Europe's Cookie Nightmare is Crumbling (theverge.com) 126
The EU's cookie consent policies have been an annoying and unavoidable part of browsing the web in Europe since their introduction in 2018. But the cookie nightmare is about to crumble thanks to some big proposed changes announced by the European Commission today. From a report: Instead of having to click accept or reject on a cookie pop-up for every website you visit in Europe, the EU is preparing to enforce rules that will allow users to set their preferences for cookies at the browser level. "People can set their privacy preferences centrally -- for example via the browser -- and websites must respect them," says the EU. "This will drastically simplify users' online experience."
This key change is part of a new Digital Package of proposals to simplify the EU's digital rules, and will initially see cookie prompts change to be a simplified yes or no single-click prompt ahead of the "technological solutions" eventually coming to browsers. Websites will be required to respect cookie choices for at least six months, and the EU also wants website owners to not use cookie banners for "harmless uses" like counting website visits, to lessen the amount of pop-ups.
Finally… (Score:1, Insightful)
It took 18 years of pointless clicking for bureaucrats to finally notice that they chose the worst implementation possible of cookie control.
Re: (Score:3)
It was never even about cookies to begin with, it was about preventing tracking without consent. So they just incentivized big tech to switch to a different tracking technology and didn't address the real problem. Go figure.
Re:Finally (Score:1)
Track me without my consent! I don't give a fuck!
...
Mom's basement
...
Mom's basement
...
Mom's basement
...
Re: (Score:1)
Nope. Sitting in bed at home. Been here all day. I will be here all day tomorrow too. Thursday will be more of the same, except when I go to a doctor appointment. Real exciting stuff.
Re: (Score:2)
Track me without my consent! I don't give a fuck!
I don't consider myself to be an important enough person for any corporation to care what I do online or IRL. I don't use any ad blockers or block any cookies, in the hopes that they'll harvest enough data to start serving me ads for things I want to buy. (They don't.)
Re: (Score:2)
Well, if you do not want basic human rights, that is, surprise!, a freedom you do not have. You get them even if you are dumb enough to not want them. For example, you cannot consent to be killed outside of very limited circumstances. And that is a good thing.
Re: (Score:2)
Re: (Score:2)
Untrue. This derives from the GDPR and the GDPR requires informed consent for storage and processing of any PII. Cookies are not in the GDPR at all. They may be in directives, but only as examples.
Re: (Score:2)
Re: (Score:2)
Your reference does not say what you apparently think it says.
Re: (Score:2)
Cookies are not in the GDPR at all.
Thank you, come again. [gdpr-info.eu]
As you can see, the claim "Cookies are not in the GDPR" is patently false. Don't try to defend this, it will make you look dumber than you already do.
Now, as for what I "apparently think it says" (I love your mind-reading abilities, here) let's just address what it does actually say about cookies, that thing you claim is not in the GDPR at all.
It says that they:
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
This means, quite clearly, that if the data they reference is "Personal Information", then they too are Personal Inform
Re: (Score:2)
Here is an HTML version of the GDPR, so it is searchable: https://eur-lex.europa.eu/lega... [europa.eu]
Note that this is the official version from EUR-Lex, or as official a "translation" to HTML can get.
Please tell me where this "Recital" you reference is located in the official text? Please tell me where the word "cookie" is located in the official text?
You may also refer to the footnote in your reference: "* This title is an unofficial description."
So, no cookies are NOT mentioned in the GDPR.
Re: (Score:2)
You can't ignore recitals. They're intimately bound to the regulation.
The CJEU will use recitals to determine the spirit of the regulation, and what its intents are.
Member states are free to incorporate them into implementing statutes, but don't have to. Courts will still use the recitals wherever the statute lacks context, however.
You're a citizen of an EU member state, and you don't know what recitals are in the context of EU regulations?
Re: (Score:2)
Bullshit. My claim was "Cookies are not even mentioned in the GDPR". That claim is accurate. And that is the regulation part.
Obviously, any judgments regarding concrete technologies will refer to concrete technologies and comments on them. But these comments will be checked for validity by the court. Same for derived national laws. Recitals are nothing more than comments. They are NOT part of the regulation.
Oh, and: https://www.europarl.europa.eu... [europa.eu]
Seriously, why can you assholes not admit when you are flat o
Re: (Score:2)
Bullshit. My claim was "Cookies are not even mentioned in the GDPR". That claim is accurate. And that is the regulation part.
Incorrect. See linked PDF. See header.
The recitals are part of the regulation.
Oh, and: https://www.europarl.europa.eu... [europarl.europa.eu] [europa.eu]
Correct. That should have been clear to you in what I said.
They are not binding directives- they are for the courts to determine the spirit of the law- i.e., they are integral to its application.
You literally don't understand your own justice system- that's fucking awesome. I had suspected, but now it's clear as day for everyone to see. I thank you for that.
Re: (Score:2)
Enjoy your newfound enlightenment. [fabianbohnenberger.com]
Re: (Score:1, Troll)
Isn't it nice having politicians insert themselves on technical issues for the users? I know that I really love it.
Re: (Score:2)
It took 18 years of pointless clicking for bureaucrats to finally notice that they chose the worst implementation possible of cookie control.
Getting policy right is hard. Sometimes you need to prepare a mindset change or test out an approach, though certainly there are things that fail miserably due to unintended consequences. See this like developing software, but instead it is policy.
What will be interesting is how long before the W3C comes up with a solution that can work across browsers and websites, and then how long before it gets adopted by browsers and websites.
Re:Finally… (Score:5, Insightful)
The GDPR does not mandate cookie notices. Cookie notices are malicious compliance by the surveillance-driven adtech industry.
If you are not tracking people, you don't need a cookie notice. Period.
If you are only using first-party cookies for functional reasons, you don't need a cookie notice. Period.
If you are using third-party cookies to track people and share their data with others, then you must have their consent to do so. Even then, the law does not mandate a cookie notice.
So, how would you comply with EU law without a cookie notice if your aim wasn't malicious compliance?
(a) You would not track people by default.
(b) People would have to go to your website's settings and turn on third-party tracking if they want that "feature".
(c) Boom! Done! No cookie notice necessary.
What's that you say? It would destroy your business because your business is founded on the fundamental mechanic of violating people's privacy? Good. Your business doesn't deserve to exist.
The real bullshit here is not a EU law that protects the basic human right to privacy. It is the toxic Big Tech business model of farming people for data and violating everyone's privacy.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The GDPR does not mandate cookie notices.
Thanks for telling us you have no clue what you're talking about. The GDPR has nothing, ZERO to do with cookie popups, and cookies are not mentioned anywhere in the nearly 100 pages of GDPR legislation.
Cookie popups are related to the ePrivacy Directive which was passed in 2002 and predate the GDPR by a decade and a half. Europe had cookie popups long before anyone even proposed the GDPR.
The EU's cookie policy is only annoying because advertising companies are deliberately making it annoying.
False. The advertising companies don't deliberately make it annoying. They just make it because they are forced to in ord
Re: (Score:3)
The advertising companies don't deliberately make it annoying. They just make it because they are forced to in order to continue to do what they do
There are quite a few companies that you don't see any sort of notice on because they do not want to store cookies on your computer unless you sign up for an account, then that sort of consent is implicit. Companies want to track you, store data on your PC, and keep it there for long times in exchange for letting you read some content someone posted years ago. The EU legislation requires them to make it explicit when they do this.
Advertising companies are forced to 'make it annoying' because their e
Re: (Score:2)
Re: (Score:2)
The well-intentioned but incompetently written mess is so fucked that you need to look up the current list of "exempted cookie types" (as if that even made fucking sense) to see if the data you're storing along with your session cookie requires explicit consent
The end run is, there is almost certainly something on your dynamic site that does.
An argument can be made that "well you don't have to have a pop-up when you first come to the page", and you're right.
You don't.
However, nobody wants to
Re: Finally… (Score:2)
Cookie popups appeared on EU websites only 7-ish years ago, not 20+-ish.
I should know, I live there. And I was around since a lot longer than 2002 or 2018.
Re: (Score:2)
The 2002 directive set the need for consent (hide it in the EULA). 2009 directive update set the need for informed consent (put a banner on the bottom of your page). The GDPR required explicit consent (pop-ups, baby)
The original sin is still the 2002 directive, however.
It was never suitably narrow enough in scope to target actual bad behavior, and scooped up 85% of the internet's normal non-bad behavior into what it regulated, and they still don't even understand how
Re: (Score:2)
If GDPR had been properly enforced, the current style of cookie banners should have been blocked from the start.
Recital 32 states that consent cannot be forced or coerced. Putting up a big banner that obscures half the page is coercion. Making it more clicks to opt out than to accept is coercion, and what's more GDPR clearly says that everything must be opt in, not out.
Re: (Score:2)
If GDPR had been properly written, the current style of cookie banners should have been unnecessary from the start.
FTFY.
This is a classical case of what happens when non-experts try to make rules for things they don't understand.
You're a common case of people who would do the same thing for the same reasons if you had their power.
Cookie popups exist because the regulation did not understand how websites fundamentally work. The subsequent tuning tries to fix it, but there's only one fix really- throw it away and re-write it with competence.
Re: (Score:2)
It's the opposite. The rules are well written by people who understand the issues. It's the regulators and courts that have had problems understanding.
Re: (Score:2)
Both the directive and GDPR are well-meaning, and I support that which they are attempting to achieve.
But the fact is, the politicians should target bad behavior, not try to define what is strictly necessary.
It is because of this list that anyone concerned with compliance and not just throwing up a blanket consent pop-up must stay apprised of what is curren
Re: (Score:2)
The rational response is to either not stalk users, or to have a small checkbox somewhere that lets them opt in to the privacy invasion.
Re: (Score:2)
80% of the fucking internet have these pop-ups, because completely non-stalking behavior is included in the not strictly necessary behavior.
This means that basic features that need to be opt-in need to be implemented as a checkbox when the feature is enabled, or just a catch-all when you first come to the site.
The latter is easier than the former, and so that is what people do.
Accusing the entirety of the internet of stalking you is the dumbest fucking shit I've heard
Re: (Score:2)
That's all fine, but like so many things in life the issue is perception rather than reality - specifically, the perception of risk.
More specifically, it's Google Analytics.
If you ask two people about whether the use of Google Analytics counts as requiring notification and opt-out, you will get two different answers. Ask 10 people, you'll get 10 different answers. Given the existence of drive-by-lawyers who will check for any cookie usage and throw a lawsuit at you to see what sticks (not common, but everyo
Re:Finally… (Score:5, Insightful)
It's not misinformation. The vast majority of websites you go to ARE NOT sites you have logged into. When creating an account you can easily opt in or opt out at the same time you're giving your own personal details. There are very few websites I go to (none in fact) where I click a preference and want it to be saved in a cookie where I have not logged in, and if I created an account I, again, can give consent when I create my account, and I *never get asked again*.
Of course you need to ask for consent. It does address third party cookies and tracking consent as well, except that most companies don't follow it, most websites list ~600 plus third parties, and the average user doesn't give two shits about their privacy.
Why the hell would I want a developer from a random website saving shit on my hard disk that I didn't explicitly consent to?? I know the internet has gotten shit but I can't believe people want to remove one of the few positive privacy things that have come out in recent years.
Re: (Score:2)
Re: (Score:2)
You literally didn't even refute my point.
If your session cookie includes- for example, the option to "not have to log in next time I visit", then it requires a cookie consent.
This is well known to everyone who develops this and has to have had instruction on GDPR compliance.
Again, I thank you for your misinformation.
Re: (Score:2)
Newsflash: The "bureaucrats" did not choose any implementation. The GDPR does not mention any specific tech. There are no laws or regulations requiring any specific technology or implementation.
This is 100% on the web-tech industry which chose to select the most annoying implementation they could. They were in no way forced to do that. All that is required is that any form of PII can only be stored and processed with informed consent and that behavior data is PII. And that is it. For most sites, they could h
Re: (Score:2)
The GDPR does not mention any specific tech.
Incorrect. It actually lists cookies explicitly as a user identifier, and thus personal information.
You are part of the problem. Trying to wish the law was what you want it to be doesn't make it that.
Fck the EU (Score:1)
They screwed it up the first time, now they are doing it again. There are already http headers for do not track and it is a standard. Just force websites to respect that under threat of enormous penalties, that is all that is needed!
Re: (Score:2)
There are already http headers for do not track and it is a standard. Just force websites to respect that under threat of enormous penalties, that is all that is needed!
Of course, they can make that as annoying as heck too. In fact, during the past few weeks I've visited multiple websites that have apparently decided it's a good idea for them to tell me (via a raised notification I have to manually dismiss) that they are honoring my browser's enabled "do not track" setting.
Re: (Score:2)
Forget cookie consent, now they will just force sites to verify your identity and record your explicit consent to be tracked, while also tying this to your national identification number and keeping these records for 7 years.
Re: (Score:2)
No. The EU did nothing of the sort. The GDPR only (!) states that behavior data is PII and that storing and processing of PII requires informed consent. Period. The current mess is 100% on the web-tech makers. Specific technologies (like cookies) are not even mentioned in the GDPR. They can show up in legal decisions as to whether a specific technology fulfills the GDPR requirements, but that is it. The EU has made zero specific tech requirements.
The proposed changes are simply allowing more generic consent
This Was Already Possible (Score:3)
This was already largely possible thanks to add-ons, which actually prevent the browser from ever sending cookies to that domain unless I explicitly authorize it. That's vastly preferable to the EU method of specifying which cookies I want to send and then hoping that the web site abides by that preference instead of just collecting everything due to a "bug that affected a small number of users".
The problem with the EU approach to cookie management is that every fucking web site throws up a banner that they collect cookies and then asks for your cookie preference. And the answer to that question is saved... in a cookie! So when you block all cookies to that domain using an add-on, you get that banner on every...fucking...page. This is an objectively worse experience than I had before and I don't even live in the fucking EU!
Re: (Score:2)
This was already largely possible thanks to add-ons, which actually prevent the browser from ever sending cookies to that domain unless I explicitly authorize it.
Managing cookies on a domain level is wildly inaccurate and messy compared to managing cookies by classification of how they impact you.
hoping that the web site abides by that preference instead of just collecting everything due to a "bug that affected a small number of users".
Bugs that affect a small number of users are a great euphemism for "oh fuck oh fuck oh fuck we're about to get fined... but it's okay I'm sure Americans will just say it's unfair that we break EU laws and that the EU is in the wrong".
And the answer to that question is saved... in a cookie! So when you block all cookies to that domain using an add-on, you get that banner on every...fucking...page.
I'm glad you discovered the problem with your approach. The domain tells you nothing about the functionality or the necessity of a cookie. It'
Re: (Score:2)
the real point is that you should never be accepting the notice. The consent button means "we are doing something evil with your data, which you wouldn't agree to if you knew what it was. So we have to ask your permission". Good websites simply don't need the cookie consent, because they don't do 3rd party tracking.
It is completely avoidable (Score:1)
Just don't track your users and send the data to a gazillion other parties. (Or let shady companies like Google or Facebook do the tracking of your visitors for you.)
Welcome back Do Not Track header (Score:1)
DNT was proposed in 2009, implemented by most browsers within a couple iterations. Microsoft famously poisoned-pilled their implementation to kill it by making it the default, which gave advertisers an excuse to claim people didn't really mean to set it, and ignore it.
It always needed the force of law to work.
Note that I am fully confident that the fine professionals in the EC will find some way to make this stupidly intrus
Re: (Score:2)
I think Microsoft gets too much blame for this. The assumption that most users won't want to be tracked is not that far off and they asked them and just included a user friendly default. The advertisers just looked for a reason to ignore it and that was the first one in reach. If it wasn't for Microsoft, they would have found some other reason why they ignore DNT.
Re: (Score:2)
I think Microsoft never gets enough blame for all the crap they do. They basically only do not fuck up things for the user when they overlook something.
Re: Welcome back Do Not Track header (Score:2)
The problem with DNT is that it's too generic and that it's just a voluntary convention, not enforced in any way.
Because it's called Do Not TRACK, it allows companies to wiggle out of any rules. Is performance measurement tracking? Is screen capturing for session replays tracking? Is it? Is it?? Well, you say yes, we say no. We'll see you in the court of law in 10 years.
Easy get out of jail card. Too easy. Even if it was respected at all (it's not).
Re:Welcome back Do Not Track header (Score:4, Interesting)
Microsoft famously poisoned-pilled their implementation to kill it by making it the default, which gave advertisers an excuse to claim people didn't really mean to set it, and ignore it.
This is bullshit.
First, do you realize what a ridiculous kind of "standard" DNT is? Advertisers promise to honor it, as long as users promise not to use it. This is a real life Catch 22, and nobody should defend it.
The issue is worse though: the DNT "standard" wasn't ever intended to stop tracking. It was intended to sabotage other proposals submitted to the W3C who would have had an impact on Google's bottom line. From this point of view it succeeded brilliantly.
At the time tracking was considered an important issue and some reasonably effective solutions were submitted for standardization. One of them, for example, boiled down to embedding functionality equivalent to AdBlock directly in browsers. That was a customer-facing design, because it would have left the choice to customers, and stopped browsers from contacting malicious tracing sites completely.
Google realized the danger and invented DNT. DNT is a terrible technical solution, and its problems were well understood at the time. Here are some issues:
- there is no way to enforce DNT against a non-cooperating site
- there is no way to find out in advance whether some site honors DNT or not
- there is no way to even find out whether some particular request resulted in your being tracked
- the feature is opt-out for tracking - an underhanded ploy to take advantage of less knowledgeable users, thus favoring the ad sellers. A standard intended to protect customers should default to more protection, not less.
Google bulldozed the alleged standard through the W3C with great fanfare, leveraging its membership in the Digital Advertising Alliance and requesting Mozilla to support the proposal (Mozilla was getting good money from Google at the time, so they embraced the DNT scam, principles be damned). Of course, DNT was a failure in the market place, as expected. But it did succeed at its real goal, which was to bury all competing standard proposals which would have benefited customers.
As a proof of the deep duplicity of Google in regards to DNT, consider that Google never honored it, even though it was their own proposal.
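Added example (not part of any comment in this thread): how a cooperating server could honor the `DNT: 1` request header together with the default-off, settings-page opt-in described earlier in the thread. The cookie names, the `tracking_opt_in` cookie and the catalogue are assumptions made for illustration; nothing in the protocol lets a client verify that a site actually behaves this way.

```javascript
// Constructed cookie catalogue for a hypothetical site. The "tracking" flag is
// this example's own classification (an assumption), not a legal determination.
const CATALOGUE = [
  { name: 'session', tracking: false, maxAge: null },      // ends with the browser session
  { name: 'lang', tracking: false, maxAge: 180 * 86400 },  // first-party UI preference
  { name: 'ad_id', tracking: true, maxAge: 390 * 86400 },  // cross-site identifier
];

// Hypothetical first-party cookie, written only by the site's settings page
// when the user deliberately switches tracking on.
const OPT_IN_COOKIE = 'tracking_opt_in';

// Case-insensitive lookup in a plain header object.
function getHeader(headers, name) {
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === name) return String(value).trim();
  }
  return undefined;
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(cookieHeader) {
  const jar = Object.create(null);
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Default deny. DNT: 1 vetoes tracking even if an old opt-in is on record,
// and a refusal never needs a cookie to be remembered.
function trackingDecision(headers) {
  const jar = parseCookies(getHeader(headers, 'cookie'));
  if (getHeader(headers, 'dnt') === '1') {
    return { allowed: false, reason: 'browser sent DNT: 1' };
  }
  if (jar[OPT_IN_COOKIE] === '1') {
    return { allowed: true, reason: 'user opted in via site settings' };
  }
  return { allowed: false, reason: 'no opt-in on record (default off)' };
}

// Build the Set-Cookie header values for one response.
function buildSetCookies(headers, values) {
  const decision = trackingDecision(headers);
  const jar = parseCookies(getHeader(headers, 'cookie'));
  const attrs = '; Path=/; Secure; HttpOnly; SameSite=Lax';
  const setCookie = [];
  for (const c of CATALOGUE) {
    if (c.tracking && !decision.allowed) {
      // Revocation: delete a tracking cookie left over from an earlier opt-in.
      if (c.name in jar) setCookie.push(`${c.name}=; Max-Age=0${attrs}`);
      continue;
    }
    if (!Object.prototype.hasOwnProperty.call(values, c.name)) continue;
    const age = c.maxAge === null ? '' : `; Max-Age=${c.maxAge}`;
    setCookie.push(`${c.name}=${encodeURIComponent(values[c.name])}${age}${attrs}`);
  }
  return { decision, setCookie };
}

// Constructed sample values and requests.
const SAMPLE_VALUES = { session: 's-123', lang: 'en', ad_id: 'u-789' };
const SAMPLE_REQUESTS = [
  {},                                                       // first visit, no header
  { Cookie: 'tracking_opt_in=1' },                          // opted in via settings
  { DNT: '1', Cookie: 'tracking_opt_in=1; ad_id=u-789' },   // later enabled DNT
];
for (const req of SAMPLE_REQUESTS) {
  const { decision, setCookie } = buildSetCookies(req, SAMPLE_VALUES);
  console.log(decision.reason, setCookie);
}
```

Because a refusal is the stateless default, a visitor who blocks all cookies for the domain is never asked again on each page; only the opt-in needs storage.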
Re: (Score:2)
Note that I am fully confident that the fine professionals in the EC will find some way to make this stupidly intrusive and annoying as well as cost a crazy amount of money to implement. I believe in them.
You are mistaken. The GDPR does not even mention cookies or any other specific technology. It merely requires informed consent for any PII storage or processing. The implementation that so annoys you is 100% on web-tech makers. In other words, the industry failed to find a good solution for following the law. That is not the fault of the law. Good solutions would have been entirely possible. My take is the current solution was selected to try to coerce EU lawmakers.
Re: (Score:2)
Re: (Score:2)
No, I merely have some experience as a GDPR auditor. You seem to lack that.
Re: (Score:2)
Thanks for explaining yourself.
Re: (Score:2)
My take is that you are just lying now.
Websites "must" respect them (Score:3)
I hope by "must" it means that browsers are going to enforce it.
Why do the websites have the authority in the first place to tell your browser what cookies to store? This is 100% on browsers to restrict what websites can do with cookies. Websites should be able to do anything they are allowed to do. Malicious websites are not going to respect any legal rules.
Re: (Score:2)
Why do the websites have the authority in the first place to tell your browser what cookies to store? This is 100% on browsers to restrict what websites can do with cookies.
Firefox has offered this ability for, like, 20 years. And, 20 years later, it is still the only significant browser to do so.
Safari does block third-party cookies by default - which is certainly a good thing, but still not quite there.
Re: (Score:2)
A good browser will claim to go ahead and store the cookie, but not actually store anything.
Don't even bother with the whole permissions thing at all.
Re: (Score:2)
You really have not looked at the facts, have you? The thing is, the GDPR does not even mention cookies or any other specific tech. It simply states that tracking data for user behavior is PII and storage and processing of PII requires informed consent and must be default-off.
And how will that happen? (Score:2)
"People can set their privacy preferences centrally -- for example via the browser -- and websites must respect them"
And how exactly will that happen? Will preferences be set at the browser level for doubleclick, google, etc? Do we expect joe sixpack to understand how to do this?
I'm not sure this is any better.
Re: (Score:2)
"Joe Sixpack" might be a nuclear engineer, brain surgeon, or astronaut - i.e. much smarter than you or your typical code monkey - who just doesn't care about the details of the OS, and just wants a simple solution to his annoyance.
Insulting them and thinking because you know how cookies work and they don't makes them an object of derision is why IT and computer people are held in such low esteem.
Grow up, script kiddie.
Re: (Score:2)
Dude, it's not an "insult". It's a generic term for "people who don't understand how cookies work". Insulting me doesn't help your argument either.
I'm arguing that this will not be a simple solution once implemented. Sure, lots of people understand how to allow or deny cookies. But this solution seems like you'll have to do that for every site regardless. Either that or a default deny, as another poster suggested, and then users get asked - and then we're right back to where we started.
This very much on the
Re: (Score:2)
This is really simple: Default-deny is the law. So a browser must be delivered with all site permissions off. Then when a site is visited that wants to track, the user gets asked.
Re: (Score:2)
And they get asked for every site that wants to place a cookie?
Now we're right back to where we started...
Re: (Score:2)
No, we are not. There are more options than doing this for each specific site. Some insight required.
No Cookies Needed for Most Website Usage (Score:1)
Re: (Score:2)
Indeed. And simple things that cannot really be used for tracking are allowed. The GDPR only states that tracking data is PII and PII can only be stored or processed with informed consent. Most session-local cookies are entirely unproblematic. Most site-specific cookies are unproblematic. The problem is 3rd party cookies and long-term persistent cookies.
Only cookie nightmare is NO cookie! (Score:3, Funny)
Website must respect them...right. (Score:2)
Re: (Score:2)
Look at which sites have cookie banners for EU users. They obviously care. The idea that the EU would not be relevant is simple and mostly wrong, because you would need to stop all business in the EU, what many sites can't do and won't want to do.
Re: (Score:2)
Gets a bit difficult if you cannot travel to any EU country or any country with an extradition treaty with the EU anymore, does it? But that is only the last step and was never needed so far. The steps before are huge fines and then a prohibition to do any sort of business in the EU that involves any personal data. These have both happened.
Malicious compliance (Score:2)
Whenever a government tries to force companies to do something they don't like, companies respond by doing it in the most cumbersome and awful way possible, hoping that the public will get so angry that they force a change in policy
Completely wrong framing (Score:5, Insightful)
The law never demanded cookie banners.
The law demanded you not to store personal data, except you need it to provide the service for the user.
This means your login cookie does not need consent, neither does storing the e-mail address at newsletter signup need a banner (because the sign up button agrees to the use of the address if it is only used for the newsletter).
Why are there the banners? Because they tricked you! The user clicks the banner, in the best case for the site owner with "accept all" and then the site owner argues "The user WANTED to be tracked".
The peak of this is the pay-or-okay pattern in which a website provides a pay option (often more an alibi option to be able to use pay-or-okay without relying on making money with the pay option) and full "consent" as alternative to paying. While the usual banner must provide opt-out options, the pay-or-okay banner doesn't have to. If you click "Agree to tracking to read for free" they claim you had the choice to get the same content without agreeing, as they are allowed to charge for the content.
Is the nightmare crumbling? No, the privacy is. The proposed changes will weaken the privacy law and allow to use data under certain circumstances without user consent. So you may indeed see fewer banners, but that only means that they are now allowed again to sell your data without asking.
Finally, will you see fewer banners? That's unlikely, because the tracking ad model is so technically and legally complicated and involving literally thousands of companies, as your visit decides which companies will show you ads without the site owner knowing before which ones will be chosen, that it would be a large legal risk for site owners not to keep using the banners they are using now.
The possible outcome: You see the same banners, but have fewer opt-out options and certain companies claim they have "legitimate interest" and similar reasons to get your data even if you never receive any benefit for it.
And there is already a technical opt-out, which is *ignored* by the tracking companies: https://en.wikipedia.org/wiki/... [wikipedia.org]
Do you really think they will follow the new one? If it is legally binding, the new "consent" banner will read "Please instruct your browser to allow tracking", or they will try to have banners "Your browser disallows tracking, but as we provide valuable service you want to agree to *our* tracking nevertheless, don't you? Please click 'ignore my browser options and agree to all' to continue".
The only option to end tracking is to make it illegal to use the data. Let's say advertisers are forbidden to personalize ads. Every user needs to get the same ads (which are allowed to be tailored to the content shown). Then companies would stop paying for data and so would advertisers stop demanding site owners to collect data and they could remove the cookie banners, because cookies (and other tracking) would no longer be necessary for the advertisers to pay in full.
Re: (Score:2)
Alternative to end forced consent: Enforce the *informed* part of "informed consent". For each tracking service the user agrees to, the "save my choices" button needs to be delayed by another 10 minutes the user will need to actually read the privacy policy (and most privacy policies and their legalese would need more time) to be able to give *informed* consent. With the usual 200-1000 tracking companies that want consent, the cookie banner would be infeasible.
Re: (Score:2)
> This means your login cookie does not need consent
A login cookie doesn't need consent, but it does need explicit information to the user. Yes a popup is required for any session tracking cookies. What isn't required is an opt-out mechanism.
> Why are there the banners? Because they tricked you!
No one is being tricked here. The banners are explicit in their intent and outcome (and actually dark pattern banners are illegal). The reason the banners exist is because tracking companies don't stop tracking just because they were told they need to ask for consent. They just ask knowing users will mash any button on t
Re: (Score:2)
Indeed. It is funny how little the people screaming loudest know. The GDPR specifically requires informed consent for any form of storage and processing of personal information and behavior tracking is personal information. And that is it. There are no laws or regulations even mentioning cookies.
Re: (Score:2)
> There are no laws or regulations even mentioning cookies.
Yes. And in turn the laws are phrased that they basically cover a lot of fingerprinting as well, that's why the "cookie" banners mention the use of such techniques if you actually try to read them. In the end, the companies know the law and how close they are to breaking them. Let one of them get successfully sued for it and all cookie banners will change. It already happened once when Google were sued to add a reject all button and now most bann
Re: Completely wrong framing (Score:2)
So any website that wants to know if people actually read the articles or whether they clicked a link in order to A/B test the site needs a banner. That's pretty much any website that is being run for commercial purposes.
Re: (Score:2)
You can even do your own user counting. You just can't give the data to other companies or track users without them opting in.
And I'm okay with people having to voluntarily participate in tests. In the best case paid.
Re: Completely wrong framing (Score:2)
The law doesn't just apply to cookies. It applies to any tracking of data that might be used to identify a person, even if the data itself is anonymized.
Re: (Score:2)
Indeed, the law is about processing data that can be personally identifying (e.g. IPs are not PII by themselves, but your provider knows who had the IP, which makes it PII). This means it doesn't really talk about cookies, but covers more generally fingerprinting and so on as well.
Simple setting is all we need (Score:3)
1. Disable all 3rd party cookies. Permanently.
2. Always allow strictly necessary cookies only.
That's it. That's the only setting we need.
Re: (Score:2)
How you define "strictly necessary" is probably different from what the web developer defines as "strictly necessary."
Re: Simple setting is all we need (Score:2)
Trust me. Web developers don't define cookies at all. They have no clue what cookies run and where. They just stitch requested functionality together from readily available external libraries, slap a cookie notice on top "just to be safe" and ship to production.
Just get an extension (Score:2)
f.ex. "I don't care about cookies", like everybody else did after the 100th click.
People seem to have forgotten.... (Score:2)
The original idea of the legislation was that tracking should be forbidden. Then some smart corporate lawyers said "but what if people want to be tracked?" - OK then but they have to give explicit consent... Fast forward and we have "consent or pay to opt out" and "by looking at this page you consent to us spying on you for whatever purpose we want and exploiting the resulting data in any way we please" - ok the second one is made up...
Exemptions (Score:2)
> having to click accept or reject on a cookie pop-up for every website you visit in Europe,
Not quite, there are exemptions in the cookie directive. No consent is required for session cookies, and even for analytics cookies if things are done correctly (i.e. not with a GAFA partner).
Hyperbole much? What "nightmare"? (Score:3)
Since when is a minor annoyance a "nightmare"?
Advertising revenue (Score:2)
Re: (Score:2)
Not sure why you're being downvoted.
Your take on EU's DSA/DMA/KYC and what else is not wrong, but it started in the US with the PATRIOT Act (or even earlier?). The US drives the surveillance in pair with EU. The US does "full take" of internet traffic. Both parties suck.
Re:The EU is too busy making rules for everyone el (Score:4, Insightful)
> Not sure why you're being downvoted
Probably because it's factually incorrect and precisely no EU rules apply outside of the EU or to companies which don't do business in the EU.
Re: (Score:2)
That is incorrect. These rules apply to anybody that does business with EU citizens or stores or processes data of EU citizens, even if that happens outside of the EU. Sure, if it is >99% non-EU citizens and just the occasional EU citizen in there and all business is in all aspects done outside of the EU and you never plan to ever do business in the EU, complaints will not be successful. But as soon as, say, an EU citizen can sign on to your website from the EU, you are affected.
Re: (Score:2)
> That is incorrect. These rules apply to anybody that does business with EU citizens or stores or processes data of EU citizens, even if that happens outside of the EU.
False. It applies to EU residents. If you are an EU citizen and you live in America, Facebook et al don't need to give a shit about EU laws when dealing with you.
Re: (Score:2)
False. Precisely none of the EU regulations apply outside the EU. If you want to do business in the EU, follow their rules, if you don't want to then don't. You're more than welcome to ignore that massive market.
Just don't be a French company like Amazon S.a.r.l, or an Irish company like Apple Operations Europe Ltd, or Apple International Sales Ltd, or a German company like Microsoft Deutschland GmbH. You're free to not be a multinational and then you don't need to comply with any EU rules (which again, app
Re:The EU is too busy making rules for everyone el (Score:5, Insightful)
What a load of insightless nonsense. The basis of all this happens to be Human Rights. That the EU does not (unlike the US) ignore those is a good thing.
Re: (Score:3)
The Stockholm Syndrome is strong with this one! hahaha
Re: (Score:2)
A little of this is right, most is completely wrong.
> EU regulators do not negotiate as equals; they threaten existential penalties, knowing most companies will kneel to protect European revenue.
Why on Earth would they negotiate as equals when they aren't? EU is the government of Europe (it shares that function with national governments). Its literal job is to make laws that govern Europe. For companies that do business in Europe, their job is to follow these laws, or face penalties set out in the above mentioned laws. Whether these laws are good, i.e. if they benefit the citizens of Europe, is another question, but in this case I believe the
Re: (Score:2)
There are no laws or regulations requiring consent for cookies in Europe. The GDPR requires informed consent for any form of tracking, without specifying what tech is used. Try to keep up.