Comment by xp84
2 days ago
> EU law is just meritless pestering of people
It is that. It has done literally nothing to improve anything whatsoever, in any country. And most of the "cookie management" scripts that people use, barely even work. Both the law and the way it's complied with in practice are a dumb solution to a problem that the EU should have forced browser vendors to solve. Only the user's browser can choose not to send back cookies, and it would be trivial for the user to be shown a dialog when they navigate to a previously-visited site in a new session saying:
Last time you were here, the site stored information that may help them recognize you or remember your previous actions here.
< I want to be recognized > / < Forget Everything >
[ ] Also keep these third-party cookies <Details...>
[x] Remember my choice and don't ask again for ycombinator.com
The EU law is fine, the implementation used isn't. But never blame the EU laws for cookie banners; the law does not mandate banners at all, let alone the ones full of dark patterns to nag you into accepting anyway. That's all the industry.
The industry could have come up with a standard, a browser add-on, respect a browser setting, etc but they chose the most annoying one to pester you, the user.
> let alone the ones full of dark patterns to nag you into accepting anyway.
In fact the law pretty explicitly disallows dark patterns like that. Of course tech companies have a loosy-goosy relationship with the law at the best of times.
Yeah, and only when (I think) Google got a hefty fine did the banner implementations start to add an instant "opt-out" button. The tech companies really try to skirt the rules as closely as possible.
I'm glad I'm not in EU legal, it's gotta be like dealing with internet trolls ("I didn't ACTUALLY break any rules because your rules don't say I can't use the word "fhtagn"")
The #1 problem with the cookie law is that it's not enforced.
Start fining sites with dark pattern banners and they'll start going away.
1 reply →
> In fact the law pretty explicitly disallows dark patterns like that.
Yes. For "cookie banners" the law in fact forbids hiding "Reject all non-essential and continue" to be given less visual weight than "Accept all and continue", let alone hiding it behind "More details" or other additional steps.
It also requires consent to be informed (i.e. you need to know what you're agreeing to) and specific (i.e. you can't give blanket consent, the actual categories of data and purposes of collection need to be spelled out) and easily revokable (which is almost never the case - most sites provide no direct access to review your options later once you've "opted in").
One good example I can think of for a "cookie banner" that gets this right is the WordPress plugin from DevOwl: https://devowl.io/wordpress-real-cookie-banner/ (this is not an ad, but this is the one I've been recommending to people after having tried several of them) because it actually adds links to the footer that let you review and change your consent afterwards.
EDIT: Sorry, I first misread "disallows" as "allows". I've amended my reply accordingly.
> The EU law is fine
Kind of. The intent is good and the wording disallows some of the dark patterns. The challenge is that it stands square in the path of the adtech surveillance behemoths. That we ended up with the cesspit of cookie banners is a result of (almost) immovable object meeting (almost) irresistable force. There was simply no way that Google, Facebook et al were ever going to comply with the intent of the law: it's their business not to.
The only way we might have got a better outcome was for the EU to quickly respond and say "nope, cookie banners aren't compliant with the law". That would have been incredibly difficult to do in practice. You can bet your Bay Area mortgage that Big Tech will have had legions of smart lawyers pouring over how to comply with the letter whilst completely ignoring the intent.
GDPR requires informed consent before collecting data. It's a wonder we don't have to force everyone through an interstitial consent page.
Yes, this sounds good. This sounds like something desirable. I mean, this is the expectation literally everywhere else so... why not the web?
Also, data collection is fully a choice. You can always choose not to. I've built websites with logins and everything and guess what - no cookie banners necessary. Just don't collect data you don't need.
> GDPR requires informed consent before collecting data.
And this is a good thing, no? I certainly think so.
> It's a wonder we don't have to force everyone through an interstitial consent page.
If the information being tracked is truly essential to the site/app (session management and authorisation data for instance) then no consent is needed, for anything else ask before you store it, and most certainly ask before you share it with your “partners” or anyone else.
1 reply →
The EU law isn't fine.
Many websites are free because they survive from ads. Ads make more money if you collect data. The EU law essentially cut the revenue of all these websites. Their choice is to not collect data (meaning less revenue) or show a popup (meaning more bounce rate, which means less revenue).
People who think this is a good thing are being short-sighted. That's because this law mainly affects websites that host information that visitors visit from clicking on links on the web. If a website is like Facebook or Youtube, where users must sign up first or probably already have an account, they will be able to collect data for ads with or without banners since they have their own ToS for creating an account, and they can infer a lot from how the user uses their services.
I'm not saying privacy regulation is a bad thing. It made countless businesses reconsider how they handle people's data. But it's clear to me that there are two problems.
First, this regulation hurts all the small websites that need to exist in order for we have to have a healthy "web." A lot of these are making only barely their hosting costs in ads, so there is no way they can afford the counsel to figure out how to comply with laws from another continent. If we had another way to support these websites, this wouldn't be a problem, but ads are really the lifeblood of half of the internet, and almost nobody wants to donate or pay a subscription.
Second, this regulation doesn't even really protect people's private data in the end, which may give users a false sense of security because they have the GDPR on their side. I forgot the name, but there was a recent gossiping app that required the user to upload a photo in order to sign up, which should be deleted afterwards, but they never deleted it and when the app was hacked the attacker had access to photos of all users. It's the same thing with GDPR. We can tell when a website is clearly not complying with the GDPR, but there is no way to tell if they actually complied with the GDPR until the server gets hacked.
Even the way they comply with GDPR isn't enough to protect users' privacy, e.g. if you have an account on Discord and you want your data deleted, they will simply turn every post your made into an "anonymous" post. This means if you sent a message that discloses your private information on Discord, that will never get deleted because its outside the scope of compliance. You could literally say "Hi, my name is XYZ, I live in ABC" and they won't delete that because you consented to provide that information, they will just change your username from "xyz" to "anonymous" or something like that.
I still wonder what are the actual benefits of GDPR with these cookie banners when 99% of the users just stay on Facebook and Youtube anyway.
> Many websites are free because they survive from ads. Ads make more money if you collect data.
My business is to get money out of other people's wallets and bank accounts. I could get make much money if you just logged into your bank account and approved transactions whenever I told you to, or screamed less whenever I took the wallet out of your pocket on my own.
That there's a way to earn more money does not justify it as legitimate thing to do, and if you can't figure out how to run a service in legitimate ways does not mean that illegitimate ways that attempt to violate its users in secret suddenly become okay.
1 reply →
> First, this regulation hurts all the small websites that need to exist in order for we have to have a healthy "web."
there is nothing healthy about force-feeding ads optimized via collected data.
1 reply →
I read an interview with a bunch of different young people. They all basically said "I just click 'yes' or 'accept' automatically". It sounded like they all believed that this was something they had to do in order to get to the content.
Bad implementation of the EU law indeed, as another comment said. It fails the purpose completely and just create more problems for nearly everyone.
In many cases it is required to access the content. Courts have allowed "Consent or pay" for sites such as newspapers.
In some cases is how I would state it. It's actually very rare that you have to consent to 'accept all cookies' to read content, I've never actually seen it myself. 'Pay if you want to read more' is common, for certain types of sites.
If you like things the way they were before the law, just answer yes to all cookie banners you see.
It does not take time if you don’t care to read it. Yours click yes, and they will remember you want to be tracked.
Yep, it baffles me that a lot of people would rather not have the option to reject cookies. Its weird to say "I don't want to stop a website tracking me because the UX is terrible. I'd rather get tracked instead.". Of course, it would be better if the UX were even better, but I'd rather take something over nothing.
> Yep, it baffles me that a lot of people would rather not have the option to reject cookies.
Back in the day browsers offered this natively. When the advertising companies started building browsers there was a lot of incentive to see that go by the wayside of course...
But the earlier comment isn't saying that you shouldn't have options, rather that the law needs to be more specific, such as requiring browsers to work in coordination with website operators to provide a unified solution that is agreeable to users instead of leaving it completely wide open to malicious compliance.
These kind of laws need to be careful to not stifle true innovation, so it is understandable why it wanted to remain wide open at the onset. But, now that we're in the thick of it, maybe there is a point where we can agree that popup dialogs that are purposefully designed to be annoying are in volition of the spirit and that the law should be amended to force a better solution?
6 replies →
That’s in theory.
In practice these banners regularly break. They are hard to click on certain devices where the button is off screen. If they use JavaScript and there is an error elsewhere, you can’t hide them. And I regularly see them over and over again on the same sites because for some reason they can’t track me effectively for this purpose.
In short they are a regular minor annoyance that does take time and effort.
Seems like it's working then? Because the website chose to (optionally) track you, you need to go through a minor annoyance to accept it. You're effectively making a choice that you're fine with this annoyance (since you keep using the website) and since you're accepting it, you're fine with being tracked.
Other people already get two choices to make here which they didn't get before, which is a win in my book. Seeing the banner, you can decide to avoid the website and if you still wanna use the website, you can chose if you allow them to track you by PII or not.
3 replies →
The worst part. The one cookie that should remember your choice NEVER works. Never.
It doesn’t matter what site I visit and what choice I do. The next day, every single website asks me to pass through the banners again.
Try UBlock Origin. It blocks stupid banners just fine. And it doesn't mean that you give your consent.
I do click yes. It still wastes my time since especially on mobile they obscure at least 1/3 of the viewport. They're just like the other popups that are now on most every site: The "Sign up for our newsletter" or "Get 10% off by signing up for emails", the paywall, the "It looks like you're using an adblocker."
There's a reason people have always hated popup ads even though "just close them" has always been an option.
You should understand that the law doesn't mandate the cookie popup to be annoying. It's a deliberate choice of websites, they want you to hate the banner and the law.
2 replies →
How many billions of human hours of productivity have we collectively wasted with these cookie banners?
Always remember it is the web site owner who chose to waste your time.
The more obnoxious the cookie banner, the quicker you can conclude "I didn't really need to visit your site anyway".
1 reply →
Most probably magnitudes less than those wasted on advertisement and the resulting unnecessary purchases.
Under German law, the BGB (Bürgerliches Gesetzbuch, German civil law book defining most private laws) provides very specific and concrete provisions for liabilities and duties in most business transactions and commercial exchanges of goods and services and even employment. It's not necessary to agree to formal contractual obligations in writing for most service agreements unless you want to add additional obligations or explicitly waive ones prescribed by the BGB (and some in fact can't be waived or not entirely) - if you can prove an agreement was made that falls under the BGB's laws, those laws apply to it regardless of the existence of a written and signed contract. And yet it's extremely uncommon not to have a written contract for serious business relations and most contracts explicitly insist on signatures (in fact in German contract law, the legal phrase "in Schriftform", literally "in writing", is defined in such a way it specifically requires a document signed by both parties whereas for "in Textform", literally "in text", even an e-mail or text message would be sufficient).
It's not cookie banners that are wasting productivity, it's mutual distrust and the need to protect against it. "Cookie banners" (or more correctly: consent forms) are legal contracts. The reason they are often so annoying to navigate is that the companies that built them want to try to trick you into agreeing to things you have no interest in agreeing to or might even have an interest in not agreeing to. Technically the law forbids this but it's still more profitable to risk the fine than to abide by the law.
Or to put it another way: there's no honest reason to require a consent form to let you read an article. The consent form isn't for reading the article, it's for what the site wants to do to you (or your data - which includes all data collected about you because the GDPR defines that as being yours, too) while you're reading the article.
The GDPR doesn't make you waste time on cookie banners. The GDPR grants you ownership of all personally identifiable information of you and about you - it creates legal rights and protections you previously didn't have. Cookie banners exist because companies want to infringe upon those rights. Most cookie banners are difficult to navigate because most companies don't want you to understand what you're agreeing to (and on second order because they want you to blame the law granting you rights rather than them for infringing upon those rights).
2 replies →
Dude, I was in France and browsed to a page and it was a full page cookie modal with like 3 buttons and all these sliders. Turns out everywhere in the EU has these insane page things.
I don't agree. It is the main way I am being informed that some sites I attempt to use, share my data with thousands of external partners, for no relevant function. I do not believe this information would be divulged to me and the public, if voluntary. The public is mistreated in innumerable ways, starting by not letting them know it is happening.
Platform for Privacy Preferences Project (P3P) has existed for over 20 years and no one wanted to implement it.
https://en.wikipedia.org/wiki/P3P
> the EU should have forced browser vendors to solve. Only the user's browser can choose not to send back cookies
This is only an option if you limit tracking to using cookies. But neither tracking technologies, nor the current EU law, are limited to tracking via cookies. It also kills functionality for many web applications without also accepting all tracking. Some browser-flavors went to extreme lengths to prevent tracking through other means (eg fixed window size, highly generic header settings, ...).
Maybe I am mistaken, but it seriously frustrates me how much people within the relevant field make this mistake of conflating tracking and cookies and come to this "it would be so simple" solution.
A welcome update to the law would be to allow a header flag to opt out/in (or force the do-not-track header to have this functionality) preventing the banner from showing.
The pessimist in me thinks a legally enforced header and corresponding browser setting (so that the user wouldn't have to make an explicit choice per website) would have met enough pushback from businesses for the EU to back down to something with the infinite stupidity of the current solution.
Maybe we could move towards that end in small steps. The EU should start by banning irrelevant non-sequiturs like "We value your privacy" and other misleading or at best distracting language. It can then abandon the notion that users are at all interested in fine-grained choice, and enforce that consent and non-consent to non-essential statekeeping are two clearly distinguished and immediately accessible buttons. No one wants to partially block tracking.
It seems as though the EU is operating under the notion that this is all a matter of consumer choice, as though any informed consumer would choose to have tabs kept on them by 50 trackers if not for the inconvenience of figuring out which button stops them.
I know it'll be considered a hot take, but I'd argue that people don't even know what "tracking" in the Internet context even means enough for their supposed "preferences" about it to be valid.
90% of non-tech-nerds have this simple of an opinion about it:
1. Retargeting ads are "creepy" because ... "they just are"
2. Retargeting ads either annoy me because I think they're dumb in that particular instance ("I already BOUGHT a phone case last week, it's so dumb that it keeps showing me phone cases all day!") or because they're too good ("I gave in and bought the juicer after I kept seeing those ads all around the web") and I don't like spending money.
The rest of "tracking" they don't even know anything about and can't verifiably point to any harms.
Data brokers acquire data from thousands of different sources - many of which aren't stemming from Internet usage - and most of the browser data relevant here isn't tied to their actual name and permanent identity (and doesn't need to be to serve its purpose which is usually "to show relevant ads" and the more specific case of "to get people to come back and buy things they saw").
Honestly, just like people are annoyed by pushy car salesmen, and being asked for a "tip" at a self-order kiosk counter-service restaurant, they are going to be annoyed about aspects of the commercial Internet, and it doesn't automatically mean that they're being victimized or that they need regulations to try to help.
1 reply →
The entire point of the law was to make websites using extraneous cookies and trackcing annoying to use. It's not something that can be solved in the browser _at all_. What I guess no one expected is that most websites would just decide to go on and pester their users rather than stop the tracking -- and that users would still continue using those websites.
> It has done literally nothing to improve anything whatsoever, in any country
That’s because of malicious compliance from all the websites/advertisers. I guess that is partly the lawmakers’ fault for not pre-empting that; but much larger blame lies on the industry that refuses to grant user privacy.
As an example for a site that followed the intent of the law instead: https://github.blog/news-insights/company-news/updates-to-ou...
Github removed excess tracking so they didn’t need to show a cookie banner and that’s what GDPR’s intent was.
Blaming the industry for it doesn't change the reality that the law has done very little to improve the thing it was aimed at and made the internet worse for users (and developers) with all the banners. By any objective measure its outcomes are terrible - lawmakers should do better than just throwing out things like that.
> By any objective measure
Number of sites using google analytics on my browsing session with my consent has gone down
Very little? The norm used be to slap google analytics on everything. Suddenly everybody thinks about compliance — especially those who didn't even have idea there was something wrong.
Many sites ditched tracking altogether so they don't have to have banners. Everybody is aware of GDPR so you can be pretty confident that when european site has no banner it doesn't track you.
Could the law be better? Sure I would love to ban tracking altogether. But this was lobbied to hell by AD companies. Everybody was kicking and screaming because they want all the data. And we still got something that helps. That is a win.
And you can see how industry hates it in way they implement the banners. It is annoying and confusing on purpose. You could comply in nice way but when you need to share the data with your 141 ad partners and each one gets their own checkbox… good luck.
Same reason nobody was respecting the dont track me flag. The industry is absolutely and exclusively to blame here.
6 replies →
in what way is it malicious compliance? the law just requires you ask for consent. that’s exactly what companies do. some companies violate the law by asking for consent in a way that is misleading or incorporates dark patterns. but if the law says “you must ask for consent before you do X” and companies ask for consent before they do X, that is just compliance, not malicious compliance.
As an example of true malicious compliance, some companies intentionally add trace amounts of allergens to all their food, that way they can just claim that all their food contains allergens and not be at risk of being accused of improper labeling. but the intention of the law requiring accurate labeling was clearly not to get companies to add more allergens to their food. it requires a level of creativity to even think of complying like that. It requires zero creativity to think “this law requires user consent before tracking, so let’s ask for consent”.
Have you seen the 300 individual checkboxes you need to disable? Or the hoops that the advertising industry went through to claim that “Do-Not-Track” didn’t count for:
> In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02...
Article 4, Section 21.5
The malicious compliance is more that they all refused to add the one-click opt-out until a high-profile enforcement against Google brought them to heel.
1 reply →
The "malicious" compliance came from the trick that accepting / opting-in was fast and almost instant, but rejecting / opting-out was a slow and arduous process, and it required lawsuits and fines [0] for companies to comply.
I found a website that lists all fines handed out for violating the GDPR: [1]
[0] Google fined €325 million by French CNIL for placing cookies without consent https://www.cnil.fr/en/cookies-and-advertisements-inserted-b...
[1] https://www.dsgvo-portal.de/gdpr-fines/gdpr-fine-against-goo...
How would that prevent sites from selling their users' data to third parties without consent server-side? GDPR is not about third party cookies, but about requiring informed consent.
Though I agree with your point, the idea that cookie banners in any sense contribute to "informed consent" is very debatable.
It’s because those were made to be bad solution by very advertising companies wanting people to be denied their rights and making it look like law is bad instead of implementation being bad
The 'selling of data' is separate of course, but the banners do nothing to actually ensure that they aren't collecting data you don't know about. They're honor system, which is dumb when you could have browsers not send that data back without opt-in.
In other words, of course Facebook knows you like bacon if you've followed 5 bacon fan pages and joined a bacon lovers group, and they could sell that fact.
But without cookies being saved long-term, Facebook wouldn't know that you are shopping for a sweater unless you did that shopping on Facebook. Today they undoubtedly do know if you are shopping for anything because cookies exist and because browsers are configured to always save cookies across sessions.
Also, I always point this out when this topic comes up: Of all websites I visit and have to click stupid banners on, almost none of them are in the market of "selling data" or building dossiers about individuals ("Steve Smith bought flowers on June 19th. Steve is 28 years old. He has a Ford Explorer. He lives in Boston."). They just want to get metrics on which of their ads worked, and maybe to know aggregate demographics about their audience. My local water utility, Atlassian, and Nintendo to pick 3 sites at random, have never been and are not in the business of data brokerage. But they do need to show cookie banners to not be sued for imaginary harms under CCPA or GDPR (unless they want to not make any use of online advertising or even aggregate analytics).
> They're honor system, which is dumb when you could have browsers not send that data back without opt-in.
Given that there is no objective way to differentiate between functional and tracking cookies, your "technical" solution would also boil down to honoring marking certain cookies as such by the website owner, effectively being the same as what we have today.
(Though I do agree that the UX would be nicer this way)
5 replies →
No, it is not that. It highlighted an issue, and it makes it painfully obvious when a particular page is being extra ignorant about your privacy and trying to sell it to thousand vendors instead of a handful.
What I don't like about cookie popups isn't the popup (which isn't something the EU law dictated btw), it's that someone thought it was okay to have hundreds of advertisement vendors and data brokers on a single news article, and it's better to know so I can just close the tab and never interact with that webpage again if they're being excessive asshats.
They have failed at enforcing this properly though, in particular with the recent proliferation of "legitimate interest" abuse (it is only legitimate interest if it an implied component to a service I am directly requesting), and the general issue of popups illegally making rejection different from acceptance, intentionally making rejection slow, or even requiring payment to continue without cookies. And yes, the occasionally completely defective prompt.
I do agree that it would be neater if the browser handled this though. Would also be neater if the internet wasn't entirely sponsored by privacy violations. :/
lol this is what it used to be like back in the day. We have forgotten the old ways and now we yearn for them. Every tutorial instructed old people to just click Always Allow or else they would not be able to read their webmail.
The law is fine. The industry has just decided that dragging its heels and risking fines is better than actual compliance.
Most of the "cookie management" scripts that people use aren't compliant.
EU law requires "Accept All" and "Reject All Non-Essential" be both equally easy to access and given equal weight (or rather: the latter can't be given less weight and made more difficult to access, which almost all of these scripts blatantly ignore).
Browser vendors can't solve this because the question isn't technical but legal. It's not about first-party vs third-party cookies (let alone same-origin vs cross-origin) but about the purposes of those cookies - and not just cookies but all transferred data (including all HTTP requests).
You don't need to (and in fact can't) opt into technically necessary cookies like session cookies for a login and such. It's plausible that these might even be cross-origin (as long as the other domain is controlled by the same legal entity). If they're provided by a third party, that would indeed be data sharing that warrants a disclosure and opt in (or rather: this can only happen once the user acknowledges this but they have no option to refuse and still use the service if it can't plausibly be provided without this).
The GDPR and ePrivacy laws (and the DMA and DSA) have done a lot for privacy but most of what they have done has happened behind the scenes (as intended) by changing how companies operate. The "cookie management" is just the user-facing part of those companies' hostile and dishonest reactions to these laws as well as a cottage industry of grifters providing "compliance" solutions for companies that can't afford the technical and legal expertise to understand what they actually need to do and think they can just tick a box by buying the right product/service.
Heck, most companies don't even provide legally compliant privacy policies and refuse to properly handly data access requests. The GDPR requires companies to disclose all third parties (or their categories if they can't disclose identities) your (specifically your) data has been shared with and the specific types of data, purposes of that sharing and legal basis for sharing it (i.e. if it required consent, how and when that consent was given) - and yet most will only link you to their generic privacy policy that answers none of those questions or only provides vague general answers or irrelevant details ("We and our 11708 partners deeply care about your privacy").
[dead]