Comment by Retr0id
1 day ago
> Legally-required cookie banner
> PostHog.com doesn't use third-party cookies, only a single in-house cookie
You're legally required to let me opt out of that cookie. Unless it's essential to the site functionality, in which case you don't need the banner at all.
Exactly. If they indeed only use the cookie for essential functionality, this kind of joke banner only makes their choice to respect visitors' privacy equally annoying.
Even worse: because it makes it seem like the EU law is just meritless pestering of people, they are actually fighting for the right for worse sites to spy on their visitors.
It's baffling.
> EU law is just meritless pestering of people
It is that. It has done literally nothing to improve anything whatsoever, in any country. And most of the "cookie management" scripts that people use, barely even work. Both the law and the way it's complied with in practice are a dumb solution to a problem that the EU should have forced browser vendors to solve. Only the user's browser can choose not to send back cookies, and it would be trivial for the user to be shown a dialog when they navigate to a previously-visited site in a new session saying:
The EU law is fine, the implementation used isn't. But never blame the EU laws for cookie banners; the law does not mandate banners at all, let alone the ones full of dark patterns to nag you into accepting anyway. That's all the industry.
The industry could have come up with a standard, a browser add-on, respect a browser setting, etc but they chose the most annoying one to pester you, the user.
15 replies →
I read an interview with a bunch of different young people. They all basically said "I just click 'yes' or 'accept' automatically". It sounded like they all believed that this was something they had to do in order to get to the content.
Bad implementation of the EU law indeed, as another comment said. It fails the purpose completely and just create more problems for nearly everyone.
1 reply →
If you like things the way they were before the law, just answer yes to all cookie banners you see.
It does not take time if you don’t care to read it. Yours click yes, and they will remember you want to be tracked.
27 replies →
I don't agree. It is the main way I am being informed that some sites I attempt to use, share my data with thousands of external partners, for no relevant function. I do not believe this information would be divulged to me and the public, if voluntary. The public is mistreated in innumerable ways, starting by not letting them know it is happening.
Platform for Privacy Preferences Project (P3P) has existed for over 20 years and no one wanted to implement it.
https://en.wikipedia.org/wiki/P3P
> the EU should have forced browser vendors to solve. Only the user's browser can choose not to send back cookies
This is only an option if you limit tracking to using cookies. But neither tracking technologies, nor the current EU law, are limited to tracking via cookies. It also kills functionality for many web applications without also accepting all tracking. Some browser-flavors went to extreme lengths to prevent tracking through other means (eg fixed window size, highly generic header settings, ...).
Maybe I am mistaken, but it seriously frustrates me how much people within the relevant field make this mistake of conflating tracking and cookies and come to this "it would be so simple" solution.
A welcome update to the law would be to allow a header flag to opt out/in (or force the do-not-track header to have this functionality) preventing the banner from showing.
3 replies →
The entire point of the law was to make websites using extraneous cookies and trackcing annoying to use. It's not something that can be solved in the browser _at all_. What I guess no one expected is that most websites would just decide to go on and pester their users rather than stop the tracking -- and that users would still continue using those websites.
> It has done literally nothing to improve anything whatsoever, in any country
That’s because of malicious compliance from all the websites/advertisers. I guess that is partly the lawmakers’ fault for not pre-empting that; but much larger blame lies on the industry that refuses to grant user privacy.
As an example for a site that followed the intent of the law instead: https://github.blog/news-insights/company-news/updates-to-ou...
Github removed excess tracking so they didn’t need to show a cookie banner and that’s what GDPR’s intent was.
14 replies →
No, it is not that. It highlighted an issue, and it makes it painfully obvious when a particular page is being extra ignorant about your privacy and trying to sell it to thousand vendors instead of a handful.
What I don't like about cookie popups isn't the popup (which isn't something the EU law dictated btw), it's that someone thought it was okay to have hundreds of advertisement vendors and data brokers on a single news article, and it's better to know so I can just close the tab and never interact with that webpage again if they're being excessive asshats.
They have failed at enforcing this properly though, in particular with the recent proliferation of "legitimate interest" abuse (it is only legitimate interest if it an implied component to a service I am directly requesting), and the general issue of popups illegally making rejection different from acceptance, intentionally making rejection slow, or even requiring payment to continue without cookies. And yes, the occasionally completely defective prompt.
I do agree that it would be neater if the browser handled this though. Would also be neater if the internet wasn't entirely sponsored by privacy violations. :/
How would that prevent sites from selling their users' data to third parties without consent server-side? GDPR is not about third party cookies, but about requiring informed consent.
9 replies →
lol this is what it used to be like back in the day. We have forgotten the old ways and now we yearn for them. Every tutorial instructed old people to just click Always Allow or else they would not be able to read their webmail.
The law is fine. The industry has just decided that dragging its heels and risking fines is better than actual compliance.
Most of the "cookie management" scripts that people use aren't compliant.
EU law requires "Accept All" and "Reject All Non-Essential" be both equally easy to access and given equal weight (or rather: the latter can't be given less weight and made more difficult to access, which almost all of these scripts blatantly ignore).
Browser vendors can't solve this because the question isn't technical but legal. It's not about first-party vs third-party cookies (let alone same-origin vs cross-origin) but about the purposes of those cookies - and not just cookies but all transferred data (including all HTTP requests).
You don't need to (and in fact can't) opt into technically necessary cookies like session cookies for a login and such. It's plausible that these might even be cross-origin (as long as the other domain is controlled by the same legal entity). If they're provided by a third party, that would indeed be data sharing that warrants a disclosure and opt in (or rather: this can only happen once the user acknowledges this but they have no option to refuse and still use the service if it can't plausibly be provided without this).
The GDPR and ePrivacy laws (and the DMA and DSA) have done a lot for privacy but most of what they have done has happened behind the scenes (as intended) by changing how companies operate. The "cookie management" is just the user-facing part of those companies' hostile and dishonest reactions to these laws as well as a cottage industry of grifters providing "compliance" solutions for companies that can't afford the technical and legal expertise to understand what they actually need to do and think they can just tick a box by buying the right product/service.
Heck, most companies don't even provide legally compliant privacy policies and refuse to properly handly data access requests. The GDPR requires companies to disclose all third parties (or their categories if they can't disclose identities) your (specifically your) data has been shared with and the specific types of data, purposes of that sharing and legal basis for sharing it (i.e. if it required consent, how and when that consent was given) - and yet most will only link you to their generic privacy policy that answers none of those questions or only provides vague general answers or irrelevant details ("We and our 11708 partners deeply care about your privacy").
[dead]
> because it makes it seem like the EU law is just meritless pestering of people
The law should have been just a browser setting sites had to follow, making it a "banner" has made it meritless pestering while pretending it's for my own good and allowing the worst offenders to make convoluted UI to try and trick you every site visit.
If the EU was a serious entity, they would just forbid cookies that are non-essential. Simple as that. Either you take your responsibility as a law maker serious, or you refrain from making laws entirely.
Or they would enforce it via the (unfortunately deprecated) do not track header.
As we all know, tracking is only reliant on cookies. And not things like "storing your geolocation for 12 years" https://x.com/dmitriid/status/1817122117093056541
People ranting against cookie banners and GDPR literally never read the regulation itself and they literally never read what these banners are supposed to trick you into
"EU law"... you mean "regulation", that to prevent some "abuse".
Here, EU is not quite doing the right thing: the web need "noscript/basic (x)html" compatibility more than cookie regulation. Being jailed into a whatng cartel web engine does much more harm than cookie tracking (and some could use a long cryptographic URL parameter anyway).
Basically, a web "site" would be a "noscript/basic (x)html)" portal, and a web "app" would require a whatng cartel web engine (geeko/webkit/blink).
I do remember clearly a few years back, I was able to buy on amazon with the lynx browser... yep basic HTML forms can do wonders.
Man, I am always required to use this seatbelt even though I haven't had a car accident in decades, it takes me seconds to put it on and off, makes this pestering sound when I forget it, that gets into my nerves, another useless law that need nothing to improve security. /s /s
>this kind of joke banner only makes their choice to respect visitors' privacy equally annoying
Their name is "PostHog", a dirtbag left joke from years ago. If they were trying to make joyless scolds happy with their humor, their site would be very different.
> makes it seem like the EU law is just meritless pestering of people
Which it is?
I am from the EU and I don't see what this law has accomplished apart from making the WWW worse, especially on mobile.
I remember back when Opera was a paid browser, last century, it already have options to accept all cookies, refuse them, or set fine-grained preferences per website. No need for handling it at the website level if the client can do it.
> making the WWW worse
You can argue that the law might not have improved things (at least not as much as intended), but nothing about this law has made the WWW worse. If you believe that, you've fallen for the concerted efforts of the advertising industry spreading misinformation about who's idea the annoying consent popups were & (like this website) perpetuating the myth that they're a legal requirement.
None of the new annoyances on the modern web that you're thinking about are mandated by EU law. It benefits the ad industry massively to scapegoat the EU for these annoyances.
3 replies →
> You're legally required to let me opt out of that cookie. Unless it's essential to the site functionality, in which case you don't need the banner at all.
Isn't it even simpler: Unless the cookie is used to track, you don't need the banner? For example, a cookie used to remember sort order would not require a cookie banner, I think.
(It's not about cookies. It's about tracking.)
It's about being "essential" or not, not about tracking. Also keep in mind with enough preferences you could have unique or near-unique fingerprint of preferences which could be used for tracking.
I’m interested to hear which country forces a cookie banner for any cookie, because the EU only requires it for tracking cookies and this website does net specify whether it’s used for that purpose.
I’ve created websites with a cookie banner “because it’s required” even though there were no cookies involved. The idea that every website needs a cookie banner is more hurtful than the cookie banners themself.
I rarely if ever put a cookie notice as the sites I tend to work on are only going to have 1 cookie for user sessions which is essential functionality and thus cannot be opted out of. It doesn't collect/store/share data so it's not something that needs the opt out banner.
It's still stupid though as most of the sites I do absolutely still track certain activity, it's just done server side.
Considering they have a login system, I'm going to guess that the cookie includes your login (probably in JWT form), which automatically makes it essential to site functionality. Which means the banner is there just because if it was absent, someone would say "Hey, where's the cookie banner?"
In other words, it's not actually legally required in their case, but it's practically required, because it lets everyone know that the absence of the banner is not a violation of the law.
> it's practically required, because it lets everyone know that the absence of the banner is not a violation of the law.
Your "logic" is baffling
What I mean is that if they don't add it, they're going to get threatening emails from regulators saying "Hey, you don't have a cookie banner". Those regulators don't have any way of knowing how their site operates, so the small banner at least manages to inform them and keep Posthog from receiving emails.
That is what I meant by "practically". I mean "in a practical sense" as opposed to in a theoretical sense.
17 replies →
It is not in any way required, and adding it just contributes to annoyance.
It's not legally required in terms of law, but it is legally required in the way that the legal department will complain if the banner not there. Checklists and all that. ;)
I love this website but yeah that banner really bothered me. 100% appreciate the effort to reduce cookies & the commitment to avoid 3rd-party, the tongue-in-cheek "legally required" flies completely in the face of all that effort - especially given it's misinformed & not in fact legally required at all.
Man it's 2025 and we still WANT to opt out of cookies visually? Why don't we just have browsers that just do that.
If one wants full control cookies could just be disabled by default at the browser level (which also blocks local storage). I do this and just whitelist sites that actually need it (very few).
The issue is some sites won't display any content without cookies, even if it's unnecessary. The amount of React-using sites that will load the entire page only to a second later to fully blank out since the JS couldn't set local storage does get annoying (and can regularly be worked around by disabling Javascript if not used for anything substantial). A handful like this have appeared just this past week on the HN front page.
A further problem is that some if not most sites (that employ any kind of tracking in the first place) do so through a variety of means in no way limited to cookies. Addressing the core problem without legislation that captures intent is not feasible without a new protocol and document data type.
Seems like it should be a browser setting that controls a request header.
Something like https://en.wikipedia.org/wiki/Do_Not_Track ? Which failed in part because Microsoft turned it on by default which even further disincentivised publishers from respecting it.
11 replies →
There's a reason the largest advertising company in the world hasn't sanctioned this move.
Ask your favorite advertising company: https://news.ycombinator.com/item?id=45217269
I don't see any cookies saved anywhere. I do see four variables in localStorage, though.
They also embed Youtube if you open the demo, which in turn tracks users (yes, even through the no-cookie subdomain: https://dustinwhisman.com/writing/youtube-nocookie-com-will-...).
Ursula von der Leyen would not be very proud.
Let's see if one of these shady lawyers who make their money by finding these violations reads HN and gets into contact with them...
Could it be that they actually did not know that they don't need to show a banner if there is no third party cookie?
Or that this is their way of bragging that they don't use third-party cookies?
>Unless it's essential to the site functionality, in which case you don't need the banner at all.
No, this is conflating "GDPR consent" and the ePrivacy Directive. According to ePD the banner must always be shown if the company providing the service is based in the EU
Different jurisdictions differ. Even if you collect your own and it contains identifying points, laws like GDPR will require you to attain informed consent before you collect it, along with methods for people deleting their data, and a million et als.
Ahh yes. HN’s favorite debate.
Where people who’ve never started a company or spoken to a lawyer about GDPR, the ePrivacy directive, the schrems rulings, etc but just emotionally love idea of what they think it represents (but actually doesn’t), debate with normal sane people.
All I can say is, I’m getting really tired of this one guys.
Just like a debate on any other topic? E.g., GNU/Linux on desktop.
[dead]