I don't care about cookies (i-dont-care-about-cookies.eu)
249 points by LegitGandalf on March 20, 2021 | 187 comments



The consent popups you see aren't just about cookies though. They want (and sometimes illegally force) you to consent to processing of your personal information for reasons beyond just providing you with a service (or more commonly just reading an article). Cookies might be one technical means to assist with that, but it's not the only means.


Yes, I can't fathom why the hate is on the law, and not the companies now being exposed by the law. Seriously, if you don't do shady shit your site doesn't need a popup asking for consent.

But even GitHub has misunderstood that it's not about the cookies. They had an article earlier about removing the popup since they managed to do stuff without cookies. The law doesn't care about cookies, it cares about tracking and illegitimate use of personal data. If you send data to third parties or track by other means, consent is still needed.


> Yes, I can't fathom why the hate is on the law, and not the companies now being exposed by the law.

Because the law obviously didn't help stop companies from doing shady shit, and made the user experience of the web worse?


The law forced the companies to be explicit about what they do, and ask for consent.

The user experience is made shit by the companies doing shady things. If they didn't do shady shit, they wouldn't have to display any banner.

I'd rather be informed, at least I can make a decision that way.

Why shoot the messenger?

The part that is missing is making rejecting as easy as accepting. So far there are a lot of dark patterns, but there are sites that make it very clear and easy, and I appreciate it.


How is something like having Google Analytics on your site "shady shit"? I would think counting unique visitors is a legitimate business interest for most businesses. And there is no way to do that without a cookie, or without storing IP address (which is considered personally identifiable info).

The law could have been much better if it simply asked browser makers to provide a single place to configure your preference, and then forced companies to abide by that setting.


> How is something like having Google Analytics on your site "shady shit"? I would think counting unique visitors is a legitimate business interest for most businesses.

Just because it's free and somewhat nice looking, doesn't mean it isn't shady shit. Maybe all you care about is counting unique visitors, but by doing that with Google Analytics, you're exposing your visitors to a complex surveillance product that collects data for its own purposes, and it sees much more than what's needed to just count unique visits.


What people don't see about GA, is that the data doesn't stop at you: "here is your data, X unique visitors, have a nice day".

It has a wider lifecycle: "this is YOUR data, and we collect, maintain, process, sell these data to a myriad other sources for a myriad other purposes". GA just feeds these monsters.

Most GA users just don't care about their clients'/readers' privacy. Or they care 'a little', but they care 'a lot more' about monetizing.

We externalize the costs, or find shady revenue streams. As long as people think "it's free therefore it is good and I like it" we are not progressing.


Use first-party, privacy-friendly tracking solutions. Usually, first-party cookies don’t require consent.

I would love to have a technical solution for browser-wide consent management, but it wouldn’t solve the issue of granular, informed consent for all the shady things that are possible in adtech.

Also, the law certainly doesn’t prohibit a technical solution, but that really is something that the industry should work out.


I'm sure it's possible to do analytics in a user friendly way - you can do basic analytics without storing IPs or using cookies.

The problem is that Google Analytics isn't _just_ collecting data for you, it's collecting a trove of other data that it's using to track and link users across other websites.


> How is something like having Google Analytics on your site "shady shit"?

The fact that a question can be phrased like this really illuminates how much society has changed in 20 years.

Not so long ago sharing data between sites was definitively shady. Then Google somehow institutionalized it, and now it is completely mainstream.

> I would think counting unique visitors is a legitimate business interest

Yes, that's not it. Identifying people is, and collecting their personal data is.


There was a simple place — Do Not Track (DNT), ignored by industry.

Truly open culture does not accept tracking, for example there is no way to count Linux users. And people would not be keen on those who track physical newspapers.

Meanwhile I use uMatrix and uBlock Origin.


> Truly open culture does not accept tracking

The purpose of the tracking matters, though. Truly open culture also doesn't attempt fraud, DoS attacks, data breaches, and all the other nasty things that some people who are hoping not to get caught and punished do online. Unless you can prevent all such threats, it's unreasonable to expect websites whose operators might be held responsible for the consequences not to monitor how their own systems are being used and who is using them.


DNT never worked - and never could, because it had no legal backing.

What happened was entirely predictable to anyone who understands how the market works: there were some volunteers who honored DNT while it was opt-in, but that mostly ended when one of the browsers decided to make sending DNT enabled by default.

The industry wasn't, isn't, and is never going to self-regulate itself out of a significant revenue stream. That's why we ended up with GDPR - a proper solution with legal backing - which almost works. It would be working, if EU member states were more eager to pursue violations and issue fines.


> I would think counting unique visitors is a legitimate business interest for most businesses. And there is no way to do that without a cookie, or without storing IP address (which is considered personally identifiable info).

Setting a cookie is not in itself a GDPR violation. Collecting personally identifiable information is. You can collect unique visitors by setting a cookie but without collecting personally identifiable information, so no consent popup would be required for that:

1. Set a "site last visited: <date>, <serial-of-the-day>" cookie if it is not set.

2. Count hits as appropriate by examining the cookie - without collecting IP addresses.

Since no personally identifiable information is being collected with this scheme, consent is not required.
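The two-step scheme above, worked through as an added example (this code is not from the thread or from any project it mentions). The cookie value is just a date and a per-day serial number, so the server counts hits, unique browsers and returning browsers for the day without ever looking at an IP address. It goes one step beyond the comment by refreshing the cookie when a browser returns on a later day, which is what lets "returning" be counted; the cookie name `visit`, the 30-day lifetime and the simulated browsers are all constructed for the demo.

```python
import itertools
import re
from datetime import date
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "visit"  # hypothetical cookie name chosen for this example
_VALUE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\.(\d+)$")


class DailyVisitCounter:
    """Counts hits and unique browsers per day from a first-party cookie only.

    The cookie value is "<YYYY-MM-DD>.<serial>": the date the browser was
    last seen and a per-day serial number. It holds no IP address and no
    stable cross-day identifier, so a log of these counters contains no PII.
    """

    def __init__(self):
        self.today = None
        self.hits = 0
        self.uniques = 0     # browsers seen today (a cookie was issued or refreshed)
        self.returning = 0   # of those, browsers that carried a cookie from an earlier day
        self._serial = itertools.count(1)

    def _roll_day(self, today):
        if today != self.today:
            self.today = today
            self.hits = self.uniques = self.returning = 0
            self._serial = itertools.count(1)

    @staticmethod
    def _last_seen(cookie_header):
        """Date string from a well-formed visit cookie, else None (malformed counts as absent)."""
        jar = SimpleCookie()
        try:
            jar.load(cookie_header or "")
        except CookieError:
            return None
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            return None
        m = _VALUE_RE.match(morsel.value)
        return m.group(1) if m else None

    def _set_cookie(self):
        value = f"{self.today.isoformat()}.{next(self._serial)}"
        return (f"{COOKIE_NAME}={value}; Path=/; Max-Age={30 * 86400}; "
                "Secure; HttpOnly; SameSite=Lax")

    def handle(self, cookie_header, today=None):
        """Process one request; returns a Set-Cookie header value or None."""
        self._roll_day(today or date.today())
        self.hits += 1
        last_seen = self._last_seen(cookie_header)
        if last_seen == self.today.isoformat():
            return None                 # already counted today: just a repeat hit
        self.uniques += 1
        if last_seen is not None:
            self.returning += 1         # carried a cookie from an earlier day
        return self._set_cookie()


def simulate():
    """Constructed two-day sample: browsers A, B and C; no IPs anywhere."""
    counter = DailyVisitCounter()
    browsers = {"A": "", "B": "", "C": ""}      # each browser's stored Cookie header
    day1, day2 = date(2021, 3, 20), date(2021, 3, 21)
    schedule = [(day1, "A"), (day1, "A"), (day1, "B"),
                (day2, "A"), (day2, "C"), (day2, "C")]
    stats = {}
    for day, name in schedule:
        set_cookie = counter.handle(browsers[name], today=day)
        if set_cookie:
            browsers[name] = set_cookie.split(";", 1)[0]   # browser keeps "visit=..."
        stats[day.isoformat()] = (counter.hits, counter.uniques, counter.returning)
    return stats


if __name__ == "__main__":
    for day, (hits, uniques, returning) in simulate().items():
        print(f"{day}: {hits} hits, {uniques} unique browsers, {returning} returning")
```

A malformed or tampered cookie value is treated as "no cookie" and simply re-issued, so garbage from a client can never inflate the returning count or crash the handler. The serial resets every day on purpose: the value identifies a browser only within one day, which is the property that keeps the counter free of personal data.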


There is a way to count unique visitors without cookies and storing IP addresses indeed. Have you heard of HyperLogLog? It's very limited but works.
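The probabilistic counting the comment alludes to, as an added example (not code from the thread). A HyperLogLog sketch keeps only 2^p one-byte registers; each visitor token is hashed, used to update one register, and then discarded, so the server never stores the token itself. Feeding it a per-day token built from client IP and User-Agent is this example's assumption; the date mixed into the token means sketches from different days cannot be joined into a per-visitor history.

```python
import hashlib
import math


class HyperLogLog:
    """Approximate distinct counter: 2**p one-byte registers, no identifiers kept."""

    def __init__(self, p=12):
        if not 4 <= p <= 16:
            raise ValueError("p out of range")
        self.p = p
        self.m = 1 << p
        self.registers = bytearray(self.m)

    def add(self, item):
        # 64 bits of a SHA-256 digest: the top p bits pick a register, the rest
        # is scanned for its leading zeros. The item itself is not retained.
        h = int.from_bytes(hashlib.sha256(item.encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)
        rest = h & ((1 << (64 - self.p)) - 1)
        rank = (64 - self.p) - rest.bit_length() + 1   # 1-based position of first 1 bit
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def merge(self, other):
        """Union of two sketches (e.g. two servers' sketches for one day): register-wise max."""
        if other.p != self.p:
            raise ValueError("sketches must use the same p")
        self.registers = bytearray(max(a, b) for a, b in zip(self.registers, other.registers))

    def count(self):
        alpha = 0.7213 / (1 + 1.079 / self.m)
        raw = alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * self.m and zeros:
            raw = self.m * math.log(self.m / zeros)   # linear counting for small sets
        return int(round(raw))


def daily_visitor_sketch(requests, day):
    """Build one day's sketch from (client_ip, user_agent) pairs.

    The raw IP exists only while the token is hashed; what is stored is the
    4 KiB register array, which cannot be turned back into addresses.
    Using IP + User-Agent as the visitor key is this example's assumption.
    """
    hll = HyperLogLog()
    for ip, ua in requests:
        hll.add(f"{day}|{ip}|{ua}")
    return hll


if __name__ == "__main__":
    # Constructed traffic: 10,000 distinct clients, each seen three times.
    sample = [(f"10.0.{i >> 8}.{i & 255}", "Mozilla/5.0") for i in range(10000)] * 3
    print(daily_visitor_sketch(sample, "2021-03-20").count())   # close to 10000
```

With p=12 the standard error is about 1.6%, which is plenty for a traffic dashboard, and the sketch size is fixed at 4 KiB no matter how many visitors arrive. The "very limited" part of the comment is real: a sketch answers "how many distinct", never "which ones" or "did this person come back", which is exactly why it is the privacy-friendly option.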


What's wrong with parsing your own log files locally?


Whether you parse log files locally, or in the cloud, or use a cookie really doesn't matter to the GDPR. They only mention the word "cookie" once in the entire law, it's independent of technology, as it should be. If you store personal information (like IP address) in your log files, you still need consent.


The 'cookie law' under discussion here predates GDPR by seven years, and mentions cookies repeatedly...


There is no cookie law. There was a privacy directive 7 years earlier, but it did not have any fines associated with it so no one really cared. We are discussing the GDPR that superseded the GDPR.


Quite a few companies have been fined for violating the law, and we are seeing positive effects for privacy because of it.

The cookie stuff, yes, it's annoying for us end users. I get it.

But take how H&M were fined for violating the privacy of their employees. That they had to stop doing that is a Good Thing, right?

https://www.bbc.com/news/technology-54418936


No, it is not a good thing.

GDPR is a highly complex piece of legislation that is very hard to navigate and therefore only established companies with big bucks to spend on lawyers and extra engineering can profit from the ecosystem while everybody else is put at risk.

Complex legislation and regulations is the best way to keep monopolies in place. Same goes for the financial sector, telecoms, etc. It's nearly impossible for new players to emerge.

These complex frameworks are put in place so that big companies that do nasty things can get away with it because they will be able to demonstrate that they have complied with the regulations while emerging players will break their teeth on it.

Instead of regulating _how_ data collection and processing should be done, we should penalise _what_ is done with the data in simple clear terms, and make _people_ (CEOs, etc.) responsible not just giving fines to companies. Basically, reintroduce skin in the game.


GDPR is sooo easy to follow as a startup. Just gather the data you need and not everything else, and ask for consent.

If anything, it was the big players getting work to do. Thousands of people on mailing lists with no control of how they got there. Asked and kept insane amounts of not necessary data. Data floating in hundreds of database tables spread over various services and third party vendors and data centers with no control. Cleaning up that was a huge job.


It really isn't that easy. Something like an IP address is considered personally identifiable information, and most web servers and frameworks log that by default. If you really want to comply, it takes quite a bit of effort to make sure you are not accidentally logging IP addresses somewhere. You can argue you need that info for the operation of your site, but it's been established that you would still need to ask permission in that case, did you do that?

Of course, they are unlikely to come after a startup for an infringement like that, but the point is that they could if they wanted to.


I don’t think the only factor considered is whether or not something is PII, rather even the intent is considered.

If you were storing IP addresses to track and market to users, you need consent.

If you’re using them for logging and security purposes, I think that falls under legitimate interest.


Just Google "IP addresses GDPR" and you will see several different conclusions. I actually looked at the site of the enforcement authority in my country and they say you can only store the first 3 bytes of an IP address. But enforcement authorities in other countries may claim differently.

My point is: it's really not that easy. It should be easy to get clear guidance on something straightforward like this, and not have to resort to Stack overflow answers.
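The "first 3 bytes" guidance the commenter quotes, turned into a log scrubber as an added example (not from the thread or any project it mentions). IPv4 addresses keep their first three octets (/24); the /48 cut for IPv6 is this example's own assumption, since the thread gives no IPv6 figure. Every hex-digit/dot/colon run in a line is tried as an address and only rewritten if the `ipaddress` module accepts it, so timestamps, status codes and version strings pass through untouched. The log lines are constructed.

```python
import ipaddress
import re

IPV4_KEEP_BITS = 24   # keep the first three bytes, as in the DPA guidance quoted above
IPV6_KEEP_BITS = 48   # assumption for this example: the thread gives no IPv6 figure

# Candidate tokens are runs of hex digits, dots and colons. Each candidate is
# validated with ipaddress, so "10:15:32", "200" or "HTTP/1.1" are never touched.
_CANDIDATE = re.compile(r"[0-9A-Fa-f.:]+")


def truncate_ip(text):
    """Return the address with its host bits zeroed, or None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    mask = ((1 << keep) - 1) << (addr.max_prefixlen - keep)
    return str(type(addr)(int(addr) & mask))   # same family, host part cleared


def anonymize_log_line(line):
    """Rewrite every IP address in one access-log line, wherever it appears."""
    def repl(match):
        masked = truncate_ip(match.group(0))
        return match.group(0) if masked is None else masked
    return _CANDIDATE.sub(repl, line)


def anonymize_log(lines):
    return [anonymize_log_line(line) for line in lines]


# Constructed sample in common log format; the second line carries an IPv6 client
# and the third an X-Forwarded-For style field, which the scrubber also handles.
SAMPLE_LOG = [
    '192.0.2.44 - - [20/Mar/2021:10:15:32 +0000] "GET /article HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [20/Mar/2021:10:16:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [20/Mar/2021:10:16:09 +0000] "GET / HTTP/1.1" 200 812 "203.0.113.9, 198.51.100.7" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

Run this at ingestion time, before lines reach disk or a log shipper, rather than as a later clean-up pass; the point of the effort the comment describes is that the full address is never written anywhere in the first place. Truncation is a one-way operation, so it also avoids the debate over whether a keyed hash of an address still counts as personal data.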


> You can argue you need that info for the operation of your site, but it's been established that you would still need to ask permission in that case, did you do that?

Where and how was that established? There are obvious operational and security reasons why the operator of a website might reasonably log access information, and there are lawful bases for processing data under the GDPR other than having the subject's explicit consent.


Speculation here, but informed speculation:

I highly doubt you as a non shady actor will be punished because of your server logs as such.

Start selling or otherwise sharing them with ad companies, directly or indirectly and you deserve and should expect a GDPR fine as soon as they can if you are in a jurisdiction where GDPR applies.

Same if you involuntarily leak data because of gross negligence: passwords in cleartext, unnecessary data collected and stored and later leaked etc etc

In many cases I understand authorities will even contact companies first and try to guide them toward a compliant solution instead of fining them right away.

That said, I wish there were some clarifications given wrt server logs and IP addresses; running without is in many cases gross negligence in itself.

Basic logging is first year defense against black arts curriculum.


> GDPR is sooo easy to follow as a startup. Just gather the data you need and not everything else, and ask for consent.

Clearly we're not going to ask for consent to track someone who is systematically probing our site for vulnerabilities, or someone who is attempting to use us to validate presumably stolen credit card details, or a group who are obviously sharing a password to gain unauthorised access in violation of our terms of service.

Also, the purpose(s) of data processing matter, not just the data itself. It's not as simple as only gathering what you need. You also have to ensure that what you gather is used appropriately, and that you have the means to respond to the various rights that subjects have by law.

> Thousands of people on mailing lists with no control of how they got there.

Actually, that was one of the tricky areas when the GDPR came in, and something almost no-one got right despite good intentions. Specifically, the widely accepted best practice for managing a mailing list had long been to use double opt-in, thus verifying that the subscriber really did intend to receive the messages, and to provide a simple, automated unsubscribe facility. However, unless you had kept all the confirmation replies, under the GDPR you might not have met the required standard for evidence of each list subscriber actively opting in to receive your mails.

That led to a wave of messages being sent out to mailing lists asking subscribers to confirm they still wanted to receive the mails. This was particularly ironic because if those subscribers hadn't already intended to consent then those messages were probably themselves in violation of existing law in much of the EU even before the GDPR came in. The difference was that before, no-one was seriously worried that a legitimately operated mailing list with double opt-in was going to be targeted for business-crippling penalties, but with all the ambiguity around the GDPR and the uncertainty around how it was going to be enforced, a lot of people panicked.


I don't recall having ever seen a mailing list following that best practice. It's always a

[] keep me informed about products

checkbox hidden somewhere in a purchase form, often pre-checked even though that's illegal. Recently I was somehow added to the mailing list of a car dealership after getting my car checked up there, and can't even unsubscribe without creating an account on their website.

I'm sure there are some legitimate mailing lists out there, but there are so many others that are scummy and in flagrant violation of the law. It's hard to shake the feeling that making things harder for mailing lists in general is going to be a net win for consumers.


Mailing list manager software operated that way almost universally for many years. You sent a mail to xyz-subscribe@example.com and then had to reply to a challenge message to confirm the subscription.

More recently, it's more about web forms and hosted services and so on, but typically you can't add subscribers on popular mailing list management services without either having the service run that kind of double opt-in check automatically or going through some kind of alternative process that involves explicitly confirming to the service that you have the required consent from somewhere else when adding the addresses directly.

There are loads of legitimate mailing lists, and the software and services running them have worked reasonably for decades, you just apparently haven't come across them. Not that I disagree with you that there are plenty of scummy ones as well, sadly.


It’s hard to follow if you are an old business built on gathering and selling your customers data.

I can see how it's a tough pill to swallow that that was exactly the point.


Is every startup hiring a lawyer who specializes in data protection laws? Publishing an impact assessment and waiting 8±6 weeks for permission to deploy? GDPR is the size of a novel and adds a lot of bureaucracy beyond not doing bad things. I think everyone in other jurisdictions needs to consider whether revenue from serving EU users covers compliance costs and risks.


> Because the law obviously didn't help stopping companies from doing shady shit

It helped immensely. I work in the financial sector in an EU country, and most institutions in my country are terrified about the GDPR.

The fact that some people will happily operate on the border or even closely beyond the border of law, applies to any other regulation as well.


How is it helpful if most institutions are terrified? Doesn't it indicate that the regulation is unreasonable instead? If the EU commission can't run a website without a popup, then why would you expect anyone else to be able to?


I meant terrified of doing shady stuff (as I was responding to the assertion that it didn't stop doing shady stuff), not terrified in general.

Running a website without a popup is easy. Just stop any processing that is not necessary for you to provide the service.

"But I want to track what users are doing!" - Well, then you have to show them a popup about that.

The GDPR holds that data protection is a fundamental right. Consequently, the user's interests generally trump a website owner's interest.


>"But I want to track what users are doing!" - Well, then you have to show them a popup about that.

I think most website owners don't care about that, but they do care about earning money to actually run the website.

>The GDPR holds that data protection is a fundamental right.

The GDPR says that if the user asks to use your service then you have to offer them the service regardless whether they're willing to pay for it or not. You cannot not show content to users who refuse to share the data. Effectively, everyone else has to subsidize them.

And that's why you have a labyrinth of pop ups - GDPR breaks the normal monetization methods of the web. Suddenly they're surprised that this led to dark patterns.


I think you know charging for services is allowed.

You say normal. Others say pernicious.


Sure, but then your users will flock to an alternative that doesn't charge them money. Maybe the alternative is propped up by government funding or funding by some giant corporation or maybe they're based outside of GDPR jurisdiction or maybe they just don't care about the laws. Whatever it is, you're getting outcompeted.

And if every alternative charges money, then that means you're shutting out a large portion of people. For example, I can't pay for anything online right now. It doesn't matter whether it costs $5 or just a single cent - I have no way to pay. It'll be sorted eventually, but even then paying for anything online for me will be a 5-10 minute process. Not exactly something I'm willing to do for almost anything. And a lot of people in the world are in a similar position - credit cards aren't as accessible in most of the world compared to the US. If services like paypal don't accept bank transfers from your country, then they don't help either.


> I think most website owners don't care about that, but they do care about earning money to actually run the website.

Again -- the GDPR recognizes the right to data as a fundamental right, and thus the ability to earn money with a website comes second to user's rights.

Arguing against this is a bit like Big Tobacco complaining that they're not allowed to sell cigarettes to children.

> The GDPR says that if the user asks to use your service then you have to offer them the service regardless whether they're willing to pay for it or not. You cannot not show content to users who refuse to share the data. Effectively, everyone else has to subsidize them.

Sure you can. All you have to do is offer two models: (a) a model where the user pays for the service, and (b) a model where the user receives the service in exchange for agreeing to tracking etc.


I'm not sure why you're downvoted, but (b) isn't allowed under GDPR. Consent has to be given freely. It means that you can't block content if the user is unwilling to have their information shared.


(b) is allowed. This has been confirmed by the Austrian Data Protection Agency. (I haven't checked other DPAs, but they coordinate with each other.)

In the case above, a newspaper offered access to paywalled content for a small monthly subscription fee, and readers would consume it with zero ads, zero tracking.

Alternatively, they offered access with no monetary cost, but instead in exchange for tracking.

The DPA ruled this as fair because readers had a choice, and because the paid model was reasonable for a newspaper subscription (€6/month).

The key here is that starting with alternative (a) makes it a paywalled service, which is clearly legal (think Netflix). Also offering (b) just offers another mode of payment.

You wrote earlier: "GDPR breaks the normal monetization methods of the web." Well, smoking regulation broke (some of the) monetization methods of Big Tobacco.

Arguing against the GDPR here is beside the point. The GDPR is not an end, it is a means. The end is recognition of right to data as a fundamental right.

Re-writing your statement in light of this, the point becomes "Data as a fundamental right breaks the normal monetization methods of the web." Opinions will differ here.


Oh yeah, thanks EU, now I can't read most USA local newspapers because they don't have money to waste complying with this and it's easier to region ban users


> if you don't do shady shit your site doesn't need a popup asking for consent.

This is what has been explained to me. Any sort of data sharing, like introducing Google Analytics in your website, and you need a disclaimer.


> Yes, I can't fathom why the hate is on the law, and not the companies now being exposed by the law.. Seriously, if you don't do shady shit your site doesn't need a popup asking for consent.

What problem do you believe is being solved by the popup? The idea that it will get consumers to boycott garbage websites and internet services (read: the vast majority) is wishful thinking. Consumers do not care in the slightest and just want to be cool and fit in and use the same thing as everyone else. Anyone who is tunnel visioned on web privacy (which doesn't and will never exist, due to how webcrap is built) will go to the bottom of the page and click "privacy policy". Websites shouldn't have means of collecting data about you at all in the first place. Banking and shopping should be done with software instead of insecure web scripts. Yes smaller steps can be taken but there is such thing as too small.

EDIT: Oh I think you're saying that the popup is indeed redundant because your website shouldn't have it because if it does your website is crap. I agree, but I don't agree with the law since I still use those websites regardless of how trash they are and all the popup does is make it more annoying.


>Yes, I can't fathom why the hate is on the law, and not the companies now being exposed by the law.

Because it's clearly not easy to run a service without these types of practices. If you want to get ad revenue then you have to have them.

Even the EU commission's own website has the pop up: https://europa.eu/

And they don't even have to worry about paying the bills for the website.


The EU's site is actually a pretty nice example. The banner is small, non-obtrusive and simple. It has the positive and negative options on equal footing. I don't think many would complain about that.


It's still a popup. And yeah, of course a website that doesn't ever have to care about paying the bills has leeway. Make the commission's website pay for their own hosting, maintenance, and development and see whether their website stays the way it is.


Why are you acting like all popups are the same?

Also what is your source that the commission isn't paying for their website? I don't mean to say that it's a relevant point, but I'm curious where you got this information. Does the commission not budget for their own hosting?


What if I, the end user, don't care what they do with that information?

Why should the EU decide that it's a bad thing for me and I need to be asked about? I hate the banners much more than the tracking.


As I understand it PECR does require affirmative consent to use cookies specifically. Often same mechanism is used for data processing bases for GDPR as for PECR consent.

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...


> The consent popups you see aren't just about cookies though.

I don't care about all the other stuff the popups are about either. The popups are pointless, click-through damage and they serve no purpose. The laws that caused them to exist are equally pointless. There is no measurable benefit to any of this privacy theater and no less tracking is occurring since the advent of all of these pointless popups.


Have you tried going through these new popups? If they are trustworthy then the current ones allow you to disable some cookies and give you an idea of who is doing the tracking. Even though there are far better ways to manage cookies with browser settings and extensions: the options are sometimes quite limited (e.g. Chrome on Android) and many people would simply be unaware of cookies without these popups. Those people use browsers with little understanding of what's happening under the hood and have no interest in exploring technology so disclosure is one of the few ways to inform them.

As for privacy theatre, there are two reasons why these popups are pointless. First, it was too little and too late. If the regulations came in before tracking became pervasive, it could have been effective since people would have had the option to find similar content. Second, far too few people feel entitled and click through without really considering whether it is worth the price.


These popups are designed to waste your time.

What's needed is a global setting to say no to everything.

Daniel from Croatia, perhaps could you add a checkbox (opt-in) to the extension with the text: «I declare that I don't want to be tracked and don't want to be bothered with questions about privacy.» and a link to a more detailed manifesto, if not already done?


Consent-o-matic already does that. You set your preferences, and it appropriately handles the forms for you.

https://addons.mozilla.org/en-US/firefox/addon/consent-o-mat...


Speculating here, we could call the checkbox "Do Not Track", and make it a browser setting.

HN would probably love this. Oh, wait...


Or you know, people could just disable cookies IN THE BROWSER SETTINGS if they don't like them. Which is the only place technical measures against cookies can be enforced anyways. And stop bothering the rest of us with these pointless popups.


Unfortunately disabling cookies is not enough — there is localStorage (can be disabled) and fingerprinting (nothing we can do).

Why don't you advertise "Don't Mind Tracking" header?


The setting they asked for was "Do Not Track", not "Do Not Store Data on my Computer".

You can track without setting cookies and you can set cookies without tracking.


Apparently THE LAW can force companies to put up these annoying popups. Couldn't THE LAW force companies to respect Do Not Track?

Yes, yes, I know, smaller sites will not give a fuck.

But I bet Google, FB and other ones will. Which is why they fight against this so hard. Just try enabling Do Not Track in Chrome and watch the scary dialogs you need to go through which will make regular people think it's a dangerous thing to do.


>>Apparently THE LAW can force companies to put up these annoying popups

Where does the law force companies to use annoying popups? I see the annoying popups as companies doing all they can to try to make users feel it is the law's fault and not the site's fault that a site requires consent via an annoying popup. In most of the cases the popup does nothing except annoy the users; there is often no difference in what is loaded before or after users are tricked into giving consent.

To follow the law you could only handle data directly relevant to the functionality of the site/app, or you could have a place where users could select "reject all" or see what to allow. "Allow all" or "see more", like for instance Google is using, is not following the law.


The problem is, no one wants to be tracked. So it makes sense for browsers to default to the setting everyone wants. But then tracker tech can't respect the setting because it means just shutting down.


It's a law that's hard to enforce. How would you verify that a company isn't tracking you without auditing their whole codebase and infrastructure at multiple points in time?


The EU is working on legislation to make Do Not Track enforced by law, which should get rid of a lot of the popups.

https://ec.europa.eu/digital-single-market/en/proposal-epriv...


I believe something similar is also in the works in California


I've recently learned of a website that respects this: https://geizhals.at/

So maybe there is some hope.


The list of cookies is so long that one might read 5 articles before reading the entire thing written in small print. Good luck if English is your second language.


Then don't and refuse the cookies and tracking.


How is that a solution?


They don't work for me.

> disable some cookies

No, f*k "some cookies". I block ALL cookies except for a few sites I need to log into. That means, ironically, the godawful popups can't set a cookie to remember that I don't want cookies, and they keep popping up every time I go back to that site.

The popups are a horrible experience, as are "please sign up for the newsletter" popups. I don't read any newsletters. I use uBlock Origin which gets rid of most popups, Intercom chat boxes, and other annoyances.


> No, f*k "some cookies". I block ALL cookies except for a few sites I need to log into. That means, ironically, the godawful popups can't set a cookie to remember that I don't want cookies, and they keep popping up every time I go back to that site.

I do that in reverse: everybody can set all the cookies they like, but only a few sites are allowed to keep their cookies after I close the tab. I do use I Don't Care About Cookies and this combination makes the web much more usable in my opinion.


And did you consent to setting cookies or did you enter a contract allowing tracking you with other means as well? If you consent on one site for one ad-company and reject on the other, can/will they use the original contract and track you on the rejected website? Or do you need to opt-out with the hidden form which can take 'up to 100 years'?

"Legitimate interests" are supposed to be interests integral to the running of your business. Ads are the core of an ad-business. Is this a loop-hole? I don't know.

Yes, the web is more usable. But does anything anyone does actually limit the information? I don't know, maybe I'm too cynical.


> That means, ironically, the godawful popups can't set a cookie to remember that I don't want cookies, and they keep popping up every time I go back to that site.

If it's any consolation, a pretty significant number appear to do that even if you ARE accepting cookies.


> Have you tried

I have. I found what the cynic in me expected to find: ambiguity enough to pass a convoy of container ships. This, coupled with the certainty that there are effectively no authorities policing these claims in detail (particularly the non-FAANG sites, being far less lucrative lawsuit targets) has only further convinced me of the utter pointlessness of consent popups.


> and many people would simply be unaware of cookies without these popups

They are still unaware. Do you honestly think anybody even reads what is on the popup? They just click accept or ok to make it go away immediately.


I read and deny them all.


The idea that people will go through these popup menus for every site they visit is just insane. It goes to show how governments and standards bodies really have no clue. When opening a hyperlink, you aren't meant to establish a relationship with this new website (at least not most of the time). It's supposed to be fast, possibly just to read a small part of that page and go back to the previous website.


And yet for many years it was the default that the new website behind the hyperlink would build a profile about you and sell this to its hundreds of 'partners'. You don't mean to establish a relationship with them, but they sure want one with you, and they want to know all about you.

If you were to quickly visit a shop and an employee would follow you around with a camera, make notes, and measure your height and your shoe size while you were waiting in line to pay, would you think that was okay and a normal experience? At least with the GDPR the stalkers have to ask your consent first, although ideally they wouldn't exist at all.


Its failure to make any real difference, together with the total lack of standard around implementation (why isn’t it treated like every other native browser permission dialog?) make it truly despicable.


> why isn’t it treated like every other native browser permission dialog?

Because it's not a browser permission. The browser could offer to send a "no" for you, but the site could just go on and track you anyway. It would be like having a permission dialog where clicking "no" just would ask the program kindly not to run with admin permissions.

Now, you might argue that the browser could start blocking cookies, but that would just break useful functionality (i.e. logins) without preventing the abundance of other methods of user tracking (local storage, tracking pixels, link parameters, fingerprints, ...). If you want to go down that route, the most reasonable response on clicking "no" would be to close the browser, really.


> The browser could offer to send a "no" for you, but the site could just go on and track you anyway.

Not just "could", this was already tried: https://en.wikipedia.org/wiki/Do_Not_Track

It's still in Firefox at least, and Mixpanel does respect it (a tracking service akin to Google Analytics), but not a whole lot else.


Exactly


idgi, is it harder for a malicious website to ask you if you accept cross site tracking cookies and then ignore your refusal than it is for them to ignore the same instruction from your browser?


No, this is about boundaries, abstractions and context really. When a browser sets a bound, the website usually has no way to override that, as the browser is above it permission-wise. Similarly, if the OS sets a boundary, the browser loses out, since it's below the OS. Fittingly, when you deny crossing such a boundary, you'd expect it to be denied.

Imagine, for example, if the dialog to allow push notifications for a website would be a UAC window. It would not make sense since a) the OS would ask for something which is clearly contained within the context of the browser and b) the OS has no reasonable [0] way to know whether a notification sent by the browser is on behalf of the denied/allowed website. Similarly, it makes sense to have the prompt for tracking data in the context of the website, since it is the only context in which it can reasonably [0] handle the response. It does change the difficulty or legality of circumvention, yes, but it is a bit less security theater.

At least that's the technical reason. If we're being honest, the discussion never came up, because a) laws are bad for setting technical standards in many ways and b) most site owners prefer to build their own dark patterns to get the user to click accept anyway.

[0] Excluding heuristics, of course, which would just start a game of cat and mouse yet again and would necessarily be flawed.


> Imagine, for example, if the dialog to allow push notifications for a website would be an UAC window. It would not make sense since a) the OS would ask for something which is clearly contained within the context of the browser and b) the OS has no reasonable [0] way to know whether a notification sent by the browser is on behalf of the denied/allowed website. Similarly, it makes sense to have the prompt for tracking data in the context of the website, since it is the only context in which it can reasonably [0] handle the response. It does change the difficulty or legality of circumvention, yes, but it is a bit less security theater.

I see these answers and I always get the feeling that they treat existing software (browsers, websites, os) like something that was handed down by God in the book of law.

The browser already asks the user for permission through the OS - it does for location, webcam, filesystem, etc - there's no context needed because you're actively engaged with it, the browser or the os system don't need any more context than the user clicked Yes or No for this request.

The other part of the implementation is fining the companies. I'm sure after a few millions every month they'll stop making SDKs that don't enforce collecting authorisation from the user before tracking.


> I see these answers and I always get the feeling that they treat existing software (browsers, websites, os) like something that was handed down by God in the book of law.

There's two sides for this. For one, this is the infrastructure that already exists and that is out there in the wild. If you start selling 500V electric appliances, people can of course buy transformers or the state could upgrade its grid, but in reality, changing the existing infrastructure to suddenly support something different is a huge effort. It's far easier and more economical to treat the given infrastructure as fixed and working within its bounds.

On the other hand, it usually adds a lot of needless complexity to break layers. Sometimes it is worth it (ZFS might be a good example), but usually it isn't. Imagine, for example, if Firefox needed to be patched to support SSDs or SD cards because it did some magic and accessed the HDD firmware directly - this would arguably be a bad idea.

> The browser already asks the user for permission through the OS - it does for location, webcam, filesystem, etc - there's no context needed because you're actively engaged with it, the browser or the os system don't need any more context than the user clicked Yes or No for this request.

Sure it does. The OS<->Browser boundary is basically about what the browser executable itself can do to the OS; the OS has no context on the finer granularity of websites. Going back to the electrical grid: My power company is worried about bringing electricity to my flat connection; turning specific appliances on or off is my part. It would be very strange if the power company would suddenly be in charge of whether my kettle specifically should have power.

> The other part of the implementation is fining the companies. I'm sure after a few millions every month they'll stop making SDK's that don't enforce collecting authorisation from the user before tracking.

I fully agree on that and we need more of that, but that is irrespective of how the user is asked whether he wants to accept cookies/tracking.


I understand that and agree with you regarding backwards comp, and legacy systems, it still pisses me to no end though, because it's like a continuous patching of things over things, each one increasing the area of friction - at some point if this digital infrastructure is to take a central part in human systems though it will need to be pruned, re-worked and if needed broken, otherwise it will continue to get worse.

And this is not even just at a systems level that I think is problematic - for those working with it, it's also with what it enables and what it doesn't.

I'm not a genius but I can see many ways of solving these cookie/privacy issues and I'm sure the smart folks back at these companies (browser, ads, etc) could too, they just choose not to.


That doesn't change the fact that the current implementation is user hostile. There's no reason that privacy laws couldn't enforce a user setting at the browser level that websites could access in a standard way. Similar to the "Do Not Track" header, but actually enforceable. That would be the user friendly approach, but would require a technical committee of browser vendors, advertisers and tech giants to be part of the design process. Unfortunately the reason this doesn't happen is because the technical team would be working against their own financial interests, so there's no incentive to stop exploiting the user. Which is why the modern web is hostile to the user, and likely won't change unless the business models drastically change.


It just goes to show you that government still has a lot of catching up to do when implementing technological law. This is even more apparent when you witness the countless hearings between congress and tech CEOs, which only confirm how much of a joke it is. I have not yet met a single person in tech who thinks all of this "congress drilling Zuck" isn't ultimately just a joke meant for theatre. I mean even Keith Gill took congress for a ride in the GameStop hearing. It's all a joke at this point. These people aren't equipped to deal with these issues.


Which is why the GDPR specifically forbids pointless clickthrough. The companies doing the theater should be fined.


Well consumer irritation with these popups is causing more and more sites to consider trackingless ads now. It's a hot topic in the EU.

I agree this is the wrong way to go about the issue but it does seem to have some positive effects as well.


I hope that there are positive effects. I wonder how to measure them.


This creates an interesting situation if your browser addin auto-squashes those dialogs. I doubt any court of law would rule you gave consent to a dialog that was never displayed to you.

(Of course if their terms are posted somewhere else on their website they might have you there).


It is stated that you have to actively give consent, e.g. click an unchecked box or a button. Just using the website after seeing a warning or a pop-up is not active in the court's opinion.


Actually, enforceability of such terms varies by jurisdiction and other factors. Search on clickwrap, clickthrough, etc.


For those, I wanted an extension that replaced data on the cookies with some random data at every access

Enjoy tracking that


There’s the added joy that some poorly written data munger is going to crash when it receives session tokens that never existed.


Any sufficiently large data analyzer is going to handle that already. Even if you have reliable delivery of the "session created" event into the analyzer, you'll still occasionally get wonky data from bit flips.


There is already analytics spam.


I'm bracing myself for the downvotes, but I'm going to post this anyway.

What do you mean with personal data anyway? In GDPR this means:

a name and surname;

a home address;

an email address such as name.surname@company.com; (NOT info@company.com!!!!)

an identification card number;

location data (for example the location data function on a mobile phone);

an Internet Protocol (IP) address;

a cookie ID;

the advertising identifier of your phone;

data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

For the IP address, I never count on the fact that they don't track it. Who does??? Same for location. Why would you think a website wouldn't be able to get your location, unless you take some real measure to prevent it.

Some consent popup isn't going to convince me that they will or will not track it. I don't give a shit, I expect EVERY website to track this.

For the rest, well, if I provide my info to the website, I'm guessing that they can also identify me with it, no? If I don't want the website to know it, I just don't provide it.

Same thing here: I really don't care what their consent message says.

So long story short: If I want to keep some privacy, I will definitely not rely on the "word of the website" that they will handle it any way they say. If I want privacy, I will take care of that myself.

And for the rest of the legal bullshit, I never read it anyway. EULA's etc.... who does?


Any good examples of these terms. I would like to read through them. I see very few of these pop-ups because I rarely use a graphical browser, and if I do, Javascript is disabled unless necessary.

It does seem like the GDPR is being exploited to manipulate how users consent in a way that benefits the website's online ad scheme more than the user's experience.

If I were drafting a GDPR, I would standardise the consent mechanism and not allow for much creativity. Ideally IMO the consent process, e.g., each pop-up, should be so predictable that consent/denial of consent could be automated. Asking users to read terms, and engage in some sort of interactive consent is not practicable. Users will just click "OK" or whatever they need to in order to make the pop-up go away. Website developers know this and it should be no surprise if they are taking advantage of that to sneak in all manner of one-sided terms.


The reason GDPR doesn't standardise a consent mechanism is because GDPR isn't about websites, it's about data protection. It applies to offline companies just as much as it applies to online companies. GDPR has nothing to do with cookies (that's a separate directive), but is about personal data, personally identifiable data, the use of this data and user rights over their data.


The standardized popup is not in the GDPR, but it is stated that you have to make the privacy-friendliest setting your default. If the user just clicks OK this should lead to no tracking at all.

https://gdpr-info.eu/art-25-gdpr/


> Any good examples of these terms. I would like to read through them. I see very few of these pop-ups because I rarely use a graphical browser, and if I do, Javascript is disabled unless necessary.

General terms: https://www.st.com/content/st_com/en/common/privacy-portal/c...

Breakdown of cookie use: https://www.st.com/content/st_com/en/common/privacy-portal/p...

Technical opt-out measures: https://www.st.com/content/st_com/en/common/privacy-portal/p...

> It does seem like the GDPR is being exploited to manipulate how users consent in a way that benefits the website's online ad scheme more than the user's experience.

Agreed.

> If I were drafting a GDPR, I would standardise the consent mechanism and not allow for much creativity. Ideally IMO the consent process, e.g., each pop-up, should be so predictable that consent/denial of consent could be automated. Asking users to read terms, and engage in some sort of interactive consent is not practicable. Users will just click "OK" or whatever they need to in order to make the pop-up go away. Website developers know this and it should be no surpise if they are taking advantage of that to sneek in all manner of one-sided terms.

I would agree, except ... these pop-ups are visible and it is easy to verify that certain information is being presented. The failure to review such information falls to the end user, even though there are legitimate reasons why they would click to make the pop-up go away (e.g. the time required to review the information). Unfortunately, it is difficult for most people to verify which cookies are being used by a particular site and it is impossible for them to verify how they are being used.



Please stop.


A subtlety that may be obscured by the name: the software developer is suggesting that people use technological self-help (proactively blocking and deleting cookies) instead of spending a lot of their time and energy repeatedly performing the same cookie consent actions. It's not so much "I don't care at all" as "I want to deal with cookies by a different method than being notified of them over and over again".


I didn't get that from this webpage. It seems like his extension just accepts all cookie requests and doesn't delete them.


Did you read the first paragraph of the page by any chance?

“If you surf anonymously or if you delete cookies automatically every time you close the browser, websites will ask for that permission again and again, and it will soon become very irritating to click the same I agree buttons every day.”

The extension doesn't claim to delete cookies (and GP doesn't suggest that it does), but it's clearly targeted at people that are using technological means to deal with the problem rather than clicking "pretty please don't track me" and hoping for the best.


Why surf anonymously or delete the cookies after all if you click "I agree" every time?


Because those cookies are cleared when the tab is closed and most of the major ad networks (Google, Amazon) forget who you are when that happens. Why worry about it?


Lol. Do they really.


This is wrongly downvoted despite being absolutely right.

There's a big misunderstanding behind these "cookie" consent prompts. They are actually about overall data processing consent regardless of technical means - this includes cookies but also things like browser fingerprinting, IP addresses, etc which will persist despite clearing cookies.

Using an extension that automatically grants consent and merely deletes cookies every time would give you a false sense of security if the automatically granted consent allows them to use your browser's fingerprint or IP address to track you anyway.


At least if you’re in EU, active consent is required to comply with the GDPR. This means that if you do what this extension does (filter out the UI elements and ignore dialogs), it’s illegal for a website to save PII about you and your visit.

Many websites and data processors violate this, but since that’s the case for those sites the only winning move is not to play.


It could be argued that if the consent prompt can’t be dismissed without providing an answer (whether accept or decline) and you use technical means to circumvent that then it’s fair for the system to track you anyway as it’s undefined behavior?


Many websites are not compliant though, so while it's illegal, they're still doing it. For example, GDPR requires opt-in, many websites have opt-out. It's illegal, but if it's not being enforced, then...


Yes, they do. Google doesn't use fingerprinting for ads. Go look at the privacy policy.


I don't see anything in that policy that would prevent them (although I grant that many clauses try to give that impression without explicitly stating they don't). What they do say though is

> The information we collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request. ... We may also collect information about you from trusted partners, including marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse. We also receive information from advertisers to provide advertising and research services on their behalf. We use various technologies to collect and store information, including cookies, pixel tags, local storage, such as browser web storage or application data caches, databases, and server logs. ... We use the information we collect to customize our services for you, including providing recommendations, personalized content, and customized search results


Google probably doesn't need to use fingerprinting. They control enough of the web that first-party cookies and google accounts probably give them enough information already.


The reality is that very few websites actually let you choose whether to accept tracking cookies or not. For the most part, they set the cookies immediately, even before the disclosure banner appears. Most of them don't even include the option to opt out. It doesn't matter that this is against both the spirit and the letter of the GDPR. Those banners are just an annoying bit of compliance theater.

Given that I'm getting the cookies whether I want them or not, and deleting them whenever my browser closes, if this extension keeps the banners off my screen it's a huge net positive from my perspective.


Or, if you already use uBlock Origin and would rather use its performant, customizable, extensible filtering capabilities instead of adding (and trusting!) yet another addon, just check the "EasyList Cookie" list in your Filter Lists :) .


I don't care about cookies blocks more. In uBO you can add the I don't care about cookies list: https://www.i-dont-care-about-cookies.eu/abp/


How do you quantify "more"? If you mean "by length of blocklist", is the number of rules a good metric to evaluate a filter list? In years of using the built-in "EasyList Cookie" list, I've:

1. Never seen a cookie div.

2. Never been bitten by incorrect / false-positivey / over-zealous rules.

Everything else being equal, more options is good, but I don't see any reason to switch from Easylist Cookies, which I know is well-maintained, benefits from the Easylist umbrella, and has lots of users (since it's offered by default in uBlock Origin).


The website already offers an ad blocker filter. I use one that was not named on the website, so went poking in the filterlists available in my ad blocker extension, and found "I don't care about cookies" was already listed as an option there.


Browsers should allow users to install extensions from github.


AFAIK, Firefox does, if you're running the beta/nightly channel (and maybe you need to have set an about:config pref too, I forgot, search about it). I install the beta release of uBlock Origin from its GitHub releases page.

EDIT: browser makers are understandably cautious about it, even with a closed ecosystem it's already hard enough for them to avoid half their users getting pushed into installing dubious/malware addons within three hours of browsing, and their resources are limited. So, they default to closed-ness "for the masses", but there's a knob. I don't find this unreasonable.


It'd be neat if extension stores could integrate with some CI system(s). The store could just tell the user "built from <source URL>". Best of both worlds.


It's a balancing act of security and openness. Extensions so far had a really bad track record of having too many permissions. They could be detrimental to user's life if an extension can easily grab login cookies/credentials or whatever to your banking if you ever enter it in your own browser.

I think more restrictions should be put on extensions but it's always hard to balance between accessible developer tools for people who know what they're doing and somebody writing down the instructions how to circumvent it to lure the user to install a malicious extension in developer mode.


Honestly, I think it is our job as the creators/hackers to come up with a better solution. The problem is very real, and needs to be fixed. But no good solution has ever been created by lawyers. Ever. So here we are, left with a forest of cookie warnings that perfectly break the internet.

So here is a proposal:

What if a user could declare her/his consent settings _before_ opening the website? There would no longer be a need for consent dialogues, right?

One way to achieve that would be to take an example from the UTM parameters. A browser/User could just use ?utm_consent=all, ?utm_consent=minimal, and ?utm_consent=deny to indicate the level of consent. Browsers could offer it as a standard setting and automatically amend it to any URL. Websites could just drop the consent dialogue whenever that UTM is set.


And the do-not-track header was created, and promptly ignored and used as a form of fingerprinting, due to an absence of legal backing.


Surely there's an easier way:

Standardize an extension to the Set-Cookie header for a "Purpose" field. This field if unset means the cookie is essential (local laws now still apply so if a website misrepresents a non-essential cookie as essential then that's illegal just the same way as implementing a fake cookie banner or not implementing one (if you need it) is illegal). Now in my browser I can set my cookie preferences to only store and send essential cookies.

For other tracking methods that don't use cookies there's already DNT and all that's needed is for a local law update to clarify what it means and to enforce its use.

These things would actually make sense as opposed to the current situation where the EU makes it sound like cookies are something a website forcibly stores on your computer and uses.
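What the proposal above would look like on the browser side, as an added example (not the thread's code, and the `Purpose` attribute is hypothetical: no browser or RFC defines it). The toy cookie jar parses `Set-Cookie` headers, treats a missing `Purpose` as "essential" (the proposal's default), stores only the purposes the user allowed, classifies each cookie as session or persistent from `Max-Age`/`Expires`, and builds the `Cookie` and `DNT: 1` request headers that go back to the site. The sample headers are constructed; `example`-style cookie names are illustrative.

```javascript
// Added example: a cookie jar honouring a hypothetical Purpose attribute on Set-Cookie.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('malformed Set-Cookie: ' + header);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Hypothetical Purpose attribute: unset means "essential", per the proposal above.
function cookiePurpose(cookie) {
  const p = cookie.attrs.purpose;
  return typeof p === 'string' && p.length > 0 ? p.toLowerCase() : 'essential';
}

// No Max-Age and no Expires makes a session cookie, dropped when the browser closes.
function isSessionCookie(cookie) {
  return !('max-age' in cookie.attrs) && !('expires' in cookie.attrs);
}

// Decide which Set-Cookie headers get stored for a user who allowed the given
// purposes. 'essential' is always allowed. Returns both stored and rejected cookies.
function filterSetCookies(headers, allowedPurposes) {
  const allowed = new Set(['essential', ...allowedPurposes.map((p) => p.toLowerCase())]);
  const stored = [];
  const rejected = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const purpose = cookiePurpose(c);
    const entry = { name: c.name, value: c.value, purpose, session: isSessionCookie(c) };
    (allowed.has(purpose) ? stored : rejected).push(entry);
  }
  return { stored, rejected };
}

// Headers the browser sends back: surviving cookies plus DNT: 1 for an opted-out
// user. Whether the site honours DNT is still up to the site.
function buildRequestHeaders(stored, doNotTrack) {
  const headers = {};
  if (stored.length > 0) headers.Cookie = stored.map((c) => `${c.name}=${c.value}`).join('; ');
  if (doNotTrack) headers.DNT = '1';
  return headers;
}

// Constructed sample: three Set-Cookie headers a site might send on first visit.
const SAMPLE_SET_COOKIES = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_ga=GA1.2.111.222; Max-Age=63072000; Path=/; Purpose=analytics',
  'adid=xyz; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Purpose=advertising',
];

// Usage: an "essential only" user keeps the session cookie and nothing else.
const essentialOnly = filterSetCookies(SAMPLE_SET_COOKIES, []);
console.log(essentialOnly);
console.log(buildRequestHeaders(essentialOnly.stored, true));
```

The legal side the comment above describes is unchanged by this: a site that labels an analytics cookie as essential (by omitting `Purpose`) is lying to the browser exactly as a fake banner lies to the user, and only enforcement can address that.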


Beautiful technical solution. Wouldn’t it depend on all website creators and all browser makers to pretty much commit to changes in their code at the same time, before the first consent banner would actually go away? How do you get them to do that?


Yes it would require everyone to make changes, but like the other person who responded to your comment it probably wouldn't need to happen at the same time. The point is that it's probably a bit late now but if this was the original solution proposed by the EU the end result would be a lot cleaner while still taking about the same amount of effort (at the end of the day web developers still had to look at all the cookies they set, categorise them, implement warning banners and then correctly handle responses).


You could do user agent sniffing and skip showing the banner if you know the browser supports cookie purposes.

Of course user agent sniffing tends to cause a lot of problems, so this probably isn't a good idea.


Or just have the browser advertise its support for the extension (e.g. yet another header).


> Honestly, I think it is our job as the creators/hackers to come up with a better solution. The problem is very real, and needs to be fixed. But no good solution has ever been created by lawyers. Ever.

We could stop using tracking cookies.


A much better way: you must ask for consent through something like navigator.cookieconsent, which will trigger the browser specific resolver (that may, or may not, show a prompt for the user depending on her choices). If you set a cookie before this, it will be silently ignored.

To work with JS-free sites, you can feed the same information through a tag in the HTML.

We don't need an exemption for necessary cookies, since the only reason a site would need to set a necessary cookie is to remember the users choice, and the browser can do that better.

If the user logs in, by filling out a username and password field, a single cookie should automatically be saved.

I imagine Firefox is the best browser to get this started in. Anybody has any pointers to how to get the ball moving?


> Anybody has any pointers to how to get the ball moving?

Maybe writing an extension as a proof-of-concept, then finding someone who's a member of W3C to propose it as a standard.


I'm sure there's a Consent As A Service (CaaS) somewhere. If not then that's potential revenue right there.


> I think it is our job as the creators/hackers to come up with a better solution.

Here's a radical idea for a solution: pressure EU member state data protection agencies to start seriously enforcing GDPR violations. Internet is so good at amplifying messages, so why not amplify that?

GDPR is already a good solution to this problem. The only reason it works so poorly is because it's not being enforced - so most websites feel safe choosing to break the law. If there was an uptick in fines being issued against all players, big and small, the situation would change very quickly.


This browser plugin automatically accepted a Notion.so pop up to upgrade to enterprise plan. Beware of this plugin!


Uhh, that's bad.

Come to think of it, a malicious company could probably set up their systems so they get auto-confirmed by the plugin. I'm not sure they'd be valid in that case.

Similar attacks: load the fine print via JS and stick it into an /ads/advertisement.js so adblockers will block the loading of it.

Can the company claim "we showed it to the user, if their software hides it, that's not our problem"?


No, the user did not consent. They have to be aware of such systems, not game it. The intent and the consent have to be clear to both parties. Agreement is about respect not about malice. If a consent is maliciously hidden away, no matter how technically, then it's not valid. Law is not binary in these cases, it's all about the circumstance.


That's what I figure, but how does that work for e.g. Cookie Consent? The user has a plugin that just clicks "Accept" on the consent overlay. They don't read the consent, they're not aware of what they consent to specifically.

Is their (or their plugin's, acting as their agent) consent valid because they know about the general framework (tracking cookies)? And would that consent depend on the overlay not including any surprising terms (e.g. "you're also buying a washing machine", "you're also allowing us to mine crypto in your browser" or "we may also use browser fingerprinting, not just cookies")?


This extension is awesome.

It wouldn’t be so necessary if all those websites asking for my permission to use cookies would actually use a cookie to store that permission / preference so they don’t ask again every damn time. This is really the reason why I use this extension - I didn’t mind so much reviewing the permissions once for each site, but having to do it constantly really became too much after a certain point.


but most do. I only have to redo my choice after I clean my browser data. Maybe you have your browser configured to automatically clean data after close?


I’ve used this for years and it’s brilliant. I really don’t care about cookies because I pair this extension with “cookie auto delete”, so whatever these cookies do, they would disappear.

The only downside is that some sites are broken by this extension. Sometimes you end up on a site where the page is disabled and you cannot click on things. Usually turning off the extension and clicking manually the banner fixes the issue.

So here are the three extensions I can’t live without:

- ublock origin

- I don’t care about cookies

- cookie auto delete.

They make the internet usable.


I wish it was that easy. I'm also using Cookie Auto Delete and uBlock Origin, but remember that many of the tools you are agreeing to use fingerprinting, meaning that even if you delete their cookies they'll keep tracking you around the web. It's safer to not agree to load them IMHO.


ublock origin has a setting that rejects cookies in the GDPR notices instead of accepting them


Where is it?


It's in the annoyances section. I checked all of these and haven't been bothered since.


By the same developer: the No Thanks extension. Blocks most newsletter offers, subscription begging views, etc.

It costs a bit of money, but when asked, an invoice is provided so you can deduct it as a business, or ask your boss to pay.

https://www.no-thanks-extension.com/


I suppose I'll add this to the growing constellation of add-ons considered essential just to even get around the web without annoying, managerially-imposed dark patterns interrupting my workflow.


They should just rename cookies to biscuits and be done with it for good.


Hush performs a similar function for Safari users.

https://oblador.github.io/hush/


I use this javascript bookmarklet to remove sticky headers/footers/popups:

https://github.com/t-mart/kill-sticky


I use Firefox Focus as my primary browser on the phone. I get some kind of thrill agreeing to cookies from sites that are going to disappear from my history in minutes.


That means you also gave permission for them to identify you, store and process that data. And with things like canvas fingerprinting it doesn't matter that you deleted the cookies, they have a persistent identifier for you anyway.


>they have a persistent identifier for you anyway

I don't believe this to be true. My CS1 browser fingerprinting[1] results show that Internet Explorer and Chromium (Chrome etc.) are trackable with fingerprinting but Firefox (at least for me) is not, neither on desktop nor on mobile. Of course they might have found something the researchers have not.

1: https://browser-fingerprint.cs.fau.de/


Thanks, I gave away my information by signing up for the project and they say that Firefox Focus can not be 'tracked uniquely over time' after I did a test scan on my phone. Plain Firefox from the Android store had the same result, but that app actually does store my cookies.


You have to test over time to get a useful result. Also note that this test only tests fingerprinting. They don't use cookies to test if you can be tracked.


Excellent. I hate having to constantly click through those.


I think this would actually massively increase security because you won’t be mindlessly clicking Yes to whatever a website says.


Why would you click "yes"? On legally implemented sites it's just as easy to always click "no".


I guess I thought they wouldn’t let me in if I click no!

I still think it is easy for a malicious site to make both the yes and no button install X malware when you click it. I don’t know if that fear is valid but as a Windows 95 and 98 ptsd person we were trained don’t click and agree to anything.


The problem with cookie popups is that it trains people to just click Yes and OK without thinking and reading. At the end we get blind to them and we click and accept things which are much more important, download viruses, click bad links or whatever.

What's needed is better default protection by the law to stop companies collecting and using data.


He offers ubo/abp block lists and says his extension accepts the policy when necessary. But there is no configuration, no way to add new site rules, and no source repo (would have to open the xpi myself).

It seems more useful to write my own Greasemonkey script, instead. At least when I encounter a site like this, which I couldn't think of.
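As an added example of the "write my own Greasemonkey script" route suggested above (this is not the extension's code and nothing from the thread; the label patterns are my own heuristic assumptions, and a real deployment would need per-site tuning): a userscript that looks for a reject-style button on a consent banner and clicks that, and deliberately never clicks "accept". The decision logic is kept in pure functions so it can be tested outside a browser; the DOM glue at the bottom only runs when `document` exists.

```javascript
// ==UserScript==
// @name         Prefer "reject" on consent banners (added example, not the extension's code)
// @match        *://*/*
// @grant        none
// ==/UserScript==

// Heuristic label patterns (assumption: these cover the common banner wordings;
// extend per site). Reject-style labels are tried first so that "Reject all"
// never loses to "Accept all" on the same banner.
const REJECT_PATTERNS = [
  /^reject( all)?$/i, /^decline/i, /^(only )?(necessary|essential)/i,
  /^ablehnen/i, /^refuser/i, /^rechazar/i,
];
const ACCEPT_PATTERNS = [/^accept( all)?$/i, /^agree/i, /^(ok|got it)$/i, /^akzeptieren/i];

// Classify one button label as 'reject', 'accept' or null (unknown).
function classifyLabel(label) {
  const t = String(label).trim().replace(/\s+/g, ' ');
  if (REJECT_PATTERNS.some(r => r.test(t))) return 'reject';
  if (ACCEPT_PATTERNS.some(r => r.test(t))) return 'accept';
  return null;
}

// Given the visible labels of candidate buttons in DOM order, return the index
// of the first reject-style button, or -1 if none. Accept-style buttons are
// never chosen: if a banner offers no way to refuse, the script leaves it alone
// rather than consenting on the user's behalf.
function chooseConsentButton(labels) {
  for (let i = 0; i < labels.length; i++) {
    if (classifyLabel(labels[i]) === 'reject') return i;
  }
  return -1;
}

// Browser-only part: find clickable elements, pick one, click it once per page.
let clickedOnce = false;
function clickRejectButton(root) {
  if (clickedOnce) return false;
  const candidates = Array.from(root.querySelectorAll('button, [role="button"], input[type="button"]'));
  const labels = candidates.map(el => el.textContent || el.value || '');
  const idx = chooseConsentButton(labels);
  if (idx < 0) return false;
  clickedOnce = true;
  candidates[idx].click();
  return true;
}

if (typeof document !== 'undefined') {
  // Banners are often injected after load, so watch for DOM changes too.
  clickRejectButton(document);
  new MutationObserver(() => clickRejectButton(document))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```

Matching on button text is the cheap, fragile part: it is exactly why the extension ships a site list instead, and why a banner that labels its refuse option "Manage settings" is left untouched here.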


It would be even more useful if extension had additional rules to always set minimal permissions level for a website; easier when using standard cookie banners, harder for custom coded ones. Alternative solution: individual cookie allow/block list, so only useful (language settings, login etc.) cookies could be set.


Relevant: https://twitter.com/EstelMP/status/1369936040702730241

The new E-Privacy Directive (if it doesn't get watered down) might help with the cookie wall problem.


How do you stay logged in without cookies? Aren’t they vital to logging in anywhere?


You don't need consent for such cookies


Some sites use localstorage instead of cookies for session tracking.


Thank you. According to a quick search [1],

""" Cookies and local storage serve different purposes. Cookies are primarily for reading server-side, local storage can only be read by the client-side. So the question is, in your app, who needs this data — the client or the server?

If it's your client (your JavaScript), then by all means switch. You're wasting bandwidth by sending all the data in each HTTP header.

If it's your server, local storage isn't so useful because you'd have to forward the data along somehow (with Ajax or hidden form fields or something). This might be okay if the server only needs a small subset of the total data for each request. """

So I guess server-side no-JS applications are going to be caught in this crossfire?

[1] https://stackoverflow.com/questions/3220660/local-storage-vs...


Client side apps will be caught as well. Putting a JWT in a HttpOnly cookie is a common pattern. In fact, many people recommend this approach over localStorage for security reasons.


phpBB-era forums would let you authenticate by putting a session ID in the URL. No cookies needed. There are many ways to do authentication without cookies. There's also basic auth. The whole "we use cookies" thing is a weird misnomer to make laypeople understand that the website is talking about the same concept those FUD articles about web tracking have talked about (tracking can be done through thousands of different vectors, no cookies needed).

>So I guess server-side no-JS applications are going to be caught in this crossfire?

No, as nicbou said, the "we use cookies" popup seems to be only required for tracking/advertising cookies.


Both cookie and localStorage are just a way to identify session. Basically:

    GET /user/#{localStorage.id}

vs

    GET /user
    Cookie: id=#{Cookie.id}

In both cases GDPR restricts user tracking and allows storing data that's required for domain to function properly.
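The two comments above (the JWT-in-an-HttpOnly-cookie recommendation and the cookie-versus-localStorage sketch) are easier to reason about with the headers written out, so here is an added example that is not from the thread or from any of the tools discussed. It runs under Node with no browser; the request and header strings are constructed for illustration. It builds a session cookie with the attributes a practitioner would set by default, parses both transport styles, and simulates the one property that makes the cookie the safer home for a bearer token: a page script (and therefore an XSS payload) can read localStorage, but not a cookie flagged HttpOnly.

```javascript
// Added example (not the extension's code or anything from the thread).
// Runs under Node; header strings are constructed for illustration.

// Build a Set-Cookie header for a session token. Max-Age is in seconds.
// Secure + HttpOnly + SameSite are the defaults a bearer token should get.
function buildSessionSetCookie(name, value, { maxAge = 3600, sameSite = 'Strict' } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s"\\]/.test(value)) throw new Error('cookie value must not contain ; , quotes or whitespace');
  return `${name}=${value}; Path=/; Max-Age=${maxAge}; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Simulate what document.cookie would expose to page scripts: only cookies set
// without HttpOnly. Anything in localStorage would be fully readable, which is
// the security argument for the HttpOnly cookie over localStorage.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(c => !('httponly' in c.attrs))
    .map(c => c.name);
}

// Parse a request Cookie header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const p = part.trim();
    const i = p.indexOf('=');
    if (i <= 0) continue;
    out[p.slice(0, i)] = p.slice(i + 1);
  }
  return out;
}

// Recover the session id for both styles in the comment above: the cookie
// variant and the localStorage variant where the client appends the id to the
// path. The result says which source it came from, because a path-carried id
// ends up in server logs, proxy logs and Referer headers, so a caller may want
// to treat it differently (for example, rotate it on first use).
function sessionIdFromRequest(req, cookieName = 'id') {
  const cookies = parseCookieHeader(req.headers && req.headers.cookie);
  if (cookies[cookieName]) return { id: cookies[cookieName], source: 'cookie' };
  const m = /^\/user\/([A-Za-z0-9_-]+)$/.exec(req.url || '');
  if (m) return { id: m[1], source: 'url' };
  return null;
}

// Stand-alone demo.
function demo() {
  const session = buildSessionSetCookie('id', 'abc123');
  const theme = 'theme=dark; Path=/';
  return {
    setCookie: session,
    visibleToScripts: scriptVisibleCookies([session, theme]),
    viaCookie: sessionIdFromRequest({ url: '/user', headers: { cookie: 'id=abc123; theme=dark' } }),
    viaUrl: sessionIdFromRequest({ url: '/user/abc123', headers: {} }),
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The HttpOnly flag does not stop a script that is already running on the page from making authenticated requests in the victim's browser; it stops the token from being copied out and reused elsewhere, which is the difference the "for security reasons" recommendation is about.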


Those cookie warnings are a classic ill-conceived solution. No user reads it, everyone is just clicking "Accept". So what privacy gain do we get?


Why not program that extension to refuse cookie instead?


What we should have instead of custom cookie banners is the browser asking. As it's being done with other APIs too.


How does the extensions work. Does it have a hardcoded database with an entry for each website?


It's not exactly "an entry for each website", but yes it's based on a list: https://www.i-dont-care-about-cookies.eu/abp/


The vast majority of the annoying consent prompts are provided by a few vendors so are trivial to detect & block.


I do not like this extension. I would rather use this one, which is the work of a public university: https://addons.mozilla.org/en-US/firefox/addon/consent-o-mat...


I have been using this for months and it hugely improved my web browsing experience. I would love it to become a browser feature at some point.

(Yes, I really dislike how the "privacy" warriors are dragging everyone into their pointless crusades.)


Pointless in your opinion. Tech companies’ obsession with tracking has really degraded the experience of the web, and at least someone is pushing back. If you don’t like the situation get mad at the companies who abused the lack of regulation.


This extension would be a good addition to the tor browser.


“If you surf anonymously" Does he confuse incognito mode with anonymous surfing?


How did this take so long to be made? I'll install this and try it tomorrow.


It’s actually been around for a while; the Internet Archive seems to indicate that it has been around since at least January 2014 [1], and I’ve been using the filter list with uBlock Origin for at least a couple of years now.

[1]: https://web.archive.org/web/20170831060807/https://addons.mo...



