
UK's ICO Calls For Browser-Level Controls To Fix 'Cookie Fatigue' (techcrunch.com) 135

An anonymous reader quotes a report from TechCrunch: In the latest quasi-throwback toward "do not track," the UK's data protection chief has come out in favor of a browser- and/or device-level setting to allow Internet users to set "lasting" cookie preferences -- suggesting this as a fix for the barrage of consent pop-ups that continues to infest websites in the region. European web users digesting this development in an otherwise monotonously unchanging regulatory saga, should be forgiven -- not only for any sense of deja vu they may experience -- but also for wondering if they haven't been mocked/gaslit quite enough already where cookie consent is concerned.

Last month, UK digital minister Oliver Dowden took aim at what he dubbed an "endless" parade of cookie pop-ups -- suggesting the government is eyeing watering down consent requirements around web tracking as ministers consider how to diverge from European Union data protection standards, post-Brexit. (He's slated to present the full sweep of the government's data 'reform' plans later this month so watch this space.) Today the UK's outgoing information commissioner, Elizabeth Denham, stepped into the fray to urge her counterparts in G7 countries to knock heads together and coalesce around the idea of letting web users express generic privacy preferences at the browser/app/device level, rather than having to do it through pop-ups every time they visit a website.

In a statement announcing "an idea" she will present this week during a virtual meeting of fellow G7 data protection and privacy authorities -- less pithily described in the press release as being "on how to improve the current cookie consent mechanism, making web browsing smoother and more business friendly while better protecting personal data" -- Denham said: "I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like. The cookie mechanism is also far from ideal for businesses and other organizations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area. There are nearly two billion websites out there taking account of the world's privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organizations to develop a coordinated approach to this challenge," she added.

  • by Celt ( 125318 ) on Wednesday September 08, 2021 @08:10AM (#61775079) Journal

    This is the start of the UK degrading GDPR in the UK.
    It's a very bad move

    • Re:GDPR (Score:5, Interesting)

      by AmiMoJo ( 196126 ) on Wednesday September 08, 2021 @08:32AM (#61775129) Homepage Journal

      Indeed, if he was really bothered about cookie requests he would simply enforce the existing law.

      The law says that requests to track people (non-essential cookies) cannot be made into a barrier to accessing the site. The request can't be made confusing or use a dark pattern to fool the user into agreeing either. Non-essential cookies must be opt-in; saying "we opted you in, click here and here and here to opt out" is not allowed.

      If that was enforced then the cookie notice would just be a bit of text saying "we use essential cookies, click here to opt in to our tracking" and nobody would care or click it.

      • by gweihir ( 88907 )

        Indeed. It would also mean that for all practical purposes, tracking is restricted to people that actually decide to become customers, subscribers or the like. Well, basically that state has already been reached in the EU even though many still need to get into compliance with it. The only ones that will suffer are the advertisers but they are a plague anyways and the more of them die the better.

    • It's an excellent move. I just don't want _anyone_ to use my data in any way. There should be an option in the browser for this, I'm sure Apple, Google and Microsoft can agree something, where I select "no, I don't want any of this shit", and then the browser tells the website. With serious consequences if they ignore it.
  • by Coookie Monster ( 6527100 ) on Wednesday September 08, 2021 @08:16AM (#61775087)
    Me never get tired of cookie! Me love cookie!! OM NOM NOM NOM
  • by Gabest ( 852807 )

    No one asked for this in the ~30 year long history of the internet.

    • Re:Why? (Score:5, Insightful)

      by john83 ( 923470 ) on Wednesday September 08, 2021 @08:29AM (#61775117)
      If you live in Europe, damned near every site you visit now has a pop-up with detailed options around cookies that must be negotiated before you can so much as read an article. It's a response to obligations under GDPR, and it's damned near malicious compliance because no one reads them, and most just click "accept all" because who has the time to navigate each one of these? A browser-level setting with suitable standardisation would enact the spirit and not just the letter of GDPR. If you haven't been exposed to these, I could understand why this seems to be out of nowhere, but for Europeans, I think something like this is a necessary development.
      • by AmiMoJo ( 196126 )

        This is currently the subject of on-going complaints: https://noyb.eu/en/noyb-files-... [noyb.eu]

        I've started filing some myself, although I don't see very many cookie requests because I have ad-blockers.

        • by gweihir ( 88907 )

          I see some of this from the other side (as IT auditor) and there still is a lot of confusion on the side of the companies. The practical rules are pretty simple though. Basically you need to offer a "no" button regarding all tracking and identification of the user (you _are_ allowed to track that decision with a session-cookie that records just that "no"), and additionally as many options as you like with _clear_ descriptions of what they do. Note that some browsers may keep session cookies longer than the

      • What you said is true and I mostly agree with you about the need for a browser/device-level setting. That being said, the same effect can already be achieved with ad blockers.
      • If you live in Europe, damned near every site you visit now has a pop-up with detailed options around cookies that must be negotiated before you can so much as read an article. It's a response to obligations under GDPR, and it's damned near malicious compliance because no one reads them, and most just click "accept all" because who has the time to navigate each one of these?

        I thought this was what all Europeans wanted? They surely worked hard enough to get the world to implement this grand solution to whatever critically important thing they needed to solve.

        • by flink ( 18449 )

          I thought this was what all Europeans wanted? They surely worked hard enough to get the world to implement this grand solution to whatever critically important thing they needed to solve.

          I think it's more of a question of malicious compliance. Sites have to ask if they want to track you. The ones who comply in good faith put an unobtrusive banner at the bottom of the screen that says something like "This site uses cookies to save your preferences. Do you want to allow that? Accept/Reject". The shady sites put up modal screen blocking banners, try to hide the reject button, or tick the opt-in checkbox by default.

          If there were a standard for expressing user consent in the browser, we could

          • I thought this was what all Europeans wanted? They surely worked hard enough to get the world to implement this grand solution to whatever critically important thing they needed to solve.

            I think it's more of a question of malicious compliance.

            I think you are 100 percent right.

          • And now that opt-in has been disallowed, they pull this "legitimate interest" bullshit, pretending that there are pages that have a "legitimate interest" to track and profile you.

            Plus, if you dutifully tick off every single of those fucking "legitimate interest" boxes (there'll be somewhere between 20 and half a billion), rest assured that the next time you visit that page, you'll be asked again, just in case you changed your mind.

            But don't worry, if you let them spy on you, they'll stop bugging you and nev

            • by sfcat ( 872532 )
              So this is slashdot. For the slashdot site to give you back the correct HTML for you (as opposed to me), it has to be able to tell that your browser logged in as you (and not me). And this is the problem, as soon as you have an account that you log into the web developer has to "track" you. Doesn't mean they log where you go and what you do, but they often do. But to make it work at all, it has to be able to say this web request belongs to user XYZ, gets these permissions, displays these widgets, etc.
              • This is why there are different kinds of cookies, and yes, they had the foresight to define them as such. There are those cookies required for the function of the site and those that exist for marketing purposes.

                And yes, you have to let your user choose which one they accept.

                • by gweihir ( 88907 )

                  As soon as you provide personalized services, you can require more technical cookies and also long-term ones. You still cannot do marketing tracking (i.e. behavioral information) without explicit consent and you cannot require that consent if there is no technically valid reason for it.

          • by gweihir ( 88907 )

            Indeed. A site can also simply default to no tracking and if there are specific functions that require it (and are legally allowed to require tracking) to only ask then. Or leave the cookie question somewhere unobtrusive on the screen and do not track unless people actively agree.

            Note that you do not have to provide the same website without tracking consent. You have to provide the same information about products and services, but if you fall back to HTML 2.0 for people that do not want to be tracked, that

        • No, what we wanted was for all data-trafficking to be consensual.

          Nobody asked for every single web site to turn into a game of whack-a-mole before you can even see if the page is worth viewing or not.

          • No, what we wanted was for all data-trafficking to be consensual.

            Nobody asked for every single web site to turn into a game of whack-a-mole before you can even see if the page is worth viewing or not.

            And sometimes we get unintended consequences. This so called solution is more like punishment.

            Letting politicians make technical decisions is seldom a good idea. Because they won't eliminate trackers.

            • Letting politicians make the decision is fine. They should have just added "sites that don't make it as easy as possible to have no tracking at all get a huge fine." And then hand out huge fines until this crap stops.
        • by noodler ( 724788 )

          If you live in Europe, damned near every site you visit now has a pop-up with detailed options around cookies that must be negotiated before you can so much as read an article. It's a response to obligations under GDPR, and it's damned near malicious compliance because no one reads them, and most just click "accept all" because who has the time to navigate each one of these?

          I thought this was what all Europeans wanted? They surely worked hard enough to get the world to implement this grand solution to whatever critically important thing they needed to solve.


          Not really. The GDPR doesn't specify these kinds of screens nor do users want them. It's the advertising industry being malicious by designing the worst fucking possible mechanism to be compliant with the GDPR. The goal is to annoy the users so much they will run back to the EU crying for the GDPR to be watered down.
          So these screens are there because advertisers are basically class-A assholes that would rather shit some more on their users than to stop tracking them.

      • That's not just an "if you live in Europe" thing. While I'm sure some sites are using some form of geo-detection and only showing it there, a lot of us outside of Europe have had to suffer with these as many sites just turn it on in general regardless of location to comply with the EU directive.

      • by mjwx ( 966435 )

        If you live in Europe, damned near every site you visit now has a pop-up with detailed options around cookies that must be negotiated before you can so much as read an article. It's a response to obligations under GDPR, and it's damned near malicious compliance because no one reads them, and most just click "accept all" because who has the time to navigate each one of these? A browser-level setting with suitable standardisation would enact the spirit and not just the letter of GDPR. If you haven't been exposed to these, I could understand why this seems to be out of nowhere, but for Europeans, I think something like this is a necessary development.

        It isn't "near" malicious compliance, it is malicious compliance and should be smacked down hard for it.

        So much so that a decent adblock now blocks cookie popups (not to mention the I Dont Care About Cookies extension).

        The two things that the companies pushing these popups don't get are:
        1. You're not driving us to hate the GDPR, you're driving us to other sites that aren't trying to turn us against the GDPR.
        2. You cannot force us to give up legal protection by annoying us into acquiescence. A legal

      • It's a response to obligations under GDPR,

        You've been gaslit.

        Consent is not required for those cookies that are only used for purposes *essential* to the working of the site. Two of the key reasons to be allowed to process data under GDPR are necessity and consent. It's also why if you apply for a loan, the bank will tell you what they will do with your data but not ask for your consent. Consent cannot be assumed just because you submitted the form but they don't need your consent because they collect and u

    • Consent : Can I post a reply to your post [Y/N/I don't give a damn]?

    • No one asked for this in the ~30 year long history of the internet.

      You clearly don't live in the EU where every page has a cookie pop-up and everyone for the past 10 years has been asking for this. Well not specifically what the UK is proposing... Ideally what the regulation would do is enforce a standard setting, e.g. force companies to use essential cookies only and not ask anything if e.g. Do Not Track is set or something similar.

      Mind you, you new worlders have other problems. Such as how pages like www.usatoday.com take 45 seconds to load with all the tracking scripts

  • build a bunch of annoying popups into your website and watch all the traffic disappear along with any ad revenue you might generate
  • Do Not Track (Score:5, Insightful)

    by ytene ( 4376651 ) on Wednesday September 08, 2021 @08:30AM (#61775121)
    The article's reference to "Do Not Track" says all that needs to be said here.

    All we need to do is amend the law so that user selections such as "do not track" and "no targeted advertising" can be specified by a user, once, in their browser settings and to make it a legal requirement for web sites to honor those values.

    Problem solved.

    Instead, web sites are being configured so that if you purge your cookie cache each time your browser closes, you have to go through the "opt out" rigmarole each and every time. This is "pester power" being used by corporations to get people to cave in and accept being tracked.

    If the UK government are going to make a change to the law, adjust the law to force companies to respect existing browser functionality and preserve end user privacy.

    Anything else would be selling out the UK's entire "on line population" to big business. Which might be what the UK government want to do, but it is most assuredly not what they were elected to do.
    • > The article's reference to "Do Not Track" says all that needs to be said here.

      Not necessarily

      > device-level setting

      We've had that since forever in browsers (only lately it disappeared). Accept all cookies, whitelisted cookies, only first party cookies, No cookies. Along with configurable cookie lifetime.
      God I miss Konqueror...

      If this is set on the device, and the legal mandated default is first party cookies, the reference to DNT is non-sensical, because it requires no good behaviour from the serve

    • by AmiMoJo ( 196126 )

      I have been thinking about this and I'm tempted to try a test complaint.

      If my browser sends a "do not track" header then the website asks me if I want to allow tracking anyway, and it frustrates me by covering the page with that request, or making it difficult to dismiss, or trying to opt me in unless I click something, that would seem to be incompatible with GDPR rules.

      • by ytene ( 4376651 )
        Indeed, it would be entirely incompatible with GDPR rules.

        In fact, there may be other elements to this. For example, there are a bunch of web sites you can find where opening the "cookie preferences" window gives you a list of hundreds - perhaps even thousands - of third party cookies. Instead of allowing you to opt out of all those cookies - which the site you are visiting would be able to do, since a simple piece of "if...then...else" or equivalent logic would deal with that as the page renders - the site
      • by gweihir ( 88907 )

        I have been thinking about this and I'm tempted to try a test complaint.

        If my browser sends a "do not track" header then the website asks me if I want to allow tracking anyway, and it frustrates me by covering the page with that request, or making it difficult to dismiss, or trying to opt me in unless I click something, that would seem to be incompatible with GDPR rules.

        That is a case that needs an explicit decision by the privacy commissioner responsible. But there is a step before that: It must not be made hard to use the site without consenting to tracking. A single click in a single pop-up is likely to be below that threshold. It is also permissible to ask you again every time you visit if you disagree. However requiring multiple clicks, extensive scrolling, etc. is likely not permissible.

        Privacy is not free. Essentially companies do not want to annoy prospective cust

  • by oneiros27 ( 46144 ) on Wednesday September 08, 2021 @08:31AM (#61775125) Homepage

    What I hate is that every time I visit a damned website, I have to go through the same crap to tell them that I don't want their cookies.

    I mostly care about tracking cookies, but I also don't want third party stuff loaded that might allow *them* to track me.

    But I'd be okay with allowing them to set one cookie, saying that I don't want their cookies, so they don't pop up with the question over and over again.

    (which oddly, I'm pretty sure they know, as so many are already pre-populated with everything off that you can turn off)

    • by VMaN ( 164134 )

      > But I'd be okay with allowing them to set one cookie, saying that I don't want their cookies, so they don't pop up with the question over and over again.

      This is literally allowed. If you are experiencing something else, it is malicious in intent or incompetent.

    • by MobyDisk ( 75490 )

      But I'd be okay with allowing them to set one cookie, saying that I don't want their cookies,
      They don't need a cookie for this. Instead just follow the "do not track" header.

    • What I hate is that every time I visit a damned website, I have to go through the same crap to tell them that I don't want their cookies.

      Do you delete cookies on exit? I've only had repeat requests for cookies when I've cleared cookies... which is something I've set to do now for all sites which makes it a PITA.

      which oddly, I'm pretty sure they know, as so many are already pre-populated with everything off that you can turn off

      No this is a requirement of the law. The default option needs to be opt-in for anything but the essentials. Not pre-populating them this way would be illegal.

  • by Shinobi ( 19308 ) on Wednesday September 08, 2021 @08:36AM (#61775139)

    It's interesting to see the weasel wording from Tech Crunch, being tragicomic in a way. They are clearly trying to frame the deluge of cookies and tracking scripts as a good thing, given that they earn money through it.

    Personally, I find the warnings a good thing, because it shows just how much of an enemy Silicon Valley and their disciples all over the world have become. It's also useful to show in school, just how invasive both Google and Apple are when it comes to their devices. At my kids' school, I showed them the net with and without a tracker sinkhole (for simplicity's sake, in this case I showed the kids and teachers Pi-Hole).

    It's also going to be hilarious watching all the Silicon Valley worshippers around here come out of the woodwork and start chanting their "Google/Apple/Amazon good, law doesn't apply to them! Heil Free Market!", in support of the companies, even as they bemoan "Da Guvermint" raping privacy (with Silicon Valley's explicit help, mind!).

    • by AmiMoJo ( 196126 )

      I submitted a complaint to Tech Crunch's (or rather parent company Verizon's) GDPR compliance team. I will see what they do and escalate to a formal complaint to the ICO if they don't remove their shitty full screen dark pattern request.

    • chanting their "Google/Apple/Amazon good, law doesn't apply to them! Heil Free Market!", in support of the companies, even as they bemoan "Da Guvermint" raping privacy?

      ... I'm not sure you're talking about the same people. I had a hard time figuring out what you were talking about in general.

      The article was about website cookie consent pop ups? Then you something something GoogleAppleSiliconValley. Have they given a statement on the idea of making cookie consent a smoother experience?

      I can't tell if you are for or against that, but you like the web pop ups because it shows something GoogleApple ... I don't understand your association between silicon valley fanboy, go

    • by ljw1004 ( 764174 )

      Personally, I find the warnings a good thing, because it shows just how much of an enemy Silicon Valley and their disciples all over the world have become.

      Thanks for writing. Me too, precisely this.

  • by Xenna ( 37238 ) on Wednesday September 08, 2021 @08:37AM (#61775143)

    Ask a bureaucrat to solve a problem...

  • Just too many websites are guilty of malicious compliance. And that's intentional. They just need to catch you out _once_ not pressing the right buttons. And all of them don't follow the law which says there must be ONE obvious button to reject everything.
  • The cookie fixation of the GDPR is n00by non-sense written in to law by the IT layman and thinned down with broad-strokes loopholes. Web-wide tracking and the construction of shadow profiles that the end-user doesn't see and control are the problem. Fixing this in the GDPR would rid us of this "Cookie Popup" privacy theater non-sense.

    • by gweihir ( 88907 )

      The GDPR has no "cookie fixation". In fact, it does not even mention cookies anywhere. It is about identifying people and recording and profiling their behavior. Any tracking without informed consent, whether invisible to the user or visible via cookies is just as illegal.

  • That says "Do Not Track"

    I don't believe there is a website on the Internet that actually pays attention to this setting.

    Who should I sue first?

  • Whitelist cookies. (Score:4, Informative)

    by Gravis Zero ( 934156 ) on Wednesday September 08, 2021 @09:19AM (#61775285)

    Cookies are something 99% of sites you visit do not need to use but they do. Furthermore, the tracking of cookies becomes increasingly insidious as time goes on. Therefore, the only logical response is to only enable cookies for a domain when it is needed. This is why I switched to cookies whitelisting and have never looked back.

    • by AmiMoJo ( 196126 )

      I use Cookie Auto Delete for Firefox and Chrome. It removes all site data, including cookies, after you leave a site. That way sites don't break but also can't persist cookies between visits.

      Obviously 3rd party cookies are completely disabled.

  • ...about cookies... https://www.i-dont-care-about-... [i-dont-car...cookies.eu]
    I rarely see cookie popups or notices.
  • When you're done browsing for the day, clear all your cookies and cache. Then, when you go back to the same site the next day, they think you're someone new which then pollutes their tracking since quite obviously you are not a new visitor.

    Also, by clearing out your cookies you prevent being directly tracked since there is nothing to go back to for reference. Let them figure out who you are, until the next time you clear everything and force them to start over from the beginning.

  • I am giving every web site all the information they need with every single request. The standard exists longer than any of you fucking moron politicians knew there was a problem. At the very least that header is enough to comprehensively answer every single cookie dialogue, but actually it's more than that. It also means you are not allowed to use other tracking. If that isn't clear enough I'll add a header called "DO NOT FUCKING TRACK FFS" and set that to 111eleventyeleven. Stop shilling for the fucking cr
  • Just fuck the Internet and fuck the people who ruined it
  • The first thing that you see when visiting ICO is a "our use of cookies" consent slide out. You can't even read the cookie policy document linked to it without it being obscured by the slide out.

    Heading on their site reads "The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals." and yet somehow they couldn't even be bothered to run their own stat package on their own site instead opting to use

  • I propose that every browser implement a Protected Cookies local folder on each user's system. Cookies in this area would be easily separately identified by the user - you would know who placed each such cookie and why - and would be individually deletable. A General Cookies folder would be the default location for all other cookies, managed as cookies are now except that the user could specify a default answer to the GDPR question to avoid having that goddamned GDPR question pop up on every page of the Int
