Actually it's a bit more complex (but not much) than what is described: a 1st party may need user consent when they use personal data for something that is not the intended service (legitimate use).
For example, for a shopping cart: cookies are necessary for the service, so no problem. For fraud detection: no problem because it's a legitimate use. But if you start tracking with a user cookie what pages your users are viewing (statistics collection), then... you need the user's consent! Because it's not necessary for the service... (even if it might be in your interest)
EDIT: if your statistics are not bound to personal information (so you don't need statistics for INDIVIDUAL users but only for your users AS A WHOLE) then... no problem for RGPD and no need for consent. Actually, that's what a lot of RGPD-compatible statistics do (like Matomo and others...)
Toot/thread author here. You are of course right. I couldn't pack all details in those toots. I had to break it down to the absolute basics that are often misunderstood: Not every cookie needs consent. The way this is presented nowadays in these popups is deliberately misleading and trying to move the blame to some anonymous political entity when in reality it simply isn't that way.
In theory, website owners could do as GitHub did and remove inessential cookies and get rid of annoying banners: https://github.blog/2020-12-17-no-cookie-for-you/ But in practice, website owners are worried about breaking laws and aren't experts and just follow what they see everyone else doing, and so put up banners. So in practice, the regulations are indeed the ultimate cause of annoying banners, even if in theory those are avoidable in some cases. The people who introduced the regulations were able to look at the ecosystem of website owners and predict that the consequences of the regulations would be the vandalism of the internet by banners that we've seen over the last few years.
It's not the EU that's causing the fear of breaking laws. It's the ad tech industry that is instilling that fear by fostering the "you need a cookie banner on your site now" FUD. If Joe Schmoe thinks he needs a cookie banner for doing nothing and puts one up, then from a user's perspective, all sites are equally bad.
Compare with "Ask App Not to Track" in iOS, which is enforced by the OS and actually means something. The tracking industry hates that one because it shows them for what they are (not all apps need to throw up that screen) and they don't get to blame the EU for it.
It's literally the EU that created a worthless regulation that hasn't meaningfully helped anyone.
I wish more browsers would just include extensions that automatically accept and hide these warnings. It's stupid we have to do this but this is the world we live in.
Yes, there's a cargo cult mentality (encouraged by the big players who would like everyone to believe they are just doing the same as the average WordPress blog), but one way of counteracting that is to educate website owners like the above posts aim to. It's important to realise this isn't just a consequence of the laws being passed but of poor understanding of them, which is in part deliberately propagated by those who object to the law.
> But in practice, website owners are worried about breaking laws
That is a weird argument. If one genuinely cannot be bothered to read the law or does not feel capable of fully comprehending the law, why don't they simply consult a lawyer? Hiring professional accountants is somehow standard practice.
> And the alternative is to have to pay lawyers every time I want to start a business on the web?
I thought it was pretty commonplace to hire a lawyer to draft various application, bylaws, policies and stuff like that when founding a company, online or not.
> Yes because reading and interpreting an 11 chapter 99 section law is really simple…
GDPR really is very simple at the core: you are not allowed to collect personal information, unless. 99% of it are definitions of those exceptions.
> I thought it was pretty commonplace to hire a lawyer to draft various application, bylaws, policies and stuff like that when founding a company, online or not.
No it’s not. You can go to nolo.com and pay less than $300 to get incorporated
Even if you choose to hire a lawyer to do it, it’s a relatively simple process and it would cost a lot more to hire a lawyer who knows the technicalities of something like the GDPR and whether it’s applicable to your website.
Should I also include the lawyer in my product planning meeting?
> GDPR really is very simple at the core: you are not allowed to collect personal information, unless. 99% of it are definitions of those exceptions.
If it’s so simple, then why is it 99 sections and 11 chapters?
I would say yes, all businesses looking to make money need to invest money into all sorts of things to do this, including a lawyer. Even the smallest business should consult with counsel during the product design phase to ensure what they are building is legal. This doesn't seem to me to be unreasonable. Every company I have ever worked for, large and small, has had at least one lawyer weigh in on the product. You'd be careless not to.
No, all businesses that want to make money do not hire a lawyer to vet their businesses and especially not their website design. Neither do they need to.
And you really don’t see why all of the ridiculous regulation in the EU might be part of the reason that no meaningful tech company comes out of the EU.
I'd have one very important addition, as you tend to use the word yourself even if you basically aim at pointing out this distinction:
The law itself does not even mention "cookies", afaik.
It aims at regulating ANY kind of detection or storage of PII, regardless of its technical nature.
"Cookies" are the preferred nomenclature partly because non-technical users kinda understand what it means, but it's VERY MUCH also part of the very tactics you are writing about: because "do you accept cookies?" is a really really cute obfuscation of "do you consent to us taking your fingerprints and tracking everything you do online?".
That also goes for calling the GDPR the "EU cookie law".
The EU already had a "cookie law" long before GDPR that already mandated informing users about the site's usage of cookies, but it was widely ignored or even unknown to publishers outside of the EU since it: didn't regulate consent & storage, referred to cookies specifically and had thus become easy to kite with modern tracking techniques even if anybody gave a damn, and also didn't impose any kind of substantial sanctions when breached.
The GDPR aimed to fix that and therefore explicitly avoids specifying any technology it should be applied to. It's applicable to cookies, server-side tracking, photos of you or paper forms just the same.
Now it sticks, and'll probably be used forever. But mastodon, the project, has long stopped calling it a toot, removed it from all UI and docs and explained why it changed.
This seems to conflict with the ePrivacy directive:
> Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.
Your quote is from the 2002/58/EC directive, which is amended by directive 2009/136/EC [1]. The latter says:
> (66) [...] Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. [...]
Hence, so long as the use of cookies or similar is strictly necessary for the specific service requested by the user, a website doesn't have the obligation to obtain their permission.
As a side note: cookie management is just A PART of RGPD, that is based on personal information. So RGPD implies to inform the user about the ways their information is used, how it can be accessed, modified, deleted and so...
Given that OP's username starts with Olivier, I assume they're French. The French name is Règlement Général sur la Protection des Données. You just get used to your native language's abbreviations.
My guess is they are a native speaker of some Romance language, and that is the acronym in their native language, perhaps French based on username and what little I know of French.
It's not only the French, would be the same for the Portuguese, for example. English is an official language of only two EU countries, if I'm not mistaken.
Isn't it inconvenient and search result partitioning to use this? I haven't come across/noticed it before. In English for example we use the French order acronym UTC, not UCT or CUT. (Though to be fair in the UK outside of a computing context we mostly use GMT.)
It's my understanding that we use UTC because it favours neither the English nor the French. English wanted CUT, French wanted TUC, so UTC was chosen to favour neither.
I generally prefer when we agree on a spelling, even if it isn't in English. CERN is a good example of this, no English speaker in their right mind would call it ECNR.
It's not enough that you "want to". You have to weigh your interest and that of the users against each other and would probably come to the conclusion that you can process that data for that purpose without consent if you aggregate it.
Why? Just store lists of bought product ids in its own database, then compute some statistics on it. Zero customer or user involvement is needed in that process.
So is that tracking or not? It's definitely storing personal information, so it feels like it counts, but surely the intent is for a self-contained order database to get a pass on this? Maybe not.
Although these things are called "cookie banner", it doesn't matter whether you need/use cookies or do it server-side. It's about the data that is being processed and the intent, not the technical implementation.
What if you could only buy bundles of goods which are dynamically generated (and look like a basket to the user) and the seller just shows frequently purchased bundles or combines subsets of these? Curious where to draw the line.
I think the vast majority of sites that use cookie popups DO need to do so because they use targeted advertising. It's only a tiny number that have been 'too aggressive', although I'm personally aware of such an example.
While legitimate interest is one of the possible exemptions to the GDPR blanket ban, a legitimate interest justification must be accompanied by a rights and freedoms test.
> Tech bros love to whine about "The EU cookie policy" that simply doesn't exist the way they imagine it. All these popups are the most radical way to interpret the explicit consent demanded by regulations when sending data to a 3rd party. An ongoing provocation by the ad/tracker industry to blame their ruthless data hoarding on the EU.
It’s also fast. I clicked the don’t allow button and it responded instantaneously. Many cookie banners are (probably purposely, at least when you choose don’t allow) slow as hell.
> That one's pretty much the optimal implementation though.
It's strictly performative, they're setting session and tracking cookies without consent. Whatever you click on their "consent" (or if you click at all) is irrelevant and has no effect on the cookies being set. It's been that way for a long time and nobody cares (I've reported it before and never got a reply).
It's a classic "do as I say, not as I do". Rules are for us, not for them.
After navigating for a couple of pages in incognito (without clicking on any option on the banner) I see two cookies set: one which I suspect tracks if I accepted cookies or not, and one that tracks the fact that I closed the EU/European Commission survey. I'm not sure what you're seeing, or if you're thinking that these two are not OK to be set.
If you click on "how we use cookies" you'll see the reason is 3rd party services outside of the control of the EU (like embedded YouTube) that they are using on some of their pages.
Yes that's the joke. The law was meant to discourage the use of "non essential" cookies on the assumption that people would rather stop using them than put up annoying banners, but even the EU org itself thinks that YouTube embeds are essential.
> I believe there is also a lot of "cargo culting" where site admins copy what everyone else is doing without understanding the legal background.
And an entire industry with companies like TrustArc built on pitching and selling this crap even if not required and/or if their solution wouldn't achieve compliance anyway.
Indeed. I have many times mentioned this with business/product owners in my organization - but it is a nasty mix of complicated laws and regulation, pressure from legal, and a mentality of risk-minimizing. I usually only mention it in passing because fighting the requirement (which often is not actually needed) would take all my time and several weeks/months. I don't really care in the end.
> At GitHub, we want to protect developer privacy, and we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really.
Your Product Owner / Team must push against the ever-growing demands of Marketing Team. If the Marketing Team dictates what features Product should build instead of selling your product, then you are doomed. Saying yes to having a cookie banner is sadly an easy bargain for Product Team.
> small players who can’t afford to spend time or money in understanding these things
Most of them can afford it, since it's part of the cost of doing business. Most European businesses were already regulated by similar rules with the Loi informatique et libertés in France, and the Datenschutzgesetz in Germany. But since the maximum fines were smaller, everybody was breaking the law.
The main issue is not that they can't afford it, the issue is that they don't want to do it.
I've worked for 3 different small businesses which were happy to use free-of-charge AGPL libraries in their main SaaS product. And when I mentioned that we should remove AGPL libraries or release our entire codebase under AGPL, what I got was "we'll look into this later".
This is not "I can't afford it", this is "I'm too lazy/incompetent to make time for it".
I think it boils down to how service providers can manage the inconvenience. Since sites can pass the blame to the EU for the cookie things, and they can create a nice shiny button that makes the inconvenience go away in an instant, cookie modals are a good solution. They can perform that they are giving the users options for privacy, and also absolve themselves from the burden of the EU regulation, with one simple click on the Allow all button.
I also think that users don't mind the inconvenience too much. Complain, yes, but they are not really choosing a website that doesn't have the popup over a website that does. And so, businesses have no real incentive to change their ways.
The regulation is much easier to understand and comply with than many other laws you already need to comply with (taxation, etc.) that nobody seems to complain about.
The problem isn't the complexity of the regulation, it's that entire businesses and careers have been built on the fact that spyware became decriminalized in the last decade and they are fighting back with misinformation to try and preserve this status-quo.
Small companies have less code and complexity but don't have internal resources specialised in law, security and web development available to fix things.
They usually also don't have the money to bring outsiders to do it for them.
> Small companies have less code and complexity but don't have internal resources specialised in law, security and web development available to fix things.
When you clamp all those things together, this sounds like a great burden. Please tell me, how these poor small businesses comply with, you know, actual laws, rules and regulations that they have to comply with? By breaking them?
GDPR for small businesses is much easier because small businesses depend on much less data, and often don't even need to collect any (much less sell it to third parties).
> When you clamp all those things together, this sounds like a great burden. Please tell me, how these poor small businesses comply with, you know, actual laws, rules and regulations that they have to comply with? By breaking them?
Most of the time they don't.
Ever wonder why food health and safety inspections discover serious issues in basically all restaurants they inspect?
It's because people owning and operating restaurants usually aren't knowledgeable enough about these topics, don't have the time or don't have the money to do things differently, or all three at the same time.
Most restaurants stay in business because the inspections are generally pretty lenient (issue warnings and don't close the business down) and are also understaffed compared to the number of businesses that have to be inspected.
This is a simple example and I'm purposefully targeting a part of the law (food health and safety) that is directly linked to the core business (restaurants).
I'm not even going into issues that could be found in other areas (accounting, human resources, etc.) of said business.
Now let's try to imagine how a restaurant is going to approach GDPR compliance.
> Ever wonder why food health and safety inspections discover serious issues in basically all restaurants they inspect?
As a person whose mother has worked at restaurants for over 40 years, and whose best friends owned a restaurant for close to 20, I can tell you that those "serious issues" and "all restaurants" are FUD.
> Most restaurants stay in business because the inspection are generally pretty lenient (issue warnings and don't close the business down)
So you write this ^. And then you immediately go on to write this:
> Now let's try to imagine how a restaurant is going to approach GDPR compliance.
It will be the same: they will get it wrong the first time, get issued a warning, fix it, and carry on.
Don't forget that those poor hapless restaurants also have to deal with:
- handling money
- taxes
- accounting
- labor laws
- zoning regulations
- smoking regulations
- fire regulations
- contract laws (because they have contracts with many external parties)
And this is why your "most of the time they don't comply" is bullshit: they do comply, most of the time. And when they don't, they get issued a warning, fix their shit, or go out of business. This is no different.
And yeah, small business (or any business for that matter) really has no business collecting my private data, and selling it to third-parties.
> As a person whose mother has worked at restaurants for over 40 years, and whose best friends owned a restaurant for close to 20, I can tell you that those "serious issues" and "all restaurants" are FUD.
"Among restaurant inspections with a total score of >80, at least one critical violation was cited in 44% of those inspections"
Now imagine which percent of restaurants would fail if we also included failures to comply in other subjects?
> It will be the same: they will get it wrong the first time, get issued a warning, fix it, and carry on.
No, they will most likely never be inspected because there are far too many businesses to control and thus will never implement or fix their practices.
> And yeah, small business (or any business for that matter) really has no business collecting my private data, and selling it to third-parties.
They have just as many rights to do it as large companies
> Now imagine which percent of restaurants would fail if we also included failures to comply in other subjects?
And your point to all this is?
> No, they will most likely never be inspected because there are far too many businesses to control and thus will never implement or fix their practices.
Funny how it's not far too many for the health inspectors, and tax agencies, and ...
> They have just as many rights to do it as large companies
Exactly: zero. Edit: that is, zero right to collect any personal data beyond what they need for the service. And definitely no right to siphon and sell it to others with reckless abandon.
Small businesses are already not able to comply with core business regulations, so obviously they won't have the time and resources to comply with the GDPR compared to large companies that have specialised in-house talent and the financial means to do so.
> Funny how it's not far too many for the health inspectors, and tax agencies, and ...
It absolutely is.
Taxes are basically based on people voluntarily complying because there are absolutely not enough inspectors to detect most frauds.
> Exactly: zero. Edit: that is, zero right to collect any personal data beyond what they need for the service. And definitely no right to siphon and sell it to others with reckless abandon.
That is your opinion and it doesn't match what the law allows for.
This is correct. Bad UX with modal popups and very ambiguous/deliberately vague verbose language designed to make you click some ok button are a choice not a legal requirement. Being deliberately obnoxious is of course a weird choice if you are trying to actually get people to engage with your website.
The more obnoxious the UX, the less you should trust websites to do the right things when it comes to your privacy and rights. If someone puts a "reject all" button in the cookie thing, I click it on principle. Every time. I go out of my way to find it and click it. The harder websites try to hide that button, the harder I try to find it and click it. It's usually there.
But you have to wade through a lot of bullshit and deal with some offensively stupid UX to get to that button. I'm not going to micro-manage all the various ways you want to sell my data / abuse me. Does anyone actually do that? The engagement on UI like that must be absolutely terrible. What does that say about your brand if you are trying to be deliberately misleading, manipulative, and offensive like that? It's not a good look.
Advertising your web design incompetence and malice/corporate stupidity like that is a choice. A bad and odd choice. But it's a choice. The more visually offensive the cookie experience, the less likely I am to provide consent and the more annoyed I get. It's that simple. Maybe I'm weird. Or maybe lots of people are exactly like me and don't provide consent either. So why even bother with this level of abuse?
I also have an ad blocker (I don't even remember the web before ad blockers), I use Firefox containers, and Firefox cleans up cookies and blocks trackers really aggressively. So, not only is this stupid. It's also futile.
Dark patterns aren't actually a valid approach of complying with the regulation - if you do that, you may as well just track and collect data without consent, because any consent obtained by misleading or annoying the user does not count as valid anyway.
> So stop blaming "the EU" and ask yourself if this is the internet we want.
...Yes, that's exactly the internet "we" want. I don't get why it's so hard to accept that people simply dgaf about privacy, and much prefer free products online paid for by ads. And there is nothing wrong with that, because for those that actually care about privacy, there are plenty of tools.
When you say "many, many" I take that to mean "a substantial proportion" and I think you may be making the mistake of estimating your proportions from the population of people in tech forums, rather than from the global population of internet users.
I know next to nothing about the "global population of internet users". I know a fair bit about the EU population and I can assure you that it's a very substantial proportion.
To anyone that doesn't agree with me, please show me your rooted android phone that has no popular apps installed that collect any data, and doesn't use a sim card.
Because if you say you give a fuck about privacy, and use a modern android phone with OEM rom or an iPhone, you either don't understand what privacy is and shouldn't be talking about it in the first place, or you are a hypocrite.
I don't live in a heavily fortified home only accessible through a drawbridge but still give a fuck about the privacy of my little city flat that you could probably enter with a heavy kick.
A more applicable analogy is that you want to have locks on your door to prevent unwanted visitors, but the people that built the building have a master key so that they can come in whenever they want, take pictures, install cameras/microphones. But that's ok, because they are the only ones that are collecting data, and they say they are "privacy-first".
But thanks for proving the "not understanding what privacy is" part of my post.
I have given my landlord a key recently so that he can check the smoke alarm and take the water meter reading while I'm at work. I trust that he didn't install a hidden camera even though nothing could have stopped him apart from "being a decent human being" and "not wanting to commit a crime". Not every protection needs to be on a technological level. I'd rather live in a society where we have other tools available than one where I have to take each and every matter into my own hands. This is what my analogy showed.
Your analogies are really poor. Not only do you not understand the level to which Apple or Google or your carrier can read the things you do on your devices, and how little control you have over that, but you are ignoring things like the big celebrity iCloud hacks.
For the sake of not playing an analogy war, let me just say this: if you use a modern device with an OS made by Microsoft, Google or Apple (or a derivative of one), you are implicitly consenting to a very large amount of personal data collection, which you have no control over. If you choose to trust those entities for whatever reason, that's totally fine, but your particular selection of trust isn't "correct" in the sense that it should apply to everyone, because it has no concrete objective basis. And therefore, you shouldn't base what you think the law should be on it.
One necessitates the other. Anyway, arguing that anyone who cares about security can trust society to protect them but those who care about privacy should not, is a really poor argument.
It all depends on your assumed threat model, but also not conflating privacy and security, but remembering that compromised privacy may also compromise security. Not everybody's requirements are the same.
Someone can give a fuck about privacy in the areas they can, while not going overboard or trying too hard, you know. What you are describing is no true Scotsman nonsense. “You dgaf about privacy unless you wear a balaclava all the time”.
It’s also possible they understand the trade off with privacy wrt, say, Google and their ISPs/mobile providers, versus the trade off with random websites on the internet.
There are no "areas" here. What you do online is tracked if you use Windows, macOS on a laptop or phone, or Android. Who is tracking that is irrelevant. Claiming that it's ok that Apple gets your data, a company who literally allowed the iCloud photo hacks to happen, but not 3rd party advertisers is like Olympic level mental gymnastics.
It is absolutely relevant; it is arguably the most relevant question. It lies at the basis of the entire concept of "threat model" in security.
The police wants to track you to investigate you as a suspect in a crime. Facebook wants to track you to know who you are talking to. Amazon wants to track you to learn what you might want to buy. The Chinese government wants to track you to know if you might work for or against it. And so on.
I, like most people, give wildly different amounts of shit about every single one of these agents, and take different levels of precautions as a result.
I don't buy the argument that you don't want Amazon or Facebook to track you, but you are ok with Apple or Google tracking you.
In case it's not clear, because I'm really doubting that people have a good grasp of privacy here, when you buy an iPhone, it phones home quite a bit collecting pieces of data about you that Apple can and does use internally for their advertising purposes, and you cannot opt out of it.
You don't have to buy it, I'm gonna give it to you for free: I don't want Facebook tracking me, because I don't like them and don't trust them. OTOH I don't care if Google tracks me because I am an actively paying user of Google on a contract. I also don't care if Apple tracks me because they have a much cleaner track record.
Ah yes, the "internet we want", where ad geniuses will spam you for the same thing you just bought off Amazon and mobile sites turn your phone into a hand warmer with all the ad crap they have to load and all the 3rd party cookies they add.
And yet, before GDPR, when all of this was happening, those sites still saw an increase in visitors and still made money, because people learned to ignore the ads since the design of the core website was pretty good and ads were not obtrusive to the user experience.
And yet, before the FDA was allowed to regulate baby food, baby food producers in the US saw an increase in buyers and still made money with their product with arsenic and lead content above the dangerous threshold for adults.
Those new regulations will probably increase the price of baby food, and people obviously didn't care about the heavy metal content, so why regulate at all?
I'd say "way before GDPR" we had a local maximum with the initial AdWords experience, where those ads were pretty unobtrusive and there was limited .js spam
"They still made money" sure, on top of externalities.
And now they realize, with some help from Apple and Chrome, that this business model has a limit.
This is not how civilized society works. Taken individually, people don't care about a million things, yet regulators have to take care of those things on behalf of everybody else.
Just because you don't understand the ramifications of something it does not mean nobody else understands it.
Taking care of those things would involve an actual solution that works, which would require people understanding the technical aspects of the problem, which would require those types of people running for office and getting elected.
When that happens, then we can talk about responsible governance in this regard. GDPR was a direct response to Trump campaign shenanigans, as a tool for politicians to capitalize on appearing to be better than the US. It had nothing to do with protecting people. If GDPR outlawed 3rd party tracking outright, then you would have half an argument.
As long as it is informed consent that people don't care about privacy.
Uninformed consent is the tricky part. Medicine has to constantly deal with the fact that a lot of people dgaf about what medicine or brand of medicine is given to treat a specific illness. They just want to get better. Is there something wrong with doctors that just don't inform or get consent? Patients that actually care about specific medicines can look it up.
I don't understand why it isn't solved in this way:
You get a banner on your first visit, with a list "here are all the cookies and ways how we use your data, if you are not fine with it, please leave this website"
This should be an option for small private websites (different rules for FB, Google and alike), because no one forces you to use a site, same as "my house, my rules"
Because that is very explicitly illegal. Consent to harvest personal data that isn't necessary for pure access to the site must not be used as a condition of access.
The issue is that there is too much money to be left on the table advertising wise, so instead you are going to see every way to get around anything GDPR that is going to progressively shit up the internet.
In the end, you can be tracked without cookies using fingerprinting, and AI will make this job easier and easier. So the banner is pretty much irrelevant technologically. You will also see companies that make popular browsers include features in the browsers for advertising purposes that will make cookies irrelevant - i.e. you give consent, otherwise the browser doesn't work at all or on websites with relevant content.
Best thing to do is really just to let it all go IMO. It's really not a big deal. Between things like VPN and all the privacy tweaking you can do in Firefox, if someone wants privacy they can have it.
Nitpick: none of those dark patterns "get around" the GDPR - they merely get away with it due to a (hopefully temporary) lack of enforcement. GDPR explicitly disallows annoying the user into accepting and tricks such as hiding the decline button, etc.
> So the banner is pretty much irrelevant technologically
That's why the GDPR doesn't explicitly target cookies or a specific means of tracking but rather the collection and processing of personal data, regardless of technical means (a hypothetical crystal ball that actually worked would also fall in scope).
> Between things like VPN and all the privacy tweaking you can do in Firefox, if someone wants privacy they can have it.
Even if, let's assume, there was a way to truly be anonymous and defeat all fingerprinting, how are you going to do business on the internet? At some point you will need to enter personal data, whether it's to buy something, sign up for a real-world thing, etc. No amount of VPNs or plugins will save you if you enter your delivery address because you bought something.
GDPR or similar legislation is the only way around it - you should be able to enter your delivery address without consenting to it being used for malicious purposes such as advertising.
The point is to allow someone the option to defeat all fingerprinting if they want to. The consequences of that are up to the companies - if they don't want to sell you something because you are anonymous, they have the right to reject your browser requests. That's an important cornerstone of capitalism.
Even with limits on collection/processing of personal data, because the legislation was made by non-technical people, there are always ways around it. For example, let's say a company has an advertising ML model that they use that essentially identifies visitors by fingerprint and maps them to some advertising targeting. They can train that model and throw away the training data, and then hand that model off to any regulator that is going to have no idea what to do with a bunch of floats in matrices, and claim that there is no user data stored in there, and nobody could prove otherwise.
> if they don't want to sell you something because you are anonymous, they have the right to reject your browser requests. That's an important cornerstone of capitalism.
Maybe in a perfect world where healthy competition is a thing. But (potentially due to under-regulation elsewhere) that's not what we have in practice - for a lot of services, you only really have a choice between a handful of providers, and you're out of luck if they all decide to stalk and spam you.
Competition is not currently an effective solution to data protection, so something else was needed. The GDPR's approach to it is to outlaw personal data and spam as a payment method - you can't make non-functionally-required data processing mandatory for using a given service or product. I think it's a good approach - less spam, tracking and incentives for hoarding personal data is always a good thing.
> They can train that model and throw away the training data, and then hand that model off to any regulator that is going to have no idea what to do with a bunch of floats in matrices, and claim that there is no user data stored in there, and nobody could prove otherwise.
At least in theory, the regulator should be able to see through that scheme. But even if, let's assume, they actually did train an ML model and got away with it, the GDPR mandates that users should be able to decide how their personal data is processed, so they can just not opt into targeted advertising, and their personal data must not be processed using that model. The model can be there, it'll just sit unused.
Article 21 of the GDPR allows an individual to object to processing personal information for marketing or non-service related purposes. This means the data controller must allow an individual the right to stop or prevent the controller from processing their personal data.
There are some instances where this objection does not apply. For example, if:
1. Legal or official authority is being carried out
2. "Legitimate interest", where the organisation needs to process data in order to provide the data subject with a service they signed up for
3. A task being carried out for public interest.
2 is the key here. Make an entire ML model that generates a website layout based on the request, claim it's core business logic, oh and btw, it just happens to load advertisements from companies based on this contextual data, but that contextual data has nothing to do with the user. Look, we don't store any advertising cookies or session data, don't request any either, and here is our model. Investigate it as much as you want, and we don't have the training data anymore because we delete that.
This would be explicitly forbidden by GDPR. You either don’t serve EU customers or allow them to opt out/in. You can’t degrade or deny service based on consent.
Essentially, if I build and host a hobby site, it's my digital property.
You have the right to see what are the conditions to visit (essentially: fetch) it and if you don't agree, you are free to go.
I tried adblock but I turned it off as it was blocking things that weren't supposed to be blocked. Very rarely though. I don't know, it's like I almost don't see the ads, my eyes just scroll past it.
I'm not a fan of attaching third party things that work by reading the contents of what I'm browsing. I'd rather run a DNS based blocker but unfortunately those can't prevent cookie modal monsters.
I see the point in that, but wrt browsing, what counts as a third party? There are a million points where the browsing data leaks already; running the most trusted adblocker extension doesn't really change that. ISPs track and sell DNS and other metadata, VPNs do god knows what, each website is a third party basically, every website with a Facebook Like button reports your visit to Facebook, most websites are using a large CDN like Cloudflare, some browsers use their own CDN / service to do things like compress images, ...
In the sea of all these things happening, the user is much better served with uBo than going in without it. It gives the mind some peace not seeing all the advertisements, for one.
Except from the usability and privacy perspective the EU cookie rule is objectively bullshit. Don’t require notification for every fucking site I visit. Also there are no circumstances where “functional cookies are required”. Painting a webpage doesn’t require a cookie.
If you really cared about customer privacy you’d make a rule that allowed me to set my privacy setting in my browser and require the sites to respect it. And one of the options better be “none ever, just do what you can without it”
What moron thought the current rules were sane? What a useless waste of air to defend an obviously broken and constantly annoying and useless rule.
In conclusion a four year old could have come up with a better rule. So stop whining about people’s legitimate objections.
> "To make this very clear: user/visitor consent is only needed for data going to 3rd parties."
I think this statement is categorically false. Art. 6 GDPR (https://gdpr-info.eu/art-6-gdpr/) lists exhaustively the reasons for lawful processing of personal data, which applies not only to cookies, but also IP addresses etc. The "cookie consent" addresses Art. 6 Point 1(a). Whether third parties (data processors) are involved is irrelevant, e.g. if I need to transfer personal data to my accountant, it falls under b, c (or d).
Agreed. It isn't the third party that is the issue - it is the separate purpose.
For example, if I access a web page, I'm giving my IP address to the server, so that it knows how to send the data I just asked for back. That IP address is personal information, but it is necessary for the server to fulfil the purpose of the task I just asked for. That server also gives the IP address to a third party - the router in between it and me. That's also necessary, because otherwise the packets can't be routed, and it's fine legally.
However, if the company running the web page were to take that IP address and store it and use it for deep analytics, matching my request up to other requests from the same IP address, then the personal data has not been handed over to a third party, but it is being used for a purpose which requires consent, and would be illegal unless that consent had been obtained. That data use isn't necessary for the original purpose of the task I asked for, which is to serve me a web page - it is a separate purpose.
Wouldn't that depend on perspective? Wouldn't the router's, e.g. Cloudflare's, purpose be to ensure fast delivery and that it's not an attack?
Both require capturing the ip address and analyzing behavior. A faster road where no one wants to go isn't a faster way, so the router needs to capture it so they know where to build their roads.
> However, if the company running the web page were to take that IP address and store it and use it for deep analytics
Or, in fact, sending off to Google Fonts. As a German court case reveals, that is considered sending the IP to Google -- breaking GDPR since it is done without consent on first launch of the site.
Toot author here. Yes, the complexities are tough to explain in a few toots. But as an abstraction it is valid IMHO. As per the GDPR and ePrivacy Directive, a website must ask its users' consent to use cookies that are not necessary for accessing the website's functionality. All third party cookies typically fall under this rule. 1st party cookies that do not collect PII (Personally Identifiable Information), like simple session cookies, are exempted from consent.
I use Matomo on Wordpress. Turned off cookie based tracking. It means sometimes a revisiting visitor cannot be discriminated from a new one. I don't care. But, now he is saying, I can enable the cookie if I want, without needing the consent banner?
And what about a privacy page? Indeed it does make whipping up a blog or so more complex. Although I usually use Hugo or WP, keep them vanilla: No cookies required for just viewing content.
I thought GDPR regulated the cookies that websites are allowed to request to store on users devices. Does it also cover tracking built into browsers by Google, Microsoft, etc.?
How would the browser discern between legitimate 1st party cookies and illegal privacy violating ones? It's not a technical problem, it needs laws.
And for GDPR and other privacy rules, cookies aren't even a thing. The laws don't care about the medium you use. They apply beyond technicalities. For instance you could track IP addresses and a browser would have no way to stop you. GDPR makes it illegal without involving new crazy tech.
GDPR and those data processing consent flows are about data collection and processing in general and not a specific technical means of doing so - it would also apply to IP addresses, browser fingerprinting, information manually entered (such as delivery address when placing an e-commerce order) or a hypothetical crystal ball that actually worked.
Both CloudFlare and Jetpack on WordPress insert a tracking cookie as a part of using their service, right? (I may be wrong, things may have changed)
For a lot of folks, that's what they have to use, otherwise delivering the page resource-wise isn't viable. Ergo, they need those banner popups to be in compliance, right?
It depends on what the cookies are being used for. If they're "essential for site functionality" (e.g. fraud prevention) then consent is not necessary.
Well, here's the thing though, it could be argued that they are essential for site functionality (if you conflate functionality with availability for example), however, you are revealing the IP of the user to those third-party services, which is no bueno.
However, CloudFlare is an odd one. They're also the reverse proxy and DNS for the site, ergo they can collect that IP if they intend to, which they apparently don't.
Where is the line drawn? If an asset loaded via a third-party CDN is "leaking the IP", surely CloudFlare also is? Surely any kind of DNS is?
I'm asking big questions, I know, but have always been curious, and have been waiting for a good opportunity to put them in front of others.
What we did was basically ignore GDPR and send a mail to our watchdog about the points we weren't sure would pass as legitimate use.
Basically: if you in good faith think it's legitimate, it's probably legitimate. The watchdog will propose you ways to remove PII from your data if they think you're misguided, and they drafted us an architecture that worked for data protection (like half a day of work for an architect, I think they already have these kinds of drafts as our issue was quite common). We spent 20 minutes to write the email and basically earned 500$ (or whatever the cost of half a day of an architect is). We also had prior contact with the watchdogs for unrelated reasons (trying to get certified to handle sensitive data).
The vast majority of people DO NOT care about cookies nor do they care about trackers.
However, there is a very real productivity loss with all the cookie prompts - both trying to implement them, getting around them, and the billions of people who have to click on them every single day.
You’re missing the point of the article. The banner is only needed if your business relies on handing over info about the user to 3rd party. And yes, it’s reasonable to make sure user knows about it. The fact that these pop ups are annoying is the fault of the creator, not the regulation.
Try accessing Apple.com or iCloud.com. No cookie pop up, yet one of the most successful businesses in history. You don’t have to be annoying
What info? My IP address and the pages I've visited inside their site? By visiting a site I know I'm giving that info to them, they can do whatever they want with it.
Why is it a stupid law? Why should businesses be free to look up the IP and figure out who is looking at their page? An IP can reveal a lot of information, especially if there's servers hanging off of it.
GDPR is not a complex law no matter how shady businesses and clueless devs are trying to tell you. It's also been in effect for 7 years. You'd think it's enough time to have at least some clue on what it's about.
And yet we still have these inane threads on HN claiming it's about cookie popups, and people having no idea what info trackers collect.
> vast majority of people DO NOT care about cookies nor do they care about trackers
I highly doubt that. Do give people simpler ways to opt out of all tracking, and they'd happily choose that. Currently we have two problems: 1) The consent button is one click for cookies, the other is several clicks away. 2) The layman does not know how to choose a setting to always opt out of tracking.
I've got an easy one for you: stop embedding google analytics and others. You don't need a cookie banner when you only have operational ones or better yet, none at all.
You can have GDPR-compliant analytics, like what Fathom does.
I also built my own analytics solution that simply shows me my blog article reads per day, week, month, and year (that is all I care about). It's a simple bit of JS that sends a request to my endpoint when the user spends 30 seconds on a page with an article. I also do some light user agent filtering (no "curl" or "python" in the agent string, for example).
I might start logging the referrer in the future to see where my traffic is coming from. However, I am very far from needing cookies or a GDPR notice. I doubt there's a need for cookies at all for most analytics. Even if you wish to track user flow in your website, you can do it with IPs (or hashed IPs to not store the actual IPs) only. An IP is unlikely to change while a user is browsing the website.
It seems to my mind that we only see so many GDPR notices because many websites use dinosaur software like Google Analytics that hasn't been keeping up with the times.
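The comment above describes a cookie-less read counter: a 30-second ping from the page, some user-agent filtering, and hashed IPs instead of cookies to tell visitors apart. The block below is an added example of that receiver side in Python; it is not the commenter's code, and the endpoint name, the bot marker list and the sample pings are all constructed for the example. It goes one step beyond the comment on the "hashed IPs" point: a plain sha256(ip) is not anonymous, because the IPv4 space has only 2^32 addresses and can be hashed exhaustively in minutes, so the example keys the hash with a per-day random secret that is never stored. Visitors can then be de-duplicated within a day, but nothing survives that could be reversed to an IP or linked across days.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict
from datetime import date

# Constructed deny-list of user-agent substrings treated as non-human traffic.
BOT_UA_MARKERS = ("curl", "python", "wget", "bot", "spider")


def is_probable_bot(user_agent: str) -> bool:
    """Cheap user-agent filter; it misses anything that spoofs a browser UA."""
    ua = user_agent.lower()
    return any(marker in ua for marker in BOT_UA_MARKERS)


def visitor_key(ip: str, day_secret: bytes) -> str:
    """Per-day pseudonymous visitor identifier.

    A keyed hash (HMAC) is used instead of sha256(ip): with only 2^32 IPv4
    addresses an unkeyed hash is reversible by brute force and would just be
    the IP in disguise. With a secret generated fresh each day and never
    persisted, the key can neither be reversed nor linked across days.
    """
    mac = hmac.new(day_secret, ip.encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:16]


class ReadCounter:
    """Cookie-less counter of article reads per path and day."""

    def __init__(self) -> None:
        # One random secret per day, created on first use, kept only in memory.
        self._secrets = defaultdict(lambda: os.urandom(32))
        self._reads = defaultdict(Counter)       # day -> Counter(path)
        self._referrers = defaultdict(Counter)   # day -> Counter(referrer)
        self._seen = set()                       # (day, path, visitor_key)

    def record(self, ip: str, user_agent: str, path: str, day: date,
               referrer: str = "") -> bool:
        """Handle one 30-second ping. Returns True if it counted as a read."""
        if is_probable_bot(user_agent):
            return False
        key = visitor_key(ip, self._secrets[day])
        marker = (day, path, key)
        if marker in self._seen:        # same visitor, same article, same day
            return False
        self._seen.add(marker)
        self._reads[day][path] += 1
        if referrer:
            self._referrers[day][referrer] += 1
        return True

    def reads(self, day: date, path: str) -> int:
        return self._reads[day][path]

    def referrers(self, day: date) -> Counter:
        return self._referrers[day]

    def end_of_day(self, day: date) -> None:
        """Drop the day's secret and seen-set; only aggregate counts remain."""
        self._secrets.pop(day, None)
        self._seen = {m for m in self._seen if m[0] != day}


def demo() -> dict:
    """Run constructed pings through the counter and return the totals."""
    c = ReadCounter()
    d1, d2 = date(2024, 1, 1), date(2024, 1, 2)
    firefox = "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
    pings = [                                   # constructed sample traffic
        ("203.0.113.7", firefox, "/post/a", d1, "https://news.example/"),
        ("203.0.113.7", firefox, "/post/a", d1, ""),       # reload, same day
        ("203.0.113.9", firefox, "/post/a", d1, ""),
        ("203.0.113.7", "curl/8.4.0", "/post/a", d1, ""),  # filtered out
        ("203.0.113.7", firefox, "/post/a", d2, ""),       # new day, counts again
    ]
    counted = [c.record(*p) for p in pings]
    c.end_of_day(d1)
    return {
        "counted": counted,
        "d1_reads": c.reads(d1, "/post/a"),
        "d2_reads": c.reads(d2, "/post/a"),
        "d1_referrers": dict(c.referrers(d1)),
    }


if __name__ == "__main__":
    print(demo())
```

The same-day de-duplication is the only thing the IP is used for, and `end_of_day` throws away the key that would be needed to recompute it, so what remains on disk is a count per article per day and a count per referrer. Note that a full referrer URL can itself carry identifiers (query strings, user-specific paths); if referrers are logged for real, reducing them to the host name before counting keeps the same "where is my traffic coming from" answer with less to protect.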
> many websites use dinosaur software like Google Analytics that hasn't been keeping up with the times
Or maybe has a conflict of interest, and its true purpose is to act as spyware on behalf of Google? Google absolutely has the skills to build a GDPR-compliant version if they wanted to.
The problem is that they aren't in the business of giving away free stuff. GA is only free because they need to give you an incentive to deploy their spyware - they'll happily let you in on (some) of the data they collect in exchange for you spreading it.
They could probably spy on users in a GDPR-compliant way. GDPR isn't about not tracking users, it is about protecting their personal data. All that analytics providers must do in principle is make sure to never associate certain types of data (phone numbers, names, addresses, and similar) to the user fingerprint they use for advertising.
As far as I understand (and I could be wrong), the cookie notices exist because analytics providers do not guarantee that this personal data won't be associated with the cookie fingerprint in their systems. Cookies themselves are only mentioned once in relation to this in the GDPR text:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
If the advertising ID/fingerprint was kept unassociated with personal data capable of identifying a natural person, there would be no need for the cookie notice in my understanding. However, I am not a lawyer.
Well, I'm glad I don't use GA on my personal site, then, even if it means I have no idea what traffic levels it gets. GA is incredibly popular though - I would guess the vast majority of blogs etc. use it and have no consent to do so.
Anonymization (if you actually believe Google despite their conflict of interest and previous GDPR breaches) still happens on their server, so the IP address (which counts as personal data) is still transmitted there.
I guess you may actually make it truly anonymous from a GDPR point of view if you proxy all calls through your own server and strip out anything that can be used to reidentify a user - so no IP addresses, session IDs, etc.
At least part of the intent of the law was that websites would reduce the amount of tracking if they have to explicitly ask for consent. You can build your website with just functional cookies (session cookie, storing preferences like dark mode, etc) and cookie-less tracking, and go without any cookie popups.
Somehow the industry decided it's better to annoy your users with consent for 50 different trackers with the most in-your-face popup possible to cause users to reflexively hit consent instead.
> Somehow the industry decided it's better to annoy your users with consent for 50 different trackers with the most in-your-face popup possible to cause users to reflexively hit consent instead.
GDPR actually has provisions against this kind of malicious compliance - the problem is a chronic lack of enforcement, despite it being trivial to detect with a web crawler.
Of course the simple solution that we all know is to not collect the damn data in the first place. But marketing boffins the world over will never willingly do this unless it’s enforced by law, so we’re left with the user’s taking on the burden of clicking deliberately confusing stuff and not knowing whether they’ve ended up consenting or not.
Also, accepting them cookies is one single click, but rejecting them feels like entering the dark realm with multiple options and not knowing where to click. I am a software dev but still have to use just enough mental resources to reject all of the non essential ones. How the fuck is this legal.
It is not legal for webs to make rejecting cookies more complicated than accepting them.
In fact, the French data protection authority CNIL has issued orders to around sixty players that do not make refusing cookies as easy as accepting them. They have also fined companies such as Google and Facebook for making it harder to reject cookies than to accept them. The CNIL has ordered these companies to provide a means of refusing cookies as simple as the existing means of accepting them.
Also, under GDPR, it is not legal for websites to make rejecting cookies more complicated than accepting them. In May 2020, the EU updated its GDPR guidance to clarify that cookie walls do not offer users a genuine choice because if you reject cookies you’re blocked from accessing content. It confirms that cookie walls should not be used. Companies such as Google have introduced new options to reject tracking cookies in Europe after their existing dialog boxes were found to be in violation of EU data laws.
Now what I don't know is if users outside of EU get the evil-twin version of those popups when visiting websites. My experience browsing the www is just not as bad as many people describe because I usually get a "reject all" button or when "managing" the cookies, they are all disabled by default and I can simply save the options.
People are definitely aware of them. The trouble lies with how easy opting-out is. Many websites have included options to just opt for the "compulsory" option. The only concern now is how many of them would willingly provide that option.
Most people do not care because they don't really see/understand how it affects them. Just like most people probably don't care about HVAC regulation, welding regulation for systems under pressure and other very technical fields.
They will see the issue and care about it when something happens. We have a lot of regulation about welding under high pressure because we know from experience what happens when we have no rules (things go boom).
What happens when we have no regulation about trackers? We get massive data leaks from poorly secured data hoarding companies (hello Equifax). This is dangerous in many many ways: identity theft, scam & spam, identifying people with certain political views, from a minority of some sort, etc...
GDPR does not solve all these issues, some companies can still hoard massive amounts of data about you (it is always scary to ask for a data extraction from Meta, Twitter, ... and see how you have a "profile") and have bad security, but it does limit how many hands this data circulates in and how easy it is to gain access to.
> To make this very clear: user/visitor consent is only needed for data going to 3rd parties. All cookie laws, including GDPR and CCPA, allow essential first-party cookies to be exempt from collecting user consent before performing their actions. So your session tracking cookie on your site DOES NOT need a consent popup AT ALL.
Most consent dialogs can be avoided, were it not that the surveillance capitalist services need your data, and shove these dialogs full of deceptive design in your face. In hopes to have as many people as possible complain about the regulations, and use that pressure to lobby them away again.
My bank doesn't use 3rd party cookies, but they have a modal wall you have to click through anyway that explains that they DO NOT use cookies.
This is insanity. Their explanation is that users are so accustomed to these cookie walls that a site without one would feel suspicious and unsafe.
I very much blame the EU on this, because the EU policy has solved NOTHING, tracking still happens just as before, except now users just have to go through more friction. Of course I am also pissed at the websites and entities that sell my data, but that is irrelevant to my gripe with the EU.
Superficially, the banners appeared due to how the law was made and how it's implemented. The noble intention is one thing and the pragmatic reality is another.
It's correct to blame the businesses for creating the banners but also unfair to treat the matter as if the businesses and the EU are on a level playing field. The EU makes laws - it has cheat codes to achieve what it wants.
It's like defensive driving. You may not be at fault if someone crashes into you but you may have had the power to prevent it.
> 7 years of complaining about it hasn't changed that.
Funnily how "7 years of complaining" was, and continues to be, only about the EU. Not about the predatory businesses creating these banners (often in direct violation of GDPR).
> Or enforce the existing ones.
That's definitely the biggest criticism you can level at EU: they are too slow in enforcing this.
I blame the businesses for destroying the social fabric of the internet, and I simultaneously blame the EU for implementing pointless regulations that do not solve the first problem while making life miserable for its subjects.
Businesses: destroy the social fabric of the internet
Regulation, literally: do not collect people's data without their consent if you don't require that data for services you provide. Applies in equal measure to websites, banks, grocery stores, shit processing plants and nuclear power stations.
...
4ad: I still blame the EU, and it's a pointless regulation.
You seem to think that the EU should be immune from criticism because it tries to do the right thing.
No, when politicians make things worse and absolutely don't solve any problem they promised they will solve then they should be held accountable, removed from positions of power, and replaced with competent people who write better regulation.
Edit to your edit: indeed, the EU is mostly about making people miserable while convincing them it's actually better for them.
Is he right though? I work with affiliate people a lot, and they hate cookie-consent popups. Even when you do all your analytics inhouse with self-hosted matomo, if you want to use a cookie, you need consent is what the lawyers say unanimously. And these aren't "we want you to ask for consent because we secretly want more privacy" lawyers, these are "I get paid to find a way for you to do your tracking in the easiest way possible and I don't care about privacy" lawyers.
> Even when you do all your analytics inhouse with self-hosted matomo, if you want to use a cookie, you need consent is what the lawyers say unanimously
If you use a cookie for Matomo tracking then yes, you need consent. You are using a cookie for a non essential service (analytics), so you need to ask consent.
But that primarily says that Github doesn't care about cookies (or consent), not that you (not being a multinational corporation with an army of lawyers and millions in lobbying spending) can do the same.
I'm pretty sure those cookies are non-compliant if you look at them closely, because none of them are necessary for the operation of the service. a) a default value doesn't need to be stored in a cookie -- and it has to be a default value, because you haven't selected a color scheme or a timezone b) login-state does not require a cookie: either you're logged in and have a session, or you aren't, and you don't, c) there's no reason for a session on the public facing side that doesn't contain any private/individualized data, unless you want to use these session cookies to track users -- and it's only about users as bots will typically ignore cookies.
My money is on "Microsoft knows that cookie consent is optional if you're not a small European company".
So why do even the official website of the European commission and the European parliament have a cookie consent button? One would assume that they are not "capitalist services".
Unfortunately big tech surveillance capitalists (which is different than "capitalist services", mind you) are court suppliers of IT services that EU institutions depend upon.
Edit: And as the sibling said, in many cases it may be restricted to analytics and simple 'reject' suffices, which is at least better than some of the intricate dialog designs.
I mean, you could literally read what their banner says. E.g. EU Parliament:
"We use analytics cookies to offer you a better browsing experience. You have the choice to refuse or accept them. Reject. Accept".
Those analytic cookies are not required for the functioning of the website, and those web sites are required to ask for your consent to gather any additional data.
Having a clear-cut "CALL TO ACTION" dialogue option which presents one positive (don't track me) and one negative (track me) option, people choose the positive one.
Cookies/tracking banners on websites completely obfuscate the choice. The negative option (track me) is presented as the pearly gates to heaven and easy to click. The positive option (don't track me) is presented as a mathematical puzzle where you must know what to click or your dog gets executed.
So yeah people care about not being tracked when presented with clear instructions to which one is bad and which one is good.
No one likes these consent modals, not the EU, not the companies, not the end users.
But they're good.
They're making the negative externality visible. We had developed an ecosystem where as soon as you clicked on a webpage it would spaff your personal data to third party brokers and infest you with tracking across the entire internet. All driven by marketing and sales departments. All driven by a capitalist free market.
The regulations changed nothing other than to make people annoyed by this. Good. Take that anger and direct it against the god damn companies building this stuff, many of the employees of which are on this site. Stop whining about the EU, they're just holding up a mirror to the abject horror of tech.
No, they are not good in any way. Imagine you have to press buttons whenever you start your car and have to give promises you are not going to go above the speed limit...
It's just plain NONSENSE. This consent madness should be implemented in the browser. You set it once, and then you just forget about it. Poof, problem gone. If
I cannot imagine that the legal systems in question would consider setting a consent setting in your browser, once, to be explicit positive and informed opt-in.
It was in the browser (still is?) called DNT, and it didn't work because the industry ignored, circumvented and even actively opposed it.
Your idea has been tried and was found to not work.
Nah, it should be like notifications. You can set a global block on those. Same should apply to these cookie consent things. You set what you want to keep and enjoy a popup free web.
Arguably most of these cookie popups are not compliant with GDPR law anyway as all cookie acceptance has to default to opt out, its only if the user wants to opt in that the data can be collected. Almost all of the popups default the wrong way and use dark patterns including making you wait minutes to avoid the popups.
This is all by design: they will happily show you that popup every time you come to the site, and you'll never see it again if you accept them. When you see such a pop-up you know what sort of entity you are dealing with, one that is willing to fight with the EU and the law to get that data, as well as enormously hurting its customers in preference.
> A 1st party cookie for tracking a session that stays on the site doesn't need consent/popups. All cookie laws, including GDPR and CCPA, allow essential first-party cookies to be exempt from collecting user consent before performing their actions
I'd love to hear some legal or DPA opinion on this.
From what I know, per the ePrivacy Directive in the version from 2009, any access or storage to information on the end user's device needs consent unless that access/storage is strictly necessary for a service explicitly requested by the user. This is known as the “cookie law”, but is not technology-specific and will also apply to equivalent client-side approaches such as LocalStorage, tracking IDs in URLs, or fingerprinting. The consent requirement is also independent of the question of whether the stored information qualifies as personal data.
The GDPR didn't change anything with these rules. It only changed the definition of consent, invalidating “implied consent” approaches like “by continuing to use this site, you consent to …”. Consent means opt-in. Consent must be easy to decline and withdraw, and users must understand what precisely they are consenting to. This has led to a decrease in the percentage of people who consent to the storage of analytics IDs.
So the question is whether we can be considered strictly necessary for a service.
Which, depending on how you read it, might make participating on the internet practically impossible. An IP is considered personal data, so in theory you cannot use foreign infrastructure like a CDN.
Which certainly makes the internet as we know it impossible. An internet where everybody builds tools on their site that everybody else can embed on their site. Because that would mean IPs flowing around between sites.
Which gives a huge disadvantage to Europeans. Because Europeans have to show cookie banners and stuff to everybody around the world. While the rest of the world has to only show them to Europeans. Look at your favorite website through a proxy inside/outside the EU. It starts with an annoying popup only in the EU.
Which cements the stronghold of Google and Co, who 1) only have to bug their European users and 2) have the legal resources to cope with this insanity. Startups and indiemakers don't. So there will be even less of them in the EU. And the ones who exist will have to waste their time on this instead of building their products.
This is way off base. Using PI to fulfill a request someone has made of you is the happy path of GDPR, you just can't retain or reuse that information more than you have
1) a contract or
2) permission or
3) a lawful task
For.
Having other parties process PI for you is fine as long as it's done under an agreement that binds them to the same terms.
First, no, you cannot reduce a legal document that is thousands of words long to a few words like you did and say "Easy, this is how it works". Those thousands of words are there for a reason.
Second, good luck, figuring out what you have "a contract, permission or a lawful task" for under the specific circumstances of your site.
Third, good luck making and understanding an "agreement that binds them" with every provider of every piece of infrastructure you use. Good luck doing that for even a single piece of infrastructure.
Toot/thread author here. I have added more clarifications and explanations, based on the feedback in the comments here. Thank you for that! It was an angry rant written down in a very short burst of productivity ;) I had to simplify a lot of things to get the main point across — that these pop-up banners are NOT what GDPR demands, that they deliberately are designed to exaggerate and intrude on users.
Before the prompts, situation was not good, but I could delete browser history and what not. After the prompts, I still need to delete browser history, but I can't delete memories of prompts from my mind. Every time I see a cookie prompt, I get traumatized. Prompt blockers do not work reliably. I don't want to read about cookies, GDPR, EU, whatever every time I see a random web page. I remember the old internet.
Ideally browsers would have an API to handle GDPR requests natively, the way they do for hardware access, and users would be able to set the default level of access, as well as lists of exceptions for some domains. Of course, Google will never provide such API in Chrome as it would be bad for their core business of spying on people in order to sell them more stuff.
Not much has changed since browsers had to remove the capability to create popup windows (and pop-unders, which only existed because users were getting too proficient at the game of whackamole). At every single step, the industry has shown it will only behave anywhere near reasonably when externally forced to do so.
DNT should have solved this problem, but the leopard couldn't change its spots, and used it to further its attacks on users instead.
And this is why we have over-reaching regulation. Not because we want it, but because we earned it.
It needs an API to talk with a user-preference vault and auto-negotiate site access. If an agreement cannot be reached, the site remains privacy-paywalled; else it's just there and the site owner has consent.
The problem is that GDPR doesn't go far enough. It should completely prohibit third party tracking without the possibility to agree to it. Third party cookies/tracking simply should not exist.
I'd be willing to bet that there is a large overlap between people who dislike tech company layoffs and people who have this sentiment about 3rd party tracking.
The problem is they picked the wrong parties to be responsible. It's not the websites that are doing the tracking. The websites are merely asking to save a cookie. It is the users' own web browser that is storing the cookie and sending the cookie back to these websites. It's the browsers that should be regulated, if anybody, but it's a lot easier to regulate the little guy than to regulate Google and Apple.
The GDPR goes far enough and even prohibits dark patterns and annoying the user into accepting. Making the "decline" option harder to find is not compliant for example.
The problem is a chronic lack of enforcement that allowed websites (and entire companies such as TrustArc/etc) to implement these malicious pseudo-compliant solutions and get away with it, at the expense of everyone's privacy and sanity.