
Comment by Cthulhu_

2 days ago

The EU law is fine, the implementation used isn't. But never blame the EU laws for cookie banners; the law does not mandate banners at all, let alone the ones full of dark patterns to nag you into accepting anyway. That's all the industry.

The industry could have come up with a standard, a browser add-on, respected a browser setting, etc., but they chose the most annoying option to pester you, the user.

> let alone the ones full of dark patterns to nag you into accepting anyway.

In fact the law pretty explicitly disallows dark patterns like that. Of course tech companies have a loosey-goosey relationship with the law at the best of times.

  • > In fact the law pretty explicitly disallows dark patterns like that.

    Yes. For "cookie banners" the law in fact forbids giving "Reject all non-essential and continue" less visual weight than "Accept all and continue", let alone hiding it behind "More details" or other additional steps.

    It also requires consent to be informed (i.e. you need to know what you're agreeing to), specific (i.e. you can't give blanket consent; the actual categories of data and purposes of collection need to be spelled out) and easily revocable (which is almost never the case; most sites provide no direct access to review your options later once you've "opted in").

    One good example I can think of for a "cookie banner" that gets this right is the WordPress plugin from DevOwl: https://devowl.io/wordpress-real-cookie-banner/ (this is not an ad, but this is the one I've been recommending to people after having tried several of them) because it actually adds links to the footer that let you review and change your consent afterwards.

    EDIT: Sorry, I first misread "disallows" as "allows". I've amended my reply accordingly.

  • Yeah, and only when (I think) Google got a hefty fine did the banner implementations start to add an instant "opt-out" button. The tech companies really try to skirt the rules as closely as possible.

    I'm glad I'm not in EU legal, it's gotta be like dealing with internet trolls ("I didn't ACTUALLY break any rules because your rules don't say I can't use the word "fhtagn"")

  • The #1 problem with the cookie law is that it's not enforced.

    Start fining sites with dark pattern banners and they'll start going away.

    • I feel like the #1 problem with the cookie law is that the vast majority of websites need to do something in order to comply while keeping their business model and the law hasn't provided a clear direction for how to comply with it.

      If they had done that, nobody would be making cookie banners wrong.

> The EU law is fine

Kind of. The intent is good and the wording disallows some of the dark patterns. The challenge is that it stands square in the path of the adtech surveillance behemoths. That we ended up with the cesspit of cookie banners is a result of (almost) immovable object meeting (almost) irresistible force. There was simply no way that Google, Facebook et al. were ever going to comply with the intent of the law: it's their business not to.

The only way we might have got a better outcome was for the EU to quickly respond and say "nope, cookie banners aren't compliant with the law". That would have been incredibly difficult to do in practice. You can bet your Bay Area mortgage that Big Tech will have had legions of smart lawyers poring over how to comply with the letter whilst completely ignoring the intent.

GDPR requires informed consent before collecting data. It's a wonder we don't have to force everyone through an interstitial consent page.

  • Yes, this sounds good. This sounds like something desirable. I mean, this is the expectation literally everywhere else so... why not the web?

    Also, data collection is fully a choice. You can always choose not to. I've built websites with logins and everything and guess what - no cookie banners necessary. Just don't collect data you don't need.

  • > GDPR requires informed consent before collecting data.

    And this is a good thing, no? I certainly think so.

    > It's a wonder we don't have to force everyone through an interstitial consent page.

    If the information being tracked is truly essential to the site/app (session management and authorisation data for instance) then no consent is needed, for anything else ask before you store it, and most certainly ask before you share it with your “partners” or anyone else.

    • There's obviously a lot more real world than they can codify into laws and examples but I think if you can get consent, you should get consent. The ICO:

      > Private-sector or third-sector organisations will often be able to consider the ‘legitimate interests’ basis in Article 6(1)(f) if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone’s personal data without their consent – but you must avoid doing anything they would not expect, ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.

      Session tracking, storing account information, addresses, etc. all seem obvious in any e-commerce system, but you still have every opportunity to notify users of and obtain consent for that data collection.

      I think you and I both think that data protection is a good thing, I'm just a little more wary of leaning on legitimate usage* as a way to skip formal consent.

      1 reply →
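The distinction drawn in the sub-thread above, between strictly necessary storage (session and authorisation state) that needs no consent and everything else that must be gated behind a specific, revocable decision, is easy to state and easy to get wrong in code. The following is an added example in JavaScript, not code from any commenter, plugin or project mentioned on this page. The purpose names, the essential-cookie list, the `consent_v1` storage key and the in-memory store are all assumptions chosen for the demo; in a browser you would pass `window.localStorage` as the store and loaders that inject the third-party script tags.

```javascript
// Added example: consent-gated loading of non-essential scripts with revocation.
// Written as pure functions over an injectable key/value store so it runs in
// Node; in a browser pass window.localStorage and real script-injecting loaders.

// Purposes the banner must list individually (consent has to be specific).
// Assumed names for the demo.
const PURPOSES = ["analytics", "marketing"];
// Cookies that are strictly necessary and therefore exempt from consent
// (assumed names; a real site lists its own session/CSRF cookies here).
const ESSENTIAL_COOKIES = new Set(["sessionid", "csrftoken"]);
const CONSENT_KEY = "consent_v1";

// Minimal stand-in for localStorage so the example runs offline.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Returns the stored decision, or null when the user has not decided yet.
function readConsent(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const c = JSON.parse(raw);
    if (c.version !== 1 || typeof c.purposes !== "object" || c.purposes === null) return null;
    return c;
  } catch {
    return null; // corrupt record: treat as undecided, never as consent
  }
}

// Persist an explicit decision. `granted` lists the purposes the user ticked;
// everything not listed is recorded as refused, so "Reject all" is recordConsent(store, []).
function recordConsent(store, granted, now = Date.now()) {
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  for (const p of granted) {
    if (!(p in purposes)) throw new Error(`unknown purpose: ${p}`);
    purposes[p] = true;
  }
  const record = { version: 1, decidedAt: now, purposes };
  store.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Run the loader for each purpose the user agreed to. No decision, or a refused
// purpose, means the loader never runs: nothing is fetched before consent.
function loadGated(store, loaders) {
  const consent = readConsent(store);
  const loaded = [];
  if (!consent) return loaded;
  for (const [purpose, load] of Object.entries(loaders)) {
    if (consent.purposes[purpose] === true) {
      load();
      loaded.push(purpose);
    }
  }
  return loaded;
}

// Parse a document.cookie-style string and return the names outside the essential set.
function nonEssentialCookieNames(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name && !ESSENTIAL_COOKIES.has(name));
}

// Withdrawal must be as easy as giving consent: drop the record and report which
// cookies now have to go (in a browser, expire each one with Max-Age=0).
function revokeConsent(store, cookieHeader) {
  store.removeItem(CONSENT_KEY);
  return nonEssentialCookieNames(cookieHeader);
}

// Demo with a constructed store and a constructed cookie string.
function demo() {
  const store = memoryStore();
  const calls = [];
  const loaders = {
    analytics: () => calls.push("analytics"),
    marketing: () => calls.push("marketing"),
  };
  const before = loadGated(store, loaders);          // undecided: nothing loads
  recordConsent(store, ["analytics"], 1700000000000); // user ticked analytics only
  const after = loadGated(store, loaders);           // only analytics loads
  const toDelete = revokeConsent(store, "sessionid=abc; _ga=GA1.2.1; csrftoken=x; _fbp=fb.1.1");
  return { before, after, toDelete, calls, decided: readConsent(store) !== null };
}
```

The two design points worth copying are the default and the failure mode: an absent or unparseable consent record is treated as "no decision", so silence and corruption both result in nothing being loaded, and revocation is a single call that a footer link can trigger, which is the part most real banners leave out.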

The EU law isn't fine.

Many websites are free because they survive from ads. Ads make more money if you collect data. The EU law essentially cut the revenue of all these websites. Their choice is to not collect data (meaning less revenue) or show a popup (meaning more bounce rate, which means less revenue).

People who think this is a good thing are being short-sighted. That's because this law mainly affects websites that host information that visitors visit from clicking on links on the web. If a website is like Facebook or Youtube, where users must sign up first or probably already have an account, they will be able to collect data for ads with or without banners since they have their own ToS for creating an account, and they can infer a lot from how the user uses their services.

I'm not saying privacy regulation is a bad thing. It made countless businesses reconsider how they handle people's data. But it's clear to me that there are two problems.

First, this regulation hurts all the small websites that need to exist in order for us to have a healthy "web." A lot of these are only barely making their hosting costs in ads, so there is no way they can afford the counsel to figure out how to comply with laws from another continent. If we had another way to support these websites, this wouldn't be a problem, but ads are really the lifeblood of half of the internet, and almost nobody wants to donate or pay a subscription.

Second, this regulation doesn't even really protect people's private data in the end, which may give users a false sense of security because they have the GDPR on their side. I forgot the name, but there was a recent gossip app that required the user to upload a photo in order to sign up, which should have been deleted afterwards, but they never deleted it, and when the app was hacked the attacker had access to photos of all users. It's the same thing with GDPR. We can tell when a website is clearly not complying with the GDPR, but there is no way to tell if they actually complied with the GDPR until the server gets hacked.

Even the way they comply with GDPR isn't enough to protect users' privacy, e.g. if you have an account on Discord and you want your data deleted, they will simply turn every post you made into an "anonymous" post. This means if you sent a message that discloses your private information on Discord, that will never get deleted because it's outside the scope of compliance. You could literally say "Hi, my name is XYZ, I live in ABC" and they won't delete that because you consented to provide that information; they will just change your username from "xyz" to "anonymous" or something like that.

I still wonder what are the actual benefits of GDPR with these cookie banners when 99% of the users just stay on Facebook and Youtube anyway.

  • > Many websites are free because they survive from ads. Ads make more money if you collect data.

    My business is to get money out of other people's wallets and bank accounts. I could make much more money if you just logged into your bank account and approved transactions whenever I told you to, or screamed less whenever I took the wallet out of your pocket on my own.

    That there's a way to earn more money does not justify it as a legitimate thing to do, and not being able to figure out how to run a service in legitimate ways does not mean that illegitimate ways that attempt to violate its users in secret suddenly become okay.

    • Like I said, GDPR only stops the smallest websites from doing that, and in most cases they're barely a "business," they're just some website that gets paid only enough in ads to cover its hosting costs so that the webmaster doesn't have to pay money on top of time to publish information for free for everyone on the internet.

      The largest websites will still "violate its users in secret." That's why I don't think GDPR is as useful as people purport it to be.

  • > First, this regulation hurts all the small websites that need to exist in order for us to have a healthy "web."

    There is nothing healthy about force-feeding ads optimized via collected data.

    • You're going to get force-fed ads optimized via collected data either way. The only question is whether small websites will exist that rely on third-party ad networks or only Facebook and Youtube will exist because they have first-party ad delivery systems. I don't think the latter is healthier than the former. Do you?