Comment by dcow
1 month ago
Setting a language preference cookie is not tracking and I will die on that hill. The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user. Collecting a crash report is not tracking a user. Even first party product analytics is not tracking a user.
Tracking a user across domains using a 3rd party aggregator to serve add and do attribution is the evil. And the EPD far overshoots the mark of specifically addressing that evil.
A language preference cookie is not tracking under the GDPR and doesn't need to be promoted for. Of course, if you take that language preference and feed it into your advertising to identify and target people, then it becomes tracking.
You're correct under the GDPR but incorrect under the older ePrivacy Directive. EU sites need to be compliant with both, and so the cookie banners persist.
Are you sure? That's new to me.
https://en.m.wikipedia.org/wiki/EPrivacy_Directive says
> The Directive provision applicable to cookies is Article 5(3). Recital 25 of the Preamble recognises the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies; those that are deemed to be "strictly necessary for the delivery of a service requested by the user", such as for example, cookies that track the contents of a user's shopping cart on an online shopping service, are exempted.
10 replies →
>The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user.
If your are referring to GDPR this is wrong. GDPR does not require consent for strictly necessary cookies.
>Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
https://gdpr.eu/cookies/
Though language preference does not seem like something that requires a cookie. Just respect the Accept-Language header. There is no need to reinvent the wheel here.
No I am referring to the EPD as I state in my comment, an acronym you should know since it’s defined in the explainer you link. As someone who has experience in this area, it’s not as simple as “just use the Accept-Language header it will be fine”.
In any event, that’s besides then point. There are non-tracking cookies that get swept up in the EPD’s consent requirements. This causes way more popups than needed to address the real problem of users being tracked and profiled across domains. The result is users being inundated with consent banners on freaking homepages.
If you changed the requirements to “consent is required for marketing cookies” then I’d wager it would vastly reduce the need for these banners. You could show the banner interstitially as soon as a customer entered your funnel and wanted to try to perform spooky attribution.
In my experience the banners are useless because they don’t actually tell me whether the site is tracking me or not (the behavior I presumably want to prevent). They just tell me whether the site uses cookies, which I’m okay with 99% of the time, so I just click yes.
> There are non-tracking cookies that get swept up in the EPD’s consent requirements
Still not sure where you and nightpool got this.
https://news.ycombinator.com/item?id=44426726#44434685
1 reply →
> The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user
Nope.
That's exactly why the evil cookie modals are not on the GDPR but only on the sites that want to track you and now need to ask you for your consent before doing so. That's usually exactly where good faith GDPR detractors are wrong, and that's what needs to be repeated again and again in those discussions.
You're correct that the GDPR specifically doesn't require this, but you're incorrect that "the law" doesn't—the 2004 EU ePrivacy Directive requires affirmative consent for all cookies, and it's being enforced much more strictly now in a post-GDPR world
I answered that at https://news.ycombinator.com/item?id=44426726#44434685
1 reply →
Accept-Language.