Europe's Cookie Law Messed Up the Internet. Brussels Wants To Fix It. (politico.eu)
In a bid to slash red tape, the European Commission wants to eliminate one of its peskiest laws: a 2009 tech rule that plastered the online world with pop-ups requesting consent to cookies. From a report: It's the kind of simplification ordinary Europeans can get behind. European rulemakers in 2009 revised a law called the e-Privacy Directive to require websites to get consent from users before loading cookies on their devices, unless the cookies are "strictly necessary" to provide a service. Fast forward to 2025 and the internet is full of consent banners that users have long learned to click away without thinking twice.
"Too much consent basically kills consent. People are used to giving consent for everything, so they might stop reading things in as much detail, and if consent is the default for everything, it's no longer perceived in the same way by users," said Peter Craddock, data lawyer with Keller and Heckman. Cookie technology is now a focal point of the EU executive's plans to simplify technology regulation. Officials want to present an "omnibus" text in December, scrapping burdensome requirements on digital companies. On Monday, it held a meeting with the tech industry to discuss the handling of cookies and consent banners.
Prop 65 (Score:4, Insightful)
Can California address the Prop 65, too?
Re: (Score:1)
Prop 65: "The law protects the state's drinking water sources from being contaminated with chemicals known to cause cancer, birth defects or other reproductive harm."
there must be more to your comment.
Re: (Score:2)
I have a can of mushrooms that has a proposition 65 label. They are so ubiquitous that no one pays attention anymore. Analytical chemistry can routinely get to part per trillion levels, at that purity level everything is contaminated.
Re: Prop 65 (Score:3)
Re: (Score:2)
Prop 65 is a good thing. It causes consumers, and eventually manufacturers to avoid toxic chemicals. It could be implemented differently, instead of a warning when the product uses a toxic chemical, there could be a certification that the product does not use known toxic chemicals.
Re: (Score:2)
It needs to have some indication of the risk involved, but right now it's the same if something has a 1 in 5 chance of giving you cancer to a 1 in 5 trillion. The result is people just assume they're all the same
Re: (Score:2)
Prop 65 is a good thing. It causes consumers, and eventually manufacturers to avoid toxic chemicals.
Its intention was to cause consumers and manufacturers to avoid toxic chemicals. That's a fine, high minded intention but intentions are not results.
What it actually does is incentivize everyone to put a Prop 65 label on virtually everything, making the labels useless when selecting products. I do not, in fact, get a choice of two grocery stores, one with a Prop 65 warning, one without.
What I expect it also actually does is allow some set of law firms and public interest groups to make bank filing Prop 65
Re: (Score:2)
It's not completely useless, there are still manufacturers who don't put the label. If I had a choice of 2 competing products of similar prices, I go with the one without the label. Also when I see one of these in a place I don't expect, e.g. a swimming pool, it prompts me to look it up and learn something from it.
Yes, it can be improved, e.g. by listing the actual risk of using the product, but I can also research that myself.
Re: (Score:2)
It's not completely useless, there are still manufacturers who don't put the label. If I had a choice of 2 competing products of similar prices, I go with the one without the label.
I can't remember the last time I was in that situation. Can you list some examples of when you had that choice?
If the labels help you, well that's great for you. You're literally the first person I've ever talked to about this (and I've lived in California since before Prop 65 passed) who even hinted they thought the warnings informative and useful. That means you're in a very slim minority. The small benefit you get is swamped by the cost and annoyance they are causing all the rest of us. And, I presume bu
Re: (Score:2)
The most recent incident I could remember was some sort of dried fruit. Not sure why (improving the label's detail would help). Maybe it was contaminated with something or maybe the packaging itself was a problem. I ended up buying a different kind.
The small benefit you get is swamped by the cost and annoyance they are causing all the rest of us.
Oh? Please explain how it costs you, the consumer? Or how it annoys you other than in a purely free-market theoretical way?
The only people who'd care about a label that can be easily ignored are manufacturers who'd like to use cancer-causing materials. It costs n
Re: (Score:3)
The most recent incident I could remember was some sort of dried fruit. Not sure why (improving the label's detail would help). Maybe it was contaminated with something or maybe the packaging itself was a problem. I ended up buying a different kind.
Thank you. After I wrote that, I was thinking whether I'd actually seen Prop 65 warnings on food items and I honestly can't remember. Usually I see them on the entrances to buildings. I'm sure Whole Foods has a Prop 65 warning by their front door.
Oh? Please explain how it costs you, the consumer? Or how it annoys you other than in a purely free-market theoretical way?
Sure, I'll give you three. Bear in mind we're talking about a proposition. Being annoyed is sufficient reason to vote for or against one.
Say you've got a bag of dried apricots. There's only so much room on the label for marketing blather, idealized images, mandated nutritional information, and the warning. My eyes aren't what they used to be but I do read the nutrition information. I'd rather the nutrition facts were larger and easier to read rather than having the Prop 65 warning.
The apricot packager has c
Third-party JS (Score:5, Interesting)
Re: (Score:2)
This is far more insidious than cookies but doesn't require any consent. Why not?
Agreed. That is what NoScript is for. :)
Re: (Score:2)
Would it be any better if the site would load it server-side and include it into a first party script tag? This way you at least know what you get.
And the law is not about cookies, even though that's the part most users understand. It also regulates browser fingerprinting and other means to track users.
Re: (Score:2)
I reject cookies every time it pops up (Score:5, Interesting)
I guess I'm a weird one. I opt out of unnecessary cookies every time I see that popup. Not that I actually believe the honesty of the site, but I guess I'm just trying to send them a message. Of course I also run ublock origin and privacy badger to block those tracking cookies.
Re:I reject cookies every time it pops up (Score:5, Interesting)
Re: (Score:3)
Malicious compliance. A similar bad practice in the context of junk email is several different lists from the same entity, and you can only unsubscribe from each list when you receive that type of email.
Hopefully they update the law to deal with these kinds of bad practices.
Re: (Score:3)
All browsers should switch to discarding all site data by default, unless the user specifically indicates that they want to keep it. That could be by logging in, or it could be a manual confirmation.
I use CookieAutoDelete to enforce that on Firefox. All site data, including cookies, gets deleted after I leave the site, unless I specifically tell it that I want to retain it.
Re: I reject cookies every time it pops up (Score:2)
"legitimate interest"
Sorry, but no -- rejected.
Re:I reject cookies every time it pops up (Score:4, Interesting)
Re: (Score:2)
Most I've seen have a "reject all" button thankfully. Very few require me to tick several boxes.
Re: (Score:2)
I do the same, and have found that some sites default to only their strictly necessary cookies with all others disabled.
Isn't Brussels the reason for this situation in the first place?
Re: (Score:1)
Re:I reject cookies every time it pops up (Score:4, Insightful)
exactly. TFS says "People are used to giving consent for everything", but for everyone I know it is "People are used to rejecting consent for everything" - which is the default in the law, it is companies that want to move away from the default, not users. You can build stateful websites without cookies, you know ...
Re: (Score:2)
The sentence "People are used to giving consent for everything" comes from a "data lawyer", so a lobbyist. No surprise about his stance.
Re: I reject cookies every time it pops up (Score:2)
Same here. And for those annoying sites where I still have to click multiple buttons to opt out, I still opt out.
If I can't opt out, I leave the site.
The default should be that I'm opted out of everything -- get rid of the box, and get rid of all 3rd-party cookies and scripts.
But that'll never happen, alas (earwax).
Re: (Score:1)
If you/your browsing habits are the product, there's little incentive for them to default to the 'we don't get paid' option.
Re: (Score:1)
A popup that says [Reject All] [Accept Necessary] [Accept All] is easy enough.
What actually happens is many sites just provide a full-blown cookie management UI that is so complex users just click on Accept All.
Re: (Score:2)
Sometimes the popup has simply too many boxes to check and many of them not easily accessible. When they are too much, I open the page in a private window and agree to all, knowing they will be temporary cookies.
Who created the consent banners? (Score:5, Insightful)
Excellent framing here from the adware/private data collecting industry; the European law in no way mandates banners. The law mandates requiring consent for data collection, which is entirely reasonable. If you don't collect and transmit identifying/private data, you don't need to put a banner on your website. The whole banner thing has been malicious compliance from day one from the ad industry.
Re:Who created the consent banners? (Score:4, Informative)
Yes but IP address may be considered private data in regards to the law. Collect IP addresses and store them briefly to prevent brute force attacks? You need to get consent. Easiest way to do it, is usually a banner.
Re:Who created the consent banners? (Score:4)
I've never seen a cookie banner ask for consent to collect and store my IP address. If that is their reason, they completely failed to obtain consent in a manner that meets the law.
The reason for the banners is simple - a court case ruled that cookies are covered by GDPR, but they haven't explicitly ruled on other tracking mechanisms. So ad companies pushed the minimum and most annoying method of conforming with that ruling without changing their practices, and continue to ignore the fact that all the other tracking they are doing without consent is blatantly illegal.
Re: (Score:1)
Re:Who created the consent banners? (Score:4, Informative)
Please point out where it says you need consent to ensure normal operation at a technical level.
To my knowledge it is perfectly acceptable to have IP addresses for that purpose.
However, when you collect them for use at the business level (e.g. to profile users), that's a different story.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Temporary storage of an IP address, purely for preventing cyber attacks, not linked to any other data, does not require GDPR consent.
Re: (Score:1)
not linked to any other data
That's nearly impossible. The request destination, the timing, the geographic location, proxy use, contents of the request etc. are all necessary if you want to defend against attacks. These all need to be collected at all times. If you wait until you're under attack to start collecting, you will fail to block the attack.
Moreover, you'd want to store information about legitimate users so that they can be whitelisted.
The fundamental problem with these laws is that they are written by people who have almost n
Re: (Score:2)
Your IP address will be collected no matter what in the web server access logs.
Re: (Score:1)
malicious compliance
That is a great way to describe it. Maybe in that sense turnabout is fair play so make the banner popup say a very unfavorable view in very loud letters of what they are doing if they are in fact doing it, like cigarettes do.
"We WILL sell your data to unknown brokers who will use it to track you and sell that data to anyone to create an online profile of any detail of your life we can buy and use that to both target and bombard you with ads. And there is a likely chance this will be hacked and released online f
Re: (Score:2)
Yeah. My web site doesn't have any ads and doesn't need to set any cookies unless you log in. So, since forever, I only display a consent message on the login screen. Guests can browse the non-exclusive content without getting nagged.
We're just used to the tech industry being 0.001% reasonable.
Re: (Score:3)
Operational cookies do not require consent, so you don't even need to display the popup for the authentication.
Re: Who created the consent banners? (Score:2)
The EU did update the law (or the courts did, maybe) to tackle some of the malicious compliance issues. That's why there's a "reject all"-type button now.
Originally many sites had a single "allow all", and many "reject each cookie individually" buttons -- like, hundreds of them.
Re: (Score:2)
Excellent framing here from the adware/private data collecting industry; the European law in no way mandates banners. The law mandates requiring consent for data collection, which is entirely reasonable. If you don't collect and transmit identifying/private data, you don't need to put a banner on your website. The whole banner thing has been malicious compliance from day one from the ad industry.
In theory, true. In practice, virtually every free site funds themselves with ad revenue and so you wind up getting inundated with banners. I'm sure the backers hoped requiring consent would incentivize web site operators to not collect and sell tracking data. It would be interesting to see numbers whether implementation of the requirement actually had that effect.
ObJoke: What's the difference between theory and practice? In theory, nothing.
Isn't if You Click the Site, You Have Consented ? (Score:1)
Anyone with common sense knows cookies should run on implicit consent — if I visit a site, I’ve already consented to it working. The EU law wasn’t comprehensive, it was clumsy. Real privacy rules should target data abuse, not train people to mindlessly smash ‘Accept All.’ Instead, we got years of absurd pop-up windows that block the content until you click the obvious. Oh Lord
Re: (Score:2)
Re: Isn't if You Click the Site, You Have Consente (Score:2)
If all the sites were that easy, it wouldn't be a problem, at least 1/3 of them require a labyrinthine process to untuck all the little boxes. When the law was created, it should have specified a process of accept all, reject all, click here to manage individual choice. It's far from that easy.
Re: Isn't if You Click the Site, You Have Consente (Score:4, Informative)
The law already is this way, but a lot of websites are non-compliant.
Re: (Score:1)
The owners of those sites are thoughtfully disclosing that they are complete dicks so that those who care to can leave ASAP
Re:Isn't if You Click the Site, You Have Consented (Score:5, Insightful)
Anyone with common sense knows cookies should run on implicit consent — if I visit a site, I’ve already consented to it working.
There is a big difference between 'working' and tracking you and selling your data. A blog might need a cookie to store your user session, but then it has quite literally 600 other trackers spread across the page measuring mouse movements, keyboard clicks, time you're watching, among other things, which is then sold off, *with your username and profile data* (possibly including name, gender, location, age, interests, among whatever else you told the website).
Want to give that data? Fine, but it must be transparent and you should be able to agree to it.
MOST users have no clue this is going on and the GDPR went a long way towards not only educating people but helping them to protect their personal data, which is worth a lot more than you might think. This legislation is most likely being pushed by ad agencies or Microsoft or some other Big Corpo that feeds off your data to make billions, because it's most definitely NOT in the interest of most people.
Instead, we got years of absurd pop-up windows that block the content until you click the obvious.
The VAST majority of websites allow you to interact with data on an opt-in basis until you click the banner. It's rare to see a site that does not, and most of them are specifically if you've disabled ads (ad-blocker) and require either ads or for you to login.
Re: (Score:2)
Gah it's early. I did not mean GDPR: The law is called 'ePrivacy Directive'.
Re: (Score:2)
A blog might need a cookie to store your user session, but then it has quite literally 600 other trackers spread across the page measuring mouse movements, keyboard clicks, time you're watching, among other things, which is then sold off, *with your username and profile data* (possibly including name, gender, location, age, interests, among whatever else you told the website).
And yet, the banners never seem to indicate that this is happening. They just ask about 'cookies'. There is no informed consent here, so the law is actually useless. You are being asked to consent to something you know nothing about and then think that everything is ok. It is not.
Re: (Score:2)
> but then it has quite literally 600 other trackers
> spread across the page
All of which I was perfectly capable of blocking, and did block, before GDPR; all of which I still block, regardless of those stupid GDPR popups; and all of which I will continue to block when the EU inevitably changes things up again and GDPR goes the way of Safe Harbor, Privacy Shield, probably others that I don't recall off the top of my head, and the dodo bird.
I've never needed a pack of pinheaded busybody bureaucrats to h
Re: (Score:1)
There should be a requirement to have the button labelled 'Decline and go fuck yourself"
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That ip address is traceable to you by way of the entity that runs a wire to your house or provisions the sim to your phone so you can send those packets.
No, this is wrong. There are, probably more often than not, multiple people using the same source IP address, from the point of view of the website.
No website has ever loaded cookies on device (Score:1)
Then the law should have had no effect, since in all of history, no website has ever "loaded a cookie" on a user's device.
The furthest a website has ever gone in that direction, is to send cookies to the user's browser along with the requested data.
It's the web browser which decides whether or not to store the offered cookie. (And it also decides if/when to send the cookie back.)
Re: (Score:2)
Semantics. It's the hardware that stores the cookie, not the OS. Don't you know anything about computers? The other cookies are stored in the cupboard, but they tend not to last as long and relatively few sites actually deliver them.
Reject (Score:1)
Instead of routinely ALLOWING those cookies I routinely REJECT all cookies not critical to functions that serve ME.
If they pass change this, we lose the ability to reject those cookies!
Unless we use something like TAILS I suppose....
First-party cookies only (Score:2)
Most of the things people complain about involve third-party cookies of one sort or another. Very few people would object to most first-party cookies or the reasons they're used. After all, if you visit a site obviously they know everything you do there. So, my ideal rules:
Re: (Score:2)
Re: (Score:2)
“Nobody could have foreseen this.” (Score:2)
It was literally impossible to predict this, after how effective all these little warning labels have been.
Just enforce the browser do-not-track setting (Score:2)
It's that easy. Make the browser do-not-track setting legally binding. Users caring can set it and forget, no more annoying popups. And companies not respecting it could be pursued by law.
Only one good choice (Score:2)
Given an option to do so, everyone would select "necessary only" 99.99% of the time. No one would willingly enable all the tracking, performance, profiling and all the other crap.
Therefore the choice should be easy - ban all non essential and/or 3rd party cookies by default.
Really? (Score:2)
"People are used to giving consent for everything" - are there really people who accept non-essential cookies?
One browser setting (Score:1)
And all sites must work with both options selected.
Done.
Re: (Score:2)
This is more of what it should have been. Instead of legislating that every site implement a UI for accepting/declining cookies, it should be something built into the browser with a consistent UI and functionality. Plus you'd know if it was actually working, there's no guarantee that pressing a button on the website will work.
Probably would split it up into a few categories like None, Necessary (local), All (include third party sites). It's kind of pointless anyways since ad companies have plenty of ways
Brussels's legalistic cookie popups spam basically (Score:2)
Re: (Score:2)
Nah. You have your timeline wrong. People forgot how to write emails in favor of Facebook before that.
And it's even worse (Score:2)
Most users (and webmasters) now think of cookie banners as something that a website needs to have. For legal reasons. Like an imprint.
No one realizes that the easiest way of getting around implementing a cookie banner is to not use unnecessary cookies.
Re: (Score:2)
Those cookies are necessary for them to make money so that they can keep the website running. It may not be necessary for any one particular visitor, but if all visitors fail to make the website money, then the website will not function for long.
If a website does not use advertising to make money off of you, you should ask how they're making money instead, and whether that way of making money off of you is better (privacy or otherwise).
Re: (Score:2)
This implies that personalized Ads are better than contextualized Ads, which could be based on the website content instead of the users past browsing history.
Cookie and tracking based ads give us 6 months of washing machine ads after buying a new one. That's wasted ad money. But as a webmaster, that's wasted money that I receive, so it's not my problem.
Re: (Score:2)
Personalized ads pay up to 40% more. Remember this is revenue, not profit. It could be the difference between making a per visitor profit and a per-visitor loss. You are in the latter situation, it's only a matter of time before you decide to stop subsidizing it, or at the very least stop improving the site and attracting more visitors so they can't bankrupt you as quickly.
For every badly targeted ad, a dozen well-targeted ones go through and occasionally lead to a purchase. It's also a self-correcting pro
Browser (Score:2)
Re: (Score:2)
There can be and it's a really great idea! I currently use the CookieAutoDelete extension, and while I hate its shitty UI, it does what I want: unless I have whitelisted the domain, any cookies it offers get deleted a little while after closing the tab. So if I want long-term cookies for someone (e.g. slashdot.org, to stay logged-in all the time), I got 'em. If I don't go out of my way to whitelist a site, whatever cookies it sent, go away in a few minutes.
Web browsers ought to be able to do that out-of-the
Re: (Score:2)
Firefox has an option to delete cookies when you quit the browser.
The Desktop (Linux) version of Firefox also has the additional option to specify exceptions to this deletion for specific sites. Unfortunately the Android version of Firefox does not have this option (or I couldn't get it to work).
Cookies and site data (local storage) are treated the same (since a site can store a user identifier in local storage). Local storage is a great way for a website to store personal data. It avoids tracking an
Re: (Score:2)
\o/ (Score:1)
Speak for yourself, I wrote a bookmarklet to click the FU checkbox on 650 cookie and partner options.
This site stalks you NOT this site uses cookies (Score:2)
Everyone says cookies as a distraction to obfuscate what they are doing. Cookies are merely a modality. There is nothing specific to cookies in GDPR. They are merely listed in the text as a modality for underlying behavior of collection/stalking.
Instead of "is it ok if we stalk you?" it becomes "is it ok if we install a cookie (to stalk you)" and the press turns this into a cookie law. What should be banned is any mention of technical terms like cookies which only serve to confuse and distract users fro
The solution is not to scrap, it's to correct (Score:2)
This is a shill using the moment to scrap a regulation they don't like.
The solution to the annoyance of banners is making mandatory the presence of a "no consent" button, and making it the default choice if the user does not act. The banner should also not be shown more than once per session, so you don't have those popups repeatedly trying to get you to reverse your "no" decision.
And then, make ad-blocker-excluding websites illegal, and mandate the banners to accept the ad-blocker saying "no consent" automatical
This is not the funny you were looking for (Score:2)
The Funny I was looking for would probably have made it clear how this law is supposed to have messed up the Internet. Near as I can tell, the cookie warnings are mess-neutral. The Web was a colossal mess before the law appeared and it's still a colossal mess now.
I'm even willing to bet that the Internet will remain a colossal mess as long as we humans last. So will our AI replacements bother to fix the Web? I wouldn't bet on that.
Wrong. (Score:2)
The Internet was "messed up" before. Yeah, those cookie regulations are silly and obviously written by people overwhelmed with computers and digital networks, but fixing them would take 5 minutes and this bizarre cookie pop-up nonsense would vanish overnight.
Cross domain de-anonymizing tracking is prohibited.
There, fixed the law. No more pointless cookie bullshit.
As for the Internet: De-centralized crypto signed DNS as a replacement for the existing DNS. There, Internet fixed.
Customer protection laws need to be watertight (Score:2)
The problem with customer protection laws is, that companies are working actively against them. Nobody ever demanded cookie banners. All necessary data processing is allowed without one.
They are a way to claim that users would have asked you to mine their data so you can justify your data mining which would normally be against the law. The first court that ruled cookie banners to be a valid form of consent made the fatal mistake. Just as courts don't rule hidden clauses in contracts to be effective, they sho
Stupid (Score:2)
Stupid rule that accomplishes nothing (Score:2)
Cookies are just one of a hundred ways a web developer can store session information about you. Local storage, session storage, IndexedDB, javascript variables, not to mention server-side session storage. Picking on cookies specifically, was boneheaded and ineffective in the first place.