It worked to highlight the insane amount of tracking every fucking website does. Unfortunately it didn’t stop it. A browser setting letting me reject everything by default will be a better implementation. But this implementation only failed because almost every website owner wants to track your every move and share those moves with about 50 different other trackers and doesn’t want to be better.
I used to use an extension that let me whitelist which sites could set cookies (which was pretty much those I wanted to login to). I had to stop using it because I had to allow the cookie preference cookies on too many sites.
You can fix that. I use an extension called "I don't care about cookies" that clicks "yes" to all cookies on all websites, and I use another extension* that doesn't allow any cookies to be set unless I whitelist the site, and I can do this finely even e.g. to the point where I accept a cookie from one page to get to the next page, then drop it, and drop the entire site from even that whitelist when I leave the page, setting this all with a couple of clicks.
* Sadly the second is unmaintained, and lets localStorage stuff through. There are other extensions that have to be called in (I still need to hide referers and other things anyway.) https://addons.mozilla.org/en-US/firefox/addon/forget_me_not.... I have the simultaneous desire to take the extension over or fork it, and the desire not to get more involved with the sinking ship which is Firefox. Especially with the way they treat extension developers.
The only thing that works well for me is using an extension that automatically gives permissions and another that auto deletes cookies when i close the tab.
The problem with Ublock etc. is that just blocking breaks quite a lot of sites.
The website wouldn’t inform you about which cookies are doing what. You wouldn’t have a basis to decide on which cookies you want because they are useful versus which you don’t because they track you. You also wouldn’t be informed when functional cookies suddenly turn into tracking cookies a week later.
The whole point of the consent popups is to inform the user about what is going on. Without legislation, you wouldn’t get that information.
Because it's not like the browser has two thousand cookies per website, it only has one and then they share your data with the two thousand partners server-side. The government absolutely needs to be involved.
To begin with that isn't true, because the worst offenders are third party cookies, since they can track the user between websites, but then you can block them independently of the first party cookies.
Then you have the problem that if they are using a single cookie, you now can't block it because you need it to be set so it stops showing you the damn cookie banner every time, but meanwhile there is no good way for the user or the government to be able to tell what they're doing with the data on the back end anyway. So now you have to let them set the cookie and hope they're not breaking a law where it's hard to detect violations, instead of blocking the cookie on every site where it has no apparent utility to you.
But the real question is, why does this have anything to do with cookies to begin with? If you want to ban data sharing or whatever then who cares whether it involves cookies or not? If they set a cookie and sell your data that's bad but if they're fingerprinting your browser and do it then it's all good?
Sometimes laws are dumb simply because the people drafting them were bad at it.
> If you want to ban data sharing or whatever then who cares whether it involves cookies or not?
Nobody. The law bans tracking and data sharing, not cookies specifically. People have just simplified it to "oh, cookies" and ignore that this law bans tracking.
> The law bans tracking and data sharing, not cookies specifically.
From what I understand it specifically regards storing data on the user's device as something different, and then cookies do that so cookies are different.
Again. You could literally try and read the law. After all, it's only been around for 9 years.
--- start quote ---
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right.
...
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally.
...
(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
...
(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.
...
(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person.
...
(32)
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
You keep saying to read the law, but did you? "The law literally doesn't talk about cookies." It does:
> (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
That is why: "In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used."
That it also applies to things "such as" RFID tags isn't really that interesting. The salient part is identifiers. Because fingerprinting turns that into a mess.
Is your browser user agent string an "identifier"? It generally isn't unique, and requiring explicit consent to process it would cause a lot of trouble, but that and a few other things you could say the same thing about are collectively enough to be uniquely identifying.
Which is something different which they apparently hadn't considered and it's not clear how it's supposed to work. Do they become an identifier as soon as you have enough of them to uniquely identify someone? How do you even know when that threshold is passed? Does it require you to actually use them as an identifier, or is it enough just to have them because then they could be used retroactively? What if you provide a non-identifying subset of them to a third party in another jurisdiction who collects others from someone else and then combines them without explicitly notifying you?
> The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is no still date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
If the thing they failed to pass promises to do something additional, doesn't that imply that the thing they did pass doesn't already do it?
And I mean, just look at this:
> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
So you don't need consent for a shopping cart cookie, which is basically a login to a numbered account with no password, but if you want to do an actual "stay logged in with no password" or just not forget the user's preferred language now you supposedly need an annoying cookie banner even if you're not selling the data or otherwise doing anything objectionable with it. It's rubbish.
> but if you want to do an actual "stay logged in with no password"
Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
> or just not forget the user's preferred language
Why would you store the language preference client site anyhow? Isn't a better place the user profile on the server? I use the same language for the same site no matter the device I am logged in.
> Wouldn't that be a session cookie (which is a strictly necessary cookie for accessing a secure area) with no expiration?
The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
> Why would you store the language preference client site anyhow?
You're not storing the language preference in the cookie, you're storing a cookie that identifies the user so that the server can remember their language preference.
Consider the two possible ways that this can work: 1) if the cookie identifies the user then using it for anything outside of the "strictly necessary" category requires the cookie banner, or 2) if the cookie is used for any strictly necessary purpose then you can set the cookie even if you're also using it for other purposes, in which case anyone can set a strictly necessary cookie and then also use the same cookie to do as much tracking as they want without your consent.
Both of these are asinine because if it's the first one they're putting things like remembering your language preference outside of the strictly necessary category and requiring the dumb cookie banner for that, but if it's the second one the law is totally pointless.
> The gdpr.eu website literally says that a cookie that allows the website to remember "what your user name and password are so you can automatically log in" is a functional cookie rather than a strictly necessary cookie.
But one row before it mentions "such as accessing secure areas of the site.". If the secure cookie has 12 months validity, this is basically a different way to implement "remember username/password".
Besides, all my browsers (Firefox, Chrome) remember the users and passwords for all the site I access, so are we even talking about this? Is Safari that bad that it doesn't remember your user/password (no experience with that one)?
> You're not storing the language preference in the cookie, you're storing a cookie that identifies the user
Ok, I agree that for sites without username / password that will not work. On the other hand, personally I rarely end up on any site that is not in a language that I can read and on top the browser has a language preference : https://developer.mozilla.org/en-US/docs/Web/API/Navigator/l... . So, in practice, I think there are extremely few cases for sites require a language cookie for a not authenticated user.
> But one row before it mentions "such as accessing secure areas of the site."
Which could be read as allowing session cookies but not ones that allow you to save your login if you come back later. But it's also kind of confusing/ambiguous, which is another problem -- if people don't know what to do then what are they going to do? Cookie banners everywhere, because it's safer.
> Ok, I agree that for sites without username / password that will not work.
How would it work differently for sites with a username and password? The login cookie would still identify the user and would still be used to remember the language preference.
> allow you to save your login if you come back later.
Again, is there any browser nowadays that doesn't save the login? I don't know any, personally but I do not know all of them. And if they are, how much market share they have? (If I myself build tomorrow a browser without the functionality, that can't be an argument that the legislation is wrong...)
> How would it work differently for sites with a username and password?
Generally for sites where you use a username, the site will load from the server several information to display (ex: your full name to write "Hello Mister X", etc.). In the same request you can have the user preferences (theme/language/etc.), and the local javascript uses them to do whatever it needs to do. Even with a cookie, there needs to be some javascript to do some actions, so no difference.
Or you could just redirect via a URL that has the user preferences once he logged in (ex: after site knows you are the correct user it will redirect you to https://mysite.com?lang=en&theme=dark)
There are many technical solutions, not sure why everybody is so crazy about cookie (oh, maybe they think of the food! Yummy)
Actually it often is a separate cookie per tracker because that's convenient for the trackers. But the only reason they don't put in the effort to do it the way you said is that browsers don't have the feature to block individual cookies. If they did, they would.
Some browsers like Midori do the sensible thing and ask you for every cookie, whether you actually want to have it. Cookie dialogs are then entirely redundant. You can click accept all in the website, and reject all in the browser.
Not all cookies are bad for the user, for instance the one that keeps you logged in or stores the session id. Those kind were never banned in the first place.
Blocking cookies locally doesn't allow you to easily discriminate between tracking and functional cookies. And even if the browser had a UI for accepting or rejecting each cookie, they're not named such that a normal user could figure out which are important for not breaking the website, and which are just for tracking purposes.
By passing a law that says "website providers must disambiguate" this situation can be improved.
If there's no regulation, nothing stops a website from telling hundreds of third-party entities about your visit. No amount of fiddling with browser settings and extensions will prevent a keen website operator from contributing to tracking you (at least on ip/household level) by colluding with data brokers via the back-end.
> Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.
There are a LOT of shades of gray when it comes to website tracking and HN commenters refuse to deal with nuance.
Imagine running a store, and then I ask you how many customers you had yesterday and what they are looking at. "I don't watch the visitors - it's unnecessary and invasive". When in fact, having a general idea what your customers are looking for or doing in your store is pretty essential for running your business.
Obviously, this is different than taking the customer's picture and trading it with the store across the street.
When it comes to websites and cookie use, the GDPR treated both behaviors identically.
Realistically, you want to know things like, how many users who looked at something made a purchase in the next 3 days? Is that going up or down after a recent change we made?
Many necessary business analytics require tracking and aggregating the behavior of individual users. You can't do that with server logs.
Many people want to do many things, problem is do we agree as society it is ok, considering all the implications.
I personally find the commercial targeting extremely poor. I look for things to buy and I get stupid ads which don't fit, or I bought the things and still bombarded with the ad for the same thing.
But data collection can be used by far more nefarious purposes, like political manipulation (already happening). So yes, I am willing to give up some percentage points in optimizing the commercial and advertisement process (for your example, wait for 2 weeks and check for the actual sales volume difference) to prevent other issues.
This isn't even about ads. It's just about basic business metrics.
And no, you can't just "wait 2 weeks and check for the actual sales volume difference". The example I gave requires individual anonymized tracking. Pretty much anything that has to do with correlations in customer behavior requires individual tracking. And that's how businesses improve.
Also, it's not just giving up "some percentage points". There are a huge number of small businesses that can only exist because Facebook ads work so well in targeting very precise customer segments who would never know about their product otherwise. Targeting advertising does actually work, and you'd be putting tons of small business owners out of work if you got rid of it.
Maybe what you say is correct, but without a reference can also be an opinion influenced by your domain of activity.
What I see though is many shops closing, because more and more people buying online. What I hear is people buying crap from Amazon and throwing it very fast, or using fast fashion from the like of Shein. Neither seem to me a great outcome.
I did a cursory look and I found this https://www.pewresearch.org/short-reads/2024/04/22/a-look-at... , will quote "The number of high-propensity business applications – those that are highly likely to turn into businesses with payrolls – remained relatively stable between 2009 and 2019,". This for me does not support the idea that of "huge number" that only exist due to Facebook (business exits have also grown over the period, more data at https://data-explorer.oecd.org/), but of course this is an interpretation.
Okay, and why do you need to share whatever info you collect with thousands of random data "partners" if it's just for you to keep track of whatever made up thing you say you need to track? Because in reality that's what GDPR exposed, that random ecomm website selling socks or whatever is sharing everything they know about you with a billion random companies for some unknowable reason.
Even EU government websites had annoying giant cookie banners.
Yet, some how the vast majority of HN comments defend the cookie banners saying if you don't do anything "bad" then you don't need the banners.