
The EU cookie legislation is still mind blowing to me. In terms of widely used protocols with terrible designs it's up there with US payment card processing (want to make a $5 payment? Hand over the secret that gives the other party the ability to take an unlimited amount of money from you at any time in the next 4 years, and hope they don't misuse it).

Did no one involved in the cookie legislation think to run the idea by a technical expert before passing it? Why wouldn't they have done something like introduce an X-Allow-Tracking header in the http spec, and make the law require that sites respect that header instead of every site making their own cookie popup. Browsers could make that privacy setting as detailed as they want as far as which requests they included it with, and the EU could strongly recommend that everyone use browsers that they've approved as supporting that setting (or even force it in various ways, like require any OEM browser that ships with a device in the EU support that setting).




The law itself is perfectly sane. The problem is that everybody tries to apply it in the worst possible way.

Let's imagine a world where a government forces car builders to add speed limiters to cars. The car builders all decide to just cut the engine if you go over the limit. Will you say the law is bad or that car makers are trolling everybody?

It's the same for this law. But curiously everybody is quick to say that the law is bad. The reality is that a majority of internet actors are bad and are just trolling us.


> Let's imagine...the car builders all decide to just cut the engine if you go over the limit.

We don't need to imagine a world like that, because it has nothing to do with what we are talking about.

Let's stick to the real world. The EU implemented a law. Everybody is scared of the power of the government, so they implemented what they thought was the intention of the law, to avoid prosecution. The mom-and-pop flower shop down the street could care less about making troll political statements about technical internet topics.

Turns out, the law had stupid unintended consequences. Was the person who designed it stupid? Or is the entire world stupid?

If your answer is "the entire world is stupid," then I'd argue you don't understand how the field of design is supposed to work.


> so they implemented what they thought was the intention of the law

No, they didn't. They implemented something that they thought allows them to continue with the practices that the law was specifically designed to combat.

The user has very little motivation to accept tracking. The web site has a lot of motivation to track the user (because personalized ads = more money).

Thus, web sites make saying no as difficult as possible, while making saying yes as easy as possible.

A 100% compliant, user-friendly implementation would be showing non-personalized ads, then occasionally replacing one of those ads with a banner "want to receive ads that are actually relevant? click here to enable personalized ads" (which would lead to an informed consent dialog and set a cookie that would then apply to all web sites that use that ad provider).

But pop-ups coercing the user to consent are more profitable.

This could be fixed by enforcing the actual law (punishing the companies that tried to weasel out of it and processed data without valid consent) so that trying to weasel out of it is no longer a valid strategy.


The law has stupid unintended consequences because it would kill the business of the tracking companies it targets, if they were to follow the intention of the law.

The same companies have their customers convinced that they need data collection to turn a profit.

As a result we see all kinds of stupid attempts to circumvent the law because an entire industry of shady data collectors and brokers has convinced businesses that the only way of making money online is by tracking people.


You're starting with a false premise.

The basis of your argument is: All data collection is bad.

Therefore, in your model of the world, an evil conspiracy of bad actors is looking to strategically undermine the law with various dastardly convoluted schemes. I understand why you're arguing that, given the premise you're starting with.

However, the majority of businesses on the internet are not doing evil things with your data. They simply want to better target their offerings to their customers, allow for you to keep items in a shopping cart, etc. If they are providing better services to their customers, they make more money and the customers are happier. It's a win-win for everybody involved.

Could it simply be that, most businesses put cookie popups on their sites because they don't want to get fined? Not because they are embroiled in an elaborate scheme to undermine the law?

Could it be that the EU should have created a smarter law that would actually help people be more aware of data tracking? Instead of stupid popups?


> However, the majority of businesses on the internet are not doing evil things with your data. They simply want to better target their offerings to their customers, allow for you to keep items in a shopping cart, etc. If they are providing better services to their customers, they make more money and the customers are happier. It's a win-win for everybody involved.

I wouldn't be so sure. There aren't that many advertising and analytics companies, but they make products that are widely used (and clearly misused) everywhere. The websites using such tools were never told that they could avoid having the banner if they just didn't have tracking cookies.


> They simply want to better target their offerings to their customers,

As a user I don't want anyone to "better target me" - no single exception. Gosh I miss the time where we just burned the McDonald's...


I like ads tailored towards my interest much better than generic ads. Am I the only one?


At this point I've blocked ads so for so long that I don't think I could ever go back to not hating ads, targeted or otherwise…


I don't think I've ever seen a more overt straw man. At least try to be a little sneaky about it, will you?


> Therefore, in your model of the world, an evil conspiracy of bad actors are looking to strategically undermine the law with various dastardly convoluted schemes.

There's no need to straw man secret cabals of conspirators, when it's just business. (Or if you want to get political, capitalism). When big tobacco companies pour money into lobbyists, fund skewed studies, and buy ads to flout anti-smoking legislation, no one calls it conspiracy. Businesses are incentivized to respond in certain ways.


> They simply want to better target their offerings to their customers

They can do it without the cookie notice. For example, Amazon can track what I'm looking at on their site and what I'm buying and store it to their database. They can use this information to offer me what they think I'll like. Also, another user-friendly approach would be for a site to ask me to select categories/topics that I like. Whatever it is, GDPR gives me a right to export the data, review it, and ask for it to be deleted if I don't want the site to have it anymore. No need for cookies in this scenario. What they need cookies for is when one site wants to track what I do on other sites.

> allow for you to keep items in a shopping cart

This is a functional cookie and there's no need to ask for consent to store a shopping cart. This is just a perfidious argument that data tracking companies use to ridicule the law.

> Could it simply be that, most businesses put cookie popups on their sites because they don't want to get fined? Not because they are embroiled in an elaborate scheme to undermine the law?

The law is very clear about when you need to ask for consent and when you don't need to ask for consent. Most sites implement it in a wrong way, many of them use deliberate dark patterns, for example, when you deny cookies you get a loading spinner that spins for a couple of minutes. These are all attempts to condition the user into avoiding pressing the "slow" button.


How about rephrasing this to: all data tracking that involves sharing a user's data with third parties is bad and should be outlawed.

Using a user's data within the confines of a web app is usually OK, so we can put up much smaller guardrails to keep companies respecting the public good.

I generally just don’t like my data shared with third parties. A single web site can literally pass your data on to hundreds of companies (as discussed in the book on Surveillance Capitalism).


> stupid unintended

I don't think that's stupid, nor unintended.


That makes the law stupid, dude. I want my lawmakers to apply a slight modicum of systems thinking.


> so they implemented what they thought was the intention of the law, to avoid prosecution.

That's not what actually happened. Companies got scared that the law would impact their business model, which the law was directly designed to impact, and asked lawyers to find the minimum change which could be argued as being in compliance.

When you ask lawyers to find a solution to a problem you do not get the intention of the law. If you ask a lawyer to find a solution to tax law you don't get the intention of the tax law, you get tax avoidance, the direct opposite. And if you ask a lawyer about consent, as I have done during conferences, you get straight answers like "People can consent to a 20 page EULA they have not read or have the legal education to translate".

It's not that the world is stupid or that the person who designed the law is stupid. It just happens that if you pay a lot of people who have studied and spent a large part of their life finding clever interpretations of words, what you get is a clever interpretation that may or may not be what a judge will see.

To make a quick parallel, a bunch of lawyers for companies are arguing that while the company is making millions in profits and giving out a lot of dividends to shareholders, the company is at the same time in an "economic crisis" and thus deserves government grant money in order to handle corona. The department in charge of giving out the money asked its lawyers and they agreed, but the politicians are now a bit upset since they disagree. And so now everyone is arguing/blaming each other and discussing whether they should change the law to specify what an economic crisis is and isn't, and whether the change to the law should be retroactive or not.


So you're telling me the EU government, whose entire job is creating effective laws...couldn't have seen that coming?

It sounds like you're saying the lawyers are smart, but the government is still stupid.

Why didn't the government have any lawyers involved in writing the law?

Isn't that pretty...stupid?


Trying to make good laws is not easy, and trying to anticipate how companies will react to them is also not easy. Really, in a vacuum, I think I can forgive them for not anticipating that "people will put up so many banners that it will undermine our law and make it look like we wanted more banners rather than people not using tracking cookies".


Yes, that was entirely predictable, was in fact predicted, and was really the whole experience of the cookie banners which have already plagued the web for years before the GDPR.


For the GDPR to be effective, there will need to be several more rounds of "yes, we really need you to change". It's a big change in business practices, and businesses don't like change when it comes to their revenue. Lots of laws get passed and then not effectively enforced, and I can't really blame businesses for not wanting to entirely upend their business model for something the EU might not care about in a few years.


> If your answer is "the entire world is stupid,"

I have never said that and it's not correct to suggest it. Lots of people are abusing other people with tracking and they have a financial interest to say that the law is bad and to act in bad faith. And they are doing it.


> The EU implemented a law.

Only by using a very loose definition of "implemented" sans common implementation measures like clarification and enforcement.


It's being enforced. https://www.enforcementtracker.com/ The huge list of people or organisations that come into compliance after an admonishment from the data commissioner does not even make the news.

> implementation measures like clarification

No directive needs clarification to be implemented as law. That's the most absurd thing I've heard all year.


> The law itself is perfectly sane. The problem is that everybody tries to apply it in the worst possible way.

You mean putting trust that a website behaves by implementing its own popup system versus enforcing it on the browser side with a single implementation? Doesn't sound sane to me.

Why don't we implement a law where visitors cannot enter your house when you are not at home, unless you consent. That way we can get rid of locks.

Very sane.


Nobody asks you to ask for that pop up at all. Just don’t track the users :)

Very sane.


Or I could just not give the popup and track you anyway. Nothing is stopping me (yeah the law will stop me haha).

Unless of course you block me from your browser, then I can't do anything.


You may also shoot me, law doesn’t stop you from doing that.


Sure, but why prefer a law over a technical solution?


Because it’s not always easy to see the technical solution.

Trying to say that the law is bad because it doesn’t conform to some idealised version of it you had in your head doesn’t mean the law is bad.


Konsoolo is right, this is the most stupid solution they could possibly come up with. Every time I enter a website, I see the bloody useless cookie banner. Those who designed this law have no idea how people behave on the internet. Nobody is going to read a cookie policy on every single website they enter; people want to get to the content they are looking for as quickly as possible. Privacy controls should be available at a browser level, so that 1) you don't force me to accept/refuse each time, disrupting the user experience, 2) I am not going to lose all settings if someone from customer support suggests deleting cookies, 3) I only set my preferences once, instead of having to decide a million times. The outcome of this stupid regulation is that website owners can still find a million ways to trick users with all sorts of dark patterns and subtle manipulation of language, and users have no way to defend their privacy unless they are willing to spend time understanding the workings of this on each website they visit.


Hahaha, the GDPR law itself is idealised! You have a weird take on the whole situation.


The solution to avoiding tracking can't be on the client side, because it's not the client side doing the tracking. So it should be obvious that the law can't target the browser, it must target the server.

This is not only sane, it is very obviously the only way it could be done. Remember, the law isn't about cookies or headers or anything specific: it is a law about user tracking. You're delivering JS that paints a font in a hidden area of the screen? It's then measuring the results and reporting data back to you to track this particular user? Then you need to ask for consent. The browser can't possibly know the intent of the code it is running, so the browser can't be made responsible for protecting user privacy.


How can you enforce it on the browser side? The issue is not the data stored on the client. In many ways it is impossible to implement.


This is about cookies, which are stored on the client.


Ok. So we drop the cookies and invent/use something else that works like cookies (e.g. an iframe that pings Google's server). What's that good for? Are you considering including CORS, iframes and whatever feature may leak information about the visitor in the law as well?


An iframe that pings Google is pointless if it doesn't send cookies.


How is that? It can send whatever it wants as query strings (e.g. timestamp, current window etc.)


Browser fingerprinting is a thing. In fact I suspect most of the supposedly GDPR compliant sites (so no cookies or local storage) still use fingerprinting in the background because you can't prove it's happening from the client (and the law is not being enforced anyway).


Most fingerprinting relies on Javascript (or maybe some CSS shenanigans) which you could prove from the client.

Using fingerprinting for tracking is not GDPR compliant.


It is not about cookies.

If you hire Harry Potter's friend to create a totally magic way to track users and collect data from them, GDPR still covers it.


The cookie law is the ePrivacy Directive 2002,[1] not GDPR. And as a user, I would much rather control my privacy preferences regarding cookies from my own browser, instead of within hundreds of different implementations across websites.

We already have P3P to allow websites to declare how they want to use your information. European legislation should have focused on leveraging these existing tools and protocols to give control to the user, instead of annoying them with endless pop-ups.

1. https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...


Interesting, I did not know that. Where is that covered? I want to read more.


GDPR is all about user data AFAIK. If I understand it correctly it avoided the trap that is to single out specific implementations.

Also it seems either I or someone else misread the context. I'm in the broader GDPR context while someone else seems to be in the older cookie law context.


> The law itself is perfectly sane. The problem is that everybody tries to apply it in the worst possible way.

A law that doesn't take into account how people react to it is not "perfectly sane". This was the obvious outcome before it passed.


There is no reason to submit to abusive people because we know in advance they will react in a bad way. Pragmatism has some limits and tracking everybody is out of limits even if it makes some types of business more difficult.


> A law that doesn't take into account how people react to it is not "perfectly sane".

Law is a back-and-forth process; you can’t just create a perfect law on day one then stop evolving.


> The law itself is perfectly sane. The problem is that everybody is technically compliant while ignoring the purpose of the law.

FTFY


If the worst possible application of a law is insane, then the law itself is NOT perfectly sane.


I don't see why. People don't need laws to do insane things. Everybody can do insane things and respect the law. Law is not a magical thing that forces everybody to act rationally and sanely.


Imagine the converse: if the worst possible application of a law is too sane, then the law itself is not _strong enough_.


I have never seen a cookie consent implementation that wasn’t annoying, and absolutely do not believe that this law has had any beneficial impact at all on anybody’s privacy. It is the very definition of a bad law. It makes the web worse and more user hostile, and achieves none of its objectives.


See the tracking consent page on https://basecamp.com/? No? That's because there isn't one.

Every time you see one of those cookie popups it is a sign, right there front and centre, that the website you are trying to use is trying to play fast and loose with your data.

Complaining about these notices would be like complaining that restaurants are forced to put up a sign on their front door "Kitchen employees don't wash their hands" when they get caught not doing so.


> Complaining about these notices would be like complaining that restaurants are forced to put up a sign on their front door "Kitchen employees don't wash their hands" when they get caught not doing so.

Brilliant. I might copy and reuse that.


I wouldn't recommend it. It's a bad analogy and if I saw someone use it I'd think they don't have a good grasp on web technologies. Cookie tracking is used to do things like persist shopping cart items without logging in, and plenty of other things users expect websites to do. It is also used in data collection, but that's more of a moral objection to advertising-based monetization than some sort of strictly-worse practices (like kitchen employees not washing hands).


Just to be clear, you can still use cookies, you don't need consent. Shopping carts and login sessions etc. will work just fine.

You can still display advertising, that also doesn't need consent.

You just can't collect and process people's data that isn't required for providing the service. If a site displays that notice, it's because they're attempting to do more with your data, or collect extra data, than is strictly needed for the service.


Perhaps in theory. But in practice, nobody wants to risk being fined because a court determines that some data wasn't required to provide the service. Do you really need to have persistent carts for non-logged-in customers? Can't you just only offer the cart for logged in customers? It's not required, just beneficial.

Thus, these cookie disclaimers are like Proposition 65 warnings in California. They're everywhere so people ignore them.


The most likely first step in the UK is that the ICO will get in touch and tell you you've done something wrong and need to fix it. Courts and enforcement penalties come later if you persist, or your infraction was significant.

I run websites, and I don't feel in any way worried about it personally.


Right, and the easiest way to fix it is to throw up a cookie disclaimer and forget about it. So disclaimers become ubiquitous.

Are you familiar with Proposition 65 in California? Any product or business location that has any detectable amount of carcinogens needs to disclaim that it potentially contains carcinogens. Among other things, gas stoves and roasted coffee both contain trace amounts of carcinogens. So most restaurants and coffee shops display Proposition 65 warnings. Said warnings have become so ubiquitous that nobody cares about them. The same scenario is playing out with cookie disclaimers.

> Except there's no such thing as a cookie disclaimer as I said in another comment. Extra tracking/data processing has to be opt in, and you have to provide the service to the user even if they don't opt in, so you can't just throw up a notice that says you might not be compliant because you still need to be compliant.

Yeah, they do exist. And you can find them on plenty of sites that block content unless the disclaimer is accepted. You may be of the mind that this is not compliant with the legislation, but reality demonstrates otherwise.

> Prop 65 is different. The cookie law is like saying "if you sprinkle extra carcinogens in your product then you need to disclose it".

This is making the same error as the washing hands analogy. This ignores the fact that cookies are necessary to power user-facing features.


> Right, and the easiest way to fix it is to throw up a cookie disclaimer and forget about it. So disclaimers become ubiquitous.

Except there's no such thing as a cookie disclaimer as I said in another comment. Extra tracking/data processing has to be opt in, and you have to provide the service to the user even if they don't opt in, so you can't just throw up a notice that says you might not be compliant because you still need to be compliant.

> Are you familiar with Proposition 65 in California?

Yep, it's irrelevant.


Prop 65 is different. The cookie law is like saying "if you sprinkle extra carcinogens in your product then you need to disclose it".


> This is making the same error as the washing hands analogy. This ignores the fact that cookies are necessary to power user-facing features.

I don't know if you're doing this deliberately or not at this point because I've said it so many times.

You. Are. Allowed. To. Use. Cookies. Under. GDPR.

There are times you need to ask for consent, but for login cookies, shopping carts etc. that follow some relatively simple guidelines, you don't need to ask for permission.

Do you really find that so hard to understand?


> You. Are. Allowed. To. Use. Cookies. Under. GDPR.

Until a government bureaucrat decides that your usage is not necessary and they threaten you with a fine.

You are not the one enforcing these laws. What you think is a reasonable interpretation of these "relatively simple guidelines" is no guarantee that a government commission is going to reach the same conclusion. Do you really find that so hard to understand?


If the ICO decides you're in breach of the rules, and has reached out to you to help you comply and you aren't receptive you're just going to end up in court and you can argue your case there, and if you can't trust your courts then you've got other problems.


If you allow users to add items to their cart without logging in, that isn't tracking them. It's just storing the information which the user wants you to store on their browser.

Many people click "add to cart" without logging in because that is the service they want. Nobody voluntarily clicks "track and analyze my activities on this site", because that is not a service people want.


> Many people click "add to cart" without logging in because that is the service they want. Nobody voluntarily clicks "track and analyze my activities on this site", because that is not a service people want.

You realize that in order to implement "add to cart" you have to track their activity on the site? That's what the cookie is for. To track customers and persist their cart. If you can't track customers then you can't associate them with their cart.

As far as analyzing activities, what is and isn't allowed is murky. Is it okay to do A/B testing and see the impact on sales? This requires tracking and analyzing user activity, but isn't necessary to provide the service. But it is necessary to actually determine whether changes to the service are positive or negative. So do you throw away A/B testing, do A/B testing and risk fines, or throw up a cookie disclaimer?

> If you can't work out what data is and isn't required for the functioning of your site then perhaps you shouldn't be running one.

I'm more than confident in developers' abilities to know what is and isn't required. I'm dubious of government bureaucrats' abilities to do so.


If you can't work out what data is and isn't required for the functioning of your site then perhaps you shouldn't be running one.


A "cookie disclaimer" does not solve any of the problems you describe.

First, you can't avoid solving the murky analysis. You must be able to specify in clear language what personal data you're using for what purpose and which specific paragraph of the GDPR gives you the legal basis to do so.

Are you using that data for A/B testing because it's a legitimate need where you don't need consent or because the user consents to it? Well, you have to decide before implementing that disclaimer, because the disclaimer should clearly state that answer!

Furthermore, if you decide that some use case does not fit the legitimate need criteria and you need consent, then a "cookie disclaimer" does not reduce the risk of fines - because a disclaimer does not collect opt-in consent, it can (at best) record acknowledgement, so if you need consent but only have a disclaimer, then that still risks fines.

On the other hand, if you trust your developers to know what is required and what's not, and you have documented it properly (because it's not just a good idea, it's mandatory), then you should be able to run that documentation through your local data protection authority to validate any doubts, that's part of their job, and wherever I have seen them work it's something they eagerly do.


You can't implement carts, persistent or otherwise, without cookies (localstorage et al is a type of cookie), because clicking on a link would throw away the cart data. If people click "add to cart" then of course they want you to track the cart contents; that doesn't give you right to track anything else.


Right, and now you get sued by a group claiming that you don't need carts for non-logged in customers. Do you need to provide carts for non-logged in customers? No, says the lawyer, you selfishly used cookies to track people without consent in order to improve your sales. Or you can just throw up a cookie disclaimer to cover your ass.

Sure, the cart is perhaps a trivial case. But persistent tracking is also used to prevent abusive behavior, and other things that aren't strictly necessary. The risk that someone might try to claim that these are unnecessary far outweighs the cost of throwing up a cookie disclaimer. Thus, cookie disclaimers become pointless through their ubiquity.

Reply to your comment, since HN is rate limiting my work VPN:

> That's not how it works. Someone complains to the Information Commissioner's Office (ICO). ICO determine if the complaint is valid and will get in touch with the site owner to help them come into compliance.

And then they get sued if they don't come into compliance. This is just elaborating extra steps.

> There is no such thing.

> You have to make unnecessary data collection and tracking opt in. You can't have a notice that says "we might do x unnecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.

Right, and websites don't display content unless this supposedly unnecessary data collection is opted into. Because nobody wants to risk being on the wrong side of ambiguous restrictions on necessary and unnecessary tracking. You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.

Again, carts aren't actually necessary. They make it easier for users to buy multiple items, but you can make cart-less checkouts by having customers select all items on a single page. Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.


> Right, and now you get sued by a group claiming that you don't need carts for non-logged in customers.

That's not how it works. Someone complains to the Information Commissioner's Office (ICO). ICO determine if the complaint is valid and will get in touch with the site owner to help them come into compliance.

> Or you can just throw up a cookie disclaimer to cover your ass.

There is no such thing.

You have to make unnecessary data collection and tracking opt in. You can't have a notice that says "we might do x unnecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.


> That's not how it works.

In some countries your competitors or some other third parties can just directly send you a cease-and-desist letter if they believe you're violating some law.

Even if that letter turns out to be unfounded because it turns out that implementing a shopping cart using cookies without an explicit consent is a legitimate use case, they're quite a bit more of a hassle to handle than your supposed friendly ICO just "get[ting] in touch with the site owner to help them come into compliance".

So one more reason to err on the side of over-caution and just put up a popup for any kind of cookie...


This is a reasonable grounds to discriminate. No one is required to provide non-logged-in users a bulk product purchase interface. They could choose to buy each product separately, or sign in. A bulk purchase cart is not essential, it is a convenience.


> And then they get sued if they don't come into compliance. This is just elaborating extra steps.

If you don't come into compliance with data privacy laws after being helped to do so by the ICO, then yes, you deserve to end up in court.

> Right, and websites don't display content unless this supposedly unnecessary data collection is opted into.

That's literally not allowed under GDPR. You can't avoid the GDPR by doing something that is in violation of the GDPR. It's like trying to avoid getting a speeding ticket by going faster.

> You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.

Yes, and they're not compliant with the GDPR. Not all sites will get the tap of the ICO's hammer though. Some are going to be too hard to enforce (non-EU-only entities for instance) and some just won't get complaints.

> Again, carts aren't actually necessary.

Nope, they are very much allowed.

> Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.

Nope, totally incorrect.


> You can't avoid the GDPR by doing soemthing that is in violation of the GDPR. It's like trying to avoid getting a speeding ticket by going faster.

Well, it worked for the Dukes of Hazzard, and it seems to be working well for Facebook et al so far...


I do see a uuid cookie though.


This is based on your own interpretation of what the law is supposed to do, and not the stated intention of the law. The premise that use of any cookie that would require a consent banner can only possibly mean abusive tracking is simply false. The UK guidance on the law describes 4 categories [0]: strictly necessary, performance, functionality and tracking. The presence of a cookie consent banner could mean nothing more than that the specific functionality of the service requires it. Furthermore, the difference in categorization from one cookie to another depends in part on how the data is used rather than what types of collection are technically feasible. The absence of one could also mean that the service is simply non-compliant, and the presence of one is not sufficient to make the judgements you're making. Compliance, even among those who choose to display a banner, is incredibly low [1]. The law has simply had no impact at all on privacy; the way it has been implemented only serves to annoy and mislead consumers, and if you actually do use it to divine the information you're claiming to, then you're simply intentionally misleading yourself.

[0]: https://www.cookielaw.org/wp-content/uploads/2019/12/icc_uk_...

[1]: https://www.engadget.com/2020-01-13-websites-not-following-e...


I'm specifically talking about the GDPR which is the cause of all the popups we're seeing (but to be clear, doesn't require a popup), not the earlier "cookie law", which I agree is crap, and that you linked to.

However, that law does state that you don't need to get permission if the cookie is:

"Strictly necessary to provide a service explicitly requested by the user"


Which doesn't cover:

A cookie that remembers your shopping cart if you leave the site and return to it later.

A cookie that remembers any preference you register if you leave a site and return to it later.

A login cookie that persists after you leave the site doesn't explicitly require consent, but if you don't get it, then you are technically deviating from the guidelines that "[strictly necessary cookies] will generally be first-party session cookies" and that session cookies are "temporary and expire once you close your browser (or once your session ends)". If you had a persistent auth cookie, it would be reasonable to lean towards consent based on the published guidance.

from https://gdpr.eu/cookies/

> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.

> To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

> Receive users’ consent before you use any cookies except strictly necessary cookies.

Your stated understanding of when consent is and is not required is simply incorrect.


> Receive users’ consent before you use any cookies except strictly necessary cookies.

Yup.

> login cookies

Put an unchecked "Remember me" checkbox on your login page and link to your cookie/privacy policy. This is a good idea anyway as the user might be on a shared computer.

> Preferences cookies

Allowed to be persistent as long as they don't contain user identifiable information.

> A cookie that remembers your shopping cart if you leave the site and return to it later.

I couldn't find any specific guidance on this, so it seems reasonable to use a cookie that might last a few hours or so, then have a talk with your local Information Commissioner's Office if someone complains.


The actual law can be found here: https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19

Emphasis mine:

However, such devices, for instance so-called ‘cookies’, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

Where are you getting that some cookies don't require consent?


https://gdpr.eu/cookies/ says (emphasis mine)

> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

See the "Cookies and the GDPR" section for discussion.


Why are you so unwilling to read anything on that page except that specific paragraph? The next paragraph says:

> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.

and further down the page a little bit:

> Receive users’ consent before you use any cookies except strictly necessary cookies.

I sincerely hope that nobody reading this thread follows any of your terribly incorrect advice.


Preference cookies are not allowed to persist without consent. Not only is your interpretation of the regulations very highly opinionated, but it’s just outright wrong on some points. Your assertion that anybody who deviates from your opinions on the regulation, or doesn’t share your misunderstandings must be abusing data by asking for a cookie consent is frankly ridiculous. The guidelines also state that even for Strictly Necessary cookies, the site must explain why they are necessary, something your canonical example of a good site fails to do.


> Preference cookies are not allowed to persist without consent.

OK, I am willing to be educated, point me at the place in the regulations this is discussed.

> Not only is your interpretation of the regulations very highly opinionated, but it’s just outright wrong on some points.

s/opinion/interpretation/

> The guidelines also state that even for Strictly Necessary cookies, the site must explain why they are necessary, something your canonical example of a good site fails to do.

You don't need to do this in a cookie popup consent dialog. You are welcome to carry on thinking this if you want to though obviously.


> Preference cookies are not allowed to persist without consent.

> OK, I am willing to be educated, point me at the place in the regulations this is discussed.

It is not discussed, it is stated very explicitly:

>(66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:...

If you want to persist any preference information, you must get explicit consent. Whether you use that information for tracking or not, or whether it is combined with PII or not, has absolutely no bearing on your obligation. The act of persisting that information in the user's browser requires consent. As this is a directive, it will be implemented independently by every member state, so if you want specific guidance for a specific state, you'll have to look it up. I linked the UK's guidance on this to you above, which you ignored. The facts are:

> If you want to persist any preference information, you must gain explicit consent

> The existence of cookie consent dialog is not a sign of malfeasance

> Lack of a cookie consent dialog is not a sign of lack of malfeasance

> Your stated interpretation of the regulations is very highly opinionated, and not supported by any jurisprudence

> Some of your stated interpretations are just demonstrably wrong

> The actual regulation is almost never followed

Based on those facts I would argue that the regulation has provided no benefit to the public at all, and has simply created a global nuisance that we all have to put up with now.


It's a little closer to "kitchen employees may touch pens or keyboards". Of course the restaurant is going to print off a sign and stick it to the door instead of asking staff to remind you that they're going to write down your order.


I think you are talking about wait staff not kitchen staff.

The thing is, wait staff need to use pens/keyboards to do their job. It's part of what it is to be a waiter or waitress.

GDPR doesn't make website owners ask people if they can use cookies, you can use cookies just fine without asking people. You have to ask people when you want to collect or process more data than is required to provide the service.

The point of the analogy was to make a comparison between being clean with data and being clean with food.


> GDPR doesn't make website owners ask people if they can use cookies, you can use cookies just fine without asking people. You have to ask people when you want to collect or process more data than is required to provide the service.

I don't have any first-hand knowledge here, but my guess would be that the corporate lawyer's recommendation is always going to be "just get consent for every cookie". The alternative is to risk lengthy litigation over whether specific cookies required the consent. If they ask every time, they can avoid that nightmare.

Because of this, the notice doesn't really serve any purpose of a signal of sysop goodwill. Virtually every business large enough to have lawyers will add it where there's the possibility it'd be required, regardless of the cookie's intention.

Well-intended law that causes many negative side effects is still bad law, just as well-intended software may very well still be bad software.


It's up to you if you want to stick unnecessary notices on your website. If your lawyers tell you to do this then do it, or get better lawyers.

Some lawyers make restaurants get waivers from customers before they order steak that's not fully cooked. It doesn't mean it's necessary (and I would definitely not eat at one).


@pembrook wrote this elsewhere in the thread [0]:

> If your answer is "the entire world is stupid," then I'd argue you don't understand how the field of design is supposed to work.

And I think it really sums the argument up. Good design and engineering is about building something that performs its function efficiently, reliably, and unobtrusively. If something is widely misunderstood or misused, it's a design flaw.

"Blame the [law-abiding] citizens" is just as much of a cop-out as "blame the user".

In this case, however, it's not a case of general misinterpretation or misunderstanding. It's a case of the law creating very strong -- like significant-millions-of-dollars-on-the-line strong -- incentives for every significantly-sized company to harass every visitor. That's a pretty huge flaw.

It sounds like your response is basically "well if they aren't doing anything wrong, they have nothing to fear! just go to the tribunal and prove that every cookie is innocent." And in that case, please refer back to pembrook's quote above.

[0] https://news.ycombinator.com/item?id=23095303


> want to make a $5 payment? Hand over the secret that gives the other party the ability to take an unlimited amount of money from you at any time in the next 4 years, and hope they don't misuse it

I don't understand this at all, and I always feel so nervous using my card at US retailers for this reason (these days I try to stick to PayPal where possible). Where I'm from, _all_ one-off online card transactions are 2FA'd between you and your bank; it was strange to say the least the first time I paid for something on Amazon and the transaction just...went through.


In the US this isn't a major issue due to very consumer-friendly legislation. This is omitting some details, but effectively you call your card provider and say you didn't make a purchase. Then it's effectively up to the merchant to prove you did.


That's not really consumer friendly. We wind up paying higher costs for everything because of this. The lost money doesn't magically disappear - the merchants have to include it in their costs.

Actually fixing the problem - 2FA etc. - would probably be more consumer friendly in the long run.


It really just depends on what you value most when it comes to "friendliness". If you value being able to just swipe your card or enter your details and be done with it, and not have to deal with 2FA prompts, remembering a PIN, digging in an app on your phone, or waiting for a code via SMS, then you might not mind the small price increases around the board to account for fraud.

Not saying that's the case for everyone, but you can't define "customer friendly" in a narrow way that conforms to your personal desires and assume that's that.

Also consider that if banks did have strong authentication around every purchase, there would be less of an incentive for banks or merchants to agree to roll over and eat the cost when there is fraud (and more ammunition for them against laws that require them to). No security/anti-fraud system is perfect, and something will always slip through; I wouldn't want to be a card holder stuck with a big bill because someone managed to clone/swap my SIM (for example) and make transactions using my card if I had no protection from that.


My local Costco still isn't set up to handle chip cards at the gas station. No Apple Pay, either. That's just silly.

Other countries had chip cards and contactless payments in widespread use a decade or more before the US even got support for them.


From what I can tell, most gas stations aren't set up for chip cards. I got gas last weekend at a Shell station in SF and was surprised to see the reader was chip-capable. Seems like it's still pretty rare. It's moderately insane that gas stations have been allowed to drag this out so much, considering that gas pump readers are a huge target for card skimmers.

(Then again, I guess a chip reader doesn't stop people from putting in a skimmer that just reads the card number as usual through the magstripe.)

The pump also had a pad for contactless payments, but I couldn't get it to work with either my phone or the NFC chip on my credit card. Maybe it only works with Shell's own card? Wasn't clear.

(And at the complete other end of the spectrum, I then went to top up my tire pressure, only to find that the air pump wanted quarters, and only quarters. Fortunately the attendant turned it on for me for free. I usually don't carry much cash around with me, and even more rarely have coins.)


> Then again, I guess a chip reader doesn't stop people from putting in a skimmer that just reads the card number as usual through the magstripe.

I'd imagine it would do though, as many chip readers only need you to insert your card far enough to read the chip, which isn't far enough to read the entire magnetic track and thus skim the track (am layman though)


Maybe US issuers were much better at on-line fraud detection and didn’t need the newer system?

Hoping someone from the industry can comment, but I was under the impression that US issuers were eventually forced into EMV, after dragging their heels, because the US became a prime market for cashing out mag stripe data from non-US issuers.


Not because they are better at fraud detection, but because US issuers levy much higher fees from their customers across the board and so can eat more fraud-related losses.


Yep. In the US the interchange fee is more than 2% of the transaction. In the EU, interchange fees are capped at 0.3% of the transaction for credit cards and at 0.2% for debit cards. That's why in the US they have those cash back options on credit cards, which are just not possible in Europe.


Consumers have been paying for merchant losses since before credit cards even existed. The price of shoplifting, robbery, burglary, etc. has always been factored into brick-and-mortar pricing (even if only via the cost of insurance). The cost of fraud is factored into online pricing. It's not a problem that's going to go away.


"It's not going away" is not a good reason not to mitigate.


2FA would also have higher costs for consumers, possibly much higher costs due to customer support staff and having to reset that second factor.


Speaking of omitting details. Consumer friendly legislation helps solve a problem that need not exist in the first place and saying this “isn’t a major issue” assumes:

a) the consumer catches it in time

b) the consumer has the time to deal with the bank (try calling Wells Fargo in the midst of COVID)

c) it doesn’t cause the consumer’s rent check to bounce

The US payment card system is not a good solution for the non-cash payments problem.


AFAIK you're talking about 3DS and under 3DS the code is treated like a PIN. So if you want to revert transaction protected by 3DS, you're out of luck, because you acknowledged it yourself. Now if your transaction is not 3DS (or PIN) protected, you can claim that your card was stolen and bank should revert transaction and issue new card.

So it's about who's responsible. Without 3DS or PIN a merchant is responsible. With 3DS or PIN a client is responsible.


Keep in mind that this difference only applies to fraud. You can still dispute transactions for other reasons (missing/wrong goods delivered, etc).


I have never had trouble getting a transaction I legitimately needed reverted to be reverted.


The banks have determined that the cost of preventing fraud is higher than the fraud itself. If you suspect fraud on your account, or if a card is stolen/lost, the fraudulent transaction is quickly reversed and a new card arrives in the mail in 2-3 days.

And it's pretty rare. I've had only one actual instance of electronic fraud, and one stolen card in 20 years. That's 20 years of never having to remember or type in a PIN.


2FA has apparently been found too expensive. Banks do a lot of fraud detection in the background.


I get your decision making but the annoying thing is that using PayPal will most likely reduce your legal protections? Fingers crossed PayPal don't screw you over...


Look up what a "chargeback" is. That's the mechanism (which has been working well enough in practice to keep the system going, with everyone happy, except for some merchants of course) that prevents the dangers you are thinking about from occurring too often to unsuspecting card holders.


Then it brings with it a whole list of different problems, like being incredibly susceptible to buyer fraud, the cost of which everybody then has to eat.

Meanwhile it causes the payment processors to not want to do business with merchants who get a large number of chargebacks, even if the problem isn't with the merchants but with their customers. In other words, it discriminates against merchants who do business with disadvantaged clientele who are more likely to have payment issues.


A merchant getting excessive numbers of chargebacks is not in and of itself an issue if you have all your ducks in a row.

I mean it's an interesting enough heuristic, but can you provide an example of a processor that would refuse to do business with someone because they had excessive chargebacks, but also had the information in place to prove the purchases in question?

I mean, if you've got crappy customers, I can understand where you're coming from, but I think your choice of customer base to market to may be more in question than whether the system as a whole is fit to transact in.

I don't have much firsthand experience in it though, so I'd be thrilled if you could share some insight on it.


> I mean it's an interesting enough heuristic, but can you provide an example of a processor that would refuse to do business with someone because they had excessive chargebacks, but also had the information in place to prove the purchases in question?

The problem in many cases is the difficulty in proving the purchases. For something like digital content, the only proof you'd really have is some server logs showing that it was transferred, which are naturally trivial to fabricate because they're entirely under the control of the seller, and so the payment processor may not give them much weight.

> I mean, if you've got crappy customers, I can understand where you're coming from, but I think your choice of customer base to market to may be more in question then whether the system as a whole is fit to transact in.

But then you run headlong into the efficient market hypothesis, because when everybody else is avoiding that customer base for those reasons there is less competition and thereby greater opportunity.

Also, from the perspective of the customer, just because 30% of similar customers are dirtbags doesn't mean you are or that you don't want to be able to buy your stuff.


I did not say it does not have any problems. The poster said that they don't understand why the whole system even works. I simply explained the mechanism by which it currently works. I did not say it was flawless.


>Did no one involved in the cookie legislation think to run the idea by a technical expert before passing it? Why wouldn't they have done something like introduce an X-Allow-Tracking header in the http spec, and make the law require that sites respect that header instead of every site making their own cookie popup. Browsers could make that privacy setting as detailed as they want as far as which requests they included it with, and the EU could strongly recommend that everyone use browsers that they've approved as supporting that setting (or even force it in various ways, like require any OEM browser that ships with a device in the EU support that setting).

Like with DNT? Nobody cares about that. Defaults matter too and DNT is default off. So it probably adds more entropy if you enable it.

Besides that: Technical cookies (or any other storage in your browser) that are required for your site to work do not require consent. Tracking from ads are obviously not included in that definition.


Wouldn't we just get pop-ups saying, "please enable X-Allow-Tracking for this website"? Same thing that some websites do in response to ad blockers.


Yes, it means that if you consent for cookies, you don't get annoying popups everywhere. Or, what actually would be interesting, a law explicitly disallowing "please enable X-Allow-Tracking for this website" popups.

Right now the web is broken anyway - some pay (in data and ads), some are free-riders. And everyone is pestered by cookie popups. This "no tracking unless required for functionality" would make it nice to change to a model of actually paying for use. (It promotes quality content, fewer distractions, less clickbait; and thinking twice about whether you want to spend more time on yet another meme aggregator.)


It's malicious compliance.

Sites were supposed to stop using a shotgun method of grabbing all data they can, sharing it with everyone that will take it, and hoping something will stick. They were supposed to take responsibility for data they collect and share.

But instead of changing anything, sites went for the laziest workaround (which apparently isn't even legal), so that they could ignore the legislation and keep business as usual.


There is no "cookie law". Nothing in the law has to do anything specifically with cookies.


There absolutely is a cookie law. The UK legislation is "PECR" [1] which sits alongside the GDPR.

> PECR are the Privacy and Electronic Communications Regulations. Their full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003.

> They are derived from European law. They implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’.

> PECR cover several areas:

> The use of cookies or similar technologies that track information about people accessing a website or other electronic service.

See "How does this fit with the GDPR?" for how the two relate, tl;dr:

> The GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but using the new GDPR standard of consent.

[1] https://ico.org.uk/for-organisations/guide-to-pecr/what-are-...


This is correct in GDPR. This is why you can’t use something like LocalStorage, ETags or something else as a loophole.


No, you can't, because the law concerns itself with data storage and processing, not whether you are using a cookie.


Ah that was a brain fart moment, sorry. I meant to say you cannot use, GDPR is something I handle daily. Thanks for correcting, I amended the answer.


This is not correct, in the UK at least. Similar technologies like LocalStorage fall under cookie law. [1]

[1] https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...


Parent edited their comment from "can" to "can't", and I got downvoted, yikes.


"introduce an X-Allow-Tracking header in the http spec" The DNT HTTP header is about 10 years old. It is widely ignored by many data collectors.

https://en.wikipedia.org/wiki/Do_Not_Track


I think they tried a cooperative approach with more technical design . It was called DNT .. the do not track header thingy. Failed because no one gave a shit. So they made it financially painful. It is the only language companies understand and respect.

Cookies are also just a method. GDPR is not specific about it.


4 years? You're lucky. My Argentinian card expires in 2031. Yet I've never gone more than 2-3 years without having to cancel it due to some bad actor overcharging me.


Note that the law only requires these banners for cookies which e.g. track you. (Which by now require far more opt-in than a cookie banner, thanks to GDPR.)

Purely functional cookies, like those used for CSRF prevention or login, do not require any user notification as far as I know.

(Be aware that this is only true for login cookies which are just used to handle an active login, which means they must set the right flags to not be sent to a different domain, etc.)


Believing that there is such a thing as an "EU cookie legislation" is a clear sign that you don't know what you are talking about. You seriously want the EU to micro-manage the HTTP spec?


> You seriously want the EU to micro-manage the HTTP spec?

Well no, what you really want is browsers that do the right thing to begin with and e.g. block third party cookies by default. Then you don't need "cookie legislation" at all.

But if they're going to require something then it should at least be clear what the requirement is. If multiple large corporations who can obviously afford competent attorneys are doing something ridiculous, that's pretty good evidence that your legislation is drafted stupid.


But it is not just third-party cookies that are the issue. If that were the case it would be easy to solve. But consider if you buy some books or sex toys or whatever from an online store. Do you want the store to sell information about your purchases to third parties? That is what the "cookie consent" is about.


But that has nothing to do with "cookies" at all. You could in principle implement purchasing using client-side javascript without any cookies, as long as you don't care that the customer's shopping cart disappears if they close their tab, and when the customer sends their purchase information you'd still have all their personal info even if you didn't use any cookies.

Meanwhile the actual problem with (third party) cookies is that they're used to correlate users across multiple sites for tracking purposes, which goes away when browsers stop accepting third party cookies by default.

> But consider if you buy some books or sex toys or whatever from an online store. Do you want the store to sell information about your purchases to third parties?

This is really a different problem, because how are you supposed to know if they're doing this anyway? How is the government? Once they have your information there is no real way to tell what they're doing with it if they're willing to lie to you.

So the answer is to make it so they never actually have your personal information. But for this we need some kind of anonymous digital payment system for small transactions, so that the vendor doesn't have to know who you are. If all they have is a transaction ID from a bank that lets them get paid and a virtual one-time-use PO box number you had the item shipped to which forwards to your real address for a week and then is deleted forever, they can do whatever they want with that information and you don't have to worry about it.


The obvious problem we all know is that a browser cannot distinguish between a functional and an advertisement cookie. And honestly, cookies are a method. There are tracking methods where the user agent has no chance and is not involved.

Also GDPR is addressing much more than tracking consent.


> The obvious problem we all know is that a browser cannot distinguish between a functional and an advertisement cookie.

Sure it can. Functional cookies come from the domain the user actually visited, advertising cookies come from other domains. That's not always true, but it's true often enough that those should be the defaults.

Firefox even does one better. It has a feature you can enable called "first party isolation" that allows third party cookies, but keeps a different set of them for each domain the user actually visits, so if the user visits a different site none of the third party cookies from the first site are there and they can't be used for tracking between sites.

> Also GDPR is addressing much more than tracking consent.

Next week we'll probably discuss some different part of it that would have been more effective if done some other way.
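The comment above describes two browser-side defaults: refusing cookies from any domain other than the one the user navigated to, and Firefox-style first-party isolation, which keeps a separate third-party cookie jar for each visited site. The following is an added example, not code from the post or from Firefox: a small JavaScript model of both policies next to the classic allow-everything jar, driven by a simulated tracker embedded on two sites. The domains shop.example, news.example and tracker.example are constructed for illustration.

```javascript
// Toy model of three cookie policies (added example; domains are constructed):
//   "allow-all"              classic behaviour, one jar keyed by cookie domain
//   "block-third-party"      cookies from domains other than the visited site are dropped
//   "first-party-isolation"  third-party cookies kept, but partitioned per visited site
class CookieJar {
  constructor(mode) {
    this.mode = mode;
    this.store = new Map(); // partition key -> Map(cookie name -> value)
  }

  // A request is "third party" when the resource's domain differs from the
  // top-level site the user actually navigated to.
  static isThirdParty(topSite, requestDomain) {
    return topSite !== requestDomain;
  }

  // Under first-party isolation the jar is keyed by the visited site as well
  // as the cookie's own domain, so tracker.example gets one jar per site.
  key(topSite, requestDomain) {
    return this.mode === "first-party-isolation"
      ? `${topSite}|${requestDomain}`
      : requestDomain;
  }

  setCookie(topSite, requestDomain, name, value) {
    if (this.mode === "block-third-party" && CookieJar.isThirdParty(topSite, requestDomain)) {
      return false; // refused: third-party cookie under the blocking default
    }
    const k = this.key(topSite, requestDomain);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
    return true;
  }

  getCookie(topSite, requestDomain, name) {
    const bucket = this.store.get(this.key(topSite, requestDomain));
    return bucket ? bucket.get(name) : undefined;
  }
}

// Simulates the user visiting two sites that both embed tracker.example.
// The tracker reads its "uid" cookie on each load and mints a fresh id when
// none is present; it can link the two visits only if it sees the same id.
function simulateTracker(mode) {
  const jar = new CookieJar(mode);
  let nextId = 1;
  const seen = [];
  for (const site of ["shop.example", "news.example"]) {
    // first-party functional cookie, e.g. the shop's own session
    jar.setCookie(site, site, "session", `sess-${site}`);
    // third-party tracker embedded on the page
    let uid = jar.getCookie(site, "tracker.example", "uid");
    if (uid === undefined) {
      uid = `uid-${nextId++}`;
      jar.setCookie(site, "tracker.example", "uid", uid);
    }
    seen.push(uid);
  }
  return {
    // the site's own cookie must survive under every policy
    firstPartyKept: jar.getCookie("shop.example", "shop.example", "session") === "sess-shop.example",
    // was any tracker cookie persisted at all for the first site?
    trackerCookieStored: jar.getCookie("shop.example", "tracker.example", "uid") !== undefined,
    // could the tracker correlate the two visits?
    crossSiteLinkable: seen[0] === seen[1],
  };
}

for (const mode of ["allow-all", "block-third-party", "first-party-isolation"]) {
  console.log(mode, simulateTracker(mode));
}
```

Only "allow-all" lets the tracker see the same id on both sites; blocking drops the tracker cookie entirely, while first-party isolation still stores it but hands the tracker a different jar per visited site, so both defaults break the cross-site link without touching the shop's session cookie.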


I'm very curious what leads you to believe that this law doesn't exist? And be so sure about it as to call out someone else for not knowing what they're talking about.

"Passed in the 2002 and amended in 2009, the ePrivacy Directive (EPD) has become known as the “cookie law” since its most notable effect was the proliferation of cookie consent pop-ups after it was passed."

https://gdpr.eu/cookies/


I think the point is that there is only a need for cookie pop-ups if the site tries to exploit its users.

It is not the cookie that requires pop-ups. It's despicable behavior that does.


Well said.


To be frank I suspect that the answer is because that isn't their goal any more than a congressional fact finding session is to find facts - but to grandstand angrily about sour grapes.


Or it might have happened in the other direction, where there was an earnest goal, but opponents to that goal slipped a poison pill in.

