UK's ICO Calls For Browser-Level Controls To Fix 'Cookie Fatigue' (techcrunch.com) 135
An anonymous reader quotes a report from TechCrunch: In the latest quasi-throwback toward "do not track," the UK's data protection chief has come out in favor of a browser- and/or device-level setting to allow Internet users to set "lasting" cookie preferences -- suggesting this as a fix for the barrage of consent pop-ups that continues to infest websites in the region. European web users digesting this development in an otherwise monotonously unchanging regulatory saga, should be forgiven -- not only for any sense of deja vu they may experience -- but also for wondering if they haven't been mocked/gaslit quite enough already where cookie consent is concerned.
Last month, UK digital minister Oliver Dowden took aim at what he dubbed an "endless" parade of cookie pop-ups -- suggesting the government is eyeing watering down consent requirements around web tracking as ministers consider how to diverge from European Union data protection standards, post-Brexit. (He's slated to present the full sweep of the government's data 'reform' plans later this month so watch this space.) Today the UK's outgoing information commissioner, Elizabeth Denham, stepped into the fray to urge her counterparts in G7 countries to knock heads together and coalesce around the idea of letting web users express generic privacy preferences at the browser/app/device level, rather than having to do it through pop-ups every time they visit a website.
In a statement announcing "an idea" she will present this week during a virtual meeting of fellow G7 data protection and privacy authorities -- less pithily described in the press release as being "on how to improve the current cookie consent mechanism, making web browsing smoother and more business friendly while better protecting personal data" -- Denham said: "I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like. The cookie mechanism is also far from ideal for businesses and other organizations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area. There are nearly two billion websites out there taking account of the world's privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organizations to develop a coordinated approach to this challenge," she added.
GDPR (Score:3)
This is the start of the UK degrading GDPR in the UK.
It's a very bad move
Re:GDPR (Score:5, Interesting)
Indeed, if he was really bothered about cookie requests he would simply enforce the existing law.
The law says that requests to track people (non-essential cookies) cannot be made into a barrier to accessing the site. The request can't be made confusing or use a dark pattern to fool the user into agreeing either. Non-essential cookies must be opt-in, saying "we opted you in, click here and here and here to opt out" is not allowed.
If that was enforced then the cookie notice would just be a bit of text saying "we use essential cookies, click here to opt in to our tracking" and nobody would care or click it.
Re: (Score:2)
Indeed. It would also mean that for all practical purposes, tracking is restricted to people that actually decide to become customers, subscribers or the like. Well, basically that state has already been reached in the EU even though many still need to get into compliance with it. The only ones that will suffer are the advertisers but they are a plague anyways and the more of them die the better.
Re: (Score:2)
Not true. The cookie(s) used for "staying logged in" are strictly necessary to a function which the user has explicitly requested, and so do not require separate consent. The reason for the near-ubiquity of cookie consent banners is that most sites want to monetise their users by selling their personal data to third parties.
Re: (Score:2)
The reason for the near-ubiquity of cookie consent banners is that most sites want to monetise their users by selling their personal data to third parties.
I don't buy it.
Part of my job is "Business Internet Solutions".
I design networks, software, and in general- solutions.
As such, I'm rather constantly dealing with questionable tracking behaviors of businesses.
Most are not monetizing you. They're tracking you for their own internal metrics.
They want to know what you did on their page, how you did it, when you did it, in some nonsensical quest to understand the people who use their site.
Now- is the GDPR making doing that more of a pain in the ass a goo
Re: (Score:2)
They want to know what you did on their page, how you did it, when you did it, in some nonsensical quest to understand the people who use their site.
Why isn't that information in their logs? Why do they need the browser to keep track of it for them?
Re: You find it confusing? (Score:2)
Because tracking 1) session across multiple servers and application stacks and 2) the state of the page as it is displayed to the user composed from a bunch of different sources, is REALLY hard to do server-side, especially at scale.
Re: (Score:2)
I am not a web developer. I've never run a web server. And I say: WTF is the matter with this business?!!
I should think a company whose business is serving information to people would be very worried at the idea that they themselves can't keep track of what information they're serving to whom when! And they should be much more worried if they're using random untrusted remote computers to track their state for them. Why is this not considered to be a HUGE security risk? Why are people in charge at the techni
Re: (Score:2)
I am not a web developer. I've never run a web server. And I say: WTF is the matter with this business?!!
You could have stopped right there.
I should think a company whose business is serving information to people would be very worried at the idea that they themselves can't keep track of what information they're serving to whom when! And they should be much more worried if they're using random untrusted remote computers to track their state for them. Why is this not considered to be a HUGE security risk? Why are people in charge at the technically-knowledgeable level OK with this? I'm not even convinced this sort of behavior should be legal.
This shows that you don't understand what they're doing, or why, or how it's hardly a privacy risk.
Me, I use a cookie whitelist. So if I don't have an account on your website, I don't have any cookies from your website.
That's absolutely fine. You're part of a vanishingly small minority, so as far as business determinations go, you just don't matter.
Re: (Score:2)
This shows that you don't understand what they're doing, or why, or how it's hardly a privacy risk.
So explain it to me. Why is it okay that your server needs my browser to tell it what the server is doing? Why isn't it considered a security risk that the server just trusts whatever random crap my browser tells it? If Dynedain is to be believed, since I whitelist cookies, it's REALLY hard for a webserver to even know what happened while I was visiting. If that's true, why isn't there a demand for better server software?
Re: (Score:2)
So explain it to me. Why is it okay that your server needs my browser to tell it what the server is doing?
Needs is a strong word, but I'll parse it in a liberal sense.
The server wants to know what the browser is doing so that marketing can evaluate how you use the site. They will then use this information to come up with ways to squeeze more money out of you (or nominally, "improve your user experience")
This doesn't mean the stuff the server normally logs (your actual server requests) but rather the stuff you're doing in that webpage on the client that doesn't normally result in a server request.
Why isn't it considered a security risk that the server just trusts whatever random crap my browser tells it?
Because the w
Re: (Score:2)
So explain it to me. Why is it okay that your server needs my browser to tell it what the server is doing? Why isn't it considered a security risk that the server just trusts whatever random crap my browser tells it? If Dynedain is to be believed, since I whitelist cookies, it's REALLY hard for a webserver to even know what happened while I was visiting. If that's true, why isn't there a demand for better server software?
The fact of the matter is these schemes generally thru permissive CORS policy have given dozens of third parties involved in a typical website site access to even user session tokens. It's both a privacy AND security nightmare with no acceptable real world excuse. They are just following the path of least resistance, expedience and cost that results in these practices. Everyone but the user wins and since there is no meaningful regulatory pushback to internalize the costs borne in terms of user privacy a
Re: (Score:2)
Folks, mod parent up! This is the most informative answer I've ever gotten on this subject, in many years of asking similar questions.
So what a lot of those "tracking cookies" are really about is keeping track of what I'm doing on a web page between actual clicks? Fascinating! I love your idea of a browser extension that lies to them about it.
Re: (Score:2)
Because it's not one server. There can be hundreds of different servers and applications involved in serving up just one page to your browser. The only place that has a singular view of that composite resulting page and personalized session is the browser itself.
The days of a single-server blog site are a decade or two in the past.
Re: (Score:2)
Navigate any retailer's website from homepage to order completion. Congratulations, you just crossed over at least 3-4 different server-side application stacks to complete that journey from homepage, to catalog, to cart, to checkout, to billing, to order confirmation. Now, describe how to maintain session AND how to attribute the originating referral link (because you have to pay the referrer a kickback for sending you a paying customer) just by looking at server logs and without reinventing something that
Re: (Score:2)
And why, if you click on the little triangles for details, are there hundreds of companies involved? Are they all altruistically helping the main site understand what their users are doing? I don't buy it.
Usually just a few. Why? One for your captchas and such, another for your website client logging.
Neither of those are particularly monetizable, or privacy intrusive.
As for why are third party sources used for things like client logging? Because it's the future, and companies are fucking lazy.
Why do what someone else already packages up into something neat and clean for you?
One tool I've seen lets you watch a literal simulation of the web page and the client's cursor navigating around it, including wh
Re: (Score:2)
Because the real world has an inadequate supply of superheroes with nuclear weapons.
Re: (Score:2)
And why, if you click on the little triangles for details, are there hundreds of companies involved? ....
Usually just a few. ....
You've got to be kidding. When I sometimes opt for the cookie choices, there are usually hundreds of them. You can accept the lot, or spend ten minutes de-selecting them, or reject the lot and the site won't work. Or back out and find they have stuck you with their cookies anyway. This might just be for something you wanted to check quickly like whether a seller stocks cat litter. Some even want you to register with the site just to view their fucking advert, but that's another issue.
Whatever the GDPR i
Re: (Score:2)
Re: (Score:2)
You've got to be kidding. When I sometimes opt for the cookie choices, there are usually hundreds of them. You can accept the lot, or spend ten minutes de-selecting them, or reject the lot and the site won't work. Or back out and find they have stuck you with their cookies anyway. This might just be for something you wanted to check quickly like whether a seller stocks cat litter. Some even want you to register with the site just to view their fucking advert, but that's another issue.
I'd love an example. Care to give me one?
Whatever the GDPR is supposed to do, in practice it is useless.
The evidence doesn't support that it's useless. However, there's also good evidence that it does harm along with the good it does. Like most things, there's a bit of nuance involved in the conclusion.
Re: (Score:2)
I think part of the problem is that people use 3rd party analytics services because they're easy to set up and work very well, those 3rd party analytics services then use the data for commercial purposes as that's how they make money and they wouldn't exist otherwise.
Re: (Score:2)
I think part of the problem is that people use 3rd party analytics services because they're easy to set up and work very well, those 3rd party analytics services then use the data for commercial purposes as that's how they make money and they wouldn't exist otherwise.
Some of those services are "free" (hah) as you mention.
Others are paid.
In the US, it's risky to take someone's data and hand it off to someone else who may commercialize it.
CA law puts you in legal jeopardy if you do so without clear consent.
Doesn't mean it doesn't happen... But in my experience, that's not the goal. Middle managers are happy to pay for analytics.
Tell the European Commission that (Score:2)
The European Commission disagrees with you. ...
Essential cookies are those without which the site cannot work at all. Below that are what are called "Preferences Cookies".
The official description of Preferences Cookies (quoting from EC.europa.eu):
--
It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don't have to keep re-entering them whenever you come back to the site.
Be aware though that yo
Re: (Score:2)
I note that you didn't give a URL for your quote from ec.europa.eu. Google is able to find the quoted sentence beginning "Be aware though" on four pages, and in all of them the context is identical:
Re: (Score:2)
And what's the very next sentence that you cut off from the quote?
You've got two options here:
A) Learn something from what you just read on GDPR.eu, so then you actually know
B) Put your fingers in your ears and say "nanana I can't hear you", refusing to learn anything.
I, and the rest of us, can read the page. So we know what it says. *WE* know it says saved login is a preferences cookie, not an essential cookie. I guess you can decide if you want to know or not. You see it right there on the page. You can
Re: (Score:2)
I assume that you mean the list item following the second quote, although it would be helpful if you were explicit.
Are you choosing to interpret a cookie which remembers "what your user name and password a
Re: (Score:2)
That would be the difference between "staying logged in to Slashdot" (after you close the tab) vs having to log in again every time you come to Slashdot. The word "staying" is there for a reason.
Re: (Score:2)
The European Commission disagrees with you.
Essential cookies are those without which the site cannot work at all.
GDPR.eu breaks it down nicely:
The link you provided is clearly indicating the opposite:
"Strictly necessary cookies -- These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site ...
These cookies will generally be first-party session cookies."
"Preferences cookies -- Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or wha
Re: (Score:2)
That would be the difference between "staying logged in to Slashdot" (after you close the tab) vs having to log in yet again every time you come to Slashdot.
Re: (Score:2)
That would be the difference between "staying logged in to Slashdot" (after you close the tab) vs having to log in yet again every time you come to Slashdot.
Session cookies are not bound to tabs or even necessarily the lifetime of the browser process.
Re: (Score:2)
What gets me is when, for example, my local council's website wants to set tracking and advertising cookies. Really WTF. The same goes for any website offering a service for which I pay, which is far far too many in my experience.
Re: (Score:2)
Did you read TFA?
When I open it I get a full screen overlay that obscures all content and cannot be dismissed without either agreeing to being tracked or going to another screen, unticking 20 boxes and scrolling down to the "save" button.
Re: (Score:2)
That sounds pretty annoying. Do you like it that way, or would you rather it just uses your "no third-party cookies" setting that you set in your browser a year ago?
But no, I don't get what you do. Perhaps because I'm not in Europe. In the US, I don't get that annoyance. It just follows what I have set in my browser.
Re: (Score:2)
Did you read TFA?
When I open it I get a full screen overlay that obscures all content and cannot be dismissed without either agreeing to being tracked or going to another screen, unticking 20 boxes and scrolling down to the "save" button.
Yes, and I backed out from that screen by going to my home page and I found they had stuck me with a cookie anyway. Many sites stick you with multiple cookies even if you do back out.
Is this shit allowed under the GDPR? If so the GDPR is toothless, and if not, it is illegal. Maybe that was a non-EU site, but it happens with EU websites anyway.
Re: (Score:2)
It's not allowed. I have made a complaint, will escalate it if they don't fix.
Re: (Score:2)
Are you saying you find this confusing, or tricky?
--
Do you want to allow cookies to remember your preferences on this site?
[Accept] [Reject]
I think it is.
The "cookie" modality is irrelevant and confusing to normal people. Simply asking to remember preferences is sufficient. Invoking the word cookie serves no useful purpose.
Also the question itself is generally over specific and unnecessary. Asking it especially up front disconnected from any actual changes to preferences is poor design and a source of alert fatigue.
The cookie cookie cookie verbiage generally is intentionally designed to distract people away from what the site is actually see
Re: (Score:2)
It is unfortunate that Microsoft killed DNT. While certainly not ideal, it would have been a step forward.
Re: (Score:2)
That would be a straightforward, law complying cookie popup, the kind the poster wants to see implemented as required by law.
I have never seen that style of cookie message.
Every cookie pop-up that I see says something to the effect of "accept all cookies" and if you do not do that, you must bring up another window, and if you are lucky then deselect (thus opt-out, not opt-in) something that may be confusingly labeled, and then click back to get the page you were on. In the best case this is not a huge burde
Re: (Score:2)
That's really, really weird that you've never seen that, because I see pretty much exactly that on over half of web sites, I'd say. "Decline" may be labeled "essential cookies only".
I know people get entirely different NEWS, because they shop for news that fits their pre-existing bias, but I wouldn't have thought we'd have such vastly different experiences on this topic. Odd.
Re: (Score:3)
TFA puts up a full screen overlay that cannot be dismissed except by agreeing or going through a complex opt-out screen. The content of the site cannot be viewed until it is dismissed.
That is a barrier.
If you need to click 20+ times then it must be opt-out, because otherwise you would not need to do anything as the default is not to handle your personal information for any purpose other than those strictly necessary for technical reasons.
Re: (Score:2)
And what aggravates me the most, is that you have all these sliders (regular ones off, "legitimate interest" on), you turn them all off, and then the big colored button at the bottom is "accept all" which just reactivates everything (and good luck finding a way to undo that because the box is gone). You have to click the less attractive button to actually disable everything, contrary to any other computer UI.
And on some sites it's "accept all" on the right and "save settings" on the left, sometimes the othe
Re: (Score:3)
The current system at innumerable websites is to pop up a small window with a long list of pre-checked boxes, often on two tabs (one for regular compliance, one for "Legitimate interest"), often 20+ boxes, and at the bottom a button to accept the choices selected. The text on the buttons may also change. There's a big inviting colored button saying "accept and access" or similar, and one in black and white saying "decline" or similar.
The latest trick I have seen is button/sliders where there is nothing to indicate which are the ON/OFF directions, and the colour remains the same either way. The wording by the button is deliberately ambiguous as to what ON and OFF would mean anyway.
Re: Clueless (Score:2)
Re: GDPR (Score:2)
Cookie fatigue? (Score:5, Funny)
Re: (Score:2)
Coookie Monster is a mad monster who caused this cookie mess online! :P
Why? (Score:2)
No one asked for this in the ~30 year long history of the internet.
Re:Why? (Score:5, Insightful)
Re: (Score:3)
This is currently the subject of on-going complaints: https://noyb.eu/en/noyb-files-... [noyb.eu]
I've started filing some myself, although I don't see very many cookie requests because I have ad-blockers.
Re: (Score:2)
I see some of this from the other side (as IT auditor) and there still is a lot of confusion on the side of the companies. The practical rules are pretty simple though. Basically you need to offer a "no" button regarding all tracking and identification of the user (you _are_ allowed to track that decision with a session-cookie that records just that "no"), and additionally as many options as you like with _clear_ descriptions of what they do. Note that some browsers may keep session cookies longer than the
Re: (Score:2)
Re: Why? (Score:2)
Re: (Score:2)
If you live in Europe, damned near every site you visit now has a pop-up with detailed options around cookies that must be negotiated before you can so much as read an article. It's a response to obligations under GDPR, and it's damned near malicious compliance because no one reads them, and most just click "accept all" because who has the time to navigate each one of these?
I thought this was what all Europeans wanted? They surely worked hard enough to get the world to implement this grand solution to whatever critically important thing they needed to solve.
Re: (Score:2)
I thought this was what all Europeans wanted? They surely worked hard enough to get the world to implement this grand solution to whatever critically important thing they needed to solve.
I think it's more of a question of malicious compliance. Sites have to ask if they want to track you. The ones who comply in good faith put an unobtrusive banner at the bottom of the screen that says something like "This site uses cookies to save your preferences. Do you want to allow that? Accept/Reject". The shady sites put up modal screen blocking banners, try to hide the reject button, or tick the opt-in checkbox by default.
If there were a standard for expressing user consent in the browser, we could
Re: (Score:2)
I thought this was what all Europeans wanted? They surely worked hard enough to get the world to implement this grand solution to whatever critically important thing they needed to solve.
I think it's more of a question of malicious compliance.
I think you are 100 percent right.
Re: (Score:2)
And now that opt-in has been disallowed, they pull this "legitimate interest" bullshit, pretending that there are pages that have a "legitimate interest" to track and profile you.
Plus, if you dutifully tick off every single of those fucking "legitimate interest" boxes (there'll be somewhere between 20 and half a billion), rest assured that the next time you visit that page, you'll be asked again, just in case you changed your mind.
But don't worry, if you let them spy on you, they'll stop bugging you and nev
Re: (Score:2)
Re: (Score:2)
This is why there are different kinds of cookies, and yes, they had the foresight to define them as such. There are those cookies required for the function of the site and those that exist for marketing purposes.
And yes, you have to let your user choose which one they accept.
Re: (Score:2)
As soon as you provide personalized services, you can require more technical cookies and also long-term ones. You still cannot do marketing tracking (i.e. behavioral information) without explicit consent and you cannot require that consent if there is no technically valid reason for it.
Re: (Score:2)
Indeed. A site can also simply default to no tracking and if there are specific functions that require it (and are legally allowed to require tracking) to only ask then. Or leave the cookie question somewhere unobtrusive on the screen and do not track unless people actively agree.
Note that you do not have to provide the same website without tracking consent. You have to provide the same information about products and services, but if you fall back to HTML 2.0 for people that do not want to be tracked, that
Re: (Score:2)
No, what we wanted was for all data-trafficking to be consensual.
Nobody asked for every single web site to turn into a game of whack-a-mole before you can even see if the page is worth viewing or not.
Re: (Score:2)
No, what we wanted was for all data-trafficking to be consensual.
Nobody asked for every single web site to turn into a game of whack-a-mole before you can even see if the page is worth viewing or not.
And sometimes we get unintended consequences. This so called solution is more like punishment.
Letting politicians make technical decisions is seldom a good idea. Because they won't eliminate trackers.
Re: Why? (Score:2)
Re: (Score:2)
If you live in Europe, damned near every site you visit now has a pop-up with detailed options around cookies that must be negotiated before you can so much as read an article. It's a response to obligations under GDPR, and it's damned near malicious compliance because no one reads them, and most just click "accept all" because who has the time to navigate each one of these?
I thought this was what all Europeans wanted? They surely worked hard enough to get the world to implement this grand solution to whatever critically important thing they needed to solve.
Not really. The GDPR doesn't specify these kinds of screens nor do users want them. It's the advertising industry being malicious by designing the worst fucking possible mechanism to be compliant with the GDPR. The goal is to annoy the users so much they will run back to the EU crying for the GDPR to be watered down.
So these screens are there because advertisers are basically class-A Assholes that would rather shit some more on their users than to stop tracking them.
Re: (Score:2)
If you actually take the time to click on the little detail icons to see how many companies are involved that are all harvesting your data, you will see how real this problem is. How can anyone find it remotely acceptable that everything you do is shared by hundreds of little companies?
Imagine you're going through a supermarket while being constantly followed by dozens of shady people with cameras recording everything you touch or even look at. Would you be comfortable with that? Because that's what browsing the internet without GDPR protections is like. Except it's not dozens but hundreds of shady companies.
I use scriptblocking, privacy badger, and adblocking. It is nothing more than disgusting the amount of data harvested from us. And unless you block scripts as well, you're still being tracked and harvested.
To me what the big issue is is that we are aiming the internet at people that can't be bothered to learn how to protect themselves.
I have a couple sites that I geoblock Europe on. Which is what I think should be done for all sites that are not in the EU.
Re: (Score:2)
That's not just an "if you live in Europe" thing. While I'm sure some sites are using some form of geo-detection and only showing it there, a lot of us outside of Europe have had to suffer with these as many sites just turn it on in general regardless of location to comply with the EU directive.
Re: (Score:2)
You can just hit "accept all" and get what you'd get without the EU.
Re: (Score:2)
If you live in Europe, damned near every site you visit now has a pop-up with detailed options around cookies that must be negotiated before you can so much as read an article. It's a response to obligations under GDPR, and it's damned near malicious compliance because no one reads them, and most just click "accept all" because who has the time to navigate each one of these? A browser-level setting with suitable standardisation would enact the spirit and not just the letter of GDPR. If you haven't been exposed to these, I could understand why this seems to be out of nowhere, but for Europeans, I think something like this is a necessary development.
It isn't "near" malicious compliance, it is malicious compliance and should be smacked down hard for it.
So much so that a decent adblock now blocks cookie popups (not to mention the I Dont Care About Cookies extension).
The two things that the companies pushing these popups don't get are:
1. You're not driving us to hate the GDPR, you're driving us to other sites that aren't trying to turn us against the GDPR.
2. You cannot force us to give up legal protection by annoying us into acquiescence. A legal
Re: (Score:2)
You've been gaslit.
Consent is not required for those cookies that are only used for purposes *essential* to the working of the site. Two of the key reasons to be allowed to process data under GDPR are necessity and consent. It's also why if you apply for a loan, the bank will tell you what they will do with your data but not ask for your consent. Consent cannot be assumed just because you submitted the form but they don't need your consent because they collect and u
Re: (Score:2)
Consent : Can I post a reply to your post [Y/N/I don't give a damn]?
Re: (Score:2)
No one asked for this in the ~30 year long history of the internet.
You clearly don't live in the EU where every page has a cookie pop-up and everyone for the past 10 years has been asking for this. Well not specifically what the UK is proposing... Ideally what the regulation would do is enforce a standard setting, e.g. force companies to use essential cookies only and not ask anything if e.g. Do Not Track is set or something similar.
Mind you, you new worlders have other problems. Such as how pages like www.usatoday.com take 45 seconds to load with all the tracking scripts
nice way to kill traffic (Score:2)
Do Not Track (Score:5, Insightful)
All we need to do is amend the law so that user selections such as "do not track" and "no targeted advertising" can be specified by a user, once, in their browser settings and to make it a legal requirement for web sites to honor those values.
Problem solved.
Instead, web sites are being configured so that if you purge your cookie cache each time your browser closes, you have to go through the "opt out" rigmarole each and every time. This is "pester power" being used by corporations to get people to cave in and accept being tracked.
If the UK government are going to make a change to the law, adjust the law to force companies to respect existing browser functionality and preserve end user privacy.
Anything else would be selling out the UK's entire "on line population" to big business. Which might be what the UK government want to do, but it is most assuredly not what they were elected to do.
Re: (Score:2)
> The article's reference to "Do Not Track" says all that needs to be said here.
Not necessarily
> device-level setting
We've had that since forever in browsers (only lately it disappeared). Accept all cookies, whitelisted cookies, only first party cookies, No cookies. Along with configurable cookie lifetime.
God I miss Konqueror...
If this is set on the device, and the legal mandated default is first party cookies, the reference to DNT is nonsensical, because it requires no good behaviour from the serve
Re: (Score:3)
I have been thinking about this and I'm tempted to try a test complaint.
If my browser sends a "do not track" header then the website asks me if I want to allow tracking anyway, and it frustrates me by covering the page with that request, or making it difficult to dismiss, or trying to opt me in unless I click something, that would seem to be incompatible with GDPR rules.
Re: (Score:2)
In fact, there may be other elements to this. For example, there are a bunch of web sites you can find where opening the "cookie preferences" window gives you a list of hundreds - perhaps even thousands - of third party cookies. Instead of allowing you to opt out of all those cookies - which the site you are visiting would be able to do, since a simple piece of "if...then...else" or equivalent logic would deal with that as the page renders - the site
Re: (Score:2)
> I have been thinking about this and I'm tempted to try a test complaint.
> If my browser sends a "do not track" header then the website asks me if I want to allow tracking anyway, and it frustrates me by covering the page with that request, or making it difficult to dismiss, or trying to opt me in unless I click something, that would seem to be incompatible with GDPR rules.
That is a case that needs an explicit decision by the privacy commissioner responsible. But there is a step before that: It must not be made hard to use the site without consenting to tracking. A single click in a single pop-up is likely to be below that threshold. It is also permissible to ask you again every time you visit if you disagree. However requiring multiple clicks, extensive scrolling, etc. is likely not permissible.
Privacy is not free. Essentially companies do not want to annoy prospective cust
cookies to save cookie preferences? (Score:3)
What I hate is that every time I visit a damned website, I have to go through the same crap to tell them that I don't want their cookies.
I mostly care about tracking cookies, but I also don't want third party stuff loaded that might allow *them* to track me.
But I'd be okay with allowing them to set one cookie, saying that I don't want their cookies, so they don't pop up with the question over and over again.
(which oddly, I'm pretty sure they know, as so many are already pre-populated with everything off that you can turn off)
Re: (Score:2)
> But I'd be okay with allowing them to set one cookie, saying that I don't want their cookies, so they don't pop up with the question over and over again.
This is literally allowed. If you are experiencing something else, it is malicious in intent or incompetent.
Re: (Score:2)
> But I'd be okay with allowing them to set one cookie, saying that I don't want their cookies,
They don't need a cookie for this. Instead just follow the "do not track" header.
Re: (Score:2)
> What I hate is that every time I visit a damned website, I have to go through the same crap to tell them that I don't want their cookies.
Do you delete cookies on exit? I've only had repeat requests for cookies when I've cleared cookies... which is something I've set to do now for all sites which makes it a PITA.
> which oddly, I'm pretty sure they know, as so many are already pre-populated with everything off that you can turn off
No, this is a requirement of the law. The default option needs to be opt-in for anything but the essentials. Not pre-populating them this way would be illegal.
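The behaviour this sub-thread asks for, as an added example that is not part of any comment above or of any real site's code: a server-side decision that treats `DNT: 1` as a refusal, remembers an answer in one preference cookie, and otherwise asks once with every optional category off. The function names, the `cookie_prefs` cookie and its value format are assumptions, and `Sec-GPC` (the Global Privacy Control header) is not mentioned in the thread.

```javascript
// Added example; decideConsent, recordChoice and cookie_prefs are hypothetical names.
const ESSENTIAL = ["session"];                  // needed for the site to work
const OPTIONAL = ["analytics", "advertising"];  // opt-in only

// Parse a Cookie request header into { name: value }.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || "").split(";")) {
    const p = part.trim();
    const eq = p.indexOf("=");
    if (eq > 0) jar[p.slice(0, eq)] = p.slice(eq + 1);
  }
  return jar;
}

// Decide which cookie categories a request may receive and whether to ask.
function decideConsent(headers) {
  const h = {};  // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  // 1. Browser-level signal: a refusal. No banner, no preference cookie needed.
  //    (Assumption: the signal also overrides an earlier stored opt-in.)
  if (h["dnt"] === "1" || h["sec-gpc"] === "1") {
    return { source: "browser-signal", allowed: [...ESSENTIAL], showBanner: false };
  }

  // 2. A stored choice: honour it, but only for categories we actually define,
  //    because the cookie value is client-controlled input.
  const stored = parseCookies(h["cookie"])["cookie_prefs"];
  if (stored !== undefined) {
    const chosen = OPTIONAL.filter((c) => stored.split(".").includes(c));
    return { source: "stored-choice", allowed: [...ESSENTIAL, ...chosen], showBanner: false };
  }

  // 3. Nothing known: ask once, with every optional category off by default.
  const bannerDefaults = Object.fromEntries(OPTIONAL.map((c) => [c, false]));
  return { source: "ask", allowed: [...ESSENTIAL], showBanner: true, bannerDefaults };
}

// Build the single Set-Cookie value that remembers the visitor's answer.
function recordChoice(accepted) {
  const chosen = OPTIONAL.filter((c) => accepted.includes(c));
  const value = chosen.length ? chosen.join(".") : "none";
  // Max-Age is a constructed value (180 days).
  return `cookie_prefs=${value}; Max-Age=15552000; Path=/; Secure; SameSite=Lax`;
}
```

A visitor who clears cookies on exit loses the stored choice and lands in case 3 again, while a browser-level signal survives because it is sent with every request.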
Tech Crunch weasel wording (Score:4, Insightful)
It's interesting to see the weasel wording from Tech Crunch, being tragicomic in a way. They are clearly trying to frame the deluge of cookies and tracking scripts as a good thing, given that they earn money through it.
Personally, I find the warnings a good thing, because it shows just how much of an enemy Silicon Valley and their disciples all over the world have become. It's also useful to show in school, just how invasive both Google and Apple are when it comes to their devices. At my kids' school, I showed them the net with and without a tracker sinkhole (for simplicity's sake, in this case I showed the kids and teachers Pi-Hole).
It's also going to be hilarious watching all the Silicon Valley worshippers around here come out of the woodwork and start chanting their "Google/Apple/Amazon good, law doesn't apply to them! Heil Free Market!", in support of the companies, even as they bemoan "Da Guvermint" raping privacy (with Silicon Valley's explicit help, mind!).
Re: (Score:2)
I submitted a complaint to Tech Crunch's (or rather parent company Verizon's) GDPR compliance team. I will see what they do and escalate to a formal complaint to the ICO if they don't remove their shitty full screen dark pattern request.
Re: Tech Crunch weasel wording (Score:2)
> chanting their "Google/Apple/Amazon good, law doesn't apply to them! Heil Free Market!", in support of the companies, even as they bemoan "Da Guvermint" raping privacy?
... I'm not sure you're talking about the same people. I had a hard time figuring out what you were talking about in general.
The article was about website cookie consent pop ups? Then you something something GoogleAppleSiliconValley. Have they given a statement on the idea of making cookie consent a smoother experience?
I can't tell if you are for or against that, but you like the web pop ups because it shows something GoogleApple ... I don't understand your association between silicon valley fanboy, go
Re: (Score:2)
> Personally, I find the warnings a good thing, because it shows just how much of an enemy Silicon Valley and their disciples all over the world have become.
Thanks for writing. Me too, precisely this.
Never ever... (Score:3)
Ask a bureaucrat to solve a problem...
Re: (Score:2)
Alias "Never replace a problem with another problem before considering whether you can replace it with two others."
Malicious compliance (Score:2)
The GDPR has a flaw. (Score:2)
The cookie fixation of the GDPR is n00by nonsense written into law by the IT layman and thinned down with broad-strokes loopholes. Web-wide tracking and the construction of shadow profiles that the end-user doesn't see and control are the problem. Fixing this in the GDPR would rid us of this "Cookie Popup" privacy theater nonsense.
Re: (Score:2)
The GDPR has no "cookie fixation". In fact, it does not even mention cookies anywhere. It is about identifying people and recording and profiling their behavior. Any tracking without informed consent, whether invisible to the user or visible via cookies, is just as illegal.
There's a setting in my browser (Score:2)
That says "Do Not Track"
I don't believe there is a website on the Internet that actually pays attention to this setting.
Who should I sue first?
Whitelist cookies. (Score:4, Informative)
Cookies are something 99% of sites you visit do not need to use but they do. Furthermore, the tracking of cookies becomes increasingly insidious as time goes on. Therefore, the only logical response is to only enable cookies for a domain when it is needed. This is why I switched to cookie whitelisting and have never looked back.
Re: (Score:2)
I use Cookie Auto Delete for Firefox and Chrome. It removes all site data, including cookies, after you leave a site. That way sites don't break but also can't persist cookies between visits.
Obviously 3rd party cookies are completely disabled.
Re: (Score:2)
I don't care... (Score:2)
I rarely see cookie popups or notices.
Just clear them (Score:2)
When you're done browsing for the day, clear all your cookies and cache. Then, when you go back to the same site the next day, they think you're someone new which then pollutes their tracking since quite obviously you are not a new visitor.
Also, by clearing out your cookies you prevent being directly tracked since there is nothing to go back to for reference. Let them figure out who you are, until the next time you clear everything and force them to start over from the beginning.
"DNT: 1" means DO NOT TRACK (Score:2)
I hate ads (Score:2)
ICO not eating its own dogfood (Score:2)
The first thing that you see when visiting ICO is a "our use of cookies" consent slide out. You can't even read the cookie policy document linked to it without it being obscured by the slide out.
Heading on their site reads "The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals." and yet somehow they couldn't even be bothered to run their own stat package on their own site instead opting to use
Browsers need a 'protected cookie' space (Score:2)
I propose that every browser implement a Protected Cookies local folder on each user's system. Cookies in this area would be easily separately identified by the user - you would know who placed each such cookie and why - and would be individually deletable. A General Cookies folder would be the default location for all other cookies, managed as cookies are now except that the user could specify a default answer to the GDPR question to avoid having that goddamned GDPR question pop up on every page of the Int