Dear Paul Graham, there is no cookie banner law (amazingcto.com)
607 points by KingOfCoders 5 months ago | hide | past | favorite | 639 comments



Imagine a market in which companies charge a lot of hidden fees behind their customers' backs, and users are not happy when they realize after the fact. The law is updated to say you are not allowed to charge the user a fee unless you tell him in advance.

Companies with tons of hidden fees decide to keep them but force you to read all the fees on every page of the menu before you can see the rest of the text, in the most annoying way possible, and promote the idea that the issue is not the extravagant fees, nor the fact that the companies hid them before and had to be forced by law to warn you about them; no, the problem is a law that forces them to tell you what you're getting into before it's too late!

That's, essentially, what's happening. And we have people complain that companies need to display their fees.

On this issue, in the group that complains about the cookie law there are some people who are very wrong on purpose because it's in their interest, and some people who are very wrong because they genuinely don't understand the position they're defending, complaining about being made aware of the fee instead of the fees themselves or the fact that the companies hide them if not forced by law.

To each their own belief about which category PG fits into.


Agree. How much corporate propaganda are people consuming that legislators are seen as wholly responsible for the bad behavior and malicious compliance actions of corporations?

What does it say about the relationship between businesses and consumers that the first response to this bad behavior is to shout "look what you made them do!"

Seemingly it is everyone's fault except the bad actors themselves.


It's so depressing. Many of the people who are pointing the finger at the regulators for the annoying cookie banners don't actually see the web site/app *as* a bad actor. The fact that they had been tracking tons of extra data via cookies without their consent or knowledge was totally fine to them as long as it wasn't inconveniencing them in any way. The cookie banner is an inconvenience to their mindless consumption, so NOW it's a problem and they just don't care what the solution actually is as long as the thing goes away.

I've seen this attitude from tech people, too, so it's not just a matter of tech ignorance or illiteracy.


> don't actually see the web site/app as a bad

Some of these bad actors with annoying cookie banners:

https://gdpr.eu/

https://european-union.europa.eu/

https://www.europarl.europa.eu/portal/en


I only got a cookie banner on the first of those links, and as far as cookie banners go it wasn't very annoying; I clicked "no" and it went away immediately.


I only got cookie banners on the first two links and they were extremely unobtrusive. You did not make the point you had hoped to make.


> totally fine

this is not true. It's just that most people are powerless to fight against the dark pattern onslaught.


> The cookie banner is an inconvenience to their mindless consumption,

It’s an inconvenience to people who care about privacy and use browser configurations that don’t store state between visits.

So now in an attempt to protect regular users, the law ended up hurting users that already cared.

Additionally, the shadiest and incompetent sites still just track people with no cookie banner. So the law doesn’t really provide protection against uncooperative parties, whereas privacy technology does.


> It’s an inconvenience to people who care about privacy and use browser configurations that don’t store state between visits.
>
> So now in an attempt to protect regular users, the law ended up hurting users that already cared.

Fair point about the banners mostly "hurting" users who care about privacy (but, really though- how much does it really "hurt" you? I'm "hurt" more by the fact that I have to fold laundry several days a week).

But, I take major issue with you saying that the LAW ended up hurting users. Companies are under no legal obligation to make those banners as obnoxious as they are or with so many dark patterns (I sometimes don't know if I'm even enabling or disabling tracking with the way they word it). That's squarely on the web site owners pulling that nonsense.

> Additionally, the shadiest and incompetent sites still just track people with no cookie banner. So the law doesn’t really provide protection against uncooperative parties, whereas privacy technology does.

I agree that the only/best way to protect yourself is via technology and not by relying on people obeying the law.

However, if this is also an argument against having the law, it's an incredibly weak one. You can apply that logic to argue that NO laws are effective. People still murder even though it's illegal- must be a bad law, no?


> Companies are under no legal obligation to make those banners as obnoxious as they are

Actually every single lawyer we asked about implementing GDPR advised us to have one of those obnoxious banners. Because the law is so ambiguous and the penalties so high that it is better to play it safe. And we have no ads nor tracking at all on our product website.

You can ignore your lawyer's advice if you want, but it's a bit like a law office ignoring my data security and backup advice: assuming a huge amount of risk.


If you are using cookies for user preferences/settings, then they require consent. If you are only using cookies for session information (like a shopping cart), then you don't have to get consent. Your lawyers know this.

Frankly, I doubt the veracity of this anecdote. But even so, I'm willing to bet that the lawyers in this story did not tell you that the banners have to cover half the screen and have ambiguous wording to intentionally confuse visitors to your site. When I say "obnoxious banner" I'm not being redundant: not all banners or popovers are "obnoxious".


Are you a lawyer? Are you willing to assume the liability I may incur if I follow your advice? Or are you at least a business owner/manager who's had to deal with this crap?

Or are you in the peanut gallery willing to believe that there is some conspiracy where all websites have suddenly decided to obliterate their users' UX when GDPR appeared just because they are evil?

I live in the EU and I can tell you: ALL banners/popups are obnoxious. They ALL get in my way when I want to do something entirely different. As a (non ad/user-tracking) business I would never afflict them on my users if I had a choice.

The productivity loss here in EU since the GDPR would be staggering - if there was much productivity to begin with, of course.


The GDPR is about all kinds of tracking, of which things you can block locally at the browser level is only one part. So yes, even those users that already cared enough to block/discard cookies benefit.


Again, this should have been a >browser feature< instead of a website feature. I trust Safari and Firefox WAY MORE than I trust the website's owners to actually block cookies and protect privacy, as well as implement this in a better UX.

The proper way to have done this would have been to go to the W3C or WHATWG and proposed an extension to HTML for sites to define an opt-in manifest or something similar.


A feature that lets the browser tell websites "do-not-track the user"? From my knowledge of history, I'm afraid that would not work at all!


More like a content blocker. The websites can ask, but there's no guarantee the user will accept. Really no different than browsers asking to show popups beforehand.


If it only were that simple. When the GDPR came out, a lot of confusion and misunderstanding ensued. Not only regarding the damn cookie banner. Even totally legitimate health-care providers started to collect signatures to be on the safe side. I still remember receiving a basic GDPR training where we were told that opt-out/signing is only necessary if the entity is planning to do weird stuff with your data. IOW, if someone wants you to sign, they plan a bad move. Then my bank wanted a signature. And a month later, one of my healthcare providers wanted a signature. After a chat with him, I learnt that his lawyer told him to collect the signatures just in case, and made him believe that if someone doesn't sign, that is a problem.

So now we have this situation where providers were trained to play the GDPR in such a way that they will never have a problem, no matter what they actually do with the data.

And consumers are pissed because they are made to sign things which essentially reduce their rights...

And if someone (like me) thinks the EU did a half-assed job there, the downvotes rain in.


Incompetent lawyers and managers did a half-assed job, and some exemplary fines will motivate them with respect to the other half.


That is so wonderfully naive that I had to laugh out loud. The fairytale of the manager who suddenly is fined big-time for his/her decisions is just that, a fairytale to pacify critics.


I kinda hate saying this, but Microsoft (or at least GitHub) got it right in a week. Some OSS publishers also got it right, like nexedi, and some I'm slightly upset with (gitlab) but it is true that for the commercial internet it seems to be invasive. I do not use the commercial internet much, and like any person with Greasemonkey, I took a rainy afternoon to remove the most annoying banners (I think now I use a plugin that does it for me).


The fact that you have to use a plugin or other technical remedies to fix the cookie banner situation is all the proof we need to see that the EU totally fucked up. It is easy to declare that you just need to install this or that to get an obstruction-free internet again. But it is also very very elitist. Not even 1% of the population is truly capable of handling that.


I use a plugin to block ads. That it also blocks most cookie consent banners is a positive side effect. It does not block all of them. It doesn't block the GitLab banner, or EU website banners, because I think it automagically blocks cross-domain JS injection, which, you know, is good because less attack surface, and every browser should do the same without a plugin (CORS does not go far enough imho).


The same people also complain they cannot use by default said websites unless they share all their personal data with them. Half-assed, indeed the measure is. But it also reflects the majority thinking, unfortunately. So unless there's some popular pressure to full-ass the measure, we will still have banners and misused personal data.


> they are made to sign things which essentially reduce their rights...

But not as much as you might think. Consent under GDPR only applies to what you were informed of when you consented, and you're allowed to revoke consent (with prospective effect) at any time.


Yeah, but these are rather theoretical practicalities. In the majority of cases, consent is coaxed out of the consumer. If you show up for an MRI, and you get a piece of paper with the comment "It is for data protection", almost nobody has the time or nerve to actually read the text, and even fewer people have the inclination to decline to sign. After all, they (sometimes desperately) need the service. Let alone that the accompanying comment is deliberately phrased such that some people will believe they need to sign in order for their data to be protected. Dark patterns all over the place. My bank implemented the consent (for a while) as a recurring pop-up after login. Yes, you get the popup as long as you decline to sign it, over and over again. I think they gave up on that practice, and it was partly a dark pattern (IOW, there were two buttons to decline to sign, and one would result in the popup recurring). Examples are all over the place if you walk an EU country with open eyes.


Under GDPR, your MRI example and your bank example do not qualify as consent. (For the MRI example, they might be able to claim basis b, but only if they're doing stuff that you could actually have requested.)


I don't feel confident a complaint would be easy to get through. After all, my MRI example is standard procedure, good luck making a case against that. Besides, lawyers cost money.


would an adjustment of GDPR that forces websites to respect DNT solve the problem? am i missing something obvious? (aside from the pain in the ass that is amending laws) /gen


The funny thing is it's not just corporations. When you open the German state railways' website, somehow you get a GDPR overlay. When you open the German revenue agency's website, you get greeted by a cookie banner on top.

I call upon all German users of this website to write to their MPs! Obviously the German civil service is a bad actor! The German deep state is plotting to discredit our beloved eurocrats and must be shut down! Drain the swamp! (Den Sumpf trockenlegen!)


> I call upon all German users of this website to write to their legislators! Obviously the German civil service is a bad actor! The German deep state must be shut down!

I understand the joke you're trying to make but you clearly don't understand the relation between Germans and privacy/tracking regulation to think this makes sense.


It's not supposed to make sense, it's supposed to show the absurd position of the post I'm replying to. The less it makes sense, the better.

And I only picked Germany, because it's one of the few EU countries where stuff like that is rigorously enforced. In the rest of the EU, everything unrelated to the common market and/or getting money from the EU is at best haphazardly enforced.

If you want to, check out france.fr, a website maintained by an agency of the French tourism ministry. (After disabling the 3 dozen annoyance-blocking extensions everyone must use nowadays, of course.) What do you see?

A giant cookie overlay. Drain the swamp! (Égoutter le marais!)


I get no overlay on france.fr



Me neither, unless I disable ad blockers and anti-annoyance extensions.


> the German state railways

No such thing anymore, unfortunately.


Apple is doing the same thing, passive-aggressively doing things like removing support for pinning webapps / PWAs / whatever they're called to your home screen, then backtracking after backlash. Or Microsoft with their browser choice screen or Windows releases without media player. And even those aren't as bad as the malicious compliance of cookie banners.


Many of us had no real problem with the ad-supported web in the first place. I was happy with the status quo.

So yes, I do blame the government as I would be fine returning to the prior state.


A site can serve ads without tracking (and the banner) - the ads just couldn't be targeted at individuals. Instead they'd have to guess what ad was appropriate ("Rolling Stone" could serve everybody ads for Taylor Swift's latest album without a banner, etc).


>> A site can serve ads without tracking (and the banner) - the ads just couldn't be targeted at individuals.

The biggest problem with online advertising is not tracking users. It's a lack of trust between advertisers and pretty much everyone else. If you're going to pay for an ad, you want to be sure it was seen by a real person. I'm not sure that's the concern any more because click-through is more important than "seeing" an ad. Regardless, the goals are to make sure it's easy for a given advertiser to get on many web sites, easy for a site to get ads, and also possible to prevent fraud since there will obviously be multiple parties involved.

I suspect tracking users was an offshoot of just verifying that users were real to prevent fraud in the ad world. Not saying any of it is OK, but it seems like the way to prevent tracking is to find a way to verify authenticity while also preserving privacy.


Embedded banner ads with a third party sampling the site to see that ads are fairly displayed according to paid quota. Maybe something like that?


> ("Rolling Stone" could serve everybody ads for Taylor Swift's latest album without a banner, etc).

And that would be fine, as long as Swift was willing to pay for it. But the tracking and personalized ads thing was a numbers game; personalized ads have a higher conversion rate, thus are more valuable, thus we need data to personalize ads.


This means you get less money for it and can't survive due to the lesser revenue.


This is counterfactual. Many things survived on exactly that model before hyper-targeted ads. And besides, with targeted ads the middlemen take most of the cut.


This is incorrect as companies will pay less for ads that convert less.


And not surviving would be the best outcome in a large number of cases.


Yes, we all know how great countries with no free media do.

Absolute dreams.


There's no free media. It's propaganda from all sides. And I suspect it always was like that.


Biased or not, it's still useful and needs to be free.


That was your choice in the end, but this was the problem - people didn't have the choice, or the awareness. The EU law fixed this, but instead of corporations going "Hmm, maybe we shouldn't track users", they instead went with malicious compliance and implemented annoyances - because data is more valuable for a lot of websites than whatever said website is peddling.


"I would like website operators to assume that I consent to being tracked, so I'm annoyed that website operators are not allowed to assume that everybody consents to being tracked."


> How much corporate propaganda are people consuming that legislators are seen as wholly responsible for the bad behavior and malicious compliance actions of corporations

Why do I need to be "consuming corporate propaganda" when I just hate that I need to dismiss banners on every news website, when I didn't have to before the regulation?

I don't care about being tracked. But now that all websites need to cover their asses in response to regulation, I'm forced to figure out which button I need to click on to read content, and these websites don't even appear to save my preferences whether I agree to be tracked or not.

Objectively, the outcome of this regulation is that my experience is worse. Are the companies bad actors? Sure! Sounds like the EU should account for companies' bad behavior instead of forcing the internet to be more annoying.


The experience you describe is the fault of websites which chose to make things that way. The article goes into more detail on this point: There Is No Cookie Banner Law.

It's important to note that we didn't have to go through the banners after the law, either. We only had to go through them after website operators intentionally picked the most disruptive and annoying popup to serve us. We can blame them. They chose to add it when they could have legally not added anything at all.

It's like the situation described here: https://news.ycombinator.com/item?id=39742766


Again, from the perspective of users, the experience got worse post-regulation.

> The experience you describe is the fault of websites which chose to make things that way.

I don't disagree. But they were less annoying before. So make them go back to being less annoying.


> Again, from the perspective of users, the experience got worse post-regulation.

You're right, the experience got worse.

But the underlying point is there are two ways this could have gone. The GDPR simply mandated that if companies track you they have to get your informed consent. So one way it could have gone is companies didn't track anonymous users.

Notice this doesn't apply to non-anonymous users. By definition once you've logged in you've revealed who you are and agreed to a far more onerous privacy statement. So one way companies could comply is just to make you log in to see some content (and track you that way), and not bug you otherwise.

But they didn't go that way. They insist on tracking you regardless. Perhaps you don't agree, but I find this even more annoying because I install tracking blocking extensions and that breaks some sites. To me the world would have been a much better place if they had just gone along with the intent of the damned law and not tracked people who are trying to remain anonymous.

To be fair it's not so bad. Firefox dismisses the cookie banners for you [0], and I have extensions that block the worst of their effects. If you are using a browser from an ad company and are complaining about cookie banners (which almost to the man use a deceptive UI to encourage you to accept them all so the ads work better), then I don't have a lot of sympathy. Me rejecting as many cookies as I can then blocking their trackers is the worst possible outcome for the web sites trying to garner some ad revenue of course, but shrug, the industry could have acted in good faith, and didn't.

[0] https://community.mozilla.org/en/campaigns/firefox-cookie-ba...


Again, from the perspective of users, the experience got worse only after websites decided for themselves to add annoying cookie banners. Not after the regulation.

> make them go back to being less annoying

That is a request between you and them (the websites), unless you're talking about legislating a banner-less opt-out, or maybe just willing to file a complaint against the website with a data protection authority, if the banner is already illegally annoying.

Websites have the right to annoy their users with cookie popups, with or without the GDPR (ironically, the GDPR actually has some protections here, websites simply break the law). Unfortunately, it seems many are choosing to exercise that right because they make money doing so.


Get a plugin to click that button for you, I got one and haven't seen such a banner in a really long time now.


Any iOS plugins that work?


The flaw in your analogy is that the modal consumer cares about hidden fees, wants to be made aware of them, and might even make a different decision with that knowledge. The modal consumer does not care about cookies.

Imagine you walk into a restaurant and they hand you a paper that details full allergy information for all of the foods they serve, and then they wait for you to say, "I consent to these ingredients being in the food," before they can seat you. I think that's a closer analogy. We can all agree that the restaurant shouldn't hide that information from you, and that some minority of people might want the information, but do we really have to add this inconvenient step to the process for all people? The current real-world system, where allergy information is available upon request, was working fine.

There are some things that everyone cares about and would be appalled by, that businesses should have to inform people about, and many things that a small minority of people care about. Why stop at cookies? Maybe we should mandate a popup if the website's server infrastructure was manufactured abroad, and another popup if the company that runs the website has higher than average carbon emissions, and another popup if the food in the food court that serves the headquarters of the company that runs the website is not kosher. The lobby of people who care about cookies is of similar size to the lobby of people who care deeply about binary size and about running JavaScript. Should there be mandatory popups to execute JavaScript? If the website is >10MB, should I have to consent on a lightweight page before downloading it? How do you determine which activities warrant a popup warning and which do not?


If I am not allergic, then I do not need to know about it and I will suffer no damages from not caring. This is not the case for tracking. Tracking can hurt you.


This is a bad example because the market usually fixes this problem. The reason why the market doesn’t fix the cookie banner problem and the reason why this is bad law is because users de facto do not care, it is merely annoying.

There’s a law in California that says that businesses which have chemicals that might cause cancer on the premises need to let people know. That’s great but the levels they set turn out to be lower than what you can feasibly test for and as a result all properties pretty much just put up the signs that say “there might be chemicals here”. The warning is useless and annoying because of market forces which is another way of saying the law incentivized the behavior that occurred.


The market is working perfectly here, if you remember that users are not the customers. Users are the product sold to adtech, data brokers, law enforcement, etc.

For data-harvesting companies users are like livestock, and nobody cares about livestock's opinion. It only matters how much value can be extracted from users, even if it's annoying, misleading, and relies on dark patterns.


Yes, but that "livestock" can vote with their feet. If people cared about this, it would be a good opportunity for new entrants to take market share from incumbents by not using tracking cookies and thus not needing to have the cookie banners. But (to the parent comment's point) that isn't happening because this is not a compelling feature to offer, because people do not care about this, no matter how much we want them to.

I used to think this was just an education issue, that people just didn't understand the implications of privacy concerns on the web. But I no longer think this is the case. I think people do mostly understand, and just do not consider this a priority.


I don’t think this is strictly accurate. There’s nothing about cookies themselves that makes them a problem. It’s the way they are used. Needing to inform people you are using cookies for sessions is like needing to inform people you are using a fork to eat. The problem is that some people are using the fork to stab people, so now we require everyone to say how they’re going to use it in advance. Instead of just prohibiting stabbing people.


A few places allow you to opt for a spoon instead, or drink right from the bowl without utensils. Note that it's not the customers who use the forks for stabbing; it's the restaurants themselves. To show their goodwill to a customer who does not trust them with a fork, they can offer a spoon.

The further we take this analogy, the more strained it becomes.

Yes, it's natural to use a cookie to track a session; this is a mechanism invented for that purpose. It's much less natural to share this tracking information with third parties, especially along with a record of your purchases or other interesting actions.

But ad revenue is much harder to obtain without targeting and thus tracking. And a lot of places depend mostly on ad revenue.

This is another case of the "buy now, pay later" pattern, stretched to "take for free now, pay in loss of your privacy later". In a funny enough way, many people don't value the information they get on many ad-supported sites as highly as the marketers paying to grab their attention, so simply compensating by adding a subscription or one-time payment to go ad-free sometimes does not even work; the more generic / "doom-scrollable" the content is, the worse it works.


See for example GitHub's statement [1] about no longer displaying a cookie banner. While ironically the blog still does display them, the main site doesn't.

[1] https://github.blog/2020-12-17-no-cookie-for-you/


You don’t need to inform people you are using cookies.

It is not about cookies.


As long as those cookies are only used for making the core functionality of the website work (i.e. login sessions, user preferences)


> You don’t need to inform people you are using cookies.

Are you a lawyer? Are you willing to assume the liability I may incur if I follow your advice?


> Cookies that do not require consent [...] or authentication cookies (when users authenticate themselves on your web site to log in in order to check online services such as their bank account).

https://europa.eu/youreurope/business/dealing-with-customers...


Again: are you a lawyer?! If not, in what quality are you advising businesses how to implement such a dangerous law? Have you seen the magnitude of the potential punishment? Will you cover my fines if you're wrong?


Note that putting a “we use cookies” banner on your website will not absolve you from GDPR fines anyway. You still need to adhere to the law about informed consent, storing safely etc.

If you are worried about GDPR, by far the safest is to just not collect personal information.


You are correct: implementing GDPR correctly is much, much harder and more expensive than people realise. Cookie banners are just the tip of the iceberg.

A few things not allowed under GDPR:

1. Analytics

2. Third-party resources like fonts or JS libraries

3. CDNs

4. DDOS protection services

And I am sure I am missing many more. I am not a lawyer, but I worked with a few.


Of course you can use third-party resources like fonts or JS libraries.

What you can’t do is trick the client into downloading something from a third-party source which then spies on the customer.


Okay, so either you know what you are talking about or not. If not, stop spreading nonsense; if yes, then why are you lying?


Do you have an actual argument or are you here just to call others liars?


You don't need a cookie banner for session cookies, not in ePrivacy nor in GDPR; the same applies to all cookies that are "strictly necessary" for the functional operation of the website on the technical level. Language selection cookie, "remember me" cookie, etc. are all perfectly fine.


I’ve often wondered if necessary cookies could just be carved out and designed (and named) differently to improve handling. You could then just configure your browser to inherently accept the benign <biscuits/bikkies> from a site, which would then only ask for non-essential ones.

The real nirvana, IMO, would be better sandboxing between sites.
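The two comments above draw the line that matters in practice: cookies that only make the site work need no consent, everything else does. As an added example (not code from the thread or from any site it names), here is what a server that wants to be banner-free looks like when it enforces that line itself: outgoing Set-Cookie headers for essential cookies always pass, anything else is dropped unless the visitor has opted in, and a browser-sent DNT: 1 or Sec-GPC: 1 header is treated as a refusal that overrides a stored opt-in. The list of essential cookie names, the "consent=all" convention and the sample headers are assumptions made for this example; in real life it is the purpose a cookie serves, not its name, that decides whether it is strictly necessary.

```javascript
// Added example (not from the thread or any site it names): consent-gating
// of Set-Cookie headers on the server side. ESSENTIAL is an assumption for
// this example; the legal test is the cookie's purpose, not its name.
const ESSENTIAL = new Set(['sid', 'csrf', 'lang', 'cart', 'consent']);

// Parse one Set-Cookie header value into {name, value, attributes}.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Parse a request's Cookie header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    cookies[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return cookies;
}

// Has this visitor consented to non-essential cookies?
// Request header names are assumed lower-cased (as Node's http module does).
// An explicit do-not-track signal wins over a previously stored consent
// cookie, so a user who turns on GPC later is not still treated as opted in.
function hasConsent(requestHeaders) {
  if (requestHeaders['sec-gpc'] === '1' || requestHeaders['dnt'] === '1') {
    return false;
  }
  const cookies = parseCookieHeader(requestHeaders['cookie'] || '');
  return cookies['consent'] === 'all';
}

// Filter the Set-Cookie headers a response is about to send.
// Returns {kept, dropped}; `dropped` is what a banner-free site would
// simply never set for a visitor who has not opted in.
function gateSetCookies(requestHeaders, setCookies) {
  const consented = hasConsent(requestHeaders);
  const kept = [];
  const dropped = [];
  for (const header of setCookies) {
    const { name } = parseSetCookie(header);
    if (ESSENTIAL.has(name) || consented) kept.push(header);
    else dropped.push(header);
  }
  return { kept, dropped };
}

// Constructed sample response headers: a hardened session cookie and an
// analytics cookie (the name mirrors a common analytics cookie; the value
// is made up here).
const SAMPLE_SET_COOKIES = [
  'sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_ga=GA1.2.000000.000000; Path=/; Max-Age=63072000; SameSite=None; Secure',
];

// Three visitors: nothing stored, consent stored, consent stored but GPC on.
console.log(gateSetCookies({ cookie: '' }, SAMPLE_SET_COOKIES));
console.log(gateSetCookies({ cookie: 'consent=all' }, SAMPLE_SET_COOKIES));
console.log(gateSetCookies({ cookie: 'consent=all', 'sec-gpc': '1' }, SAMPLE_SET_COOKIES));
```

The point of doing this at the response boundary is that a third-party script or analytics library added later cannot quietly reintroduce a consent-requiring cookie: the gate sees every Set-Cookie header regardless of which code produced it. It does not cover cookies set client-side by injected scripts, which is the case the content-blocker comments above are about.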


A browser-based solution not mandated by law but made by the industry wouldn't work, because all 4 major browser vendors make significant revenue from ads.

At one time a solution appeared with "do not track", and we ended up with the industry making sure it was as toothless as possible, opt-in, and Google pushing hard to control the browser market.


Using your analogy, I think what ends up happening is that even companies that don't collect hidden fees will put up a banner just in case.

Not only that, I'm not an EU citizen and I'm not browsing websites based in EU but I'm still bombarded with cookie banners non-stop.


Do you have /any/ examples of websites that don't have a bunch of 3rd party cookies that still have a cookie banner?

Middle managers absolutely love anything with charts and graphs because it makes their decisions feel more scientific. That's why they want tracking software included on their websites. And if the law requires disclosure then a cookie popup is the solution.


My company recently announced a game, and we launched a website for the game. There's no tracking cookies (edit: originally wrote "third party"; I didn't make the site, but I do run it).

Our US based legal team told us we needed a cookie banner if we were going to have visitors in the EU. I pushed back, but I lost, and ultimately it's not my fight.


Sounds like your US legal team is covering their asses on topics they are not familiar with instead of acquiring the necessary competences.


Your legal team is holding the door open for the day they decide to start tracking.

They probably won't tell you that, tho.


Our legal team is following the checklist that they have that they know is pre-approved


OK? Does that contradict what I said?


Which was probably written (even if not by the legal team, but someone they consulted) with an eye towards keeping more data than legitimate interest allows under GDPR.


Thanks for this, it seems a lot of cookie popups are there just due to cargo culting


I don't quite think Cargo Culting is the right label for it. It's not just because everyone's doing it. My experience when legal meets code is that common sense, intent and what is actually allowed go out the window, and cover-your-ass wins. My experience with Legal has been that they default to no "just in case" for every question you come to them with.

It's a battle to get them onboard to not taking the safest possible approach, so you only want to fight that battle when it's a kingmaker of an opportunity.


Yeah, people often approach legal in the wrong way: people often want to ask "is this OK?" and have the lawyers say "yes", but basically no lawyer is going to say that for almost anything. Instead you need to ask them to explain what the risks of different courses of action are and take a view as to whether they are important or not.


That's been my experience, but unfortunately _that's_ where cargo culting comes in. As part of $NEW_WEBSITE_CHECKLIST we have to "check with legal" which inevitably involves a laundry list of stuff like this, and the default is to accept what legal says, unless we _really_ don't like the answer at which point we're going to do it anyway...


Legal counsel is there to advise, not to design product UX. Some companies have bonehead policies like “you must develop whatever Legal advises” but that’s a choice the company is making. Sensible companies treat their in house counsel as advisory, and weigh the risks like they would weigh any other risks.


The funny thing is that most of the CYA cookie banners... are in themselves GDPR violations


It is not about third party or not, but what it is used for. Consent may be required even if there are no cookies at all.


> It is not about third party or not

You're right, I said third party, but I actually meant tracking. I actually went and checked, and our only cookie is the cookie for whether you've seen the cookie banner or not...

> Consent may be required even if there are no cookies at all.

For what?


It's not about cookies. Tracking without cookies also requires consent.


See my original post. Our US legal team said that we need the banner if we have visitors from the EU, not if we're tracking them.


>Our US legal team said that we need the banner if we have visitors from the EU, not if we're tracking them.

This actually makes sense - because if you didn't have the cookie banner then some fucking weirdo would come to Hacker News and make a self righteous post about how you're "tracking residents of the EU without their consent and abusing them" (even though you're not). Instant karma. Next thing you know these weirdos and their mob are reporting you to their government and you're dealing with government inquiries and more legal expenses trying to prove your cookie-less web 1.0 site doesn't "abuse people."

The banner placates them.


Do you have any basis at all for such an absurd claim? The law actually works in the opposite direction (kinda):

You may use "legitimate interest" cookies/tracking without saying so, but as soon as you show a privacy dialog you actually have to disclose everything you're doing including legitimate interest.

Basically, by having a list of what you're doing with your users' data you're giving up your right to do anything not listed.


> For what?

GDPR actually doesn't specifically mention cookies at all. Tracking is what's illegal, not cookies.

Let's say you keep website logs with IPs on them, and you do analytics for non-essential purposes. You can do this under GDPR, but you must gain consent from the user before logging this PII.

It actually is completely and totally orthogonal to cookies. Some cookies are fine without consent. Some things that are not cookies are illegal without consent.


It only took two minutes to find one at https://www.schwarzkuenstler.com/ and I'm sure I can find a dozen more in half an hour.

Germany is a bit litigious w.r.t. internet or privacy, so the combination---cookie consent---is a doozy. Nearly every German website that does anything will have a consent notification, and the slightest misstep (e.g. using Google Fonts without asking permission) can be punishable.


Their privacy policy states they use Google reCAPTCHA, which requires disclosure.


True, I hadn't noticed that at first glance, and I didn't see that as a third-party cookie in my site data. Nonetheless, I regularly see cookie warnings on sites with purely first-party cookies or even "just" session storage. (Mostly, I have been alert to this for the past year as I've started making non-personal web sites in Europe.)


I think a heck of a lot of smaller sites just cargo-cult the pop-up. Either because they misunderstand the law or because of overly cautious lawyers.


Or because of FUD from people interested in undermining privacy protections.


Aggregate data is not considered personal data by the GDPR.

Managers and everyone else can have charts and graphs without retaining personal data.

The processing of personal data prior to anonymisation to turn it into aggregate data, that part needs protection. But you can do it in a variety of ways that don't require personally invasive tracking.


> Not only that, I'm not an EU citizen and I'm not browsing websites based in EU but I'm still bombarded with cookie banners non-stop.

Again, that's the fault of the companies putting those up; they could make it opt-in to collect your data, they could just put a small notice in the footer with 2 simple links, "Accept all/Reject all". But they chose, they decided to pester you with those banners as annoyingly as possible to make you have exactly the reaction you're having.


The fact that companies are doing that says more about the bad law than the companies which is exactly Paul Graham's point.


So the problem is that the legislator did not expect companies to be even worse assholes than they already were...?

Laws are not born in a perfect state; very much like programs, sometimes you need a few versions to see how the system actually works in practice and fix a few bugs. The fact that v1.0 has such bugs is not a good reason to just give up, nor is it an indication that the programmer is bad at programming.


> companies to be even worse assholes

All companies? Every single company with a website even if without any trackers or ads?! All companies are evil and the single law that triggered their evil behaviour is good. Sure. Ever heard of Occam's razor?


Companies who don't track don't need any banner or popup.

> All companies are evil

No, but many, many companies are sociopathic assholes that exist just to make a buck. Otherwise we wouldn't need these laws.


All companies exist just to make a buck. And in the process they serve us with literally every single product and service we are using every second of every day. They play by the rules we put on them, making their life easier or harder, and in the process making our life easier or harder. Like this bad cookie law.


The law is pretty crystal clear. In many cases the issue is that websites are outsourcing their tracking to ad companies, which in turn apply those banners indiscriminately because that's in their interest.

That being said, all the dark-pattern banners actually break the law. The problem, if anything, is lack of enforcement of the law.


> The law is pretty crystal clear. In many cases the issue is that websites are outsourcing their tracking to ad companies, which in turn apply those banners indiscriminately because that's in their interest.

You think a small company should roll their own tracking software? A mom and pop website that wants to track its conversion rate on its little eCommerce site?

Come on. Be realistic.


It is the companies that suck, and Paul Graham is (quite literally) invested in the suckage, wherefore this dumb tweet. Which, if one wanted to create an ad campaign for that eternal Upton Sinclair quote, couldn't have been done much better.

(Thanks for the site though, Paul)


Paul is very unlikely to be invested in tracking unless he has some shares in Google/Facebook. Startups in tracking aren’t really a thing


I expect most startups "integrate" their regular revenues (if they have any) with some sort of adtech deal.


Any source for those allegations or is it only your imagination?


Or it says more about the manipulative intentions of the companies than anything about a good law.


What exactly is bad about the law that allows companies to do the annoying cookie banner?


"this is what you get for trying to handle us with kid gloves" is an understandable reaction/blowback from advertisers but I don't think it's something we should be giving any real weight or merit.

it's also generally an indictment of the modern neoliberal regulatory approach in general. asking people nicely to follow train safety regulations etc isn't going to get you results. even fines/penalties largely end up just as cost-of-doing-business (even in the EU). if you really want behavior to go away, make it illegal and give people at the top Sarbanes-Oxley-style legal culpability if it happens on their watch.

again, if you want to know the right way to set incentives so that people don't do a thing, you need only look at the way rich people want their money handled. you can bet that ripping off rich people is an ultra-mega-crime and doesn't just get a 1%-of-the-takings slap on the wrist. And lo and behold SOX does actually hold important people accountable as a result, not just some fall guy at the bottom.


what a ridiculous point of view.

do you think the same thing about laws against murder?

about fraud?


I've got to admit, I'm unclear what the equivalent of a cookie banner for murder would be.

This criminal uses murder! If you continue to interact, you consent to being murdered.

Murders you anyway




> Please stop defending the behavior of shitty companies. At the very least, I hope you're getting paid for these comments.

Please don't do this on HN.


For your first point I disagree; my companies don't track and we don't have cookie banners.

On your second point, that is again a choice of said companies, not a problem with the law. The GDPR has proven very well that if they cared, they can segment who is affected or not, and not just big tech: lots of random local news sites and the like are doing it just fine.

So again, you're aiming at the wrong culprit.


I was just in Europe last week (I live in the US): you have no idea what a nightmare the internet is in Europe. You are only seeing a side effect here.


> what a nightmare internet is in Europe

I live in Europe; I don't experience this "nightmare". Would you care to expand?


Sure. The nightmare is that every single time you open the browser on a website you have to go through the data tracking preferences for that website. It's a lot of work to avoid being tracked (companies are obviously using dark patterns there), and when you do it 20 times a day it gets frustrating quickly and collectively is a big waste of human time.

Now I am not saying the US doesn't have a problem. They just don't have GDPR, and most websites don't ask you for any permission to track you. So the experience is generally smoother (with the occasional tracking popup).

Ideally there should be a way for me to broadcast my willingness to share my data and not allow dark patterns to try to change my opinion. But the GDPR does not cover that and allows websites to drive you crazy until you click "YES, Track me"


I think your problem is that you're accessing US websites from Europe, since those are what you know. European websites are a lot less annoying, they actually care about the customer base here.


If you are using a browser provided by an ad company surely being nagged to death to provide data they can sell is the expected outcome? You could use Firefox, which can disable most cookie banners [0].

[0] https://community.mozilla.org/en/campaigns/firefox-cookie-ba...


You mean we can use the development version of Firefox, which gets almost daily updates and also breaks things a lot of times. An important caveat.


No, I don't mean that.

The post is dated 2022. The feature became generally available in v120. Stable is v123, so it is available now. It's gated, so you still have to enable it as described in the post.


> every single time you open the browser on a website you have to go through the data tracking preference for that website

This is not my experience. Perhaps the websites you favour are exceptionally abusive.

> a way for me to broadcast my willingness to share my data

That's the opposite of what most people want to broadcast.

> But the GDPR does not cover that and allows websites to drive you crazy

Apparently your view is that GDPR should not allow that, i.e. it isn't strict enough. I'm inclined to agree.


As someone who's lived in both the US and Europe during the past few years... GP is full of shit.


It's really not much different.

Source: Living in Europe


It's crazy how censored the internet is too; you need a VPN to access even piracy-adjacent sites in Germany. It's unheard of that an ISP would block a website in the US without the FBI itself taking it down.


You don't need a VPN, just a different DNS server.


I think this is a good analogy and I agree that the intent of the law was not to force websites to have a cookie banner, it was just the side effect.

What I think we are missing is a browser option/API that lets the user choose the acceptable tracking level. Similar to the do not track header but more fine grained.

As we are missing that, extensions are doing a good job ATM

https://chromewebstore.google.com/detail/consent-o-matic/mdj...

https://addons.mozilla.org/ro/firefox/addon/consent-o-matic/

I found out about Consent-o-matic pretty late and it saved me a ton of time handling banners. It's exactly what we should have built into the browser.


We have that, it's called DNT. Unfortunately companies argue that:

- it's not really a user choice when some browsers set it by default and therefore ignore it

- it's set globally for a browser but a user might want to give away their privacy to my specific site

... and show the banner anyway


> The law is updated to say you are not allowed to charge the user a fee unless you tell him in advance.

Why not a real regulation then to get rid of hidden fees and heavy fines/jail time for companies that are found to be doing it?

PG's argument (I hope) is that there is no point in talking about "regulation" and "customer protection" if companies STILL get away with their ridiculous and hostile practices.

There is no customer benefit in having user data collection and tracking. Companies do it only to exploit you. Even the usual BS excuses ("oh, we need user data to customize the experience") could be done completely in-device.

I don't want regulatory bodies to just give other companies more hoops to jump through. They will jump through them anyway, because it is profitable to do so. What I want is for regulatory bodies to effectively stop predatory practices.


I mean, that would be great, but I suspect that even just here on HN you'd get a lot of people strongly disagreeing with you. Because that would infringe upon the companies' "freedom" to profit in whatever way they see fit—and the people's "freedom" to let their data be vacuumed up and sold for massive profits.


Whether they agree or not is irrelevant. I think that PG's argument is that all the "regulation" and "strength of the EU" amounts to nothing. It's just people pretending to play power games, doing privacy theater and solving absolutely zero problems.


have him register a new, anonymous HN account and go say that in one of our weekly "apple bad" threads


Two wrongs don't make a right. Apple is bad and the EU bureaucracy is ineffective.


Airbnb used to hide their total price until the EU started requiring them to do so in 2019, whereas the USA only had this requirement from December 2022.


I don't want to be tracked either. But if companies can play the law this easily, I think it's a pretty bad law.


Are we all such spoiled brats that some cookie banners interrupting our web browsing is all it takes for us to give up and call the malicious companies the winners and the law(s) trying to protect our privacy "bad"?

We're a pathetic lot.


> On this issue in the group that complain about the cookie law there are some people who are very wrong on purpose because it's in their interest, and some people who are very wrong because they genuinely don't understand the position they're defending, complaining about being made aware of the fee, instead of the fees themselves or the fact that the companies hide them if not forced by law.

The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking is having to click away an annoying popup, and think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.


"Number of visitors" does not constitute tracking. The tracking in question here is to discover who you are specifically and the absurd amount of detail about your online activities collected and shared with data brokers for aggregation and resale.

A few of these cookie prompts during the day and they'd be able to tell everything from where your kids go to school to the kind of prn you prefer to watch on weekdays and everything in between.


I used to work at an online video advertisement company, you'd be horrified how much information we tracked across all the ads, especially since the ad was played with a special media player "plugin" loaded inside the other media player.

This is how ad companies can sell premium views: don't show cosmetics to men, increase car-related ads to people who have watched other car-related ads, and so on.

There's no such thing as server-side "private browsing".


> This is how ad companies can sell premium views, don't show cosmetics to men, increase car related ads to people who has watched other car related ads and so on.

It's really not. They already could do all that before cyberstalking was normalized. It's called content-based profiling, and it doesn't require any GDPR consent.


The ad companies wanted to aggregate information across multiple channels.

The example about "show more car ads to someone who watched other car ads"? It's not about showing car ad on a site whose content is about cars (or where the site owner decided they like that kind of thing).

It's about knowing you have wandered over to car comparison site recently so they can show you car advertisements when you look up sports news, show car-related merchandise when you're browsing some shopping site, show you insurance ads, etc.


> where your kids go to school

Is this something that's kept secret in European society?

If someone told me they knew where my kids went to school I wouldn't be surprised, it's sort of dependent on our address which is in the phone book.


Honestly I don't mind them collecting this data, what is really infuriating is the fact they won't share it with me. I would love to know what kind of porn I prefer on weekdays. I think they shouldn't be allowed to track anything with consent or without it unless they share all the data with the subject of spying.

And aside from that, I think it should be much more expensive to say sorry than ask for permission. In my world a firm like facebook should not have any right to exist, they earned it. Fine them to oblivion just like I would get a long time behind bars if I wouldn't do my taxes right.


I call BS. Give me your email password and your browser history and I'll share everything I learn about you with you. I'll also keep it and share it with whomever else I want to, but I'll definitely share it with you, too.


This is addressed in the article. They could track you, with your consent, in many different ways. The fact that they are choosing to force this cost upon you is what is ridiculous.


> The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking are having to click away an annoying popup, and think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.

I agree that wanting to know the number of visitors is benign and it is not abuse.

But saying companies should be allowed to track me (for whatever purpose) across the web without my consent is also pretty ridiculous.


The reality is that most people don't want to be tracked:

https://arstechnica.com/tech-policy/2021/07/facebook-adverti...


I've stopped going to Ars Technica exactly because their cookie pop-up lets me know that Condé Nast wants to share my data with at least (according to the popup) 159 partners.

They have so many "partners" that their cookie popup comes with a search bar.

56 of their "partners" want my precise geolocation data!

16 "partners" want to actively scan my device!

101 "partners" want to "match and combine data from other data sources" (I can't disable or object to this)

102 "partners" want to identify my device. I also can't object to this.

The only way I can really object is to close the tab, so that's what I do.


> The only way I can really object is to close the tab, so that's what I do.

Isn't it too late by then?


Legally no, they can't store his data if he doesn't click yes.


Considering their consent banner isn't legal under GDPR anyway, I'd be wary of expecting them to be compliant with that either.


The problem is that most people don't want to pay for any of the internet services they use either.


Any internet services that are unable to secure funding without abusing their users are welcome to stop existing.


Great, then maybe we can all finally go outside and smell the damn roses.


Does it become less ridiculous when your browsing history is sold to insurers, who use it to raise your rates?


> people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous

Is counting visitors all that sites are doing with tracking info?

They're not selling it to ad brokers, insurance companies, governments? They're not matching your name, address, and phone number with your web activity (including sexual interests, "anonymous" embarrassing stories, health concerns, etc)?


Well, different people want different things - I'd rather spend a millisecond to click 'refuse' rather than let them track me - out of spite if nothing else. Yes, cookie banners are annoying; the dark patterns within cookie banners (you need multiple clicks to get to the 'refuse' button while the 'accept' button is right there in your face) are even more so. But honestly - screw them.


> The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking are having to click away an annoying popup

Then you should doubly blame the companies, because that's what do not track was for; they're the ones who decided to make it not work that way, and instead it is ignored and not considered a valid option for the law.

> think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.

You don't need a cookie for that, and what GDPR has told us is that we're not talking about that but about dozens or hundreds of cookies on every major site, so trying to frame it that way is disingenuous.


The fees example is maybe apples to oranges. The fees are a problem because they subvert the pricing information signals needed for the free market. The problem is not the fact that they are charged, the problem is that they are not included in an upfront price display. Were they included in the total upfront price and never specified the users should not care - it's not their business how a company spends their money.

But I suppose that was just an example you picked to illustrate the industry's malicious compliance, and not the main point, in which case fair enough. :-)


The use of secret tracking also subverts the pricing signals needed for the free market. Users aren't informed that the website is subsidized by the sale of the users' information, much less the details of the arrangements and monetary amounts.

If the total price of the website without the secret costs of tracking were presented upfront, it would be less of an issue.


I agree with almost everything you said, except for one thing: I don't believe the euphemism "hidden fees" helps to clarify the fact that these people are taking money away from people without their knowledge or explicit consent.

We have other more precise words to describe that action. I asked ChatGPT what those could be, here's its answer:

    Q: What are some English words meaning "taking money away from people without their knowledge or explicit consent"?
    ChatGPT: There are several words and phrases in English that convey the idea of taking money away from people without their knowledge or explicit consent:

    Embezzlement: This refers to the act of dishonestly withholding assets for the purpose of theft. It often involves someone in a position of trust, such as an employee, misappropriating funds entrusted to them.

    Misappropriation: Similar to embezzlement, misappropriation involves taking something (usually money) for one's own use without permission or legal right, often in a breach of trust.

    Theft: Theft is the generic term for taking someone else's property without permission, including money.

    Fraud: Fraud involves intentional deception for personal gain, which can include financial deception or stealing.

    Swindling: This term implies deceitful behavior to cheat or defraud someone, often involving trickery or manipulation.

    Skimming: Skimming refers to the illegal practice of taking cash "off the top" of the proceeds of a business or other source of income without recording it.

    Extortion: While not always directly related to taking money without explicit consent, extortion involves obtaining money, property, or services from an individual or entity through coercion or threat.

    Pilfering: Pilfering involves stealing small amounts or petty theft, often done stealthily or without detection.

    Conning: This refers to the act of deceiving or tricking someone, often for financial gain, through manipulation or persuasion.

    Clandestine withdrawals: This phrase specifically refers to taking money from someone's account without their knowledge or consent, typically in a secretive or unauthorized manner.


We here are all interested in hearing your thoughts, so please filter raw chatbot output through them, rather than pasting the output verbatim, which isn't value-added, and can even be negative value, given chatbots' penchant for hallucinating information.


Except you could always just "turn off fees" in the browser, so the whole conflict seems kind of superfluous.


Except you can't because the in-browser fees are only one of many possible fees you could be charged.


The "fee" isn't the cookie. It's the obnoxious popup.


Hidden fees are bad because of the specific combination: the hiding, and the fees. Since tracking isn't hidden and isn't a fee, the analogy doesn't help to justify the EU's law.

People should have a default expectation that if they give their personal data to companies then it will be recorded. And if they don't want cookies then they should disable cookies. The EU's regulation hasn't revealed anything that is useful to know about.


People don't "give" their information to trackers, it's collected without their knowledge. I don't think most people expect the kind of things trackers collect is being collected.


Tracking is certainly hidden if you're not a programmer, and is certainly a fee if you value your time. Not all people live in low-trust societies or desire to.


> [...] Paul Graham came up with the thought, that the EU forces companies to have cookie banners. There is no law for cookie banners. [...] Companies could easily avoid any cookie banner. Just don’t track.

KingOfCoders/amazingcto, of course you are technically correct but Paul Graham wasn't talking about the letter of the law.

Instead, you have to interpret his complaint with the lens of game theory. I.e. The Law of Unintended Consequences that takes into account what companies actually do in response to laws instead of what we hope they will do.

Your blog post focused on good intentions of the law. PG's tweet focused on actual outcome.


Doesn't that argument work both ways? If you interpret the EU's regulation with the "lens of game theory", it is an unintended consequence of aggressive corporate data collection. Not sure why it makes sense to complain about the EU and not the companies.


Of course not. Only titans of industry and the landed gentry of the executive class are allowed to "move fast and break things", "ask for forgiveness rather than permission" and take "imperfect action rather than perfect action."

It's more morally permissible for corporate decision makers to install a global surveillance complex than for civil servants to attempt to regulate it.


> It's more morally permissible for corporate decision makers to install a global surveillance complex

No, it's more transparent. Unlike cookie banners.

If only cookie banners protected the consumer, but shadow cookies work fine.


That's a misunderstanding of the banners. The requirement is to get consent to track someone and/or process their personal information in a way that is not strictly necessary or covered by contract. The mechanism that does the tracking is irrelevant.


Because the companies are getting what they want (data on users), but the regulation is not getting what it wants (no tracking or informed tracking).

I don't know if this mini-competition between regulators and companies is truly zero-sum, there could be some way to get everyone something they want. But with the current regulation, it is zero-sum, and the companies are winning and the EU is losing. And the EU "works for you", so of course you can complain to them.


> the regulation is not getting what it wants (no tracking or informed tracking)

That's an overstatement of the purpose of the regulation IMO. The purpose is to give the user control over the tracking of their data.


OK, fair enough. pg's point still stands I think - I believe that most users have zero idea what that popup is and don't bother doing anything but clicking on it immediately even if they do have some idea.


I find it pretty difficult to be sure what point pg is making, because he uses an ambiguous phrase "good at regulation". What does he mean by "good at regulation"? According to the UK's Institute of Chartered Accountants [0] good regulation satisfies five criteria:

* Transparency

* Accountability

* Proportionality

* Consistency

* Targeting

I'm not certain that the GDPR laws fail any of these. I'm guessing pg is getting at something more nebulous to do with how annoying the UX is as a result of the regulation, and whether it encourages civil engagement. But if he'd simply said "EU regulation has made UX annoying" then he wouldn't have such a snappy tweet.

[0] https://www.icaew.com/technical/trust-and-ethics/better-regu...

EDIT I googled some more and found a brochure from the National Audit Office titled "Principles of Effective Regulation": https://www.nao.org.uk/wp-content/uploads/2021/05/Principles...

It does have a statement in there:

> Good regulation maximises the benefits while minimising compliance costs and unintended consequences. The benefits of regulation can be both to wider society (such as improved environmental or safety standards) and to regulated (for example, through increased consumer confidence), but not all of the benefits are necessarily easy to quantify.

Put that way, I can get on board with what pg's saying.


> Not sure why it makes sense to complain about the EU and not the companies.

Unfortunately a non-negligible number of people in tech also have libertarian leanings, with a default “gubmint bad!” position, which makes them easy prey for adtech propaganda.


How arrogant to assume your position should be the default one, and people who don’t agree with you are - of course - easy prey for propaganda.


Seems to be a common tactic from a certain faction currently in power in the United States.


Not just a US phenomenon - it's gone global


> Unfortunately a non-negligible number of people in tech also have libertarian leanings

Why is this unfortunate? Because you don't agree with us? The "they would agree with me if they were smarter" trope is tired and gets us nowhere.


> Why is this unfortunate?

GP answered your question, for some reason you decided to cut the quote right before the answer. Here is the part that is missing from your quote which answers your question: '[...]with a default “gubmint bad!” position'


Pretty clearly implying the diminished mental capacity which prevents us from agreeing with him, no? I addressed this above:

> The "they would agree with me if they were smarter" trope is tired and gets us nowhere.


Perhaps you should consider the possibility that the reason why libertarians assume a default "gubmint bad!" reaction to new policy interventions is that they are sensitized due to decades of experience seeing multitudes of government interventions both (a) fail to achieve their intended outcomes and (b) create unintended consequences, often worse than the problems they are meant to solve, instead.

Personally, I find it very very strange that many of the people who call for regulation as a remedy to perverse incentives manifest in commercial markets seem unwilling to recognize the existence of even more perverse incentives in the political realm. If people seeking profit sometimes do bad things to get it, why would people seeking political power be expected to behave differently?


Some people have a default “gubmint gud business bad” position and assume that disagreement is only possible if you’re a brainwashed bootlicker.

I say that's unfortunate.


That's beside the point. If you are in favour of government intervention you should be all the more interested in good policies that have the intended effect.

Bad laws boost libertarianism.


Also, lying about good laws boosts libertarianism.

At least until you realise what they're doing, then you think they're skeevy corporate toadies with no morals.


No, it does not work both ways. The roles of governments and corporations are not symmetric.

Good regulation is regulation that has good outcomes. If a law has bad outcomes it is a bad law. You can separately complain about what companies are doing but that doesn't change the fact that it's a bad law.

It is of course debatable whether GDPR as a whole has bad outcomes, but if we're talking about cookie banners in isolation then it certainly does.


> No, it does not work both ways. The roles of governments and corporations are not symmetric.
>
> Good regulation is regulation that has good outcomes. [...]

You don't seem to explain what the role of corporations is or what a good corporation looks like. If these things are not symmetric, you need to finish your explanation of why or how they aren't.

Corporations and the whole of property rights only exist because of government protection, so it would be pretty audacious--in my opinion--to assert that corporations have no duty to behave to the benefit of society. I'm not saying that's your claim, but I'm curious as to how close you're willing to get to that claim...


Governments are supposed to represent the whole of society. The justification for their policies is ideally based on democratic legitimacy. No entity outside of government can possibly have that legitimacy.

In my opinion it is not audacious at all to reject the idea that corporations should intentionally pursue societal goals or claim to act out of a sense of duty.

Of course we want the effect of what corporations do to be of net benefit to society as a whole. But this cannot be based on their intentions or sense of duty. It has to be based on the systemic effects of them pursuing their own (possibly enlightened) self interest within the framework of the law.

It is for governments to make sure that these effects are beneficial and to intervene when they are not. So the asymmetry I see is that capitalism is a tool of society, not the other way around.


I would regard it as a duty of government to ensure that using the internet is safe and respects user privacy, but not to ensure that the internet has a clean UI. To that extent, I'd argue that the EU is achieving good outcomes. Ensuring a clean UI and smooth user experience is one of those things that should manifest as a result of market economics, but does not manifest because markets don't really work that way.


I see absolutely no reason why clean UX should manifest as a result of market forces. Media consumers, on average, are clearly unwilling to pay for ad-free experiences.


I won't pursue that assertion as it's tangential. I shouldn't have brought it up. The main point is that clean UX is not the purpose of the EU's data laws.


> In my opinion it is not audacious at all to reject the idea that corporations should intentionally pursue societal goals or claim to act out of a sense of duty.

I still find it somewhat silly to reject the idea that a corporation (run by human beings) shouldn't intentionally be evil for the sake of maximizing profit, but I do understand that this is a fairly common Friedman-esque point of view.

But, even so, I guess "duty" was the wrong word for me to use. I more meant that if a corporation does NOT benefit society, we should expect the corporation to stop existing. So, in that sense, there's a "duty" (existential requirement) to benefit society.

> Of course we want the effect of what corporations do to be of net benefit to society as a whole. But this cannot be based on their intentions or sense of duty. It has to be based on the systemic effects of them pursuing their own (possibly enlightened) self interest within the framework of the law.
>
> It is for governments to make sure that these effects are beneficial and to intervene when they are not. So the asymmetry I see is that capitalism is a tool of society, not the other way around.

I feel like you're circling back around to almost disagree with yourself. Several comments back in this thread someone made a point about "unintended consequences" of the law and applying "game theory" logic to it, and another commenter replied that the companies in question could also have seen the law coming if they misbehaved too badly. That commenter asked if the "game theory" logic shouldn't go both ways, and that we should then blame the corporations for the regulation because the government is just doing what governments do.

You replied that the argument does NOT go both ways because the roles of government and corporations are not symmetric.

But, what you're arguing here seems to be consistent with the view that the "unintended consequences" and "game theory" logic DOES go both ways. You acknowledge that it is a government's duty to intervene when corporations are not benefiting society, and you also say that corporations will pursue their own self-interest within the framework of the law.

I don't mean to put words in your mouth, but the only way I can resolve this asymmetry in my mind is to have a framework where corporations doing things that are bad for society is okay, because the government is supposed to stop them; but if the government is unable to fully stop them from being bad, then it's STILL not the corporation's fault, but the government's...

It just sounds like we've gotten lost in the abstractions of corporations and governments. At the end of the day, these are decisions being made by fellow sentient human beings, and if a corporation's humans make some evil decision, I refuse to let them off the hook with "well, free markets" and "they have no choice but to maximize profits".


> I still find it somewhat silly to reject the idea that a corporation (run by human beings) shouldn't intentionally be evil for the sake of maximizing profit, but I do understand that this is a fairly common Friedman-esque point of view.

On a very general level, the idea is that not every part of a complex system has to incorporate all the principles of the system as a whole. Individual parts of the system can have limited roles and responsibilities. That's fine and it has nothing to do with being evil.

Defense lawyers must defend their clients to the best of their ability whatever horrible things they may have done. Juries, judges, prosecutors, they all have their specific roles to play.

It's the justice system as a whole that should result in justice being done. If everyone involved tried to pursue their own interpretation of generally desirable societal outcomes, the justice system would be unfit for purpose.

And here's the asymmetry again. Those designing the system as a whole have to think about societal outcomes as part of their job (as does every citizen). Those acting in a specific defined role as part of the system can only do that in limited ways or under exceptional circumstances.

Corporations are run by people, but these people act in a limited role that is defined in such a way that pursuing specific societal outcomes does not necessarily boost the likelihood of their personal success or the success of the corporations they run.

If there is a conflict between certain societal outcomes and making a profit then those executives willing to prioritise profits will be the ones running the successful corporations. That's why it's so futile to bet on corporations acting against their self-interest in significant ways. They are systemically incapable of doing that (on average - exceptions are always possible).

That's why I'm saying that if we want to make corporations act in desirable ways, we have to make laws rather than appealing to the conscience of those running the corporations.

> I don't mean to put words in your mouth, but the only way I can resolve this asymmetry in my mind is to have a framework where corporations doing things that are bad for society is okay, because the government is supposed to stop them; but if the government is unable to fully stop them from being bad, then it's STILL not the corporation's fault, but the government's...

The question I'm asking is who can fix a particular issue, and if the issue isn't getting fixed then I'm assigning blame to those whose job it is to fix it.

Corporations collectively can't fix an issue when the only fix is not exploiting a particular economic opportunity. If one corporation stops exploiting the opportunity, another one will.

That said, of course I do blame corporations for stuff all the time. There's nothing wrong with that. Blaming them is sometimes effective consumer power. It can take away the economic opportunity as the reputational damage may outweigh the benefits. Blame can also help build momentum for a change in the law.

But if laws are made and they have giant loopholes in them, then I blame lawmakers for doing a shoddy job.


Exposing the fact that the entire internet is tracking is actually a good outcome.


Your framing heavily incentivises malicious compliance. After all, if the subjects of regulation coöperate to derail, delay, mislead the public and overload enforcement, it's going to have a bad outcome by default.

The main problem with GDPR is the scale of non-compliance greatly exceeds the size of any reasonable enforcement capacity, at least until enforcement catches up.


The blog clearly works from the actual outcome lens. It's repeated. Several times. The companies could just not track.

The actual outcome is that they do want to track, and use adversarial patterns and malicious compliance to twist your arm and "force consent."

Paul Graham is still wrong.


> The blog clearly works from the actual outcome lens. [...] The companies _could_ just not track.

No, you've inadvertently stated a contradiction. Your use of the word _"could"_ is literally a hope/wish/intention of the law.

In contrast, the actual outcome is that the companies didn't stop tracking. We _wish_ they would stop tracking. (I.e. "The companies _could_ just stop tracking us!") But that hope still doesn't change the observation of reality.


The law is not code. Equating hope with the intention of the law is a poor way to think about it. The law is to protect users against opaque companies and to enable them making informed choices.

If companies act maliciously to contort around the law and force users back to making uninformed choices, it is the companies' fault and not the law's. Companies could have followed the interpretation of the law unobtrusively. But they didn't.

Invoking "reality," semanticking a position, do not make Graham's position justified. Neither does it make the blog wrong.


But companies have stopped tracking (or they've started lying). I can now opt out. I could not before.


Can you really say that confidently? I think a lot of these companies would go out of business if they didn't track users so it seems like under the law they have no option but to show cookie banners. Or are you claiming the law exempts companies in such circumstances?


I'm sure illegal/unethical actions would help a lot of struggling companies.


(author here)

I'm a fan of second-order thinking and unintended consequences, so I'm with you there. How would you frame a "don't track people without consent" without unintended consequences?

The article tries to make the point (perhaps fails) that companies do this intentionally to get the "consent" of people against their will, therefore walking the tight line of breaking the law without breaking it.


> How would you frame a "don't track people without consent" without unintended consequences?

Drop the consent requirement? I.e. just don't track people. No third-party cookies, first-party only, and only for the correct operation of the site.

It's not the cookies that people object to, it's the tracking. Tracking provides no benefits to visitors. If there were no tracking risk, there would be no need to require consent.


> It's not the cookies that people object to, it's the tracking. Tracking provides no benefits to visitors

Sure it does. Visitors get to use all those great sites and apps without paying for the services directly.


"directly" does the heavy lifting here. Users (on average) still end up paying for the services in the end.


That's not a benefit of the tracking. That's a benefit of the advertising dollars.

I have yet to see any kind of meaningful study showing that tracking improves the ROI on advertising by anything remotely resembling enough to justify it.


> Drop the consent requirement?

Don't ask users what they want. Let me, denton-scratch, decide for all of them. Wow, what a brilliant idea!


Probably the same way most laws end up. We see the unintended consequences, then revise the law to counter the consequences. Thus the cat/mouse game continues.

An idea could be that the tracking has to be opt-in AND the webpage cannot stop critical use of the page as part of the opt-in process.

Then another round of consequences.. rinse repeat...


> An idea could be that the tracking has to be opt-in

Why would anyone opt-in? Tracking provides zero benefits to the site visitor.


Why does there need to be a reason for them to opt in? Maybe they just don't. That's okay. Like you say, zero direct benefits.


The problems with the current law are:

- no fines for non-compliance (or malicious compliance)

- no legal liability for data leaks of PII

When businesses believe (correctly or incorrectly) that the benefit of tracking outweighs the cost (annoying users, regulatory noncompliance) they will do it. The fix is to make tracking too costly for businesses.


> - no fines for non-compliance (or malicious compliance)

"The Biggest GDPR Fines of 2023"

1. Meta – €1.2 billion (Ireland)

2. Meta – €390 million (Ireland)

3. TikTok – €345 million (Ireland)

4. Criteo – €40 million (France)

5. TikTok – €14.5 million (UK)

6. Axpo Italia Spa – €10 million (Italy)

7. Tim S.p.A. – €7.6 million (Italy)

8. WhatsApp – €5.5 million (Ireland)

9. EOS Matrix – €5.5 million (Croatia)

10. Clearview AI – €5.2 million (France)

"GDPR fines are designed to make non-compliance around data security a costly mistake and they can be separated into two tiers. Less severe infringements can result in a fine of €10 million or 2% of a firm’s annual revenue from the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm’s annual revenue from the preceding year, depending on what is higher."

via https://www.eqs.com/compliance-blog/biggest-gdpr-fines/


Which ones of those fines were because of inappropriate use of cookie consent popups?

You just copy-pasted a list of GDPR fines.


> fines were because of inappropriate use of cookie consent popups?

see: "8 companies that faced cookie consent fines"

https://www.cookieyes.com/blog/cookie-consent-fines/

"In January 2023, France’s data protection watchdog, CNIL, fined TikTok €5 million ($5.4 million) for making it difficult to refuse cookies on its website. The CNIL found that TikTok manipulated consent by discouraging users from rejecting cookies. They required multiple clicks to refuse cookies, but only one click to accept them. TikTok resolved the issue by adding a “Refuse all” button to its site."


Fines for data breaches is one idea? If we want to disincentivize data hoarding, the main cost to data hoarding is data breaches, so we could perhaps penalize that.

This would have a different issue, specifically companies would no longer self-report data breaches, but it's just an idea. There are alternative approaches to getting to "don't track people without consent" that aren't a toothless stick by making it more expensive to track.


Here's my idea - no data collection without compensation. For example, you must pay me in advance 1 cent for the permission to access 1 byte of my personally identifiable information for the following month, whether that's stored in a cookie or in your own database or you access it via a third party (e.g. Meta). So instead of a "cookie consent" pop-up, I want a "cookie payment" pop up where the site will ask me for my payment details and say how much they'll pay me (again, in advance) for each of the options I can toggle.


> the main cost to data hoarding is data breaches

... the main cost at the moment. I think we as a society are very close to a tracking/data tax.


> The article tries to make the point (perhaps fails) that companies do this intentionally to get the "consent" of people against their will, therefore walking the tight line of breaking the law without breaking it.

That X button is right there at the top near the tab name. Not sure how a user could be forced against their will into staying on the site presenting them with a cookie banner.


Everyone knows that bad actors will continue to behave badly in the face of the law. This isn't the insight you seem to think it is.

Really, PG's tweet has little to do with game theory or anything else. It is a first-world-problem whinge about having to click through cookie banners. Assessing the "actual outcome" of complex regulation and legislation is a task beyond the scope of a single tweet.

It might be useful for Graham to determine what claim he is trying to make in the first place. Is he rebutting a particular EU representative for boasting about how good they are at regulation? Or is the idea that the EU shouldn't have the audacity to attempt to regulate in the first place?


I consider it a good outcome when I can clearly identify shitty websites and just click the back button.


Except many companies respond to the cookie law with a cookie consent popup that violates the law (by making opt-out harder than opt-in).

Could we really have predicted from the "Law of Unintended Consequences" that companies would respond not by tracking less nor by giving people an easy way to opt out, but with a cookie consent popup that is not compliant and also really annoying to their visitors?

This is better explained by business operators being ignorant of the actual law and being ignorant of the UX impact.


There are a lot of ridiculous things a company can choose to do in response to any given law. Those choices are not mandated by the law. Horrible consent UX is not the only option to choose from.

Government can, and should, analyze likely (or unlikely) unintended consequences and use those to further shape the law, but at the end of the day, those consequences come from choices that people who are subject to the law make.

I think the big mistake the EU made is they probably thought: “Surely no company would choose to abuse their customers with horrible UI just because they don’t like the law and want to take their collective frustration out on their users!” The EU was obviously wrong about the extent to which companies would throw their users under the bus while maliciously complying.


The actual outcome is, from my experience, that tracking has reduced, a lot. When this law was enacted, *we all removed "like on Facebook"* buttons. Remember those? Yeah, we don't see them anymore. Google Analytics also was forced to change, at least a little.

Is there still tracking? Sure. But it's not so blatant anymore. There are hoops one needs to jump through. And that was the point - to make tracking harder.

None of my projects have cookie banners. Why? Because I use a first party tracking system (Matomo), I anonymize all visits and I respect DNT. It's that easy.


It’s not the difficulty level that people object to.

It’s a combination of two things:

1) the law comes to the rest of the world from Europe. We (rest of the world) didn’t vote in the people who brought it. We’ve had quite enough of Europeans making rules for the rest of the world in the past few centuries thank you very much.

2) GDPR encodes an expectation that may or may not be common in the EU, but certainly isn’t common elsewhere. I don’t have any expectation of privacy when I walk in public or when I give any information at all to a business. My solution to this is: a) I wear pants outside, and b) I don’t give out private information. Whether the business ecosystem knows their age and purchasing patterns is largely immaterial to virtually everyone I’ve ever met.

And don’t show me a survey showing people don’t like it - if you prime people with the question, of course they will respond that way. They know their info is being gathered, and they just don’t think it’s as big a deal as GDPR would like it to be.


So, I get your point. I can see how (1) can be aggravating. Can't really say anything to defend it, that's the Brussels effect for you. From the point of view of your own sovereignty, it's a bad thing, period. From the point of view of an effect on the lives of average people, I'm not so sure it's so cut and dried.

Now, point (2) is, unfortunately, in the same vein as smoking, pollution, seat belts etc. Uninformed people (uninformed because they have better things to do) are not protected from their lack of knowledge. They suffer the consequences just the same.

And while I agree that an informed person making a self-destructive choice has (in most cases) the right to do so, there is something to be said about the very, very powerful exploiting the uninformed. And this is where GDPR comes into play. It's protecting normal people from a very, very big threat that is not that obvious and is being wielded by the powerful.

GDPR is one of those laws restraining western corporations from going full dystopian future on us all. I said restraining, to be honest, I think it's just slowing them down.

And as far as surveys go - it used to be the same here. Europeans didn't care and said exactly the same things (i.e. the famous "I didn't do anything wrong, so I have nothing to hide") and then activists worked for years to educate them that, at the very least, it's leading them to buy things at higher prices. Now most people are extremely sensitive to their data.


I get it - what you're saying is a very common-sense regulation. Reasonable people can disagree about this.

But different societies prefer a different balance here.

Americans are used to a more caveat emptor situation. Europeans want more regulation. Which one to choose is a political choice.

What's happening is that the political choice that the EU went with is being forced on the rest of us, whether we like it or not.


With all due respect, you're speaking on behalf of 1 person here, not an entire country of people, and certainly not the entirety of the non-E.U. world. "We" can speak for ourselves, and don't all agree with the views you're ascribing to us. And "I" don't agree with the sort of stereotyping I'm responding to.

I'm personally glad someone is doing something for my privacy here. My own government, due to regulatory capture, is unlikely to act in my best interests here.


Uh, what?

Because the EU is forcing you to do something that you want to do anyway, you now like it?

If you want cookie banner laws in your non-EU country, vote for it.

I don’t want some bureaucrat I didn’t vote for issuing diktats that affect how I build my business and my websites.

The entire point is that we all need representatives in government.


The EU isn't forcing me or you to do anything.

The article elaborates on this point: There Is No Cookie Banner Law. Only bad website operators choosing to abuse their users with annoying consent dialogs.

Nobody in Europe is issuing "diktats", meaning citizen-supported legislation I guess, or affecting your business, unless you're trying to deal with their citizens' data. Just don't process EU citizen data and it's not an issue. Better yet, just don't track users.

In any case, your disagreement only serves to underscore that you were speaking on behalf of 1 person, not any country or countries. Otherwise, we wouldn't be disagreeing!


I actually self-host all my web assets and use Matomo already. So I do actually agree with the premise.

What I object to strenuously is someone dictating terms to the world from distant shores, especially since they seem not to get how the internet works (it’s all funded by ads, online sales, and ads for online sales, all of which involve metrics and tracking!)

The diktats I mentioned include a ruling that Google Fonts are illegal now. So if I’m using those, or I’m using Google Analytics, and a European happens across my site, I’m now a criminal? Fuck that.

The consequences of contravening the GDPR are uncertain but sounds scary. This is terrible for the open and free internet.


Please tone down the hyperbolic rhetoric and FUD. Consider how strongly you can make your point without them.

To the point: Nobody in Europe is "dictating terms to the world", or "issuing diktats", meaning passing citizen-supported legislation I guess, or affecting your business, unless you're trying to deal with their citizens' data.

> The diktats I mentioned include a ruling that Google Fonts are illegal now. So if I’m using those, or I’m using Google Analytics, and a European happens across my site, I’m now a criminal?

No, because website operators have at least 4 more options:

1. Don't process EU citizen data (block them).

2. Don't track users, period (host the font on the site instead).

3. Don't track users until they log in (convert them).

4. Get users' informed consent (let them know that they'll be tracked on the site due to the choice of google fonts instead of hosting a font).

Wow, that wasn't scary at all! The general attitude I'm getting from some folks, though, is that they want to do anything they want to users without consequence and never change. This attitude is going to lead to a lot of anguish. Others have rights, too, and they override our right to do whatever we want to them, in many cases.


Here's the problem.

> 1. Don't process EU citizen data (block them).

Many webmasters have neither the time nor inclination to read up on EU law. So blocking is the easiest and safest solution to minimize our legal risks. This is absolutely terrible - I grew up dreaming of an internet that is really humanity's network; not islands separated by political allegiance.

I agree that I can tone it down, but 99.99% of the FUD around is directly the fault of the EU for not making it crystal clear what the theory and practice around their internet laws will be.


Luckily that's just 1 of the 4 options, and those 4 options are just 4 of many options, so no need to focus on 1 of many and say you don't like it: you can just choose another! Or you can choose to create the islands. I don't see what's so terrible about that.

Did website operators think they could keep violating the rights of EU citizens indefinitely? I mean, based on enforcement capacity, chances are most operators can, but it'd be good to stop. IMO, a network for humanity should prioritize humans and their rights over tracking and ads, and the lack of respect for those rights is what I find terrible.

Real talk: if you have questions about the GDPR, ask them, and I'm sure the smart folks at HN will be able to help you find answers and overcome obstacles. You can build and not break laws, whether GDPR or ITAR, we can help. Nobody's saying it'll be zero work, but nobody's entitled to run a business doing whatever it wants with zero work, either, and shouldn't expect to.


You keep missing my point, possibly on purpose, so I'll end this here.

The EU and the US and China disagree about what user rights are and what reasonable behaviour for a website is.

If one of those parties enforces their vision onto their traffic, it has a chilling effect - splitting the net into federations. By making GDPR super vague, the EU just makes everything worse, including for Europeans. If you disagree that the rules are vague, I'll refer you to the rest of this thread. Nobody knows what's being enforced or what the penalties are.


As far as the GDPR goes, only webmasters choosing to ban entire countries of users out of greed (wanting to unfairly profit off users) or laziness (not caring enough about the privacy of their users) or spite (punishing users because you don't like the GDPR) can achieve the splitting you describe. If it happens, it would be their decision, and thus their fault.

Real talk though, again: you say you personally feel the GDPR is vague. If you have questions about the GDPR, ask them, and I'm sure smart folks at HN will be able to help you find answers and overcome obstacles. You can build and not break laws, whether GDPR or ITAR, we can help. If you have troubles building, share them with us, let us advise you. Nobody's saying it'll be zero work, but nobody's entitled to run a business doing whatever it wants with zero work, either, and shouldn't expect to.


I see your point, but then to have a constructive conversation Paul Graham should also give his two cents about how the law could be improved. I don't know him, so I'll ask here: did he do that?


Paul Graham focused on whining about regulation as he always does


The outcome would be much better if the law explicitly stated that the initial cookie banner must have a "Necessary cookies only" opt-out one-click option. And that this option means truly necessary, not the Internet Explorer is needed by the operating system 'necessary'.
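As an added example that is not part of any comment here: the one-click "Necessary cookies only" option proposed above, plus the DNT-respecting, consent-gated setup described a few comments earlier, modelled as browser-side decision logic in plain JavaScript. The cookie names, script names and signal values are constructed for the example, and the browser signals are passed in as plain values so the logic also runs under Node.

```javascript
// Consent gate for a site that tracks only with informed consent.
// Design rules encoded here:
//   1. Default is "necessary only"; nothing non-essential loads before a choice.
//   2. A machine-readable opt-out (DNT / GPC) is honoured as a refusal, no dialog.
//   3. Refusing must cost no more clicks than accepting (the TikTok fine above
//      was for the opposite asymmetry).
//   4. "Necessary" means the site breaks without it, not "our analytics needs it".

const NECESSARY_ONLY = Object.freeze({ analytics: false, ads: false });

// Constructed classification of the cookies this hypothetical site sets.
const COOKIE_PURPOSE = {
  sid: "necessary",   // login session
  csrf: "necessary",  // anti-CSRF token
  _ga: "analytics",   // third-party analytics
  _fbp: "ads",        // third-party ad tracking
};

// In a browser these come from navigator.doNotTrack, navigator.globalPrivacyControl
// and localStorage; here they are explicit parameters.
function resolveConsent({ stored = null, doNotTrack = null, gpc = false } = {}) {
  const complete =
    stored && typeof stored.analytics === "boolean" && typeof stored.ads === "boolean";
  if (complete) {
    // An explicit earlier choice (accept or reject) is respected as given.
    return { choice: stored, ask: false, reason: "stored" };
  }
  if (doNotTrack === "1" || gpc === true) {
    // Browser-level opt-out: treat as a refusal and do not show a banner at all.
    return { choice: NECESSARY_ONLY, ask: false, reason: "dnt-or-gpc" };
  }
  // No record and no signal: stay at necessary-only and ask once.
  return { choice: NECESSARY_ONLY, ask: true, reason: "unanswered" };
}

// Dialog model: both outcomes are a single click and the refusal is listed first.
function consentDialog() {
  return {
    buttons: [
      { id: "reject", label: "Necessary cookies only", clicks: 1, result: NECESSARY_ONLY },
      { id: "accept", label: "Accept all", clicks: 1, result: { analytics: true, ads: true } },
    ],
  };
}

// Lint for rule 3: a dialog where rejecting takes more clicks than accepting fails.
function isSymmetric(dialog) {
  const reject = dialog.buttons.find((b) => b.id === "reject");
  const accept = dialog.buttons.find((b) => b.id === "accept");
  return Boolean(reject && accept) && reject.clicks <= accept.clicks;
}

// Only the third-party scripts for permitted categories are ever loaded.
function scriptsToLoad(choice) {
  const scripts = [];
  if (choice.analytics) scripts.push("analytics.js");
  if (choice.ads) scripts.push("ads.js");
  return scripts;
}

// Filters the cookies the site may set under a given choice. Unclassified
// cookies are refused: anything not audited is not "necessary".
function cookiesPermitted(choice, names) {
  return names.filter((name) => {
    const purpose = COOKIE_PURPOSE[name] || "unknown";
    if (purpose === "necessary") return true;
    if (purpose === "unknown") return false;
    return choice[purpose] === true;
  });
}

// Stand-alone walk-through of the three entry paths.
function demo() {
  const fresh = resolveConsent({});
  const signalled = resolveConsent({ doNotTrack: "1" });
  const returning = resolveConsent({ stored: { analytics: true, ads: false } });
  return {
    freshAsks: fresh.ask,                        // true: banner shown once
    signalledAsks: signalled.ask,                // false: DNT honoured silently
    returningScripts: scriptsToLoad(returning.choice), // ["analytics.js"]
    dialogOk: isSymmetric(consentDialog()),      // true
    rejectedCookies: cookiesPermitted(NECESSARY_ONLY, ["sid", "_ga", "_fbp", "csrf", "foo"]),
  };
}
```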


It’s unfortunate, if companies are okay not tracking you, that they care little enough about their user experience to use cookie banners.


I’m not surprised. This is a “hot take-centric” platform issue, and a laziness in trying to understand him too. Or... two people on the street yelling at each other but not listening.


Part of what it means to be "good at regulation" is to anticipate the likely consequences of regulations. So a regulation that says that "businesses must now give away their products for free, unless they honk each customer's nose" will result in a lot of sore noses.

Which is basically the case here. Almost all websites make money through ads, or at least keep logs of user activity to help them optimize their website, and that's not going to change, so the EU's boneheaded regulations make the customers suffer a little extra.


> Almost all websites make money through ads,

Doesn't require tracking of individuals.

> or at least keep logs of user activity to help them optimize their website

Doesn't require tracking of individuals.


> Doesn't require tracking of individuals.

Only if you maintain your own ad inventory, instead of using Google/Facebook ads like 90% of online advertisers do. And neither of those platforms work without installing their scripts on your site.


Sure, lots of people want to sell my data. That's a choice. You don't need to do that for advertising - it's a pretty recent invention having fully personalised adverts.


And they did it that way because they could. It could be done a different way.


It would be like opening an independent video store when the entire market has moved to streaming. Yeah you could try it, but there are good reasons not to.


The only change needed is to let people default to no.

After all, Google and Facebook still show ads if a user doesn't consent right?

I bet they'd add that option in a heartbeat if people would leave them otherwise.

The scale of this kind of thing is ridiculous. Opening a basic news site and I'm asked to consent to my data being taken and used by 750 companies.


> Doesn't require tracking of individuals.

Building a house doesn't require power tools, but if your company tries to do it with hand tools we'll see who goes bankrupt first.


Building a house doesn't require using cheaper but more dangerous materials either, but people try to; that's why we have regulations.

Analogies can be pithy but are rarely useful as an argument. Talk about reality.


analogies are even less useful when you make it to a widely regulated sector and seek anti-regulation analogies.

I am sure the construction sector is overflowing with grumpy people who feel like asbestos is the best form of insulation.


Correct me if I'm wrong, but aren't IP addresses considered to be "personal information" and therefore collecting them is "tracking" under the GDPR?


Yes, but it depends what you're doing with them as to whether you need consent. If you're keeping a record of my IP address and what I do on your site to sell me stuff then yes, you're tracking me and need my consent for that. If you've got my IP address in your logs because you keep security logs for reasonable timeframes then you don't need my consent - though you do need to handle them appropriately because it's my personal data.


My guess is that they are because ISPs may keep records of them—I think they are required to in some jurisdictions. But you don't have to store IPs in your server logs.


You're also allowed to store IP addresses in your logs, you just have to take care with the data and the reason you're storing them needs to be justified - either because you have a legitimate interest in doing so (e.g. security) or because you have my explicit consent.

If I order something from an online shop, they don't need to have a banner in order to take my name and address to post the item to me - that's fully expected and reasonable. They do need my consent if they want to use that to post adverts to me though.


What else would you need my IP address for?


Uh...DDoS and spam protection?


Then store it for that purpose, don't use it for anything else, and delete it when it's not useful anymore (realistically, for these purposes, after a few minutes to an hour?).
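The practice described in this reply, and in the earlier reply about keeping IP addresses in security logs, as an added Python illustration that is not part of the thread: raw client addresses are used only for abuse detection inside a retention window and are coarsened to a network prefix afterwards, so the log stays useful without continuing to identify a host. The one-hour window, the /24 and /48 coarsening, the abuse threshold and the log lines are all constructed assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy values, chosen for this example only: a raw client
# address is kept just long enough to spot abuse (the security purpose that
# justifies storing it at all), then coarsened so it no longer identifies a host.
RAW_IP_RETENTION = timedelta(hours=1)
ABUSE_THRESHOLD = 5  # requests from one address inside the window that count as suspicious

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample access log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2024:10:30:01 +0000] "GET /index.html HTTP/1.1" 200 512
2001:db8:1234:abcd::1 - - [01/May/2024:10:45:12 +0000] "GET /login HTTP/1.1" 200 1024
198.51.100.9 - - [01/May/2024:11:50:00 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [01/May/2024:11:50:01 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [01/May/2024:11:50:02 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [01/May/2024:11:50:03 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [01/May/2024:11:50:04 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - - [01/May/2024:11:58:30 +0000] "GET /about HTTP/1.1" 200 300
"""
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed "current time"


@dataclass(frozen=True)
class Entry:
    ip: str
    ts: datetime
    request: str
    status: int


def parse_line(line: str) -> Entry | None:
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Entry(m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT),
                 m.group("req"), int(m.group("status")))


def coarsen_ip(ip: str) -> str:
    """Drop the host-identifying bits: IPv4 keeps its /24, IPv6 keeps its /48."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def apply_retention(entries: list[Entry], now: datetime) -> list[Entry]:
    """Return the log with raw addresses coarsened once they are older than the window."""
    out = []
    for e in entries:
        if now - e.ts > RAW_IP_RETENTION:
            e = Entry(coarsen_ip(e.ip), e.ts, e.request, e.status)
        out.append(e)
    return out


def suspicious_ips(entries: list[Entry], now: datetime) -> list[str]:
    """Count requests per raw address inside the window; that is the only use of the raw value."""
    counts: dict[str, int] = {}
    for e in entries:
        if now - e.ts <= RAW_IP_RETENTION:
            counts[e.ip] = counts.get(e.ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= ABUSE_THRESHOLD)


def load_sample() -> list[Entry]:
    """Parse the constructed sample log, skipping anything that does not parse."""
    return [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e is not None]


if __name__ == "__main__":
    entries = load_sample()
    print("flagged inside window:", suspicious_ips(entries, NOW))
    for e in apply_retention(entries, NOW):
        print(e.ts.isoformat(), e.ip, e.request)
```

In a real deployment the coarsening step would run as a scheduled job over the stored log rather than in memory, and the window would be whatever the stated security purpose can justify.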


Ok so now a criminal just needs to avoid being detected for an hour and the logs are self-wiping. Sounds like a feature they’ll love!


I thought this was about DDOS and spam protection. If you want to move the goalposts, state that explicitly.


How is that misaligned with your DDOS? It’s not moving the goal posts at all, you just didn't think of that possibility and now are upset.


How can you DDOS if you can only connect once per hour?


Keep them as long as is reasonable, then delete them.


Reasonable means different things in different countries and industries. Some require 14 years of retention.


Absolutely, and GDPR doesn't get in the way of those legal obligations. The point is that you can do what is necessary or expected to provide the service without consent, and you can do much more with consent.


Your point is well made, and this is an unfortunate consequence of the regulation (and I enjoyed the analogy). But it isn't necessary to have cookie banners on every website. GitHub is a moderately complex, user-optimised website, right? https://github.blog/2020-12-17-no-cookie-for-you/


I clicked on that link and immediately got a cookie banner. Am I missing something?


Interesting. Clearly I am providing out of date information.


More interestingly, that article says:

> We are also committing that going forward, we will only use cookies that are required for us to serve GitHub.com.

A few pixels further down, on the cookie banner:

> We use optional cookies to improve your experience on our websites and to display personalized advertising based on your online activity.

I guess now we finally have a rule-of-thumb figure for what "going forward" means: 3-4 years, tops.


OTOH, github.blog is not github.com.


I don't know; I clicked on the link and saw no cookie banner.


It's probably only displayed to EU users. I saw the cookie banner and it left a bad impression on me with such a blog article.


> Almost all websites make money through ads

The EU regulation does not prevent ads from being shown, it specifically targets tracking. No tracking > no banner > everyone is happier > go ahead and show all the ads that are required.


And all that tracking comes down to the inability to take risk on the business side. The ad company wants to be 100% sure that ads are shown to humans, and to pay only for those shown to humans (going deeper - to specific cohorts of humans, which in the past was approximated by the content of the site showing ads). Whereas sites serving ads want to extract as much money as is possible from advertisers based on their audience count.

The incentives are on both sides to one-up each other without tracking - hosts by inflating visitor numbers, advertisers by disputing that.

In a perfect world ad companies (they wouldn't exist, I know, but bear with that) would pay X/month for a site with Y visitors, where X depends on Y. No need for tracking, and roughly over multiple sites and multiple months it averages out.

Not enough conversion rates (risk for the ad company - they could pay less)? Offer a lower rate per visitor next period. Site gets a spike in visitors (risk for the host - they could charge more)? Report a higher estimated Y for next period.

What we got instead is an insane tracking infrastructure that costs way more than any possible profit gained for both sides. It's not even profit - it's avoiding being 'scammed', avoiding risk.

Remember that all that tracking bullshit started before targeted advertising was mainstream and widespread. It all started with bots and inflated click numbers, and inability to accept risk.

Tl;dr banning targeted advertising won't remove all tracking bullshit


Without regulation, how do you expect this market to change?


without total removal of the advertising industry? no change, they will try to find all the ways to skim around the law because they are so entrenched.

I'll take regulated market over unregulated one though.


Well said. It's frustrating seeing people earnestly pretending as if the 'solution' we're living with now is any kind of improvement.


sites know their audience, they know their usual impressions, and that's how marketing sales houses functioned for about one-two decade(s).

it's much simpler for both sides, no crying about bots, etc.

of course it's not great if you want to target Putin et al. ( https://www.wired.com/story/how-pentagon-learned-targeted-ad... )

ad networks can simply send out banners to sites for time slots, and that's it. do you want to advertise healthy food? send it to yoga sites (insert it on #yoga hashtag profile pages, insert it after videos/snaps/tiktoks/reels that the AI categorized as yoga, etc.) ... it's called item-to-item recommendation (use the content of the page - as it was done for - again - decades)

it's perfectly possible to ban and remove tracking bullshit


Hmm, what if people outside of yoga like health food? Or what if some people at the yoga site instead eat fried food but just have a good exercise routine?

your solution here just makes ads less valuable, which isn’t a win for advertisers or sites. if you can remove tracking, and still allow targeting, then you’ve hit gold. short of that you won’t find meaningful buy-in.


> your solution here just makes ads less valuable, which isn’t a win for advertisers or sites

It sounds like that's a natural outcome of the point of the law in the first place: people felt that, for too long, tracking has extracted too much value from them without their consent.

Whether a website "buys in" to complying with the law is of course a risk analysis they can conduct for themselves. Neither advertisers nor sites are entitled to a "win" here.


Ad networks can offer to optimize the impressions, help with targeting.

After all the current implicit user profiling and targeting is already not 100%. Many people use adblockers, many devices are used by more than one user, etc. (In this day and age we are still baffled how Amazon/Google/whatever advertises to us - for days - the same fucking thing we just purchased yesterday. Of course, because based on their model it's still the most likely thing the user might buy or click on, etc.)

Google seems to be already moving away from individual profiles with FLoC - of course they still want all of the data to be able to dynamically allocate users to cohorts (to maximize their profits).

And this is why Tiktok and Instagram just went ahead and are now doing direct sales. (They put a link on the video overlay where the user can go and buy whatever shit the video talks about.)

> isn’t a win for [...] sites

this is something that a lot of people are pushing back on, because their claim is that we need some slack in the system for sites to be able to pursue their own creative vision (however lame, banal, mundane, or seemingly useless it is). before every click was tracked it was okay if some article (or video) underperformed, because in general the advertiser got the increased sales (or brand awareness or whatever they measured)


I’ll be honest, that’s too long of a post to read and a cursory reading didn’t really shed any light on your point of view.

Many of us are old enough to remember untargeted ads, and pretty much all anybody saw at the time was an ad for Cialis/Viagra. 14-year-old girls, 25-year-old men, it didn’t matter, clearly you’re in the market for ED meds. this is a regression and I’ll take anonymized profile data over seeing completely irrelevant ads.

One thing that stood out to me from your post is this

> Many people use adblockers, many devices are used by more than one user, etc.

adblockers see nowhere near the adoption you seem to think, as it’s not many users, it’s a very small minority. and most users in fact have their own device and have for some years now. you seem to be detached from reality.


> this is a regression and i’ll take anonymized profile data over seeing completely irrelevant ads.

exactly. let the user decide. that's why it ought to be opt-in/out.

> you seem to be detached from reality.

I'm simply stating factors that are not insignificant compared to the difference we are talking about.

the policy discussion starts with cost-benefit analysis of "implicit profile-based ads" vs "alternative ads", and I'm simply stating that there are already many factors that ad networks consider.

FB/Meta rolled out Advantage+, which is a machine-learning-based full campaign optimization system. (The advertiser uploads many banners, and Meta tries all of them for various target groups, and learns which one to show for which users.) ... and it did all this because of Apple's ATT (app tracking transparency)


I guess the confusion is about advertising and tracking - the banners are about tracking not advertising.


Advertising can be more targeted (and thus higher paying) when paired with tracking.


So can car insurance, but I'd rather my agent not install a GPS without my knowledge or consent on my vehicle.


not the same, you’re paying for car insurance and they offer you a discount if you allow tracking.

most sites using tracking are providing you something for no monetary cost to you, instead by showing you targeted ads


It's not that different, let's make it the same.

Welcome to my new insurance company! Thanks for requesting a quote (it's free! the quote, not the insurance), my agent will swing by to install a GPS chip while you sleep. We're not doing anything malicious with it, we just give you a call whenever you're within 5 miles of one of our locations. We'll put it in the bin the vehicle manufacturer conveniently installed for us to hold all the trackers grocery stores and shopping malls use to offer free parking, which you can of course empty out at any time (it's clearly labeled once you remove the oil pan).

What's this, a shopping center now asks before installing a GPS chip on my car (but still somehow offers free parking if I decline)? How inconvenient!


You’re forgetting a key thing, market acceptance. Drive at all once in your life and you’ll realize a majority of people speed. You’re not going to force these people to punish themselves so such a system would have to come from regulation. The market has already said no.


A site can keep logs of user activity to help optimize without tracking my personal data. As soon as a company needs to track me, it's doing more than "optimizing its website"—it's using my data to sell me stuff or selling my data to third parties. And I'm glad it needs permission to do those things.


What if I want to optimize my site for certain classes of users? Say a less than abled person. What if I want to make my product easier to use with various control schemes used by a handicapped person and my product is so complex that tracking this demographic’s usage of my product is the easiest or only way? and what if there is no intent to sell your data?

I could ask permission and delay, or I could just capture the data and run experiments or A/B testing. You should also learn that nobody knows everything, and saying something isn’t required usually is just showing your own ignorance as in almost every case you’ll come across you will find at least one valid use.


> What if I want to optimize my site for certain classes of users? Say a less than abled person.

What are you learning from users' personal data that changes how you do this? Shouldn't your site be accessible, regardless of usage?


Say I want to know why handicapped people with certain disorders are having a difficult time accessing the site. Having a site accessible is a start, but unless you somehow predict difficulties using your product after design changes then you will constantly have to verify things like button sizes and placements.


Showing adverts is not what requires them to ask permission.


those pesky regulations. back in the good ol' days where I could pillage for a living, but then that damn government came and took away my livelihood!

How dare they!

</sarcasm>

Just because you made money off it, it doesn't mean it is right.


Note that this isn't a cookie law, it's also the EU's main anti-malware law. The principle is that no piece of third-party controlled software should write information to your computer/phone, or read info from it, over the Internet, without your prior informed consent (with narrow exceptions for storage/reads that are needed to provide a service you've asked for, or equally narrow functions like load balancing). This isn't just about browser cookies, but also your webcam, your mic, and the contents of your Documents folder.

The principle seems sound, but the EU is deadlocked over reforms to create some extra exemptions, e.g. for security scans/mandatory updates, or privacy-respecting audience metrics. EU regulators are already sort of turning a blind eye to those, so it's fair to say the EU isn't great at regulating - it's not fixing what society mostly seems to see as bugs/overreach in the original (now decades-old) law.


> Note that this isn't a cookie law, it's also the EU's main anti-malware law. The principle is that no piece of third-party controlled software should write information to your computer/phone, or read info from it, over the Internet, without your prior informed consent

So it is a responsibility of the browser vendor to implement this.


No more so than the OS itself. The real responsibility actually lies with the people causing the remote access (e.g. the website operator, the remote hacker, etc).


I mean it currently isn't.

The Cookie banners aren't from the browser they're really from the site.

That said, it seems fair to require the browser vendor to implement it. The browser is the one that exposes a method to store data on the machine (ex. Cookies, LocalStorage) so it seems fair that they should know the user wanted data to be stored.


did they try to make it a standard for browsers? I tried searching but I couldn't find anything


The standard for browsers was called Do Not Track [0], but of course adtech killed it; there is another one now, but unless this is mandated by law or courts it won't go anywhere. Note there seems to be a court decision upholding DNT as rejection of consent [1], but this would have to be much more powerful and broadly adopted to work.

[0] https://en.wikipedia.org/wiki/Do_Not_Track

[1] https://dig.watch/updates/german-court-affirms-legal-signifi...


What do you mean by "the original (now decades-old) law" ? The GDPR is 8 years old.


The ePrivacy directive, mostly referred to as "Cookie law" is from 2002.

https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A...


Yes. Although in fairness, the "cookie rule" part has been updated since then. But not anytime recently.

And the GDPR's subsequent entry into force created the current emphasis on how actively (and individually) you need to consent to things, and how much you have to be told about them first. Stuff like "clicking anywhere on this site, tells us you consent" was a lot more common, pre-GDPR


The funny thing about legislation is that you're responsible for the unintended consequences of your laws too.


In this case, it is just showing that most companies are collecting more data than they need.

You don’t need a banner for the data that is necessary for the service to work at minimum level. There is no role for the consent since the site won’t work otherwise.


It also shows that most people don't care and just want to get on with their day. We know that companies are collecting more data. Now what?


How does it show that? Most people I know are annoyed by this and click on "reject" (if they can find it), but for a lot of non-technical people these banners are just a given because they don't even understand the problem. Doesn't mean they don't care


The close to a million users now on https://www.stilldontcareaboutcookies.com/ suggests that there's a pretty sizable amount of people that care less about the philosophy of European data laws and more about just getting on with their day.


>pretty sizable amount of people that care less about the philosophy

How does it show that?

It shows that they prefer to get on with their day over clicking cookie banners. It says nothing about whether they agree with the philosophy of the GDPR.


How many "normies" do you know that stopped visiting websites that track them? I don't know anybody who isn't in my tech bubble who cares, and very few normies who would rather pay money than to give access to their data.


None. That doesn't mean they don't care. As I said, most people I know are annoyed by this but take these banners and tracking as a given because they don't understand enough about technology and see them everywhere. And let's be honest here, if you were to stop visiting sites that track you, you could just stop using more or less the whole internet. It's not about stopping using these sites, it's about stopping those sites from tracking you, which almost everyone I talk to is ok with. The only people I see that defend the amount of tracking happening on the web are commenters online (here, on reddit, etc.). That leads me to believe it's mostly corporate accounts.

To the point: Not using a site is not the point of it. Insert "yet you participate in society" meme


Apple's do-not-track alert resulted in many people saying they don't want it. And of course, it had an impact on Meta's business. So if websites presented cookie banners in a neutral way without dark patterns to make Reject difficult, "normies" would reject these, I'm sure.


> if they can find it

If it even exists!


This is something a lot of people seem to misunderstand about GDPR. At its core it says you should only process people’s personal data within a lawful basis. There are 6, and consent is only one.

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.


The thing is, if you have any of (b)-(f), why shouldn't you also get (a)?

The maximum fine is 20 million euros or 4% of revenue, whichever is higher. Sure, it probably won't be imposed on a first time violation, but why take the chance?

Could you imagine any lawyer advising a company against requiring consent, even if they have some cover because of a legal obligation? Isn't it much safer to deny service to those that refuse to consent?

Sure, it'll annoy the customer, but right now the customer is used to minor annoyances.


This is true, but the comment you replied to was about the cookie law, not about GDPR. They are separate issues, even if they are obviously related. Cookie law is about not using other people's storage for usage that is not needed, GDPR is about personal information. You can use cookies for saving information that is not personal but that still would need banners.


> it is just showing that most companies are collecting more data than they need.

Thankfully we have EU institutions to protect us from these evil companies. But somehow the EU institution websites all have cookie banners too.


> You don’t need a banner for the data that is necessary for the service to work at minimum level.

We were advised by our lawyers (a top SV tech law firm) that we should include a cookie banner in the EU even if we're only using cookies for functions like login. After eventually switching legal counsel (for unrelated reasons), we were told the same thing by our new counsel.

Either EU law covers cookie banners that use cookies for routine functionality, or it's so (deliberately) vague that even top tech law firms would rather everyone add a cookie banner than risk running afoul of the law. Either case validates PG's argument here.


It is indeed quite complex. I would argue that just the login does not need one.

1. There are users who will come to your website with specific purpose or expectation of your service.

2. Then there are users who came to website by accident and might just try out things without understanding what is happening.

The banner recommendation from the lawyers is likely for the 2nd case. The users haven't subscribed to the service with certain expectations or knowledge of what is expected from them for the service to provide what they want. Or they have zero expectations about the service providing something for their needs.

For example, the login case, the group 1. probably wants to stay logged in if they came to service with expectation of personal service, which cannot be linked to the person without an account.

Or the lawyers just did not understand your service well enough and just said to put the banner and be done with it. For group 2. it is unlikely that someone did not expect or want to stay logged in all the time, but that is a minority and an arguable case whether it is fair to assume that.


If the lawyers don't recommend you add the banner, and you somehow run into trouble because of it, the lawyers will be blamed. However, if they do recommend that you add a banner and you follow their advice, then they can get some more billable hours by recommending some verbiage for the banner, checking your website to make sure the banner is displayed in a compliant way, etc. And even if you don't follow their advice - people rarely fire their lawyer for recommending caution.

So, how did you ever expect the lawyers not to recommend adding the banner? That's like going to a plumber and asking them whether or not you should DIY some installation. Of course they're going to recommend you get a professional...


I would put it another way. Any legislation against doing something is almost always motivated by someone's desire to do that very thing. Legislation is usually a battle of interests where the legislator, ideally, wants to protect the overall interests of the public when they conflict with narrower private interests. When the narrower interests belong to powerful groups, you often expect to see some struggle, and if the private interests have a way of making the regulation seem more intrusive and annoying than the harm it's intended to cause, they would take advantage of that to sway the public in their favour.

So legislators do expect such a struggle, and the shape it takes may be partly their fault, but it's clearly not all their fault. The more power the private interests have, the more likely they are to find some way to fight the regulation. They will certainly do everything they can to convince the public that the legislators are bad at regulation.

In this particular case, however, websites showing banners are also harming themselves as their competitors now have an interest in not showing banners and offering a better experience -- i.e. the regulation makes it worthwhile not to display banners in competitive situations. So we'll see how this all turns out.


No, people cannot escape responsibility by saying "the law made me be belligerent toward my users". It is an intentional choice to use cookies and to make it unpleasant for people.


> No, people cannot escape responsibility by saying "the law made me be belligerent toward my users".

Correction: people should not be able to escape responsibility by saying this.

The problem is that right now people do escape responsibility for saying this because the EU is not properly enforcing these new laws.

Introducing a law and then not enforcing it has consequences, and those consequences should have been foreseen. Either the law is unenforceable due to practical constraints, in which case it's a bad law, or the EU is failing to enforce it due to inability.

Hopefully the EU starts putting more focus on enforcing its existing laws rather than creating new ones.


And use of cookies themselves doesn't demand these banners, nor that they be so obstructive. Just don't collect unnecessary cookies or PII, or put in a prominent banner that doesn't overlap the site purpose.


I guess PG's original tweet assumes that cookie banners are a) bad, b) the fault of the EU, and c) unanticipated and unintended by the EU, thereby demonstrating their incompetence.

I can't really comment on what the lawmakers foresaw or intended, but I'd argue that cookie banners are actually a) good, and b) the fault of companies who can't imagine a better way to treat their users.

The reason I think they're good is that they cause a psychological nuisance to users of software which doesn't go out of its way to do them well or avoid their necessity. Over time I hope this will tend to cause an association in users' minds that sites with cookie banners are somehow seedy or unscrupulous, like pop-up ads.


It's impossible to foresee everything, including the amount of malicious compliance.

In the end we are better off with this legislation and its future iterations and additions than we are without it. The extent to which people's data is misused is simply ridiculous.


So perhaps that suggests caution be taken in meddling…


Meddling in what way?

'Meddling' causing citizens to lose visibility and corporations to gain more power over data?


Though this was 100% predictable


Yes and no? To some extent, sure. As an example: But if companies or people went out of their way to comply with a law that is clearly not complying with the spirit of the law, just the letter of it, are you really responsible for that? Or are they because they're doing everything to not comply?

Let's say you make a law to reduce working hours from 40 to 37 hours except in "emergency situations". Now a company will force employees to sign off on "emergency situations" every week or they'll be fired. They're clearly not complying with the spirit of the law? Is it really your fault when you make a law like that? I'd say only to some degree, the people trying to abuse every loophole are much more responsible in this case.

Companies using dark patterns, hiding the "reject all" option behind an additional click (which even is illegal) and even trying to collect all data possible are much more responsible than the EU's law. Oftentimes they are collecting data just because, not even thinking about it, because they'll add GA to their WordPress site without even looking at it or whatever. That cookie banners have become the standard around the web is sad because it just shows how much everyone is trying to track you.


Bonus points if you can convince folks to call it the annoying Sign Off law.


You mean the EU should have foreseen that people in tech have no conscience and sensitivity for right or wrong?


It's not enough to write a law on principles alone. It must be clear and practical to comply with and clear how it will be enforced. The EU should not have created a situation where the most practical solution for thousands of companies is a cookie banner.


Eh, I think people have the wrong take-away from all of this.

Imagine if the banner said "This website is known to the state of California to cause cancer". Would you keep visiting the site?

Like if every time you went to the bar, the bouncer asked "Hey, can I punch you in the face?". Would you keep going to that bar?

As annoying as the banners are, they actually aren't annoying enough to change mass-behavior.


To be fair, completely foreseeable.


Yeah, I’m not sure legislators should be on the hook for malicious compliance, though.


Of course not, I was just having a laff at tech's expense.


As a reminder, it's the same people in tech we're trusting to build things like chat bots, "AI", cars that try to drive themselves and rockets that try to land themselves... etc.

You have to admit that if these same people can't be trusted to follow a simple "do not track" directive, humanity is in big trouble.


Sadly, we are. I didn't ever think of myself as an optimist until I realised just how pessimistic it is possible to become, as I've learned in the last 5 or so years. Now I realise I was quite an optimistic person, at least by comparison with my present self.


I mean, humanity is and always has been in big trouble. That's why history is full of disasters, mass death etc.

But I don't think it's that developers "can't" follow a DNT cookie. It's that they won't because it doesn't benefit their employer's financial interests.

Making a rocket that lands, on the other hand, does directly correspond to SpaceX's financial interests.


The thing is, the consequences seem to be very much intended. The consequences of forcing companies to be transparent about tracking, and hopefully letting the users start voting with their wallets as they get annoyed by the omnipresent "We Value Your Privacy"-popups (which is very ironic considering all the dark patterns et al that are used to have users get tracked).

If nothing else, at least now people know just how much they've been tracked. One can only hope that this increased consciousness would help people to choose services that don't track people. For example Hacker News doesn't need tracking cookies nor a cookie popup, and it seems to be doing just fine, even in terms of the law ;)


I would expect that most companies would be ashamed to publicly state that they sell your data to hundreds(!) of data providers and they would fix this before they had to disclose it. But nope, apparently the money is too good. And blaming the government is more convenient.


On the one hand when murders go up because you make using a gun in a crime an automatic 5 year prison term you should have foreseen that possible situation, on the other hand the real bad guy is the one shooting the witnesses.


I think pg is talking about the advertising banners, and yes, congratulations EU you have ruined our web experience to the benefit of even-worse-tracking that mobile applications do.

I think the bigger issue here is that this law did not fix anything, destroyed what little EU online advertising business existed, and focused on the wrong thing. For starters, the European people did not ask for this law, they have bigger problems; it was campaigned for by specific German interest groups to which most EU citizens are indifferent. Ad tracking is/was not a concern for the vast majority of EU citizens (who, again, were never asked about this law). Internet and social media addiction, however, IS an issue that most citizens have, and the EU has spent so much energy and capital on this pointless cookie banner issue that it doesn't have more to spend on solving the addiction issue. Premature legislation always does that, and the worst is, there will never be accountability for such wrong decisions. The people who inspired the legislation are not up in some kind of election, and the upcoming MEP elections have nothing to do with EU politics and everything to do with domestic politics (show me a country where MEP election results are not considered a proxy for national elections).

But it doesn't matter how many times someone points out the political misalignments, there is no mechanism to change that until something really grave happens, when it will be too late.


A personal anecdote: I was charged with adding a cookie banner to my company’s website after having successfully resisted having one for many years. The reason given to me by the new owners of the business was that the marketing department wanted to try some new stuff, and the lawyers told them that it required consent on the part of our users. I was also told that I shouldn’t spend a lot of time on this, and to therefore use an off-the-shelf product (OneTrust), and to not customize it in any way. When I remarked that the default texts for the banner sounded very scary and implied that we did a lot of things that we weren’t actually doing, I was told to leave them unchanged, because we had to assume that they had been vetted by (OneTrust’s) lawyers, and that it would be too legally risky to change them. My argument that OneTrust’s offering was a one-size-fits-all that had to be compliant with the sleaziest, most ad-tech compromised media sites out there, but that we were not that, failed to make an impression.

A couple of observations:

1. Players like OneTrust and the consultants who specialize in this are highly incentivized to play up the risks of not being compliant. My layman’s estimation of the legal risks is that the risk for good faith actors is actually pretty low. If the authorities find that you are not in compliance, you will most likely get a chance to rectify this, and possibly a slap on the wrist. Those scary fines measured in percent of global revenue are not going to be what you face for an honest mistake.

2. Those businesses that rely on invasive tracking, and therefore really must use these banners, benefit from everyone else mistakenly believing that they too must compromise their UX with these banners. It makes what they do seem normal and acceptable.


Great example: Neither hacker news, nor that linked article needed a cookie banner.


The article even has a book ad on the side


Hate this way of thinking where the government (with seemingly good intentions) tries to stop something but leaves a loophole where all our lives are made more tedious, and then people defend it saying the companies should just not do it. Well, we needed the law in the first place, so it's a bit silly thinking to suggest they stop doing it after the law, no?

If the cookie law was written properly then it would have just been a browser setting that had to be respected and this whole thing would have been completely transparent to the end user and they would have benefitted by default.

Instead, through incompetent government employees, we now have cookie banners for the rest of eternity on almost every site, and they're not even standardized, so the worst sites, like where journalists publish, can have more and more obtuse ones.


The law isn't that bad actually, just that the courts have been very slow. The dark UI patterns are actually illegal and have been judged so in court now. This realization just has to trickle down to the companies writing these cookie banners.


  * There was an option of making this non-intrusive, by requiring it to be a browser setting, they chose not to
  * The law went into effect ~6 years ago
  * Companies still break the law by employing dark patterns

My take is that it makes both the law, and the courts bad.


Neither the law nor the court can start any enforcement proceeding.

Clearly, national prosecution authorities can't be arsed and we don't have enough citizen-activists filing strong lawsuits.


My take is that the law tries to dictate UX more than just set ground rules, which good laws do. They pre-emptively set the law such that it prevents any use when the focus is on misuse. The law is about 1st party and 3rd party cookies, not just 3rd party.

In an ideal case, if it was just a law, a simpler wording could be "you are allowed to collect anonymized data, but not monetize/share it without permission from users. We may ask you to furnish proof that you haven't been doing that at times, failing which you would face massive fines (as %age of revenue whatever)."

Problem is collecting basic anonymized usage data[1] is needed by companies to improve the product, provide a better experience, detect misuse. They bundled those use cases with everything else, meaning the law was too broad and we got cookie banners given every site needs basic analytics. On the flip side, worst is that most websites use Google Analytics, so they might have had to display the banners anyway.

[1] Moreover, it's vaguely worded, so companies do not know if they have committed a GDPR offence. By general understanding IP addresses are under GDPR. You can get that via request headers. So, to be on the safe side, even anonymized analytics tracking is considered under GDPR.


Usage data is NOT needed to improve your website.

> Moreover, it's vaguely worded so we companies do not know if they have committed a GDPR offence.

Only if they are trying to skirt the law.


If it was so clear, why do we have European courts giving clarifications now that were not clear at the time of the original law? Like this: https://www.gdprsummary.com/cookie-consent-must-be-an-active...

Notice the part about how purposes cannot be bundled together. EU's own website does that till date.

> NOT needed to improve your website

When I say usage data, aggregated data about how many people bounced off my page, or how long it took for my webpage to load under different internet connections, is absolutely needed for me to make sure every user that comes on the page is having a good enough experience. I may not save any info, but those numbers are definitely used in aggregate. If the bounce rate is too high, content is not useful for people I am reaching. If I can't know that, how does the webpage get better? That is usage data. I do not care about who the person is, but I would want to know whether it was one person doing one action 100 times or 100 different people doing the same action. Makes a massive difference.


> The law isn't that bad actually

I've clicked 3 cookie banners today alone and it's not even 2pm yet.

How many cookie banners have I clicked in my life so far? How many cookie banners can I expect to click over the remaining 40-50 years of my life?

The law is objectively bad.


>The law is objectively bad.

No, the websites you visit are probably bad.

Which cookies did you have to accept/reject? What do they do? Why do the websites believe they must ask you to accept them?

Also, the law allows browsers to automatically accept/reject the cookies on your behalf (actually, the law does not care about which specific technology the websites use to collect and process personal data). You, as a user, can choose a browser/extension that rejects these cookies by default, except the necessary ones. I use https://addons.mozilla.org/en-US/android/addon/istilldontcar... and I haven't seen a single cookie banner for years on desktop and mobile. I don't like cookies and I like the law.


> If the cookie law was written properly then it would have just been a browser setting that had to be respected and this whole thing would have been completely transparent to the end user and they would have benefitted by default.

The law does not mandate websites to display a cookie banner. There are already "Do not track" settings in browsers. A website could choose to honor that setting and not track you without ever showing you a cookie banner. But most don't.


But the websites are still putting up banners in my way, and they never remember what I consent to anyway, they just ask every time.

They didn't do this before the regulation. It doesn't much matter whether a website could do better, they simply aren't going to do better unless forced to.

> A website could choose to honor that setting and don't track you without ever showing you a cookie banner. But most don't.

Exactly! Either fix the regulation to say they can't make UX worse or throw it away.


> They didn't do this before the regulation

Yes, because they just tracked you and you didn't have a choice and didn't even know that they were tracking you probably.

You don't seem to understand what GDPR does. Very simply, it says: "Hey, if you run a website and want to store cookies in your visitors browsers that helps you track them, you need to ask them first if that's ok".

There are multiple paths websites could take:

1) Don't set tracking cookies -> No need to ask the visitor for consent

2) Honor "do not track" headers sent by browsers -> Only need to ask visitor for consent if the browser didn't set "do not track" header

3) Ask the visitors, but do it in a nice way that doesn't disrupt the whole browsing experience -> some examples are given in the blog post

There are a lot of browser extensions that hide or click reject cookies for you, so you don't need to see 99% of all cookie banners. Have you tried using some of them?
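The three paths listed above as request-handling logic, added here as an illustration and not code from the comment or from any project it names; the consent cookie name, its lifetime and the treatment of the Sec-GPC header are my assumptions:

```python
from enum import Enum
from http.cookies import SimpleCookie
from typing import Mapping

# Hypothetical cookie name used only in this example. It records the visitor's
# own answer and carries no identifier, so it is itself a strictly necessary
# cookie, not a tracking cookie.
CONSENT_COOKIE = "analytics_consent"
CONSENT_MAX_AGE = 180 * 24 * 3600  # assumption: re-ask after six months


class Decision(Enum):
    NO_TRACKING = "serve page, set no tracking cookies, show no banner"
    ASK_CONSENT = "serve page without tracking, show a non-blocking prompt"
    TRACK = "tracking permitted by an explicit, recorded 'yes'"


def decide(headers: Mapping[str, str], cookie_header: str = "",
           site_uses_tracking: bool = True) -> Decision:
    """Pick which of the three paths applies to one request."""
    # Path 1: a site that sets no tracking cookies has nothing to ask.
    if not site_uses_tracking:
        return Decision.NO_TRACKING

    # Path 2: honour the browser's signal. "DNT: 1" (and the newer
    # "Sec-GPC: 1") is treated as a refusal, so no prompt is shown and an
    # older recorded "yes" is overridden. A missing header says nothing
    # either way and falls through to path 3.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("dnt") == "1" or h.get("sec-gpc") == "1":
        return Decision.NO_TRACKING

    # Path 3: ask once, remember the answer, never re-ask on every page view.
    jar = SimpleCookie()
    jar.load(cookie_header)
    if CONSENT_COOKIE in jar:
        if jar[CONSENT_COOKIE].value == "yes":
            return Decision.TRACK
        return Decision.NO_TRACKING  # a recorded "no" (or withdrawal) wins
    return Decision.ASK_CONSENT


def record_choice(granted: bool) -> str:
    """Set-Cookie value that records a grant or a withdrawal.

    Granting and withdrawing are the same one-step action, which is what
    Art. 7(3) ("as easy to withdraw as to give") asks for.
    """
    value = "yes" if granted else "no"
    return (f"{CONSENT_COOKIE}={value}; Max-Age={CONSENT_MAX_AGE}; "
            "Path=/; SameSite=Lax; Secure")


if __name__ == "__main__":
    # Constructed sample requests, one per situation discussed above.
    samples = {
        "first visit, no signal": ({}, ""),
        "browser sends DNT: 1": ({"DNT": "1"}, ""),
        "consent given earlier": ({}, f"{CONSENT_COOKIE}=yes; theme=dark"),
        "consent withdrawn": ({}, f"{CONSENT_COOKIE}=no"),
    }
    for label, (hdrs, cookies) in samples.items():
        print(f"{label:24} -> {decide(hdrs, cookies).name}")
    print("withdraw header:", record_choice(False))
```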


The law does not require a specific implementation. Law is never written to require a specific implementation and should not be written in this way.

Instead, law is written in a technology-neutral way. It is so neutral that it isn't even called the "cookie law". It is called the ePrivacy directive. It mentions "cookie" only 5 times, as an example.

Reference: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A...


There has been a browser setting for tracking cookies since 2002! https://www.w3.org/P3P/

It was even implemented in Internet Explorer when it had 90%+ market share.

And then Google intentionally sent a malformed P3P header to bypass user preferences in IE.

When Safari added a heuristic rejecting Google's 3rd party cookies, Google found a technical workaround to bypass it (and has been fined for doing this).

When IE and P3P were totally dead, browsers tried to give adtech the simplest-to-implement bare minimum setting: the DNT header. Adtech has completely ignored it.

There are trillion-dollar businesses relying on tracking, and they will do whatever they can to undermine any technology and lobby against any law that would harm their business.


It would be 100% ok for it to be a browser setting. It isn't though, because that would make too many people opt out. That's what the article is about.


I don't think a browser setting would make any difference. The setting would have to be either "I don't want to be tracked by anyone ever" or "I'm ok with being tracked by everyone all the time". Everyone would just choose the first setting. But just because someone has that setting doesn't mean you can't ask them specifically if they're ok with being tracked on your specific website for some specific purpose. So then you're back at the cookie banners.

(Also, if a lot of people did choose the 'everyone all the time' setting, that would arguably be a poor outcome, because it's unlikely that this is really what people want.)


The DNT (Do-Not-Track HTTP header) setting died the moment Microsoft made it too easy to enable during setup of Edge, making most of their users default to do-not-track.

Adtech will absolutely freak out and destroy any attempt to make such a setting as soon as there's a risk of it working.


> The setting would have to be either "I don't want to be tracked by anyone ever" or "I'm ok with being tracked by everyone all the time".

The only alternative to that binary logic is cookie banners. So to be clear, you are advocating for cookie banners.

The reality is that the overwhelming majority of people do legitimately want option 1, which makes cookie banners redundant. The only reason that cookie banners exist is as a high pressure sales tactic to sell users into option 3.


The point is that you'd still get cookie banners even with option 1, because a site can always ask you if you're willing to override your default preference.


What you are describing is still option 3 (cookie banners). The only real option 1 would be for sites to give up on tracking users.

So yeah, you can never compel a site designer to stop doing a thing without compelling them to stop doing that thing. The only middle ground is a middle ground.


That was exactly my point:

>The point is that you'd still get cookie banners even with option 1


It could work like popup permissions - unobtrusive notification you ignore unless you're specifically looking for it.


It could. And the GDPR already bans dark UX patterns in consent popups (i.e. making it artificially difficult to refuse consent). But the law can’t realistically tell sites exactly how to design their UX.


We already have granular permissions for other things (like location queries) and it works out just fine. You allow things when they make sense and refuse when they don't. It could be resolved in a way that preserves usability but still achieves the goal of not tracking non-users via ads. I doubt that it would make PG particularly happy though.


The key difference with tracking is that it's based on intent. Technically there is no difference between a tracking cookie and any other cookie. It is just a question of its intended use.


Sure. If I'm asking a website to remember my user session, I expect and am happy to allow a cookie, even if it's a few extra clicks. When I visit a site I'm not a registered user of, no tracking is needed really.


The issue isn't cookies vs. no cookies; it's tracking cookies vs. other cookies. Session cookies in and of themselves do not require consent.


There is no loophole here. If you want to track someone, you need their consent. How are cookie banners a "loophole"?

>Instead through incompetent government employees

Or greedy companies, one of the two...


> but leaves a loophole

There's no loophole. There's just limited enforcement. Most of the banners you see every day do not match the requirements at all.


That's what you get when you try to protect consumers but “don't want to harm business” who are hurting consumers.

Sometimes life really is in fact a zero sum game and you need to punish the offenders in order to protect the victims.


This is 100% what PG means IMO and the most sane take on this. Either write the law correctly so it's not easily bypassed or just don't touch anything because you will only make it worse.


The law is not bypassed, the annoying banners with no simple option to reject are illegal. The issue is that enforcement is slow, not that the law is badly written.

GDPR's Article 7 [0] is very clear:

> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. [emphasis mine]

[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...


Yes, that very much is an example of the law being badly written.

"Prior to giving consent, the data subject shall be informed thereof."

Means there must be some sort of a cookie notification (which could of course take a small space of the screen, but still).

The existence of this notification makes it easier to initially give consent. If withdrawing later is to be as easy, the notification must never disappear.


So you want users to be tracked without consent? I don't.


> The issue is that enforcement is slow, not that the law is badly written.

The enforcement/implementation of a law is so deeply entwined with the text that it's deceptive to separate them.

If a law is written in a way so as to make enforcement hard, or if the government doesn't have the resources to quickly and consistently apply it, then it's a bad law because it enables weaponized targeted/selective enforcement of a new law that wasn't present before.


Essentially all laws are difficult to enforce. If someone really won't follow the law, then it takes a lot of time and money to prosecute them. Society relies on most people voluntarily following most laws most of the time.


[flagged]


I'm very clearly not conflating the legislature and judiciary, as evidenced by the fact that I differentiated between them in my comment.

> a lack of resourcing to quickly enforce laws makes those laws bad

Is true, and you haven't refuted it, only used the emotionally manipulative phrase "bad faith argument".


Your entire argument is conflation.

You literally say it's "deceptive to separate them". The whole POINT of modern governance is to separate them.

Saying legislature is writing "bad laws" because the judiciary may or may not have the resources to enforce is to necessarily subjugate the legislature to the judiciary which violates the principles of separation in the first place.

There are countless examples of legislation that does not get litigated due to political or other pressures on the judiciary. Your argument would require that the legislature lie down in those cases. Perhaps that is your preferred order of the world.

But in a modern, principled government, the entire principle is their separation and independence. Suggesting otherwise is to lean into autocracy, whatever your motives.


> The whole POINT of modern governance is to separate them

This is wildly incorrect. The point is not separation - that is obviously stupid and pointless. The point is maintaining checks and balances on the power of the government, and one of the (many) mechanisms is through separation.

> Saying legislature is writing "bad laws" because the judiciary may or may not have the resources to enforce is to necessarily subjugate the legislature to the judiciary which violates the principles of separation in the first place.

Again, incorrect, because the principle is limiting power, not separation of powers test for its own sake. Not passing laws that can't be correctly enforced is not a violation of that goal or the strategy of separation of powers.

> There are countless examples of legislation that does not get litigated due to political or other pressures on the judiciary. Your argument would require that the legislature lie down in those cases.

Nowhere did I say that or does my argument imply or necessitate that. Being unable to enforce a law due to lack of resources is categorically different than political pressure. You're intentionally misinterpreting my words

> But in a modern, principled government, the entire principle is their separation and independence.

This is your own projection of what a "modern", "principled" government should look like - which, as stated before, is obviously stupid and pointless. Separation is not a virtue - it's a means to an end. You may want to consider reading the US Constitution to see this in action.


[flagged]


The fact that you replied with a sarcastic comment lacking any content and then went to my profile and signed my email up for a bunch of spam emails is proof that you're unable to defend your argument. Not that proof was needed.


I can't speak to the latter, but the former was not sarcastic and there's nothing to defend. Muddying the independence of arms of government is page one of the autocrat's handbook which you seem smart enough to know. No making laws all by yourself legislators, you will first check with the Ministry of Enforcement! It's an entirely valid form of governance, as Big Men of History will attest, and you're entitled to your opinion on the matter.


Thank you for mentioning point 7.3, as it's very important but often gets ignored. I hope that it gets strictly enforced. _It shall be as easy to withdraw as to give consent._

Regarding the link you posted, they have a banner at the bottom saying:

> We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. [Ok] [No] [Privacy Policy]

My understanding was that such an implicit consent ("we will assume that you are happy with it") is not legal so I find it a bit surprising to see it used on a website dedicated to the GDPR.


> Hate this way of thinking where the government (with seemingly good intentions) tries to stop something but leaves a loophole where all our lives are made more tedious and then people defend it saying the companies should just not do it, well we needed the law in the first place so it's a bit silly thinking to suggest they stop doing it after the law, no?.

We deal with similar issues developing and releasing software. Instead of not ever releasing software, or only writing perfect software that never has issues, we have a couple of options.

1) In critical life or death situations, spend a ton of time modeling all states of the system and program in a way that very strictly controls for these states, with a lot of testing. See NASA/JPL coding standards for critical systems.

2) For less critical situations, or those where modeling all states of the system is impractical, we release, observe, and iterate. Yes there will be edge cases, bugs, and loopholes. But we can observe them, iterate, and release updates.

I think case 1) is impractical for changes to large legal and economic frameworks in the real world given how many variables are at play. If we could model the entire economy and see how it would react to a given change, the world would be a very different place in lots of ways already.

A lot of politics seems to work against 2) and that hurts our ability to improve things. "I will pass a law that does X" and "I will repeal the law Y that is not working, see look at these loopholes!" are good political campaign statements.

"I will gather and analyze data on the operation of the current system and support an iterative change that intends to improve things, implement that change, and then observe the results to determine if future changes are needed" is hard to rally around either in campaigning or when actually doing the work of getting political support to pass law.

I think a decent example of this in government, although far from perfect, is the feedback loop of the NTSB and FAA. The NTSB's job is to observe and report on failures of air safety, and the FAA's job is to apply those lessons to future air regulation. Of course there are many examples of this not working perfectly, but it's a more concrete feedback loop than most governmental action has.

More observation of the analysis of the impact of laws after they are passed, and follow-up iterations where we compare the expected and actual results and make updates, would probably result in a lot less gnashing of teeth over "bad government regulation" but I'm not sure how we get there politically.


I wrote something elsewhere in the thread about this[0]. I don't think laws mandating specifics of implementations at the level of browser settings is a good idea. To your point about government employees not being competent I don't trust them to get that right. Companies could work with browser makers to fix this but, as the OP points out, they don't want to.

In my opinion the EU's big failure with GDPR has been slow and ineffective enforcement against blatantly illegal implementations.

0: https://news.ycombinator.com/item?id=39742989


The problem is that we as a society constantly have to deal with adult children, so don't expect reason. Do expect elaborate rationalizations intended to waste the energy of an indecisive parent, who is basically getting bullied by a kid throwing a tantrum.

This kind of behavior reminds me of the book: "Language vs. Reality: Why Language Is Good for Lawyers and Bad for Scientists" - Nick Enfield, Linguistic Anthropologist [1]

[1] https://mitpress.mit.edu/9780262548465/language-vs-reality/


As far as I can tell, politicians don't spend much if any time thinking about second and third order consequences. GDPR is but one example, but instances of this abound. The default should be to mistrust new laws. Reagan takes lots of flak on the internet, but he was right on the scariest phrase being "I'm from the government, and I'm here to help".

Even worse, this thread is full of armchair lawyers that will confidently tell you there's no need for cookie banners in particular cases. Never mind that there's hardly any case law about this and each country seems to interpret it differently. Any actual lawyer would tell you to slap it on there to stay protected.


Cases != law in continental Europe. The law is the law. I don't think you're in a position to call others armchair lawyers


The wording was imprecise, but to the website owner, this is a distinction without a difference. Even when a civil law system is in use rather than common law, you still need judges to interpret what the law is. Their decisions may not be binding in the way precedent is in common law systems, but they are still important in determining what might be legal or illegal in the face of ambiguous laws (that is, all laws).


That's not entirely true. Continental European law tends to be far more detailed than Anglo-Saxon law, but still relies on precedents set in previous cases when there are ambiguities in the law, and when it comes to meting out punishment and damages.


> Even worse, this thread is full of armchair lawyers that will confidently tell you there's no need for cookie banners in particular cases. Nevermind that there's hardly any case law about this and each country seems to interpret it differently. Any actual lawyer would tell you to slap it on there to stay protected.

I bet the number of cases of illegal implementations due to insufficient consent are vastly smaller than the blatantly illegal consent implementations(i.e. those that make it harder to reject consent than accept it). Companies clearly don't care about following the law anyway.


> Any actual lawyer would tell you to slap it on there to stay protected.

Presumably, lawyers err on the side of caution? That doesn't mean they're right.


I'd think so too, but the number of implementations that use dark patterns that make it more difficult to reject consent than accept it seems to indicate they aren't erring on the side of caution.

I'm not talking just de-emphasising the reject option here, but cases where there is no reject option or it's buried beneath 2-3 more clicks.


> Even worse, this thread is full of armchair lawyers

...

> Any actual lawyer would tell you

Assuming you're not yourself a lawyer, doesn't speculating about what an actual lawyer would say or do make you an armchair lawyer?


No, one only needs to be familiar with lawyers themselves to speculate about what they might do. They are a cautious bunch. This is distinct from dispensing legal advice.


Exactly this.

The law could have been written in such a way that we could use a browser setting and avoid incessant popups which irritate users and desensitise them to genuinely useful warnings.

Whatever the good intentions of EU lawmakers, they seem inept at technical legislation because they ALLOW companies to continue doing shady things, and rather than tackle it, the legislators create a law that merely annoys users.


> they ALLOW companies to continue doing shady things

No they don't. But enforcement requires complaints, actions, and budgets. Remember that the EU has no police, it's down to national governments to enforce regulations.

Also, take fraud. There are plenty of laws against fraud in any country - and still it happens every day in one way or another. That's not because all fraud laws are bad, but because enforcement is complex and costly.


It would be horrible regulation if you told people how to comply instead of telling them what to comply with.

As written elsewhere (since you obviously didn't read anything), your proposed solution would be just fine. But people opted out of implementing it that way since it would yield less profit.


Show me the section of the ePrivacy Directive (Directive 2002/58/EC) or GDPR that implies the "Do Not Track" browser setting can override the need for consent banners / popups.


Well, if you respect the do not track setting and therefore DO NOT TRACK, then just remove the banner. You have no obligation to tell people that you do not track because you do not track.


Are you 100% confident that you don’t do anything which could be construed as tracking by a hostile regulator? Even the official EU sites that host the relevant regulations have cookie banners, explaining (https://eur-lex.europa.eu/content/legal-notice/legal-notice....) that they can’t otherwise do basic analytics or interface persistence.


Better safe than sorry... Absolutely. If you work with a company where you cannot guarantee that no tracking will be injected into their users' computers, then you'd better add the disclaimer.

Also, if you feel certain, and are ready to defend in court, that the practices you have on your website do not constitute tracking, then you don't have to show the banner either.

Personally, I am much more pragmatic about these regulations - with good reason. I have yet to hear about some small innocent company hit with a massive fine. Empirically speaking, it is mostly huge multinational companies with plenty of resources to manage these things down into details who have gotten fines after repeat offences.

All in all. If you assume malicious regulators, then it is going to be stressful to work in a market. From US influence, I also do understand the sentiment, though it is rarely mirrored with EU citizens who generally don't assume hostile regulation.


DNT wouldn't work, but a hypothetical "yes, please feel free to track me" setting would, if standardized by browser vendors and implemented appropriately (i.e. ensuring user consent).


> Whatever the good intentions of EU lawmakers, they seem inept at technical legislation

I don't think that's a specialization of EU lawmakers, particularly. As far as I can recall, lawmakers started thinking about internet regulation around the turn of the millennium, and I didn't welcome the prospect; I assumed that regulation would favour state intelligence and police agencies, and would be drafted by adtech lobbyists. Why? Because I didn't think the civil servants who are supposed to draft these laws had the requisite competence.


The GDPR doesn't prohibit such a browser setting to exist and to be applied. The GDPR however also isn't a technical standard that would prescribe any specific technical protocol.


> Companies could easily avoid any cookie banner. Just don’t track.

Well, then, the EU should've just made _this_ the law.

And we'd have called it the "Just don't track" law.

Rant & Details:

> There is no law for cookie banners.

> What the EU is saying, you need my consent when you want to track me, profile me and sell my behavior off to ad companies.

> or “Look, Why take a chance?” (Remo Gaggi),

This kinda proves PG's point.

Rant: I find it incredible that folks defend the EU by saying things like "There is no law for cookie banners". No, there is a law. The law is reason people think "Look, Why take a chance?" and build crap like cookie banners in. The law is not a bunch of words on paper. It's the institution that incentivizes or punishes people for their actions; thereby influencing people's behavior.


If you understand the law properly you understand you don't need a cookie banner if you don't track your users. But it is easier to not have to understand it and play safe. But then you shouldn't blame the law for making you do no research and play safe.

Most people are copy cats, and if some big websites add cookie banners, they think they also need to do it because these big sites are doing it. And then they blame the law.

If you're not a copy cat and understand your businesses, there is no need to blame the law for making you do something you don't need to.

And yeah, laws can be complicated to understand sometimes. That's with most laws. But that is why we have lawyers. But yeah lawyers are also often copy cats, it seems. At least in tech. So it's always good to keep thinking for yourself too. Don't believe everything other people are telling you. Do some investigation and research yourself. It's also not that hard.


> The law is reason people think "Look, Why take a chance?" and build crap like cookie banners in.

Really, no. Not being willing to let go of user tracking, and now realizing that it's against the law if you get it wrong, is why people think "Look, why take a chance?" and grasp for shitty dark patterns to cover their asses.

My business did not track its customers online and had no banner. Period.


The law punishes companies, not private citizens. If lawyers are overreacting or companies cannot discern between essential tracking and non-essential then perhaps they are the incompetent ones.


> If lawyers are overreacting or companies cannot discern between essential tracking and non-essential then perhaps they are the incompetent ones.

If the EU is incapable of creating a law where it is unclear even to quite some lawyers where the boundary between allowed and forbidden is, the EU politicians are the incompetent ones.


There are a bazillion unclear laws all over the world. It's common practice, really, to formulate things a little bit generally, and let practitioners (lawyers and courts) figure out the details.

In this case, the unclear point is around the notion of "legitimate interest". I guess something like fraud prevention can be thought of legitimate interest. But ad companies just said, "well, we make money out of tracking the hell out of users, so it's in our legitimate interest to keep doing it, and never mind that the whole point of the law was explicitly to rein in our industry's nasty behaviour."

So now law practitioners have to hash out amongst themselves what "legitimate interest" actually means in 2024, and this of course can change in 2034, so you write the law to not have to be updated every time the tech industry invents new ways of being naughty.


This is written from the standpoint that you want to deny consent. But I just want to give consent and get on with my day. I see it as sort of paying for the content.

Honestly I think most people see it this way, even if it’s an unpopular stance in some tech circles.


I find it annoying but I do the opposite. Don't give my consent for all the optionals and prefer not to get tracked. I don't believe all of that tracking is warranted in a significant number of cases. Websites appear to be still fully functional without all of those extras, too, meaning the website providers are also ok with foregoing it.


Whilst I am very opposed to tracking, especially covert tracking, I do believe the cookie law is bad. Fundamentally, websites cannot store content on your computer without your consent. Your "User Agent" is what stores cookies; it is usually a piece of open source software fully in your control, capable of only storing them based on any policy you like, including asking you for each site. Whilst it would be nice for all sites to set an "Evil Bit" telling you which cookies are functional and which are for advertising tracking, this is unpoliceable.


What you're suggesting is basically the same thing as what the law is achieving.

Yes, users could block all cookies but this will break functionality on a lot of sites, so it's not reasonable. And yes, sites could communicate which are functionality cookies and which are tracking cookies, but as you say it's hard to police this, so pushing the issues to the user's software won't work.

What the law does is fix all this by requiring sites to obtain consent in certain scenarios; but if your site only sets cookies required for the site to function (shopping cart, login cookies), or if it tracks users for the purpose of security (eg a bank that detects when you log in from a new device / location) you DO NOT need to obtain consent, no banner required.


That's not true. "strictly necessary cookies" are allowed without consent (but information on their use must be available).

Examples for what that means given by the EU itself [1] include "cookies that allow web shops to hold your items in your cart while you are shopping".

And on the policing - there are a lot of laws that cannot be "policed". It requires trust, goodwill, collaboration and savvy users to report violations to the webmaster or relevant ICO.

[1]: https://gdpr.eu/cookies/


How do you know if a site has used a cookie they said was functional to track you?


It doesn't matter because that's the law and if you don't follow it you risk a fine.

How do you know if your neighbour is not producing meth in his basement?


"Companies could easily avoid any cookie banner. Just don’t track."

It seems like a point dear to the author's heart, given the way he highlights this and puts it in bold at the top of the article.

But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.


> If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

If it is crucial to provide the service or the service is explicitly requested by the user (I'd argue a shopping cart is), I think you don't need consent (see Article 5 of Directive 2002/58/EC).


Shopping carts and notification preferences don't require a consent banner.


Our lawyers told us otherwise.

Regardless of the answer here, the fact that there's still a debate about what basic functionality requires a cookie banner is really a testament to how bad this legislation is. How long has this been around, 20 years? And there's still widespread debate and lack of understanding as to what specific functionality requires a cookie banner?


Here is an authoritative source[0]:

> consent is not required [for] cookies that are strictly necessary to provide an online service that the person explicitly requested. e.g. […] when your customers use a shopping basket

So shopping carts (user clicked to add to cart) and notification preferences (user clicked to indicate preference) don’t require consent. Same for authentication cookies.

The page is quite clear; the confusion likely arises from how companies implement it.

[0]: https://europa.eu/youreurope/business/dealing-with-customers...


I am amused that your official EU link, which contains only static documentation, asks me to choose between “all cookies” and “essential cookies”.


I think it's worth noting that those cookies keep track of whether you have filled out their feedback form and count the number of unique visitors to the page, or are cookies from third parties the website may present embeds from: https://european-union.europa.eu/cookies_en


Yep. In other words, things that almost every website in the past 10 years does, making consent banners ubiquitous.


> Our lawyers told us otherwise.

Probably because they're not particularly technical people, and also because of the asymmetric incentives for them personally.

Tell someone to put a cookie banner up when they didn't need to: no consequences.

Tell someone not to put a cookie banner up when they did need to: potentially big consequences for them and their career.


Your lawyers are playing it safe. Their job is to make sure your company is not getting into lawsuits, and having a cookie banner that is not needed won't get you into a lawsuit, so that's what they suggest. They don't care about annoying your users.

If you really care about not annoying your users and don't intend to track them more than what's absolutely required for the service to work, then talk with your lawyers more. Of course, it is not free as it requires extra work, and it may carry some risk (which your lawyers should minimize) but it may be worth it, many people press the "back" button as soon as they see a cookie banner and try their luck elsewhere.


Yes, and if you ask the CFO about the best way to increase profits, the answer is always to fire all your staff. That doesn't mean that that answer is the most optimal solution.


You can find a lot of guidelines around GDPR or ePrivacy made by the EDPB or a DPA. For instance:

https://ec.europa.eu/justice/article-29/documentation/opinio...

This says that cookies for a shopping cart or user preferences are exempted from consent. The ICO and the CNIL say the same, as expected.


Maybe your shopping cart is served through a third party domain, like a Shopify iframe or something?


Fair, I can't argue with that. It's definitely a shame.


> How long has this been around, 20 years?

No. It took effect in 2018.


Cookie banners are a response to the ePrivacy directive from 2002.


They weren't widely implemented until post GDPR, and in fact post https://curia.europa.eu/juris/document/document.jsf;jsession...


It is not that simple. In "Opinion 04/2012 on Cookie Consent Exemption" [1] the EU Parliament's Working Party On The Protection Of Individuals With Regard To The Processing Of Personal Data said:

> A cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average user or subscriber. This suggests that cookies that match CRITERION A and B will likely be cookies that are set to expire when the browser session ends or even earlier. However, this is not always the case. For example, in the shopping basket scenario presented in the following section, a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant’s website in the following minutes. In other cases, the user may explicitly ask the service to remember some information from one session to another, which requires the use of persistent cookies to fulfil that purpose.

(Criterion A is cookies that are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” and criterion B is cookies that are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”).

If your shopping cart cookie has a lifetime longer than the "reasonable expectations of the average user or subscriber" you may need to obtain consent. That's a sufficiently vague criterion that it may not be clear if your particular shopping cart cookie requires consent or not.

[1] https://ec.europa.eu/justice/article-29/documentation/opinio...


> But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

A tracking warning at login/sign up would be enough. No need to ask for cookie consent at every visit. It would just be part of the typical T&C.

> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

Easily solved with a cookie that says "don't track". If the cookie is set, don't track anything.


> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

Not really - basic functionality like you describe does not require consent, AND any cookie specifying non-consent is in itself anonymous.


> any cookie specifying non-consent is in itself anonymous

If you really make it anonymous, the downside then is that you have to keep asking the same visitor over and over again, each time they visit.


It's a cookie stored on their device, right? If it's not a unique cookie it would still be anonymous if it isn't cleared every time they leave, wouldn't it?


The law takes these things into account just fine. It's not a cookie law, it's a tracking law, and the "tracking" isn't about the technical meaning of "to track" but about the way the data is used (and could be used).

It's not "you're not allowed to store anything about the visitor without their consent", it's "you're not allowed to track them across your site, or share that data with others, except if it's directly necessary to provide the service". That last part refers to session tokens, shopping carts, and yes, also to remembering the "no tracking" choice. If you ask a site to remember something (such as "no tracking plz" or "I want to buy this product" or "keep me logged in plz") then that's explicitly asking it to do something that in technical terms is tracking, but not in operational terms.

It's like, the EU makes a new law that makes it illegal to break into people's houses, and all the pedantic HN'ers start saying "but this is stupid! what if you lose your key? you need to be able to hire a locksmith to let you back in!". That's obviously not how the "no break-ins" laws work, and it's also not how the GDPR works wrt tracking.

If you break the GDPR, there's a fair set of warnings before you can actually get the kinds of humongous fines that the law is infamous for. This means to me, as an entrepreneur, that if I follow the intent of the law as best I can, then worst case scenario if we still get it wrong, then there's a big enough chance we're in the clear. And then if somehow we do get a warning from the local privacy authority, we learn and adjust. This is fine.

We don't need to be maximally pedantically safe. We just gotta not track people and then we don't need a cookie banner. It's great.


Shopping carts, session cookies, or any other kind of functional cookies (including the one for "do not track" saving) do not require consent, and so don't require the banner. Github for example doesn't have it.

Please, read the basics about the law before disparaging criticisms, I constantly have to educate users on HN about this misrepresentation of GDPR and Cookie Law.


> If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

These are first-party cookies as they're served by the host domain, so they wouldn't need an opt-in under GDPR. Site owners should try to limit that to core functionality, like updating shopping cart state as you navigate from page to page.

> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

That's not how it works. The cookie banner opt-in asks if you want to accept cookies aka tracking. If you say no, no cookies are downloaded, so the site has no idea that you have visited it. So the next time you arrive on the site, it will provide the popup again, as though it's your first time visiting.


At one company where I worked the head of legal and the compliance officer scheduled a meeting with me[1] without any notice. I showed up and it turns out they wanted to know why we didn't have a cookie banner. I explained we didn't have any cookies.

They insisted we implement a cookie banner which would set a cookie to say whether or not you had accepted cookies. This was the only cookie.

[1] Never a good sign when legal and compliance just book a meeting with you like that and you don't know any normal context.


As a person who is generally suspicious of regulation on the grounds that it is an always growing beast (rules do not get revisited enough and rejected when they become an unneeded complexity), this viewpoint is spot on for me.

And while the main visible results today are bad (cookie banners of various levels of annoyance) it is bad mostly due to existing dark patterns and encourages changes in the right direction. Will those changes come and, if so, when, is to be seen. My 2c.


If you don't want websites to store (1st, 2nd or 3rd party) cookies then such behavior could/should simply be controlled within the browser. Just turn off cookies (although the browser cookie control options could be improved).

If I'm allowing my browser to set cookies, I don't need an EU law forcing websites to ask me every time if I'm ok with a cookie being set.


Both ideas are simplistic nonsense.

It's how we wish people worked, but it's not how people work. The area of people that actively care about being tracked is not equal to the area of people that would say yes if you point blank ask them "do you want to be tracked?" (with all the fears that this question triggers), and it's not equal to the area of people who would actually be happy to give up the affordances that tracking allows for in their every day life, even if they really do not like to say "yes" when asked to be tracked.

All of this is compatible because, hi, this is us. We close our eyes, and pretend they are open. We love to not consider consequences, while thinking of ourselves as considerate. Well, not always. We do make "a few mistakes" every now and then, of course. This makes the whole thing believable, to ourselves and each other.

I understand that it makes for good internet banter to ignore all that but what else it is good for, I do not know.


US does a really shitty job at regulating tech companies - esp privacy and abuse of data.

Perhaps because the big tech has captured the regulators with a lobby revolving door.

Look at how big a tantrum Apple is throwing regarding 3rd party app stores.

I’m glad EU is doing what it’s doing.

And the various data locality laws. Data is precious.

I wish US would impose stronger fines when data is misused or hacked into due to negligence.


And yet there isn't a lot of actual difference between Americans and EU citizens.

Sure lots of EU laws, practically speaking no difference at all.


Europe's parliament's site has a cookie banner[1]. People saying you don't need a cookie banner either haven't worked in companies or are purely driven by ideology.

[1]: https://www.europarl.europa.eu/portal/en


And it's a super sane implementation. A simple yes or no.


The site also shows how simple it could be, though - it respects the DNT flag: no cookie banner, no tracking in this case.


It's a case of moving goalposts. The thing claimed is that sites don't need cookie banner and a simple parliament site needs it.


I agree with this. We recently removed all tracking (eg google analytics) from our homepage because we didn't want to have a cookie banner. The result: everything is going fine. Turns out we didn't need the tracking at all. Should've done it way sooner.

I hope the EU sticks to their guns. A few years ago, there was a flood of HN posts about optimizing initial page loads etc, because research showed that even a few hundred milliseconds slower load times measurably affected how often people clicked on buttons named "buy" and "sign up" and the likes. Then GDPR happened, and this somehow became a non-topic and instead we get 3-screen tall "TrustArc" modals that take half a second responding to a click? This makes no sense at all!

I hope, and believe, that it's just a matter of time before people re-discover that yes, actually, if you make a page fast and nice and friendly, you get more clicks/signups/purchases/$kpi, and that cookie banners hurt business.

If this is true, then what we're seeing now is just the initial path of least resistance: do what we did before, plus do what the lawyers tell us to. As the key GDPR rules have gradually become "common knowledge", we ought to be seeing gradually more sites switch their approach and focus on fast UX again, ie, no cookie banners and thus no tracking. Sure, it's work, and I bet the math doesn't always work out against tracking, but I bet often enough it does.


> I agree with this. We recently removed all tracking (eg google analytics) from our homepage because we didn't want to have a cookie banner. The result: everything is going fine. Turns out we didn't need the tracking at all. Should've done it way sooner.

Thank you. The industry needs more such testimonies showing that letting go of tracking is okay and won't sink the ship.


There is a law, that does not mandate cookie banners, but that still causes them by creating incentives to show the banner. That's the point of criticism.


You are implying that strict anti-emission laws caused uncontrolled emissions by Volkswagen vehicles.

But Volkswagen was very discreet about it, and when uncovered everybody was against them. Websites are being obnoxious, instead, and people accuse the law. Go figure!


I don't see the relation to the story about VW and emissions. VW broke the law, while the websites are following it.


Arguably by your logic the emissions laws incentivize cheating, much as folks see the GDPR incentivizing annoying users -- to nag regulators to change the rules back in the company's favor.

It's a stretch though. I prefer more obvious analogies.


Just in case this helps someone: you can just block cookie banners because before you click “accept” the default is no tracking.

There are extensions like “I don’t care about cookies” for this but also uBlock Origin has a list checkbox for it.


The default should be no tracking.


He's not saying there is though? The "cookie law" is 14 years old now, and it looks like the proverbial Brussels effect failed to change how the whole industry operates, except we now have cookie banners.


Customers are more informed. Savvy companies now only do essential tracking, so don't have to bother users. Or at least more will as enforcement catches on.


I wonder - why didn't the EU put the burden on user agents a.k.a. web browsers to handle the cookie notices? When I visit a site, before saving any cookies, have my user agent ask me if I want to allow cookies for that site. Could have a default "no cookies" option with a whitelist, or default "yes" with a blacklist. It would have been so much easier, with a far more consistent UX, wouldn't it have? Now we have to put up with 1,000 different flavors of invasive banners, popups, "necessary cookies", etc.


The EU doesn't tend to require specific implementations - the banners aren't a required implementation, either. It's just what the advertisers thought works best to get their desired outcome.

There was the DNT header. Few sites acknowledge it (and thanks to those who do!), and when Microsoft went against spec by setting it default-on in their browser, advertisers whined that they can't see informed consent anymore and just shut down the whole initiative. Note: Microsoft is also in the advertising business, so if you're into that, that might be another angle for your favorite conspiracy theories.

Finally, there's consent-o-matic, available as browser extension for various browsers, and it lets you state your preferences. https://consentomatic.au.dk/ Would it have been better to integrate that into browsers properly? Sure. But the social and economical dynamics being what they are, this is probably the best we can get.


Because it's not about cookies. It's a much broader statement than that about how the company is allowed to handle your data.


The EU in this scenario believes in the open market: let the web browsers and web sites find a technical solution.


DNT existed, but websites decided they could freely ignore that. Hence the regulation


Technically they can ignore the users’ choices on cookie consent as well though. In fact, I would be curious just how many websites honor a user’s selection, and how many of them are just smoke and mirrors by having a consent modal that has zero subsequent value.


This article just reminded me that I should always choose NO when asked.

And that probably can be automated...


I've been running Consent-o-matic [1] in both Chrome and Firefox for quite a while now, which automates a lot of them. You can set your preferences for what categories of cookies you want to allow.

[1] https://github.com/cavi-au/Consent-O-Matic


There are extensions to hide the cookie banners and while you have not clicked yes you have effectively said no.


I don't know exactly what Paul was referring to when he wrote his tweet, but my own interpretation of the problem is that the EU has basically transferred the responsibility entirely over to the end user, which is a responsibility that we know people are not capable of handling.

Sure, you can say that websites have the option of "Just don't track", but realistically we know that that will never happen. Particularly since a lot of websites are actually tracking the user for the purpose of making the experience better (such as remembering settings, recent search terms, etc...), rather than tracking for the purpose of selling data to advertisers. But, from the user's point of view, they won't know what they have agreed to anyways. So essentially we get to a scenario where 99% of the websites have annoying cookie banners, when we already know that 99% of users won't read the terms anyways...

If the EU was good at regulating things, they would come up with a solution which puts the responsibility primarily on the website. One example of this could be if EU defines like ~5 different "data ratings", with pre-defined conditions of what sort of data was allowed to be tracked for each rating. Then the websites are responsible for choosing the rating that corresponds to their level of data gathering, and if they report it incorrectly, the EU could fine them.

The result of this is that when a user visits a website, you can quickly see a "badge" in the browser which lets you know what sort of tracking this page has (thus the user learns what each rating means, and gets a better understanding of what they agree to). This is very similar to what Apple already does in the App Store in the "Data Linked To You" section for each app.


Paul Graham is right still.

EU bureaucrats could have expected that many companies _need_ tracking to survive.

While most people do not actually care about tracking.

Not to mention that behind most companies are the people who earn their living. By honest work (advertising is not gun smuggling, you know).

So eventually those stupid bureaucrats didn’t really solve anything, but made life slightly worse for everyone.

Which proves original Paul’s point.


Or you could look at it like this:

Big websites are tracking people, unbeknownst to them, giving them lots of power, because information is power these days. And the sites that treat their customers fairly and honestly, ie they just want to offer you their product/service and are not interested in making a profit from your information, are not highlighted for their good intentions.

This law makes the difference clear to users. Maybe most users don't care, like most users don't care about open source, or fair trade products. But I'm personally happy that the EU cares, because I care. And I understand that most people don't care because they are ignorant about the issues and consequences. But I do find it a bit funny that a lot of people on HN don't seem to care. And I think the cookie banners are a good way to start to make people aware of these issues. It won't solve it in one go of course, but at least it starts to make people think about it in some way. And maybe there are better ways, but you gotta start somewhere.


Maybe the next step would be that websites should adhere to the "Do not track" browser option, and not show the popup when people have that option on. I think that would make a lot of people very happy. The businesses that thrive on data collection not of course, but who cares about them really? People might say they pay our salaries, but if they don't thrive, other businesses will thrive, and they will pay our salaries. I'd rather have businesses thrive in an ethical way and have them pay our salaries. So I can only see good coming out from this.


> if they don't thrive, other businesses will thrive

You know what else is true?

If dumb bureaucrats didn't spend time on silly solutions to artificial problems, they would spend it on solving real, meaningful issues.

I think we can at least agree on that.


> And I understand that most people don't care because they are ignorant about the issues and consequences

No, people don't care because there are no consequences. Except just better targeted ads.

Most people on HN are hackers, they know exactly how this works.

If you were brainwashed to be scared - doesn’t mean I as a user must pay for it with my attention.


What do you mean no consequences? Haven't you heard they use this data to manipulate public opinion to push certain political agendas? And that is just one example of the tip of the iceberg. Information is power. They are not collecting it just for fun.


Who are "they"? And how exactly do my cookies help push an agenda?

Educate me step by step please using some simplified example.


By tracking people, they understand people's behavior, what hypes there are, what kind of things people are engaging with, interested in. Then they can target specific campaigns at certain groups of people, to manipulate their opinion, or exploit them.

"They" are the ones that have control over the data. The ones that collect and process all the data, or the ones that buy it. Mostly FAANG and their clients, which are also governments.

For example, a few months ago, ironically, a department within the EU ran a campaign on X, persuading people to vote for CSAM laws. But they micro-targeted specific groups. And this is actually prohibited by EU laws itself, by the Digital Services Act (DSA). See this article:

https://techcrunch.com/2023/11/15/oops-2/

And microtargeting is actually a common practice, used for political campaigns in the US and Australia. It's also used by Russia for disinformation campaigns. See:

https://www.nytimes.com/2018/08/16/technology/facebook-micro...

And:

https://www.justsecurity.org/41199/connecting-dots-political...

Also the wiki about microtargeting is interesting:

https://en.wikipedia.org/wiki/Microtargeting

I hope this helps you understand how tracking cookies can be used against you. Of course it doesn't affect you directly personally when you visit some websites. But you have to see it in the grander scale. We are collectively a group. And as a group we can be influenced, manipulated, etc. And ultimately that affects the individuals inside the group. And this has always happened, it just happens more automated these days. But if we, as a group, stand up against it, we can empower ourselves, and we can make life better for us as a group, which will ultimately impact our personal lives as well.


Do you realize that faang companies know everything about you already? With or without cookies.

Did you know that the bigger a company is, the easier it is for it to work around those silly cookie limitations bureaucrats impose?

Did you look out the window recently? Did you notice any positive political changes after these stupid regulations took place?

What other evidence do you need to admit it was a dumb and useless regulation? Even if it originally had good intent.


It's mostly about making people aware. And it does have some effect. Maybe not much, but you have to start somewhere.

Imagine a group of people living in a big house that hasn't been maintained and cleaned in a long time. Then someone starts cleaning a little window. And someone says: look at the rest of the house, do you see any change? Well of course not, but you have to start somewhere. And maybe we didn't even use the right cleaning product or technique. But by doing it, we're learning about what works and what doesn't. And we might inspire other people, and they could start cleaning other parts of the house, and we can collectively make a significant change.

It's a slow process and it might seem impossible to some people. But it is possible. Look at history, if we never made any law and order we would still be walking around as wild men.

The change we would like to see might not even be in our own lifetime. But think of the next generations. They have to deal with what we leave behind. And I'm very happy our previous generations laid the foundations for law and order on which we can continue to build.

Yes things are not perfect and they will never be. But there's always room for improvement. And why not work towards improvement instead of deterioration. Why not have a positive outlook instead of a negative one.

I'm not saying you have to go out on the street and go protesting with billboards. But we can at least try to support each other improving the system. Again we have a long way to go, but there is hope. There always is. If there wasn't, we wouldn't be here.


what a bunch of nonsense, what a ridiculous excuse for a terrible action - "start somewhere" and "raise awareness"

Following this logic - why don't you cut out few buttons on your keyboard?

To raise awareness about online gaming and pron addiction.

It's not much, but you have to start somewhere, right?


I don't see how removing buttons from your keyboard is helping with those issues. I do see how making people aware about the use of tracking cookies will help with raising awareness about the use of tracking cookies.

I understand you see it as an inconvenience, making the UX worse. But it's not about that, the cookie banners actually provide you information about what they use the cookies for. Which 3rd parties they share it with. It is about raising awareness.

And yeah, you have to start somewhere. If you don't do anything, nothing will change, and deterioration continues.

You do understand that the ones in control of this data have a lot of power. Do you wish to change it or are you satisfied with the situation? If you have a better idea on how to deal with this issue, that could be a helpful contribution.


> unknowingly to them, giving them lots of power, because information is power these days

How much power exactly does a website get by saving a cookie with my data?


I have what I think is a somewhat clear perspective on the issue of tracking cookies, because I have been on both sides of this issue “in the trenches.” My observation has been that companies really cannot choose to not track as a larger entity, because systemically they do not trust their own employees to make good decisions.

What I mean by this is that tracking in web properties is a joint decision (in most tech companies anyway) between Marketing, Legal, and Product as functions and executive leadership overall. This is actually a “big” decision, because it’s a binary decision that guides future trajectory.

Companies can choose to:

A. Make decisions about where to expend resources on ads, product feature development, localization, accessibility, et al on web properties based entirely on the “gut check” of their employees in each function and trust the outcomes.

B. Carefully measure and track everything so that decisions are supported by data and results are tracked, simplifying decision making and reducing the potential bias of employees and eliminating the need to trust employees to make good decisions and being able to validate outcomes.

If your product /is/ a web-app, the impact becomes even more pronounced.

At the end of the day, the only way to get an organization to give up tracking is to directly force the issue in the law or solve the underlying issues that create a trust gap and competency gap within large organizations. I think the latter is likely impossible to solve, so the former is the only option. In line with the banality of evil, companies are not maliciously deciding to track you, if there is any malice here its towards their own employees down the line, who aren’t or can’t be trusted to do their jobs without tracking.

Because Option B is the only likely option here, the net effect of the law as it stands today is to have a cookie banner everywhere. There’s literally a SaaS called Cookie Law that helps companies comply with these rules.


Well pg is right in that the EU should have forbidden tracking users completely.

But I'm pretty sure that close to 100% of pg's YC startups do track their users. So here's pg's shitting all over the regulators who made him a flower by still allowing his businesses to track people by tricking them into accepting cookies.

Ugh


> The only thing that matters is that if an entity wants to track people, they have to let them know in a way that is clear and request their approval.

The law may be a one-liner that just wants to protect the user's privacy. But this vagueness makes this law so extremely bad. Companies don't know anymore what's allowed and what's not, so in order not to risk getting sued by some greedy shenanigans they just put up some cookie consent wall. Can I use tools like Microsoft Clarity or Google Pages without getting sued for not having some cookie banner? Who knows anymore without getting an expensive lawyer, and then I have to deal with the expensive technical changes required to implement these regulations, which especially hurts small or one-person software shops while big co doesn't care anyway.


To me, this seems like engagement clickbait targeting PG to promote an infotainment product (CTO coaching/course):

>there is no cookie banner law

There definitely is. The article explicitly states this:

>you need my consent when you want to track me

"tracking" here means storing data:

>store information in a visitor's browser is only allowed if the user is provided with "clear and comprehensive information", in accordance with the Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given their consent (wikipedia)

The actual directive also explicitly states this

>consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website (32002L0058.17)


>"tracking" here means storing data:

Yes, without any consent. For instance logging in a site, doesn't require the warning.


There is a law that led to almost every website, including every official EU website, having a cookie banner. If you refer to the "cookie banner law" everyone will know that you mean that law.


Just imagine someone in the supermarket following you all the time, writing down all of your actions. That's pretty creepy and that's why you have to give consent first. I have no idea why anyone thought it's normal when done online. Or to extend it to the offline world just because it's technically easy. That's all the cookie banner is doing: showing how creepy many companies are and how much they don't care about you personally.


If someone was running a supermarket and you came in day after day and never paid for anything, they'd get suspicious and probably follow you around all the time, too.

You don't pay for (almost) anything on the internet. Nobody does, because the requisite infrastructure doesn't even exist to allow you to pay for a page at a time. Until that changes, the creepy companies will keep finding ways to follow you around- both to earn money from advertising, and to ensure you're not abusing their systems.


> What the EU is saying, you need my consent when you want to track me, profile me and sell my behavior off to ad companies.

Huh. I always thought that as soon as you use a long-term cookie that could technically be used for tracking, you have to get permission.

Which also means you have to get permission when someone logs in to your website. Though I guess the act of logging in could be seen as giving permission.

Anyway: I don't add cookie banners on my websites, and I don't use any tracking.


Slovenia does have a cookie law, explicitly stating that setting cookies in browsers is not allowed unless permission is granted beforehand. But it's up to interpretation whether enabling cookies in the browser counts as permission.

http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO8611 -- 225. člen (piškotki)


> Companies could easily avoid any cookie banner. Just don’t track.

Companies can easily not deal with EU shenanigans. Just leave the EU. Actually, many do.


One of the most egregious abusers of this recently got told off for it, I want to say it's IAB, but they're all as bad. Trust arc or whatever they're called deliberately made it as annoying and deceptive as possible. You can't blame the EU at all for a deliberate misinterpretation of the law.


Yeah, IIRC I think noyb was looking into "Trust arc"


That's right; however, consent is needed for cookies that are not necessary. If you don't have the cookie banner asking for consent to track you with the unnecessary tracking cookies you can get a letter from the Abmahnanwalt, which means that in Germany there is a de facto cookie banner law (next to the self-censorship brain bucket) just to be on the safe side.


Having read comments here first, I was surprised when I visited the article and found that while the thrust of the article was that pg was incorrect about the existence of a law about "cookie banners", the tweet referenced in the post -- and screenshot, even -- does not even imply that pg thinks that there is a law specifically mandating cookie banners.


I see a lot of comments about how it is some sort of an unforeseen second-order consequence. But it isn't. If you want to have no tracking, you write a law that bans tracking. If you write a law about mandatory notifications, bombardment of notifications is the most direct consequence one can imagine.


> Or you are worn down and no longer care after twenty banners and say yes

This is probably the worst omission from the EU law, no limit to the number of times you can be asked.

I told you my answer last time I visited… but you didn’t like it so you ask again, and again, and again. Every time I visit you ask me. <rage quit>


> just listen to “Do Not Track” headers (it’s deprecated because companies did hate this)

It was my understanding that it is deprecated because it was completely disregarded and thus gave a false sense of safety from tracking, and it was used by tracking companies to do additional tracking.


The whole premise of the law is wrong at a fundamental level.

For cookies to function, browser (acting on behalf of the user) and website have to cooperate.

First, the website sends a snippet of data to the browser, the browser then stores that data, and sends it back to the server on subsequent requests.

If the user doesn't want the cookies to function, all he has to do is tell his browser to stop sending the cookies back. The website has no way to forcefully store the cookies on the users computer and then snatch them back from their hard drive. The browser, and ultimately, the user, is the one that decides to store and send the cookies back.

But legally, website owners are held accountable for the inability of users to stop themselves from sending the cookies back. It doesn't make sense.

If the rest of the Internet worked this way, you would need to call Google on the phone and tell them that you consent to them sending you HTML before being able to load google.com on your browser.


Just read an article about this a couple of days ago which went into more detail:

https://www.bitecode.dev/p/there-is-no-eu-cookie-banner-law


I don’t put these cookie banners on my sites. They are just annoying.

Most decent browsers block google analytics these days.

The facebook pixel was retired as far as I can recall.

At this point I just have a local analytics setup just to let me know how many visits a particular page got.


The entity that has legislative power takes responsibility for unintended consequences of its legislation. At least this is how Anglo/Commonwealth cultures think about it. You can see that Germans think about this differently.


If only my browser showed, for each link that leads to a website with an annoying cookie banner, a small icon indicating that that's the kind of website the link leads to. Can someone make a browser extension like that?


Without even reading the whole article, I can tell the author is German.

Create dumb and pointless rules and enforce them with highest passion.

Believe that you're the smartest person and the only one who understands these rules.

Serve nothing but the soul sucker bureaucracy.

Many people are leaving Germany pretty much because of this. Startup founders often do pointless work just to stay out of prison.

The author of course has zero experience building anything. He is the amazing CTO. He'll teach you how to do it. Because he's superior to the rest of the world.

The society here has a tendency to descend into madness with a strange group behaviour.

History. Rhymes.


Related:

There is no EU cookie banner law

https://news.ycombinator.com/item?id=39706375


> Just don’t track.

You're making it sound like it was a switch that I could simply turn on/off as a web dev. The reality is that most sites are a complete clusterf*k of 3rd party components, dependencies, backend services etc.

Doing an audit of which of these components are compliant with tracking / cookie laws is just not a realistic ask. Hence why devs decide to just tack on a cookie banner and call it a day.


These do not sound like competent companies, if they cannot even classify the tracking that they initiate as essential or non-essential


There's a simple way to not have your rockets explode when trying to go to mars,

just don't build rockets


@KingOfCoders / amazingcto you wrote `Indeed, as an American, there is no need to force them onto you.` - I feel like that suggests some assumptions about PG here that might not be quite correct. Since PG's often in the UK, his place of birth and where he has a residence, he's sometimes in a place that has GDPR obligations, he'll likely be exposed to the full GDPR vs analytics annoyances that IP addresses, email addresses, trackers, and the data protection make likely. I've no idea what internet use would be like in the US though (I haven't surfed via the US for ages though so don't know what the geo-targeted and account-targeted consent differences are). PG likely both benefits and suffers from being in multiple jurisdictions. As for his personal identity, with terms like American and British, he might identify with both, but he did write "Keep Your Identity Small" so he might even prefer neither label, I don't know. Regardless, yes there could be better ways at a protocol level, maybe the EU should have foreseen that rather than the noise which we have now. Guess we'll have ML agents to handle it for us soon.


The only cookie I would accept is one saying that I don't accept any other cookies.


The cookie banners are the way they are because they comply with the law, so you cannot say "you follow the law in a wrong way". Except for those banners which do not allow rejecting cookies as easily as accepting them, the banners comply with the law, so you cannot blame site owners.

Instead, the law and requirements should be adjusted to make the horror of cookie banners stop.

I never could understand who thought asking website owners to get your consent is a good idea. Think of when you are installing an app on your phone: is it the app that asks permission to use your location, or your OS? Access to cookie storage is the same; a browser should allow or not allow a webpage to store something on your device. Same as most of the browsers do for notifications btw.

Fixing ~200 browsers is much easier than fixing millions of websites; you can also set up default preferences, and you can also have a clear, unbiased UI.


I think this is one of the rare cases where the now-popular-and-often-misused word "gaslighting" fits perfectly: the companies are punishing users because of a law that protects them from data exploitation, then blame the law for protecting them. It's beyond evil.

On the other hand, nobody is entitled to free content on the internet. Hopefully people will become annoyed enough that they will stop visiting the sites of data exploitation companies altogether.


Why is this guy pontificating in this topic if he is not a lawyer?


Tired of cookie banners?

Just use Consent Free analytics like Wide Angle Analytics.


hey: I want to be tracked and I'm extremely annoyed that the law forces me to consent on every f- site I go to. Seems fairly clear that I consent when my browser makes a request to someone else's server and I have js enabled.

If you don't want to be tracked: disable js, disable cookies, don't go to website you know will track you.

As a user: the way you can check whether you have a tracker is as trivial as interacting with a cookie banner. Plus the cookie banners are all different but the UI to check cookies on your browser is standard and the same. if the EU wants to do something: force browser vendors to educate users on how to use their software


it is pure HN that there are so many people commenting who

1) didn't bother to read the article

2) didn't bother to read any previous articles and so have continually spread nonsense about what the regulations actually required

3) defend all the companies that decided to be fuckwits with barrages of notices to users instead of actually sincerely trying to reduce their creepy nonsense and then - if anything was left that required disclosure - explained it honestly


I believe quite a lot of them have their paychecks depending on invasive user tracking, so no surprise.


everyone's at best a temporarily embarrassed surveillance capitalist


The deliberate, bad faith misunderstandings of the tracking consent and GDPR stuff on here reminds me every time exactly how many people are apparently content to work for and shill for adtech.

Working for Lockheed Martin or RTX is a more moral choice than working in adtech IMO.


With or without EU regulations, client software could decide to discard all cookies once the user has "left" the site. Or it could block cross domain cookies of its own volition. Yes, it doesn't fix the fundamental issue, but it does address it for those that want to fix it against the tide. Yes, it comes with drawbacks, but it is what it is so long as we don't collectively move towards paying for content, ideally in micro form.

I sometimes come across articles in local publications that ask me to subscribe - dude, seriously? Do you expect me to subscribe to an Alaskan publication when I live half the world away and could not care less of what happens there, but just want to read this one article that seems interesting?

So instead we have ad funded websites that have to do what they have to do in order to make some money and keep publishing whatever it is they publish. Hence tracking cookies.

Everyone's needs would be better served if we could pay for content the same way we did back in the day of printed newspapers. You buy today's edition and you get today's edition and no one except the newsagent is tracking you (if you happen to regularly buy the newspaper from her, she'll remember you, and she may even suggest additional newspapers to buy but it's implied, right? we dislike machine tracking, not humans remembering our buying habits).

Alas, we don't have that. We have intrusive tracking and subscriptions, even though technically it's something we could build in weeks (lest the payment companies didn't make it unfeasible, for their own benefit).

And people do sometimes try to figure it out. Bundles come to mind. Everything -- except micro transactions allowing you to purchase just. this. article. And while micro transactions don't exclude tracking, companies are more likely (is this wishful thinking?) to be careful with a paying customer's experience than with freeloaders, which is what we insist of being, while putting up demands as to what publishers can do with our data.


> Everyone's needs would be better served if we could pay for content the same way we did back in the day of printed newspapers.

This is one option. Another is that advertisement goes back to those days: you associate advertisement to a content and to a rough geographical location, and that's it. No personalised ads is still possible.


Putting up a wall in the middle of a busy street and then getting upset when people find ways around it doesn't make sense. The solution is either to remove the wall or ensure it cannot be bypassed.

Right now, it's just irritating for the average person and slightly inconveniencing those who actually break the rules.

This is the same situation with the cookie banner regulations. If the goal is to eliminate tracking, then making tracking illegal is the straightforward path (or make "do not track" actually mean something legally). Otherwise, ignoring it might be better. Implementing a policy that only frustrates the general public without effectively addressing the problem is not the right approach.

This is what the OP cannot understand.

EDIT: To the downvoters - I don't think you understand what the purpose of the downvote is on this site.


I think the goal was to give citizens the possibility to make informed decisions about where their personal data is being used.

If you don't care about tracking, ok. But some do. The EU tried to cater to both audiences which I think is fair. Turns out most people that did not care about tracking would also not consent when they are asked about it specifically and there are no immediately perceived downsides visible.


> informed decisions

And therein lies the false premise that makes the whole thing absurd.

Most people have no idea what "cookies" are, don't understand what difference it makes when you reject them, and are never going to learn - and we shouldn't expect them to! Leave the technical stuff for the programmers.

The cookie law only makes sense if you think that there's any significant overlap between "people who understand what cookies are" and "people who need help with internet privacy", for which I refer you to the Venn diagram in this comic: https://churchm.ag/eu-cookie-law-history/


There is no cookie law. There is a law that makes companies ask for consent when they share personal data or store identifiers that make this possible.

If companies wouldn't try to frame the whole thing in technicalities, it could be a simple popup listing the features on the website that need sharing personal info and users could turn that off.


Since this is around the 5th time this sentiment has been expressed in this thread, I have to ask... are cookie banners really so frustrating? Oh no, gotta click one, maybe 2, more buttons...


2 more buttons x the number of websites you visit a day x the number of times the website forgets your choice? Yes, they are quite annoying.


My bar for annoyance must just be very high.


> are cookie banners really so frustrating

They would be a LOT less frustrating if:

a) they were standardized — they currently add a hefty cognitive load while parsing them, deciding which action to take, etc.

b) they worked properly — I would say, more often than not, they 'forget' the previous setting. I should never see a cookie popup on the same site twice unless I clear my browser settings.


Standardization would certainly be nice, since we could automate it then (I imagine doing so now would require specific cases for most sites)


Most consent banners are produced by a relatively small set of providers. As such, https://consentomatic.au.dk/ does a decent job of submitting your preferences and pushing them out of sight.


Thanks!


If you want to click “no” it’s often dozens of clicks (e.g. to explicitly disable each “trusted partner” with “legitimate interest”) alongside constant attempts to trick you into clicking “yes” accidentally.


This is actually in violation of the rules. Withholding consent is supposed to be as easy as giving consent.


Yes, I know. It’s infuriating but understandable that the regulations aren’t enforced properly.


Why is it understandable that the regulations aren’t enforced properly?


It would be time-consuming and expensive to take some of these companies to court, and likely difficult to win as they'd nitpick over fine details and pass the buck over who's responsible.


Slowly turn the wheels of justice. We’ll get there, I think. Lawsuits take time. Regulations take time. And, as demonstrated in every GDPR-discussion anywhere: understanding takes time.


On most websites I use, it's 1 click. On the rest, it's 2. I've never once encountered a website that required "dozens" of clicks


The typical pattern I see is:

- bright red or green “OK” button that opts in to all tracking

- muted “save settings” button

But aha, gotcha, the default settings still have a bunch of tracking enabled, so you have to uncheck all of those, then remember to press “save” and not “OK”.

In the worst ones there’s an artificial delay when you uncheck one of the third-party boxes, as if it has to file a form in triplicate for the unusual request of not immediately sending all your account info there.


It definitely happens where they don't give you a 'reject all' option, so you have to go 'select options' or similar and untick each one, or at least each category, and then 'confirm choices'.

As an aside, it's supposed to be as easy to decline as to accept; so if you give a 1 click 'accept all' then more than that (whether two or dozens) is unacceptable.


Fun fact, they are illegal if they require more clicks to reject than accept; so this is not a consequence of the law anyway.


I wouldn't call it fun that so many big providers just ignore the law and are apparently getting through without consequences.


Gears of EU grind slowly but finely. IAB just received a fine for promoting horrible banner practices. And it's not like we'd be better off if the gears didn't grind at all. Now just even uBlock will save you a lot of hassle and server-side tracking purely by the virtue of blocking the consent banners (so they can't be approved)


I believe they were probably being facetious


Is it just me or does someone else find it curious that a post with 414 points in 2 hours and many comments is on page 2? There are posts with fewer points and fewer comments in more time that are on the first page. Is the HN ranking algorithm public?


It's now magically made it to page 6, seems a bit odd


flame war detector will downgrade posts like this if i understand HN correctly :)


This seems like a very "um, akshuallyyy" response. There IS a cookie banner law. If the law says, "You must do X before doing Y," and you know that everyone is still going to do Y, you've effectively mandated X. The argument that simply not doing Y (which everyone does, and which you need to do to avoid being at a competitive disadvantage in the market) would avoid the mandate to do X is a pointless technicality.

Regardless of whether cookie banners could technically be avoided, Graham's point stands that this regulation has served no purpose other than to annoy consumers.


I'm glad someone said this on a broader scale than I could reach. This is exactly why we have cookie consent pop-ups. Implemented by Admiral Tech or whatever. It's disgusting and is hostile to the open web.

Even disagreeing now forces you into another full-page pop-up where you have to itemize your disagreement before clicking on Reject All.


> “I’m not a lawyer and this is not legal advice. Ask your data protection specialist.”

Ironically, the author felt compelled to announce that he’s not providing legal advice. There is also no need for him to make that disclaimer. But hey, why take the risk?


can you build a website nowadays with analytics without using cookies? or violating GDPR?


Yes you can. See for example https://plausible.io/, which does analytics without using cookies, and without collecting any personal data.


In my understanding, the most important part is to not share user information with third parties. IIUC, Google can use Google analytics data to join your behavior from multiple sites and then use that to serve targeted ads.

The next level is to not store PII unless there's a specific reason in the user's interest (improving site quality doesn't count, logging in does). Therefore, you can see how many people visited a page, aggregates of device types etc. Just not anything that identifies an individual.


Of course you can. What is it you want to do that you think you can't do?


You can use something like Plausible Analytics which does not use cookies.


Best way is to self-host your analytics; the main thing about GDPR is not sending your data to third parties or using it for marketing/targeting purposes.

By not sending the data to third parties, you already comply with most of the GDPR policies.


Certainly one aspect of GDPR is about how you share data with third-parties. But self-hosted analytics are still subject to GDPR and/or ePrivacy restrictions if you process full (unredacted) IP addresses, any user-identifying tokens, or anything else deemed as PII (Personally Identifiable Information) for purposes such as analytics without seeking user consent.


That's true, but the "analytics" purpose is ambiguous. It could be for security: most servers already have access logs by default, which store IP addresses anyway, and they're often used for DDoS protection, for example, or fail2ban login attempts.


The ambiguity of this legislation is one of the biggest problems with it.

This ambiguity leads to companies implementing cookie warning popups based on a risk-averse interpretation of the law.


You can track the number of visits without using cookies, but it's practically impossible to track the number of unique visitors without using cookies.

The number of unique visitors is a very useful metric (both in itself, and combined with the number of visits).

The EU has made it impossible to track this simple and harmless metric without inconveniencing all users with awful UX.

Under the GDPR / ePrivacy Directive, ANY user-based unique identifier used for advertising, analytics and tracking will trigger the need for consent.

---

General Data Protection Regulation (GDPR)

Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Article 6(1) outlines the lawfulness of processing and states that processing is only lawful if and to the extent that at least one of the following applies: "the data subject has given consent to the processing of his or her personal data for one or more specific purposes."

---

ePrivacy Directive (Directive 2002/58/EC)

Article 5(3) requires prior informed consent for the storage of or access to information stored on a user's device: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
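For the unique-visitor question raised in the post above, here is how cookie-less analytics tools count daily unique visitors. This is an added example, not code from the thread, the article or Plausible; it follows the rotating-salt design such tools describe, and the site domain, IP addresses and User-Agent strings are constructed sample values.

```python
"""Daily unique-visitor counting without cookies.

Added example, not code from the article or from Plausible.  It follows the
widely used rotating-salt design: a visitor key is an HMAC over attributes the
server already sees (client IP, User-Agent) plus the site domain, keyed with a
random salt that is regenerated every day and never written to disk.  Raw IP
and User-Agent are never stored, the key cannot be reversed once the salt is
gone, and keys from different days cannot be joined, so the site learns
"N distinct visitors today" without a cookie or any persistent identifier.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict


class UniqueVisitorCounter:
    def __init__(self, site_domain: str):
        self.site_domain = site_domain
        self._salts = {}                       # holds only the current day's salt
        self._keys = defaultdict(set)          # day -> set of visitor keys
        self._hits = defaultdict(int)          # day -> total page views

    def _salt_for(self, day: str) -> bytes:
        # A new day gets a fresh random salt and the previous one is dropped,
        # so yesterday's keys are unlinkable to today's even for the operator.
        if day not in self._salts:
            self._salts = {day: secrets.token_bytes(32)}
        return self._salts[day]

    def visitor_key(self, ip: str, user_agent: str, day: str) -> str:
        msg = f"{self.site_domain}|{ip}|{user_agent}".encode()
        return hmac.new(self._salt_for(day), msg, hashlib.sha256).hexdigest()

    def record_hit(self, ip: str, user_agent: str, day: str) -> None:
        # Only the derived key is kept; ip and user_agent go no further.
        self._keys[day].add(self.visitor_key(ip, user_agent, day))
        self._hits[day] += 1

    def hits(self, day: str) -> int:
        return self._hits[day]

    def unique_visitors(self, day: str) -> int:
        return len(self._keys[day])


def demo():
    # Constructed sample traffic: one returning visitor, one other, two days.
    c = UniqueVisitorCounter("example.org")
    for ip, ua, day in [
        ("203.0.113.5", "Mozilla/5.0 (X11; Linux)", "2024-03-07"),
        ("203.0.113.5", "Mozilla/5.0 (X11; Linux)", "2024-03-07"),
        ("203.0.113.9", "Mozilla/5.0 (Macintosh)", "2024-03-07"),
        ("203.0.113.5", "Mozilla/5.0 (X11; Linux)", "2024-03-08"),
    ]:
        c.record_hit(ip, ua, day)
    return c.hits("2024-03-07"), c.unique_visitors("2024-03-07"), c.unique_visitors("2024-03-08")


if __name__ == "__main__":
    print(demo())   # (3, 2, 1)
```

The key for the same visitor differs from one day to the next, which is what keeps the metric a daily count rather than a cross-day profile.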


"Companies could easily avoid any cookie banner. Just don't track."


A-fucking men.


Agreed with Paul Graham here: https://news.ycombinator.com/item?id=39627573

HN loves EU regulations though. HN also loves Paul Graham. I got my popcorn ready to read what people will write.


Dumb take. “Just run your business with 10% of the revenue? What’s the problem?”

Edit: to those downvoting, yea, it’s agreed that tracking is bad but the tone of the article completely ignores that a lot of the web’s content depends on this model so if it “just didn’t track” a large swath would no longer exist.


If a business cannot survive without it essentially stealing my property (read: my data), it should not survive.


This is copying, not stealing though.

But I agree, taking advantage of me telling you personal info by selling it to externals is unfair without consent.


Steal has a bit broader meaning, e.g. 'to steal a kiss', taking without permission.


And yet these companies consider piracy stealing too; that's just copying for free without consent. Where's the difference?


No difference, both are illegal without consent.


I'm sorry, what data is stolen? If I remember your name after we meet, have I stolen your data?


If it's about remembering a name: it was given by choice, so that's ok.


If your business is "doing sketchy shit with people's data", and the regulatory hammer just came down on you... well, yeah.


Come on, this is such a ridiculous take. Adding google adsense to a website needs a cookie bar.

That's not "doing sketchy shit with people's data".

I can't believe how many people have bought into this EU regulation hook, line and sinker. It's ridiculous; imagine the man hours that have been wasted in the last 7 years just clicking cookie bars. And as OP says, it's completely unrealistic to not have them.


Using anything Google on your website without asking for consent before loading it from Google is, in my definition, quite sketchy. It may be either uninformed, no conscience, or not properly thinking about the ethics of one's choices, or whatever, but it is definitely not right and not ethical to do so. I am quite happy with regulations coming down on people, and especially businesses, who continue to do this.


Many websites that you rely on would not be around if it wasn’t for Google ads.

You think it’s some sort of choice you have between being tracked or not, but it’s not, it’s between having a fairly decentralised internet or not.

And unfortunately with recent Google SEO changes almost all small blogs at this point have been wiped out. Google's own properties, Reddit and Quora, and large websites like NYT and CNET are the only websites left in search rankings.


Do you mean a generalized "you", as in the general Internet-using population, or do you mean me in particular? If the latter, I would ask how you know what websites I personally rely on, and perhaps state which sites you think those are. I am quite far from the norm in that aspect, but maybe there is something I can further cut away.


Of course this is "doing sketchy shit with people's data".

Selling my personal info to external companies so that they can manipulate me easier is sketchy in my eyes if I don't consent.


“ Selling my personal info to external companies”

What? What are you even talking about? Google does not sell your personal info. You’re delusional


You attributed a medical diagnosis to me for saying something that is possibly uninformed. That makes me not ever want to have a conversation with you again. Just food for thought...

Turns out you were the uninformed one. From the context through parent posts you can clearly see this was about a website using google adsense and by that, the company sells my info to an external (google) which then tries to take advantage of me to extract money from me.

That is what I am talking about and I think this was clear from the previous posts. I think you owe me an apology.


“ Turns out you were the uninformed one. From the context through parent posts you can clearly see this was about a website using google adsense and by that, the company sells my info to an external (google) which then tries to take advantage of me to extract money from me.”

This is not how it works. You might not be medically delusional but you are saying things that are not true.


Which part is not true and why do you think so?


If a company is making more money by using Google AdSense, which tracks me across the internet, it has sold my data to Google.


I don't see people advocating for cookie banners; I see them advocating for stopping the tracking.


> That's not "doing sketchy shit with people's data"

Of course it is. If you add AdSense to your website you are letting Google track your users in exchange for a cut of the profits. Of course you should have to warn your users that they are being tracked at the very least.


That is absolutely “doing sketchy shit with people’s data”.

So you need to tell people you are doing that, so they can consent.


Using Google adsense absolutely meets the bar for doing sketchy shit with people's data.


Google AdSense is doing sketchy shit with people's data.


Indeed. Just because it is widespread doesn't make it okay. We should not allow greedy companies to set the Overton Window of acceptability.


Advertising is “ground zero” for the cookie explosion because nobody trusts anybody in the advertising biz.

For instance the website selling ads has every reason to inflate view and click count numbers, the ad buyer has reasons to diminish those numbers. In fact if you measure an honest pipeline it is going to look that way because some people drop out at each stage.

One reason you have 87 trackers on a typical web site is that many sites and advertisers figure if they have a large number of trackers they can’t all be wrong.

Site X could show ads to users just fine without third-party cookies but then advertisers would not be so sure about the stats.


Sure, but is that situation worse than other traditional forms of advertising? Are we just saying that the advertising industry is so greedy that they want so much more of the pie than they used to have, that we should enable them?

> Site X could show ads to users just fine without third-party cookies but then advertisers would not be so sure about the stats.

Feels like 99% of people would prefer this. Maybe advertising becomes less effective, but it may actually become more effective if it leads to more ads being visible since they are no longer ad-blocked.


> if it “just didn’t track” a large swath would no longer exist.

You say this like it's a bad thing...


Why does your business deserve to exist if you can't do so without stealing from your customers?


If your business can't survive without selling visitors' data to Facebook it shouldn't exist.


In this logic it is totally unfair that I am not allowed to sell drugs while I could make a lot of revenue from it.


Totally agree. Who cares that we are selling our users' data to the highest bidder, gotta get that money, right?


The point of the legislation is to protect the citizens, not corporate income.


Sorry but have you been living under a rock for the past 100 years of neoliberal governing?


Please do not bring American two-party politics into this, especially in a way that has nothing to do with my comment and provides no insight or opinion beyond "liberals bad".


Yes there is. More specifically, it’s the Privacy and Electronic Communications Directive 2002/58/EC, which each member state adjusts their own laws to follow. It’s published here:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...

The relevant part:

> Article 5

> Confidentiality of the communications

> 3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

If you want to argue that companies have a legal alternative to showing you cookie banners, then by all means do so. But don’t say there’s no law because there clearly is. This is a misleading and inflammatory headline.

Edit: Yes, I read the article. To draw a distinction between “must obtain consent” and “must show UI that obtains consent” is of no value unless you want to write an article with a shocking headline.


The article makes that point. There is no law to put a giant banner that disturbs UX in your users face. Companies choose to do so. There only is a law that prevents companies from tracking you without consent.


But that is what the title states and is explained in the article. There is no law that forces a cookie banner. There is a law that requires consent before tracking, but that is not necessarily about showing a banner - that is just one of the possible ways of complying with the law. There is an electronic privacy law, and it is quite comprehensive. There is no "cookie banner law".


You are citing a directive that does not apply in all cases.

It is amended by Directive 2009/136/EC, which changes especially the cookies part.

> (66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

If you read the exceptions part, you know that you don't need a banner in the strictly necessary case.


That update doesn’t matter because the original has the same exception. I quoted it.


Then there isn't a cookie law?


If there are exceptions to copyright such as fair use, does that mean that there is no copyright law?


The context was very specific in this case, as if you are always required to present a banner when you use a cookie. But that is not the case.


> This shall not prevent any technical storage or access ...or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

If the functionality is explicitly requested by the user -- e.g., logging in, or changing the default language or currency, or what-not -- no consent is necessary to keep cookies. Cookies are only necessary for things the user didn't implicitly ask for, like tracking.


This doesn't require a specific implementation, just that informed consent is given. This could be implemented as a web standard à la Apple's ATT (App Tracking Transparency). There's nothing preventing the industry from creating such a standard, obviating cookie banners in the process. This would not only be a win for users, who could express their overall position on consent as a browser setting, but also save thousands of developer hours for websites.
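The two comments above (the "strictly necessary" carve-out of Article 5(3), and consent expressed as a browser setting) can be made concrete in a few lines of server logic. This is an added example, not from the article or any project: the cookie names are illustrative, and the `Privacy-Consent` request header standing in for a browser-level consent signal is hypothetical, since no such standard header exists on the page.

```python
"""Consent gating that mirrors the Article 5(3) carve-out quoted above.

Added example; it is not from the article or any project.  Cookies that exist
only to deliver functionality the user explicitly asked for (session, CSRF,
language) are "strictly necessary" and need no consent.  Anything that exists
for analytics or advertising needs a prior, informed opt-in.  The decision may
come from a first-party consent cookie or from a browser-level signal; the
header name `Privacy-Consent` used for that signal is hypothetical, standing in
for the browser-setting mechanism the comment above argues for.
"""
from dataclasses import dataclass, field

STRICTLY_NECESSARY = {"session", "csrf", "lang", "currency"}
CONSENT_REQUIRED = {"_ga", "_fbp", "ad_id"}          # analytics / advertising


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def consent_status(req: Request) -> str:
    """Return 'granted', 'refused' or 'unknown'.

    A browser-wide signal (hypothetical header) wins over a per-site cookie, so
    a user who refused once in browser settings is not re-prompted per site.
    """
    for source in (req.headers.get("Privacy-Consent"), req.cookies.get("consent")):
        if source and source.lower() in ("granted", "refused"):
            return source.lower()
    return "unknown"


def allowed_cookies(req: Request, wanted: set) -> set:
    """Filter the cookies a handler wants to set down to those it may set now.

    Fail closed: a name that is neither known-necessary nor explicitly consented
    to is dropped, so a new tracker cannot slip through by being unlisted.
    """
    status = consent_status(req)
    return {
        name for name in wanted
        if name in STRICTLY_NECESSARY
        or (name in CONSENT_REQUIRED and status == "granted")
    }


def needs_consent_prompt(req: Request) -> bool:
    # Any consent UI (banner or otherwise) is only needed while no decision exists.
    return consent_status(req) == "unknown"


def tracker_tag(req: Request) -> str:
    # The third-party script is emitted only after opt-in; before that the
    # vendor never sees the visitor.
    if consent_status(req) == "granted":
        return '<script src="https://analytics.example/tag.js"></script>'
    return ""
```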


I think you might not have fully grasped the meaning of the post. Let me rephrase it for clarity: there is no cookie banner law, but a consent law, but it doesn't need to be as ugly, intrusive or user-unfriendly as the current cookie banners. One alternative is to opt out of using cookies on your website entirely (which is what I do, by the way), and then you won't need to ask for consent. Or to use a simple, unremarkable, bar.


I think you might not have read beyond the first line of my comment. Why are you telling me that there are alternatives? I literally said that in my comment.


But this is exactly what the article is saying.


There’s a law, but it’s not a “cookie banner law”. The section you quoted says nothing about banners. The banners are a design decision by the operators.


Hmm, I disagree. I found the article quite an eye opener for me. I also thought that the cookie banners are what the EU forced the web-site owners to show, but it clearly isn't. It is just about consent. This consent could be given in a non-annoying way, but clearly the involved companies don't want to.

