Imagine a market in which companies charge a lot of hidden fees behind their customers' back, and users are not happy when they realize after the fact. The law is updated to say you are not allowed to charge the user a fee unless you tell him in advance.
Companies with tons of hidden fees decide to keep them but force you to read all the fees on every page of the menu before you can see the rest of the text, in the most annoying way possible, and promote the idea that the issue is not the extravagant fees, nor the fact that the companies hid them before and had to be forced by law to warn you about them; no, the problem is a law that forces them to tell you what you're getting into before it's too late!
That's, essentially, what's happening. And we have people complain that companies need to display their fees.
On this issue, in the group that complains about the cookie law, there are some people who are very wrong on purpose because it's in their interest, and some people who are very wrong because they genuinely don't understand the position they're defending, complaining about being made aware of the fee, instead of the fees themselves or the fact that the companies hide them if not forced by law.
To each their own belief about which category PG fits into.
Using your analogy, I think what ends up happening is that even companies that don't collect hidden fees will put up a banner just in case.
Not only that, I'm not an EU citizen and I'm not browsing websites based in EU but I'm still bombarded with cookie banners non-stop.
Do you have /any/ examples of websites that don't have a bunch of 3rd party cookies that still have a cookie banner?
Middle managers absolutely love anything with charts and graphs because it makes their decisions feel more scientific. That's why they want tracking software included on their websites. And if the law requires disclosure then a cookie popup is the solution.
My company recently announced a game, and we launched a website for the game. There's no ̶t̶h̶i̶r̶d̶ ̶p̶a̶r̶t̶y̶ e:tracking cookies (I didn't make the site, but I do run it).
Our US based legal team told us we needed a cookie banner if we were going to have visitors in the EU. I pushed back, but I lost, and ultimately it's not my fight.
Thanks for this, it seems a lot of cookie popups are there just due to cargo culting
I don't quite think Cargo Culting is the right label for it. It's not just because everyone's doing it. My experience when legal meets code is that common sense, intent and what is actually allowed go out the window, and cover-your-ass wins. My experience with Legal has been that they default to no "just in case" for every question you come to them with.
It's a battle to get them onboard to not taking the safest possible approach, so you only want to fight that battle when it's a kingmaker of an opportunity.
Yeah, people often approach legal in the wrong way: people often want to ask "is this OK?" and have the lawyers say "yes", but basically no lawyer is going to say that for almost anything. Instead you need to ask them to explain what the risks of different courses of action are and take a view as to whether they are important or not.
That's been my experience, but unfortunately _that's_ where cargo culting comes in. As part of $NEW_WEBSITE_CHECKLIST we have to "check with legal" which inevitably involves a laundry list of stuff like this, and the default is to accept what legal says, unless we _really_ don't like the answer at which point we're going to do it anyway...
Legal counsel is there to advise, not to design product UX. Some companies have bonehead policies like “you must develop whatever Legal advises” but that’s a choice the company is making. Sensible companies treat their in house counsel as advisory, and weigh the risks like they would weigh any other risks.
The funny thing is that most of the CYA cookie banners... are in themselves GDPR violations
It is not about third party or not, but what it is used for. Consent may be required even if there are no cookies at all.
You're right, I said third party, but I actually meant tracking. I actually went and checked, and our only cookie is the cookie for if you've seen the cookie banner or not...
For what?
It's not about cookies. Tracking without cookies also requires consent.
See my original post. Our US legal team said that we need the banner if we have visitors from the EU, not if we're tracking them.
This actually makes sense - because if you didn't have the cookie banner then some fucking weirdo would come to Hacker News and make a self righteous post about how you're "tracking residents of the EU without their consent and abusing them" (even though you're not). Instant karma. Next thing you know these weirdos and their mob are reporting you to their government and you're dealing with government inquiries and more legal expenses trying to prove your cookie-less web 1.0 site doesn't "abuse people."
The banner placates them.
Your legal team is holding the door open for the day they decide to start tracking.
They probably won't tell you that, tho.
Our legal team is following the checklist that they have that they know is pre-approved
OK? Does that contradict what I said?
Which was probably written (even if not by the legal team, but someone they consulted) with an eye towards keeping more data than legitimate interest allows under GDPR.
Sounds like your US legal team is covering their asses on topics they are not familiar with instead of acquiring the necessary competences.
I think a heck of a lot of smaller sites just cargo-cult the pop-up. Either because they misunderstand the law or because of overly cautious lawyers.
Or because of FUD from people interested in undermining privacy protections.
It only took two minutes to find at https://www.schwarzkuenstler.com/ and I'm sure I can find a dozen more in half an hour.
Germany is a bit litigious w.r.t. internet or privacy, so the combination---cookie consent---is a doozy. Nearly every German website that does anything will have a consent notification, and the slightest misstep (e.g. using Google Fonts without asking permission) can be punishable.
Their privacy policy states they use Google reCAPTCHA, which requires disclosure.
Aggregate data is not considered personal data by the GDPR.
Managers and everyone else can have charts and graphs without retaining personal data.
The processing of personal data prior to anonymisation to turn it into aggregate data, that part needs protection. But you can do it in a variety of ways that don't require personally invasive tracking.
Again, that's the fault of the companies putting those up, they could make it opt-in to collect your data, they could just put a small notice on the footer with 2 simple links "Accept all/Reject all". But they chose, they decided to pester you with those banners as annoyingly as possible to make you have exactly the reaction you're having.
The fact that companies are doing that says more about the bad law than the companies which is exactly Paul Graham's point.
It is the companies that suck, and Paul Graham is (quite literally) invested in the suckage, wherefore this dumb tweet. Which, if one wanted to create an ad campaign for that eternal Upton Sinclair quote, couldn't have been done much better.
(Thanks for the site though, Paul)
Paul is very unlikely to be invested in tracking unless he has some shares in Google/Facebook. Startups in tracking aren’t really a thing
I expect most startups "integrate" their regular revenues (if they have any) with some sort of adtech deal.
What a ridiculous point of view.
Do you think the same thing about laws against murder?
About fraud?
I've got to admit, I'm unclear what the equivalent of a cookie banner for murder would be.
This criminal uses murder! If you continue to interact, you consent to being murdered.
Murders you anyway
So the problem is that the legislator did not expect companies to be even worse assholes than they already were...?
Laws are not born in a perfect state; very much like programs, sometimes you need a few versions to see how the system actually works in practice and fix a few bugs. The fact that v1.0 has such bugs is not a good reason to just give up, nor is it an indication that the programmer is bad at programming.
What exactly is bad about the law that allows companies to do the annoying cookie banner?
Or it says more about the manipulative intentions of the companies than anything about a good law.
The law is pretty crystal clear. In many cases the issue is that websites are outsourcing their tracking to ad companies, which in turn apply those banners indiscriminately because that's in their interest.
That being said, all the dark-pattern banners actually break the law. The problem, if anything, is lack of enforcement of the law.
Just been in Europe last week (I live in US): you have no idea what a nightmare internet is in Europe. You are only seeing a side effect here.
I live in Europe; I don't experience this "nightmare". Would you care to expand?
Sure. The nightmare is that every single time you open the browser on a website you have to go through the data tracking preference for that website. It's a lot of work to avoid being tracked (companies are obviously using dark patterns there) and when you do it 20 times a day it gets frustrating quickly and collectively a big waste of human time.
Now I am not saying the US doesn't have a problem. They just don't have GDPR and most websites don't ask you for any permission to track you. So the experience is generally smoother (with the occasional tracking popup).
Ideally there should be a way for me to broadcast my willingness to share my data and not allow dark patterns to try to change my opinion. But the GDPR does not cover that and allows websites to drive you crazy until you click "YES, Track me"
I think your problem is that you're accessing US websites from Europe, since those are what you know. European websites are a lot less annoying, they actually care about the customer base here.
This is not my experience. Perhaps the websites you favour are exceptionally abusive.
That's the opposite of what most people want to broadcast.
Apparently your view is that GDPR should not allow that, i.e. it isn't strict enough. I'm inclined to agree.
As someone who's lived in both the US and Europe during the past few years... GP is full of shit.
It's crazy how censored the internet is too, you need a VPN to access even piracy adjacent sites in Germany. Unheard of that an ISP would block a website in the US without the FBI itself taking it down.
You don't need a VPN, just a different DNS server.
It's really not much different.
Source: Living in Europe
For your first point I disagree, my companies don't track and we don't have banner cookies.
On your second point, that is again a choice of said companies, not a problem with the law. The GDPR has proven very well that if they cared, they can segment who is affected or not, and not just big tech: lots of random local news sites and the like are doing it just fine.
So again, you're aiming at the wrong culprit.
Agree. How much corporate propaganda are people consuming that legislators are seen as wholly responsible for the bad behavior and malicious compliance actions of corporations?
What does it say about the relationship between businesses and consumers that the first response to this bad behavior is to shout "look what you made them do!"
Seemingly it is everyone's fault except the bad actors themselves.
Many of us had no real problem with the ad-supported web in the first place. I was happy with the status quo.
So yes, I do blame the government as I would be fine returning to the prior state.
A site can serve ads without tracking (and the banner) - the ads just couldn't be targeted at individuals. Instead they'd have to guess what ad was appropriate ("Rolling Stone" could serve everybody ads for Taylor Swift's latest album without a banner, etc).
The biggest problem with online advertising is not tracking users. It's a lack of trust between advertisers and pretty much everyone else. If you're going to pay for an ad, you want to be sure it was seen by a real person. I'm not sure that's the concern any more because click-through is more important than "seeing" an ad. Regardless, the goals are to make sure it's easy for a given advertiser to get on many web sites, easy for a site to get ads, and also possible to prevent fraud since there will obviously be multiple parties involved.
I suspect tracking users was an offshoot of just verifying that users were real to prevent fraud in the ad world. Not saying any of it is OK, but it seems like the way to prevent tracking is to find a way to verify authenticity while also preserving privacy.
Embedded banner ads with a third party sampling the site to see that ads are fairly displayed according to paid quota. Maybe something like that?
This means you get less money for it and can't survive due to the lesser revenue.
This is counterfactual. Many things survived on exactly that model before hyper-targeted ads. And besides, with targeted ads the middle men take most of the cut.
And that would be fine, as long as Swift was willing to pay for it. But the tracking and personalized ads thing was a numbers game; personalized ads have a higher conversion rate, thus are more valuable, thus we need data to personalize ads.
"I would like website operators to assume that I consent to being tracked, so I'm annoyed that website operators are not allowed to assume that everybody consents to being tracked."
That was your choice in the end, but this was the problem - people didn't have the choice, or the awareness. The EU law fixed this, but instead of corporations going "Hmm, maybe we shouldn't track users", they instead went with malicious compliance and implemented annoyances - because data is more valuable for a lot of websites than whatever said website is peddling.
If it only were that simple. When the GDPR came out, a lot of confusion and misunderstanding ensued. Not only regarding the damn cookie banner. Even totally legitimate health-care providers started to collect signatures to be on the safe side. I still remember receiving a basic GDPR training where we were told that opt-out/signing is only necessary if the entity is planning to do weird stuff with your data. IOW, if someone wants you to sign, they plan a bad move. Then my bank wanted a signature. And a month later, one of my healthcare providers wanted a signature. After a chat with him, I learnt that his lawyer told him to collect the signatures just in case, and made him believe that if someone doesn't sign, that is a problem.
So now we have this situation where providers were trained to play the GDPR in such a way that they will never have a problem, no matter what they actually do with the data.
And consumers are pissed because they are made to sign things which essentially reduce their rights...
And if someone (like me) thinks the EU did a half-assed job there, the downvotes rain in.
But not as much as you might think. Consent under GDPR only applies to what you were informed of when you consented, and you're allowed to revoke consent (with prospective effect) at any time.
Yeah, but these are rather theoretical practicalities. In the majority of cases, consent is coaxed out of the consumer. If you show up for an MRI, and you get a piece of paper with the comment "It is for data protection", almost nobody has the time or nerve to actually read the text, and even fewer people have the inclination to decline to sign. After all, they (sometimes desperately) need the service. Let alone that the accompanying comment is deliberately phrased such that some people will believe they need to sign in order for their data to be protected. Dark patterns all over the place. My bank implemented the consent (for a while) as a reoccurring pop-up after login. Yes, you get the popup as long as you decline to sign it, over and over again. I think they gave up on that practice, and it was partly a dark pattern (IOW, there were two buttons to decline to sign, and one would result in the popup reoccurring). Examples are all over the place if you walk an EU country with open eyes.
I kinda hate saying this, but Microsoft (or at least GitHub) got it right in a week. Some OSS publishers also got it right, like Nexedi, and some I'm slightly upset with (GitLab), but it is true that for the commercial internet it seems to be invasive. I do not use the commercial internet much, and like any person with Greasemonkey, I took a rainy afternoon to remove the most annoying banners (I think now I use a plugin that does it for me).
The fact that you have to use a plugin or other technical remedies to fix the cookie banner situation is all the proof we need to see that the EU totally fucked up. It is easy to declare that you just need to install this or that to get an obstruction-free internet again. But it is also very very elitist. Not even 1% of the population is truly capable of handling that.
Incompetent lawyers and managers did a half-assed job, and some exemplary fines will motivate them with respect to the other half.
That is so wonderfully naive that I had to laugh out loud. The fairytale of the manager who suddenly is fined big-time for his/her decisions is just that, a fairytale to pacify critics.
The same people also complain they cannot use by default said websites unless they share all their personal data with them. Half-assed, indeed the measure is. But it also reflects the majority thinking, unfortunately. So unless there's some popular pressure to full-ass the measure, we will still have banners and misused personal data.
The funny thing is it's not just corporations. When you open the German state railways' website, somehow you get a GDPR overlay. When you open the German revenue agency's website, you get greeted by a cookie banner on top.
I call upon all German users of this website to write to their MPs! Obviously the German civil service is a bad actor! The German deep state is plotting to discredit our beloved eurocrats and must be shut down! Den Sumpf trockenlegen!
I understand the joke you're trying to make but you clearly don't understand the relation between Germans and privacy/tracking regulation to think this makes sense.
It's not supposed to make sense, it's supposed to show the absurd position of the post I'm replying to. The less it makes sense, the better.
And I only picked Germany, because it's one of the few EU countries where stuff like that is rigorously enforced. In the rest of the EU, everything unrelated to the common market and/or getting money from the EU is at best haphazardly enforced.
If you want to, check out france.fr, a website maintained by an agency of the French tourism ministry. (After disabling the 3 dozens of annoyance blocking extensions everyone must use nowadays, of course.) What do you see?
A giant cookie overlay. Égoutter le marais!
I get no overlay on france.fr
Me neither, unless I disable ad blockers and anti-annoyance extensions.
Shows for me - https://i.imgur.com/c8c3MDk.png
No such thing anymore, unfortunately.
Why do I need to be "consuming corporate propaganda" when I just hate that I need to dismiss banners on every news website, when I didn't have to before the regulation?
I don't care about being tracked. But now that all websites need to cover their asses in response to regulation, I'm forced to figure out which button I need to click on to read content, and these websites don't even appear to save my preferences whether I agree to be tracked or not.
Objectively, the outcome of this regulation is that my experience is worse. Are the companies bad actors? Sure! Sounds like the EU should account for companies' bad behavior instead of forcing the internet to be more annoying.
The experience you describe is the fault of websites which chose to make things that way. The article goes into more detail on this point: There Is No Cookie Banner Law.
It's important to note that we didn't have to go through the banners after the law, either. We only had to go through them after website operators intentionally picked the most disruptive and annoying popup to serve us. We can blame them. They chose to add it when they could have legally not added anything at all.
It's like the situation described here: https://news.ycombinator.com/item?id=39742766
Again, from the perspective of users, the experience got worse post-regulation.
I don't disagree. But they were less annoying before. So make them go back to being less annoying.
Again, from the perspective of users, the experience got worse only after websites decided for themselves to add annoying cookie banners. Not after the regulation.
> make them go back to being less annoying
That is a request between you and them (the websites), unless you're talking about legislating a banner-less opt-out, or maybe just willing to file a complaint against the website with a data protection authority, if the banner is already illegally annoying.
Websites have the right to annoy their users with cookie popups, with or without the GDPR (ironically, the GDPR actually has some protections here, websites simply break the law). Unfortunately, it seems many are choosing to exercise that right because they make money doing so.
Get a plugin to click that button for you, I got one and haven't seen such a banner in a really long time now.
It's so depressing. Many of the people who are pointing the finger at the regulators for the annoying cookie banners don't actually see the web site/app *as* a bad actor. The fact that they had been tracking tons of extra data via cookies without their consent or knowledge was totally fine to them as long as it wasn't inconveniencing them in any way. The cookie banner is an inconvenience to their mindless consumption, so NOW it's a problem and they just don't care what the solution actually is as long as the thing goes away.
I've seen this attitude from tech people, too, so it's not just a matter of tech ignorance or illiteracy.
It’s an inconvenience to people who care about privacy and use browser configurations that don’t store state between visits.
So now in an attempt to protect regular users, the law ended up hurting users that already cared.
Additionally, the shadiest and incompetent sites still just track people with no cookie banner. So the law doesn’t really provide protection against uncooperative parties, whereas privacy technology does.
Fair point about the banners mostly "hurting" users who care about privacy (but, really though- how much does it really "hurt" you? I'm "hurt" more by the fact that I have to fold laundry several days a week).
But, I take major issue with you saying that the LAW ended up hurting users. Companies are under no legal obligation to make those banners as obnoxious as they are or with so many dark patterns (I sometimes don't know if I'm even enabling or disabling tracking with the way they word it). That's squarely on the web site owners pulling that nonsense.
I agree that the only/best way to protect yourself is via technology and not by relying on people obeying the law.
However, if this is also an argument against having the law, it's an incredibly weak one. You can apply that logic to argue that NO laws are effective. People still murder even though it's illegal- must be a bad law, no?
Actually every single lawyer we asked about implementing GDPR advised us to have one of those obnoxious banners. Because the law is so ambiguous and the penalties so high that is better to play it safe. And we have no ads nor tracking at all on our product website.
You can ignore your lawyer's advice if you want, but it's a bit like a lawyer office ignoring my data security and backup advice: assuming a huge amount of risk.
The GDPR is about all kinds of tracking, of which things you can block locally at the browser level are only one part. So yes, even those users that already cared enough to block/discard cookies benefit.
Again, this should have been a >browser feature< instead of a website feature. I trust Safari and Firefox WAY MORE than I trust the website's owners to actually block cookies and protect privacy, as well as implement this in a better UX.
The proper way to have done this would have been to go to the W3C or WHATWG and proposed an extension to HTML for sites to define an opt-in manifest or something similar.
Apple is doing the same thing, passive-aggressively doing things like removing support for pinning webapps / PWAs / whatever they're called to your home screen, then backtracking after backlash. Or Microsoft with their browser choice screen or Windows releases without media player. And even those aren't as bad as the malicious compliance of cookie banners.
The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking is having to click away an annoying popup, and think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.
The reality is that most people don't want to be tracked:
https://arstechnica.com/tech-policy/2021/07/facebook-adverti...
I've stopped going to Ars Technica exactly because their cookie pop-up lets me know that Condé Nast wants to share my data with at least (according to the popup) 159 partners.
They have so many "partners" that their cookie popup comes with a search bar.
56 of their "partners" want my precise geolocation data!
16 "partners" want to actively scan my device!
101 "partners" want to "match and combine data from other data sources" (I can't disable or object to this)
102 "partners" want to identify my device. I also can't object to this.
The only way I can really object is to close the tab, so that's what I do.
Isn't it too late by then?
Legally no, they can't store his data if he doesn't click yes.
Considering their consent banner isn't legal under GDPR anyway, I'd be wary of expecting them to be compliant with that either.
The problem is that most people don't want to pay for any of the internet services they use either.
Great, then maybe we can all finally go outside and smell the damn roses.
Any internet services that are unable to secure funding without abusing their users are welcome to stop existing.
"Number of visitors" does not constitute tracking. The tracking in question here is to discover who you are specifically and the absurd amount of detail about your online activities collected and shared with data brokers for aggregation and resale.
A few of these cookie prompts during the day and they'd be able to tell everything from where your kids go to school to the kind of prn you prefer to watch on weekdays and everything in between.
I used to work at an online video advertisement company, you'd be horrified how much information we tracked across all the ads, especially since the ad was played with a special media player "plugin" loaded inside the other media player.
This is how ad companies can sell premium views, don't show cosmetics to men, increase car related ads to people who have watched other car related ads and so on.
There's no such thing as server-side "private browsing".
It's really not. They already could do all that before cyberstalking was normalized. It's called content-based profiling, and it doesn't require any GDPR consent.
The ad companies wanted to aggregate information across multiple channels.
The example about "show more car ads to someone who watched other car ads"? It's not about showing car ad on a site whose content is about cars (or where the site owner decided they like that kind of thing).
It's about knowing you have wandered over to car comparison site recently so they can show you car advertisements when you look up sports news, show car-related merchandise when you're browsing some shopping site, show you insurance ads, etc.
Honestly I don't mind them collecting this data, what is really infuriating is the fact they won't share it with me. I would love to know what kind of porn I prefer on weekdays. I think they shouldn't be allowed to track anything with consent or without it unless they share all the data with the subject of spying.
And aside from that, I think it should be much more expensive to say sorry than ask for permission. In my world a firm like Facebook should not have any right to exist, they earned it. Fine them to oblivion just like I would get a long time behind bars if I wouldn't do my taxes right.
I call BS. Give me your email password and your browser history and I'll share everything I learn about you with you. I'll also keep it and share it with whomever else I want to, but I'll definitely share it with you, too.
Is this something that's kept secret in European society?
If someone told me they knew where my kids went to school I wouldn't be surprised, it's sort of dependent on our address which is in the phone book.
Well, different people want different things - I'd rather spend a millisecond to click 'refuse' rather than let them track me - out of spite if nothing else. Yes, cookie banners are annoying; the dark patterns within cookie banners (you need multiple clicks to get to the 'refuse' button while the 'accept' button is right there in your face) are even more so. But honestly - screw them.
Does it become less ridiculous when your browsing history is sold to insurers, who use it to raise your rates?
Then you should doubly blame the companies, because that's what do not track was for, they're the ones who decided to make it not work that way and instead being ignored and not considered a valid option for the law.
You don't need a cookie for that, and what GDPR has told us is that we're not talking of that but about dozens or hundreds on every major site so trying to frame it that way is disingenuous.
Is counting visitors all that sites are doing with tracking info?
They're not selling it to ad brokers, insurance companies, governments? They're not matching your name, address, and phone number with your web activity (including sexual interests, "anonymous" embarrassing stories, health concerns, etc)?
I agree that wanting to know the number of visitors is benign and it is not abuse.
But saying companies should be allowed to track me (for whatever purpose) across the web without my consent is also pretty ridiculous.
This is addressed in the article. They could track you, with your consent, in many different ways. The fact that they are choosing to force this cost upon you is what is ridiculous.
I don’t think this is strictly accurate. There’s nothing about cookies themselves that makes them a problem. It’s the way they are used. Needing to inform people you are using cookies for sessions is like needing to inform people you are using a fork to eat. The problem is that some people are using the fork to stab people, so now we require everyone to say how they’re going to use it in advance. Instead of just prohibiting stabbing people.
You don't need a cookie banner for a session cookie, not in ePrivacy nor in GDPR; the same applies for all cookies that are "strictly necessary" for the functional operation of the website on the technical level. Language selection cookie, "remember me" cookie, etc. are all perfectly fine.
I’ve often wondered if necessary cookies could just be carved out and designed (and named) differently to improve handling. You could then just configure your browser to inherently accept the benign <biscuits/bikkies> from a site, which would then only ask for non-essential ones.
The real nirvana, IMO, would be better sandboxing between sites.
A browser-based solution not mandated by law but made by the industry wouldn't work, because all 4 major browser vendors make significant revenues from ads.
At a time a solution appeared with "do not track", and we ended up with the industry making sure it was as toothless as possible, opt-in, and Google pushing hard to control the browser market.
You don’t need to inform people you are using cookies.
It is not about cookies.
As long as those cookies are only used for making the core functionality of the website work (i.e. login sessions, user preferences)
See for example GitHub's statement [1] about no longer displaying a cookie banner. While ironically the blog still does display them, the main site doesn't.
[1] https://github.blog/2020-12-17-no-cookie-for-you/
A few places allow you to opt for a spoon instead, or drink right from the bowl without utensils. Note that it's not the customers who use the forks for stabbing; it's the restaurants themselves. To show their goodwill to a customer who does not trust them with a fork, they can offer a spoon.
The further we take this analogy, the more strained it becomes.
Yes, it's natural to use a cookie to track a session; this is a mechanism invented for that purpose. It's much less natural to share this tracking information with third parties, especially along with a record of your purchases or other interesting actions.
But ad revenue is much harder to obtain without targeting and thus tracking. And a lot of places depend mostly on ad revenue.
This is another case of the "buy now, pay later" pattern, stretched to "take for free now, pay in loss of your privacy later". In a funny enough way, many people don't value the information they get on many ad-supported sites as highly as the marketers paying to grab their attention, so simply compensating by adding a subscription or one-time payment to go ad-free sometimes does not even work; the more generic / "doom-scrollable" the content is, the worse it works.
Hidden fees are bad because of the specific combination - the hiding, and the fees. Since tracking isn't hidden and isn't a fee, the analogy doesn't help to justify the EU's law.
People should have a default expectation that if they give their personal data to companies then it will be recorded. And if they don't want cookies then they should disable cookies. The EU's regulation hasn't revealed anything that is useful to know about.
Tracking is certainly hidden if you're not a programmer, and is certainly a fee if you value your time. Not all people live in low-trust societies or desire to.
People don't "give" their information to trackers, it's collected without their knowledge. I don't think most people expect the kind of things trackers collect is being collected.
Why not a real regulation then to get rid of hidden fees and heavy fines/jail time for companies that are found to be doing it?
PG's argument (I hope) is that there is no point in talking about "regulation" and "customer protection" if companies STILL get away with their ridiculous and hostile practices.
There is no customer benefit in having user data collection and tracking. Companies do it only to exploit you. Even the usual BS excuses ("oh, we need user data to customize the experience") could be done completely in-device.
I don't want regulatory bodies to just give more hoops for other companies to jump. They will jump it anyway, because it is profitable to do so. What I want is for regulatory bodies to effectively stop predatory practices.
I mean, that would be great, but I suspect that even just here on HN you'd get a lot of people strongly disagreeing with you. Because that would infringe upon the companies' "freedom" to profit in whatever way they see fit—and the people's "freedom" to let their data be vacuumed up and sold for massive profits.
Whether they agree or not is irrelevant. I think that PG's argument is that all the "regulation" and "strength of the EU" amounts to nothing. It's just people pretending to play power games, doing privacy theater and solving absolutely zero problems.
I agree with almost everything you said, except for one thing: I don't believe the euphemism "hidden fees" helps to clarify the fact that these people are taking money away from people without their knowledge or explicit consent.
We have other more precise words to describe that action. I asked ChatGPT what those could be, here's its answer:
We here are all interested in hearing your thoughts, so please filter raw chatbot output through them, rather than pasting the output verbatim, which isn't value-added, and can even be negative value, given chatbots' penchant for hallucinating information.
The fees example is maybe apples to oranges. The fees are a problem because they subvert the pricing information signals needed for the free market. The problem is not the fact that they are charged, the problem is that they are not included in an upfront price display. Were they included in the total upfront price and never specified, the users should not care - it's not their business how a company spends their money.
But I suppose that was just an example you picked to illustrate the industry's malicious compliance, and not the main point, in which case fair enough. :-)
The use of secret tracking also subverts the pricing signals needed for the free market. Users aren't informed that the website is subsidized by the sale of the users' information, much less the details of the arrangements and monetary amounts.
If the total price of the website without the secret costs of tracking were presented upfront, it would be less of an issue.
I don't want to be tracked either. But if companies can play the law this easily, I think it's a pretty bad law.
Are we all such spoiled brats that some cookie banners interrupting our web browsing is all it takes for us to give up and call the malicious companies the winners and the law(s) trying to protect our privacy "bad"?
We're a pathetic lot.
Except you could always just "turn off fees" in the browser, so the whole conflict seems kind of superfluous.
Except you can't because the in-browser fees are only one of many possible fees you could be charged.
This is a bad example because the market usually fixes this problem. The reason why the market doesn’t fix the cookie banner problem and the reason why this is bad law is because users de facto do not care, it is merely annoying.
There’s a law in California that says that businesses which have chemicals that might cause cancer on the premises need to let people know. That’s great but the levels they set turn out to be lower than what you can feasibly test for and as a result all properties pretty much just put up the signs that say “there might be chemicals here”. The warning is useless and annoying because of market forces which is another way of saying the law incentivized the behavior that occurred.
The market is working perfectly here, if you remember that users are not the customers. Users are the product sold to adtech, data brokers, law enforcement, etc.
For data-harvesting companies users are like livestock, and nobody cares about livestock's opinion. It only matters how much value can be extracted from users, even if it's annoying, misleading, and relies on dark patterns.
Airbnb used to hide their total price until the EU started requiring them to do so in 2019, whereas the USA only had this requirement from December 2022.
I think this is a good analogy and I agree that the intent of the law was not to force websites to have a cookie banner, it was just the side effect.
What I think we are missing is a browser option/API that lets the user choose the acceptable tracking level. Similar to the Do Not Track header but more fine-grained.
As we are missing that, extensions are doing a good job ATM
https://chromewebstore.google.com/detail/consent-o-matic/mdj...
https://addons.mozilla.org/ro/firefox/addon/consent-o-matic/
I found out pretty late about Consent-O-Matic and it saved me a ton of time handling banners. It's exactly what we should have built into the browser.
The "fee" isn't the cookie. It's the obnoxious popup.