Even worse: because it makes it seem like the EU law is just meritless pestering of people, they are actually fighting for the right for worse sites to spy on their visitors.
It's baffling.
It is that. It has done literally nothing to improve anything whatsoever, in any country. And most of the "cookie management" scripts that people use, barely even work. Both the law and the way it's complied with in practice are a dumb solution to a problem that the EU should have forced browser vendors to solve. Only the user's browser can choose not to send back cookies, and it would be trivial for the user to be shown a dialog when they navigate to a previously-visited site in a new session saying:
Last time you were here, the site stored information that may help them recognize you or remember your previous actions here.
< I want to be recognized > / < Forget Everything >
[ ] Also keep these third-party cookies <Details...>
[x] Remember my choice and don't ask again for ycombinator.comThe industry could have come up with a standard, a browser add-on, respect a browser setting, etc but they chose the most annoying one to pester you, the user.
In fact the law pretty explicitly disallows dark patterns like that. Of course tech companies have a loosy-goosy relationship with the law at the best of times.
Kind of. The intent is good and the wording disallows some of the dark patterns. The challenge is that it stands square in the path of the adtech surveillance behemoths. That we ended up with the cesspit of cookie banners is a result of (almost) immovable object meeting (almost) irresistable force. There was simply no way that Google, Facebook et al were ever going to comply with the intent of the law: it's their business not to.
The only way we might have got a better outcome was for the EU to quickly respond and say "nope, cookie banners aren't compliant with the law". That would have been incredibly difficult to do in practice. You can bet your Bay Area mortgage that Big Tech will have had legions of smart lawyers pouring over how to comply with the letter whilst completely ignoring the intent.
Many websites are free because they survive from ads. Ads make more money if you collect data. The EU law essentially cut the revenue of all these websites. Their choice is to not collect data (meaning less revenue) or show a popup (meaning more bounce rate, which means less revenue).
People who think this is a good thing are being short-sighted. That's because this law mainly affects websites that host information that visitors visit from clicking on links on the web. If a website is like Facebook or Youtube, where users must sign up first or probably already have an account, they will be able to collect data for ads with or without banners since they have their own ToS for creating an account, and they can infer a lot from how the user uses their services.
I'm not saying privacy regulation is a bad thing. It made countless businesses reconsider how they handle people's data. But it's clear to me that there are two problems.
First, this regulation hurts all the small websites that need to exist in order for we have to have a healthy "web." A lot of these are making only barely their hosting costs in ads, so there is no way they can afford the counsel to figure out how to comply with laws from another continent. If we had another way to support these websites, this wouldn't be a problem, but ads are really the lifeblood of half of the internet, and almost nobody wants to donate or pay a subscription.
Second, this regulation doesn't even really protect people's private data in the end, which may give users a false sense of security because they have the GDPR on their side. I forgot the name, but there was a recent gossiping app that required the user to upload a photo in order to sign up, which should be deleted afterwards, but they never deleted it and when the app was hacked the attacker had access to photos of all users. It's the same thing with GDPR. We can tell when a website is clearly not complying with the GDPR, but there is no way to tell if they actually complied with the GDPR until the server gets hacked.
Even the way they comply with GDPR isn't enough to protect users' privacy, e.g. if you have an account on Discord and you want your data deleted, they will simply turn every post your made into an "anonymous" post. This means if you sent a message that discloses your private information on Discord, that will never get deleted because its outside the scope of compliance. You could literally say "Hi, my name is XYZ, I live in ABC" and they won't delete that because you consented to provide that information, they will just change your username from "xyz" to "anonymous" or something like that.
I still wonder what are the actual benefits of GDPR with these cookie banners when 99% of the users just stay on Facebook and Youtube anyway.
Bad implementation of the EU law indeed, as another comment said. It fails the purpose completely and just create more problems for nearly everyone.
It does not take time if you don’t care to read it. Yours click yes, and they will remember you want to be tracked.
In practice these banners regularly break. They are hard to click on certain devices where the button is off screen. If they use JavaScript and there is an error elsewhere, you can’t hide them. And I regularly see them over and over again on the same sites because for some reason they can’t track me effectively for this purpose.
In short they are a regular minor annoyance that does take time and effort.
It doesn’t matter what site I visit and what choice I do. The next day, every single website asks me to pass through the banners again.
There's a reason people have always hated popup ads even though "just close them" has always been an option.
This is only an option if you limit tracking to using cookies. But neither tracking technologies, nor the current EU law, are limited to tracking via cookies. It also kills functionality for many web applications without also accepting all tracking. Some browser-flavors went to extreme lengths to prevent tracking through other means (eg fixed window size, highly generic header settings, ...).
Maybe I am mistaken, but it seriously frustrates me how much people within the relevant field make this mistake of conflating tracking and cookies and come to this "it would be so simple" solution.
A welcome update to the law would be to allow a header flag to opt out/in (or force the do-not-track header to have this functionality) preventing the banner from showing.
Maybe we could move towards that end in small steps. The EU should start by banning irrelevant non-sequiturs like "We value your privacy" and other misleading or at best distracting language. It can then abandon the notion that users are at all interested in fine-grained choice, and enforce that consent and non-consent to non-essential statekeeping are two clearly distinguished and immediately accessible buttons. No one wants to partially block tracking.
It seems as though the EU is operating under the notion that this is all a matter of consumer choice, as though any informed consumer would choose to have tabs kept on them by 50 trackers if not for the inconvenience of figuring out which button stops them.
That’s because of malicious compliance from all the websites/advertisers. I guess that is partly the lawmakers’ fault for not pre-empting that; but much larger blame lies on the industry that refuses to grant user privacy.
As an example for a site that followed the intent of the law instead: https://github.blog/news-insights/company-news/updates-to-ou...
Github removed excess tracking so they didn’t need to show a cookie banner and that’s what GDPR’s intent was.
As an example of true malicious compliance, some companies intentionally add trace amounts of allergens to all their food, that way they can just claim that all their food contains allergens and not be at risk of being accused of improper labeling. but the intention of the law requiring accurate labeling was clearly not to get companies to add more allergens to their food. it requires a level of creativity to even think of complying like that. It requires zero creativity to think “this law requires user consent before tracking, so let’s ask for consent”.
In other words, of course Facebook knows you like bacon if you've followed 5 bacon fan pages and joined a bacon lovers group, and they could sell that fact.
But without cookies being saved long-term, Facebook wouldn't know that you are shopping for a sweater unless you did that shopping on Facebook. Today they undoubtedly do know if you are shopping for anything because cookies exist and because browsers are configured to always save cookies across sessions.
Also, I always point this out when this topic comes up: Of all websites I visit and have to click stupid banners on, almost none of them are in the market of "selling data" or building dossiers about individuals ("Steve Smith bought flowers on June 19th. Steve is 28 years old. He has a Ford Explorer. He lives in Boston."). They just want to get metrics on which of their ads worked, and maybe to know aggregate demographics about their audience. My local water utility, Atlassian, and Nintendo to pick 3 sites at random, have never been and are not in the business of data brokerage. But they do need to show cookie banners to not be sued for imaginary harms under CCPA or GDPR (unless they want to not make any use of online advertising or even aggregate analytics).
What I don't like about cookie popups isn't the popup (which isn't something the EU law dictated btw), it's that someone thought it was okay to have hundreds of advertisement vendors and data brokers on a single news article, and it's better to know so I can just close the tab and never interact with that webpage again if they're being excessive asshats.
They have failed at enforcing this properly though, in particular with the recent proliferation of "legitimate interest" abuse (it is only legitimate interest if it an implied component to a service I am directly requesting), and the general issue of popups illegally making rejection different from acceptance, intentionally making rejection slow, or even requiring payment to continue without cookies. And yes, the occasionally completely defective prompt.
I do agree that it would be neater if the browser handled this though. Would also be neater if the internet wasn't entirely sponsored by privacy violations. :/
Most of the "cookie management" scripts that people use aren't compliant.
EU law requires "Accept All" and "Reject All Non-Essential" be both equally easy to access and given equal weight (or rather: the latter can't be given less weight and made more difficult to access, which almost all of these scripts blatantly ignore).
Browser vendors can't solve this because the question isn't technical but legal. It's not about first-party vs third-party cookies (let alone same-origin vs cross-origin) but about the purposes of those cookies - and not just cookies but all transferred data (including all HTTP requests).
You don't need to (and in fact can't) opt into technically necessary cookies like session cookies for a login and such. It's plausible that these might even be cross-origin (as long as the other domain is controlled by the same legal entity). If they're provided by a third party, that would indeed be data sharing that warrants a disclosure and opt in (or rather: this can only happen once the user acknowledges this but they have no option to refuse and still use the service if it can't plausibly be provided without this).
The GDPR and ePrivacy laws (and the DMA and DSA) have done a lot for privacy but most of what they have done has happened behind the scenes (as intended) by changing how companies operate. The "cookie management" is just the user-facing part of those companies' hostile and dishonest reactions to these laws as well as a cottage industry of grifters providing "compliance" solutions for companies that can't afford the technical and legal expertise to understand what they actually need to do and think they can just tick a box by buying the right product/service.
Heck, most companies don't even provide legally compliant privacy policies and refuse to properly handly data access requests. The GDPR requires companies to disclose all third parties (or their categories if they can't disclose identities) your (specifically your) data has been shared with and the specific types of data, purposes of that sharing and legal basis for sharing it (i.e. if it required consent, how and when that consent was given) - and yet most will only link you to their generic privacy policy that answers none of those questions or only provides vague general answers or irrelevant details ("We and our 11708 partners deeply care about your privacy").
Here, EU is not quite doing the right thing: the web need "noscript/basic (x)html" compatibility more than cookie regulation. Being jailed into a whatng cartel web engine does much more harm than cookie tracking (and some could use a long cryptographic URL parameter anyway).
Basically, a web "site" would be a "noscript/basic (x)html)" portal, and a web "app" would require a whatng cartel web engine (geeko/webkit/blink).
I do remember clearly a few years back, I was able to buy on amazon with the lynx browser... yep basic HTML forms can do wonders.
The law should have been just a browser setting sites had to follow, making it a "banner" has made it meritless pestering while pretending it's for my own good and allowing the worst offenders to make convoluted UI to try and trick you every site visit.
People ranting against cookie banners and GDPR literally never read the regulation itself and they literally never read what these banners are supposed to trick you into
Their name is "PostHog", a dirtbag left joke from years ago. If they were trying to make joyless scolds happy with their humor, their site would be very different.
Which it is?
I am from the EU and I don't see what this law has accomplished apart from making the WWW worse, especially on mobile.
I remember back when Opera was a paid browser, last century, it already have options to accept all cookies, refuse them, or set fine-grained preferences per website. No need for handling it at the website level if the client can do it.
You can argue that the law might not have improved things (at least not as much as intended), but nothing about this law has made the WWW worse. If you believe that, you've fallen for the concerted efforts of the advertising industry spreading misinformation about who's idea the annoying consent popups were & (like this website) perpetuating the myth that they're a legal requirement.
None of the new annoyances on the modern web that you're thinking about are mandated by EU law. It benefits the ad industry massively to scapegoat the EU for these annoyances.
It doesn't matter much what happened behind the scenes to cause that outcome. From a black-box perspective, it could be that
(a) the EU mandated the cookie banners, (b) the EU mandated to provide cookie settings in some generic form, and websites decided to use banners because it's easier, more lucrative, or even to put people against the EU, in spite of having other options that were better for the user. (c) the EU mandated a different thing and the annoying banners don't even comply with the law.
No matter what the case is, the fact is that the EU made the WWW worse with the law. Either due to an outright harmful law, or to a well-intentioned law with too many loopholes, or to a good law but lack of enforcement. Doesn't matter much for the end user. When you make laws that affect people's daily life, good intentions aren't enough.