Comment by croon

6 hours ago

Frankly, the cookie banners are an example of bad enforcement. Most of the annoying ones are actually non-compliant with the regulation. I'd say that regulation is mostly fine as well.

I disagree - I think they’re a bad law. Ideally it wouldn’t need to be enforced at all, because companies would comply with it. The last website I worked on we had 0 telemetry in cookies but we used a cookie for non telemetry uses. When we were putting together a privacy policy, one of legal’s questions was “are there any cookies”, to which we said yes. We explained, but as far as they were concerned cookies means cookie bar.

> I'd say that regulation is mostly fine as well.

Personally I’ve never looked at a cookie bar and said “wow I’m glad I now know how many people they’re selling my data to” and then changed my behaviour. And the companies have just slapped non-compliant (and unenforced/able) banners to justify what they were already doing. That’s a bad regulation.

  • > Ideally it wouldn’t need to be enforced at all, because companies would comply with it

    The non-compliance is a result of the lack of enforcement. If it went into effect and a few fines were handed down the next day for non-compliant consent flows, you can bet everyone else would quickly go into compliance.

    But that effectively never happened, and the probability of getting fined for a non-compliant consent flow appears to be less than winning the lottery, so of course everyone just ignores the regulation.

    • Agreed 100%. "Enforcement" of the law has gotten so bleak that people can't imagine a world where we have to follow the laws as they are now.

      Imagine a world where activity like this was fined, or where the police actually persecuted white collar criminals. A world where politicians and corporations were both afraid to engage in open corruption. Where companies got fined for uncompetitive practices and weren't able to pollute the environment or engage in union busting.

      We wouldn't need any new laws to live in a world like that. We would just need the "enforcement" wing of the government to actually be effective and do their jobs.

  • Yep, bad law, I'd also say bad intent.

    Apple is ahead of the curve[1]. You get a system-level popup asking you for consent to be tracked. Actual, not implied consent - only "yes" means "yes".

    So you say "no" and it means "no". Apps are blocked from all basic forms of tracking (like device ID), and the App Store rules state that apps that try to circumvent that will be kicked out. Apple doesn't fuck around - they've kicked Meta and Epic without blinking an eye.

    EU's response? Kick Apple, because EU companies can no longer do targeted advertising on Apple's platform. Our regulators are full of shit.

    [1]: Well Apple still tracks you in their first-party apps, but that's a different story.

    • > EU's response?

      It wasn’t the EU, it was France who fined Apple over ATT (although there are ongoing discussions at the EU level).

      They were fined for self-preferencing, which is exactly the “different story” in your footnote.

      It was also pointed out that consenting to ATT still isn't sufficient to provide the informed consent required under GDPR and is misleading for implementers who think they can just rely on ATT (it's effectively yet another non-compliant cookie banner), but the fine was just for the self-preferencing.

    • > Apple doesn't fuck around - they've kicked Meta and Epic without blinking an eye.

      Sorry what?

      Everyone lies on those "privacy nutrition labels" on the App Store listings and gets away with it, and everyone is free to embed dozens of analytics/tracking SDKs in their app that track the user by fingerprinting and IP address.

      Apple doesn't care. If Apple cared, they could simply say that all apps must comply with the laws of the locale they are distributed in - which they do for things like copyright infringement, etc. - and thus could have banned Meta and most of their competitors all the way back in 2018 when the GDPR went into effect. But they didn't.

  • Isn't that bad lawyers rather than bad rules?

    • It definitely is.

      My experience with GDPR lawyers is that they treat every "cookie" as requiring consent purely because of lack of information and difficulty in fully assessing the full picture.

      In every other field, lawyers have to work together with experts. Technical experts must engage with the lawyers. This here is a failure from both sides.

    • That’s the “you’re holding it wrong” defense.

      Good rules will have their intent followed by bad lawyers. Bad rules will have their letter followed but their intent missed.

      Most lawyers aren’t bad, they’re just risk averse. I’ve had very few outright “no” answers from legal, even when pushing the boundaries in the grey areas, but the result of that is the PM doesn’t get a straight yes from legal, so they decide to take the most complicit option. In the cookie banner case, that’s “show by default”, especially if you don’t understand.

  • In your case you wouldn't have needed a popup/bar.

    In all other cases, a "Decline All" option should be the most prominent option (or defaulting to it would be fine). The current implementations are either non-compliant (if hiding the decline option behind more clicks than the "Accept All" option), or malicious compliance in making their own products worse to shift blame to regulations, because the unregulated previous status quo was extremely user-exploitative on tracking data. Of course (exploitative) companies would like to continue selling data on top of whatever their main business supposedly is.

    No company needs a cookie bar, unless they have no other business than selling user data.
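As an added illustration (not code from anyone in this thread), here is the rule the comment above describes, written as a small consent gate in JavaScript: strictly necessary cookies are set without asking, everything else stays blocked until an explicit opt-in, decline is the default and wipes non-essential cookies, and an audit function flags the "decline costs more clicks than accept" pattern. The cookie names, the in-memory jar standing in for `document.cookie`, and the banner description object are constructed assumptions.

```javascript
// Cookie names assumed to be strictly necessary (session handling, CSRF token).
// Constructed for this example; a real site would list its own.
const STRICTLY_NECESSARY = new Set(["session", "csrf"]);

// A consent gate with a Map standing in for document.cookie so it runs offline.
function createConsentGate() {
  const jar = new Map();
  let consent = "declined"; // default: nothing non-essential until an explicit "yes"
  return {
    // Returns true if the cookie was set, false if it was blocked for lack of consent.
    setCookie(name, value) {
      if (STRICTLY_NECESSARY.has(name) || consent === "granted") {
        jar.set(name, value);
        return true;
      }
      return false;
    },
    grant() { consent = "granted"; },
    // Declining also removes any non-essential cookies that were set while granted.
    decline() {
      consent = "declined";
      for (const name of [...jar.keys()]) {
        if (!STRICTLY_NECESSARY.has(name)) jar.delete(name);
      }
    },
    cookies() { return [...jar.keys()].sort(); },
    state() { return consent; },
  };
}

// Audits a banner description and returns the list of problems found.
// An empty list means the banner matches the rule in the comment above.
function auditBanner(banner) {
  const problems = [];
  if (banner.clicksToDecline > banner.clicksToAccept) {
    problems.push("decline needs more clicks than accept");
  }
  if (banner.preChecked) problems.push("non-essential purposes pre-checked");
  if (banner.tracksBeforeChoice) problems.push("tracking cookies set before any choice");
  return problems;
}
```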

A good point. Regulation is worth nothing if not enforced. There are new right to repair laws but nothing has been enforced.