> Complaining about these notices would be like complaining that restaurants are forced to put up a sign on their front door "Kitchen employees don't wash their hands" when they get caught not doing so.
I wouldn't recommend it. It's a bad analogy and if I saw someone use it I'd think they don't have a good grasp on web technologies. Cookie tracking is used to do things like persist shopping cart items without logging in, and plenty of other things users expect websites to do. It is also used in data collection, but that's more of a moral objection to advertising-based monetization than some sort of strictly-worse practices (like kitchen employees not washing hands).
Just to be clear, you can still use cookies; you don't need consent. Shopping carts and login sessions etc. will work just fine.
You can still display advertising, that also doesn't need consent.
You just can't collect and process people's data that isn't required for providing the service. If a site displays that notice, it's because they're attempting to do more with your data, or collect extra data, than is strictly needed for the service.
Perhaps in theory. But in practice, nobody wants to risk being fined because a court determines that some data wasn't required to provide the service. Do you really need to have persistent carts for non-logged-in customers? Can't you just only offer the cart for logged in customers? It's not required, just beneficial.
Thus, these cookie disclaimers are like Proposition 65 warnings in California. They're everywhere so people ignore them.
The most likely first step in the UK is that the ICO will get in touch and tell you you've done something wrong and need to fix it. Courts and enforcement penalties come later if you persist, or your infraction was significant.
I run websites, and I don't feel in any way worried about it personally.
Right, and the easiest way to fix it is to throw up a cookie disclaimer and forget about it. So disclaimers become ubiquitous.
Are you familiar with Proposition 65 in California? Any product or business location that has any detectable amount of carcinogens needs to disclaim that it potentially contains carcinogens. Among other things, gas stoves and roasted coffee both contain trace amounts of carcinogens. So most restaurants and coffee shops display Proposition 65 warnings. Said warnings have become so ubiquitous that nobody cares about them. The same scenario is playing out with cookie disclaimers.
> Except there's no such thing as a cookie disclaimer as I said in another comment. Extra tracking/data processing has to be opt in, and you have to provide the service to the user even if they don't opt in, so you can't just throw up a notice that says you might not be compliant because you still need to be compliant.
Yeah, they do exist. And you can find them on plenty of sites that block content unless the disclaimer is accepted. You may be of the mind that this is not compliant with the legislation, but reality demonstrates otherwise.
> Prop 65 is different. The cookie law is like saying "if you sprinkle extra carcinogens in your product then you need to disclose it".
This is making the same error as the washing hands analogy. This ignores the fact that cookies are necessary to power user-facing features.
> Right, and the easiest way to fix it is to throw up a cookie disclaimer and forget about it. So disclaimers become ubiquitous.
Except there's no such thing as a cookie disclaimer as I said in another comment. Extra tracking/data processing has to be opt in, and you have to provide the service to the user even if they don't opt in, so you can't just throw up a notice that says you might not be compliant because you still need to be compliant.
> Are you familiar with Proposition 65 in California?
> This is making the same error as the washing hands analogy. This ignores the fact that cookies are necessary to power user-facing features.
I don't know if you're doing this deliberately or not at this point because I've said it so many times.
You. Are. Allowed. To. Use. Cookies. Under. GDPR.
There are times you need to ask for consent, but for login cookies, shopping carts etc. that follow some relatively simple guidelines, you don't need to ask for permission.
> You. Are. Allowed. To. Use. Cookies. Under. GDPR.
Until a government bureaucrat decides that your usage is not necessary and they threaten you with a fine.
You are not the one enforcing these laws. What you think is a reasonable interpretation of these "relatively simple guidelines" is no guarantee that a government commission is going to reach the same conclusion. Do you really find that so hard to understand?
If the ICO decides you're in breach of the rules, and has reached out to you to help you comply and you aren't receptive you're just going to end up in court and you can argue your case there, and if you can't trust your courts then you've got other problems.
If you allow users to add items to their cart without logging in, that isn't tracking them. It's just storing the information which the user wants you to store on their browser.
Many people click "add to cart" without logging in because that is the service they want. Nobody voluntarily clicks "track and analyze my activities on this site", because that is not a service people want.
> Many people click "add to cart" without logging in because that is the service they want. Nobody voluntarily clicks "track and analyze my activities on this site", because that is not a service people want.
You realize that in order to implement "add to cart" you have to track their activity on the site? That's what the cookie is for. To track customers and persist their cart. If you can't track customers then you can't associate them with their cart.
As far as analyzing activities, what is and isn't allowed is murky. Is it okay to do A/B testing and see its impact on sales? This requires tracking and analyzing user activity, but isn't necessary to provide the service. But it is necessary to actually determine whether changes to the service are positive or negative. So do you throw away A/B testing, do A/B testing and risk fines, or throw up a cookie disclaimer?
> If you can't work out what data is and isn't required for the functioning of your site then perhaps you shouldn't be running one.
I'm more than confident in developers' ability to know what is and isn't required. I'm dubious of government bureaucrats' ability to do so.
A "cookie disclaimer" does not solve any of the problems you describe.
First, you can't avoid solving the murky analysis. You must be able to specify in clear language what personal data you're using for what purpose and which specific paragraph of the GDPR gives you the legal basis to do so.
Are you using that data for A/B testing because it's a legitimate need where you don't need consent or because the user consents to it? Well, you have to decide before implementing that disclaimer, because the disclaimer should clearly state that answer!
Furthermore, if you decide that some use case does not fit the legitimate need criteria and you need consent, then a "cookie disclaimer" does not reduce the risk of fines - because a disclaimer does not collect opt-in consent, it can (at best) record acknowledgement, so if you need consent but only have a disclaimer, then that still risks fines.
On the other hand, if you trust your developers to know what is required and what's not, and you have documented it properly (because it's not just a good idea, it's mandatory), then you should be able to run that documentation through your local data protection authority to validate any doubts, that's part of their job, and wherever I have seen them work it's something they eagerly do.
You can't implement carts, persistent or otherwise, without cookies (localstorage et al. is a type of cookie), because clicking on a link would throw away the cart data. If people click "add to cart" then of course they want you to track the cart contents; that doesn't give you the right to track anything else.
Right, and now you get sued by a group claiming that you don't need carts for non-logged in customers. Do you need to provide carts for non-logged in customers? No, says the lawyer, you selfishly used cookies to track people without consent in order to improve your sales. Or you can just throw up a cookie disclaimer to cover your ass.
Sure, the cart is perhaps a trivial case. But persistent tracking is also used to prevent abusive behavior, and other things that aren't strictly necessary. The risk that someone might try to claim that these are unnecessary far outweighs the cost of throwing up a cookie disclaimer. Thus, cookie disclaimers become pointless through their ubiquity.
Reply to your comment, since HN is rate limiting my work VPN:
> That's not how it works. Someone complains to the Information Commissioner's Office (ICO). The ICO determines if the complaint is valid and will get in touch with the site owner to help them come into compliance.
And then they get sued if they don't come into compliance. This is just elaborating extra steps.
> There is no such thing.
> You have to make unnecessary data collection and tracking opt in. You can't have a notice that says "we might do x unnecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.
Right, and websites don't display content unless this supposedly unnecessary data collection is opted into. Because nobody wants to risk being on the wrong side of ambiguous restrictions on necessary and unnecessary tracking. You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.
Again, carts aren't actually necessary. They make it easier for users to buy multiple items, but you can make cart-less checkouts by having customers select all items on a single page. Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.
> Right, and now you get sued by a group claiming that you don't need carts for non-logged in customers.
That's not how it works. Someone complains to the Information Commissioner's Office (ICO). The ICO determines if the complaint is valid and will get in touch with the site owner to help them come into compliance.
> Or you can just throw up a cookie disclaimer to cover your ass.
There is no such thing.
You have to make unnecessary data collection and tracking opt in. You can't have a notice that says "we might do x unnecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.
In some countries your competitors or some other third parties can just directly send you a cease-and-desist letter if they believe you're violating some law.
Even if that letter turns out to be unfounded because it turns out that implementing a shopping cart using cookies without an explicit consent is a legitimate use case, they're quite a bit more of a hassle to handle than your supposed friendly ICO just "get[ting] in touch with the site owner to help them come into compliance".
So one more reason to err on the side of over-caution and just put up a popup for any kind of cookie...
This is a reasonable grounds to discriminate. No one is required to provide non-logged-in users a bulk product purchase interface. They could choose to buy each product separately, or sign in. A bulk purchase cart is not essential; it is a convenience.
> And then they get sued if they don't come into compliance. This is just elaborating extra steps.
If you don't come into compliance with data privacy laws after being helped to do so by the ICO, then yes, you deserve to end up in court.
> Right, and websites don't display content unless this supposedly unnecessary data collection is opted into.
That's literally not allowed under GDPR. You can't avoid the GDPR by doing something that is in violation of the GDPR. It's like trying to avoid getting a speeding ticket by going faster.
> You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.
Yes, and they're not compliant with the GDPR. Not all sites will get the tap of the ICO's hammer though. Some are going to be too hard to enforce against (non-EU-only entities for instance) and some just won't get complaints.
> Again, carts aren't actually necessary.
Nope, they are very much allowed.
> Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.
Brilliant. I might copy and reuse that.