Maybe stop doing stupid shit that will legally require you to inform users that you're about to sell/share everything you know about them to 3rd parties?
I fail to understand how companies that display page after page of cookies and tracking stuff for you to approve don't see the issue with their actions or the insanity of "allow us to share data with our 1500 partners". Does no one in these businesses look at this and go: "Hey, why do we need 50 different tracking tools" or "Why do we share customer data with over a thousand other businesses?".
When you actually read what these pop-ups say, then you understand why they are there, and why the problem with the laws isn't that it's annoying, but that it is not much more restrictive.
> When you actually read what these pop-ups say, then you understand why they are there, and why the problem with the laws isn't that it's annoying, but that it is not much more restrictive.
Worse, people (including on HN) actively blaming the EU for it. It’s like having a law mandating people are informed when there’s poison in their drink, then seeing people complain about the warning labels everywhere. The label isn’t the problem! As you said, if anything the issue is that the law isn’t aggressive enough.
What I always find funny about this is that the popup is presented with "We value your privacy", followed by "allow us to share data with >500 partners".
I wished that such statements had some value greater than nil.
The vast majority of websites just want to know where their visitors are coming from and, if they are selling a product, some aggregate level of demographic knowledge to tailor their marketing efforts. They really don’t care about an individual or even small cohort and aren’t selling the data on.
Targeting advertising is sooo much more effective for small and medium-sized businesses and actually makes many businesses viable in a way they weren’t in the past.
The ideal solution would be to find a way for businesses to get those insights in a way that preserves privacy at the individual level. Something like Apple's differential privacy system but web wide.
> Maybe stop doing stupid shit that will legally require you to inform users that you're about to sell/share everything you know about them to 3rd parties?
Why? It's legal and extremely lucrative.
If it's really an issue, maybe the EU could actually limit these activities instead of just forcing sites to put a notification that they are attempting to engage in those activities?
Hey, just some background from someone who took part in a couple of privacy compliance projects at large platforms in the past:
For companies doing this the right way, the banner was just the tip of the iceberg; loads of work went into ensuring compliance behind the scenes, so customer and employee data was not shared with 3rd parties unknowingly. In one case the list of 3rd parties went from +400 to about 70. This is in my opinion a win for privacy; the culture around sharing your data went from casual to cautious.
Secondly, the culture around trusting Meta and Google blindly with behaviour data changed drastically. Businesses became aware of how much valuable data they share with these platforms, which actually puts them at great risk: should you really give these platforms detailed data on what customers browse and buy on your site, so they can use the data to sell targeting for competitors, or direct users towards their own shopping platforms?
So, yes, the law is not perfect, we all hate the banners, but at least what happened in those early implementation days when the banner became law was a change in culture around how data was shared and a better understanding of the risk for the business of using 3rd parties.
The cookie policy is a stupid value-signalling stunt with only negative real-life effects. The correct way of handling the problem would have been through request headers and browser settings, or simply, use the existing option of either allowing or disallowing cookies, and put this option on a per-site basis and a bit more into the user's face.
Almost. It hardly worked as intended, but at least it increased awareness.
The fact that some sites tried to comply and actually provided a full list of all sites that they sell your private data to is somewhat of a win. It got to a lot of the wider public, who realized "they sell it to 97 companies?!".
I personally think local governments or EU wide institutions should have a registry of companies and their sites with ratings, so we could integrate that directly in our browsers, company registries, phone dialer apps. iFixIt style.
- Clarity of EULA: 1/10, impossible to understand without lawyer's interpretation.
- Length of EULA: 1/10, pops up every week with no diff or summary of changes
- Legality: 4/10, historical track record of rules that are not compliant with local laws of xxx
- History: 1/10, no way to track what were the previous versions of the document or when they changed
- ...
EDIT: To give some context and prove it's possible to provide metrics to legal documents, in Poland we have a formal "Registry of Forbidden Clauses" with references to lost court cases:
https://www.rejestr.uokik.gov.pl/
Request headers aren't going to do anything. Browser settings, maybe. If browsers were not owned by advertising companies, they'd just disallow this tracking and that would be the end of it.
Besides cookies, there are tracking methods based on fingerprinting, IP and so on. None of them are permitted without explicit consent. This means that a site may not load resources from a third-party server without consent, since the request itself reveals enough information for fingerprinting and tracking.
Tracking is plainly not permitted without consent.
For that to work users have to spend money on their services. I hope that will happen in the future, but until then it is hard to compete with free services that have ads.
> it is not legally required to provide the service if a user declines tracking cookies. The site can simply not provide functionality. So in many cases, it's not really a choice – the choice is either not to use the site, or consent to tracking.
To be fair, that is the choice. And ideally, the invisible hand would show that this is a horrible idea and cause a huge spike in traffic, but alas.
I think "stop putting popups cookies" on websites is an extreme stance, but I agree we could use fine tuning on the little things to help keep the spirit of the law. It should indeed be opt-in and not "ask for forgiveness". And it should adhere to current compliances.
Cookie banners are a great reason for expiration dates on new policies. If it works: Great, renew it! If it does not work, is not required anymore or was just plain stupid: Never talk about it again and it will run out.
But who will actively admit that regulation failed and work to undo it?
Cookie banners are not a policy; they are used to work around a policy, and often implemented incorrectly. GDPR says you need to be given a specific informed decision, but often cookie banners show a big green approve button and a less positive deny button (if that is even the case). When the law is being enforced better (which is slowly happening), those cookie banners should get two identical-looking buttons, and that would result in more denies. Hopefully, companies would realize that they need to solve their marketing differently.
Most laws, at least where I live, are amended. 'Never talk about it again' seems a bit naive to me. If good faith has not helped with trackers, then ban them outright.
Malicious compliance gets the website two benefits: 1) Annoying the customer enough with the popups might net a permission to track from a user who originally did not want the cookies; 2) Making the cookie banners as frustrating as possible increases the political pressure against the EU, hopefully leading to them repealing the anti-tracking legislation.
There are no upsides for a website from providing an easy "Never track me" button, or just not using analytics cookies - you don't have to put up cookie consent banners for technical cookies used to save e.g. light/dark mode preference.
> Enact a law that requires a service to respect the do not track signal from a browser (currently entirely voluntary), and not store any tracking cookies, clear gifs or other trackers – and require that a site not “discriminate” against users who elect no tracking – basically – provide all functions to users whether they consent or do not consent.
This is indeed the obvious solution. I don't understand why the EU didn't mandate the do not track flag to be obeyed. I know some browsers already removed it but that was because nobody bothered to obey it. As soon as it can be mandated it will be useful and come back quickly.
Also, there was criticism from the advertising industry that the do not track was on by default but that's how tracking should work in the EU anyway: opt in.
By not doing this the EU keeps getting flak for the many cookie walls.
That there is no such mechanism can be explained pretty well with this extreme scenario:
- Browsers would come with the no tracking signal enabled by default (why wouldn't they?) so that tracking would become opt-in.
- Nobody chooses to be tracked.
- The whole industry built on tracking users collapses, namely advertisement.
- Web sites that based their business model on advertisement go under.
Because of this I bet that the industry is lobbying extremely hard for solutions that are maximally useless and inconvenient for the user. Unless the user "chooses" to be tracked of course.
In that vein, another proposal for stemming the flood of cookie consent banners comes from the German government and outlines a multi-vendor strategy with very little technical guidance for centralized consent management systems:
https://www.heise.de/en/news/Consent-management-German-gover...
> I don't understand why the EU didn't mandate the do not track flag to be obeyed.
GDPR is a general regulation. It doesn't concern itself with browsers, or cookies. It's on industry to come up with a solution for specific technologies.
Oh, and for browsers they did. It's called the "Do Not Track" header, and the industry immediately used it to fingerprint and track users.
> By not doing this the EU keeps getting flak for the many cookie walls.
No. It's the industry winning the PR wall. The EU never mandated the cookie walls. It's the industry's calculated malicious compliance.
Well, in the end the industry might end up with EU strictly regulating every single technical aspect of this, but then the industry will cry about government overreach or something.
Also, for those of us with vision issues (or just want to zoom in a lot on a webpage), these popups look horrible at 150%-200%, and often get misrendered in strange ways, sometimes hiding the button. Then if you actually try to reject it, if you can, the rejecting or customizing page is nearly always broken when zoomed in.
uBlock Origin has cookie notice filters. I don't think this is enabled by default; you can enable it in the Filter Lists section, along with "annoyances".
By far, my favorite feature in iOS 18 is Safari’s “hide distracting items” feature. It lets you permanently hide the cookie popups on a per site basis. And the annoying google sign in popups, and the annoying scroll down popups.
I'm afraid that these banners, because these are called "cookie banners" and not "consent to us using your data and giving it freely to other companies banners", will just go away, people (& companies) will be happy, and the consumer stays a fool.
The larger lesson here is this is what happens when governments try to regulate things they don't understand. Cookie popups just add friction, and it's not clear consumers see any real privacy benefit. What's even worse is people seem to not care that the policy isn't working, but they aren't telling lawmakers to fix it.
The lawmakers regulated that a website should warn you, and then upgraded to ask for your consent, before collecting and storing privately identifiable information about you.
The regulation doesn't mention cookie popups. The easiest way to comply is to not collect nor store any such information.
Could you perhaps muster up the courage to clearly substantiate what you're criticizing? These terms "government", "regulation", "lawmakers" come off as dogwhistles. It's not like evil Ursula von der Leyen walked up to the blue lectern and said websites now must present a dialog with one button before you can look at the content.
If you're talking about GDPR, then it regulates that businesses have to have reason to store and process PII. I don't see a reason to be unhappy about that.
I'm not sure why you're being downvoted. I believe the way you stated this is accurate.
The regulation and its outcome was clearly not understood or intended by those who mandated it. Absolutely everyone is suffering from this.
As for the "not care", I think the primary issue is that most people don't make much effort to understand the things they use. If they understood what was going on, they would be more upset and possibly make some effort to get things changed/reverted.
I would put a bit of blame on big corporations for not spending some of their lobbying money on fighting this requirement - not because they should get a free pass at misusing our info, but because they should be well equipped to know that the regulation will be addressed in a crappy way that costs them money and annoys users.
Interesting article. This policy has felt like a complete failure, but I didn't know the depths of how badly it has failed.
I would really like to see these die. Regulators should just work with browser vendors to make an API that I can set at the browser level, and websites just read that to know my preferences and leave me alone.
Your preferences should be on the website level though, not global. And you should be asked about it on first visiting the website.
Let me explain why with an example: say you're the type of person who doesn't care about "privacy" online ("I've got nothing to hide"), or you do; and you want to "support" certain ad-supported websites you're a fan of, but not that new clickbait toilet paper your aunt sends you.
I can't think of any way to have a good UX to opt in or out of "tracking" cookies which people would actually use (few will bother changing the defaults, and most mindlessly click ok).
I've come across a few websites that have cookie controls that don't do what they say they do when I manually examined them. E.g. still using analytics.
Are there any tools to check websites to see that they do what they say they will do? Or is it a manual thing?
Global Privacy Control, basically a legally binding Do-Not-Track header, is already the law in California, I don’t understand why the EU is dragging its feet on making it mandatory to comply with.
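As an added example (not code from the thread or from any of its commenters), here is a small Python model of the proposal quoted earlier in the thread (respect the browser's do-not-track signal, tracking opt-in by default, no withholding of functionality from users who decline) together with the question above about checking whether a site does what its banner says. The request header names `DNT` and `Sec-GPC` are real; the consent-cookie format, the cookie names and their categories are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real request headers carrying a browser opt-out signal: "DNT: 1" (Do Not Track)
# and "Sec-GPC: 1" (Global Privacy Control). Header names are case-insensitive.
OPT_OUT_HEADERS = ("sec-gpc", "dnt")

# Cookie categories that need consent; "essential" never does and is always served,
# so a user who opts out still gets full functionality (no "discrimination").
TRACKING_CATEGORIES = ("analytics", "advertising")


@dataclass(frozen=True)
class ConsentDecision:
    analytics: bool
    advertising: bool
    reason: str

    def allows(self, category: str) -> bool:
        if category == "essential":
            return True
        return getattr(self, category, False)


def browser_opts_out(headers: Dict[str, str]) -> bool:
    """True if the request carries Sec-GPC: 1 or DNT: 1."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return any(lowered.get(name) == "1" for name in OPT_OUT_HEADERS)


def parse_consent_cookie(raw: Optional[str]) -> Dict[str, bool]:
    """Parse the site's own consent cookie (assumed format: 'analytics=1;advertising=0').
    Absent or malformed values mean no consent: tracking is opt-in by default."""
    prefs: Dict[str, bool] = {}
    if not raw:
        return prefs
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name in TRACKING_CATEGORIES:
            prefs[name] = value == "1"
    return prefs


def decide(headers: Dict[str, str], consent_cookie: Optional[str]) -> ConsentDecision:
    """Precedence: browser opt-out signal, then stored consent, then the opt-in default."""
    if browser_opts_out(headers):
        return ConsentDecision(False, False, "browser opt-out signal")
    prefs = parse_consent_cookie(consent_cookie)
    if not prefs:
        return ConsentDecision(False, False, "no consent recorded")
    return ConsentDecision(prefs.get("analytics", False),
                           prefs.get("advertising", False), "stored consent")


def cookies_to_set(decision: ConsentDecision, wanted: Dict[str, str]) -> List[str]:
    """Return the cookie names the response may set; `wanted` maps name -> category."""
    return [name for name, category in wanted.items() if decision.allows(category)]


def audit_pre_consent(set_cookie_headers: List[str], categories: Dict[str, str]) -> List[str]:
    """Given Set-Cookie headers captured on a first visit (before any consent), return
    the cookies that are not essential, i.e. evidence the site tracks before asking.
    Cookies not listed in `categories` are treated as unknown and flagged too."""
    names = [h.split("=", 1)[0].strip() for h in set_cookie_headers]
    return [n for n in names if categories.get(n, "unknown") != "essential"]


# Constructed sample: what a page wants to set, one cookie per category.
PAGE_COOKIES = {"session": "essential", "theme": "essential",
                "_ga": "analytics", "ad_id": "advertising"}

if __name__ == "__main__":
    for hdrs, cookie in [({"Sec-GPC": "1"}, "analytics=1;advertising=1"),
                         ({}, None), ({}, "analytics=1;advertising=0")]:
        d = decide(hdrs, cookie)
        print(d.reason, "->", cookies_to_set(d, PAGE_COOKIES))
    print("set before consent:", audit_pre_consent(
        ["session=abc; Path=/", "_ga=GA1.2.1; Path=/"], PAGE_COOKIES))
```

In the first case the stored "yes" is overridden by the browser signal, so only the two essential cookies are set; the audit call shows how a captured first-visit response can be compared against the declared cookie categories.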
The way to reduce cookie banners only depends on a small tweak by google. If you give people the choice between SEO and legibility, they will choose SEO.
Earw0rm|1 year ago
It's not like a news site is selecting and managing 1500 different partners individually.
binkethy|1 year ago
Goatcounter or Plausible will do fine. Some decent frontend log parsing will also be a viable strategy.
Stop feeding Google your customers' data for free.
randoomed|1 year ago
While this ruling does not specifically only use the ePrivacy directive (it is instead based in GDPR), laws do not exist in a vacuum.
tgv|1 year ago
1. Because the implementation is simply left open?
2. Because it's nearly impossible to verify?
switch007|1 year ago
Most users are now giving explicit consent to be tracked! What a dream! Before, they had to worry about legal grey areas!
Now the legislation says it's fine, as long as they click "OK". Which almost every user does because they are tired and annoyed by the pop ups.
Thank you legislators!
dochne|1 year ago
[1] https://insites.com/free-website-gdpr-check/