Not a radical idea. The EU is already working on it.
> […] the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website.
DNT header already does this. Explicit denial of consent. Reaches their servers before everything else so they have no excuse and zero room for maneuvering.
Now the EU just needs to turn it into an actual liability for corporations. Otherwise it will remain as an additional bit of entropy for tracking.
They can't. The website may very well do the opposite of the preference DNT signals. Meanwhile, proving in a court of law that the tracking still happens will be hard.
Services should be denied the capacity to track and fingerprint, not just told about a preference against it.
DNT will always be an "evil bit", regardless of any law behind it.
> They can't. The website may very well do the opposite of the preference DNT signals. Meanwhile, proving in a court of law that the tracking still happens will be hard.
Its not hard when it comes to any website of note, large companies can't easily hide what their computers are doing really, if they have code that tracks people it is gonna be found.
DNT is considered deprecated in favor of GPC, which has legal backing in places with internet privacy laws. Funnily, Chrome still supports DNT but you need an extension to send a GPC header. Almost like the advertisement company wouldn't want people enabling legal privacy protections.
GPC compliance is already the law in California. I don’t know why the EU has been so slow at making it legally binding. That said, existing cookie popups that don’t have “Reject All” as prominently placed as “Accept All” are already illegal but widespread, in no small part due to deliberate sabotage by the Irish DPA, so don’t expect GPC compliance to fare any better until consumer rights associations like NOYB.eu are allowed to initiate direct enforcement actions.
The fact that it was turned on by default in edge really hurt it as an argument under these laws, because it then turned into a 'well we don't know the user actually selected this' thing. Making it explicitly have the force of law regardless would still be a good thing, though.
No, this wrong. The law says that by default you can't process personal data, unless the user gave consent. That setting matched both the expectation of users and the default as specified by the law.
The story that advertisers don't know what users selected and that somehow allows them to track the user is disingenous.
It doesn't allow them to track, but it does allow them to more convincingly argue that they can nag them about it (I think some regulators in some EU countries have rejected this, but I don't think this is universal). i.e. it makes it ineffective as a means of stopping the annoying pop-ups. Because the companies are basically belligerent about it there needs to be a clear declaration of 'if this header is set you may not track _and_ you may not bug the user about it'
If the user has already indicated that they don't consent by setting the header, you don't ask. If they want to change, make it available as a setting.
(and frankly, the number of users that actively want to consent to this is essentially zero)
Hence why I think the default hurt the initiative. And the header could be set on a per-domain basis, if you wanted that for some reason. I'm curious, why do you consent on such pop-ups?
Because it offers a better experience. The cookies are not pointless to the experience and you need all of them to have the full experience. The legal definition about what cookies are needed does not match reality.
What parts of the experience do you feel are missing if you do not consent to tracking? I have seen one or two cases of malicious compliance where rejecting tracking results in no state being kept, including having rejected it. Keep in mind that the legal definition is based on things that would not be reasonably expected to be kept or distributed in order to provide the service that the user is getting, you can do basically everything except targeted ads or selling user data under that definition, even if people who want to do the above are trying to pretend otherwise.
Targeted ads are part of the experience. They directly affect user satisfaction of the product. Relevant ads can increase user engagement. You may find it strange, but people prefer products with relevant ads.
People prefer products without ads at all. Ads are noise. People's brains literally learn how to filter them out via banner blindness.
People always comment that the internet is "so much nicer" after I install uBlock Origin on their browsers. It's just better, they can't explain why. They don't need to. I know why.
The fact is nobody wants this crap. Ads are nothing but noise in our signal. They're spam. They're content we did not ask for, forced upon us without consent. They do not improve the "experience", at best its impact is minimized.
I always consent as well. They can show much more relevant ads when you consent to cookies. If I block cookies I get generic ads about stuff I don't care about.
Ah, I can't think of any level of relevance that would make me want to see ads, and in areas where I do want to see something, like recommendation systems, I've found that they are better when they are only based on the content I am currently looking at as opposed to based on some profile based on my whole history.
The popup never lets you choose to see fewer ads. It's a common misconception by lay people that you will see fewer ads if you block cookies, but that's not happening of course. So you may as well get relevant ones.
Just today I got an ad for a new theater show in town I'd like to see, I might have missed that if it wasn't for the targeted ad. Did they "manipulate" me into seeing it? I guess so. Do I mind? No, I'm capable enough to decide for myself.
Recipe blogs are mostly "corporations" even if small ones. Most things you find at the top of Google search results aren't just enthusiastic individuals sharing their personal ideas with you but businesses who work hard to make sure you go to their websites rather than better ones.
Counteropinion: agile laws would be absolutely terrible. Either people wouldn't take them seriously because they're going to change in a few minutes anyway, or people would take them seriously and be bound by law by the equivalent of late-night untested code that seemed like it should work.
Laws should be enforceable, but at some point "it's a bad law if it can be bypassed with corruption" just completely surrenders any hope of holding powerful people / companies accountable to anything at all.
That's a very absolute outlook. The fact is that they were very naive and, althoug they seem to be adjusting, it's been painfully slow and the harm has been done and the public is suffering meanwhile.
Law making is a way of predicting the future and setting up incentives to achieve a goal. You need to foresee what can go wrong, talk to incumbents and anticipate the response. It's a technical matter and this has been a debacle.
It's useless to put the blame in the advertisers. Even if they're evil, that doesn't make the situation any better for the public.
> The fact is that they were very naive and, althoug they seem to be adjusting
Who are "they"? The law hasn't changed, it's enforcement that is changing, albeit very slowly.
There are so many institutions that can be rightfully blamed - chiefly the DPAs and the national governments, but your continued insistence on blaming the lawmakers makes no sense. The law is clear, it's just not being enforced.
Of course advertisers deserve all this blame too, but their blame is irrelevant when discussing enforcement. I don't expect them to stop any more than I expect a serial killer to turn themselves in. This is still a failure of the institutions.
Well almost all websites in France do the legal thing now with an obvious "decline all" button, which was not the case at first.
It took just a pair of ruling that made it clear this illegal pattern was going to actually be cracked down upon, and now these popups are just a small annoyance rather than the absolutely enraging trap that they were at first.
Of course I still wish they were unnecessary, but they serve as a reminder that these websites are still trying to prey upon their visitors.
I agree. These websites should just not spy on me and therefore not have a pop-up.
But in the absence of that? I appreciate at least being asked for my consent so that I can press the "I do not consent to being tracked" button. It shouldn't exist in the first place, but since these websites are unwilling to just not spy on people, this seems like the next best thing.
> That's like saying "don't visit places where people get murdered if you don't want to get murdered."
Nope. Murder is an action after which the victim can not make any more actions. It would be like saying "don't go to the bakery where they spit in your food and slap you in the face every time you order something". You are enraged by the behavior of the websites you visit and you still keep going there every day. Either you are a masochist or "voting with your wallet" or, in this instance with you attention, doesn't really work. Why do you give your attention to those that treat you like shit?
> How about you just enforce consumer protections for everyone?
They are. What gave you the idea they aren't? Because some pages still behave illegally? You understand that murder still happens?
> Because that is clearly not the law.
Do you know anything about GDPR? Because it seems that you do not. Could you point to the text of the regulation that you object to? I'll wait but I'm sure I'll be waiting for godot here.
> Murder is an action after which the victim can not make any more actions.
What does that have to do with anything? I think you missed my point.
> Why do you give your attention to those that treat you like shit?
Because I have no choice. Every website has these damned popups. Where am I supposed to get my news from otherwise? I mean, what internet do you use...?
> They are. What gave you the idea they aren't?
Because sites are still allowed to track me? Why bother with consent around tracking? Just make it illegal to begin with.
> Do you know anything about GDPR? Because it seems that you do not.
That's inappropriate for HN. Please see the guidelines. Assume good faith.
Lawmakers should have a limit on the number of laws they can write. Say it's 100. They can regulate 100 things, so they need to consider importance. If they want to regulate something new, they have to give up something else. Which one is more important?
The vast majority of laws are never enforced, so in practice this isn't as absurd as it sounds. It would make people consider what laws they spend time writing.
But the laws do allow this. It's illegal to make the user experience worse if you decline tracking, or to make it harder to decline tracking than to accept it, but it's not illegal to annoy the user on every page load.
Wait you're saying that the websites in question ask for your consent on every page load even if you give it to them? I was under the impression that they typically pester you for consent until you give it to them, then remember your choice once you "consent"
I do love the irony of reading a headline "Administrative court: Cookie banner must contain "Reject all" button" on a website that does a completely blocking cookie banner with no such option. I suppose if I lived in Germany I would be pleased with the results of reporting that to the authorities.
More generally, I actually did organically notice the massive increase in "Reject all" buttons and found out about these court decisions myself some time ago. Certainly a small win for the internet, although it should not have taken 9 years(!) from the implementation of GDPR for these violations of it to be cracked down on.
So maybe “malicious compliance” is a misnomer. We should just call it "illegal dark pattern".