When the EU regulation came up, I was shocked that a single article was being shared with 100+ "partners". I knew it was bad, but I didn't know it was that bad. At least now I get the choice to opt-out. Sidenote: Google got fined for that pop-up because it should have a "do not accept" option [1].
Companies know they don't need those pop-ups. They are putting them there to anger you and demand for things to go back. Do you want to blame the EU for not anticipating that companies would act maliciously? Sounds fair to me. But don't let the companies off the hook for acting maliciously!
[1] https://www.taylorwessing.com/en/insights-and-events/insight...
Whoever made the initial video must be a shill for the tracking companies because they didn't click on the 'do not accept' options, otherwise people would see how pervasive and thoroughly ridiculous the trackers are.
You're giving these companies much more credit than they deserve. They're just going through the motions in an attempt to avoid lawsuits, but clearly not even Google can get it right 100%.
Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity."
Having worked for a number of companies implementing these measures, there's no malicious intent, they are rolling their eyes the whole time. It's just a box they need to tick. Everyone wishes it would just go away.
Yes, I think we should clearly hold legislators accountable for unintended consequences. And I think it would be crazy not to.
If the law didn't have the desired effect, and makes everyone miserable, we should fix or amend it.
A simple page request results in almost a thousand requests being made to third parties, just to show you some bad ads.
[1] https://pagexray.fouanalytics.com/q/pathofexile.fandom.com?f...
This gets repeated a lot. However, even one of the pages on the official site of the EU has a cookie banner:
https://commission.europa.eu/index_en
Is the EU itself acting maliciously in putting up that cookie banner?
Then came GDPR and these retarded cookie banner companies decided to offer that as a service as well... Basically the same thing right? Well for many of the sites it is, because their goal is to find a way to do nothing, or as little as possible, they don't want things to change and here's someone offering them just that.
I hate it when people are blaming the EU for the nightmare that is consent popups. They aren't required, unless you're doing stupid shit. Companies love presenting this as: The EU is making us do this. NO, you want to track people online and the EU is simply asking for you to declare that.
It's truly amazing that companies don't see the problem telling people that they care about their privacy, yet present them with a list of 600 "partners" with whom they share our data.
So yes, it's laziness, these sites don't want to change the way they deal with advertisers, because that would be slightly harder. It's also partly incompetence, there's an entire generation of ad people who don't know the first thing about advertising, they know Google Adwords and Facebook Ads.
https://duckduckgo.com/?q=i+still+don%27t+care+about+cookies
People will choose convenience over mostly everything else.
Users have always been in control of whether they accept cookies. There have been settings in your browser since (at least) Netscape 3.0. It's only because of dumb EU laws that cookie control has been pushed up into "user space" with these idiotic banners that no one reads.
Besides, GDPR isn't about cookies, it's about what companies are allowed to do with your personal information. Functional cookies don't require consent, abuse of your personal data does.
Did Netscape 3.0 have per-site options to enable cookies and specifically allow/block third party cookies?
If so, that’s impressive.
Any other cookies are not "table stakes".
> The commonly seen method of using a checkbox and a simple information note such as “remember me (uses cookies)” next to the submit form would be an appropriate means of gaining consent therefore negating the need to apply an exemption in this case.
If it is 'table stakes', like a "remember me" checkbox, you don't need a separate cookie banner.
https://ec.europa.eu/justice/article-29/documentation/opinio... via https://law.stackexchange.com/questions/32152/gdpr-cookie-fo...
That's like hating a rock for rolling downhill. Regulation is the only way.
It's the same tired nonsense as when regulators try to tax a business that's already operating on thin margins and act surprised when the business passes the cost to their customers instead of eating it.
I'm not upset with the intent of what they were trying to do, which was noble; the upsetting thing is that it was patently obvious their hamfisted implementation would lead to this outcome, and they did it anyway, knowing they could count on people to deflect blame away from them.
It's not as if these companies are kicking in your door and violating your right to privacy. You're accessing their site with a device that is configured to transmit whatever you have it set to.
If you don't want cookies, disable cookies. If you want greater control, go and configure it yourself. Stop forcing your preferences on everyone.
The reality is that outside of a vocal contingent on HN, most people simply do not care. They won't pay a cent for their ad supported services. And I for one hate the endless consent popups and GDPR hoops I have to jump through. As an expat in London, I can't read many local news stories in the US because those sites simply block the traffic instead of trying to comply with a foreign law.
This is not how it works.
Me visiting a website does not mean I want that website to send my personal identifiers to hundreds of unknown (both to me and the website operator in question) third parties.
If companies DoNotTrack, they will have fewer people opting-in for tracking.
The design of these consent forms is often so obscure I end up in some menu system with too much information I didn't want, and no hotkeys to go back except leave the website.
The argument is transparent self-serving BS, though.
Unlike do-not-track to 1, as far as I know, it is never set to 0 by default. So it should represent actual consent.
Not the best for privacy, but at least, it would make the web less annoying.
It's google, facebook etc that are trying to shove these things down your throat, not the EU.
- most people are tracked on almost all websites by a small number of US megacorps (e.g. google analytics could probably reproduce complete browser histories for most Europeans, and most likely does for some intelligence agency)
- AND most people have their time wasted by consent banners
- AND small companies worry about compliance costs (my least favourite aspect of EU law is it doesn't understand the need to exclude small companies from complex requirements)
It's non-confrontational to a fault and therefore ineffective.
Most of this crap is the same everywhere, not just in the EU.
I find it interesting that, in the cookie case, people blame the EU for making the problem visible, rather than blaming the people who created the problem. The cookies are the horseburger, in this instance.
If they really wanted to do something successful they should've been more strict on the situation. "Accept or Decline front and center" "No tracking cookies without specific UNFORCED opt in" "No annoying popups"
Like I don't know what they added to my experience. I already knew cookies existed and what they were used for. I guess now I can at least opt out in some cases. But who knows what is classified as a "strictly necessary cookie" which is the lowest amount of cookie tracking you can get on most of those sites.
Strictly necessary means necessary to provide the service the user requested or comply with other laws. It is stricter than your suggested no tracking standard.
We literally use zero cookies (local storage, et al.) in our latest products. The user's state is entirely managed on the server, and we pass their session identifier forward through hidden form fields or URL query parameter as appropriate. The only way this works is to go all-in on SSR-style web applications. 100% of user interactions must be satisfied with boring-ass form get/post. The microsecond you start thinking about SPA or holding onto even the merest of boolean facts between page loads, the whole magic experience vanishes in an instant. That isn't to say you can't use javascript, but you certainly don't start with it.
Our initial reasoning for going to this extent was due to weird behavior around cookie lifetime we were seeing on iOS/safari devices as of iOS13. If you don't use any client-side state, other than what is loaded into the current window/document/URL, who could ever ruin your day? They'd literally have to cripple 100% of the internet to start causing trouble for our newest approach. Over time, it became obvious this style also provides a better user & development experience. For instance, I no longer have to put the Apple WWDC event on my work calendar in anticipation of a refactoring effort. Pending legislation is also something I do not worry about anymore.
I find it interesting that the most compliant web experience is also the easiest (aka most boring) to develop and also usually provides the best end user experience. To me, cookie banners ultimately seem to be a higher order consequence of splitting the product into front-end/back-end and farming out every possible consideration to a 3rd party.
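The cookie-free pattern described in the comment above, as an added example that is not part of the original post or the commenter's code: a WSGI app that keeps all state server-side and carries the session id in a hidden form field. The names `SESSIONS`, `TTL`, `render` and `app`, the in-memory store and the click counter are assumptions made for illustration.

```python
import html, secrets, time
from urllib.parse import parse_qs

SESSIONS = {}   # sid -> {"expires": float, "count": int}; in-memory stand-in for a real store
TTL = 900       # seconds of inactivity before an id stops being accepted (assumed value)

def new_session(now=None):
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)      # the id is the only credential, so it must be unguessable
    SESSIONS[sid] = {"expires": now + TTL, "count": 0}
    return sid

def load_session(sid, now=None):
    now = time.time() if now is None else now
    session = SESSIONS.get(sid)
    if session is None or session["expires"] < now:
        SESSIONS.pop(sid, None)          # unknown or expired ids are never revived
        return None
    session["expires"] = now + TTL       # sliding expiry
    return session

def render(sid, count):
    # The id travels only in a hidden POST field, so it stays out of URLs,
    # access logs and Referer headers.
    return ('<form method="post" action="/">'
            f'<input type="hidden" name="sid" value="{html.escape(sid, quote=True)}">'
            f'<p>Clicks: {count}</p><button>Add one</button></form>')

def app(environ, start_response):
    """WSGI app: all state lives in SESSIONS, no Set-Cookie is ever sent."""
    is_post = environ["REQUEST_METHOD"] == "POST"
    sid = ""
    if is_post:
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
        sid = form.get("sid", [""])[0]
    session = load_session(sid) if sid else None
    if session is None:                  # first visit, forged id or expired id
        sid = new_session()
        session = SESSIONS[sid]
    elif is_post:
        session["count"] += 1
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Cache-Control", "no-store"),   # the page embeds the id, so keep it out of caches
    ])
    return [render(sid, session["count"]).encode()]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

A forged or expired id silently gets a fresh empty session instead of an error, so the response does not reveal whether a given id ever existed.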
The EU does its best to at least let you know what's happening. What I would like is for browsers out of the box to auto reject cookies and tracking behavior. But that is probably the reason all the prompts are not standardized.
I like it, and every time I will go through and reject all of them. If the extension doesn't catch them already.
If a website uses cookies just for legit purposes (e.g. auth, language choice), then it doesn't need to show cookie consent.
Webmasters should get awareness on this or stop spying.
Just ban tracking for advertising purposes entirely, or at the very least mandate that sites respect the do not track header and require browser manufacturers implement it as opt-in.
The cookie pop-up is a dumb law.
1. Ensure that you’re perfectly abiding by all “legit purposes” and be prepared to update your policies and software each time those change, at the risk of huge fines. Or,
2. Just put an annoying banner up and have no risk.
Which do you do?
Government created this problem. Yes, it was in response to bad behavior from industry, but that doesn’t absolve the bureaucrats from responsibility for the results of their “solution”. If someone lights your kitchen on fire and the fire department’s response is to burn down the entire house, there is plenty of blame to go around.
No, but let's blame them for coming up with an asinine 'solution' to that problem.
Speak for yourself. I never consent to marketing or analytical cookies. I appreciate the option to turn them off.
I agree with you that the non-compliant approach teaches a bad security practice to the general population. The fix is better enforcement of existing law, without a new law actually being needed except possibly a better procedure for more effective enforcement.
Unfortunately, achieving that is hard for political reasons. The EU’s politicians, and therefore the data protection authorities whom they oversee, care mostly about seeming to protect privacy, whatever the reality, and don’t want to deal with the economic + lobbying + PR + political donation + therefore electoral consequences of routinely taking proper and timely action. This is especially true for some of the most regulatorily captured data protection authorities in the EU, such as Ireland’s.
Is it the perfect system? No. Is it better than no system at all? I think so.
But big corps know what they wanted and do and lead the rest of the pack..
Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually
https://dl.acm.org/doi/abs/10.1145/3319535.3354212
Stop blaming the government for something private companies are doing to you. All the government did was require them to be honest about it.
Maybe the EU should be more aggressive with GDPR, and start fining these companies out of existence for not being 100% compliant. That would put a stop to the maze of dark patterns pretty quickly. Either every shitty company would go bankrupt overnight, or they would learn how to make very simple "yes cookies" and "no cookies" buttons.
There could be browser configuration for the cookie consent popup (accept, essential, reject all) that websites could follow but now - they prefer to be obnoxious about it hoping that everyone will click "allow" out of boredom (not to mention that at the beginning it was the only visible option and reject was hidden, which was illegal)...
(I wouldn't lament the loss of invasive analytics, but the job losses would be saddening)
Ads, Reddit popup, bad cambridge.org design are experienced by non EU too
A more accurate title like "Sigh, this is what browsing the web looks like nowadays" would not have gotten you criticism
It's truly amazing that websites are so insanely difficult to just... read, these days. Ads that pop up covering the screen, videos (irrelevant to the article) which I scroll past, and which then suddenly decide to pin themselves to cover the top 1/3 of the screen and autoplay, along with ads covering the bottom 1/4 of the screen, while cookie reminders pop up and the page keeps jumping around because ads take so long to load... It's truly astonishing how bad of an experience I was missing out on.
Artifact is a pretty nice app, all in all, but the browsing experience without content blockers is so terrible that I just can't bring myself to use it anymore.
Sure, I know there's counter-examples, there are sites that do interesting things with personal data, even. But I know the vast, vast majority of sites that have these banners are not those sites, and I don't accept these corner cases as a fig leaf for this elephant (whose name is incompetence and greed) sitting on the couch, moaning about this law, since day one.
"this is what someone who considers themselves a webmaster, or even a web developer, writes nowadays (2021)"
We might have tried similar things if Europe was as dominant in American tech markets.
Web is already hostile enough nowadays with all the tracking, scams, abuses of consent and bad ux designed to sell shit nobody needs.
Edit: also, non targeted NON INTRUSIVE ads will do too. Or would have done. If the ad industry wouldn't have burned any shred of credibility they ever had.
I do question the incentive of a number of sites. Reddit technically don't need to track you, they know all they need to based on which subreddit you're currently on. It's mainly sites that have no context to your activities that really need the tracking to attempt to provide ads that make sense. Maybe having these sites should be financed differently?
Consent-O-Matic helps a lot with not having to see this nonsense though.
After consulting with a legal team they made it clear this was not the case. And for the next 2 years there was a lot of pain.
We had too many cookies that were important to UX and analytics. If you don't understand why, imagine trying to run a store but not be allowed to look at your customers. We were fine not chasing them into the parking lot with a Polaroid camera, but GDPR didn't make a distinction between really invasive tracking and "normal" un-creepy QOL cookies.
Before tools like OneTrust or Trustarc were available, it was also not even clear how you actually handle consent. TL;DR: you basically have to set a semi-anonymous cookie that tells you it's okay to load other cookies. But at the time it was not even clear if this was legal (since there is somewhat conflicting advice as to what could constitute PII in this situation).
To this day, we still deal with a lot of GDPR edge cases. Specifically what constitutes PII at a technical level when you are talking about session IDs, user IDs, or client addresses. It's still really tricky and we're always afraid the rug will be pulled out from under us. And even the most expensive lawyers will be experts in the law but need constant hand-holding through even the most basic technology.
(Data removal requests are another story - if people only knew, man)
The lesson I have learned:
- Anyone who says GDPR is simple has no real experience
- Do exactly what other companies are doing - do not try to stand out
- The only real winners were the lawyers
Kind of a context-aware private browsing mode, I guess.
I don’t even use an adblocker normally, but the cookie banners are insanely annoying.
Yes, please fork http...EU, you can do that...I know it...
Until the GDPR a lot of this went on anyway, but totally invisible, now at least we have some idea of the magnitude of the problem and companies have an incentive to at least try to get it right. Not that many of them do. People that are categorically against government regulation tend to point at this and say 'see: that's what you get'. But they forget that in the relationship between companies and individuals it is the companies that on balance have the most power and there is ample evidence that this power then gets abused. Hence regulation. I'm all for tightening the rules another notch or two and adding a zero to the average fine. Because there is still a lot of room for improvement.
No, it's the EU that mandated those popups - an asinine solution to the tracking problem. The EU gets the blame.
Many websites seem to break this law.
As an EU citizen, I am actually somewhat delighted that our legislation that attempts to improve privacy is being successfully exported. But similarly to how I find the US exporting their legislation quite loathsome---at least at times---I understand your beef.
It's hard to dynamically figure out if you're an EU citizen or not via the browser. Hence, websites play it "safe" by showing it to pretty much the whole world.
Oh, the suffering of having to click "OK."