advertising is a good thing not a bad thing to me (just my opinion).
I mean they could have also chosen to just stop tracking people. Getting annoyed at the fact that sites are now forced to make you aware that they're building up a profile of you seems a bit odd.
If a law trying to decrease the number of murders actually doesn’t do much and then increase rapes, wouldn’t you think the law was a bad idea in the first place?
Yes, they do exist because of the GDPR, but what's your point? So the privacy law that is regulating tracking and data transfer - especially when ambiguous to the user - is to blame and not the companies performing these shady practices? The companies that then make a cookie banner cat-and-mouse game with dark patterns to trick users into "consenting" anyway, although it was clear from the beginning that many of these practices are illegal, a fact that takes some time to establish jurisdictionally. But sure, the law which puts users' privacy at the center is to blame and not these companies.
> So the privacy law that is regulating tracking and data transfer - especially when ambiguous to the user - is to blame and not the companies performing these shady practices?
Yes, the purpose of the law is to end the shady practice, which doesn't seem to be happening, and no one is caring about the outcome. The popup seems to be just like a second ToS, which has existed on the web for years. If the law doesn't track its real-world effect or doesn't do an analysis of the benefit-to-annoyance ratio, yes, it's the law which is to be blamed.
The law is just fine. It is the lack of enforcement which has been the problem. I hope that this move from the French is the beginning of the end of these shady pop ups.
Yes, the law is to blame. The companies never would have done any of this except for the law. The GDPR is the reason the web is festooned with ridiculous cookie consent forms of all kinds, both the good ones and the bad ones.
Keep in mind too that I am not a citizen of an EU country. I have to put up with these dialogs and I get nothing in return. The upside for EU citizens is that they have a law to protect them. All I get is the downside.
So you suggest that without the law they wouldn't track you? Or that without the law they wouldn't even give you a notification that they do illegally track you?
Yes, the law is to be blamed. I don't care about intentions, I see the outcome and as long as the outcome is lose lose (as is the case with the cookie banners) then the law needs to be changed / updated / repealed / amended.
Google has huge annual revenue from EU advertisers and significant assets within EU; the main EU subsidiary "Google Ireland" has something like 50 billion euros annual turnover - of course they have to pay this unless they want to withdraw completely.
The fines were issued to Facebook Ireland and Google Ireland, which are within the jurisdiction of the EU.
Typically if a company wishes to do business with EU residents they have to comply with the EU regulations. Many larger companies choose to incorporate somewhere in the EU to make this easier or in some cases they will even incorporate in each country that they do business in.
This might be a shocker, but even American companies have to obey the local law of the country they operate in. Big tech runs offices, has infrastructure and profits of a huge market in those countries. All of this is leverage a country can use to enforce their law.
France can just order local banks, payment networks and bailiffs to seize any money or physical assets that Facebook or Google have in France.
Or, if they wanted to go all out, could issue EU wide arrest warrants for top Google and Facebook executives, and start seizing their assets. I’m sure top exec at both companies have a bunch of holiday homes on the south coast of France they like to visit.
Google and Facebook are publicly traded companies. Indirectly, I own shares in both. I'm not American, nor are many of their workers, nor are many of their offices, nor is Sundar Pichai. Crucially, these 'customers' are French and, like you and I, if you want to sell things (belonging) to French people in France, you have to follow French laws. Assigning nationalities to companies is bizarre.