Brave browser to start blocking annoying cookie consent banners (bleepingcomputer.com)
410 points by redbell on Oct 9, 2022 | 244 comments



Every time I read about this, it makes me think about this game:

https://termsandconditions.game/

(SSL warning)

These shenanigans are not required, they are very much designed on purpose.

Indeed, corporations can follow the "Do Not Track" header. There is nothing in the EU law that requires a banner, only informed consent.

So if I have DNT=1 set in my browser, pop a quick non modal notification saying "we want to track you but we won't because you said not to. Click here if you want to change that". Solved.

I'm informed. I made my choice.

But that's not what it's about.

Because the vast majority of people would not consent. Who are you kidding? This tracking is not benefiting us. It's like when a politician says it's "for the children" or "to fight terrorists". Everybody knows they are full of it.

So the banner is just the most annoying way that is legally allowed to try to get people to force-accept tracking. In fact, some banners are crafted to make rejection the hardest path for this very reason.

Those corps chose to make the web terrible a little bit more every day: tracking, auto play, scroll hijacking, dark patterns, cookie banners...

We should thank the EU a 1000 times to reveal who are the bad players.


> In fact, some banners are crafted to make rejection the hardest path for this very reason.

Something that's also illegal. National regulators don't seem to care though, which is a shame as a couple of fines and operators would mysteriously, simultaneously and suddenly realise there _was_ a way to make rejection at least as easy as acceptance all along.


I think they do care, but with limited means they cannot tackle the whole problem at once. So they go after one bad actor after another, and the others eventually adjust their practices to be a bit less illegal.

On the French web you can see the evolution on newspaper websites, which used to have these popups with an easy accept button and difficult, hidden paths for refusal, which eventually moved to a simpler "reject" button with subdued colours or a "reject and read the article" a bit less visible than accept, but still easy enough to spot, and now many have two equal buttons... but "reject" leads to a page that says "you can reject cookies but then you can't read the newspaper, you can pay instead".

You can really see how they try to go as far as they think they can, and adjust their behaviour even without having been targeted themselves. I have good expectations that everything will eventually get better even if it will take time.


The same happened with Google and YouTube. They used to have pop-ups with a large and obvious "Accept" button and a clicking game if you wanted to reject tracking. The EU put pressure on them and now the popups have two equal "Reject" and "Accept" buttons.


The current situation is still a problem. If you disable cookies, you get the banner every single time.

The law should outlaw that behavior so that people can continue to conveniently block cookies. Google is an ad network and controls Chrome. They could come up with a universal opt out (like X-DO-NOT-TRACK) that works with such a law.
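The header-based opt-out discussed in this thread (the DNT=1 notification flow from the first comment and the universal opt-out suggested just above), sketched server-side as an added example that is not part of the thread or any site's real code. `DNT` and `Sec-GPC` are real request headers; the `consent` cookie name, the function names, the returned fields and the rule that a site-specific opt-in overrides the browser signal are assumptions of this sketch.

```javascript
// Added illustration, not code from the thread or from any real site.
// Per request, decide whether tracking is allowed and which consent UI (if
// any) to render. Browser-sent opt-out headers are checked before falling
// back to a prompt, so a visitor who blocks cookies is not asked again on
// every page load.

const CONSENT_COOKIE = 'consent'; // assumed cookie name: 'accept' | 'reject'

// Lower-case header names and trim values so hand-built objects and
// framework-provided header maps are treated the same way.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Parse a Cookie request header ("a=b; c=d") into a plain object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const pair = part.trim();
    const eq = pair.indexOf('=');
    if (eq < 1) continue; // skip empty or nameless fragments
    out[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return out;
}

// Returns { track, ui, reason } where ui is 'none', 'notice' or 'banner'.
function decideConsent(rawHeaders) {
  const h = normaliseHeaders(rawHeaders);
  const stored = parseCookies(h['cookie'])[CONSENT_COOKIE];
  // Only the value "1" is an opt-out. "DNT: 0" or an absent header is not
  // treated as consent; tracking still needs an explicit opt-in below.
  const optOut = h['dnt'] === '1' || h['sec-gpc'] === '1';

  // Assumption: an opt-in made on this site (the "click here if you want to
  // change that" path) takes precedence over the general browser signal.
  if (stored === 'accept') {
    return { track: true, ui: 'none', reason: 'site-specific opt-in' };
  }
  if (optOut) {
    // No cookie is needed to remember this: the header arrives every time.
    return { track: false, ui: 'notice', reason: 'browser opt-out signal' };
  }
  if (stored === 'reject') {
    return { track: false, ui: 'none', reason: 'stored rejection' };
  }
  // Nothing known yet: do not track, and ask with equally weighted choices.
  return { track: false, ui: 'banner', reason: 'no signal, no stored choice' };
}

// Render the consent UI fragment for a decision. The notice is non-modal
// (role="status", no overlay); the banner gives both buttons the same class.
function renderConsentUi(decision) {
  if (decision.ui === 'notice') {
    return '<aside role="status" class="consent-notice">' +
      'Tracking is off because your browser asked us not to. ' +
      '<a href="/privacy/choices">Change</a></aside>';
  }
  if (decision.ui === 'banner') {
    return '<form method="post" action="/privacy/choices" class="consent-banner">' +
      '<button class="choice" name="consent" value="reject">Reject</button>' +
      '<button class="choice" name="consent" value="accept">Accept</button>' +
      '</form>';
  }
  return '';
}

// Constructed sample requests (not captured traffic).
const samples = [
  { DNT: '1' },
  { 'Sec-GPC': '1', Cookie: 'theme=dark' },
  { Cookie: 'theme=dark; consent=reject' },
  { DNT: '1', Cookie: 'consent=accept' },
  {},
];
for (const headers of samples) {
  const d = decideConsent(headers);
  console.log(JSON.stringify(headers), '->', d.track, d.ui, '(' + d.reason + ')');
}
```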


It's up to your user agent what it displays and which cookies to store. It's the user agent that needs to change to stop bugging you. That's what Brave are doing.


My point is that Brave shouldn't have to do this.


> I think they do care, but with limited means they cannot tackle the whole problem at once.

That always seems like such a cop out. Ooohhh, I'm government, I'm so poor I can't enforce the law! Maybe let regular people help. If every time I found a web site that didn't follow cookie rules or GDPR or whatever, I could one-click sue them and get $1,000 or so, I would probably quit my job and just browse the web all day. There are so many naughty sites that count on toothless enforcement, people could make a fortune AND the law would get enforced.


Luckily for us, in this age of centralized internet, you only need to hit with fines a couple of cookie dialog providers and you are set.


OneTrust, who seems to do a sizeable fraction, get it right on their own website. I have never seen a OneTrust dialog elsewhere have equal prominence given to the reject and accept pathways.


Nope. Apparently selling nonconformant GDPR-compliance services is not against the law, only buying them is? Which makes some sense, but in any case OneTrust still sell dark-pattern banners to (at least) hundreds of websites even after a sizeable batch of them has been ruled illegal[1].

[1] https://noyb.eu/en/226-complaints-lodged-against-deceptive-c...


Scummy as that is, I don't think that providing the banners should be illegal, as otherwise it's a hop and a step to "providing software that can be used illegally is in itself illegal". Which makes text editors illegal without "safeguards" baked in.

However, if OneTrust are selling the software under the promise that if the customers configure it that way, then it's compliant, then that's some kind of misrepresentation (which is illegal, software or not). Just as if I sell a USB flash drive as an anti-5G-field dongle, that's illegal, but it's not illegal to just sell the flash drive.


> pop a quick non modal notification saying "we want to track you but we won't because you said not to. Click here if you want to change that"

That's the same thing as a cookie banner. I don't care what the words say; don't show it to me at all.


- non modal

- don't require action or decision on you

- can be put at the bottom right on the corner

- don't prevent accessing the main content

It's the same thing as a cookie banner in the way a HN comment and a double blind study are the same thing.


You’re describing the annoying cookie banners on half the sites I visit, including stack overflow.

This solves nothing.


I think you underestimate how much of the world loathes that cookie law that applies itself across borders.


The option for the company is between the "more money" and "less money" option. There is a general sense in which the average individual benefits from the "more money" option; websites are better funded, they can provide better services, etc. There is also an incredibly minor way that they are worse off, in that some of their data (consisting of a field that says when they viewed certain news articles) might show up in a data leak in the future. But when you put it as "do you want to be tracked", of course it sounds bad, so all else being equal most people will say "no".

The "informed consent" framing of this issue is quite ridiculous. When someone is asked to pay for an item at the store, we don't say that they should also have the choice to take the item for free, and only pay for it if they want to. We recognize that, individually, most people would rather pay less, but that we collectively benefit when businesses are profitable. The situation with cookies is even worse, because unlike with money, most people have no idea what a website even uses their data for.

The EU trying to rewrite the issue as concerning "consent" is thus idiotic, and inevitably led to the cookie banner issue. If you think tracking is bad, then ban it, and let websites figure out how to target ads and improve their product without it. If you recognize tracking as overall beneficial, then permit it, and throw out this charade of informed consent. The EU can't make this decision themselves, so they expect every single individual to make this decision for themselves, every time they visit a website. This despite the average individual having no idea what their data is even being used for.

The issue is existential for websites, since it concerns their ability to remain profitable. As such, the website that stays in business longest is the one that can coax the most people to hand over their data. It is entirely inevitable that websites would go up to and beyond the letter of the law in pursuing this.


That’s an extremely obtuse justification for immoral behavior.

Consumers are informed, and they say “no” when given the choice. Respect their “no”.

Tracking builds a massive, exploitative, dangerous information asymmetry. You claim the cost to consumers is small; the aggregate cost is very clearly not small.

This should be an existential issue for websites, and it should force the closure of websites that can only exist through exploitative abuse of consumers.

The cookie banners exist because of bad actors on the web who have become too dependent on abusing users’ data. The problem is with them, and their use of dark patterns to purposefully confuse and mislead consumers.


> Consumers are informed, and they say “no” when given the choice.

That's the point. If your position is that consumers don't want tracking and that it's harmful on balance, then just ban it altogether rather than incentivizing sites to use dark patterns to trick users into "agreeing".


GDPR literally bans tracking without informed user consent. Hiding that content behind dark patterns is not providing user with information.

But sure. Do tell me how it's the law that is the problem, and not the greedy leeches that present these dark patterns.

Don't worry though. A ban on dark patterns isn't far away. Once it's in effect I guess you'll blame the law for something else.


>Consumers are informed

No, they are not. They have no clue what they are not consenting to.

>the aggregate cost is very clearly not small.

$0 is small.


> The issue is existential for websites, since it concerns their ability to remain profitable. As such, the website that stays in business longest is the one that can coax the most people to hand over their data. It is entirely inevitable that websites would go up to and beyond the letter of the law in pursuing this.

Exactly right. It reminds me of the Wells Fargo scandal where branch managers were given unattainable quotas and resorted to fraud to meet them. Incentives matter.


"Ads only work if they have intrusive tracking" is presented by you and others as a fact. It's not.


>This tracking is not benefiting us.

Well unless you don't consider free access to video streaming (YouTube) or free access to news a benefit.

My honest opinion on all this has always been that the majority of people, if properly explained to that 'tracking' is never even viewed by a human, and even if it was, you're identified as user 563758, would consider this a fair trade.

People largely think you can remove the tracking and access all the same content for free. But when the ads pay 90% less, it becomes much more difficult for the free content to survive.


If you think a human never sees your information, you're sadly ill informed, I know 563758 lives in Ottawa, the porn he searches for and that he's a vegan who is into electronic music from the 70s. These profiles are incredibly detailed, and available to every average advertiser.

These banners start with "your privacy is important to us", but they omit the next part of the phrase, but we'd like you to allow our partners to invade it.

The banners are there because the process is so abusive they need your consent to make 90% more.


>The banners are there because the process is so abusive they need your consent to make 90% more.

The banners are there because if you take away 90% of their revenue, they cease to exist. Imagine your salary reduced by 90% tomorrow unless you beg your boss daily for your full pay.

>If you think a human never sees your information, you're sadly ill informed

Are you under the impression ads are manually targeted? The only time someone at Google has ever laid eyes on your profile would be if somehow your profile bugged out and caused something to crash. And even if they did look at a single user's data, it would be meaningless without having the name attached. And even if the name was attached, it'd still be meaningless, because there's 300 million people in the US alone.

You have to strawman the absolutely perfect situation for it to even remotely matter.


> The banners are there because if you take away 90% of their revenue, they cease to exist.

I accept these conditions


You went to the website for some purpose, no? So you'd rather not have gone to the website at all? So why did you attempt to visit the website in the first place?

It's just so irresponsible to take extremes like this, ignoring the amount of information and entertainment available on the internet.


In my experience, the number of ads, cookie banner shenanigans, and embedded Twitch streams is inversely correlated with the usefulness and quality of the website. Maybe if all of these websites went away, I could actually find useful information or entertainment on Google.


An internet maturing over twenty years full of hobbyist bloggers and forums rather than megacorp media and affiliate review sites is a world I’d be curious to experience.


Yes, I'd rather go to the ad-free website that they displaced (or at least out-SEO'd).


Look at the cookie consent page of any news article you read - your article is worth often 100+ people sharing my data. It's not, it's just not.

Do you know how many people get access to my search data? One. But your news article is worth 100x. How many get access to my streaming preferences? One. But your news article needs to violate my privacy 100x more.

Your arguments are sound in an imaginary world where six seconds of attention is worth being followed around for years. No.


Advertising does not require tracking. Remember over the air television and all its free news broadcasts.


Just look at Google. They became big by ads on the search site. Analysing the intent, not the history. If I search for a pen I want to buy a pen, thus an ad for buying a pen might be effective. If I bought a pen a day ago it is unlikely I am interested in pens for next few weeks. Look at the context of where the ad appears and match that.

To some degree that is how ads worked in print: In a magazine about horseback riding you will find ads about riding equipment, as readers are into that while reading.


"If I bought a pen a day ago it is unlikely I am interested in pens for next few weeks"

And yet whenever I buy anything online I'm inundated with ads for said item. In fact I almost wish there were an officially sanctioned/ standardised way of updating your status as a tracked user on various products you might be interested in or have in fact now purchased with no need to buy another soon. As it is I still see ads for baby formula on YouTube despite having had no need to purchase it for over 16 years (and I honestly would expect Google should know that about me, though when I ask Google Assist how old my children are it refuses to tell me...)


Google ad became big, television and newspapers advertisement became small. The reasons were very obvious.

Google don't need to follow local law and regulations.

Google don't need to employ people to verify content or take legal responsibility.

Google can track users and thus categorize users in much more fine details than television and newspapers ever could. A magazine about horseback riding might have a vague idea about who their readers are, but Google can find out that a pregnant teenage girl has yet to tell her parents.


I think the biggest difference is simply a reduction in the relative amount of time watching TV. People see Google’s Ads at work, at home, and while waiting at line looking at their cellphones.


Google bought DoubleClick early on which is definitely ad tracking and not intent. It's important to remember the full history.


Google launched in 1998 and didn’t buy DoubleClick until 2008 when they could afford to spend 3.1 billion on it. So that was hardly an early purchase or required for extreme profitability.


Oh, I remember. They sucked! Both the ads and the news they funded.


Feel free to link to all these advertising supported websites better than Seinfeld. I could use a good laugh.

News was hit or miss. They did a lot of serious investigative reporting, but newspapers were simply a better medium for personalized in depth coverage.


If I had to choose between network television and YouTube, I would choose YouTube every day of the week and twice on Sunday. I mean, I enjoy Seinfeld too, but on the whole YouTube is both more entertaining and vastly more useful and educational than network television. Not because the content has the highest production values, but because the content matches my interests and needs. That's the true power of targeted advertising. It allows creators to focus on niches that can't be served by content produced for a mass audience. Even large 'niches' get dumbed down to the lowest common denominator for network television.

Case in point: Here's Jay Leno interviewing Elon Musk about SpaceX Starship for network television [1] vs YouTuber Tim Dodd [2]. Leno's program is fine for people who don't follow space. For my niche Dodd is vastly better, but he can't draw a wide enough audience to make money on non-targeted ads like Leno can.

And the thing is, everyone has their niches. There is no large population of people out there who are average in every way and need the network television version of everything. The average person doesn't exist.

[1] Leno: https://www.youtube.com/watch?v=wluBlr1j4qk

[2] Dodd: https://www.youtube.com/watch?v=t705r8ICkRw


Dodd got 6 million people watching a 1 hour segment. That's valuable even without advertising targeting beyond estimates of viewership based on content.

Now, you can quibble about how much targeting increases revenue but the funny thing about total advertising is it’s fairly consistent through time. Tracking failed to significantly increase worldwide advertising spend, it only redirects it.


6 million views (a view only requires 30 seconds of watch time, not the full hour) over a period of 14 months, for the most viewed video ever on his channel. If he could draw that for every video, maybe he could come close to competing with Leno. But he can't. I mean, looking at YouTube numbers alone, Leno's show's most viewed video has 34 million views. And of course the vast majority of his viewership and revenue is elsewhere.

Dodd simply couldn't have a network television show with this kind of content. It wouldn't come close to making sense. If he did a network television show it would have to be a lot different, almost certainly in a direction that would make it less interesting for me personally.

My argument has nothing to do with global ad spend, that's a red herring. The key is how those ad dollars get distributed. Targeted advertising makes niche content viable in a way that non-targeted advertising can't match.


You can have non targeted advertising on niche content. In fact YouTube will display advertising to any user even those it knows nothing about.

The only difference is relative pricing, but again the global population and global advertising spend doesn’t depend on tracking so if it was banned little would actually change.


> global advertising spend doesn’t depend on tracking so if it was banned little would actually change

> The only difference is relative pricing

... the relative pricing difference is the whole difference I'm talking about. Without targeted advertising niche content makes less money, general audience content makes more. So you agree with me that this is true. Then you say that this is a small change. I say it has enormous effects on the content that gets produced. Honestly, this is transparently obvious.


It’s not that simple. Tracking doesn’t universally increase spend to all niche content, it reduces spend to some niche content and increases it to other niche content. So there would be some changes to which niche content is created but it’s not going away.

Just look at how much YouTube content is sponsored via an Ad inside the video. That isn’t tied to your personal history.


Certainly I wouldn't say that every single niche benefits from targeted advertising without exception. There are exceptions to every rule. But the vast, overwhelming majority of niche content would be worse off without targeted advertising, and this would overall have a strongly negative effect on the diversity of content produced.


Ok that I disagree with, if anything niche content in a world without tracking should attract a higher percentage of advertising.

If I manufacture say jigsaw puzzles and I can’t target individuals then I want to link to show up on a YouTuber with puzzle related content. But with tracking I shouldn’t care about the video's content as much and should be happy to show up on cat videos as long as tracking supports the association. That same logic would seemingly extend to any activity with associated products which is basically everything.

On the other hand soda manufacturers are presumably less picky and could advertise on both.


Advertising soda is always worth it without targeting. But advertising jigsaw puzzles might not be. That jigsaw marketing money goes elsewhere, not YouTube, and YouTube jigsaw people don't have a lot of ads for their videos, because nobody else is choosing to specifically advertise on jigsaw videos. Maybe even if jigsaw people do advertise, they don't have a ton of money to spend on ads, so jigsaw content is still hurting. But with targeting, there are effective ads on every video, and content matters more than ad spend targeted at your niche. People choose the content they like by watching it, instead of advertisers choosing the content they like by steering their spending. Because there are far more people than there are advertisers, this promotes more diverse content.

We could continue to make up just-so stories about the effects of targeting on niche content. But I doubt we would convince each other. Is there any research on this topic?


Do you actually find that reasoning convincing or are you just trying to make a point?


Advertising with tracking barely covers costs, imagine without it.


Competitive markets reach equilibrium. With or without tracking it’s going to barely cover costs because otherwise more people enter the market due to minimal barriers to entry.


Sometimes equilibrium is 0.


We had ad supported websites well before tracking, so that seems like a non sequitur.


I think that means that advertising is not going to save content, and people will have to think of alternative revenue streams, because revenue from advertising is only going to go down.


Advertising without tracking would arguably cost less. Even if it makes less, it's not clear that the margin would be worse or non-viable.


Let us test that theory.

Imagine that I went to a hospital and asked to get a copy of all the patients records. The contract I sign will say that no record should ever be viewed by a human, and if any human did read a record, patients would be identified by patient ID like 563758. In return patients would get services worth ~50 cent.

How many patients would consider this a fair trade?

In addition, drugs would get targeted advertisement, and the funds for advertisements would be raised through the profits of said drugs (ie, patients would be paying for it, by an average of $1 more per patient). Still, patients would get free services that costs the advertisement network ~50 cent per patient.


This is a fair point. If you don't want to be intrusively tracked, you should not expect "free" services.

However, IMHO the answer here is to find a different model for funding online software/services. Letting advertising firms run the internet does not really seem to be taking software in a user/consumer-friendly direction.


Plenty of services were free prior to commercialization of the web because they generated non-monetary value (community, knowledge, etc.). Plenty of creators and artists also make money directly via donations (Patreon, etc.). I'm not sure we need the existing ad model for either free content or to make money on the internet.


"Ads only work if they have intrusive tracking" is presented by you and others as fact. It's not.


> reveal who are the bad players.

This is one of the reasons I don't use a cookie banner blocker. I would rather close the page upon seeing one, or circumventing it manually using uBlock Origin's element zapper.

Generally, I think these discussions are poisoned by disingenuous web developers who pretend to be extremely annoyed by the banners as users, but really they're annoyed at the banners as website operators. They are the aforementioned 'bad players' who feel outed and targeted by the EU's regulations. Why are supposed user complaints about cookie banners so prevalent on this site, but virtually unheard of in 'normie' spheres of discussion?


I recently came across a cookie banner in real life that reminded me of that game. I'm still not sure whether I successfully refused cookies.

https://soccerwhizz.com/if-i-speak-i-am-in-big-trouble-meani...


"In fact, some banners are crafted to make rejection the hardest path for this very reason."

Some? I don't think I've seen a single banner where "accept only necessary cookies" was an obvious/upfront choice.


I remember that Medium (yes, the one that is now notorious about paywall) used to have a banner to that wording when I set DNT in my browser to "On". This [1] shows how it actually appeared at that point. Medium also has an FAQ about its DNT at [2].

[1] https://www.eff.org/deeplinks/2017/10/do-not-track-implement...

[2] https://help.medium.com/hc/en-us/articles/213690167-Medium-s...


> Because the vast majority of people would not consent.

Many people would click No when asked "Can we track you?". Yet, fewer people would click No when asked "Can we show you ads that are closely related to your interests?". Likely even more people would agree with "Are you willing to share some data so we can improve our product?". And maybe most people would actually be ok with websites including Google Fonts [1].

Of course, when too many people agree with the proposition, then the question must be legally mandated to be more scary.

The truth is that "people" are fundamentally not on the side of the privacy advocates. This is the whole reason for the GDPR. People are perfectly happy to share their data in exchange for using those services. Fundamentally, GDPR advocates are claiming that people just don't get it, and should not be allowed to make this choice. Which is why websites are not allowed to make their service conditioned on consent to tracking.

> So if I have DNT=1 set in my browser, pop a quick non modal notification saying "we want to track you but we won't because you said not to. Click here if you want to change that". Solved.

This is still an annoying banner somewhere. Please no.

[1] https://www.theregister.com/2022/01/31/website_fine_google_f...


"can we track you" is not a scary proposition, this is the only objective fact.

"Can we show you ads that are closely related to your interests" and "Are you willing to share some data so we can improve our product?" are not facts, they are excuses like "fight terrorist" and "protect the children". And not as good, because nobody would object to protecting children while some people do for the former.

The reality is rather "can we get enough data so we can manipulate you better in order to make more money?", "can we create a knowledge graph powerful enough to kill all our competition and influence democracy in our favor?" and "can we follow you everywhere to prey on you once we know enough to find a way in your life?"

You think those sentences don't reflect reality? I think they are as realistic as yours.

So the law finds a middle ground and uses facts: "do you accept tracking?". Simple. Objective.

> This is still an annoying banner somewhere.

A non modal notification, just like stated in the original comment, is not a banner. It can be safely ignored, doesn't prevent you from getting to the content, nor require you to act or take a decision to progress.

I mean, you just stated that tons of people are ready to accept obnoxious interruptions in the form of ads that benefit corporations, and you think a small notification on the bottom right on the screen to benefit the consumer is unacceptable?

I'm answering your comment for the sake of other readers, but given how much bad faith I felt in it, I'm expecting any answer would be of the same caliber and will just ignore them.


> The reality is rather "can we get enough data so we can manipulate you better in order to make more money?", "can we create a knowledge graph powerful enough to kill all our competition and influence democracy in our favor?" and "can we follow you everywhere to prey on you once we know enough to find a way in your life?"

Sometimes people just want to know which buttons users click because, yes, (gasp) it helps their business (the one that is employing people).

> I mean, you just stated that tons of people are ready to accept obnoxious interruptions in the form of ads that benefit corporations,

There aren't any fewer ads. We now have the same amount of ads + 3 privacy popups on every page you visit. I don't want any popups. EU regulation / the GDPR is clearly to blame for the popup. Supporters have to take responsibility for the internet experience they have wrought. Complaining about "bad actors" is an excuse. This is our reality today. It's because of these rules. Own it up.


In the vast majority of cases I reject analytics and telemetry not because I don't want the company knowing which buttons perform better, it's because I don't want some third-party scum like Google Analytics to know that.

Analytics can be done in a privacy-friendly way, but the vast majority of them aren't, and as a user there's no way to know whether that's the case, so the default "safe" option is to reject.

Also, it's not the GDPR that's to blame for the popups, it's the non-enforcement of it. GDPR explicitly outlaws annoying consent flows - here's the guidelines one of the regulators suggests, which 90% of implementations out there don't comply with: https://ico.org.uk/for-organisations/guide-to-data-protectio....


> Also, it's not the GDPR that's to blame for the popups, it's the non-enforcement of it.

A distinction without a difference. This is the result of the law. If you think this can be improved by better enforcement, maybe the EU should give this a try. But this comes in a package. You can't pass a law and then say, "sure we ruined the internet, but it's just because the law is scary enough that companies add terrible popups, but not scary enough to make them actually compliant."

Also, to be clear, I personally don't care about dark patterns in those consent popups. I click whatever is the biggest button (like lots of people), the one that hopefully gets me the quickest to the content I want to see. The popup itself is the annoying thing. Because it appears on every. single. link you click.


96% of users opted out on iOS. Prompt engineering can only reduce that number so much.


> Which is why websites are not allowed to make their service conditioned on consent to tracking

Is that clear yet? Because most bigger newspapers in Germany do exactly that, try Spiegel.de


I wouldn't be surprised if German data protection agencies give news "publishers" more leeway given that they seem to be extremely influential in other domains of digital law in Germany.

But yeah, it's debatable whether "my business model depends on showing you ads from services that harvest your data via those ads" is a legitimate interest. If it is, that sets a bad precedent IMO.


FWIW, many of the data protection agencies are nowhere near as corrupt as other places. But those things tend to require court decisions.


> So the banner is just the most annoying way that is legally allowed to try to get people to force-accept tracking. In fact, some banner are crafted to make rejection the hardest path for this very reason.

Just FYI, a banner that tries to skew a choice by using pre-ticked checkboxes, making one option more prominent than the other or making it more difficult to decline than to accept is not "legally allowed". It's merely tolerated because nobody gives a shit about enforcing the GDPR, but it's not actually compliant with the regulation in any way.


This is the problem with mixing law with tech: the requirement should not have been with the websites, but each browser should have come with the capability of auto-destroying cookies and also making cookies isolated.


That would just make it a race between fingerprinting and fingerprinting resistance tech. The point is to prevent tracking without purpose / permission regardless of the technology used.


The race is already here, just look at all the extensions one has to use just to get some usability out of the web. There's no security panacea, just an endless game of whack-a-mole


>Those corps chose to make the web terrible a little bit more every day: tracking

Tracking can make sites better because it gives them data to improve the site.


You don't need tracking to find out that the million layers of javascript make the thing too slow to be useable.


Firefox also plans to have built-in support for auto-rejecting cookies when there is a consent banner. See https://bugzilla.mozilla.org/show_bug.cgi?id=1783015. From my understanding, this should be similar to Consent-O-Matic. It will be available on both desktop and mobile versions. This was recently enabled by default in Nightly (but I don't use Nightly).


I want to use your comment to outline a broader criticism of what Brave is about nowadays. In this case, it should be obvious that even Firefox is more innovative than Brave - Firefox plans to auto-reject based on intelligent patterns. This should, if done right, take care of almost all cookie prompts, especially if they also add a filterlist.

Brave has been in the business of blocking ads for a long time. Surprisingly it took them years to come up with cookie banner blocking, even though all they do is include a list maintained for free by easylist maintainers. This could have been implemented already 2 years ago without much effort.

What's going on at Brave? Is everyone busy with crypto-stuff?

Brave should work on detecting cookie-banners, even if they are not blocked by some list.

The Brave Browser looks like they abandoned many important things because they are focusing on crypto - the UI is very basic, the customization is not better than Chrome, and due to the addition of many optional features, some users have reported the browser slowing down significantly. Maybe they should offer different installers for different audiences.

People have asked about new-tab page customization for a long time. People have asked to have the uBO-functionality ported to the built-in Brave Shields, including cosmetic filtering, and granular control. People have asked for Brave to not activate the new-tab background sponsored images by default, which is in conflict with their user-first ideology. The VPN ad for guardianapp on iOS is too prominent and shows that they try to push it to increase revenue.

If Brendan Eich is worried about ROI, he should start putting contextual ads on his search engine, instead of focusing on in-browser ads.


I can give some context here (I work on Brave's adblock engine).

> Brave has been in the business of blocking ads for a long time. Surprisingly it took them years to come up with cookie banner blocking, even though all they do is include a list maintained for free by easylist maintainers.

Brave has been sponsoring Fanboy's work as an Easylist maintainer since early 2019 via an employment contract. This "list maintained for free" you're talking about was originally "Fanboy's Cookie List" and was promoted into Easylist as of November 2019 [1].

> This could have been implemented already 2 years ago without much effort.

Indeed, it was available through the brave://adblock settings menu 2 years ago. Building a new filter list is really difficult though - not only do you have to cover enough websites for it to be useful, but you have to make sure that important functionality doesn't break when it's applied. Multiply that by approximately every website on the internet and you'll have some idea of how difficult it is.

The list is finally comprehensive enough to be rolled out to a much wider audience - which is exactly what we're doing.

> People have asked to have the uBO-functionality ported to the built-in Brave Shields, including cosmetic filtering, and granular control.

Not sure what you are referring to here, but we do have cosmetic filtering and the ability to add custom filters or subscribe to anyone else's list with auto-updates. Procedural filtering is the main missing feature, but I'm actively working on that.

[1]: https://github.com/easylist/easylist/commit/f479000932294df0...


> you have to make sure that important functionality doesn't break when it's applied.

This feels unnecessarily conservative for a browser trying to achieve literally any market share; nobody's got only Brave installed and those who have it at all are those most likely to understand if a site is broken because of its blocking measures.

If Brave isn't going to be the one to push privacy features over compatibility, who is? I mean, you didn't name it "Caution".


We generally try to expose these kinds of things for the more technical users who are interested in finding them - again, the cookie list has been available in brave://adblock for years now, we have "aggressive" blocking mode, "strict" fingerprinting protection mode, etc. But ultimately we want to change the standards of privacy on the web for everyone, not just those who can tolerate frequent breakage (or those who will switch to a less private browser when something isn't working).

Honestly, building any browser software that relies on filter lists takes some appetite for risk. By definition, the lists are reactive and so there's always going to be a gap in compatibility in sites which have updated recently enough.


I'm not sure why you think firefox solution is better (it seems worse) nor why you think highly of firefox in this case, or at least higher than brave.


Firefox at least develops their own browser engine.


How is this relevant to the topic at hand?


They're asking why people think highly of Firefox when compared to Brave, I'm giving them an answer.


> "nor why you think highly of firefox in this case"

Emphasis added. They're asking in the context of cookie banner blocking. You didn't answer the question rat asked.


Oh, I thought they were already aware that Firefox had cookie banner blocking too. My bad.


>plans to auto-reject based on intelligent patterns

Not sure what you mean with that. Checking the code[0], it apparently uses a rules list (can be found in [1]) to function on a site-by-site basis. This is the same approach utilized by the popular "I don't care about cookies" add-on.

[0]: https://searchfox.org/mozilla-central/source/toolkit/compone...

[1]: https://github.com/mozilla/cookie-banner-rules-list


> In this case, it should be obvious that even Firefox is more innovative than Brave - Firefox plans to auto-reject based on intelligent patterns.

Was Firefox's plan publicly documented before Brave's feature was publicly announced? I heard about them in the opposite order; Brave first. It seems to me that Firefox is reacting, not innovating.

FWIW since these conversations are often tribal, I use Firefox.


I see haters in the surrounding replies and agree on tribal aspect, so to defuse that, I'll say Firefox is doing something interesting and different from what we're shipping. It is worth having browsers try different approaches, no matter who is "first" (Brave likely will be, for stable release channel distribution).

It seems Firefox’s cookie consent blocker automates clicking Reject after letting consent-management-provider(CMP)-scripts load.

https://searchfox.org/mozilla-central/source/toolkit/compone... (shared above already)

It looks like the code also injects opt-out cookies too, may sometimes do both click and cookie injection. Session cookie, so has to inject recurrently.

The Brave approach blocks the CMP scripts that pose these bono-consent dialogs in the first place. One reason we favor this approach beyond simplicity: many consent frameworks, besides being found illegal already in EU courts (going to top court soon), do dark deeds: extort from publishers, lie to and track users no matter what the user clicks. See

https://twitter.com/nataliabielova/status/157038509625910886...


I'm increasingly encountering banners that (a) get past my banner-blocker, and (b) pop up a sequence of different banners; i.e. I dismiss the first banner (accept, reject, doesn't matter because I use cookie controls); and another one pops up - sometimes waiting for me to scroll 10% or so of the way through the article before it appears.

I think they believe that "human interaction" (like a click) somehow gets them around browser protections. I think they are wrong, at least as far as my browser (Firefox) is concerned.


It's an arms race, it has always been. Companies will continue squeezing as hard as is legally allowed, browser extensions will be effective until they gain adoption and get actively countered.

Legislation seems somewhat effective, but many websites purposefully won't adjust to comply, just to see if the law will actually be enforced.

Cookies and JavaScript were a mistake.


Some of the worst offenders are mainstream news sites.

They know that most of their website readers haven't paid; I'm sure there are managers who want to extract money from those web visitors. But monetizing web-visitors promises diminishing returns - the harder you try to force visitors to cough up, the more they'll stay away from your site.

If I see an interesting-looking link from washpo, for example, I'll usually walk by, and find the story elsewhere, rather than paste it into archive.ph. I'm simply not going to subscribe to every site that asks me to; I visit about 30 sites a day. I'm a pensioner, and I'd go broke.

I understand the "cookies and javascript were a mistake" posture; mostly they're useless to me. There is a handful of sites that are useful, but are completely dependent on Javascript. And anywhere that you have to login to, you need something equivalent to cookies (like, my bank).

I block ads because - well, I don't consume food that I picked up off the footway. They run scripts in iFrames, they auto-run videos, they try to set cookies, I don't know what they do. I don't know where the site sourced its ads. Perhaps they want to use my computing equipment to mine bitcoin for them, or try to actually take over my network.

Ad-blockers work fine (unless they have a pay-to-play whitelist). Cookie management is more problematic, because (a) the variety of different kinds of cookies, (b) the fact that most users don't really understand the different ways cookies are used, and (c) the lack of clarity and granularity in cookie controls. Users can't exercise informed consent unless they can understand the information.


Note that, at least in theory, tracking banners should be about any kind of tracking, not just cookies. That means that you choosing Reject on the banner should disable tracking pixels, facebook Like buttons etc - not just cookies.


Most importantly, it should not "disable" them; they should never be enabled (or even loaded) in the first place, and only explicit, opt-in consent should load them.

The vast majority of "consent management platforms" fail at this even if they otherwise appear to be compliant (no dark patterns, etc).

The CMP should essentially be the one managing the tracking libraries after correct consent has been collected, yet most websites still embed tracking libraries directly or using something like Google Tag Manager (which itself is a tracker and would require explicit consent).
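The load-only-after-opt-in behaviour described in the comment above, as an added example that is not part of the thread and not any real CMP's code. `ConsentGate`, the purpose names and the `*.example` URLs are hypothetical, and treating DNT/GPC as a standing refusal is an assumption about how the site chooses to honour those signals.

```javascript
// Added illustration; every name here is hypothetical.
// Tags are registered as loaders and run only after an explicit opt-in for
// their purpose. Nothing is pre-ticked and nothing loads "until rejected".
const STRICTLY_NECESSARY = 'strictly-necessary';

class ConsentGate {
  // signals: browser-level preferences; in a page these would come from
  //          navigator.doNotTrack and navigator.globalPrivacyControl.
  // stored:  explicit per-purpose choices saved from an earlier visit.
  constructor({ signals = {}, stored = {} } = {}) {
    this.browserRefused = signals.dnt === '1' || signals.gpc === true;
    this.decisions = new Map(); // purpose -> true/false, explicit choices only
    this.pending = new Map();   // purpose -> [{ name, loader }]
    this.loaded = [];           // names of tags that actually ran
    for (const [purpose, granted] of Object.entries(stored)) {
      if (typeof granted === 'boolean') this.decisions.set(purpose, granted);
    }
  }

  // The loader is the only code allowed to touch the network (inject a
  // <script>, fire a pixel, render an embed). Returns true if it ran now.
  register(name, purpose, loader) {
    if (purpose === STRICTLY_NECESSARY || this.decisions.get(purpose) === true) {
      this._run(name, loader);
      return true;
    }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push({ name, loader });
    return false;
  }

  // Record an explicit choice for one purpose; returns the tags it loaded.
  // A later refusal cannot unload a tag that already ran; it only stops
  // further tags for that purpose from loading.
  decide(purpose, granted) {
    this.decisions.set(purpose, granted === true);
    if (granted !== true) return [];
    const queue = this.pending.get(purpose) || [];
    this.pending.delete(purpose);
    queue.forEach(({ name, loader }) => this._run(name, loader));
    return queue.map((entry) => entry.name);
  }

  // Refusing everything is a single call, exactly as easy as accepting.
  rejectAll() { this._purposes().forEach((p) => this.decide(p, false)); }
  acceptAll() { return this._purposes().flatMap((p) => this.decide(p, true)); }

  // No prompt when the browser already said no, or when every registered
  // purpose has an explicit answer. Undecided purposes simply stay unloaded.
  needsPrompt() {
    if (this.browserRefused) return false;
    return [...this.pending.keys()].some((p) => !this.decisions.has(p));
  }

  export() { return Object.fromEntries(this.decisions); }

  _purposes() {
    return [...new Set([...this.pending.keys(), ...this.decisions.keys()])];
  }

  _run(name, loader) {
    loader();
    this.loaded.push(name);
  }
}

// Constructed page: one first-party session cookie and two third-party tags.
// `requests` stands in for network activity so the result can be inspected.
function simulateVisit(signals, userAction) {
  const requests = [];
  const gate = new ConsentGate({ signals });
  gate.register('session-cookie', STRICTLY_NECESSARY,
    () => requests.push('set first-party session cookie'));
  gate.register('analytics', 'analytics',
    () => requests.push('GET https://analytics.example/collect.js'));
  gate.register('social-embed', 'marketing',
    () => requests.push('GET https://social.example/like.js'));
  const prompted = gate.needsPrompt();
  if (prompted && userAction) userAction(gate);
  return { prompted, requests, loaded: gate.loaded, saved: gate.export() };
}

console.log(simulateVisit({}, null));                        // banner ignored
console.log(simulateVisit({ dnt: '1' }, (g) => g.acceptAll())); // never prompted
console.log(simulateVisit({}, (g) => g.decide('analytics', true)));
```

Ignoring the banner, refusing, and sending DNT/GPC all produce the same network activity: only the strictly necessary loader runs.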


It's the modern version of ad-blockers, which was the modern version of anti-virus.

It's always an arms race between the assholes and everyone else.


Highly OT, but is there any glaring difference between FF Dev edition and the stable version? AFAIK, all the devtool features are same in both the versions and I did not find any glaring difference as such.


Dev edition is the same as beta, except occasionally (not often, as far as I can tell) some features in development are enabled slightly earlier. In other words: it's beta but with different branding.


Dev edition also makes it easier to run both Firefox stable and a non-stable install since they default to separate profile folders.


Will Firefox also apply that same auto-rejecting logic to their own telemetry?


Ugh, I hate these banners.

The web browser should control the consent. Like how it worked in IE5 before everyone realized asking was super annoying and just assumed yes.

It makes no sense for a web site to collect state to know if it's allowed to collect state.


There is a misunderstanding about GDPR and cookie consent that many people have.

Using cookies to track state on a website, that is only used for that website, is fine. You don't need to ask for consent. That is how a site tracks things like whether you are logged in.


Also inversely, there are non cookie things which do need consent, like server side fingerprinting, which is why the "just turn off cookies in your browser" suggestion here and from some noncompliant sites doesn't cut it


Even different usages of the same data can require consent.

Logging & storing IP addresses in logs for a reasonable period of time for debugging or abuse prevention is fine and doesn't require consent (falls under legitimate interest).

Querying those same logs for marketing, analytics or market research purposes would not be fine as this would require consent.


That's not correct: the ePrivacy directive doesn't distinguish between first and third party cookies but instead about whether the cookies are "strictly necessary for the delivery of a service requested by the user".


Yes. And login state or preferences are perfectly valid "functional uses" that don't require consent (but need to be spelled out in the privacy policy by most interpretations of the law).

The difference between first and third party cookies/embeds is only relevant when the third party may be collecting data (e.g. keeping access logs). This covers things like Google Fonts, Google Maps and social media embeds all of which should be opt-in and have fallback options (like an external link to the otherwise embedded post or map).


GDPR supersedes ePrivacy.


No, the in-proposal ePrivacy Regulation supersedes the in-effect ePrivacy Directive.

GDPR overlaps (or rather, mandates a specific implementation of) only a small portion of the ePD. Most of the ePD is still open for implementation and most of the GDPR does not overlap with it.


That's not correct. Both are in effect simultaneously, and they each restrict different behaviors. Very roughly: ePrivacy restricts sites' use of client-side storage, the GDPR restricts their use of personal information.


>Using cookies to track state on a website, that is only used for that website, is fine. You don't need to ask for consent. That is how a site tracks things like whether you are logged in.

They are called 1st party cookies and they are required like you said in order for a website to work but 3rd party cookies are intrusive and invasive.


The 1st vs. 3rd party distinction is not legally relevant; what matters is what any personal data is used for, regardless of its technical implementation. A first-party tracking cookie is not allowed without consent; a third-party OAuth cookie may be (if most common OAuth providers weren't also massive trackers...).


They were speaking about login session cookies; that is what I was referring to. I don't know what the legal status of session cookies is, but they are required in order for a website to track if you are logged in or not; otherwise you would need to log in constantly.

But I get your point, purpose of a cookie is important.


I think two things get mixed up (not by you)... a lot of sites, especially American ones, only started showing any kind of notice/request for consent once GDPR came in. But there was another wave before that, which everyone called the "cookie law" but which is apparently the ePrivacy Directive.

A couple of interesting bits from https://www.privacypolicies.com/blog/eu-cookie-law/

"On the other hand, providing your customers with a customized user experience or tailored product suggestions is not a requirement for an online store, and cookies that enable these features do not fall under the "strictly necessary" category. You'll need to get consent before you use them."

"Depending on your country's interpretation of the law, you may only need to get a user's "implied consent." Rather than forcing every user to click "accept" ... you can instead display a short message informing them that cookies are being used, typically through a header bar or some other non-obstructive method. After a predefined period of time ... the announcement can disappear."

I think what happened is that a lot of sites went for non-compliance or implied consent until the GDPR came in requiring proper consent for most cookies and harsher penalties (?) and everyone went from 0 to 100. But people were complaining about & blocking even the implied consent banners when they first came in. Now everyone thinks the GDPR is about cookies but it's really about tracking.


> typically through a header bar or some other non-obstructive method.

Those are obstructive too. Just respect my DNT header; if you don't want to serve me the page after seeing what my preference is, don't show me the page, and I won't read it. I know when I'm not wanted. There are plenty more sites on the web.


Additionally the ePrivacy law was revised to e.g. mandate that if an "accept all" button is present it can not be given more visual weight than a "deny all and continue" button. Most (especially American) sites are currently in violation of this requirement as they try to get away with making it annoying to not opt-in to everything.


What about a web RUM system or a JavaScript error logger that track groups by seasons? Or let’s say you’re testing a new feature with an AB test platform and the cookies are used to store bucket information?


Increased discontent with cookies is a direct result of annoying people with these banners. Do it long enough and radically enough and the backlash will grow to severe.


That's exactly the industry's playbook. Here on HN you see so many people complaining about the law, and not the greedy leeches that circumvent it.

Also, GDPR isn't about cookies or browsers.


The term "tracking state" also includes all the invasive ad targeting stuff as well. It's all state.


Although Brave claims to be a privacy-preserving browser, like this article, I wonder about Brave's policy because some trackers are actually whitelisted and Brave News recommends sites that contain a lot of trackers and advertisements.


> Brave News recommends sites that contain a lot of trackers and advertisements.

From the website: "By using Brave’s new private CDN to deliver RSS feeds to the browser anonymously, there is no data trail available for third parties to collect or track. This makes Brave News a unique news reading experience when compared to other apps and platforms that track users’ reading activities. Nobody can track the content that Brave users are reading, including Brave itself."

As for 'recommending', I don't think they're recommending anything, they're just providing you with an RSS feed that's more private than any other alternative. Sure the news websites have ads and trackers but Brave will block those too + The feature is disabled by default anyway.

> because some trackers are actually whitelisted

I think this is a bit misleading to say. Developers from Brave have already cleared that they do not block everything as they want the web to be functional for all users; people who want to block everything can use the 'Aggressively block all trackers and ads' mode.

More here: https://news.ycombinator.com/item?id=19132192


Stopped reading this after being presented with a list of over 100 pre-selected "Legitimate Interest" no-ops. Including "Receive and use automatically-sent device characteristics for identification. Your device might be distinguished from other devices based on information it automatically sends, such as IP address or browser type."


I've counted up to 150 'legitimate interest' settings I've had to manually turn off one by one before I got to the end of the list. Obviously that's not something people are supposed to be able to actually do, even if I've done it a few times just for the heck of it (usually I just leave the site right away, unless it has a 'reject all' or similar - and many don't).


Why not have this in the browser options for any browser - always show banners, always hide them, auto reject, auto accept, white/black list based on rules etc - let your users pick the behaviour they want.


Probably because most people would choose 'Reject all' if given the option. The gameplay here is to hide cookie options in submenus that are different on every webpage so users get annoyed and choose 'Accept all'.


That’s why the relevant legislation usually requires the “Reject all” option to be as accessible as the “Accept all” option. You can complain to your data protection authority to get these dark patterns removed.


I’d prefer better rules. As-is, sounds like a scheme to grow some sort of data protection bureaucracy.


Better rules, such as?

I believe the rules we currently have are enough to protect privacy and deal with these kinds of dark patterns. The problem is the non-enforcement of these rules, so much that entire businesses now specialize in producing "consent management platforms" that help break the rules.


Why do so much work to get people to select the wrong thing? That is as illegal in the EU as not getting consent for your cookies. Might as well just skip the cookie consent and just use your tracking cookies.


They want something similar to US-style "you can put whatever in the small print" and hope it provides them with some plausible deniability that straight-up refusal wouldn't.


it may be illegal but I see it all the time.


> so users get annoyed and choose 'Accept all'.

This is probably true in most cases, especially for non-techy and/or non-privacy-aware people, which leads to the inevitable question: So, what's the point of having such a law in the first place since 99% of users will choose "Accept All" WITHOUT ever bothering to read the site's policy due to the annoyance caused by the banner?


> since 99% of users will choose "Accept All" WITHOUT ever bothering to read the site's policy

I block all cookies that aren't from the site I'm visiting. I'm OK with first party session-cookies.

It's like this: if you serve me a cookie, and I accept it, then you can check that WITHOUT A POPUP. And if my blocker rejects it, then whether I click "Accept" or "Reject" on your popup isn't going to change the configuration of my blocker.

So if I get one of these popups, I click "Accept". Your popup can't override my browser preferences.


Because just banning such predatory practices would be portrayed as "authoritarian", and when the good players remove the tracking and so don't show a banner, and the bad players play games within the new law, the same people who would have called the simple ban "authoritarian" blame the inconvenience on the weakened law to divert attention from the people who try to circumvent it.


Disagreed - the practices are banned. Dark-pattern-based implementations are not compliant with the GDPR. The problem is that nobody is actually interested in enforcing it, so non-compliant solutions are allowed to proliferate.


I hate these dark patterns so much. I’m all in on the automation to get rid of it.


Problem is, what's a "banner"? It's just some div with CSS properties attached to it. Nobody's going to style their cookie popup with "#block-me: { whatever }". A lot of sites seem to generate unpredictable strings for their popup CSS classes.


Many browser addons already deal with this banner problem quite effectively so I assume that we can already work out what a banner is fairly reliably.

Example - https://chrome.google.com/webstore/detail/i-dont-care-about-...


Reclaim the web from marketers and advertisers: block all ads, all JS and all cookies and operate on a whitelist alone.

Fuck those people. If I need to have a PiHole, 3 ad blockers and block everything to enjoy the web I fucking will.


It's an uncomfortable topic because so many people here work for adtech and spend their lifetime essentially manipulating others for massive gain


Ads are necessary for business. Surely there are some companies with 0 marketing spend, but rather exceptional. You can say Tesla is one, but arguably their marketing expenses is Musk’s social influence, SEC and other potential regulatory fines that may eventually catch up with their self-driving campaign.

Otherwise, investing marketing money into your brand means that you have something to lose. Relatively easy to set up a website or a white-labeled brand, but when you put a few million into marketing it signals that you are attached to that brand.

When competition is tight and cost of acquisition can eat your margin, you want to be laser focused on ad efficiency. Getting cost of acquisition, lifetime value and ROI of different cohorts is very very difficult. You need good tracking for that. But then there are two outcomes: improve the product or invest further into invasive tracking to “engineer” customers into buying your product. When the industry leans towards the latter, individual companies have to as well to stay competitive.


I understand this reality, but that is what I am referring to as manipulating people for gain. That is literally what is happening. That it helps businesses doesn't change that.


> Ads are necessary for business.

No. Even less so when your competitors also can't use ads.


Those ads pay for a lot of the web. It doesn't have to be as intrusive as it is, but if there were no ads, lots of websites would simply go away.


> if there were no ads, lots of websites would simply go away

Increasing the signal-to-noise ratio of the web like this sounds fantastic.


Would you actually pay subscriptions for YouTube, for a news site, for a recipe site, for newsletters, for podcasts, etc?


Ad delivery should have been standardized decades ago into a sane, safe format.

The way they are implemented today is lunacy. I won't even use the web without a blocker.


Ads don’t have to imply tracking or targeting based on anything but page context or browser language or crude geolocation.

If ad tracking and targeting disappears tomorrow, not much would have to change, except that some of the money that has been flowing out of traditional advertising like print and TV will flow back. This would make a dent in the “free” online content for sure but it would be worth it. Personally I wouldn’t lose any sleep even if 90% of the ad funded internet including most social media disappeared or became subscription only tomorrow.


If your sole business model is to find tricks to assault your users' attention I think your business should die.


Now this is something I'd consider a new feature that is worth switching browsers over.

I remember back in the day, when (Opera?) added tabs to the browser. Made such a big difference in daily use when I tried it out.

This feels similar. Make the web usable again!

Edit: Actually, this is even more like when browsers added pop-up blockers, now that I think about it.


As a matter of fact, Opera has been blocking cookie dialogs for a long time already. Possibly only Opera for Android though.

https://www.zdnet.com/article/opera-for-android-adds-support...

It is a difficult problem though as there is no standard for cookie dialogs, everyone has their own implementation.

And if you don't do it properly you may only block the visuals and be stuck with an invisible element that covers the screen and makes it non-clickable.


Is there a (firefox) extension that auto-rejects everything on your behalf?

I have only seen auto-accept ones so far.


Consent-o-Matic [1] allows you to set your preferences once. I’d say it’s had about a 50-75% success rate. Sometimes takes a second or two.

1: https://addons.mozilla.org/en-GB/firefox/addon/consent-o-mat...


I'm using both these extensions - I don't see cookie consent very often.


this one works well for me also.


https://www.i-dont-care-about-cookies.eu/ says it'll reject where it won't break the web site. But it's called "I don't care" not "I never want" cookies :)


The extension is quite effective, but I decided to uninstall it after it got acquired by Avast[1].

[1] https://www.i-dont-care-about-cookies.eu/whats-new/acquisiti...


Just in case you're not aware, a couple of options. It's possible (though who knows for how long) to add the filter list[1] used by IDCAC directly to uBO. The extension was forked[2] prior to acquisition if that is preferable. EasyList Cookie is available as a toggleable list on uBlock Origin, which hides many consent prompts - though only visually if I'm understanding correctly, so better to combine with an autodelete extension.

[1]: https://www.i-dont-care-about-cookies.eu/abp/

[2]: https://github.com/OhMyGuus/I-Dont-Care-About-Cookies


You can add the extension's filter list to your ad blocker for the same general effect. https://www.i-dont-care-about-cookies.eu/abp/


Websites aren’t allowed to start collecting data until the user has made an active choice. Thus, removing the DOM elements should be enough, on compliant websites. There should be no need to reject


Good luck with that one in practice.


If you don't trust the website to be compliant when making no selection why would you expect them to not track you after selecting no?


Indeed. There's no "more illegal" than "illegal".


Indeed, hence "on compliant websites". I wish the EU's enforcement wasn't so lacklustre. Would be interesting if they hired 2-3 reverse engineers and had them go down Alexa top 10k and verify that consent banners are implemented correctly, handing out fines if not. One can dream I guess.

Fundamentally, the problem with the GDPR isn't that the law is problematic, it's the lack of enforcement, this is the true cause of the consent banner proliferation.


EU's enforcement is based on the country the site is hosted in's regulator.

Which is a faff because it means the Irish regulator actively looking at what sites are hosted in Ireland, rather than an EU regulator looking at all EU accessible sites. Which is non trivial to search for.

(Also the Irish regulator struggles with regulatory capture).


A sweeping, sector-wide law with extraterritoriality is fundamentally problematic.

2 or 3 people “handing out fines” to top-10k sites is extremely unlikely to deliver positive results.

EU agenda would be better served I think by going for wins, not ambitions.


Side note: The alexa top sites list is defunct since May: https://www.alexa.com/topsites/


It is enforced, see https://www.enforcementtracker.com And yes, there's talk amongst some of my GDPR friends about creating a bot. If they did, it would basically be a money printing machine. (At least in the first month or so until companies catch up). This site can help you get it right: https://webbkoll.dataskydd.net


> it is enforced, see https://www.enforcementtracker.com

Your link basically disproves your assertion. The total amount fined across all countries and companies is still less than what the biggest offender (Google or Facebook) makes in a single year.

Regarding scraping bots, Noyb (a pro-privacy non-profit) has done so and sent out automated notices to the offenders. The problem as far as I understand is that the best you can do is complain to your local DPA (which is useless), it doesn't give you the right to sue directly (nor provides a way to estimate monetary damages), so suing directly is not an option.


All the examples I looked at were about installing cameras or video surveillance. I have not looked through the full list but it certainly is not what it’s being presented to be, i.e. GDPR tracking enforcement.


uBlock Origin removes all "annoyances" from the page, which should imply reject most cookies.


It tries to, and does it better than others, but nothing is 100%. Consent-O-Matic gets rid of a ton of these pop up consent banners and sets them to "off".


> which should imply reject most cookies

It does not, though.


In practice, you'd be using uBlock with the other lists which would block all the trackers anyway, so it would (by not loading what would set those cookies in the first place).


I'm increasingly encountering the following hostile sequence:

1. A CAPTCHA

2. A cookie consent ad

3. An immediate content blocking pop up asking me to subscribe to their newsletter (generally before I've had time to read a single sentence).

It's amazing how miserable browsing the web has become. It's also amazing how many companies see this experience as acceptable. I just close the page when I get the email newsletter request.

I realize the CAPTCHA is not going away but I feel like I'm regularly seeing it just to browse ordinary content.

Is there any way browsers could limit these annoying mailing list subscription prompts as well? I feel like this has quickly become a scourge on par with the cookie consent ads.


While blocking outright might not be the right solution, it would be much easier if there was some standard for cookie banners, where the user chooses default parameters once for all websites (all, none, or something in between), and can later adjust them on a per-website basis if need be. There is already some consensus for mandatory, (extra) functionality, analytics and marketing categories, although many websites just dump everything in "mandatory". Although, lately I'm seeing more and more "reject all" buttons right next to "accept all" on websites. Might be a first good step.


There is already a standard called Do Not Track. Businesses ignore it.


"Businesses" use Do Not Track for fingerprinting and tracking. Safari ended up removing it because of that.


Is "Do-Track" an option?



An article on a site that has a cookie banner the size of my mobile screen :)


Which they acknowledged and even used as an example of an annoying cookie banner in their own article. That's quite funny... actually... because if they think of their own banner as this annoying then they could have made it a lot nicer and more subtle.. :)


It's traditional and professional for the journalistic and business sides of a publication to operate independently. It's not perfect, and it's gotten weaker over time, but this article is an example of it operating correctly.

Without this division we wouldn't have an article without annoying banners, we would have the business side killing the article for promoting an ad blocking browser ("don't you realize how we're funded!")


"making fun of yourself" is a well-known psychological trick to attract fans and boost credibility.


"In some cases, however, these banners can serve as trackers themselves, as they engage in a privacy-breaching data exchange before the user even has a chance to opt out."

See, e.g., https://arxiv.org/abs/2102.08779v1

Blocking the banners, which generally require Javascript to function, is enough to stop consent, but keeping Javascript enabled still enables and/or strengthens the ability to track. No doubt JS is on by default in Brave. Can it be disabled globally for all websites or only on a site-by-site basis? The project was co-founded by the creator of Javascript.

There will be people who make statements such as "Disabling Javascript breaks every website." What they will not admit is that it breaks various tactics, including but not limited to cookie banners, used in tracking. And it breaks online advertising as a "business model". "Tech" companies have vested interests in Javascript remaining enabled. Dark patterns are used to ensure it stays on. This is unfortunate for all the legitimate uses of JS and the websites who only use JS responsibly.

https://heydonworks.com/

The above website "breaks" if Javascript is enabled. It demonstrates that so-called "modern" browsers running Javascript allow website developers to play games with website visitors. They can try to make visitors enable or disable Javascript by causing them to believe something will not "work".

Meanwhile, I use a 1.3MB static binary text-only browser that does not run Javascript, store cookies, process CSS or auto-load resources. Yet I can generally read every website submitted to HN. To me, the websites "work" if I can read the content. If I do not like something that the browser does, I can edit the source and re-compile in a matter of minutes. For some reason(s), this is not done with "modern" browsers. They are used "as is".

Perhaps "extensions" are a way to appease those users who might be inspired to modify the source code of "modern" browsers to remove undesired default behaviour or add functionality. The "tech" company browser vendor can change the rules of "extensions" at any time. As Google is about to do with Chrome.



Not sure how successful this will be, but it's always good to see someone kicking up a fuss about it. Apparently they're trying to block more than just the visible parts ("where possible") so that's good. But you wouldn't know it from the headline, or even the prompt in the browser (screenshot in article) -- "block the banners" to me sounds like "hide the banners".

The issue is that websites/businesses are doing things to users that the users do not want and do not ask for. We need legislation to target the unwanted behaviour more directly. Asking nicely isn't going to fix anything. Any 'cookie consent' style system will just be abused, worked around and cheated as the current one has.

If you give an inch, they will take a mile. Every time.


If you wanted to make app stores stronger and the Web much worse, these consent banners would be a fantastic way to do it. "User agents" should be able to express our intentions clearly and without nag screens every time.


Blocking means rejection of all consent, right?

That’s great then. But I’m assuming the worst offenders who aren’t compliant with their banners also aren’t compliant in what they do when their pop up is blocked.


At some point, web browsers will become content scrapers, only showing the interesting bits.

Fully standards compliant WYSIWYG forfeits control to the server (service).

Scraping restores agency to the user (client).


At that point there will be very little content for the browser to scrape, because most content will be behind a paywall or a subscription.


Why is it that Google Analytics is often listed in “strictly necessary cookies”? I’ve never known that to be a requirement for handling cookie-based sessions or logins.


Back in the old days, before FF started inserting GA shims, having `onclick="ga_track(); doTheThing();"` was fairly common. So, if disabling GA broke the site, then from their PoV it was necessary.

IOW, I'd bet it was damn near a lie


Because product managers and/or marketing people consider their salary "strictly necessary".


Wouldn't that be illegal though?

Purely from a Devil's Advocate perspective those banners are legally required, so pro-actively blocking them seems like a bad idea.


No, the banners aren't required, the user consent is required.

If the users do not want to accept the proposal, they aren't required to, and they aren't required to even view and consider the proposal - there is nothing illegal if the users preemptively block and ignore it.


I think the cookie consent was great in intention, but naively executed/enforced by the EU.

I believe there must be a strong push back on those banners from browser vendors to force the EU to reconsider the current law and modify it. IMHO it would be much better if they'd revise the current law to require browser vendors to have a global cookie setting (accept functional, marketing, etc.) and then websites having to obey a user's preference based on their browser setting.


There's nothing in any of the relevant EU laws forcing websites to have consent banners. They could simply handle consent like mobile apps are supposed to handle permissions (i.e. prompt once for a single purpose when it becomes relevant for a user interaction).

But they want to shovel a ton of trackers and tracking ads and analytics and other garbage into every page load, so they need to obtain consent before those can be loaded and then they try to be clever (read: illegal) and trick you into giving them a blank check by making it harder to opt out and continue than to opt in to everything and give up.

There's also nothing in the law saying the cookie banner has to be a modal dialog. The same sites happily went for actual "banners" rather than popups when the first EU cookie law was passed and only required notice rather than consent. They only went for modal popups because this forces users to make a choice before they can access the content.

Ironically, if a data protection agency were particularly spicy that day, it could be argued that putting a site behind a modal consent popup rather than defaulting to opt-out and merely informing the user about other options violates the GDPR's requirement not to make the use of a website conditional to unrelated data processing because the popup is intended as a form of light coercion.


> There's nothing in any of the relevant EU laws...

Sure, my pet peeve is not that THERE IS something in EU law that makes these banners so annoying. My issue is that THERE ISN'T anything in the EU law that specifically prescribes HOW it should be handled so that it's not such an absolute fecking annoyance. As I said, I think they should revise the law so that it specifically states that the cookie options must be a browser option and websites MUST respect that preference, and that the browser preference trumps anything else which a user might have consented to elsewhere, rendering attempts to work around it as useless.


There used to be the option of using a global cookie but no website used it. It was then deprecated. See the field 'IsServiceSpecific' in [0]

[0] https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...


> force the EU to reconsider the current law and modify it.

That's like bank-robbers demanding that the law against armed robbery needs to be modified.

I like the law. I don't like the bank-robbers throwing up banners in the hope that the blame will stick to GDPR.


The banners themselves are not legally required, neither by the GDPR nor by the EPR. What is required (at least from an EU standpoint) is (taken from https://gdpr.eu/cookies/):

- Receive users’ consent before you use any cookies except strictly necessary cookies.

- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.

- Document and store consent received from users.

- Allow users to access your service even if they refuse to allow the use of certain cookies.

- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Site owners don't have to use obnoxious banners to comply with any of these obligations:

- User consent can be collected _when the cookie is used_ rather than preemptively.

- Information can be provided when consent is asked and/or at a specific URL linked from the footer.

- Documenting and storing is a no-brainer.

- Allowing users to access the service without certain cookies is also a no-brainer.

- Allowing the user to change their mind can also be a simple form at a specific URL linked from the footer.

So-called cookie banners exist because they are simpler and cheaper than designing online services properly.


There’s more to these than just the usage of cookies.


Yes. The GDPR only mentions cookies once, as something that could contain user data, and the EPR is about _many_ things, including cookies. What to actually do with cookies, in terms of user experience and technical implementation is never explicitly mentioned so it is perceived as enough trouble for site owners to consider punting to those pesky banners.

FWIW, I don't remember ever explicitly setting a cookie or reading from it in the last 6-8 years or so and I don't think I am the only one. Third party integrations have been the only source of cookies in all the projects I have been involved with in that timespan: YouTube embeds and tracking, mostly.


The requirement is to acquire consent, not to reply to the attempt to acquire consent.


Yes - this is my understanding of the requirement.

When I was coding up my poetry website I decided I wanted to give users the chance to share the poem they were reading on Facebook or Twitter - both of which require their cookies on the user's browser to make the functionality work. But I didn't want to ruin the user experience of visiting the site (that comes later, when they're reading the poem) by shoving a consent banner onto the screen as soon as the site loaded. The solution I came up with was to redirect the users to the site's cookie consents page[1] only after they clicked on the FB/Twitter share buttons, and only load the relevant cookies onto their browsers after they explicitly agree to them.

[1] - https://rikverse2020.rikweb.org.uk/cookies - because cookie consent pages can be fun too!
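The consent-at-point-of-use pattern described in the two comments above (ask when the cookie-setting feature is actually used, record the answer, make withdrawal as easy as granting), as an added example that is not part of the thread or of any site mentioned in it. `createConsentGate`, `memoryStorage`, the purpose name and the widget URL are hypothetical.

```javascript
// Added example (not from the thread): third-party code is loaded only after an
// explicit, recorded, per-purpose opt-in. All names and the URL are hypothetical.

// Stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
  };
}

function createConsentGate({ storage, loadScript, now = () => new Date().toISOString() }) {
  const KEY = "consent-record";   // first-party record of the visitor's own choices
  const injected = new Set();     // scripts already added during this page load

  const read = () => {
    try {
      const parsed = JSON.parse(storage.getItem(KEY) || "{}");
      return parsed && typeof parsed === "object" ? parsed : {};
    } catch (err) {
      return {};                  // corrupt record: treat as "no consent given"
    }
  };
  const save = (purpose, granted) => {
    const all = read();
    all[purpose] = { granted, at: now() };
    storage.setItem(KEY, JSON.stringify(all));
  };

  return {
    has(purpose) {
      const entry = read()[purpose];
      return Boolean(entry && entry.granted === true);
    },
    // Withdrawing is a single call, the same effort as granting. A script that is
    // already injected keeps running until the next page load.
    withdraw(purpose) { save(purpose, false); },
    history() { return read(); },
    // Call this from the click handler of the feature that needs the third party.
    // `ask` shows the purpose-specific prompt and returns true only on an explicit yes.
    use(purpose, scriptUrl, ask) {
      if (!this.has(purpose)) {
        const granted = ask(purpose) === true;
        save(purpose, granted);              // refusals are documented too
        if (!granted) return false;          // the rest of the site keeps working
      }
      if (!injected.has(scriptUrl)) {
        loadScript(scriptUrl);
        injected.add(scriptUrl);
      }
      return true;
    },
  };
}

// Stand-alone run with a fake loader; in a browser, loadScript would append a <script> element.
function demo() {
  const loaded = [];
  const gate = createConsentGate({ storage: memoryStorage(), loadScript: (u) => loaded.push(u) });
  const url = "https://social.example/share-widget.js";
  const refused = gate.use("social-share", url, () => false);
  const accepted = gate.use("social-share", url, () => true);
  return { refused, accepted, loaded };
}
console.log(demo());
```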


I don't see how it can be illegal. The website is showing it and it's the user who has decided to use a browser that blocks it. You may as well say it is illegal for me to not read the pop-up.

Another way to look at it, if I disable JavaScript and therefore the pop-ups don't show is that illegal?


Good luck with that - the popups usually don't depend on Javascript (at least, not to display them).


> Purely from a Devil's Advocate perspective those banners are legally required, so pro-actively blocking them seems like a bad idea.

Not a European or a lawyer, but I think "legally required" might be a slight question mark.

I could be very wrong, but I think the issue is that the requirements of these laws are all vaguely worded, so companies started putting in place these giant consent forms on load purely to cover their ass legally.


The sites have to send them and the user is simply automating the response. IANAL but I don’t see an issue here.


No law requires those banners.


> These notifications are incredibly annoying but have become necessary to do business online to comply with data protection regulations like GDPR.

Alternatively, you can just not track the behaviour of every person who lands on your website.

Use contextual ads instead of personalised ads.


> Alternatively, you can just not track the behaviour of every person who lands on your website.

Tracking behaviour is useful to ensure the site is working, that people are able to use the site and make purchases, or even to know what parts of the site people are using. There is nothing wrong with that, so long as the logs are not shared and not kept for longer than necessary.

Tracking people's use of the site to build a profile of them and share with third parties, without consent, is where the privacy problem comes from.


"Tracking" that is necessary to ensure the service is functioning does not require consent. That is for example why logging IPs for things like rate-limiting or DDoS protection does not require consent, but that data cannot be used for anything else.

If you do not track users but just track usage that should not require consent. So if you track for example purchases per hour (but not which users made a purchase) you can see if it becomes irregular. You can also track usage of certain site functions without tying that data to a specific user or session.

So the actually necessary tracking does not require consent, but since companies got used to tracking everything and tying it to users/sessions before these laws it seems like they try to continue on that path instead of adapting.


> So if you track for example purchases per hour (but not which users made a purchase) you can see if it becomes irregular.

Yeah, nice for you! But you're requiring my collaboration in your investigations; sorry, but I can't tell which cookies (or web-storage blocks) are for checking whether my behaviour is "irregular", and which are intrusive data-collectors.

I'm not going to scrutinise every cookie a site serves; life's too short. I configure my browser to accept first-party session-cookies only. My web-storage pool is zero bytes. If your site doesn't work with those settings, your site is broken (and I'll find a better one).


I think you misunderstand my point. The "tracking" I mentioned is only "actions per {time unit}", for all users. Basically aggregating how many times the "/api/checkout" endpoint is hit. It requires no cookies, it requires no checking of any individuals behavior. The only point of it is if action $FOO decreases dramatically then $FOO might be broken.

At no point does that require cookies or personal data or personal tracking. My point was that you don't need cookies or personally identifiable info to be able to make sure a website runs well.
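The "actions per {time unit}" monitoring described in the comment above, as an added example that is not part of the thread: requests are reduced to an hourly count per endpoint before anything is stored, and a sharp drop is flagged. The log format, the threshold values and all function names are assumptions for illustration, and the log lines are constructed.

```javascript
// Added example (not from the thread): hourly endpoint counts with no per-user data.
// The log format, thresholds and function names are assumptions for illustration.

// Constructed sample access log: "<ISO time> <client IP> <method> <path> <status>".
// Checkout volume is steady, collapses at 13:00 and is zero at 14:00.
function buildSampleLog() {
  const checkoutsPerHour = [["09", 40], ["10", 42], ["11", 38], ["12", 41], ["13", 3], ["14", 0]];
  const lines = [];
  for (const [hour, n] of checkoutsPerHour) {
    for (let i = 0; i < n; i++) {
      const minute = String(i % 60).padStart(2, "0");
      const ip = `203.0.113.${(i % 250) + 1}`;
      lines.push(`2022-10-09T${hour}:${minute}:00Z ${ip} POST /api/checkout?cart=${i} 200`);
    }
    lines.push(`2022-10-09T${hour}:59:30Z 203.0.113.7 GET /index.html 200`);
  }
  return lines;
}

// Reduce each request to (hour, endpoint) and count. The IP, the query string and
// anything else that could single out a visitor are dropped before anything is stored.
function aggregate(lines, endpoint) {
  const counts = new Map();
  for (const line of lines) {
    const [timestamp, , , rawPath] = line.split(" ");
    if (!timestamp || !rawPath) continue;          // skip malformed lines
    if (rawPath.split("?")[0] !== endpoint) continue;
    const bucket = timestamp.slice(0, 13);         // e.g. "2022-10-09T13"
    counts.set(bucket, (counts.get(bucket) || 0) + 1);
  }
  return counts;
}

// Turn the sparse map into a continuous series. An hour with no hits has no map
// entry at all, and that is exactly the case ("$FOO might be broken") to catch.
function hourlySeries(counts, until) {
  const keys = [...counts.keys()].sort();
  if (keys.length === 0) return [];
  const end = Date.parse(`${until || keys[keys.length - 1]}:00:00Z`);
  const series = [];
  for (let t = Date.parse(`${keys[0]}:00:00Z`); t <= end; t += 3600 * 1000) {
    const bucket = new Date(t).toISOString().slice(0, 13);
    series.push({ bucket, count: counts.get(bucket) || 0 });
  }
  return series;
}

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Flag any hour whose count is below `ratio` times the median of the previous `window` hours.
function findDrops(series, { window = 3, ratio = 0.5 } = {}) {
  const alerts = [];
  for (let i = window; i < series.length; i++) {
    const baseline = median(series.slice(i - window, i).map((p) => p.count));
    if (series[i].count < baseline * ratio) {
      alerts.push({ bucket: series[i].bucket, count: series[i].count, baseline });
    }
  }
  return alerts;
}

const checkoutCounts = aggregate(buildSampleLog(), "/api/checkout");
console.log(findDrops(hourlySeries(checkoutCounts, "2022-10-09T14")));
```

Passing the current hour as `until` matters: without it, an endpoint that has stopped receiving hits entirely produces no bucket and therefore no alert.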


I think I did misunderstand your point, by about 180deg. Sorry. Thank you for clarifying.


> Tracking behaviour is useful to ensure the site is working

If that's the only way you can tell the site is working, then something's obviously wrong.

> There is nothing wrong with that

Indeed, there's nothing wrong with that, except that I'm not OK with cookies that are served by third-parties, or by some framework or analytics script that you've thrown onto the site.


You need logs of some form to know what users did, or tried to do.

I'm not talking about 3rd party analytics.


And I'm not talking about logs. Logs are fine and necessary; I'm a sysadmin.


Yep, I paused at that also. Quite hypocritical of them to state they are "legally required" when the prompt they display isn't in compliance. The European Data Privacy Board (EDPB) has been very clear that the choice to opt out must be as easy as to opt in. Yes/No, not Yes/More Info.

But due to lax enforcement companies just keep ignoring this. Luckily it's (very) slowly changing. Even Google was recently forced to amend their practices but it took a fine of 150 million, and probably a threat of a lot more for them to finally do it. https://www.cnil.fr/en/cookies-google-fined-150-million-euro...

If anyone is interested, NOYB is doing good work to make sure companies are aware that they are breaching the GDPR, which is also very useful when it finally comes to enforcing it as they can't pretend they didn't know. If you like their work you can become a member to support them.

https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...


Personalized ads never seemed workable, nor sensible to me, especially when showing me products I had just bought. It makes more sense if they are about tracking and influencing behaviour, as is done in Chy-nah.


The only cookie I want to allow is one that stores that I already rejected all their other cookies.


Brave is also soon to offer vertical tabs. This is currently available on the Nightly and Dev channels, as I posted yesterday here. [1]

1: https://news.ycombinator.com/item?id=33135489


I use AdGuard (with Safari, but it's available for other browsers too) and the "Annoyances" filter already does a pretty good job of removing these.


The banners should be part of a broader permissions management system in the browser. Any calls to the cookies constructor should be checked for permission.


Finally


It’s annoying it took this long. On iOS there’s super agent to do the same.


I find it ironic that the site reporting this is practically unreadable on Safari due to all the ad banner noise. I took this opportunity to try Brave on iOS and it clears out most of the noise. If it gets rid of the consent banners too that would make the internet much less frustrating to peruse.


And the article doesn't strike me as adding anything of substance over https://brave.com/privacy-updates/21-blocking-cookie-notices... (which at least it links to).


It shouldn’t be required for users to have to wait for Brave to implement this.


They don't need to, the feature has been in Firefox Nightly for a few weeks now: https://bugzilla.mozilla.org/show_bug.cgi?id=1783015


Why did Firefox implement it? I was talking about extensions. uBlock Origin could (does?) already do it and, IMO, this domain is much better left to a third-party with no financial incentive to track people or to make exceptions for "fair" trackers.


I actually wish websites rendered the same way they do on archive.is by default.


Too many cookie notices are only to accommodate Google Analytics.


Is that what the web has become?


"These notifications are incredibly annoying but have become necessary to do business online to comply with data protection regulations like GDPR."

No, they are not necessary. Website owners can choose to use privacy-friendly tools for analytics and then a cookie modal is not necessary.


Thank goodness.


Yet another reason to use Brave Browser.


“These notifications are incredibly annoying but have become necessary to do business online to comply with data protection regulations like GDPR.”

Incorrect. bleepingcomputer.com is required to show the banner because they want to spy on us, and the GDPR demands that they ask permission to do so. If they were more ethical, they could “do business” without having to annoy us with the banner.



