Reading it in translation, seems they identified the following as breaches:
1. When you visited bing.com they always dropped an ad fraud detection cookie.
2. After clicking around on bing.com, without clicking yes on any of the banners, it would drop an ads cookie.
3. On their cookie banner, rejecting took two clicks while accepting took one.
On 1, Microsoft argued that detecting ad fraud was "strictly necessary" for running bing.com, but the court disagreed, saying that advertising is not a service requested by the user. (point 53 in the full decision).
On 2, Microsoft said it was an accident and had already stopped, though not before the CNIL asked them about it.
On 3, Microsoft argued that (a) rejecting was not actually required to be as easy as accepting and that (b) since the default was no cookies and it took a click to get cookies that rejecting was easier than accepting. The CNIL disagreed on both.
This isn't about advertising - you can still advertise just fine, even more so on a search engine where the benefit of tracking is limited as the user explicitly tells you what they're searching for.
They were fined for tracking to detect ad fraud. Advertisers are paying per click, often quite a lot, and if you charge them for clicks that don't represent real humans they get grumpy and go advertise somewhere else.
For that matter, browser + ip fingerprinting can be server-tracked anyway, if less reliably overall. Especially with JS enabled. There are lots of tricks that can be used for this.
Aside, wonder how good/bad ip+agent fingerprinting could be combined with a url that feeds a small randomly generated string with a VERY long cache expiration, with server/proxy no-cache headers (e-tag per agent/ip). Effectively similar to a cookie, without technically being a cookie.
Not clear in this case, since while detecting ad fraud doesn't meet the "strictly necessary" requirements of ePrivacy (necessary for storing the cookie on your machine) it is still an open question whether the GDPR requires user consent for it. (Lawyers at advertising companies think that you don't, but that doesn't mean they're right)
Interesting. One quirk of browsing sites with JS disabled is that the cookie banners rarely show up. Often, they are implemented as scripts loaded from a site like "cookielaw.org".
I've long suspected that these sites default to dropping cookies when my consent is neither asked for nor received, as MS appears to have done here.
It's good to hear that such behavior is probably illegal in the EU.
It's in violation of various EU privacy laws like GDPR and the ePrivacy Directive.
They get discussed a lot here on HN so it's easy to assume everyone's familiar with them, but if you're not then you should search up a summary on them.
That would conflict with normal cookie terminology, where cookies are "set" and packets are "dropped".
But much more importantly, it is completely impossible in the context of the thread:
> [Accusation 3.] On their cookie banner, rejecting took two clicks while accepting took one.
> On 3, Microsoft argued that (a) rejecting was not actually required to be as easy as accepting and that (b) since the default was no cookies and it took a click to get cookies that rejecting was easier than accepting. The CNIL disagreed on both.
> Microsoft argued that (a) rejecting was not actually required to be as easy as accepting
The regulation explicitly says so. Easy way to accept, reject and choose. A lot of companies seem to be violating the law on that one by making it difficult for people to reject cookies.
Reading the article, it's the French Data Protection Act, which is the French incorporation of various data privacy laws into French law. Where is your claim that it's based solely on the ePrivacy Directive coming from?
The decision considers both, but the decision is combining two regulations: one that says you need to get consent before using storage for purposes that aren't 'strictly necessary' (ePrivacy) and another that says how consent for the processing of personal data must be collected (GDPR). This is not the same as a regulation that explicitly says how consent for storage must be gathered, and before this decision it was not clear how the two regulations interacted on this point.
The constraints on use of client-side storage aren't reiterated in the GDPR: they are only in the ePrivacy Directive and the upcoming ePrivacy Regulation. The interaction between the GDPR and ePrivacy was not obvious on this point.
Civil law does not leave room for such creative interpretations. Even if the storage is being done client-side, as long as the company can access and use it, they will be considered to be having that information. Then GDPR will kick in. Note that cookies are also stored client side.
Sorry, I wasn't saying that Microsoft was claiming not to have access to the information. I was saying that the interaction between two different rules was unclear before this decision:
1. The ePrivacy Directive says that before setting anything in client-side storage you must have the consent of the user unless it is strictly necessary for performing an operation requested by that user.
2. The GDPR requires consent from the user before using their personal data in a bunch of different ways, and provides a lot of details on how that consent may be collected to be considered valid.
My interpretation of Microsoft's behavior here is that they were compliant with (1) and (2) individually, but the problem was the way they were collecting consent for (1) did not follow the requirements of (2).
When the permission is withdrawn, the other party cannot collect more data. And the existing data that they collected would need to be deleted if the user asks them to. If the withdrawal of permission also involves permissions regarding data storage and processing, it would mean that the company would need to destroy any personal data that they have.
If withdrawing is meant to be “undo consent”, how would you make that as easy as the initial “one click to consent”? Would you not have to show a banner on every page view, with a one click option to “withdraw”?
You'll have to go and ask the legislators what they were imagining. Thankfully it's not being interpreted quite as literally. Sometimes pragmatism saves the day.
What is the point in implementing a cookie banner if you are still breaking the law in an obvious way? Why not just break the law by not having a cookie banner? That way it would at least be less annoying for your users.
I think a lot of companies comply with cookie banners the way that they do just to annoy users, as a protest against regulation. If they can irritate users as much as possible while complying, they think they can turn users against the regulation itself rather than the way that they comply. I don't know if this applies in this particular case, but I know at least some companies do that so it's worth considering. Other than that, maybe the answer is that they were just trying not to be obvious, or that it was totally different divisions responsible for each?
But almost no company complies with the law anyways. They need to have a "reject all" button; a "more options" button is not enough. So any company that has a cookie banner without a "reject all" option might as well not have a banner at all.
We do. At least for the part of the product I was responsible for I made sure that the tracking script is really only loaded if the user explicitly clicks yes.
It's sometimes hard to make marketing understand why this is an issue in the first place but then we are B2B in a mostly offline industry so it doesn't matter as much.
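The practice described in the comment above (tracking script loaded only after an explicit yes), modelled here as an added example that is not the commenter's code. The cookie names, the script URL and the endpoint paths are constructed placeholders, and the framework is assumed to hand the request cookies over as a dict. The model also keeps accept, reject and withdraw at one request each, and adds an edge-side filter that refuses any non-essential Set-Cookie while consent is absent, which is the check that would have caught the "accidental" ads cookie discussed at the top of the thread.

```python
"""Consent-gated tracking (added example, not the commenter's code).

Constructed assumptions: request cookies arrive as a dict, the consent
decision lives in a strictly-necessary cookie named "consent" with the
value "granted" or "denied", and the tracking script URL, cookie names
and endpoint paths are placeholders.
"""
from typing import Dict, List, Optional

CONSENT_COOKIE = "consent"
TRACKING_SCRIPT = "https://analytics.example/track.js"  # placeholder URL
ESSENTIAL_COOKIES = {"session", "lb_node", CONSENT_COOKIE}  # consent-exempt
NON_ESSENTIAL_COOKIES = {"_ads_id", "_analytics_id"}        # placeholders


def read_consent(cookies: Dict[str, str]) -> Optional[bool]:
    """True = granted, False = denied, None = no decision recorded yet.

    Anything else (absent, tampered, unknown value) counts as no consent.
    """
    value = cookies.get(CONSENT_COOKIE)
    if value == "granted":
        return True
    if value == "denied":
        return False
    return None


def page_model(cookies: Dict[str, str]) -> Dict[str, object]:
    """What the rendered page may contain for this visitor.

    The tracking script is referenced only after an explicit 'granted'.
    With no decision the page is fully usable, just without tracking, and
    accept, reject and withdraw are each a single request.
    """
    consent = read_consent(cookies)
    return {
        "scripts": [TRACKING_SCRIPT] if consent is True else [],
        "show_banner": consent is None,
        "accept_action": "/consent?choice=granted" if consent is None else None,
        "reject_action": "/consent?choice=denied" if consent is None else None,
        "withdraw_action": "/consent?choice=denied" if consent is True else None,
    }


def consent_endpoint(choice: str) -> List[str]:
    """Set-Cookie headers for a consent decision.

    The same handler serves accept, reject and withdraw, so withdrawing is
    exactly as easy as giving consent. Denial also expires the non-essential
    cookies that may already be on the device.
    """
    if choice not in ("granted", "denied"):
        raise ValueError("unknown consent choice")
    headers = [f"{CONSENT_COOKIE}={choice}; Path=/; Max-Age=15552000; Secure; SameSite=Lax"]
    if choice == "denied":
        for name in sorted(NON_ESSENTIAL_COOKIES):
            headers.append(f"{name}=; Path=/; Max-Age=0; Secure; SameSite=Lax")
    return headers


def filter_set_cookies(cookies: Dict[str, str], proposed: Dict[str, str]) -> Dict[str, str]:
    """Edge-side last line of defence.

    Any Set-Cookie that is not on the essential list is dropped unless
    consent is currently granted, regardless of which code path proposed it.
    """
    if read_consent(cookies) is True:
        return dict(proposed)
    return {name: value for name, value in proposed.items() if name in ESSENTIAL_COOKIES}
```

The split between `page_model` and `filter_set_cookies` is deliberate: the first decides what the page offers, the second guarantees that no other code path (an ad integration, a marketing tag added later) can set a non-essential cookie before the visitor has said yes.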
>I think a lot of companies comply with cookie banners the way that they do just to annoy users,
In my experience they don't actually understand what they are required to do; they then think the easiest way to handle it is to pay for some outside expertise, with of course the understanding that they would still like to get some ad money.
There are benefits to being a US based company that doesn't target EU users, even if it doesn't reject EU users, I guess.
I can't think of a way to actually use any kind of tracking cookies, even non-ad/sales/data-harvesting related that wouldn't be annoying in EU.
Of course, if you manage your own load balancing, you could definitely combine a load-balancer pinning cookie (uuid) for "all" uses as a single "essential" cookie.
Load balancing would fall under "essential" cookies that don't require permission. No banner necessary.
See GitHub.
You can't use the data for other purposes though.
Tracking without cookies requires consent no matter how you implement it. Claiming it to be essential won't fly if, say, your marketing or sales team has access.
Using a cookie that is essential for non-essential purposes is not allowed. So using a load-balancer cookie is fine, as long as it's only used for load balancing.
Once it's used for other (technically non-essential) needs as well, one needs to find another basis for processing or ask permission for that second purpose (consent basis).
Also, if the LB cookie can be non-identifying while fulfilling the stated technical purpose, it must not allow identifying users. So for LB cookies, one must not use a unique ID per user, but an LB ID instead. Something like "node1", "node2" etc...
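The non-identifying affinity cookie described in the comment above, written out as an added example (not code from the thread or from any load balancer). The backend pool, the cookie name `lb_node` and the `route_request()` entry point are constructed assumptions; the per-user UUID variant is included only to show the pattern the comment warns against beside the non-identifying one.

```python
"""Non-identifying load-balancer affinity cookie (added example).

Constructed assumptions: a fixed pool of backend names, a cookie called
"lb_node", and a routing layer that passes the raw Cookie header of each
request to route_request().
"""
import random
import uuid
from http.cookies import CookieError, SimpleCookie
from typing import Optional, Set, Tuple

BACKENDS = ["node1", "node2", "node3"]  # constructed backend pool
COOKIE_NAME = "lb_node"


def identifying_affinity_cookie() -> str:
    """The pattern the comment warns against: a per-user UUID.

    It pins a client to a backend just as well, but it is also a unique
    identifier that could later be reused for tracking, which is what takes
    it outside the 'strictly necessary' exemption.
    """
    return str(uuid.uuid4())


def parse_affinity(cookie_header: str) -> Optional[str]:
    """Return the backend named by the lb_node cookie.

    Absent, malformed or unknown values all yield None: the cookie is
    client-controlled input and is never trusted as-is.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    if COOKIE_NAME not in jar:
        return None
    value = jar[COOKIE_NAME].value
    return value if value in BACKENDS else None


def route_request(cookie_header: str,
                  healthy: Optional[Set[str]] = None,
                  rng: Optional[random.Random] = None) -> Tuple[str, Optional[str]]:
    """Choose a backend for one request.

    Returns (backend, set_cookie_header). The Set-Cookie header is None when
    the existing cookie already names a healthy backend, so the value is not
    rewritten needlessly. The value is only a node name shared by every client
    pinned to that node, so the cookie cannot single out an individual.
    """
    healthy = set(BACKENDS) if healthy is None else healthy
    rng = random.Random() if rng is None else rng
    pinned = parse_affinity(cookie_header)
    if pinned is not None and pinned in healthy:
        return pinned, None
    backend = rng.choice(sorted(healthy))
    set_cookie = (f"{COOKIE_NAME}={backend}; Path=/; Secure; HttpOnly; "
                  "SameSite=Lax; Max-Age=3600")
    return backend, set_cookie
```

Validating the cookie value against the known pool matters for more than privacy: a pinned-but-unhealthy or fabricated node name is simply reassigned instead of being forwarded anywhere.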
I honestly don't know how people in Europe surf the web, it's so annoying now. When I was just in Germany, every site I'd have a GDPR popup, then the ads would load, then some random ad would popup with a close button the size of a pixel. This was on major sites. The modern web is so broken, the GDPR popup made it worse. Why can't you just have a browser wide setting to accept or deny GDPR in force. In the US it's bad enough, now with the GDPR popups, it has become almost unusable, especially on mobile.
I don’t understand why the blame is put on GDPR (which is NOT the reason for cookie banners btw, it’s the ePrivacy directive). Websites choose to have cookie banners because they have abusive cookies, tracking, etc. Some websites such as GitHub famously made the choice to remove tracking cookies, and now do not need a cookie banner. Forcing websites to clearly display their crappy practices is a good thing. Forcing websites to ask for user consent before tracking them is good.
The GDPR just missed a step. They should have mandated an automated way for users to present their preference. Like the old DNT flag for instance. With the legal framework behind it that would have made that flag actually useful and browsers would have brought it back quickly.
I assume this didn't happen due to industry lobbying.
AFAIK there was a legislative initiative to do exactly that and the ad industry whined about it.
I think the result would have been similar to what happened when Apple did its Facebook nerf. Within the margin of error no one wants to be tracked and the ad industry knows this despite their fake "user-benefit" spiel.
In the end it didn't happen and I can't recall what it was called.
It’s not the same thing. I’d love something like <meta> tags where the websites declare their cookies, with a standardized set of metadata. We could have a browser native permission system like we have for microphone, camera, geolocation, and the possibility to allow or disallow cookies in a unified way. Blocking the undeclared/disallowed cookies would then be done at the browser level, so there would be no need to trust that the websites actually respect the settings.
I'd like something like an <ad> tag to go along with it, where the contents are sandboxed by the browser separate from the rest of the page. Mainly as a cudgel against sites which are very anti-adblocker.
> some random ad would popup with a close button the size of a pixel.
Run an adblocker. The Web was a total mess even before GDPR came along and not limited to Europe. If the issue of denying sites a revenue stream bothers you then perhaps make yourself a promise that you'll turn it off when ad networks stop being a vector for malware and/or stop engaging in the un-permitted collection and sale/abuse of personal data.
Personally, I run NoScript (as well as ad blockers) and so cookie popups are relatively rare on my Mac, but I still get them on iOS. I don't like them, but I see them as a warning that the site is going to try to exploit my personal data in return for serving me content.
It's also worth pointing out that there is no actual need to have a cookie banner unless you're doing something with the data that actually needs permission. For instance basecamp.com was GDPR/ePrivacy directive compliant when I was there, but never needed a banner because they decided to stop collecting and processing personal data in a way that required permission.
I don't think they thought they were breaking the law: you can read their arguments summarized in the decision and they're plausible: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989. I also suspect that if they had been successful in keeping the jurisdiction to their home authority in Ireland (which has a reputation of being much less strict), they would not have been found to be out of compliance.
Lawyers are rarely hired by the defense to pen long arguments why they were intentionally breaking the law. They’re always going to argue that they didn’t do it, and if they did do it they didn’t intend to (because intentionally violating can have higher penalties).
> 46. In its defence, the company explains that the "MUID" cookie is a multi-purpose cookie, used for essential and non-essential purposes in order to avoid using several cookies, one per purpose, so as to reduce the number of reads and writes of information between the user's terminal and "bing.com". The company states that only the essential purposes are activated before the user gives consent. The company argues that it regards the following as purposes essential to the functionality of "bing.com": combating fraud, including advertising fraud; security purposes such as preventing denial-of-service attacks; detecting malware; and combating disinformation. The company maintains that these inseparable purposes are strictly necessary for providing the "bing.com" services as requested by the user. The company specifies that, in the absence of user consent, the only advertising purpose for which the "MUID" cookie is used is non-targeted advertising in the context of combating advertising fraud.
They tried to be clever by re-using the same cookie for multiple purposes, essential and non-essential (the “essential” purpose being related to ad fraud detection), so they claimed they did not need consent to set the cookie. And since they argued that they chose to use a single cookie “to reduce the number of reads and writes”, which is bullshit, they were clearly not acting in any kind of good faith here. The regulator did not condemn them for the bad faith argument though, but because “ad fraud detection doesn't qualify as essential”, so their “smart” move of mixing essential and non-essential purposes within the same cookie wasn't even properly done:
> Furthermore, the rapporteur specifies, in response to the company's argument that the purpose of combating fraud in the broad sense is an essential purpose exempt from consent, that only the purpose of combating denial-of-service attacks could be exempt from consent. The rapporteur notes that the other purposes mentioned do not fall within the scope of the exemptions provided for in Article 82 of the Loi Informatique et Libertés, since they are not intended to facilitate electronic communication and are not strictly necessary for providing a service expressly requested by the user.
The regulator then remarked that mixing both kinds of purpose within the same cookie is explicitly forbidden anyway: (emphasis mine, on the relevant part)
> In the first place, with regard to multi-purpose cookies and other trackers, the restricted committee recalls that Article 82 of the Loi Informatique et Libertés requires consent for operations reading and writing information on a user's terminal, but provides for specific cases in which certain trackers benefit from an exemption from consent: either when the tracker's exclusive purpose is to enable or facilitate communication by electronic means, or when it is strictly necessary for providing an online communication service at the express request of the user.
Before this decision I think using the same cookie for both inessential and essential purposes was something that many people still thought was okay, as long as (as Microsoft claimed they were doing) when you do not have permission to use the cookie for inessential purposes you only use it for essential purposes.
But yes, this all ended up being irrelevant since the court decided that they were using it for non-essential purposes before getting permission.
I am glad to see the cookie law, as misguided as it was, be enforced. Online advertising is an oligopoly with a stronghold on network effects.
However, I wish the law were solely about sites working with cookies disabled. The prompt on every website is driving me crazy, to the point of installing extensions like https://www.i-dont-care-about-cookies.eu/ (though this has been acquired by Avast apparently, so I won't ever update from 3.3.2).
Ever since the first browsers, cookie preferences were customizable in them. Websites should not duplicate that functionality, but merely respect it.
Try consent-o-matic instead. It allows you to select the level of consent that you want to give web sites. I currently have it set to none, and I haven't seen a consent dialogue for a long time.
Consent-o-matic is great! Managing my cookie preferences on different sites used to be more annoying than it was worth to me, but with the extension it doesn't require any additional effort. It's also interesting to see the number of clicks it saves on its statistics page, with certain types of cookie dialogs apparently taking more than 12 clicks on average (and good ones only taking one click per site, or even "0", not sure how that works).
The thing is this is something we suffer through while we wait for companies to get enough, and large enough fines to actually read GDPR and respect it.
Once that happens it will be almost as before, just with less battery usage, less network usage and less tracking.
Will it happen?
I think it will. I now see even Google - who I expect to have a small army of lawyers - have given up to a certain extent and now let me opt out directly without any extra steps.
Cookie regulations have been a disaster. Cookie prompts are a huge annoyance but the bigger thing is that sites are locking their content with registration walls so they can track users by logged in state. Benefit to users is actually negative.
> sites are locking their content with registration walls so they can track users by logged in state
This has nothing to do with that. NYT started locking its content years before cookie regulations. Membership content existed way before. It recently exploded. That's why. Not due to cookies.
> Users accept vendor's conditions upon registering and are giving their consent
That's the Anglo-American common law's logic. In civil law, the law cannot be overridden by others 'agreeing' to override it. It's more like software engineering in that regard, instead of arbitrary interpretations.
It is totally due to that difference. Contracts form the basis of common law. That is the reason why so many US corporations think that someone 'agreeing' to terms, and therefore entering a contract with the company regarding the usage of the site over those terms, means anything in civil law. It does not. In the eyes of civil law, the use of the site would need to take place per the laws and regulations present in civil law as opposed to whatever the user may agree to in terms.
This is factually inaccurate; contracts are one area of, but not the basis of, common law.
> In the eyes of civil law, the use of the site would need to take place per the laws and regulations present in civil law as opposed to whatever that the user may agree in terms.
In common law, contracts don't trump other law, and contracts or provisions thereof can be invalid for being contrary to public policy.
> This is factually inaccurate; contracts are one area of, but not the basis of, common law.
Of course it isn't the entire basis of the law. However it lies at the foundation of the entire common law institution: common law originated from the feudal relationship between the liege lord and the vassal contracting with each other based on certain criteria. Over time, this concept was meshed with medieval customs and started being applied to society as a whole. Hence the awkward medieval-feeling nature of the common law with all those 'precedents', 'interpretations' and 'agreements'.
> In common law, contracts don't trump other law, and contracts or provisions thereof can be invalid for being contrary to public policy.
Today. And mainly because the US combines common law and civil law in a meshed system. For the UK, it's mainly because common law was basically unworkable and indefensible in the modern age after civil law became the de facto standard in the entire world, setting the legal discourse. Still, the contractual concepts lie at the foundation of the law, as evidenced by the 'agreement' concept that is so extensively utilized by US corporations.
Law is a philosophical construct, not a programming language. By their own statement Microsoft demonstrated bad faith and intent to coerce, and this forms an antithesis of compliance.
Never dick around trying to use contract terms and narrow technicalities to bypass regulations and obligations. It won’t go well.
Terms and conditions do not override law. Coerced consent is not consent.
By law, the user experience must not be different based on whether the user has or has not given consent for tracking.
Registration implies consent to process information (identity) for the purposes for which that information was provided, namely access to the content. It does not imply consent to use that information for other purposes such as tracking, and so any attempt to track a user around a site for advertising purposes using their login details would be in breach of the GDPR, unless the user has explicitly and freely given separate consent for that to be done. For that to be possible, the request for consent to track must be completely separate from the process of creating an account or logging in - it cannot be part of the terms and conditions.
Others have pointed out the specifics related to websites and GDPR/the ePrivacy directive, but there's another example of why what you say isn't really true that might help understand, and that's EU (and for now UK) consumer law.
A site might have terms and conditions, or conditions of sale etc. but if you as an individual buy something you still have protection from consumer laws. Any conditions you agree to are only ever in addition to your statutory rights.
So, a company might state that an item has a 12 month warranty (as happened with me, a Mac computer bought from Apple), and it might break after that time (mine after something like 13 months). In my case Apple said they were not going to fix it for free because it was out of warranty and I didn't have AppleCare (deliberately, because I knew consumer law), but I successfully argued (as stated in the legislation) that there was a reasonable expectation that the item should have worked for a lot longer than that, ultimately making them responsible. They did in the end accept this and fix it.
There are other examples, like if an item is not as described then the company selling it has to pay costs to have it returned, and the company is responsible for the item while it is in transit in either direction. You are due a refund within 14 days of the /rejection/ of the item, not any other timescale, or dependent on when you return the item, etc. etc.
In summary, your "terms and conditions" are effectively irrelevant if they attempt to reduce or bypass existing legislation.
I don't see how banning digital advertising would be anything other than a net positive to society and it drives me crazy that such an idea is beyond discussion thanks to how enthralled our political class is.
Similar - more precisely another term for "enslaved". The subtle distinction in my mind is that enslavement is forceful, while enthrallment is more like people voluntarily baring their neck to a vampire, hoping for dark powers.
This isn't really true, it means "capture the fascinated attention of". A child could be enthralled by a jigsaw puzzle. You could argue that their attention has somehow been enslaved, but I can't recall ever hearing or reading any phrasing quite like it.
Context matters. If you are talking about a child with a jigsaw then sure, the more cutesy definition applies. But talking about politicians and money, you have to bend over backwards pretty far not to see the second definition as more appropriate.
Hopefully they will just go away; much easier to understand the value proposition of some content if the owner has had to put an actual price tag on it. Yes, people will end up consuming less media - but given how precipitously the quality of news and news-like publishing has dropped, I'd be glad to have fewer, better sources of "journalism".
Advertisers aren’t charities though, their objective is to show ads to people who have the means to buy stuff - poor people seeing their ads (and having their content subsidised) isn’t something they want and they’d be more than happy to stop it should there become a reliable way of tracking and detecting poor people.
If you don't like them then don't visit them or visit them with an ad blocker on. Don't deprive users from the content and don't deprive staff from their jobs.
Not that simple. Even for paid media (Netflix, for example) advertising is starting to creep back in, because consumers have no way to resist it. Companies which don't gather ad money and just rely on actual value-transfer transactions get outcompeted.
Advertising itself is only mildly offensive; if done with taste it can be no problem at all, but too many companies seemingly don't know when to stop - the line from Ready Player One about monetizing 70% of a person's field of view sounds exactly like what Meta and Google would do if they could get away with it.
I want legislation on this topic to create breathing space for real businesses which make things of value.
No. It's really not. It's "I would gladly give person A the thing I have X for the thing they'll give me Y but you won't let me because you don't want to do that".
It's more like the minimum wage argument or something like that but you don't really need an analogy.
I fail to understand why politicians thought the cookie dialogue was a good idea. It adds almost nothing to benefit the user and is a huge annoyance from the UX perspective.
Politicians never thought the 'cookie dialogue was a good idea'. Politicians aimed to reduce the use of cookies for tracking without consent. That the industry responded by either ignoring the directive and/or by harassing their users to give that consent forcibly isn't on the politicians but on the owners/operators of those websites.
Lawmaking is like chess. Politicians and their lawyers should anticipate what bigcorp will do in response to new law and inject countermeasures before the law is introduced.
Cookie law was lame af from the beginning and did nothing but annoy end-users.
The relevant governing bodies need to crack down on companies that are violating the rulings and ensure that it's understood this is a requirement for doing business.
If you've ever been in a position to write policy, you know the adage that if you design something to be idiot-proof, they'll just design a better idiot. Same rule applies for bad actors.
Laws don't try to predict everything, that's why the spirit of the law is just as important as the letter. What the law means to accomplish is just as important as what is actually written, and persons who violate the spirit of the law while not explicitly violating the letter should not get a free pass; this is not how law works, and it's why despite the hundreds of thousands of laws on the US books, there are still courts to interpret laws and make rulings on situations.
Corporations can kick and scream all they want while writhing through to meet the letter of the law, but that doesn't make them right, it just makes them desperate.
I can understand if it was a small subset of companies that made it difficult for the user.
I can show multiple government websites where the UX is broken. There is no profit motive there. But if you live in the EU, you probably have seen it already.
It is so bad that Chrome has an add-on that has 800k downloads.
Cookie law wasn't lame. Regardless of what kind of law you crafted, the corporations that are used to skirting the law, especially in the US legal landscape, would try to dodge the law by any means possible. Ranging from having people 'consent' to the cookie through tos, or by making it difficult to reject. BOTH of which are prohibited by law. They were prohibited exactly to prevent skirting the law.
So basically every cookie prompt that makes you take more than one click to reject or says "You consent to this -> Yes" is in violation of the law and they will get fined if they are reported.
I've also seen a lot of other sneaky bypassing of the law.
For example the news site nu.nl now requires having a free account to read many specific articles. This is a smart move on their part because logging in requires maintaining a higher amount of user information across visits and thus it brings a lot of tracking into the "technically necessary" realm so they don't have to ask permission.
I disagree. If companies decide to take these laws in the worst possible way, far worse than any normal and sane person would anticipate, the problem isn't with the law.
Take into consideration that these companies annoyed their users but blamed it on the politicians, which is pretty irrational behavior.
And here you are, still blaming the politicians. As a result the GDPR came into being which is far more strict, it too is being blamed as the reason why many companies have now decided to shut down service altogether as the easiest solution to comply, when obviously the alternative would be to simply stop tracking your users.
> If companies decide to take these laws in the worst possible way, far worse than any normal and sane person would anticipate, the problem isn't with the law.
Are you saying that before the 2002 ePrivacy Directive came out most people who thought about this wouldn't have predicted that companies would put up cookie banners?
The cookie nagging kinda worked for a while because EU bureaucrats bad. But I believe there was a general shift in realizing Google et al. spy on you where it backfired in the long term.
Users were way more naive at the time of cookie banners being introduced. The Internet was still not a real IRL thing.
I think if you confronted your average user with what these companies collect in data behind the scenes they would be astounded. I've seen a lot of this stuff professionally and it is quite amazing that any of this is legal at all. The profiles that these companies have on private individuals are at a level that the intelligence services likely can not match, either in quantity or in quality.
To Joe Doe's defense, it took way too long for me to realize Google stalked me on the web. Embarrassingly long. "Internet people" told me but I thought they were crackpots.
> cookie dialogue (...) Adds almost nothing to benefit user and huge annoyance from the UX perspective.
It's a misinterpretation of the letter of the law (there's no such thing as a cookie dialog/banner) and the spirit of the law (disabling tracking should be the easy default choice, not the convoluted, hard choice).
Cookie banners are simply the most annoying and spiteful way to fulfill the EU regulations. You don't need to block access to the website until the user has accepted tracking. If you don't track, you don't need anything at all.
Things that are technically necessary to facilitate functions requested by the user like shopping carts or login tokens are exempt under clause 22 of the ePrivacy directive.
Don't set any other cookies and you won't need to ask for consent.
Politicians aren't forcing websites to set more than the strictly necessary cookies, which require consent. It's marketing/advertising that does.
That's because the cookie dialogues as they are now were never part of the original GDPR and other privacy related bills/acts/whatever.
GDPR requires that consent is as easy to withdraw as it is to give. [0]
That companies have dragged their feet and gone kicking and screaming with cookie banners is irrelevant to the actual law; the EU needs to start cracking down more and more on this to show what it actually means, since it's quite clear that companies are not going to willingly comply with the data consent laws.
So don't blame the politicians on this one; they never gave any requirement for such banners, and in fact specifically mentioned that it must be simple to revoke/deny consent. Companies that didn't want to comply with GDPR and other privacy laws decided to make it as painful as possible for you and me and blame it on the privacy rules.
There are a lot of misconceptions in the comments; this is honestly not what I expect from HN.
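The two points above, that cookies needed for a function the user asked for are exempt while everything else needs opt-in, and that rejecting must be as easy as accepting, come down to a small amount of server-side discipline. The following is an added example (not code from any site or project discussed here, and the cookie names, the policy table and the 180-day consent lifetime are constructed) showing a response layer that keeps a catalogue of every cookie it is allowed to set, refuses to emit anything not classified, drops non-essential cookies unless a consent cookie says "granted", and records either choice with one identical step:

```python
from http.cookies import SimpleCookie

# Constructed cookie catalogue for a hypothetical site. "essential" marks cookies
# that exist only to deliver something the user requested (login, cart, the
# consent choice itself). Anything else is analytics/advertising and may be set
# only after an explicit opt-in.
COOKIE_POLICY = {
    "sid":        {"essential": True,  "purpose": "login session token"},
    "cart":       {"essential": True,  "purpose": "shopping cart contents"},
    "consent":    {"essential": True,  "purpose": "remembers the consent decision"},
    "_analytics": {"essential": False, "purpose": "usage analytics"},
    "_adtrack":   {"essential": False, "purpose": "advertising / cross-site tracking"},
}

CONSENT_COOKIE = "consent"
CONSENT_MAX_AGE = 180 * 24 * 3600  # constructed value: how long a choice is remembered


def parse_consent(cookie_header: str) -> str:
    """Read the consent state from an incoming Cookie header.

    Returns 'granted', 'denied' or 'unset'. Anything malformed counts as unset,
    so the failure mode is "no tracking", never "tracking by accident".
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(CONSENT_COOKIE)
    if morsel is None or morsel.value not in ("granted", "denied"):
        return "unset"
    return morsel.value


def set_cookie_headers(wanted: dict, consent: str) -> list:
    """Turn the cookies a handler wants to set into Set-Cookie header values.

    Non-essential cookies are silently dropped unless consent == 'granted'.
    A cookie missing from COOKIE_POLICY is an error: classify it first.
    """
    jar = SimpleCookie()
    for name, value in wanted.items():
        policy = COOKIE_POLICY.get(name)
        if policy is None:
            raise ValueError(f"cookie {name!r} is not classified in COOKIE_POLICY")
        if not policy["essential"] and consent != "granted":
            continue  # tracking cookie without opt-in: never reaches the client
        jar[name] = value
        jar[name]["path"] = "/"
        jar[name]["secure"] = True
        jar[name]["httponly"] = True
        jar[name]["samesite"] = "Lax"
    return [jar[name].OutputString() for name in jar]


def record_consent(choice: str) -> str:
    """Build the single Set-Cookie value that stores the user's decision.

    Accepting and rejecting go through exactly the same one-step path; the
    cookie is essential because it exists only to honour the user's choice.
    """
    if choice not in ("granted", "denied"):
        raise ValueError("choice must be 'granted' or 'denied'")
    jar = SimpleCookie()
    jar[CONSENT_COOKIE] = choice
    jar[CONSENT_COOKIE]["path"] = "/"
    jar[CONSENT_COOKIE]["max-age"] = CONSENT_MAX_AGE
    jar[CONSENT_COOKIE]["secure"] = True
    jar[CONSENT_COOKIE]["samesite"] = "Lax"
    return jar[CONSENT_COOKIE].OutputString()


if __name__ == "__main__":
    # A first visit: no consent cookie yet, so only the session cookie is emitted.
    state = parse_consent("")
    for header in set_cookie_headers({"sid": "s3ss10n", "_adtrack": "abc"}, state):
        print("Set-Cookie:", header)
    # The user rejects: one Set-Cookie, same shape as an accept would produce.
    print("Set-Cookie:", record_consent("denied"))
```

The useful property is that a handler cannot "forget" to check consent: the check lives in the one function that writes `Set-Cookie`, and an unclassified cookie fails loudly instead of quietly shipping to the browser. Withdrawing consent later is just `record_consent("denied")` again, which is the same single step as granting it.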
- cookie banners are the result of the ePrivacy directive, NOT the GDPR. This directive is implemented in France in the law « informatique et libertés » which is honestly pretty good overall
- cookie banners are NOT mandatory when you use cookies. If you use only technical cookies (session IDs, local settings, etc.), you do NOT need a cookie banner. The law simply states that you must ask consent before tracking users. Cookie banners just highlight the fact that tons of websites track their users and did it on the cover of unreadable ToS before. The fact that cookie banners are so annoying proves the law wasn’t misguided
- cookies are not the only target of ePrivacy: it’s a law about consent to tracking, not about cookies
- the law works. I personally go out of my way to click « reject non necessary » when I can. I also report websites violating the intent of the law when I see them
> cookie banners are NOT mandatory when you use cookies. If you use only technical cookies (session IDs, local settings, etc.),
There's sort of a grey area where you need them to do basic website analytics, which IS a bit annoying as a developer since all websites will do this until the end of time.
This can be done without tracking users though. Also, in the context of "no-one owes you a business model", just because being able to do something can increase your bottom line by some % doesn't mean you can do it at the expense of individuals. The web industry (which I'm very much a part of) had years during which they could have voluntarily stopped being shitty to users, and they didn't, so now we have GDPR etc.
A person can sue a company that broke GDPR against this person, in a civil case, after GDPR body rules that the company indeed broke the law against this person.
Now it would be great if the EU could start enforcing GDPR.
Multiple sites of the Polish government, main www.gov.pl among others, attempt to run Google's tracking code on visitors' devices without consent.
This is basically illegal in the EU, but Poland's GDPR body (Urząd Ochrony Danych Osobowych) dismissed the case I opened against the Minister of Digital Affairs (Minister Cyfryzacji), who is responsible for those sites' operation, as baseless.
It's interesting to see what the EU and France focus their energy on. Surely there's a technical solution that could be deployed by the government that all Europeans could use to preserve their privacy if they'd like and end the madness.
Alas, most of the top technical talent either has moved to the United States or works for US companies, so fines it is.
"See how us Americans have freedom to be tracked by big tech at their whim? Up yours EU and your privacy protection and government standing behind people, not corporations!"
It is limited to a purpose and informed. But the most surveilled country left the EU some time ago (and the surveillance was entirely due to their own laws, not the EU's), and it's not as bad, and better since GDPR.
So for example if you want to have cameras in your shop you have to write on the doors that you have them, who is processing that data and for what purpose.
If, say, you as owner wanted to give that data to the police, that's within the usage and fine. If you decided to make a compilation of funny people in the supermarket from it, or decided to train your AI models on it, that would be illegal. There is also a limitation on the storage period (3 months) that can be longer only if there is some crime being investigated related to that.
A more IT-related example: we can log IPs and such for security purposes, but they can be used only for that; we don't need to get consent to save that for the purpose of, say, preventing DDoS or spotting attacks, but we can't use that to do analytics without anonymizing the data or getting consent.
There are other laws that require storing data for longer, mostly tax and money related; you can't exactly use GDPR to tell a bank to stop storing your financial data.
Most importantly, that puts the burden of handling it on corporations; with GDPR the PII is basically "radioactive".
I think it is a pretty good compromise between "freedom to do whatever you want" and "freedom for whoever else to fuck you without consequences because they can do whatever they want", although the EU is definitely overreaching in places (like the hard-on for EVs before the infrastructure is ready).
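The IP-logging example in the comment above is a purpose-limitation problem: the same access log feeds a security use (raw addresses, bounded retention, used to spot request bursts) and an analytics use (no raw addresses at all). The following is an added illustration, not code from any project mentioned on this page; the log lines are constructed with RFC 5737/3849 documentation addresses, and the 90-day retention window and the /24 and /48 truncation prefixes are assumptions chosen for the example rather than values taken from any law:

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed access log: "<client ip> <ISO-8601 timestamp> <request line>".
SAMPLE_LOG = [
    "203.0.113.7 2024-05-01T10:00:00+00:00 GET /index.html",
    "203.0.113.7 2024-05-01T10:00:01+00:00 GET /login",
    "203.0.113.7 2024-05-01T10:00:02+00:00 GET /login",
    "198.51.100.23 2024-05-01T10:05:00+00:00 GET /index.html",
    "2001:db8:abcd:1234::1 2024-01-15T09:00:00+00:00 GET /about",
]

# Assumed retention for the raw (security) copy; analytics never sees raw IPs.
SECURITY_RETENTION = timedelta(days=90)


def parse_access_log(lines):
    """Parse constructed log lines into dicts with a raw IP and a tz-aware timestamp."""
    records = []
    for line in lines:
        ip, ts, request = line.split(" ", 2)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        records.append({"ip": ip, "ts": datetime.fromisoformat(ts), "request": request})
    return records


def anonymize_ip(ip: str) -> str:
    """Truncate an address to its /24 (IPv4) or /48 (IPv6) prefix, dropping the host part."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def security_view(records, now):
    """Raw IPs kept only inside the retention window; older entries are purged."""
    return [r for r in records if now - r["ts"] <= SECURITY_RETENTION]


def analytics_view(records):
    """What the analytics pipeline may receive: truncated prefix and request only."""
    return [{"ip_prefix": anonymize_ip(r["ip"]), "request": r["request"]} for r in records]


def spot_bursts(records, window=timedelta(seconds=5), threshold=3):
    """Security purpose: raw IPs that sent >= threshold requests inside any window.

    Returns {ip: max requests seen in one window}; this is the use that actually
    needs the un-anonymized address.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)
    recs = parse_access_log(SAMPLE_LOG)
    print("security copy:", [r["ip"] for r in security_view(recs, now)])
    print("analytics copy:", analytics_view(recs))
    print("bursts:", spot_bursts(recs))
```

The split matters operationally: the security copy is the only place a full address lives, it ages out on a fixed schedule, and the analytics copy can be handed to a third party without carrying an identifier back to a household. If an analytics feature later "needs" the raw address, that is the signal that it has moved out of the purpose the data was collected for and needs either anonymization or consent.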