If more browsers were still User Agents in the literal sense, maybe we wouldn't have needed this legislation. Browsers could have informed people about what cookies were, and could have presented the user with the option to never accept tracking cookies from Big Advertising. Every browser has the option to reject third party cookies or to clear all cookies at the end of the browser session.

This mischaracterization of cookies has, ironically, made life a lot less pleasant for people who don't accept cookies. The "opt-out" is just another cookie. There's nothing special about them either, they can be used to track return visitors just as well as any other cookie. I'm sure they're not, because that would be against the spirit of the law ...

Not tracking people without consent is definitely a Good Thing, but it shouldn't require everyone and their grandmother to put annoying cookie banners on every website under the sun. And I think it wouldn't have, had people been better informed.

I agree. The EU cookie laws were well-meaning, but have had the unintended consequence of making the web more annoying, more difficult to use, and more fragmented.

The solution? Cookie consent should be a built-in feature of browsers and http, not something that is reimplemented in a slightly different way by every single website.

Your browser should pop up a standardised cookie consent request when you browse a new site, and enforce your selection as part of its security policy. If you choose to block all cookies (ie: private browsing mode) then the cookie consent request wouldn’t need to appear at all.

Unfortunately these days the browser would be better referred to as the advertiser's agent," or perhaps just Google's agent.* Owing to Google's control over both web standards and the advertising market, cookie management features have received little attention.

Google's monopoly power has prevented a competitive market of privacy-focused, user-first browsers from flourishing.

It's also probably unlawful, the irony is that not too many years ago we punished Microsoft for unlawfully leveraging its monopoly to control the browser, and when we stopped them we paved the way for Google to do the same thing!

Well, from a antitrust perspective, having TWO giants in the space is better than having only ONE giant.

Ideally we'd now apply to Google the same pressure and further split the field. Alas, politics are complicated.

Many games wouldn't work well in a VM, of course, there's no getting around that.

Only if you ignore the giant market of adtech tracking bullshit that that has been ruining the web since about 2000.

Every website that shows you a "cookie" banner (aka we-track-the-fuck-out-of-you banner), is part of this problem. The law is just bringing it to light. Don't be annoyed by the law, be annoyed by the websites, they are choosing to be annoying.

Look at those websites, they are the problem, not the law telling them they can't do it secretly behind your back any more.

The biggest problem was that this law didn't tell them to be fucking honest in the banners. "This website needs cookies to function" (when it's only about their mishandling of data to 3rd parties) is a straight up lie by omission. If they had to honestly tell in the banners what they were up to "we track your every breath on this site and then sell it to third parties, who sell it to other parties, and god knows what", people would be looking at these sites differently.

"We're forced by law to inform you that we crap on your privacy and are actively ruining the web by delivering the fundamental data that runs the adtech industry"

And obviously Chrome would never do this kind of thing, since it hurts Google.

TBH, I wouldn't blame GDPR for this. Here's a good analogy of what's tracking companies are doing:

    - Companies dump used batteries into the sea.  
    - Dumping batteries into the sea is banned.  
    - Companies start dumping batteries into lakes.

Cookie control/policy in browsers needs to become more sophisticated than what we have today.

IANAL, mind you - but that's how we implemented it - you're opting-in to the ads that target you and analytics which track you, or you get the non-tracking/non-targeting ads and analytics.

    (adsbygoogle=window.adsbygoogle || []).requestNonPersonalizedAds = true;

You also have pretty tight control over the categories of ad that Adsense can display, and you can even go as far as to review individual adverts. I've booted a couple of ads that I found to be unethical/distasteful from my site using the review feature in Adsense.

The only issue with Adsense is that there are a gazillion ads it might show on your site, so I'd recommend filtering out any categories you don't much like first, and then reviewing ads sorted by popularity/impressions in descending order, otherwise you'll quickly go mad.

[1] Obviously not an option if you absolutely don't want to do business with Google.

Google seems to disagree [1]: Non-personalized ads are targeted using contextual information rather than the past behavior of a user. Although these ads don’t use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the EU ePrivacy Directive’s cookie provisions apply.

What's not clear from Google's documentation, but what I assume, is that they also do not use the info about the context & visitor to serve them personalized ads on other websites.

[1] https://support.google.com/adsense/answer/7670013

Granted, from measurements on my own site that's only 1 - 1.5% of people, but Google's ad revenue for 2019 was $134.81 billion, meaning that they'd potentially be leaving $1.3 - $2 billion on the table by not serving ads to these people. Maybe it would be half that or less because the ads aren't personalised, so they're a bit more hit and miss and therefore probably wouldn't attract the same level of bids from advertisers.

But still, they'd be leaving a lot more money on the table than it would cost to fix the problem (an order of magnitude? two orders of magnitude?). Whilst they might choose to leave it due to opportunity cost, it doesn't seem that likely to me. Here's an example: I once worked at a company whose revenue sat in the £250-300 million range, and they absolutely considered it worth supporting 1% of their userbase for the extra £2 - 3 million it brought in (this is back in the day when IE7 and 8 were still a thing), because it probably only cost them high 5 to low-ish 6 figures per year in PITA workarounds to do that[1].

So, as I say, it seems odd to me that Google don't have a solution for serving cookie-free ads that require no consent.

Going back to skrtskrt's original question, "What are some good non-tracking & non-intrusive ad providers?"

[1] Obviously all us devs hated this, but it was tough to argue against from a rational standpoint.

I use adblock by default, so I have no ad-profile at Adsense that they'd use to show me "relevant ads". When I occasionally have to debug some issue with ads somewhere, I'm essentially getting the context-sensitive, not-personalized ads, and they're terrible. At least to me they look as if they were using very simple keyword-matches with little regard to context and primary language. It may be that they don't care to invest more, but it may also be that they don't have enough ad buyers that care for unpersonalized ads so they simply don't have a large pool they can choose from.

I'm also not sure that "cookie-free" would be enough, really. If you're loading ads directly from Google, the user makes the request and can therefore be tracked by Google. Even with Google Analytics and anonymizeIp, at least in the medical sector in Germany, GA is considered opt-in only. In that sense, I'm not sure a central service that delivers ads for you can work without requiring consent.

What very much should work would be a server-side system that's sale/lead-based, where the service would crawl your site, manage your affiliate programs and create ads for you that you'd then insert into your site. That way, no third party learns anything about the individual user and you don't require consent.

Example: you're seeing an article about devops and you get an ad about AWS instead of an ad that has followed you around from another website you visited previously.

The cookie used for frequency capping is considered to be a "technical cookie" and has no bearing on privacy, best I can tell.

The other types of cookies can be pretty much disabled at the point of calling the google tag, or enabled (along with more tracking/targeting ads) if the user consented to that.

But the comment you're responding to says it right there: Even google is telling you it requires consent. It's a cookie, so it requires consent, period. Don't fool yourself.

Could google serve ads without cookies, and do fraud detection by other means? Yes, perhaps lowering payout due to increased risk. But it much better to pretend that a cookie-banner is needed, so that you might as well enable ad-tracking cookies.

> You don't need to look far. You can simply tell Adsense[1] to serve up non-personalised ads

This discussion describes exactly the problem. How long has this tracking consent law been there now??

And it's just an option in Adsense?!!!

So whenever I see a cookie banner, you can assume they are simply too greedy to flip the switch.

Clearly the adtech and adtech-supporting industry hasn't even slightly bothered to look for alternatives, instead opting to annoy the public with banners. It's pure propaganda in the hope that the annoyance will turn into defeat, and somehow they manage to turn people's disgust towards the EU law instead of them, simply continuing to do their useless crap business and pretending the EU got their hands tied ... when there's a literal boolean switch to tell their shit to behave.

For my website [1], I have build close relationships with local experts. They provide services my readers need, and I know they can be trusted. I get a commission from resulting sales. I like that model because advertisers have zero access to or control over the readers' data. Unfortunately, it's simply not applicable to all websites.

- [1] https://allaboutberlin.com/

For pubads, look into "setCookieOptions(1)" and "setRequestNonPersonalizedAds(1)" for a good start on the matter.

It _can_ be done.

That part is not necessary. They are mandatory if you collect any form of personal data without legitimate interest.

Shopping carts, subscription services etc. will still work, you don't need to consent to that, as long as you're not tracking people or handling their data unecessarily.

When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.

Or the owner of the website has failed to understand the nature of the law. Given the amount of confusion in this comment section this also seems likely.

The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting malicously.

If the admin of a site thinks they need a cookie banner when they don't, it's really because they haven't really bothered to give much thought to reducing the amount of data collection they do on their users.

But I bet it's not really that common, website admins who think they need a cookie banner when they really do not. What is WAY more common: the website admins that do need a cookie banner, but ONLY because they use Google Analytics, and don't realise this is a choice they get to make.

Or people (right here in this thread) saying "I can't make a useful website otherwise" -- it's not that the law is hard to understand, it's not. It's that they refuse to give the problem any thought. The ones "failing to understand the nature of the law", actually just don't give a crap. It's like a butcher complaining "Why do I have to label my meat with 'made from tortured animals', I have to kill them right? I can't possibly produce any meat without using this rusty spoon that I've used for decades".

> The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting malicously.

You can easily not act maliciously, and still be a crucial part of the problem. That's also what laws are for, even if you cross them non-maliciously, you get punished. That's because people "not understanding the nature of the law", when it directly applies to their business, is undesirable, and really a responsibility they should carry.

Oh, sure, but if they don't understand it then they probably shouldn't be gathering people's data either.

GDPR is pretty complex, but website operators have proved for years and years that they can't be trusted to do the right thing themselves, so here we are.

Bear in mind:

- Extra data collection or processing must be opt in.

- Not opting in must be as easy as opting in.

- The content must be available if the user chooses not to opt in.

Then:

For instance, you go to a site, tumblr.com for example. Why is not important. You get a consent popup. Opting in to extra data collection is easy but you don't want to. Navigating this consent popup is almost impossible. within a few clicks you are lost, you find a list of several hundred "partners" tumblr wants to share your data with. All are checked and need to be individually unchecked. You still can't work out how to opt out.

To me it's like someone's trying to scam you out of your data. They are so desperate to get your information that they are jumping through all sorts of hoops to try to trick you into giving it.

Do I really want to give my data so an entity that is acting so creepily? Nope. I close the window.

That time "wasted" now, is time spent to fix their mistake.

The mistake of thinking they could collect data on me and sell it to third parties in perpetuity.

It being inconvenient to you to treat people's data and privacy with respect seems like something it's hard to feel sorry for.

And no, not asking for consent and collecting data without supervision is not an option, neither legally nor ethically.

GDPR compliance is usually expensive because people ignore Art. 5.1.(c):

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

If you choose to collect personal data, you're responsible for handling it with due care. If you don't want that responsibility, don't collect the data. If your business model is predicated on doing shady things with personal data, find a different business model.

But I'm eagerly awaiting your measurements ...

Truly. Even if it shows the really big numbers you seem to imply. Because that shows something about their choice. How much trouble they're willing to go through to track you regardless.

It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.

> Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting...

Totally agree, and this shouldn't be done.

> ...this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".

This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

The only different "constraints" relevant here would be "we get to play fast and loose with the data we collect or allow to be collected about users, without repercussions".

If that wasn't the "constraints" they were operating under, they have no problem now either.

> Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

This is indeed where we disagree, except the law also disagrees with you:

It's. Not. About. Cookies.

It's simply about collecting and storing more data on your users than you strictly need to run your business.

There's really nothing technological about it, if you did it with pen and paper, you'd be subject to the same GDPR. Talking about HTTP response headers or "waging a war against cookies" is just misleading.

As a developer, I agree. As an end user, I am OK with this.

If organisations have to think hard about what data they collect, because it means they have to think hard about how to safely store and destroy it, then that's a good thing.

It has been easy to collect, store and disseminate user data without thought for a long time, and website operators have proved they can't (in general) act responsibly.

> This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive

My honest opinion about most of the consent popups I see is that they are at best trying to weasel out of having to comply with the regulations, or at worst applying dark patterns to trick the user into "consenting".

I am sure there are some honest people with consent popups out there, but I'm not generally generous enough to attribute anything other than malice or incompetence.

> this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution.

For sure, but it works both ways. There is a (potential) financial penalty for not taking care of user data, but at the same time, there's a pretty large cost to a user if their data is spaffed all over databases on the Internet when they didn't want that.

Also, I'm pretty sure if you are actually trying to be GDPR compliant then your first interaction with the information commissioners office will be them trying to help you comply, and you do always have the option of just deleting the data if you can't treat it safely.

> Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was speficically discussed, and not allowed, but I could be wrong.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

It would be a mistake to think that Cookies are the focus of the GDPR. See https://gdpr.eu/cookies/:

"However, throughout its’ 88 pages, it only mentions cookies directly once, in Recital 30."

The GDPR is about user privacy, cookies are one of the primary tools for violating it, and the most prominent artefact seen on the web, so it's the focus of a lot of discussion, but the main thrust of the regulations aren't around cookies themselves.

It is significantly unlikely that there will be opt in banners for JS, HTTP, TCP, phone calls, cameras at the beach, or just looking at people with your eyes any time soon.

Consent must be informed and specific, so simply asking users to set their browser to accept or reject all cookies (regardless of purpose) is not compliant.

On the other hand, if browsers get their act together and standardize a consent API with the necessary features, then browser-based consent management would surely be compliant. GDPR and ePrivacy don't address this explicitly, though GDPR Recital 32 considers consent by “choosing technical settings for information society services”.

Centralising consent in browsers is a key consideration in the proposal for an updated ePrivacy Regulation, but the EU is not going to mandate specific technologies. Everyone is well aware of the mess that is the Do-Not-Track header.

I'm not against GDPR, and I'm glad these issues are getting attention. I just want to make sure we recognize there is a lot of nuance here, and there are real costs and second- and third-order consequences to consider.

That's a ridiculous over-generalization. My bank's website doesn't have ads on it; is that not useful? Wikipedia doesn't either, can you earnestly say you've never found wikipedia useful?

There is much more to the web than shitty ad-riddled websites.

Also it's kind of sad if you believe you can't make a useful website without having to hand over private user tracking data to Google. In fact you are using a website just like that, right now.

Most sites choose do popup instead because (they think) it is more effective. So be it, but don't say it's "mandatory" or that "they are forced to".

A/B testing is allowed and doesn't need opt-in if the A-or-B preference is only recorded in aggregate form and not tied to the user.

Same for the purchasing scenario. In this case, you would be explicitly collecting personal data to fulfill the order.

It's almost as if they just want to collect all the data on all the users forever without any oversight, by continuously rehashing bad and misunderstood versions of the GDPR and pretending it's hard and complex and vague.

That people absolutely ruin the user experience of their site deliberately is an active decision they make themselves.

Make an effort not to visit those sites. You will be surprised to know that people that make such bad decisions for their site seldom have any valuable content anyway.

Stop spreading this disinformation. It's just the filthy websites that track your every move on the site and then give it to third parties.

Would you rather they do that by default, extracting your data before you even notice, without even being able to distinguish the bad actor from the good actor?

The problem is that people think it's the cookie banner that's annoying, when it's in fact the very website that has been secretly abusing your privacy, except now they tell you.

The people think that agreeing to the tracking banner is a fair transaction because the adtech banner is being disingenuous. It's as if the entrance to a museum requires you to dump one empty battery in the ocean. It's a bit of a hassle but it doesn't cost you anything, and you get to see the museum which is what you want.

Except in 90% of the cases the museum is clickbait trash.

I mean I agree. No website should use cookie banners. None of them. Increasing fines all around for those adtech fuckheads.

I beg to differ. I use AdBlockPlus (ABP) and I can block 99% of these banners, and proceed immediately to the website. One can also use NoScript to block some websites that are full of crap/trackers (like techcrunch).

I would heavily recommend to switch to uBlock Origin (and maybe uMatrix) instead.

Disclosure: worked for eyeo in the past, and quit.

I use and appreciate this one: https://www.i-dont-care-about-cookies.eu/

I propose a better alternative: just stop doing things requiring consent (which are, by definition, unnecessary, and almost always support an unethical business model), and then you won't have to annoy users with consent popups anymore.

This could actually be a good thing. These days advertisers act as censors: all it takes is a bunch of complaints and a website's revenue stream gets pulled. The webmasters react by deleting the controversial content and avoiding the subject in the future. If this is what a profitable internet looks like it should probably die.

> Nobody has ever been hurt by a tracking cookie in the history of the internet.

How do you know?

> stamping out the little sites

Social media is responsible for this. Few people buy domains these days, it's much easier to register a name on some existing site. Most traffic originates from social media these days.

This is how newspapers have operated for nearly a century, and how television operated for over 60 years.

What do you expect will replace it? A reversion to the patronage system? I don't think Bloomberg or Murdoch paying for content to be made in the way they want it is going to be an improvement.

Yes. They depend on advertising revenue and are worse off for it.

Journalists have a duty to report facts accurately but they must also keep the advertisers happy. Due to this conflict of interest, newspapers lose trust and are perceived as having little integrity. Gotta wonder if the article is presenting a truth or some version of it that happens to be aligned with the interests of the people with the money.

TV shows are sanitized for maximum advertiser appeal. Even when they push boundaries, it's carefully controlled by the networks. There are numerous and well-documented cases where they actively influenced the creative process. Gotta wonder what shows would be like if creators had true free expression.

> What do you expect will replace it?

I don't know. Hopefully something better.

> A reversion to the patronage system?

Perhaps. Would be great if we had some kind of crowdfunding or patronage system that lets people directly fund the creators they like. Art should work like an investment: large numbers of people invest in the studios they like and the work starts once enough capital has been raised. Since the money is guaranteed, creators get more freedom to do what they want. Since they'd be compensated before the work starts, copyright becomes irrelevant.

> How do you know?

Same way I know that that defining the ASCII code for T as 084 has never hurt anyone. It's an interpretation of information, independent of the human condition. Change my mind.

I would have accepted a case wherein a user in the arctic, with limited bandwidth, was hurt due to the cookie data interfering with the communication. Hand waving about a series of human failings being connected to a technology is not compelling.

I guess it's the same argument as the "gun" isn't responsible for gun violence, excepting cookies aren't even designed to reveal information. Guns are definitely designed (in part) be used against people.

It's not just any cookie though. You specifically mentioned tracking cookies.

> Nobody has ever been hurt by a tracking cookie in the history of the internet.

These cookies exist for no purpose other than information collection. They aren't even required for the website to function.

This isn't negligence, it's imprudence: being reckless with people's personal information, amassing large amounts of it in the name of profit without stopping to think about the consequences.

This isn't unique to cookies either. It applies to every browser fingerprinting method.

Ideally, big companies would be subject to the law just the same. However, small companies can get a head start by just not doing what they know they are not supposed to.

> Nobody has ever been hurt by a tracking cookie in the history of the internet.

It doesn't have to hurt me. I just don't like it and I don't want it, and that is a good enough reason for me to not give up my privacy.

You make good points and I am not arguing with you, but I found theses two books really convinced me that some balance is required, and worthwhile.

> some feel-good legislation that accomplishes nothing

It hasn’t been all 100% positive, and doesn’t apply to everyone, but GDPR has definitely had an overall positive impact on digital privacy practices globally. I say this as founder of a for-profit US web company affected by the legislation.

> Nobody has ever been hurt by a tracking cookie in the history of the internet.

This is really demonstrably false. Tracking cookies, tracking pixels, and other tracking technologies, have been and are still being used to de-anonymize people and cross-correlate browsing behavior of people visiting sites other than the one they’re on. The concern is over privacy, and tracking cookies are a real threat to privacy, hence the legislation.

(I do entirely agree with you, the default internet is pretty much like you said, sadly)

How is a opt out cookie the same as tracking cookie?

Isn't there a clear difference for a cookie:

    is_opt_out: true

    tracking_id: 374739585483292

It's the same problem with pages where most users are logged in: the few who aren't are suddenly such a small group that they become identifiable through other means.

  I = -log2(p)

1 - https://en.wikipedia.org/wiki/Information_content

1. Do a study and check how many people want to be tracked. Don't trust the data from websites because everyone is currently being tricked into accepting. Go out on the street, talk to someone for 5 minutes about how tracking works, how it can lead to more relevant advertising and a potential increase in revenues for the service they're using, but in return their browsing history, purchases, and communication will be tracked and associated with them. How many want to be tracked?

2. If 80%+ of people do not want to be tracked, then just create a law saying it's not allowed. That's it, we're done.

3. If less than 80% of people don't want to be tracked, then force browsers to prompt users on install to ask if they want to accept tracking. Websites, analytics, advertisers, etc, then need to respect that setting or risk being fined. No need for every website in the world to invent their own cookie/tracking pop-up system, and no need for people to adjust their settings on a per-site basis.

Ask the same people if they wanted websites to stay free.

I bet 80%+ would want to eat a cookie, a have it too. (No anti-pun intended!)

(Side note: the proposition of banning things if 80% don't want to use them is dangerous. No wanting something personally is not the same as banning it for everyone.)

Logging out of youtube feels like falling kneedeep into the gutter. What I personally want is more and smarter tracking, not less.

When I'm at random site I rather see ads for electronics kits I considered purchasing recently, not liposuction or some other gross random things I would never want or need or even like to be aware of.

Disclosure: I'm a Googler. Not sure how that affects my fatalism here.

Also, why do we assume that the choice is between the status quo and the total collapse of the internet ecosystem? That there's no way for digital advertising to generate a profit without gobbling up ever greater amounts of our personal data?

This seems like it's a silly nitpicking point, but in this context that's the whole point of the discussion: whether your users understand and consent to paying that cost.

Example: my personal website costs me about $35/mo to run. If I put ads on it, Google would tell me I made about $5/mo, and then take that $5 for themselves because they have decided they don't need to pay out small amounts. So I basically get to pay to host ads for Google.

Counterpoint: Wikipedia.

If you were able to say "tracking or subscribe" it would made much more sense.

Given how many people think the EU did a bad job defining cookies, tracking, tracking methods and etc, it would be fun to see what they would think about he definition of a "browser" as something that can be forced to implement a certain feature.

There's a very popular (it's a bit weird that number of reviews is so drastically different between Chrome and Firefox) extension called Honey. Apparently bunch of people install it because it provides free coupons. I don't believe people that use it know that ultimately they are the product.

Now that the auth headers are known about, they can be treated as such and expired based on user preferences, but by default after 24h. There can be an alert "google.com has logged you in and now knows who you are until you log out".

Auth headers are then only sent for a single origin, so no scripts to track you around the web anyway.

The cookie workaround for those that need to genuinely use them are 1. session feature mentioned above - tie to that on the server side and 2. stick something in the URL and then keep tracking that via links, like most SPAs do anyway.

Want to do analytics? Anonymous-ish pixel or server logs.

Local storage is another issue, that should be permission based. (+ any other dodgy web apis).

Someone might say, what about a site you don't log into but needs to remember your prefence? A. Easy local storage, and it will ask for permissions AWS style e.g. "enter the name of the site to agree ____"

Maybe get rid of UA string?

and to this day, cookies in firefox are managed in a hidden box with a giant list of all the sites you've ever accepted. they don't want you to manage these permissions.

but for permissions they intent for you to manage, you click the security icon and you can revoke what you don't want. if the only permission you granted is the right to store cookies, it says you haven't granted any permissions, although this is a lie.

I used it for a week or two, maybe. I stopped because it made the web unbrowseable. If you think one banner per site is bad, imagine at least 5 consecutive popups to start, plus the possibility of more when you took any persistent action our the site loaded a new 3rd party resource. And if you don't choose the whitelist/blacklist option right away, it's the same thing the next time you visit.

I stuck with it until it became clear that I was not going to run out of domains to whitelist -- ie, this was a never-ending workload -- and switched to accepting only first-party cookies. I don't think there was an option to decline 3rd party and ask for 1st party; I probably would have used it.

Of course it's not visitors who want persistent shopping baskets. It's sellers. And I don't really care about what they want. On ~100% of the websites I visit, I'm the visitor, not the seller. And given that webshops were a thing before persistent shopping baskets were a thing, I'll wager they can do without.

[1] https://varnish-cache.org/docs/trunk/phk/http20.html

That’s not so simple. Persistent shopping baskets create problems for sellers e.g. stock changes; price changes; products may become obsolete. Some of them let the cart expire at some point, even down to a couple hours for some (ASOS). As a visitor I do want a persistent cart accross sessions because I may need some time to make (nor not) my purchase. And no, I won’t give you my email just for that.

[0] https://varnish-cache.org/docs/trunk/phk/http20.html#beating...

Switching to server side storage would've been a too costly architectural change. What if the server side was stateless before?

And even if, web applications would still have needed to support the old model for interop reasons. It's not feasible for everyone to maintain code for both approaches when they are so different.

It'd also break many use cases, such as using a (signed) cookie as cache for some really frequently used data. Or more importantly authentication, where an auth service returns a token (in some cases a token that can be checked by a different service without contacting the auth service again).

So yeah, that was a non starter.

Then that's a pretty bad design choice to begin with? If some state is required for operation, but the website keeps it only on client? Not least of all reasons, for security?

As a concrete example for a common use case, websites show your user or first name in the top right corner. It's common to put this in a cookie set on login/logout. This avoids querying the user directory service (from the frontend or a different backend service) on every pageload. Security wise it doesn't matter if the user tampers with it, it's a display only thing. (More often than not it's signed anyway, and the cookie contains other things as well.)

Cookies meant to be presented back to a server can be signed and (optionally) encrypted. This is also a very widely used pattern ("cookie secret" is a good search term for concrete implementations in frameworks).

I was talking about statelessness on the server side. If you remove cookies from HTTP, you now need a database on the server side.

You also get extra communication (between the client/DB, or the web service/DB), whereas previously the data would've already been available in both (the client has the jar, and the web service gets it in each the request). Turning a local memory read into a network request can be a difficult architectural change.

Also, DynamoDB reads are priced per unit ;-)

So if that UI will be deployed, may be those popups won't make sense anymore.

Unfortunately, cookies are not conveniently labeled as "advertising" or "federated login".

That said, yes, it'd be nice if the legislation in question had mandated proper labeling of cookies, and then let the user's browser handle rejecting them.

Ultimately though by default I use extension to destroy cookies as soon as I leave the page, I can place an exclusion for sites that I frequent but when I do that I just allow all cookies. My reasoning is that if I have credentials they can track me using these anyway.

Anyway the whole thing is moot though, since advertisers are beyond cookies and use many other ways to track users. Now seems what their primary goal is, is to be able to tie multiple devices of the same user together.

That combined with Firefox Containers would make for a very powerful combination since you could have different containers that would be your logged-in interface to a specific site, without then having to allow other sites be able to set cookies.

> Delete cookies and site data when Firefox is closed

setting checked in preferences. There is a Manage Permissions button next to it that allows some more per-website control.

Websites can place however many cookies they want. It won't help them track me past a day.

Setting up Safari this way and using FireFox only with containers for each major web platform works really well for me and I have been able to talk non tech friends into trying it.

Whitelist a site and set default behavior to block will still allow that whitelisted site... I think so at least, maybe you need wildcards or something...

You're probably right that it won't be happening now..the cat's out of the bag.

It discards most of these popups. Coupled with unlock origin and decentraleyes, I think you’re pretty well covered against tracking without too much hassle.

Of course temporary containers is the cherry on top (although amazon seems to have a way to recognize you anyway because it almost always only asks me for my email before logging me in)

https://news.ycombinator.com/item?id=22245101

https://source.chromium.org/chromium/chromium/src/+/master:c...

s/browsers/popular &/

There are browsers and other clients that are still User-Agents in the literal sense but they are not the popular ones.

The popular browsers measure their success by market share, not qualitative measures.

That is why Firefox tries to stay more or less in lock step with the leading browser on features.

This is not done out of fear of being inferior by some qualitative measure but out of fear of losing market share.

When a website sends cookies, prompt the user "this website wants to track you, allow it? y/n".

The same way microphone/camera access it prompted. So it should be fine to reject this for news sites, a random museum, etc, but okay to accept for, eg: webmail, sites where you log in, etc.

We've simplified browsers UI so much, a SINGLE toggle button for this would be lovely!

No tracking-by-default, no need for a banner.

You don't need cookies for that. But, if you insist that you do, that can easily be a session cookie, not a stored cookie. And there's no need to obtain consent for a cookie like this, if it's not used to identify or track a (EU) person.

That is - if you're building a website and using the bare minimum cookies you need to make the website function, you don't need a cookie popup. The default here is that you don't need a cookie popup, and when you start tracking users and/or selling their data, you need to comply with ePrivacy and the GDPR.

There are plenty of ways to collect data about people without using cookies to do it, so GDPR would still be needed no matter what measures browsers took to block tracking cookies.

Did no one involved in the cookie legislation think to run the idea by a technical expert before passing it? Why wouldn't they have done something like introduce an X-Allow-Tracking header in the http spec, and make the law require that sites respect that header instead of every site making their own cookie popup. Browsers could make that privacy setting as detailed as they want as far as which requests they included it with, and the EU could strongly recommend that everyone use browsers that they've approved as supporting that setting (or even force it in various ways, like require any OEM browser that ships with a device in the EU support that setting).

Let's imagine a world where a government force car builder to add speed limiter to cars. The car builders all decides to just cut the engine if you go over the limit. Will you say the law is bad or that car makers are trolling everybody ?

It's the same for this law. But curiously everybody is prompt to say that the law is bad. The reality is that a majority of internet actors are bad and are just trolling us.

We don't need to imagine a world like that, because it has nothing to do with what we are talking about.

Let's stick to the real world. The EU implemented a law. Everybody is scared of the power of the government, so they implemented what they thought was the intention of the law, to avoid prosecution. The mom-and-pop flower shop down the street could care less about making troll political statements about technical internet topics.

Turns out, the law had stupid unintended consequences. Was the person who designed it stupid? Or is the entire world stupid?

If your answer is "the entire world is stupid," then I'd argue you don't understand how the field of design is supposed to work.

No, they didn't. They implemented something that they thought allows them to continue with the practices that the law was specifically designed to combat.

The user has very little motivation to accept tracking. The web site has a lot of motivation to track the user (because personalized ads = more money).

Thus, web sites make saying no as difficult as possible, while making saying yes as easy as possible.

A 100% compliant, user-friendly implementation would be showing non-personalized ads, then occasionally replacing one of those ads with a banner "want to receive ads that are actually relevant? click here to enable personalized ads" (which would lead to an informed consent dialog and set a cookie that would then apply to all web sites that use that ad provider).

But pop-ups coercing the user to consent are more profitable.

This could be fixed by enforcing the actual law (punishing the companies that tried to weasel out of it and processed data without valid consent) so that trying to weasel out of it is no longer a valid strategy.

The same companies have their customers convinced that they need data collection to turn a profit.

As a result we see all kinds of stupid attempt to circumvent the law because an entire industry of shady data collectors and brokers have convinced businesses that the only way of making money online is by tracking people.

The basis of your argument is: All data collection is bad.

Therefore, in your model of the world, an evil conspiracy of bad actors are looking to strategically undermine the law with various dastardly convoluted schemes. I understand why you're arguing that, given the premise you're starting with.

However, the majority of business on the internet are not doing evil things with your data. They simply want to better target their offerings to their customers, allow for you to keep items in a shopping cart, etc. If they are providing better services to their customers, they make more money and the customers are happier. It's a win win for everybody involved.

Could it simply be that, most businesses put cookie popups on their sites because they don't want to get fined? Not because they are embroiled in an elaborate scheme to undermine the law?

Could it be that the EU should have created a smarter law that would actually help people be more aware of data tracking? Instead of stupid popups?

I wouldn't be so sure. There aren't that many advertising and analytics companies, but they make products that are widely used (and clearly misused) everywhere. The websites using such tools were never told that they could avoid having the banner if they just didn't have tracking cookies.

As a user I don't want anyone to "better target me" - no single exception. Gosh I miss the time where we just burned the McDonald's...

There's no need to straw man secret cabals of conspirators, when it's just business. (Or if you want to get political, capitalism). When big tobacco companies pour money into lobbyists, fund skewed studies, and buy ads to flout anti-smoking legislation, no one calls it conspiracy. Businesses are incentivized to respond in certain ways.

They can do it without the cookie notice. For example, Amazon can track what I'm looking at on their site and what I'm buying and store it to their database. They can use this information to offer me what they think I'll like. Also, another user-friendly approach would be for a site to ask me to select categories/topics that I like. Whatever it is, GDPR gives me a right to export the data, review it, and ask for it to be deleted if I don't want the site to have it anymore. No need for cookies in this scenario. What they need cookies for is when one site wants to track what I do on other sites.

> allow for you to keep items in a shopping cart

This is a functional cookie and there's no need to ask for consent to store a shopping cart. This is just a perfidious argument that data tracking companies use to ridicule the law.

> Could it simply be that, most businesses put cookie popups on their sites because they don't want to get fined? Not because they are embroiled in an elaborate scheme to undermine the law? Not because they are embroiled in an elaborate scheme to undermine the law?

The law is very clear about when you need to ask for consent and when you don't need to ask for consent. Most sites implement it in a wrong way, many of them use deliberate dark patterns, for example, when you deny cookies you get a loading spinner that spins for a couple of minutes. These are all attempts to condition the user into avoiding pressing the "slow" button.

Using user’s data within the confines of a web app is usually OK so we can put just small much smaller guardrails up to keep companies respecting the public good.

I generally just don’t like my data shared with third parties. A single web site can literally pass your data on to hundreds of companies (as discussed in the book on Surveillance Capitalism).

I don't think that's stupid, nor unintended.

That's not what actually happened. Companies got scared that the law would impact their business model, for which the law was directly design to impact, and asked lawyers to find the minimum change which could be argued as being in compliance.

When you ask lawyers to find a solution to a problem you do not get the intention of the law. If you ask a lawyer to find a solution to tax law you don't get the intention of the tax law, you get tax avoidance, the direct opposite. And if you ask a lawyer about consent, as I have done during conferences, you get straight answers like "People can consent to a 20 page EULA they have not read or have the legal education to translate".

It not that the word is stupid or that the person who designed the law is stupid. It just happens that if you pay a lot of people who have studied and spent a large part of their life to find clever interpretations of words what you get is a clever interpretation that may or may not be what a judge will see.

To make a quick parallel, a bunch of lawyers for companies are arguing that while the company is having millions in profits and giving out a lot of dividends to shareholder, the company is at the same time in "economical crisis" and thus deserve government grant money in order to handle corona. The department in charge of giving out the money asked its lawyers and they agreed, but the politicians are now a bit upset since they disagree. And so now everyone is arguing/blaming each other and discussing if they should change the law to specify what an economic crisis is and isn't and if the change to the law should be retroactive or not.

It sounds like you're saying the lawyers are smart, but the government is still stupid.

Why didn't the government have any lawyers involved in writing the law?

Isn't that pretty...stupid?

  > If your answer is "the entire world is stupid,"

Only by using a very loose definition of "implemented" sans common implementation measures like clarification and enforcement.

> implementation measures like clarification

No directive needs clarification to be implemented as law. That's the most absurd thing I've heard all year.

You mean putting trust that a website behaves by implementing its own popup system versus enforcing it on the browser side with a single implementation? Doesn't sound sane to me.

Why don't we implement a law where visitors cannot enter your house when you are not at home, unless you consent. That way we can get rid of locks.

Very sane.

Very sane.

Unless of course you block me from your browser, then I can't do anything.

Trying to say that the law is bad because it doesn’t conform to some idealised version of it you had in your head doesn’t mean the law is bad.

This is not only sane, it is very obviously the only way it could be done. Remember, the law isn't about cookies or headers or anything specific: it is a law about user tracking. You're delivering JS that paints a font in a hidden area of the screen? It's then measuring the results and reporting data back to you to track this particular user? Then you need to ask for consent. The browser can't possibly know the intent of the code it is running, so the browser can't be made responsible for protecting user privacy.

Using fingerprinting for tracking is not GDPR compliant.

We already have P3P to allow websites to declare how they want to use your information. European legislation should have focused on leveraging these existing tools and protocols to give control to the user, instead of annoying them with endless pop-ups.

1. https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...