The first two have two buttons of the same size, color and prominence at the bottom of the site allowing you to accept or refuse cookies. These are not cookie popups, and they don't promote one option over the other, unlike what Facebook and Google were fined for here. So I'm not sure where you see a problem with these sites?
The problem with these is the cognitive overload that comes from dealing with cookie prompts on every website you visit, aka “cookie consent popup fatigue”. Regulators need to do better.
Cookie popups such as these wouldn’t be a problem if we had a handful of websites. But they’re not helpful on the modern web with tens or even hundreds of sites visited by nontechnical or simply busy / task-focused users every day.
Please have a look at the comment chain to get context about why I brought this up. The point is that the EU’s guidance around cookie popups is part of the problem today (I know they had good intentions though).
Yes, well, that is exactly why they are ensuring the "NO" button is at least as large as the "yes" button. It's still not critical since the point, again, is to make them annoying to use; offering choice is secondary.
A cookie popup allowing you to easily either accept or deny (you do not need consent for truly essential cookies) is legal and the intended way to do it, so at least those first two are perfectly fine - not sure about the last one. It is not fine or legal to have a giant accept button and hide the option to refuse behind a dozen buttons like "More information" or requiring you to spend two minutes denying consent for each individual cookie provider.
Thank you, yes that’s pretty much it. Except instead of “consent modals must be legal” I’d say “consent modals must be *established practice*”.
There is in fact case law which interprets the legislation and says explicit consent is required[1] but of course it doesn’t mandate modals.
However it does note[2] that
> That decision is unaffected by whether or not the *information stored or accessed on the user’s equipment is personal data*. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
This sets a fairly high bar for getting consent for any identifier-laden cookie. So I can understand why people choose to use modals as a risk-reduction approach, and why it has become accepted practice. If you do end up in court, it’s reasonable to expect courts to consider established practice while formulating their judgement.
However, I do fundamentally disagree with the notion that explicit consent at the time of first visit is a good model for ordinary internet users. It was a good first effort but regulators need to do better, and strengthen ways for users to effectively pre-set their consent preferences in advance: think ‘Do Not Track’ but with teeth.
His argument is that if not even the Commission, which presumably would adhere to the regulation they themselves have written, does it correctly, it suggests that the rules for cookies are different from what you claim.
https://ec.europa.eu/info/law/law-topic/data-protection_en
> This site uses cookies to offer you a better browsing experience. Find out more on how we use cookies.
> Accept all cookies
> Accept only essential cookies
https://www.europarl.europa.eu
> Dear visitor, We use analytics cookies to offer you a better browsing experience. You have the choice to refuse or accept them.
> I refuse analytics cookies
> I accept analytics cookies
https://www.echr.coe.int has a small, non-intrusive banner at the bottom (good), but their cookie policy does say they “generate anonymous analytics such as the number of documents downloaded.” Hopefully that’s not per user — if so that’s pretty much best-practice.
But clearly there’s a lot of variation even among EU institutions in how they approach cookie prompts.