
The bait-and-switch hidden in today’s cookie announcement

334 points | DyslexicAtheist | 3 years ago | webdevlaw.uk

229 comments

[+] dbrgn|3 years ago|reply
The announcement says it wants to "protect consumers", but it changes user tracking from opt-in to opt-out... How about ensuring that companies stop tracking people unnecessarily?

I see so many websites – even club websites or private blogs – that have a cookie consent banner, but which wouldn't actually need one if they'd just turn off Google Analytics. I just don't get it.

[+] kmeisthax|3 years ago|reply
The goal of the announcement is purely to make the EU look stuffy and bureaucratic. "Look, we got rid of those annoying cookie pop-ups THEY forced on US!"

Tories need this because of two reasons:

1. Brexit is hurting the UK economy

2. They need to distract from the Partygate scandals[0]

As for Google Analytics... I've talked with multiple clients who have wanted to improve site performance on their stores. The first thing I usually point out is the multiple overlapping analytics packages downloading multi-megabyte JavaScript files. Those are, of course, absolutely untouchable for whatever reason, and we just have to work around the most obvious performance flaws in their site.

The reasons why someone might tank their site performance with a bunch of conflicting ad trackers is not just because "data is valuable". We're conditioned to think of ad tracking as solely interest targeting[1] and remarketing[2], but a huge part of it is also just attribution. Advertising is paid for on a per-click or per-conversion basis, and nobody trusts nobody in this industry, so everything needs to be tracked or the people buying ads get gamed out of their money by the people they buy ads from.[3] So even if you just want to buy ads, you often also need to have tracking on your website purely so that the ad network can either protect you from click fraud, or if you're paying per conversion, actually track how much you owe them.

[0] For those who are not in the UK, like me: The scandal is the fact that the PM and his staff were running a bunch of illegal parties while the whole country was on COVID lockdowns.

[1] When ad networks track your interests to serve more relevant ads. As the ad buyer you can purchase ads based on these specific interest categories; i.e. "I want this ad to be served to 40-year-old men with an interest in cars"

[2] When ad networks track your history to serve ads based on what sites you've visited recently. This is actually a different thing from interest-related ads; it's more like "I want this ad to be served to anyone who has just gone car shopping".

[3] This is also why on-domain advertising will never be a thing outside of the big social media networks.

[+] that_guy_iain|3 years ago|reply
>I see so many websites – even club websites or private blogs – that have a cookie consent banner, but which wouldn't actually need one if they'd just turn off Google Analytics. I just don't get it.

Actually, most are probably not even correctly following the law since the cookies will probably be set before the popup is accepted. For most, people just assume they need a cookie banner. I'm pretty sure I've seen cookie banners on sites that had no cookies.

[+] jasonkester|3 years ago|reply
The popups are annoying specifically because the rules lumped Google Analytics in with all the bad tracking that evil companies do.

I want to know how many people visited my website. So does every website. It's something that websites need to know. We use Analytics to handle that for us, and because of this silly EU rule we're all technically breaking the law by not bothering every single visitor with annoying popups.

Now there are in fact bad companies collecting data on individual people, correlating it between sites on the backend, and using it for nefarious purposes. Those are presumably the reason these stupid laws were passed in the first place, and it would be nice if they actually did need to show a button for you to click.

But since the law says that everybody needs to show that button or lose the ability to know how many people saw their site, you never know whether you're getting the button for an evil site or just one of the millions of other sites you visit every day.

I don't blame the evil companies even a little bit for this mess. It's the people who passed these terribly thought out laws. They'll keep passing more of them until we stop letting them.

[+] hericium|3 years ago|reply
> wouldn't actually need one if they'd just turn off Google Analytics.

Isn't one of the incentives for Analytics, that by knowing your audience Google will be able to suggest your site to their search engine users?

I've heard more than once something in the lines of "we can't disable analytics as we'd lose traffic".

[+] CommanderData|3 years ago|reply
The current UK government isn't interested in people's rights despite lots of catch phrases from Nadine Dorries which might make it seem so.

Each passing day the government becomes more and more deceptive.

[+] Reason077|3 years ago|reply
> "The announcement says it wants to "protect consumers", but it changes user tracking from opt-in to opt-out... "

The cookie-blocking features in modern browsers (except Chrome, probably, haha) effectively make tracking opt-in anyway, don't they? The cookie pop-ups are pretty redundant today.

Not to suggest that this makes all the down sides of Brexit worthwhile, but it does make me happy that this can now be addressed. Cookie popups seriously harm the usability of the web and have been one of the most highly visible and ill-conceived pieces of EU legislation.

[+] lakomen|3 years ago|reply
A few days ago I visited a German provincial government website that had a cookie banner for the cookie banner provider. It's really funny if it wasn't so stupid.

[+] tensor|3 years ago|reply
You just don't get that website owners want basic metrics to help them understand the health and performance of their website?

[+] TrueDuality|3 years ago|reply
From what I understand the way this is currently shaking out, is that it largely won't impact marketplace sites as credit cards can be used as a form of age verification. You might have to create an account and associate a credit card before you're able to browse which would be an awful user experience...

For other sites though, if this passes into law I suspect it will have a much more intense cooling effect on the availability and access to sites. For the unpaid service sites I run, I'm certainly not going to pay for identity verification or allow that garbage on my sites. I'm much more likely to hide or disable any user generated content, or just serve a static page to users in the UK saying the site isn't available in your region.

They're really doubling down on removing themselves from the world community...

[+] dhosek|3 years ago|reply
Yeah, this seems remarkably unworkable. 10p per user is a really high cost. I have to imagine that sites like Facebook or Twitter will fight hard against this. It’s far more onerous than GDPR.

[+] that_guy_iain|3 years ago|reply
For me, this is the important part.

> The UK is also planning to legislate to remove the EU-derived requirement for the Data Protection Officer, as the person responsible for safeguarding an organisation’s users’ privacy rights, while simultaneously demanding under the OSB that companies appoint named individuals who are subject to personal arrests and criminal sanctions for failing to prevent bad things from happening on the internet.

*subject to personal arrests and criminal sanctions* seems like the limited liability companies no longer limit the liability.

I have a legal entity registered in Scotland. Seems like it might be time to wind that up and move it to another country. Where is a good company within the EU to register?

[+] acoard|3 years ago|reply
This doesn't even seem like it'll accomplish what's intended.

The goal is to hold the company accountable, but it sounds like they just created legalized paid-fall guys.

If the government wants to pierce the limited liability veil, they should either go after the persons in the company either directly or ultimately responsible (eg the direct manager, or the C-suite). Letting the company decide who takes the fall just means they're going to foist it on some uniformed schmuck.

You get paid more for being on-call - now wait until you see the legally-liable-for-the-entire-company bonus!

[+] jamessb|3 years ago|reply
Ireland seems the natural choice, and wouldn't require you to use a language other than English for anything.

[+] humanistbot|3 years ago|reply
> Where is a good company within the EU to register?

Estonia for sure. Their e-residency scheme is fantastic and designed for people all around the world to register virtual companies, even if you don't have any presence in Estonia.

[+] DocTomoe|3 years ago|reply
A limited liability structure still did not protect you from criminal activity in the past. Nothing really changes.

[+] pram|3 years ago|reply
Seems insane. Are there requirements for the individuals? Could you appoint summer interns?

[+] zekica|3 years ago|reply
I heard good things about Ireland.

[+] dhimes|3 years ago|reply
Kind of a Sarbanes-Oxley for privacy?

[+] throw0101a|3 years ago|reply
It's a bit of a shame that self-labelling by web sites never seemed to really take off:

* https://www.w3.org/TR/powder-use-cases/#cpA

* https://www.w3.org/2007/powder/

* https://en.wikipedia.org/wiki/Protocol_for_Web_Description_R...

It could be much easier if the major web browsers (at this point Chrome, Safari (mobile), Firefox) were able to read the metadata and if parents (or corporate IT departments) wanted to filter content they could using 'built-in' technology rather than every web site having to potentially re-invent the wheel.

[+] bodge5000|3 years ago|reply
Government attempting to legislate something they don't understand (especially technology I'd say) is nothing new, it's already happening in the UK, in the EU, in the states and all around the world. Why we let this pass, I don't know, but it's the reality we're living in.

But if I'm reading this right, this takes the cake for the worst one yet, or certainly up there.

[+] permo-w|3 years ago|reply
Historically in the UK inconvenience-inducing online laws like the Online Safety Bill have fallen either shortly after passage or shortly before passage as the people who pass them realise that they too have to follow their own rules.

This was certainly the case for that nationwide opt-out porn block that they brought in a decade ago, then quickly slipped under the rug when it became clear that they too would have to either learn to use a VPN or call up their service providers expressing their desire to watch porn

[+] dcdc123|3 years ago|reply
> The government said the change will cut down on “the irritating boxes users currently see on every website”.

Hate to break it to you but we have no laws for them in the US and we have the stupid popup on almost every site.

[+] A4ET8a8uTh0|3 years ago|reply
<<Preamble: you’ll be aware that the UK’s Online Safety Bill has been promoted as a piece of big tech/social media legislation, but it is not. It will impact any company or project of any size, nature, location, or business model which has user-generated content on it or allows humans to interact with other humans. So if your site, service or app is anything other than a promotional portfolio web 1.0 site, or a blog like this here blog that only allows comments, you’re in scope. If you weren’t aware of that, you are now. Enough of the preamble, let’s amble.

Sold. I am all for returning to standard boring web 1.0. Let's do this thing!

[+] andy_ppp|3 years ago|reply
So the Online Harms Bill (the switch part of TFA) is about having a completely controlled Internet in which innovation is completely stalled and entirely government mandated. It seems kind of mad that this could be phased in soon...

I presume I will have to log into hacker news via a VPN because obviously this place isn't going to implement anything other than geo blocking for UK IPs (like 99% of websites will); it certainly isn't going to be paying 10p+ for every user here to prove they are over 16/18?

Do we know under what terms young people will be allowed to interact with the Internet?

[+] macinjosh|3 years ago|reply
I really despise "won't someone think about the children laws" and I say this as a parent. It is not society's job to shelter your children from the unsavory, it is the parents' job.

Besides that, it is hard to argue against any law that is couched as protecting innocent children. Obviously, having to verify with ID the age of every website visitor is impractical right now. The logical solution is for government to mandate and issue Internet IDs that must be used to access any web service. This bait-and-switch leads down a slippery slope that erodes anonymity on the Internet, not that there is much left.

[+] loriverkutya|3 years ago|reply
Let’s use leaded petrol again and you can protect your children however you want!

[+] EGreg|3 years ago|reply
I am impressed. This bill manages to go from “think of the children” to “papers, please” in zero intermediate steps! One motivates the other, directly. And no one noticed the irony!

[+] wdb|3 years ago|reply
I hope the day I need to prove my identity to access the internet for typical sites (e.g. this site or a news site etc) never comes

[+] mngnt|3 years ago|reply
I'm really sad that even professionals hate the cookie/gdpr/data collection banners for the wrong reason. And most people hate the wrong entity for being responsible for their existence.

If companies weren't actively spying on their users, if they didn't collect every last bit of data they can, there would be no need to put up a banner. If the website needs cookies for core functionality (essential cookies) only, there's no need to inform, ask or badger the user for anything. The websites/data collectors are the bad guy here (from where I'm standing) and now that they have to ask us if they can please spy on us, the EU is evil because they force them to ask?

The main presented point of this bill is "We will eliminate the obligation for the spies to ask you if they may spy on you" and even the author of this piece is celebrating that.

[+] teh_klev|3 years ago|reply
> and even the author of this piece is celebrating that.

I don't think so. Read the last part of that sentence which I've emphasised in italics.

"So if you work in any sort of tech or digital related role, and the work you put into the world can be viewed, or accessed, by anyone of any age in the UK, and you are (rightfully) celebrating the loss of the cookie popups, I need you to do me a favour and drop the balloons and party streamers and sit down."

[+] random_upvoter|3 years ago|reply
> The websites/data collectors are the bad guy here (from where I'm standing) and now that they have to ask us if they can please spy on us, the EU is evil because they force them to ask?

If the end-result of the law + standard human behavior is that you made web browsing a crappier experience then you made a crappy law.

[+] tensor|3 years ago|reply
You really think that basic web analytics is "spying on you"? So a company that records how many people purchase a given product is "spying" on them? Business owners are not allowed to do basic accounting to gauge product performance? Because that's all 99% of people use these analytics for.

No one cares about you enough to "spy" on you.

[+] scarface74|3 years ago|reply
If the government didn’t pass meaningless ineffective laws this wouldn’t be a problem

[+] rudasn|3 years ago|reply
Would it be possible to avoid all this mess by imagining a different way to use the web?

An access method based on rss (of some sort), in the way "start pages" did it ages ago.

So instead of going to a website to get information, the information comes to my website where I make the rules (as I'm the provider and the sole user). And instead of only receiving plain text information, I can also interact and communicate with other people (the content provider and other consumers), if I choose to.

It took them 15 years to fuck up the Web, we can pull the rug underneath them and perhaps get 20 more.

[+] gorjusborg|3 years ago|reply
The EU had some teeth when GDPR was passed. Even if I'm not in the EU, there are lots of countries that are, so cost/benefit of compliance seems reasonable.

When I hear about strange Brinternet rules, I just think why should I care about a single country and their strange and costly laws. If UK users want to reach my site, change your laws or use a VPN.

[+] mattnewton|3 years ago|reply
Especially if compliance becomes a _criminal_ issue. But then again Britain probably thinks this will spur a domestic market for smaller tech, and maybe that’s correct? Though it does sound like the main thing it incentivizes will be some rent seeking age verification companies of very dubious utility to consumers.

[+] unicornfinder|3 years ago|reply
Indeed. My response to this has largely been "if this passes I'll just block traffic from the UK to my website" as it'd be cheaper than implementing this utter madness.

[+] sdfhbdf|3 years ago|reply
Hmm the main allegation against GDPR seems to be that it led to creation of useless pop-ups, which is partially true but it should be also highlighted that GDPR itself does not require a pop-up mechanism just consent, it did not specify what technological implementation should there be. It is the website owners to blame for using daunting cookie pop-up implementations.

This is to say that "killing pop-ups" should not be a point of a legislation if there isn't one that requires these pop-ups.

[+] jeroenhd|3 years ago|reply
The popups are a revenge tactic used by data hoarders. "Oh, look at this terrible EU, they make us show you all kinds of popups [small]because we want to track your every move online[/small], poor you, the inconvenienced users! If only there was a way to prevent this terrible fate!"

[+] waqf|3 years ago|reply
The popups happen because that turns out to be what the legislation is incentivising. The solution is to make different legislation that doesn't incentivise popups.

Some examples (obviously not problem-free, but just to show that a solution space exists):

* No tracking even with permission

* No tracking unless the user mailed you hard-copy permission

* No popups

* No popups unless user testing shows that a user who hates popups, doesn't care about privacy and is just clicking stuff to get to see the site, will decline tracking at least 80% of the time

[+] TheRealDunkirk|3 years ago|reply
This whole charade feels exactly like ISO-9000 and SOX compliance. Both were a pretty simple idea: document your policies, and document your adherence to the policies. In practice however, mid-level managers at Fortune 500's sprang into action to implement every idea thrown at them by white papers, underwritten by auditing firms, who would then be hired to come in and judge whether the company was adhering to their recommendations for compliance, which ultimately had very little to do with either precision and accuracy (in the case of ISO) or separation of roles and security (in the case of SOX).

[+] TrueDuality|3 years ago|reply
A lot of cookie pop-ups you encounter are not even remotely required under GDPR. They are mostly a form of malicious compliance from the ad-tech industry that wants the restrictions lifted.

[+] ta988|3 years ago|reply
If only Google had used just a little bit of its lobbying money to get those laws more technologically sound and help solve that with metadata that the browser can then handle.

[+] thayne|3 years ago|reply
How does the UK passing a law saying you don't need cookie popups make those popups go away? Maybe big companies will target UK citizens to not get popups, but most sites will still give you popups, because giving everyone popups to comply with EU laws is a lot easier than figuring out if you live in the EU or not. For example, the US doesn't have requirements for cookie consent, but you still see a ton of these popups if you live in the US.

[+] ukoki|3 years ago|reply
Sounds like we're gonna need a Let's Encrypt-style NGO for age verification to kill these parasitic companies before they take hold.