Maybe stop doing stupid shit that will legally require you to inform users that you're about to sell/share everything you know about them to 3rd parties?
I fail to understand how companies that display page after page of cookies and tracking stuff for you to approve don't see the issue with their actions or the insanity of "allow us to share data with our 1500 partners". Does no one in these businesses look at this and go: "Hey, why do we need 50 different tracking tools" or "Why do we share customer data with over a thousand other businesses?".
When you actually read what these pop-ups say, then you understand why they are there, and why the problem with the law isn't that it's annoying, but that it isn't much more restrictive.
> When you actually read what these pop-ups say, then you understand why they are there, and why the problem with the law isn't that it's annoying, but that it isn't much more restrictive.
Worse, people (including on HN) actively blaming the EU for it. It’s like having a law mandating people are informed when there’s poison in their drink, then seeing people complain about the warning labels everywhere. The label isn’t the problem! As you said, if anything the issue is that the law isn’t aggressive enough.
> Worse, people (including on HN) actively blaming the EU for it.
The EU is exactly to blame for it.
The activity isn't illegal, and the EU didn't make it illegal.
What the *EU did* was make it so that companies engaging in that legal activity now had to disclose it in some way, and the cookie popups are the best way to do that.
It's ridiculous to try and say the EU isn't to blame when they introduced and approved the legislation directly responsible for the popups.
What I always find funny about this, is that the popup is presented with "We value your privacy", followed by "allow us to share data with >500 partners".
I wish that such statements had some value greater than nil.
The vast majority of websites just want to know where their visitors are coming from and, if they are selling a product, some aggregate level of demographic knowledge to tailor their marketing efforts. They really don’t care about an individual or even small cohort and aren’t selling the data on.
Targeted advertising is sooo much more effective for small and medium-sized businesses and actually makes many businesses viable in a way they weren't in the past.
The ideal solution would be to find a way for businesses to get those insights in a way that preserves privacy at the individual level. Something like Apple's differential privacy system but web-wide.
> Targeted advertising is sooo much more effective for small and medium-sized businesses
I'm starting to question that, but without any proof; that's just me rambling. Assuming that it works, I'd actually be fine with a site saying "Hey, just letting you know, we use Google Analytics to learn more about you, is that cool?".
The 1500 partners and 50+ trackers aren't numbers I'm making up, those are numbers I frequently see. Sure, you feel you need a tracker, I can easily enough say no to a single tracker. I can also understand a webshop needing to share information with their advertising partner, but not 1500 of them.
The law would never have amounted to anything if the reality was a limited scope of data sharing with a clear obvious purpose. It's the insane amount of tracking and data sharing that triggered all this.
It doesn't matter what they want. It doesn't matter why they want it. They are not entitled to this information. They should not be able to know anything at all about us without our explicit consent. We should not have to sacrifice our privacy and peace of mind so that businesses can succeed. If they can't succeed without surveilling us and selling us out, then let them go bankrupt.
So much user time is spent, for example, on a few big sites which have enough data within their own silos (based on users' behaviour and topics of interest) that they can target pretty well without relying on external data. The big video sites, social media, Amazon/eBay/etc.
And then there's a big layer of smaller sites who can inherently target because they're already specialist in nature.
The losers in this scenario aren't really the brands, they're big generic sites such as news media who don't have any way to acquire targeting information on their own.
I can only imagine the disbelief and laughter in court if a thief said "Your honour, it's not like I stole one car, I actually stole 1500 different ones"!
> Maybe stop doing stupid shit that will legally require you to inform users that you're about to sell/share everything you know about them to 3rd parties?
Why? It's legal and extremely lucrative.
If it's really an issue, maybe the EU could actually limit these activities instead of just forcing sites to put a notification that they are attempting to engage in those activities?
Hey, just some background from someone who took part in a couple of privacy compliance projects at large platforms in the past:
For companies doing this the right way, the banner was just the tip of the iceberg; loads of work went into ensuring compliance behind the scenes, so customer and employee data was not shared with 3rd parties unknowingly. In one case the list of 3rd parties went from 400+ to about 70. This is, in my opinion, a win for privacy: the culture around sharing your data went from casual to cautious.
Secondly, the culture around trusting Meta and Google blindly with behaviour data changed drastically. Businesses became aware of how much valuable data they share with these platforms, which actually puts them at great risk. Should you really give these platforms detailed data on what customers browse and buy on your site, so they can use the data to sell targeting for competitors, or direct users towards their own shopping platforms?
So, yes, the law is not perfect, we all hate the banners, but at least what happened in those early implementation days when the banner became law was a change in culture around how data was shared and a better understanding of the risk for the business of using 3rd parties.
The cookie policy is a stupid value-signalling stunt with only negative real-life effects. The correct way of handling the problem would have been through request headers and browser settings, or simply, use the existing option of either allowing or disallowing cookies, and put this option on a per-site basis and a bit more into the user's face.
Almost. It hardly worked as intended, but at least it increased awareness.
The fact that some sites tried to comply and actually provided a full list of all sites that they sell your private data to is somewhat of a win. It reached a lot of the wider public, who realized "they sell it to 97 companies?!".
I personally think local governments or EU-wide institutions should have a registry of companies and their sites with ratings, so we could integrate that directly in our browsers, company registries, phone dialer apps. iFixIt style.
- Clarity of EULA: 1/10, impossible to understand without lawyer's interpretation.
- Length of EULA: 1/10, pops up every week with no diff or summary of changes
- Legality: 4/10, historical track record of rules that are not compliant with local laws of xxx
- History: 1/10, no way to track what were the previous versions of the document or when they changed
- ...
EDIT: to give some context and prove it's possible to provide metrics for legal documents, in Poland we have a formal "Registry of Forbidden Clauses" with references to lost court cases:
https://www.rejestr.uokik.gov.pl/
Request headers aren't going to do anything. Browser settings, maybe. If browsers were not owned by advertising companies, they'd just disallow this tracking and that would be the end of it.
This also solves nothing. It's up to the ethics of the company how they choose to group "none", "essential" and "all" and what kind of server-side tracking they do anyway. It's no harder to do the wrong thing with the current system, but at least the headers would be invisible to the user.
Alternatively: Only allow the website to set cookies if it presents headers with the different options, in a standardized way so the user can choose to pre-set a preference and not be bothered with the cookie nag modal.
Besides cookies, there are tracking methods based on fingerprinting, IP and so on. None of them are permitted without explicit consent. This means that a site may not load resources from a third-party server without consent, since the request itself reveals enough information for fingerprinting and tracking.
Tracking is plainly not permitted without consent.
> Tracking is plainly not permitted without consent.
According to some poorly thought out law in certain territories, sure.
In practice, however, there is no technical mechanism by which users, or anyone else for that matter, can detect whether they're being tracked or consent to it. There are browser extensions conscious users can install to block certain browser features, but these are not infallible, and they're constantly playing a cat and mouse game with trackers.
The cookie policy only applies for cookies, not for general tracking. And even with it, companies loophole their way by claiming "legitimate interest". Many popular websites show cookie consent forms with upwards of a thousand of these companies, and deliberately use dark patterns to make it impossible to deny all of them. It's absolute insanity.
But in general, cookies are a red herring. They're used as sacrificial offering aimed at governments and the public to show that a company really cares about user privacy by not using them. When in reality they've been relying on far more sophisticated tracking methods for many years which are technically impossible for the public to even comprehend.
And let's not forget about the shady data broker market, where our data is perpetually transacted against our will or knowledge, let alone benefit.
We need far more technical experts in governments to pass strict regulation against this nonsense, in a way that it actually benefits the public. But I'm not holding my breath that this will ever happen, considering the corporatocracy we're living in.
The GDPR states I must give a specific opt-in approval to provide my personal data and allow it to be passed on.
You can use as many cookies as you like, but if you want to track me personally (advertisers take a bow) then you need my specific consent to do so. And so you should.
I'm amazed I have to keep explaining this to American web designers who should know better. This has been law in the UK and EU for quite some time now and is a prerequisite to doing business here.
When I'm on my phone and a website shows the ads popup, I open it in Brave, which just blocks everything. That's the current implementation of "do not track" settings.
GDPR compliance can be implemented in many ways, starting with not collecting data in the first place. Even if data is collected and sold, it is still both possible and arguably even easier to implement GDPR compliance without cookie pop-ups.
However, we have codecamp graduates gluing left-pad modules together until something works instead of engineers building websites and it shows.
For that to work users have to spend money on their services. I hope that will happen in the future, but until then it is hard to compete with free services that have ads.
They probably still track you even if you paid money, so that makes paying less enticing. And it's prudent to assume so unless they clearly state otherwise.
> it is not legally required to provide the service if a user declines tracking cookies. The site can simply not provide functionality. So in many cases, it's not really a choice – the choice is either not to use the site, or consent to tracking.
To be fair, that is the choice. And ideally, the invisible hand would show that this is a horrible idea and cause a huge spike in traffic, but alas.
I think "stop putting popups cookies" on websites is an extreme stance, but I agree we could use fine tuning on the little things to help keep the spirit of the law. It should indeed be opt-in and not "ask for forgiveness". And it should adhere to current compliances.
Cookie banners are a great reason for expiration dates on new policies. If it works: Great, renew it! If it does not work, is not required anymore or was just plain stupid: Never talk about it again and it will run out.
But who will actively admit that regulation failed and work to undo it?
Cookie banners are not a policy; they are used to work around a policy, and often implemented incorrectly. GDPR says you need to be given a specific, informed decision, but often cookie banners show a big green approve button and a less positive deny button (if there even is one). When the law is being enforced better (which is slowly happening) those cookie banners should get two identical-looking buttons, and that would result in more denies. Hopefully, companies would realize that they need to solve their marketing differently.
"Configure my preferences" -> Untick all the things -> Make sure you click the almost invisible Save button and not accidentally click the big green "Allow All" button.
Horrible. If we can force websites to do this, we should be able to force websites to read my request header NoDamnTrackingCookiesFfs
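The "pre-set a preference in a standardized header" idea a few comments up and the `NoDamnTrackingCookiesFfs` header in this comment describe the same mechanism from the server's side: the site reads a client signal and only sets the cookie categories that signal permits, and shows a dialog only when no signal came at all. The following is an added example, not code from this thread or from any standard. `Cookie-Consent` is a hypothetical header name assumed for the sake of the example; `Sec-GPC: 1` (Global Privacy Control) is a real, shipping header meaning "do not sell or share my data", and the example treats it as overriding any advertising opt-in so conflicting signals resolve in the privacy-preserving direction.

```python
"""Gate Set-Cookie on a client-declared consent preference.

Added example, not code from the thread or from any standard. It assumes a
hypothetical request header "Cookie-Consent: <category>, <category>" that the
browser sends from a preference the user set once, and it also honours the
real Global Privacy Control signal "Sec-GPC: 1".
"""
from dataclasses import dataclass

ESSENTIAL = "essential"      # strictly necessary: session, CSRF token, theme
ANALYTICS = "analytics"
ADVERTISING = "advertising"
KNOWN_CATEGORIES = {ESSENTIAL, ANALYTICS, ADVERTISING}

PREF_HEADER = "cookie-consent"  # hypothetical header name (assumption)
GPC_HEADER = "sec-gpc"          # real header: Global Privacy Control


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    category: str


def _normalise(headers):
    """Header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def allowed_categories(headers):
    """Return the cookie categories this request permits.

    Essential cookies never need consent. Anything else is allowed only if the
    client explicitly listed it; unknown tokens are ignored, never treated as
    consent. A GPC signal removes 'advertising' even if it was listed, so
    conflicting signals resolve in the privacy-preserving direction.
    """
    h = _normalise(headers)
    allowed = {ESSENTIAL}
    pref = h.get(PREF_HEADER)
    if pref is not None:
        for token in pref.split(","):
            token = token.strip().lower()
            if token in KNOWN_CATEGORIES:
                allowed.add(token)
    if h.get(GPC_HEADER, "").strip() == "1":
        allowed.discard(ADVERTISING)
    return allowed


def needs_banner(headers):
    """A consent dialog is only needed when the client sent no signal at all."""
    h = _normalise(headers)
    return PREF_HEADER not in h and h.get(GPC_HEADER, "").strip() != "1"


def set_cookie_headers(headers, cookies):
    """Build Set-Cookie values for exactly the cookies the request permits."""
    allowed = allowed_categories(headers)
    return [
        f"{c.name}={c.value}; Path=/; Secure; HttpOnly; SameSite=Lax"
        for c in cookies
        if c.category in allowed
    ]


# Constructed sample: what a shop might want to set on a first visit.
SAMPLE_COOKIES = [
    Cookie("session", "abc123", ESSENTIAL),
    Cookie("theme", "dark", ESSENTIAL),
    Cookie("_stats", "v1", ANALYTICS),
    Cookie("_ad_id", "xyz", ADVERTISING),
]

if __name__ == "__main__":
    for hdrs in ({}, {"Sec-GPC": "1"}, {"Cookie-Consent": "essential, analytics"}):
        print(hdrs, "banner:", needs_banner(hdrs), set_cookie_headers(hdrs, SAMPLE_COOKIES))
```

The design choice worth noting is the default: with no header at all the server may still set essential cookies and must ask before anything else, and an unrecognised token never widens the allowed set, so a malformed or spoofed preference can only reduce what gets set.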
Most laws, at least where I live, are amended. 'Never talk about it again' seems a bit naive to me. If good faith has not helped with trackers then ban them outright.
Malicious compliance gets the website two benefits: 1) Annoying the customer enough with the popups might net a permission to track from a user who originally did not want the cookies 2) Making the cookie banners as frustrating as possible increases the political pressure against the EU, hopefully leading to them repealing the anti-tracking legislation
There are no upsides for a website from providing an easy "Never track me" button, or just not using analytics cookies - you don't have to put up cookie consent banners for technical cookies used to save e.g. light/dark mode preference
The issue is also that the cookie banner has become a meme for non technical "deciders". That means even sites that do not track you will have the banner.
Do you have an example for such a site? Where does one even find a site without tracking nowadays?
How is such a banner even supposed to work when there is no choice for the user to make?
I mean, someone has to make that banner, so it's quite a way from the rash decision to its execution, where at any point (preferably immediately) someone could and should step in and say "we are not required to do that and we should not spend any money on it". In my experience, non-technical deciders are often sadly under-advised, sometimes because tech people who might know better fail to communicate even very simple facts like these in an understandable way.
Why does the European Parliament[0] and virtually[1] every EU website[2] feel the need to poison drinks?
> The label isn’t the problem!
The label is useless. See also, California's Prop 65: https://en.wikipedia.org/wiki/California_Proposition_65_list...
1: https://www.europarl.europa.eu/portal/en
2: https://european-union.europa.eu/
3: https://gdpr.eu/
Isn’t that what Mozilla and Meta are together experimenting with?
It's not like a news site is selecting and managing 1500 different partners individually.
The UK and EU do limit those activities. They remain entirely legal providing you get explicit opt-in consent.
Goatcounter or Plausible will do fine. Some decent frontend log parsing will also be a viable strategy.
Stop feeding Google your customers data for free.
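The "where do our visitors come from" question raised earlier in the thread, and the log-parsing route suggested in this comment, can be answered from the web server's own access log without a third-party script or any per-person record. The block below is an added example, not Goatcounter's or Plausible's code; its log lines are constructed in Combined Log Format using documentation IP ranges and invented referrers. It keeps only the referring host and the path, drops query strings (where `utm_*` and similar tokens live), and counts visitors through a salted hash whose salt is generated per run and never stored, the same idea privacy-focused analytics tools use so that no stable identifier survives the aggregation.

```python
"""Aggregate, identifier-free analytics from a web server access log.

Added example; not Goatcounter's or Plausible's code. The log lines are
constructed. No IP address or User-Agent is stored: visitors are counted
through a salted hash whose salt is generated per run and discarded, so the
resulting counts cannot be re-linked to a person afterwards.
"""
import hashlib
import re
import secrets
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (documentation IP ranges, invented UAs and referrers).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://news.ycombinator.com/item?id=1" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.7 - - [10/May/2024:10:01:40 +0000] "GET /docs/install HTTP/1.1" 200 8801 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
198.51.100.23 - - [10/May/2024:10:02:11 +0000] "GET /pricing?utm_source=x HTTP/1.1" 200 5120 "https://www.google.com/search?q=widgets" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
198.51.100.23 - - [10/May/2024:10:02:15 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
192.0.2.44 - - [10/May/2024:10:03:59 +0000] "GET /blog/hello HTTP/1.1" 200 2210 "https://t.co/abc" "Mozilla/5.0 (Macintosh) Safari/17.4"
"""


def referrer_domain(referer):
    """Keep only the referring host. Paths and query strings can carry
    user-specific tokens, and the host is all a 'where do visitors come
    from' question needs."""
    if not referer or referer == "-":
        return "(direct)"
    host = urlsplit(referer).hostname
    return host.lower() if host else "(direct)"


def visitor_token(ip, user_agent, salt):
    """Ephemeral visitor token. Once the salt is discarded the token cannot be
    recomputed, so nothing stable about the visitor survives the run."""
    return hashlib.sha256(f"{salt}|{ip}|{user_agent}".encode()).hexdigest()


def summarize(log_text, salt=None):
    """Return page views per path, visits per referring domain and an
    approximate unique-visitor count, and nothing per person."""
    salt = salt if salt is not None else secrets.token_hex(16)
    pageviews, referrers, visitors = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparseable lines and non-2xx responses are not page views
        path = m["path"].split("?", 1)[0]  # drop query strings such as utm_* parameters
        pageviews[path] += 1
        referrers[referrer_domain(m["referer"])] += 1
        visitors.add(visitor_token(m["ip"], m["ua"], salt))
    return {
        "pageviews": dict(pageviews),
        "referrers": dict(referrers),
        "unique_visitors": len(visitors),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against a real log, the salt should be rotated (per day is the usual choice) and never written to disk; the only thing that persists is the aggregate dictionary, which contains no address, agent string or token.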
No. It isn't a "cookie policy".
The GDPR is a bloody good law. It makes the gathering of unnecessary personal data a liability, as it should be. See here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
Fail to see how it’s value-signalling ...
GDPR isn't about cookies, or browsers.
While this ruling does not specifically only use the ePrivacy directive (it is instead based in GDPR), laws do not exist in a vacuum.