"You DON’T need consent for: First-party cookies used just for your own analytics (in most cases)"
They claim that, but the page they link to as the source says "You must...Receive users’ consent before you use any cookies except strictly necessary cookies.". So what exactly makes them think that first-party analytics cookies are "strictly necessary"? The Mastodon link at the start of the page doesn't seem to work.
Case in point, the EU Data Protection Board has a cookie consent banner and only uses a first-party cookie for analytics.
https://www.edpb.europa.eu/concernant-le-cepd/mentions-legal...
That might be overdoing it. I don't know where the current case law is, but IMHO storing a random number and identifying the returning user is not PII (to count how many times that user returned).
Now of course if it gets joined with other data it can become PII.
IP address is usually treated as PII, because it can have very high "selectivity" (and with a subpoena can be turned into PII, whereas a site-specific cryptorandom cookie ID cannot).
Exactly. Analytics is one of the types of data for which permission is explicitly required.
Session auth cookies are the only ones the EU considers strictly necessary.
> Session auth cookies are the only ones the EU considers strictly necessary.
There are several others which are permissible. The EU has six examples.
https://commission.europa.eu/resources/europa-web-guide/desi...
Anyone that says the quote is the case doesn't know what they're talking about. For the love of god, just read the law text :(((
I wonder how many people provide consent through these banners. Is it frequent enough to be worth the terrible user experience?
I know some sites use dark patterns in their cookie banners, which I consider to be a helpful hint that the company doesn't respect the users.
Considering that for most banners the "consent" is the easy option I assume a lot. People want to get rid of the banners.
However I claim the point of the bad UX is to make users angry and then have them complain about EU etc. "demanding" those. In order to weaken the regulation of tracking. If they are successful (and they are making progress) "no more cookie banners" is a lot better headline than "more tracking".
The failure of the EU was to not write into (an updated version of the law) that setting a specific HTTP header means "no", and "no" means "no" not "show me a popup to ask" (i.e. showing a popup in such cases would not be allowed).
Those are technically in violation of the GDPR since the opt out is required to be just as easy as the opt in.
I have been on a call with a CMP where they got mad at me for not resetting our users' preferences and because our 'do not accept' was high due to the fact I refused to de-promote it via a dark pattern. I kid you not.
fwiw; looking at our stats for the past year:
No consent: 40.8%
Full Consent: 31%
Just closed the damn window: 28.1%
Went through the nightmare selector: 0.07%
~1.5M impressions from GDPR areas
Most of the sites use dark patterns in the banners, from not presenting a decline option to hiding and renaming it to be unrecognizable. For example I make an effort in always picking the Decline All option if available and the practice shows that I click on Allow All in about 20-30% of all banners, because it was impossible to avoid. So I safely assume that the general population clicks Allow All even more.
From what I understood—but I think it's been added more recently—declining all optional cookies must be as easy as accepting all cookies.
It's always those awful websites with a million popups, adverts, sites that reflow after 10 seconds, etc. They would be horrible to use even without the cookie banners.
“You DO need consent for: Third-party tracking cookies like Google Analytics, Facebook Pixel” Since most websites use GA then yes most need the banners. You could say most sites don’t need GA but that’s a different argument.
GA is free while Fathom and Plausible are not. I think that's the main reason why GA is so popular and therefore why most sites need cookie consent banners.
That’s the argument made by the article.
Which is why this article has no value. The title is completely disconnected from market reality
Cookie consent banners make me immediately think if I should just leave the site and not care about the content.
Correction: none of them do. The biggest misunderstanding in how tech works by the EU ruined usability for eternity.
The way not to need cookie consent banners is to not do analytics tracking in the first place.
I often wonder what value it actually is.
Sure, you might understand your demographics better... if you presume that the analytics are faultless at telling you this, which they're really not.
If you care about how your site is used, you don't need to set any cookies.
For my company, being able to view the user journey throughout the site in the analytics is pretty valuable.
We don't care who the specific users are - but the tracking gives us an idea of how many people use the site? do they have a good experience? are they giving us money? do we have a bug somewhere we're missing? etc.
All that is valuable as a business.
For some sites and businesses that's the right approach.
For some.
I think if you are using Google AdSense, you have to show this annoying thing to all your visitors...
But if you're including ads you're already past the point of caring about annoying your visitors.
Not at all. Ads can be displayed in a respectful fashion and not interfere with content. This is a lost art, I know.
Disclaimer: I work on a consent product.
If you're in any way something beyond a hobbyist, you should probably get legal advice about whether you need to get affirmative or implicit consent, whether you need to handle universal opt-out signals (in California, Global Privacy Control signals are now legally required to be respected), etc.
Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
And a proper consent banner will immediately handle your GPC signal, and generally not show you anything (California now requires a visual notification that your preference has been respected).
I understand what the author is actually saying: you can design sites that don't require the tracking tools requiring consent. And yes, while true at a certain (small) scale, when you have hundreds of millions or billions of page loads per month, and several development teams, a partnership group, and a lot of moving parts, you'll forgive me for thinking this is impractical.
Consent banners don't have to be awful, I promise.
> Disclaimer: I work on a consent product.
Forgive me for immediately untrusting you on the matter because the reality distortion field must be strong. Cookie banners are an absolute crystal clear evil and there is absolutely no leeway for a different opinion here.
(Tracking is also an undisputed evil)
> Consent banners don't have to be awful, I promise.
False.
They absolutely have to be awful because that's the whole premise of the law. You have to get user's consent. In order to force the user to make a choice you have to make it more annoying than it is annoying to read your content while ignoring the popup. The only way to conform to the law is to make users' experience on your website miserable.
> true at a certain (small) scale, when you have hundreds of millions [...] this is impractical.
True.
However it is also impractical to actually use the consent dialog. Because all the trackers and tools that different teams are adding to the site - they have to communicate with the cookie popup somehow and no living programmer would be bothered to even think about it. Nothing good for the world comes out of presenting and respecting the cookie popup (*).
Thus I see fake cookie consent popups that are actually ignoring users' choices.
(*) On my site I do my best to respect the user's choice and do NOT track them once they hopefully reject.
Why are you tracking when it's an undisputed evil? Reality distortion indeed.
Is getting consent interruptive? Yes. Is that worse than not getting consent? Also yes.
Since you don't appear to want to give up the undisputed evil of tracking, then consent is what's left to you. You've made the same choice as everyone else.
I'd encourage you to respect GPC and DNT, so the (roughly 20%, depending on audience) of users that have it enabled can automatically opt out of your tracking without the "crystal clear evil" of a consent banner. Remember that in California you need to show some display that their consent choices have been observed.
> the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
The page describing the law has more examples of cases where you do not need consent than the ones you do.
https://commission.europa.eu/resources/europa-web-guide/desi...
Covered under the law: they are, they really are.
You're required to disclose. I didn't say consent.
This is precisely why I say talk to a lawyer. I appreciate the firmness of your conviction, but not reading what was explicitly stated, well.
> proper consent banner
It is also quite complex to integrate a third-party consent management platform in a compliant way; the tool itself is a script, but it somehow needs to preempt loading of any other scripts until the right consent is given (there's also an argument whether the CMP being third-party is itself a breach of "data minimization" when such functionality can trivially be done in-house, or at least self-hosting the script).
The majority of sites fail at this, which already breaches the GDPR since merely loading a third-party script discloses your IP address and browser fingerprint to them.
It's not a big deal in their case because their CMP is itself configured to be non-compliant, but if you want to be compliant with a third-party CMP it's likely the effort to integrate it properly would be just as much as just doing it in-house.
CMPs generally don't do well with this. Admittedly.
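The gating discussed in this sub-thread (a consent layer that has to decide before any other script loads, and that treats a GPC or DNT request header as an opt-out without showing a banner), sketched as an added example that is not part of the thread and not any CMP's code. The function names, category labels and script URLs are hypothetical, and letting the header override a stored opt-in is an assumption of this sketch.

```javascript
// Added example; names, categories and URLs below are hypothetical.
const NECESSARY = 'necessary';

// Normalise header names so 'Sec-GPC' and 'sec-gpc' are treated alike.
function readOptOutSignals(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers || {})) {
    h[name.toLowerCase()] = String(value).trim();
  }
  // Only the literal value "1" counts as an opt-out for either header.
  return { gpc: h['sec-gpc'] === '1', dnt: h['dnt'] === '1' };
}

// Decide what may load for this request.
// stored: null when the visitor has never answered, otherwise an array of
// categories they opted in to (an empty array is a recorded "reject all").
function resolveConsent(headers, stored) {
  const { gpc, dnt } = readOptOutSignals(headers);
  if (gpc || dnt) {
    // Assumption: the browser signal wins over any stored opt-in.
    // No banner is shown; the page only confirms the opt-out was honoured.
    return { source: 'signal', allowed: [NECESSARY], showBanner: false, showOptOutNotice: true };
  }
  if (Array.isArray(stored)) {
    const allowed = [...new Set([NECESSARY, ...stored])];
    return { source: 'stored', allowed, showBanner: false, showOptOutNotice: false };
  }
  // No signal and no recorded answer: ask, and load nothing optional meanwhile.
  return { source: 'default', allowed: [NECESSARY], showBanner: true, showOptOutNotice: false };
}

// Split the page's script inventory into what is emitted and what is withheld.
// A script with no declared category is withheld (fail closed), which covers
// the case of a team adding a tag without telling the consent layer.
function gateScripts(scripts, consent) {
  const load = [];
  const blocked = [];
  for (const s of scripts) {
    (consent.allowed.includes(s.category) ? load : blocked).push(s.src);
  }
  return { load, blocked };
}

// Constructed sample inventory.
const SAMPLE_SCRIPTS = [
  { src: '/static/app.js', category: 'necessary' },
  { src: 'https://analytics.example/collect.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
  { src: 'https://widgets.example/chat.js' }, // never classified
];
```

Running the decision on the server, before the HTML is emitted, means a withheld third-party script is never requested at all, so the visitor's IP address is not disclosed to that third party.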
> Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law
You're mixing GDPR up with the ePrivacy Directive (henceforth "ePrivacy", not to be confused with the proposed ePrivacy Regulation). GDPR Recital 30 describes how cookies should be understood in relation to the GDPR (to the extent that GDPR Article 4(1) didn't already make it clear), and GDPR Recital 15 affirms that "the act of writing any cookie" doesn't have any special treatment under GDPR. Whereas ePrivacy Article 5 ¶3 discusses "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", and is the real source of nearly all "cookie consent" obligations in the EU. I hope you don't work on the legal side of the consent product!
Less pithily: I've noticed a lot of "consent" providers getting this basic stuff wrong, both in their marketing copy and in their actual products. I (along with most internet users) have a vested interest in any improvements in this area. I'm available to discuss this further, if that would be helpful – keeping in mind that while I know a lot more about this than many working professionals apparently do, I'm still very much an amateur with no formal legal training.
ePrivacy Directive as amended in 2009: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
GDPR as amended in 2016 (without recitals): https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
> I'm available to discuss this further, if that would be helpful.
That would not be helpful, because the whole business of "consent management" is to provide plausible deniability and the illusion of compliance to businesses without actually making them comply (since complying with the GDPR would incur significant cost and obsolete most of the marketing/analytics team's jobs).
I'm very sure they perfectly know what they're doing and have the budget for the best legal advice money can buy, it's just that their business is all about selling the illusion of compliance instead of actual compliance.
It's the fault of the regulators for still not cracking down on this after 8 fucking years. Detecting non-compliant consent flows is trivial with a web scraper.
> in their actual products
The products are configurable by the customer. Now you could indeed argue that the product should not offer an option to configure it in a way that would be in breach of the regulation it's supposed to help you comply with... but again see above.
I appreciate your precision. Most folks, unless discussing specific provisions, just use GDPR as an umbrella term, much like the CCPA is still used and inclusive of CPRA.
"Advertising or behavioral tracking cookies"
Any real business needs to do behavioral tracking for campaign conversions, add-to-cart, customer acquisition, funneling, retention, personalization, etc.
I love how we all hate cookie banners and say they are unnecessary, but our salaries are all paid by apps that do behavioral tracking.
Only hobby blogs can get by without it.
I appreciate the list of reasons cookies are useful. Despite having worked in technology for 25 years, I couldn't have articulated that list off the top of my head. I have never worked for a website that made money that way.
I think that means not ALL websites need invasive tracking.
> website that made money that way
Some of those scenarios are dubious as to whether they actually bring profit and "make money". They can very well be a net loss and are merely there to justify the job of the advertising/marketing/analytics/etc team, who is conveniently in charge of crunching those numbers and obviously would never put any adverse numbers forward.
Same thing in advertising - there's a lot of middlemen in the industry that are happy to take their cut, cook the numbers and look the other way despite no actual impact on sales.
So while I don't disagree these things can make money when in the right hands and done in moderation, the reality is that there's a shit ton of waste and deadweight in the industry. It may very well be that the actual (vs self-reported) profit from ad/marketing efforts is negative and merely covers the paychecks of said ad/marketing teams.
can you give examples of serious online businesses that are not doing those things?
Here are the industries that I've worked in that all did behavioral tracking for the above applications:
* gaming
* music industry
* healthcare
* social media
* news
* internet search
* online retail
you don't need a banner for shopping carts, or personalisation
the heuristic for whether you need the banner is essentially: is the user deriving the benefit, or just the operator?
if it's the latter you definitely need the banner
> the heuristic for whether you need the banner is essentially: is the user deriving the benefit, or just the operator?
This is just as bogus as the user vs developer distinction in copyleft world.
Of course users benefit from the operator knowing if their design decisions are actually on the right track.
There's no _need_ to use cookies for tracking purposes though, it's usually just easier/cheaper/quicker (or requested by the marketing department) to use off the shelf software than actually spend the time to implement these things.
But if you have a cart, you need a cookie banner regardless of any tracking you are doing.
Even the biggest tech companies, with surplus engineering resources, do third party integrations.
"easier / cheaper / quicker" means that will be the solution. You can't tell your boss "let's spend more money, more time, more risk" on getting it done.
You can track conversions exactly without using analytics or cookies, by using promotion codes.
"you can" and no one does.
It's a shame this is downvoted. It doesn't make it right, but it is true.
Until the regulation actually gets enforced so that everyone is on a level playing field and does not do such things, you will be at a disadvantage if you're the only one to comply, so the winning strategy is to not comply and engage in such practices just like your competitors do.
> you will be at a disadvantage if you're the only one to comply, so the winning strategy is to not comply
"need" is the wrong word for this. And the comment doesn't talk about it as a prisoner's dilemma, it says "need" unconditionally. The downvotes are not sad.
I wish I had a nickel for all the downvotes I’ve earned for describing things as they are
Wouldn't be so sure about that in Germany, even if technically and legally true. I've heard too many times about spamigation cases where shysters send mass cease and desist letters. Even if those are complete bullshit and without substance you're well advised to respond, and competently at that - which means you'll have to invest in a lawyer ... yadda yadda.
Unfortunately the culprit may be the privacy laws, irrespective of their good intentions, precisely because the 'banner' does not materially do anything but create an arbitrary annoyance.
It's not a better experience, it's a worse experience, because users will click on 'whatever' and therefore the goal of the privacy laws is not met.
Given the current situation - things would be improved by merely providing users with a consistent way to check on cookie status aka with a 'privacy link' up top that always gives clear info about privacy - but with no popup.
Or - given the current situation - it may be more appropriate to be more assertive with privacy and not allow one-click opt-in because it's just too much?
The fact is, the popups are just bad - they don't accomplish what they are trying to accomplish and we need a more UX friendly way to regulate. Which could be lighter or more restricting, one way or another.
I think we should accept that certain kinds of tracking should be allowed by default for many cases. I don't think it's a violation of privacy for companies to map an individual's experience across their property, as long as the user is anonymous, there are other checks etc. Sharing data between sites is completely another thing altogether.
I consider all those pop-ups to be illegal. The use case in my opinion does not warrant pissing off users by distracting them via such pop-ups. Here I classify slide-ins the same as pop-ups. I don't even read what is written there since I already don't care. I kind of have to use extensions to work around this spam. The EU bureaucrats are very confused here - they cost a lot of money and don't really improve much at all. Plus, when they hand over data to the USA from EU citizens, it already puts them at logical odds - either you are consistent in what you do, or you simply shouldn't act in an orthogonal manner that degrades the user experience via laws. That's just nonsensical.
Why would pissing off users be illegal? Websites can do whatever they want, I don't like those popups and just leave the page when they show up.