
> those in charge of the cookie banners really believe that they protect the interests of the user

No, they're asking for consent to track because the EU demanded it. The easiest way to avoid having a banner on your site is to... just not have an analytics package on your site. They're aggressive because they don't want their data spigot turned off - hence the work-to-rule nonsense. You should not infer any benevolence on the part of the people implementing these banners.

My personal habit is to always click whatever option denies the most amount of tracking, mostly because I can.



> My personal habit is to always click whatever option denies the most amount of tracking, mostly because I can.

Likewise, except:

* If for any reason I can't easily deny all the unnecessary stuff (e.g. there isn't a way or they have something like the Daily Mail where to disable all the "legitimate interest" you have to click literally hundreds of individual boxes) I don't click anything and leave the site immediately.

* I don't do it because I can. I do it because by clicking OK I would be explicitly consenting to being tracked and I don't want to be tracked. The content is pretty much never worth it. ("It" being falsely telling people I'm fine with being tracked. I'm perfectly aware it will happen anyway.)


Those consent boxes are nowadays used to blanket consent to things like telemarketing. I would never tell anyone to click agree on anything they haven’t thoroughly read, except proprietary software EULAs.


> No, they're asking for consent to track because the EU demanded it.

Personally, I think that despite seemingly good intentions, this common practice is counterintuitively harming user-privacy and security, especially on mobile where the banners take up a large chunk of the screen.

Many normal people get something like "banner-blindness": they are so used to seeing banners requesting confirmation when they visit a website that they by default click any random buttons they see to try and hide them right away without reading what is requested.

This practice doesn't really help anybody, IMO, and should probably be handled on the browser-level if people care about it.


> Personally, I think that despite seemingly good intentions

Why do you think they have good intentions?

Many of these banners employ some pretty slick dark patterns for you to opt-in to their most critical analytics. One of my favorites is when cookie selection is more than one click from the banner, or it causes a page reload.


I think you're talking about the businesses' motivations and I'm talking about the random EU bureaucrats that imposed the regulations. Despite how skeptical I am of most government interventions, I'd tend to assign benign intentions on the bureaucrats' part here as I'd have to guess that they genuinely wanted to do something good. But like any bureaucrats sitting in their ivory towers imposing rules on others, the majority of their rules have unintended consequences, can be taken advantage of, are usually designed by committees that even when well-intentioned produce a mish-mash of inconsistent ideas, etc.


> imposing rules on others, the majority of their rules have unintended consequences, can be taken advantage of, are usually designed by committees

It's a valid critique, so here goes: how would you implement it to avoid those?


The rules are actually fairly sensible: the fact that the banners are deliberately confusing is actually illegal. The issue is that national agencies who enforce the rules (because EU rules are implemented via national laws) aren't enforcing the rules properly.


Make it part of the browser, not the website.


The "make it part of the browser" argument doesn't work in practice because the GDPR covers the intent and purpose of data collection/processing rather than any specific technical way of collecting or processing said data. Blocking cookies at the browser level doesn't prevent the website from using browser fingerprinting or the information you manually provided (your delivery address to make a purchase for example) in a way you didn't agree with.


I’d really like a way for my browser to tell sites my default preferences, just to reduce browser noise.

I’d probably prefer more for the advertising industry to die a fast death, but I doubt that will ever happen.


I agree there is a greater chance they're more stupid than a brick than they're malicious but I wouldn't exclude the idea that internet gatekeepers like Facebook and Google are bribing them to create extra barriers for newcomers to have independent websites.

The net result of VATMOSS, GDPR and cookie banners was that a ton of small businesses decided not to bother with a website and moved to being FB only or Amazon only.


I've seen a few of those where you reject all and it causes a page reload, hence putting you in a loop where the banner comes back.


I don't understand why they didn't use the Do-Not-Track header. It's perfect: a client sending DNT is explicitly denying consent to any form of tracking before the page is even rendered. The presence of such a header should cause web applications to automatically delete any and all tracking javascript from their pages at the very least.

No idea why it turned into this cookie banner nonsense.
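
As an added example (not part of the comment above, nor any real site's code), the server-side behaviour it describes could look like this: tracker scripts are left out of the rendered page whenever the request carries `DNT: 1`. It goes slightly beyond the comment by treating the `Sec-GPC: 1` header the same way; the tracker host list, the page's script list and the `storedConsent` flag are constructed assumptions.

```javascript
// Hosts treated as trackers in this example (constructed, not a real list).
const TRACKER_HOSTS = new Set(["analytics.example", "ads.example"]);

// Scripts the hypothetical page template wants to load (constructed).
const PAGE_SCRIPTS = [
  "/static/app.js",
  "https://analytics.example/collect.js",
  "https://ads.example/tag.js",
];

// Case-insensitive header lookup; returns the trimmed value or undefined.
function header(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return undefined;
}

// Tracking is allowed only with recorded consent AND no opt-out signal.
// A missing header means "no preference expressed", which is not consent.
function trackingAllowed(headers, storedConsent) {
  if (header(headers, "DNT") === "1") return false;
  if (header(headers, "Sec-GPC") === "1") return false;
  return storedConsent === true;
}

// True when the script URL points at a tracker host or one of its subdomains.
function isTracker(src) {
  // Relative URLs resolve against a dummy origin and count as first-party.
  const host = new URL(src, "https://site.invalid").hostname;
  for (const tracker of TRACKER_HOSTS) {
    if (host === tracker || host.endsWith("." + tracker)) return true;
  }
  return false;
}

// Build the response: tracker scripts are never emitted unless allowed.
function renderPage(requestHeaders, storedConsent) {
  const allowed = trackingAllowed(requestHeaders, storedConsent);
  const scripts = PAGE_SCRIPTS.filter((src) => allowed || !isTracker(src));
  const tags = scripts.map((src) => `<script src="${src}"></script>`).join("\n");
  return {
    // The body depends on these request headers, so a shared cache must key
    // on them or it could serve the tracked variant to an opted-out client.
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Vary": "DNT, Sec-GPC",
    },
    body: `<!doctype html>\n<title>demo</title>\n${tags}\n`,
    scripts,
  };
}
```
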


Microsoft pulled an Apple and turned DNT into opt-in. Advertisers were very clear that they would only honor DNT if people were tracked by default.

The EU then passed a bill that said you can't collect data unless it's for one of six reasons, one of which is "user consent". This basically mandated opt-in, so everyone went super-aggressive on consent banners (which, BTW, are probably illegal).


> Advertisers were very clear that they would only honor DNT if people were tracked by default.

It's ridiculous that Microsoft's response wasn't to just nuke trackers from space with some kind of adware blocker integration in Edge. This is the equivalent of a mugger saying he'll only honour your "do no mug" sign if the sign defaults to "mug me please" and has to be explicitly changed.


Ad blocking is not a "nuke trackers from space" button. It's more like piloting a drone fleet to pick out and kill terrorists or insurgents in a not-so-friendly country. It requires lots of work to identify ads and create comprehensive filter rules to block ads, and periodic re-checking to make sure they haven't been broken by the advertising companies.

Note how most ad blocking tech is either community-run FOSS projects or companies with not-so-savory business practices. It's really not the kind of work that browser vendors want to do. In fact, Apple went out of their way to create an extension type purely for delivering ad block lists to Safari all the way back in iOS 9. Ad blocking is that much of a pain that even Apple was willing to farm it out to third parties years before we got proper mobile extension support.

Occasionally, browser vendors get lucky, and there's a tracker type that's "easy enough" to kill. Things like third-party cookies would be one of them - but even then this required a huge amount of testing to avoid breaking apps that relied on them for authentication.

The only reason why ad block even works is because ad companies are incredibly paranoid and don't trust each other. The standard way to do display ads is to embed each other's `<iframe>`s or JS, which gives ad blockers a nice easy target to hit. Platforms like Facebook or Twitter that are trusted to do their own ad delivery and thus don't hotlink subresources are far harder to block. They can change how ads are styled basically every hour if they wanted, which would make any kind of rule-based ad blocking ineffective. If every ad platform did this, ad block as we know it would be dead.


Microsoft is part of "them" now though given their direction since Windows 10, so I find that very unlikely.


While you are right that Microsoft loosened their stance with privacy, let's not conflate data collection purposes:

1. telemetry, for diagnostics and health monitoring

2. usage analysis, for program improvement and personalization

3. content analysis, for advertising and marketing purposes

Windows requires kind 1 and encourages kind 2*. Type 3 does not really apply, though, as I don't see Windows sniffing what I write in my text files so that I'm shown relevant ads later.

It's all explained here: https://privacy.microsoft.com/en-us/data-collection-windows

* Also note that the Customer Experience Improvement Program has been with us since Windows 7. Same thing, just not perceived as badly as Windows 10.


Without a law like the GDPR, nothing stops them from using data collected for 1) and 2) for 3). Which they will do once some PM realizes it's worth something.

(There's even 0), data collected for functional purposes like 2FA. Multiple companies have taken data straight from 0 to 3 once they see the possible revenue.)


Consent popups are legal so long as agreeing is not easier than disagreeing. IOW, you cannot make it harder to disagree - which 99.95% of them do.


Also, "consent" has a specific meaning in GDPR, see article 4(11) [0]:

> Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Which is why I suspect almost all "cookie banners" are worthless. They don't give a clear, informed consent, so the site operator is still not allowed to use the data for anything at all.

0: https://gdpr.eu/article-4-definitions/


Revoking consent must also be as easy as consenting. Almost no site does this correctly.


Seems like a good case for a class action suit. Why hasn't this happened yet?


Because it would have hundreds of millions of people in it.


On mobile, I often can not even check a box. Rotation sometimes solves the problem. Firefox -noscript always does, if I care that much.


...except for sites that completely stop working when JS is disabled.


Ha! Yes, exactly... it "solves the problem", but not always as desired :^)


It's a modern variant of the "this site is unsafe, continue using" click through that browsers gave for incorrectly configured SSL before the major browser vendors converged on the conclusion that they should make it actively hard to pass through insufficiently-secured SSL configuration because users would just click okay on the spooky dialog.


> and should probably be handled on the browser-level if people care about it.

Some of the original Chrome browser team have followed this line of thought:

https://neeva.com/blog/introducing-cookie-cutter-by-neeva-a-...


> hence the work-to-rule nonsense

It's not even work-to-rule. It's illegal if the button to refuse consent is in any way less obvious than the button to grant it, which it nearly always is.

Notably, OneTrust, which provides a lot of the banner solutions which are illegal, gets it right on their own website. So they do know the rules, but they knowingly provide a solution that's illegal.


At least in the EU most sites seem to automatically disable nonessential cookies if you don't click Accept. The American equivalents all force you to manually uncheck everything.


> At least in the EU most sites seem to automatically disable nonessential cookies if you don't click Accept.

They have been well-advised by their lawyers. Anything else is just a bomb waiting to explode on you.


And if someone wrote a browser extension that hides those popups (or makes them scrollable instead of sticky), the user would not need to do anything to reject cookies.



Note that sometimes that may accept cookies (not sure when it does that, but it does say it can do).


Exactly. This is an absolute key point I find most people miss in these discussions.

GDPR fundamentally changes the default of whether tracking is allowed to occur or not. If a user browses the web automatically blocking (just deleting/blocking the element, not automatically clicking accept) every consent pop-up, the website is not allowed to track them nor is it allowed to block the user from using the website.

If you had such a browser extension, and if websites were actually conforming to the law, all EU users could browse the web without ever seeing any popup and without ever getting tracked.


> The easiest way to avoid having a banner on your site is to... just not have an analytics package on your site.

What if there's back-end only analytics? Does that require a banner?


My understanding: IP addresses are considered personal information. You are allowed to store them in your log for security purposes, without consent (legitimate interest). But if you use that log for analytics, you need consent.


Are you sure about this? Parsing the logs stored for legitimate interest and then aggregating from that data for another purpose without storing PII seems to me like fair game.


You can't process personal data "for legitimate interest" per se. This is the biggest lie the adtech industry keeps telling themselves. The LI exception is that you can process personal data to do X with fewer restrictions, if you have a legitimate interest in X. For example, all companies have a legitimate interest in certain employee data e.g. legal names / tax identification. More complex, if you run an insurance company, you have some legitimate interest in a broad swath of your customer's demographic data.

The case for legitimate interest in parsing logs is extremely weak. There are situations where you could claim it but it still must be with a clear purpose. E.g. a Spanish company considering opening a branch in France might collect IPs to make a heatmap of where its French customers are. But they would not be able to use those IPs generally, to the extent e.g. they might be expected to delete the IP and only store aggregated by department.

You also said PII, not PD - note that some PII is sensitive data, which cannot be collected under LI provisions at all.

(This is not legal advice. If you think you can collect personal data with the LI exception, godspeed and I hope you have a good lawyer.)


If you're storing personal data, you need consent. A banner would be the least intrusive way to do that. (If your backend analytics don't store a cookie and don't store IPs, you may not be storing personal data to begin with.)


No.

You only need consent if there is absolutely no reason for you to have that data. Consent is the emergency hatch, only to be used in exceptional circumstances.

"But what gives?!", I hear you think. As a law professor said (roughly): it was truly amazing to see how an entire industry colluded so swiftly and completely to undermine legislation.


> You only need consent if there is absolutely no reason for you to have that data.

Also no.

There are specific acceptable reasons to have the data. LI is a weak one and does not apply in many situations (there are a lot of balancing factors applied, including a "reasonable person" standard on the data subject). As you say, consent is a very strong one, if received it can virtually always apply. The ones in-between only apply in limited situations genuinely necessary for business (company management of employee data, addresses of customers you need to ship to) or to a small set of companies (hospital management of health data, AML/KYC for banks), and rarely to general web / app analytics.

"I would like that data to serve ads better" (or "to sell to someone who wants to serve ads better") is not "absolutely no reason", but it is also rarely one of the other reasons. And conversely, even if in some case you have a legitimate business interest i.e. would go bankrupt without it, it is not LI in the sense of GDPR if it cannot meet other factors. The modern adtech ecosystem more or less requires "consent-strength" allowances.


> If you're storing personal data, you need consent.

Could you explain this claim? I'm seeing it more often and I wonder if there's something I'm missing.

GDPR Article 6 gives five other legal bases for processing. From my reading, consent is just another basis you can use if the others don't work.


In the context of backend analytics, it is difficult-to-impossible for any of those others to apply. The point is that FE vs. BE, cookie vs. no cookie isn’t really what matters. What data you collect and why is what matters.


At this point, I'd be happy with a service that has my browser send a "do not track" header on each request, and also open a proxy connection to a black hat server each time the page decided to make a request to a known tracking domain.


A "black hat server"?


Someone is trying to convey that a plugin should report sites that are detected ignoring DNT to ne'er-do-wells to invite horrible things to happen to them.

It's a newbie, be nice. They don't get how it works yet.


Not a newbie. Let 'em use a MiB or so from my legitimate browsing session with legitimate IP to perpetrate click fraud or auction fraud or whatever.

That'll make it harder for fraud detection to work (the traffic is legitimate, organic traffic after all). If enough people do it, tracking firms that ignore DNT will have garbage datasets or worse.

I've worked on systems for detecting this sort of fraud. Systematically injecting malicious traffic into legitimate click streams would defeat most anti-abuse measures that I've seen.


You want to let people commit whatever fraud they want using your computer? Knowingly?

How will you defend yourself in court? "I didn't do it, I just let somebody else use my machine, yes I knew they were up to no good that was the point, but to my defense I was shown an ad"?


The tracking servers are using my computer without authorization. (The "do not track" header specifically told them so.)

So, their complaint is what, exactly? They tried to run unauthorized code on my machine, it noticed, and forwarded the unauthorized logic/connection/nonce/etc to a honeypot?

This isn't an actual service I plan to build. If someone else does, and prevails in court, rest assured I'll be cheering them on.


It’s an absolute pity that the legislature didn’t require : deny everything : remember my selection : if the same analytics package exists on other sites, remember my g’d selection


Do you know if it is only third-party analytics being called that requires the prompt, or is setting any cookie for the website's use only requiring permission too?


Essential cookies that are necessary for the website to run do not need a permission from the user. For example, if you want to use cookies to save a selection or a language setting, you don't need to ask for permission.


Yep - but to clarify, the cookies must really be NECESSARY - i.e. your site or app would be unusable without the feature they implement.

A cookie that saves, for instance, a preference may not be considered essential but a "Functional Cookie" that adds extra features, because your app is usable without it, and then you do need permission for it.


Well, what does unusable mean? If my app offers a feature and the cookie is necessary for it to work, then it's essential. For example, a cart feature in an ecommerce app. Could you shop without a cart? Sure, still I would consider this cookie essential.


The UK implementation of ePrivacy makes this quite clear and the regulator uses this as an example [1] in their guidance.

If you are setting the cookie in direct response to a user initiated action, for functionality, that doesn't require consent.

[1] https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...


A cart does sound essential, but I guess it's up to a judge to decide. Perhaps you should implement a cookie-less "buy now" option to avoid needing to go before a judge.


Like a session variable?


IANAL, but from my understanding the GDPR itself does not make this distinction. It's okay to store things to implement functionality, like login or shopping baskets. Tracking people is not okay.

Now, there was a different directive preceding the GDPR that tried to address the rampant abuse of cookies for tracking by regulating cookies directly. The intention of that directive was good, but the implementation really bad. I think this is where this distinction comes from. I don't think I've seen a case where someone who was not doing blatantly shady things with cookies got into trouble with that directive, though.

It doesn't have to be obnoxious either - if you have a preferences page, you could add something like "we'll save these preferences in a cookie on your computer, okay?"


Regular cookies that are required for normal operation (to remember that you are logged in etc.) do not require any permissions. But they try to make it seem that way, and they bug you as much as they can to get you to just agree to all cookies. Dark patterns everywhere.


In house analytics and third party analytics are the same for the law. It’s all about user tracking.


Keeping in mind, of course, that Apache access logging in its default configuration probably counts as "an analytics package."

If you're running a site, it's just safer to ask than to assume that you know your site is not tracking users.


Well said.


> No, they're asking for consent to track because the EU demanded it.

Given that you can completely block cookies and other tracking in the browser, why on earth did they bother? I despise bureaucrats writing laws when they don't understand technology.


I despise engineers writing code when they don't understand laws.

Yes, we can play the tracker-removal cat-and-mouse game, but that involves a lot of time and effort, projected forever. This battle is going to be won by whoever has the most time and money to waste, and, spoiler alert: it's not the adblock vendors. It's Google.

In the specific case of cookies, you need those to authenticate to web services, so you can't just block all of them. Instead you need to delicately allow or deny every cookie based on if its purpose is holding a login token or tracking a user. In fact, sometimes it's both.

Strictly speaking, if I log into Facebook, that shouldn't be considered consent to track. But right now, that's how it works. You know all those "login with Facebook" buttons all over the web? Those give Facebook third-party tracking capability. There is no browser extension in the world that will allow you to login with Facebook without also telling Facebook what site you were logging into. You need a law to force Facebook to split-brain themselves and silo off that data from their advertising operations.

Yeah, sure. "Just don't use Login with Facebook". Except every third-party login system has this problem - and there are plenty of smaller companies that absolutely do not want to handle user credentials and require that you use a third-party login service. And given that using smaller providers is the easiest way to get your credentials stolen, it is entirely understandable and advisable that they not roll their own authentication.

Furthermore, most users are not at all aware of all the technical stuff I mentioned above - and they shouldn't have to be in order to have privacy.

Having a well-written law is a lot easier: you just tell Facebook, "no, really, if you use your login service to track people we're going to fine you". Corporations react to (sufficiently large) fines a lot more favorably than technical restrictions or circumvention. "Don't be evil" is a way bigger guarantee than "can't be evil".


Preach! What we ultimately need is just a law that says it is illegal for companies to collect or store any data for marketing purposes, tracking, or resale. No opt ins, no exceptions. Unfortunately we can't fully kill targeted or unsolicited advertising at the root because of freedom of speech issues, but we can eliminate all the data it depends on.


Why do you dislike targeted advertising?


People see "targeted advertising" as "I was thinking about buying a bike and it shows me ads for bikes", ie. it's showing me what I want to see. That is not targeted advertising. Targeted advertising is showing you what they want you to see when they want you to see it, or showing you the same products in a light that makes you more likely to buy them.

For example, showing you unlikely or imagined bike-related problems, to sell you useless protection gear or insurance after you get your bike. Showing you ads for motorcycles, because although you probably don't want one, someone who already likes bikes is more likely to buy a (more expensive) motorcycle, so that's where they'll direct their spam.

Targeted advertising is about manipulation, using knowledge of the customer to change their behavior. No one is going through those efforts to show you what you already want and save you a quick Google.


You have quite a low view of people's ability to make decisions for themselves if you think being shown ads is manipulation. And I struggle to see how targeted ads are somehow worse than the same sort of 'manipulation' inherent in using an algorithmic feed like HackerNews or Twitter. Both are exposing you to things they want you to see. Yet you don't seem to have such strong opposition to those as you do targeted ads.


> you have quite a low view of people's ability to make decisions for themselves if you think being shown ads is manipulation.

The ENTIRE POINT of an ad is manipulation. Advertisers wouldn't bother if people always ignored ads.


I think it's less the targeted advertising, and more like I can't take 5 internet steps today without 40 people shouting at me to buy their diapers because my partner googled "diapers" last night.


I really don't mind targeted advertising.

One, the ads are more relevant.

Two, because the ads are more relevant the advertiser makes far more money on them and therefore doesn't have to show you as many to fund their service.


Generally the ads that are targeting me are unrelated to things that I want.

But also, many of the ads are scams, and the targeting helps the scammers find susceptible targets.


Fortunately, we have replaced the tracker removal cat and mouse game with a consent banner cat and mouse game, projected forever.

Problem solved, am I right? ;)


Well, yes, law enforcement in general is a cat-and-mouse game. That doesn't mean we shouldn't have any laws.


I 100% agree, but I feel like the proliferation of consent banners was predictable and if people didn't want it, the law should have initially accounted for it.

Assuming people would just log less was hopelessly naive (especially given that Apache defaults already do enough logging to run afoul of the GDPR).


A lot of GDPR is (intentionally) misrepresented.

Apache logs for example do not run afoul of GDPR unless you:

A) process them. (Correlate them with further identification)

B) sell them.

C) do nothing to secure them.

Regardless. The law does have conditions for these cookie banners. Namely that if you do not present an easy 2 click opt out then you’re in violation. Many people are in violation in what I feel is an attempt at a sort of civil disobedience. “They can’t prosecute us if we all do it” mentality.


I'm not sure a lawyer would agree with your assessment of the Apache logs. If they aren't actively being used to maintain site health, the mere collection of private IPs is enough to make them unnecessary private information.

And that's the default for collection of Apache logs.


You would be 100% in the clear on that as long as you apply a reasonable retention policy to your logs. Keeping them forever isn't reasonable. Keeping them for a year almost certainly is.

You would be 99% in the clear if you do nothing. The worst that's likely to happen is that you're forced to adopt a retention policy and delete old logs, and even that is extremely unlikely unless you are Google/Facebook scale or are doing something significantly worse than industry standards.
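
An added example, not written by any commenter, of the retention policy the comment above describes, applied to Apache access-log lines: entries older than the cutoff are dropped, with the log's UTC offset taken into account. Truncating the client IP on the lines that are kept is an extra data-minimisation step assumed by this example; the log lines, the 365-day window and the function names are constructed.

```javascript
// Constructed sample lines in Apache common log format.
const SAMPLE_LOG = [
  '203.0.113.57 - - [31/May/2024:23:10:02 +0200] "GET / HTTP/1.1" 200 512',
  '198.51.100.9 - alice [01/Jan/2023:00:00:00 +0000] "GET /a HTTP/1.1" 200 10',
  '2001:db8:85a3::8a2e:370:7334 - - [15/Mar/2024:08:00:00 -0500] "POST /login HTTP/1.1" 302 0',
  // Local date looks inside a 365-day window ending 2024-06-01, UTC time is not.
  '192.0.2.44 - - [02/Jun/2023:01:00:00 +0200] "GET /b HTTP/1.1" 404 0',
  "this line is not in access-log format",
];

const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];

// Group 1: client address. Group 2: everything after it. Groups 3-11: timestamp.
const LINE_RE =
  /^(\S+) (\S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\] .*)$/;

// Parse one line into { ip, tail, utcMs }, or null if it cannot be dated.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const month = MONTHS.indexOf(m[4]);
  if (month < 0) return null;
  const offsetMin = (m[9] === "-" ? -1 : 1) * (Number(m[10]) * 60 + Number(m[11]));
  // Logged time is local to the server; subtracting the offset yields UTC.
  const utcMs = Date.UTC(+m[5], month, +m[3], +m[6], +m[7], +m[8]) - offsetMin * 60000;
  return { ip: m[1], tail: m[2], utcMs };
}

// Keep the /24 of an IPv4 address or the /48 of an IPv6 address.
function maskIp(ip) {
  if (ip.includes(":")) {
    const [head, tail = ""] = ip.split("::");
    const h = head ? head.split(":") : [];
    const t = tail ? tail.split(":") : [];
    const fill = Math.max(0, 8 - h.length - t.length);
    const groups = ip.includes("::") ? [...h, ...Array(fill).fill("0"), ...t] : h;
    return groups.slice(0, 3).join(":") + "::";
  }
  const octets = ip.split(".");
  // Anything else (e.g. a resolved hostname) is replaced rather than kept.
  if (octets.length !== 4) return "-";
  return octets.slice(0, 3).join(".") + ".0";
}

// Return the lines still inside the window, plus counts of what was dropped.
function applyRetention(lines, nowMs, maxAgeDays) {
  const cutoff = nowMs - maxAgeDays * 86400000;
  const kept = [];
  let expired = 0;
  let unparsed = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { unparsed += 1; continue; }   // fail closed: undated lines are not retained
    if (rec.utcMs < cutoff) { expired += 1; continue; }
    kept.push(`${maskIp(rec.ip)} ${rec.tail}`);
  }
  return { kept, expired, unparsed };
}
```
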


I guess it varies depending on the lawyer, mine agrees with my interpretation.

Law depending on the opinion of lawyers is “useful”.

If anyone wants to attempt to prosecute me for storing Apache logs then I’m happy to defend it in court. GDPR isn’t the boogeyman unless you’re selling data. I’m quite certain there are sympathetic judges to that end. Logs are necessary and even in some cases legally mandatory.

I would talk to your lawyer.


With a 20 million euro minimum fine on the table, I don't think I'll feel comfortable on this topic until either the law is clarified or someone sets precedent.

My lawyer's great, but he won't be paying the fine if he's wrong.


$20 million isn't the minimum fine. That's the maximum fine for companies with under $500 million in annual turnover.

You aren't going to get the maximum fine unless you are doing something egregious. Collecting the default Apache logs and not using them for anything malicious isn't going to get you the maximum fine or likely any fine at all.


On the other hand there could be an extension that sends tracking history and everything else to everyone. If you really want to share that information.


"Given that you can completely block cookies"

You can also hire private security to stop stalkers, and yet stalking is illegal.


Because GDPR has nothing to do with cookies.

You can have cookies without consent.

Tracking requires consent even if it doesn't use cookies.

You can block some tracking in the browser, but server-side tracking generally can't be blocked.

GDPR cares about whether you are tracking, not about the means you use to accomplish it.


Because cookies are useful functionality that should be used in our best interests, not to pad some corporation's bottom line via surveillance capitalism. We shouldn't have to block cookies or anything, they're the ones who have to stop creating software that is essentially malware.



