The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.
"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be.
https://www.techspot.com/news/108043-german-court-takes-stan...
Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.
Not a radical idea. The EU is already working on it.
> […] the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website.
DNT header already does this. Explicit denial of consent. Reaches their servers before everything else so they have no excuse and zero room for maneuvering.
Now the EU just needs to turn it into an actual liability for corporations. Otherwise it will remain as an additional bit of entropy for tracking.
They can't. The website may very well do the opposite of the preference DNT signals. Meanwhile, proving in a court of law that the tracking still happens will be hard.
Services should be denied the capacity to track and fingerprint, not just told about a preference against it.
DNT will always be an "evil bit", regardless of any law behind it.
> They can't. The website may very well do the opposite of the preference DNT signals. Meanwhile, proving in a court of law that the tracking still happens will be hard.
Its not hard when it comes to any website of note, large companies can't easily hide what their computers are doing really, if they have code that tracks people it is gonna be found.
DNT is considered deprecated in favor of GPC, which has legal backing in places with internet privacy laws. Funnily, Chrome still supports DNT but you need an extension to send a GPC header. Almost like the advertisement company wouldn't want people enabling legal privacy protections.
GPC compliance is already the law in California. I don’t know why the EU has been so slow at making it legally binding. That said, existing cookie popups that don’t have “Reject All” as prominently placed as “Accept All” are already illegal but widespread, in no small part due to deliberate sabotage by the Irish DPA, so don’t expect GPC compliance to fare any better until consumer rights associations like NOYB.eu are allowed to initiate direct enforcement actions.
The fact that it was turned on by default in edge really hurt it as an argument under these laws, because it then turned into a 'well we don't know the user actually selected this' thing. Making it explicitly have the force of law regardless would still be a good thing, though.
No, this wrong. The law says that by default you can't process personal data, unless the user gave consent. That setting matched both the expectation of users and the default as specified by the law.
The story that advertisers don't know what users selected and that somehow allows them to track the user is disingenous.
It doesn't allow them to track, but it does allow them to more convincingly argue that they can nag them about it (I think some regulators in some EU countries have rejected this, but I don't think this is universal). i.e. it makes it ineffective as a means of stopping the annoying pop-ups. Because the companies are basically belligerent about it there needs to be a clear declaration of 'if this header is set you may not track _and_ you may not bug the user about it'
If the user has already indicated that they don't consent by setting the header, you don't ask. If they want to change, make it available as a setting.
(and frankly, the number of users that actively want to consent to this is essentially zero)
Hence why I think the default hurt the initiative. And the header could be set on a per-domain basis, if you wanted that for some reason. I'm curious, why do you consent on such pop-ups?
Because it offers a better experience. The cookies are not pointless to the experience and you need all of them to have the full experience. The legal definition about what cookies are needed does not match reality.
What parts of the experience do you feel are missing if you do not consent to tracking? I have seen one or two cases of malicious compliance where rejecting tracking results in no state being kept, including having rejected it. Keep in mind that the legal definition is based on things that would not be reasonably expected to be kept or distributed in order to provide the service that the user is getting, you can do basically everything except targeted ads or selling user data under that definition, even if people who want to do the above are trying to pretend otherwise.
Targeted ads are part of the experience. They directly affect user satisfaction of the product. Relevant ads can increase user engagement. You may find it strange, but people prefer products with relevant ads.
People prefer products without ads at all. Ads are noise. People's brains literally learn how to filter them out via banner blindness.
People always comment that the internet is "so much nicer" after I install uBlock Origin on their browsers. It's just better, they can't explain why. They don't need to. I know why.
The fact is nobody wants this crap. Ads are nothing but noise in our signal. They're spam. They're content we did not ask for, forced upon us without consent. They do not improve the "experience", at best its impact is minimized.
I always consent as well. They can show much more relevant ads when you consent to cookies. If I block cookies I get generic ads about stuff I don't care about.
Ah, I can't think of any level of relevance that would make me want to see ads, and in areas where I do want to see something, like recommendation systems, I've found that they are better when they are only based on the content I am currently looking at as opposed to based on some profile based on my whole history.
The popup never lets you choose to see fewer ads. It's a common misconception by lay people that you will see fewer ads if you block cookies, but that's not happening of course. So you may as well get relevant ones.
Just today I got an ad for a new theater show in town I'd like to see, I might have missed that if it wasn't for the targeted ad. Did they "manipulate" me into seeing it? I guess so. Do I mind? No, I'm capable enough to decide for myself.
Recipe blogs are mostly "corporations" even if small ones. Most things you find at the top of Google search results aren't just enthusiastic individuals sharing their personal ideas with you but businesses who work hard to make sure you go to their websites rather than better ones.
Counteropinion: agile laws would be absolutely terrible. Either people wouldn't take them seriously because they're going to change in a few minutes anyway, or people would take them seriously and be bound by law by the equivalent of late-night untested code that seemed like it should work.
Laws should be enforceable, but at some point "it's a bad law if it can be bypassed with corruption" just completely surrenders any hope of holding powerful people / companies accountable to anything at all.
That's a very absolute outlook. The fact is that they were very naive and, althoug they seem to be adjusting, it's been painfully slow and the harm has been done and the public is suffering meanwhile.
Law making is a way of predicting the future and setting up incentives to achieve a goal. You need to foresee what can go wrong, talk to incumbents and anticipate the response. It's a technical matter and this has been a debacle.
It's useless to put the blame in the advertisers. Even if they're evil, that doesn't make the situation any better for the public.
> The fact is that they were very naive and, althoug they seem to be adjusting
Who are "they"? The law hasn't changed, it's enforcement that is changing, albeit very slowly.
There are so many institutions that can be rightfully blamed - chiefly the DPAs and the national governments, but your continued insistence on blaming the lawmakers makes no sense. The law is clear, it's just not being enforced.
Of course advertisers deserve all this blame too, but their blame is irrelevant when discussing enforcement. I don't expect them to stop any more than I expect a serial killer to turn themselves in. This is still a failure of the institutions.
Well almost all websites in France do the legal thing now with an obvious "decline all" button, which was not the case at first.
It took just a pair of ruling that made it clear this illegal pattern was going to actually be cracked down upon, and now these popups are just a small annoyance rather than the absolutely enraging trap that they were at first.
Of course I still wish they were unnecessary, but they serve as a reminder that these websites are still trying to prey upon their visitors.
I agree. These websites should just not spy on me and therefore not have a pop-up.
But in the absence of that? I appreciate at least being asked for my consent so that I can press the "I do not consent to being tracked" button. It shouldn't exist in the first place, but since these websites are unwilling to just not spy on people, this seems like the next best thing.
> That's like saying "don't visit places where people get murdered if you don't want to get murdered."
Nope. Murder is an action after which the victim can not make any more actions. It would be like saying "don't go to the bakery where they spit in your food and slap you in the face every time you order something". You are enraged by the behavior of the websites you visit and you still keep going there every day. Either you are a masochist or "voting with your wallet" or, in this instance with you attention, doesn't really work. Why do you give your attention to those that treat you like shit?
> How about you just enforce consumer protections for everyone?
They are. What gave you the idea they aren't? Because some pages still behave illegally? You understand that murder still happens?
> Because that is clearly not the law.
Do you know anything about GDPR? Because it seems that you do not. Could you point to the text of the regulation that you object to? I'll wait but I'm sure I'll be waiting for godot here.
> Murder is an action after which the victim can not make any more actions.
What does that have to do with anything? I think you missed my point.
> Why do you give your attention to those that treat you like shit?
Because I have no choice. Every website has these damned popups. Where am I supposed to get my news from otherwise? I mean, what internet do you use...?
> They are. What gave you the idea they aren't?
Because sites are still allowed to track me? Why bother with consent around tracking? Just make it illegal to begin with.
> Do you know anything about GDPR? Because it seems that you do not.
That's inappropriate for HN. Please see the guidelines. Assume good faith.
Lawmakers should have a limit on the number of laws they can write. Say it's 100. They can regulate 100 things, so they need to consider importance. If they want to regulate something new, they have to give up something else. Which one is more important?
The vast majority of laws are never enforced, so in practice this isn't as absurd as it sounds. It would make people consider what laws they spend time writing.
But the laws do allow this. It's illegal to make the user experience worse if you decline tracking, or to make it harder to decline tracking than to accept it, but it's not illegal to annoy the user on every page load.
Wait you're saying that the websites in question ask for your consent on every page load even if you give it to them? I was under the impression that they typically pester you for consent until you give it to them, then remember your choice once you "consent"
I do love the irony of reading a headline "Administrative court: Cookie banner must contain "Reject all" button" on a website that does a completely blocking cookie banner with no such option. I suppose if I lived in Germany I would be pleased with the results of reporting that to the authorities.
More generally, I actually did organically notice the massive increase in "Reject all" buttons and found out about these court decisions myself some time ago. Certainly a small win for the internet, although it should not have taken 9 years(!) from the implementation of GDPR for these violations of it to be cracked down on.
Viewing corporations as amoral bots that are justified in squeezing every bit of profit out of humans is exactly what is wrong with our society. Someone in a big tech was the inventor of this dark pattern and they think they're awesome for finding a loophole in the well-meaning regulation, at the cost of the costumer they supposedly should serve. That person is the problem, and so are the people that followed them
How else should we view them? Walks like a duck, quacks like a duck, probably a duck.
Nobody justified the behavior, only stated that corporations have proven over time to generally seek profits over all else. They provide legal cover to bad-faith actions. That wasn't the original intention, but it is absolutely the current state of the world.
corporations are the mechanism by which bad actors are shielded from responsibility. limited liability is used in bad faith in these cases; regulating this bad-faith usage should impact the individuals responsible for the implementation, but should also impact those not directly involved for allowing it to happen in the first place, including board members, management and investors (if you really want to see change, start fucking with peoples' money when they allow bad things to happen through inaction).
Unless you're advocating slaughtering 90% of humanity, what is the purpose of this line of thinking?
Sure, some of you are just so good and nice that you're going to spend all of your time trying to better your fellow man no matter the incentives. The rest of us are spending our time and energy trying to better ourselves. It's better for everyone if the rules of the game are set up so those actions create positive externalities.
We tend to lock up people whose actions are amoral enough. The problem with thinking that its normal for corporations to act amorally is that that also means we forget its people making these decisions and that those people should be held accountable.
For this "modern" view, you have to look back to 1896, when New Jersey made it easy to create for-profit corporations beholden only to shareholders as a way to attract investment to the state.
It's really not even primarily the privately-held corporations that are the problem. Some family business, even if it's big, is more likely to care about its reputation because that's their family's company and it's still going to be their family's company in 50 years or more.
Whereas you get publicly-traded companies and the primary shareholders are investment funds, whose managers get bonuses based on short-term results and who may not be in the same job or having the fund hold the same companies in as little as a year from now. So their incentive is to have companies squeeze customers for short-term gains and then choose the right time to pawn the shares off on some bag holders who see strong recent numbers and don't realize what that strategy does to the company's long-term prospects.
It's basically the further removed those benefiting financially are from the actual operation the more likely the business will care about money over everything else. The public private distinction matters less - private companies can still have external investors calling the shots.
> Viewing corporations as amoral bots that are justified in squeezing every bit of profit out of humans
Literally what a corporation is.
This is capitalism mate. People will do basically anything with the "for the company" excuse. If they don't, they will be out of a job and eventually starve.
Laws are the only things that can limit corporations. Without those we'd still have children working, 14 hour shifts and no weekends.
Why is that person a problem? That is why rule of law exists, ideally, so that we don't run society on arbitrary outraged moral judgement. E.g. many people are morally outraged by presence of any illegal immigrants and others are outraged by any enforcement against undocumented immigrants. If we base decisions on arbitrary outraged moral judgement it's not going to go well.
A "loophole" is only a "loophole" to someone who agrees with yours. And I say it as someone who agrees in this particular instance.
That person is a problem because low-trust environments are inherently low-privacy and low-efficiency environments. Allowing a small portion of the population to destroy trust and then justifying it with "well there was no explicit rule against it" is parasitic on the whole society. It's better to stand up and say "this is unacceptable and clearly not what was asked for".
That is only as far as you or I are concerned. The environment where you first write the rules then someone can arbitrarily come and say nah that's not what we meant (with any consequences) is far worse than any low trust environment. Vague rules with selective/interpretative enforcement is in fact what authoritarian countries like Russia/China tend to use. Disturbing social harmony is illegal and all the right thinking people know it when they see it.
> Also, please remember that in Europe there is no such thing as "the spirit of the law versus the letter of the law." The intent of the law IS the law.
On the other hand, there is the issue how the intent of laws (which were often passed by highly incompetent politicians, in particular when IT topics are involved) is to be interpreted.
as long as we cannot provide some objective foundations for the meaning of words we're pretty much left with the law constantly being interpreted, and even if somehow laws and enforcement becomes completely independent of the fallibility of human minds, as long as we are subject to it we ourselves will have different interpretation from time to time
and even if the law somehow becomes a perfect ideal filter for separating good from bad ... its enforcement will run into the problem of false positives and negatives as long as it deals with messy real world events and their various imperfect impressions found in whatever evidence is collected in a case.
well, of course a more competent electorate and politicians would be nice anyway, but now we run into the problem of competence in the eyes of who?
Europe is not homogenic when it comes to law doctrine though and does have variations in how to handle unclarities in the letter of the law. In some jurisdictions the intent very much matter to resolve how ambiguities should be resolved.
Yes and sometimes it's subtly different from the letter of the law. The point is, if I understand it correctly, that in the US, courts always literally interpret the law as written, whereas in the EU there's a culture of sometimes, when the letter of the law super clearly differs from the intent it was obviously written with, siding with the intent of the law rather than the precise wording.
No. US courts consider both, to the extent that it’s a bright-line divider between “conservative” judges and “liberal” ones, where the former are far more likely to profess strict adherence to the text of the law (particularly constitutional law).
In any case, there is always a difference between the “intent” of a large and diverse body of politicians, and the actual text of a law. Any practical legal system must take it into consideration.
> where the former are far more likely to profess strict adherence to the text of the law (particularly constitutional law)
This is a fiction and just an excuse conservative justices use to make conservative rulings when they don't like a law.
They are perfectly fine to abandon the text of the law whenever it doesn't move forward a conservative agenda. The shining example of this is the voting rights act. Something never amended or repealed by congress but slowly dismantled by the court counter to both the intent and the text of the law.
And if you don't believe me, I suggest reading over the Shelby County v. Holder [1] decision because they put it in black and white.
> Nearly 50 years later, they are still in effect; indeed, they have been made more stringent, and are now scheduled to last until 2031. There is no denying, however, that the conditions that originally justified these measures no longer characterize voting in the covered jurisdictions.
IE "We know the law says this, and it's still supposed to be in effect. But we don't like what it does so we are canceling it based on census data".
> This is a fiction and just an excuse conservative justices use to make conservative rulings when they don't like a law.
Isn't this the other way around? If you cite "the spirit of the law" then you're ignoring the text in order to do whatever you want.
Finding a "conservative" judge who does the latter is evidence that the particular judge is hypocrite rather than any argument that ignoring what the law actually says is the right thing to do.
But you also picked kind of a bad example, because that wasn't a case about how to interpret the law, it was about whether the law was unconstitutional.
That's an uncharitable reading. Citing the "the spirit of the law" is
not automatically ignoring the text in order to do whatever you want. It can be "how do I apply this archaic text about oxen (or whatever) to current events". Maybe the meaning is that stealing stuff in general is frowned upon, not just oxen. Or should we focus on how a Chevrolet Corvette is definitely not an ox?
Interpreting constitutions and very old laws requires a different frame than modern laws that merely say something different than you'd like them to.
Why does the First Amendment say "freedom of speech, or of the press" and make no mention of radio or TV or the internet? Because, of course, it was enacted in 1791. The drafters can't be expected to have listed things that didn't exist yet and it's obvious to everyone that it's meant to apply to this category of things even if we're now using fiber optics and satellites instead of dead trees.
But if you're interpreting a law from 20 years ago instead of 200 and nothing relevant has changed that the drafters couldn't have predicted when it was enacted, the fact that someone is doing what you said instead of what you meant is entirely down to you being bad at saying what you mean and that ought to be on you rather than on them.
I’m not saying it’s true or false. Hypocrisy is universal to politics, and it’s trivial to find examples throughout US history on all sides of the political spectrum. I’m just saying that the issue of strict interpretation is so fundamental to the US legal system that it’s a core philosophical debate for judges.
It’s the same problem as those reading the Scripture literally. You can’t. You are reading a translation, for starters. To come even close, you need a subtle understanding of semite languages, culture and Greek, depending on your denomination. You need some guidance when reading, whether that is the Holy Ghost, your pastor, or a decade or two of yeshiva school.
The problem here is that people need some way to know if doing something will incur a penalty before they actually do it.
One way to do that is to interpret the law strictly according to the text, or in the case of ambiguity to choose the interpretation that benefits the accused rather than the government. Then you could just read the law to know if it prohibits what you want to do, because unless it unambiguously does, then it doesn't. And then if the government doesn't like it once they see someone doing that, it's up to them to change the law.
Another is to give people a way to get clarification ahead of time. This is called advisory opinions and governments generally hate them because as soon as you allow it, the government is going to be absolutely swamped with requests for clarification because everybody wants to pre-clear everything they're going to do rather than take the risk of getting punished for doing something without clearing it. But in order for this to work, getting a clarification has to be cheap, because "pay a million dollars for an advisory opinion to avoid the risk of a million dollar fine" isn't a real solution to the problem of people getting punished when the law is unclear.
So the first one is actually better, the only "problem" with it is that you need the government to be paying attention and promptly rework the law when it isn't having the intended effect, otherwise you'll have people complaining about it because in the meantime there is a dumb law on the books. But if your government is bad at making good laws then you're going to have a bad time no matter what.
> Another is to give people a way to get clarification ahead of time. This is called advisory opinions and governments generally hate them because as soon as you allow it, the government is going to be absolutely swamped with requests for clarification because everybody wants to pre-clear everything they're going to do rather than take the risk of getting punished for doing something without clearing it. But in order for this to work, getting a clarification has to be cheap, because "pay a million dollars for an advisory opinion to avoid the risk of a million dollar fine" isn't a real solution to the problem of people getting punished when the law is unclear.
A partial solution to this problem is: write laws in a way that need a lot less clarification because there is rarely a need for it because the laws are thought out so well.
A very first step could be to to brutally expose every politician who voted for such shittily designed laws.
Not doing that is a civic duty that I expect from every politician who wants to be considered to be more trustworthy than a child molester who has relapsed several times.
Nope, you need something more systemic than that. Every incumbent politician has voted for shitty laws because if you don't vote for the omnibus full of shitty laws when your party is in the majority and they need your vote then you become a pariah and then your constituents vote you out because pariahs can't accomplish any of the other things they want. And fresh faces wouldn't inherently change the incentives there.
You need something like, ban omnibus bills with a single subject matter rule. Replace first-past-the-post with score voting to dissolve the two-party system. Add new checks and balances so that someone with a better structural incentive to reject bad laws is in a position to veto them, like the US Senate used to be before the 17th amendment.
Or in the EU the structural problems will be different and you may need something different, but you still need something or the status quo tomorrow will be what it was yesterday.
That doesn't jibe with my understanding. For one thing, "interpreting the law as written" is impossible on its face. You need to have an understanding of what it means, i.e. interpret it. And not only that, isn't the whole deal with Common Law that the judge, judges?
IIRC a common law maxim oft repeated said something like: “a judge doesn’t make a ruling because it is right, the ruling is right because the judge has ruled it.”
I think he meant to say the spirit of the law is the law.
If you read GDPR in it's complete form [1], there are 173 paragraphs before the actual law begins at CHAPTER I, almost half way down the page. Those are the reasons why the law was created, what's it trying to achieve, how it is intended to work, responsibilities of govenrnments, etc.
The EU provided us the spirit of the law - in writing.
nah, it's just slow, as unfortunately almost all things involving technology and international/supranational organizations
first case was around 2018-2019 and then it took some time for the cookie banner consent thing to percolate through the courts. (the Hungarian data protection agency already issued a ~3000 EUR fine in 2018-08 and cited the GDPR. and the Hungarian DPA cites this 2019 EU court case which is explicitly about cookie consent [1])
and according to this tracker - https://noyb.eu/en - there are 2B fines already imposed and (883 total cases and still 468 pending)
If you can't enforce the law, then it is a bad law. Also, this is a problem that naturally solves itself over time, so no law was ever needed. The UX of the web degraded for everyone after GDPR was passed and that I think everyone can agree on.
If people care about privacy, then over time they will migrate to companies and services that respect their privacy. Government laws are broad based policies that always lack nuance. This is why it is better to let markets drive better outcomes organically.
> If you can't enforce the law, then it is a bad law.
Or, alternatively, you _could_ enforce the law but the resources to do so (people) are no longer available. This happens a lot in the US when the current admin doesn't feel it's important, so doesn't fund the enforcement agencies. And is particularly true more of codes/regulations (I get them confused) than of laws.
The government has outlawed murder but your local law enforcement isn't investigating the murders. You're blaming the lawmakers for writing "bad laws" in this situation, why?
First order of blame goes to the national DPAs for not carrying out their duties.
Second order of blame goes go to whichever EU authority is responsible for penalizing EU member states for non-compliance. There should be serious consequences for non-enforcement like frozen funding. (I don't know what the actual legal process is)
> If people care about privacy, then over time they will migrate to companies and services that respect their privacy.
This is just a libertarian fairy-tale that is designed to sound sensible and rational while being malicious in practice. It exploits information asymmetry, human ignorance, network effects, and our general inability to accurately assess long-term consequences, in order to funnel profits into the hands of the most unscrupulous businesses.
In other words, there's a reason why we have to have regulations that protect people from themselves (and protect well-being of society as a whole).
> The government has outlawed murder but your local law enforcement isn't investigating the murders. You're blaming the lawmakers for writing "bad laws" in this situation, why?
Investigating murders is enforceable. If law enforcement isn't doing their job then that is a different problem. By virtue of being on the Internet, tracking cookies span many legal jurisdictions (even ones outside of the EU that never agreed to GDPR) and therefore run into all sorts of different legal obstacles. Apples and oranges and all that.
> This is just a libertarian fairy-tale that is designed to sound sensible and rational while being malicious in practice. It exploits information asymmetry, human ignorance, network effects, and our general inability to accurately assess long-term consequences, in order to funnel profits into the hands of the most unscrupulous businesses.
No, it allows people to be adults and vote with their feet. We do this all the time in many other areas and it works. (Exactly what the free market is based on) This is not to say that there shouldn't be any privacy and anti-spam laws, but when it comes to allowing marketing/advertising the trade-off has been well understood for some time. We are all funneling a lot of profits into companies that provide software to serve up the cookie banner warnings now and the advertisers still end up getting lots of people's data. A poorly designed law is a bad law. Legally requiring consent upfront and the ramifications of that decision should have been thought through much more thoroughly.
> If law enforcement isn't doing their job then that is a different problem.
Yes, that is precisely the problem with GDPR, too. Enforcement is supposed to be carried out by national Data Protection Authorities but they just don't investigate. I've reported some clear cut violations and they never followed up on anything.
> By virtue of being on the Internet, tracking cookies span many legal jurisdictions (even ones outside of the EU that never agreed to GDPR) and therefore run into all sorts of different legal obstacles.
It doesn't matter. It's irrelevant to the general enforcement issue. Most DPAs seem to be failing to enforce even the simplest of cases. Let's chat about the edge cases and jurisdiction when the clear cut cases are being taken care of reliably.
> Yes, that is precisely the problem with GDPR, too. Enforcement is supposed to be carried out by national Data Protection Authorities but they just don't investigate. I've reported some clear cut violations and they never followed up on anything.
No, it's not the problem with GDPR. As explained earlier it has to do with jurisdictional overreach.
> It doesn't matter. It's irrelevant to the general enforcement issue. Most DPAs seem to be failing to enforce even the simplest of cases. Let's chat about the edge cases and jurisdiction when the clear cut cases are being taken care of reliably.
Edge cases and jurisdiction are at the heart of this issue and exactly why it is a bad law. This is exactly the baggage that bad laws create!
> It isn't that this can't be enforced, it just lagged because of the size and changes that this law brought.
How long have these laws been out and we are still dealing with these issues. They seem to have gotten worse, not better.
> How does it solve itself?
People build services that don't track others and people pay for those services. It's pretty simple.
> Due to website operators doing illegal things.
If it was so illegal it would be stopped, but apparently businesses are indeed complying with the law.
> Why would people care about something they don't know about?
It's well known that cookies track you across sites and some people choose not to use those sites. The sites are required to disclose this information, so users are definitely aware.
> How long have these laws been out and we are still dealing with these issues. They seem to have gotten worse, not better.
No, they have gotten better. Earlier reject all was barely seen on the internet. Now it is on the majority of places or at least in much more places. How is that getting worse? Can you please explain how it has gotten worse or why you think it has gotten worse?
> People build services that don't track others and people pay for those services. It's pretty simple.
How would an average individual know that a service is tracking them if the service doesn't need their consent for it?
> If it was so illegal it would be stopped, but apparently businesses are indeed complying with the law.
GDPR art. 7.3:
"The data subject shall have the right to withdraw his or her consent at any time. 2The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 3Prior to giving consent, the data subject shall be informed thereof. 4It shall be as easy to withdraw as to give consent."
So the law states that it must be as easy to reject cookies as to accept. That means that it is illegal to hide reject all.
In the parent post of this thread there is even a link about a court case:
So has your opinion with this information changed on who is to blame for the bad UX? If not, why not?
> It's well known that cookies track you across sites and some people choose not to use those sites. The sites are required to disclose this information, so users are definitely aware.
Maybe now, because of GDPR forcing site operators for asking consent to being tracked. But you said that it would happen organically without GDPR. I'm confused, even you, in the last sentence say that sites are required to disclose information but that is because of GDPR. It isn't the market somehow reaching that point organically. So which is it because you seem to agree that GDPR is needed but at the same time you are saying that it isn't needed and the market would sort it out. I'm really confused now.
There were laws requiring disclosure before GDPR and there were already tools to disable or prevent trackers built into browsers or adding on with plugins. (organic market developments) You also had alternatives to services that used the lack of tracking as a reason to choose a particular service offering over another. GDPR ended up just making these disclosures more in your face. Text like "It shall be as easy to withdraw as to give consent" is so vague as to be useless, which is why there are so many disagreeing opinions are whether companies with their current implementations are complying or not. GDPR is a bad law and in general the EU hasn't learned it doesn't get to enforce its laws in countries outside of its jurisdiction.
> ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Meaning if you force users into pressing a button or let them scroll through 1000 no options, with one easy yes option, you have not collected their free consent. Congrats you broke the law.
Meaning if you just have them click yes, but not informed them about the harmful data collection you did not collect free consent.
I may be missing something, but I don't see how this clearly precludes that behavior.
Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it? To my eyes, both 'freely' and 'informed' are plausibly upheld.
It would be very straightforward to specify that consent and withholding must be equally accessible in the interface, instead of splitting hairs about definitions of "freely given". This is what people refer to when they say the law is poorly written
> Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it?
> Art 7(3) It shall be as easy to withdraw as to give consent. [0]
But legal interpretation of GP I believe is reaching the consensus that that phrasing too is broken by that implementation:
> Free and informed consent (Art. 7 GDPR): Consent is valid only if it is freely given. When the option to decline is hidden or unnecessarily cumbersome, the user's choice is affected and consent is no longer "free." [1]
Ah appreciated, that is indeed exactly what I was asking about!
Now I'm left wondering why enforcement was supposedly so hard. Seems like shooting fish in a barrel, especially given that some very large websites were in clear violation of this article
Subjective take: Huge amount of small actors, and the big actors have a financial interest in shifting the conversation to blaming the EU for their annoying dark patterns over protecting customers from privacy violations and tracking to the detriment of their financials.
Wouldn't this also mean that if a user was using one of those browser extensions that automatically click "yes" to close the pop, then the site would not have informed consent, and therefore would not be allowed to collect the data?
If a child wearing stilts and a long coat walks into a movie theater where children can enter for free, and buys an adult ticket, then watches the movie, is he entitled to sue the theater and claim a refund?
Programming your computer to automatically click "yes" sounds like affirmatively giving consent to all popups to me. The standard for consent here is lower than for things like sex.
That seems too clever. If you set up a browser extension that automatically writes your signature on any contract people email to you and returns it, I'm pretty sure you're bound by those contracts.
Be careful with just clicking the big “decline” button. That skips past your opportunity to “object to legitimate interests”¹ in many cases.
--------
[1] Here “legitimate interest” essentially means “we see your preference not to be stalked, but we want to so we are going to make it that bit more faf to opt out, because fuck you and the privacy we lie about caring about”.
Definitely the spirit of it, though some claim not the letter or it due to loopholes.
> The decline button means decline all.
It certainly should, but I never trust it does (with other dark patterns on show I'm all out of benefit-of-the-doubt) and go into to "details" to look for objection toggles. Not that I particularly trust those anyway, but that is a different niggle!
Decline all means decline everything the law says you need consent for. The Google dialog kind of describes it perfectly: "Decline all cookies for this additional purposes".
> Decline all means decline everything the law says you need consent for.
I agree, it should do. But many sites don't consider the “legitimate interest” crap (“we see your preference not to be stalked, but we want to anyway so you'll have to object separately”) to not be something that they have to get consent for, hence the option is to object/not rather than to consent/not. If you hit decline all without objecting to “legitimate interests” [sic], in at least some case, I suspect many, much tracking will still happen.
> The Google dialog kind of describes it perfectly: "Decline all cookies for this additional purposes".
IIRC Google's preferences don't include any legitimate interest gubbins at all, so that isn't really relevant. And just because one tracking nag screen does things a certain way, does not mean that many others work differently.
> No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.
There is no malicious compliance here, just breaking the law. So if it is the problem of laws that they are broken then according to you all laws are 100% the problem. That stance, IMO, is beyond stupid.
You think websites like having this crap? You think they haven't considered alternatives? What greedy corporate executive is thinking "yes, let's make our product considerably worse just to prove a point"
They obviously looked at the alternatives and decided that the benefits of cookies or the cost of compliance is bad enough to allow for this crappy experience. And they all pretty much decided across the board.
So what problem is this cookie crap trying to solve? No one asked for it, no one wants to comply and now we're just making the web worse off as a result.
> Laws need to be written well to achieve good outcomes.
This is a critical failure point which should get more attention. Laws (and regulations) are like computer code in some key ways. Early computer code was written assuming it would be run by experts in trusted, benign environments that were relatively fixed in size and complexity. Our legislative law-making structures were created with similar assumptions. As the world changed, code changed but law-making structures didn't.
At a minimum, while being drafted laws should be subject to independent red-teaming and penetration testing to A) Assess their ability to actually accomplish their stated intent over time in the real world, and B) Surface likely unintended perverse consequences. Of course, that still wouldn't solve the issue of intentional weakening of laws with vague terminology, incomplete scoping, inserting loopholes, exceptions, etc by special-interest-driven legislators.
Sadly, these days I think intentional nerfing of laws during drafting is the biggest cause of 'bad laws'. But at least the red-teaming concept might prevent some unintended bugs on top of lobbyist-driven nerfing.
I agree. The law was lobbied to death before it was passed. Thus, the lawmakers are the problem.
The intent was nice, but the ask from the article is essentially asking browsers to implement uBlock Origin built-in and expect Google to just comply without pushback.
Unlike to happen because the ones that got us the current law, the ones that make the browsers, and the ones that make money from the ads (cookies == ads) are all the same companies.
Well written laws are difficult to create. You usually wind up with one of
- The law allows things it shouldn't, or
- The law disallows things it should
And the later gets swept under the rug as "we won't enforce it that way"... and then it winds up getting enforced exactly that way because someone has an agenda, and this is a hammer.
Like mentioned by sibling comments, GDPR explicitly does not allow this. It's just the fact that enforcement is spotty and complicated by the fact that the responsibility is shared across all EU member states with limitations what each country can do by itself, with some countries' data protection authorities intentionally dragging their feet to protect multinationals.
It's the same issue as with most EU-wide issues, where there's always countries competing with each other at the benefit of others.
Also GDPR is not exclusive to browsers or internet, it's applicable universally, for both online and offline businesses and processes, which is why it can't and doesn't prescribe exact technical implementation details.
You're missing the subtlety here. There is no legal precedent requiring corporate fiduciary duty to focus solely on shareholders. In practice, however, it's a reference to the Realpolitik of being ousted by a Board, enabled to do so by arguing a fiduciary responsibility to shareholders.
If it wasn't, the ghoulish masquerade of Corporate Social Responsibility wouldn't be a thing - it in itself a response to Milton Friedman's 1970 article “The Social Responsibility of Business Is to Increase Its Profits” which argued that corporate executives are agents of shareholders and should focus solely on maximizing returns, not social responsibility.
> While it is certainly true that a central objective of for-profit corporations is to make money, modern corporate law does not require for-profit corporations to pursue profit at the expense of everything else, and many do not do so. For-profit corporations, with ownership approval, support a wide variety of charitable causes, and it is not at all uncommon for such corporations to further humanitarian and other altruistic objectives. Many examples come readily to mind. So long as its owners agree, a for-profit corporation may take costly pollution-control and energy-conservation measures that go beyond what the law requires. A for-profit corporation that operates facilities in other countries may exceed the requirements of local law regarding working conditions and benefits.
——
The best I understand it, what this ultimately means is that, yes; if the shareholders hold a vote to say "you need to focus on profits over X thing you're doing now/planning to do", you have to do that, but absent a specific shareholder mandate, you are not in any way obligated to seek profit over all else.
Ford lost this case because he overtly admitted that he wasn't pursuing profit and because he was deliberately trying to prevent minority shareholders from getting money to start up a rival car company.
If he had just made some vague claim that what he was doing was in the long-term interest of shareholders, he probably would have gotten away with it.
I think that does eventually solve it. If clicking "deny" is as easy as clicking "accept", people will mostly just do the former.
As that will erode most worth derived from tracking, sensible operators will decide to stop annoying users and just ditch the tracking altogether. Or so I hope. I wouldn't know, as Brave does a pretty good job of hiding cookie banners in the mean-time.
>If clicking "deny" is as easy as clicking "accept", people will mostly just do the former.
Unfortunately, I don't actually think people realize the law is on their side here. My girlfriend never clicked "Reject All" until I told her to because she thought something wouldn't work if she did that!
Your girlfriend was somewhat right though: if you click "Reject all" they cannot show you targeted ads, and will show you generic ads instead. That's why I always accept the tracking cookies, for me the price of the privacy incursion is worth seeing more relevant ads.
Once again; the goal of the GDPR is to give users control of their personal data. There are (believe it or not) legitimate reasons why somebody might want to be tracked or allow their personal data to be collected; this is perfectly fine, provided its done fairly and the user gives their explicit opt-in consent.
Half of the GDPR advocates here seem to think tracking is inherently bad and should be banned.
Frankly, users don't want control at all costs, where that cost is "make the entire web really annoying." Either ban tracking or don't, but the current cost is too high.
> Half of the GDPR advocates here seem to think tracking is inherently bad and should be banned.
There is noting wrong with tracking (indeed, it is essential for some services), provided it is done fairly with a clear opt-in.
> but the current cost is too high.
If you think the cost of providing informed consent (!) is "too high", them I'm afraid we live on different planets.
If you don't like being constantly nagged to provide informed consent, then direct your ire to the scummy add-tech industry who are parasites on the web. One can serve up advertising without needing to invade a users privacy.
Yeah, you're exactly one of those GDPR advocates I was describing. You say this:
> There is noting wrong with tracking
But then you turn around and describe tracking as "scummy," "parasites," and "invading privacy."
Again, I would find it less objectionable to just make tracking illegal than this "informed consent" bullshit (which is mostly not actually informed consent because no one wants to spend the time to be informed about every fricking decision here, it's just a website).
Although I agree the law isn’t as good as it could be. It’s also impossible to create perfect law when websites are looking to avoid the spirit of the law to begin with.
Otherwise how can we explain “please see our privacy policy and send us a sneaker email to opt out” kind of tracking options.
Yeah law is kinda like the rules in sports leagues. You have to keep updating it as the meta shits.
It's impossible to write things correctly the first or final time and especially with the interpretation of words changing over time it doesn't matter if you could.
Rules in sports are always being adjusted, and participants are always looking for (barely legal) ways to get around them.
Example: In cycling, they banned narrow handlebars. There's an aero advantage, but it was seen as a safety problem. So cyclists canted their brake hoods way inside, rested their hands on the brake hoods, and got an aero advantage.
And now there's a rule about brake hoods. Laws are meant only be living things that change as society changes, and also change to patch what we might call "exploits." You are perfectly correct: It's never one and done, it's an ongoing process.
This is part of why a lot of EU directives are almost 50% "why this law is necessary and what we're trying to achieve", 30% "what needs to be implemented", and then 20% "who's going to look after all of this and how".
That way, a misplaced comma or a wonky sentence doesn't allow for easy loopholes that need tighter laws to fix issues.
Now law text will work forever, but this format makes for a very solid foundation.
Of course the politicians share a portion of the blame, but we cannot ignore the fact that websites are just playing the blame game as well.
We’re also seeing tracking despite the lack of user consent as well. This could be a fluke but when I make anonymous search on website and switch to another, I’m seeing the product I have just searched in the ads. With all the tracking disabled I mind you.
The difference between a law an a program is that the computer isn't a malicious actor trying to do everything in it's power to subvert the law. A law is nothing like a program, because a computer will do nothing without a program, but societies do all sorts of things regardless of laws.
The world a program works in and the computer it runs on are often very malicious, or they sure act like they are. Not to talk about users, some are pure evil :-)
We put a lot of safeguards, exception handling and all kind of measures to control errors.
browsers should be developed so they do not provide the web server any more information than any other visitor.
web browsers should curl the website and process it locally without telling the server anything else.
It seems like web browsers were developed in a pre-surveillance capitalism world
And you write 100% bug free and secure software right? There is no way a law can account for every malicious tech bro trying to subvert it on first pass, or even after that. It is always a constant battle with bad actors.
Of course. The law is clear, the intent is clear and the guidelines are clear.
I think the biggest challenge (and the reason why it feels this is everywhere) is because of the handful of "big corporations" controlling the browsers. Neither Apple nor Google have any interest in making tracking opt-in or working to make this into a standard.
In my view, the situation will be greatly improved with policy like the DMA being amplified even further to prevent cartel-like reactions from the FAANGs (whatever the acronym is today). We have a deep "culture difference" with the US, where everyone expects everything to be spelled out for them in the law so they can sue each other into oblivion, but the reality is this doesn't work. We need to reduce the influence of bigger players and install guardrails so it will never be possible again for a single company to have such dramatic influence over the world.
Imagine how many of these consent prompts can be removed if it wasn't for the fact that even loading a Google Font exposes one to a few hundred "partners"?
> Neither Apple nor Google have any interest in making tracking opt-in or working to make this into a standard.
Apple has taken steps to make it harder to track, both in iOS apps and in the browser.
It's Google whose revenue depends entirely on surveillance advertising.
The problem is that the technical methods surveillance ad networks use within the browser to track us are features that are useful for many other things.
Trying to redefine this as a technical problem, that can be solved purely by getting the browser makers to change how browsers work, rather than a sociopolitical problem, will fail. Sure, there are more things that Google—and probably Apple—could be doing to protect us, but they can't completely stop the tracking.
The way to stop the tracking is to make laws banning targeted advertising.
Apple engages in “privacy washing” - they take steps in the name of privacy when it disadvantages their competitors. At the same time, Apple has no problem collecting say Spotlight and Safari search terms … or “features” from Photos etc.
I agree that ads as a monetisation channel were a mistake. But beyond that, privacy is a human right and should be applied without exception.
Is there any actual evidence that Apple is collecting this information and either using it for tracking purposes, or selling it to others who do? As opposed to processing it in aggregate to improve their services?
If there is, I'll be the first to say they shouldn't be doing that, and I would definitely prefer them not to be collecting it in the first place, but there are different kinds and purposes of data collection.
I don’t think they’re selling it (at least that) but it’s spotlight and the browser … exactly where one tends to type sensitive things. It’s unsettling to know everything I typed becomes a dataset to circulate all divisions within a big corp for years to come, for data analysis, unit tests and who knows what else.
> everyone expects everything to be spelled out for them
Strictly speaking, that's how civil law works, spelling out explicitly the statutes.
By contrast, common law statutes can be (but are not always), more concise but more vague, putting greater emphasis on the courts to interpret them.
That is one reason USA is more litigious, but it probably isn't the only reason. After all, Germany has the infamous legal bounty hunters (one of the words may be "Abmahnanwälte" but I think there's a different one), and Germany is a civil law country, so USA being common law can't fully explain it.
My point was that the approach is not effectual when the guilty party is a corporation with near infinite resources.
Take Apple for example, it takes years just to complete a single “unlawful termination” suit, and it would be … decades before the world can equalise the damage from their App Store practices. And all while this is going on, corps are pouring huge amount of money into lobbying so by the end they nerf or even reverse the very policy that keeps them accountable.
The biggest challenge is that websites wouldn't be able to pay the bills if they didn't track you (show you ads). The price we would pay for that is an open and freely accessible internet. Websites like YouTube, Twitter, and Reddit would likely never have been as successful if there wasn't the ad market (even if those websites don't use that, the existence of such a possible pivot still adds to the value of such a site for investors).
People respond to this with "but you don't have to track people to show them ads!" But that's naive and shows that you really haven't thought it through. What's the value of an ad to you in Chinese? Russian? Japanese? Latvian?
The answer is zero. You would constantly get ads that are completely irrelevant to you and the company that bought advertising. Even with today's tracking this still happens a lot. I still ads every week that are in a language I do not understand.
Take your Google Fonts example - would that even exist if it wasn't for the "exposed to 100 partners" part? Quite possibly not.
But I don't want to deal with "Accept All" and "Decline All" either.
First, I, the user, am requesting to open the website. It's not the website imposing on me. My browser, which supposedly is under my control, is what forwards all the data.
Second, there is absolutely no way to know whether the website actually does what it says based on the cookie pop up. If it's a website based outside the EU then there's no way to enforce this cookie pop up.
But if the browser handles this, then there is a way to enforce it. Of course, the downside there is that the website will then use other means to potentially collect the data, meaning that you still need the law to limit such data collection.
Counterpoint - making every website you visit ask you about cookies still absolutely sucks. Even when they are fully in compliance it's a bad experience that makes using the internet worse.
And it's all because the law was written by lawyers who care less about user experience or privacy than the companies that have to enforce it.
Tracking by default is not an acceptable solution, so I would say respecting the Do-Not-Track header must be mandatory and enforced by laws and percentage of global revenue fines.
That wouldn’t help much in terms of annoyance, because you need the option of per-site or per-service opting-in to tracking cookies (like “remember me” checkboxes and similar functionality), and then you can’t really prevent web pages showing a banner offering that opt-in option. It wouldn’t be exactly the same as today’s cookie banners, but websites would made it similarly annoying.
We cannot rule by law if the websites don’t want to abide by the rule of law.
The level of tracking is insane and would never happen in real life, and companies would be fined to oblivion had they tried, if not forced to close by an angry mob of people.
Kinda… but between credit cards (and any cards serviced by them—debit cards aren’t safe) and widespread facial recognition with cameras everywhere in stores these days, and things like “loyalty cards” being required to just get what should be normal prices on things, we’re pretty heavily tracked in physical space now, too. People just don’t realize how much, and don’t see this stuff being sold and aggregated then re-sold.
We really need to crack down on stalking-but-automated.
The big difference there is that unlike, say, Price Chopper, Google, Facebook, and Xitter can track not only what you do with them, but everything you do on thousands and thousands of sites across the internet, through analytics packages that send data back to them and/or the scripts loaded by their "social buttons".
If I buy baby food at Price Chopper, they might send me an email offering me discounts on diapers, but at least I (probably!) won't also get shown such ads literally everywhere I go on the web.
I’m pretty sure the loyalty-card thing has become so big because they’re selling the data.
So many things are like that now. Like Roku sticks and TVs are subsidized by selling user data. You want to make a Roku competitor that doesn’t spy? Your product will struggle to get on shelves and to stay there, in part because the price for your product will be higher even if you get just as good a price on your components as they do, because you’d have to price them at-cost to match Roku’s pricing. Meanwhile 99% of people looking at the products don’t realize that one’s cheaper than the other because it’s going to spy on them and sell the data.
> Meanwhile 99% of people looking at the products don’t realize that one’s cheaper than the other because it’s going to spy on them and sell the data.
And this, plus the fact that it's so abstract and opaque what the negative consequences of that spying are, is a huge part of the problem with all of it.
We need better regulations on this, but sadly, even before the recent fascist takeover, the regulators have been largely asleep at the wheel for decades.
> widespread facial recognition with cameras everywhere in stores these days, and things like “loyalty cards” being required to just get what should be normal prices on things
Which is why this is also illegal in the same jurisdiction.
The website has to be able to inform you about what exactly you are opting in to (like saving your shopping cart, and/or who they will be sharing the respective information with). This can’t be covered by a predefined set of options.
Browser-level permissions are about what the browser is sharing with the website, which is a different thing. For one, the browser sharing information with the website isn’t a blanket permission legally for the website to do anything with that information it likes.
You can login and buy things.
But how do you choose whether the shop can kleep track of what you have bought to suggest rebuying or for you to keep a shoopping list. Requestion those is more than login.
In my opinion, it would be best to regulate the browsers themselves... preinstalled browser on a device sold in EU? Cookies are silently stored to a temporary jar, deleted on tab/window close. One jar per domain. Then add a button by the address bar to enable the "I want this site to remember me", and it'll make the cookies from that domain 'permanent' (with an additonal 'advanced' setting if you want to allow 3rd party cookies too or not).
But hey, when the regulators are lawyers who have no idea what cookies and browser are, we get consent forms on every domain visit.
Tracking now happens with fingerprinting, focusing on cookies won't provide a benefit.
> when the regulators are lawyers who have no idea what cookies and browser are, we get consent forms on every domain visit.
In this case the regulators have considered the problem and implemented the law independent of the used technology. The software developers/companies were the clueless/malicious ones here.
That is a terrible proposal. The GDPR is not about cookies, it's about tracking. Websites can track you through cookies, through browser fingerprinting, through your IP adres, through your login, through your local storage, and various other ways. They could probably find ways to track you by your mouse movements or how you type, if all other methods were somehow made unavailable.
That websites track you and then sell that data has nothing to do with how long your browser stores cookies. Cookies are just one of many, many ways that websites do tracking.
That's true, but at least then we could rid the internet of all those shitty cookie consent banners plastered all over. Those are almost more annoying to me than some company making a fraction of a penny on selling my mouse movement history to some chump.
You should ask if true privacy is really possible. Cookies are just the tip of the iceberg. Between IP addresses, browser fingerprinting, unique URLs, and the existence of third parties that correlate information across web sites (mainly ad networks) I'm confident it isn't.
True privacy is not possible if websites truly want to track you. The point of the GDPR is ensuring that legitimate companies operating in the EU will refrain from doing so without consent, because it's against the law and the punishments can be pretty severe. Sadly enforcement has room for improvement.
Some US sites may bother, many won't. At a small startup, whenever this was discussed, it was decided we had better things to focus on since we had no paying EU customers.
If it's not a third party cooking, then it's not a tracking cookie. So logins and other site functionality will be perfectly fine. They're not subject to GDPR and similar laws.
GPC (Global Privacy Control) is the header that's actually being enforced in (parts of) the US. DNT is considered deprecated by many, due to the nonconsensual way that Microsoft rolled it out.
Why is Microsoft's implementation a problem? Having the setting default to a safe value is the rational choice.
It's like saying having a secure OS/browser would deprive malware authors of revenue, and thus vulnerabilities should be preserved unless the user explicitly opts into patching them.
This combined with governments ignoring it, and actively enforcing GPC... it's questionable whether compliance is necessary (I still suggest treating it the same as a GPC signal).
But future work and effort should be put towards the GPC signal.
For a new corporate website we just completed, we used GPC signals as the opt out mechanism. If your browser sends GPC, the site just opts you out of everything and loads zero tracking scripts. If it doesn't, you see a popup that explains how to turn it on if you want, or an "I understand" button.
An approach like this seems ideal to me, the problem is that it's only natively supported in Firefox. Our instructions for Chrome and Edge are basically "install Privacy Badger."
And Safari is the WORST, which as an Apple customer it pains me to say. Not only does the browser not support it, there are ZERO Safari browser extensions, NONE, on ANY platform (mac/iphone/ipad), that you can install that will send a simple GPC signal with the HTTP headers. There is a paid Safari extension on iOS called ChangeTheHeaders that you can configure to send a GPC signal, but come on, you can't ask normal people to buy an app and manually enter a specific HTTP header. (ChangeTheHeaders is made by Jeff Johnson, the same dev as StopTheMadness. I asked him whether he'd consider adding user-friendly GPC signals to that (or any other) plugin and he said it would just be "duplicating functionality" :-/ )
It's sounding like California is going to require browser manufacturers to support the GPC signal. The privacy movement in California has a lot of political power and backing; it's pretty likely this will change in the next couple years.
From what I understand, their AG has said the GPC signal must be honored if sent and that it is an acceptable opt-out mechanism under the CCPA. I haven't heard anything concrete about requiring browsers to support it, but that would be a welcome development.
California's "Opt Me Out Act" (AB 566) requires that by January 1, 2027, internet browsers must provide a built-in, easy-to-use setting that allows users to send an opt-out preference signal, such as Global Privacy Control.
(copied from a search, but wanted to let you know)
The Global Privacy Control (GPC) is the header that actually has enforcement behind it in the US, and there are already companies getting fined. California has partnered with several other states to broaden enforcement.
Would love something better than GPC, but in the interim, the EU should start considering it as a proper signal of (lack of) consent, obviating the need for a banner altogether.
I would blame ad providers more than individual website owners. From my experience, ad providers have made it very difficult to serve their ads unless you use an ad-supported cookie consent manager. I tried to write my own simple cookie consent form and gave up after realising how obscenely complicated TCF is. And since most ad-compatible cookie consent banners are provided by the ad companies themselves, you kinda just get stuck with bad options. I even tried to pay for a commercial cookie consent manager but it wasn’t supported by my ad provider.
If I had more time I probably could have figured it out. But unfortunately I’m just running a hobby project and do not have weeks to spend on this. The revenue from the ads is what pays for hosting. I imagine lots of websites are in a similar boat.
I would love if there was a simpler option that could respect people’s privacy more, be less annoying, and that would still allow websites like mine to survive by running ads. Targeting browsers instead of websites could have been that option.
The problem here is the problem everywhere; we still as a world have no remotely effective way to actually punish companies-as-bad-actors on the internet or in tech generally.
None of any technical ANYTHING matters until we (meaning law and government) inflict truly meaningful consequences. Fines, breaking up companies, perhaps even jail time, etc.
Yes. The problem isn't the letter of the law, it's that governing bodies like the EU need something like an enforcement czar who tells companies in no uncertain terms that if they're going to try to be clever they're going to get the ol' Jack Ma treatment. Stop letting the tail wag the dog.
And before someone says that it will hamper innovation, I used to live in China and talk to investors often, they would always stress that for every guy with a billion who can't play by the rules there's a thousand guys with a million who have no problem taking the market share, that's hardly an issue
We just refuse to use them, because our politicians either believe that companies should have more rights than we do, or are terrified that if they actually try to enforce the law on them they'll lose out on massive amounts of campaign contributions (whether direct or indirect).
My default firefox settings rejected content tracker and in the end no cookies were created at all, plus there was just one failed CDN request outside original domain.
Don't worry, you are still being tracked by IP + browser fingerprinting... and using a browser with a low single-digit marketshare stands out like a sore thumb.
(which is also why framing GDPR discussions around cookies misses the point - the point is to determine the user's consent to being tracked regardless of technical ability, whether cookies, IP address, fingerprinting, or even some magic crystal ball)
Everyone states this. At the same time, any official site I have ever visited for the EU government/regulators _has cookie banners_. Why would the EU malicious compliance itself?
Or we could stop the charade of that cookie laws prevents tracking and get rid of all the stupid banners. All the beacons are firing in the back(server to server) now and all session data is passed on the inbound URL and stored. Browsers banning third party beacons, cookies laws, etc don't do anything. You can't even tell your being tracked.
GDPR is not about Cookies, it's about all tracking, including the examples you mention. As far as I understand the GDPR, the things you mention would also require the user to opt-in to be legal
That law has "discovered" that these rules for these sites suck because nobody wants to sit and decide what they want on a site by site basis and thus the "just get out of my face" kinda clicking and annoyance works.
The idea that just visiting any given site I visit means I have to make some legal agreement makes no sense.
uBlock Origin + Cookie Notice blocklists also work fine.
I started to write this comment meaning to add that Firefox does it all by itself now, but I just read that such feature "is not currently available anymore".
Using uBlock to hide the cookie banners mostly works, but there are occasional websites where it's buggy: I have to disable uBlock, accept or reject cookies, then re-enable uBlock.
So some websites actually require an accept/reject, and don't work if just visually hiding the banner, which is what this does.
> Given a free choice, how many people actually want to be tracked?
Good question. But there isn't enough information to answer the question. Are these people properly informed about what "tracking" means, or do they think this means companies are passing around their full names and addresses on post-it notes?
This is the problem, the law clearly recognizes tracking as something people don't want. The fact that they let every website beg you to allow tracking instead of banning all but functional cookies is the problem. They capitulated to advertisers and this is the result.
The regulation actually specifies what counts as informed consent. Annoying users into accepting tracking does not count.
The problem is that there's a chronic lack of enforcement, so the winning strategy is to breach the regulation. Worst case scenario, you will merely be forced to clean house at some point (but can enjoy the rewards of tracking until then).
> but malicious compliance by websites that don't want to give up tracking
It isn't even compliance, they are just breaking the rules by as much as they think they can get away with and so far, for the most part, they are getting away with it.
Important not to confuse the actual result vs. the hoped-for result.
You HOPED that websites' top priority is to provide the best possible experience. The REALITY is that not getting sued is way more important than removing all possible user inconveniences.
I wonder why people don't build a collection of scripts into a browser plugin, like Adblock that auto rejects all tracking info to the greatest extent possible?
Isn't that the inverse? Ie auto-accept just to get rid of the UI box?
Edit: their FF-page says,
Set your preferences once, and let the technology do the rest!
This add-on is built and maintained by workers at Aarhus University in Denmark. We are privacy researchers that got tired of seeing how companies violate the EU's General Data Protection Regulation (GDPR). Because the organisations that enforce the GDPR do not have enough resources, we built this add-on to help them out.
We looked at 680 pop-ups and combined their data processing purposes into 5 categories that you can toggle on or off. Sometimes our categories don't perfectly match those on the website, so then we will choose the more privacy preserving option.
"The problem is not the law but with the people who don't follow it."
I mean... uh.
If the world would only consist of people who want to cooperate and don't have malicious intentions, then WE WOULDN'T NEED THE LAW AT ALL.
The law exists BECASUE OF the people who don't want to comply. So if the law doesn't control those people who don't want to comply, then the problem is with the law.
Because if we're saying that the problem is with the people, then the discussion is pointless like a black hole.
> The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.
If that was the case, then why does the site from the EU first off track... and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?
If there was a solution to having cookies and some other way of informing visitors of it, shouldn't that be demonstrated on the official EU government explaining GDPR?
> If that was the case, then why does the site from the EU first off track
If you are asking why there isn't a "reject all" button on their webpage then the answer is simple. There is one. The "Accept only essential cookies".
> and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?
GDPR (general data protection regulation) is about general data protection, not about technology. It applies the same no matter if you are using cookies or something else.
> Can a company go wrong implementing the same approach as https://european-union.europa.eu/index_en uses? Why is that considered malicious compliance with the law?
The example you've given is an example of compliance since there is a button to reject all tracking cookies. Whenever you read the words malicious compliance within the context of this discussion you can just swap it with the word illegal which is the correct word for the behavior that is being bemoaned here.
> Whenever you read the words malicious compliance within the context of this discussion you can just swap it with the word illegal which is the correct word for the behavior that is being bemoaned here.
I don't think that's the case. A number of people downthread are quite explicit that they find being asked at all annoying and don't think websites should be allowed to throw up cookie banners all the time.
I'm asking "if cookie consent banners are the less than idea solution, why isn't the official EU government site implementing it in a way that is ideal?"
If a company is deciding how to comply with the GDPR on its website, can it go wrong with copying how that site does it? Alternatively, if it tries something that is new, do they risk getting sued by the EU for not following the GDPR?
My claim that it isn't malicious compliance to use cookie consent banners, but rather the least risky approach since that is exactly how europa.eu complies with their own laws.
> I'm asking "if cookie consent banners are the less than idea solution, why isn't the official EU government site implementing it in a way that is ideal?"
Cookie banners are perfectly valid solution to the problem. GP originally said that the ideal solution is to avoid cookie banners by not tracking users. Not that if you want to track users there is a better solution than presenting them with a cookie banner.
> If a company is deciding how to comply with the GDPR on its website, can it go wrong with copying how that site does it?
No, because that is how it is spelled out in the law. Rejecting tracking must be as simple as accepting it. On the EU website both those options are presented in a clear way.
> My claim that it isn't malicious compliance to use cookie consent banners, but rather the least risky approach since that is exactly how europa.eu complies with their own laws.
There is no malicious compliance. If it is done as it is done on the EU site then it is compliant. If it isn't then it is illegal. Malicious compliance means that the letter of the law is strictly followed so to cause/do something not intended by the law. In case of hiding the reject button, that is illegal.
One thousand percent yes. And I'll repeat because people need to see it called out as often as possible: this is due to malicious compliance by websites. Period.
I'm so cynical now that I can't read articles like this without my first reaction being to look at how it benefits companies that profit from ads.
My two theories here?
1. An attempt to shift liability from companies having to comply with GDPR to browsers having to comply.
2. An attempt to consolidate all cookie consent into the three (?) browser engines we have... so efforts to thwart it can be focused on just those places.
The problem is exactly the law then because it was written so incompetently that it left the loopholes to allow websites to try and trick accepting.
Should have been written in the law that it’s a one toggle in browser settings.
If government is going to impose on the internet the least they could do is be competent in what they impose. Not writing laws that waste lifetimes in collective hours a day as every person in Europe deals with multiple of these dialogs a day and thousands a year.
> it left the loopholes to allow websites to try and trick accepting.
It did not. These practices are illegal under the GDPR, the problem is a chronic lack of enforcement by most national enforcement agencies in all but the most severe cases.
Some are just ineffective but others have gone completely rogue. Swedish Data Protection Authority (DPA) for example takes the position that commercial data brokers like Mrkoll are allowed to publish and sell people's personal information (including your current home address, hello stalkers!) [1] and that this is somehow protected under the pretense of "journalism" [2].
[2] Doesn't fully capture the negligence of the Swedish DPA ("IMY"), here's a better source:
> IMY’s practice of simply “forwarding” complaints.
> The IMY’s way of dealing with complaints since the Supreme Administrative Court ruling is to attach an “appeal form” to their (non-)decisions. But it still doesn’t investigate the complaints. Instead, the authority simply forwards the complaint to the entity that illegally processes personal data and then immediately closes the case. This also happened in the case preceding noyb’s current legal action against the IMY. After a data subject filed a complaint regarding a recorded phone call, the authority forwarded it to the respondent without investigating.
> Should have been written in the law that it’s a one toggle in browser settings.
No!
For crying out loud..... The law says if you want to track me (advertisers take a bow) then in each case, you must have my explicit opt-in permission to do so. And so you should!
Having a browser toggle setting isn't explicit opt-in consent.
Maybe not a single browser toggle, but it really should be handled at the browser level. There are browser APIs for opt-ins like your current location, using the camera and microphone - why not one for tracking consent?
The problem isn't technical - the problem is that ultimately spyware operators want to track people so it isn't in their interest to support these solutions and won't do so unless they are forced to. Since enforcement is significantly lacking, operators adopt the pragmatic strategy of non-compliance or pseudo-compliance with the current banners.
"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...
Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.