
I hate the standard wording on Cookie banners. Most of them should read:

"The site uses cookies. Actually it doesn't - you are not logged on and we don't need to maintain state. But our advertising partners, their partners, and their partner's partners all love to set tracking cookies. Click here to consent to three dozen cookies from around the globe."



Good lord, everyone needs banners and popups?

Why not just let browsers control who sets what cookies?

I'm tired of the endless cookie popups. Can we come up with an "allow cookies if the browser accepts them" standard, as long as that guarantees no cookie popups?

Then browser vendors can ship a "delete all non-same-origin cookies on tab close" option or something.


This is (mostly) based on EU law; entities that set cookies and track user data are required to get opt-in permission from users before doing so, and if the user declines, the entity cannot offer a degraded service.

At least that's the idea. In practice, almost everyone just throws up a banner that says "fuck you, we're selling your data as hard and as fast as we can," with no opt-out available, but they pretend that this is compliant with the law.


My favorite of the week: Doordash. Doordash does not use two-factor authentication, except for one thing: opting out of having your data sold. For that, it sends an SMS message to your phone. Since I signed up for them using a landline, the SMS message is lost.


It's a shame the EU became laser focused on cookies, which can be managed technically by browser settings, and not on dark patterns like these. Or how US consumers complain about being able to subscribe to a service via the web but must call a customer service person to cancel, often with a lengthy wait, dropped calls, and being transferred to a sometimes rude 'retention specialist.'

There's so much more pressing than just cookies imo.


Contrary to popular belief, GDPR has nothing to do with cookies and isn't even about the web specifically. It is - as it says right in the name - a General Data Protection Regulation.

The very long and well-sourced wikipedia article doesn't even contain the word "cookie": https://en.wikipedia.org/wiki/General_Data_Protection_Regula...


> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

This is from Article 7 of the GDPR [0]. Clearly the situation described involves a much harder time withdrawing consent than giving it, which goes against the law.

I may have misunderstood what you meant, but how is this being laser focused on cookies? This article applies beyond the Internet anyway.

[0] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...


Oh man, this makes my blood boil. Another reason I'll never touch MS again is that they removed the cancel Xbox Live subscription button for NZ subscribers, and I assume other locales where they didn't have some law forbidding it. The feature to cancel was there, but they decided, if they could, to hold you hostage and made you call and waste lots of time via as painful a process as possible to cancel.


The new one I'm seeing is you opt out easily enough, but there's a subtly hidden tab called 'legitimate interest' and every ad network claims to have a legitimate interest in harvesting your data, even though you've got no business relationship with them.

What should be happening is every company that's done that should be getting massive fines, but instead all the enforcement agencies are doing nothing.


If a company is going to lie or skirt the law about their cookie use, why show the banner at all? It's almost worse to show a decline option that does nothing.


It's basically a form of malicious compliance.


Malicious compliance is still compliance. Somebody being told "Please watch the pressure gauge." and then staring at it as it goes outside of safe regions is doing exactly what they were asked to do. This is blatant noncompliance with the thinnest veneer of respectability.


Then you can lobby to change the law because the users-electors are annoyed, and it's not your company's fault every website is doing it.


Yeah, people should start reporting these sleazy sites to their authorities if in the EU. I'm hoping that GDPR enforcement will eventually get up to speed.


Except that those authorities are often stripped of resources: toothless organizations, often made to serve as digital Potemkin villages for the public. Everyone knows this and can't be bothered to waste one second of their life on that bs.


I typed "cnil fines" (the CNIL being the French data watchdog) on Google, which led me to their sanction page [0], which features 100M€ fines to Google and 35M€ to Amazon _last week_. It is surely not much in the grand scheme of things, but surely this is more than a mere Potemkin village.

[0] https://www.cnil.fr/fr/tag/sanctions


That's true, but I wish they spread their reach wider. These fines to Google/Amazon/Facebook make the news, but are just a slap on the wrist to these giants. What would work much better is a wider campaign of smaller fines, so that everybody in the sleazy business would know or have heard of someone who was fined.


Good that at least in one country they do something, but everywhere else it's the wild wild web and the bandits are not threatened.


I typed "UK data watchdog" (for I did not know its name) and while it is true that I needed more clicks than for France, I found their enforcement page with their list of fines [0]: £18m here, £2m there...

[0] https://ico.org.uk/action-weve-taken/enforcement/?facet_type...


It's not actually doing its job; it only goes after certain types of easy targets:

https://www.openrightsgroup.org/blog/parliament-must-hold-th...

They also had a massive budget shortfall, which meant they sent out what amounted to protection-racket letters demanding £40 per year from every UK business, even though almost none of those businesses should be paying it.

All this while simultaneously investigating the ad industry, finding it is egregiously breaking the law, but then doing nothing about it.

The UK's ICO is taking an extremely broad definition of who should be paying it, but an extremely narrow definition of who it should enforce against.

I might add that the £40 it is demanding is almost 3 times the normal £15 yearly fee for running a business in the UK.


In the UK, BA was fined £20M recently, although that was for egregiously failing to protect customer data.


I have now started reporting stuff. It was easier than I thought :-)


Legitimate interest exists, and we use it at work. But because I work in the field of security, and for the sake of our infrastructure, we log specific information and might drop a mandatory cookie at a time.

Everything outside that field cannot, I guess, be considered as legitimate interest.


The absolutely funniest interpretation of ”legitimate interest” is in a recurring spam message I get from (of all things) an email lead marketing company.

They have small print after each of their emails that says that GDPR allows them to email me because they believe I might be legitimately interested in purchasing their services.


I always look for that - and the 'deny all' button. They do not have a 'legitimate interest' to track the hell out of me.


It's not really about cookies but more about non-essential information gathering, of which tracking is a part, and some forms of tracking use cookies. So basically, three levels deep before we go from the law to cookies. Then again, people have an easier time talking about 'cookie popups' instead of 'information harvesting', which sadly hides the real issue.


Yeah, I always wonder why this can't be handled like "prefers-dark-mode" and then the answer is always "because then who would let them do it"


What keeps Mozilla from implementing this setting and lobbying for a general Web API for expressing cookie consent? As far as I can tell, their users would be extremely happy about that.


Because it won't take off. Right now, the advertisers are basically hoping for you to be too lazy to click around ten minutes to find the 'no'-option. If every user would be presented with a fairly weighted chance once, hardly anyone would click yes. Accepting this standard would undermine their business even more.


That existed. https://en.wikipedia.org/wiki/Do_Not_Track

It failed horribly because it was voluntary. But now that it's a GDPR requirement, perhaps that might have a snowball's chance in hell of succeeding.


No, it failed because it acts on the wrong side. If you don't want to be tracked you shouldn't send cookies in your request.


It can. The first iteration used the Do-Not-Track header, but that died in the standardization process; now there is a movement for the Global Privacy Control header that you can read about here: https://globalprivacycontrol.org/


Once, and only once, since GDPR was implemented, I found a banner that was actually compliant with the GDPR. It defaults to allowing only necessary cookies, requires affirmative consent before any other cookies are used, and makes rejection of tracking have no additional steps compared to accepting tracking. Every other banner I have seen will violate those in some way, either saying that continued use of the site constitutes acceptance, or requiring unchecking of several boxes before clicking accept, or requiring going to dozens of affiliate websites in order to search out and disable tracking settings there.

As in, this is the first GDPR banner I've seen that is actually legal under the GDPR.

https://www.freedomforuminstitute.org/


Sad but true. I wish there was some way to change the current state of affairs, but the EU is a juggernaut that has lost track of its citizens' wishes regarding cookies.

One of the most precious things we have is time and the constant cookie interruptions are a nuisance that should be kept from sight.


They sort of opt in. It's pretty ingenious really.

1-click to opt-in.

multi-click and losing your current page to opt-out.


Would it be possible to set up a global cookie exchange? Some sort of browser plugin that lets us all swap tracking cookies?

Sharing is caring.


> the entity cannot offer a degraded service

Does this mean that sites that offer free but ad-supported content still have to offer that content? So I can watch those free Youtube movies and listen to those Spotify tracks ad-free because EU Law says fuck you.

How is this fair?

Edit: Okay, okay, non-targeted (and no 3rd party) ads are okay, got it xD


Spotify can show you non-targeted or contextually targeted ads, as is done with TV, radio, print media, movie theaters, billboards, etc.

The fact that Spotify doesn't want to because it's less profitable is where EU law says fuck you.


You can display ads just fine without using cookies. You just can’t track people across the web.

Also Spotify can easily require a free login and associate everything with that, no tracking cookies required. They just can’t associate your playlist with your web browsing habits.


No, it just means those ad-supported sites cannot use cookies to spy on you in the name of personalized ads. They are still free to display "generic" ads including content-related ads. Same as old school TV, radio and print ads really, which couldn't track me either but sustained those broadcasting companies and publishers well enough.


Billboards, newsletter ads, flyers etc won't track whether you look at them as well, and last time I checked print advertisement still kinda sold.

Tracking is not necessary to show ads. Certainly there are business models which depend on this, but hey who says our society benefits from those? Targeted advertisement and free informed democracies don't mix well IMO.


Especially ironically, Facebook has been taking out newspaper ads to whine about how it needs targeted advertising to survive, and how mean Apple is harming them.


Those ads will just have to be served without the tracking. You know, like how it has worked for decades on television and radio.


How does no 3rd party tracking without consent mean "ad-free"?


Two objections.

1. A law that aims to prevent stealing should be deterring thieves, not just regulating padlocks.

2. Technical measures are insufficient because cookies are regulated by purpose. A third-party cookie for fraud detection is allowed; a first-party cookie for analytics requires consent. It also prevents using necessary cookies for secondary purposes, something that literally cannot be accomplished through technical means alone.

As a minor point, the so-called "cookie law" also regulates browser fingerprinting. I have a hard time imagining that you could legislatively mandate effective anti-fingerprinting approaches.


The reason you are provided many free services is because you ARE tracked / analyzed and marketed to. That is the CORE of the business. The popup will say, do you accept this cookie and being tracked to use this free service. Everyone literally clicks yes. I can't believe the billions of wasted clicks and manhours that have gone into this charade.


> Why not just let browsers control who sets what cookies?

Because it doesn't have anything to do with cookies. You don't need a banner if you use CSRF cookies, you don't need a banner if you use them for stuff like CloudFlare's anti-DDoS script, and you certainly don't need a banner if your site requires cookies for basic functionality like logging in.

The browser can't possibly tell what the server is doing with its cookies. It might even be using a single cookie as CSRF protection and ad tracking at the same time.


>"allow cookies if the browser accepts them"

isn't that the 'allow 3rd party cookies' setting ?


> Then browser vendors can ship a "delete all non-same-origin cookies on tab close" option or something.

That doesn't prevent Facebook or Twitter or advertisers in general from tracking you across dozens of pages or more, it just means that they'll have to issue you a new cookie each session.


I feel that browsers should implement a permissions grant pop-up for when a site attempts to set a cookie with SameSite=none, and the cookie api can be extended to enable explanations to be given by the developer.


This essentially moves the banner into the browser, and will make ad networks tell websites not to use SameSite=none, but to use SameSite cookies and tell those ad networks behind the scenes. There are plenty of ads now already that are seemingly first-party hosted (and go as far as transmitting the ad content through e.g. websockets to avoid adblocker detection).
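To make the two comments above concrete, here is an added example (not code from any browser or from this thread) that classifies the Set-Cookie headers of one page load by their SameSite attribute, the way a browser-side "may this site set a cross-site cookie?" prompt would have to. It assumes a simplified same-site test on the last two DNS labels in place of the Public Suffix List real browsers use, and a constructed sample page load.

```python
"""Classify Set-Cookie headers by SameSite, as a browser prompt for
SameSite=None cookies would. Added example; the same_site() heuristic and the
SAMPLE page load are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union


@dataclass
class CookieInfo:
    name: str
    value: str
    attrs: Dict[str, Union[str, bool]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie header value. Attribute names are lower-cased;
    flag attributes without a value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return CookieInfo(name.strip(), value.strip(), attrs)


def same_site(host_a: str, host_b: str) -> bool:
    """Simplified site equality on the last two labels (constructed heuristic;
    browsers consult the Public Suffix List instead)."""
    def site(host: str) -> str:
        return ".".join(host.lower().rstrip(".").split(".")[-2:])
    return site(host_a) == site(host_b)


def classify(cookie: CookieInfo, response_host: str, page_host: str) -> str:
    """Return 'cross-site', 'rejected', 'first-party' or 'third-party'."""
    samesite = str(cookie.attrs.get("samesite", "lax")).lower()
    secure = cookie.attrs.get("secure") is True
    if samesite == "none":
        # Only SameSite=None cookies travel in a third-party context, and
        # browsers drop them unless they are also Secure. This is the one
        # case the proposed permission prompt would cover, whoever sets it.
        return "cross-site" if secure else "rejected"
    # Lax/Strict, or unspecified (treated as Lax, Chromium's default): never
    # sent on cross-site requests, so no prompt, even when a third party
    # set it. The browser cannot see what the server does with it.
    return "first-party" if same_site(response_host, page_host) else "third-party"


def audit(responses: List[Tuple[str, str]], page_host: str) -> Dict[str, List[str]]:
    """Group cookie names by class for a page load made of several
    (response_host, Set-Cookie header value) pairs."""
    report: Dict[str, List[str]] = {
        k: [] for k in ("first-party", "third-party", "cross-site", "rejected")}
    for host, header in responses:
        cookie = parse_set_cookie(header)
        report[classify(cookie, host, page_host)].append(cookie.name)
    return report


# Constructed sample page load for news.example (hypothetical hosts).
SAMPLE: List[Tuple[str, str]] = [
    ("news.example", "sess=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("news.example", "adfp=tok42; Secure; SameSite=Lax"),
    ("static.news.example", "theme=dark; Path=/"),
    ("ads.tracker.example", "ad_id=xyz; Secure; SameSite=None"),
    ("cdn.tracker.example", "probe=1; SameSite=None"),
    ("widgets.social.example", "lang=en; SameSite=Strict"),
]

if __name__ == "__main__":
    for category, names in audit(SAMPLE, "news.example").items():
        print(f"{category:12s} {names}")
```

The constructed adfp cookie, set by the page's own host with SameSite=Lax, is the first-party-hosted case the reply predicts ad networks would move to: it is never prompted for, because its attributes say nothing about its purpose.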


> Why not just let browsers control who sets what cookies?

This is actually the case, what do you mean? All browsers that I know of (firefox, chrome, elinks) allow the user to control what to do with cookies.


This is where we were before the GDPR. You can order your browser not to accept any cookies. But since you need at least one cookie (or other way of persisting data on the client) for stateful HTTP connections, the burden to sort out the bad ones is on the consumer. This is exactly what the legislation wanted to prevent.


> Why not just let browsers control who sets what cookies?

Browsers wouldn’t fall for dark patterns.


At least it raises awareness on how tracked we are.


Not all cookies are born equal.

I would like to store a cookie or a client-side cert to remain logged in, but not the other cr. Granted, they could use that cookie to track me, but this is what GDPR is about.

IIRC, Internet Explorer used to ask you for each cookie, circa 2000. These pop-ups became more and more common with time. The web would be unusable with those nowadays.


Practically there is only one browser, Chrome. And we know that it's not in Google's interest to do any of that. They are actively fighting and diluting tools and techniques that would prevent tracking.


I hate the implication that those banners are some sort of consent. They're so commonplace now that people blindly click 'okay' or close them just to be able to read the site. If the wording was something else ("you agree that we can take your first born child") would it even hold up?

The worst is when the banner says: "This site uses cookies. Agree / Disagree" -- it's not even asking for consent.


> The worst is when the banner says: "This site uses cookies. Agree / Disagree" -- it's not even asking for consent.

Some sites don't even give you a "Disagree." Liberty of London has no way to opt-out: "By closing this box or by clicking accept and close, you agree to our use of cookies."

https://www.libertylondon.com


I have never once in my life clicked on any of these banners. In no way have I given them my consent. I simply ignore them. If they track me, they're breaking the law.


The law requires either consent or legitimate interest (there are even more options, but not relevant here). So they can track you without consent and not be breaking the law.


"Legitimate interest" (Article 6.1.f) is one of the weaker clauses for lawfulness of processing as it comes with the following caveats:

1. Having some legitimate interest is not necessarily sufficient - the privacy interests of the data subject can override the legitimate interests of the controller (Article 6.1.f itself), so the controller has to explicitly take the privacy interests of the data subject into account, and the reasonable expectations of data subjects matter. So this can be tricky, as it's up to the organization to demonstrate that their legitimate need outweighs the data subject interests.

2. the right to object of Article 21 applies for this clause, with explicit clarification in 21.2 that yes, people do have the right to object to direct marketing profiling;

3. the controller is required to explicitly inform the users "At the latest at the time of the first communication with the data subject" that they have the right to object to this processing (Article 21.4, and Recital 70);

4. As article 21.5 states "the data subject may exercise his or her right to object by automated means using technical specifications", so this opens the way for specifications such as the upcoming Global Privacy Control header (https://globalprivacycontrol.github.io/gpc-spec/) which would be a legally binding "I object" mechanism.

Because of this, whenever an organization can assert some other basis for lawfulness of processing (e.g. consent or performance of contract) then that would be a safer option than trying to assert a legitimate need.
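As an added example (not the GPC project's code, nor anything from this thread) of point 4 above, here is how a site would honour the Global Privacy Control signal on the server side. It assumes the request header from the GPC draft (`Sec-GPC: 1`), the field names of the draft's `/.well-known/gpc.json` resource, and a constructed split of a hypothetical site's cookies into essential and non-essential.

```python
"""Treat 'Sec-GPC: 1' as an automated objection that overrides any stored
opt-in, as the comment above reads Article 21.5. Added example; the cookie
inventory below is constructed for a hypothetical site."""
from typing import Dict, List

# Constructed inventory: essential cookies keep the service working (session,
# CSRF) and need no consent; the others exist only for analytics/advertising.
COOKIES: Dict[str, Dict[str, object]] = {
    "session":   {"essential": True,  "header": "session=s1; HttpOnly; Secure; SameSite=Lax"},
    "csrf":      {"essential": True,  "header": "csrf=c1; Secure; SameSite=Strict"},
    "analytics": {"essential": False, "header": "analytics=a1; Secure; SameSite=Lax"},
    "ad_id":     {"essential": False, "header": "ad_id=x1; Secure; SameSite=None"},
}


def gpc_signalled(headers: Dict[str, str]) -> bool:
    """True only for 'Sec-GPC: 1'. The draft defines no other value, so
    anything else ('0', empty, absent) is treated as no signal. Header name
    lookup is case-insensitive, as HTTP header names are."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide_cookies(headers: Dict[str, str], stored_consent: bool) -> Dict[str, object]:
    """Choose the Set-Cookie headers for one response.

    Essential cookies are always set. Non-essential ones are set only when
    the user has opted in AND no GPC signal is present: the signal wins over
    a stored opt-in, so a user who objects via their browser stops being
    tracked without having to find the site's withdrawal flow."""
    if gpc_signalled(headers):
        tracking, reason = False, "Sec-GPC: 1 received; objection overrides stored consent"
    elif stored_consent:
        tracking, reason = True, "explicit opt-in on record"
    else:
        tracking, reason = False, "no opt-in on record"
    to_set = [str(c["header"]) for c in COOKIES.values() if c["essential"] or tracking]
    return {"set_cookie": to_set, "tracking": tracking, "reason": reason}


def gpc_support_resource() -> Dict[str, object]:
    """Content for GET /.well-known/gpc.json, declaring that the signal is
    honoured. Field names follow the GPC draft; the date is a constructed
    placeholder. A real handler would JSON-serialise this dict."""
    return {"gpc": True, "lastUpdate": "2024-01-01"}


if __name__ == "__main__":
    for hdrs, consent in (({"Sec-GPC": "1"}, True), ({}, True), ({}, False)):
        d = decide_cookies(hdrs, consent)
        print(f"{d['reason']}: {[h.split('=')[0] for h in d['set_cookie']]}")
```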


Very true! yet lots of companies still (try to) hide behind it. My recent experience was with Sonos. They heavily track you without opt-in/explicit consent and hide behind legitimate interest.

https://blog.gingerlime.com/2020/sonos-is-spying-on-me-and-y...


When it comes to cookies, the ePrivacy Directive 5.3 is more strict and requires explicit consent for non-essential cookies and similar technology (incl. fingerprinting). Look up the recent case against Apple's IDFA. Legitimate interest does not come into play here actually.

on mobile so can’t easily post links unfortunately. EDIT: here’s a couple of links

https://noyb.eu/en/noyb-files-complaints-against-apples-trac...

https://blog.gingerlime.com/2020/does-ios-14-protect-your-pr...


There are somewhat strict rules of what is legitimate interest. And sending data to a US company (Google Analytics) even requires some extra steps beyond normal consent, now that the privacy shield has been scrapped.


The disagree button is the "Close" button, unfortunately.


And often it works like a "please leave the site, nothing here for you" button. Amazing how IRL businesses use such types of third-party booking systems with ads and other crap shoved down your throat; that's for anything from hairdressers to carpenters. One would think at least they don't require you to log in via FB, ah waaaait, some of them do. The web dystopia is here now, enjoy it.


You sound like the guy who wrote this:

"We're not going to lie to you. Your privacy isn't our priority. It's not even close. Not because we want to track your every move. But because we simply don't care. We'd rather spend what limited time we have actually improving the web site. We're into taking pictures and adding content, not obsessing over what your dog had for lunch so we can sell it to MegaEnormousBigCo. We're not tracking you. We're not tabulating you. We're not folding, spindling, or mutilating you. Seriously, your personal life is not important to us. However, you may or may not be of interest to the people who advertise on this web site."

https://www.chicagoarchitecture.info/privacy.php


The last sentence is the key part. I could respond in kind: No one cares if you care or not. We only care about the people who are willing to buy that stuff from you.


The thing is, that's bullshit.

Here's the other perspective: Data brokers don't really want your data if you don't want them to have it. It's a legal liability for them, and most of them are struggling to work at the scale their customers demand already. But publishers want high advertising rates and that means advertisers want to make good bids and that means both actually want a data broker involved to deal with the technical (collection, filtering, aggregation, ETL) and legal (GDPR) bullshit.

But then publishers and advertisers don't do their due diligence or decent engineering and just shovel illegal shit to data brokers on the backend. The ones that shut up and launder it do well; the ones that actually try to do a good (technical, legal) job drown in account management and data processing overhead.

So fuck that site. They are the ones that care about your data, they're just making a show of keeping their hands clean while they pay someone else for the dirty work and hiding behind their (half willful half stupid) ignorance of how their own industry works.


Gotta love some good customer flattery


This honesty is refreshing.


+1


I find these pop ups weird. Shouldn't we get an option to say, "Disable tracking"? These pop ups don't really have any utility because a banner won't stop them from reading the article.


“And we would rather not have this crap, but nobody pays for content and there are only two types of ad networks, privacy-preserving and paying, so we’re stuck. Please call your congressperson to complain [here].”


”Businesses are the real victims.”

—Another fake quote


I'm confused.... AFAIK the biggest ad company, Google, doesn't share your private info. It's not in their interest to do so. Instead they keep it to themselves and then offer ads by categories so as a 3rd party I can say "Please target this ad at 'video game players'" but I can't ask "give me the names of video game players"


The issue is by including google tracking on their web page, then from a legal point of view the publisher is sharing your information with Google


Google is the company that your info gets shared with.

Google being the biggest ad company does not give them the right to surveil all that walks the earth.


So what happens if one consents to it, but also has third-party cookies disabled in one's browser settings?

Is disabling it there globally equivalent to not accepting on such banners?


Consent often involves more than just cookies. Consenting essentially allows them to use other tracking technologies beyond cookies such as IP addresses or browser fingerprinting.

This is also why the GDPR requires consent forms instead of relying on browser cookie settings, as it covers the intent of tracking itself as opposed to any technical means by which it is achieved (and this is why functional cookies such as for logging in or shopping carts don’t actually need consent at all).


The wording of these banners rarely suggests as much.

They talk about cookies, and little more.


Well, most sites still generate at least some kind of CSRF cookie. Multi-language sites sometimes even have tz/lang.


TZ/lang preferences do not require consent, a CSRF token for a logged in user seems to me to be legitimate interest too, but I suppose you could see it as an identifier that can be linked back to the user. I still think if you're using it just for security purposes it counts, but the fact that the same identifier could be used for tracking based on differences on the backend is one of the reasons why this isn't just based on browser cookie settings.


Well, it's legal to create a hash and save it inside a database to count unique users. If the hash is not connected to any info that would identify a user (btw. user agent is some kind of identifying stuff), it is fine.

What I wanted to say is that cookies are not illegal by GDPR means and GDPR does not make a lot of stuff illegal; it's just that SAVING personal information or information that could identify somebody needs explicit permission.

Edit: another thing, IP addresses. By German law you are required to save them when a user can register on your site and your site allows users to submit data, because authorities force you to give them out when a user did something illegal (§ 7 Abs.1 Satz1 Nr.4 TKÜV, https://www.gesetze-im-internet.de/tk_v_2005/__7.html). In Germany it's basically: fuck the privacy if they harmed our law! Or at least you need a way to "activate" saving IP addresses.


How do you create the hash? If it's based on something that you can derive from the user (let's say sha1(IP address + User Agent)), that seems pretty clearly identifying. If you generate a random identifier but save that identifier in their cookies and send it back next time, also pretty clearly identifying.


> How do you create the hash? If it's based on something that you can derive from the user (let's say sha1(IP address + User Agent)), that seems pretty clearly identifying.

Of course that is forbidden. And that's exactly why it is really hard to tell if companies honor it.


Why does that matter? If the advertisers delivered cookies via the main site server, would that change your experience?


This wording should be required by GDPR. :)

If that would be the case, maybe more sites would follow GitHub here.


Yes, like on cigarette boxes with mandatory, non-dark pattern, visible without scrolling 3 meters button to choose "Don't agree, Continue".


> Yes, like on cigarette boxes with mandatory, non-dark pattern, visible without scrolling 3 meters button to choose "Don't agree, Continue".

And then Facebook takes out full-page ads attacking your company for allegedly hurting "small business."


CCPA tried this with the "Do Not Sell My Personal Information " requirement, but it was about as ignored as GDPR



