undefined | Better HN

0 pointsmziel8y ago0 comments

You can read more about the cookie law here: https://www.cookielaw.org/the-cookie-law/

Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.

This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).

With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as it. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).

0 comments

askvictor8y ago

But what's the alternative approach to the cookie law? A yes/no consent page before your site, and if you click no, the user doesn't get to access it? Because that's basically the same thing, but even more annoying.

tgsovlerkhgsel8y ago

If you click no, a single, non-tracking cookie (i.e. "optout=true", not a session ID) is set, and you get to use the parts of the web site that don't require cookies to function (which, for 99% of the cookie banners I've seen, is all I wanted).

Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.

So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:

a) implement an opt-out globally across the entire site to ensure no part sets a cookie and doesn't track them, with a high risk if you get it wrong, annoy every visitor with a modal yes/no before letting them onto the site (which would hurt your conversion rates etc.), where the "no" would be a meaningful choice that would still let them use your site, and there would be very little incentive for the user to click yes

b) stop tracking users unnecessarily in general

As it is written, the options are:

a) implement an opt-out globally across the entire site to ensure that no part sets a cookie and doesn't track the users, with a high risk if you get it wrong

b) slap an annoying banner on your web site

One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.

haeffin8y ago

Which is why there is the "And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service)." point - you're not allowed to deny access to a newspaper article if somebody does not consent.

akvadrako8y ago

Unless you are charging for the content, I suppose.

xg158y ago

Not tracking users.

From what I understand, the GDPR also disallows denying users access to a site if they don't consent to an unrelated data collection.

kuschku8y ago

Websites in the Netherlands (and German public broadcasters) already follow the original ideal:

Before accessing the website, you get a choice between yes and no.

If you select no, the site will not do any tracking, no analytics — some sites disable ads in that case entirely. You still get to access the site.

If you select yes, you getthe tracking.

BukhariH8y ago

Honestly asking... Does anyone ever click yes?

1 more reply

whyever8y ago

No, you could outlaw degrading functionality, which is what they are doing in the new law.

askvictor8y ago

How do you do this for services where functionality is reliant on tracking etc? E.g. some of Google's services.

2 more replies

a_imho8y ago

IMO the cookie law was good and (ianal) but a banner in your face is not consent, not in an opt-in way at least.

vageli8y ago

If you're made aware of the terms and can choose to leave, that's pretty much consent. Do you sign a paper agreeing to all the terms when you enter a car park? Of course not! It's a class of contracts called contracts of adhesion. [0]

[0]: https://en.m.wikipedia.org/wiki/Standard_form_contract

PeterisP8y ago

EU consumer rights specify many (types of) terms that are considered unfair in various common contracts, so if they're included in a standard form contract offered to consumers, they're automatically considered null and void. I.e. it's a general legal principle that because such contracts aren't negotiated, there's one-sided leverage, and certain classes of terms are inherently abusive to consumers, therefore even if a consumer "agrees" to them and signs a contract including these terms, they shall not be considered binding.

GDPR extends this concept also to consent for processing private data - there are some ways how that consent can be granted and received, but contracts of adhesion are not (will not be when GDPR comes in force) one of them. In particular, GDPR specifies that anything included in such a "take it or leave it" contract is not considered "freely given" consent and thus such a contract does not and can not give you any rights to use that data, no matter what is written there.

boomlinde8y ago

The cookie banner does not put me in a "take it or leave it" position. By the time I get to learn of the terms—by any reasonable definition a prerequisite for consent—the other party has already set a bunch of cookies.

s73v3r_8y ago

Contracts of adhesion are almost universally derided as being quite one sided and shitty to people.

a_imho8y ago

How is GDPR different in this regard?

iagovar8y ago

But op-int for what? For being tracked? Using you data? Just showing you an ad?

mzielOP8y ago

You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.

TomMarius8y ago

Defend it? What happened with "innocent until proven guilty"?

4 more replies

j / k navigate · click thread line to collapse

0 comments

askvictor8y ago

tgsovlerkhgsel8y ago

Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.

So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:

b) stop tracking users unnecessarily in general

As it is written, the options are:

a) implement an opt-out globally across the entire site to ensure that no part sets a cookie and doesn't track the users, with a high risk if you get it wrong

b) slap an annoying banner on your web site

One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.

haeffin8y ago

akvadrako8y ago

Unless you are charging for the content, I suppose.

xg158y ago

Not tracking users.

From what I understand, the GDPR also disallows denying users access to a site if they don't consent to an unrelated data collection.

kuschku8y ago

Websites in the Netherlands (and German public broadcasters) already follow the original ideal:

Before accessing the website, you get a choice between yes and no.

If you select no, the site will not do any tracking, no analytics — some sites disable ads in that case entirely. You still get to access the site.

If you select yes, you getthe tracking.

BukhariH8y ago

Honestly asking... Does anyone ever click yes?

1 more reply

whyever8y ago

No, you could outlaw degrading functionality, which is what they are doing in the new law.

askvictor8y ago

How do you do this for services where functionality is reliant on tracking etc? E.g. some of Google's services.

2 more replies

a_imho8y ago

IMO the cookie law was good and (ianal) but a banner in your face is not consent, not in an opt-in way at least.

vageli8y ago

[0]: https://en.m.wikipedia.org/wiki/Standard_form_contract

PeterisP8y ago

boomlinde8y ago

s73v3r_8y ago

Contracts of adhesion are almost universally derided as being quite one sided and shitty to people.

a_imho8y ago

How is GDPR different in this regard?

iagovar8y ago

But op-int for what? For being tracked? Using you data? Just showing you an ad?

mzielOP8y ago

You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

TomMarius8y ago

Defend it? What happened with "innocent until proven guilty"?

4 more replies

j / k navigate · click thread line to collapse