No, they're asking for consent to track because the EU demanded it. The easiest way to avoid having a banner on your site is to... just not have an analytics package on your site. They're aggressive because they don't want their data spigot turned off - hence the work-to-rule nonsense. You should not infer any benevolence on the part of the people implementing these banners.

My personal habit is to always click whatever option denies the most amount of tracking, mostly because I can.

Likewise, except:

* If for any reason I can't easily deny all the unnecessary stuff (eg. there isn't a way or they have something like the Daily Mail where to disable all the "legitimate interest" you have to click literally hundreds of individual boxes) I don't click anything and leave the site immediately.

* I don't do it because I can. I do it because by clicking OK I would be explicitly consenting to being tracked and I don't want to be tracked. The content is pretty much never worth it. ("It" being falsely telling people I'm fine with being tracked. I'm perfectly aware it will happen anyway.)

Personally, I think that despite seemingly good intentions, this common practice is counterintuitively harming user-privacy and security, especially on mobile where the banners take up a large chunk of the screen.

Many normal people get something like "banner-blindness": they are so used to seeing banners requesting confirmation when they visit a website that they by default click any random buttons they see to try and hide them right away without reading what is requested.

This practice doesn't really help anybody, IMO, and should probably be handled on the browser-level if people care about it.

Why do you think they have good intentions?

Many of these banners employ some pretty slick dark patterns for you to opt-in to their most critical analytics. One of my favorites is when cookie selection is more than one click from the banner, or it causes a page reload.

It's a valid critique, so here goes: how would you implement it to avoid those?

I’d probably prefer more for the advertising industry to die a fast death, but I doubt that will ever happen.

The net result of VATMOSS, GDPR and cookie banners was that a ton of small businesses decided not to bother with a website and moved to being FB only or Amazon only.

No idea why it turned into this cookie banner nonsense.

The EU then passed a bill that said you can't collect data unless it's for one of six reasons, one of which is "user consent". This basically mandated opt-in, so everyone went super-aggressive on consent banners (which, BTW, are probably illegal).

It's ridiculous that Microsoft's response wasn't to just nuke trackers from space with some kind of adware blocker integration in Edge. This is the equivalent of a mugger saying he'll only honour your "do no mug" sign if the sign defaults to "mug me please" and has to be explicitly changed.

Note how most ad blocking tech is either community-run FOSS projects or companies with not-so-savory business practices. It's really not the kind of work that browser vendors want to do. In fact, Apple went out of their way to create an extension type purely for delivering ad block lists to Safari all the way back in iOS 9. Ad blocking is that much of a pain that even Apple was willing to farm it out to third parties years before we got proper mobile extension support.

Occasionally, browser vendors get lucky, and there's a tracker type that's "easy enough" to kill. Things like third-party cookies would be one of them - but even then this required a huge amount of testing to avoid breaking apps that relied on them for authentication.

The only reason why ad block even works is because ad companies are incredibly paranoid and don't trust each other. The standard way to do display ads is to embed each other's `<iframe>`s or JS, which gives ad blockers a nice easy target to hit. Platforms like Facebook or Twitter that are trusted to do their own ad delivery and thus don't hotlink subresources are far harder to block. They can change how ads are styled basically every hour if they wanted, which would make any kind of rule-based ad blocking ineffective. If every ad platform did this, ad block as we know it would be dead.

1. telemetry, for diagnostics and health monitoring

2. usage analysis, for program improvement and personalization

3. content analysis, for advertising and marketing purposes

Windows requires kind 1 and encourages kind 2*. Type 3 does not really apply, though, as I don't see Windows sniffing what I write in my text files so that I'm shown relevant ads later.

It's all explained here: https://privacy.microsoft.com/en-us/data-collection-windows

* Also note that the Customer Experience Improvement Program has been with us since Windows 7. Same thing, just not perceived as badly as Windows 10.

(There's even 0), data collected for functional purposes like 2FA. Multiple companies have taken data straight from 0 to 3 once they see the possible revenue.)

> Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Which is why I suspect almost all "cookie banners" are worthless. They don't give a clear, informed consent, so the site operator is still not allowed to use the data for anything at all.

0: https://gdpr.eu/article-4-definitions/

Some of the original Chrome browser team have followed this line of thought:

https://neeva.com/blog/introducing-cookie-cutter-by-neeva-a-...

It's not even work-to-rule. It's illegal if the button to refuse consent is in any way less obvious than the button to grant it, which it nearly always is.

Notably, OneTrust, which provides a lot of the banner solutions which are illegal gets it right on their own website. So they do know the rules, but they knowingly provide a solution that's illegal.

They have been well-advised by their lawyers. Anything else is just a bomb waiting to explode on you.

Works brilliantly :).

GDPR fundamentally changes the default of whether tracking is allowed to occur or not. If a user browses the web automatically blocking (just deleting/blocking the element, not automatically clicking accept) every consent pop-up, the website is not allowed to track them nor is it allowed to block the user from using the website.

If you had such a browser extension, and if websites were actually conforming to the law, all EU users could browse the web without ever seeing any popup and without ever getting tracked.

What if there's back-end only analytics? Does that require a banner?

The case for legitimate interest in parsing logs is extremely weak. There are situations where you could claim it but it still must be with a clear purpose. E.g. a Spanish company considering opening a branch in France might collect IPs to make a heatmap of where its French customers are. But they would not be able to use those IPs generally, to the extent e.g. they might be expected to delete the IP and only store aggregated by department.

You also said PII, not PD - note that some PII is sensitive data, which cannot be collected under LI provisions at all.

(This is not legal advice. If you think you can collect personal data with the LI exception, godspeed and I hope you have a good lawyer.)

You only need consent if there is absolutely no reason for you to have that data. Consent is the emergency hatch, only to be used in exceptional circumstances.

"But what gives?!", I hear you think. As a law professor said (roughly): it was truly amazing to see how an entire industry colluded so swiftly and completely to undermine legislation.

Also no.

There are specific acceptable reasons to have the data. LI is a weak one and does not apply in many situations (there are a lot of balancing factors applied, including a "reasonable person" standard on the data subject). As you say, consent is a very strong one, if received it can virtually always apply. The ones in-between only apply in limited situations genuinely necessary for business (company management of employee data, addresses of customers you need to ship to) or to a small set of companies (hospital management of health data, AML/KYC for banks), and rarely to general web / app analytics.

"I would like that data to serve ads better" (or "to sell to someone who wants to serve ads better") is not "absolutely no reason", but it is also rarely one of the other reasons. And conversely, even if in some case if you have a legitimate business interest i.e. would go bankrupt without it, it is not LI in the sense of GDPR if it cannot meet other factors. The modern adtech ecosystem more or less requires "consent-strength" allowances.

Could you explain this claim? I'm seeing it more often and I wonder if there's something I'm missing.

GDPR Article 6 gives five other legal bases for processing. From my reading, consent is just another basis you can use if the others don't work.

It's a newbie, be nice. They don't get how it works yet.

That'll make it harder for fraud detection to work (the traffic is legitimate, organic traffic after all). If enough people do it, tracking firms that ignore DNT will have garbage datasets or worse.

I've worked on systems for detecting this sort of fraud. Systematically injecting malicious traffic into legitimate click streams would defeat most anti-abuse measures that I've seen.

How will you defend yourself in court? "I didn't do it, I just let somebody else use my machine, yes I knew they were up to no good that was the point, but to my defense I was shown an ad"?

So, their complaint is what, exactly? They tried to run unauthorized code on my machine, it noticed, and forwarded the unauthorized logic/connection/nonce/etc to a honeypot?

This isn't an actual service I plan to build. If someone else does, and prevails in court, rest assured I'll be cheering them on.

A cookie that saves, for instance, a preference may not be considered essential but a "Functional Cookie" that adds extra features, because your app is usable without it, and then you do need permission for it.

If you are setting the cookie in direct response to a user initiated action, for functionality, that doesn't require consent.

[1] https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...

Now, there was a different directive preceeding the GDPR that tried to address the rampant abuse of cookies for tracking by regulating cookies directly. The intention of that directive was good, but the implementation really bad. I think this is where this distinction comes from. I don't think I've seen a case where someone who was not doing blatantly shady things with cookies got into trouble with that directive, though.

It doesn't have to be obnoxious either - if you have a preferences page, you could add something like "we'll save these preferences in a cookie on your computer, okay?"

Yes, we can play the tracker-removal cat-and-mouse game, but that involves a lot of time and effort, projected forever. This battle is going to be won by whoever has the most time and money to waste, and, spoiler alert: it's not the adblock vendors. It's Google.

In the specific case of cookies, you need those to authenticate to web services, so you can't just block all of them. Instead you need to delicately allow or deny every cookie based on if it's purpose is holding a login token or tracking a user. In fact, sometimes it's both.

Strictly speaking, if I log into Facebook, that shouldn't be considered consent to track. But right now, that's how it works. You know all those "login with Facebook" buttons all over the web? Those give Facebook third-party tracking capability. There is no browser extension in the world that will allow you to login with Facebook without also telling Facebook what site you were logging into. You need a law to force Facebook to split-brain themselves and silo off that data from their advertising operations.

Yeah, sure. "Just don't use Login with Facebook". Except every third-party login system has this problem - and there are plenty of smaller companies that absolutely do not want to handle user credentials and require that you use a third-party login service. And given that using smaller providers are the easiest way to get your credentials stolen, it is entirely understandable and advisable that they not roll their own authentication.

Furthermore, most users are not at all aware of all the technical stuff I mentioned above - and they shouldn't have to be in order to have privacy.

Having a well-written law is a lot easier: you just tell Facebook, "no, really, if you use your login service to track people we're going to fine you". Corporations react to (sufficiently large) fines a lot more favorably than technical restrictions or circumvention. "Don't be evil" is a way bigger guarantee than "can't be evil".

For example, showing you unlikely or imagined bike-related problems, to sell you useless protection gear or insurance after you get your bike. Showing you ads for motorcycles, because although you probably don't want one, someone who already likes bikes is more likely to buy a (more expensive) motorcycle, so that's where they'll direct their spam.

Targeted advertising is about manipulation, using knowledge of the customer to change their behavior. No one is going through those efforts to show you what you already want and save you a quick Google.

The ENTIRE POINT of an ad is manipulation. Advertisers wouldn't bother if people always ignored ads.

One the ads are more relevant.

Two because the ads are more relevant the advertiser makes far more money on them and therefore doesn't have to show you as many to fund their service.

But also, much of ads are scams, and the targetting helps the scammers find susceptible targets

Problem solved, am I right? ;)

Assuming people would just log less was hopelessly naive (especially given that apache defaults already do enough logging to run afoul of the GDPR).

Apache logs for example do not run afoul of GDPR unless you:

A) process them. (Correlate them with further identification)

B) sell them.

C) do nothing to secure them.

Regardless. The law does have conditions for these cookie banners. Namely that if you do not present an easy 2 click opt out then you’re in violation. Many people are in violation in what I feel is an attempt at a sort of civil disobedience. “They can’t prosecute us if we all do it” mentality.

And that's the default for collection of Apache logs.

You would be 99% in the clear if you do nothing. The worst that's likely to happen is that you're forced to adopt a retention policy and delete old logs, and even that is extremely unlikely unless you are Google/Facebook scale or are doing something significantly worse than industry standards.

Law depending on the opinion of lawyers is “useful”.

If anyone wants to attempt to prosecute me for storing Apache logs then I’m happy to defend it in court. GDPR isn’t the boogeyman unless you’re selling data. I’m quite certain there are sympathetic judges to that end. Logs are necessary and even in some cases legally mandatory.

I would talk to your lawyer.

My lawyer's great, but he won't be paying the fine if he's wrong.

You aren't going to get the maximum fine unless you are doing something egregious. Collecting the default Apache logs and not using them for anything malicious isn't going to get you the maximum fine or likely any fine at all.

You can also hire oricate security to stop stalkers, and yet stalking is illegal

You can have cookies without consent.

Tracking requires consent even if it doesn't use cookies.

You can block some tracking in the browser, but server-side tracking generally can't be blocked.

GDPR cares about whether you are tracking, not about the means you use to accomplish it.

They're not useful, they're an unwanted annoyance. Nobody wants to fill out a cookie form, they want to browse the site. Delete the cookie banners and the associated tracking completely.

Figuring out whatever tortuous process any particular cookie banner uses in lieu of what should be an equally prominent "reject all" button (or a completely absent banner and no tracking) does not make me an "advanced user of cookie banners".

> 3. Do you know about some instruments like DO-NOT-TRACK but for cookie banners?

Yes, Do-Not-Track is precisely that instrument. (And occasionally, some of the cookie banners seem to notice the do-not-track and use it to pre-populate all the checkboxes to "no".) If a site receives a Do-Not-Track, it should not show a cookie banner, and should just auto-reject all tracking. (If a site doesn't receive a Do-Not-Track, it should also not show a cookie banner, and should still auto-reject all tracking.)

> Adblock or adblock-like extentions IMO miss the point of doing the conscious decision.

There shouldn't need to be a conscious decision; all of the banners and tracking should be auto-rejected.

On browsers which support it, I use uMatrix and uBlock Origin, as well as the Stylus CSS manager.

uBlock Origin has an element remover that will permanently remove elements from a website. It's point-and-click, though you may need to hunt a bit to find the full element responsible for annoyances. (There's also a "zapper", which is temporary only.) I'll typically remove cookie and all other nags, as well as social "link litter", recommendations, Taboola chumboxes, and the like, if my normal adblocking hasn't already addressed these.

Under uMatrix, I'll simply globally deny cookies to the site. Since for most sites the only value I receive from cookies is to remove cookie nags ... this has zarro effect on any site functionality. (For a very small number of sites which I rely on authentication --- of which HN is a very large share --- I of course don't do this.)

Where necessary, tracking hosts / domains are blocked via a DNS-based blocklist.

DNT would of course be the proper way to achieve all of this. The advertisers and surveillance industry have chosen to ignore this. Turnabout is fair play.

Another option, and one I rely on increasingly, is to view the site via alternative intervases such as the Internet Archive or Archive.Today, outline.com, 12ft.io, etc.

On my e-ink tablet, I'll frequently save page as PDF or ePub and read that instead.

(The EInkBro "save to ePub" feature is a bit of brilliant genius, as it permits saving multiple pages to a single document or "book", and is an excellent way of organising reading for a day or week. See: https://toot.cat/@dredmorbius/107958709435468728)

TL;DR: Nuke banners, block cookies, using browser extensions, or hit the content from an alternate service.

For clarity, I was suggesting that site owners eliminate the banners and associated tracking.

That said, I'd certainly second the recommendation for uBlock Origin.

Filed under: things I'm not holding my breath for.

If it doesn't try to trick me into accepting things, I sometimes actually consider doing that.

Why don't I just accept them all? No idea. Out of spite? Principles? Because I have too much time? Because my mind is too eager to get distracted with the popup? The fact that the only reason to even show these popups is for the website to do non-essential things that aren't actually in my interest? All of the above? Use of tasteless dark UX patterns doesn't even instill trust in me that these choices are actually respected in any way, to put it lightly.

Remarkable how often that works.

    html, body {
        overflow-y: initial !important;
    }

Like those websites that have a banner stating “by using this website you agree to let us track you with cookies”

As a provider: I don't use cookies. Here's my privacy policy: https://max.io/privacy.html

Thanks for including your own privacy policy. We're starting our own effort and our top line was "we won't make data or the user the product" and were trying to structure something as simple as your policy.

edit: thanks for the thoughtful response, downvoters!

So your real issue is that people are spending their time and energy on something you don't like

I also think constant lies on TV is a problem. I of course believe somewhat in my own ability to filter through, but at the end of the day, it is reality-distorting when it goes on in large scale and a societal problem!

If there's too much work, like I have to uncheck every one of a zillion boxes, or if there's the trustarc or what's-it-called that needs to "work on it" for 10 minutes, I just leave the site.

I do this in the hopes that someone in marketing looks at the stats of people specifically refusing, takes note, and maybe comes up with something less invasive. Or at least realizes there's a market for that.

There is one site on which I don't do this, jeuxvideo.com. It's a French video game review site. They present a choice: "accept tracking" or "pay for a subscription". I only go there once in a blue moon, so a subscription wouldn't make sense for me. Plus, their ads aren't particularly intrusive (with UBlock on, but on MS Edge - which I barely use, since it runs on my gaming PC) so I figure it's fair.

Most sites that present the cookie banned don't usually have a subscription-based alternative.

In other words, service providers are not allowed to discriminate against users based on their tracking preference.

I find it worth the trouble to find some way of disagreeing, either via "reject all", or clicking through the various radio-buttons offered and hitting save. It just seems worth the effort.

While I admire the efforts to limit data collection, these privacy/cookie popups are now a plague across the internet, a 'net that had done a brilliant job of getting rid of the first wave of popups in the past that I well remember, along with the relief when they had been banished by sensible browser manufacturers.

Even better than dealing with the privacy banner, I now often just hit "Back" and don't bother reading any articles that are only offered in exchange for collecting my data. It's a good filter, and time saver.

[0] https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...

[1] https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

[0] https://addons.mozilla.org/en-US/firefox/addon/ekill/

I also use Behind The Overlay Revival[0] for annoying overlays. I just have to click the toolbar button - not even aim at the elements I want to remove.

That said, ekill's grudge mode looks interesting.

And I use Unstick![1][2] which can get rid of annoying fixed headers and footers that chew into your vertical space.

[0] https://addons.mozilla.org/en-US/firefox/addon/behind-the-ov...

[1] https://addons.mozilla.org/en-US/firefox/addon/unstickall/

[2] For some reason though, I always have to click it twice to make it work.

Imagine if the government passed a law that said restaurants had to warn you upfront that there might be poison in your food and you had to opt-out of it. I think I would just avoid restaurants with that sign altogether.

If you go to your uBlock origin plugin settings > filter lists > annoyances > checkmark "fanboy's annoyances", "adguard annoyances", and "uBlock annoyances"

Never see cookie banners again.

This ^^ hits the spot. No need to accept the dark UI patterns (illegal but everywhere) without the pain of going through the options. Works brilliantly.

To reclaim screen space. To provide a data point that I don't want to be tracked. To stop auto-playing videos that distract me.

Something like that (with a "remember this choice" checkbox) would be so much more economical, than making every single website implement it individually. When the browser does it, then websites also can't ignore it, cheat it, or use dark patterns to avoid it.

In the browser settings you could switch the "accept cookies" behavior between "never" - "ask" - "always". I believe it was set to "always" by default? It's been a long time ago, so I'm bit fuzzy on the details.

see: https://www.fabrica.cz/fabrica/img/netscape.jpg

I also have told Safari to "prevent cross-site tracking", and have sone adblock-type stuff going on to help with that.

And yes, I will shrug and find the "reject all" button upon returning to a site if my decision hasn't been tracked because that would be stored in a cookie on another site or whatever.

There is no advantage for me. The advantage is that it's a way for sites to cram in six hundred tracking services they've added for whatever reason, and still comply with the letter of anti-tracking laws. It is annoying and every now and then I miss the days when most sites weren't full of immensely sophisticated garbageware trying to build a profile on their viewers so as to serve them advertising they're more likely to click on.

Anyone who repeatedly askes for consent when boundaries have clearly been established should never be trusted.

So I ask, why would I ever accept?

To get them to stop asking is never the right answer.

I never understood the point of that. Asking companies who want to collect your data to "pretty please don't" when there's no oversight or accountability should they decide to ignore your plea makes DNT a waste of bandwidth. It's worthless. Even the companies who would respect your choice have to track you long enough to remember that you've asked them not to track you.

Don't bother asking them to stop tracking you, don't even give them the choice. Block JS, block 3rd party cookies, block ads and trackers, delete cookies on a regular basis.

Imagine it like this: DNT is a "No Trespassing" sign.

Do no trespassing signs actually stop anyone from trespassing? No.

In this case, I use it as a tool to judge who clearly rejects my request to not be tracked, not stop them from tracking me.

I suspect it's not legally binding when you never clicked agree or deny as well.

I've come to the conclusion for myself that I don't like the internet as it is now. The advertising is annoying, but more importantly for me I don't like the idea of being defined by my user behavior, and getting sucked into a machine feedback loop with no real Purpose ... simply something that endlessly extracts value for no other reason than to extract value. So I find myself:

1. Repeatedly using the least amount of cookies every time I read it. When I come across papers posted here from _Nature_, I opt out of cookies. That means I do have to reselect those every time.

2. As a habit, I just do it out of all of the sites that offer this. I think part of this is that I have to pick and choose what I spend time reading

3. Yes, and there are workarounds for all of those. I also use adblock, but they are kinda like the mob and will let advertisers pay them to bypass the adblock. Sites that don't show me the content because they detect an adblock makes me think if I really want to read what is on there; if I do, I don't mind making a conscious choice to support the publication. If I am annoyed by it, I might try the Firefox Reader option. Or I don't read it.

4. It's not an advantage so much as aligning with how I have come to approach life. I've come to realize that much of our civilization is built upon Value Extraction. Whether that is for my limited time here on Earth, my focus and attention, very few businesses are built to give something back, or at least are value-adding (not "value added") -- something that contributes to and expands the capabilities and resources of the whole ecosystem beyond profitability.

There are blockers that don't though? Not sure why you'd pick one that does with your values. Not judging or anything, I think there's arguments to be made in both directions.

I agree with most of your observations. Just highlighting this point to say, that is the reason I switched from adblock to ublock. They are similar, but ublock is open source and refuses to accept money to bypass their filters. https://ublockorigin.com/

2. If present I'll click 'Deny', but I'm not hunting it down. Blocking the prompt with an adblocker is my preferred option.

3. Cookie Autodelete is the only sensible way to manage cookies IMHO. Store cookies for webpages you trust, delete all others. Annoyingly there's no official way to tell webpages you don't care.

4. Cookie banners are entirely pointless since I'm fully in control of which cookies I am sharing.

The GDPR covers the intent and processing of the data rather than any specific technical means - it's not limited to cookies. Please see my other comment: https://news.ycombinator.com/item?id=30964163

Spite.

There seems to be a pattern that 'Agree' grants access to use tracking cookies and other metric collection. So, I usually either not consent and see what happens, or I 'customize' and for most sites that leaves 'essential' cookies enabled.

Why? Because I don't want to be harassed with targeted ads everywhere I go.

As other commenters have pointed out, these are mostly legal requirements. In most cases, the user would be better off with no banner and less cookies.

> What can they choose but "agree to everything" or look at some gray text through a gray overlay?

You can leave the website. The intrusiveness of these banners correlates negatively with the quality of what you're trying to read, so in most cases it's a good reminder that you shouldn't even be on this website to begin with. In the rare cases where you do need the content, tools such as uBlock Origin can still help make it for this one time. Contrary to other commenters here, if a website is bad enough that I need to do that on a regular basis, I just stop visiting the website.

> There are definitely people in the HN crowd who can understand the different options offered by cookie banners.

You're assuming it's worth anybody's time to even read these. It's not.

I do not have used so far custom cookies settings, nor I consider trustable what they say anyway. For ads, js etc I have NoScript + TPRB (with the policy of allowing just the minimum js needed on the sites I care, hoping FF Reader suffice in other cases) and uBlock origin + others. I just allow some ads on veeeeery few friendly websites/YT channels if they are not exaggerated.

For cookies in general, I simply reject the idea of WebApps, for me the web MUST be just html+CSS. Desktops must be desktops not WebVM bootloaders and apps+data should be under MY control not under my WebVM and third parties control. Some simple examples: why the hell banks have websites that are more than just advertisements and contacts information? OpenBank is an example API mandatory between banks in SEPA area so not something built by a geek in a garage, and a client who talk OpenBank, a desktop one, that aggregate all my banks, with my digitally signed transactions stored locally, with the same UI and no crappy ads etc on my desktop is far better for me and far easier for the bank (far less bandwidth, far less infra development and maintenance costs etc). Similarly for maps. Similarly even for damn contact infos. An RFC to publish contact infos easy to download as vcards etc should be the norm and APIs makes integration in desktop apps easy and good environments, built as classic desktops (Xerox etc) can make such integration FAR more powerful for end users and far more cheap for anyone. WebApps are needed only by GAFAM and alike.

[1] the monster improperly named by most "browser" for legacy reasons...

I'd check your adblock to see if it has a similar ruleset.

- obtuse cookie consent, where it hides everything and does a redirect - I don't bother: I'll close the tab

- quite easy to see "I agree", no easy way to reject things - depending on my mood or how much I feel the need to get the thing I want from this particular site, in order of probability: click agree, close the tab, do not click anything (try to see around the popover or remove it via inspector), search for a way to reject

- easy to see a rejection button - click the button or close the tab if the popover seems too excessive anyway

The reason I agree to any tracking is my belief I'm pretty safe with using uBlock Origin on Firefox, clearing cookies somewhat regularly and using first party isolation option of Firefox, also I use Tab Containers for important stuff. Maybe it doesn't cover me fully. Most sites I visit daily I could certainly do without.

I'm not sure, but I think that companies can legally protect themselves if they have records of people clicking accept.

They can still delete the data of people who don't click. Simple as that.

It is a dark pattern, I think, especially when there is no refuse button.

That is often less work than to have to go through some sites' cookie settings forms...

... but I wish I had a plug-in that did it in a more automated way. I'd want to just right-click and select "Remove this element" (but I'd name it something less polite...).

And the next step: Collect statistics about clicks and display a public list of shame. Then each month, send a strongly worded letter (regular mail) to the operator of the next site that got the worst rating in the past month (and didn't get a letter less than six months before).

If, for some reason, it doesn't work, I close the page.

Why do I do this? To send a big fuck you the big businesses that want to vacuum up everyone's data without any reciprocity. I'm a very spiteful person, even if it's not easy to get on my wrong side.

There's no conscious decision needed to not be tracked. It's the status quo: by default, I'm not being tracked, and if a web page wants to change that, it should require a conscious decision. That's when I disable the hiding and think about clicking something on the banner.

Any banner that pops up to my face, I click "agree"and don't look backwards.

I understand I can still be identified using some browser fingerprinting tricks, but I have absolutely zero trust in any of these privacy notices/policies.

Disclaimer: part of my actual job is to assess whether my clients' systems/applications effectively comply with privacy laws and the policy shown to users/customers. I have never seen a company that does what it promises to its users and I've been doing this job since 2015.

https://en.wikipedia.org/wiki/P3P was the standard for this, and was implemented in IE for many years.

However, back then there were no legal consequences to tracking without consent, so no sites bothered providing the metadata; and the support in user agents was dropped.

If I could find a web-search tool that de-listed or harshly penalized sites with hostile features I would use that.

Likely related to advertising/tracking: Many common categories of activity, like cooking, gardening, camping... are very hard to search for. The results are so polluted that I can't find the good web sites, and I'm certain people who love these activities have created great sites about them.

You are correct in that downvoted pists are made harder to read, and eventually end up dead or invisible.

In fact, those posts can be forced to render by activating show_dead in your profile if you're feeling adventurous.

@dang: why? :)

After all the browser's cooperation is needed to send cookies. This should be a mandatory standard part of the browser UI.

Since there are just two browser engines in widespread consumer use, and the engines are made by two of the world's most valuable corporations (Google and Apple), requiring browsers to implement specific UI is both technically easy and politically convenient.

After I'm done reading I just close the website again.

Some tracking methods will more effectively be able to track you across the boundaries of your "incognito" sessions.

For example, the modern browser has a huge API surface that makes accurate finger printing using tuples of individually only moderately narrowing information possible for as long as you allow it to execute JavaScript.

Which means that they calculate there are 21x more people that have a $5k XDR display than use macOS Safari. Which seems... unlikely.

(anyway, tracking via IP address is a pretty accurate way to track across browsers and cookie resets, until you're behind a large NAT / proxy.)

I wonder if the answer to the problem could be to let those companies to track whatever they want if only all they get is exactly the same fingerprint from every user.

Now, I wonder what does the GDPR and similar legislation say about those, but my uneducated guess is that a user accepting the site's policy regarding user data collection would approve the use of fingerprinting as well (and deleting the cookies would only work partially, privacy-wise).

This is also why there is value in not clicking "accept" even if you already block cookies and/or run in private browsing mode.

If the site starts getting complicated due to my decision of clicking "Disagree", it signals to me the website doesn't really care about its users and is trying to make me go away. If I don't care much about the content, that's what I do.

Hopefully they're measuring their bounce rate, happy to vote with my feet in those cases.

The banners are required by data privacy legislation and are often dark patterns that make it easy to agree to "all" but usually hide "only necessary" behind a couple additional clicks.

If you don't respect me enough to give me a one-click "only necessary" button, then I'm going out of my way to give you as little data as possible. I already block ads and many trackers at my router.

Most sites probably just put it as a cosmetic to adhere to policy laws.

I can trust much more my browser to block the tracking or data collection, than a"don't agree" button on any site".

I usually zap them with uBlock Origin or leave the website if I can't do that.

Even sites with full-page overlays usually load the actual page behind the overlay, so you can just delete the node if you really want to keep using the site.

If your website can work with the highest restrictions, then just make it the default option. It's the engineering thing to do.

I don't want a EULA or some rules just to make a few HTTP requests.

Since the extension hides the cookie banner it's effectively the same as ignoring it, not pushing any buttons (nor accept, nor reject), so it means the site is not allowed to track me, because I did not agree to anything, right?

In practice, most are poorly implemented though so I wouldn't count on it. The solution is to lobby for proper GDPR enforcement and in the meantime defend yourself by using antimalware solutions such as uBlock Origin and blocking malicious domains/ASNs at the network level if you can (Facebook is entirely blocked on my network, so even if my blocker fails it won't be able to do anything).

TechCrunch doesn’t like this. They have some kind of Yahoo cookie consent thing you have to interact with. You can deny everything though.

My "serious" browser I use only for these "10" sites where I need state (authentication or preferences).

I prefer to not have the trackers, but sometimes I'm just impatient to get on with things.

Except for the odd one like some retails sites and maybe just being in a bad mood and I'll click 'decline', I'll click Accept All for most sites just to get it away. The point is to get it off the screen as fast as possible and carry on with whatever content I'm trying to see without distraction.

For the most part tend not to visit that many sites that have tons of ads or large cookie popups so it's not an issue and I'm not a paranoid ad-blocker user.

* About 25 percent of the time I load the website in sandbox way —- a container or private mode. The website’s intentions are clear and I don’t trust them.

Bad news: enforcement is nowhere near enough, so the problem remains. But when/if enforcement does finally pick up, this problem will be resolved.

You don't have to show cookie consent banner if you use cookies just for technical (e.g auth) stuff

You think it's the EU's fault, and not the fault of the companies that are ignoring the "Do Not Track" header and implementing all these Dark Pattern malicious compliance popups instead?

Works well for me

The internet used to have pop ups in the early 2000s, until popup blockers and then the Mozilla browser came. Then we had over a decade of no pop-ups. Then Europe decided to make the internet a worse place by requiring websites to put something that's essentially a pop-up (the cookie notices) on them by law. I've seen enough pop ups in the early 2000s, so no thank you to them today.

I don't understand why Europe decided to make the web a worse place like this, because it's competing with apps, and apps can violate privacy much more than websites afaik

Providers made those banners big, annoying, and full of dark patterns because they want you to agree to those cookies. They didn't have to have a bunch of check boxes right next to an "Accept All" button--this was a conscious choice by those providers. You are being targeted by malicious compliance so you dislike the thing that they want gone. This is a sucker's game, and you are falling for the okeydoke.

"Europe" didn't make the Web worse. People who won't stop tracking you because it is worth nanocents to them to do so did, and this is how they're fighting people who are trying to stop them.

If a website doesn't want to annoy you with a cookie banner, they could always opt to not use any non-essential cookies.

> The cookie banners are actually illegal

IANAL but the 2011 cookie law required to notify users about cookies, and banners / popups were at least at that time how websites could do that

I can protect my privacy myself if I want to, the EU is not helping at all because there are just dark patterns everywhere to make not accepting cookies difficult or inconvenient.

One reason the EU did this is to bring to light the tracking habits of websites and give some power to the user. Much like Apple did with their do not track me button on IPhone. A lot of people opted to not be tracked but before just didn’t have the option or were oblivious to being tracked to begin with. And trust me being as secretive as possible for tracking is by design. It’s scary the amount of info a website can get from your browser.

Perhaps, rather than shrugging one's shoulders and saying "well, to hell with you, I've got mine," there are other things we as a functioning society can do. Like standardize how these cookie prompts must be displayed (small, inobtrusive) and standardize a set of accepted behaviors when the user ignores or closes it (reject all non-required).