mrweasel 4 months ago
Maybe stop doing stupid shit that will legally require you to inform users that you're about to sell/share everything you know about them to 3rd parties?
I fail to understand how companies that display page after page of cookies and tracking stuff for you to approve don't see the issue with their actions or the insanity of "allow us to share data with our 1500 partners". Does no one in these businesses look at this and go: "Hey, why do we need 50 different tracking tools" or "Why do we share customer data with over a thousand other businesses?".
When you actually read what these pop-ups say, then you understand why they are there, and why the problem with the laws isn't that it's annoying, but that it is not much more restrictive.
latexr 4 months ago
> When you actually read what these pop-ups say, then you understand why they are there, and why the problem with the laws isn't that it's annoying, but that it is not much more restrictive.
Worse, people (including on HN) actively blaming the EU for it. It’s like having a law mandating people are informed when there’s poison in their drink, then seeing people complain about the warning labels everywhere. The label isn’t the problem! As you said, if anything the issue is that the law isn’t aggressive enough.
ruthmarx 4 months ago
> Worse, people (including on HN) actively blaming the EU for it.
The EU is exactly to blame for it.
The activity isn't illegal, and the EU didn't make it illegal.
What the *EU did* was make it so that companies engaging in that legal activity now had to disclose it in some way, and the cookie popups are the best way to do that.
It's ridiculous to try and say the EU isn't to blame when they introduced and approved the legislation directly responsible for the popups.
latexr 4 months ago
> and the cookie popups are the best way to do that.
No, the best way to do it is not invade people’s privacy. You can have ads without targeting (we did it forever before the internet) and you do not need cookie warnings if your cookies aren’t invasive.
https://commission.europa.eu/resources-partners/europa-web-g...
> The activity isn't illegal, and the EU didn't make it illegal.
Indeed that is a shame. If only.
ruthmarx 4 months ago
> No, the best way to do it is not invade people’s privacy. You can have ads without targeting
You are deliberately missing the point and shifting the goalposts.
You're talking about asking a business voluntarily not engage in lucrative legal business activities. Why would they do that? There are so many more important things business should voluntarily abstain from by that reasoning.
No, as long as the behavior remains legal, a business has every right to engage in such activity.
The only reason the cookie popups are a thing is because the **EU** mandated some sort of notification which basically mapped to these popups.
So it's the EU to blame. No question about it. A business engaging in legal activity is not to blame, since it's the regulations around that activity and not the businesses practicing the activity that are the topic of discussion here.
Stop shifting the buck. It's so incredibly dishonest.
latexr 4 months ago
> You're talking about asking a business voluntarily not engage in lucrative legal business activities. Why would they do that?
It is baffling that you can make that claim without realising your mistake. Yes indeed, why would businesses do that voluntarily? The answer is they aren’t doing it voluntarily, they are forced by law. In other words, the EU has made the practice illegal. Specifically, it is illegal to engage in that data collection without consent.
Let’s take tobacco warning labels as another example. Governments decided that tobacco companies have to print large warnings on cigarette packs. They didn’t make it illegal to sell tobacco, but if you want to do it you have to include those labels.
https://www.fda.gov/tobacco-products/labeling-and-warning-st...
Do you also blame governments for mandating those warning labels and would prefer there to be none? I mean, you do you, but please don’t accuse others of goal shifting and dishonesty simply because you misunderstood an argument. My position has remained consistent, I gave the poison example (which you chose to ignore) in the first post.
ruthmarx 4 months ago
> It is baffling that you can make that claim without realising your mistake.
I'm not making any mistake. You continue to make the mistake to blame the businesses doing *legal* activities and complying with the *EU Regulation* that dictates the cookie popups.
> The answer is they aren’t doing it voluntarily,
They are not abstaining from legal behavior that makes them money, like literally every other business in acceptance.
Which means they are not doing anything remarkable, yet you are remarking on it. Why?
> In other words, the EU has made the practice illegal.
Not exactly. The EU has very specifically made the practice legal, but with regulations.
You're doing the equivalent of blaming tobacco companies for including graphic warnings on their packaging as is the case in some countries, when it's not them doing it voluntarily, it's a result of those governments imposing it.
> Specifically, it is illegal to engage in that data collection without consent.
Exactly. The *EU* regulated that informed consent is required, requiring some kind of popup to the user.
So, those companies are engaging in an explicitly legal practice, and doing so in the way the *EU* forces them to do so. So EU gets the blame.
> Let’s take tobacco warning labels as another example. Governments decided that tobacco companies have to print large warnings on cigarette packs. They didn’t make it illegal to sell tobacco, but if you want to do it you have to include those labels.
I genuinely typed my analogy above before I read this part of your reply. Amazing.
> Do you also blame governments for mandating those warning labels
YES!
Those warnings only exist because the governments are imposing them as a requirement.
Seriously, what's not to get here? If we follow your reasoning on the popups, to be consistent you would blame the tobacco companies for those warnings existing.
> simply because you misunderstood an argument.
What is it you think I've misunderstood? What do you think I think your position is as opposed to what it actually is? I'm certain I haven't misunderstood a thing.
What is the subject of the blame you were implicitly referring to in your first comment where you say "Worse, people (including on HN) actively blaming the EU for it."
What is the 'it' you refer to, if not the cookie popups?
> My position has remained consistent
Yes, your position is that the popups are not to be credited to the EU, which is absolutely wrong. They only exist because the EU dictates they need to for companies engaging in a specific legal activity.
You say in your first post "The label isn’t the problem! ", but that's the topic of discussion, that's the subject of the blame we are debating how to assign.
The issue of companies' data collection and distribution practices are worth discussing, and any illegal activity needs to be dealt with. But that isn't relevant to who gets the blame/credit for the popups.
Fire-Dragon-DoL 4 months ago
I think your point of view is overlooking the concept of loophole or more precisely, malicious compliance.
Businesses can make a separate page, a settings page, where you enable tracking. This solves the problem.
But obviously the cookie popup is HUGE to cover your view of the page and it's as confusing as possible, even with the requirement of an explicit reject all button.
This is textbook malicious compliance, and the EU has been trying to combat it (the explicit reject all button), but I suspect they don't want to codify in law the exact pattern they want to see (law becomes outdated)
ruthmarx 4 months ago
> I think your point of view is overlooking the concept of loophole or more precisely, malicious compliance.
I don't think I am, because even if the cookie popups were made with the genuine best intentions to adhere to the regulations, no malicious compliance at all, the people I am disagreeing with would still blame the corporations engaging in legal activity and not the regulations themselves that dictate the popups.
I don't doubt malicious compliance exists or is a problem, but I don't think it makes much of a difference in this context.
unmole 4 months ago
You do realize the (Official EU) website you linked to has a cookie banner, right?
latexr 4 months ago
That is addressed right at the top of the page on a prominent explanatory banner with a blocky information icon:
> Use of the cookie consent kit is mandatory on each page of the DGs and executive agencies-owned websites, regardless of the cookies used.
I really wish people made a minimum of effort to engage in good faith. It took you longer to post your comment than it would’ve taken to read that notice.
floydnoel 4 months ago
why is it mandatory?
unmole 4 months ago
[flagged]
eska 4 months ago
It is in fact illegal until the user opts into it. The company has to assume no as an answer until then.
ruthmarx 4 months ago
Sure, hence the popups mandated by EU regulation.
troupo 4 months ago
EU: Don't track users, don't obtain vast amounts of data on users, don't sell that data to third parties. If you do, ask users for informed consent.
Industry: we hear you. Here's "informed consent" form riddled with dark patterns because we believe that all data is ours by God's decree, and our 15 000 "partners" agree with us
...
HN: The EU is to blame for this
ruthmarx 4 months ago
What would the 'light' pattern be in this case, where the business wants to comply with regulation and maximize profit?
latexr 4 months ago
Make a good product that does not rely on exploiting user data. Advertise in relevant locations without tracking (e.g. if you sell cars, advertise on a car-centric website/forum/magazine).
ruthmarx 4 months ago
You don't have to reply to every comment I make in reply to someone else in this thread, just FYI.
> Make a good product that does not rely on exploiting user data. Advertise in relevant locations without tracking (e.g. if you sell cars, advertise on a car-centric website/forum/magazine).
No, none of this is a light pattern. It's just abstaining from the activity entirely.
latexr 4 months ago
What are you on about? Do you realise you replied to me first, and the two times I replied to you responding to someone else were on the same thread that goes back to my original comment? No one’s after you, I just looked at the child replies in my post. Honestly I didn’t even realise I was replying to the same person. Complaining about it happening twice is quite the persecution complex.
ruthmarx 4 months ago
> What are you on about?
Exactly what you say here:
> the two times I replied to you responding to someone else
---
> Honestly I didn’t even realise I was replying to the same person.
I find that very odd, not to pay attention to who you are replying to, but OK.
> quite the persecution complex.
Nah. It's a pretty common behavior or 'pattern' that some people who feel strongly about a position will reply to other child comments by a person they are debating with.
I find it frustrating because it normally leads to a lot of redundancy, with the same points being repeated in multiple places, just wasting time.
I mistakenly thought that's what you were doing. I apologize.
troupo 4 months ago
Have a business that doesn't rely on pervasive and invasive tracking, and on wholesale sales of that data to thousands of "partners"?
ruthmarx 4 months ago
That's not a light pattern, that's giving up the activity entirely.
If an activity is explicitly legal, even with regulations, then there should be a light pattern for that activity if there is a dark pattern.
Look at selling cigarettes in the 80s. A dark pattern would be trying to influence kids on the low, with mascots like Joe Camel.
A light pattern would not be abstaining from selling cigarettes entirely, analogous to what you suggest, but rather voluntarily adding labels to packaging and taking other precautions.
troupo 4 months ago
> That's not a light pattern, that's giving up the activity entirely.
What's not right? Giving up pervasive and invasive tracking and selling user data?
> but rather voluntarily adding labels to packaging and taking other precautions.
GDPR, literally, is: if you use data not strictly required for the functioning of your business, ask user for consent.
How is this not a "light pattern"?
ruthmarx 4 months ago
> What's not right? Giving up pervasive and invasive tracking and selling user data?
Exactly. Abstaining isn't a light pattern. A light pattern would be doing the thing in a non malicious way.
> GDPR, literally, is: if you use data not strictly required for the functioning of your business, ask user for consent.
You're missing the point. You were alleging businesses are using dark patterns while being in compliance with the law. I'm asking what a light pattern would be for collecting as much data as possible which is an explicitly legal activity as long as the regulations are followed.
You answered not engaging in that activity at all, which is not an answer.
troupo 4 months ago
> Abstaining isn't a light pattern.
"Abstaining from selling hard drugs to minors isn't a light pattern. Show me how we can sell hard drugs to minors even with all the regulations in place"
Though I hate analogies, but this is what this sounds like to me.
> I'm asking what a light pattern would be for collecting as much data as possible which is an explicitly legal activity as long as the regulations are followed.
You either follow GDPR or do not engage in this activity. What is so hard to understand?
Instead the industry came up with the obnoxious cookie banners tricking users into providing any and all data and selling that data to thousands of "partners".
ruthmarx 4 months ago
> Though I hate analogies, but this is what this sounds like to me.
The difference though is that selling drugs to kids is flat out illegal, no ifs ands or buts.
Data collection is explicitly legal as long as regulations are followed, so I think it's a flawed analogy.
> What is so hard to understand?
That the businesses are complying with the GDPR but you're still saying it's a dark pattern and complaining about what they are doing.
I need to remind you at this point the topic of discussion is who is responsible for the cookie popups, not the morality or legality of the activity that the EU felt required regulation. The answer is the EU, because that's how they chose to address the issue.
> Instead the industry came up with the obnoxious cookie banners tricking users into providing any and all data and selling that data to thousands of "partners".
Most cookie banners are not deceptive at all. They are the result of complying with the legislation the EU mandated.
In fact, the cookie banners that are as straightforward and clear as possible, and as non intrusive as possible, are an example of a light pattern in this context.
Fire-Dragon-DoL 4 months ago
Make a settings page where I can go and explicitly enable tracking rather than make it popup.
Oh, right, nobody is going to use that page. So, is it really the EU fault for the cookie popup, which is a dark pattern?
krick 4 months ago
This is correct. However, I always thought that legislation is pretty stupid. It isn't exactly comparable to alcohol/tobacco warnings. Actually, I always thought they are stupid too, but at least they can count as an "informed consent", since it's pretty clear, what's the harm they are talking about.
Cookies, on the other hand... Even for me, who was perfectly aware of the problem long before this legislation, and who was privacy-oriented to begin with, it isn't clear, what's the consent I'm giving. First off, I know everybody uses cookies, and almost everybody uses some trackers. Second, even me, somewhat informed user, I don't really understand, what is that information they are sharing with third parties, and why should I care. I feel kinda stupid when I bother to press "reject all". Like, does it even matter, what I choose? Wouldn't they do it anyway, whatever they do? Then, I use ublock and I hope it helps. If it doesn't, well, tough luck, but what do I do? I do want to read that one paragraph from the medium/NYT article I found on Google, despite how much I hate them. I won't stop using the internet because of... whatever this is.
I can only imagine, what it's like for average user, who is, let's be honest, pretty clueless. I guess for them it is indeed the EU who is to blame here.
GDPR is more useful, but still I'm not sure if it really helps. Like, I remember someone complaining that before GDPR you could bulk-download gpx files from Strava, and now you can only request .fit files, that are supposed to contain more data, but really aren't that useful for most. Well, it's not GDPR you should blame, it's Strava and all their partners/competitors (especially Garmin, god I hate them so much). They are successfully making life harder for you, because they don't want it to be easy to get your own data back. And who is to stop them? Maybe it's a matter of time, I don't know, but it doesn't seem GDPR is effectively enforcing what it is supposed to.
latexr 4 months ago
The cookie law and GDPR are often conflated, but they are different things. It doesn’t help that websites engage in malicious compliance, thus making everything more confusing.
I’ll leave you with two links. The first explains which kinds of cookies do not require consent. You’ll see the list is pretty reasonable. The second is to noyb, a non-profit fighting for privacy (the name means “none of your business”), who has been doing good work thanks to the GDPR.
https://commission.europa.eu/resources-partners/europa-web-g...
troupo 4 months ago
> Even for me, who was perfectly aware of the problem long before this legislation, and who was privacy-oriented to begin with, it isn't clear, what's the consent I'm giving.
Indeed, and that's exactly what the industry wants. Show me where exactly GDPR mandates the cookie dialogues. Or ePrivacy Directive for that matter.
> Well, it's not GDPR you should blame, it's Strava and all their partners/competitors
Yes. And yet you somehow twist it to blame GDPR
> but it doesn't seem GDPR is effectively enforcing what it is supposed to.
Yea. Enforcement has been sadly lacking
joenot443 4 months ago
Legislation by the EU is why the popups are there. It really is that simple.
latexr 4 months ago
The popups are there because these websites are invading your privacy. It really is that simple.
Or, to be fair to all parties, they are there because continuous abuse by the industry forced governmental action.
Don’t invade user’s privacy and you don’t need cookie banners. Can’t get simpler than that.
https://commission.europa.eu/resources-partners/europa-web-g...
simonsarris 4 months ago
I just got a banner from that EU website. Clearly they think it necessary, and they're not a business.
latexr 4 months ago
That is explained right at the top of the page:
> Use of the cookie consent kit is mandatory on each page of the DGs and executive agencies-owned websites, regardless of the cookies used.
Let’s please engage in good-faith conversation. If you don’t read a prominent explanatory banner with a blocky information icon at the top of an explanatory page, I don’t know what to tell you.
unmole 4 months ago
You said:
> Don’t invade user’s privacy and you don’t need cookie banners.
But when it's pointed out all EU websites use cookie banners, you shift goalposts and pretend that others are engaging in bad faith.
latexr 4 months ago
> But when it's pointed out all EU websites use cookie banners
Because you keep failing to read properly (and even had one comment flagged on the same subject), I’ll emphasise it this time:
> Use of the cookie consent kit is mandatory on each page of the DGs and executive agencies-owned websites, regardless of the cookies used.
Again:
> regardless of the cookies used
In case you still don’t understand, that means it doesn’t matter what type of cookies the EU websites use, they still have to show the banner even for cookies no one else has to show a banner for.
USiBqidmOOkAqRb 4 months ago
By that train of thought alcohol and tobacco were harmless until nasty bureaucrats came along and demanded that things must be explicitly labeled. Website operators are anything but blameless.
gruturo 4 months ago
Do you also blame your doctor for correctly diagnosing your illness?
zmnd 4 months ago
If a doctor diagnosed me with the same result every time I go to another room, yes I would.
gruturo 4 months ago
So for some reason you're visiting 20 doctors and they all tell you "I will resell all your personal information to as many buyers as I can find, including sketchy ones, and to insurance companies which may raise your premiums depending on what you discuss with me" (I know it's illegal, it's an example), and you're blaming the law forcing them to confess this and giving you a chance to opt out?
latexr 4 months ago
It’s not the same illness, every website has different tracking. The analogy wasn’t perfect, but they seldom are.
ruthmarx 4 months ago
It really is that simple. It's bizarre the way people try to blame companies engaging in legal activities for doing something the EU specifically requires them to do.
unmole 4 months ago
> It’s like having a law mandating people are informed when there’s poison in their drink
Why does the European Parliament[0] and virtually[1] every EU website[2] feel the need to poison drinks?
> The label isn’t the problem!
The label is useless. See also, California's Prop 65: https://en.wikipedia.org/wiki/California_Proposition_65_list...
1: https://www.europarl.europa.eu/portal/en
thn-gap 4 months ago
What I always find funny about this, is that the popup is presented with "We value your privacy", followed by "allow us to share data with >500 partners".
I wished that such statements had some value greater than nil.
ikari_pl 4 months ago
but they DO put a measurable value on your privacy
benfortuna 4 months ago
Put another way, they monetize the erosion of your privacy.
simonbarker87 4 months ago
The vast majority of websites just want to know where their visitors are coming from and, if they are selling a product, some aggregate level of demographic knowledge to tailor their marketing efforts. They really don’t care about an individual or even small cohort and aren’t selling the data on.
Targeting advertising is sooo much more effective for small and medium sized businesses and actually makes many businesses viable in a way they weren’t in the past.
The ideal solution would be to find a way for businesses to get those insights in a way that preserves privacy at the individual level. Something like Apple's differential privacy system but web wide.
mrweasel 4 months ago
> Targeting advertising is sooo much more effective for small and medium sized businesses
I'm starting to question that, but without any proof that's just me rambling. Assuming that it works, I'd actually be fine with a site saying "Hey, just letting you know, we use Google Analytics to learn more about you, is that cool?".
The 1500 partners and 50+ trackers aren't numbers I'm making up, those are numbers I frequently see. Sure, you feel you need a tracker, I can easily enough say no to a single tracker. I can also understand a webshop needing to share information with their advertising partner, but not 1500 of them.
The law would never have amounted to anything if the reality was a limited scope of data sharing with a clear obvious purpose. It's the insane amount of tracking and data sharing that triggered all this.
simonbarker87 4 months ago
Anecdotally for the three ecom businesses I’ve run/worked at it’s been our only method of profitable marketing.
As usual it’s the extreme ends of the spectrum that ruin for everyone.
mrweasel 4 months ago
I haven't been in that line of business for 10+ years, so my understanding and reference is also a bit out of date.
Retargeting did very little. Ads help in some cases, but rarely generic ads, it had to be extremely targeted, which was normally done by manually buying ad space with certain TV programs or in specific locations. The big ones for us were price comparison sites, if we could get on HotUKDeals we'd have a great week, but in particular Google Shopping did make a big difference.
simonbarker87 4 months ago
Agree, retargeting was a waste of money - it essentially just annoyed people.
matheusmoreira 4 months ago
It doesn't matter what they want. It doesn't matter why they want it. They are not entitled to this information. They should not be able to know anything at all about us without our explicit consent. We should not have to sacrifice our privacy and peace of mind so that businesses can succeed. If they can't succeed without surveilling us and selling us out, then let them go bankrupt.
simonbarker87 4 months ago
If that’s where this all shakes out to it will have the effect of creating retail monopolies worse than even in the pre internet days as marketing will be simply too expensive for many online small businesses. 90% of Shopify stores would be dead in the water.
GJim 4 months ago
Don't be silly!
Nobody is stopping anybody from advertising or marketing. Simply that if your advertisers wish to track me, then they must ask my specific opt-in permission to do so. And so they should.
If your business cannot survive without illegally (!) tracking and trading in personal data, then you have a scummy business model and a business that has no right to exist.
Ferret7446 4 months ago
And you aren't entitled to visit their website. Seems like everything is working fine then? Most of them won't go bankrupt just because you stop visiting; based on reality, most of them are doing relatively fine.
matheusmoreira 4 months ago
Sure I am. You cannot deny me service because I refused to consent to surveillance capitalism nonsense. It's literally written in the laws. And that's the way it should be. It should be illegal for them to punish people in any way whatsoever for exercising their rights.
Charge people money up front if you require payment. My attention and personal information are not currencies to pay for services with.
GJim 4 months ago
> And you aren't entitled to visit their website.
Yes you are!
The GDPR prohibits conditioning the provision of service on consent to the processing of personal data. Thus mandating acceptance of advertisers tracking cookies ("cookie walls") without providing alternative means of website access are considered violations of the GDPR.
Earw0rm 4 months ago
Targeting, yes; retargeting, no.
So much user time is spent, for example, on a few big sites which have enough data within their own siloes (based on users' behaviour and topics of interest), they can target pretty well without relying on external data. The big video sites, social media, Amazon/eBay/etc.
And then there's a big layer of smaller sites who can inherently target because they're already specialist in nature.
The losers in this scenario aren't really the brands, they're big generic sites such as news media who don't have any way to acquire targeting information on their own.
fredski42 4 months ago
> The ideal solution would be to find a way for businesses to get those insights in a way that preserves privacy at the individual level.
Isn’t that what Mozilla and Meta are together experimenting with?
timeon 4 months ago
If they can't do business without selling users data, then they shouldn't be doing the business.
compiler1410 4 months ago
all this effort - easily defeated by adblock and antitracking tools xD
ruthmarx 4 months ago
Not easily and often not completely.
Earw0rm 4 months ago
Presumably the partners are brought in en masse via some third party brokerage/aggregator service.
It's not like a news site is selecting and managing 1500 different partners individually.
GJim 4 months ago
This is not an excuse!
I can only imagine the disbelief and laughter in court if a thief said "Your honour, it's not like I stole one car, I actually stole 1500 different ones"!
ruthmarx 4 months ago
> Maybe stop doing stupid shit that will legally require you to inform users that you're about to sell/share everything you know about them to 3rd parties?
Why? It's legal and extremely lucrative.
If it's really an issue, maybe the EU could actually limit these activities instead of just forcing sites to put a notification that they are attempting to engage in those activities?
GJim 4 months ago
I don’t know if you are trolling or so misinformed it is funny.
The UK and EU do limit those activities. They remain entirely legal providing you get explicit opt-in consent.
ruthmarx 4 months ago
> I don’t know if you are trolling or so misinformed
Neither, you just somehow misinterpreted my comment.
> The UK and EU do limit those activities. They remain entirely legal providing you get explicit opt-in consent.
The point is that they do not limit them sufficiently, clearly. People who complain about the popups want to blame the businesses, but the business are doing in compliance with the law.
That's the point. So blaming the business for the popups doesn't make sense, because the popups are a result of EU regulation, not the businesses doing anything wrong. Because as you say, the EU limits those activities and allows those businesses to do as they do.
latexr 4 months ago
> The point is that they do not limit them sufficiently, clearly.
I agree. The law should’ve been stronger. But we work now with the hand we have.
> People who complain about the popups want to blame the businesses
Not in my experience. There’s a split between people blaming the business and blaming the EU.
> but the business are doing in compliance with the law.
Most aren’t. The GDPR says explicitly that withdrawing consent must be at least as easy as giving it. Yet most popular websites make it incredibly simple to accept but obtuse to refuse.
However, you may have noticed that’s starting to get better. More and more websites have a clear way to reject now. Meta (Facebook / Instagram) in particular are now way clearer than at the start. We have to thank organisations such as noyb¹ for that. They have been tireless in that fight and won a number of high-profile cases.
ruthmarx 4 months ago
> There’s a split between people blaming the business and blaming the EU.
I mainly just see Europeans defending it as not the EU, and I see that as patriotism and not an argument from merit. I have to see it that way because blaming the businesses for engaging in a legal activity and doing something mandated by regulation is crazy to me.
> Most aren’t. The GDPR says explicitly that withdrawing consent must be at least as easy as giving it. Yet most popular websites make it incredibly simple to accept but obtuse to refuse.
Most popups have two buttons, accept or reject. It doesn't really get simpler than that.
latexr 4 months ago
> I mainly just see Europeans defending it as not the EU, and I see that as patriotism and not an argument from merit.
That’s absurd. By that logic Europeans would also have defended Chat Control, but that wasn’t the case. A person doesn’t become a blind zealot because they think differently from you.
> I have to see it that way
No, you choose to see it that way.
> blaming the businesses for engaging in a legal activity
Perhaps you’re too attached to the rule of law. Being legal does not mean being right, moral, or generally good. Slavery was legal at one point and then it wasn’t. Lead paint was legal and then it wasn’t. Those things weren’t good when they were legal. Companies knowingly engage in harmful legal behaviours every day.
https://www.sydney.edu.au/news-opinion/news/2024/05/02/how-c...
https://www.decof.com/documents/dangerous-products.pdf
> Most popups have two buttons, accept or reject. It doesn't really get simpler than that.
I addressed that in the previous comment. That’s becoming more common now, after years of fighting malicious compliance. Again, thank noyb and organisations like it.
ruthmarx4 months ago
> That’s absurd.
It's hardly absurd, it's a common pattern in nations and online rhetoric.
> By that logic Europeans would also have defended Chat Control, but that wasn’t the case.
Just because people may defend one thing out of tribalism doesn't mean they would defend everything out of tribalism.
It's specifically EU users on HN I see trying to shift the blame to corporations. I find it bizarre, honestly. Correlation isn't causation but in this case I do think there's a link.
> No, you choose to see it that way.
Meh. I believe it's a reasonable position backed by evidence.
> Being legal does not mean being right, moral, or generally good.
Yeah, this has nothing to do with the actual root point being discussed though, which is which entity gets the blame/credit for the popups.
That's the EU, no question. You don't like the data collection practices or consider them immoral? That's fair and reasonable, and we can talk about that, but it's a separate albeit adjacent issue.
> Slavery was legal at one point and then it wasn’t.
This is why you shift the goalposts. Now you're talking about slavery. The original point you made in this thread and the topic being discussed are the popups, regulation of an activity not the activity itself.
Slavery is not analogous to popups. An analogy involving slavery would be if there were government mandated signage every 100 feet in town centers advising slaves are people and should be treated humanely (which obviously didn't happen, but it's hard to twist such a bad faith example to still make a point).
> That’s becoming more common now,
It's been common, i.e. the norm, since the laws came into effect.
latexr4 months ago
> It's specifically EU users on HN I see trying to shift the blame to corporations.
You keep saying that. How do you know? Even if you looked at the profile of everyone you interacted with, I doubt you’d be able to ascertain nationality.
> I find it bizarre, honestly.
And I find it bizarre that someone would kowtow to corporations purposefully exploiting them, but I’m not going to pretend to know where those people live and accuse them of tribalism.
> This is why you shift the goalposts.
I’m not sure you understand what an example is. They are made so we can find a common ground on a subject and discuss the merits of an idea, not to change the subject. They are often employed when agreement is hard to reach on some specific matter and are meant to bring a more general concept into light so both parties can understand where the root of the disagreement comes from.
> It's been common, i.e. the norm, since the laws came into effect.
You are wildly misinformed. If they had been the norm, there wouldn’t have been so many cases of complaints and organisations created specifically to combat those.
But I don’t think continuing to converse with you is a good use of anyone’s time. There’s no point in discussing when the other party is already locked in a predetermined belief that whoever disagrees with them is doing so out of tribalism.
ruthmarx4 months ago
> You keep saying that. How do you know?
Because I find the position not to blame the EU so baffling and irrational that I was curious about the people who advocate that position. The first few times I checked the profiles it was very clearly EU users. I kept checking, while being very aware of and cautious of falling prey to confirmation bias, yet the same pattern kept holding.
> Even if you looked at the profile of everyone you interacted with, I doubt you’d be able to ascertain nationality.
Enough EU users freely comment in their history that they are in the EU somewhere, because enough threads come up where it's relevant. It's really not that hard to ascertain nationality of HN profiles with activity at all.
> And I find it bizarre that someone would kowtow to corporations purposefully exploiting them,
No one is doing that in a context relevant to this thread. It's literally a red herring.
The issue is who gets the blame/credit for the cookie popups. That's it.
> I’m not sure you understand what an example is.
It's been so hard for me to bite my tongue and withhold snark due to your positions, and yet here you give in to the temptation freely. Kind of frustrating. Please remember the HN guidelines.
> They are made so we can find a common ground on a subject and discuss the merits of an idea, not to change the subject.
Exactly, but to use an analogy you're discussing how people speeding are a problem while everyone else is complaining about the sirens of a police unit specifically to catch speeders are too loud.
Your position is a red herring. You keep talking about the immoral yet explicitly legal practices of these companies, and it's entirely irrelevant. As long as those companies are engaging in legal activities, then the blame for how they engage with them goes to the regulators.
latexr4 months ago
> You keep talking about the immoral yet explicitly legal practices of these companies
I did a search for “moral” in this thread’s history. I matched exactly once (twice with this one). That’s not “keep talking about”, that’s one mention. Even then it was a general point of not conflating legality with morality, it was not specific to this practice.
You’re ascribing preconceived notions from the straw man in your head, not my words. I thus point you to those same HN guidelines (I agree they are quite good).
> As long as those companies are engaging in legal activities, then the blame for how they engage with them goes to the regulators.
This, right there, encompasses the whole nature of our disagreement. This law prescribes several ways to comply and not be annoying to people. Thus if a company complies in an annoying way, it’s on them. It’s absurd to say that the blame for how you engage with a rule is on regulators. The text of the rule is on regulators, how someone engages with that text is on them.
ruthmarx4 months ago
> I did a search for “moral” in this thread’s history. I
Well that's the wrong approach. I didn't say you kept using the exact word 'immoral', I said you were talking about the "immoral yet explicitly legal practices". That doesn't mean you are using the same exact words I used to generalize your various comments and position.
> That’s not “keep talking about”, that’s one mention.
No, it is “keep talking about”, because in every comment discussing who is responsible for the cookie banners, you refer to the activities that are being regulated, rather than the regulation which is what is actually relevant.
> You’re ascribing preconceived notions from the straw man in your head, not my words.
No, no strawman. Every time you try to shift the buck to blaming the companies and not the regulation, and that's what I'm responding to and calling out.
> I thus point you to those same HN guidelines
Out of a petty attempt to do so after I did it because of your snark? I haven't violated the guidelines in any of my replies, and there is no strawman here. I'm addressing your arguments and your arguments only.
> This law prescribes several ways to comply and not be annoying to people.
What method do you propose companies that want to engage in the explicitly legal activity of data collection as long as user consent is obtained obtain that user account? In a method less annoying than a cookie banner?
If you again suggest they just abstain from the explicitly legal activity of data collection as long as user consent is obtained, then you would again be trying to shift the goalposts.
> Thus if a company complies in an annoying way, it’s on them.
So what's the less annoying way than a cookie banner at the bottom of the screen to obtain consent, that doesn't rely on the goodness of the hearts of people running the corporations (because that would very surely be a very naive outlook to think that was realistic)?
> The text of the rule is on regulators, how someone engages with that text is on them.
Sure, and the cookie banners are pretty much the least annoying approach that is compliant with the regulation.
GJim4 months ago
> I see that as patriotism
Don't take the piss!
It's about a _GENERAL_ data protection act that prevents companies and jobsworths having free rein to your personal data. This has sweet FA to do with patriotism as you know perfectly well.
ruthmarx4 months ago
Not taking the piss, it's my genuine position after seeing these discussions on HN for years.
> It's about a _GENERAL_ data protection act that prevents companies and jobsworths having free rein to your personal data.
The context here is limited to assigning blame/credit for the cookie popups.
> This has sweet FA to do with patriotism as you know perfectly well.
Tribalism then.
binkethy4 months ago
Stop using Google Analytics and your need to place cookies and thus need for cookie popups vanishes.
Goatcounter or Plausible will do fine. Some decent frontend log parsing will also be a viable strategy.
Stop feeding Google your customers' data for free.
cornedor4 months ago
They mostly use it to monitor (and automate) how successful ads are. Plausible is not a drop-in replacement for such use cases.
friendzis4 months ago
You have sales data for that.
wkat42424 months ago
Have you ever seen a marketeer say no to more data?
anonzzzies4 months ago
Because it is there: don't make them choose; we have x and nothing more so you cannot have more.
wkat42424 months ago
Yeah but there's the rub. Asking Google to take analytics away just isn't going to happen. It makes them billions.
And marketeers want this data because sales data only tells them where they succeeded. Not where they failed to sell, which is more interesting to them because that's where the growth is found.
It'll be really hard to wean them off this.
bortsampson4 months ago
The EU can simply tell them they can no longer operate Analytics. Too bad if it's hard on Google. They are a predatory company that violates privacy rights. There is clearly competition in the markets they serve. Any threat of complete exit is empty. Those competitors are more than willing to gain any market they exit. These companies need to be put in check by the government or a regulatory body. Marketing and Advertising are toxic to the internet.
wkat42424 months ago
> The EU can simply tell them they can no longer operate Analytics. Too bad if it's hard on Google.
No they can't. The US doesn't even let them decide whether to supply chip machines to China. Or for Schiphol Airport to reduce slots for noise abatement. The US immediately trumped up diplomacy and raised threats to stop those things.
Banning google analytics is just unthinkable in the current relationship between EU and US. I agree they are a predatory company but this is unfortunately how things are right now in the balance of power.
squarefoot4 months ago
This is why the AdNauseam extension is so hated by Google et al. It doesn't eliminate ads but rather fights against them using a different approach: polluting the well. It is built on uBlock Origin so it indeed blocks ads, but aside from doing that it also silently clicks on all of them so that data collected by advertising companies suddenly become useless. https://adnauseam.io/
labster4 months ago
I don’t get the argument. Sure it makes Google ad targeting worse, why would Google care? They have monopoly power in online ads and targeting doesn’t work that well anyway. As long as people keep buying the gimmick, no amount of bad data will amount to anything.
ruthmarx4 months ago
The argument is that if enough people do it, it causes them to lose some amount of money and maybe even lose customers.
wkat42424 months ago
Yeah and not enough people do it. That's the biggest problem.
If enough people do it, it will have an effect. Remember when Apple pulled the advertiser ID unless users opted in? That really got the ad industry barking. That they feel. Ad Nauseam they don't. It's way too fringey.
timeon4 months ago
That is why we have GDPR in the first place. But apparently we need something more strict then.
pploug4 months ago
Hey, just some background from someone who took part in a couple of privacy compliance projects at large platforms in the past:
For companies doing this the right way, the banner was just the tip of the iceberg, loads of work went into ensuring compliance behind the scenes, so customer and employee data was not shared with 3rd parties unknowingly. In one case the list of 3rd parties went from +400 to about 70, this is in my opinion a win for privacy, the culture around sharing your data went from casual to cautious.
Secondly, the culture around trusting meta and google blindly with behaviour data changed drastically. Businesses became aware of how much valuable data they share with these platforms, which actually puts them at great risk, should you really give these platforms detailed data on what customers browse and buy on your site, so they can use the data to sell targeting for competitors, or direct users towards their own shopping platforms?
So, yes the law is not perfect, we all hate the banners, but at least what happened in those early implementation days when the banner became law, was a change in culture around how data was shared and a better understanding of the risk for the business of using 3rd parties.
dusted4 months ago
The cookie policy is a stupid value-signalling stunt with only negative real-life effects. The correct way of handling the problem would have been through request headers and browser settings, or simply, use the existing option of either allowing or disallowing cookies, and put this option on a per-site basis and a bit more into the user's face.
szszrk4 months ago
> only negative real-life effects
Almost. It hardly worked as intended, but at least it increased awareness. The fact that some sites tried to comply and actually provided a full list of all sites that they sell your private data to is somewhat a win. It got to a lot of wider public that realized "they sell it to 97 companies?!".
I personally think local governments or EU wide institutions should have a registry of companies and their sites with ratings, so we could integrate that directly in our browsers, company registries, phone dialer apps. iFixIt style.
- Clarity of EULA: 1/10, impossible to understand without lawyer's interpretation.
- Length of EULA: 1/10, pops up every week with no diff or summary of changes
- Legality: 4/10, historical track record of rules that are not compliant with local laws of xxx
- History: 1/10, no way to track what were the previous versions of the document or when they changed
- ...
EDIT: to give some context and prove it's possible to provide metrics to legal documents, in Poland we have a formal "Registry of Forbidden Clauses" with references to lost court cases:
wvenable4 months ago
Request headers aren't going to do anything. Browser settings, maybe. If browsers were not owned by advertising companies, they'd just disallow this tracking and that would be the end of it.
dusted4 months ago
This also solves nothing. It's up to the ethics of the company how they choose to group "none" "essential" and "all" and what kind of server-side tracking they do anyway. It's no harder to do the wrong thing with the current system, but at least the headers would be invisible to the user.
Alternatively: Only allow the website to set cookies if it presents headers with the different options, in a standardized way so the user can choose to pre-set a preference and not be bothered with the cookie nag modal.
yobbo4 months ago
Besides cookies, there are tracking methods based on fingerprinting, IP and so on. None of them are permitted without explicit consent. This means that a site may not load resources from a third-party server without consent, since the request itself reveals enough information for fingerprinting and tracking.
Tracking is plainly not permitted without consent.
imiric4 months ago
> Tracking is plainly not permitted without consent.
According to some poorly thought out law in certain territories, sure.
In practice, however, there is no technical mechanism by which users, or anyone else for that matter, can detect whether they're being tracked or consent to it. There are browser extensions conscious users can install to block certain browser features, but these are not infallible, and they're constantly playing a cat and mouse game with trackers.
The cookie policy only applies for cookies, not for general tracking. And even with it, companies loophole their way by claiming "legitimate interest". Many popular websites show cookie consent forms with upwards of a thousand of these companies, and deliberately use dark patterns to make it impossible to deny all of them. It's absolute insanity.
But in general, cookies are a red herring. They're used as sacrificial offering aimed at governments and the public to show that a company really cares about user privacy by not using them. When in reality they've been relying on far more sophisticated tracking methods for many years which are technically impossible for the public to even comprehend.
And let's not forget about the shady data broker market, where our data is perpetually transacted against our will or knowledge, let alone benefit.
We need far more technical experts in governments to pass strict regulation against this nonsense, in a way that it actually benefits the public. But I'm not holding my breath that this will ever happen, considering the corporatocracy we're living in.
TheCoelacanth4 months ago
If by "cookie policy" you mean GDPR, then it absolutely applies to general tracking, not just cookies. The actual technical means used for tracking has absolutely no bearing on legality.
GJim4 months ago
> there is no technical mechanism....
sigh There is the law.
The law that legitimate companies obey.
Such data protection law means I can trust my bank will not track me and provide my personal data (all the booze and fags I've spent money on) to my insurance company, and my insurance company cannot accept such data gathered 'unfairly'.
The only people who object to such data protection laws are scummy tech companies who haven't yet understood unnecessary personal data is now a liability, not an asset.
cynicalsecurity4 months ago
The request headers are already there. It's the DoNotTrack header.
GJim4 months ago
> The cookie policy
No. It isn't a "cookie policy".
The GDPR states I must give a specific opt-in approval to provide my personal data and allow it to be passed on.
You can use as many cookies as you like, but if you want to track me personally (advertisers take a bow) then you need my specific consent to do so. And so you should.
I'm amazed I have to keep explaining this to American web designers who should know better. This has been law in the UK and EU for quite some time now and is a prerequisite to doing business here.
The GDPR is a bloody good law. It makes the gathering of unnecessary personal data a liability, as it should be. See here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
Timshel4 months ago
? You now have a one click button to refuse most of tracking on compliant websites and this includes Google.
Fail to see how it’s value-signalling ...
thn-gap4 months ago
When I'm on my phone and a website shows the ads popup, I open it in Brave, which just blocks everything. That's the current implementation of "do not track" settings.
troupo4 months ago
The Do Not Track header was immediately used by the industry to fingerprint and track users.
GDPR isn't about cookies, or browsers.
friendzis4 months ago
GDPR compliance can be implemented in many ways, starting with not collecting data in the first place. Even if data is collected and sold it is still both possible and arguably even easier to implement GDPR compliance without cookie pop ups.
However, we have codecamp graduates gluing left-pad modules together until something works instead of engineers building websites and it shows.
cynicalsecurity4 months ago
Neither "graduates" nor "engineers" are responsible for any website functionality. They simply do the work that the management requested them to do.
friendzis4 months ago
The request from management to engineering was "make us gdpr compatible, show that cookie banner we see on other sites or some shit", implementation details were designed by IT.
snatchpiesinger4 months ago
At the same time if you suggest "maybe we shouldn't use X, Y and Z analytics then" then you get laughed out of the room. So is there really a choice?
GJim4 months ago
> then you get laughed out of the room
If this is the case, you need to re-assess both your work culture and 'belief' in what Google is telling you.
scarlehoff4 months ago
Please stop - selling our data to advertisers.
o_m4 months ago
For that to work users have to spend money on their services. I hope that will happen in the future, but until then it is hard to compete with free services that have ads.
kalaksi4 months ago
They probably still track you even if you paid money, so that makes paying less enticing. And it's prudent to assume so unless they clearly state otherwise
Ferret74464 months ago
That's because you're not paying enough. If you pay enough, you absolutely can get non-tracking products.
Of course, people either aren't willing or can't. Them's the breaks.
latexr4 months ago
The overwhelming majority of ad-supported services do not offer ad-free and surveillance-free alternatives. Heck, even plans literally named “no ads” can still show you ads.
kalaksi4 months ago
You don't know what I'd pay. So can you name any popular services that offer that option?
To add, there are estimations about how much ad money average user generates and it's very much affordable
troupo4 months ago
You don't need invasive and pervasive tracking to display ads. Google became an ad behemoth with contextual ads
johnnyanmac4 months ago
> it is not legally required to provide the service if a user declines tracking cookies. The site can simply not provide functionality. So in many cases, its not really a choice – the choice is either not to use the site, or consent to tracking.
to be fair that is the choice. And ideally, the invisible hand would show that this is a horrible idea and cause a huge spike in traffic, but alas.
I think "stop putting popups cookies" on websites is an extreme stance, but I agree we could use fine tuning on the little things to help keep the spirit of the law. It should indeed be opt-in and not "ask for forgiveness". And it should adhere to current compliances.
randoomed4 months ago
Unfortunately that (quoted) line is incorrect, see this page by the Dutch privacy authority: https://www.autoriteitpersoonsgegevens.nl/en/themes/internet... It is based on this 2019 ruling also by this same authority (unfortunately only available in Dutch) https://www.autoriteitpersoonsgegevens.nl/documenten/normuit...
While this ruling does not specifically only use the ePrivacy directive (it is instead based in GDPR), laws do not exist in a vacuum.
planb4 months ago
Cookie banners are a great reason for expirations dates on new policies. If it works: Great, renew it! If it does not work, is not required anymore or was just plain stupid: Never talk about it again and it will run out. But who will actively admit that regulation failed and work to undo it?
cornedor4 months ago
Cookie banners are not a policy, they are used to work around a policy, and often implemented incorrectly. GDPR says you need to be given a specific informed decision, but often cookie banners show a big green approve button, and a less positive deny button (if that is even the case). When the law is being enforced better (which is slowly happening) those cookie banners should get 2 the same looking buttons, and that would result in more denies. Hopefully, companies would realize that they need to solve their marketing differently.
RamRodification4 months ago
More like big green approve button vs.
"Configure my preferences" -> Untick all the things -> Make sure you click the almost invisible Save button and not accidentally click the big green "Allow All" button.
Horrible. If we can force websites to do this, we should be able to force websites to read my request header NoDamnTrackingCookiesFfs
wkat42424 months ago
Probably worth noting that this practice is illegal in the EU. Saying no should be just as easy as saying yes.
However they are very bad at enforcing it, sadly.
Thiez4 months ago
And 150 of the 400 "partners" will also have a pre-ticked "legitimate interest" checkbox that you have to untick separately. To me that's an automatic maximum penalty fine, but sadly there is no enforcement.
timeon4 months ago
Most laws, at least where I live, are amended. 'Never talk about it again' seems a bit naive to me. If good faith has not helped with trackers then ban them outright.
nikanj4 months ago
Malicious compliance gets the website two benefits: 1) Annoying the customer enough with the popups might net a permission to track from a user who originally did not want the cookies 2) Making the cookie banners as frustrating as possible increases the political pressure against the EU, hopefully leading to them repealing the anti-tracking legislation
There's no upsides for a website from providing an easy "Never track me" button, or just not using analytics cookies - you don't have to put up cookie consent banners for technical cookies used to save e.g. light/dark mode preference
blkhawk4 months ago
The issue is also that the cookie banner has become a meme for non technical "deciders". That means even sites that do not track you will have the banner.
shmeeed4 months ago
Do you have an example for such a site? Where does one even find a site without tracking nowadays?
How is such a banner even supposed to work when there is no choice for the user to make?
I mean, someone has to make that banner, so it's quite a way from the rash decision to its execution, where at any point (preferably immediately) someone could and should step in and say "we are not required to do that and we should not spend any money on it". In my experience, non technical deciders are often sadly under-advised, sometimes because tech people who might know better fail to communicate even very simple facts like these in an understandable way.
blkhawk4 months ago
It costs time of people who don't want to spend the time to decide if a cookie banner is needed. It's the default. It COSTS money to decide not to have it.
wkat42424 months ago
> Enact a law that requires a service to respect the do not track signal from a browser (currently entirely voluntary), and not store any tracking cookies, clear gifs or other trackers – and require that a site not “discriminate” against users who elect no tracking – basically – provide all functions to users whether they consent or do not consent.
This is indeed the obvious solution. I don't understand why the EU didn't mandate the do not track flag to be obeyed. I know some browsers already removed it but that was because nobody bothered to obey it. As soon as it can be mandated it will be useful and come back quickly.
Also, there was criticism from the advertising industry that the do not track was on by default but that's how tracking should work in the EU anyway: opt in.
By not doing this the EU keeps getting flak for the many cookie walls.
redprince4 months ago
That there is no such mechanism can be explained pretty well with this extreme scenario:
- Browsers would come with the no tracking signal enabled by default (why wouldn't they?) so that tracking would become opt-in.
- Nobody chooses to be tracked.
- The whole industry built on tracking users collapses, namely advertisement
- Web sites who based their business model on advertisement go under
Because of this I bet that the industry is lobbying extremely hard for solutions that are maximally useless and inconvenient for the user. Unless the user "chooses" to be tracked of course.
In that vein, another proposal for stemming the flood of cookie consent banners comes from the German government and outlines a multi vendor strategy with very little technical guidance for centralized consent management systems:
https://www.heise.de/en/news/Consent-management-German-gover...
f1refly4 months ago
> - Browsers would come with the no tracking signal enabled by default (why wouldn't they?) so that tracking would become opt-in.
> - Nobody chooses to be tracked.
> - The whole industry built on tracking users collapses, namely advertisement
> - Web sites who based their business model on advertisement go under
This seems like the perfect outcome to me, but I doubt we'll be this lucky
Ferret74464 months ago
Maybe I'm soft, but I always ad block and yet I don't think millions of people losing their jobs, and the resultant economic depression causing millions of other people to go hungry/homeless is a perfect outcome.
wkat42424 months ago
Well those people could go do something constructive for humanity :) You're acting as if there won't be anything to replace it.
f1refly4 months ago
it's like when we "found out" leaded gasoline is bad for every living being on the planet. the whole automotive industry and its associates really didn't want to change, but at the end of the day life goes on. maybe one day we'll be able to have an internet that is not financed by mass surveillance enabled psychological abuse.
wkat42424 months ago
Well yes but the websites will find suppliers of untracked (context sensitive e.g. car ads on a website about cars) ads, which will become more valuable since they no longer have to compete with tracked ads.
Companies like Google and Meta would lose their huge moat because they're the only ones with the kind of pervasive tracking network that make tracked ads viable. They no longer have a big advantage over smaller ad players. And them losing their huge market position isn't a bad thing IMO.
I don't think ads would disappear, they would just become untracked. Neither would websites. They will find a way.
tgv4 months ago
> I don't understand why the EU didn't mandate the do not track flag to be obeyed.
1. Because the implementation is simply left open?
2. Because it's nearly impossible to verify?
wkat42424 months ago
The implementation in technical terms is left open yes, but they could have added a clause that settings like this (and not necessarily specifically this alone) must be respected if set. And in that case no other questions may be asked because the preference is already given. In that case the EU would have done themselves a huge favour because now they get blamed by everyone for the cookiewalls. Even though this was never the intention of the law.
What do you mean verify? If it's set then it's set. It gets automatically injected with every web request. It's not possible to make sure the user manually set the flag or if it was default, no. But in the EU the law says that tracking must be opt-in so this is perfectly good behaviour in line with the law.
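The behaviour described in the comment above (a browser preference that is respected when set, with no further questions asked, and opt-in otherwise), sketched as server-side logic in an added example that is not part of the thread. The cookie names, the `consent` cookie format and the script URL are assumptions made for illustration; only the `DNT` request header is named in the discussion.

```javascript
// Added example: decide per request whether tracking is allowed and whether
// a consent banner is needed. All names below are hypothetical sample data.

// Cookies the site would like to set, tagged by purpose (constructed).
const CANDIDATE_COOKIES = [
  { name: 'theme', value: 'dark', category: 'essential' },
  { name: 'session', value: 'abc123', category: 'essential' },
  { name: '_analytics_id', value: 'u-42', category: 'analytics' },
  { name: '_ad_partner', value: 'p-7', category: 'advertising' },
];

// Third-party resources: merely requesting them exposes the visitor's IP and
// browser details to another party, so they are gated the same way.
const THIRD_PARTY_SCRIPTS = ['https://analytics.example/collect.js'];

// Header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return String(value).trim();
  }
  return undefined;
}

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue; // skip malformed pairs
    const key = part.slice(0, idx).trim();
    if (key) out[key] = part.slice(idx + 1).trim();
  }
  return out;
}

function formatSetCookie(cookie) {
  return `${cookie.name}=${cookie.value}; Path=/; Secure; SameSite=Lax`;
}

// Decision order:
//  1. DNT: 1 present  -> no tracking, no banner (preference already given).
//  2. Stored choice   -> honour it, no banner.
//  3. Nothing known   -> no tracking yet (opt-in), show the banner once.
// Essential cookies (session, theme) are set in every case.
function decide(headers) {
  const dnt = getHeader(headers, 'DNT');
  const stored = parseCookieHeader(getHeader(headers, 'Cookie')).consent;

  let tracking = false;
  let showBanner = false;
  let reason;
  if (dnt === '1') {
    reason = 'dnt-signal';
  } else if (stored === 'granted') {
    tracking = true;
    reason = 'stored-consent';
  } else if (stored === 'denied') {
    reason = 'stored-refusal';
  } else {
    showBanner = true;
    reason = 'no-preference';
  }

  const setCookies = CANDIDATE_COOKIES
    .filter((c) => c.category === 'essential' || tracking)
    .map(formatSetCookie);
  const scripts = tracking ? THIRD_PARTY_SCRIPTS.slice() : [];
  return { tracking, showBanner, reason, setCookies, scripts };
}

// Constructed sample requests.
for (const headers of [
  { DNT: '1' },
  {},
  { Cookie: 'theme=dark; consent=granted' },
  { dnt: '1', cookie: 'consent=granted' },
]) {
  console.log(JSON.stringify(headers), '->', decide(headers).reason);
}
```

Letting the header override an earlier stored "granted" is a design choice made here to match the comment's "must be respected if set"; a real deployment would have to decide that precedence explicitly.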
bspinner4 months ago
How are cookie banners any better in regards to 2? Not sure what you mean by 1.
tgv4 months ago
Point 1 means that e.g. the GDPR doesn't mandate a specific implementation. It describes the outcome, which is quite reasonable.
Point 2: you can't check/verify if parties, especially those outside the jurisdiction of the EU, really honor things like the 'don't track' flag.
It's unfortunate that so many companies decide to implement the requirements in the laziest and sleaziest possible ways.
troupo4 months ago
> I don't understand why the EU didn't mandate the do not track flag to be obeyed.
GDPR is a general regulation. It doesn't concern itself with browsers, or cookies. It's on industry to come up with a solution for specific technologies.
Oh, and for browsers they did. It's called the "Do Not Track" header, and the industry immediately used it to fingerprint and track users.
> By not doing this the EU keeps getting flak for the many cookie walls.
No. It's the industry winning the PR wall. The EU never mandated the cookie walls. It's the industry's calculated malicious compliance.
Well, in the end the industry might end up with EU strictly regulating every single technical aspect of this, but then the industry will cry about government overreach or something.
wkat42424 months ago
> Oh, and for browsers they did. It's called the "Do Not Track" header, and the industry immediately used it to fingerprint and track users.
They do this anyway. They should have mandated this be honoured (or any other type of tech). If that were the case the browsers would have brought it back in short order.
> The EU never mandated the cookie walls. It's the industry's calculated malicious compliance.
Exactly. And this is their fault for not regulating this properly.
troupo4 months ago
> They should have mandated this be honoured (or any other type of tech)
GDPR mandates honoring user consent.
It's a general data protection regulation. It doesn't talk about specific technologies.
> this is their fault for not regulating this properly.
What "this". Should there be a separate law for browsers? And a separate law for mobile apps? And a separate law for desktop apps? And a separate law for offline businesses? And...
Or should we blame the people and industries who couldn't care less about user privacy?
cbanek4 months ago
Also, for those of us with vision issues (or just want to zoom in a lot on a webpage), these popups look horrible at 150%-200%, and often get misrendered in strange ways, sometimes hiding the button. Then if you actually try to reject it, if you can, the rejecting or customizing page is nearly always broken when zoomed in.
evdubs4 months ago
uBlock Origin has cookie notice filters. I don't think this is enabled by default; you can enable it in the Filter Lists section, along with "annoyances".
Moru4 months ago
And it works really well. Until it does not, and then you need to figure out why the page isn't working for you but your neighbour has no problems. I still use it all the time though, but there are some pages I won't bother with much. Probably better that way anyway :-)
wkat42424 months ago
Yes I prefer using the special EU cookie wall plugin. I forget the name right now, sorry.
uBlock just blocks the popup which breaks some sites that don't work until you make a choice, which you can't because it's blocked. The other plugin answers it for you in the background with your chosen options.
ipv6ipv44 months ago
By far, my favorite feature in iOS 18 is Safari’s “hide distracting items” feature. It lets you permanently hide the cookie popups on a per site basis. And the annoying google sign in popups, and the annoying scroll down popups.
wruza4 months ago
> and the annoying scroll down popups
Wait, is it when you pull the page by moving your finger to the bottom of the screen and the “header” pops up?
Lio4 months ago
You mean the vanity flap at the top?
No those are a different sign of design ineptitude.
They mean the popups that appear as you try to read what you followed the link for.
ipv6ipv44 months ago
Some sites ask you for an email, or login when you scroll down, and you have to hide it to keep reading. I think Medium pioneered this?
wruza4 months ago
Oh, sad. I hate these idiotic header backscroll popups so hard, hoped it can disable that too.
ipv6ipv44 months ago
Maybe it can. I don’t know.
jimkleiber4 months ago
Whoa thanks for letting me know this exists
rrr_oh_man4 months ago
The future 2 years down is cookieless anyway.¹
I'm afraid that these banners, because these are called "cookie banners" and not "consent to us using your data and giving it freely to other companies banners", will just go away, people (& companies) will be happy, and the consumer stays a fool.
ben_w4 months ago
The legal requirement behind them is about storing information about a person that isn't strictly necessary for functionality or law.
It remains even if "cookies" were replaced with "smart dust tracked into your house by cyber-ants".
rrr_oh_man4 months ago
Yup, but it will be very hard to see/prove this from the outside.
Unlike cookies.
dehrmann4 months ago
The larger lesson here is this is what happens when governments try to regulate things they don't understand. Cookie popups just add friction, and it's not clear consumers see any real privacy benefit. What's even worse is people seem to not care that the policy isn't working, but they aren't telling lawmakers to fix it.
sofixa4 months ago
The lawmakers regulated that a website should warn you, and then upgraded to ask for your consent, before collecting and storing privately identifiable information about you.
The regulation doesn't mention cookie popups. The easiest way to comply is to not collect nor store any such information.
ipv6ipv44 months ago
> The regulation doesn't mention cookie popups. The easiest way to comply is to not collect nor store any such information.
Utopia is just around the corner as long as everyone does exactly as I say rather than being driven by self interest.
ben_w4 months ago
Governments don't think in terms of utopia, but the rest is literally what a government is: here are the rules, you will follow them or get punished.
Relying on self-interest is Laissez-faire, that had the result of (1) the invention of communism and (2) basically ended even in the US with the Great Depression.
Communism kinda had the same problem, as it made false assumptions about human nature and self-interest.
Earw0rm4 months ago
How do you manage login sessions without?
If you're a site that has even basic analytics reporting requirements, how do you do any of that without?
"Don't do these things" is a decent option for sole traders, microbusiness and hobby website operators, but good luck selling that to anyone "in a suit" (more likely $500 jeans or chinos nowadays).
sofixa4 months ago
> If you're a site that has even basic analytics reporting requirements, how do you do any of that without?
If your analytics are anonymous, as they should be, you don't need a cookie, nor a consent banner.
> How do you manage login sessions without?
You don't need to ask for consent for that, because it's a necessary requirement for functionality.
Ekaros4 months ago
That is why we should do proper enforcement. Cookie popup that is not needed 1% revenue fine for each month it stays up. Suits will start to understand things really really fast.
yxhuvud4 months ago
You don't need a cookie popup for managing login sessions. Things that are essential to providing the feature don't need permission.
At least based on the so called cookie law. There is also GDPR, but you'd typically agree to that on signing up, not on accessing the site.
GJim4 months ago
I'm puzzled how one can remain so ignorant.
Once again, there is no law requiring cookie popups. Gathering data fairly and transparently (e.g. login credentials) is perfectly fine. However if you wish to pass my data to third parties to track me (advertisers take a bow) then you need my explicit opt-in permission to do so. And so you should.
This isn't difficult to understand and has been law in the UK and EU for quite some time now.
Explanation is here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
jiggawatts4 months ago
Website admins chose the path of malicious compliance.
michaelteter4 months ago
Not necessarily. Many are told by their bosses to either put minimal effort into becoming compliant, or worse, told to use a horrid cookie notice service that creates so much user frustration that some of us abandon the site rather than deal with it.
I think with few exceptions, most web admins just want to get the cookie notice sh*t out of the way and get on with work that matters.
jiggawatts4 months ago
The “told to implement a horrid solution” is the malicious compliance.
USiBqidmOOkAqRb4 months ago
Could you perhaps muster up the courage to clearly substantiate what you're criticizing? These terms "government", "regulation", "lawmakers" come off as dogwhistles. It's not like evil Ursula von der Leyen walked up to the blue lectern and said websites now must present a dialog with one button before you can look at the content.
If you're talking about GDPR, then it regulates that businesses have to have reason to store and process PII. I don't see a reason to be unhappy about that.
michaelteter4 months ago
I'm not sure why you're being downvoted. I believe the way you stated this is accurate.
The regulation and its outcome was clearly not understood or intended by those who mandated it. Absolutely everyone is suffering from this.
As for the "not care", I think the primary issue is that most people don't make much effort to understand the things they use. If they understood what was going on, they would be more upset and possibly make some effort to get things changed/reverted.
I would put a bit of blame on big corporations for not spending some of their lobbying money on fighting this requirement - not because they should get a free pass at misusing our info, but because they should be well equipped to know that the regulation will be addressed in a crappy way that costs them money and annoys users.
johnnyanmac4 months ago
I think it's a bit weird (but the author did the same thing) that the blame is put on regulators here for not being precise enough with language, and not companies that are happily exploiting the loophole for as long as they can. And if it does get repealed: great! companies win, tracking is back.
There seems to be a nuance missing here in most of this discussion.
troupo4 months ago
GDPR is general regulation that doesn't even talk about cookies or browsers.
The obnoxious cookie popups is the industry's malicious and calculated response.
This is a good sibling comment about this: https://news.ycombinator.com/item?id=41576346
mindwok4 months ago
Interesting article. This policy has felt like a complete failure, but I didn't know the depths of how badly it has failed.
I would really like to see these die. Regulators should just work with browser vendors to make an API that I can set at the browser level, and websites just read that to know my preferences and leave me alone.
sofixa4 months ago
Your preferences should be on the website level though, not global. And you should be asked about it on first visiting the website.
Let me explain why with an example: say you're the type of person who doesn't care about "privacy" online ("I've got nothing to hide"), or you do; and you want to "support" certain ad-supported websites you're a fan of; but not that new clickbait toilet paper your aunt sends you.
I can't think of any way to have a good UX to opt in or out of "tracking" cookies which people would actually use (few will bother changing the defaults, and most mindlessly click ok).
wruza4 months ago
> Your preferences should be on the website level though, not global. And you should be asked about it on first visiting the website.
Preferences should be expressible in any form a user seems fitting their needs. If they want to block-all,enable-per-site or enable-all,block-per-site, or block-mask, or enable-mask, or top-down rule priority list — they should be able to. Designing preferences in any other way is a dark pattern not worth considering as a fully user-controlled mechanism.
> I can't think of any way to have a good UX to opt in or out of "tracking" cookies which people would actually use
Virtually any UX is better than cookie popups as they are now, cause they get designed with interests of a site owner in mind. This alone makes it the worst possible UX on average.
awfulneutral4 months ago
Why not do like with popups, and show a little toast with "x tracking cookies were blocked, click to allow"? Cookies could have to register whether they are essential or not. It's really wild how much work must have been created by distributing this problem to every website on earth instead of doing it in the browser.
greyface-4 months ago
Lynx, back in the day, forced you to explicitly accept/reject each cookie offered by the server while loading the page. Modern browsers silently accept them all by default. Browsers have regressed.
Earw0rm4 months ago
Because Chrome (Google) and a large chunk of the web media publishing ecosystem are hooked on this crap. It's a hundred billion dollar business.
And yes, it's mostly selling garbage, but that's hardly unique in 21st century capitalism.
litenboll4 months ago
The important part here is that it's at the browser level, IMO. Then it's the user's choice to either reject/accept all by default or get prompted once per page. I'd guess that 99.9% want to set it globally and never think about it again.
cynicalsecurity4 months ago
It's been on the browser level for ages. It's the DoNotTrack http header. The websites simply ignore it and hope the users will simply keep pressing the consent button.
wvenable4 months ago
Why would anyone want to support an ad-supported website by allowing cross-domain tracking? I think that's a stretch.
gpvos4 months ago
The API exists already: the DNT (do not track) header.
troupo4 months ago
And the industry is using it to fingerprint and track users.
switch0074 months ago
Why would they stop?
Most users are now giving explicit consent to be tracked! What a dream! Before, they had to worry about legal grey areas!
Now the legislation says it's fine, as long as they click "OK". Which almost every user does because they are tired and annoyed by the pop ups.
Thank you legislators!
thinkingemote4 months ago
I've come across a few websites that have cookie controls that don't do what they say they do when I manually examined them. E.g. still using analytics
Are there any tools to check websites to see that they do what they say they will do? Or is it a manual thing?
dochne4 months ago
The Insites GDPR checker[1] does this.
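For the manual check asked about above, here is an added example (not from the thread and not the code of any tool named in it) that audits the `Set-Cookie` headers a site sends after tracking was declined. The site `shop.example`, the cookie names, the captured headers and the allowlist of essential cookies are all constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed capture: (responding host, Set-Cookie value) pairs recorded
# after choosing "reject all" on a hypothetical site, shop.example.
OBSERVED = [
    ("shop.example", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("shop.example", "consent=rejected; Max-Age=15552000; Path=/; Secure"),
    ("shop.example",
     "analytics_id=v1.111.222; Max-Age=63072000; Domain=.shop.example; Path=/"),
    ("ads.tracker.example",
     "uid=9f8e7d; Max-Age=31536000; Path=/; SameSite=None; Secure"),
]

# Assumption: the cookies the site's own policy declares strictly necessary.
ESSENTIAL = {"sessionid", "consent"}


def is_first_party(host, site):
    """True when host is the site itself or one of its subdomains."""
    return host == site or host.endswith("." + site)


def audit_after_reject(site, observed, essential):
    """List cookies that were set although the user declined tracking.

    A cookie passes only if it comes from the first party AND is on the
    essential allowlist; everything else is reported with its origin and
    lifetime so a reviewer can compare it with the site's consent dialog.
    """
    findings = []
    for host, header in observed:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie value with its attributes
        for name, morsel in jar.items():
            first_party = is_first_party(host, site)
            if first_party and name in essential:
                continue
            max_age = morsel["max-age"]  # "" when the cookie is session-only
            findings.append({
                "cookie": name,
                "host": host,
                "third_party": not first_party,
                "lifetime_days": int(max_age) // 86400 if max_age.isdigit() else 0,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_after_reject("shop.example", OBSERVED, ESSENTIAL):
        print(finding)
```

The same function can be fed headers exported from a browser's network panel or a HAR file; only the capture step is manual.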
fmajid4 months ago
Global Privacy Control, basically a legally binding Do-Not-Track header, is already the law in California, I don’t understand why the EU is dragging its feet on making it mandatory to comply with.
natch4 months ago
Please stop using full justify text layout on your website.
nurettin4 months ago
The way to reduce cookie banners only depends on a small tweak by google. If you give people the choice between SEO and legibility, they will choose SEO.
fire_lake4 months ago
I love the “long press to preview” feature in mobile web browsers. But now all I get to preview is the cookie pop up! EU, pls fix.
nuclearsugar4 months ago
I think it's ironic for these pop-ups to frequently only offer "accept necessary" or "accept all"...
kuba-orlik4 months ago
> If a site does comply with the notice and consent requirements, it is not legally required to provide the service if a user declines tracking cookies.
That's simply not true. In order for consent to be valid under GDPR, the service should operate normally if you decline tracking cookies. Otherwise it's considered a "forced consent" and is not valid.
andreapaiola4 months ago
So... Abolish all the EULAs?
anonzzzies4 months ago
If you do not collect my data outside for what is strictly needed, then all is good. Remove analytics, recaptcha, embedded youtube, google cdn and any other things you do not actually need to run your product. And collect only the info you need (and nope, you really do not need my address or phone number unless you ship physical goods, so why are you getting it?). You probably do not need my email address besides for spam (forgot password is not a thing; either use one of the oauth providers, or hash the email and let the user enter it; if it matches you can send the email).
Then you don't need cookie banners or gdpr consent popups. It is not that hard. But you want to screw your clients for profit, I know, in that case, you need them or get fined. Which you should be for misusing my information/behaviour and privacy. Nothing good did come of ad tracking, user fingerprinting and data selling, so I wish you many fines.
literalAardvark4 months ago
This doesn't read quite right to me. Maybe I missed something.
Under the GDPR sites are emphatically NOT allowed to deny service over rejecting cookies.
Iirc the only valid options are providing a paid alternative or blocking service to the entire class of GDPR covered citizens.
wkat42424 months ago
Even a paid alternative is very iffy. Some jurisdictions like Germany have allowed it after a court ruling but most have not. Meta is also getting flak from the EU for their "accept or pay" model.
xaerise4 months ago
That is not really GDPR. That is the ePrivacy directive (i.e. the Cookie Law from 2009) that supplements but sometimes overrules GDPR.
https://gdpr.eu/cookies/ # Cookie compliance
TheRealPomax4 months ago
So, the problem with this is: the law. If you use session management: GOOD NEWS GDPR AND CPPA UNDER PENALTY OF THE COURTS DEMAND YOU INFORM USERS and if you know a better way than an intrusive "accept this before you can continue" by all means pipe up but the problem is overbearing laws, not "people following them". The law requires that you disallow access until people tell you their position on your handling of their personally identifiable information and welcome to modern web dev hell. If you don't like it, hell has done its job.
Both Europe and California consider IP addresses PII and this is the result.
nikanj4 months ago
Session management does not require a cookie consent. Implementation-relevant technical cookies are exempt, it's the 337 different analytics services that sites use that require the cookie consent
troupo4 months ago
1. you don't need consent for functionality strictly required for the functionality of your product. Such as session management
2. You are allowed to legitimately process PII for legitimate purposes related to your business: e.g. combating fraud
3. What you emphatically aren't allowed without consent: collect vast amounts of data, store it indefinitely, and sell it to 15 000 third party "partners"
Moldoteck4 months ago
gdpr works a bit differently. You can use cookies for providing website operations, for it you don't even need a banner. You can't easily use cookies/trackers for ad purposes. You can still display ads but these shouldn't use cookies (this way again - no need for banner).
tomw18084 months ago
So, suppose I run websites. Actually I do and I have cookie banners on all of them - but only for users with EU IP Addresses.
Here's the twist: Good news is (for me), I can[1] track and do whatever I want with any other IP address. You visit my site? Well, thanks to nobody else I care about having GDPR-like regulations in place, I can make sure I'll not only track you down and display ads across all advertiser networks, feed them your visit in all imaginable and unimaginable ways, but I can do it in such a targeted way that it's borderline scary. I can literally use any information you gave me on my websites, like your name, your location, proximity to anything. And if I can't then the advertiser can. And in the case of that particular lawsuit mentioned in the article, collecting all user consents, their IP addresses, and basically which websites they visited, it's like a gold mine for advertisers. If it isn't one yet, it can be turned into one with the click of a button.
It's like that one case a few years back, where a health insurance company bought a bank and started closing bank accounts from people they knew were risk patients.
Simply connect the dots...
GDPR's promise was to make it harder to do so. It wasn't the plan to annoy the hell out of everyone with banners. The whole idea was to not allow tracking unless you opted in, because quite frankly, it's scary.
And no, I'm not a fan of GDPR or overregulation. But in reality, there hasn't been any tech I've come across that really protects the non-technical internet users at large. There's uBlock and plugins, but not installed by default or built into standard mobile browsers. Apple might be close for regular consumers to stop the excessive tracking and companies like FB really hates them for it (for good reason, it costs them big $$). Google will never shoot their own foot by integrating non-tracking tech into any of their products.
So, no, my opinion is don't stop that darn annoying cookie pop-ups unless you also stop the tracking. If you stop the tracking, remove the cookie pop-up. As easy as that.
[1] I don't do it, but I could. I'm not a reckless psycho-marketer.
peter_d_shermanop4 months ago
>"Almost every major website you visit today pops up a banner to warn you that it uses “cookies.” This is not legally required in the U.S. or in most places, and where it is, the vast majority of sites do not comply with legal requirements."
Moldoteck4 months ago
afaik gdpr is valid for eu citizens that are in other countries too, including us. US ofc wouldn't do a thing, but EU can act on your business in their land. That's why cookies are everywhere - websites can't know if you are eu citizen or not. Another problem is that - if you don't use cookies for ads/tracking, you don't need a banner but many websites are ignoring this. Another problem - imo gdpr should have been adapted to enforce some http header with auto-response so that the banner wouldn't be needed
peter_d_shermanop4 months ago
>"That's why cookies are everywhere - websites can't know if you are eu citizen or not."
An excellent point!
Websites can't know if someone is a citizen of country X, country Y, country Z, or even no country (indigenous people, sovereigns, legal constructs, AI's, international groups/associations, companies domiciled in space, other actors/legal constructs, present and future, etc., etc.)!
That is, they cannot know implicitly, without being explicitly given the appropriate information, if someone/something (non-human actors and/or legal representatives) accessing a website are citizens of a given country -- or not!
Now websites can do what many courts do, rightly or wrongly, and that is to presume an arbitrary citizenship/jurisdiction for a given website visitor (or visiting actor -- whatever is on the other side of that HTTP/S request)...
But will that be the correct presumption to make in all cases?
Probably not!
So perhaps the future needs a way for visitors to set in their browser (or by some other mechanism!) -- their citizenship and/or jurisdiction!
Of course, then we'd get into some weird scenarios like "what if website X in country Y decides to decline people who have set their browser to "I'm a citizen of country Z" -- sort of like the equivalent of a limiting country's physical immigration policy -- but for HTTP/S requests...
If the HTTP/S requests are not in the citizenship/jurisdiction of a whitelist specified by each website, then, "no HTTP/S response for you!" (Sort of like the HTTP/S version of Seinfeld's Soup Nazi -- "No soup for you -- come back in 1 year!" :-)).
Of course, the whole set of ideas I've outlined above, were they to come to fruition in the future -- sort of would violate the spirit of openness, trust, and good faith that was present in the early World Wide Web...
Remember that the early World Wide Web was built in such a way that all HTTP requests were answered with no need to provide a password or other credentials, no need to accept cookies (the early WWW / HTTP didn't have them!) and could be contrasted with FTP sites of the time which did require passwords (although many would be set to allow username "anonymous", password "anonymous" logins).
That is, the early WWW / HTTP -- was a passwordless, cookieless, loginless, "just give me the information", information-passing protocol, which in its earliest incarnations served academics (no one else had access to the Internet at that time!) who only wanted to share academic information (papers and the like!) with other academics, regardless of their country, jurisdiction, or their acceptance or rejection of any potentially access-limiting and resource denying cookie!
So, in conclusion, an excellent point!
mediumsmart4 months ago
me and my 486 partners agree