> It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it.
Do yourself a favor and enable the Cookie lists in uBlock Origin.
I'm personally grateful that a law requires my consent before tracking me. That means I should not be tracked without me saying OK without monetary risks.
> Do yourself a favor and enable the Cookie lists in uBlock Origin.
Could you elaborate on this please? I'm sifting through the options and not sure what I'm looking for (disclaimer: I have never once opened the uBlock Origin settings menu in all the years I've used it).
EasyList cookiefilter. Works in uBlock lite as well. It hides all permission notices and consent forms for things you are (presumably) blocking anyway.
I've found you need to remember that you've done this as occasionally I'll get a website that behaves strangely until I link the behavior to uBlock, temporarily disable it and fulfill the cookie notice, then I can enable it and proceed.
Setting a language preference cookie is not tracking and I will die on that hill. The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user. Collecting a crash report is not tracking a user. Even first party product analytics is not tracking a user.
Tracking a user across domains using a 3rd party aggregator to serve add and do attribution is the evil. And the EPD far overshoots the mark of specifically addressing that evil.
A language preference cookie is not tracking under the GDPR and doesn't need to be promoted for. Of course, if you take that language preference and feed it into your advertising to identify and target people, then it becomes tracking.
You're correct under the GDPR but incorrect under the older ePrivacy Directive. EU sites need to be compliant with both, and so the cookie banners persist.
> The Directive provision applicable to cookies is Article 5(3). Recital 25 of the Preamble recognises the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies; those that are deemed to be "strictly necessary for the delivery of a service requested by the user", such as for example, cookies that track the contents of a user's shopping cart on an online shopping service, are exempted.
Language preferences are (in all of the deployments I've seen) legally categorized as functional cookies and not strictly necessary cookies. Same with e.g. dark mode/light mode or other preference toggles
The wording is annoying, but no. I’ve received legal advice on this topic. Functional cookies are not strictly necessary. It seems very backwards but it’s how the industry currently treats things.
Read: https://gdpr.eu/cookies/ …after you dismiss the cookie banner, of course. I add this not only as a quip but to highlight that even a gdpr explainer website which you’d expect isn’t doing the evil thing of tracking users, has interpreted the relevant laws such that it finds it necessary to promt the user in order to simply explain the gdpr and epd/epr…
> This is not an official EU Commission or Government resource. [...] Nothing found in this portal constitutes legal advice.
It's easier and safer to just claim that you must prompt for everything, and it serves the goal of obfuscating bad behaviour.
Cookies that are functionally necessary to do what the user is there for, not to track them, are OK, that's the spirit and intent of the law. Even if you think the wording means that, realistically, the EU isn't coming after anyone for a legitimate good-faith use of language cookies without a banner, and they'd clarify if that was how they intended to enforce it.
I did, I quoted stuff from it, but you are not helping. You should quote the things relevant to the point your are making. Especially when you notice people are not picking up. You also keep saying that gdpr is not EPD, but your link is short on details about this and with this point, you lead me to seek information in sections that are irrelevant.
But I see what you are saying now. That page lists the different purposes, including preference cookies (which include language preferences) and strictly necessary cookies, and I know asking consent is not necessary only for strictly necessary cookies (this page says it, I quoted that part earlier).
If that page is right, you are right and I was wrong. Thanks for persisting.
Well, that would be a shame, and that probably would explain why cd.cz makes me pick English each time I visit. I was assuming they could just save this preference in a cookie, but they obviously wouldn't be able to since I didn't provide consent, since I hide the cookie banners and they don't ask for consent later when needed.
I guess it it safe to ask consent in doubt, but I'm not yet convinced the language cookie cannot be considered strictly necessary. How can you correctly provide a requested service to a user if you don't use a language they understand, and how storing the language is not for fulfilling an explicit request from them?
>The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user.
If your are referring to GDPR this is wrong. GDPR does not require consent for strictly necessary cookies.
>Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
Though language preference does not seem like something that requires a cookie. Just respect the Accept-Language header. There is no need to reinvent the wheel here.
No I am referring to the EPD as I state in my comment, an acronym you should know since it’s defined in the explainer you link. As someone who has experience in this area, it’s not as simple as “just use the Accept-Language header it will be fine”.
In any event, that’s besides then point. There are non-tracking cookies that get swept up in the EPD’s consent requirements. This causes way more popups than needed to address the real problem of users being tracked and profiled across domains. The result is users being inundated with consent banners on freaking homepages.
If you changed the requirements to “consent is required for marketing cookies” then I’d wager it would vastly reduce the need for these banners. You could show the banner interstitially as soon as a customer entered your funnel and wanted to try to perform spooky attribution.
In my experience the banners are useless because they don’t actually tell me whether the site is tracking me or not (the behavior I presumably want to prevent). They just tell me whether the site uses cookies, which I’m okay with 99% of the time, so I just click yes.
We got it from understanding the legal difference between strictly-necessary and functional cookies. I’ve received legal advice on this topic. The law is crap. It is bad and harmful and botches a nuanced topic. That’s my original point.
> The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user
Nope.
That's exactly why the evil cookie modals are not on the GDPR but only on the sites that want to track you and now need to ask you for your consent before doing so. That's usually exactly where good faith GDPR detractors are wrong, and that's what needs to be repeated again and again in those discussions.
You're correct that the GDPR specifically doesn't require this, but you're incorrect that "the law" doesn't—the 2004 EU ePrivacy Directive requires affirmative consent for all cookies, and it's being enforced much more strictly now in a post-GDPR world
No you didn’t. You’re misunderstanding the classification of strictly necessary vs functional vs marketing/tracking cookies. Go talk to a lawyer. I’m sure they will clear things up for you.
Do yourself a favor and enable the Cookie lists in uBlock Origin.
I'm personally grateful that a law requires my consent before tracking me. That means I should not be tracked without me saying OK without monetary risks.