Dear Paul Graham, there is no cookie banner law

Using your analogy, I think what ends up happening is that even companies that don't collect hidden fees will put up a banner just in case.

Not only that, I'm not an EU citizen and I'm not browsing websites based in EU but I'm still bombarded with cookie banners non-stop.

Agree. How much corporate propaganda are people consuming that legislators are seen as wholly responsible for the bad behavior and malicious compliance actions of corporations?

What does it say about the relationship between businesses and consumers that the first response to this bad behavior is to shout "look what you made them do!"

Seemingly it is everyone's fault except the bad actors themselves.

On this issue in the group that complain about the cookie law there are some people who are very wrong on purpose because it's in their interest, and some people who are very wrong because they genuinely don't understand the position they're defending, complaining about being made aware of the fee, instead of the fees themselves or the fact that the companies hide them if not forced by law.

The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking are having to click away an annoying popup, and think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.

I don’t think this is strictly accurate. There’s nothing about cookies themselves that makes them a problem. It’s the way they are used. Needing to inform people you are using cookies for sessions is like needing to inform people you are using a fork to eat. The problem is that some people are using the fork to stab people, so now we require everyone to say how they’re going to use it in advance. Instead of just prohibiting stabbing people.

Hidden fees are bad because of the specific combination - the hiding, and the fees. Since tracking isn't hidden and isn't a fee, the analogy doesn't help to justify the EUs law.

People should have a default expectation that if they give their personal data to companies then it will be recorded. And if they don't want cookies then they should disable cookies. The EU's regulation hasn't revealed anything that is useful to know about.

The law is updated to say you are not allowed to charge the user a fee unless you tell him in advance.

Why not a real regulation then to get rid of hidden fees and heavy fines/jail time for companies that are found to be doing it?

PG's argument (I hope) is that there is no point in talking about "regulation" and "customer protection" if companies STILL get away with their ridiculous and hostile practices.

There is no customer benefit in having user data collection and tracking. Companies do it only to exploit you. Even the usual BS excuses ("oh, we need user data to customize the experience") could be done completely in-device.

I don't want regulatory bodies to just give more hoops for other companies to jump. They will jump it anyway, because it is profitable to do so. What I want is for regulatory bodies to effectively stop predatory practices.

I agree with almost everything you said, except for one thing: I don't believe the euphemism "hidden fees" helps to clarify the fact that these people are taking money away from people without their knowledge or explicit consent.

We have other more precise words to describe that action. I asked ChatGPT what those could be, here's its answer:

     Q: What are some english words meaning "taking money away from people without their knowledge or explicit consent"?
     ChatGPT: There are several words and phrases in English that convey the idea of taking money away from people without their knowledge or explicit consent:

    Embezzlement: This refers to the act of dishonestly withholding assets for the purpose of theft. It often involves someone in a position of trust, such as an employee, misappropriating funds entrusted to them.

    Misappropriation: Similar to embezzlement, misappropriation involves taking something (usually money) for one's own use without permission or legal right, often in a breach of trust.

    Theft: Theft is the generic term for taking someone else's property without permission, including money.

    Fraud: Fraud involves intentional deception for personal gain, which can include financial deception or stealing.

    Swindling: This term implies deceitful behavior to cheat or defraud someone, often involving trickery or manipulation.

    Skimming: Skimming refers to the illegal practice of taking cash "off the top" of the proceeds of a business or other source of income without recording it.

    Extortion: While not always directly related to taking money without explicit consent, extortion involves obtaining money, property, or services from an individual or entity through coercion or threat.

    Pilfering: Pilfering involves stealing small amounts or petty theft, often done stealthily or without detection.

    Conning: This refers to the act of deceiving or tricking someone, often for financial gain, through manipulation or persuasion.

    Clandestine withdrawals: This phrase specifically refers to taking money from someone's account without their knowledge or consent, typically in a secretive or unauthorized manner.

The fees example is maybe apples to oranges. The fees are a problem because they subvert the pricing information signals needed for the free market. The problem is not the fact that they are charged, the problem is that they are not included in an upfront price display. Were they included in the total upfront price and never specified the users should not care - it's not their business how a company spends their money.

But I suppose that was just an example you picked to illustrate the industry's malicious compliance, and not the main point, in which case fair enough. :-)

I don't want to be tracked either. But if companies can play the law this easily, I think it's a pretty bad law.

Except you could always just "turn off fees" in the browser, so the whole conflict seems kind of superfluous.

This is a bad example because the market usually fixes this problem. The reason why the market doesn’t fix the cookie banner problem and the reason why this is bad law is because users defacto do not care, it is merely annoying.

There’s a law in California that says that businesses which have chemicals that might cause cancer on the premises need to let people know. That’s great but the levels they set turn out to be lower than what you can feasibly test for and as a result all properties pretty much just put up the signs that say “there might be chemicals here”. The warning is useless and annoying because of market forces which is another way of saying the law incentivized the behavior that occurred.

Airbnb used to hide their total price until EU started requiring them to do so in 2019, whereas USA only had this requirement from December 2022.

I think this is a good analogy and I agree that the intent of the law was not to force websites to have a cookie banner, it was just the side effect.

What I think we are missing is a browser option/API that lets the user choose the acceptable tracking level. Similar to the do not track header but more fine grained.

As we are missing that, extensions are doing a good job ATM

https://chromewebstore.google.com/detail/consent-o-matic/mdj...

https://addons.mozilla.org/ro/firefox/addon/consent-o-matic/

I found pretty late about Consent-o matic and it saved me a ton of time handling banners. It's exactly what we should have built-in the browser.

The "fee" isn't the cookie. It's the obnoxious popup.

Doesn't that argument work both ways? If you interpret the EU's regulation with the "lens of game theory", it is an unintended consequence of aggressive corporate data collection. Not sure why it makes sense to complain about the EU and not the companies.

(author here)

I'm a fan of second-order thinking and unintended consequences, so I'm with you there. How would you frame a "don't track people without consent" without unintended consequences?

The article tries to make the point (perhaps fails), that companies do this intentionally to get the "consent" of people against their will, therefor running the tight line of breaking the law without breaking it.

The blog clearly works from the actual outcome lense. It's repeated. Several times. The companies could just not track.

The actual outcome is that they do want to track, and use adversarial patterns and malicious compliance to twist your arm and "force consent."

Paul Graham is still wrong.

The actual outcome is, from my experience, that tracking has reduced, a lot. When this law was enacted, *we all removed "like on Facebook"* buttons. Remember those? Yeah, we don't see them anymore. Google Analytics also was forced to change, at least a little.

Is there still tracking? Sure. But it's not so blatant anymore. There are hoops one needs to jump through. And that was the point - to make tracking a harder.

None of my projects have cookie banners. Why? Because I use a first party tracking system (Matomo), I anonymize all visits and I respect DNT. It's that easy.

I consider it a good outcome when I can clearly identify shitty websites and just click the back button.

There are a lot of ridiculous things a company can choose to do in response to any given law. Those choices are not mandated by the law. Horrible consent UX is not the only option to choose from.

Government can, and should, analyze likely (or unlikely) unintended consequences and use those to further shape the law, but at the end of the day, those consequences come from choices that people who are subject to the law make.

I think the big mistake the EU made is they probably thought: “Surely no company would choose to abuse their customers with horrible UI just because they don’t like the law and want to take their collective frustration out on their users!” The EU was obviously wrong about the extent to which companies would throw their users under the bus while maliciously complying.

I’m not surprised. This is a “hot take-centric” platform issue, and a laziness in trying to understand him too. Or.. two people on the street yelling at each other but not listening.

The outcome would be much better if the law explicitly stated that the initial cookie banner must have a "Necessary cookies only" opt-out one-click option. And that this option means truly necessary, not the Internet Explorer is needed by the operating system 'necessary'.

It’s unfortunate, if companies are okay not tracking you, that they care little enough about their user experience to use cookie banners.

Except many companies respond to the cookie law with a cookie consent popup that violates the law (by making opt-out harder than opt-in).

Could we really have predicted from the "Law of Unintended Consequences" that companies would respond not by tracking less nor by giving people an easy way to opt out, but with a cookie consent popup that is not compliant and also really annoying to their visitors?

This is better explained by business operators being ignorant of the actual law and being ignorant of the UX impact.

Paul Graham focused on whining about regulation as he always does

I see your point, but then to have a constructive conversation Paul Graham should also give his two cents about how the law could be improved. I don't know him, so I'll ask here: did he do that?

Everyone knows that bad actors will continue to behave badly in the face of the law. This isn't the insight you seem to think it is.

Really, PG's tweet has little to do with game theory or anything else. It is a first-world-problem whinge about having to click through cookie banners. Assessing the "actual outcome" of complex regulation and legislation is a task beyond the scope of a single tweet.

It might be useful for Graham to determine what claim he is trying to make in the first place. Is he rebutting a particular EU representative for boasting about how good they are at regulation? Or is the idea that the EU shouldn't have the audacity to attempt to regulate in the first place?

It would be 100% ok for it to be a browser setting. It isn't though, because that would make too many people opt out. That's what the article is about.

Exactly this.

The law could have been written in such a way that we could use a browser setting and avoid incessent popups which irritate users and desensitise them to genuinely useful warnings.

Whatever the good intentions of EU lawmakers, they seem inept at technical legislation because they ALLOW companies to continue doing shady things, and rather than tackle it, the legislators create a law that merely annoys users.

As far as I can tell, politicians don't spend much if any time thinking about second and third order consequences. GDPR is but one example, but instances of this abound. The default should be to mistrust new laws. Reagan takes lots of flak on the internet, but he was right on the scariest phrase being "I'm from the government, and I'm here to help".

Even worse, this thread is full of armchair lawyers that will confidently tell you there's no need for cookie banners in particular cases. Nevermind that there's hardly any case law about this and each country seems to interpret it differently. Any actual lawyer would tell you to slap it on there to stay protected.

This is 100% what PG means IMO and the most sane take on this. Either write the law correctly so it's not easily bypassed or just don't touch anything because you will only make it worse.

The law isn't that bad actually, just that the courts have been very slow. The dark UI patterns are actually illegal and have been judged so in court now. This realization just has to trickle down to the companies writing these cookie banners.

If the cookie law was written properly then it would have just been a browser setting that had to be respected and this whole thing would have been completely transparent to the end user and they would have benefitted by default.

The law does not mandate websites to display a cookie banner. There are already "Do not track" settings in browsers. A website could choose to honor that setting and don't track you without ever showing you a cookie banner. But most don't.

The problem is that we as a society constantly have to deal with adult children, so don't expect reason. Do expect elaborate rationalizations intended to waste the energy of an indecisive parent, who is basically getting bullied by a kid throwing a tantrum.

This kind of behavior reminds me of the book: "Language vs. Reality: Why Language Is Good for Lawyers and Bad for Scientists" - Nick Enfield, Linguistic Anthropologist [1]

[1] https://mitpress.mit.edu/9780262548465/language-vs-reality/

but leaves a loophole

There's no loophole. There's just limited enforcement. Most of the banners you see every day do not match the requirements at all.

There is no loophole here. If you want to track someone, you need their consent. How are cookie banners a "loophole"?

Instead through incompetent government employees

Or greedy companies, one of the two...

Hate this way of thinking where the government (with seemingly good intentions) tries to stop something but leaves a loophole where all our lives are made more tedious and then people defend it saying the companies should just not do it, well we needed the law in the first place so it's a bit silly thinking to suggest they stop doing it after the law, no?.

We deal with similar issues developing and releasing software. Instead of not ever releasing software, or only writing perfect software that never has issues, we have a couple of options.

1) In critical life or death situations, spend a ton of time modeling all states of the system and program in a way that very strictly controls for these states, with a lot of testing. See NASA/JPL coding standards for critical systems.

2) For less critical situations, or those were modeling all states of the system are impractical, we release, observe, and iterate. Yes there will be edge cases, bugs, and loopholes. But we can observe them, iterate, and release updates.

I think case 1) is impractical for changes to large legal and economic frameworks in the real world given how many variables are at play. If we could model the entire economy and see how it would react to a given change, the world would be a very different place in lots of ways already.

A lot of politics seems to work against 2) and that hurts our ability to improve things. "I will pass a law that does X" and "I will repeal the law Y that is not working, see look at these loopholes!" are good political campaign statements.

"I will gather and analyze data on the operation of the current system and support an iterative change that intends to improve things, implement that change, and then observe the results to determine if future changes are needed" is hard to rally around either in campaigning or when actually doing the work of getting political support to pass law.

I think decent example of this in government, although far from perfect, is the feedback loop of the NTSB and FAA. The NTSB's job is to observe and report on failures of air safety, and the FAA's job is to apply those lessons to future air regulation. Of course there are many examples of this not working perfectly, but it's a more concrete feedback loop than most governmental action has.

More observation of the analysis of the impact of laws after they are passed, and follow-up iterations where we compare the expected and actual results and make updates, would probably result in a lot less gnashing of teeth over "bad government regulation" but I'm not sure how we get there politically.

There has been a browser setting for tracking cookies since 2002! https://www.w3.org/P3P/

It has even been implemented in Internet Explorer when it had 90%+ market share.

And then Google intentionally sent malformed P3P header to bypass user preferences in IE.

When Safari added a heuristic rejecting Google's 3rd party cookies, Google has found a technical workaround to bypass it (and has been fined for doing this).

When IE and P3P were totally dead, browsers have tried to give adtech the simplest to implement bare minimum setting - the DNT header. The adtech has completely ignored it.

There are trillion-dollar businesses relying on tracking, and they will do whatever they can to undermine any technology and lobby against any law that would harm their business.

That's what you get when you try to protect consumer but “don't want to harm business” who are hurting consumers.

Sometimes life really is is fact a zero sum game and you need to punish the offenders in order to protect the victims.

The law does not require a specific implementation. Law is never written to require a specific implementation and should not be written in this way.

Instead law is written in a technology neutral way. It is so neutral that it isn't even called "cookie law". It is called ePrivacy directive. It has only 5 times the mention of "cookie" as an example.

Reference: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A...

I wrote something elsewhere in the thread about this[0]. I don't think laws mandating specifics of implementations at the level of browser settings is a good idea. To your point about government employees not being competent I don't trust them to get that right. Companies could work with browser makers to fix this but, as the OP points out, they don't want to.

In my opinion the EU's big failure with GDPR has been slow and ineffective enforcement against blatantly illegal implementations.

0: https://news.ycombinator.com/item?id=39742989

In this case, it is just showing that most companies are collecting more data than they need.

You don’t need a banner for the data that is necessary for the service to work at minimum level. There is no role for the consent since the site won’t work otherwise.

You mean the EU should have foreseen that people in tech have no conscience and sensitivity for right or wrong?

It's impossible to foresee everything, including the amount of malicious compliance.

In the end we are better off with this legislation and its future iterations and additions than we are without it. The extent to which people's data is misused is simply ridiculous.

No, people cannot escape responsibility by saying "the law made me be belligerent toward my users". It is intentional choice to use cookies and to make it unpleasant for people.

Yes and no? To some extent, sure. As an example: But if companies or people went out of their way to comply with a law that is clearly not complying with the spirit of the law, just the letter of it, are you really responsible for that? Or are they because they're doing everything to not comply?

Let's say you make a law to reduce working hours from 40 to 37 hours except in "emergency situations". Now a company will force employees to sign off on "emergency situations" every week or they'll be fired. They're clearly not complying to the spirit of the law? Is it really your fault when you make a law like that? I'd say only to some degree, the people trying to abuse every loop hole are much more responsible in this case.

Companies using dark patterns, hiding the "reject all" option behind an additional click (which even is illegal) and even trying to collect all data possible are much more responsible than the EU's law. Oftentimes they are collecting data just because, not even thinking about it, because they'll add GA to their WordPress site without even looking at it or whatever. That cookie banners have become the standard around the web is sad because it just shows how much everyone is trying to track you.

The thing is, the consequences seem to be very much intended. The consequences of forcing companies to be transparent about tracking, and hopefully letting the users start voting with their wallets as they get annoyed by the omnipresent "We Value Your Privacy"-popups (which is very ironic considering all the dark patterns et al that are used to have users get tracked).

If nothing else, at least now people know just how much they've been tracked. One can only hope that this increased consciousness would help people to choose services that don't track people. For example Hacker News doesn't need tracking cookies nor a cookie popup, and it seems to be doing just fine, even in terms of the law ;)

I would put it another way. Any legislation against doing something is almost always motivated by someone's desire to do that very thing. Legislation is usually a battle of interests where the legislator, ideally, wants to protect the overall interests of the public when they conflict with narrower private interests. When the narrower interests belong to powerful groups, you often expect to see some struggle, and if the private interests have a way of making the regulation seem more intrusive and annoying than the harm it's intended to cause, they would take advantage of that to sway the public in their favour.

So legislators do expect such a struggle, and the shape it takes may be partly their fault, but it's clearly not all their fault. The more power the private interests have, the more likely they are to find some way to fight the regulation. They will certainly do everything they can to convince the public that the legislators are bad at regulation.

In this particular case, however, websites showing banners are also harming themselves as their competitors now have an interest in not showing banners and offering a better experience -- i.e. the regulation makes it worthwhile not to display banners in competitive situations. So we'll see how this all turns out.

I guess PG's original tweet assumes that cookie banners are a) bad, b) the fault of the EU, and C) unanticipated and unintended by the EU, thereby demonstrating their incompetence.

I can't really comment on what the lawmakers foresaw or intended, but I'd argue that cookie banners are actually a) good, and b) the fault of companies who can't imagine a better way to treat their users.

The reason I think they're good is that they cause a psychological nuisance to users of software which doesn't go out of their way to do them well or avoid their necessity. Over time I hope this will tend to cause an association in users minds that sites with cookie banners are somehow seedy or unscrupulous, like pop-up ads.

I would expect that most companies would be ashamed to publicly state that they sell your data to hundreds(!) of data providers and they would fix this before they had to disclose it. But nope, apparently the money is too good. And blaming the government is more convenient.

On the one hand when murders go up because you make using a gun in a crime an automatic 5 year prison term you should have foreseen that possible situation, on the other hand the real bad guy is the one shooting the witnesses.

Almost all websites make money through ads,

Doesn't require tracking of individuals.

or at least keep logs of user activity to help them optimize their website

Doesn't require tracking of individuals.

Your point is well made, and this is an unfortunate consequence of the regulation (and I enjoyed the analogy). But it isn't necessary to have cookie banners on every website. Github is a moderately complex, user-optimised website, right? https://github.blog/2020-12-17-no-cookie-for-you/

Almost all websites make money through ads

The EU regulation does not prevent ads from being shown, it specifically targets tracking. No tracking > no banner > everyone is happier > go ahead and show all the ads that are required.

I guess the confusion is about advertising and tracking - the banners are about tracking not advertising.

A site can keep logs of user activity to help optimize without tracking my personal data. As soon as a company needs to track me, it's doing more than "optimizing its website"—it's using my data to sell me stuff or selling my data to third parties. And I'm glad it needs permission to do those things.

those pesky regulations. back in the good ol days where I could pillage for a living, but then that damn government came and took away my livelihood!

How dare they!

</sarcasm>

Just because you made money of it, it doesn't mean it is right.

Showing adverts is not what requires them to ask permission.

If your business is "doing sketchy shit with people's data", and the regulatory hammer just came down on you... well, yeah.

If a business cannot survive without it essentially stealing my property (read: my data), it should not survive.

The point of the legislations is to protect the citizens, not corporate income.

if it “just didn’t track” a large swath would no longer exist.

You say this like it's a bad thing...

In this logic it is totally unfair that I am not allowed sell drugs while I could make a lot of revenue from it.

Why does your business deserve to exist if you can't do so without stealing from your customers?

If your business cant survive without selling visitors data to Facebook it shouldnt exist.

totally agree. who cares that we are selling our users data to the highest bidder, gotta get that money right?

Since this is around the 5th time this sentiment has been expressed in this thread, I have to ask... are cookie banners really so frustrating? Oh no, gotta click one, maybe 2, more buttons...

I think the goal was to give citizens the possibility to make informed decisions about where their personal data is being used.

If you don't care about tracking, ok. But some do. The EU tried to cater to both audiences which I think is fair. Turns out most people that did not care about tracking would also not consent when they are asked about it specifically and there are no immediately perceived downsides visible.

Shopping carts and notification preferences don't require a consent banner.

It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

Not really - basic functionality like you describe does not require consent, AND any cookie specifying non-consent is in itself anonymous.

If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

If it is crucial to provide the service or the service is explicitely requested by the user (i'd argue a shopping cart is), I think you don't need consent (see Article 5 of Directive 2002/58/EC).

The law takes these things into account just fine. It's not a cookie law, it's a tracking law, and the "tracking" isn't about the technical meaning of "to track" but about the way the data is used (and could be used).

It's not "you're not allowed to store anything about the visitor without their consent", it's "you're not allowed to track them across your site, or share that data with others, except if it's directly necessary to provide the service". That last part refers to session tokens, shopping carts, and yes, also to remembering the "no tracking" choice. If you ask a site to remember something (such as "no tracking plz" or "I want to buy this product" or "keep me logged in plz") then that's explicitly asking it to do something that in technical terms is tracking, but not in operational terms.

It's like, the EU makes a new law that makes it illegal to break into people's houses, and all the pedantic HN'ers start saying "but this is stupid! what if you lose your key? you need to be able to hire a locksmith to let you back in!". That's obviously not how the "no break-ins" laws work, and it's also not how the GDPR works wrt tracking.

If you break the GDPR, there's a fair set of warnings before you can actually get the kinds of humongous fines that the law is infamous for. This means to me, as an entrepreneur, that if I follow the intent of the law as best I can, then worst case scenario if we still get it wrong, then there's a big enough chance we're in the clear. And then if somehow we do get a warning from the local privacy authority, we learn and adjust. This is fine.

We don't need to be maximally pedantically safe. We just gotta not track people and then we don't need a cookie banner. It's great.

If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

These are first-party cookies as they're served by the host domain, so they wouldn't need an opt-in under GDPR. Site owners should try to limit that to core functionality, like updating shopping cart state as you navigate from page to page.

It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

That's not how it works. The cookie banner opt-in asks if you want to accept cookies aka tracking. If you say no, no cookies are downloaded, so the site has no idea that you have visited it. So the next time you arrive on the site, it will provided the popup again, as though it's your first time visiting.

But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

A tracking warning a login/sign up would be enough. No need to ask for cookie consent at every visit. It would just be part of the typical T&C.

It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice. Easily solved with a cookie that says "don't track". If cookie is set, don't track anything.

Shopping carts, session cookies, or any other kind of functional cookies (including the one for "do not track" saving) do not require consent, and so don't require the banner. Github for example doesn't have it.

Please, read the basics about the law before disparaging criticisms, I constantly have to educate users on HN about this misrepresentation of GDPR and Cookie Law.

You are citing directive that does not apply in all cases.

It is amended by Directive 2009/136/EC, which changes especially the cookies part.

(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

If you read the exceptions part, you know that you don't need a banner on strictly necessary case.

I think you might not have fully grasped the meaning of the post. Let me rephrase it for clarity: there is no cookie banner law, but a consent law, but it doesn't need to be as ugly, intrusive or user-unfriendly as the current cookie banners. One alternative is to opt out of using cookies on your website entirely (which is what I do, by the way), and then you won't need to ask for consent. Or to use a simple, unremarkable, bar.

But that is what the title states and is explained in the article. There is no law that forces a cookie banner. There is a law that requires consent before tracking, but that is not necessarily about showing a banner - that is just one of the possible ways of complying with the law. There is an electronic privacy law, and it is quite comprehensive. There is no "cookie banner law".

But this is exactly what the article is saying.

There’s a law, but it’s not a “cookie banner law”. The section you quoted says nothing about banners. The banners are a design decision by the operators.

This shall not prevent any technical storage or access ...or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

If the functionality explicitly requested by the user -- e.g., logging in, or changing the default language or currency, or what-not -- no consent is necessary to keep cookies. Cookies are only necessary for things the user didn't implicitly ask for, like tracking.

The article makes that point. There is no law to put a giant banner that disturbs UX in your users face. Companies choose to do so. There only is a law that prevents companies from tracking you without consent.

This doesn't require a specific implementation just that informed consent is given. This could be implemented as a web standard alá Apple's ATT(App Tracking Transparency). There's nothing preventing the industry from creating such a standard, obviating cookie banners in the process. This would not only be a win for users, who could express their overall position on consent as a browser setting, but also save thousands of developer hours for website.

hmm I disagree. I found the article, quite an eye opener for me. I also thought that he cookie banners is what the EU forced the web-site owners to show.. but it clearly isn't. It is just about consent. This consent could be given in a non-annoying way, but clearly the involved companies don't want to.

What do you mean by "the original (now decades-old) law" ? The GDPR is 8 years old.

Note that this isn't a cookie law, it's also the EU's main anti-malware law. The principle is that no piece of third-party controlled software should write information to your computer/phone, or read info from it, over the Internet, without your prior informed consent

So it is a responsibility of the browser vendor to implement this.

did they try to make it a standard for browser? I tried searching but I couldn't find anything

In my understanding, the most important part is to not share user information with third parties. IIUC, Google can use Google analytics data to join your behavior from multiple sites and then use that to serve targeted ads.

The next level is to not store PII unless there's a specific reason in the user's interest (improving site quality doesn't count, logging in does). Therefore, you can see how many people visited a page, aggregates of device types etc. Just not anything that identifies an individual.

Yes you can. See for example https://plausible.io/, which does analytics without using cookies, and without collecting any personal data.

You can track the number of visits without using cookies, but its practically impossible to track the number of unique visitors without using cookies.

The number of unique visitors is a very useful metric (both in itself, and combined with the number of visits).

The EU has made it impossible to track this simple and harmless metric without inconveniencing all users with awful UX.

Under the GDPR / ePrivacy Directive, ANY user-based unique identifer used for advertising, analytics and tracking will trigger the need for consent.

---

General Data Protection Regulation (GDPR)

Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Article 6(1) outlines the lawfulness of processing and states that processing is only lawful if and to the extent that at least one of the following applies: "the data subject has given consent to the processing of his or her personal data for one or more specific purposes."

---

ePrivacy Directive (Directive 2002/58/EC)

Article 5(3) requires prior informed consent for the storage of or access to information stored on a user's device: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

You can use something like Plausible Analytics which does not use cookies.

Of course you can. What is it you want to do that you think you can't do?

DNT existed, but websites decided they could freely ignore that. Hence the regulation

The EU doesn't tend to require specific implementations - the banners aren't a required implementation, either. It's just what the advertisers thought works best to get their desired outcome.

There was the DNT header. Few sites acknowledge it (and thanks to those who do!), and when Microsoft went against spec by setting it default-on in their browser, advertisers whined that they can't see informed consent anymore and just shut down the whole initiative. Note: Microsoft is also in the advertising business, so if you're into that, that might be another angle for your favorite conspiracy theories.

Finally, there's consent-o-matic, available as browser extension for various browsers, and it lets you state your preferences. https://consentomatic.au.dk/ Would it have been better to integrate that into browsers properly? Sure. But the social and economical dynamics being what they are, this is probably the best we can get.

The EU in this scenario believes in the open market: let the web browsers and web sites find a technical solution.

Because it's not about cookies. It's a much broader statement than that about how the company is allowed to handle your data.

The law punishes companies, not private citizens. If lawyers are overreacting or companies cannot discern between essential tracking and non-essential then perhaps they are the incompetent ones.

The law is reason people think "Look, Why take a chance?" and build crap like cookie banners in.

Really, no. Not being willing to let go of user tracking, and now realizing that it's against the law if you get it wrong, is why people think "Look, why take a chance?" and grasp for shitty dark patterns to cover their asses.

My business did not track its customers online and had no banner. Period.

That's not true. "strictly necessary cookies" are allowed without consent (but information on their use must be available).

Examples for what that means given by the EU itself [1] include "cookies that allow web shops to hold your items in your cart while you are shopping".

And on the policing - there are a lot of laws that cannot be "policed". It requires trust, goodwill, collaboration and savy users to report violations to the webmaster or relevant ICO.

[1]: https://gdpr.eu/cookies/

What you're suggesting is basically the same thing as what the law is achieving.

Yes, users could block all cookies but this will break functionality on a lot of sites, so it's not reasonable. And yes, sites could communicate which are functionality cookies and which are tracking cookies, but as you say it's hard to police this, so pushing the issues to the user's software won't work.

What the law does is fixes all this by requiring sites to obtain consent in certain scenarios; but if your site only sets cookies required for the site to function (shopping cart, login cookies), or if it tracks users for the purpose of security (eg a bank that detects when you log in from a new device / location) you DO NOT need to obtain consent, no banner required.

You are implying that strict anti-emission laws caused uncontrolled emissions by Volkswagen vehicles.

But Volkswagen was very discreet about it, and when uncovered everybody was against them. Website are being obnoxious, instead, and people accuse the law. Go figure!

The site also shows how simple it could be, though - it respects the DNT flag: no cookie banner, no tracking in this case.

And it's a super sane implementation. A simple yes or no.

I've been running Consent-o-matic [1] in both Chrome and Firefox for quite a while now, which automates a lot of them. You can set your preferences for what categories of cookies you want to allow.

[1] https://github.com/cavi-au/Consent-O-Matic

There are extensions to hide the cookie banners and while you have not clicked yes you have effectively said no.

I believe quite a lot of them have their paychecks depending on invasive user tracking, so no surprise.

Everyone's needs would be better served if we could pay for content the same way we did back in the day of printed newspapers.

This is one option. Another is that advertisement goes back to those days: you associate advertisement to a content and to a rough geographical location, and that's it. No personalised ads is still possible.

Yeah, IIRC I think noyb was looking into "Trust arc"

I agree with this. We recently removed all tracking (eg google analytics) from our homepage because we didn't want to have a cookie banner. The result: everything is going fine. Turns out we didn't need the tracking at all. Should've done it way sooner.

Thank you. The industry needs more such testimonies showing that letting go of tracking is okay and won't sink the ship.

It's now magically made it to page 6, seems a bit odd

These do not sound like competent companies, if they cannot even classify the tracking that they initiate as essential or non-essential

"tracking" here means storing data:

Yes, without any consent. For instance logging in a site, doesn't require the warning.

Customers are more informed. Savvy companies now only do essential tracking, so don't have to bother users. Or at least more will as enforcement catches on.

And yet there isn't a lot of actual difference between Americans and EU citizens.

Sure lots of EU laws, practically speaking no difference at all.

The article even has a book ad on the side

The default should be no tracking.

I find it annoying but I do the opposite. Don't give my consent for all the optionals and prefer not to get tracked. I don't believe all of that tracking is warranted in a significant number of cases. Websites appear to be still fully functional without all of those extras, too, meaning the website providers are also ok with foregoing it.