I'd like to point out how this law is hurting the web.
When the onus is on the developer to ask a user for permission, the user is forced to trust the developer. For example when a website asks me if they can store cookies in my browser, and I say no, there is no easy way of me knowing if that site is actually listening to me.
Wouldn't it be cleaner if the burden was on the browser to ask us for permission?
In iOS for example, the operating system asks you if you'd like to grant an app access to your camera... not the app itself! Imagine we had to blindly trust an app to not use our camera, without any help from Apple. Mayhem!
Instead, the EU mandates that developers ask permission. Developers place a stupid looking div filled with legal jargon on their homepage. We roll our eyes and click accept. Good actors (who respected our privacy in the first place) continue to respect our privacy. Bad actors continue to ignore it.
I'm surprised this isn't a standard feature built into browsers. Seems like it would be obvious to have a level of granularity between accept all first-party cookies and accept none.
Edit: to clarify, I don't think setting cookies is the issue (and not worth the UX hassle to ask everytime); the issue is storing the cookies for longer than the interaction persists. To me, it's analogous to someone remembering who you are during a conversation vs adding you to their rolodex and storing that info indefinitely.
I'm pretty sure Firefox & Chrome have similar functionality.
I've mostly switched back to Safari ...so I look forward to getting this option in a decade or so.
In all seriousness, this would naturally fit into the new Safari "Websites" permissions in Settings. Right now cookies, databases, HSTS policy, and local storage are still in the old "Manage Website Data..." window, which would seem redundant now.
Just so long as the ML algorithm is open source and entirely personal – having a company decide which cookie is good would be easily abusable.
EDIT: According to [2] and [3] it seems the behavior was triggered by about:config network.cookie.lifetimePolicy set to 1 (ASK_BEFORE_ACCEPT), but the meaning of 1 apparently has changed over the years. At least setting it to 1 doesn't trigger any cookie dialogs in my Firefox 70.0.1 (64-bit).
[1] https://www.ghacks.net/2016/02/05/firefox-44ask-me-everytime...
No, you definitely don't want the web browser to ask.
https://bugzilla.mozilla.org/show_bug.cgi?id=570366#c1
"This option isn't supported, last I checked"
What a reason. They decided to remove it because it "isn't supported"? So much for "open source" being better at "do what users want"... if you personally don't need that option, fine, don't use it. But don't go taking away things that a lot of others want.
I get extremely angry whenever I see discussions like that. You can read and even participate in them, but your opinion is ultimately useless because you're not part of some privileged group who makes all the decisions about what to do with Firefox. It's no better than proprietary software where your bug reports are similarly ignored, besides being possibly a little bit easier to patch.
If the actual backend doesn't support that option, it's indeed a problem that the UI offers it, especially if it's causing a bug. The question if it should be supported is unrelated to that, and not really a topic for that unrelated issue. I've certainly had my own bad experiences with Firefox issues, but that's not a good example.
A user brings up the amusing parallel that Mozilla shouldn't block popups for the same reason they don't want to block the page visibility API.
Of course, it's not quite as simple as "first party cookies fine, third party bad", since when you're on a domain like google.com for example, a whole lot of tracking goes on with first party cookies. But still, that can be dealt with. If I were coming up with a regulation (be it enforced at the browser or site level) it would make a distinction between first party cookies on domains serving up to X users per month, first party cookies on domains serving over X users per month, and third party cookies on all domains. The first of those categories could, I think, be unregulated. Save messages and/or restrictions for the other two and I think it would go a lot further toward achieving the goals of these sorts of initiatives, while being much less of a useless annoyance.
Firefox is going in this direction somewhat with their default blocking of third party cookies, but there's nothing they can really do unilaterally to treat first party cookies on google.com differently from bobsblog.com.
If you tell the browser no, it would just block the site from storing any info in the browser. It would ask you once only the first time you visit a site, and you can change it whenever in the toolbar. Problem solved, no?
That is absolutely not true.
Consider, a computer virus is only doing what the OS/hardware allows it to do. By your reasoning that should be absolutely acceptable in all situations as TCP/IP is an API.
Oh?
I'd love it if that were true. But increasingly, it's not.
Take the YouTube app on iOS. It has no extension functionality. And it's de facto the YouTube browser.
Is it a web browser? Depends how you look at it. YouTube is the web of videos.
Even if we're talking about the actual web, Chrome on iOS doesn't seem to be configurable with extensions. Certainly not easily reconfigurable. In fact, Apple blocks apps that become too configurable, like Expo's old "Scan a QR code and now see your app running immediately" functionality.
Sadly we no longer seem to live in the world where you're encouraged to reconfigure anything.
Food for thought: how about advertising companies needing to ask people for consent for showing them the ads; your local post asking for consent for delivering tou junk mail; etc... Lots of things are taken for granted and we just have to cope with it
I also recommend using Cookie AutoDelete for Chrome [0] or Firefox [1]. You can define a whitelist of websites where you actually need Cookies (because you want to stay logged in), and the rest will be forgotten when you close the tab. It even allows different rules in Firefox Containers.
0: https://chrome.google.com/webstore/detail/cookie-autodelete/...
1: https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
That's also my interpretation. If you use cookies for session state, authorization, then it's no problem.
The problem is that every website decided that they needed to track users. Or that asking for permission would minimize liability.
However, what counts as reasonable hasn't been explicitly defined. The UK government considers it fine to use a header that automatically disappears after awhile (i.e. no need to click "ok"). But other governments may view it differently so I can understand some large organisations being cautious.
The real problem here is the lack of enforcement of the regulations. The majority of GDPR consent prompts are obnoxious because they aren't actually compliant - compliant ones are much more pleasant. See this comment I just posted on another GDPR thread: https://news.ycombinator.com/item?id=21429666
Finally there's this misconception (it could be a lie perpetuated by companies looking to profit from GDPR-related consulting, or those looking to push back on the regulation by making it seem more annoying than it actually is) that all cookies require consent. That is blatantly false. Cookies to store site preferences (like language, font size), shopping carts or login sessions don't require consent as they're necessary for the functionality you're trying to use.
And none of this farce would be needed if sites wouldn't track individual users. Showing ads don't require tracking individual users (and retargeting is frankly BS)
Even if you’re completely cynical about being compliant with GDPR I would imagine that not having popups like that at all is more compliant or less likely to get you in trouble than having those flagrantly-non-compliant ones...
GDPR violations are so ubiquitous that regulators can't possibly go after all of them.
As long as you aren't a particularly juicy target and are doing the same things that everyone else is to pretend to follow GDPR, you probably aren't going to be among the first enforcement targets.
https://www.technipages.com/wp-content/uploads/2014/07/IE-Ad...
Edge is dumbed-down and removes, among other things, that option:
https://answers.microsoft.com/en-us/edge/forum/all/cookie-co...
A browser popping up a prompt saying "google.com wants to store a cookie, is that okay?" isn't enough.
The design of these cookie and enhanced data protection laws is that websites need to spell out their intent. To tell people what data they're storing any why. Yes, you could code that into headers and have the browser relay that information, but that's the stalemate we're in.
https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
I think they compartmentalize each tap until it is closed. Dunno if it only clears cookies or all other forms of storage.
Cookies get all the bad press when there is many other ways to store data. Or does the word "cookie" encompass all forms of persistent storage?
https://www.reddit.com/r/worldnews/comments/7h28hi/google_co...
We’re only in the midgame of this particular regulation— the rules changed “suddenly” and specified outcomes rather than methods. Regulators and businesses are in the messy stage of negotiating best practices as businesses change as little as possible and regulators give fines for misconduct.
The hope is twofold: that enough users will opt out to make problematic business models less profitable, and that the lower user friction of models that don’t require tracking will become relatively more successful. Neither of these goals is served by allowing a blanket permission setting.
Browsers give you all kinds of opt-out capabilities, if that's something you're interested in. The fact is, most people aren't interested.
edit: mea culpa, I somehow missed bunch of keys and there is a missing negation in my comment which should read "But those opt-out capabilities aren't as clear-cut as most of GDPR banners." I mean: the UI isn't there to opt out of affiliated adtech networks or to store the amount of details the user is willing to share.
Even something as simple as a unique identifier can be used for both helpful and malicious ends. You'd need to read all the code pertaining to it to have a clue if it's something you should accept, and you can't ever know what the server's backend code is, even if it claims to be open source (it can always be running extra components that are not developed in the open).
So, opt-outs are inherently a flawed idea, at least with any granularity.
Turning off cookies entirely in your browser then opting all-in for sites you choose to trust is about all you can reasonably do.
If we add a mechanism to allow the OS to handle cookies, bypassing possible untrusty browser vendors. We won't solve much and create a false expectation, while (arguably) break more than we fix.
This doesn't mean we shouldn't, but if a method is found, it should include a significantly more comprehensive form of anonymity.
--2 cents
There was a time wayy back when a browser would prompt user when site requests to push out a cookie [up to about mid 90's AFAIR], but that was before the web was hijacked for commercial interests.
now there are often so many cookies with the typical website that a manual dialogue would waste all your user time.
so i think thats where the decision was made to include all cookies, in one broad permission setting.
There’s unfortunately little difference between cookies used to keep you logged in and to track you. Therefore no cookies = log in every time. As long as you’re ok with that, go for it!
Basically, the form is only required if you're doing something nastier, like tracking.
I've never understood why sites just run with the concept and implement the "permission form" when it really isn't required for good actors.
https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies#sect...
ps: for firefox I use "cookie autodelete" extension https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
With the current situation, there often isn't even a no button! You're required to click yes. And then if you ever clear your cookies, it pops up the box another time.
Additionally people who don't like the popup can simply go into their browser settings and say allow for all sites.
This is only partly true for web browsers. Google, Mozilla and Microsoft have addresses. But what all the browsers that have forked from open source projects? If someone forks Chromium and adds nasty features, how do you track them down if they did everything anonymously?
More to the point, if a law is passed that says "all browsers must do X,Y and Z". How to you enforce that in a world where open source is so prevalent? The big players may add the requirements to their flagship browsers, but if those browsers have open source underpinnings they have no control over the forked versions.
It's the publishers who are abusing browser capabilities, its much easier to force them in to compliance rather than trying to legislate how browsers work.
Easier to enforce it on browsers than EVERY SINGLE website that uses cookies for tracking, no?
