a) the cookies are necessary for technical reasons. This means you don't need to ask for permission
b) the cookies are for marketing, which means you must be able to decline without consequences
Half of the banners do neither of these things and are thus either unnecessary or insufficient.
Nope - 'decline' has to be the default assumption for GDPR compliance. You only need the banner if you want people to opt in.
That was his point. He was illustrating the absurdity he has to deal with.
Maybe the customer wants to not worry if some new developer is tasked with analytics and maybe this developer forgets about the cookie banner.
Some of the web sites I manage have sections in their Terms of Service outlining how we handle cookies, and store user login information.
These are web sites that store no cookies, and do not have user logins.
But whatever the legal department wants, the legal department gets.
When I feel generous, I chalk it up to Legal future-proofing the situation. When I'm not, I call it trendchasing.
In my even less charitable mood, I'd call it copy-pasting ToS templates to avoid doing work.
I'd call it a legal fig leaf, but it doesn't cover up anything at all.
For the homepage I'd say visitors message rarely so it is less useful. That said, the ones that do are usually the same who convert as they are already fairly qualified leads and just want a little extra info before they sign up.
The retargeting most of us see is the failed kind where you're trying to sell a fridge to the person who already ordered one two days ago, and you're the person who sold it, but your retargeting partner does actually support registering purchases.
[0] https://support.cloudflare.com/hc/en-us/articles/200170156-U...
Without this enabled, attackers know what your backend IP address is, so even if you enabled it later, they could continue to DDOS your IP directly, without doing a DNS lookup.
You'd only get what you want if you both re-enabled this and switched to different IP addresses.
How do you know that? Because they say so?
https://support.cloudflare.com/hc/en-us/articles/200170156-U... goes in some detail what the cookies do and (more importantly here) what they don't do.
[1]: https://ns1.com/blog/netlify-leverages-ns1-to-improve-perfor...
Also, the API for their dashboard was super slow for me. I mean waiting up to 10 seconds for every click on the dashboard or API interaction.
[1] https://git.sr.ht/~jamesponddotco/dotfiles/tree/master/.loca...
[1]: https://github.com/gkbrk/scripts/blob/master/bunnycdn-sync.p...
Also their pages load as fast as anything these days, no problem there either.
Super happy with BunnyCDN - even the pricing!
Has anyone tried something like that? Did it work? Obviously what you give up is retargeting but that may have to go anyhow.
If you leave cookies enabled everything just works just just as you would expect, with full conversion tracking etc. Some ad services try to optimize ads according to tracking data you send them, which obviously doesn't work if you don't run their tracking code.
You definitely need a "cookie banner" when using Simple Analytics, Fathom, or Plausible. Any service that accesses device information such as the URL needs permission from the user according to the ePrivacy directive.
We have consulted EU law specialists when building our upcoming analytics service that is as privacy-friendly as Simple Analytics, while still measuring important things like retention and conversions. More information:
What you are sharing is simply not true and I will clarify. A cookie banner is required when you store PII data. This is personally identifiable information. This includes, but is not limited to, an IP address, a cookie with a user identifier, ... You are free to collect data that is not part of this without a cookie banner. You are also referring to a URL as being device information; this is not device information but basically a page view. You are allowed to collect page views and URLs that are linked to these page views with a cookie banner.
You are describing retention for your business. That's only possible with a cookie banner. It makes perfect sense because you need to calculate retention somehow. If you can calculate retention and conversions you are tracking a user. So you need a cookie banner.
Cookie banners are also a thing that is implemented on the web in many wrong ways. You should always have a way to disable cookies. Just an "accept all cookies" is legally invalid under the GDPR. The ePrivacy directive was already in place before the GDPR, and the GDPR is somewhat a clarification of it.
Simple Analytics does not use cookies and does not require a cookie banner. We don't track your visitors and don't calculate retention or conversions. If your service does this, they are tracking your user and you might need a cookie banner.
The ePrivacy is just a _directive_ and doesn't oblige anyone to anything. It's the local laws of Europe that do. We have compiled a detailed list of all the European countries and the respective laws that require an analytics service to use an opt-in or opt-out style banner. [2]
Retention is not possible without cookies or localStorage, but you can measure retention without storing or processing any PII information.
[1] https://volument.com [2] https://volument.com/learn/data-privacy
If you don't trust my word on this you might want to check out the official stance of the European Data Protection Board on this (from 2019): https://edpb.europa.eu/sites/edpb/files/files/file1/201905_e...
The EU is working on an ePrivacy regulation btw, which will indeed replace the ePrivacy directive, but it's not likely that it will be passed before 2021 or 2022.
In what country? There is certainly no US law to my knowledge, that says that.
don't use cookies.
saved you all a click.
- It's a WooCommerce store. WooCommerce stores one persistent cookie to keep track of your cart. I had to hack up a little snippet of PHP code to turn that into a session cookie. It's not quite documented behavior, but the hack feels robust enough that I can live with it. (Session cookies are allowed, as per GDPR.)
- YouTube embeds had to go, as even their youtube-nocookie domain sets cookies (thanks, YT). Vimeo has a "dnt" option that seems close to what I want, but it still sets some ID in localStorage, which the GDPR views as equivalent to cookies in this regard. So my current workaround is to just have the video thumbnail and link to the proper video on YT, but that sucks because now my visitors leave the website.
- Replaced Google Analytics with self-hosted Matomo, carefully configured to not set cookies (it's not trivial), which now regularly brings my cheap hosted server to the limit ;-)
So even a relatively simple website that does little fancy is not easy to get free of cookies.
Would you have a source? Reading through this page[0] I don't get the impression this is right. Session cookies are cookies nonetheless that can be used to identify users and if they are used that way, consent should be asked and given before usage.
I think cookies would be great if they weren't abused as much.
(not saying the site is using any alternative approaches, I think their ambition is laudable)
From what I understand functional cookies are excluded from the consent banner.
So I think you are still required to inform users of the cookie usage, the purpose of the cookies and link to the relevant Cloudflare privacy/cookie policies.
Plan to redeploy your production server to a new IP address too since the attacker will still be able to hit it directly.
Though I'm disappointed to hear that one of the conclusions seems to be there's no privacy-focused chat vendor that does something as simple as not collecting identifying information on users until they interact with the chat app, with integrated consent collection (which is essentially what they've implemented with their fork).
Maybe the wider HN community might know of such a service?
- https://github.com/LiveHelperChat/livehelperchat
There is an older law called the ePrivacy Directive that regulates cookies. Under this law, cookies require consent even if they are not used for tracking, unless they are strictly necessary for technical reasons. This law is a big pain in the butt because many reasonable and legitimate uses for cookies aren't "strictly necessary."
The ePrivacy Directive technically applies to reading or writing data from a browser, so it will equally apply to any fingerprinting method you care to think of.
There's a cookie banner on google.com, but no way to decline.
I did not use any stock illustrations for our logo; the idea was thought up by me and subsequently digitally illustrated by me also. I've had my logo/branding both partly and fully copied time and time again, and while seeing this is a bit annoying, I'd chalk it up to "heavy inspiration" over outright copying. That being said, Leave Me Alone is doing great stuff in a different space and I am rooting for their success.
I am using Firefox Focus on an iPhone 7 running iOS 14.1.
12K hits for the blogpost, HN is the top traffic source with 7,5K referrals.
I love your service because I can easily get rid of crappy newsletters, but I don't care if a website is tracking me and I'd prefer if you'd spend more time on the product instead of this bike shedding.
I understand the marketing plan and getting traffic from HN and I respect that, but as a user, I'm slightly put off by this.
I hate crappy emails like I hate cookie banners. It's not because of privacy concerns, it's because it's a PITA.
This is pretty much how I got started on https://panelbear.com
Feeling super lucky as I just launched last month and already several hundred websites are actively using it.
There is a free plan if you just want to try it out.
We e.g. offer an open-source consent management solution that is compliant with GDPR (as much as you can say that with confidence) and which you can self host: https://github.com/kiprotect/klaro
Building sites without cookies is possible but it's a bit extreme IMHO. Properly scoped and limited first-party cookies do not pose a large privacy risk to individuals and can make certain legitimate use cases like analytics much easier (or even possible, in some cases).
IMO, the "cookies banner" does not help to make the internet safer; it only worsens the UI. Add a few more banners and there is no content left. How many people who don't know how the internet works hit "Disagree" if we still refuse to pay for e-services?