Comment by basisword
2 days ago
European here. I like the cookie law. It's made it clear to people how much we're being tracked and I can choose to opt out. The implementation could of course be better but the real issue is the scummy web devs choosing to make it as annoying as possible instead of taking the more sensible decision to not have 150 trackers on every page.
> I see a lot of pro-EU content on this site when they're terrible on both tech and entrepreneurship.
Life is bigger than tech or entrepreneurship. In the 00's I dreamed of moving to the US. That's changed, especially over the last decade. If I was offered a huge salary tomorrow to work in the US I would turn it down.
Website operators hate these cookies popups because they make their website more annoying and make me more likely to press the back button and click on a different website. As it should be. This incentivizes them to stop tracking me.
Why then do they make the most annoying, user-hostile dark pattern cookie banners they can come up with? No, website operators hate that they have to either stop spamming thousands of tracker scripts or put up a banner.
They found out that they can offload blame on the EU instead and so have chosen to make the web as annoying as possible.
Yeah, that's more the point; in discussions with clients I very often get asked how far we can go without any consent. Most companies want all the privacy ignoring stuff and they don't want to tell their users about it.
Most of them don’t care and just integrate whatever is the most common cookie banner widget because their legal team asked them to.
The solution to that one is pretty simple, simply don't collect information you don't need, and you can avoid the banner altogether! GitHub manages to not have banners, it's not because of magic.
There is no obligation to put a banner if you don't sell your users' data to third parties. The law is very clear that you don't need it for period technical cookies, so it's really always and every time solely about tracking and advertisement money.
You do need it for analytics though, or any other non-essential purpose.
You could probably argue self-hosted, privacy-preserving analytics is a "legitimate business purpose" so doesn't need consent. AFAIK it's because you're sending user data to Google that you normally need consent for GA.
99% of the people just click accept and go through.
This could be solved on the client side, by requiring all devices with browsers sold in EU to have separate cookie jars per domain and by default those cookies would be deleted on window/tab close. If you wanted to stay logged in to a site, you'd click a button next to the url bar that says "keep cookies for this domain", and be done.
You mean 96% click do not allow and go through https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-o...
> This could be solved on the client side
GDPR legally prohibits tracking in general, not cookies specifically. Advertisers use fingerprinting more than cookies these days already, even if browsers removed cookie support altogether it wouldn't change anything.
Cookies have literally nothing to do with GDPR or the ePrivacy directive. It is mentioned I think twice total in both documents as an example of how user data is persisted and tracked across domains, but ultimately the mechanism is irrelevant.
> European here. I like the cookie law. It's made it clear to people how much we're being tracked and I can choose to opt out.
Opting out of cookies does not mean no tracking. Tracking companies moved away from cookies a decade ago and now fingerprint the browser through JS in very subtle ways.
And the banners are not about cookies specifically, they are about tracking. It's illegal to track people without a lawful reason (and one of the valid reasons is user consent).
What are you supposed to learn from the banner anyway? It's just an additional annoyance.
You should just assume that anything that your browser exposed may be used to track you. The real problem is that most browsers and browser configurations are far too permissive for the sake of avoiding breakage. The real technical solution to online tracking is standardization of browser attributes so that users look identical, and only allowing for very limited and coarse measurement of client-side user interaction.
And the banners are not about cookies specifically, they are about tracking. It's illegal to track people without consent.
So you like the law, but don't like how it didn't actually solve the problem it was trying to solve?
I assume you're pretty well read up on matters of privacy, right? So you have a better awareness and understanding. But do you believe the average person does? Or would you assume that the average person has either been trained to ignore the banner, automatically consent to more invasive tracking, or is generally more confused about why the banner exists, or what it does?
The cookie consent law is the dumbest application of an attempt to improve privacy. It's made the internet worse, and is being used to train people into consenting to giving away their privacy without thinking... because: "clicking accept is what you have to do to use the page" -- every normal person casually browsing any site.
No implementation for cookie based consent can be done correctly.
Personally, I'd love to see a law that makes any/all dark patterns a crime, and empowers state prosecutors via grand jury to bring charges for them against both the company, and individual authors of the specific commits as jointly responsible. I don't want statutory laws, I want a trial jury to look at it, and decide if any technological measure, pattern, tactic, procedure, design, or measurement was used to encourage one decision over the other instead of a fair choice.
I don't want a set of rules that given enough funding any company is able to win as a negative sum game. I want a jury, not a trailing clause, to decide if the company is clearly acting in good faith or worthy of apocalyptic fines.
> So you like the law, but don't like how it didn't actually solve the problem it was trying to solve?
(Not the person you replied to)
I'm not sure where all of this is coming from, the law is actually extremely obvious and useful: you want to track people, they have to be informed, and have to consent. The law says nothing about how, and the way it was implemented was entirely up to the corporations' discretion, which of course opted for the most malicious terrible way to do it, but they did it.
The purpose of the law was that people should be informed about cookies being installed and consent to that happening.
Do you feel like people are now aware that cookies are being installed, more so than before the banner? Do people understand that they are consenting to this?
That is the law at work.
Everything above and beyond that is nice to have, and I'm sure the world would be better for it, but without the EU, people probably wouldn't even know what cookies were, let alone understand (or have control over) how they are being tracked.
If that's not a net positive in a world where net-negatives happen every week, I don't know.
> Do you feel like people are now aware that cookies are being installed, more so than before the banner? Do people understand that they are consenting to this?
> That is the law at work.
The problem is that's not what anybody, including the users, want. Nobody cares that browsers have cookies as an implementation detail. It's a ridiculous thing to use as the basis of a privacy rule. Does the user care that the site uses cookies to implement a shopping cart feature? Does the user not care that the site is tracking them without cookies using device fingerprinting? Cookies were never the problem.
On top of that, they were the thing the users already had control over. Browsers allow you to delete or reject cookies, provide private browsing modes that don't submit them, etc.
Meanwhile the things that would actually be useful, like prohibiting services from requiring the user to provide a phone number (a de facto cross-service cross-device tracking ID) in order to use the service, or requiring device attestation (which uniquely identifies the device), are left unaddressed.
> I don't want a set of rules that given enough funding any company is able to win as a negative sum game. I want a jury, not a trailing clause, to decide if the company is clearly acting in good faith or worthy of apocalyptic fines.
You want the winner to be the side with more expensive lawyers who use psychological manipulation techniques against a jury?
In general juries are the finders of fact. They decide what happened, e.g. who is lying. Judges decide the law, i.e. whether the thing the jury says they did is a violation of the law.
What you're asking for is to have the jury decide what the law is. There are a lot of problems with that, but one of the big ones is that jury determinations don't have to follow precedent and, unless you want judges ultimately deciding it anyway, can't really be appealed. Which would result in zillions of spurious lawsuits against innocent people because a small percentage of them would win big at random.