Comment by bradleyy
2 months ago
Disclaimer: I work on a consent product.
If you're in any way something beyond a hobbyist, you should probably get legal advice about whether you need to get affirmative or implicit consent, whether you need to handle universal opt-out signals (in California, Global Privacy Control signals are now legally required to be respected), etc.
Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
And a proper consent banner will immediately handle your GPC signal, and generally not show you anything (California now requires a visual notification that your preference has been respected).
I understand what the author is actually saying: you can design sites that don't require the tracking tools requiring consent. And yes, while true at a certain (small) scale, when you have hundreds of millions or billions of page loads per month, and several development teams, a partnership group, and a lot of moving parts, you'll forgive me for thinking this is impractical.
Consent banners don't have to be awful, I promise.
> Disclaimer: I work on a consent product.
Forgive me for immediately untrusting you on the matter because the reality distortion field must be strong. Cookie banners are an absolute crystal clear evil and there is absolutely no leeway for a different opinion here.
(Tracking is also an undisputed evil)
> Consent banners don't have to be awful, I promise.
False.
They absolutely have to be awful because that's the whole premise of the law. You have to get user's consent. In order to force the user to make a choice you have to make it more annoying than it is annoying to read your content while ignoring the popup. The only way to conform to the law is to make users' experience on your website miserable.
> true at a certain (small) scale, when you have hundreds of millions [...] this is impractical.
True.
However it is also impractical to actually use the consent dialog. Because all the trackers and tools that different teams are adding to the site - they have to communicate with the cookie popup somehow and no living programmer would be bothered to even think about it. Nothing good for the world comes out of presenting and respecting the cookie popup ().
Thus I see fake cookie consent popups that are actually ignoring users' choices.
() On my site I do my best to respect the user's choice and do NOT track them once they hopefully reject.
Why are you tracking when it's an undisputed evil? Reality distortion indeed.
Is getting consent interruptive? yes. Is that worse than not getting consent? Also yes.
Since you don't appear to want to give up the undisputed evil of tracking, then consent is what's left to you. You've made the same choice as everyone else.
I'd encourage you to respect GPC and DNT, so the (roughly 20%, depending on audience) of users that have it enabled can automatically opt out of your tracking without the "crystal clear evil" of a consent banner. Remember that in California you need to show some display that their consent choices have been observed.
> Why are you tracking when it's an undisputed evil?
Not that tracking. You know what I mean: tracking by ad networks and international corporations.
We are tracking events (users clicked on the button) in an anonymous fashion. We do not collect PII. We do not store IPs. We do not correlate behaviors with user ids. We simply track how many people clicked the button and on what page. This is hardly privacy invasive at all.
> Is getting consent interruptive? yes. Is that worse than not getting consent? Also yes.
I'm not entirely sure about the latter. First of all, I don't believe in the slightest that the site will respect my choice. Second, even if the site itself does, the ad network present on the site, definitely will track me no matter what.
In other words, consent banners are cargo cult, do not work in practice and are a net negative for the world.
> DNT
It was an obvious idea but didn't work, unfortunately due to the fact that ad network absolutely have to look down users' ass and they will not cease this practice.
> users that have it enabled can automatically opt out of your tracking
They can install adblock and wholesale opt out of all the bullshit, including insane cookie consent banners.
> Remember that in California you need
My business is not California or US based and thus I don't have to implement the vast variety of of cargo cult laws in existence.
> the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
The page describing the law has more examples of cases where you do not need consent than the ones you do.
https://commission.europa.eu/resources/europa-web-guide/desi...
Covered under the law: they are, they really are.
You're required to disclose. I didn't say consent.
This is precisely why I say talk to a lawyer. I appreciate the firmness of your conviction, but not reading what was explicitly stated, well.
> I appreciate the firmness of your conviction
I don’t understand how you could misread “firmness of conviction” in my comment. I made it as short, bland, and neutral as possible, on purpose. It’s just a statement of fact with a source.
3 replies →
> proper consent banner
It is also quite complex to integrate a third-party consent management platform in a compliant way; the tool itself is a script, but it somehow needs to preempt loading of any other scripts until the right consent is given (there's also an argument whether the CMP being third-party is itself a breach of "data minimization" when such functionality can trivially be done in-house, or at least self-hosting the script).
The majority of sites fail at this, which already breaches the GDPR since merely loading a third-party script discloses your IP address and browser fingerprint to them.
It's not a big deal in their case because their CMP is itself configured to be non-compliant, but if you want to be compliant with a third-party CMP it's likely the effort to integrate it properly would be just as much as just doing it in-house.
CMPs generally don't do well with this. Admittedly.
> Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law
You're mixing GDPR up with the ePrivacy Directive (henceforth "ePrivacy", not to be confused with the proposed ePrivacy Regulation). GDPR Recital 30 describes how cookies should be understood in relation to the GDPR (to the extent that GDPR Article 4(1) didn't already make it clear), and GDPR Recital 15 affirms that "the act of writing any cookie" doesn't have any special treatment under GDPR. Whereas ePrivacy Article 5 ¶3 discusses "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", and is the real source of nearly all "cookie consent" obligations in the EU. I hope you don't work on the legal side of the consent product!
Less pithily: I've noticed a lot of "consent" providers getting this basic stuff wrong, both in their marketing copy and in their actual products. I (along with most internet users) have a vested interest in any improvements in this area. I'm available to discuss this further, if that would be helpful – keeping in mind that while I know a lot more about this than many working professionals apparently do, I'm still very much an amateur with no formal legal training.
ePrivacy Directive as amended in 2009: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
GDPR as amended in 2016 (without recitals): https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
> I'm available to discuss this further, if that would be helpful.
That would not be helpful, because the whole business of "consent management" is to provide plausible deniability and the illusion of compliance to businesses without actually making them comply (since complying with the GDPR would incur significant cost and obsolete most of the marketing/analytics team's jobs).
I'm very sure they perfectly know what they're doing and have the budget for the best legal advice money can buy, it's just that their business is all about selling the illusion of compliance instead of actual compliance.
It's the fault of the regulators for still not cracking down on this after 8 fucking years. Detecting non-compliant consent flows is trivial with a web scraper.
> in their actual products
The products are configurable by the customer. Now you could indeed argue that the product should not offer an option to configure it in a way that would be in breach of the regulation it's supposed to help you comply with... but again see above.
I'm pleased when there's at least one configuration that isn't in breach of the regulations. Sadly, many providers don't even manage that.
I appreciate your precision. Most folks, unless discussing specific provisions, just use GDPR as an umbrella term, much like the CCPA is still used and inclusive of CPRA.
This response sounds suspiciously like competence. Do you mind disclosing which consent provider you work for, so I can have a look? (I only ever found one consent product I was really happy with, and it shut down a few months after I discovered it.)
4 replies →