> the absence of any option for refusing/rejecting/not consenting cookies at the same level as the one provided for accepting their storage constitutes a breach of the legislation [0]
On one hand, this was required from the beginning (this is just a clarification of original intent, not a change or addition)
However it's deeper since the popups we see today were never recommended nor required by the original regs. The laborious nonsense we endure was invented by websites as a workaround for the regs. So it wasn't obvious that consent parity would ever need to be clarified like this because it wasn't even obvious that the industry would come up with such an awful popup pattern to begin with (though in retrospect we should've known I guess).
The fact the popups were never even compliant anyway is just a combination of wilful ignorance, dark patterns, consulting companies wanting to sell something and - yes - an added set of people innocently misinterpreting regulation.
You're still thinking of it exclusively in terms of frontend web development (consent popups) whereas the original regulation was largely concerned with reducing data collection by the business in general, at a backend/database level & even things like manual in-person/on-paper collection.
The frontend consent screen component of the whole topic was something that emerged afterward as businesses' attempt to get away with continuing rampant unfettered data collection.
To add to this, the law allows for data collection for a bunch of reasons. However, it intended to put a stop to a lot of data collection practices that were not to the benefit of the user, and informed consent is an exception to still allow for that, but only in the case that the user is actually actively OK with it. But of course, companies then started harassing users to make them agree, and the narrative arose that the EU "forced" them to do it.
This is nonsense talk. How do you differentiate between compliance with the regulation, and a "workaround" to the regulation? I guess it's at each of our discretion, right? It's subjective? Or are they the same thing? You can keep calling them "workarounds" but that distinction only exists in your own mind.
The rules are very clear: if you collect personal data¹ for other purposes than legitimate interest you need to give people an easy choice to deny that collection and the service should not be worse because of it.
I think you're misunderstanding what the poster was talking about. You're taking "the popups we see today were never recommended nor required by the original regs" to mean that the popups have become something that wasn't intended by the regulation (but the regulation did require popups).
I think that the poster was saying that the popups themselves as a concept were never recommended nor required by the regulations.
The regulation required informed consent. Nobody ever said it has to be done with popups. This is what people ended up doing afterwards.
Only when deceptive patterns became clear did the EU make clear that allowing one simple "ok" option and a million convoluted ways to say "no" does not result in informed consent.
Whether you use a popup or hide it in a menu with the default of not tracking does not matter.
Yeah I guess the word "require" has a few interpretations. The regulation didn't explicitly require popups, it required user consent IFF a company wants to collect/process/sell data the company doesn't need, but the intent was that companies would not do this, with consent being the exception, and the mechanism of consent was neither prescribed nor a focus: it certainly wasn't annoying popups per reg.
It's a workaround if a website manages to make users accept cookies that would otherwise refuse just by making it so inconvenient UI wise to refuse them.
The limits and edge cases on this may be subjective but then again so are most laws.
Many people sadly have this mindset that if something is not explicitly and comprehensively spelt out then anything goes, therefore any complaints for bad implementations is purely on the regulations for not being explicit and comprehensive enough. Now, obviously, there's SOME truth to this, but too often people think in black and white.
I often think it usually goes the other way. If a regulation is too specifically defined, it often ends up having gaping holes and other issues.
Most of our longest standing torts and crimes have subjectivity right at their core, and I'd argue that's not a coincidence but survivorship bias.
The world just isn't black and white, and attempts to legislatively render it so inevitably cause problems (though, obviously, too much subjectivity and something becomes uselessly vague; it's a tricky balancing act for sure).
Depends on the legislative culture. For example, from the Copywrongs talk from now Felix Reda:
> The other legal tradition underlying the EU copyright system which is the continental European tradition of droit d’auteur (or Author's Rights). In this system, the authors of cultural works have certain inalienable rights that they cannot sell to a right holder. And, importantly, the exceptions to copyright, the interests of the public are written into the law. [...] The problem with the continental system is that it is quite inflexible because every time a new technological development comes about, you have to change the law to allow this type of use without a copyright infringement. So every new way of dealing with culture is forbidden by default. - https://www.youtube.com/watch?v=wL_Wxu6x1HU
Whereas other legislative cultures prefer to set a general framework, then leave the details to the Courts and or to Government ministers.
It was included. The rule hasn't been changed. The interpretation of the rule in one specific case has been confirmed, without having changed the rule. That means that, as written, this dark pattern was always illegal.
i really don’t understand how it came to this anyway. the industry is so stubborn. what is not clear here? you should not spy on your site visitors for marketing purposes.
when you join a poll you do so with consent, when a market/social/political research entity invites you to a focus group (for example) you get at least a coffee and snack if not real money.
websites just get this for granted? it’s like stealing. it will never stop until the industry gets some understanding of these concepts.
We're talking about the advertising industry here. Calling these companies stubborn is a gross understatement.
This is the industry that perfected psychological manipulation in the pursuit of profits. It's built on decades of research into the best ways to associate brand names with positive feelings, and plant a desire to make a purchase in the subconscious mind of consumers. They will do anything humanly possible to deliver ads to your senses, and they've corrupted every media technology to do so since the existence of public broadcasting.
The internet has just given them the most profitable delivery mechanism, and in turn has made technology companies insanely rich. These adtech giants rule the internet, and can build the playground they need to make ad delivery more efficient than ever. Now these profits can trickle down to website owners, which will in turn take the path of least legal resistance, and employ every dark pattern imaginable in order to maximize _their_ profits.
And if this corrupt business model wasn't enough, adtech companies can perpetually multi-dip by selling the data they collect on shady data broker markets.
So, no, it's not just stubbornness, or lack of understanding. Deceit is built into this industry, and these cookie consent forms are just the tip of the iceberg.
The solution requires much stronger regulation than the GDPR. Unfortunately, this is very unlikely to pass given the influence advertisers have on governments.
Absolutely not. If I see a cookie popup or subscribe modal, or even get interrupted reading with a pop-up prompt I immediately leave the site and add it to my blacklist.
Archive for life.
Free content was around before advertising on the web, this whole 'but they get free content' spiel was cooked up by advertisers.
Static web pages are cheap to host. Very rare is the article on [news site] getting millions of simultaneous hits. But they all want videos embedded everywhere, gifs galore when all I want is to read their 20 min video in 2 minutes. They want their website hosted on the cloud with every new/hot architecture out.
How many nyt articles are reprints of a reuters article the nyt then turns into 10 pages with aforementioned videos etc.
If the website decides to offer content for free, then it may do so. If not, the website is entirely allowed to put up a paywall, or to display *non-targeted* advertisements. What the website is not allowed to do is mandate payment in the form of private information.
Because the absence of a "DoNotTrack" header does not imply that a user has consented to being tracked, as a user may be using a browser that doesn't support "DoNotTrack". Nor does the setting of a "DoNotTrack" header necessarily correspond to a specific user, as it may have been set by an administrator policy. Nor would it be informed consent, as it is configured before the user has been informed as to the uses for which private data will be applied.
The GDPR requires that consent be informed, explicit, freely-given, and limited to a specific use case. Of these, the "DoNotTrack" header could be at most freely-given. Its design as a binary yes/no that can be configured across all sites prevents it from ever being used as a way to grant permission to track.
While the presence of "DoNotTrack=1" could be used to assume that no permission to track has been granted, this is already the default assumption that the GDPR requires companies to make.
Thanks for that. This game should probably be mandatory, for anyone involved with the cookie legislation. If they succeed, they may propose a new draft.
It became painfully obvious over time that the people who drafted the legislation did not think through either the ways malicious compliance could work against their goals or the incentives of all actors in this story.
I think the possible forms of malicious compliance were considered, and are explicitly forbidden by the GDPR. The GDPR requires that consent be freely given, and be as easy to withdraw as to provide. The various end-runs around that requirement, such as redirects on rejected consent, click-through to privacy policy, click-through to a list of 3rd-parties, and so on, are all violations of the GDPR.
They aren't a form of malicious compliance at all, because they aren't compliant at all.
Naively, I'd expect a lot more enforcement action if so many sites were non-compliant. Did the EU create a policy it couldn't enforce, and that's the larger issue here?
From the gradual ramp-up of enforcement, my optimistic view is that they are closing out the deliberate "misunderstandings", establishing precedent for each one. I really should start collecting links as they come out, as they're a pain to track down later, but they've established things like "Targeted advertising is not a legitimate interest for the purpose of Art. 6, and requires consent."
Note that "cookie" popups are about tracking, not cookies. If you agree in incognito, they might fingerprint your browser and track you outside of incognito too, since you've agreed.
That's a good nuclear option, but often we don't actually want to block all cookies. What we want is for sites to use cookies in ways that benefit us, but not use cookies to track us. Blocking them all or selectively allowing specifically chosen cookies puts the onus on the visitor to guess which cookies do what or lose functionality. Making the website owner legally responsible for declaring which cookies are for tracking and which provide functionality is a boon.
The person you replied to did not say block all cookies. They specifically said block all 3rd party cookies. If a site wants to set a 1st party cookie, but through code on their end share that cookie data with 3rd party sites, there's nothing we can do about that. But by gawd we can absolutely block the ones that are too lazy to do it like that and just link someone else's codes.
Third party cookies aren't the only thing that's tracking you. You can be tracked by first party cookies, local storage, your IP address, browser fingerprinting and other techniques. GDPR requires websites to get your explicit consent for any kind of tracking.
A lot of users are already blocking third party cookies and that's the default in Safari and Chrome nowadays - but ad companies have moved on.
I don't get it. A public site is like a public store. Do you have the expectation of privacy in a store? No not really. And be sure stores do track you.
> Do you have the expectation of privacy in a store?
Yes, absolutely. I don't have an expectation of having as much privacy as I do when in a private residence with the blinds closed, but I do have an expectation of some forms of privacy.
* The store will not perform a full strip-search of my person upon entering.
* The store will not place a GPS tracker on me as I leave, to determine where I live.
* The store will not have a team of employees with clipboards follow me at all times, making notes of my location within the store.
* The store will not keep a record of my eye movements, correlated against which products are being glanced at.
The problem is that, as technology has advanced, some forms of privacy that used to be protected by impracticality of implementation no longer have that protection. For example:
* The store will keep video record of my visit for a few weeks at the most.
* The store will not analyze video records outside of suspected shoplifting.
* Record of previous purchases is limited to the cashier's memory.
Privacy is not a binary yes/no decision. As technology improves, forms of privacy that were previously protected by limitations of implementation must be protected through other means.
I have the expectation that when I enter a store that the store keeper doesn't sic his minions to sniff after me while I browse other stores and for good measure maybe peeks into my bedroom.
Physical stores don't do that and therefore your analogy breaks down.
They do put electronic advertising screens in front that collect "anonymous" mac addresses. They also put trackers inside the shopping carts to follow you inside the store. The client-card you use during checkout records your name, address and spending habits.
They don't need to sic a minion to sniff after you. The implication of buying condoms and then visiting the hotel only requires correlating three tables.
In this case the agent would be, well, a literal agent. Nobody is requiring your agent to walk around and advertise who you are, to accept every cookie or display an advert on its shirt while walking around the store for you.
For your analogy to be more accurate, any store I walk into would have the ability to look at my behavior in every store, essentially in perpetuity, and share/sell that information. Feels like something you should at least have to opt into.
Visa only tracks purchases. Surveillance ad tech can track literally everything your browser is doing. Did you go to Reddit today, what subreddit, what posts, who did you reply to, etc. Or, did you visit a porn site today, or a dissident political site, or a marketplace for abortion drugs that are illegal in your state. There is no meatspace analog; the comparison is absurd.
Visa tracks did you purchase porn, did you buy something from Infowars.com, did you buy abortion pills, etc. That's only one source for data that advertisers use in the physical world. You think that's a big difference?
Cookies aren't the only thing involved here. The banners are asking if they can track you and that includes lots of things, your IP is the most obvious.
If I'm honest I never could quite understand the whole privacy kerfuffle about cookies, they ask the user to remember some token and if they so choose send that token back when they visit again. If cookies are a breach of privacy then so are ticket numbers.
Of course the whole issue is that the most popular user agents (i.e. web browsers) did very little to empower users to act responsibly with their cookies. I mean I consider the Cookie Autodelete extension just basic hygiene at this point, just like having a good ad blocker and some kind of firewall/virus scanner.
Watch out what you're agreeing to. Sites can share your email and telephone number with data brokers, if you've provided this info and clicked "agree".
You're agreeing to all — otherwise illegal — tracking they can manage to do, not just some cookies.
Unlike Safari, Firefox doesn’t block all third party cookies by default (because that breaks some websites’ legitimate use cases). Firefox does block known tracking cookies (with its “Enhanced Tracking Protection” Block list) and the remaining cookies are sandboxed to each website (“Total Cookie Protection”), so the Google tracking cookies on foo.com don’t know about the Google tracking cookies on bar.com.
As great as that is I still don't think it will make me hate them any less which is why I love Firefox for trying to address it at the browser level.
As a designer I despise mandatory content blocking modals and each one will still have a new design you have to decipher. Maybe if they clarified some design rules (2 or 3 big buttons with clearly defined text in legible colours/fonts etc) then it would be tolerable.
Regardless making it always have Accept/Reject/Custom is a good step forward, even though fingerprinting and browsers like Firefox blocking 3rd party cookies by default pretty much eliminates their utility.
It should just be a standard browser feature with a JavaScript API. Think of something similar to window.confirm() or a standard based on HTTP headers like Do Not Track. There could then just be a standard setting in the browser preferences and the world could be a better place again ten years from now.
No legal measure prevents your site from seeing the Do Not Track header and automatically rejecting cookies/tracking.
I've only seen a handful of sites do this. Developers inclined to respect Do Not Track seem less likely to add tracking anyway, in which case you also don't need the banner.
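The rules the thread lays out (DNT: 1 is an objection, the absence of DNT is not consent, and consent only counts for the specific purpose it was given for) can be applied server-side in a few lines. The following is an added example, not code from any commenter or from the sites discussed; the header map being lowercased, the first-party cookie name `consent`, its JSON shape `{"analytics":true,"ads":false}` and the sample requests are all assumptions I constructed here.

```javascript
// Added example (not from the thread): a first-party consent gate that applies
// the thread's rules to one incoming request before any tracking code runs.
// Assumptions (mine): request headers arrive as a lowercased name -> value map,
// explicit choices live in a first-party cookie named "consent" whose value is
// URL-encoded JSON such as {"analytics":true,"ads":false}.

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Read the stored consent record. Missing or unparsable => null (no consent).
function readConsent(cookies, cookieName = "consent") {
  const raw = cookies[cookieName];
  if (raw === undefined) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(raw));
    return parsed && typeof parsed === "object" ? parsed : null;
  } catch {
    return null;
  }
}

// Decide whether non-essential processing for `purpose` may run. In order:
//  1. DNT: 1 is an explicit objection: deny regardless of any stored record.
//  2. No record (or an unparsable one) is the default state: deny.
//     The mere absence of DNT is never treated as consent.
//  3. Only a recorded `true` for this specific purpose allows it.
function mayProcess(purpose, headers, cookieHeader) {
  const dnt = String(headers["dnt"] ?? headers["DNT"] ?? "").trim();
  if (dnt === "1") return { allow: false, reason: "dnt" };
  const consent = readConsent(parseCookieHeader(cookieHeader));
  if (consent === null) return { allow: false, reason: "no-consent-record" };
  if (consent[purpose] === true) return { allow: true, reason: "explicit-consent" };
  return { allow: false, reason: "purpose-not-consented" };
}

// Constructed sample requests (values are made up for this example).
const SAMPLE_REQUESTS = [
  { name: "banner never answered", headers: {}, cookie: "sid=abc123" },
  { name: "DNT set, consent stored", headers: { dnt: "1" }, cookie: "consent=%7B%22ads%22%3Atrue%7D" },
  { name: "analytics only", headers: {}, cookie: "consent=%7B%22analytics%22%3Atrue%2C%22ads%22%3Afalse%7D" },
];

for (const r of SAMPLE_REQUESTS) {
  console.log(r.name, "-> ads:", mayProcess("ads", r.headers, r.cookie).reason);
}
```

The gate is deliberately deny-by-default: the only path to `allow` is a stored `true` for the exact purpose being asked about, which is what makes "reject all" and "never answered" indistinguishable from the tracking code's point of view.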
There's also nothing stopping a website from showing a cookie banner, getting a user who clicks on "no cookies" and tracking that user anyway. Making the user click a button was always a dumb solution.
There's also "nothing" stopping you from taking whatever you want from the grocery store without paying.
Sure, shady surveillance-based businesses can still pilfer your information and sell it to illegitimate businesses regardless of the legality. But it being illegal will stop the vast majority of wanting-to-be-legitimate businesses from collecting it, and prevent the largest group of threat actors (insurance/credit/etc) from using it.
It doesn't have to do with the distinction between DNT and cookie nags.
I was responding to this: "There's also nothing stopping a website from showing a cookie banner, getting a user who clicks on "no cookies" and tracking that user anyway". You seemed to be implying that since a website can technically ignore a user's (lack of) consent regardless, that the popups are unnecessary. But legally, the concept of consent is very significant.
The popup mechanism itself isn't designed for you. I do agree that honest businesses don't need "consent" nag walls, as nobody actually wants their personal information datamined as a feature. But the actual dynamic is that these businesses are trying to preserve the status quo of user surveillance by obtaining fig-leaf consent. And the "best" way to do this (from their perspective) is an obtrusive nag wall that makes it easier to submit rather than reject (whether by accident or through attrition).
So nag walls are just a similar user-hostile solution just like surveillance based advertising itself. And the main way the dynamic of malicious compliance will go away is further enforcement, although I fully support technical solutions that delete nag walls as well.
In fact yes. But if some dev is treated badly by that website and they know about this, they can direct legislators to that site saying it's illegal. And in this case that website has problems.
But does that site have more problems than if they were ignoring the DNT bit? I'm not sure how we got so far off-track, but that was how this discussion chain started.
maybe, but there are different ways to deal with infractions. Fines and blocking are among the first, but I'm sure govs will do everything possible to get some money in some way if they can
No, it has very much also accomplished the task of showing you in (literal) big bright banners which websites have complete disregard for your data. If a website goes to great lengths to trick you into giving away your data, that’s a fantastic sign you should leave and never come back.
No it doesn’t. It shows you which websites are big enough to be a target and/or to have entire regulatory compliance teams that are spooked by the threat of a revenue fine to invest enough resources into implementing a horribly bad UX just to dot their “i”s.
There’s nothing in the regulation that says the UX has to be bad; quite the contrary!¹ That’s the point: the harder a service goes out of their way to make the data collection UX bad—which is harder than making it simple—the less they care about you.
In addition, legitimate cookies to provide a service don’t require consent.²
If you’re annoyed at the EU instead of the websites, you’ve played right into the hands of the people wanting your data for illegitimate purposes. Every time you agree to a bad cookie banner you validate their shady practices and make the web worse for everyone, including yourself.
There are also other, less visible accomplishments. I've been on the inside of companies doing a GDPR data compliance check, and for some data stores, simply deciding that this one is not the "system of record", that its data passes beyond usefulness, and setting a time-to-live of e.g. a month or a year, so that data about user actions is not retained beyond that.
This _absence_ of retained PII ( https://gdpr.eu/eu-gdpr-personal-data/ ) that has been encouraged by GDPR will inevitably make some breach somewhere less severe, but "what could have happened but did not" is not a visible accomplishment.
Thinking that it's all about your cookie banner is shallow, dismissive and egocentric.
Yes, because getting cancer from smoking is the same as having cookies in your browser. What a completely asinine argument, even if it seems to be very popular these days.
"Oh you are against x regulation? Yet you aren't against mandatory seatbelts or warnings in cigarette packages, or child labor laws! Curious!"
Like you realize that it is a pretty self defeating argument, since you are inadvertently saying that any regulation is a slippery slope to another one. Which thankfully isn't the case, and people can actually form an opinion on individual laws (and even disagree with them!) even if they are in favor of other regulations.
You gravely misunderstood the point of the analogy. The issue at hand isn't regulation, because nothing is being regulated, so there's no slippery slope. What cookie warnings and cancer warnings have in common is that they make transparent, to you the consumer, what a company or product is doing to you. You can still do it and opt into everything. It's no more regulatory than a nutritional table on a package of food.
People sometimes then have the weird reflex to blame regulators for making explicit what garbage they're being fed, when you should take it up with the company who is actually responsible for vacuuming up your data.
Well, this new specific detail of the law should get everything in order. Ignoring the banner means refusing tracking. This was already in GDPR but not directly stated. So, in the near future, banners should disappear in their current form.
There really needs to be some kind of addition to the law that says "Should the user have GDPR_COOKIE_CONSENT=REJECTALL, the site should act as if the user manually rejected and objected all." The fact that third party vendors are having to produce workarounds for this reeks of the kind of American tax system that insists on taxpayers manually filling out their taxes.
"Disable cookies" was an option in the very first web browsers, so no, there doesn't need to be any addition to the law. You can disable cookies any time you want. Just don't cry when it turns out that you actually love "tracking" and need it to work for your web experience to be any good.
Here's the thing, kiddo. For most of the time, I'm quite content with disabling Javascript and cookies altogether since it also disables subscription popups and other inconveniences when all I want to do is read an article. When you click "Reject All", you aren't rejecting literally every cookie, otherwise how would it remember that you've rejected all? Instead, "Reject All" is shorthand for "Reject all cookies that aren't strictly necessary." You are simply being obtuse. Do you also froth at the mouth whenever someone says "Universal healthcare is free"?
I do in fact froth at the mouth when people say universal healthcare is free! You know me so well already :)
Fundamentally, standards as vague as "legitimate" or "necessary" shouldn't be a part of law because they are so subjective. What do you say to the executive who says that without the advertising the company will go bankrupt, and untargeted ads earn no money? That her company is not necessary? That her business is "wrong" in some way? That customers are wrong for not wanting to pay? It's ludicrous that such a situation can ever arise.
You do realise that vagaries are written into the law all the time? What do you suppose cruel and unusual punishments means? Or unreasonable searches and seizures? Or just compensation? Or a speedy trial? Or excessive bail? Etc. These are all subjective.
And those are not surprisingly some of the most vicious and fought over parts of law, which are only tenable at all because of hundreds of years of case law which refine them. Most of the time lawmakers do try to be precise about what they mean which is why law is so voluminous and why you so often need lawyers to help understand it.
Good law is precise. Bad law isn't, regardless of how convenient it may be for the lawmakers to be vague. The existence of bad law doesn't justify the further propagation of it.
Could you please provide some examples of "most lawmakers try to be precise" before claiming that? And secondly, I object that good law is precise. I mentioned in another comment that the copyright tradition for continental Europe forbids by default any new methods of culture (eg, the invention of the internet), that the law needs to be changed to specifically allow it. You think we should do that for everything because good law is precise? I think good law is legible, not necessarily precise. Something that the average person can interpret is far, far better than something thousands of pages long because you must enumerate everything otherwise it's vague.
Do you recognize at least how circular this argument is? "Technical necessity for certain purposes", purposes like offering a service, which is the reason the business is necessary for the people who use it?
The irony that I have to click through one of the ultra-shitty agree/learn more cookie popups just to read this article. Maybe if GHacks didn't comply with the legislation in such a user hostile manner, browser developers wouldn't have to waste time on such features.
Most of the big German news sites require you to either accept ads, or pay for a subscription.
It is sadly perfectly legal afaik. Nobody is entitled to your content without agreeing to some terms. Luckily, archive.is works very well. Wish there were more alternatives.
Would be totally fine if they weren't indexed, linked and summarized in a way that makes them indistinguishable from open web pages, until you click on them.
Certainly at this point anybody serious about wanting to give Google special access through their paywall would allow based on the published IP blocks [1] and not an easily spoofed UA header.
GDPR does not allow forcing you to get a consent by preventing you from using the service:
"Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
Since GDPR clearly does not consider ad-tracking cookies as "necessary for the performance of service", this should be against the spirit of the law. I guess it's up to the BfDI and relevant state-level commissioners to prosecute this and I don't know what their stance is, but this type of behavior does not seem compliant.
Of course, there are many other types of non-compliant behavior. Most cookie banners out there make rejecting cookies harder than accepting, and there are many cookie walls that block you from accessing the site at all until you dismiss them. These are clearly non-compliant, but prevalent. Even oversized or disruptive banners that goad you to click "I Agree" in order to dismiss them, cannot be considered as "freely-given consent".
They aren't preventing you from using the service. You can consent to the cookies, or also choose to pay.
Which of course requires an account, which requires a cookie, which is then tied to your payment details, and therefore far less private than ads, but that's GDPR for you. A nonsensical law in which nobody involved thought anything through.
No, it cannot, that’s explicitly not what legitimate interest is about. If that’s the way it’s playing out in Germany then that’s sad, but that’s a problem with the national regulator. Other regulators are dropping the ball on enforcement so it doesn’t surprise me, but that is expressly not legitimate interest.
Legitimate interest is things like a legal requirement to maintain PII because of the services offered.
In Italy the privacy authority is looking into it as well [0], but they also said that at first look the "cookie wall" is "in principle" not incompatible with the GDPR.
Interestingly, browsing to your example link with uBlock Origin blocking all javascript by default I get a page that looks like indexes to articles. Clicking on one gives me what appears to be the full article. As I can not read German, I pasted part of the text into google translate, and yes, it does appear to be the full article text.
So for at least that site, it appears that all of the 'protection' is provided by javascript, and if one does not allow the javascript to execute, one receives the article content. There also does not look to be much in the way of ads with the javascript blocked as well.
They should make Ultra have a limited time countdown, to stress people into FOMOclicking.
But of course, for maximum trap potential, we need to find a wording such that Premium is the option without, while Ultra tracking and Basic tracking should both do roughly the same amount of tracking (modulo not really relevant details). With a sufficiently discouraging wall of text, a bad UX, and a limited time option, no one would spend the time to figure out they need to click the middle option.
(This tweet brought to you by our sponsor, Moloch.)
Not OP. I've been using NoScript until today, works as expected of course, but the hassle to have to enable specific scripts to make a useful website work outweighs its usefulness for me.
There's "NoJS", an extension where you can enable all JS through a switch, but it doesn't handle iframes very well at the moment.
> but the hassle to have to enable specific scripts to make a useful website work
You only have to do this once per website, so (unless you've already uninstalled it) you've already done the hard work time investment for the sites you visit most often.
And there is even worse: sometimes the “partner” list does not have a reject all AND each partner requires two click steps, waiting for an animation in between.
> I agree, sites shouldn't be doing the things that require showing one
Like what, showing ads? Collecting payment from the user in lieu of ads? I wonder what website you're imagining that doesn't do something that requires a cookie consent popup. GeoCities, maybe?
It's perfectly possible to show ads without collecting data about your users; printed publications have done it for ages. Currently the big players are very heavily pushing for a model with ridiculous levels of user tracking (to the point that many people believe ads and user tracking are inseparably connected), but that doesn't mean it's the only possible model.
Print publications give their advertisers detailed demographic data collected via surveys and other techniques. The idea they don't collect data about their readers is wrong.
So sites need to have their own in-house advertising platform, I guess, because all of the major advertising platforms assume that they'll be able to keep track of how many unique ad views they're getting.
This is the same Europe that's trying to implement blanket surveillance of all chat communication. Just, you know, by the way. To illustrate how much they actually care about your privacy.
Any popup or obstruction is cancer, cookie consent or otherwise.
We need the same approach as for ad blocking. Just remove the crap from the DOM tree. Block the tracker cookies, based on curated blacklists or heuristics, or both.
We need to take back control of our devices, not leave it to every single website to hopefully obey some law.
Cookies are by far not the only option for tracking.
Banners, yes, should be blocked from the DOM if you care, because by GDPR law no response means refusing.
There's a major difference between a two button UI with a clear "I refuse cookies" screen, and a screen where you first need to click "Learn More", then manually toggle 5 toggles about what you don't want to allow, then click the greyed out "View our partners" button, then block all of those. The second one is definitely extremely user hostile.
...and let the world wide web stop torturing me. I have a nice button that clears cookies and websites can't do anything about it. This whole dance is stupid.
It's easy enough to block cookies with an extension, but I'm sick of wasting time clicking the damn banners.
This should be controlled by the browser not the site. Let the site do whatever it wants to try to track, but let my browser do whatever it wants to prevent that.
I honestly appreciate this bit of twisted propaganda. It's like you put up a barbed-wire fence with a gate in it, and people objected to the barbed-wire fence, so you put up a 1 meter brick wall that people have to climb over. Whenever people complain about the wall, you say "Hey, the fence had a gate in it! But nobody wanted to play ball..."
But incognito will not save you. Your browser can be fingerprinted even in incognito. That's why gdpr exists.
Also it's strange how your default proposed flag is in favor of tracking. Why not have a flag that is defaulted to notrack:true instead?
Sigh. Because OP doesn’t give a fuck. It’s right there.
You’re proposing DNT flag. We’ve been there, done that, it failed.
Pragmatically, the opposite flag has a better chance of being adopted, because it aligns incentives - both parties get what they want: the website can track me (and really: some people don’t give a fuck and don’t need lectures on the wrongness of their ways), I get less annoying UI.
Keep in mind the cookie law doesn't just apply to browser cookies, but to other kinds of fingerprinting too. Your proposal would let you be tracked in a persistent way through canvas, localstorage and other forms of entropy easily retrieved from your browser that deleting cookies will not help against.
"Clear cookies" clears local storage, indexeddb, and the other obvious places. Of course that leaves evercookie-type tracking, but the folks using those techniques are not likely to care about consent. And frankly you'd be better off just simply banning those techniques outright. Or better yet, make them impossible in the browser in the first place.
The "can I track you?" question does not add value.
Fuck the law. Defend yourself with technical measures that actually work. You wanna make a law that helps? Give safe-haven protections to Tor exit nodes.
Honest question: why is cookie management done by the sites instead of the browser? There's something wrong with the way this is all designed if we're relying on the websites, which have an obvious conflict of interest, to manage which cookies are necessary and which are frivolous.
Because this is malicious compliance by websites. They are attempting to annoy people into clicking the easiest button, which is always the "store all my data, spam me at will" button.
And then the second is: browsers don't really know the purpose of any particular cookie, or how much the user actually wants it or not. Due to how cookies work, they really have no way to know. Cookies are not standardized enough.
Cookies could be standardized/semantic, by name or by another cookie's name (of course, there could still be violations if any part of a cookie's value is opaque).
If you had that you could (and I think this is GGP's point) have settings in the browser similar to phone privacy settings: allow cookies for (login || place || shopping cart || etc)
I mean, you can turn cookies off in your browser settings, but the browser doesn't have a good way to differentiate between a cookie that keeps you logged into something and a cookie that tracks you to show ads.
Sure, but the vast majority of websites where I see these cookie prompts aren't even websites I'm logging in to in the first place... often they are websites I am not sure you can even log into at all. I get that if I want some kind of fine-grained cookie handling for websites that are legitimately using cookies for something I need to rely on them, but that initial "do I want this site to get cookies at all?" is almost always "no" and I should not have to rely on them for it.
This is pretty "easy" in Chrome, at least for a definition of "easy" that I'm comfortable with.
For more than ten years I've had all cookies turned off by default in Chrome's site settings, and I click two buttons when visiting a site if I want to allow it to store data on my machine. That allowlist is persistent so I don't have to think about it again.
> Sure, but the vast majority of websites where I see these cookie prompts aren't even websites I'm logging in to in the first place... often they are websites I am not sure you can even log into at all.
Cookies for managing logins are explicitly allowed by the GDPR. If you get a cookie choice prompt when visiting a website, it is an indication that the site is placing "advertising/tracking" cookies, for which the GDPR does require consent.
I would assume because either the appropriate solution (to have the settings in the browser) wasn't proposed due to a dearth of technological competence in politics or the ad lobby pushed for each site to present its own in some poor attempt to pretend to provide "consumer choice".
Aside from the other things people have mentioned, GDPR prompts (unlike typical ePrivacy Directive prompts before that) don’t only apply to client-side stuff.
Without obtaining consent or having a legitimate (i.e. functional, not economic) reason, the website operator cannot collect server-side logs or fingerprints either. Or they might not need consent to collect data (e.g. remember your purchases for refunds) but do need it to disclose that data to third parties (e.g. to feed the purchases into a recommendation engine... or, let’s be real, an advertisement profile).
None of this nuance is enforceable browser-side. It could in theory be communicated in machine-readable form by the browser, such as with a DNT header, but before somebody sues over that I doubt it’s going to be honoured.
(I remember that the SameSite cookie proposal had a follow-up, even more web-breaking same-origin-policy cookie proposal. That’s probably the most meaningful thing you can do client-side. But it had seemingly died when FLoC did, and I can’t find it now.)
While browser cookie UI has been historically bad even for developers, I don't see how a browser's cookie UI could do what these menus do.
For example, load StackOverflow in Chrome incognito. It has buttons for "Accept all cookies", "Necessary cookies only" and a "Customize" menu that gives you checkboxes for "strictly necessary", "performance", "functionality", and "targeting cookies" all with a lot of links and explanations.
It isn't just a matter of turning off third party cookies.
The main reason is the web is run via ads which are fueled by cookies. Browsers have no interest in limiting their functionality in any way. It's a deal with the devil kind of thing. Spyware vs. free web.
The EU is planning to do just that. The new ePrivacy Regulation is currently in trilogue negotiations, and should go into force between later this year and 2025.
> the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies that improve internet experience, such as cookies to remember shopping-cart history or to count the number of website visitors.
Super, so we can get rid of all banners then. Because ad tracking cookies absolutely improve the user experience. It's unarguably better for users to see a small number of high quality targeted ads than to see a large number of low quality animated flashy barrel-scraping casino ads, which is what you get when there's no ability to track preferences or interests. And nobody's privacy is being invaded because they aren't linkable to any individual identity anyway.
Given that the EU has now conceded that point, we can finally get rid of this noise and move on. Hurrah!
Now, some of you may disagree with the above analysis, but your analysis is no more valid than anyone else's. EU privacy law is deliberately vague and open to interpretation so you can't complain when someone interprets it the way given above.
Yes, but websites want us all to believe that they just want to put these cookies on our machines to help us with required features but the regulations require this annoying pop-up just so we can use it. A LOT of people still believe this is true and do not understand they are consenting only to being tracked. So re-stating it is only helpful.
Uhm, yes it will? At least that's how laws work no? You make a law, spot problems and adapt it. While(true)
I'm really happy gdpr exists, it just needs more polishing to be user friendly
Or they could have mandated cookie consent but require it to be handled by the browser, not the site (page and server). Define some standardized cookie description format, get it to the browser, and let it handle prompting the user for consent. Any cookie the user doesn't consent to is dropped instead of being stored.
Benefits:
(1) Don't have to trust the site to honor your consent.
(2) Sites won't try dark UI patterns (because they're not building the UI).
(3) More standardized UI because instead of each site inventing their own, they all use the browser's UI.
(4) Less tedium for the user. Browser can let the user choose defaults for the cookie consent dialog. Or define rules to handle certain choices automatically. And, if you can standardize categories (performance cookies, advertising cookies, etc.), then you can apply defaults and rules to those too.
(5) Web developers' jobs are easier. Just maintain and serve a cookie description data file. And of course be prepared to live without certain cookies.
Yes, this is extra work for the developers of browsers themselves. But it would be worth it. And apparently they're already spending engineering resources on cookie consent anyway.
Not honoring "do-not-track" isn't as visible. Sure a site could just do the bare minimum to look like it upholds the law while breaking it, but instead we got tons of user hostile dark pattern filled dialogs that outright screamed "look at us, we are violating the law".
Privacy Policy pages aren't really a solution to this, in my opinion. I don't think they reasonably count towards satisfying "informed consent".
First, because they don't actually inform you of much.
Second, because they're tricky to understand if you're not a lawyer. Most of them mean "you have no privacy", but worded in a way that leads you to think you do.
Third, because it's a bit ridiculous to expect everyone to read them. You'd spend more of your time reading those damned things than the page you want to read -- and you'd have to read them on every visit because they can change at any time without notice.
Better is if sites would just give basic, truthful warnings at the moments where you are making a privacy-impacting decision.
There is no solution to what you want really, which is informed users. Users don't always care to be informed, and shoving a consent dialog in their faces has been a grand experiment that proves this.
I suppose we could require users to take a test to prove that they read the privacy policy. That would be interesting.
I'm not on board with shoving consent dialogs in people's faces. But a nice little warning line next to relevant controls seem like it would be a good idea.
> I suppose we could require users to take a test to prove that they read the privacy policy
That wouldn't really address the main issue with them, which is that they're written in a deceptive manner. I can tell you right now what 90% of them mean: "you have none". But that's not how they read. How they read is things like "we may share your data with trusted partners in order to deliver you a great experience".
They should be written clearly, without obfuscation. If you have none, then that's exactly what they should say.
But none of the ones I've read qualify as "informed consent" because even if they're clearly understandable, they don't fully inform you. They always mention sharing data with partners, for instance, but never say who those partners are, what data is being shared with them, and what those partners are doing with that data.
Unless you know that, informed consent is impossible.
Every privacy policy I've read seemed very sensible to me. Remember that privacy policies are legal documents and they quickly become cluttered with "legal-isms" and verbosity. Sometimes companies will move heaven and earth to make their privacy policy readable at a 3rd-grade level. And you know what? That costs them money and they pass those costs on to consumers, who overwhelmingly don't care about what's actually in the agreement (because they have a fairly good understanding of what kinds of things it says anyway).
Complaining about them seems to miss the bigger picture.
That was the reasoning for DNT being enabled in Internet Explorer 11 by default. (Unfortunately, it coincided with the ad-tracking companies – Microsoft included – only agreeing to honour DNT if it were off by default.)
That seems like it would be a huge win for the public. Is there any good reason this couldn't happen besides the obvious troublesome process of passing laws?
I hate those cookie prompts so much I get Cookie Rage every time they appear. I'd rather be tracked from here to infinity than see another cookie prompt on a site I approved yesterday.
Try adding the EasyList Cookie List[0] to your adblocker to block them all.
It's present in the uBlock Origin filter list settings under Annoyances but not enabled by default. HN readers may also find some of the other default disabled filter lists interesting such as the AdGuard URL Tracking Protection list which strips tracking parameters from URLs.
Note that using this blocker list can actually increase first party tracking if it blocks a properly configured user respecting consent management platform.
Not all consent managers are just forms. Some of them contain enforcement technology and some block lists do not differentiate between the forms and the enforcement technology, even when the consent managers make it easy to differentiate and block individual components.
For example, the manner in which Brave blocks Transcend Consent Manager can increase first party tracking due to Transcend Consent Manager being blocked in its entirety.
If you reject cookies, the site has no way of knowing you have rejected cookies the next time you visit. You need a cookie in order to store the cookie decision.
A rejected cookie preference could be stored client side in local storage and depending on that value you could decide whether to show the cookie prompt.
Directive 2002/58/EC applies to any "hidden information" stored on users' computers. It's irrelevant whether you use cookies or localStorage or IndexedDB. Regardless of what you use to store data on the user's computer, you have to "ensure that users are made aware of information being placed on the terminal equipment", and users must "have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment."
However, the ICO has suggested that saying "I refuse to allow any cookies on my computer" could be taken as implied consent to allow a cookie stating such.
There's no exception for "functional cookies". There's an exception for cookies "strictly necessary" for an "explicitly requested" service. I don't see how remembering you don't want cookies is strictly necessary or explicitly requested. Unless you have a separate optional check for "remember my decision" I would argue that not asking every session would be a violation of the ePrivacy law.
It's good to remember that judges are not computers. They are not required to follow the law to the letter in weird edge cases, especially when that would be against the intent of the law. They are allowed to do that, but not required.
Many common practices are against some particularly pedantic interpretations of the law. Nobody cares, because following the law to the letter would not be in anyone's interests. If an obnoxious asshole decides to really push the issue, and they are not laughed out of court because the judge is an equally obnoxious asshole, the practice may be found technically illegal. There will likely be no consequences, because it was done in good faith with everyone's best interests in mind.
However, the ruling may force the government to change the letter of the law, wasting a lot of time and money that could have been spent for other purposes. All because of some particularly evil asshole.
Do you mean the most restrictive interpretation of the law you can imagine? Because you can't actually know what the letter of the law means in specific cases before a judge rules something.
You can of course try living your life like that, but you'll likely find that it becomes effectively impossible to do anything.
Browsers provide multiple ways to store data like that locally, you don't need cookies. And even if you did, you wouldn't need consent to store that preference.
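As an added example, not code from any commenter or from any browser's feature: a client-side consent record along the lines discussed above, kept without a cookie, holding only the per-purpose decision and no identifier, and treating "no stored decision" as refusal. The storage key, purpose names and script manifest are assumptions made for the example.

```javascript
// Added example (not from any commenter or product): a consent record kept client side
// without a cookie. It stores only the user's per-purpose decision, no identifier,
// so the record itself cannot be used to recognise the visitor. "No stored decision"
// is treated the same as refusal, matching the default-is-no-consent point made above.

const CONSENT_KEY = "cookie-consent-v1";                          // assumed storage key
const PURPOSES = ["analytics", "advertising", "personalisation"]; // assumed purpose names
const RECORD_VERSION = 1;                                         // bump when the policy changes

// Parse a raw stored value into a consent record, or null when there is no usable decision.
// Malformed JSON, a different record version, or non-boolean flags all count as "no decision",
// so a stale or tampered record falls back to asking again rather than to consent.
function parseConsent(raw) {
  if (typeof raw !== "string") return null;
  let obj;
  try {
    obj = JSON.parse(raw);
  } catch {
    return null;
  }
  if (!obj || typeof obj !== "object" || obj.version !== RECORD_VERSION) return null;
  if (!obj.decisions || typeof obj.decisions !== "object") return null;
  const decisions = {};
  for (const purpose of PURPOSES) {
    // Only an explicit boolean true grants a purpose; anything else is refusal.
    decisions[purpose] = obj.decisions[purpose] === true;
  }
  return { version: RECORD_VERSION, decidedAt: obj.decidedAt ?? null, decisions };
}

// Persist a decision. Unlisted purposes are recorded as refused, so "reject all" is `{}`.
function saveConsent(storage, granted, now = new Date()) {
  const decisions = {};
  for (const purpose of PURPOSES) decisions[purpose] = granted[purpose] === true;
  const record = { version: RECORD_VERSION, decidedAt: now.toISOString(), decisions };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return parseConsent(storage.getItem(CONSENT_KEY));
}

const rejectAll = (storage) => saveConsent(storage, {});
const acceptAll = (storage) =>
  saveConsent(storage, Object.fromEntries(PURPOSES.map((p) => [p, true])));

// Show the prompt only when no valid decision exists; a stored refusal is remembered too,
// which is the case a cookie-based "remember my choice" would otherwise need a cookie for.
function needsPrompt(storage) {
  return parseConsent(storage.getItem(CONSENT_KEY)) === null;
}

function isAllowed(consent, purpose) {
  return consent !== null && consent.decisions[purpose] === true;
}

// Gate script loading on the record: first-party "necessary" scripts always load,
// everything else only with an explicit grant for its purpose.
function scriptsToLoad(scripts, consent) {
  return scripts.filter((s) => s.purpose === "necessary" || isAllowed(consent, s.purpose));
}

// Constructed sample script manifest (hostnames are placeholders, not real services).
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", purpose: "necessary" },
  { src: "https://analytics.example/collect.js", purpose: "analytics" },
  { src: "https://ads.example/tag.js", purpose: "advertising" },
];

// In-memory stand-in for window.localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

// Walk-through: fresh visitor -> prompt shown; after "reject all" the prompt is gone
// and still only the necessary script loads.
const demoStorage = new MemoryStorage();
console.log("prompt on first visit:", needsPrompt(demoStorage)); // true
const demoConsent = rejectAll(demoStorage);
console.log("prompt after reject:", needsPrompt(demoStorage));   // false
console.log("scripts loaded:", scriptsToLoad(SAMPLE_SCRIPTS, demoConsent).map((s) => s.src));
```

In a real page `new MemoryStorage()` would be replaced by `window.localStorage`, and the gated scripts would be injected only for the entries `scriptsToLoad` returns.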
StackOverflow has never once remembered my choice. It's the website that frustrates me the most because I felt like they had a lot of goodwill with me and now it's just gone.
I haven’t (intentionally) used Stack Overflow in at least a decade. It was good in the early 2000s, but rapidly became overrun with obvious “give me theee codez” questions, while anything interesting got locked by mods for whom Wikipedia deletionism isn’t enough of an outlet for their inner Karen.
Not really. I would answer it, accepting all cookies, cakes and whatever just leave me alone. Then, the next day, I would open the same site, and they will ask me again. This is not just on one device - it's on all of them, and everywhere.
Some are really bad - Admiral requires me to either accept all (hundreds of cookies) or press one link, open a form, then accept a default selection. Some also present me with a confirmation popup. Some I have to stare at for a moment to see where is the puzzle to solve - where is that button.
You are likely keeping all your cookies which is a huge privacy problem. If sites remember who you are between sessions then of course they can track you. With addons like Cookie AutoDelete this doesn't happen.
If security conscious it would be recommended to also use disposable VMs for browser sessions like with Qubes OS. Otherwise, with persistence like you describe, it's crazy to me that one bad click could so easily compromise you forever
I still smile sometimes at the pop-ups. I mean, you can try and store a cookie. I'm still gonna automatically delete it in a few minutes.
This never needed a legal solution in this form. Browsers should just not accept cookies, unless the user explicitly wants something stored on their device. That might have been better to legislate. Software on a user's device should not store or enable tracking by remote services, without disclaimer.
With a purely client-side solution how do you stop a company using the same identifying token for basic session management and invasive tracking/data gathering?
Tracking a single session doesn't really worry me and I seriously doubt any law will stop it. What we want to do is prevent them correlating two sessions. With FF in full defensive mode. No canvas, restricted JS, deleted cookies I can at least make it hard for them.
But.. what if it asks to allow tracking based on your internet provider? Then the provider delivers who you are automatically instead of anything you control.
Rejection is required to ensure that for functionally required cookies (e.g. session cookies when logged in) you refuse permission to use them for any other purpose, and that you refuse permission to use any of the many non-cookie tracking methods.
Tracking probably won't go away if you remove client side cookies - it will just move server side (think a new server-side google analytics) and to more aggressive client fingerprinting.
I mean, I am pretty sure (have seen first hand) that this already happens regardless of whether client cookies are enabled. There's so many other (good?) ways to track users beyond just a cookie.
As far as I know the law only applies to tracking cookies, I’m not sure if the browser can distinguish those from normal ones so it has be done via the law. Asking for consent for any kind of cookie whatsoever would be a bit much
All this focus on cookies is entirely missing the point of regulating user tracking online. Adtech is ten steps ahead of this, and can track users whether they accept cookies or not. It's an illusion of choice that muddies the discussion of topics that really matter.
There should be more congressional hearings of adtech representatives, with legislators who are technically equipped to grill them on all details of their business, and how it affects the population.
Unfortunately, given how most legislators are technically illiterate at best, and financially corrupt at worst, nothing of value for the people has so far resulted from these hearings.
I'm hoping that in the coming decades, as younger generations get in government, this will improve. We really need much stronger regulation for Big Tech, just like we have for Big Tobacco, Oil, Pharma, et al. Hopefully this will come sooner than the point when the harms from its long-term effects are fully understood.
> Certain regulations, like the GDPR, the General Data Protection Regulation, by the European Union, require that sites get consent for placing cookies and data on user devices.
Well, that is bullshit. GDPR requires that you have some form of legal basis for storing cookies. Consent is the last ditch effort if you were not able to find any other justification. So nearly by definition, denying that consent is in the user's interest.
I think there is some other EU regulation that requires cookie banners. But don't blame it on the GDPR!
The website should ask your browser, which should ask you for permission to store cookies beyond the length of the session, as it does for your location / camera access.
Reading a lot of really good, insightful comments in this thread I have come to this conclusion: It's just another arms race. Like spam, CAPTCHAs, user engagement, and ads. There is no permanent solution and there cannot be because there are innovative humans (and now their ML tools) on both sides of it. All "good" solutions will be temporary, and laws are only as good as their enforcement.
Clicking "reject all" isn't sufficient though. In many cases you need to go into some sub-tab and click "object all" to legitimate interest, or even uncheck a bunch of individual checkboxes that default to on.
This is applied for purposes such as "build a personalized profile", "show personalized content" and "show targeted ads" so I have no idea what the cookie dialog is supposed to prevent anymore... clearly the original purpose has been rules lawyered into oblivion by amoral scumbags.
But if they don't handle this, they're just going to blindly opt people into a bunch of stuff you'd expect to be opted out of.
It's all so silly. The simplest solution would be to have a standard cookie (and/or API in javascript) that everyone can access which declares your preferences. Instead we have these multiple rounds of complexity.
There's no auto-accept feature? I still wouldn't use it, or Firefox, because that kind of automated interaction seems unreliable, but I really don't want auto-reject breaking stuff.
The law that triggered these banners already mandates that the website may not reduce functionality if the user rejects the cookies. Functionality-tied cookies are already exempted from the acceptance requirement.
These banners are the most-user-hostile possible response to the law, so it makes sense to automate getting rid of them.
Not everyone actually follows the law though, sometimes they mix in essential cookies and you have to click through a bunch of layers to turn them off without turning off essential ones.
I wouldn't be surprised if they find some way to defeat this in a not quite legal way and break stuff for people who use it.
That's not true. Directive 2002/58/EC explicitly says that it's fine to condition use of websites upon acceptance of cookies:
> Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.
I never accept or reject cookie banners - I just delete them, using uBlock Origin. This works out fine, basically all the time, so far as my experience goes.
I also use NoScript. The cookie banner of ghacks didn't show either because I uBlocked it time ago or because it was displayed by a script that didn't run.
This whole thing is not about cookies, it is about extracting value from a website's users. If a website has only necessary functional cookies, it is not obliged to get a user's consent. So if you see a cookie consent popup, it is 100% the website trying to persuade you into giving away some of your rights. Recently I developed a habit to just close the tab with those annoyances (including the one this thread linked to).
Honestly I've been using the "I don't care about cookies" extension for several years now, and I can't live without it (same with an ad blocker). I've even switched from Chrome to Kiwi Browser on my Android (it's a Chromium flavor that supports extensions), just for that purpose.
Thanks for the tip. Apparently, "I don't care about cookies" has been bought out by the spyware vendor Avast, so people don't trust it anymore. There's now a de-bloated open-source fork "I still don't care about cookies" instead.
Ironically the linked article shows content blocking modal without easily available option to reject all cookies. Go Firefox!
All this cookie banner nonsense could have been solved years ago by implementing a simple standard of setting your privacy preferences right in the browser.
Honestly those are more like gimmicks from an advanced user standpoint as the I still don't care about cookies extension does the job just fine as far as I'm concerned, and while this may indeed make a good headline or feature I think development may lack emphasis on the core of firefox and what makes it a good browser.
Cool feature, but is it necessary to interact with cookie prompts at all? I feel that simply blocking the tracking and the cookie prompts seem like the best solution here.
And I get a nice big cookie prompt when I open up that site. The web is broken. And it follows the dark pattern approach. I’m not even gonna read it. Blacklisted.
Okay so what if I actually want cookies? I notice Firefox’s feature will reject cookies. But I am so sick of having to log in to websites every 15 minutes because the site forgot who I am or otherwise running into silly bugs because nobody tested the site with cookies turned off. I honest to god just want to go back to the internet before GDPR and want to tell Firefox to just allow all cookies rather than reject. I care about privacy but I don't think cookie consent is the solution.
I think the solution lies in somewhere in the realm of legally limiting the ability to profit off of the sale of collected data or even collect data without my consent. I don’t care if snazzy.app wants to collect product analytics and marketing data when I’m on their site. I consent to that by navigating to snazzy.app. I do care if snazzy.app embeds cambridge-analytica.js, though. And cookie consent banners simply don't address this nuance. What we need is control over where the data goes and if it crosses property/origin boundaries.
Why didn't the law prescribe an API for the cookie updates to begin with? It could have been a first class feature of the browser, and then maybe it would actually be used as intended.
I'm pretty sure this is against GDPR, it requires explicit choice from the user
Users should decide themselves what to filter, so the bad actors with aggressive cookie policy gets automatically filtered out over time
I was looking for a recipe last time, I googled what I wanted, clicked the 1st link, bunch of popups for cookie/ad, I immediately hit "previous page" then I checked the next link, I bookmarked the one without fuss
It is not. The GDPR requires websites to obtain explicit consent to misuse your data. The default state is an absence of consent, so such an addon doesn't change anything.
As muyuu said, Brave has been on this for quite a while. Why is it not a more popular browser with infosec-focused people? I'm certain I'm missing something.
> the absence of any option for refusing/rejecting/not consenting cookies at the same level as the one provided for accepting their storage constitutes a breach of the legislation [0]
GO Europe GO !
[0] https://www.cnil.fr/en/edpb-adopts-final-report-outcome-cook...