> the absence of any option for refusing/rejecting/not consenting cookies at the same level as the one provided for accepting their storage constitutes a breach of the legislation [0]
On one hand, this was required from the beginning (this is just a clarification of original intent, not a change or addition)
However it's deeper since the popups we see today were never recommended nor required by the original regs. The laborious nonsense we endure was invented by websites as a workaround for the regs. So it wasn't obvious that consent parity would ever need to be clarified like this because it wasn't even obvious that the industry would come up with such an awful popup pattern to begin with (though in retrospect we should've known I guess).
The fact the popups were never even compliant anyway is just a combination of wilful ignorance, dark patterns, consulting companies wanting to sell something and - yes - an added set of people innocently misinterpreting regulation.
You're still thinking of it exclusively in terms of frontend web development (consent popups) whereas the original regulation was largely concerned with reducing data collection by the business in general, at a backend/database level & even things like manual in-person/on-paper collection.
The frontend content screen component of the whole topic was something that emerged afterward as businesses' attempt to get away with continuing rampant unfettered data collection.
To add to this, the law allows for data collection for a bunch of reasons. However, it intended to put a stop to a lot of data collection practices that were not to the benefit of the user, and informed consent is an exception to still allow for that, but only in the case that the user is actually actively OK with it. But of course, companies then started harassing users to make them agree, and the narrative arose that the EU "forced" them to do it.
This is nonsense talk. How do you differentiate between compliance with the regulation, and a "workaround" to the regulation? I guess it's at each of our discretion, right? It's subjective? Or are they the same thing? You can keep calling them "workarounds" but that distinction only exists in your own mind.
The rules are very clear: if you collect personal data¹ for other purposes than legitimate interest you need to give people an easy choice to deny that collection and the service should not be worse because of it.
I think you're misunderstanding what the poster was talking about. You're taking "the popups we see today were never recommended nor required by the original regs" to mean that the popups have become something that wasn't intended by the regulation (but the regulation did require popups).
I think that the poster was saying that the popups themselves as a concept were never recommended nor required by the regulations.
The regulation required informed consent. Nobody ever said it has to be done with popups. This is what people ended up doing afterwards.
Only when deceptive patterns became clear did the EU make clear that allowing one simple "ok" option and a million convoluted ways to say "no" does not result in informed consent.
Whether you use a popup or hide it in a menu with the default of not tracking does not matter.
Yeah I guess the word "require" has a few interpretations. The regulation didn't explicitly require popups, it required user consent IFF a company wants to collect/process/sell data the company doesn't need, but the intent was that companies would not do this, with consent being the exception, and the mechanism of consent was neither prescribed nor a focus: it certainly wasn't annoying popups per reg.
It's a workaround if a website manages to make users accept cookies that they would otherwise refuse just by making it so inconvenient, UI-wise, to refuse them.
The limits and edge cases on this may be subjective but then again so are most laws.
Many people sadly have this mindset that if something is not explicitly and comprehensively spelt out then anything goes, therefore any complaints about bad implementations are purely on the regulations for not being explicit and comprehensive enough. Now, obviously, there's SOME truth to this, but too often people think in black and white.
I often think it usually goes the other way. If a regulation is too specifically defined, it often ends up having gaping holes and other issues.
Most of our longest standing torts and crimes have subjectivity right at their core, and I'd argue that's not a coincidence but survivorship bias.
The world just isn't black and white, and attempts to legislatively render it so inevitably cause problems (though, obviously, too much subjectivity and something becomes uselessly vague; it's a tricky balancing act for sure).
Depends on the legislative culture. For example, from the Copywrongs talk from now Felix Reda:
> The other legal tradition underlying the EU copyright system which is the continental European tradition of droit d'auteur (or Author's Rights). In this system, the authors of cultural works have certain inalienable rights that they cannot sell to a right holder. And, importantly, the exceptions to copyright, the interests of the public are written into the law. [...] The problem with the continental system is that it is quite inflexible because every time a new technological development comes about, you have to change the law to allow this type of use without a copyright infringement. So every new way of dealing with culture is forbidden by default. - https://www.youtube.com/watch?v=wL_Wxu6x1HU
Whereas other legislative cultures prefer to set a general framework, then leave the details to the Courts and/or to Government ministers.
It was included. The rule hasn't been changed. The interpretation of the rule in one specific case has been confirmed, without having changed the rule. That means that, as written, this dark pattern was always illegal.
I really don't understand how it came to this anyway. The industry is so stubborn. What is not clear here? You should not spy on your site visitors for marketing purposes.
When you join a poll you do so with consent; when a market/social/political research entity invites you to a focus group (for example) you get at least a coffee and a snack, if not real money.
Websites just take this for granted? It's like stealing. It will never stop until the industry gets some understanding of these concepts.
We're talking about the advertising industry here. Calling these companies stubborn is a gross understatement.
This is the industry that perfected psychological manipulation in the pursuit of profits. It's built on decades of research into the best ways to associate brand names with positive feelings, and plant a desire to make a purchase in the subconscious mind of consumers. They will do anything humanly possible to deliver ads to your senses, and they've corrupted every media technology to do so since the existence of public broadcasting.
The internet has just given them the most profitable delivery mechanism, and in turn has made technology companies insanely rich. These adtech giants rule the internet, and can build the playground they need to make ad delivery more efficient than ever. Now these profits can trickle down to website owners, which will in turn take the path of least legal resistance, and employ every dark pattern imaginable in order to maximize _their_ profits.
And if this corrupt business model wasn't enough, adtech companies can perpetually multi-dip by selling the data they collect on shady data broker markets.
So, no, it's not just stubbornness, or lack of understanding. Deceit is built into this industry, and these cookie consent forms are just the tip of the iceberg.
The solution requires much stronger regulation than the GDPR. Unfortunately, this is very unlikely to pass given the influence advertisers have on governments.
Absolutely not. If I see a cookie popup or subscribe modal, or even get interrupted reading with a pop-up prompt I immediately leave the site and add it to my blacklist.
Archive for life.
Free content was around before advertising on the web, this whole 'but they get free content' spiel was cooked up by advertisers.
Static web pages are cheap to host. Very rare is the article on [news site] getting millions of simultaneous hits. But they all want videos embedded everywhere, gifs galore, when all I want is to read their 20 min video in 2 minutes. They want their website hosted on the cloud with every new/hot architecture out.
How many NYT articles are reprints of a Reuters article the NYT then turns into 10 pages with the aforementioned videos etc.?
If the website decides to offer content for free, then it may do so. If not, the website is entirely allowed to put up a paywall, or to display *non-targeted* advertisements. What the website is not allowed to do is mandate payment in the form of private information.
Because the absence of a "DoNotTrack" header does not imply that a user has consented to being tracked, as a user may be using a browser that doesn't support "DoNotTrack". Nor does the setting of a "DoNotTrack" header necessarily correspond to a specific user, as it may have been set by an administrator policy. Nor would it be informed consent, as it is configured before the user has been informed as to the uses for which private data will be applied.
The GDPR requires that consent be informed, explicit, freely-given, and limited to a specific use case. Of these, the "DoNotTrack" header could be at most freely-given. Its design as a binary yes/no that can be configured across all sites prevents it from ever being used as a way to grant permission to track.
While the presence of "DoNotTrack=1" could be used to assume that no permission to track has been granted, this is already the default assumption that the GDPR requires companies to make.
Thanks for that. This game should probably be mandatory for anyone involved with the cookie legislation. If they succeed, they may propose a new draft.
It became painfully obvious over time that the people who drafted the legislation did not think through either the ways malicious compliance could work against their goals or the incentives of all actors in this story.
I think the possible forms of malicious compliance were considered, and are explicitly forbidden by the GDPR. The GDPR requires that consent be freely given, and be as easy to withdraw as to provide. The various end-runs around that requirement, such as redirects on rejected consent, click-through to privacy policy, click-through to a list of 3rd-parties, and so on, are all violations of the GDPR.
They aren't a form of malicious compliance at all, because they aren't compliant at all.
Naively, I'd expect a lot more enforcement action if so many sites were non-compliant. Did the EU create a policy it couldn't enforce, and that's the larger issue here?
From the gradual ramp-up of enforcement, my optimistic view is that they are closing out the deliberate "misunderstandings", establishing precedent for each one. I really should start collecting links as they come out, as they're a pain to track down later, but they've established things like "Targeted advertising is not a legitimate interest for the purpose of Act 6, and requires consent."
Note that "cookie" popups are about tracking, not cookies. If you agree in incognito, they might fingerprint your browser and track you outside of incognito too, since you've agreed.
That's a good nuclear option, but often we don't actually want to block all cookies. What we want is for sites to use cookies in ways that benefit us, but not use cookies to track us. Blocking them all or selectively allowing specifically chosen cookies puts the onus on the visitor to guess which cookies do what or lose functionality. Making the website owner legally responsible for declaring which cookies are for tracking and which provide functionality is a boon.
The person you replied to did not say block all cookies. They specifically said block all 3rd party cookies. If a site wants to set a 1st party cookie, but through code on their end share that cookie data with 3rd party sites, there's nothing we can do about that. But by gawd we can absolutely block the ones that are too lazy to do it like that and just link someone else's codes.
Third party cookies aren't the only thing that's tracking you. You can be tracked by first party cookies, local storage, your IP address, browser fingerprinting and other techniques. GDPR requires websites to get your explicit consent for any kind of tracking.
A lot of users are already blocking third party cookies and that's the default in Safari and Chrome nowadays - but ad companies have moved on.
I don't get it. A public site is like a public store. Do you have the expectation of privacy in a store? No, not really. And be sure stores do track you.
> Do you have the expectation of privacy in a store?
Yes, absolutely. I don't have an expectation of having as much privacy as I do when in a private residence with the blinds closed, but I do have an expectation of some forms of privacy.
* The store will not perform a full strip-search of my person upon entering.
* The store will not place a GPS tracker on me as I leave, to determine where I live.
* The store will not have a team of employees with clipboards follow me at all times, making notes of my location within the store.
* The store will not keep a record of my eye movements, correlated against which products are being glanced at.
The problem is that, as technology has advanced, some forms of privacy that used to be protected by impracticality of implementation no longer have that protection. For example:
* The store will keep video record of my visit for a few weeks at the most.
* The store will not analyze video records outside of suspected shoplifting.
* Record of previous purchases is limited to the cashier's memory.
Privacy is not a binary yes/no decision. As technology improves, forms of privacy that were previously protected by limitations of implementation must be protected through other means.
I have the expectation that when I enter a store that the store keeper doesn't sic his minions to sniff after me while I browse other stores and for good measure maybe peeks into my bedroom.
Physical stores don't do that and therefore your analogy breaks down.
They do put electronic advertising screens in front that collect "anonymous" mac addresses. They also put trackers inside the shopping carts to follow you inside the store. The client-card you use during checkout records your name, address and spending habits.
They don't need to sic a minion to sniff after you. The implication of buying condoms and then visiting the hotel only requires correlating three tables.
In this case the agent would be, well, a literal agent. Nobody is requiring your agent to walk around and advertise who you are, to accept every cookie, or to display an advert on its shirt while walking around the store for you.
For your analogy to be more accurate, any store I walk into would have the ability to look at my behavior in every store, essentially in perpetuity, and share/sell that information. Feels like something you should at least have to opt into.
Visa only tracks purchases. Surveillance ad tech can track literally everything your browser is doing. Did you go to Reddit today, what subreddit, what posts, who did you reply to, etc. Or, did you visit a porn site today, or a dissident political site, or a marketplace for abortion drugs that are illegal in your state. There is no meatspace analog; the comparison is absurd.
Visa tracks did you purchase porn, did you buy something from Infowars.com, did you buy abortion pills, etc. That's only one source for data that advertisers use in the physical world. You think that's a big difference?
Cookies aren't the only thing involved here. The banners are asking if they can track you and that includes lots of things, your IP is the most obvious.
If I'm honest I never could quite understand the whole privacy kerfuffle about cookies, they ask the user to remember some token and if they so choose send that token back when they visit again. If cookies are a breach of privacy then so are ticket numbers.
Of course the whole issue is that the most popular user agents (i.e. web browsers) did very little to empower users to act responsibly with their cookies. I mean I consider the Cookie Autodelete extension just basic hygiene at this point, just like having a good ad blocker and some kind of firewall/virus scanner.
Watch out what you're agreeing to. Sites can share your email and telephone number with data brokers, if you've provided this info and clicked "agree".
You're agreeing to all — otherwise illegal — tracking they can manage to do, not just some cookies.
Unlike Safari, Firefox doesn’t block all third party cookies by default (because that breaks some websites’ legitimate use cases). Firefox does block known tracking cookies (with its “Enhanced Tracking Protection” Block list) and the remaining cookies are sandboxed to each website (“Total Cookie Protection”), so the Google tracking cookies on foo.com don’t know about the Google tracking cookies on bar.com.
As great as that is I still don't think it will make me hate them any less which is why I love Firefox for trying to address it at the browser level.
As a designer I despise mandatory content blocking modals and each one will still have a new design you have to decipher. Maybe if they clarified some design rules (2 or 3 big buttons with clearly defined text in legible colours/fonts etc) then it would be tolerable.
Regardless making it always have Accept/Reject/Custom is a good step forward, even though fingerprinting and browsers like Firefox blocking 3rd party cookies by default pretty much eliminates their utility.
It should just be a standard browser feature with a JavaScript API. Think of something similar to window.confirm() or a standard based on HTTP headers like Do Not Track. There could then just be a standard setting in the browser preferences and the world could be a better place again ten years from now.
No legal measure prevents your site from seeing the Do Not Track header and automatically rejecting cookies/tracking.
I've only seen a handful of sites do this. Developers inclined to respect Do Not Track seem less likely to add tracking anyway, in which case you also don't need the banner.
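An added example, not code from any commenter, of the request-side logic the DNT comments above describe: `DNT: 1` is treated as an explicit refusal that overrides any stored opt-in, an absent or `0` header is treated as no signal at all (it may be unsupported or set by policy, and is not informed consent), and without a recorded explicit choice the site defaults to no tracking. The `tracking_consent` cookie name and its `accepted`/`rejected` values are assumptions.

```javascript
// Added example: resolve tracking consent from request headers.
// Assumed: the site stores the user's explicit banner choice in a
// first-party cookie named "tracking_consent" with values accepted|rejected.
const CONSENT_COOKIE = "tracking_consent";

// Minimal Cookie header parser: "a=1; b=%20x" -> { a: "1", b: " x" }
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Decide whether this request may be tracked.
// Returns { track, state, showBanner }; header names are matched case-insensitively.
function resolveTrackingConsent(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = String(v);
  const stored = parseCookies(h["cookie"])[CONSENT_COOKIE];

  // 1. DNT: 1 is an explicit refusal. It wins over a stored opt-in, so a
  //    consent cookie obtained earlier cannot override the browser's signal.
  if (h["dnt"] === "1") {
    return { track: false, state: "refused-dnt", showBanner: false };
  }
  // 2. DNT absent or "0" says nothing about consent (unsupported browser,
  //    administrator policy, configured before being informed). Only a
  //    recorded, explicit choice counts either way.
  if (stored === "accepted") return { track: true, state: "accepted", showBanner: false };
  if (stored === "rejected") return { track: false, state: "rejected", showBanner: false };
  // 3. Nothing recorded: the GDPR default is no consent, so no tracking.
  //    This is the only case where asking (a banner) is needed at all.
  return { track: false, state: "no-consent", showBanner: true };
}

// Set-Cookie value emitted when the user makes a choice. The "rejected"
// cookie is the one strictly necessary cookie that remembers the refusal,
// so "Reject all" does not mean "forget that I rejected".
function consentCookieValue(choice, maxAgeSeconds = 180 * 24 * 3600) {
  if (choice !== "accepted" && choice !== "rejected") throw new Error("bad choice");
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```

Only state `"no-consent"` needs a banner; a site that wires its tracking scripts behind `track === true` never loads them for `DNT: 1` users, whether or not they have ever seen the banner.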
There's also nothing stopping a website from showing a cookie banner, getting a user who clicks on "no cookies" and tracking that user anyway. Making the user click a button was always a dumb solution.
There's also "nothing" stopping you from taking whatever you want from the grocery store without paying.
Sure, shady surveillance-based businesses can still pilfer your information and sell it to illegitimate businesses regardless of the legality. But it being illegal will stop the vast majority of wanting-to-be-legitimate businesses from collecting it, and prevent the largest group of threat actors (insurance/credit/etc) from using it.
It doesn't have to do with the distinction between DNT and cookie nags.
I was responding to this: "There's also nothing stopping a website from showing a cookie banner, getting a user who clicks on "no cookies" and tracking that user anyway". You seemed to be implying that since a website can technically ignore a user's (lack of) consent regardless, that the popups are unnecessary. But legally, the concept of consent is very significant.
The popup mechanism itself isn't designed for you. I do agree that honest businesses don't need "consent" nag walls, as nobody actually wants their personal information datamined as a feature. But the actual dynamic is that these businesses are trying to preserve the status quo of user surveillance by obtaining fig-leaf consent. And the "best" way to do this (from their perspective) is an obtrusive nag wall that makes it easier to submit rather than reject (whether by accident or through attrition).
So nag walls are just a similar user-hostile solution just like surveillance based advertising itself. And the main way the dynamic of malicious compliance will go away is further enforcement, although I fully support technical solutions that delete nag walls as well.
In fact, yes. But if some dev is treated badly by that website and they know about this, they can direct legislators to that site saying it's illegal. And in this case that website has problems.
But does that site have more problems than if they were ignoring the DNT bit? I'm not sure how we got so far off-track, but that was how this discussion chain started.
Maybe, but there are different ways to deal with infractions. Fines and blocking are among the first, but I'm sure govs will do everything possible to get some money in some way if they can.
No, it has very much also accomplished the task of showing you in (literal) big bright banners which websites have complete disregard for your data. If a website goes to great lengths to trick you into giving away your data, that’s a fantastic sign you should leave and never come back.
No it doesn’t. It shows you which websites are big enough to be a target and/or to have entire regulatory compliance teams that are spooked by the threat of a revenue fine to invest enough resources into implementing a horribly bad UX just to dot their “i”s.
There’s nothing in the regulation that says the UX has to be bad; quite the contrary!¹ That’s the point: the harder a service goes out of their way to make the data collection UX bad—which is harder than making it simple—the less they care about you.
In addition, legitimate cookies to provide a service don’t require consent.²
If you’re annoyed at the EU instead of the websites, you’ve played right into the hands of the people wanting your data for illegitimate purposes. Every time you agree to a bad cookie banner you validate their shady practices and make the web worse for everyone, including yourself.
There are also other, less visible accomplishments. I've been on the inside of companies doing a GDPR data compliance check, and for some data stores it came down to simply deciding that this one is not the "system of record", that its data passes beyond usefulness, and setting a time-to-live of e.g. a month or a year, so that data about user actions is not retained beyond that.
This _absence_ of retained PII ( https://gdpr.eu/eu-gdpr-personal-data/ ) that has been encouraged by GDPR will inevitably make some breach somewhere less severe, but "what could have happened but did not" is not a visible accomplishment.
Thinking that it's all about your cookie banner is shallow, dismissive and egocentric.
Yes, because getting cancer from smoking is the same as having cookies in your browser. What a completely asinine argument, even if it seems to be very popular these days.
"Oh you are against x regulation? Yet you aren't against mandatory seatbelts or warnings in cigarette packages, or child labor laws! Curious!"
Like you realize that it is a pretty self defeating argument, since you are inadvertently saying that any regulation is a slippery slope to another one. Which thankfully isn't the case, and people can actually form an opinion on individual laws (and even disagree with them!) even if they are in favor of other regulations.
You gravely misunderstood the point of the analogy. The issue at hand isn't regulation, because nothing is being regulated, so there's no slippery slope. What cookie warnings and cancer warnings have in common is that they make transparent, to you the consumer, what a company or product is doing to you. You can still do it and opt into everything. It's no more regulatory than a nutritional table on a package of food.
People sometimes then have the weird reflex to blame regulators for making explicit what garbage they're being fed, when you should take it up with the company who is actually responsible for vacuuming up your data.
Well, this new specific detail of the law should get everything in order. Ignoring the banner means refusing tracking. This was already in the GDPR but not directly stated. So, in the near future, banners should disappear in their current form.
There really needs to be some kind of addition to the law that says "Should the user have GDPR_COOKIE_CONSENT=REJECTALL, the site should act as if the user manually rejected and objected all." The fact that third party vendors are having to produce workarounds for this reeks of the kind of American tax system that insists on taxpayers manually filling out their taxes.
"Disable cookies" was an option in the very first web browsers, so no, there doesn't need to be any addition to the law. You can disable cookies any time you want. Just don't cry when it turns out that you actually love "tracking" and need it to work for your web experience to be any good.
Here's the thing, kiddo. For most of the time, I'm quite content with disabling Javascript and cookies altogether since it also disables subscription popups and other inconveniences when all I want to do is read an article. When you click "Reject All", you aren't rejecting literally every cookie, otherwise how would it remember that you've rejected all? Instead, "Reject All" is shorthand for "Reject all cookies that aren't strictly necessary." You are simply being obtuse. Do you also froth at the mouth whenever someone says "Universal healthcare is free"?
I do in fact froth at the mouth when people say universal healthcare is free! You know me so well already :)
Fundamentally, standards as vague as "legitimate" or "necessary" shouldn't be a part of law because they are so subjective. What do you say to the executive who says that without the advertising the company will go bankrupt, and untargeted ads earn no money? That her company is not necessary? That her business is "wrong" in some way? That customers are wrong for not wanting to pay? It's ludicrous that such a situation can ever arise.
You do realise that vagaries are written into the law all the time? What do you suppose cruel and unusual punishments means? Or unreasonable searches and seizures? Or just compensation? Or a speedy trial? Or excessive bail? Etc. These are all subjective.
And those are not surprisingly some of the most vicious and fought over parts of law, which are only tenable at all because of hundreds of years of case law which refine them. Most of the time lawmakers do try to be precise about what they mean which is why law is so voluminous and why you so often need lawyers to help understand it.
Good law is precise. Bad law isn't, regardless of how convenient it may be for the lawmakers to be vague. The existence of bad law doesn't justify the further propagation of it.
Could you please provide some examples of "most lawmakers try to be precise" before claiming that? And secondly, I object that good law is precise. I mentioned in another comment that the copyright tradition for continental Europe forbids by default any new methods of culture (e.g., the invention of the internet), and that the law needs to be changed to specifically allow it. You think we should do that for everything because good law is precise? I think good law is legible, not necessarily precise. Something that the average person can interpret is far, far better than something thousands of pages long because you must enumerate everything, otherwise it's vague.
Do you recognize at least how circular this argument is? "Technical necessity for certain purposes", purposes like offering a service, which is the reason the business is necessary for the people who use it?
> the absence of any option for refusing/rejecting/not consenting cookies at the same level as the one provided for accepting their storage constitutes a breach of the legislation [0]
GO Europe GO!
[0] https://www.cnil.fr/en/edpb-adopts-final-report-outcome-cook...