1. Client asks for something that is a dark pattern.
2. I outline that it is morally questionable to do that and give a suggestion on how it can be done otherwise.
3. Client insists that they don’t care or don’t agree because they feel as if it will bring in more money.
4. I end up building it.
I do have the choice to outright say no, but I’ve found that it normally comes down to a compromise. Some clients are not willing to budge but we can always steer them in the right direction.
I understand it’s hard to say no but it would perhaps be easier to say “we’ll build that but it’ll cost you 5x more because we would be taking a legal risk”.
Making the option to follow the regulation cheaper has to be the goal.
They might complain to their manager, even log a formal notice that they believe this feature to be breaking the law (if they are smart), but quitting a company for this specific dark pattern seems a bit unusual.
There’s a lot of amoralistic attitude towards FAANG on Hacker News, which honestly I find strange; Google and Facebook in particular are just giant douchebags with lots of cash.
If I tell my boss that doing xyz is illegal and he doesn't dispute it, I'm absolutely certain he would not ask me to implement it.
Certainly there will be shittier bosses that will ask anyway, demand it, and perhaps even go so far as to fire someone for not violating the law, but I should hope those in the last category are few and far between and there would be internal and/or external outcry over it. Even if you have a boss that wants to fire you over it and nobody cares internally or externally (I'd find this situation very unlikely), you'd still get unemployment benefits / severance / whatever is typical in your jurisdiction, since you were fired rather than choosing to leave yourself.
I don't quite understand what you're trying to say. If you were asked to kill someone, clearly you wouldn't say "what are you supposed to do anyway" and go off to find a murder weapon since the answer there is rather obvious. What makes being asked to violate a different law different? (Assuming you find the request morally objectionable, I've probably violated laws that I thought were counterproductive for everyone.)
I think a lot of these dark patterns would be even darker but for the push-back by some developers. Though I've been at companies where some workers are like robots and will carry out management's desires down to a T, even when the idea is total insanity. Some workers are immigrants who cannot afford to lose their employment or they will be thrown out of the country and potentially lose their partner and children.
When I have to work on my own projects, I generally avoid all dark patterns - I try to go as far in the opposite direction as possible, while still generating revenue. Though, with the torrent site I built once, it was "Anything Goes". You're already running an illegal site, might as well write something that bleeds the users dry if you can.
EDIT: I want to add that most of it was down to lack of technical knowledge by management. They were business guys who didn't know the Web. Most of the time they weren't trying to be assholes, it just appeared that way.
- Only a tiny fraction of all web devs read HN
- If business wants something done, the devs are rarely in a position to oppose the decision
I think so. There are many devs who are against government regulating the web and will happily code around them. HN is pro-regulation so it's either keep quiet or get downvoted to hell.
The customer in this case was rather non-technical and just wanted his tracking, so he wanted to have it like everyone else does. I/We actually told him very clearly that this is most likely illegal and talked it down a notch (from having "reject" hidden in the text), but he said he checked that with legal and we should do it. Losing the customer over this was really not worth it (especially since this is basically the way cookie dialogs are done everywhere), so we did what he asked, with our asses covered in case it backfires. I might send him this case, though.
On a side note, it was really hard to implement the cookie dialog correctly so that it only loads Google Analytics and our tracking when ok is clicked. We thought this was a solved problem, but nope. Especially when you want to delete cookies when consent is revoked. I would not be surprised at all if most dialogs actually don't work at all.
Often what happens is that someone (hopefully you) will raise the issue internally, but if the company decided to ignore regulations and take the risk of legal punishment, well it's not an engineer that will be able to stop it from being implemented. Hopefully such fines will make product owners and upper management consider the problem more seriously, but I wouldn't bet on it.
I made a client side firewall-esque library for Transcend Consent Manager so that site owners can load trackers immediately and locally quarantine tracking events for replay once consented.
This makes it possible to track like before but move the annoying cookie banner into an integrated UI so that site owners can ask for consent when the user is more invested in the site (e.g. during signup/checkout).
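The two mechanisms the comments above describe (loading the analytics scripts only after the user clicks OK and removing their cookies when consent is revoked, and quarantining tracking events locally so they can be replayed once consent arrives) fit in one small consent gate. The block below is an added example, not code from either commenter and not the Transcend Consent Manager library. The consent cookie name `tracking_consent`, the tracker cookie prefixes `_ga`/`_gid` and the `TRACKER_SRC` URL are assumptions.

```javascript
// Added example, not code from the thread or from Transcend Consent Manager.
// Assumptions: a first-party cookie named tracking_consent remembers the choice,
// and the trackers are known to set cookies named or prefixed _ga / _gid.
const CONSENT_COOKIE = 'tracking_consent';
const TRACKER_SRC = 'https://example.com/tracker.js'; // assumption: the real tracker loader goes here

// In-memory cookie store so the gate can be exercised outside a browser.
function memoryCookieStore() {
  const jar = new Map();
  return {
    get: (name) => (jar.has(name) ? jar.get(name) : null),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    names: () => Array.from(jar.keys()),
  };
}

// document.cookie-backed store for real pages. Deleting a cookie only works when
// Path and Domain match the attributes it was set with, and GA-style cookies are set
// on the registrable domain, so removal is attempted on every domain suffix.
// HttpOnly cookies are invisible to script and have to be cleared by the server.
function documentCookieStore(doc) {
  const parse = () => Object.fromEntries(
    doc.cookie.split(';').map((c) => c.trim()).filter(Boolean)
      .map((c) => { const i = c.indexOf('='); return i < 0 ? [c, ''] : [c.slice(0, i), c.slice(i + 1)]; }),
  );
  const labels = doc.location.hostname.split('.');
  const suffixes = labels.map((_, i) => labels.slice(i).join('.'));
  const expired = 'Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/';
  return {
    get: (name) => { const all = parse(); return name in all ? all[name] : null; },
    set: (name, value) => { doc.cookie = `${name}=${value}; Path=/; SameSite=Lax`; },
    remove: (name) => {
      doc.cookie = `${name}=; ${expired}`;
      for (const d of suffixes) doc.cookie = `${name}=; ${expired}; Domain=${d}`;
    },
    names: () => Object.keys(parse()),
  };
}

class ConsentGate {
  constructor({ store, loadTrackers, transport, trackerCookies }) {
    this.store = store;                   // memoryCookieStore() or documentCookieStore(document)
    this.loadTrackers = loadTrackers;     // injects the third-party scripts; runs once, only after consent
    this.transport = transport;           // hands one event to the loaded tracker
    this.trackerCookies = trackerCookies; // cookie names (and prefixes) the trackers are known to set
    this.quarantine = [];                 // events held back until the user decides
    this.loaded = false;
  }

  state() { return this.store.get(CONSENT_COOKIE) || 'undecided'; }

  // Call sites track as if consent were already there; nothing leaves the page until it is.
  track(event) {
    switch (this.state()) {
      case 'granted': this.ensureLoaded(); this.transport(event); return 'sent';
      case 'denied': return 'dropped';
      default: this.quarantine.push(event); return 'quarantined';
    }
  }

  // Explicit opt-in: load the scripts, then replay what was held back. Returns the replay count.
  grant() {
    this.store.set(CONSENT_COOKIE, 'granted');
    this.ensureLoaded();
    const pending = this.quarantine.splice(0);
    pending.forEach((e) => this.transport(e));
    return pending.length;
  }

  // Refusal or later revocation: drop the queue and remove the trackers' cookies. The consent
  // cookie itself stays, since remembering the refusal is what keeps the banner from reappearing.
  // Scripts already loaded cannot be unloaded, so reload the page after a revoke. Returns the dropped count.
  deny() {
    this.store.set(CONSENT_COOKIE, 'denied');
    const dropped = this.quarantine.length;
    this.quarantine = [];
    this.wipeTrackerCookies();
    return dropped;
  }

  ensureLoaded() {
    if (!this.loaded) { this.loadTrackers(); this.loaded = true; }
  }

  // Matches exact names and prefixed variants such as _ga_<container id>.
  wipeTrackerCookies() {
    for (const name of this.store.names()) {
      if (this.trackerCookies.some((t) => name === t || name.startsWith(`${t}_`))) this.store.remove(name);
    }
  }
}

// Browser wiring; skipped when the file runs outside a browser.
if (typeof document !== 'undefined') {
  window.consentGate = new ConsentGate({
    store: documentCookieStore(document),
    loadTrackers: () => document.head.appendChild(Object.assign(document.createElement('script'), { src: TRACKER_SRC, async: true })),
    transport: (e) => (window.dataLayer = window.dataLayer || []).push(e),
    trackerCookies: ['_ga', '_gid'],
  });
}
```

The gate only sees first-party cookies on its own origin; anything a third-party script sets on its own domain, or with `HttpOnly`, is out of reach from page script, which is one reason the revoke path is harder than it looks.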
each of these people may have a different viewpoint on what they want to happen and why
And they're thinking: "Yup, that's me. That's my handiwork, my impact on the world." And then they think: "But what can you do? R&V, R&V, R&V ..."
As in: rest & vest
These types of engineers will also build stupid stuff that doesn't work, because that's what the specification written by a group of business people who have never even looked at code before said.
It's also why frameworks like React are popular.
It's a bit sad, but each time you try to be nice and friendly, you get "raped" I feel, so well, might as well make some money off of some people to pay for when we get scammed ourselves.
The original saying (that I don’t necessarily agree with) is not about competence but about ethics: if every ethical person refuses to work in weapon manufacturing/ advertising / whatever is deemed morally unacceptable, then the only people that will do it are people with no morals and we will be worse off as a society.
So really, in this case the person just shutting up and doing it is already the worse fallback.
IMHO, as long as devs weren't trained on cookie law, they are not morally responsible.
If you want to block third party cookies you have always had a switch there in your browser options.
If 5 years after GDPR went into effect you still don't know what it is and why it exists, your company deserves to be sued into oblivion.
EU law very much is about cookies.
> ... the ePrivacy Directive (EPD) has become known as the “cookie law” since its most notable effect was the proliferation of cookie consent pop-ups after it was passed.
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> However, properly informing your users about the cookies your site is using and, when necessary, receiving their consent will keep your users happy and keep you GDPR-compliant.
We the people, through our democratic processes, have asked companies for transparency of their tracking process, and the industry has decided as a whole to say fuck off and made the process as painful as possible.
Yes, the companies are evil/stupid villains on this case. Not everything needs bloody philosophy.
Discussion of this point at the time:
Right. We should just be able to set a blanket "No" in our browser preference tab, and be done.
All of these garbage cookie banners are just as noncompliant as ignoring that setting would be. You wouldn't have cookie banners to deal with, but at least clicking through those now supposedly results in less data being tracked.
Not devs.
If that's not bad enough, having an "Accept all" button but requiring another click to have the option of refusing, then making us manually select each category to turn off, then confirming, is certainly not symmetric.
These large sites know exactly what they're doing. They're hoping people will become fed up enough to just accept, or they're hoping there'll be enough accidents where people click "Accept all". It's rather shitty.
That, and if there is a “reject all” button it is often only equivalent to flicking all the base check-boxes off, leaving their mirror “legitimate interest” options enabled. In fact, the “legitimate interest” checks irritate on their own: they basically say to me “we see your preference, but fuck you we still wanna”.
Agreed. The way the EU has handled this is naive at best.
> These large sites know exactly what they're doing. They're hoping people will become fed up enough to just accept, or they're hoping there'll be enough accidents where people click "Accept all". It's rather shitty.
Yes, and there need to be new regulations to prevent them from doing this. Something like:
(1) all web browsers should have a setting allowing users to accept or reject advertising/tracking cookies.
(2) this must default to not accepting them.
(3) in headers of http GET/POST requests, if the user allows advertising/tracking cookies, it should indicate this; if the user doesn't allow such cookies, it should be silent.
(4) all websites would be forbidden from using advertising/tracking cookies unless explicitly permitted.
(5) all websites and web browsers would be banned from nagging the user or giving them a worse user experience for not allowing advertising/tracking cookies
(6) The spirit of these regulations is that users need do nothing and they will automatically have a tracking-free experience; any work-around by companies attempting to find a loophole in this is a violation of the regulations.
(7) Violation of any of the above would result in heavy fines; and if infractions continue, further crippling fines would be levied.
How so? The law is explicit that it should be just as easy to refuse the cookies as it is to accept them. Companies are ignoring the letter of the law anyway.
The EU could have started fining everybody and unleash hell at unseen levels. They would have ended up bankrupting companies and people who added google analytics or AdWords to their site in good faith, without understanding the privacy implications.
So the regulators initially notified companies and gave them time to implement whatever change they were required to. To this day, if they aren’t satisfied with the changes, they contact the company again, they don’t just issue fines. This happened to a company I used to work for, that initially just added a cookie banner, then was asked to make the “deny all” and “accept all” buttons of equal size and with equal accessibility.
After years of experiencing cookie popup hell, I’d say that a better way forward would be allowing users to configure their browsers to automatically communicate cookie preferences and consent, but regulators would have to work with the tech industry to make that happen.
And meanwhile companies will keep inventing workarounds like FLoC to track users without cookies.
We tried that once before. Advertisers joined the board investigating making the "Do Not Track" header have legal weight, as an apparent sign of good faith, and then murdered it with endless bureaucracy that went nowhere.
We're trying to again with the Global Privacy Control headers [0], and I fully expect the same thing to happen again.
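Point (3) of the proposal above (a request header that signals permission, with silence meaning no permission) and the Global Privacy Control header mentioned here both come down to the same server-side rule: a user-agent signal can only ever deny, and an allow needs an explicit, recorded consent. The block below is an added example, not code from the thread or from the GPC project. The `Sec-GPC: 1` and `DNT: 1` header values are the real signals; the consent cookie name `tracking_consent` and the tracker cookie list are assumptions, and the sample requests are constructed.

```javascript
// Added example, not from the thread: decide server-side whether a response may set or
// read tracking cookies. Sec-GPC: 1 (Global Privacy Control) and DNT: 1 can only deny;
// an allow requires the explicit consent cookie. No signal at all means no consent.
const CONSENT_COOKIE = 'tracking_consent';       // assumption: name of the recorded choice
const TRACKER_COOKIES = ['_ga', '_gid'];         // assumption: cookies the analytics scripts set

// Case-insensitive header lookup on a plain headers object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Minimal Cookie request-header parser; keeps the first occurrence of a name.
function parseCookieHeader(value) {
  const out = {};
  for (const part of (value || '').split(';')) {
    const i = part.indexOf('=');
    const name = part.slice(0, i).trim();
    if (i > 0 && !(name in out)) out[name] = part.slice(i + 1).trim();
  }
  return out;
}

// Returns { allowed, reason }. Order matters: a live opt-out signal overrides a stale
// consent cookie, and absence of any signal is treated as a refusal, not an acceptance.
function trackingDecision(headers) {
  if (header(headers, 'Sec-GPC') === '1') return { allowed: false, reason: 'gpc-optout' };
  if (header(headers, 'DNT') === '1') return { allowed: false, reason: 'dnt-optout' };
  const consent = parseCookieHeader(header(headers, 'Cookie'))[CONSENT_COOKIE];
  if (consent === 'granted') return { allowed: true, reason: 'explicit-consent' };
  return { allowed: false, reason: consent === 'denied' ? 'explicit-refusal' : 'no-signal' };
}

// Strips tracker Set-Cookie headers from a response when tracking is not allowed, so a
// template or upstream that still emits them cannot leak past the decision. Cookies
// unrelated to tracking (sessions, CSRF tokens) pass through untouched.
function filterSetCookie(setCookies, decision) {
  if (decision.allowed) return setCookies;
  return setCookies.filter((sc) => {
    const name = sc.slice(0, sc.indexOf('=')).trim();
    return !TRACKER_COOKIES.some((t) => name === t || name.startsWith(`${t}_`));
  });
}

// Response headers for a request: the decision depends on request headers, so any cache
// in front of the server has to vary on them or it will serve a tracked variant to an
// opted-out user (and vice versa).
function responseHeaders(requestHeaders, proposedSetCookies) {
  const decision = trackingDecision(requestHeaders);
  return {
    decision,
    'set-cookie': filterSetCookie(proposedSetCookies, decision),
    vary: 'Sec-GPC, DNT, Cookie',
  };
}

// Sample request headers, constructed for this example.
const sampleRequests = {
  gpcUser: { 'sec-gpc': '1', cookie: 'tracking_consent=granted; session=abc' },
  consented: { cookie: 'session=abc; tracking_consent=granted' },
  refused: { Cookie: 'tracking_consent=denied' },
  dntUser: { DNT: '1' },
  silent: { 'user-agent': 'Mozilla/5.0' },
};
```

Note that `gpcUser` carries a consent cookie from an earlier visit and is still refused: the browser signal is treated as the user's current, more specific instruction, which is the behaviour the comment about symmetric consent is asking for.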
Yes. I should only have to say once (or better still not at all) that I don't want to be tracked, and then it would automatically apply to everything.
> regulators would have to work with the tech industry to make that happen
"work with the tech industry" sounds a bit too much like the regulators think they get what they want, but the tech industry really get what they want.
Regulators need to be able to impose a solution on an unwilling tech industry, who'll never agree to it unless forced.
> And meanwhile companies will keep inventing workarounds like FLoC to track users without cookies.
Any such workarounds need to be explicitly made illegal.
So it's sensible to allow a per-website configuration. Arguably, it would be better that this is included in the browser (like DoNotTrack was) with a configurable default (refuse all/always ask/accept all... and "always ask" ticked out of the box) and a widget showing if the website is in accept all/refuse all and allowing to change it... a bit like the uBlock extension
All browsers already have a setting whether to accept third-party cookies. It's just a matter of changing its default value.
No it doesn't. Such cookie popups are illegal under GDPR. What credit should EU legislation take?
EU has been too slow in hitting these sites with fines though.
It's mostly the fault of companies trying everything possible to trick people into agreeing even if they don't want to and shifting blame away.
Also GDPR is not technology specific, so it doesn't matter if the company tracks you using cookies or fingerprinting. (Though there are local predecessors of GDPR which are technology specific.)
The current consent dialog doesn't behave at all as you describe, I'm not sure if there were previous versions that behaved in a different way.
[1]: https://alexanderdunkel.com/iframe.php?url=https://stackover...
Refusing all cookies would of course cause a prompt on every visit, because that's what cookies are for.
>giant cookie popup takes up half the window
>figure out how to reject and close it
>another popup "allow this webshit to access your location"
>close it
>another popup "allow this webshit to send you notifications"
>close it
>another popup, allow this webshit to login using your google account
>close it
>another popup, autoplaying video, screeching into my ears at max volume
>scroll for 5 mins to find what i'm looking for buried deep at the bottom (and its probably not even there)
The business model of generated content + algorithmic ads made the internet a worse place to find information/purchase products/etc. These sites crowd out small, specialist and hobbyist websites in search results and don't usually provide the content they advertise. They exist to earn microcents per impression and use any trick possible to look like a legitimate search result. It's these websites which are the worst offenders - opting out of tracking is drawn out and they prompt with every visit.
On the topic of cleaning up the crud - I also think search engines could play a better role here, as there are many sites that will turn up in just about any search request, despite not really having meaningful content (e.g. pinterest, amazon, etc.)
Otherwise, IMHO, the cookie prompts are a huge pain in the ass, and this should be dealt with client-side - eg., browsers silently accepting cookies, and wiping them on tab/window close, with a special button/toggle for that specific website, to save cookies for longer than that session (eg. if you want to log in or stay logged in). I know there are extensions that do this, but this should be the default in browsers everywhere.
Finally the regulators do something.
Well, not sure if that's fair. Until you accept at least the "strictly necessary" cookies, it makes sense that you get prompted the consent at every visit, since no cookies are saved.
EDIT: the reality is that it should actually be a "can we track you?" consent box. sites using the word "cookie" instead of "tracking" in the consent banner/popup are using technobabble to confuse you into just clicking "ok". users are not supposed to understand what it means.
it hurts me deeply that even programmers, who do understand what cookies are, have seen these misleading cookie banners so often that they think that's what GDPR prescribes. it's not, it's a lie.
Agreed about the fines though, but it is good to see that it will be 100k a day for non compliance.
The article only mentions France though, is that excluding all other EU countries then ?
Easy solution: UBlock Origin > eye dropper tool > highlight cookie div in lower left corner > click Create button
I agree that they're very annoying.
Anyone who actually worked on browser engines knew it was bullshit that the big internet advertisers (google, Facebook, etc) were using to deflect whichever privacy disaster was in the press at the time.
The rule required DNT not be enabled by default. It was optional for advertisers to follow it, and it was very clear that if there was any significant population that enabled DNT the advertisers would start ignoring it.
And they did. They went even further: they used the DNT state to track users.
Nothing like this on the client side has any value unless it is made illegal to ignore such flags, and that is actually enforced.
Google's ultimate move however is killing cookies, so they can push their own concept of a supercookie that only they will be able to access.
Hopefully every EU state fines these companies and continues to do so until they comply.
The nasty ones are the likes of Google's more recent interstitial, which you can't easily hide with a blocker even if you've chosen to disallow cookies through your browser settings anyway, and which also requires several clicks to turn everything off explicitly before continuing, and which then redirects to a link on a domain most ad blockers will intercept causing further hassle for the user to override.
I'd have some sympathy for sites being put in a difficult position if visitors have disabled cookies entirely because putting up some sort of prompt on every visit if they need one is probably then required to comply with the letter of the law. But there's really no need for the obnoxious many-clicks-to-clear-it things like Google is doing and I don't believe for a moment that they weren't fully aware of the implications when they made the change.
I'm sure the code they use to do this is throttled. It certainly seems to run more slowly than the "Accept All" option.
It should be illegal. Not accepting cookies is the default and should be a no-op. Accepting cookies is the one that should take a while, since only then do all the 3rd party scripts load in and do their thing.
Cookie banners should be made as annoying as possible so that people hate it and begin to protest that law.
This is exactly what the advertising industry wants: You are confusing GDPR requirements with advertisers' malicious interpretations. GDPR doesn't require annoying your users; advertisers have chosen to require that all on their own.
We need to stop calling them cookie pop ups as that’s a misnomer. You can use cookies. You can store site state, login sessions, shopping carts and much more without asking at all.
They are tracking consent popups.
However that said the cookie preferences "cookie" can be considered a strictly necessary cookie so that it can be used to remember your cookie choices. This is the UK's Information Commissioner's guidance on such cookies:
https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...
While this is an interesting question/argument, I'd argue that adding a cookie to represent that you have rejected all cookies might be considered an acceptable essential cookie, since it's expected you need to reject them all only once. See here for example:
No, not a single person has a legitimate interest in being subscribed to your 160 marketing companies. Even the people that "like ads" know this is just blanket stalking.
The amount of those popups elements I have hidden using ublock with right click, it's staggering.
Some websites introduce a vertical-scroll: hidden; rule on <body> that I often need to remove manually, or to introduce a CSS rule in ublock.
Reader view often helps a lot, but some websites, like yahoo, make it so that reader view won't work (it will display the consent thing in reader view).
Some websites in france went another route: they ask users to accept cookies or to pay instead. It's crazy. It really shows data really, really matters to them.
Other gimmick: I had big trouble using the mozilla matrix server because of cookies, since I've set up firefox to delete all cookies at shutdown, except those in a whitelist.
I have a bookmarklet saved that simply deletes fixed elements, making it faster and easier to get rid of those[0]. However I have noticed sites are starting to make their banners more akin to shrinkwrap agreements where they state that dismissing the popup or continuing to read without making a choice is equivalent to acceptance.
[0] What I find most interesting is how many websites become much more readable by this - I hate sites that use a good third of the screen real-estate for headers and footers, nevermind those awful menus that only appear on scroll-up and cover the top few lines of content.
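The "delete fixed elements" bookmarklet described above, written out as an added example rather than the commenter's own code. It removes elements whose computed position is `fixed` or `sticky`, then forces scrolling back on `<html>` and `<body>`, which is what the earlier comment about an `overflow: hidden` rule on `<body>` runs into. The page object is passed in so the logic can be exercised against a constructed stand-in; the stand-in document is constructed for this example and is not a real DOM.

```javascript
// Added example, not the commenter's bookmarklet. Removes fixed/sticky overlays and
// restores scrolling. The DOM and window are parameters so the classification can be
// run against a constructed page outside a browser.

// Only elements actually pinned to the viewport are overlays; hidden ones are left alone.
function isOverlay(style) {
  return (style.position === 'fixed' || style.position === 'sticky') && style.display !== 'none';
}

// Returns the number of removed elements. querySelectorAll returns a static list, so
// removing a parent does not disturb the loop; a child of a removed overlay is simply
// detached a second time, which is harmless.
function removeOverlays(doc, win) {
  let removed = 0;
  for (const el of Array.from(doc.querySelectorAll('body *'))) {
    if (isOverlay(win.getComputedStyle(el))) { el.remove(); removed += 1; }
  }
  // Consent walls usually lock scrolling with a class on <html> or <body>; clearing the
  // inline style would not beat a stylesheet rule, so set !important instead.
  for (const root of [doc.documentElement, doc.body]) {
    if (root) root.style.setProperty('overflow', 'visible', 'important');
  }
  return removed;
}

// Constructed stand-in for a page (not a real DOM): a fixed cookie banner, a sticky
// header and plain content, plus a hidden fixed element that must stay untouched.
function constructedPage() {
  const mk = (position, display = 'block') => ({
    position, display, detached: false,
    style: { setProperty(prop, value) { this[prop] = value; } },
    remove() { this.detached = true; },
  });
  const nodes = [mk('fixed'), mk('sticky'), mk('static'), mk('fixed', 'none')];
  const body = mk('static');
  body.style.overflow = 'hidden';  // the scroll lock the banner applied
  const doc = { body, documentElement: mk('static'), querySelectorAll: () => nodes };
  const win = { getComputedStyle: (el) => ({ position: el.position, display: el.display }) };
  return { doc, win, nodes };
}

// Bookmarklet form: wrap the two functions above in
//   javascript:(function(){ ... removeOverlays(document, window); })()
// and save it as a bookmark. Skipped here when there is no browser document.
if (typeof document !== 'undefined') removeOverlays(document, window);
```

Two limits worth knowing: sticky site headers go too (the commenter counts that as a bonus), and an overlay rendered inside a shadow root or a cross-origin iframe is not reachable from the top document's `querySelectorAll`.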
this will not fly with gdpr (which is the whole point of the popup) as consent has to be explicit.
Thanks for articulating a feeling I hadn't managed to put a label on yet.
Is there some exception for 'meta services' like this? It's not the service/app itself, but is required if you want to read T.O.S. details, get help, etc for WhatsApp itself. Or should Facebook open their checkbook again?
/cookie-tracking/all/accept
/cookie-tracking/all/info
/cookie-tracking/essential/accept
/cookie-tracking/essential/info
Browsers could hook into these or making a browser extension would be easy enough. As a bonus we might witness the first ever televised government bikeshed over API/naming/is it really REST though?
Especially accepting tracking should NOT, under any circumstances, be automated.
To me, it sounds like the purpose of this suggestion:
> Browsers could hook into these or making a browser extension would be easy enough.
Is that browsers can dictate the UI and so you wouldn't have these dark patterns to fight on each individual website.
I don't know if this would be a good or a bad idea, because indeed I can see people making an extension at minimum and a browser (*cough*chrome) at worst that would allow accepting everything automatically (which would not be legally valid because the consent was not 'informed', but the site owners would have no way of knowing that). On the other hand, there is also the advantage of no dark pattern being possible at all if you implement the API correctly. I don't know. Either way, this is what I think GP meant to suggest.
GET /cookie-tracking/all/info
API call that GP suggested. Therefore, any DNT:"please track me baby one more time" values are legally invalid, because it could not possibly be an informed decision. You can choose not to voice objection with DNT, but you can not give consent using it, and that's what these cookie walls are asking for.
(If you have a legitimate interest, legal requirement, technical requirement, or other ground for processing data while the user does nothing more than browse your website, an up-front banner to ask for consent is never required.)
You could say that the law is failing because it opened the loopholes allowing businesses to choose to behave badly, externalising the decision making to users. If that's your opinion, can you be a bit more specific, so we can dig into that issue and explore solutions and objections?
That's why a lot of websites don't show those banners while however using cookies to store session tokens, user preferences...
But, yes, when you are browsing content without being logged in or without having the need to store something, the law forbids the website to send you cookies. Because they are not needed to execute the service, they are just there to track you. And even if you consider that tracking is necessary to monetize your content, well, in this case, you have to require the consent.
To me it's a totally legitimate law. It's easy not to deal with cookie popup : just respect your users and don't track them without notification.
As a user, you can rant about the law. Or you can just decide that a website forcing you to accept cookies to read some junk content is totally failing to respect you as an individual.
You haven't understood the laws. It's not about cookies, it's about tracking and personal data. If you are annoyed with the popups, be annoyed with the companies' disregard for your privacy.
Why does every little site I visit ask for my consent to track me? The problem isn't the law, it's those stupid sites wanting to exploit users.
GDPR is a pretty simple law, if you want to collect personal data on people, you need to get their informed consent. Just like you need their informed consent to have sex with them.
How you get that consent is up to each company, but GDPR lays some pretty clear rules about what doesn’t count as informed consent. Such as creating flows or pop ups that encourage people to click the accept button, or by trying to bundle multiple unrelated consents together under a single button. How you present that UI isn’t specified, you could use a cookie banner, or you could just respect Do Not Track headers etc.
Equally the law doesn’t care if you use cookies, or local storage or anything else. It only cares if you're collecting personal data. Not how you’re collecting it. If you’re using cookies for legitimate reasons like enabling user sessions, no need for a banner, you’re not collecting personal data without consent.
Companies have chosen this hellscape of cookie banners etc in an attempt to skirt the law and avoid doing what they should be doing. Letting people use the internet without having their every click tracked and aggregated.
Thankfully we’re now starting to see more enforcement showing this type of bullshit won’t be tolerated. Soon people will start getting rid of cookie banners etc, once it becomes clear that they're a fig leaf that won’t protect them from legal repercussions, and that they’ll make more money by asking for consent nicely and not punishing people for refusing.
> The experience of browsing the web in Europe is shit due to all the popups asking you about [some technical thing that you can, indeed, control in your browser].
I just made this overview of when a cookie wall is required, hoping that it might help clear this up.
(Edit: for mobile https://pastebin.com/raw/gDn5AwuV )
+-------------------------------------+
| Do you store data about users which |
| are merely viewing pages? |
+-------------------------------------+
| \ ________________________
yes `-no->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+---------------------------+
| Can this data be traced |
| to an individual person? |
+---------------------------+
| \ ________________________
yes `-no->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+------------------------------------+
| Are you legally required to do so? |
+------------------------------------+
| \ ________________________
no `-yes->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+--------------------------------------+
| Is it necessary, e.g. to make site |
| features work that the user enabled? |
+--------------------------------------+
| \ ________________________
no `-yes->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+---------------------------------------+
| Is it to protect the user's vital |
| interest, or are you a government and |
| the processing is necessary? |
+---------------------------------------+
| \ ________________________
no `-yes->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+---------------------------------+
| Considering recital 47, do you |
| have a legitimate interest? |
+---------------------------------+
| \ ________________________
no `-yes->|No cookie wall needed.|
| ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
+----------------------------------------+
| Then processing their personal data is |
| none of your business but you can ask |
| for their permission ("consent"). |
+----------------------------------------+
\ _________________________
`----->|You need a cookie wall.|
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
What most people think when they see a GDPR banner: stupid law, politicians are stupid, "it's such a misunderstanding of regulators type of situation." Reality: website wants to do something that you don't want them to do, and now the websites are required to let you make an informed decision.
I didn't realize there was that delay, I thought the rule was supposed to be enforced years ago.
It might seem inefficient but generally this is the only sane way to roll out changes across a society. Having people coordinate and "change habits" (as deplorable as the present habits may be) is best done gently. Providing ample time and warning for people to find a good course forwards.
Even better if you visit sites from a Danish IP, I noticed there often exists an actual "reject" button which doesn't appear when you use a Swedish IP.
Afaik the different data protection agencies cooperate, meaning they can join in, and compliance means compliance in the whole union.
See: https://gdpr-info.eu/art-60-gdpr/
Point 10: "...the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union".
But I'm not a lawyer so I might be understanding that wrongly.
You don't see engineering firms ignoring safety regulations because they know the repercussions will destroy their business. Before that was the case (and in places where it still isn't the case) you see it all the time.
Expecting some random line-worker to stand up against changes that bring in this kind of money for the firm is just delusional.
1- Accept cookies and access the website.
2- Refuse cookies and pay 2€ per month to access the website.
How is that less hostile than having to click a few extra buttons?
- I don't have to tell you about tracking
- I'll tell you but assume you accept
- I'll ask you but make it extremely frustrating to opt-out
- (Hopefully soon-ish) I'll ask you and make it equally easy to opt-in and opt-out
It's enough money that they will probably employ / deploy a small army of lawyers to get them to reduce or dismiss the fine, or stall it for as long as possible. 150 million buys you a lot of lawyers' time.
How's not that an infringement?
Carrefour got a spicy +3M€ fine in November 2020.
You can find a non-exhaustive list here (FR) > https://www.nextinpact.com/recherche;q=cnil%20amende
Also, GDPR applies as long as the company runs a business in the EU. It doesn't matter where the company is originally from. They will be more than happy to fine the french entity if it made sense. Instead, they fine the Irish entity that performs social dumping. Not bad.
I wish they’d also go after one of the smaller fish that use a “cookie dialog provider” in default configuration. Effectively saying “if you think you can get away with buying this scam service you were wrong and the fine that could show up any day could end your business”.
While it's true they are a bit low compared to those companies revenues, they are pretty much higher than what we are used to until now.
If I were to litter, the fine would be slightly annoying (maybe worth busting my ass to a proper trashcan to avoid this fine), but also being in the news about it.
A better browser could just make cookies more visible. I should be able to configure what kind of cookies I save or don't. Oh wait, I can. It just takes an extension.
Anyway the cookie banners are a nuisance. Every site has their own banner but they all do the same thing. And I can do that thing by myself in the browser.
It would be nice to go back to that, but I strongly suspect that Google has no incentive to do that.
Every site should get to ask for cookie permissions only once - through the browser - (like with notifications or location), and the browser should remember the user’s preferences and never ask again.
Don't they all do that? Per-site cookie management in the browser has been around since IE6 if not earlier:
Would be much easier if there were a normalised DOM structure/wrapper for these cookie popups so an extension can be made to choose the preferred choice, with possible exceptions.
Between the cookie popups and a "sign up to our newsletter" as soon as your pointer leaves the viewport, they're a huge time suck.
I've seen some extensions advertised but unsure whether they're able to cater for all the variations of layout.
Keep in mind that a lot of websites, and technology in general, are basically copying from others. Google and Facebook are leaders in that area, and a lot of companies try to emulate them and follow their lead. Cargo cult? A bit.
But automating this wasn't intended by the GDPR. It specifically requires a reject all button and specifically bans an accept all button. Rejection has to always be easiest and the default, accepting has to be hard and slow.
Seems like a ton of websites are using the same cookie framework and they all do this. You get a pop up with a button to allow all, or a button to customize your preference and you have to go through a bunch of accordions and grey patterns to make sure everything but "essential" cookies is disabled.
One thing I'm slightly worried about is that they are not going to do the symmetric "accept"/"decline" all but actually make you click 3-4 times and accept/decline each cookie category (similar to how you have to refuse the google one currently atm), that would be properly annoying.
But let's hope not! This will certainly improve the situation.
A website cannot “set a cookie” in the browser. The website can include a cookie that the user (agent) optionally can include in future requests. The user does not “accept” or “reject” cookies, but rather chooses to include them in future messages, or not.
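The point above, and the per-site browser preferences mentioned earlier in the thread, can be demonstrated with Python's standard cookie jar. This is an added example, not code from any commenter; the domains `tracker.example` and `shop.example`, the cookie values, and the `FakeResponse` stand-in are constructed for the demo.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Constructed stand-in for an HTTP response carrying Set-Cookie headers.

    http.cookiejar only needs response.info() to return a Message-like object,
    so no network access is required.
    """

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg.add_header("Set-Cookie", header)

    def info(self):
        return self._msg


def build_jar(blocked_domains):
    """Create a user-agent cookie store with a per-site block list.

    The server only proposes cookies; this policy decides, per site, which
    proposals the user agent stores and later sends back.
    """
    policy = http.cookiejar.DefaultCookiePolicy(blocked_domains=blocked_domains)
    return http.cookiejar.CookieJar(policy)


def simulate(jar, url, set_cookie_headers):
    """Receive Set-Cookie headers from url, then return the Cookie header the
    user agent would attach to a follow-up request to the same url (None if
    nothing would be sent)."""
    first = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse(set_cookie_headers), first)
    follow_up = urllib.request.Request(url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    jar = build_jar(["tracker.example"])  # constructed block list
    # The tracker's Set-Cookie is silently dropped by the user agent.
    print(simulate(jar, "https://tracker.example/", ["uid=track-42"]))
    # The shop's session cookie is kept and sent back.
    print(simulate(jar, "https://shop.example/", ["sid=abc123; Path=/"]))
```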
Dark patterns should be suppressed, but balancing attention on all such patterns.
GDPR isn't complicated, it only sounds complicated if you want to find a loophole without breaking the law. If you just comply, it's super easy and simple to follow.
The same companies with cookies: "here's consent dialog, on every visit, multiple times"
Results in many Americans complaining about how difficult to interpret the regulation is, due to lack of specificity (US regulation tends to be highly specific). But it makes it much harder for people to skirt the intent of the law, because the intent is written into the law and used as the benchmark to determine compliance. This approach does require a transition process so businesses and regulators can figure out how to meet the intent of the law in their specific situation, and create implementation guidelines. But over the long term it produces more flexible law that adapts to technical and social change better.
> This constitutes an infringement of Article 82 of the French Data Protection Act.
As we can see from Apple's changes recently, the vast majority of people do not agree to being tracked. The cookie banners bully people into allowing it anyway, because the opt-out is so convoluted.
I'm sure some part will go toward keeping the CNIL properly staffed (which is great), but where is the rest going?
It already is. Processing personal data requires a legitimate basis. Freely given consent is one of those, and the reason these companies are being fined is because "freely given" requires symmetry in accepting/rejecting. Without the symmetry, the companies had no legal basis for processing the data, so they got these fines.
It is harder to prove "evil things" in general, but the first step is preventing users from being coaxed into agreeing to "evil things" (or rather, making clear that this is illegal and will be punished).
Seriously, the people downvoting this should try it. It frees up your mind to think about things that actually matter.
It is that you create a small but real possibility to suffer from it in the future. Like getting a lottery ticket to win something like paying more for your flight, being denied insurance or a bank loan, being subjected to political manipulation, having your name published alongside your sexual preferences, or, to nicely round it up, being selected for participation in a governmental work camp. All of this did happen in the past, albeit not to everyone, of course.
Your strategy for protesting the (totally sensible) EU law seems strange: "Let us openly break the law, let the EU announce that we broke the law, refuse to do anything about it, let the EU announce that they will fine us until we stop doing business in EU and then hope that the users take our side". Seriously, I'm interested in what PR message you intend to come up with that convinces users the EU is at fault for you mishandling people's data.
Cookie dialogs are the contemporary equivalent of popup ads, in terms of the annoyance to users. I'd love to find a browser that makes them go away, just like browsers blocked popups years ago.
And look at Apple; they pushed a change on the app store and their apps where privacy is now the default, and they do not bully and annoy you into accepting anyway.
Typically if a company wishes to do business with EU residents they have to comply with the EU regulations. Many larger companies choose to incorporate somewhere in the EU to make this easier or in some cases they will even incorporate in each country that they do business in.
This might be a shocker, but even American companies have to obey the local law of the country they operate in. Big tech runs offices, has infrastructure and profits from a huge market in those countries. All of this is leverage a country can use to enforce its law.