Disclaimer: I actually click through the "do not consent" procedure, which tells a lot about what I'm about to say.
When the EU regulation came up, I was shocked that a single article was being shared with 100+ "partners". I knew it was bad, but I didn't know it was that bad. At least now I get the choice to opt-out. Sidenote: Google got fined for that pop-up because it should have a "do not accept" option [1].
Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back. Do you want to blame the EU for not anticipating that companies would act maliciously? Sounds fair to me. But don't let the companies off the hook for acting maliciously!
Exactly, I always click the 'do not accept/consent' or 'manage my preferences' button. There are a surprising number of sites that use dark patterns.
Whoever made the initial video must be a shill for the tracking companies because they didn't click on the 'do not accept' options, otherwise people would see how pervasive and thoroughly ridiculous the trackers are.
And when you get one that has a whole series of sliders in the left position and all lit up green or blue, and no "Reject All" button at the top or bottom, close the tab.
> Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back.
You're giving these companies much more credit than they deserve. They're just going through the motions in an attempt to avoid lawsuits, but clearly not even Google can get it right 100%.
Hanlon's razor:
"Never attribute to malice that which is adequately explained by stupidity."
Having worked for a number of companies implementing these measures, there's no malicious intent, they are rolling their eyes the whole time. It's just a box they need to tick. Everyone wishes it would just go away.
Who the heck downloads apps these days for every stupid thing? I mean apart from clueless grannies who would gladly send some money to that poor Nigerian prince over and over again.
I've stopped quite some time ago, basically my collection of apps is set in stone once I configure a new phone. If something seismic happens in the real world I may add an app, at an average rate of 1 app/year, and that's about it.
Not using apps is so cool, some crappy webs that don't support mobile firefox with ublock origin don't even get my time, the rest is well curated. Due to reasons behind I am more than fine clicking on consent popups, the way they are designed to get to reject consent dialog tells you outright how moral/amoral business is behind it. So this is actually a time-saving feature.
The thing is, life is short. No, it's darn short, ask any old person. Definitely too short to waste too much of it on regretful things like phones.
So far the law had the desired effect, and the companies making it hard to opt out are actually breaking said law, just nobody yet bothered to take them to court for that.
> Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back. Do you want to blame the EU for not anticipating that companies would act maliciously? Sounds fair to me. But don't let the companies off the hook for acting maliciously!
This gets repeated a lot. However, even one of the pages on the official site of the EU has a cookie banner:
When the first cookie law came into action companies sprung up claiming to provide a solution. Rather than actually doing anything useful they'd give you a JavaScript snippet to just dump onto your page and then they'd deal with everything. They'd scan your site and compile a list of cookies and their purpose and present that to your users. It sort of worked, except the service would frequently fail to recognize certain cookies or part of your site might be behind a login. But it was something you could easily implement and push the responsibility to a third-party for a small fee.
Then came GDPR and these retarded cookie banner companies decided to offer that as a service as well... Basically the same thing right? Well for many of the sites it is, because their goal is to find a way to do nothing, or as little as possible, they don't want things to change and here's someone offering them just that.
I hate it when people are blaming the EU for the nightmare that is consent popups. They aren't required, unless you're doing stupid shit. Companies love presenting this as: The EU is making us do this. NO, you want to track people online and the EU is simply asking for you to declare that.
It's truly amazing that companies don't see the problem telling people that they care about their privacy, yet present them with a list of 600 "partners" with whom they share our data.
So yes, it's laziness, these sites don't want to change the way they deal with advertisers, because that would be slightly harder. It's also partly incompetence, there's an entire generation of ad people who don't know the first thing about advertising, they know Google Adwords and Facebook Ads.
> NO, you want to track people online and the EU is simply asking for you to declare that.
False. Cookies aren't there only to maliciously track your actions and show ads. They solve lots of technical issues in various scenarios.
This is your typical premature compliance for a technically incompetent formalistic regulation. Better be safe than sorry - so that's why you see that stupid "this website uses cookies" on every other site that merely has a login form, a captcha, or a cdn - because of course it fucking does.
I would like an option for those of us who don’t care and click whatever button has the brighter color. Like a default consent to sharing all data. This doesn’t have to be on by default. This would improve my browsing experience tremendously.
Instead of hating the EU, how about directing your hate towards the bad players of the web? Cookie banners are not the fault of the EU, but the fault of companies disrespecting privacy rights and pushing data collection, ads and all possible shady growth hacking strategies towards the user. I am glad that a government body actually made this possible and made visible how horrible the internet is.
Cookie banners are absolutely the fault of the EU.
Users have always been in control of whether they accept cookies. There have been settings in your browser since (at least) Netscape 3.0. It's only because of dumb EU laws that cookie control has been pushed up into "user space" with these idiotic banners that no one reads.
It seems like you don't practice what you preach, seeing how Hacker News relies on cookies for authentication.
Besides, GDPR isn't about cookies, it's about what companies are allowed to do with your personal information. Functional cookies don't require consent, abuse of your personal data does.
Our machines always had Cookie Pal [0] installed on them, and it allowed per domain settings for rejecting cookies and control over third party cookies [1].
> Cookie Pal includes the following features:
> Automatically and transparently accepts or rejects cookies from all or specified servers without user interaction.
> Cookies received from unspecified servers can be automatically accepted or rejected without user interaction, or the user can be asked for confirmation.
> "On the fly" adding of servers to the accept from and reject from lists, allows you to manually accept or reject a cookie the first time it is received and then have it automatically accepted or rejected every time it is received thereafter.
A bad bandaid is still a bad thing, regardless of what it is covering up. Cookies are table stakes on the internet. This is the wrong solution to a completely different problem.
Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
Random example from more than a decade ago: I worked at an online retailer, and we did a nice redesign of our cart page. Looked great, much more readable, but we started losing sales. Did people hate the redesign? It was certainly easier to use and navigate.
Our marketing guy looked at our analytics and saw that there was a massive drop in checkouts from users whose displays were set to 1024x768. He changed his resolution and, sure enough, the 'Checkout' button was something like four pixels below the bottom of the screen, if you were using Internet Explorer or Chrome and you had your browser maximized.
I get that analytics can seem creepy and gross, and stuff like that is 'none of [retailers'] business' to a lot of people, but without those analytics we would have had no idea why we lost those sales, and would have had to simply revert the redesign with no real opportunity to change it.
The EU allows you to get stuff like 1024x768 without tracking individuals. This metric works just as well in aggregate. You can have metrics without per user id, or with an ephemeral id that evaporates when you leave the site.
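The aggregate approach this reply describes, applied to the checkout anecdote above, as an added example that is not part of the thread. The screen list, event names, suppression threshold and traffic numbers are constructed assumptions; nothing per-visitor (id, cookie, IP, timestamp) is stored.

```python
from collections import Counter

# Resolutions reported individually; anything else is folded into "other" so a
# rare screen size cannot act as a quasi-identifier. (Assumed allow list.)
KNOWN_SCREENS = {"1024x768", "1280x1024", "1366x768", "1920x1080"}
EVENTS = {"cart_view", "checkout"}


class AggregateFunnel:
    """Counts funnel events per screen class; holds counters only."""

    def __init__(self):
        self.counts = Counter()

    def record(self, event, screen):
        if event not in EVENTS:
            raise ValueError(f"unknown event: {event!r}")
        bucket = screen if screen in KNOWN_SCREENS else "other"
        self.counts[(bucket, event)] += 1

    def report(self, min_views=20):
        """Return {bucket: (views, checkouts, rate)}, suppressing small buckets."""
        out = {}
        for bucket in sorted({b for b, _ in self.counts}):
            views = self.counts[(bucket, "cart_view")]
            if views < min_views:
                continue  # too few visitors: the row could single people out
            done = self.counts[(bucket, "checkout")]
            out[bucket] = (views, done, done / views)
        return out


def lagging_buckets(report, factor=0.5):
    """Buckets whose checkout rate is below `factor` times the overall rate."""
    total_views = sum(v for v, _, _ in report.values())
    total_done = sum(d for _, d, _ in report.values())
    overall = total_done / total_views if total_views else 0.0
    return [b for b, (_, _, rate) in report.items() if rate < factor * overall]


def constructed_traffic():
    """Constructed sample: (screen, cart views, checkouts). Not real data."""
    sample = [("1024x768", 200, 4), ("1280x1024", 300, 30),
              ("1920x1080", 500, 55), ("2560x1080", 5, 1)]
    funnel = AggregateFunnel()
    for screen, views, done in sample:
        for _ in range(views):
            funnel.record("cart_view", screen)
        for _ in range(done):
            funnel.record("checkout", screen)
    return funnel


if __name__ == "__main__":
    rep = constructed_traffic().report()
    for bucket, (views, done, rate) in rep.items():
        print(f"{bucket:>10}  views={views:4d}  checkouts={done:3d}  rate={rate:.1%}")
    print("lagging:", lagging_buckets(rep))
```

The ratio is computed from two independent counters, so no cart view is ever linked to a later checkout by the same visitor.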
Yeah, sorry but some small dev story won't budge my opinion on this extremely lucrative 1984-esque business. I can come up with tons of similar battle stories for reason X or Y, they are nothing but tiny largely meaningless anecdotes. Also, you could have just spent a tiny bit more on UI testing and discovered these rather obvious UI issues.
I'd expect a bit more from smart people who see very well into what kind of society we are going full speed, with no way out once in (if you don't consider going back to caves as a good option, I don't).
It's the very fabric of the whole society our kids will live in we are talking about here, nothing less. It's pretty clear what directions the biggest corporations are taking, they are not even trying to hide what's in plain sight. If we common folks don't at least attempt to stop it or steer it in other direction I am worried nobody else ever will.
> Website analytics can be incredibly useful for designers and developers
I'd have sympathy for these people if they weren't also primarily responsible for the many dark patterns, traps, and user-hostile aspects of modern interactivity.
> Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
Everyone thinks that but in practice most folks don't have a clue what they're looking at and just use the numbers as a crutch for whatever opinion they already had.
Of course, this problem isn't just a web analytics one.
> Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
Yes, but the cost of doing that through GA is that a single US megacorp outside EU jurisdiction can reconstruct most users' entire browsing history for whatever US intelligence wants to do with it.
> Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
And at small small cost of privacy violations and spying on users.
Doesn't HTTP have a header [0] for this? The user can opt easily in and out. I've just read the specs and find that it's being deprecated. Why? It may not be granular, but I believe anyone opting out of telemetry also does not want marketing tracking.
Yea websites straight up ignore it. Can’t currently find it but there was some Wired/Verge article detailing what they track of u and they actually mentioned as such too.
> The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.
> Why is P3P useful?
> P3P uses machine readable descriptions to describe the collection and use of data. Sites implementing such policies make their practises explicit and thus open them to public scrutiny. Browsers can help the user to understand those privacy practises with smart interfaces. Most importantly, Browsers can this way develop a predictable behavior when blocking content like cookies thus giving a real incentive to eCommerce sites to behave in a privacy friendly way. This avoids the current scattering of cookie-blocking behaviors based on individual heuristics imagined by the implementer of the blocking tool which will make the creation of stateful services on the web a pain because the state-retrieval will be unpredictable.
> In some situations, the cookies we use to secure and authenticate your Google Account and store your preferences may be served from a different domain than the website you're visiting. This may happen, for example, if you visit websites with Google +1 buttons.
> Some browsers require third party cookies to use the P3P protocol to state their privacy practices. However, the P3P protocol was not designed with situations like these in mind. As a result, we've inserted a link into our cookies that directs users to a page where they can learn more about the privacy practices associated with these cookies.
> Our marketing guy looked at our analytics and saw that there was a massive drop in checkouts from users whose displays were set to 1024x768. He changed his resolution and, sure enough, the 'Checkout' button was something like four pixels below the bottom of the screen, if you were using Internet Explorer or Chrome and you had your browser maximized.
Hint: buy the cheapest crappiest laptop you can find. Test your site on it.
Why do you give those retroactive hints as if it is something obvious?
You are clearly confusing the issue here.
No one cares for your smartass solution for the problem - it's obvious enough once you are aware of the problem itself. The issue is tracking the problem in the first place.
Hints like "oh you should have just been totally aware of it in the first place" are plain naive.
> Website analytics can be incredibly useful for designers and developers; giving those up would be a huge hit to a lot of companies, large and small, so it's understandable that they're not going to do so.
I'll believe that when they don't have a huge banner that's covering a fourth of the page.
EU just requires explicit consent for non-table stakes/non-required persistent tracking.
> The commonly seen method of using a checkbox and a simple information note such as “remember me (uses cookies)” next to the submit form would be an appropriate means of gaining consent therefore negating the need to apply an exemption in this case.
If it is 'table stakes', like "remember me" checkbox, you don't need a separate cookie banner
Enforcement is part of regulation. If the policymakers of the EU put regulation in place without enforcing it promptly and consistently, then it is indeed fair to blame them for this mess.
It's not like this is limited to "bad players." It's standard procedure for almost every website. Whether that's good or bad is a separate topic - the point is it's not just nefarious people using cookies to watch user behavior. Normal people use this information to make their websites better and create more effective products for people. Which is exactly what people said when this legislation was introduced. So instead of actually fixing anything, they made it worse. Now we're being tracked _and_ we have annoying nags that block content show up on every website, exactly like people said would happen when this legislation was introduced.
It's the same tired nonsense as when regulators try to tax a business that's already operating on thin margins and act surprised when the business passes the cost to their customers instead of eating it.
I'm not upset with the intent of what they were trying to do, which was noble; the upsetting thing is that it was patently obvious their hamfisted implementation would lead to this outcome, and they did it anyway, knowing they could count on people to deflect blame away from them.
It's not as if these companies are kicking in your door and violating your right to privacy. You're accessing their site with a device that is configured to transmit whatever you have it set to.
If you don't want cookies, disable cookies. If you want greater control, go and configure it yourself. Stop forcing your preferences on everyone.
The reality is that outside of a vocal contingent on HN, most people simply do not care. They won't pay a cent for their ad supported services. And I for one hate the endless consent popups and GDPR hoops I have to jump through. As an expat in London, I can't read many local news stories in the US because those sites simply block the traffic instead of trying to comply with a foreign law.
> You're accessing their site with a device that is configured to transmit whatever you have it set to.
This is not how it works.
Me visiting a website does not mean I want that website to send my personal identifiers to hundreds of unknown (both to me and the website operator in question) third parties.
I am using cookies as a catch all term, as many people do. I thought this was well known.
If you don’t want fingerprinting, disable canvas, fonts, or JS entirely. My point is that you are downloading code and then executing it. You have control.
And think, if website operators chose to actually use the DoNotTrack signal from your browser, you wouldn't have such a terrible experience on their websites.
Just a guess, but even people that don't want to be tracked choose the easy "accept everything" button rather than spending the time to customize the tracking.
If companies DoNotTrack, they will have fewer people opting-in for tracking.
> even people that don't want to be tracked choose the easy "accept everything" button
The design of these consent forms is often so obscure I end up in some menu system with too much information I didn't want, and no hotkeys to go back except leave the website.
I usually right click these and choose ublock origin's block element to make it go away. I actually don't know what that means as I never answered the question one way or the other.
Nearly every single cookie pop up I have seen is provided by the exact same third party company. That cookie dialog has an option where you can have a simple "Reject all" button that you can click to reject all "not necessary" cookies and use the website.
It is the website owner's fault when they choose not to turn that feature on.
That shouldn't be a "feature" that you can turn on and off; according to the EU regulations, the option must be equally prominent so there should always be a "reject all" button, and it can't be buried or made harder to see than the "accept all" button.
(Leaving aside that sites should just not have these banners, which provides the best user experience. Just delete all the tracking and the banners along with it.)
Wasn't there an incident where a browser shipped with DoNotTrack enabled by default, and thus the signal didn't actually mean the user explicitly enabled DNT themselves?
It's a real pity. Part of the issue is that browsers at the time were competing for developers, not users. So this feature was largely buried in UIs, its treatment was inconsistent, and browsers never bothered to enforce it.
That ship has sailed. It is now on the end user to protect themselves. These banners are just plain noise. No one is reading them. People will click whatever they need to click to dismiss the dialog. The general computing population does not give a shit, and the ones who do will use privacy-oriented browsers and platforms.
Nothing is written in stone or in stars. And there used not to be legislation. And now there's legislation that fights towards user consent, so I don't see how anything has sailed anywhere. It's just a bunch of company code that needs to change, with a quick solution of a multiple-deletion commit as an option in most instances.
It's a deeply stupid local minimum that the EU has ended up in because they were afraid to mandate details, and also afraid to just ban tracking for advertising purposes altogether. So you end up with a situation where:
- most people are tracked on almost all websites by a small number of US megacorps (e.g. google analytics could probably reproduce complete browser histories for most Europeans, and most likely does for some intelligence agency)
- AND most people have their time wasted by consent banners
- AND small companies worry about compliance costs (my least favourite aspect of EU law is it doesn't understand the need to exclude small companies from complex requirements)
It's non-confrontational to a fault and therefore ineffective.
This is one of the reasons why Social Networks are eating websites. Most people get a bad experience browsing the internet. Yeah, I get it, we know Hacker News, and other good websites. But my dad just wants to read news about sports and politics, it's much easier to do it through Facebook posts than to open a browser and get annoyed by ads, popups, etc. Same for young people: I can get fun with TikTok and YouTube, why should I go into that maze of websites that do not provide anything worth it?
Even despite the fact that Amazon is a pile of crappy knock-offs and astroturfed reviews, it still manages to be better than the UX nightmare of actually trying to go through the companies' own websites directly to figure out what they're selling and how much they cost.
Lately, I've been having developers and designers on my team install each of the three major browsers without plugins and visit five of the "top 10 media sites" (https://www.similarweb.com/top-websites/news-and-media/), plus Twitter, Facebook and LinkedIn for a total of two hours so they see what the web looks like for regular users. It doesn't take long for people to realize just how terrible 25 years of accumulated surveillance, advertising and front-end cruft has made the web.
I traveled and I wonder why someone would use YouTube's free tier. There's like an ad every 3 minutes, plus the ones when the video starts (YouTube doesn't show ads in my country). My Twitch usage has gone down a lot because of 7-8 ads in a row. I would subscribe to the few creators I follow if not for the friction when I want to quickly check another creator's page (give me like at least 15 minutes without ads).
I think most of the comments here right now are missing the point of OP's post. It's not about one thing in particular (cookie consent), just that the whole ordeal is full of ads and popups (one of which is the cookie consent popup).
Most of this crap is the same everywhere, not just in the EU.
Thanks, that was my intention (back when I posted it). I added "from EU" just to make it clear—since people would have otherwise said "that's not how it works in the US :p"
Yeah, that EU remark unleashed some emotions a bit, people are (incorrectly) bashing EU for consent popup due to companies tracking (and monetizing) the hell out of their browsing habits
Remember the horse meat scandal, when horse meat showed up unexpectedly in food in Europe? The CEO of one British supermarket chain blamed the Irish food safety authority, who’d detected the contamination due to routine DNA testing (the British FSA had at the time recently ended such testing due to Tories, iirc). His logic was more or less that the FSAI, by detecting the problem, had created the problem; if no-one had known there would be no problem. Pretty much everyone at the time thought this was a bizarre take.
I find it interesting that, in the cookie case, people blame the EU for making the problem visible, rather than blaming the people who created the problem. The cookies are the horseburger, in this instance.
It just ended up feeling like a half measure that did nothing but make the internet more tedious for something most people who know anything about the web already knew was a problem. Now it just adds this group of people who have no idea what the popup means who likely just click on the "Accept All" without having any idea what it means.
If they really wanted to do something successful they should've been more strict on the situation. "Accept or Decline front and center" "No tracking cookies without specific UNFORCED opt in" "No annoying popups"
Like I don't know what they added to my experience. I already knew cookies existed and what they were used for. I guess now I can at least opt out in some cases. But who knows what is classified as a "strictly necessary cookie" which is the lowest amount of cookie tracking you can get on most of those sites.
Companies were fined because they had accept all without reject all. Report any violations you see.
Strictly necessary means necessary to provide the service the user requested or comply with other laws. It is stricter than your suggested no tracking standard.
We have been able to happily side-step this entire conversation in our new web properties.
We literally use zero cookies (local storage, et al.) in our latest products. The user's state is entirely managed on the server, and we pass their session identifier forward through hidden form fields or URL query parameter as appropriate. The only way this works is to go all-in on SSR-style web applications. 100% of user interactions must be satisfied with boring-ass form get/post. The microsecond you start thinking about SPA or holding onto even the merest of boolean facts between page loads, the whole magic experience vanishes in an instant. That isn't to say you can't use javascript, but you certainly don't start with it.
Our initial reasoning for going to this extent was due to weird behavior around cookie lifetime we were seeing on iOS/safari devices as of iOS13. If you don't use any client-side state, other than what is loaded into the current window/document/URL, who could ever ruin your day? They'd literally have to cripple 100% of the internet to start causing trouble for our newest approach. Over time, it became obvious this style also provides a better user & development experience. For instance, I no longer have to put the Apple WWDC event on my work calendar in anticipation of a refactoring effort. Pending legislation is also something I do not worry about anymore.
I find it interesting that the most compliant web experience is also the easiest (aka most boring) to develop and also usually provides the best end user experience. To me, cookie banners ultimately seem to be a higher order consequence of splitting the product into front-end/back-end and farming out every possible consideration to a 3rd party.
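A sketch of the cookie-less pattern this comment describes, as an added example that is not the commenter's code: state lives on the server and an opaque session id travels in a hidden form field. The names (`Sessions`, `handle_post`, the `sid` field), the 900-second idle timeout and the per-request token rotation are assumptions of this example; the response headers are there because an id carried in the page or URL has none of a cookie's `HttpOnly` or scoping protections.

```python
import html
import secrets
import time

IDLE_TTL = 900  # seconds of inactivity before a session is dropped (assumed value)

# An id embedded in a page or URL can leak through the Referer header or a
# cache; these response headers close both paths.
SAFE_HEADERS = {
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


class Sessions:
    """Server-side state keyed by a random token that is replaced on every use."""

    def __init__(self, clock=time.monotonic):
        self._live = {}       # token -> (expiry, state)
        self._clock = clock

    def _issue(self, state):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._live[token] = (self._clock() + IDLE_TTL, state)
        return token, state

    def start(self):
        return self._issue({"cart": []})

    def resume(self, token):
        """Consume `token`; return (fresh_token, state), or None if unknown or expired."""
        entry = self._live.pop(token, None) if isinstance(token, str) else None
        if entry is None or entry[0] < self._clock():
            return None
        # Rotation: a token copied from a log or shared link is dead after the
        # next request. Trade-off: back button and second tabs submit a stale token.
        return self._issue(entry[1])


def render(token, state):
    """Page body; user-supplied items are escaped before they reach the HTML."""
    items = "".join(f"<li>{html.escape(i)}</li>" for i in state["cart"])
    return (
        f"<ul>{items}</ul>"
        '<form method="post" action="/cart">'
        f'<input type="hidden" name="sid" value="{html.escape(token, quote=True)}">'
        '<input name="item"><button>Add</button></form>'
    )


def handle_post(sessions, form):
    """`form` is the decoded POST body as a dict. Returns (status, headers, body)."""
    resumed = sessions.resume(form.get("sid"))
    if resumed is None:
        # Unknown or expired id: issue a new one, never adopt the client's
        # value (that would allow session fixation).
        token, state = sessions.start()
    else:
        token, state = resumed
        item = form.get("item", "").strip()
        if item:
            state["cart"].append(item[:80])
    return 200, dict(SAFE_HEADERS), render(token, state)


if __name__ == "__main__":
    store = Sessions()
    _, _, first = handle_post(store, {})
    print(first)
```

Any script running on the page can read a hidden field, so this design depends on the output escaping shown in `render` and on not loading third-party scripts into authenticated pages.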
This is not an EU problem. This is a web problem. Companies have assumed they have a right to all of your personal information and so they build their sites and services around that.
The EU does its best to at least let you know what's happening. What I would like is for browsers out of the box to auto reject cookies and tracking behavior. But that is probably the reason all the prompts are not standardized.
I like it, and every time I will go through and reject all of them. If the extension doesn't catch them already.
What could you possibly mean? Government made it so much better. How else would you know that the cookies (you're going to consent to anyway) are being put on your computer?
Is there anyone who actually consents for any other reason than the consent button being easier to click than more options? Would we accept this kind of behavioural tracking in real life? Of course not.
Just ban tracking for advertising purposes entirely, or at the very least mandate that sites respect the do not track header and require browser manufacturers implement it as opt-in.
> Is there anyone who actually consents for any other reason than the consent button being easier to click than more options?
If the "reject all" button isn't as easy to click as the "accept all" button, then the popup is illegal. The big players have all been forced into compliance, but there's a long tail of publishers who are chancing their arm on the assumption that the regulators don't have the resources to deal with everyone. That's probably a reasonable assumption in the short term, but the EU are playing the long game.
That's what they say, but even government websites do the same thing.
Anyway, my point wasn't so much about the pop up itself but rather that if you make it easy to reject, then everyone will reject. So what's the point of allowing it? It's like having a cashier asking everyone "would you like to get kicked in the balls?" with the hope that someone misunderstands, and then they get to kick them in the balls.
> If the "reject all" button isn't as easy to click as the "accept all" button, then the popup is illegal
You should watch the video in the linked article. The options are accept all and "customize". I'd be willing to bet a lot of money that accepting is one click and rejecting is more than one
So you’re a company with a web property. Your lawyers tell you you have two options:
1. Ensure that you’re perfectly abiding by all “legit purposes” and be prepared to update your policies and software each time those change, at the risk of huge fines. Or,
2. Just put an annoying banner up and have no risk.
Which do you do?
Government created this problem. Yes, it was in response to bad behavior from industry, but that doesn’t absolve the bureaucrats from responsibility for the results of their “solution”. If someone lights your kitchen on fire and the fire department’s response is to burn down the entire house, there is plenty of blame to go around.
If these are the two options your lawyers give you, fire them, because they are lazy shit bags.
All you need to do is not store cookies. That's it. It's not difficult at all. If you do want to cover your ass and use a consent dialog, there's a million options that are non-disruptive to your users and allow them to one click opt out.
The banners usually don't provide you with an all-or-nothing approach. Choice is usually between reject everything *except essential*, accept everything, or something in between.
That means the analysis for point 1 has been made. They know exactly which cookies need consent.
This is nonsense. You can't just put any kind of cookie banner up and magically be in compliance. You'd still have to explain what kind of data is being shared with which parties and why. And you have to update your privacy policy to keep it accurate in any case!
In fact, many of the websites that have these obnoxious cookie banners are NOT in compliance because they don't offer a simple and unambiguous opt-out option.
These cookie banners and cookie popups are intentionally made to be maximally annoying. That's not good faith behavior by companies. That's malicious and an attempt to get consumers to blame regulators for breaking their browsing experience. The worst thing is that some people totally fall for it!
2 doesn't work since you actually have to list what you use the data for and keep that list up to date. You think large companies like Google didn't already try that?
> Which do you do?
Given that 2 goes out of its way to violate the law and make your users miserable I would suggest 1. But that is just the opinion of a non lawyer.
It’s also not what EU law requires. All the many websites that make it easier for people in the EU to accept the tracking than to decline it, as common as that pattern is, are non-compliant. Under-enforcement of these rules is sadly the norm. Compliant websites, such as that of the European Commission, don’t make it any harder to dismiss the dialog by accepting only essential cookies than by accepting all of them.
I agree with you that the non-compliant approach teaches a bad security practice to the general population. The fix is better enforcement of existing law, without a new law actually being needed except possibly a better procedure for more effective enforcement.
Unfortunately, achieving that is hard for political reasons. The EU’s politicians, and therefore the data protection authorities whom they oversee, care mostly about seeming to protect privacy, whatever the reality, and don’t want to deal with the economic + lobbying + PR + political donation + therefore electoral consequences of routinely taking proper and timely action. This is especially true for some of the most regulatorily captured data protection authorities in the EU, such as Ireland’s.
And it’s so easy, with the choice of one button to make things work like they always did, or a quick sixteen-part questionnaire and identity verification process if you want to submit a request to be considered for an alternative cookie delivery experience.
It may be annoying, but just the possibility of opting out of some of them is already something against the rising tide of taking control away from the user.
Is it the perfect system? No. Is it better than no system at all? I think so.
And it is not like companies could have chosen a better approach.. like default opt-out, or remember that one thing, or respect a DNT. There would have been some options to comply with the law, but there was only one that still allows companies to grab most of the data and at the same time get people annoyed about the attempt at reasonable legislation (which certainly could be improved, like just go a DNT approach, but companies went immediately rampant on that for the same reasons..)
But big corps know what they wanted and do and lead the rest of the pack..
People with anti-GDPR views appear to assume that like them, everybody else also just wants to accept every cookie. But that is not true. And the interface affects how users respond, too. For example:
Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually
I don't consent to them. If websites are making it hard not to consent, then they are in violation of the GDPR.
Stop blaming the government for something private companies are doing to you. All the government did was require them to be honest about it.
Maybe the EU should be more aggressive with GDPR, and start fining these companies out of existence for not being 100% compliant. That would put a stop to the maze of dark patterns pretty quickly. Either every shitty company would go bankrupt overnight, or they would learn how to make very simple "yes cookies" and "no cookies" buttons.
In my personal experience, people who hate the GDPR are typically not EU citizens. I am an EU citizen and I strongly approve of GDPR. Is it perfect? No. Is it a step in the right direction? Yes.
Do you also approve of surveillance states that a lot of EU countries are? Do you approve of push to end encrypted messaging? Do you approve of impossibility of getting an anonymous SIM card?
And the EU is the only thing that consistently fights countries that try to spy on their citizens. I'm in Denmark and the government flat out refuse to stop tracking people via the cell phone network. The EU is pretty much the only organization that cares and tries to stop it (hard to actually stop it when the local government just ignores every ruling from the EU on the subject).
But you know that the problem are we operators - right?
There could be browser configuration for the cookie consent popup (accept, essential, reject all) that websites could follow but now - they prefer to be obnoxious about it hoping that everyone will click "allow" out of boredom (not to mention that at the beginning it was the only visible option and reject was hidden, which was illegal)...
This. It boggles the mind that browser vendors (and standards committee) haven't come up with a preferences page for cookie consent. Expose that through JS and/or send it to the server via a HTTP header.
The companies who actually use these cookies don't want that, because everyone would just turn everything off forever. It would probably just kill off tons of analytics companies overnight.
(I wouldn't lament the loss of invasive analytics, but the job losses would be saddening)
It's not the browser vendors (well, save for morons from google) because there is DoNotTrack header but it's not used/enforced. EU could amend the law to include that and it would be AWESOME.
Don't shoot the messenger. 99% of cookie/tracking dialogues are illegal, and are only there as a fig leaf because the website itself is engaged in illegal data processing in the first place.
I liked how the Reddit popup had nothing to do with cookie consent and the second site didn't have any popups at all - author could have cherry picked a bad example but for some reason gave us this?
It's also a great example as to why the web is as annoying as it is. It sounds like a lot of people here are mad because you called out the EU but realistically your video is a great example of the modern day web and it's awful.
Well, it's fairer than cherry picking the most outrageous examples. Though I wonder if he didn't get any Reddit cookie banners because he had already accepted them at some point in the past.
No mention of the dramatic difference between certain news websites not having intrusive pop ups due to GDPR. Which should be mentioned any time this debate pops up.
I recently started using Artifact on iOS as a news aggregator, and... wow. It uses a standard customized WebView and not a SafariViewController or whatever, meaning that it doesn't support any of the system-wide content blockers that I'm used to.
It's truly amazing that websites are so insanely difficult to just... read, these days. Ads that pop up covering the screen, videos (irrelevant to the article) which I scroll past, and which then suddenly decide to pin themselves to cover the top 1/3 of the screen and autoplay, along with ads covering the bottom 1/4 of the screen, while cookie reminders pop up and the page keeps jumping around because ads take so long to load... It's truly astonishing how bad of an experience I was missing out on.
Artifact is a pretty nice app, all in all, but the browsing experience without content blockers is so terrible that I just can't bring myself to use it anymore.
That's only for websites that insist on tracking users first thing before hello. Nothing stops 99% of the sites from having an opt-in link somewhere in the footer, and minimal defaults, other than that they insist on convoluted metrics for their little brochure thingy. It's only really necessary to sell impressions or worse, not to make functional or even beautiful sites.
Sure, I know there's counter-examples, there are sites that do interesting things with personal data, even. But I know the vast, vast majority of sites that have these banners are not those sites, and I don't accept these corner cases as a fig leaf for this elephant (whose name is incompetence and greed) sitting on the couch, moaning about this law, since day one.
"this is what someone who considers themselves a webmaster, or even a web developer, writes nowadays (2021)"
I no longer stay on websites that require consent, show overlays, demand subscriptions and signups or do any other funky anti-user maneuvers. Just let this part of the web die.
Web is already hostile enough nowadays with all the tracking, scams, abuses of consent and bad ux designed to sell shit nobody needs.
EU politicians are dumbest beings on Earth. Dumbness of US politicians pales in comparison. They pretend like they care for citizens privacy, while simultaneously pushing for an end to encryption. States like Germany, which is at the helm of these policies, has fucking SCHUFA. It’s so hypocritical.
Maybe, but by being a paying customer with lots of options (including collective negotiation), you have a lot more leverage to get them to do what you want.
Sure. When they charge a reasonable price for occasional visitors, not the "just the price of a Starbucks coffee per month" subscription that's the SaaS wet dream.
Edit: also, non targeted NON INTRUSIVE ads will do too. Or would have done. If the ad industry wouldn't have burned any shred of credibility they ever had.
That's a pretty good point. If you want to be critical of the cookie/GDPR popup that's really the route to take. HN, Wikipedia and GitHub don't have any of this nonsense, because they have no incentive to track their users.
I do question the incentive of a number of sites. Reddit technically doesn't need to track you, they know all they need to based on which subreddit you're currently on. It's mainly sites that have no context to your activities that really need the tracking to attempt to provide ads that make sense. Maybe these sites should be financed differently?
Those cookie consent banners have to be one of the most obnoxious things to affect the web in recent history, only outmeasured by how useless and pointless they are.
Consent-O-Matic helps a lot with not having to see this nonsense though.
2016 was a weird time. When this legislation came down we literally had no idea what to do. We were a US company and didn't run any ads or broker data, so we thought at first that we were exempt.
After consulting with a legal team they made it clear this was not the case. And for the next 2 years there was a lot of pain.
We had too many cookies that were important to UX and analytics. If you don't understand why, imagine trying to run a store but not be allowed to look at your customers. We were fine not chasing them into the parking lot with a Polaroid camera, but GDPR didn't make a distinction between really invasive tracking and "normal" un-creepy QOL cookies.
Before tools like OneTrust or Trustarc were available, it was also not even clear how you actually handle consent. TL;DR: you basically have to set a semi-anonymous cookie that tells you it's okay to load other cookies. But at the time it was not even clear if this was legal (since there is somewhat conflicting advice as to what could constitute PII in this situation).
To this day, we still deal with a lot of GDPR edge cases. Specifically what constitutes PII at a technical level when you are talking about session IDs, user IDs, or client addresses. It's still really tricky and we're always afraid the rug will be pulled out from under us. And even the most expensive lawyers will be experts in the law but need constant hand-holding through even the most basic technology.
(Data removal requests are another story - if people only knew, man)
The lesson I have learned:
- Anyone who says GDPR is simple has no real experience
- Do exactly what other companies are doing - do not try to stand out
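The consent-gating cookie described in the comment above, combined with the DNT header raised earlier in the thread, as an added example that is not code from any commenter or consent product. The cookie names, the categories, the dot-separated value format and the choice to treat `DNT: 1` as "reject non-essential" are all assumptions made for illustration.

```javascript
// Added illustration. Cookie names, categories and the "consent" value
// format are hypothetical, not taken from any real consent platform.
const CONSENT_COOKIE = "consent";
const SIX_MONTHS = 60 * 60 * 24 * 180; // seconds

// Constructed sample catalog: every cookie the site can set, by purpose.
const COOKIE_CATALOG = [
  { name: "session", category: "essential" },
  { name: "ui_prefs", category: "functional" },
  { name: "stats_id", category: "analytics" },
  { name: "ad_id", category: "advertising" },
];
const OPTIONAL = new Set(
  COOKIE_CATALOG.map((c) => c.category).filter((c) => c !== "essential")
);

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Decide what may be set for this request. `headers` uses lowercase keys,
// as Node's http module provides them.
function decide(headers) {
  const granted = new Set(["essential"]);
  const stored = parseCookieHeader(headers.cookie).get(CONSENT_COOKIE);
  let showBanner = false;
  if (stored !== undefined) {
    // An explicit stored choice wins; unknown tokens are ignored.
    for (const cat of stored.split(".")) if (OPTIONAL.has(cat)) granted.add(cat);
  } else if (headers.dnt !== "1") {
    // No stored choice and no DNT signal: ask, and set nothing optional yet.
    showBanner = true;
  } // Assumption: DNT: 1 counts as "reject non-essential", so no banner.
  const allowed = COOKIE_CATALOG
    .filter((c) => granted.has(c.category))
    .map((c) => c.name);
  return { allowed, showBanner };
}

// Build the Set-Cookie value recording a choice. It holds category names
// only, no user identifier.
function recordChoice(categories) {
  const kept = categories.filter((c) => OPTIONAL.has(c));
  const value = ["essential", ...new Set(kept)].join(".");
  return `${CONSENT_COOKIE}=${value}; Max-Age=${SIX_MONTHS}; Path=/; Secure; SameSite=Lax`;
}
```

The gate fails closed: a missing, empty or malformed consent value yields only the essential cookie, and nothing optional is set while the banner is pending.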
I'm using auto-accept all cookies, and after I leave auto-delete all cookies. Then white-list only the cookies I actually need. That and use Firefox containers.
Yes, it is a terrible experience...I personally think GDPR and thinking about user data is a great thing to have. But, the actual implementation is terrible. Like consent banner etc... I can tell 100% that whoever made this law is not a techie person. They wanted to solve a technical problem, like sharing user data without consent, through the law system that we used to...It would be a lot better if they forced this as a part of http protocol...So that we could have our pre-defined consent answers...I mean right now, we have no standard way to say no to any consent banner. You have to understand the consent banner, understand the options, evaluate them, and then process the outcome...You have to do this for all websites that you are visiting...
Yes, please fork http...EU, you can do that...I know it...
The consent banners you complain about are not due to GDPR; it is a different law, plus a compliant website makes it as easy to reject cookies as it does to accept them.
I can feel that you are from EU. Just because the way you defend your arguments sounds so european. But, let me whisper it to your ears, this thing is shit bro. Literally, I'm spending hours looking at screen and this consent banner pops out almost every minute...I keep my right to take this to the court if I'm diagnosed with schizophrenia or whatever.
The popup repeating is definitely not due to EU legislation. You should only get it once and it should offer you the choice to accept all or reject all or optionally the complex choosing.
If it pops up every minute it is the website that is doing it wrong; sue them.
The "consent" popup is not GDPR conform. Rejection should not take more effort than accepting. That said, of course you should never trust Google, simply clicking "accept". Especially when they make it take more effort to reject, you need to reject.
That's what the companies make browsing the web in the EU look like nowadays. It's their decision to abuse us - and the law - and it is on them to fix it. If you check the enforcement tracker you can get an idea of what the tip of the iceberg looks like, the data that's lost/sold/leaked. Then take into account that just like with a real iceberg the bulk of the leaks and breaches goes unreported (and probably a large fraction of them goes undetected until the data shows up on some marketplace).
Until the GDPR a lot of this went on anyway, but totally invisible, now at least we have some idea of the magnitude of the problem and companies have an incentive to at least try to get it right. Not that many of them do. People that are categorically against government regulation tend to point at this and say 'see: that's what you get'. But they forget that in the relationship between companies and individuals it is the companies that on balance have the most power and there is ample evidence that this power then gets abused. Hence regulation. I'm all for tightening the rules another notch or two and adding a zero to the average fine. Because there is still a lot of room for improvement.
> That's what the companies make browsing the web in the EU look like nowadays. It's their decision to abuse us - and the law - and it is on them to fix it.
No, it's the EU that mandated those popups - an asinine solution to the tracking problem. The EU gets the blame.
The EU does not mandate popups. The EU mandates consent to be tracked. You could simply not track and then you wouldn't need consent. Or you could do it without a popup.
> The EU does not mandate popups. The EU mandates consent to be tracked.
Same difference. Semantics.
> You could simply not track and then you wouldn't need consent.
Not all tracking is malicious. It's not going to disappear, hence the popups.
As I said, it's an asinine solution. It's as useless as the default browser nonsense. The EU seems to make one of these annoying blunders every decade or so, next one should be coming up.
You have cause and effect mixed up, that's fine by me but you're not helping yourself - or the rest of the world - by doing that. The EU is simply trying to ensure that the rights of its subjects are respected. Companies apparently care more about their bottom line than either the comfort or the rights of those subjects and that is why you have those popups. Note that on my website there are no such popups and yet I'm completely in compliance with the law. Every other website could do the same.
I feel like a reasonable tweak to GDPR is to require that if a site has an "accept all" button, it needs an equally (or more) prominent "reject non-essential" button.
GDPR regs in fact already require exactly this, and all "consent" acquired without one has no legal basis. One or two national regulators have belatedly started to pursue it.
It's pretty much a requirement already. The website can't make it hard to reject or make it seem like accepting is the only way ahead. Many popular sites had made rejection easier after GDPR complaints (smaller ones often still didn't because nobody cared enough to complain, I guess).
Your beef is misplaced, madam/sir. EU does not mandate any website to store on your computer cookies that require consent. The companies (and individuals, hah) that choose to track you, do so of their own volition.
As an EU citizen, I am actually somewhat delighted that our legislation that attempts to improve privacy is being successfully exported. But similarly to how I find the US exporting their legislation quite loathsome---at least at times---I understand your beef.
It's hard to dynamically figure out if you're an EU citizen or not via the browser. Hence, websites play it "safe" by showing it to pretty much the whole world.
They can't really export it, it's just most big companies have a presence in the EU and don't want to risk it. Plenty of other websites just blacklisted EU IP address space.
People are fucking babies. They're lobbying for deceptive marketing tactics to avoid the fraction of a second that it takes once in order to agree to be subjected to deceptive marketing tactics (although they have to disable their plugins and ad blockers to complain about it.) I couldn't even understand what I was supposed to see; people in the US also get cookie popups the first time they go to a site that is gathering a dossier about them.
When the EU regulation came up, I was shocked that a single article was being shared with 100+ "partners". I knew it was bad, but I didn't know it was that bad. At least now I get the choice to opt-out. Sidenote: Google got fined for that pop-up because it should have a "do not accept" option [1].
Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back. Do you want to blame the EU for not anticipating that companies would act maliciously? Sounds fair to me. But don't let the companies off the hook for acting maliciously!
[1] https://www.taylorwessing.com/en/insights-and-events/insight...