Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities. The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.
There is no doubt that the goals set by the law are sensible. It is also not evident that losing time over privacy is so horrible. In fact, when designing a law that enhances consumer rights through informed consent, it is inevitable that this imposes additional time spent on thinking, considering and acting.
It's the whole point, folks! You cannot have an informed case-by-case decision without spending time.
I constantly see banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, don't delete them at all!) – this is not compliant as the cookies were set before consent was given.
Also see banners where there is only a big "OK" button, with no visible option to reject, this is also not compliant!
While the OP of this comment chain stated that laws are best if they are abstract, I think in this case the EU should have mandated an implementation as well, for example a browser based consent setting. Can be global, can be per-website. But the (ad)tech companies wouldn't like that, because as it turns out if given a fair choice, the majority of people would not opt-in, and they don't like that. Even though a small percentage of visitors that do opt in would already generate statistically significant results.
It's the same with the alternative, e.g. US sites simply not allowing access from the EU. They could just not have tracking. Advertisers could serve non-tracking ads, based on e.g. IP geolocation. But they don't like that because it's not as targeted as before the EU laws.
Depends on what you consider to be "cookies were set". I think it's a valid argument that cookies aren't set until a "Set-Cookie" HTTP header is sent to the server. The banner is just a form to decide whether or not to set the cookies prior to actually doing so. The banner switches aren't the cookies themselves.
SV and the advertising industry thrives on those misunderstandings.
Put simply, there is no need for "cookie banners" unless those cookies are being used to track or personally identify me (hello advertisers!), in which case, I need to give my opt-in informed consent to allow this; and so I should.
Hardly surprising SV and the advertising industry campaigns against "cookie banners", rather than their own unethical trading in personal data without consent.
What do you mean? There is no law banning companies from honoring a DNT header, companies just choose not to do so. The law already allows it, it just doesn't mandate it.
Sites and cookie banner plugins could just accept DNT signals from browsers and no productivity would be lost.
[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Se...
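As an added illustration (not code from any commenter or from a real site), a small Python routine in the spirit of the two comments above: a cookie only exists once a Set-Cookie header is emitted, so the server decides per cookie purpose what to emit, essential cookies go out without consent, tracking cookies go out only after consent, and a `DNT: 1` request header is treated as a reject signal. The cookie names, the `consent` cookie and the plain header dict are assumptions.

```python
"""Consent-gated Set-Cookie emission (illustrative, not a library API).

Request headers are modelled as a plain dict with keys "Cookie" and "DNT";
cookie names and the "consent" cookie are assumptions for this example.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

# Cookies the site cannot function without: no consent required.
ESSENTIAL = {"session", "csrf"}
# Cookies used to track the visitor: consent required before they are set.
TRACKING = {"_ad_id", "_analytics_uid"}


def consent_state(headers: Dict[str, str]) -> Optional[str]:
    """Return "granted", "rejected" or None (no decision recorded yet)."""
    # Treat Do Not Track as an explicit rejection (a site's choice, not a
    # legal requirement; this example honors it).
    if headers.get("DNT") == "1":
        return "rejected"
    jar = SimpleCookie(headers.get("Cookie", ""))
    if "consent" in jar:
        value = jar["consent"].value
        if value in ("granted", "rejected"):
            return value
    return None


def needs_banner(headers: Dict[str, str]) -> bool:
    """The banner is a form for a decision; skip it once one is recorded."""
    return consent_state(headers) is None


def response_cookies(headers: Dict[str, str],
                     desired: Dict[str, str]) -> List[str]:
    """Turn the cookies the app *wants* into the Set-Cookie values it *may* send.

    Nothing is "set" until it appears here, so tracking cookies never reach
    the client unless consent was already granted on this request.
    """
    state = consent_state(headers)
    out: List[str] = []
    for name, value in desired.items():
        if name in ESSENTIAL:
            out.append(f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax")
        elif name in TRACKING and state == "granted":
            out.append(f"{name}={value}; Path=/; Secure; SameSite=Lax")
        # Unknown names are treated like tracking cookies: default deny.
    return out


if __name__ == "__main__":
    wanted = {"session": "abc123", "_ad_id": "tracker-1"}
    print(response_cookies({}, wanted))                       # session only
    print(response_cookies({"Cookie": "consent=granted"}, wanted))
```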
Couldn't disagree more, people (and even companies) have a right to know if they're breaking the law. Broad laws just make everyone (potentially) guilty. It's ripe for abuse and corruption.
Laws are only as good as their real world consequences.
- Laws are best when abstract. This is true. Laws work best when they cover a class of behavior, not specific behaviors.
- Requiring informed consent is good. This I disagree with because it is a hard-to-measure outcome. Abstract, yes, but to the point where nobody knows what it means. The only way to meet this in spirit is to go so far overboard that nobody can ever say you didn’t try hard enough.
- Mandating that huge populations spend time to make informed case-by-case decisions. This is like mandating pi=3. As soon as this became the goal the whole enterprise was doomed. The only way this happens is with notaries and witnesses, which is far too heavy a burden for visiting a website.
The whole thing is noble intent, but disproportionate to the problem and not aligned with the putative goals.
Regulation can be good, and it should be abstract, but it cannot mandate abstract outcomes. Imagine if speed limit signs said “speed limit: optimized balance of reduced time to destination and net cost of carbon emissions and amortized risk of accidents”.
And everyone knows what “informed consent to tracking” means. If you’re building something, you know when you intrude on your users’ privacy. But everyone chose forgiveness instead of permission, and now is throwing a fit when the latter is required.
The definition of consent is provided here. [0] There are clear application guidelines. To me it takes being intentionally obtuse or malicious in the interpretation when reading the text to come to the conclusion "I don't know what it means so I'll do the thing that benefits me".
Imagine blowing through a stop sign and trying to explain that you don't know what it means, the Earth is moving so you could never really be in compliance. You're not wrong, but it's clear that your non-compliance doesn't come from a place of honest misunderstanding.
> Mandating that huge populations spend time to make informed case by case decisions
It's mandating that the user is given the tools to provide informed consent, not that they must use them properly. If you need to know what it means, the text is clear. If not, and you never needed to read it, it's easy to conclude it's hard, impossible even.
[0] https://gdpr.eu/article-4-definitions/#:~:text=%E2%80%98-,co...
I personally find informed consent to be a very desirable thing, because it aims at the goal of legislation, not at the means. If you think that citizens cannot, should not, or should not be required to profoundly understand what is happening to them in digital contexts, that's a specific point of view. From this you evaluate the trade-offs.
My personal (humanistic) perspective is that a profound understanding and practical control over our digital lives are the prerequisite for dignity, which is the ultimate goal of a state.
And even if we wanted case-by-case consent, a standardised format and actually enforced rules against coerced consent would've also been quite easy to do.
If you don't want to send some of them, then just configure your client not to do that.
It's bizarre that the onus is put on the websites themselves to request consent before requesting that the client sets the cookies.
If I don't want to be informed, there should be a way for me to signal my willingness to participate in uninformed consent.
Would there exist any other method of implementing it that would be substantially different? It's hard to imagine. I suppose they could implement it by not having tracking cookies.
I think the ideal situation is that people could just set it as a browser preference and be done with it. Oh wait they already can.
That is what the law requires.
Blame the unnecessary gathering of personal data (and think about why they want it!), not the 'cookie law'.
> Would there exist any other method of implementing it that would be substantially different?
A checkbox or button, anywhere on the page, that you can click to opt-in or ignore to not opt-in. Once clicked the site/app has consent to track that consent, so the box can stay ticked (or be moved out of the way entirely as long as a way to retract consent is easily available, perhaps via an obvious link in page footers). Done. Informed consent implemented in a way that doesn't irritate any user (those that care either way, and those that don't care at all).
They could even include a short bit of text begging people to opt in because it helps their site/app make more money from advertisers, without going as far as a pop-over or otherwise wasting a large portion of screen space.
> It's hard to imagine.
For those with very little imagination, perhaps.
> … ideal situation is that people … set … a browser preference …. Oh wait they already can.
Only with regard to cookies, and perhaps other local storage, which as I stated at the top is not at all the whole matter. And even within those limitations those options are rather ineffective against the experienced stalkers that the advertising industry consists of, because they can and will simply ignore things like DNT and will work around cookie/localstorage/other blocks using various other fingerprinting tricks.
No, that's bullshit. Nobody is after case-by-case decisions.
People are under DoS attacks from corporations throwing single-sided contracts into them until they make a mistake and accept something.
Those boxes are just that, harassment, done in the hope people will pay them to go away.
Good luck explaining alternative technology to the lawyers and then to the lawyers of the other party in court should the need arise, and then to the judge. While you are technically 100% right, I believe you will have a truly hard time implementing anything other than the cookie banners.
Setting cookies that aren’t used to track people, doesn’t require consent.
The consent is for tracking that happens to use cookies, not for cookies themselves.
How do I even know that you want to try and farm my personal data until I go there?
Perhaps you should put a click through gateway that states that "proceeding on to this website will sell your personal information to spammy, scummy advertising".
Forcing me to make an informed decision where I don't care about the result is the one of the major ways of wasting my time.
If you wanted to create a good law about this you should make it so I only have to make a case-by-case decision if I care about my privacy (as it's currently exploited) and do nothing if I don't.
The UK and EU have decided _society_ cares, about the dangers due to unregulated sharing of personal data; hence the law requires informed consent to do this.
If _you_ don't care, then that is your prerogative.
The laws do not force that. Informed consent before tracking could be implemented other ways, perhaps even more easily.
The companies choose to force you to make the decision, rather than making it something you could choose to click or choose to ignore, because forcing that increases the chance that people who do care will accidentally opt-in and people who don't care will get irritated and (as is evident in places in this thread) incorrectly blame the law.
The companies make a point of inconveniencing people like you who don't care, so they can weaponise you against those of us who do. The companies are doing this to you, not the law.
If you're on iOS, the Kill Sticky bookmarklet does a decent job of cleaning these up without breaking most sites: https://www.smokingonabike.com/2024/01/20/take-back-your-web...
Except for the pesky sites that somehow disable (or rather "not enable") certain things until you've "answered" the banner. Can't remember what site I hit that on most recently, but I had to disable uBlock, reload the page, click "Deny", and then the video/element worked.
Should have unchecked those 973 legitimate interest checkboxes they hid under the ”affiliates” or ”vendors” or ”providers” or whatever.
Next, they will resell that profile to political campaigns, advertisers, law enforcement, private dicks and security providers, the military, foreign intelligence services and drug cartel hit squads, to name a few. You could buy it too! Or your friends, enemies, neighbors, colleagues, bosses…
Which works on Chrome, Firefox and iOS.
The best part is that you can actually specify your preferences, but globally for all websites. I actually prefer to have the functionality cookies enabled.
Regardless, I use Hush and another blocker and it has still come in very handy several times already, so I thought others would want to know about it.
That's not true. On average any overhead in browsing performance introduced by ad blocking is compensated by the elimination of tracking and ads elements of the pages. It saves bandwidth and are better for UX. We can argue about business models but claiming it requires tremendous resources is not true.
And content-based ad blocking still works in chrome but in much more limited capability compared to superior browser like Firefox.
I don't have the evidence with me, but from what I've seen content-based blocking actually saves resources, both load times and memory. It's because Ads are not actually free or even cheap, you have to make a third-party request, load some content and JavaScript. So, if you spend a little to find and block those requests, you end up saving resources on average.
Instead, we are trusting the very websites we are blaming for tracking us in the most deceitful, malicious ways possible to self-regulate and implement these controls. So now every website gets a shitty banner - on top of all the other annoying in-page banners and popups which are a staple of 2020s web design - that asks us if we want cookies. All these banners look different, are positioned differently on the page, appear at different times after the page is loaded, and function differently. So there's no consistency. And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies." How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?
So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industry does, except it's worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.
So again, why isn't this the responsibility of browser vendors? Am I taking crazy pills? Am I going insane or is the world going insane?
/rant
You need to ask permission to track people and to do other things with their personal data.
Cookies are one method to do that, but any other method (like local storage or storing session state in a URL parameter) also counts.
Hence, it is not possible to have a system where a browser can tell a site what kinds of processing the user thinks are OK, as it would be too complicated.
[1] Shameless plug to my rant on the subject https://blog.melnib.one/2024/05/19/death-of-the-user-agent/
You haven't been reading the news lately, have you?
If you're referring to the US elections, then you might be interested in the fact that not everyone on HN is from US, and not everyone cares.
It should be, but then legislators don't get to brag about having Done Something and enforcers don't get to brag about punishing Bad People.
Because these "banners" are not just about cookies but about data processing and storage. Cookies are just the most obvious and immediate aspect because they're browser-facing and thus consent needs to be obtained early on. But there's nothing special about cookies when it comes to the need to obtain consent (even the ePrivacy directive which singles them out only does so to explain what information needs to be disclosed in order for consent to be possible).
> Instead, we are trusting the very websites we are blaming for tracking us in the most deceitful, malicious ways possible to self-regulate and implement these controls.
Yes. Because they break the law if they don't comply or try to trick you to "opt in".
> So there's no consistency.
Yes. Most consent dialogs are breaking the law by being intentionally non-compliant to mislead visitors into opting in. The ePrivacy directive makes it pretty clear what a compliant dialog would look like. For example if you have a big "accept all" CTA you need to have an equally prominent "reject all and proceed" CTA.
> And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies."
If they're strictly necessary, they are required for the site to function. Disabling them would make the site not work.
> How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?
Because that would break the law.
> So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industry does, except it's worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.
No, we have created a law they have to follow and which they can be fined for violating. We have also established privacy and the right to your personal data as a universal right because everything else in the GDPR and ePrivacy directive follows downhill from that.
They're not self-regulating, they're regulated. This is literally how regulation works: they have to follow the law or they risk a fine. The problem right now is some DPAs dragging their heels, most being underfunded and foreign companies getting special "One Stop Shop" deals where a ridiculously corrupt DPA (hello Ireland) gets to be the single DPA in charge of handling complaints about them.
In my opinion, the web needs to be less reliant on cookies and state data, and websites should be adaptable to situations where they cannot store or access it. Websites can easily provide UI feedback for this issue. For instance, a store website unable to save a cookie can place a banner at the top saying something like "please enable cookies for this website in order to use the shopping cart." And then it's up to browser vendors to provide a simple, consistent, intuitive user interface for enabling cookies - such a UI should minimize the amount of instructional info a site's banner will need to contain in the first place.
The web really needs to be built around opting into site functionality on a site-by-site basis. It's been the opposite of this for a long time now and we've ended up where we are today... There are many reasons site operators will hate this, from legitimate concerns about usability or accessibility, to business concerns about users not wanting to take the minimum amount of time to change a setting to add items to a cart resulting in reduced sales, or even malicious concerns about not being able to track users under a magnifying glass. As pissed off as these site owners will be, it's a change browser vendors can make without needing their permission, the same way Apple added app-tracking-transparency controls much to the chagrin of companies like Facebook.
And yes, users will find one reason or another to complain about this, despite the fact that it will be optional. "It's like Vista's UAC prompts all over again!" "I shouldn't have to do extra work to add stuff to my cart!" etc. That's great that they don't care about being tracked, and if they want to be the cattle of data mining companies that's fine. But there are plenty of people who, given the choice, will prefer the alternative, and over time sites will adapt. If sites purposefully punish people for not enabling cookies, and websites are interested in pissing off their users, well there's always the option to close that site and use another... in any case I'd rather deal with that kind of fight than the situation we have now.
Knowing and caring how the plumbing actually works marks you out as a plumber, and sophisticated people don't concern themselves with those kind of details.
(Also various corruptions in the drafting process itself, of the sort which tend to arise when you have a mega-nation with competing interests and power blocs, but in this case it's mostly just ignorance.)
Not if it comes from "consumer protection", as opposed to "your computer, your rules."
Treading down the latter too far leads into weird realms like "Hacking? I didn't make your computer do X, I simply sent it messages, it's your fault for not controlling its behavior."
The EU does not mandate banners, it's the businesses choosing to bully their customers into accepting all tracking and profiling.
It's stunning the number of people on HN (a tech news site!) who don't realise there is simply no requirement for "cookie banners" UNLESS you are using those cookies to track me or personally identify me (advertisers take a bow)... in which case you need to ask my explicit permission to do so.
And so you should.
So modest proposal: Make these websites pay 575€ million/year for wasting citizens' time or have them accept that "no" means "no".
Quote from the blog post:
> Well, EU law requires you to use cookie banners if your website contains cookies that are not required for it to work.
And the majority isn't even compliant, without a big disable button, instead hiding it through 10 different dark patterns in the cookie setting, where every misclick leads to accepting the whole array of spyware.
Don't blame the system (non-ideal but darn good to have in place, compared to literally the rest of the world where humans simply have fewer rights), when it's companies knowingly failing basic rules.
And possibly requiring browser vendors to implement Do Not Track in an accessible and user-friendly way. (Those whose business models are reliant on ads might need a firm nudge there.)
That's a bold statement to claim that the largest trade block in the world is utterly useless, but I'll bite it.
What was the underlying issue they didn't understand?
If the average time for toilet visits per day is 12 minutes, we are losing 89.8 million hours a day collectively across Europe, and continuing the same logic as in the article, with 25€/h this sums to 5% of EU GDP being spent down the drain.
Maybe we should focus efforts on a productivity programme to ban bathroom visits?
1. The general 'utility' of informing users about cookies (or giving them the opportunity) and getting 'consent' is completely ignored.
2. The time spent is assumed to be 'working' productive time, not leisure time.
3. They ignore the existence of tools that automate these (auto accept/reject).
At this point, why not calculate the 'economic costs' of every activity we do outside of work? I imagine reading and watching TV and movies would have massive productivity hits...
The "cookie banner problem" exists because it's primarily end users that are shouldering the burden of them, and not the companies. For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner. For everyone else, it's thousands of wasted seconds per year. Make the law hit companies where it hurts: their balance sheets.
But a lot of businesses assume they need to ask permission for placing any cookies, which is simply not correct. Local analytics tracking is fine, it's only when the user can be tracked across multiple separate websites that they need explicit permissions. And the user should not be annoyed into making that decision.
Partly because of laziness, partly because of pessimistic legal compliance.
Yay capitalism.
Part of the problem is that the law didn't seek to distinguish between tame first-party cookies and the really naughty third-party cookies so the burden is equal regardless of how malicious the service is.
> For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner.
This is actually not true. There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)
The things they're calling legitimate use just isn't, which is why they need banners.
Isn't this industry for those, who want to share their website data automatically with 100+ partners? For others, who don't really share that much data with others, less relevant.
Maybe I'm an outlier, but ideally I don't want them collecting any "tokens" without my consent. I don't care if they're first party or third party or birthday party. I should be able to browse web sites in peace without some company collecting anything. If the web site doesn't work exactly the way I'd expect because I did not provide that consent, then that's on me.
If you use cookies for auth, no need to disclaim it.
Better, you don't need a banner even if you do track users, for anybody with DNT. So you can offer a seamless experience.
They just don't care.
The cookie banner is required depending on the purpose of the cookies, not the party setting them.
Because of that there are now neat categories of cookies / cookie purposes.
Would be nice if we could select one time in our browser “necessary cookies only”, and that would be communicated to every website visited, without the need for a banner. But that’s user friendly and that’s anathema to the modern web :)
It does, or rather the law doesn't state cookies at all. It has nothing to do with cookies.
All the law says is you require informed consent if you want to harvest personal data and use it for tracking. Cookies are a common way to do that. But cookies used for session and whatnot are exempt, because they're not used for tracking.
The problem is companies are maliciously compliant.
Instead of requiring companies to put up a banner if they did certain tracking activities via cookies the law should have simply outright banned the tracking activities entirely.
If I do not want a website to set any cookies, the correct course of action is to tell my user-agent to not keep any cookies from it.
I have it like this. But with that, I'm using a banner autoclicker. So the company gets my data, although different each time I enter the website, and I don't see any banners. Win/win?
It should've been a user-agent centered feature rather than an individual website gimmick - that's the only way it could've possibly worked. After that, companies can try to continue doing whatever shit they want to try, but none of their identifiers would be persisted unless the user agent allows it. (This does not account for fingerprinting, but that's a whole other story.)
Instead, legislators made some weird decisions that failed to account for human and corporate nature (greed), and we ended up with more popups and banners than ever.
Wrong.
And the GDPR is not just for the web.
I think 90% of the blame lies with the EU. They had experience from the cookie law that this would happen.
It's like... say you would rather people didn't drink alcohol in pubs (because of all the scary violence it leads to). You can
1. Ban alcohol in pubs.
2. Allow alcohol in pubs.
3. Allow alcohol in pubs but only if people recite the lord's prayer before every purchase.
3. is obviously a dumb choice, yet it's the one they chose.
That's the law here in Scotland. As annoying as it is, the same law doesn't apply in the rest of the UK but it's reasonable.
It's like piracy, there's only so much you can do plugging holes
Cookie banners always felt like a feel-good solution. Made worse by inconsistent UIs, differing button texts, long explanations, etc.
I say keep on plugging. When you make a law and bad actors find loopholes, the solution isn't to throw up your hands and say "Well, we tried!" The solution is to continuously refine the law as loopholes are found. Laws should get regular patch releases.
I hope you're happy that this law already encourages people to stay within a few big websites (where they've already clicked away the cookie banner) and not explore anything new (where they'd have to click away a cookie banner every time).
After seeing websites pull shit like "legitimate interest" where they share data with 9 trillion of their "partners", they can all rot for all I care.
If you don't want a website doing something on your computer, you start with the browser, not the website.
2. It was intended to be a way to communicate an actual intent from the user. Once it was set by default, it ceased to be an indicator of user intent.
The GDPR and ePrivacy directive aren't just about cookies. They limit what a company can do with your data in general, who can access it and how long. Cookie banners are just a downstream consequence of it and the reason they're bad is that most companies try to be clever and design them maliciously in ways to coerce you into "opting in" even though this makes them non-compliant.
If DPAs were serious about enforcing the law, every single website not giving at least equal visual weight to the "refuse all and continue" button (or hiding it behind other options or using individual "legitimate interest" toggle buttons to sneak in their partners despite the existence of the toggle button invalidating the claim of "legitimate interest") would be punished with the maximum fine because they have purposefully and maliciously violated the law.
Because if they can say "hey look over there, regulation bad"; they can escape regulation if it is repealed
On the contrary; data protection law was written precisely by those who understand tech and the dangers of companies using it to gather and share your personal data.
It's utterly bizarre people get annoyed for being asked explicit, opt-in consent to gather and share personal data on a case by case basis (as the law demands!), rather than get annoyed at the scummy SV adtech surveillance capitalists for seeking to share your data without consent.
(Once again, "cookie banners" are not required if you aren't tracking me or gathering personal data. Case in point, Hacker News sets cookies and is entirely compliant with no need to ask any permissions from me)
Regulation exists in the real world, not in some fantasy land where companies do what you want.
Cookies should be enforced in the browser. I think all the major browsers block third party cookies now. Bad actors can use other fingerprints to do tracking.
No "cookie banner" is required UNLESS you are using cookies to track me or personally identify me... in which case, you must ask my explicit consent to do so.
Blame the parasitic adtech industry wanting to trade your personal data. Not the EU for providing you with consumer protection.
Blame them for what? We all understand that personal information is the currency that pays for these services. While we may not love that we have to pay (who does?), we accept it as a fair trade. Until governments get their ass in gear to make paying with more favourable currencies viable, that is going to remain, now just with extra clicks.
> Not the EU for providing you with consumer protection.
I guess a bandaid is better than nothing, but we'd be better off if the EU would tackle the real issue. Going there would ruffle some real feathers, though, so good luck. But if there is blame to go around, it is on the EU for being too afraid to ruffle them.
Blocking 3rd party cookies has no impact. Everyone and their cousin can technically track you with first party cookies.
One would hope so. Google cancelled the plans https://www.reuters.com/technology/google-scraps-plan-remove...
> On average, a user visits about 100 websites per month, totaling 1,200 websites per year.
The number of 100 websites per month is pulled out of thin air. Following the links it seems to be based on the number of web PAGES visited DAILY by Americans in 2007.
In my anecdata most people are online a lot but mostly in just a few apps and websites.
So I guess all numbers in the article should be much much lower.
I spend ~0sec on these banners. How many are there people like me? The authors say nothing about this solution and it seems to me that they are not aware of the possibility of the automation. They just assume that each banner costs 5 seconds.
Why 5 seconds? It is an eternity; to pick "reject" and click on it would take 0.5 seconds or so, wouldn't it? Yeah, I know, there are sites that do not allow just "reject all" and force you to uncheck several dozen checkboxes one by one, but these sites eat much more time than 5 seconds, it is more like 50 seconds. Maybe 5 seconds is an average value across all sites? But how was it calculated?
But I agree, that the situation is stupid. It would be better to have a standard API common for all sites, that will allow addons to accept and reject cookies based on the user settings.
https://chromewebstore.google.com/detail/consent-o-matic/mdj...
> This situation calls for an urgent revision of the ePrivacy Directive
Shame companies cannot live without tracking cookies, and shame that the blame somehow ends up on the regulation, rather than on the companies, who are the ones who introduce this cookie banner and "massive productivity loss".
You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.
I hear this a lot. As an American that hosts casual personal websites, I can't help but worry that I'm in violation of the GDPR.
For example, my router logs connections for debugging. And my nginx server maintains server logs for debugging.
These contain IP addresses. I'm pretty sure those are considered PII under GDPR. And there are a lot of things I think that follow from that, things I haven't bothered to look into or implement. Like whatever policies, disclaimers, notifications, request handling processes, etc. that need to be in place to gather those logs.
Whether or not I need a registered agent in the EU to host my website seems to be rather fuzzy too. It seems to come down to how "sensitive" the data I store in my logs are?
It's also not clear to me whether my home router is subject to GDPR if it receives and logs a packet that was sent to it by an EU citizen, regardless of whether there was a public internet service hosted on that router or not.
I mostly choose to not think about these things - but that nagging concern that my entire self-hosted digital presence violates European law does linger.
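One concrete data-minimisation step for the router and nginx logs mentioned above is to truncate client addresses before the log line is retained. This is an added example, not code from the thread; the /24 and /48 prefix lengths are a common convention I am assuming, not a value taken from the regulation, and the log lines are constructed samples in nginx's default "combined" format.

```python
# Added example (not from the thread): strip the host part of client IPs from an
# nginx access-log line before it is stored, so the retained log carries less
# personal data. Meant to run over the log stream or over rotated files.
import ipaddress

# Keep the first 24 bits of IPv4 and the first 48 bits of IPv6 addresses.
# These prefix lengths are an assumed convention, not something GDPR mandates.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def anonymize_ip(text: str) -> str:
    """Return the address truncated to its network prefix; non-IP text is left as is."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Anonymize the client address, the first field of nginx's 'combined' format."""
    client, sep, rest = line.partition(" ")
    if not sep:
        return anonymize_ip(line)
    return anonymize_ip(client) + sep + rest


def anonymize_log(lines):
    return [anonymize_log_line(line) for line in lines]


# Constructed sample lines (documentation-range addresses only).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [10/Oct/2024:13:55:37 +0000] "GET /rss HTTP/1.1" 200 88 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```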
GDPR is intentionally obfuscated and made scary by people who have an interest in others thinking the regulation is onerous and silly (so that it is eventually changed/removed).
The regulation is not very hard to read, I would recommend you do it if you haven't, and it boils down to: "don't pass on (process) information without informed consent; if someone requests that you remove their account you should do so, and also don't keep records around; and do your best not to let anyone access personal information". The last one is technically unenforceable, but exists to prevent people leaving open access to data processors and bypassing consent more than anything else. A secondary benefit is that people take access controls a little more seriously by forcing breach disclosures.
Even the cookie banners are not needed unless you’re setting cookies for data collection, especially for third-parties!
There is a distinct irony in that all the online simplifications (“gdpr for dummies”, “the 7 things to comply with for gdpr”) are misleading and harder to read than the actual text of the regulation.
EDIT: I was foolish to post this during the peak time for US people. It feels like the Americans want the GDPR to be perceived as a pain.
It could be that you are running ads and your ad provider is a processor in the EU and, because they cannot handle jurisdictional consent well, they attempt to pawn that off onto you in your terms and conditions. EU law has already decided that they cannot turn a blind eye, however: if you aren't collecting consent, then your processor has to assume that consent isn't given.
So yeah, worry about your contracts with third parties that might try to sneak in liability transfers and how your own jurisdiction would deal with that. If your provider is transferring that kind of liability maybe they are trying to also make you liable in the case that their ad installs a virus, so I hope you are already aware of such third party liability transfers in your contracts if your jurisdiction allows for such things.
This type of downvoting on HN is getting silly and needs to stop.
(And a thanks to those who did respond to OP with the advice he is not in GDPR violation. Frankly, a worrying number of HN readers are clueless about legislation that directly affects them, whether they like it or not.)
Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law, while good intentioned, was/is too broad and failed to understand the realities of operating websites. This regulation has caused the entire world to be annoyed with useless cookie banners that 99% of people just reflexively click through - just like all of California's Prop65 warnings are ignored today.
> Don't store PII.
These hard-line statements defy reality. Many websites have legitimate need to store PII.
> You know the best way of not having to care about GDPR?
Don't be in the EU?
Just ignore it. There are no consequences. If you don't have a physical presence within the EU, there's little to zero the EU can do about it. The EU can think its laws apply to the world all it wants, but the world disagrees.
"Essential Cookies" do not need a consent banner.
Case in point: Hacker News is 100% compliant AFAIK and has no banner.
> Many websites have legitimate need to store PII.
If there is actual legitimate interest or legal requirements, such as collecting an address for delivering a package or performing fraud-prevention, there is also no need for cookie banners.
Give reading the actual implementations a try. You'll quickly notice they actually thought of this. I wouldn't say it's "expertly crafted" by any means, but the banner is for a specific "class" of cookies, not just "abc=123" as you seem to think.
You can wish upon a star that humans weren’t the way we are. In the real world, this was a predictable response to a stupid rule. (And in some cases a necessary one. For example, for websites requiring a login or reliant on ads.)
> know the best way of not having to care about GDPR? Don't store PII
This is a nothing to hide argument [1]. Proving compliance with GDPR is tedious and expensive even if you’re fully compliant. (Proving no jurisdiction is easier.)
[1] https://en.m.wikipedia.org/wiki/Nothing_to_hide_argument
They don't need consent for that.
> reliant on ads
Yes. For me, this has been eye-opening about how many different ad agencies there are snooping on my browsing history. It was bad enough when it was just the (UK) government passing a law to do that, now I've got websites with more "trusted partners" monitoring my every move than my high school had students.
> This is a nothing to hide argument
"Don't store PII" does not seem to be that, to me?
If anything, the opposite party gets that criticism, given that the default is allowing private agencies to spy on everyone?
"Assuming it takes an average of 5 seconds per interaction with a cookie banner".
People don't spend 5 seconds clicking accept. They start reading their website, notice the banner in their periphery shortly after, and click it to go away.
The banner often obscures the view, and the user needs to dismiss it in order to know if the page contains the information the user is looking for. But in order to dismiss it, you can click "Accept all" easily and the job is done, OR you need to enter the options by clicking the "manage" button, find your way around the banner, understand what the options are and which ones are checked and which are unchecked, then click "consent" or whatever terminology is used, but only after finding the button.
This easily can take up to a minute.
Yes, sometimes there's the "reject all" button, but not always. Also you need to know how they define the "reject all" button, because sometimes it may be defined as "reject some".
It's not a problem for me, because I autoclick them away with browser plugins, but when I'm on mobile, the web is really hard to browse because of those banners.
What would I have contributed to my GDP in the 5 seconds it took to ‘Reject all’ on Reddit?
"575M hours spent every year by Europeans" = 850 average human lifespans per year
Cookie banners in Europe have an effect vaguely comparable to "wasting" 850 human lives per year.
Sometimes when you go for a walk in the country there are stiles or gates to climb over and that is also fine.
I feel like there's some kind of implied belief here that all interactions with the world should be perfectly frictionless which I think may be more of a niche view than is realised?
Yeah, right. You don't have to use cookie banners if you don't use cookies. Unless you are running ads or profiling users, you can get equivalent data from server logs.
You don't need to ask people for their consent if you do not store personal data client side to track them. There are clear definitions of what is personal and what isn't, and you can store cookies for legitimate reasons, which are also clearly outlined.
So if you don't want to ask for consent, you can avoid that by not doing things that require it.
I am skeptical of this claim. Partially due to the existence of trackers, beacons, 3rd party cookies and fingerprinting methods.
> Identifying users typically requires a court order to process IP addresses
And this one as well.
If you got told tomorrow you had to start every conversation with "are you okay if I remember this" or you lose 90% of your salary, guess what you'd do.
Oh and 5 seconds is unrealistically high.
Sure the banners are a stupid idea and a little annoying, but these figures have no merit. There's no way 500m hours of productivity are going to materialize from removing the banners. Removing 'please subscribe' popups, and other ads, now that's altogether different...
FTFY
And could you add an analysis of the productivity cost of those "Subscribe to our newsletter" and "The experience is better on the app" pop-ups, please?
All websites we build adhere to the Do Not Track setting and don't even show a cookie banner if it's set. The only question is whether we should show a message to say that we're not tracking people because we see they've asked us not to! It's possibly a bit easier for us because we work primarily in the non-profit sector where ethics are perhaps a little higher up the agenda.
I'm sorry, but if we are really so worried about businesses failing that we can't restore some amount of sanity, then something is wrong with society.
They’d be supplanted by foreign competitors. That’s the actual stalemate.
Then everybody kept their cookie banners around and folded GDPR requirements into them, making them more complex and more necessary all over the place, and making it less likely for people to think "do we need these cookies or not, and do we need to show this banner?", because of fear of GDPR (potential fines are big!!).
Nothing in the relevant regulations, from the EU, California, or anywhere else, in any way mandates the inconvenience that these companies are creating for you.
>404 Not Found
<S>OMFG!!! YOUTUBE IS COSTING THE WORLD *750B EUR* PER YEAR. </S>
How many hours of productivity are lost to Youtube ads?
2.49 billion active users, average seems to be 29 hours per month, reddit reports 4 ads/10 minutes lately - so 24 ads/hour, 5 seconds each (even though that went up!), so 2mins of ads/hour or 1 hour of ads per month, 12 hours of ads per year!
12 hours * 25 Eur/hour * 2.5B = 750B Eur
(probably made some mistakes)
Also, this article is ridiculous - like assuming all 400M European internet users are "productive" at 25Eur/h (30% are probably < 15 or > 65), people clicking 1200 banners per year because they visit 100 sites/month (12*100, right?!) and so on.
GDPR is basically exactly what Bill Gurley talks about here: https://www.youtube.com/watch?v=F9cO3-MLHOM
Regulatory capture.
In general: Southern+Central EU wants to build a new USA. Northern states meanwhile want to reduce the power of the EU. A common market is really the only thing we want.
UK had enough and quit.
This whole cookie banners, and GDPR in general, is as good as literature.
>if you collect users data
>you must ask first
>add a yes or no button on a banner so they can pick
But instead the EU citizens were let down by the legislators.
French law for example specifically says that any implementation must "allow the user to refuse the deposit of cookies as easily as to accept it." [1]
[1] https://www.termsfeed.com/blog/cookie-consent-decline-reject...
Whatever you see in cookie banners is either malicious compliance or directly illegal (and already being prosecuted and resulting in fines).
(I say that, but the EU bureaucrats that passed this law may actually see the immense numbers of popups as a win still - who knows).
A revision is patently obvious to seemingly everyone - revise the law to instead mandate that websites respect the Do Not Track header, or at least have designed a more granular replacement. There's no reason you shouldn't just be able to set it once and your browser tracks it for you.
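The approach described in the comment above about sites that adhere to Do Not Track, and the proposal here to mandate respecting that header, both come down to one server-side decision per request. This added example (not code from the thread or from any site mentioned in it) shows that decision: an opt-out signal suppresses both the banner and non-essential cookies, and nothing non-essential is set until a choice is recorded. The cookie name `consent`, the `_analytics` cookie and the treatment of Global Privacy Control (`Sec-GPC`, not mentioned on the page) as a second opt-out signal are my assumptions.

```python
# Added example (not from the thread): gate the cookie banner and non-essential
# cookies on the browser's opt-out signal and on an explicit consent record.
from dataclasses import dataclass, field

CONSENT_COOKIE = "consent"          # assumed name of the site's own consent record
TRACKING_COOKIES = ["_analytics"]   # constructed names of non-essential cookies


@dataclass
class Decision:
    show_banner: bool
    set_cookies: list = field(default_factory=list)  # non-essential cookies the response may set
    reason: str = ""


def opt_out_signalled(headers: dict) -> bool:
    """True when the browser sent DNT: 1 or Sec-GPC: 1 (header names are case-insensitive)."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("dnt") == "1" or lowered.get("sec-gpc") == "1"


def consent_decision(headers: dict, cookies: dict) -> Decision:
    # The browser's opt-out signal is treated as a refusal and wins even over an
    # older "accepted" cookie: no banner, no non-essential cookies.
    if opt_out_signalled(headers):
        return Decision(show_banner=False, reason="opt-out signal")
    choice = cookies.get(CONSENT_COOKIE)
    if choice == "accepted":
        return Decision(show_banner=False, set_cookies=list(TRACKING_COOKIES), reason="consented")
    if choice == "rejected":
        return Decision(show_banner=False, reason="rejected")
    # No recorded choice: show the banner and set nothing non-essential until it is answered.
    return Decision(show_banner=True, reason="no choice recorded")


if __name__ == "__main__":
    # Constructed requests: opted-out browser, first visit, and a returning consenting visitor.
    for hdrs, cks in [({"DNT": "1"}, {}), ({}, {}), ({}, {"consent": "accepted"})]:
        print(hdrs, cks, "->", consent_decision(hdrs, cks))
```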
For me personally, out of all these options, giving my data is my least painful payment option for one-off services.