
Dear Paul Graham, there is no cookie banner law

nolok
131 replies
6h40m

Imagine a market in which companies charge a lot of hidden fees behind their customers' back, and users are not happy when they realize after the fact. The law is updated to say you are not allowed to charge the user a fee unless you tell him in advance.

Companies with tons of hidden fees decide to keep them but force you to read all the fees on every page of the menu before you can see the rest of the text, in the most annoying way possible, and promote the idea that the issue is not the extravagant fees, nor the fact that the companies hid them before and had to be forced by law to warn you about them, no the problem is a law that forces them to tell you what you're getting into before it's too late!

That's, essentially, what's happening. And we have people complaining that companies need to display their fees.

On this issue, in the group that complains about the cookie law there are some people who are very wrong on purpose because it's in their interest, and some people who are very wrong because they genuinely don't understand the position they're defending, complaining about being made aware of the fee, instead of the fees themselves or the fact that the companies hide them if not forced by law.

To each their own belief about which category PG fits into.

aurareturn
44 replies
6h25m

Using your analogy, I think what ends up happening is that even companies that don't collect hidden fees will put up a banner just in case.

Not only that, I'm not an EU citizen and I'm not browsing websites based in EU but I'm still bombarded with cookie banners non-stop.

gizmo
22 replies
6h18m

Do you have /any/ examples of websites that don't have a bunch of 3rd party cookies that still have a cookie banner?

Middle managers absolutely love anything with charts and graphs because it makes their decisions feel more scientific. That's why they want tracking software included on their websites. And if the law requires disclosure then a cookie popup is the solution.

maccard
16 replies
5h54m

My company recently announced a game, and we launched a website for the game. There's no ̶t̶h̶i̶r̶d̶ ̶p̶a̶r̶t̶y̶ e:tracking cookies (I didn't make the site, but I do run it).

Our US based legal team told us we needed a cookie banner if we were going to have visitors in the EU. I pushed back, but I lost, and ultimately it's not my fight.

raverbashing
5 replies
5h44m

Thanks for this, it seems a lot of cookie popups are there just due to cargo culting

maccard
4 replies
4h51m

I don't quite think Cargo Culting is the right label for it. It's not just because everyone's doing it. My experience when legal meets code is that common sense, intent and what is actually allowed go out the window, and cover-your-ass wins. My experience with Legal has been that they default to no "just in case" for every question you come to them with.

It's a battle to get them onboard to not taking the safest possible approach, so you only want to fight that battle when it's a kingmaker of an opportunity.

rcxdude
2 replies
4h46m

Yeah, people often approach legal in the wrong way: people often want to ask "is this OK?" and have the lawyers say "yes", but basically no lawyer is going to say that for almost anything. Instead you need to ask them to explain what the risks of different courses of action are and take a view as to whether they are important or not.

maccard
1 replies
4h40m

That's been my experience, but unfortunately _that's_ where cargo culting comes in. As part of $NEW_WEBSITE_CHECKLIST we have to "check with legal" which inevitably involves a laundry list of stuff like this, and the default is to accept what legal says, unless we _really_ don't like the answer at which point we're going to do it anyway...

ryandrake
0 replies
4h11m

Legal counsel is there to advise, not to design product UX. Some companies have bonehead policies like “you must develop whatever Legal advises” but that’s a choice the company is making. Sensible companies treat their in house counsel as advisory, and weigh the risks like they would weigh any other risks.

p_l
0 replies
37m

The funny thing is that most of the CYA cookie banners... are in themselves GDPR violations

almostnormal
4 replies
5h30m

It is not about third party or not, but what it is used for. Consent may be required even if there are no cookies at all.

maccard
3 replies
5h16m

> It is not about third party or not

you're right, I said third party, but I actually meant tracking. I actually went and checked, and our only cookie is the cookie for if you've seen the cookie banner or not...

> Consent may be required even if there are no cookies at all.

For what?

akvadrako
2 replies
5h8m

It's not about cookies. Tracking without cookies also requires consent.

maccard
1 replies
5h6m

See my original post. Our US legal team said that we need the banner if we have visitors from the EU, not if we're tracking them.

astura
0 replies
4h25m

> Our US legal team said that we need the banner if we have visitors from the EU, not if we're tracking them.

This actually makes sense - because if you didn't have the cookie banner then some fucking weirdo would come to Hacker News and make a self righteous post about how you're "tracking residents of the EU without their consent and abusing them" (even though you're not). Instant karma. Next thing you know these weirdos and their mob are reporting you to their government and you're dealing with government inquiries and more legal expenses trying to prove your cookie-less web 1.0 site doesn't "abuse people."

The banner placates them.

qarl
3 replies
4h26m

Your legal team is holding the door open for the day they decide to start tracking.

They probably won't tell you that, tho.

maccard
2 replies
4h13m

Our legal team is following the checklist that they have that they know is pre-approved

qarl
0 replies
3h54m

OK? Does that contradict what I said?

p_l
0 replies
38m

Which was probably written (even if not by the legal team, but someone they consulted) with an eye towards keeping more data than legitimate interest allows under GDPR.

account42
0 replies
3h33m

Sounds like your US legal team is covering their asses on topics they are not familiar with instead of acquiring the necessary competences.

rcxdude
1 replies
4h48m

I think a heck of a lot of smaller sites just cargo-cult the pop-up. Either because they misunderstand the law or because of overly cautious lawyers.

account42
0 replies
3h31m

Or because of FUD from people interested in undermining privacy protections.

PennRobotics
1 replies
5h56m

It only took two minutes to find at https://www.schwarzkuenstler.com/ and I'm sure I can find a dozen more in half an hour.

Germany is a bit litigious w.r.t. internet or privacy, so the combination---cookie consent---is a doozy. Nearly every German website that does anything will have a consent notification, and the slightest misstep (e.g. using Google Fonts without asking permission) can be punishable.

gizmo
0 replies
5h45m

Their privacy policy states they use Google reCAPTCHA, which requires disclosure.

jlokier
0 replies
4h46m

Aggregate data is not considered personal data by the GDPR.

Managers and everyone else can have charts and graphs without retaining personal data.

The processing of personal data prior to anonymisation to turn it into aggregate data, that part needs protection. But you can do it in a variety of ways that don't require personally invasive tracking.

piva00
10 replies
6h23m

Not only that, I'm not an EU citizen and I'm not browsing websites based in EU but I'm still bombarded with cookie banners non-stop.

Again, that's the fault of the companies putting those up, they could make it opt-in to collect your data, they could just put a small notice on the footer with 2 simple links "Accept all/Reject all". But they chose, they decided to pester you with those banners as annoyingly as possible to make you have exactly the reaction you're having.

aurareturn
9 replies
6h21m

The fact that companies are doing that says more about the bad law than the companies which is exactly Paul Graham's point.

rvense
2 replies
5h19m

It is the companies that suck, and Paul Graham is (quite literally) invested in the suckage, wherefore this dumb tweet. Which, if one wanted to create an ad campaign for that eternal Upton Sinclair quote, couldn't have been done much better.

(Thanks for the site though, Paul)

kortilla
1 replies
5h17m

Paul is very unlikely to be invested in tracking unless he has some shares in Google/Facebook. Startups in tracking aren’t really a thing

toyg
0 replies
3h6m

I expect most startups "integrate" their regular revenues (if they have any) with some sort of adtech deal.

bananapub
1 replies
6h10m

what a ridiculous point of view.

do you think the same thing about laws against murder?

about fraud?

card_zero
0 replies
5h42m

I've got to admit, I'm unclear what the equivalent of a cookie banner for murder would be.

This criminal uses murder! If you continue to interact, you consent to being murdered.

Murders you anyway

toyg
0 replies
6h8m

So the problem is that the legislator did not expect companies to be even worse assholes than they already were...?

Laws are not born in a perfect state; very much like programs, sometimes you need a few versions to see how the system actually works in practice and fix a few bugs. The fact that v1.0 has such bugs is not a good reason to just give up, nor is it an indication that the programmer is bad at programming.

piva00
0 replies
6h13m

What exactly is bad about the law that allows companies to do the annoying cookie banner?

paulryanrogers
0 replies
6h13m

Or it says more about the manipulative intentions of the companies than anything about a good law.

layer8
0 replies
6h11m

The law is pretty crystal clear. In many cases the issue is that websites are outsourcing their tracking to ad companies, which in turn apply those banners indiscriminately because that's in their interest.

That being said, all the dark-pattern banners actually break the law. The problem, if anything, is lack of enforcement of the law.

pokot0
8 replies
5h56m

Just been in Europe last week (I live in US): you have no idea what a nightmare internet is in Europe. You are only seeing a side effect here.

denton-scratch
4 replies
5h52m

> what a nightmare internet is in Europe

I live in Europe; I don't experience this "nightmare". Would you care to expand?

pokot0
2 replies
5h22m

Sure. The nightmare is that every single time you open the browser on a website you have to go through the data tracking preference for that website. It's a lot of work to avoid being tracked (companies are obviously using dark patterns there) and when you do it 20 times a day it gets frustrating quickly and collectively a big waste of human time.

Now I am not saying the US doesn't have a problem. They just don't have GDPR and most websites don't ask you for any permission to track you. So the experience is generally smoother (with the occasional tracking popup).

Ideally there should be a way for me to broadcast my willingness to share my data and not allow dark patterns to try to change my opinion. But the GDPR does not cover that and allows websites to drive you crazy until you click "YES, Track me"

tremon
0 replies
4h54m

I think your problem is that you're accessing US websites from Europe, since those are what you know. European websites are a lot less annoying, they actually care about the customer base here.

denton-scratch
0 replies
3h16m

> every single time you open the browser on a website you have to go through the data tracking preference for that website

This is not my experience. Perhaps the websites you favour are exceptionally abusive.

> a way for me to broadcast my willingness to share my data

That's the opposite of what most people want to broadcast.

> But the GDPR does not cover that and allows websites to drive you crazy

Apparently your view is that GDPR should not allow that, i.e. it isn't strict enough. I'm inclined to agree.

yau8edq12i
0 replies
5h47m

As someone who's lived in both the US and Europe during the past few years... GP is full of shit.

overstay8930
1 replies
5h50m

It's crazy how censored the internet is too, you need a VPN to access even piracy adjacent sites in Germany. Unheard of that an ISP would block a website in the US without the FBI itself taking it down.

MaKey
0 replies
5h25m

You don't need a VPN, just a different DNS server.

diordiderot
0 replies
5h14m

It's really not much different.

Source: Living in Europe

nolok
0 replies
6h21m

For your first point I disagree, my companies don't track and we don't have banner cookies.

On your second point, that is again a choice of said companies, not a problem with the law. The GDPR has proven very well that if they cared, they can segment who is affected or not, and not just big tech: lots of random local news sites and the like are doing it just fine.

So again, you're aiming at the wrong culprit.

CipherThrowaway
36 replies
6h7m

Agree. How much corporate propaganda are people consuming that legislators are seen as wholly responsible for the bad behavior and malicious compliance actions of corporations?

What does it say about the relationship between businesses and consumers that the first response to this bad behavior is to shout "look what you made them do!"

Seemingly it is everyone's fault except the bad actors themselves.

throwawaysleep
8 replies
5h40m

Many of us had no real problem with the ad-supported web in the first place. I was happy with the status quo.

So yes, I do blame the government as I would be fine returning to the prior state.

alistairSH
5 replies
5h16m

A site can serve ads without tracking (and the banner) - the ads just couldn't be targeted at individuals. Instead they'd have to guess what ad was appropriate ("Rolling Stone" could serve everybody ads for Taylor Swift's latest album without a banner, etc).

phkahler
1 replies
4h15m

> A site can serve ads without tracking (and the banner) - the ads just couldn't be targeted at individuals.

The biggest problem with online advertising is not tracking users. It's a lack of trust between advertisers and pretty much everyone else. If you're going to pay for an ad, you want to be sure it was seen by a real person. I'm not sure that's the concern any more because click-through is more important than "seeing" an ad. Regardless, the goals are to make sure it's easy for a given advertiser to get on many web sites, easy for a site to get ads, and also possible to prevent fraud since there will obviously be multiple parties involved.

I suspect tracking users was an offshoot of just verifying that users were real to prevent fraud in the ad world. Not saying any of it is OK, but it seems like the way to prevent tracking is to find a way to verify authenticity while also preserving privacy.

actionfromafar
0 replies
4h8m

Embedded banner ads with a third party sampling the site to see that ads are fairly displayed according to paid quota. Maybe something like that?

LunaSea
1 replies
4h21m

This means you get less money for it and can't survive due to the lesser revenue.

actionfromafar
0 replies
4h11m

This is contrafactual. Many things survived on exactly that model before hyper-targeted ads. And besides, with targeted ads the middle men take most of the cut.

Cthulhu_
0 replies
3h41m

> ("Rolling Stone" could serve everybody ads for Taylor Swift's latest album without a banner, etc).

And that would be fine, as long as Swift was willing to pay for it. But the tracking and personalized ads thing was a numbers game; personalized ads have a higher conversion rate, thus are more valuable, thus we need data to personalize ads.

MattHeard
0 replies
5h30m

"I would like website operators to assume that I consent to being tracked, so I'm annoyed that website operators are not allowed to assume that everybody consents to being tracked."

Cthulhu_
0 replies
3h42m

That was your choice in the end, but this was the problem - people didn't have the choice, or the awareness. The EU law fixed this, but instead of corporations going "Hmm, maybe we shouldn't track users", they instead went with malicious compliance and implemented annoyances - because data is more valuable for a lot of websites than whatever said website is peddling.

lynx23
7 replies
5h38m

If it only were that simple. When the GDPR came out, a lot of confusion and misunderstanding ensued. Not only regarding the damn cookie banner. Even totally legitimate health-care providers started to collect signatures to be on the safe side. I still remember receiving a basic GDPR training where we were told that opt-out/signing is only necessary if the entity is planning to do weird stuff with your data. IOW, if someone wants you to sign, they plan a bad move. Then my bank wanted a signature. And a month later, one of my healthcare providers wanted a signature. After a chat with him, I learnt that his lawyer told him to collect the signatures just in case, and made him believe that if someone doesn't sign, that is a problem.

So now we have this situation where providers were trained to play the GDPR in such a way that they will never have a problem, no matter what they actually do with the data.

And consumers are pissed because they are made to sign things which essentially reduce their rights...

And if someone (like me) thinks the EU did a half-assed job there, the downvotes rain in.

wizzwizz4
1 replies
4h24m

> they are made to sign things which essentially reduce their rights...

But not as much as you might think. Consent under GDPR only applies to what you were informed of when you consented, and you're allowed to revoke consent (with prospective effect) at any time.

lynx23
0 replies
4h6m

Yeah, but these are rather theoretical practicalities. In the majority of cases, consent is coaxed out of the consumer. If you show up for an MRI, and you get a piece of paper with the comment "It is for data protection", almost nobody has the time or nerve to actually read the text, and even fewer people have the inclination to decline to sign. After all, they (sometimes desperately) need the service. Let alone that the accompanying comment is deliberately phrased such that some people will believe they need to sign in order for their data to be protected. Dark patterns all over the place. My bank implemented the consent (for a while) as a recurring pop-up after login. Yes, you get the popup as long as you decline to sign it, over and over again. I think they gave up on that practice, and it was partly a dark pattern (IOW, there were two buttons to decline to sign, and one would result in the popup recurring). Examples are all over the place if you walk an EU country with open eyes.

orwin
1 replies
5h22m

I kinda hate saying this, but Microsoft (or at least GitHub) got it right in a week. Some OSS publishers also got it right, like nexedi, and some I'm slightly upset with (GitLab), but it is true that for the commercial internet it seems to be invasive. I do not use the commercial internet much, and like any person with Greasemonkey, I took a rainy afternoon to remove the most annoying banners (I think now I use a plugin that does it for me).

lynx23
0 replies
4h58m

The fact that you have to use a plugin or other technical remedies to fix the cookie banner situation is all the proof we need to see that the EU totally fucked up. It is easy to declare that you just need to install this or that to get an obstruction-free internet again. But it is also very very elitist. Not even 1% of the population is truly capable of handling that.

HelloNurse
1 replies
4h56m

Incompetent lawyers and managers did a half-assed job, and some exemplary fines will motivate them with respect to the other half.

lynx23
0 replies
4h52m

That is so wonderfully naive that I had to laugh out loud. The fairytale of the manager who suddenly is fined big-time for his/her decisions is just that, a fairytale to pacify critics.

soco
0 replies
5h23m

The same people also complain they cannot use by default said websites unless they share all their personal data with them. Half-assed, indeed the measure is. But it also reflects the majority thinking, unfortunately. So unless there's some popular pressure to full-ass the measure, we will still have banners and misused personal data.

username332211
6 replies
5h30m

The funny thing is it's not just corporations. When you open the German state railways' website, somehow you get a GDPR overlay. When you open the German revenue agency's website, you get greeted by a cookie banner on top.

I call upon all German users of this website to write to their MPs! Obviously the German civil service is a bad actor! The German deep state is plotting to discredit our beloved eurocrats and must be shut down! Den Sumpf trockenlegen!

nolok
4 replies
5h28m

I call upon all German users of this website to write to their legislators! Obviously the German civil service is a bad actor! The German deep state must be shut down!

I understand the joke you're trying to make, but you clearly don't understand the relation between Germans and privacy/tracking regulation if you think this makes sense.

username332211
3 replies
5h15m

It's not supposed to make sense, it's supposed to show the absurd position of the post I'm replying to. The less it makes sense, the better.

And I only picked Germany, because it's one of the few EU countries where stuff like that is rigorously enforced. In the rest of the EU, everything unrelated to the common market and/or getting money from the EU is at best haphazardly enforced.

If you want to, check out france.fr, a website maintained by an agency of the French tourism ministry. (After disabling the 3 dozen annoyance-blocking extensions everyone must use nowadays, of course.) What do you see?

A giant cookie overlay. Égoutter le marais!

musiciangames
2 replies
4h23m

I get no overlay on france.fr

username332211
0 replies
4h9m

Me neither, unless I disable ad blockers and anti-annoyance extensions.

account42
0 replies
3h40m

> the German state railways

No such thing anymore, unfortunately.

raydev
4 replies
3h35m

> How much corporate propaganda are people consuming that legislators are seen as wholly responsible for the bad behavior and malicious compliance actions of corporations

Why do I need to be "consuming corporate propaganda" when I just hate that I need to dismiss banners on every news website, when I didn't have to before the regulation?

I don't care about being tracked. But now that all websites need to cover their asses in response to regulation, I'm forced to figure out which button I need to click on to read content, and these websites don't even appear to save my preferences whether I agree to be tracked or not.

Objectively, the outcome of this regulation is that my experience is worse. Are the companies bad actors? Sure! Sounds like the EU should account for companies' bad behavior instead of forcing the internet to be more annoying.

ImPostingOnHN
2 replies
3h10m

The experience you describe is the fault of websites which chose to make things that way. The article goes into more detail on this point: There Is No Cookie Banner Law.

It's important to note that we didn't have to go through the banners after the law, either. We only had to go through them after website operators intentionally picked the most disruptive and annoying popup to serve us. We can blame them. They chose to add it when they could have legally not added anything at all.

It's like the situation described here: https://news.ycombinator.com/item?id=39742766

raydev
1 replies
2h57m

Again, from the perspective of users, the experience got worse post-regulation.

> The experience you describe is the fault of websites which chose to make things that way.

I don't disagree. But they were less annoying before. So make them go back to being less annoying.

ImPostingOnHN
0 replies
2h37m

Again, from the perspective of users, the experience got worse only after websites decided for themselves to add annoying cookie banners. Not after the regulation.

> make them go back to being less annoying

That is a request between you and them (the websites), unless you're talking about legislating a banner-less opt-out, or maybe just willing to file a complaint against the website with a data protection authority, if the banner is already illegally annoying.

Websites have the right to annoy their users with cookie popups, with or without the GDPR (ironically, the GDPR actually has some protections here; websites simply break the law). Unfortunately, it seems many are choosing to exercise that right because they make money doing so.

Jensson
0 replies
3h12m

Get a plugin to click that button for you, I got one and haven't seen such a banner in a really long time now.

ragnese
4 replies
5h45m

It's so depressing. Many of the people who are pointing the finger at the regulators for the annoying cookie banners don't actually see the web site/app *as* a bad actor. The fact that they had been tracking tons of extra data via cookies without their consent or knowledge was totally fine to them as long as it wasn't inconveniencing them in any way. The cookie banner is an inconvenience to their mindless consumption, so NOW it's a problem and they just don't care what the solution actually is as long as the thing goes away.

I've seen this attitude from tech people, too, so it's not just a matter of tech ignorance or illiteracy.

kortilla
3 replies
5h23m

> The cookie banner is an inconvenience to their mindless consumption,

It’s an inconvenience to people who care about privacy and use browser configurations that don’t store state between visits.

So now in an attempt to protect regular users, the law ended up hurting users that already cared.

Additionally, the shadiest and incompetent sites still just track people with no cookie banner. So the law doesn’t really provide protection against uncooperative parties, whereas privacy technology does.

ragnese
1 replies
4h48m

> It’s an inconvenience to people who care about privacy and use browser configurations that don’t store state between visits.

> So now in an attempt to protect regular users, the law ended up hurting users that already cared.

Fair point about the banners mostly "hurting" users who care about privacy (but, really though- how much does it really "hurt" you? I'm "hurt" more by the fact that I have to fold laundry several days a week).

But, I take major issue with you saying that the LAW ended up hurting users. Companies are under no legal obligation to make those banners as obnoxious as they are or with so many dark patterns (I sometimes don't know if I'm even enabling or disabling tracking with the way they word it). That's squarely on the web site owners pulling that nonsense.

> Additionally, the shadiest and incompetent sites still just track people with no cookie banner. So the law doesn’t really provide protection against uncooperative parties, whereas privacy technology does.

I agree that the only/best way to protect yourself is via technology and not by relying on people obeying the law.

However, if this is also an argument against having the law, it's an incredibly weak one. You can apply that logic to argue that NO laws are effective. People still murder even though it's illegal- must be a bad law, no?

nickpp
0 replies
5m

> Companies are under no legal obligation to make those banners as obnoxious as they are

Actually, every single lawyer we asked about implementing GDPR advised us to have one of those obnoxious banners. Because the law is so ambiguous and the penalties so high that it is better to play it safe. And we have no ads nor tracking at all on our product website.

You can ignore your lawyer's advice if you want, but it's a bit like a lawyer office ignoring my data security and backup advice: assuming a huge amount of risk.

account42
0 replies
3h42m

The GDPR is about all kinds of tracking, of which things you can block locally at the browser level is only one part. So yes, even those users that already cared enough to block/discard cookies benefit.

webworker
0 replies
2h39m

Again, this should have been a >browser feature< instead of a website feature. I trust Safari and Firefox WAY MORE than I trust the website's owners to actually block cookies and protect privacy, as well as implement this in a better UX.

The proper way to have done this would have been to go to the W3C or WHATWG and proposed an extension to HTML for sites to define an opt-in manifest or something similar.

Cthulhu_
0 replies
3h44m

Apple is doing the same thing, passive-aggressively doing things like removing support for pinning webapps / PWAs / whatever they're called to your home screen, then backtracking after backlash. Or Microsoft with their browser choice screen or Windows releases without media player. And even those aren't as bad as the malicious compliance of cookie banners.

miracle2k
21 replies
6h24m

> On this issue in the group that complain about the cookie law there are some people who are very wrong on purpose because it's in their interest, and some people who are very wrong because they genuinely don't understand the position they're defending, complaining about being made aware of the fee, instead of the fees themselves or the fact that the companies hide them if not forced by law.

The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking is having to click away an annoying popup, and think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.

madmoose
3 replies
5h54m

I've stopped going to Ars Technica exactly because their cookie pop-up lets me know that Condé Nast wants to share my data with at least (according to the popup) 159 partners.

They have so many "partners" that their cookie popup comes with a search bar.

56 of their "partners" want my precise geolocation data!

16 "partners" want to actively scan my device!

101 "partners" want to "match and combine data from other data sources" (I can't disable or object to this)

102 "partners" want to identify my device. I also can't object to this.

The only way I can really object is to close the tab, so that's what I do.

stefanka
2 replies
4h45m

> The only way I can really object is to close the tab, so that's what I do.

Isn't it too late by then?

Jensson
1 replies
2h55m

Legally no, they can't store his data if he doesn't click yes.

p_l
0 replies
29m

Considering their consent banner isn't legal under GDPR anyway, I'd be wary of expecting them to be compliant with that either.

caskstrength
2 replies
5h23m

The problem is that most people don't want to pay for any of the internet services they use either.

dwaltrip
0 replies
4h55m

Great, then maybe we can all finally go outside and smell the damn roses.

account42
0 replies
3h9m

Any internet services that are unable to secure funding without abusing their users are welcome to stop existing.

isodev
6 replies
6h16m

"Number of visitors" does not constitute tracking. The tracking in question here is to discover who you are specifically and the absurd amount of detail about your online activities collected and shared with data brokers for aggregation and resale.

A few of these cookie prompts during the day and they'd be able to tell everything from where your kids go to school to the kind of prn you prefer to watch on weekdays and everything in between.

rnts08
2 replies
6h9m

I used to work at an online video advertisement company, you'd be horrified how much information we tracked across all the ads, especially since the ad was played with a special media player "plugin" loaded inside the other media player.

This is how ad companies can sell premium views, don't show cosmetics to men, increase car related ads to people who have watched other car related ads and so on.

There's no such thing as server-side "private browsing".

tremon
1 replies
4h51m

This is how ad companies can sell premium views, don't show cosmetics to men, increase car related ads to people who have watched other car related ads and so on.

It's really not. They already could do all that before cyberstalking was normalized. It's called content-based profiling, and it doesn't require any GDPR consent.

p_l
0 replies
31m

The ad companies wanted to aggregate information across multiple channels.

The example about "show more car ads to someone who watched other car ads"? It's not about showing a car ad on a site whose content is about cars (or where the site owner decided they like that kind of thing).

It's about knowing you have wandered over to a car comparison site recently so they can show you car advertisements when you look up sports news, show car-related merchandise when you're browsing some shopping site, show you insurance ads, etc.

yard2010
1 replies
6h5m

Honestly I don't mind them collecting this data, what is really infuriating is the fact they won't share it with me. I would love to know what kind of porn I prefer on weekdays. I think they shouldn't be allowed to track anything with consent or without it unless they share all the data with the subject of spying.

And aside from that, I think it should be much more expensive to say sorry than to ask for permission. In my world a firm like Facebook should not have any right to exist, they earned it. Fine them to oblivion just like I would get a long time behind bars if I didn't do my taxes right.

ragnese
0 replies
5h32m

I call BS. Give me your email password and your browser history and I'll share everything I learn about you with you. I'll also keep it and share it with whomever else I want to, but I'll definitely share it with you, too.

joenot443
0 replies
5h50m

where your kids go to school

Is this something that's kept secret in European society?

If someone told me they knew where my kids went to school I wouldn't be surprised, it's sort of dependent on our address which is in the phone book.

suslik
0 replies
6h7m

Well, different people want different things - I'd rather spend a millisecond to click 'refuse' rather than let them track me - out of spite if nothing else. Yes, cookie banners are annoying; the dark patterns within cookie banners (you need multiple clicks to get to the 'refuse' button while the 'accept' button is right there in your face) are even more so. But honestly - screw them.

paulryanrogers
0 replies
6h16m

Does it become less ridiculous when your browsing history is sold to insurers, who use it to raise your rates?

nolok
0 replies
6h18m

The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking is having to click away an annoying popup

Then you should doubly blame the companies, because that's what Do Not Track was for; they're the ones who decided to make it not work that way and instead be ignored and not considered a valid option for the law.

think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.

You don't need a cookie for that, and what GDPR has told us is that we're not talking of that but about dozens or hundreds on every major site, so trying to frame it that way is disingenuous.

leereeves
0 replies
6h15m

people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous

Is counting visitors all that sites are doing with tracking info?

They're not selling it to ad brokers, insurance companies, governments? They're not matching your name, address, and phone number with your web activity (including sexual interests, "anonymous" embarrassing stories, health concerns, etc)?

geysersam
0 replies
6h13m

The reality is that I (and others who are complaining, as well as many who have resigned themselves to their fate) are happy to have a website "track me", certainly if the cost of non-tracking are having to click away an annoying popup, and think that people who compare a website wanting to know the number of their visitors to "hidden fees" are kind of being ridiculous.

I agree that wanting to know the number of visitors is benign and it is not abuse.

But saying companies should be allowed to track me (for whatever purpose) across the web without my consent is also pretty ridiculous.

catapart
0 replies
6h19m

This is addressed in the article. They could track you, with your consent, in many different ways. The fact that they are choosing to force this cost upon you is what is ridiculous.

Aeolun
7 replies
5h52m

I don’t think this is strictly accurate. There’s nothing about cookies themselves that makes them a problem. It’s the way they are used. Needing to inform people you are using cookies for sessions is like needing to inform people you are using a fork to eat. The problem is that some people are using the fork to stab people, so now we require everyone to say how they’re going to use it in advance. Instead of just prohibiting stabbing people.

nolok
2 replies
5h50m

You don't need a cookie banner for session cookies, not in ePrivacy nor in GDPR; the same applies for all cookies that are "strictly necessary" for the functional operation of the website on the technical level. Language selection cookie, "remember me" cookie, etc. are all perfectly fine.

greggsy
1 replies
5h36m

I’ve often wondered if necessary cookies could just be carved out and designed (and named) differently to improve handling. You could then just configure your browser to inherently accept the benign <biscuits/bikkies> from a site, which would then only ask for non-essential ones.

The real nirvana, IMO, would be better sandboxing between sites.

nolok
0 replies
5h30m

A browser based solution not mandated by law but made by the industry wouldn't work, because all 4 major browser vendors make significant revenues from ads.

At one time a solution appeared with "Do Not Track", and we ended up with the industry making sure it was as toothless as possible, opt-in, and Google pushing hard to control the browser market.

bazoom42
1 replies
5h44m

You don’t need to inform people you are using cookies.

It is not about cookies.

vaylian
0 replies
5h22m

As long as those cookies are only used for making the core functionality of the website work (i.e. login sessions, user preferences)

proto-n
0 replies
5h42m

See for example GitHub's statement [1] about no longer displaying a cookie banner. While ironically the blog still does display them, the main site doesn't.

[1] https://github.blog/2020-12-17-no-cookie-for-you/

nine_k
0 replies
5h34m

A few places allow you to opt for a spoon instead, or drink right from the bowl without utensils. Note that it's not the customers who use the forks for stabbing; it's the restaurants themselves. To show their goodwill to a customer who does not trust them with a fork, they can offer a spoon.

The further we take this analogy, the more strained it becomes.

Yes, it's natural to use a cookie to track a session; this is a mechanism invented for that purpose. It's much less natural to share this tracking information with third parties, especially along with a record of your purchases or other interesting actions.

But ad revenue is much harder to obtain without targeting and thus tracking. And a lot of places depend mostly on ad revenue.

This is another case of the "buy now, pay later" pattern, stretched to "take for free now, pay in loss of your privacy later". Funnily enough, many people don't value the information they get on many ad-supported sites as highly as the marketers paying to grab their attention, so simply compensating by adding a subscription or one-time payment to go ad-free sometimes does not even work; the more generic / "doom-scrollable" the content is, the worse it works.

roenxi
2 replies
6h18m

Hidden fees are bad because of the specific combination - the hiding, and the fees. Since tracking isn't hidden and isn't a fee, the analogy doesn't help to justify the EU's law.

People should have a default expectation that if they give their personal data to companies then it will be recorded. And if they don't want cookies then they should disable cookies. The EU's regulation hasn't revealed anything that is useful to know about.

paulryanrogers
0 replies
6h12m

Tracking is certainly hidden if you're not a programmer, and is certainly a fee if you value your time. Not all people live in low-trust societies or desire to.

AlexandrB
0 replies
6h7m

People don't "give" their information to trackers, it's collected without their knowledge. I don't think most people expect the kind of things trackers collect are being collected.

rglullis
2 replies
4h13m

The law is updated to say you are not allowed to charge the user a fee unless you tell him in advance.

Why not a real regulation then to get rid of hidden fees and heavy fines/jail time for companies that are found to be doing it?

PG's argument (I hope) is that there is no point in talking about "regulation" and "customer protection" if companies STILL get away with their ridiculous and hostile practices.

There is no customer benefit in having user data collection and tracking. Companies do it only to exploit you. Even the usual BS excuses ("oh, we need user data to customize the experience") could be done completely in-device.

I don't want regulatory bodies to just give other companies more hoops to jump through. They will jump through them anyway, because it is profitable to do so. What I want is for regulatory bodies to effectively stop predatory practices.

danaris
1 replies
3h39m

I mean, that would be great, but I suspect that even just here on HN you'd get a lot of people strongly disagreeing with you. Because that would infringe upon the companies' "freedom" to profit in whatever way they see fit—and the people's "freedom" to let their data be vacuumed up and sold for massive profits.

rglullis
0 replies
3h7m

Whether they agree or not is irrelevant. I think that PG's argument is that all the "regulation" and "strength of the EU" amounts to nothing. It's just people pretending to play power games, doing privacy theater and solving absolutely zero problems.

haitchfive
1 replies
4h18m

I agree with almost everything you said, except for one thing: I don't believe the euphemism "hidden fees" helps to clarify the fact that these people are taking money away from people without their knowledge or explicit consent.

We have other more precise words to describe that action. I asked ChatGPT what those could be, here's its answer:

    Q: What are some English words meaning "taking money away from people without their knowledge or explicit consent"?
    ChatGPT: There are several words and phrases in English that convey the idea of taking money away from people without their knowledge or explicit consent:

    Embezzlement: This refers to the act of dishonestly withholding assets for the purpose of theft. It often involves someone in a position of trust, such as an employee, misappropriating funds entrusted to them.

    Misappropriation: Similar to embezzlement, misappropriation involves taking something (usually money) for one's own use without permission or legal right, often in a breach of trust.

    Theft: Theft is the generic term for taking someone else's property without permission, including money.

    Fraud: Fraud involves intentional deception for personal gain, which can include financial deception or stealing.

    Swindling: This term implies deceitful behavior to cheat or defraud someone, often involving trickery or manipulation.

    Skimming: Skimming refers to the illegal practice of taking cash "off the top" of the proceeds of a business or other source of income without recording it.

    Extortion: While not always directly related to taking money without explicit consent, extortion involves obtaining money, property, or services from an individual or entity through coercion or threat.

    Pilfering: Pilfering involves stealing small amounts or petty theft, often done stealthily or without detection.

    Conning: This refers to the act of deceiving or tricking someone, often for financial gain, through manipulation or persuasion.

    Clandestine withdrawals: This phrase specifically refers to taking money from someone's account without their knowledge or consent, typically in a secretive or unauthorized manner.

ImPostingOnHN
0 replies
3h25m

We here are all interested in hearing your thoughts, so please filter raw chatbot output through them, rather than pasting the output verbatim, which isn't value-added, and can even be negative value, given chatbots' penchant for hallucinating information.

foobarian
1 replies
5h41m

The fees example is maybe apples to oranges. The fees are a problem because they subvert the pricing information signals needed for the free market. The problem is not the fact that they are charged, the problem is that they are not included in an upfront price display. Were they included in the total upfront price and never specified the users should not care - it's not their business how a company spends their money.

But I suppose that was just an example you picked to illustrate the industry's malicious compliance, and not the main point, in which case fair enough. :-)

ImPostingOnHN
0 replies
3h31m

The use of secret tracking also subverts the pricing signals needed for the free market. Users aren't informed that the website is subsidized by the sale of the users' information, much less the details of the arrangements and monetary amounts.

If the total price of the website without the secret costs of tracking were presented upfront, it would be less of an issue.

clktmr
1 replies
5h58m

I don't want to be tracked either. But if companies can play the law this easily, I think it's a pretty bad law.

ragnese
0 replies
5h30m

Are we all such spoiled brats that some cookie banners interrupting our web browsing is all it takes for us to give up and call the malicious companies the winners and the law(s) trying to protect our privacy "bad"?

We're a pathetic lot.

c22
1 replies
4h48m

Except you could always just "turn off fees" in the browser, so the whole conflict seems kind of superfluous.

account42
0 replies
3h18m

Except you can't because the in-browser fees are only one of many possible fees you could be charged.

AbrahamParangi
1 replies
5h36m

This is a bad example because the market usually fixes this problem. The reason why the market doesn't fix the cookie banner problem and the reason why this is bad law is because users de facto do not care, it is merely annoying.

There’s a law in California that says that businesses which have chemicals that might cause cancer on the premises need to let people know. That’s great but the levels they set turn out to be lower than what you can feasibly test for and as a result all properties pretty much just put up the signs that say “there might be chemicals here”. The warning is useless and annoying because of market forces which is another way of saying the law incentivized the behavior that occurred.

pornel
0 replies
5h6m

The market is working perfectly here, if you remember that users are not the customers. Users are the product sold to adtech, data brokers, law enforcement, etc.

For data-harvesting companies users are like livestock, and nobody cares about livestock's opinion. It only matters how much value can be extracted from users, even if it's annoying, misleading, and relies on dark patterns.

whazor
0 replies
5h20m

Airbnb used to hide their total price until the EU started requiring them to do so in 2019, whereas the USA only had this requirement from December 2022.

onel
0 replies
1h47m

I think this is a good analogy and I agree that the intent of the law was not to force websites to have a cookie banner, it was just the side effect.

What I think we are missing is a browser option/API that lets the user choose the acceptable tracking level. Similar to the do not track header but more fine grained.

As we are missing that, extensions are doing a good job ATM

https://chromewebstore.google.com/detail/consent-o-matic/mdj...

https://addons.mozilla.org/ro/firefox/addon/consent-o-matic/

I found out about Consent-o-matic pretty late and it saved me a ton of time handling banners. It's exactly what we should have built into the browser.

AlchemistCamp
0 replies
6h15m

The "fee" isn't the cookie. It's the obnoxious popup.

jasode
58 replies
6h26m

>, Paul Graham came up with the thought, that the EU forces companies to have cookie banners. There is no law for cookie banners. [...] Companies could easily avoid any cookie banner. Just don’t track.

KingOfCoders/amazingcto, of course you are technically correct but Paul Graham wasn't talking about the letter of the law.

Instead, you have to interpret his complaint with the lens of game theory, i.e. the Law of Unintended Consequences, that takes into account what companies actually do in response to laws instead of what we hope they will do.

Your blog post focused on good intentions of the law. PG's tweet focused on actual outcome.

n4r9
23 replies
6h20m

Doesn't that argument work both ways? If you interpret the EU's regulation with the "lens of game theory", it is an unintended consequence of aggressive corporate data collection. Not sure why it makes sense to complain about the EU and not the companies.

polygamous_bat
10 replies
6h11m

Not sure why it makes sense to complain about the EU and not the companies.

Unfortunately a non-negligible number of people in tech also have libertarian leanings, with a default “gubmint bad!” position, which makes them easy prey for adtech propaganda.

gred
4 replies
6h3m

Unfortunately a non-negligible number of people in tech also have libertarian leanings

Why is this unfortunate? Because you don't agree with us? The "they would agree with me if they were smarter" trope is tired and gets us nowhere.

Kbelicius
3 replies
5h44m

Why is this unfortunate?

GP answered your question, for some reason you decided to cut the quote right before the answer. Here is the part that is missing from your quote which answers your question: '[...]with a default “gubmint bad!” position'

gred
0 replies
5h36m

Pretty clearly implying the diminished mental capacity which prevents us from agreeing with him, no? I addressed this above:

The "they would agree with me if they were smarter" trope is tired and gets us nowhere.

Gormo
0 replies
4h3m

Perhaps you should consider the possibility that the reason why libertarians assume a default "gubmint bad!" reaction to new policy interventions is that they are sensitized due to decades of experience seeing multitudes of government interventions both (a) fail to achieve their intended outcomes and (b) create unintended consequences instead, often worse than the problems they are meant to solve.

Personally, I find it very very strange that many of the people who call for regulation as a remedy to perverse incentives manifest in commercial markets seem unwilling to recognize the existence of even more perverse incentives in the political realm. If people seeking profit sometimes do bad things to get it, why would people seeking political power be expected to behave differently?

FredPret
0 replies
5h22m

Some people have a default “gubmint gud business bad” position and assume that disagreement is only possible if you’re a brainwashed bootlicker.

I say that’s unfortunate

FredPret
2 replies
5h53m

How arrogant to assume your position should be the default one, and people who don’t agree with you are - of course - easy prey for propaganda.

hallway_monitor
1 replies
5h47m

Seems to be a common tactic from a certain faction currently in power in the United States.

FredPret
0 replies
2h23m

Not just a US phenomenon - it's gone global

fauigerzigerk
1 replies
5h59m

That's beside the point. If you are in favour of government intervention you should be all the more interested in good policies that have the intended effect.

Bad laws boost libertarianism.

ZeroGravitas
0 replies
5h37m

Also, lying about good laws boosts libertarianism.

At least until you realise what they're doing, then you think they're skeevy corporate toadies with no morals.

fauigerzigerk
7 replies
6h4m

No, it does not work both ways. The roles of governments and corporations are not symmetric.

Good regulation is regulation that has good outcomes. If a law has bad outcomes it is a bad law. You can separately complain about what companies are doing but that doesn't change the fact that it's a bad law.

It is of course debatable whether GDPR as a whole has bad outcomes, but if we're talking about cookie banners in isolation then it certainly does.

ragnese
5 replies
5h24m

> No, it does not work both ways. The roles of governments and corporations are not symmetric.
>
> Good regulation is regulation that has good outcomes. [...]

You don't seem to explain what the role of corporations is or what a good corporation looks like. If these things are not symmetric, you need to finish your explanation of why or how they aren't.

Corporations and the whole of property rights only exist because of government protection, so it would be pretty audacious--in my opinion--to assert that corporations have no duty to behave to the benefit of society. I'm not saying that's your claim, but I'm curious as to how close you're willing to get to that claim...

fauigerzigerk
4 replies
4h49m

Governments are supposed to represent the whole of society. The justification for their policies is ideally based on democratic legitimacy. No entity outside of government can possibly have that legitimacy.

In my opinion it is not audacious at all to reject the idea that corporations should intentionally pursue societal goals or claim to act out of a sense of duty.

Of course we want the effect of what corporations do to be of net benefit to society as a whole. But this cannot be based on their intentions or sense of duty. It has to be based on the systemic effects of them pursuing their own (possibly enlightened) self interest within the framework of the law.

It is for governments to make sure that these effects are beneficial and to intervene when they are not. So the asymmetry I see is that capitalism is a tool of society, not the other way around.

n4r9
2 replies
4h29m

I would regard it as a duty of government to ensure that using the internet is safe and respects user privacy, but not to ensure that the internet has a clean UI. To that extent, I'd argue that the EU is achieving good outcomes. Ensuring a clean UI and smooth user experience is one of those things that should manifest as a result of market economics, but does not manifest because markets don't really work that way.

fauigerzigerk
1 replies
3h57m

I see absolutely no reason why clean UX should manifest as a result of market forces. Media consumers, on average, are clearly unwilling to pay for ad-free experiences.

n4r9
0 replies
2h54m

I won't pursue that assertion as it's tangential. I shouldn't have brought it up. The main point is that clean UX is not the purpose of the EU's data laws.

ragnese
0 replies
3h17m

In my opinion it is not audacious at all to reject the idea that corporations should intentionally pursue societal goals or claim to act out of a sense of duty.

I still find it somewhat silly to reject the idea that a corporation (run by human beings) shouldn't intentionally be evil for the sake of maximizing profit, but I do understand that this is a fairly common Friedman-esque point of view.

But, even so, I guess "duty" was the wrong word for me to use. I more meant that if a corporation does NOT benefit society, we should expect the corporation to stop existing. So, in that sense, there's a "duty" (existential requirement) to benefit society.

> Of course we want the effect of what corporations do to be of net benefit to society as a whole. But this cannot be based on their intentions or sense of duty. It has to be based on the systemic effects of them pursuing their own (possibly enlightened) self interest within the framework of the law.
>
> It is for governments to make sure that these effects are beneficial and to intervene when they are not. So the asymmetry I see is that capitalism is a tool of society, not the other way around.

I feel like you're circling back around to almost disagree with yourself. Several comments back in this thread someone made a point about "unintended consequences" of the law and applying "game theory" logic to it, and another commenter replied that the companies in question could also have seen the law coming if they misbehaved too badly. That commenter asked if the "game theory" logic shouldn't go both ways, and that we should then blame the corporations for the regulation because the government is just doing what governments do.

You replied that the argument does NOT go both ways because the roles of government and corporations are not symmetric.

But, what you're arguing here seems to be consistent with the view that the "unintended consequences" and "game theory" logic DOES go both ways. You acknowledge that it is a government's duty to intervene when corporations are not benefiting society, and you also say that corporations will pursue their own self-interest within the framework of the law.

I don't mean to put words in your mouth, but the only way I can resolve this asymmetry in my mind is to have a framework where corporations doing things that are bad for society is okay, because the government is supposed to stop them; but if the government is unable to fully stop them from being bad, then it's STILL not the corporation's fault, but the government's...

It just sounds like we've gotten lost in the abstractions of corporations and governments. At the end of the day, these are decisions being made by fellow sentient human beings, and if a corporation's humans make some evil decision, I refuse to let them off the hook with "well, free markets" and "they have no choice but to maximize profits".

zanellato19
0 replies
5h24m

Exposing the fact that the entire internet is tracking is actually a good outcome.

edanm
2 replies
3h29m

Because the companies are getting what they want (data on users), but the regulation is not getting what it wants (no tracking or informed tracking).

I don't know if this mini-competition between regulators and companies is truly zero-sum, there could be some way to get everyone something they want. But with the current regulation, it is zero-sum, and the companies are winning and the EU is losing. And the EU "works for you", so of course you can complain to them.

n4r9
1 replies
2h56m

the regulation is not getting what it wants (no tracking or informed tracking)

That's an overstatement of the purpose of the regulation IMO. The purpose is to give the user control over the tracking of their data.

edanm
0 replies
2h50m

OK, fair enough. pg's point still stands I think - I believe that most users have zero idea what that popup is and don't bother doing anything but clicking on it immediately even if they do have some idea.

CipherThrowaway
0 replies
5h22m

Of course not. Only titans of industry and the landed gentry of the executive class are allowed to "move fast and break things", "ask for forgiveness rather than permission" and take "imperfect action rather than perfect action."

It's more morally permissible for corporate decision makers to install a global surveillance complex than for civil servants to attempt to regulate it.

KingOfCoders
14 replies
6h13m

(author here)

I'm a fan of second-order thinking and unintended consequences, so I'm with you there. How would you frame a "don't track people without consent" without unintended consequences?

The article tries to make the point (perhaps fails) that companies do this intentionally to get the "consent" of people against their will, therefore running the tight line of breaking the law without breaking it.

gizmo
3 replies
6h5m

The problems with the current law are:

- no fines for non-compliance (or malicious compliance)

- no legal liability for data leaks of PII

When businesses believe (correctly or incorrectly) that the benefit of tracking outweighs the cost (annoying users, regulatory noncompliance) they will do it. The fix is to make tracking too costly for businesses.

pella
2 replies
5h33m

- no fines for non-compliance (or malicious compliance)

"The Biggest GDPR Fines of 2023"

1. Meta – €1.2 billion (Ireland)

2. Meta – €390 million (Ireland)

3. TikTok – €345 million (Ireland)

4. Criteo – €40 million (France)

5. TikTok – €14.5 million (UK)

6. Axpo Italia Spa – €10 million (Italy)

7. Tim S.p.A. – €7.6 million (Italy)

8. WhatsApp – €5.5 million (Ireland)

9. EOS Matrix – €5.5 million (Croatia)

10. Clearview AI – €5.2 million (France)

"GDPR fines are designed to make non-compliance around data security a costly mistake and they can be separated into two tiers. Less severe infringements can result in a fine of €10 million or 2% of a firm’s annual revenue from the preceding financial year, depending on which amount is higher. More serious violations can result in a fine of up to €20 million or 4% of a firm’s annual revenue from the preceding year, depending on what is higher."

via https://www.eqs.com/compliance-blog/biggest-gdpr-fines/

gizmo
1 replies
5h23m

Which of those fines were because of inappropriate use of cookie consent popups?

You just copy-pasted a list of GDPR fines.

pella
0 replies
5h1m

fines were because of inappropriate use of cookie consent popups?

see: "8 companies that faced cookie consent fines"

https://www.cookieyes.com/blog/cookie-consent-fines/

"In January 2023, France’s data protection watchdog, CNIL, fined TikTok €5 million ($5.4 million) for making it difficult to refuse cookies on its website. The CNIL found that TikTok manipulated consent by discouraging users from rejecting cookies. They required multiple clicks to refuse cookies, but only one click to accept them. TikTok resolved the issue by adding a “Refuse all” button to its site."

denton-scratch
3 replies
5h39m

How would you frame a "don't track people without consent" without unintended consequences?

Drop the consent requirement? I.e. just don't track people. No third-party cookies, first-party only, and only for the correct operation of the site.

It's not the cookies that people object to, it's the tracking. Tracking provides no benefits to visitors. If there were no tracking risk, there would be no need to require consent.

caskstrength
2 replies
5h15m

It's not the cookies that people object to, it's the tracking. Tracking provides no benefits to visitors

Sure it does. Visitors get to use all those great sites and apps without paying for the services directly.

danaris
0 replies
3h35m

That's not a benefit of the tracking. That's a benefit of the advertising dollars.

I have yet to see any kind of meaningful study showing that tracking improves the ROI on advertising by anything remotely resembling enough to justify it.

account42
0 replies
2h57m

"directly" does the heavy lifting here. Users (on average) still end up paying for the services in the end.

kevmo314
2 replies
5h58m

Fines for data breaches are one idea? If we want to disincentivize data hoarding, the main cost of data hoarding is data breaches, so we could perhaps penalize that.

This would have a different issue, specifically companies would no longer self-report data breaches, but it's just an idea. There are alternative approaches to getting to "don't track people without consent" that aren't a toothless stick by making it more expensive to track.

falcor84
0 replies
5h43m

Here's my idea - no data collection without compensation. For example, you must pay me in advance 1 cent for the permission to access 1 byte of my personally identifiable information for the following month, whether that's stored in a cookie or in your own database or you access it via a third party (e.g. Meta). So instead of a "cookie consent" pop-up, I want a "cookie payment" pop up where the site will ask me for my payment details and say how much they'll pay me (again, in advance) for each of the options I can toggle.

Sponge5
0 replies
5h40m

the main cost to data hoarding is data breaches

... the main cost at the moment. I think we as a society are very close to a tracking/data tax.

mlrtime
1 replies
5h50m

Probably the same way most laws end up. We see the unintended consequences, then revise the law to counter the consequences. Thus the cat/mouse game continues.

An idea could be that the tracking has to be opt-in AND the webpage cannot stop critical use of the page as part of the opt-in process.

Then another round of consequences.. rinse repeat...

denton-scratch
0 replies
5h37m

An idea could be that the tracking has to be opt-in

Why would anyone opt-in? Tracking provides zero benefits to the site visitor.

caskstrength
0 replies
5h16m

The article tries to make the point (perhaps fails) that companies do this intentionally to get the "consent" of people against their will, therefore running the tight line of breaking the law without breaking it.

That X button is right there at the top near the tab name. Not sure how a user could be forced against their will into staying on the site presenting them with a cookie banner.

hikingsimulator
5 replies
6h14m

The blog clearly works from the actual outcome lens. It's repeated. Several times. The companies could just not track.

The actual outcome is that they do want to track, and use adversarial patterns and malicious compliance to twist your arm and "force consent."

Paul Graham is still wrong.

jasode
2 replies
6h3m

>The blog clearly works from the actual outcome lens. [...] The companies _could_ just not track.

No, you've inadvertently stated a contradiction. Your use of the word _"could"_ is literally a hope/wish/intention of the law.

In contrast, the actual outcome is that the companies didn't stop tracking. We _wish_ they would stop tracking. (I.e. "The companies _could_ just stop tracking us!") But that hope still doesn't change the observation of reality.

itishappy
0 replies
4h2m

But companies have stopped tracking (or they've started lying). I can now opt out. I could not before.

hikingsimulator
0 replies
5h32m

The law is not code. Equating hope with the intention of the law is a poor way to think about it. The law is to protect users against opaque companies and to enable them to make informed choices.

If companies act maliciously to contort around the law and force users back to making uninformed choices, it is the companies' fault and not the law's. Companies could have followed the interpretation of the law unobtrusively. But they didn't.

Invoking "reality" and semanticking a position do not make Graham's position justified. Neither do they make the blog wrong.

voxic11
1 replies
4h28m

Can you really say that confidently? I think a lot of these companies would go out of business if they didn't track users so it seems like under the law they have no option but to show cookie banners. Or are you claiming the law exempts companies in such circumstances?

itishappy
0 replies
3h58m

I'm sure illegal/unethical actions would help a lot of struggling companies.

sputr
3 replies
6h0m

The actual outcome is, from my experience, that tracking has reduced, a lot. When this law was enacted, *we all removed "like on Facebook"* buttons. Remember those? Yeah, we don't see them anymore. Google Analytics also was forced to change, at least a little.

Is there still tracking? Sure. But it's not so blatant anymore. There are hoops one needs to jump through. And that was the point: to make tracking harder.

None of my projects have cookie banners. Why? Because I use a first party tracking system (Matomo), I anonymize all visits and I respect DNT. It's that easy.
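Taking sputr's setup above (first-party analytics, anonymised visits, honouring DNT) as the model, here is an added example of the server-side gate such a site would run. It is not code from the thread, from Matomo or from any site mentioned. The function names, the first-party `consent` cookie, and checking the `Sec-GPC` (Global Privacy Control) header alongside DNT are assumptions for illustration; the /24 and /48 truncation mirrors the usual "anonymise IP" setting of self-hosted analytics rather than any one tool's exact behaviour.

```javascript
// Added example (not code from the thread or from Matomo): a first-party
// analytics gate that honours Do-Not-Track / Global Privacy Control and
// anonymises visitor IPs before anything is stored. Nothing here needs
// consent, so there is nothing to put in a banner.

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(cookieHeader) {
  const jar = {};
  if (!cookieHeader) return jar;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Decide whether non-essential (analytics) processing may run for this request.
// Precedence, most restrictive first:
//   1. "DNT: 1" or "Sec-GPC: 1"            -> no analytics (browser-level opt-out)
//   2. a first-party "consent" cookie set  -> follow whatever the visitor chose
//      earlier by this site (assumed name)
//   3. otherwise                            -> no analytics; nothing is assumed
function trackingAllowed(headers, cookies) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  if (h['dnt'] === '1' || h['sec-gpc'] === '1') {
    return { analytics: false, reason: 'browser-signal' };
  }
  if (cookies.consent === 'analytics') return { analytics: true, reason: 'consent-cookie' };
  if (cookies.consent === 'none') return { analytics: false, reason: 'consent-cookie' };
  return { analytics: false, reason: 'default' };
}

// Anonymise an address before storage: zero the last octet of IPv4 (/24),
// keep only the first three 16-bit groups of IPv6 (/48).
function anonymizeIp(ip) {
  if (ip.includes('.') && !ip.includes(':')) {
    const o = ip.split('.');
    if (o.length !== 4) throw new Error('bad IPv4: ' + ip);
    return `${o[0]}.${o[1]}.${o[2]}.0`;
  }
  // Expand a "::" gap to eight groups, then keep the first three.
  const [head, tail = ''] = ip.split('::');
  const hs = head ? head.split(':') : [];
  const ts = tail ? tail.split(':') : [];
  const groups = [...hs, ...Array(8 - hs.length - ts.length).fill('0'), ...ts];
  if (groups.length !== 8) throw new Error('bad IPv6: ' + ip);
  return groups.slice(0, 3).join(':') + '::';
}

// Handle one request: always issue a strictly-necessary session cookie
// (no consent needed for that); record an analytics hit only when
// trackingAllowed says so, and then only with the anonymised address.
// `req` mimics the fields of a Node IncomingMessage we need; `store` is
// the (constructed) analytics sink.
function handleRequest(req, store) {
  const cookies = parseCookies(req.headers.cookie);
  const decision = trackingAllowed(req.headers, cookies);
  const setCookie = [];
  if (!cookies.sid) {
    setCookie.push('sid=' + req.newSessionId + '; Path=/; HttpOnly; Secure; SameSite=Lax');
  }
  if (decision.analytics) {
    store.push({ path: req.url, ip: anonymizeIp(req.remoteAddress) });
  }
  return { decision, setCookie };
}

// Constructed sample: a GPC-enabled visitor gets a session cookie and no hit.
const hits = [];
handleRequest({ headers: { 'sec-gpc': '1' }, url: '/', remoteAddress: '198.51.100.9', newSessionId: 'demo' }, hits);
```

The default branch matters most: a request with no signal and no prior choice is treated as "no", so the site never has to ask. Only a visitor who has actively chosen `consent=analytics` is counted, and even then the stored address cannot identify a single host.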

FredPret
2 replies
5h37m

It’s not the difficulty level that people object to.

It’s a combination of two things:

1) the law comes to the rest of the world from Europe. We (rest of the world) didn’t vote in the people who brought it. We’ve had quite enough of Europeans making rules for the rest of the world in the past few centuries thank you very much.

2) GDPR encodes an expectation that may or may not be common in the EU, but certainly isn’t common elsewhere. I don’t have any expectation of privacy when I walk in public or when I give any information at all to a business. My solution to this is: a) I wear pants outside, and b) I don’t give out private information. Whether the business ecosystem knows their age and purchasing patterns is largely immaterial to virtually everyone I’ve ever met.

And don’t show me a survey showing people don’t like it - if you prime people with the question, of course they will respond that way. They know their info is being gathered, and they just don’t think it’s as big a deal as GDPR would like it to be.

sputr
1 replies
2h15m

So, I get your point. I can see how (1) can be aggravating. Can't really say anything to defend it, that's the Brussels effect for you. From the point of view of your own sovereignty, it's a bad thing, period. From the point of view of the effect on the lives of average people, I'm not so sure it's so cut and dried.

Now, point (2) is, unfortunately, in the same vein as smoking, pollution, seat belts etc. Uninformed people (uninformed because they have better things to do) are not protected from their lack of knowledge. They suffer the consequences just the same.

And while I agree that an informed person making a self-destructive choice has (in most cases) the right to do so, there is something to be said about the very, very powerful exploiting the uninformed. And this is where GDPR comes into play. It's protecting normal people from a very, very big threat that is not that obvious and is being wielded by the powerful.

GDPR is one of those laws restraining western corporations from going full dystopian future on us all. I said restraining, to be honest, I think it's just slowing them down.

And as far as surveys go - it used to be the same here. Europeans didn't care and said exactly the same things (i.e. the famous "i didn't do anything wrong, so I have nothing to hide") and then activists worked for years to educate them that, at the very least, it's leading them to buy things at higher prices. Now most people are extremely sensitive to their data.

FredPret
0 replies
42m

I get it - what you're saying is a very common-sense regulation. Reasonable people can disagree about this.

But different societies prefer a different balance here.

Americans are used to a more caveat emptor situation. Europeans want more regulation. Which one to choose is a political choice.

What's happening is that the political choice that the EU went with is being forced on the rest of us, whether we like it or not.

semi-extrinsic
0 replies
6h19m

I consider it a good outcome when I can clearly identify shitty websites and just click the back button.

ryandrake
0 replies
3h40m

There are a lot of ridiculous things a company can choose to do in response to any given law. Those choices are not mandated by the law. Horrible consent UX is not the only option to choose from.

Government can, and should, analyze likely (or unlikely) unintended consequences and use those to further shape the law, but at the end of the day, those consequences come from choices that people who are subject to the law make.

I think the big mistake the EU made is they probably thought: “Surely no company would choose to abuse their customers with horrible UI just because they don’t like the law and want to take their collective frustration out on their users!” The EU was obviously wrong about the extent to which companies would throw their users under the bus while maliciously complying.

klabb3
0 replies
6h15m

I’m not surprised. This is a “hot take-centric” platform issue, and a laziness in trying to understand him too. Or.. two people on the street yelling at each other but not listening.

karmakaze
0 replies
18m

The outcome would be much better if the law explicitly stated that the initial cookie banner must have a "Necessary cookies only" opt-out one-click option. And that this option means truly necessary, not the Internet Explorer is needed by the operating system 'necessary'.

jmathai
0 replies
6h11m

It’s unfortunate, if companies are okay not tracking you, that they care little enough about their user experience to use cookie banners.

gizmo
0 replies
6h9m

Except many companies respond to the cookie law with a cookie consent popup that violates the law (by making opt-out harder than opt-in).

Could we really have predicted from the "Law of Unintended Consequences" that companies would respond not by tracking less nor by giving people an easy way to opt out, but with a cookie consent popup that is not compliant and also really annoying to their visitors?

This is better explained by business operators being ignorant of the actual law and being ignorant of the UX impact.

VeejayRampay
0 replies
6h12m

Paul Graham focused on whining about regulation as he always does

GTP
0 replies
6h15m

I see your point, but then to have a constructive conversation Paul Graham should also give his two cents about how the law could be improved. I don't know him, so I'll ask here: did he do that?

CipherThrowaway
0 replies
5h31m

Everyone knows that bad actors will continue to behave badly in the face of the law. This isn't the insight you seem to think it is.

Really, PG's tweet has little to do with game theory or anything else. It is a first-world-problem whinge about having to click through cookie banners. Assessing the "actual outcome" of complex regulation and legislation is a task beyond the scope of a single tweet.

It might be useful for Graham to determine what claim he is trying to make in the first place. Is he rebutting a particular EU representative for boasting about how good they are at regulation? Or is the idea that the EU shouldn't have the audacity to attempt to regulate in the first place?

whywhywhywhy
54 replies
6h31m

Hate this way of thinking where the government (with seemingly good intentions) tries to stop something but leaves a loophole where all our lives are made more tedious, and then people defend it saying the companies should just not do it. Well, we needed the law in the first place, so it's a bit silly to suggest they stop doing it after the law, no?

If the cookie law was written properly then it would have just been a browser setting that had to be respected and this whole thing would have been completely transparent to the end user and they would have benefitted by default.

Instead, through incompetent government employees, we now have cookie banners for the rest of eternity on almost every site, and they're not even standardized, so the worst sites, like where journalists publish, can have more and more obtuse ones.

exitb
10 replies
6h20m

It would be 100% ok for it to be a browser setting. It isn't though, because that would make too many people opt out. That's what the article is about.

foldr
9 replies
5h57m

I don't think a browser setting would make any difference. The setting would have to be either "I don't want to be tracked by anyone ever" or "I'm ok with being tracked by everyone all the time". Everyone would just choose the first setting. But just because someone has that setting doesn't mean you can't ask them specifically if they're ok with being tracked on your specific website for some specific purpose. So then you're back at the cookie banners.

(Also, if a lot of people did choose the 'everyone all the time' setting, that would arguably be a poor outcome, because it's unlikely that this is really what people want.)

thomastjeffery
3 replies
5h29m

The setting would have to be either "I don't want to be tracked by anyone ever" or "I'm ok with being tracked by everyone all the time".

The only alternative to that binary logic is cookie banners. So to be clear, you are advocating for cookie banners.

The reality is that the overwhelming majority of people do legitimately want option 1, which makes cookie banners redundant. The only reason that cookie banners exist is as a high pressure sales tactic to sell users into option 3.

foldr
2 replies
5h25m

The point is that you'd still get cookie banners even with option 1, because a site can always ask you if you're willing to override your default preference.

exitb
1 replies
5h23m

It could work like popup permissions - unobtrusive notification you ignore unless you're specifically looking for it.

foldr
0 replies
5h20m

It could. And the GDPR already bans dark UX patterns in consent popups (i.e. making it artificially difficult to refuse consent). But the law can’t realistically tell sites exactly how to design their UX.

exitb
3 replies
5h26m

We already have granular permissions for other things (like location queries) and it works out just fine. You allow things when they make sense and refuse when they don't. It could be resolved in a way that preserves usability but still achieves the goal of not tracking non-users via ads. I doubt that it would make PG particularly happy though.

foldr
2 replies
5h24m

The key difference with tracking is that it's based on intent. Technically there is no difference between a tracking cookie and any other cookie. It is just a question of its intended use.

exitb
1 replies
5h18m

Sure. If I'm asking a website to remember my user session, I expect and am happy to allow a cookie, even if it's a few extra clicks. When I visit a site I'm not a registered user of, no tracking is needed really.

foldr
0 replies
2h47m

The issue isn't cookies vs. no cookies; it's tracking cookies vs. other cookies. Session cookies in and of themselves do not require consent.

pornel
0 replies
4h55m

The DNT (Do-Not-Track HTTP header) setting died the moment Microsoft made it too easy to enable during setup of Edge, making most of their users default to do-not-track.

The adtech will absolutely freak out and destroy any attempt to make such setting as soon as there's a risk of it working.

cbeach
9 replies
6h19m

Exactly this.

The law could have been written in such a way that we could use a browser setting and avoid incessant popups which irritate users and desensitise them to genuinely useful warnings.

Whatever the good intentions of EU lawmakers, they seem inept at technical legislation because they ALLOW companies to continue doing shady things, and rather than tackle it, the legislators create a law that merely annoys users.

madsbuch
5 replies
6h8m

It would be horrible regulation if it told you how to comply instead of telling you what to comply with.

As written elsewhere (since you obviously didn't read anything), your proposed solution would be just fine. But people opted out of implementing it that way since it would yield less profit.

cbeach
4 replies
6h5m

Show me the section of the ePrivacy Directive (Directive 2002/58/EC) or GDPR that implies the "Do Not Track" browser setting can override the need for consent banners / popups.

madsbuch
2 replies
5h56m

Well, if you respect the do not track setting and therefore DO NOT TRACK, then just remove the banner. You have no obligation to tell people that you do not track because you do not track.

SpicyLemonZest
1 replies
4h24m

Are you 100% confident that you don’t do anything which could be construed as tracking by a hostile regulator? Even the official EU sites that host the relevant regulations have cookie banners, explaining (https://eur-lex.europa.eu/content/legal-notice/legal-notice....) that they can’t otherwise do basic analytics or interface persistence.

madsbuch
0 replies
1h47m

Better safe than sorry... Absolutely. If you work with a company, where you cannot guarantee that no tracking will be injected into their users computers, then you better add the disclaimer.

Also, if you feel certain, and are ready to defend in court, that the practices on your website do not constitute tracking, then you don't have to show the banner either.

Personally, I am much more pragmatic about these regulations, with good reason. I have yet to hear about some small innocent company hit with a massive fine. Empirically speaking, it is mostly huge multinational companies, with plenty of resources to manage these things down to the details, who have gotten fines after repeat offences.

All in all. If you assume malicious regulators, then it is going to be stressful to work in a market. From US influence, I also do understand the sentiment, though it is rarely mirrored with EU citizens who generally don't assume hostile regulation.

layer8
0 replies
6h1m

DNT wouldn't work, but a hypothetical "yes, please feel free to track me" setting would, if standardized by browser vendors and implemented appropriately (i.e. ensuring user consent).

toyg
0 replies
6h2m

> they ALLOW companies to continue doing shady things

No they don't. But enforcement requires complaints, actions, and budgets. Remember that the EU has no police, it's down to national governments to enforce regulations.

Also, take fraud. There are plenty of laws against fraud in any country - and still it happens every day in one way or another. That's not because all fraud laws are bad, but because enforcement is complex and costly.

layer8
0 replies
6h3m

The GDPR doesn't prohibit such a browser setting to exist and to be applied. The GDPR however also isn't a technical standard that would prescribe any specific technical protocol.

denton-scratch
0 replies
5h17m

Whatever the good intentions of EU lawmakers, they seem inept at technical legislation

I don't think that's a specialization of EU lawmakers, particularly. As far as I can recall, lawmakers started thinking about internet regulation around the turn of the millennium, and I didn't welcome the prospect; I assumed that regulation would favour state intelligence and police agencies, and would be drafted by adtech lobbyists. Why? Because I didn't think the civil servants who are supposed to draft these laws had the requisite competence.

threemux
8 replies
6h3m

As far as I can tell, politicians don't spend much if any time thinking about second and third order consequences. GDPR is but one example, but instances of this abound. The default should be to mistrust new laws. Reagan takes lots of flak on the internet, but he was right on the scariest phrase being "I'm from the government, and I'm here to help".

Even worse, this thread is full of armchair lawyers that will confidently tell you there's no need for cookie banners in particular cases. Nevermind that there's hardly any case law about this and each country seems to interpret it differently. Any actual lawyer would tell you to slap it on there to stay protected.

ulucs
2 replies
5h38m

Cases != law in continental Europe. The law is the law. I don't think you're in a position to call others armchair lawyers

threemux
0 replies
3h56m

The wording was imprecise, but to the website owner, this is a distinction without a difference. Just because a civil law system is in use versus common law, you still need judges to interpret what the law is. Their decisions may not be binding in the way precedent is in common law systems, but they are still important in determining what might be legal or illegal in the face of ambiguous laws (that is, all laws)

adamlett
0 replies
3h36m

That's not entirely true. Continental European law tends to be far more detailed than Anglo-Saxon law, but still relies on precedents set in previous cases when there are ambiguities in the law, and when it comes to meting out punishment and damages.

K0nserv
2 replies
5h59m

Even worse, this thread is full of armchair lawyers that will confidently tell you there's no need for cookie banners in particular cases. Nevermind that there's hardly any case law about this and each country seems to interpret it differently. Any actual lawyer would tell you to slap it on there to stay protected.

I bet the number of cases of illegal implementations due to insufficient consent is vastly smaller than the number of blatantly illegal consent implementations (i.e. those that make it harder to reject consent than accept it). Companies clearly don't care about following the law anyway.

oneeyedpigeon
1 replies
5h49m

Any actual lawyer would tell you to slap it on there to stay protected.

Presumably, lawyers err on the side of caution? That doesn't mean they're right.

K0nserv
0 replies
5h45m

I'd think so too, but the number of implementations that use dark patterns that make it more difficult to reject consent than accept it seems to indicate they aren't erring on the side of caution.

I'm not talking just de-emphasising the reject option here, but cases where there is no reject option or it's buried beneath 2-3 more clicks.

adamlett
1 replies
5h33m

Even worse, this thread is full of armchair lawyers

...

Any actual lawyer would tell you

Assuming you're not yourself a lawyer, doesn't speculating about what an actual lawyer would say or do make you an armchair lawyer?

threemux
0 replies
4h0m

One only needs to be familiar with lawyers themselves to speculate about what they might do. They are a cautious bunch. This is distinct from dispensing legal advice.

poszlem
6 replies
6h24m

This is 100% what PG means IMO and the most sane take on this. Either write the law correctly so it's not easily bypassed or just don't touch anything because you will only make it worse.

piva00
5 replies
6h19m

The law is not bypassed, the annoying banners with no simple option to reject are illegal. The issue is that enforcement is slow, not that the law is badly written.

GDPR's Article 7 [0] is very clear:

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. [emphasis mine]

[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...

zalyalov
1 replies
5h35m

Yes, that very much is an example of the law being badly written.

"Prior to giving consent, the data subject shall be informed thereof."

Means there must be some sort of a cookie notification (which could of course take a small space of the screen, but still).

The existence of this notification makes it easier to initially give consent. If withdrawing later is to be as easy, the notification must never disappear.

thomastjeffery
0 replies
5h27m

So you want users to be tracked without consent? I don't.

throw10920
1 replies
6h8m

The issue is that enforcement is slow, not that the law is badly written.

The enforcement/implementation of a law is so deeply entwined with the text that it's deceptive to separate them.

If a law is written in a way so as to make enforcement hard, or if the government doesn't have the resources to quickly and consistently apply it, then it's a bad law because it enables weaponized targeted/selective enforcement of a new law that wasn't present before.

foldr
0 replies
5h50m

Essentially all laws are difficult to enforce. If someone really won't follow the law, then it takes a lot of time and money to prosecute them. Society relies on most people voluntarily following most laws most of the time.

demurgos
0 replies
6h7m

Thank you for mentioning point 7.3, as it's very important but often gets ignored. I hope that it gets strictly enforced. _It shall be as easy to withdraw as to give consent._

Regarding the link you posted, they have a banner at the bottom saying:

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. [Ok] [No] [Privacy Policy]

My understanding was that such an implicit consent ("we will assume that you are happy with it") is not legal so I find it a bit surprising to see it used on a website dedicated to the GDPR.

boxed
6 replies
6h23m

The law isn't that bad actually, just that the courts have been very slow. The dark UI patterns are actually illegal and have been judged so in court now. This realization just has to trickle down to the companies writing these cookie banners.

whywhywhywhy
1 replies
4h40m

The law isn't that bad actually

I've clicked 3 cookie banners today alone and its not even 2pm yet.

How many cookie banners have I clicked in my life so far? How many cookie banners can I expect to click over the remaining 40-50 years of my life?

The law is objectively bad.

rcMgD2BwE72F
0 replies
4h15m

The law is objectively bad.

No, the websites you visit are probably bad.

Which cookies did you have to accept/reject? What do they do? Why do the websites believe they must ask you to accept them?

Also, the law allows browsers to automatically accept/reject the cookies on your behalf (actually, the law does not care about which specific technology the websites use to collect and process personal data). You, as a user, can choose a browser/extension that rejects these cookies by default, except the necessary ones. I use https://addons.mozilla.org/en-US/android/addon/istilldontcar... and I haven't seen a single cookie banner for years on desktop and mobile. I don't like cookies and I like the law.

ankit219
1 replies
5h25m

My take is that law tries to dictate UX more than just set groundrules which good laws do. They pre-emptively set the law such that it prevents any use when the focus is on misuse. The law is about 1st party and 3rd party cookies, not just 3rd party.

In an ideal case, if it was just a law, a simpler wording could be "you are allowed to collect anonymized data, but not monetize/share it without permission from users. We may ask you to furnish proof that you havent been doing that at times, failing which you would face massive fines (as %age of revenue whatever)."

Problem is, collecting basic anonymized usage data[1] is needed by companies to improve the product, provide a better experience, and detect misuse. They bundled those use cases with everything else, meaning the law was too broad and we got cookie banners given every site needs basic analytics. On the flip side, worst is that most websites use Google Analytics, so they might have had to display the banners anyway.

[1] Moreover, it's vaguely worded, so companies do not know if they have committed a GDPR offence. By general understanding IP addresses are under GDPR. You can get that via request headers. So, to be on the safe side, even anonymized analytics tracking is considered under GDPR.

account42
0 replies
2h44m

Usage data is NOT needed to improve your website.

Moreover, it's vaguely worded so we companies do not know if they have committed a GDPR offence.

Only if they are trying to skirt the law.

63stack
1 replies
6h2m

* There was an option of making this non-intrusive, by requiring it to be a browser setting, they chose not to
* The law went into effect ~6 years ago
* Companies still break the law by employing dark patterns

My take is that it makes both the law, and the courts bad.

toyg
0 replies
3h4m

Neither the law nor the court can start any enforcement proceeding.

Clearly, national prosecution authorities can't be arsed and we don't have enough citizen-activists filing strong lawsuits.

shafyy
1 replies
5h59m

If the cookie law was written properly then it would have just been a browser setting that had to be respected and this whole thing would have been completely transparent to the end user and they would have benefitted by default.

The law does not mandate websites to display a cookie banner. There are already "Do not track" settings in browsers. A website could choose to honor that setting and not track you without ever showing you a cookie banner. But most don't.

raydev
0 replies
3h40m

But the websites are still putting up banners in my way, and they never remember what I consent to anyway, they just ask every time.

They didn't do this before the regulation. It doesn't much matter whether a website could do better, they simply aren't going to do better unless forced to.

A website could choose to honor that setting and don't track you without ever showing you a cookie banner. But most don't.

Exactly! Either fix the regulation to say they can't make UX worse or throw it away.

xjay
0 replies
5h24m

The problem is that we as a society constantly have to deal with adult children, so don't expect reason. Do expect elaborate rationalizations intended to waste the energy of an indecisive parent, who is basically getting bullied by a kid throwing a tantrum.

This kind of behavior reminds me of the book: "Language vs. Reality: Why Language Is Good for Lawyers and Bad for Scientists" - Nick Enfield, Linguistic Anthropologist [1]

[1] https://mitpress.mit.edu/9780262548465/language-vs-reality/

viraptor
0 replies
5h58m

but leaves a loophole

There's no loophole. There's just limited enforcement. Most of the banners you see every day do not match the requirements at all.

thinkingtoilet
0 replies
6h5m

There is no loophole here. If you want to track someone, you need their consent. How are cookie banners a "loophole"?

Instead through incompetent government employees

Or greedy companies, one of the two...

stetrain
0 replies
5h10m

Hate this way of thinking where the government (with seemingly good intentions) tries to stop something but leaves a loophole where all our lives are made more tedious and then people defend it saying the companies should just not do it, well we needed the law in the first place so it's a bit silly thinking to suggest they stop doing it after the law, no?.

We deal with similar issues developing and releasing software. Instead of not ever releasing software, or only writing perfect software that never has issues, we have a couple of options.

1) In critical life or death situations, spend a ton of time modeling all states of the system and program in a way that very strictly controls for these states, with a lot of testing. See NASA/JPL coding standards for critical systems.

2) For less critical situations, or those where modeling all states of the system is impractical, we release, observe, and iterate. Yes there will be edge cases, bugs, and loopholes. But we can observe them, iterate, and release updates.

I think case 1) is impractical for changes to large legal and economic frameworks in the real world given how many variables are at play. If we could model the entire economy and see how it would react to a given change, the world would be a very different place in lots of ways already.

A lot of politics seems to work against 2) and that hurts our ability to improve things. "I will pass a law that does X" and "I will repeal the law Y that is not working, see look at these loopholes!" are good political campaign statements.

"I will gather and analyze data on the operation of the current system and support an iterative change that intends to improve things, implement that change, and then observe the results to determine if future changes are needed" is hard to rally around either in campaigning or when actually doing the work of getting political support to pass law.

I think decent example of this in government, although far from perfect, is the feedback loop of the NTSB and FAA. The NTSB's job is to observe and report on failures of air safety, and the FAA's job is to apply those lessons to future air regulation. Of course there are many examples of this not working perfectly, but it's a more concrete feedback loop than most governmental action has.

More observation of the analysis of the impact of laws after they are passed, and follow-up iterations where we compare the expected and actual results and make updates, would probably result in a lot less gnashing of teeth over "bad government regulation" but I'm not sure how we get there politically.

pornel
0 replies
4h58m

There has been a browser setting for tracking cookies since 2002! https://www.w3.org/P3P/

It was even implemented in Internet Explorer when it had 90%+ market share.

And then Google intentionally sent a malformed P3P header to bypass user preferences in IE.

When Safari added a heuristic rejecting Google's 3rd party cookies, Google found a technical workaround to bypass it (and has been fined for doing this).

When IE and P3P were totally dead, browsers tried to give adtech the simplest-to-implement bare minimum setting - the DNT header. Adtech has completely ignored it.

There are trillion-dollar businesses relying on tracking, and they will do whatever they can to undermine any technology and lobby against any law that would harm their business.

littlestymaar
0 replies
6h6m

That's what you get when you try to protect consumers but “don't want to harm business” that is hurting consumers.

Sometimes life really is in fact a zero sum game and you need to punish the offenders in order to protect the victims.

PinguTS
0 replies
6h1m

The law does not require a specific implementation. Law is never written to require a specific implementation and should not be written in this way.

Instead, law is written in a technology neutral way. It is so neutral that it isn't even called the "cookie law". It is called the ePrivacy directive. It mentions "cookie" only 5 times, as an example.

Reference: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A...

K0nserv
0 replies
6h2m

I wrote something elsewhere in the thread about this[0]. I don't think laws mandating specifics of implementations at the level of browser settings are a good idea. To your point about government employees not being competent, I don't trust them to get that right. Companies could work with browser makers to fix this but, as the OP points out, they don't want to.

In my opinion the EU's big failure with GDPR has been slow and ineffective enforcement against blatantly illegal implementations.

0: https://news.ycombinator.com/item?id=39742989

ianlevesque
38 replies
6h45m

The funny thing about legislation is that you're responsible for the unintended consequences of your laws too.

nicce
14 replies
6h41m

In this case, it is just showing that most companies are collecting more data than they need.

You don’t need a banner for the data that is necessary for the service to work at a minimum level. There is no role for consent since the site won’t work otherwise.

poszlem
7 replies
6h34m

It also shows that most people don't care and just want to get on with their day. We know that companies are collecting more data. Now what?

leononame
6 replies
6h32m

How does it show that? Most people I know are annoyed by this and click on "reject" (if they can find it), but for a lot of non-technical people these banners are just a given because they don't even understand the problem. Doesn't mean they don't care.

poszlem
2 replies
6h27m

How many "normies" do you know that stopped visiting websites that track them? I don't know anybody who isn't in my tech bubble who cares, and very few normies who would rather pay money than give access to their data.

leononame
0 replies
6h19m

None. That doesn't mean they don't care. As I said, most people I know are annoyed by this but take these banners and tracking as a given because they don't understand enough about technology and see them everywhere. And let's be honest here, if you were to stop visiting sites that track you, you could just stop using more or less the whole internet. It's not about stopping to use these sites, it's about stopping those sites from tracking you, which almost everyone I talk to is ok with. The only people I see that defend the amount of tracking happening on the web are commenters online (here, on reddit, etc.). That leads me to believe it's mostly corporate accounts.

To the point: Not using a site is not the point of it. Insert "yet you participate in society" meme

boo-ga-ga
0 replies
5h51m

Apple's "do not track" alert resulted in many people saying they don't want it. And of course, it had an impact on Meta's business. So if websites presented cookie banners in a neutral way without dark patterns to make Reject difficult, "normies" would reject these, I'm sure.

joenot443
1 replies
5h42m

The close to a million users now on https://www.stilldontcareaboutcookies.com/ suggests that there's a pretty sizable amount of people that care less about the philosophy of European data laws and more about just getting on with their day.

ziddoap
0 replies
5h11m

pretty sizable amount of people that care less about the philosophy

How does it show that?

It shows that they prefer to get on with their day over clicking cookie banners. It says nothing about whether they agree with the philosophy of the GDPR.

oneeyedpigeon
0 replies
6h30m

if they can find it

If it even exists!

iEchoic
2 replies
6h24m

You don’t need a banner for the data that is necessary for the service to work at minimum level.

We were advised by our lawyers (a top SV tech law firm) that we should include a cookie banner in the EU even if we're only using cookies for functions like login. After eventually switching legal counsel (for unrelated reasons), we were told the same thing by our new counsel.

Either EU law covers cookie banners that use cookies for routine functionality, or it's so (deliberately) vague that even top tech law firms would rather everyone add a cookie banner than risk running afoul of the law. Either case validates PG's argument here.

yau8edq12i
0 replies
2h33m

If the lawyers don't recommend you add the banner, and you somehow run into trouble because of it, the lawyers will be blamed. However, if they do recommend that you add a banner and you follow their advice, then they can get some more billable hours by recommending some verbiage for the banner, checking your website to make sure the banner is displayed in a compliant way, etc. And even if you don't follow their advice - people rarely fire their lawyer for recommending caution.

So, how did you ever expect the lawyers not to recommend adding the banner? That's like going to a plumber and ask them if you should DIY or not some installation. Of course they're going to recommend you get a professional...

nicce
0 replies
6h5m

It is indeed quite complex. I would argue that just the login does not need one.

1. There are users who will come to your website with specific purpose or expectation of your service.

2. Then there are users who came to website by accident and might just try out things without understanding what is happening.

The banner recommendation from the lawyers is likely for the 2nd case. The users haven't subscribed to the service with a certain expectation or knowledge of what is expected from them for the service to provide what they want. Or they have zero expectations about the service providing something for their needs.

For example, in the login case, group 1. probably wants to stay logged in if they came to the service with the expectation of a personal service, which cannot be linked to the person without an account.

Or the lawyers just did not understand your service well enough and just said to put up the banner and be done with it. For group 2. it is unlikely that someone did not expect or want to stay logged in all the time, but that is a minority and an arguable case whether it is fair to assume that.

Joeri
2 replies
6h25m

This is something a lot of people seem to misunderstand about GDPR. At its core it says you should only process people’s personal data within a lawful basis. There are 6, and consent is only one.

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

yxhuvud
0 replies
5h19m

This is true, but the comment you replied to was about the cookie law, not about GDPR. They are separate issues, even if they are obviously related. The cookie law is about not using other people's storage for usage that is not needed; GDPR is about personal information. You can use cookies for saving information that is not personal but that still would need banners.

username332211
0 replies
4h56m

The thing is, if you have any of (b)-(f), why shouldn't you also get (a)?

The maximum fine is 20 million euros or 4% of revenue, whichever is higher. Sure, it probably won't be imposed on a first time violation, but why take the chance?

Could you imagine any lawyer advising a company against requiring consent, even if they have some cover because of a legal obligation? Isn't it much safer to deny service to those that refuse to consent?

Sure, it'll annoy the customer, but right now the customer is used to minor annoyances.

isodev
8 replies
6h41m

You mean the EU should have foreseen that people in tech have no conscience and sensitivity for right or wrong?

SuperNinKenDo
5 replies
6h38m

To be fair, completely foreseeable.

isodev
2 replies
6h31m

As a reminder, it's the same people in tech we're trusting to build things like chat bots, "AI", cars that try to drive themselves and rockets that try to land themselves... etc.

You have to admit that if these same people can't be trusted to follow a simple "do not track" directive, humanity is in big trouble.

crabmusket
0 replies
6h23m

I mean, humanity is and always has been in big trouble. That's why history is full of disasters, mass death etc.

But I don't think it's that developers "can't" follow a DNT cookie. It's that they won't because it doesn't benefit their employer's financial interests.

Making a rocket that lands, on the other hand, does directly correspond to SpaceX's financial interests.

SuperNinKenDo
0 replies
6h27m

Sadly, we are. I didn't ever think of myself as an optimist until I realised just how pessimistic it is possible to become, as I've learned in the last 5 or so years. Now I realise I was quite an optimistic person, at least by comparison with my present self.

moomin
1 replies
6h34m

Yeah, I’m not sure legislators should be on the hook for malicious compliance, though.

SuperNinKenDo
0 replies
6h31m

Of course not, I was just having a laff at tech's expense.

loftsy
1 replies
6h22m

It's not enough to write a law on principles alone. It must be clear and practical to comply with, and clear how it will be enforced. The EU should not have created a situation where the most practical solution for thousands of companies is a cookie banner.

lesuorac
0 replies
4h29m

Eh, I think people have the wrong take-away from all of this.

Imagine if the banner said "This website is known to the state of California to cause cancer". Would you keep visiting the site?

Like if every time you went to the bar, the bouncer asked "Hey, can I punch you in the face?". Would you keep going to that bar?

As annoying as the banners are, they actually aren't annoying enough to change mass-behavior.

Avamander
3 replies
6h44m

It's impossible to foresee everything, including the amount of malicious compliance.

In the end we are better off with this legislation and its future iterations and additions than we are without it. The extent to which people's data is misused is simply ridiculous.

piker
1 replies
6h42m

So perhaps that suggests caution be taken in meddling…

paulryanrogers
0 replies
6h38m

Meddling in what way?

'Meddling' causing citizens to lose visibility and corporations to gain more power over data?

mgoetzke
0 replies
6h42m

Though this was 100% predictable

gostsamo
2 replies
6h41m

No, people cannot escape responsibility by saying "the law made me be belligerent toward my users". It is an intentional choice to use cookies and to make it unpleasant for people.

paulryanrogers
0 replies
6h35m

And the use of cookies itself doesn't demand these banners, nor that they be so obstructive. Just don't collect unnecessary cookies or PII, or put in a prominent banner that doesn't overlap the site purpose.

Diggsey
0 replies
6h20m

No, people cannot escape responsibility by saying "the law made me be belligerent toward my users".

Correction: people should not be able to escape responsibility by saying this.

The problem is that right now people do escape responsibility for saying this because the EU is not properly enforcing these new laws.

Introducing a law and then not enforcing it has consequences, and those consequences should have been foreseen. Either the law is unenforceable due to practical constraints, in which case it's a bad law, or the EU is failing to enforce it due to inability.

Hopefully the EU starts putting more focus on enforcing its existing laws rather than creating new ones.

leononame
1 replies
6h33m

Yes and no? To some extent, sure. As an example: if companies or people went out of their way to comply with a law in a way that is clearly not in the spirit of the law, just the letter of it, are you really responsible for that? Or are they, because they're doing everything to not comply?

Let's say you make a law to reduce working hours from 40 to 37 hours except in "emergency situations". Now a company will force employees to sign off on "emergency situations" every week or they'll be fired. They're clearly not complying with the spirit of the law. Is it really your fault when you make a law like that? I'd say only to some degree; the people trying to abuse every loophole are much more responsible in this case.

Companies using dark patterns, hiding the "reject all" option behind an additional click (which is even illegal) and trying to collect all data possible are much more responsible than the EU's law. Oftentimes they are collecting data just because, not even thinking about it, because they'll add GA to their WordPress site without even looking at it or whatever. That cookie banners have become the standard around the web is sad because it just shows how much everyone is trying to track you.

paulryanrogers
0 replies
6h2m

Bonus points if you can convince folks to call it the annoying Sign Off law.

sham1
0 replies
6h8m

The thing is, the consequences seem to be very much intended. The consequences of forcing companies to be transparent about tracking, and hopefully letting the users start voting with their wallets as they get annoyed by the omnipresent "We Value Your Privacy"-popups (which is very ironic considering all the dark patterns et al that are used to have users get tracked).

If nothing else, at least now people know just how much they've been tracked. One can only hope that this increased consciousness would help people to choose services that don't track people. For example Hacker News doesn't need tracking cookies nor a cookie popup, and it seems to be doing just fine, even in terms of the law ;)

pron
0 replies
6h23m

I would put it another way. Any legislation against doing something is almost always motivated by someone's desire to do that very thing. Legislation is usually a battle of interests where the legislator, ideally, wants to protect the overall interests of the public when they conflict with narrower private interests. When the narrower interests belong to powerful groups, you often expect to see some struggle, and if the private interests have a way of making the regulation seem more intrusive and annoying than the harm it's intended to cause, they would take advantage of that to sway the public in their favour.

So legislators do expect such a struggle, and the shape it takes may be partly their fault, but it's clearly not all their fault. The more power the private interests have, the more likely they are to find some way to fight the regulation. They will certainly do everything they can to convince the public that the legislators are bad at regulation.

In this particular case, however, websites showing banners are also harming themselves as their competitors now have an interest in not showing banners and offering a better experience -- i.e. the regulation makes it worthwhile not to display banners in competitive situations. So we'll see how this all turns out.

crabmusket
0 replies
6h30m

I guess PG's original tweet assumes that cookie banners are a) bad, b) the fault of the EU, and c) unanticipated and unintended by the EU, thereby demonstrating their incompetence.

I can't really comment on what the lawmakers foresaw or intended, but I'd argue that cookie banners are actually a) good, and b) the fault of companies who can't imagine a better way to treat their users.

The reason I think they're good is that they cause a psychological nuisance to users of software which doesn't go out of its way to do them well or avoid their necessity. Over time I hope this will tend to cause an association in users' minds that sites with cookie banners are somehow seedy or unscrupulous, like pop-up ads.

casperb
0 replies
6h31m

I would expect that most companies would be ashamed to publicly state that they sell your data to hundreds(!) of data providers and they would fix this before they had to disclose it. But nope, apparently the money is too good. And blaming the government is more convenient.

bryanrasmussen
0 replies
6h39m

On the one hand when murders go up because you make using a gun in a crime an automatic 5 year prison term you should have foreseen that possible situation, on the other hand the real bad guy is the one shooting the witnesses.

tlb
29 replies
6h38m

Part of what it means to be "good at regulation" is to anticipate the likely consequences of regulations. So a regulation that says that "businesses must now give away their products for free, unless they honk each customer's nose" will result in a lot of sore noses.

Which is basically the case here. Almost all websites make money through ads, or at least keep logs of user activity to help them optimize their website, and that's not going to change, so the EU's boneheaded regulations make the customers suffer a little extra.

IanCal
11 replies
6h26m

Almost all websites make money through ads,

Doesn't require tracking of individuals.

or at least keep logs of user activity to help them optimize their website

Doesn't require tracking of individuals.

throw10920
6 replies
5h57m

Correct me if I'm wrong, but aren't IP addresses considered to be "personal information" and therefore collecting them is "tracking" under the GDPR?

thomastjeffery
2 replies
5h22m

What else would you need my IP address for?

throw10920
1 replies
5h16m

Uh...DDoS and spam protection?

yau8edq12i
0 replies
2h45m

Then store it for that purpose, don't use it for anything else, and delete it when it's not useful anymore (realistically, for these purposes, after a few minutes to an hour?).

oneeyedpigeon
1 replies
5h43m

My guess is that they are because ISPs may keep records of them—I think they are required to in some jurisdictions. But you don't have to store IPs in your server logs.

IanCal
0 replies
5h31m

You're also allowed to store IP addresses in your logs, you just have to take care with the data and the reason you're storing them needs to be justified - either because you have a legitimate interest in doing so (e.g. security) or because you have my explicit consent.

If I order something from an online shop, they don't need to have a banner in order to take my name and address to post the item to me - that's fully expected and reasonable. They do need my consent if they want to use that to post adverts to me though.

IanCal
0 replies
5h34m

Yes but it depends what you're doing with them as to whether you need consent. If you're keeping a record of my IP address and what I do on your site to sell me stuff then yes you're tracking me and need my consent for that. If you've got my IP address in your logs because you keep security logs for reasonable timeframes then you don't need my consent - though you do need to handle them appropriately because it's my personal data.
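As an added illustration of the point made in this sub-thread (keep the raw IP only for the abuse-protection purpose and only for a short window; anything logged for longer is coarsened), here is example code that is not from any commenter. The retention window, the request limit and the /24 and /64 truncation are my assumptions; the log lines are constructed samples.

```python
"""Data-minimising handling of client IP addresses (added example, not from the thread).

Two pieces:
  * AbuseGuard keeps raw IPs in memory only as long as rate limiting needs them
    (retention_s), then forgets them.
  * minimise_log_line() coarsens the IP before a line reaches long-term logs, so
    the persisted record no longer identifies a single host.
Assumed policy choices: IPv4 kept to /24, IPv6 kept to /64.
"""
import ipaddress
import re
import time
from collections import deque

# Constructed sample access-log lines in the common "combined" layout.
SAMPLE_LOG_LINES = [
    '203.0.113.42 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:85a3::8a2e:370:7334 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 1024',
    'not-an-ip - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 400 0',
]

_LEADING_TOKEN = re.compile(r"^(\S+)")


def truncate_ip(ip_text):
    """Return the network prefix (IPv4 /24, IPv6 /64) for a single address."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 64
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def minimise_log_line(line):
    """Replace the leading client IP of a log line with its coarse prefix.

    Lines whose first token is not an IP address are returned unchanged.
    """
    match = _LEADING_TOKEN.match(line)
    if not match:
        return line
    try:
        coarse = truncate_ip(match.group(1))
    except ValueError:
        return line
    return coarse + line[match.end():]


def minimise_log_lines(lines):
    return [minimise_log_line(line) for line in lines]


class AbuseGuard:
    """Per-IP request counter whose raw IPs live only for `retention_s` seconds.

    limit:       requests allowed per `window_s`.
    retention_s: how long any timestamp (and therefore the raw IP) is kept;
                 must be >= window_s. Assumed values are the caller's policy.
    clock:       injectable time source (seconds), for deterministic testing.
    """

    def __init__(self, limit, window_s, retention_s, clock=time.monotonic):
        if retention_s < window_s:
            raise ValueError("retention_s must be at least window_s")
        self.limit = limit
        self.window_s = window_s
        self.retention_s = retention_s
        self.clock = clock
        self._hits = {}  # raw ip -> deque of request timestamps

    def _purge(self, now):
        """Drop timestamps past retention; forget IPs that have none left."""
        cutoff = now - self.retention_s
        for ip in list(self._hits):
            times = self._hits[ip]
            while times and times[0] < cutoff:
                times.popleft()
            if not times:
                del self._hits[ip]

    def allow(self, ip):
        """Record one request from `ip`; False when it exceeds limit per window."""
        now = self.clock()
        self._purge(now)
        times = self._hits.setdefault(ip, deque())
        times.append(now)
        window_start = now - self.window_s
        recent = sum(1 for t in times if t >= window_start)
        return recent <= self.limit

    def retained_ips(self):
        """Raw IPs currently held in memory (after purging expired entries)."""
        self._purge(self.clock())
        return set(self._hits)


if __name__ == "__main__":
    for line in minimise_log_lines(SAMPLE_LOG_LINES):
        print(line)
```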

rchaud
3 replies
4h39m

Doesn't require tracking of individuals.

Only if you maintain your own ad inventory, instead of using Google/Facebook ads like 90% of online advertisers do. And neither of those platforms work without installing their scripts on your site.

thejohnconway
1 replies
2h44m

And they did it that way because they could. It could be done a different way.

rchaud
0 replies
1h31m

It would be like opening an independent video store when the entire market has moved to streaming. Yeah you could try it, but there are good reasons not to.

IanCal
0 replies
1h33m

Sure, lots of people want to sell my data. That's a choice. You don't need to do that for advertising - it's a pretty recent invention having fully personalised adverts.

rkangel
6 replies
6h26m

Your point is well made, and this is an unfortunate consequence of the regulation (and I enjoyed the analogy). But it isn't necessary to have cookie banners on every website. GitHub is a moderately complex, user-optimised website, right? https://github.blog/2020-12-17-no-cookie-for-you/

hgomersall
5 replies
6h20m

I clicked on that link and immediately got a cookie banner. Am I missing something?

rkangel
2 replies
6h17m

Interesting. Clearly I am providing out of date information.

cseleborg
1 replies
5h58m

More interestingly, that article says:

We are also committing that going forward, we will only use cookies that are required for us to serve GitHub.com.

A few pixels further down, on the cookie banner:

We use optional cookies to improve your experience on our websites and to display personalized advertising based on your online activity.

I guess now we finally have a rule-of-thumb figure for what "going forward" means: 3-4 years, tops.

hgomersall
0 replies
4h12m

OTOH, github.blog is not github.com.

denton-scratch
1 replies
5h12m

I don't know; I clicked on the link and saw no cookie banner.

siva7
0 replies
2h22m

It's probably only displayed to EU users. I saw the cookie banner and it left a bad impression on me with such a blog article.

isodev
3 replies
6h33m

Almost all websites make money through ads

The EU regulation does not prevent ads from being shown, it specifically targets tracking. No tracking > no banner > everyone is happier > go ahead and show all the ads that are required.

Xelbair
2 replies
6h19m

And all that tracking comes down to the inability to take risk on the business side. The ad company wants to be 100% sure that ads are shown to humans, and to pay only for those shown to humans (going deeper - to specific cohorts of humans, which in the past was approximated by the content of the site showing ads). Whereas sites serving ads want to extract as much money as possible from advertisers based on their audience count.

The incentives are on both sides to one-up each other without tracking - hosts by inflating visitor numbers, advertisers by disputing that.

In a perfect world ad companies (wouldn't exist, I know, but bear with me) would pay X/month for a site with Y visitors, where X depends on Y. No need for tracking, and roughly over multiple sites and multiple months it averages out.

Not enough conversion rates (risk for the ad company - they could pay less)? Offer a lower rate per visitor next period. Site gets a spike in visitors (risk for the host - they could charge more)? Report a higher estimated Y for the next period.

What we got instead is an insane tracking infrastructure that costs way more than any possible profit gained for both sides. It's not even profit - it's avoiding being 'scammed', avoiding risk.

Remember that all that tracking bullshit started before targeted advertising was mainstream and widespread. It all started with bots and inflated click numbers, and inability to accept risk.

Tl;dr banning targeted advertising won't remove all tracking bullshit

thomastjeffery
0 replies
5h20m

Without regulation, how do you expect this market to change?

joenot443
0 replies
5h44m

Well said. It's frustrating seeing people earnestly pretending as if the 'solution' we're living with now is any kind of improvement.

xxs
2 replies
6h36m

I guess the confusion is about advertising and tracking - the banners are about tracking not advertising.

paulgb
1 replies
6h16m

Advertising can be more targeted (and thus higher paying) when paired with tracking.

itishappy
0 replies
3h47m

So can car insurance, but I'd rather my agent not install a GPS without my knowledge or consent on my vehicle.

oneeyedpigeon
0 replies
6h30m

A site can keep logs of user activity to help optimize without tracking my personal data. As soon as a company needs to track me, it's doing more than "optimizing its website"—it's using my data to sell me stuff or selling my data to third parties. And I'm glad it needs permission to do those things.

madsbuch
0 replies
6h3m

Those pesky regulations. Back in the good ol' days I could pillage for a living, but then that damn government came and took away my livelihood!

How dare they!

</sarcasm>

Just because you made money off it, it doesn't mean it is right.

happymellon
0 replies
6h30m

Showing adverts is not what requires them to ask permission.

piker
25 replies
6h43m

Dumb take. “Just run your business with 10% of the revenue? What’s the problem?”

Edit: to those downvoting, yea, it’s agreed that tracking is bad but the tone of the article completely ignores that a lot of the web’s content depends on this model so if it “just didn’t track” a large swath would no longer exist.

dTal
11 replies
6h42m

If your business is "doing sketchy shit with people's data", and the regulatory hammer just came down on you... well, yeah.

zpeti
10 replies
6h39m

Come on, this is such a ridiculous take. Adding google adsense to a website needs a cookie bar.

That’s not "doing sketchy shit with people's data".

I can’t believe how many people have bought into this EU regulation hook, line and sinker. It’s ridiculous; imagine the man hours that have been wasted in the last 7 years just clicking cookie bars. And as OP says, it’s completely unrealistic to not have them.

chgs
3 replies
6h37m

Google AdSense is doing sketchy shit with people's data.

PaulHoule
1 replies
6h28m

Advertising is “ground zero” for the cookie explosion because nobody trusts anybody in the advertising biz.

For instance the website selling ads has every reason to inflate view and click count numbers, the ad buyer has reasons to diminish those numbers. In fact if you measure an honest pipeline it is going to look that way because some people drop out at each stage.

One reason you have 87 trackers on a typical web site is that many sites and advertisers figure if they have a large number of trackers they can’t all be wrong.

Site X could show ads to users just fine without third-party cookies but then advertisers would not be so sure about the stats.

oneeyedpigeon
0 replies
6h14m

Sure, but is that situation worse than other traditional forms of advertising? Are we just saying that the advertising industry is so greedy that they want so much more of the pie than they used to have, that we should enable them?

Site X could show ads to users just fine without third-party cookies but then advertisers would not be so sure about the stats.

Feels like 99% of people would prefer this. Maybe advertising becomes less effective, but it may actually become more effective if it leads to more ads being visible since they are no longer ad-blocked.

dTal
0 replies
6h34m

Indeed. Just because it is widespread doesn't make it okay. We should not allow greedy companies to set the Overton Window of acceptability.

zelphirkalt
0 replies
6h32m

Using anything Google on your website without asking for consent before loading it from Google is, in my definition, quite sketchy. It may be either uninformed, no conscience, or not properly thinking about the ethics of one's choices, or whatever, but it is definitely not right and not ethical to do so. I am quite happy with regulations coming down on people, and especially businesses, who continue to do this.

wildrhythms
0 replies
6h37m

I don't see people advocating for cookie banners; I see them advocating for stopping the tracking.

master-lincoln
0 replies
6h15m

Of course this is "doing sketchy shit with people's data".

Selling my personal info to external companies so that they can manipulate me easier is sketchy in my eyes if I don't consent

ludocode
0 replies
5h54m

That’s not "doing sketchy shit with people's data"

Of course it is. If you add AdSense to your website you are letting Google track your users in exchange for a cut of the profits. Of course you should have to warn your users that they are being tracked at the very least.

fullspectrumdev
0 replies
6h32m

That is absolutely “doing sketchy shit with people’s data”.

So you need to tell people you are doing that, so they can consent.

SuperNinKenDo
0 replies
6h35m

Using Google AdSense absolutely meets the bar for doing sketchy shit with people's data.

thunfischtoast
4 replies
6h41m

If a business cannot survive without it essentially stealing my property (read: my data), it should not survive.

master-lincoln
1 replies
6h16m

This is copying, not stealing though.

But I agree, taking advantage of me telling you personal info by selling it to externals is unfair without consent

xxs
0 replies
4h24m

Steal has a bit broader meaning, e.g. 'to steal a kiss', taking without permission.

ericb
1 replies
6h24m

I'm sorry, what data is stolen? If I remember your name after we meet, have I stolen your data?

xxs
0 replies
4h26m

If it's about remembering a name, it was given by choice, so that's ok.

bheadmaster
2 replies
6h40m

The point of the legislations is to protect the citizens, not corporate income.

wildrhythms
1 replies
6h38m

Sorry but have you been living under a rock for the past 100 years of neoliberal governing?

bheadmaster
0 replies
6h34m

Please do not bring American two-party politics into this, especially in a way that has nothing to do with my comment and provides no insight or opinion beyond "liberals bad".

vallassy
0 replies
6h36m

if it “just didn’t track” a large swath would no longer exist.

You say this like it's a bad thing...

elfrinjo
0 replies
5h57m

In this logic it is totally unfair that I am not allowed to sell drugs while I could make a lot of revenue from it.

arnath
0 replies
6h41m

Why does your business deserve to exist if you can't do so without stealing from your customers?

FranzFerdiNaN
0 replies
6h42m

If your business can't survive without selling visitors' data to Facebook it shouldn't exist.

38
0 replies
6h41m

totally agree. who cares that we are selling our users data to the highest bidder, gotta get that money right?

poszlem
22 replies
6h37m

Putting up a wall in the middle of a busy street and then getting upset when people find ways around it doesn't make sense. The solution is either to remove the wall or ensure it cannot be bypassed.

Right now, it's just irritating for the average person and slightly inconveniencing those who actually break the rules.

This is the same situation with the cookie banner regulations. If the goal is to eliminate tracking, then making tracking illegal is the straightforward path (or make "do not track" actually mean something legally). Otherwise, ignoring it might be better. Implementing a policy that only frustrates the general public without effectively addressing the problem is not the right approach.

This is what the OP cannot understand.

EDIT: To the downvoters - I don't think you understand what the purpose of the downvote is on this site.

squigz
18 replies
6h31m

Since this is around the 5th time this sentiment has been expressed in this thread, I have to ask... are cookie banners really so frustrating? Oh no, gotta click one, maybe 2, more buttons...

iainmerrick
7 replies
6h22m

If you want to click “no” it’s often dozens of clicks (e.g. to explicitly disable each “trusted partner” with “legitimate interest”) alongside constant attempts to trick you into clicking “yes” accidentally.

elygre
3 replies
6h19m

This is actually in violation of the rules. Withholding consent is supposed to be as easy as giving consent.

iainmerrick
2 replies
6h13m

Yes, I know. It’s infuriating but understandable that the regulations aren’t enforced properly.

master-lincoln
1 replies
5h26m

Why is it understandable that the regulations aren’t enforced properly?

iainmerrick
0 replies
4h30m

It would be time-consuming and expensive to take some of these companies to court, and likely difficult to win as they'd nitpick over fine details and pass the buck over who's responsible.

squigz
2 replies
6h21m

On most websites I use, it's 1 click. On the rest, it's 2. I've never once encountered a website that required "dozens" of clicks.

iainmerrick
0 replies
6h9m

The typical pattern I see is:

- bright red or green “OK” button that opts in to all tracking

- muted “save settings” button

But aha, gotcha, the default settings still have a bunch of tracking enabled, so you have to uncheck all of those, then remember to press “save” and not “OK”.

In the worst ones there’s an artificial delay when you uncheck one of the third-party boxes, as if it has to file a form in triplicate for the unusual request of not immediately sending all your account info there.

OJFord
0 replies
6h12m

It definitely happens where they don't give you a 'reject all' option, so you have to go 'select options' or similar and untick each one, or at least each category, and then 'confirm choices'.

As an aside, it's supposed to be as easy to decline as to accept; so if you give a 1 click 'accept all' then more than that (whether two or dozens) is unacceptable.

ulucs
3 replies
5h57m

Fun fact, they are illegal if they require more clicks to reject than accept; so this is not a consequence of the law anyway.

master-lincoln
2 replies
5h27m

I wouldn't call it fun that so many big providers just ignore the law and are apparently getting through without consequences.

ulucs
0 replies
5h23m

Gears of EU grind slowly but finely. IAB just received a fine for promoting horrible banner practices. And it's not like we'd be better off if the gears didn't grind at all. Now just even uBlock will save you a lot of hassle and server-side tracking purely by the virtue of blocking the consent banners (so they can't be approved)

squigz
0 replies
5h13m

I believe they were probably being facetious

oneeyedpigeon
3 replies
6h24m

are cookie banners really so frustrating

They would be a LOT less frustrating if:

a) they were standardized — they currently add a hefty cognitive load while parsing them, deciding which action to take, etc.

b) they worked properly — I would say, more often than not, they 'forget' the previous setting. I should never see a cookie popup on the same site twice unless I clear my browser settings.

squigz
2 replies
6h21m

Standardization would certainly be nice, since we could automate it then (I imagine doing so now would require specific cases for most sites)

pgeorgi
1 replies
6h9m

Most consent banners are produced by a relatively small set of providers. As such, https://consentomatic.au.dk/ does a decent job of submitting your preferences and pushing them out of sight.

squigz
0 replies
6h6m

Thanks!

poszlem
1 replies
6h30m

2 more buttons x the number of websites you visit a day x the number of times the website forgets your choice? Yes, they are quite annoying.

squigz
0 replies
6h20m

My bar for annoyance must just be very high.

master-lincoln
2 replies
6h19m

I think the goal was to give citizens the possibility to make informed decisions about where their personal data is being used.

If you don't care about tracking, ok. But some do. The EU tried to cater to both audiences which I think is fair. Turns out most people that did not care about tracking would also not consent when they are asked about it specifically and there are no immediately perceived downsides visible.

arrowsmith
1 replies
5h59m

informed decisions

And therein lies the false premise that makes the whole thing absurd.

Most people have no idea what "cookies" are, don't understand what difference it makes when you reject them, and are never going to learn - and we shouldn't expect them to! Leave the technical stuff for the programmers.

The cookie law only makes sense if you think that there's any significant overlap between "people who understand what cookies are" and "people who need help with internet privacy", for which I refer you to the Venn diagram in this comic: https://churchm.ag/eu-cookie-law-history/

master-lincoln
0 replies
5h32m

There is no cookie law. There is a law that makes companies ask for consent when they share personal data or store identifiers that make this possible.

If companies wouldn't try to frame the whole thing in technicalities, it could be a simple popup listing the features on the website that need sharing personal info and users could turn that off.

arbuge
20 replies
6h24m

"Companies could easily avoid any cookie banner. Just don’t track."

It seems like a point dear to the author's heart, given the way he highlights this and puts it in bold at the top of the article.

But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

crabmusket
13 replies
6h22m

Shopping carts and notification preferences don't require a consent banner.

iEchoic
11 replies
6h16m

Our lawyers told us otherwise.

Regardless of the answer here, the fact that there's still a debate about what basic functionality requires a cookie banner is really a testament to how bad this legislation is. How long has this been around, 20 years? And there's still widespread debate and lack of understanding as to what specific functionality requires a cookie banner?

smallerfish
2 replies
6h3m

How long has this been around, 20 years?

No. It took effect in 2018.

cccbbbaaa
1 replies
5h50m

Cookie banners are a response to the ePrivacy directive from 2002.

espadrine
1 replies
5h27m

Here is an authoritative source[0]:

consent is not required [for] cookies that are strictly necessary to provide an online service that the person explicitly requested. e.g. […] when your customers use a shopping basket

So shopping carts (user clicked to add to cart) and notification preferences (user clicked to indicate preference) don’t require consent. Same for authentication cookies.

The page is quite clear; the confusion likely arises from how companies implement it.

[0]: https://europa.eu/youreurope/business/dealing-with-customers...

aednichols
0 replies
2h42m

I am amused that your official EU link, which contains only static documentation, asks me to choose between “all cookies” and “essential cookies”.

tremon
0 replies
4h39m

Yes, and if you ask the CFO about the best way to increase profits, the answer is always to fire all your staff. That doesn't mean that that answer is the most optimal solution.

rchaud
0 replies
4h33m

Maybe your shopping cart is served through a third party domain, like a Shopify iframe or something?

crabmusket
0 replies
6h2m

Fair, I can't argue with that. It's definitely a shame.

cccbbbaaa
0 replies
5h31m

You can find a lot of guidelines around GDPR or ePrivacy made by the EDPB or a DPA. For instance:

https://ec.europa.eu/justice/article-29/documentation/opinio...

This says that cookies for a shopping cart or user preferences are exempted from consent. The ICO and the CNIL say the same, as expected.

bspammer
0 replies
5h47m

Our lawyers told us otherwise.

Probably because they're not particularly technical people, and also because of the asymmetric incentives for them personally.

Tell someone to put a cookie banner up when they didn't need to: no consequences.

Tell someone not to put up a cookie banner up when they did need to: potentially big consequences for them and their career.

GuB-42
0 replies
5h25m

Your lawyers are playing it safe. Their job is to make sure your company is not getting into lawsuits, and having a cookie banner that is not needed won't get you into a lawsuit, so that's what they suggest. They don't care about annoying your users.

If you really care about not annoying your users and don't intend to track them more than what's absolutely required for the service to work, then talk with your lawyers more. Of course, it is not free as it requires extra work, and it may carry some risk (which your lawyers should minimize) but it may be worth it, many people press the "back" button as soon as they see a cookie banner and try their luck elsewhere.

tzs
0 replies
1h56m

It is not that simple. In "Opinion 04/2012 on Cookie Consent Exemption" [1] the EU Parliament's Working Party On The Protection Of Individuals With Regard To The Processing Of Personal Data said:

A cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average user or subscriber. This suggests that cookies that match CRITERION A and B will likely be cookies that are set to expire when the browser session ends or even earlier. However, this is not always the case. For example, in the shopping basket scenario presented in the following section, a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant’s website in the following minutes. In other cases, the user may explicitly ask the service to remember some information from one session to another, which requires the use of persistent cookies to fulfil that purpose.

(Criterion A is cookies that are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” and criterion B is cookies that are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”).

If your shopping cart cookie has a lifetime longer than the "reasonable expectations of the average user or subscriber" you may need to obtain consent. That's a sufficiently vague criterion that it may not be clear if your particular shopping cart cookie requires consent or not.

[1] https://ec.europa.eu/justice/article-29/documentation/opinio...

vman81
0 replies
6h1m

It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

Not really - basic functionality like you describe does not require consent, AND any cookie specifying non-consent is in itself anonymous.

smhg
0 replies
6h14m

If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

If it is crucial to provide the service or the service is explicitly requested by the user (I'd argue a shopping cart is), I think you don't need consent (see Article 5 of Directive 2002/58/EC).

skrebbel
0 replies
6h2m

The law takes these things into account just fine. It's not a cookie law, it's a tracking law, and the "tracking" isn't about the technical meaning of "to track" but about the way the data is used (and could be used).

It's not "you're not allowed to store anything about the visitor without their consent", it's "you're not allowed to track them across your site, or share that data with others, except if it's directly necessary to provide the service". That last part refers to session tokens, shopping carts, and yes, also to remembering the "no tracking" choice. If you ask a site to remember something (such as "no tracking plz" or "I want to buy this product" or "keep me logged in plz") then that's explicitly asking it to do something that in technical terms is tracking, but not in operational terms.

It's like, the EU makes a new law that makes it illegal to break into people's houses, and all the pedantic HN'ers start saying "but this is stupid! what if you lose your key? you need to be able to hire a locksmith to let you back in!". That's obviously not how the "no break-ins" laws work, and it's also not how the GDPR works wrt tracking.

If you break the GDPR, there's a fair set of warnings before you can actually get the kinds of humongous fines that the law is infamous for. This means to me, as an entrepreneur, that if I follow the intent of the law as best I can, then worst case scenario if we still get it wrong, then there's a big enough chance we're in the clear. And then if somehow we do get a warning from the local privacy authority, we learn and adjust. This is fine.

We don't need to be maximally pedantically safe. We just gotta not track people and then we don't need a cookie banner. It's great.

rchaud
0 replies
4h34m

If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

These are first-party cookies as they're served by the host domain, so they wouldn't need an opt-in under GDPR. Site owners should try to limit that to core functionality, like updating shopping cart state as you navigate from page to page.

It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

That's not how it works. The cookie banner opt-in asks if you want to accept cookies aka tracking. If you say no, no cookies are downloaded, so the site has no idea that you have visited it. So the next time you arrive on the site, it will provide the popup again, as though it's your first time visiting.

plextoria
0 replies
6h20m

But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

A tracking warning at login/sign-up would be enough. No need to ask for cookie consent at every visit. It would just be part of the typical T&C.

It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

Easily solved with a cookie that says "don't track". If cookie is set, don't track anything.

piva00
0 replies
6h17m

Shopping carts, session cookies, or any other kind of functional cookies (including the one for "do not track" saving) do not require consent, and so don't require the banner. Github for example doesn't have it.

Please, read the basics about the law before disparaging criticisms, I constantly have to educate users on HN about this misrepresentation of GDPR and Cookie Law.
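The "remember the no-tracking choice" cookie that vman81, plextoria and piva00 describe, as an added JavaScript example that is not code from the thread or from any project: the cookie value carries only the choice (plus a version of the purposes asked about, so the question is re-asked if the purposes change), every visitor who declines receives the identical value, and the analytics script is emitted by the server only when consent is on record. The cookie name, the version scheme, the six-month lifetime and the session cookie are assumptions made for the example.

```javascript
// Added example, not code from the thread: a consent record that remembers
// the visitor's choice without itself becoming an identifier. Cookie name,
// version scheme and lifetime are assumptions for illustration.
const CONSENT_COOKIE = 'consent';
const CONSENT_VERSION = 2;                   // bump when the purposes you ask about change
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;  // assumed policy: re-ask after six months

// Parse a Cookie request header into a name -> value map; malformed pairs are skipped.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue;
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Returns 'granted', 'denied', or null when there is no valid, current choice
// on record (missing, tampered, or recorded under an older purposes version).
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  const m = /^v(\d+):(granted|denied)$/.exec(raw);
  if (!m || Number(m[1]) !== CONSENT_VERSION) return null;
  return m[2];
}

// Set-Cookie header that records a choice. The value is the same for every
// visitor who makes that choice: no token, no timestamp, nothing that singles
// anyone out. HttpOnly is fine because only the server needs to read it.
function consentSetCookie(choice) {
  if (choice !== 'granted' && choice !== 'denied') {
    throw new Error(`invalid consent choice: ${choice}`);
  }
  return `${CONSENT_COOKIE}=v${CONSENT_VERSION}:${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure; HttpOnly`;
}

// Decide what a page response contains for a given request. Strictly
// necessary state (here, the session) is set regardless of consent; the
// analytics script is only injected once consent was granted; the banner
// only appears while no current choice is on record.
function planResponse(cookieHeader, sessionId) {
  const consent = readConsent(cookieHeader);
  return {
    showBanner: consent === null,
    loadAnalytics: consent === 'granted',
    setCookies: [`session=${sessionId}; Path=/; SameSite=Lax; Secure; HttpOnly`],
  };
}

// Render the page from a plan. The tracking script never reaches the browser
// unless loadAnalytics is true, so "denied" leaves nothing to bypass client-side.
function renderPage(plan) {
  const parts = ['<!doctype html><title>shop</title><main>catalogue</main>'];
  if (plan.showBanner) {
    parts.push('<aside id="consent"><button name="choice" value="granted">Allow analytics</button> '
      + '<button name="choice" value="denied">No thanks</button></aside>');
  }
  if (plan.loadAnalytics) parts.push('<script src="/analytics.js"></script>');
  return parts.join('\n');
}
```

The design choice worth noting is that the deny value is a constant: a consent-management script that stores a random token next to the choice has turned the consent cookie into exactly the kind of identifier the rest of the thread is about, whereas a fixed `v2:denied` is shared by everyone who declined and cannot distinguish one visitor from another.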

JimDabell
14 replies
6h33m

Yes there is. More specifically, it’s the Privacy and Electronic Communications Directive 2002/58/EC, which each member state adjusts their own laws to follow. It’s published here:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...

The relevant part:

Article 5

Confidentiality of the communications

3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

If you want to argue that companies have a legal alternative to showing you cookie banners, then by all means do so. But don’t say there’s no law because there clearly is. This is a misleading and inflammatory headline.

Edit: Yes, I read the article. To draw a distinction between “must obtain consent” and “must show UI that obtains consent” is of no value unless you want to write an article with a shocking headline.

nicce
4 replies
6h24m

You are citing directive that does not apply in all cases.

It is amended by Directive 2009/136/EC, which changes especially the cookies part.

(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

If you read the exceptions part, you know that you don't need a banner on strictly necessary case.

JimDabell
3 replies
6h17m

That update doesn’t matter because the original has the same exception. I quoted it.

nicce
2 replies
6h3m

Then there isn't cookie law?

JimDabell
1 replies
5h58m

If there are exceptions to copyright such as fair use, does that mean that there is no copyright law?

nicce
0 replies
5h50m

The context was very specific in this case. Like you are always required to present a banner when you use a cookie. But that is not the case.

kome
1 replies
6h24m

I think you might not have fully grasped the meaning of the post. Let me rephrase it for clarity: there is no cookie banner law, but a consent law, but it doesn't need to be as ugly, intrusive or user-unfriendly as the current cookie banners. One alternative is to opt out of using cookies on your website entirely (which is what I do, by the way), and then you won't need to ask for consent. Or to use a simple, unremarkable, bar.

JimDabell
0 replies
6h14m

I think you might not have read beyond the first line of my comment. Why are you telling me that there are alternatives? I literally said that in my comment.

shdon
0 replies
6h28m

But that is what the title states and is explained in the article. There is no law that forces a cookie banner. There is a law that requires consent before tracking, but that is not necessarily about showing a banner - that is just one of the possible ways of complying with the law. There is an electronic privacy law, and it is quite comprehensive. There is no "cookie banner law".

krab
0 replies
6h26m

But this is exactly what the article is saying.

iainmerrick
0 replies
6h28m

There’s a law, but it’s not a “cookie banner law”. The section you quoted says nothing about banners. The banners are a design decision by the operators.

gwd
0 replies
6h20m

This shall not prevent any technical storage or access ...or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

If the functionality is explicitly requested by the user -- e.g., logging in, or changing the default language or currency, or what-not -- no consent is necessary to keep cookies. Cookies are only necessary for things the user didn't implicitly ask for, like tracking.

ascar
0 replies
6h30m

The article makes that point. There is no law to put a giant banner that disturbs UX in your users face. Companies choose to do so. There only is a law that prevents companies from tracking you without consent.

K0nserv
0 replies
6h23m

This doesn't require a specific implementation, just that informed consent is given. This could be implemented as a web standard à la Apple's ATT (App Tracking Transparency). There's nothing preventing the industry from creating such a standard, obviating cookie banners in the process. This would not only be a win for users, who could express their overall position on consent as a browser setting, but also save thousands of developer hours for websites.

5kyn3t
0 replies
6h17m

hmm I disagree. I found the article quite an eye opener for me. I also thought that the cookie banners were what the EU forced the website owners to show, but clearly they aren't. It is just about consent. This consent could be given in a non-annoying way, but clearly the involved companies don't want to.

flipbrad
8 replies
6h39m

Note that this isn't a cookie law, it's also the EU's main anti-malware law. The principle is that no piece of third-party controlled software should write information to your computer/phone, or read info from it, over the Internet, without your prior informed consent (with narrow exceptions for storage/reads that are needed to provide a service you've asked for, or equally narrow functions like load balancing). This isn't just about browser cookies, but also your webcam, your mic, and the contents of your Documents folder.

The principle seems sound, but the EU is deadlocked over reforms to create some extra exemptions, e.g. for security scans/mandatory updates, or privacy-respecting audience metrics. EU regulators are already sort of turning a blind eye to those, so it's fair to say the EU isn't great at regulating - it's not fixing what society mostly seems to see as bugs/overreach in the original (now decades-old) law.

toyg
2 replies
5h59m

What do you mean by "the original (now decades-old) law" ? The GDPR is 8 years old.

flipbrad
0 replies
4h44m

Yes. Although in fairness, the "cookie rule" part has been updated since then. But not anytime recently.

And the GDPR's subsequent entry into force created the current emphasis on how actively (and individually) you need to consent to things, and how much you have to be told about them first. Stuff like "clicking anywhere on this site tells us you consent" was a lot more common, pre-GDPR.

aleph_minus_one
2 replies
5h50m

Note that this isn't a cookie law, it's also the EU's main anti-malware law. The principle is that no piece of third-party controlled software should write information to your computer/phone, or read info from it, over the Internet, without your prior informed consent

So it is a responsibility of the browser vendor to implement this.

lesuorac
0 replies
4h33m

I mean it currently isn't.

The Cookie banners aren't from the browser they're really from the site.

That said, it seems fair to require the browser vendor to implement it. The browser is the one that exposes a method to store data on the machine (ex. Cookies, LocalStorage) so it seems fair that they should know the user wanted data to be stored.

flipbrad
0 replies
4h42m

No more so than the OS itself. The real responsibility actually lies with the people causing the remote access (e.g. the website operator, the remote hacker, etc).

is_true
1 replies
6h33m

Did they try to make it a standard for browsers? I tried searching but I couldn't find anything.

adulion
5 replies
6h29m

Can you build a website nowadays with analytics without using cookies, or violating GDPR?

krab
0 replies
6h8m

In my understanding, the most important part is to not share user information with third parties. IIUC, Google can use Google analytics data to join your behavior from multiple sites and then use that to serve targeted ads.

The next level is to not store PII unless there's a specific reason in the user's interest (improving site quality doesn't count, logging in does). Therefore, you can see how many people visited a page, aggregates of device types etc. Just not anything that identifies an individual.

cornedor
0 replies
6h21m

Yes you can. See for example https://plausible.io/, which does analytics without using cookies, and without collecting any personal data.

cbeach
0 replies
6h8m

You can track the number of visits without using cookies, but it's practically impossible to track the number of unique visitors without using cookies.

The number of unique visitors is a very useful metric (both in itself, and combined with the number of visits).

The EU has made it impossible to track this simple and harmless metric without inconveniencing all users with awful UX.

Under the GDPR / ePrivacy Directive, ANY user-based unique identifier used for advertising, analytics and tracking will trigger the need for consent.

---

General Data Protection Regulation (GDPR)

Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Article 6(1) outlines the lawfulness of processing and states that processing is only lawful if and to the extent that at least one of the following applies: "the data subject has given consent to the processing of his or her personal data for one or more specific purposes."

---

ePrivacy Directive (Directive 2002/58/EC)

Article 5(3) requires prior informed consent for the storage of or access to information stored on a user's device: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

alex_suzuki
0 replies
6h20m

You can use something like Plausible Analytics which does not use cookies.

IanCal
0 replies
6h24m

Of course you can. What is it you want to do that you think you can't do?

VoodooJuJu
5 replies
6h28m

I wonder - why didn't the EU put the burden on user agents a.k.a. web browsers to handle the cookie notices? When I visit a site, before saving any cookies, have my user agent ask me if I want to allow cookies for that site. Could have a default "no cookies" option with a whitelist, or default "yes" with a blacklist. It would have been so much easier, with a far more consistent UX, wouldn't it have? Now we have to put up with 1,000 different flavors of invasive banners, popups, "necessary cookies", etc.

ulucs
1 replies
6h3m

DNT existed, but websites decided they could freely ignore that. Hence the regulation.

junto
0 replies
4h17m

Technically they can ignore the users’ choices on cookie consent as well though. In fact, I would be curious just how many websites honor a user’s selection, and how many of them are just smoke and mirrors by having a consent modal that has zero subsequent value.

pgeorgi
0 replies
6h13m

The EU doesn't tend to require specific implementations - the banners aren't a required implementation, either. It's just what the advertisers thought works best to get their desired outcome.

There was the DNT header. Few sites acknowledge it (and thanks to those who do!), and when Microsoft went against spec by setting it default-on in their browser, advertisers whined that they can't see informed consent anymore and just shut down the whole initiative. Note: Microsoft is also in the advertising business, so if you're into that, that might be another angle for your favorite conspiracy theories.

Finally, there's consent-o-matic, available as browser extension for various browsers, and it lets you state your preferences. https://consentomatic.au.dk/ Would it have been better to integrate that into browsers properly? Sure. But the social and economical dynamics being what they are, this is probably the best we can get.

elygre
0 replies
6h20m

The EU in this scenario believes in the open market: let the web browsers and web sites find a technical solution.

IanCal
0 replies
6h25m

Because it's not about cookies. It's a much broader statement than that about how the company is allowed to handle your data.

cafed00d
4 replies
6h8m

Companies could easily avoid any cookie banner. Just don’t track.

Well, then, the EU should've just made _this_ the law.

And we'd have called it the "Just don't track" law.

Rant & Details:

There is no law for cookie banners.

What the EU is saying, you need my consent when you want to track me, profile me and sell my behavior off to ad companies.

or “Look, Why take a chance?” (Remo Gaggi),

This kinda proves PG's point.

Rant: I find it incredible that folks defend the EU by saying things like "There is no law for cookie banners". No, there is a law. The law is the reason people think "Look, Why take a chance?" and build crap like cookie banners in. The law is not a bunch of words on paper. It's the institution that incentivizes or punishes people for their actions; thereby influencing people's behavior.

paulryanrogers
2 replies
5h57m

The law punishes companies, not private citizens. If lawyers are overreacting or companies cannot discern between essential tracking and non-essential then perhaps they are the incompetent ones.

aleph_minus_one
1 replies
5h47m

If lawyers are overreacting or companies cannot discern between essential tracking and non-essential then perhaps they are the incompetent ones.

If the EU is incapable of creating a law where it is unclear even to quite some lawyers where the boundary between allowed and forbidden is, the EU politicians are the incompetent ones.

cseleborg
0 replies
5h27m

There are a bazillion unclear laws all over the world. It's common practice, really, to formulate things a little bit generally, and let practitioners (lawyers and courts) figure out the details.

In this case, the unclear point is around the notion of "legitimate interest". I guess something like fraud prevention can be thought of as legitimate interest. But ad companies just said, "well, we make money out of tracking the hell out of users, so it's in our legitimate interest to keep doing it, and never mind that the whole point of the law was explicitly to rein in our industry's nasty behaviour."

So now law practitioners have to hash out amongst themselves what "legitimate interest" actually means in 2024, and this of course can change in 2034, so you write the law to not have to be updated every time the tech industry invents new ways of being naughty.

cseleborg
0 replies
5h34m

The law is the reason people think "Look, Why take a chance?" and build crap like cookie banners in.

Really, no. Not being willing to let go of user tracking, and now realizing that it's against the law if you get it wrong, is why people think "Look, why take a chance?" and grasp for shitty dark patterns to cover their asses.

My business did not track its customers online and had no banner. Period.

ZiiS
4 replies
6h22m

Whilst I am very opposed to tracking, especially covert tracking, I do believe the cookie law is bad. Fundamentally, websites can not store content on your computer without your consent. Your "User Agent" is what stores cookies; it is usually a piece of open source software fully in your control, capable of only storing them based on any policy you like, including asking you for each site. Whilst it would be nice for all sites to set an "Evil Bit" telling you which cookies are functional and which are for advertising tracking, this is unpoliceable.

niklasrde
2 replies
6h4m

That's not true. "strictly necessary cookies" are allowed without consent (but information on their use must be available).

Examples for what that means given by the EU itself [1] include "cookies that allow web shops to hold your items in your cart while you are shopping".

And on the policing - there are a lot of laws that cannot be "policed". It requires trust, goodwill, collaboration and savvy users to report violations to the webmaster or relevant ICO.

[1]: https://gdpr.eu/cookies/

ZiiS
1 replies
4h50m

How do you know if a site has used a cookie they said was functional to track you?

LunaSea
0 replies
3h10m

It doesn't matter because that's the law and if you don't follow it you risk a fine.

How do you know if your neighbour is not producing meth in his basement?

mpeg
0 replies
6h3m

What you're suggesting is basically the same thing as what the law is achieving.

Yes, users could block all cookies but this will break functionality on a lot of sites, so it's not reasonable. And yes, sites could communicate which are functionality cookies and which are tracking cookies, but as you say it's hard to police this, so pushing the issues to the user's software won't work.

What the law does is fix all this by requiring sites to obtain consent in certain scenarios; but if your site only sets cookies required for the site to function (shopping cart, login cookies), or if it tracks users for the purpose of security (eg a bank that detects when you log in from a new device / location) you DO NOT need to obtain consent, no banner required.

eterevsky
3 replies
6h26m

There is a law that does not mandate cookie banners, but that still causes them by creating incentives to show the banner. That's the point of criticism.

pif
2 replies
6h11m

You are implying that strict anti-emission laws caused uncontrolled emissions by Volkswagen vehicles.

But Volkswagen was very discreet about it, and when uncovered everybody was against them. Websites are being obnoxious, instead, and people accuse the law. Go figure!

eterevsky
1 replies
6h5m

I don't see the relation to the story about VW and emissions. VW broke the law, while the websites are following it.

paulryanrogers
0 replies
5h52m

Arguably by your logic the emissions laws incentivize cheating, much as folks see the GDPR incentivizing annoying users -- to nag regulators to change the rules back in the company's favor.

It's a stretch though. I prefer more obvious analogies.

YetAnotherNick
3 replies
6h6m

Europe's parliament's site has a cookie banner[1]. People saying you don't need a cookie banner either haven't worked in companies or are purely driven by ideology.

[1]: https://www.europarl.europa.eu/portal/en

dahauns
1 replies
5h51m

The site also shows how simple it could be, though - it respects the DNT flag: no cookie banner, no tracking in this case.
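The two points above (mpeg's: strictly necessary cookies need no consent, so a site that sets only those needs no banner; dahauns's: a site can honour a browser-level opt-out such as DNT and then show neither banner nor tracking) can be expressed as one small server-side policy. The following Python is an added example written for this thread, not code from any commenter, from the europarl site, or from any consent-management product. The cookie names, the category table and the `cookie_consent` value format are constructed for a hypothetical web shop; treating the Sec-GPC (Global Privacy Control) header the same way as DNT is this example's own choice.

```python
"""Consent-gated cookie policy for a hypothetical web shop (added example).

Everything non-essential is withheld until the visitor has consented, a
browser opt-out signal is honoured as a silent refusal, and the consent
choice itself is stored in a cookie that counts as strictly necessary.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping

# Constructed classification table: every cookie this hypothetical site may
# set, and why. "essential" mirrors the "strictly necessary" category
# (session, cart, CSRF token, and the record of the consent choice itself).
# Any name not listed here is treated as non-essential, so a newly added
# third-party component cannot silently start setting cookies.
COOKIE_CATEGORIES: dict[str, str] = {
    "session": "essential",
    "cart": "essential",
    "csrf_token": "essential",
    "cookie_consent": "essential",  # stores the visitor's choice
    "_ga_demo": "analytics",        # constructed analytics cookie name
    "ad_id_demo": "advertising",    # constructed ad-tracking cookie name
}
NON_ESSENTIAL = set(COOKIE_CATEGORIES.values()) - {"essential"}


@dataclass(frozen=True)
class Decision:
    allowed: frozenset[str]  # categories that may be set on this response
    show_banner: bool        # whether the page must still ask the visitor


def _parse_cookie_header(value: str) -> dict[str, str]:
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar: dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            jar[name.strip()] = val.strip()
    return jar


def decide(headers: Mapping[str, str]) -> Decision:
    """Derive the consent state from the request headers.

    Precedence: DNT: 1 or Sec-GPC: 1 is a refusal of all non-essential
    categories and suppresses the banner; otherwise a stored consent cookie
    is honoured; with neither, only essentials are set and the banner shows.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("dnt") == "1" or h.get("sec-gpc") == "1":
        return Decision(frozenset({"essential"}), show_banner=False)
    jar = _parse_cookie_header(h.get("cookie", ""))
    if "cookie_consent" in jar:
        # Constructed format: comma-separated accepted categories,
        # e.g. "analytics,advertising"; an empty value means reject-all.
        accepted = {c for c in jar["cookie_consent"].split(",") if c}
        accepted &= NON_ESSENTIAL  # ignore unknown or tampered values
        return Decision(frozenset({"essential"} | accepted), show_banner=False)
    return Decision(frozenset({"essential"}), show_banner=True)


def filter_set_cookie(set_cookie_lines: list[str], decision: Decision) -> list[str]:
    """Keep only the Set-Cookie lines whose category the visitor allows."""
    kept = []
    for line in set_cookie_lines:
        name = line.split("=", 1)[0].strip()
        category = COOKIE_CATEGORIES.get(name, "unclassified")
        if category in decision.allowed:
            kept.append(line)
    return kept


def consent_set_cookie(accepted: set[str]) -> str:
    """Build the Set-Cookie line recording the visitor's choice (180 days)."""
    value = ",".join(sorted(accepted & NON_ESSENTIAL))
    return f"cookie_consent={value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure"


if __name__ == "__main__":
    # Constructed response from the app before the policy is applied.
    response = ["session=abc; Path=/", "_ga_demo=GA1.1; Path=/", "ad_id_demo=x; Path=/"]
    for hdrs in ({}, {"DNT": "1"}, {"Cookie": "cookie_consent=analytics"}):
        d = decide(hdrs)
        print(hdrs, "->", sorted(d.allowed), "banner:", d.show_banner,
              "set:", filter_set_cookie(response, d))
```

The point the code makes is that the banner is a consequence of what the application wants to set, not of the law by itself: a response that only carries essential cookies passes `filter_set_cookie` unchanged under every decision, and a visitor who sends DNT or Sec-GPC never sees the banner because nothing is left to ask about.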

YetAnotherNick
0 replies
1h27m

It's a case of moving goalposts. The thing claimed is that sites don't need a cookie banner, and a simple parliament site needs it.

braymundo
0 replies
5h55m

And it's a super sane implementation. A simple yes or no.

stephc_int13
2 replies
6h14m

This article just reminded me that I should always choose NO when asked.

And that probably can be automated...

shade
0 replies
5h34m

I've been running Consent-o-matic [1] in both Chrome and Firefox for quite a while now, which automates a lot of them. You can set your preferences for what categories of cookies you want to allow.

[1] https://github.com/cavi-au/Consent-O-Matic

frizlab
0 replies
5h42m

There are extensions to hide the cookie banners and while you have not clicked yes you have effectively said no.

bananapub
2 replies
6h8m

it is pure HN that there are so many people commenting who

1) didn't bother to read the article

2) didn't bother to read any previous articles and so have continually spread nonsense about what the regulations actually required

3) are defending all the companies that decided to be fuckwits with barrages of notices to users instead of actually sincerely trying to reduce their creepy nonsense and then - if anything was left that required disclosure - explained it honestly

ulucs
1 replies
5h59m

I believe quite a lot of them have their paychecks depending on invasive user tracking, so no surprise.

bananapub
0 replies
5h55m

everyone's at best a temporarily embarrassed surveillance capitalist

vbo
1 replies
6h14m

With or without EU regulations, client software could decide to discard all cookies once the user has "left" the site. Or it could block cross domain cookies of its own volition. Yes, it doesn't fix the fundamental issue, but it does address it for those that want to fix it against the tide. Yes, it comes with drawbacks, but it is what it is so long as we don't collectively move towards paying for content, ideally in micro form.

I sometimes come across articles in local publications that ask me to subscribe - dude, seriously? Do you expect me to subscribe to an Alaskan publication when I live half the world away and could not care less about what happens there, but just want to read this one article that seems interesting?

So instead we have ad funded websites that have to do what they have to do in order to make some money and keep publishing whatever it is they publish. Hence tracking cookies.

Everyone's needs would be better served if we could pay for content the same way we did back in the day of printed newspapers. You buy today's edition and you get today's edition and no one except the newsagent is tracking you (if you happen to regularly buy the newspaper from her, she'll remember you, and she may even suggest additional newspapers to buy but it's implied, right? we dislike machine tracking, not humans remembering our buying habits).

Alas, we don't have that. We have intrusive tracking and subscriptions, even though technically it's something we could build in weeks (lest the payment companies didn't make it unfeasible, for their own benefit).

And people do sometimes try to figure it out. Bundles come to mind. Everything -- except micro transactions allowing you to purchase just. this. article. And while micro transactions don't exclude tracking, companies are more likely (is this wishful thinking?) to be careful with a paying customer's experience than with freeloaders, which is what we insist on being, while putting up demands as to what publishers can do with our data.

pif
0 replies
6h6m

Everyone's needs would be better served if we could pay for content the same way we did back in the day of printed newspapers.

This is one option. Another is that advertisement goes back to those days: you associate advertisement to a content and to a rough geographical location, and that's it. No personalised ads is still possible.

throwaway67743
1 replies
6h40m

One of the most egregious abusers of this recently got told off for it, I want to say it's IAB, but they're all as bad. Trust arc or whatever they're called deliberately made it as annoying and deceptive as possible. You can't blame the EU at all for a deliberate misinterpretation of the law.

raverbashing
0 replies
6h38m

Yeah, IIRC I think noyb was looking into "Trust arc"

skrebbel
1 replies
6h14m

I agree with this. We recently removed all tracking (eg google analytics) from our homepage because we didn't want to have a cookie banner. The result: everything is going fine. Turns out we didn't need the tracking at all. Should've done it way sooner.

I hope the EU sticks to their guns. A few years ago, there was a flood of HN posts about optimizing initial page loads etc, because research showed that even a few hundred milliseconds slower load times measurably affected how often people clicked on buttons named "buy" and "sign up" and the likes. Then GDPR happened, and this somehow became a non-topic and instead we get 3-screen tall "TrustArc" modals that take half a second responding to a click? This makes no sense at all!

I hope, and believe, that it's just a matter of time before people re-discover that yes, actually, if you make a page fast and nice and friendly, you get more clicks/signups/purchases/$kpi, and that cookie banners hurt business.

If this is true, then what we're seeing now is just the initial path of least resistance: do what we did before, plus do what the lawyers tell us to. As the key GDPR rules have gradually become "common knowledge", we ought to be seeing gradually more sites switch their approach and focus on fast UX again, ie, no cookie banners and thus no tracking. Sure, it's work, and I bet the math doesn't always work out against tracking, but I bet often enough it does.

cseleborg
0 replies
5h12m

I agree with this. We recently removed all tracking (eg google analytics) from our homepage because we didn't want to have a cookie banner. The result: everything is going fine. Turns out we didn't need the tracking at all. Should've done it way sooner.

Thank you. The industry needs more such testimonies showing that letting go of tracking is okay and won't sink the ship.

schnuri
1 replies
4h45m

Is it just me or does someone else find it curious that a post with 414 points in 2 hours and many comments is on page 2? There are posts with less points, and less comments in more time that are on the first page. Is the HN ranking algorithm public?

hazbo
0 replies
4h1m

It's now magically made it to page 6, seems a bit odd

rsp1984
1 replies
6h2m

Just don’t track.

You're making it sound like it was a switch that I could simply turn on/off as a web dev. The reality is that most sites are a complete clusterf*k of 3rd party components, dependencies, backend services etc.

Doing an audit of which of these components are compliant with tracking / cookie laws is just not a realistic ask. Hence why devs decide to just tack on a cookie banner and call it a day.

paulryanrogers
0 replies
5h55m

These do not sound like competent companies, if they cannot even classify the tracking that they initiate as essential or non-essential

pearjuice
1 replies
6h31m

To me, this seems like engagement clickbait targeting PG to promote an infotainment product (CTO coaching/course):

there is no cookie banner law

There definitely is. The article explicitly states this:

you need my consent when you want to track me

"tracking" here means storing data:

store information in a visitor's browser is only allowed if the user is provided with "clear and comprehensive information", in accordance with the Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given their consent (wikipedia)

The actual directive also explicitly states this

consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an Internet website (32002L0058.17)

xxs
0 replies
6h30m

"tracking" here means storing data:

Yes, without any consent. For instance, logging in to a site doesn't require the warning.

oytis
1 replies
6h16m

He's not saying there is though? The "cookie law" is 14 years old now, and it looks like the proverbial Brussels effect failed to change how the whole industry operates, except we now have cookie banners.

paulryanrogers
0 replies
5h50m

Customers are more informed. Savvy companies now only do essential tracking, so don't have to bother users. Or at least more will as enforcement catches on.

nojvek
1 replies
5h51m

US does a really shitty job at regulating tech companies - esp privacy and abuse of data.

Perhaps because the big tech has captured the regulators with a lobby revolving door.

Look at how big a tantrum Apple is throwing regarding 3rd party app stores.

I’m glad EU is doing what it’s doing.

And the various data locality laws. Data is precious.

I wish US would impose stronger fines when data is misused or hacked into due to negligence.

mlrtime
0 replies
5h46m

And yet there isn't a lot of actual difference between Americans and EU citizens.

Sure lots of EU laws, practically speaking no difference at all.

happosai
1 replies
6h25m

Great example: Neither hacker news, nor that linked article needed a cookie banner.

xxs
0 replies
6h21m

The article even has a book ad on the side

dangus
1 replies
6h23m

Just in case this helps someone: you can just block cookie banners because before you click “accept” the default is no tracking.

There are extensions like “I don’t care about cookies” for this but also uBlock Origin has a list checkbox for it.

andrewaylett
0 replies
3h39m

The default should be no tracking.

bjornsing
1 replies
6h38m

This is written from the standpoint that you want to deny consent. But I just want to give consent and get on with my day. I see it as sort of paying for the content.

Honestly I think most people see it this way, even if it’s an unpopular stance in some tech circles.

c-flow
0 replies
6h17m

I find it annoying but I do the opposite. Don't give my consent for all the optionals and prefer not to get tracked. I don't believe all of that tracking is warranted in a significant number of cases. Websites appear to be still fully functional without all of those extras, too, meaning the website providers are also ok with foregoing it.

zalyalov
0 replies
5h31m

I see a lot of comments about how it is some sort of an unforeseen second-order consequence. But it isn't. If you want to have no tracking, you write a law that bans tracking. If you write a law about mandatory notifications, bombardment of notifications is the most direct consequence one can imagine.

tristor
0 replies
5h25m

I have what I think is a somewhat clear perspective on the issue of tracking cookies, because I have been on both sides of this issue “in the trenches.” My observation has been that companies really cannot choose to not track as a larger entity, because systemically they do not trust their own employees to make good decisions.

What I mean by this is that tracking in web properties is a joint decision (in most tech companies anyway) between Marketing, Legal, and Product as functions and executive leadership overall. This is actually a “big” decision, because it’s a binary decision that guides future trajectory.

Companies can choose to:

A. Make decisions about where to expend resources on ads, product feature development, localization, accessibility, et al on web properties based entirely on the “gut check” of their employees in each function and trust the outcomes.

B. Carefully measure and track everything so that decisions are supported by data and results are tracked, simplifying decision making and reducing the potential bias of employees and eliminating the need to trust employees to make good decisions and being able to validate outcomes.

If your product /is/ a web-app, the impact becomes even more pronounced.

At the end of the day, the only way to get an organization to give up tracking is to directly force the issue in the law or solve the underlying issues that create a trust gap and competency gap within large organizations. I think the latter is likely impossible to solve, so the former is the only option. In line with the banality of evil, companies are not maliciously deciding to track you; if there is any malice here it's towards their own employees down the line, who aren't or can't be trusted to do their jobs without tracking.

Because Option B is the only likely option here, the net effect of the law as it stands today is to have a cookie banner everywhere. There’s literally a SaaS called Cookie Law that helps companies comply with these rules.

tmaly
0 replies
4h47m

I don’t put these cookie banners on my sites. They are just annoying.

Most decent browsers block google analytics these days.

The facebook pixel was retired as far as I can recall.

At this point I just have a local analytics setup just to let me know how many visits a particular page got.

skerit
0 replies
5h50m

What the EU is saying, you need my consent when you want to track me, profile me and sell my behavior off to ad companies.

Huh. I always thought that as soon as you use a long-term cookie that could technically be used for tracking, you have to get permission.

Which also means you have to get permission when someone logs in to your website. Though I guess the act of logging in could be seen as giving permission.

Anyway: I don't add cookie banners on my websites, and I don't use any tracking.

siva7
0 replies
2h36m

The only thing that matters is that if an entity wants to track people, they have to let them know in a way that is clear and request their approval.

The law may be a one-liner that just wants to protect the users' privacy. But this vagueness makes this law so extremely bad. Companies don't know anymore what's allowed and what not, so in order not to risk getting sued by some greedy shenanigans they just put up some cookie consent wall. Can I use tools like Microsoft Clarity or Google Pages without getting sued by not having some cookie banner? Who knows anymore without getting an expensive lawyer, and then I have to deal with the expensive technical changes required to implement these regulations, which especially hurts small or one-person software shops while big co doesn't care anyway.

seydor
0 replies
5h34m

I think pg is talking about the advertising banners, and yes, congratulations EU you have ruined our web experience to the benefit of even-worse-tracking that mobile applications do.

I think the bigger issue here is that this law did not fix anything, destroyed what little EU online advertising business existed, and focused on the wrong thing. For starters, the European people did not ask for this law, they have bigger problems; it was campaigned for by specific German interest groups to which most EU citizens are indifferent. Ad tracking is/was not a concern for the vast majority of EU citizens (who, again, were never asked about this law). Internet and social media addiction, however, IS an issue that most citizens have, and the EU has spent so much energy and capital on this pointless cookie banners issue that it doesn't have more to spend on solving the addiction issue. Premature legislation always does that, and the worst is, there will never be accountability for such wrong decisions. The people who inspired the legislation are not up in some kind of election, and the upcoming MEP elections have nothing to do with EU politics and everything to do with domestic politics (Show me a country where MEP election results are not considered a proxy for national elections).

But it doesn't matter how many times someone points out the political misalignments, there is no mechanism to change that until something really grave happens, when it will be too late.

seanhunter
0 replies
5h43m

At one company where I worked the head of legal and the compliance officer scheduled a meeting with me[1] without any notice. I showed up and it turns out they wanted to know why we didn't have a cookie banner. I explained we didn't have any cookies.

They insisted we implement a cookie banner which would set a cookie to say whether or not you had accepted cookies. This was the only cookie.

[1] Never a good sign when legal and compliance just book a meeting with you like that and you don't know any normal context.

reactordev
0 replies
5h37m

I'm glad someone said this on a broader scale than I could reach. This is exactly why we have cookie consent pop-ups. Implemented by Admiral Tech or whatever. It's disgusting and is hostile to the open web.

Even disagreeing now forces you into another full-page pop-up where you have to itemize your disagreement before clicking on Reject All.

randallsquared
0 replies
6h19m

Having read comments here first, I was surprised when I visited the article and found that while the thrust of the article was that pg was incorrect about the existence of a law about "cookie banners", the tweet referenced in the post -- and screenshot, even -- does not even imply that pg thinks that there is a law specifically mandating cookie banners.

ptero
0 replies
6h34m

As a person who is generally suspicious of regulation on the grounds that it is an always growing beast (rules do not get revisited enough and rejected when they become an unneeded complexity), this viewpoint is spot on for me.

And while the main visible results today are bad (cookie banners of various levels of annoyance), it is bad mostly due to existing dark patterns and encourages changes in the right direction. Will those changes come and, if so, when, is to be seen. My 2c.

philip-b
0 replies
5h7m

If only my browser showed, for each link that leads to a website with an annoying cookie banner, a small icon indicating that that's the kind of website the link leads to. Can someone make a browser extension like that?

pcl
0 replies
6h15m

> “I’m not a lawyer and this is not legal advice. Ask your data protection specialist.”

Ironically, the author felt compelled to announce that he’s not providing legal advice. There is also no need for him to make that disclaimer. But hey, why take the risk?

openplatypus
0 replies
5h21m

Tired of cookie banners?

Just use Consent Free analytics like Wide Angle Analytics.

nedt
0 replies
3h14m

Just imagine someone in the supermarket following you all the time, writing down all of your actions. That's pretty creepy and that's why you have to give consent first. I have no idea why anyone thought it's normal when done online. Or to extend it to the offline world just because it's technically easy. That's all the cookie banner is doing - showing how creepy many companies are and how much they don't care about you personally.

mediumsmart
0 replies
4h57m

That's right, however, there is a consent needed for cookies that are not necessary. If you don't have the cookie banner asking for consent to track you with the unnecessary tracking cookies you can get a letter from the Abmahnanwalt, which means that in Germany there is a de facto cookie banner law (next to the self-censorship brain bucket) just to be on the safe side.

luke-stanley
0 replies
5h8m

@KingOfCoders / amazingcto you wrote `Indeed, as an American, there is no need to force them onto you.` - I feel like that suggests some assumptions about PG here that might not be quite correct. Since PG's often in the UK, his place of birth and where he has a residence, he's sometimes in a place that has GDPR obligations, and he'll likely be exposed to the full GDPR vs analytics annoyances that IP addresses, email addresses, trackers, and the data protection make likely. I've no idea what internet use would be like in the US though (I haven't surfed via the US for ages, so don't know what the geo-targeted and account-targeted consent differences are). PG likely both benefits and suffers from being in multiple jurisdictions. As for his personal identity, with terms like American and British, he might identify with both, but he did write "Keep Your Identity Small" so he might even prefer neither label, I don't know. Regardless, yes there could be better ways at a protocol level; maybe the EU should have foreseen that rather than the noise which we have now. Guess we'll have ML agents to handle it for us soon.

kennethwolters
0 replies
6h29m

The entity that has legislative power takes responsibility for unintended consequences of its legislation. At least this is how Anglo/Common Wealth cultures think about it. You can see that Germans think about this differently.

jstummbillig
0 replies
5h31m

Both ideas are simplistic nonsense.

It's how we wish people worked, but it's not how people work. The area of people that actively care about being tracked is not equal to the area of people that would say yes if you point blank ask them "do you want to be tracked?" (with all the fears that this question triggers), and it's not equal to the area of people who would actually be happy to give up the affordances that tracking allows for in their everyday life, even if they really do not like to say "yes" when asked to be tracked.

All of this is compatible because, hi, this is us. We close our eyes, and pretend they are open. We love to not consider consequences, while thinking of ourselves as considerate. Well, not always. We do make "a few mistakes" every now and then, of course. This makes the whole thing believable, to ourselves and each other.

I understand that it makes for good internet banter to ignore all that but what else it is good for, I do not know.

jesprenj
0 replies
5h56m

Slovenia does have a cookie law, explicitly stating that setting cookies in browsers is not allowed unless permission is granted beforehand. But it's up to interpretation whether enabling cookies in the browser counts as permission.

http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO8611 -- 225. člen (piškotki)

fullspectrumdev
0 replies
6h31m

The deliberate, bad faith misunderstandings of the tracking consent and GDPR stuff on here reminds me every time exactly how many people are apparently content to work for and shill for adtech.

Working for Lockheed Martin or RTX is a more moral choice than working in adtech IMO.

frizlab
0 replies
5h48m

just listen to “Do Not Track” headers (it’s deprecated because companies did hate this)

It was my understanding that it is deprecated because it was completely disregarded and thus gave a false sense of safety from tracking, and it was used by tracking companies to do additional tracking.

dangoodmanUT
0 replies
6h12m

There's a simple way to not have your rockets explode when trying to go to mars,

just don't build rockets

d--b
0 replies
4h11m

Well pg is right in that the EU should have forbidden tracking users completely.

But I'm pretty sure that close to 100% of pg's YC startups do track their users. So here's pg's shitting all over the regulators who made him a flower by still allowing his businesses to track people by tricking them into accepting cookies.

Ugh

bheadmaster
0 replies
6h36m

I think this is one of the rare cases where the now-popular-and-often-misused word "gaslighting" fits perfectly: the companies are punishing users because of a law that protects them from data exploitation, then blame the law for protecting them. It's beyond evil.

On the other hand, nobody is entitled to free content on the internet. Hopefully people will become annoyed enough that they will stop visiting the sites of data exploitation companies altogether.

bartimus
0 replies
32m

If you don't want websites to store (1st, 2nd or 3rd party) cookies then such behavior could/should simply be controlled within the browser. Just turn off cookies (although the browser cookie control options could be improved).

If I'm allowing my browser to set cookies, I don't need an EU law forcing websites to ask me every time if I'm ok with a cookie being set.

aurareturn
0 replies
6h23m

Agreed with Paul Graham here: https://news.ycombinator.com/item?id=39627573

HN loves EU regulations though. HN also loves Paul Graham. I got my popcorn ready to read what people will write.

aristofun
0 replies
4h40m

Paul Graham is right still.

EU bureaucrats could have expected that many companies _need_ tracking to survive.

While most people do not actually care about tracking.

Not to mention that behind most companies are the people who earn their living. By honest work (advertising is not guns smuggling you know).

So eventually those stupid bureaucrats didn’t really solve anything, but made life slightly worse for everyone.

Which proves original Paul’s point.

antomeie
0 replies
5h21m

I don't know exactly what Paul was referring to when he wrote his tweet, but my own interpretation of the problem is that the EU has basically transferred the responsibility entirely over to the end user, which is a responsibility that we know people are not capable of handling.

Sure, you can say that websites have the option of "Just don't track", but realistically we know that that will never happen. Particularly since a lot of websites are actually tracking the user for the purpose of making the experience better (such as remembering settings, recent search terms, etc...), rather than tracking for the purpose of selling data to advertisers. But, from the user's point of view, they won't know what they have agreed to anyways. So essentially we get to a scenario where 99% of the websites have annoying cookie banners, when we already know that 99% of users won't read the terms anyways...

If the EU was good at regulating things, they would come up with a solution which puts the responsibility primarily on the website. One example of this could be if EU defines like ~5 different "data ratings", with pre-defined conditions of what sort of data was allowed to be tracked for each rating. Then the websites are responsible for choosing the rating that corresponds to their level of data gathering, and if they report it incorrectly, the EU could fine them.

The result of this is that when a user visits a website, you can quickly see a "badge" in the browser which lets you know what sort of tracking this page has (thus the user learn what each rating means, and get a better understanding of what they agree to). This is very similar to what Apple already does in the App Store in the "Data Linked To You" section for each app.

andrewstuart
0 replies
6h26m

Why is this guy pontificating in this topic if he is not a lawyer?

amadeuspagel
0 replies
5h10m

There is a law that led to almost every website, including every official EU website, having a cookie banner. If you refer to the "cookie banner law" everyone will know that you mean that law.

adamlett
0 replies
5h42m

A personal anecdote: I was charged with adding a cookie banner to my company’s website after having successfully resisted having one for many years. The reason given to me by the new owners of the business was that the marketing department wanted to try some new stuff, and the lawyers told them that it required consent on the part of our users. I was also told that I shouldn’t spend a lot of time on this, and to therefore use an off-the-shelf product (OneTrust), and to not customize it in any way. When I remarked that the default texts for the banner sounded very scary and implied that we did a lot of things that we weren’t actually doing, I was told to leave them unchanged, because we had to assume that they had been vetted by (OneTrust’s) lawyers, and that it would be too legally risky to change them. My argument that OneTrust’s offering was a one-size-fits-all that had to be compliant with the sleaziest, most ad-tech compromised media sites out there, but that we were not that, failed to make an impression.

A couple of observations:

1. Players like OneTrust and the consultants who specialize in this are highly incentivized to play up the risks of not being compliant. My layman’s estimation of the legal risks is that the risk for good-faith actors is actually pretty low. If the authorities find that you are not in compliance, you will most likely get a chance to rectify this, and possibly a slap on the wrist. Those scary fines measured in percent of global revenue are not going to be what you face for an honest mistake.

2. Those businesses that rely on invasive tracking, and therefore really must use these banners, benefit from everyone else mistakenly believing that they too must compromise their UX with these banners. It makes what they do seem normal and acceptable.

RudyStone
0 replies
5h26m

A-fucking men.

MobileVet
0 replies
6h7m

Or you are worn down and no longer care after twenty banners and say yes.

This is probably the worst omission from the EU law, no limit to the number of times you can be asked.

I told you my answer last time I visited… but you didn’t like it so you ask again, and again, and again. Every time I visit you ask me. <rage quit>

627467
0 replies
5h44m

hey: I want to be tracked and I'm extremely annoyed that the law forces me to consent on every f- site I go to. Seems fairly clear that I consent when my browser makes a request to someone else's server and I have JS enabled.

If you don't want to be tracked: disable JS, disable cookies, don't go to websites you know will track you.

As a user: the way you can check whether you have a tracker is as trivial as interacting with a cookie banner. Plus the cookie banners are all different, but the UI to check cookies in your browser is standard and the same. If the EU wants to do something: force browser vendors to educate users on how to use their software.

627467
0 replies
5h55m

Companies could easily avoid any cookie banner. Just don’t track.

Companies can easily not deal with EU shenanigans. Just leave the EU. Actually: many do.
