It's constantly frustrating to read about European users getting cool new features to help manage their digital life that the rest of the world doesn't get. The expected cost in lost ad revenue per user must be pretty significant to justify the complexity of keeping this stuff limited to Europe.
There are also downsides to European regulations. There is no free lunch and some toll needs to be paid.
Some examples include
- Banning encrypted messaging (almost passed)
- Cookie pop ups
- Various regulations harming open source (discussed before on HN)
Also, due to how Europe is wired up, the cost of doing startup business is higher, which is why there are fewer and fewer successful European software growth companies.
Your examples are terrible, which probably proves the point that EU users are getting more than they are losing. Btw Europe != EU.
It's a positive thing that it was brought up and struck down. The EU is actually the one you should be thanking because most European countries would ban it.
Malicious compliance by websites, but at least users have a choice of opting out of tracking. Again, a positive thing.
The most recent changes are so watered down that it basically only applies to commercial open source companies that are turning a profit. It's helping users more than it's harming the open source community.
If the legislation had been written correctly then the current nightmare wouldn’t exist.
Should have been a browser level setting the sites are forced to comply with. The pop-up per site with free rein how obtuse it can work was always gonna suck. Pure incompetence from the politicians involved.
This is always brought up when EU cookie regulations are discussed. If only the EU consulted HN readers...
It's true, though. The technical language could've been written in a way that makes it more difficult for websites to circumvent, and less annoying for users. Or the regulation could've been amended to clarify and improve the technical aspects.
That said, getting to a regulation at all was probably a bigger nightmare, with Big Tech lobbying against it every step of the way. So I'm glad that we even have the current GDPR, and that the EU is still leading the way in privacy regulations globally.
The cookie regulation was designed to train people to "Agree" without reading.
It was a prerequisite step for GDPR that was designed to legalise data collection and trading.
Before GDPR it was a gray area, now companies can easily get consent as users mindlessly click "Agree" to data processing and selling and they have a legal basis to do so.
These are corrupt laws, but most people blindly believe EU is good and totally not in bed with big corporations.
You have clearly not seen the amount of people who click "deny all" or "only statistics". Before the GDPR _everyone_ had to accept _everything_ a website sent their way and didn't have a say in it, after the GDPR only 33% of people click "accept all" on the cookie banner for the fairly large e-commerce site I work at.
If the goal of the GDPR was to train people to click "Agree" and to legalise data collection, then that law was an abject failure.
How do you know that only 33% click accept all if you are not meant to track those who deny?
That said, 33% of consent, legal to be sold, is better than 100% of gray area.
Before GDPR you didn't have explicit consent and you still could be on the hook for trading personal data.
The system is working as intended.
Without tracking it's easy to:
a) compare the total number of visitors vs those who accepted tracking
b) just increase a counter for each "No"
That's a cynical take. In reality, companies took advantage of the loose technical language to do the least possible work to comply with the law, while doing their best to implement dark patterns to confuse the user into clicking "Agree". This is something that can be improved with stricter regulation, but it will always be a cat and mouse game.
Another cynical, and also false, take. The GDPR wasn't "designed" for that. In fact, it actively tries to prevent it. An EU citizen can contact any company in the EU and demand to access all their personal data, or for it to be deleted. This is an unequivocal win for people to regain control over their personal information.
Is this the best that governments can do? Certainly not. I'm still glad that at least something exists, and the tech industry is not entirely unregulated, as in most other parts of the world.
No. These laws are a step in the right direction. Unfortunately, the strong influence and rapid pace of development of the tech industry means that governments will always play catch up, even when they want to pass laws that protect their citizens.
Citation needed. Name me a government that is not in bed with Big <industry>. Big Tech in particular is in strong symbiosis with governments, as they both share some common goals. So, sure, there's that. And yet despite it, the EU still passes laws that fight Big Tech's reach, and fines companies when they don't comply. Can it do better? Sure. But name me a government on Earth that does a better job at this than the EU.
We don't need to get political here. But it's foolish to spew cynical takes when some governments are at least trying to fight Big Tech, and even more foolish to imply that their attempts are making things worse for its citizens.
You seem to be inverting cause and consequence: it's the websites who are annoying to the users, not the law. The banner is optional, it only exists because websites want to collect your private data, not even to make the thing work.
The regulation has been clarified to mean something important: refusal must be as easy, visible and doable as acceptance, so people can click "refuse" everywhere. Lack of acceptance means refusal, so people can close the banner.
No, I mean that the law could've been written in a way that makes giving consent less cumbersome for users. I agree with GP: if it had been a browser setting that websites _must_ comply with, like the abused and now dead DoNotTrack header, then we wouldn't have ended up with annoying consent forms to begin with. After all, it does make sense for this to be a global user preference, rather than something the user needs to consent to on each site. Even without getting into technical details, this should be evident to anyone.
I'm not aware of why this didn't happen, or why the DNT header was killed, but it wouldn't surprise me if the (ad)tech industry strongly lobbied against it, and won. The internet loves to criticize this oversight as incompetence from politicians, but politicians couldn't have elaborated the technical aspects of the law without IT consultants, and these surely understood what could be the implications. The fact they went with the consent form approach, and the fact this hasn't been rectified years later, is probably a sign that the tech industry still has considerable sway in regulatory matters.
But to blame this situation on the law itself, or the EU, is just delusional. I'm still happy it exists, warts and all.
But nothing prevents browsers from doing so! In fact you can even configure your browser to never show those popups, and everything is fine. Every time I switch people over to Firefox I install uBlock Origin and the list that blocks cookie popups: https://jasonmurray.org/posts/2020/cookies/ (there are even more settings to block even more popups today)
Actually Google is seeing the wind turn and is slowly moving away from cookies, so it did even better than what you wanted: it will effectively kill (unnecessary) cookies as a whole.
I have no issue believing lawmakers did in fact take advice from IT experts, seeing how they could make the difference between useful and useless cookies. But the law never goes into implementation details, that's another level of regulation, and the real effect is coming: the major browser will block third-party cookies. That will change everything.
It works fine now, many sites i visit have a "Deny All" button which was how it was supposed to work. Initially, (inevitably) private corporations found a way to subvert the spirit of the law to their benefit.
Getting the legalese of legislation right first time is almost impossible when there is an army of lawyers, paid by corporations, whose job it is to unpick it.
That’s not fine. It’s antithetical to the very idea of the web. Accepting this shit as a compromise is exactly what we did with adblockers and that battle is still ongoing, and not solved. Whenever the greasy finger of corporations ends up inside our browsers, whether it’s fingerprinting or meaningless consent screens, or tracking cookies/pixels/scripts, things are not dandy, imo. I don’t have a solution. Just saying.
I'm genuinely curious and not trying to pick a fight here. The core idea behind html when it was first conceived was that it allowed you as the viewer to present that info in any way that you chose. You can change the font, etc to suit your own preferences.
This idea got killed by content providers who mostly want to hardwire their content layout because they know better. So where is this "idea of the web" coming from. Surely there's no longer a central core idea, it's just what each of us make of it, and as a result we're often in conflict about how things go.
Did choice get formally taken away? Does the content provider get to choose how it's done now?
Like with “democracy”, it is not possible to create a comprehensive formal definition that embodies the full spirit of the idea. Without getting too philosophical, the web is client-server based where the provider controls the server, and the user controls the client. There are fierce battles being fought on both fronts:
- Providers are being lured by ad tech giving you a free (as in beer) space in exchange for relinquishing any control of the server. An example would be YouTube where you get free hosting if you comply with opaque community guidelines and strike systems. Limiting linking to other “platforms” aka websites is another example. A more subtle example would be cloud infrastructure where switching provider is designed to be prohibitive.
- Users are under attack based on their IP geo, VPN usage, extensions (ad-blockers primarily), fingerprinting, UA sniffing, JS obfuscation, video DRM etc. The most egregious example is to force users to download an app (a client that the provider controls fully). Captchas are a more subtle example.
Note that there are real hard problems with a healthy web, notably DOS protection, which needs some level of client fingerprinting (like IP rate limiting).
However, large businesses – many of whose success is built entirely on top of the web – are actively eroding it for banal selfish reasons. Much like how democracy can be leveraged by those who don’t believe in it in order to gain traction, only to later be dismantled to maintain power and control.
It was written correctly. Because it's a General Data Protection Regulation. It applies in equal measure to websites, apps, paper records, SaaS, shops, government entities etc.
And it says: "do not get more data than is required for your business. If you want more data, the user must give consent, where opting out is the default, and must be as easy as opting in".
Now, what exactly is badly written in the law? You can start with quoting exactly where it requires existing cookie popups.
For example, GitHub found out they need exactly none: https://github.blog/2020-12-17-no-cookie-for-you/
It's called the Do Not Track header, and at one point Safari removed it because the companies you think are blameless used it to track users
Legislation is not a technical spec. It's made purposely to be interpreted. And companies are made to optimize their profit given the constraints set by the law. Sometimes companies have to bet that if they do X, they won't get a fine, and decide if they want to take that risk.
Companies can even bet that the fine will be smaller than the profit, which is often the case. And that, IMHO, is the problem: we (I mean our governments) should be much, much more aggressive with the fines. BigTech can basically do anything they want because the fines are always ridiculous (because BigTech are too big, sure).
Well, if this scum, which is the adware companies, had respected the Do-Not-Track flag set in the browser, this wouldn't have been necessary.
Now, would it?
You see, the thing about European legislation is that certain stuff, especially stuff people oppose, is proposed over and over again until it passes. It costs almost nothing to re-propose things like killing net neutrality or banning end-to-end encryption, but it's very costly to oppose them. Which the politicians and lobbyists know and use to their advantage.
Well at least people's voices are being heard, not something I can say for every country, federation, or union.
That does not sound particularly specific to the EU to me?
No it's not. People should be fired for proposing such things as they breach human rights.
It's like being happy that someone proposed genocide of all men over 60 to save on pensions and that the idea didn't pass.
Perhaps GP meant that the end result is a net good, since now it's in the books that it was positively, explicitly struck down? (Rather than being ambiguous or assumed, with no records etc.)
Anyway, reading sibling comments it seems like it's not that simple either way.
Cookie popups are a net positive because users are given a choice. Besides, in the US we often still get the popups but they're just useless, with the only option being "accept"
Unpopular opinion: the proper place to control cookies is from the browser, not from the website. Browsers should show a prominent way to disable or otherwise restrict persistent storage to websites to inhibit tracking.
DNT exists, and the cookie banners did not need to be regulated into existence if the websites did not strategically ignore the DNT header.
Why not regulate the DNT header into expressing the user's cookie banner preferences?
GDPR does not specify what technology to use to acquire consent [1], as long as the user consents. Trackers could honor the DNT header if they wanted to, and show the banner as a fallback for browsers not sending the header.
[1] You can read the text: https://eur-lex.europa.eu/eli/reg/2016/679/oj there is a single instance of "cookie" (in the preamble) and no instance of "banner".
> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
While DNT could potentially be used for opt-out, it wouldn't comply for opt-in because it is not specific or informed as the user does not know what specific data processing activities will be done, can't opt-in or out of specific data processing activities, doesn't know the identity of those doing them or that they can withdraw consent at any time.
DNT specification does not allow for giving valid consent under GDPR because it is not granular and it is not informed. There's no browser dialogue that details the requested consent for which and what processing.
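The DNT-as-fallback idea above, combined with the reply's caveat that DNT can only ever express a refusal, as an added example that is not from this thread: a small consent gate in which a DNT signal is treated as "reject all", an explicit per-purpose choice is applied as recorded, and the absence of any signal means "ask, load nothing" rather than consent. The purpose names, the `decideConsent`/`recordChoice` functions and the browser glue are assumptions for illustration.

```javascript
// Assumed, hypothetical list of processing purposes the banner would describe.
// Consent is recorded per purpose because a blanket "yes" is not specific enough.
const PURPOSES = ["analytics", "advertising"];

// dnt:    raw value of navigator.doNotTrack or the DNT request header
//         ("1" = user asked not to be tracked; "0", null or "unspecified" otherwise)
// stored: a previously recorded choice such as {analytics: true, advertising: false},
//         or null when the user has never answered the banner
// Returns {action, allowed}: action is "deny" (honour DNT, no banner needed),
// "apply" (use the recorded choice) or "ask" (show the banner, load no trackers).
function decideConsent(dnt, stored) {
  if (dnt === "1") {
    // DNT is usable only as an opt-out: treat it as a refusal of every purpose.
    return { action: "deny", allowed: new Set() };
  }
  if (stored && typeof stored === "object") {
    // Only explicit per-purpose "true" values count; a missing or false key is a refusal.
    const allowed = new Set(PURPOSES.filter((p) => stored[p] === true));
    return { action: "apply", allowed };
  }
  // No signal and no recorded answer: silence is not consent, so ask before loading anything.
  return { action: "ask", allowed: new Set() };
}

// Build the choice object from the purposes the user ticked in the banner.
// Every purpose is written explicitly so "reject all" ([]) is as simple as "accept all".
function recordChoice(acceptedPurposes) {
  const choice = {};
  for (const p of PURPOSES) choice[p] = acceptedPurposes.includes(p);
  return choice;
}

// Withdrawing consent is just recording a refusal of everything.
function withdrawConsent() {
  return recordChoice([]);
}

// Map allowed purposes to the (hypothetical) tracker scripts that may be loaded.
function scriptsToLoad(decision) {
  const byPurpose = {
    analytics: "https://example.invalid/analytics.js",     // placeholder URLs
    advertising: "https://example.invalid/ads.js",
  };
  return PURPOSES.filter((p) => decision.allowed.has(p)).map((p) => byPurpose[p]);
}

// Browser glue, guarded so the module also runs under Node for testing.
function runInBrowser() {
  if (typeof navigator === "undefined" || typeof localStorage === "undefined") return null;
  const stored = JSON.parse(localStorage.getItem("consent") || "null");
  const decision = decideConsent(navigator.doNotTrack, stored);
  if (decision.action === "ask") {
    // Show the banner here; nothing is loaded until recordChoice() stores an answer.
    return decision;
  }
  for (const src of scriptsToLoad(decision)) {
    const s = document.createElement("script");
    s.src = src;
    document.head.appendChild(s);
  }
  return decision;
}
```
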
There are proposed browser signal specifications that would meet legal GDPR consent definitions. See https://www.dataprotectioncontrol.org/spec/
And as for why DNT did not take off, it's because MSFT sabotaged it by making DNT set by default in Internet Explorer. The social contract at that time between adtech, publishers and users was that the signal would strictly be opt-in. The adtech industry used IE making DNT the default as justification for not honoring any of the signals being sent by browsers. It doesn't take a lot of reasoning to realize MSFT did this on purpose, knowing it itself earns income from ads.
I've checked and sadly it's listed as deprecated on MDN. I don't know if there's anything to replace it.
But it was deprecated precisely because websites either ignored it or used it as yet another signal to identify users (thus making it have the opposite effect to what was intended).
Tell that to the Chrome team.
https://assets.publishing.service.gov.uk/media/62052c52e90e0...
You probably want to tell that to CMA first.
The problem is that you can’t tell if the site actually needs the cookies to work properly. And it does not help against other kinds of tracking.
I use uMatrix for that. I have it set to block all cross-domain cookies by default.
Neither GDPR nor the ePrivacy directive demands cookie walls. The ePrivacy directive demands consent. That consent can be given programmatically by browser APIs. There's even acknowledgement of such a possibility in the legal text (see point 7 in the directive). GDPR itself does not demand cookie banners, either. It merely demands there to be a legal basis for processing of data that constitutes personal data. One of those bases is consent. It's not the only basis. Another notable basis is contractual necessity (includes all the cookies that are necessary for user experience, i.e. something like a PHP-placed session cookie).
Browsers do not have automated means to give consent/not give consent under ePrivacy because the largest browser is run by an ad company. Monetarily speaking, the ad company earns more if it coerces its users with dark patterns into giving consent under ePrivacy than it does offering pro-user choice technologies to give a blanket non-consent.
And ePrivacy itself is not just about cookies. EDPB recently released binding recommendations that severely expanded the perceived scope of ePrivacy (the true scope was always as it is, the adtech industry just ignored it). ePrivacy includes JavaScript side tracking, fingerprinting with various APIs and so on. It's not just cookies.
Your opinion should be more popular. Seems like even a lot of technically savvy readers on HN miss this.
It was done, and turns out that piece of info was just used as an additional data point for tracking.
I mean there are extensions like "consent-o-matic" that auto answer for you, but the law doesn't require any functions like that in a browser. I suppose it was a compromise between business interests and consumer advocates when they worked out the law for the EU?
I don't know. The web is pretty unbearable here in the EU due to the cookies consent.
Even more, many times I find myself wondering why a site is not responsive to my clicks just to find out there's some hidden cookie consent that didn't fire up properly and now I have to inspect the DOM to remove it manually.
Obtrusive cookie banners are somewhere between malicious compliance and a sign of shady business practices. Now that I see it spelt out like this, they are always a sign of scumbag companies.
They are present even literally on the pages of the EU organs that proposed them.
Go to the European Commission page - bam, cookie banner.
Compare a clear "allow cookies/allow only essential" to the industry standard wall of "we care about your privacy, so we sell your data to thousands of trackers that you have to opt out of manually"
Though yes, government services shouldn't use anything but essential cookies (for which you don't need a cookie popup)
That's switching goalposts.
You said only scammy businesses have cookie banners... no, all websites have cookie banners now in EU, and it's majorly annoying, unless you use extensions that click it for you.
(The most popular one is owned by Avast. Which is a horrible company that sells users data. So... yay?)
I didn't
All the sites that collect more data than strictly necessary, yes.
Here's an example of a website that doesn't need a cookie banner: https://github.blog/2020-12-17-no-cookie-for-you/
Indeed. This should tell you all you need to know about these cookie popups and companies that use Avast's, or IAB's or Admiral's cookie popups.
I really believe the primary reason is that Europe is not one culturally homogeneous area that speaks one language - like the US. Having that is such a huge benefit.
Doing marketing, promo, getting traction, legal documents, taxes, - anything - for your startup in your ONE country is already difficult. Now imagine doing it in 25 countries before you get to have scale benefits equal to the US or China.
There are likely several reasons at play, culture being a big one. However, there are other reasons at play such as differences in law, financing, immigration, the job market. Bert Hubert, an entrepreneur in the EU, has given this some thought:
https://berthub.eu/articles/posts/is-europe-just-not-good-at...
Exactly. We are building a platform that helps founders generate a sales strategy in the EU. We're half a year in and almost tackled "how to write good emails to Dutch prospects". Next up is Flemish, which has the same language, but a very different business culture. With luck, we have then captured a few percent of the EU tech market.
Germany is so different, that we'll need to hire several experts for the different regions in Germany. France too. Italy and Spain, unattainable (we are told) without at least a local branch and solid local staff. That's still only a portion of the EU.
"Cookie banners" are not the reason tech is hard in Europe. If you believe that, you really don't know anything about Europe or the EU.
The cookie banner isn't required if the web page isn't doing shady things with cookies though.
"shady things"
It's funny how you slipped in "growth companies" in there.
How about... profitable companies? In the past 10-15 years most "successful" US companies have been fueled by unlimited investor money with zero expectations of profits. I mean, look at YC's "top startups list". They lose billions of dollars every year. But sure, they grow. Like cancer
Websites do not have to show cookie pop ups if they are using only technical cookies like auth tokens.
But it came from a good idea: make vendors responsible for the software they put out, to make tons of abusive practices harder, like shutting off cloud services (making paperweights) or never updating massively holed software. The ramifications for open source were then realised, and the legislation, which is still under planning/review, has been drastically updated to make it more applicable for open source software.
But didn't?
Which has little to do with regulations, much more to do with the size and wealth of the potential markets.
Is that bad though? Are software "growth" companies a requirement for something? There are tons of successful software companies in various European countries, just not at the level of their American counterparts. Again, with quite obvious reasoning - there are 4x the people in the US compared to France (which is top 2 by population in the EU), and Americans both earn and spend more in USD not adjusted for anything.
Also lately, getting the newest LLM features much later than the rest of the world, or not getting them at all
Or, there are fewer overinflated unicorns that produce no societal value at all and exist solely as a marketing-fueled VC bet that will make a limited amount of people ultrarich relatively fast while the rest of us shoulder the social, economic, and financial burden of their efforts. Potato, potato.
What's frustrating is that we get the annoying things like the cookie popups everywhere but the beneficial stuff is somehow properly region locked to inside the EU?
I've always been curious if you offer a service for profit, but don't want to adhere to EU laws (obviously just avoiding EU customers at all). Is it enough to block EU country IP addresses so that Interpol doesn't get the Feds to kick in your door and turn you over to them for prosecution or freeze all your bank accounts for not sticking to the many Internet laws that you might not be familiar with? Is anyone aware of how to deal with firewalling off countries where you don't want to deal with the legalese?
FWIW, we also get non-stop cookie permission banners and often just straight-up denied access to certain services that don't want to have to jump through the hoops.
If you don't want to deal with cookie banners, there are browser extensions you can install to automatically accept them. However, although the cookie banners are sometimes a nuisance, it is still a good thing that people are informed and given the option to accept it or not.
I agree in general, but when I see a dialog box titled "We respect your privacy" and a choice between "allow all" or "see more", I donate 0.10 € to NOYB.
If anything, every time I have to click through one of those banners I wish that activist organisations/politicians had to pay me for having to go through it.
You can get an extension that will automatically click "allow all" and everything will be exactly as it was before this directive.
I want one that automatically rejects all.
You can disable cookies in browsers so that cookies do not persist after session close. Firefox lets you add a whitelist of sites to allow cookies, too.
Cookie banners will still appear.
If I understand the law correctly, your suggestion is good in practice but could be harmful in the long run.
When I click "I agree" I am not agreeing to cookies but rather to tracking. If the website wants to track me with (say) browser fingerprinting, deleting the cookies will not stop them from tracking me across sessions. Even worse: since I agreed they no longer need to show me a warning, so I may not even notice that I may want to revoke that consent.
If I don't want to be tracked, saying "I do not consent" is the only legally-actionable way. Deleting cookies works now because cookies are still cost-effective, but this won't remain true forever.
https://addons.mozilla.org/en-US/firefox/addon/istilldontcar...
Emphasis mine:
I wish that was true, but those extensions are far from flawless. Still, they are a massive improvement over having to click away all banners, especially for those of us who have our browsers set to clear cookies when quitting the browser.
It is not the activists' fault that the company wants to track you. They do not have to show you that stuff if they don't do unnecessary tracking.
It’s usually “we value your privacy”, which always makes me think “you put a value on it, alright, can’t wait to take it away”.
Those extensions are far from perfect in my experience (ditto the lists in uBlock Origin)
Often leave you wondering why you can’t click anything on the page
https://consentomatic.au.dk/ also allows to reject them automatically.
If anything, there should be extensions to automatically reject them. It’s a testament to how draconian the process to do it usually is that the extensions just surrender. Every time an extension or person accepts those, they’re reinforcing those companies’ choice to break the law¹ in the name of profit.
¹ The GDPR is clear that rejecting must be as simple as accepting.
The only things I've been denied as an EU citizen on the web so far have been US local news websites. And tbh I assume that is just one company that has a blanket policy of sorts. So I don't think "often" is accurate here.
That's just the secret program to get Europeans to stop making fun of us.
that's propagated to the rest of the world lol
We could have these regulations in the US, too, if we voted for them.
European citizens didn't vote for those regulations.
To a larger point, European citizens are largely favorable to those regulations, which makes passing these rules possible, and not a political suicide.
HN might not be representative, but the number of comments we see defending companies' right to make as much money as they can and against regulation that would add costs to businesses is IMHO pretty high. If that's the general US sentiment, politicians then have little upside in putting burdens on tech companies in the first place.
European citizens are largely ignorant of EU regulations, EU politics and EU spending. Most European citizens do not know the name of the EU president. But Europeans will categorically support and agree with EU policy and laws.
As for cookie laws, can we honestly say that they have done anything to protect people from corporate spying and abuse of private information? Real regulation would be to outlaw that kind of spying, not putting up annoying banners so that some web developer can feel good about themselves.
Very bold claim. Do you have any sources to back it up? EU politics are in the news all the time here.
Go ask a European. Who are the three EU presidents? Who were the EU presidents before them? Then ask them who is the current US president? And which presidents were before him? Who are the two top candidates in the 2024 election?
In case it wasn't clear from my comment: I'm European...
That is my point: You can ask anybody on the streets.
Because the person doesn't matter. Policies matter. And Europeans largely prefer privacy-protecting regulations
On spending, probably. On regulations, oh boy do people care.
Regulations have a pretty direct impact on each country's economy, and they get discussed nationally before being applied. That means meat prices rise when some practices get banned, or a whole sector suddenly getting competitive when barriers to entry are lowered.
For better or worse, people care a lot, and the negative sentiments are enough to fuel many extreme-side politics.
Probably a bit controversial, but to some degree that is a good thing. It prevents personality cults and allows pursuing agendas that think in longer terms.
In Switzerland, quite a big part of the population could probably not name the current seven members of the federal council - they can actually get work done, without having to appease the public at every corner.
European Citizens voted for the people who voted for those regulations.
And we have input via our governments, and the national parliaments have a say in the procedures: a group of 1/3 of all national parliaments can send proposals back.
Yes, and so do American citizens. Whether you agree or disagree with the regulations, they were never voted on by the people.
Both parties in the US are in the tank with big tech (see: NY Dems killing right to repair)
We don't vote for regulations, we vote for politicians. Who are a package deal, so in practice you're voting on several dozen different issues at once, and you inevitably have to prioritize. I don't think you'll find significant opposition to many of these laws in US, it's just that it's never going to be that one thing that drives people to vote for or against some candidate or party.
My experience is that stuff like this gets framed as "pro consumer" in Europe and "anti corporation" in the US. The difference runs deep.
Or just called our electeds about it. I’ve worked on privacy issues. Past tense, because after a massive effort like two people call and the bill is dropped. (Except in Oregon. Oregonians apparently call and write about privacy.)
Ok, how about this: "It's a bummer that the rest of the voting population doesn't agree with my priorities enough to enact similar privacy regulation to Europe."
I wonder if I could just change my location in settings?
Most apps like this use GPS to verify as well. A lot of gambling apps require that permission so you can't just VPN to legality.
It's just politics. Ask your legislators to give you the cool stuff as well.
Thanks to the Brussels effect[1] some of it can trickle down.
https://en.wikipedia.org/wiki/Brussels_effect
A part of this is the products being fitted to US market and only after they get traction do they hit the other countries. That means any of the wider digital management, privacy etc. are literally after thoughts, and the business model also doesn't properly fit.
With that approach I think we'll always get products that are optimized for free + ads first and foremost, as the US public reacts better to those, and once it's set up it's just so hard to pivot to paying models.
If you are in the US, write your local congressman. It's the only way things like this change with companies that are too big and powerful. Takes a long time to turn a big ship.
Eh, can't be that excited about anything involving the data hole that is Meta Platforms products, even if they make some EU concessions. Maybe when we get that EU-only iOS sideloading support I can finally be more smug about it.