Adtech companies don't want users to have an easy opt-out. They didn't want P3P. They didn't want DNT. They will not want this new spec, unless the spec is so bad that most users will agree by accident.
The annoying and confusing cookie banners are a feature. Besides making people agree through confusion or attrition, the banners are malicious compliance. Adtech companies putting them up want you to be pissed off at the banners. They want you to associate them with privacy, and conclude that privacy laws are pointless and should be repealed.
We're fighting the ad and tracking industry here, the internet equivalent of a gang member with a shiv and a length of pipe. I'm not going to fight nicely. I'll deny you any chance and any method I get.
-- Banksy
It ruined print when every other newspaper and magazine page had an ad mixed in with the content. Sure you could get the paper for free, but how much content are you actually reading?
It ruined television when an hour-long show is interrupted several times to show 15 minutes of ads.
And now it's ruining the web with the advent of ad tech and the brilliant minds that get paid millions to think of new ways of squeezing more value out of people's attention. Web sites are riddled with ads now even worse than in the popup days. I have to navigate a legal minefield of dark patterns to ask them to please not track me or sell my data.
These are just the ways it ruins content and user experience. What about the misinformation? The lies from the tobacco industry, the political ads that overturn democracies, astroturfing and embedded marketing...? The list of shady and downright evil practices is too long to mention.
Advertising is a scourge on humanity. It needs to be strongly regulated and companies as influential as Google and Facebook need to switch to user respecting business models, for the sake of all of us.
Not just that, but I’ve never seen a cookie banner that does anything. Cookies get sent down with the page on the initial load. Whenever I’ve opened an inspector to see if cookies get unset by JavaScript in response to my “opting out,” I’ve never seen an effect. The same cookies get sent after I opt out: no change. Has anyone seen a cookie preference banner that actually does something?
https://www.gov.uk/, https://www.nhs.uk/, https://europa.eu/, https://home.cern/, https://www.bundesregierung.de/ (maybe), https://www.dr.dk/ (maybe).
They all started with a single "agree" button, then went to "agree/disagree" with no effect and are finally starting to come around to a functioning disagree button.
GDPR also helps here, as it defined what identifies an individual and that made most of the tracking PII even when it's all merged by a random ID that stays with the user. The effect is slow, but it's starting to work.
Hopefully the next step will be abandoning cookie banners and only using technically required cookies(don't need conset) and/or non-identifying tracking for aggregate results. This is a massive improvment on UX and actually gives the company more quality data that doesn't identify any single individual.
I'm personally pushing for aggregated tracking in my current company. It's an uphill battle, but one that can be won I think.
Once in a while I read/learn something new at HN that changes my perspective on things. This sentence is such an example.
Until the law that defined informed consent actually get enforced, a new law can not really fix it unless the regulators start to add the threat of jail time to repeat offenders.
What is different this time around compared to P3P, DNT, and other earlier mechanisms is that the times have changed. Privacy is a much bigger topic. There is much more reporting now about privacy. Users understand a bit better better (though, we are still far off from real transparency). Lawmakers and regulators are catching up. Many companies embrace privacy. There is a burgeoning privacy tech industry with quite a bit of venture funding.
Also, lessons were learned from earlier efforts. CalOPPA required recipients of DNT signals to only say whether they respect those. The CCPA regulations now require actual compliance. If the CCPA is applicable to your company, you have no choice but to respect it. And that is also true for automated browser signals. There is much stronger enforcement now behind more recent privacy laws. Virginia and Colorado recently enacted privacy laws, and it is likely that other states will do to.
Disclosure: I am an academic researcher working with collaborators of all stripes on Global Privacy Control (GPC) [1, 2]. We are in touch with the good folks at ADPC and support their work. They are doing a fantastic job over there!
[1] https://globalprivacycontrol.org/ [2] https://github.com/privacycg/proposals/issues/10
Capital and technology need not respect sovereign borders and laws as long as they can keep one step ahead of enforcement and still get enough revenue. The laws and lawmakers are fundamentally slower and weaker and poorer; by the time CCPA et al have an actual deterrent effect (beyond just mandated privacy notices), the industry will have moved on to some more sinister loophole.
It's an arms race that 1700s-style government simply cannot keep up with. It takes months to come up with new algorithmic loopholes, decades to change the law, one industry-friendly administration to undo all the progress.
Offloading privacy to government only works when you have strong states (China, the E.U. maybe). In the US, what's left of the federal government is too crippled to effectively tackle this (and arguably any technological problem) at scale. State-specific laws are subject to the same constraints, and additionally face the problem of enforcement across borders and Commerce Clause issues. If anything this will be an arms race between adtech and adblocking; Congress is the kid in the corner crying, "But I wanna play too!" and pretty much shrugged off by everyone else.
This is a sentiment expressed surprisingly often even here on HN.
And as the Sinclair adage goes, it is difficult to get a man to understand something when his salary depends on his not understanding it.
I remember spending a silly amount of time trying to come up with a P3P policy that was both accurate and also didn't break sign-on for a single app that used multiple domains.
Granted though that enforcement of the existing rules seems to be the biggest problem today.
Reminder that Internet advertising has a lot of actors with competing interests, and it is not usually the "adtech companies" who don't want users to have an easy-opt out, but publishers and to a lesser extent the advertisers. Many "adtech companies" would love to have clearer legal signals and simpler, industry-wide justification to collect less data.
Publishers have been very good at foisting all user frustration off on vague "adtech" (or alternately, adtech companies have been effective at reputation laundering for publishers/advertisers) but they're the ones that want to collect, share, and sell the data to be able to raise their rates.
advertises will pay higher CPM for precise targeting and attribution
publishers want the best CPM they can get
adtech uses as many tricks as possible to get as much information as possible about a user so they can maximize the CPM the advertiser will pay
Publishers just end up doing what ever their adtech partners tell them will give them the best CPM.
That won't stop them from additionally using cookie banners, out of spite. But I suspect many websites that currently have cookie banners only have them because they believe it to be necessary, and it's hard to push back on it. If such a spec came to be recognized as a way to obtain consent by regulation, it'd make it easy to point its way, and at least end the madness of cookie banners on websites that don't need it.
I agree. But I don't think it's because adtech want you to think privacy is shit; I think it's because by compelling you to click, they can run Javascript in the context of a user gesture.
I want a plugin that automatically says "OK" to cookie banners. My browser already blocks 3rd-party cookies. It only allows session cookies. Cookie banners are like fire-hydrant CAPTCHAs - they masssively increase the friction that web users have to deal with.
They also legitimise other kinds of popup window that websites present. I've noticed more and more popups appearing on first visit to a site, inviting me to subscribe to a newsletter or whatever. You often see a cookie banner, followed by a newsletter popup, followed by a Google login popup. Who knows, maybe there's a traffic-lights CAPTCHA.
Then finally you're into the site, and it turns out to be Washpo or NYT, and you can't read the article anyway, because it's paywalled.
Can we have our open web back please, mister?
Why would you want that? Even if you delete 3rd-party cookies that would still allow tracking companies to log your IP and track you through some other shady means which you've now consented to.
Try “I don’t care about cookies” :)
The emperor is naked. The GDPR law is broken.
All this noise about cookie privacy, fingerprinting, FLoC, tracking, etc. --- what are the actual harms that make these things bad? Has anyone in the real world ever experienced a concrete harm arising from interest targeting? Doubtful.
The EU privacy regime imposes a heavy regulatory burden in exchange for nothing. Information is a non-rivalrous good. Further limiting its dissemination will increase friction all over the internet, impose new transaction costs on previously free interactions, and make the whole network less useful for everyone. And for what? Assuaging the paranoia of a tiny fragile and vocal minority of privacy activists? Sorry, but that's not worth breaking the internet.
And this ability is currently asymmetric. While Big Tech and Big Govt knows nearly everything about everybody, ordinary citizens are denied data and transparency. And even if the data may be hypothetically available, its scale precludes analysis by anyone except highly funded groups.
Lack of privacy does translate to enormous soft power. It doesn't have to result in death, although the potential is there for that too. Democracy and individual liberty become meaningless except on paper.
I'm not sure that's what we want, in exchange for a few conveniences in the palm of our hands.
The kind of question can only be asked by someone who has never been abused by a domestic partner, never been on the wrong end of debt collectors, the law, disgruntled employees, doxxers, or other real and persistent threats that are enabled by the data collection and aggregation that is the foundation of interest targeting.
I feel like the current state of cookie consent is completely broken, partly due to the complete lack of enforcement, and having a browser-specific setting that propagates to all pages would be great -- but again you have to think about incentives. If pages are not required to accept these settings, their incentive is to ignore them and to claim that since it's unfortunately not supported "yet" (read "ever"), you still have to wade through the cookie form.
What I would like is to be able to whitelist domains in content security policy and reject everything else by default.
Like those that make you uncheck 10 or 20 entries one by one.
If you only accept a spec like this there is no way to pretend to be legal other than to accept it anymore. Make custom cookie banners totally illegal. Force the use of this. No dark patterns, no semi-legal trickery. Either you use it and accept it, or you don't. Take out the grey area.
The EU GDPR no longer applies in the UK because the UK is no longer a member of the EU. The EU GDPR has been incorporated into UK law (as the UK GDPR) but there's nothing preventing the UK Government varying it at any point in the future[2]
[1] - https://europa.eu/european-union/law/legal-acts_en
[2] - https://ico.org.uk/for-organisations/dp-at-the-end-of-the-tr...
This won't work:
- browsers other than Chrome will say "no tracking" by default, tracking companies won't like that
- websites will ignore this, this will be known and people will be upset even more
- more javascript when we want less
notice that if you disable javascript by default most cookie banners disappear and everything becomes better. Then you can enable it per-site if you need something in particular.
I usually allow images on every page, that's it. Some need CSS, some need iframes, and a small subset of websites I visit are actual webapps that need javascript.
They will absolutely not accept going back in time just 5 years in terms of revenue. They will fight to the death over every dollar.
They think if they keep badgering you enough you will eventually cave and say yes.
I hope free software micropayments payperview can be part of the web! Maybe with GNU Taler or Offset by Freedomlayer[0]
I honestly think there’s a good case to be made for banning advertising entirely, and replacing it with a societal stipend for art and media, or at least restricting it to specific places. The back of newspapers, for example.
I’m sure there are plenty of problems with and arguments against the idea, but it’s definitely worth discussing
Some people do. I would like to see relevant ads (of good special offers especially) if somebody could guarantee the ads are going to be humble and unintrusive), the goods advertised are of high quality and no-scam, the information they get from tracking can not be seen by any 3rd party (including legal authorities) and used for any purpose other than good recommendations under any circumstances ever.
When I just finished school I didn't mind cookies (and actually hoped ads relevance was going to increase and increase) because I didn't think about the dangers which come with them.
There are people who still believe they have nothing to hide and don't mind relevant offers.
If this movement is not backed by major web players, probably nothing will happen.
All my friends and family just click the CTA, "accept", "I'm OK with that", "Mmm cookies yummy!"
We have a home button. We have forward and back. We have 'bookmark' buttons, which many people understand. A big 'COOKIE' button, on the main browser UI, that clearly show cookie info, with a big "GET RID OF ALL COOKIES" trashcan button right there.... that would have prevented 90+% of the scare and legislation efforts from the start.
I looked for "clear my cookies" - in 2021, it's still click '3 dots' or something else, then click something, then click something, then confirm. https://its.uiowa.edu/support/article/719
"But there's so much nuance - I want to keep some, and not others, etc".
We didn't have this many choices in 1998. My point is giving a big honking "get rid of it all" back then would have changed the trajectory of the entire discussion. It still might.
I've lived through 2 decades of having to deal with support people trying to help users "clear your cache" or "reset your cookies". "Private mode" does help to a degree, assuming you're dealing with somewhat tech-savvy folks.
Opera and others didn't bother to make cookie transparency a big priority either. :/
More to the point, it was poorly exposed/managed well before Chrome.
The button you suggests cause more harm than good. Because people don't understand the cookie and think "is this button delete unnecessary data from my computer? Why not" and click it. Now all the legitimate data that were saved on their local storage is gone and they complains.
Not necessarily. Cookie !== localStorage (although... localStorage didn't exist at the time, IIRC).
My point was "we" (it/tech folks, but mainly browser makers) got ourselves in to this mess in the first place, and rather than making things more obvious and easier to deal with at that time, we seemed to double down on more obscure UIs.
I swear, pretty much every Netscape release, and later, for years, every other Firefox release, changed where/what/how cookie mgt was located in their UI.
"most people don't understand what cookie really is"
And that's... whose fault? Putting a big-ass 'COOKIE' button, with transparency in to what data is there, with quick options to remove it all, would have gone a LONG way to normalizing understanding. See some unknown shit in there? Delete it. If enough important things start breaking after deletion, people would have adapted (either users, or developers).
"delete unnecessary data" - there's pretty much nothing people put in cookies that is truly 'necessary' for most folks.
We didn't give people usable tools to manage this stuff, so eventually people turned to legislative means.
What about site statistics keeping? If say a newspaper collects statistics about visitors to their articles, and does browser/user tracking by implementing cookies, for __internal__ use, rather than selling data to third parties. Is a cookie banner still neccesary for that kind of consent?
Personally, I don't care if my IP appears on any website log that I have visited, or if a unique cookie ID becomes present on the site until I clear my cookies. If i cared about my IP being tracked, or cookie IDs like that, I would browse using a VPN and "Private mode" in browser. What I do care about is the complex browser fingerprinting that keeps track of (essentially) my entire browser history, externally, with everything from my google searches, youtube videos, online purchases and website visits being visible in some kind of giant aggregate form.
Basically compare it to being videotaped when entering a store. Yeah sure, I might be a bit irked by the camera but I don't care too much. Comparing that to putting a camera on every street corner, and using facial recognition to generate a day by day pattern of all my visits to all stores the last 30 years, and I'm not a happy camper any more.
I would even go as far as cookie banners for the above tracking scenario, where you are tracked completely, should be illegal. That kind of "consent" can't even be gained by just clicking a <button> on a website, it would require a valid ID and signature at least.
And on the other hand, the "internal store videocamera" taping customers as they enter, perhaps even applying face recognition software to count unique visitors per year to the store, is hardly worth the hassle of a clicking a cookie banner personally. I'm certainly not averse to a position of not wanting to be tracked when entering a store or a webpage though, and if someone has a personal need to not be tracked like that, they should be able to apply basic non consent based tools to avoid being tracked. Like wearing sunglasses and a cap when entering the store, or browsing using a VPN.
You don't need consent to store the IP in your server logs because that serves an undeniable legitimate interest for detecting abuse and diagnosing issues. However, you cannot use that information to generate statistics without consent.
As others said, gather as little as possible, for as short as possible, with a simple explanation and you should be golden. Lazy implementations (slapping Matomo on a server and calling it a day) do not comply with "as little as possible", and limitations in your tech stack ("we use cloudflare so we HAVE to use a cloudflare cookie") don't count either; it has to be as little as possible for the functionality to work, not for your developers to be comfortable.
Consult a professional for legal advice, but most websites don't strictly need consent popups. The advertisers do, and the marketeers want as much info as possible as well, but on a technical level, there's no need for most reasonable use cases to have a consent form. It all comes down to the bad decisions the website owners make.
I think it's disgusting that tracking has become the standard and opting out needs to be something special only some people can choose to do. Your comparison works for self-hosted monitoring (though I doubt a business that loudly proclaims, in text and audio so blind people can enter as well, that it tracks your ever move will get much business). However, most websites use third party trackers, so the comparison becomes closer to your own personal entourage if men in trenchcoats, following you around and occasionally writing something about you down.
Any kind of private information you store or share needs consent.
This is why plausible.io doesn't require consent, but Google Analytics does.
Having said that my understanding is you don't need consent if the information processed is not personally identifying. The gdpr text is also quite clear that consent is just one of a number of legal bases for processing pii and there are a whole bunch of provisos for relying on it (which are still ignored on most sites)
For your stats use case I think the best option would be to store and log anonymized stats that wouldn't be considered personally identifiable information. And then you shouldn't need a consent form.
You can collect statistics all you want if you anonymize data such as IP addresses. But you can't collect and store PII (or even aggregate data that can be used to identify a certain user, aka fingerprinting) without consent, or without having a legitimate reason.
By legitimate reason I mean that you can freely collect information that is strictly necessary for performing tasks expected by customers. For example, you don't need explicit consent to collect a customer's address for delivering a package via Post. You can also have a cookie for login without requiring "cookie banner". However, you can't repurpose data you collected legitimately for other purposes, such as sending spam.
(Please notice that legitimate reasons don't include anything marketing-related, spam, selling to third parties. "Legitimate interest" in GDPR means the legitimate interest of the customer, not of the business)
About fingerprinting, if it can be used to identify single users, it becomes PII. This means fingerprinting also falls into GDPR.
If it's opt-in, hidden inside browsers settings, effectively no-one will use it (e.g. current cookie blocking settings).
If it's opt-out everyone will use it (see e.g. Apple's recent "This app is asking to track you across the internet, do you want to allow it?".
Question is, why make it complicated with a spec like this. Better to just agree to block all cookies, or to allow cookies.
If it's opt-out and everyone will use it, ad companies will completely ignore this spec and keep tracking you.
The Internet is entirely in the hands of an advertising company. 90% of Internet users use Chrome and/or Android? Add Google Search and it's probably like 98%. Good luck with changing the status quo.
But I want some cookies and some I do not. Also I don't want non-cookie based tracking either. Having a binary choice for a subcategory is not very helpful to me.
It’s really not that awful. In fact, it’s kind of fantastic. I use a second browser (Google Chrome) for “signed-in stuff”.
Try it.
(Although the fact that I just posted this from safari reminds me I’m not 100% up to speed on which-browser-for-what-activity discipline.)
Problem solved.
Just as with Consent Banners, the website is still responsible for honouring your choices and not tracking you, either via Cookies or any other method.
One spec could be split up the JS api into stuff that manipulate the dom and stuff that access GPU and other hardwares that may identify the browser or machine. Safari seems to be the only one that is doing anything in that area.
There already is the do-not-track flag, why not just force everybody to respect it?
DNT is primarily about tracking, this new spec is more general and covers much more processing of personal data, and allows one to opt-in (or out) of specific instances of processing of specific (categories) of data.
I didn’t read the entire spec, maybe there’s stuff that replaced cookies in there.
Seriuosly, I reserve the right to expire, delete, manage and otherwise deal with cookies on my device myself.
Can anyone create a different standard with ONE flag - ACCEPT ALL COOKIES - SHOW NO BANNERS*
*User reserves right to delete, purge, modify, expire etc cookies on their device.
That's what I want.
This way you become mostly invisible to the ad and malware industry, no matter which browser you use.
Have JavaScript toggle next to address bar and keep JavaScript off by default. Most cookie banners will disappear.
Use Reader mode for daily news browsing. Most things will disappear except for main content. And it makes Internet less addictive.
The difference between swimming and drowning is subtle - flailing your limbs frantically vs relaxed movement. To many complex solutions will make us drown.
Consider swimming instead :)
At the top of the dialog a "decline"-button and to the right of it an "accept"-button. These buttons toggle all the toggles of the providers listed below those two buttons. You can then manually override each of the listed providers, which may be also grouped by purpose in order to ease selection. No nested dialogs are allowed.
Upon declination, one single cookie must get set, with a specific name, ie 'consent-acknowledge-status', with an expiry date of at least one week, where the consent selection is stored, so that it can be respected in future visits.
Why on earth this was not implemented in the first place on web browsers?
We (as a profession) shpuld try to eliminate cookie banners, while still allowing users to opt out.
