points by ocdtrekkie 2 years ago

Regulators didn't enforce cookie banners. Cookie banners are a form of malicious compliance. When you complain about them, you are doing the lobbying work of ad companies for free. The correct solution is to just not spy on people, and the problem is that the EU didn't go far enough and just ban the behavior altogether.

zamadatix 2 years ago

The rules are really surprisingly encouraging about notification of cookies to the point it's quite easy to legitimately need to notify and gain consent about something non-spying related requires consent. E.g. if you have a UI customization cookie which sets the results density preference and you want to store that more than a session (i.e. it should still save for a month later) then the official EU analysis of this is you must notify this is a cookie and that setting this will set this cookie.

If the law didn't intend for users to be inundated with notification banners and consent checkboxes it sure is odd how much time they spent about writing how anything but the most basic connection cookies require said things.

  • handsclean 2 years ago

    It’s trivial to implement this in a legal and user friendly way, just make the save button make clear that it’ll persist, or even add a persistence checkbox. Demanding consent as an aggressive popup when it isn’t necessary for anything but ad tracking is not a good faith compliance effort, it’s an attempt to avoid real compliance by just having the user just sign off on whatever they were already doing.

    • sureglymop 2 years ago

      Add the cookie popup/banner into the browser so that the user can make a choice for _all_ the websites used. But honestly, something like that is much harder to achieve with such regulations because it's kind of not the browser vendors problem. The ad network companies are parasitic in a way.

  • mrweasel 2 years ago

    > E.g. if you have a UI customization cookie which sets the results density preference and you want to store that more than a session

    I'm not entirely sure that this is true. You can implement a "shopping cart" on your site, with a session cookie without needing to have a "cookie notification", so depending on circumstance I'd argue that settings might be allowed as well. Or you can just display the cookie information along with the settings it self, it doesn't actually need to be a popup.

    • zamadatix 2 years ago

      "and you want to store that more than a session" -> "...with a session cookie without needing to have a "cookie notification"". Session cookies are fine, the example was for a preference beyond the session.

      "Or you can just display the cookie information along with the settings it self, it doesn't actually need to be a popup." this is true, you can put the information for each cookie in every place that the UI interacts with the cookie or you can put it in a dedicated popup or however else you can figure out to do it. So long as you notify and require (informed) interaction with the associated interaction you're good.

  • askonomm 2 years ago

    Last I read the law, any cookie used for the functioning of the site, and not for the tracking of the user, is perfectly fine without a cookie banner.

    • majewsky 2 years ago

      I was going to agree with you, but in researching this, it does seem that GP is right. This is the source that I found: https://gdpr.eu/cookies/

      As far as I can see, this is a resource funded by the EU, so not quite authoritative, but good enough IMO. They say:

      > To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must: Receive users’ consent before you use any cookies except strictly necessary cookies. [...]

      This sounds like what you're saying, but this verbiage is based on a classification of cookies further above where a distinction is made:

      > Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. [...] > > Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for [...]

      So "strictly necessary" really only means "the site breaks without this", e.g. a session cookie set by a login page or the shopping cart example that the quoted article explicitly calls out, too. Presentational settings like display density, font size, dark/light mode and such seem to require consent.

      • askonomm 2 years ago

        Ah, so the truth was more specific than I thought. Consider me educated!

    • zamadatix 2 years ago

      https://ec.europa.eu/justice/article-29/documentation/opinio...

      3.6 UI customization cookies:

      "These customization functionalities are thus explicitly enabled by the user of an information society service (e.g. by clicking on button or ticking a box) although in the absence of additional information the intention of the user could not be interpreted as a preference to remember that choice for longer than a browser session (or no more than a few additional hours). As such only session (or short term) cookies storing such information are exempted under CRITERION B. The addition of additional information in a prominent location (e.g. “uses cookies” written next to the flag) would constitute sufficient information for valid consent to remember the user’s preference for a longer duration, negating the requirement to apply an exemption in this case."

      In particular, criterion A "functioning of the site" is a lot more narrow than your interpretation. It sounds like "oh, they need this to use the site's functions" but it really describes is functionality more like "you can't use the site at all without setting this cookie because you couldn't authenticate" and criterion B "for service explicitly requested" has more limitations (like lasting beyond session).

eviks 2 years ago

Regulators are the ones accepting the malicious compliance as compliance! So they did enforce cookie banners. When you ignore that fact, you are doing the pro-gov propaganda for free.

  • mrweasel 2 years ago

    > Regulators are the ones accepting the malicious compliance as compliance!

    Yeah, I had to read the first version of "the cookie law". The intend was super clear, at least in the Danish version, it was pretty easy to implement and wouldn't really bother anyone... Then came the marketing/SEO/retargting assholes who had a nice thing going tracking the everlasting crap out of everyone and they did NOT want things to change. Some of these people then came up with the "hosted cookie banner" and things went to hell from there.

    You are absolutely right that this should never in a million years be viewed as compliance. It mostly didn't, and still doesn't work. What should have happened is that the law should have been amended to prevent outsourcing responsibility.

lovepronmostly 2 years ago

What is the limit here?

If I own a store and you walk into my store am I required to forget that you came into my store?

Monday:

Bill: "Hey Jane (store owner), do you have any X45 hammers?"

Jane: "Sorry Bill, I'm out but might have some tomorrow"

Tuesday:

Bill "Did hammer come in I mentioned yesterday?"

Jane: "What hammer? Sorry I'm not allowed to remember anything about people in my shop because that would be spying so whatever you said to me yesterday has been deleted from my memory"

PS: I hate spying too. I'm just not sure how to design a law to prevent it that doesn't have unintended consequences.

  • kmeisthax 2 years ago

    Yes. In fact, you already do this most of the time. The right to be forgotten is so fundamental to humanity that humans have to expend extra effort to violate it and remember stuff. Machines with perfect memory violate the right to be forgotten by default and we have to tell them to forget things. Hence the regulation.

    • lovepronmostly 2 years ago

      I don't do this most of the time. It keep a diary. I keep records of all kinds of stuff.

      • whatshisface 2 years ago

        I would be uncomfortable if I had found out your diary contained as much about my daily travel and grocery errands as I know can be bought by marketing firms, or anyone with the right relationships in the industry. For that matter, the friendly greengrocer doesn't know what I bought at the shoe store.

      • yjftsjthsd-h 2 years ago

        Do you... write down the name of every person that walks into your store, then cross-correlate so you have nice little lists of every time each person came in and what they bought and how they looked that day? Because doing the same thing online companies get away with is generally seen as stalking in the real world.

  • anon25783 2 years ago

    A website run by a large corporation is very different from a store run by Jane. Jane does not have thousands or millions of people coming into her store, and she also is not selling CCTV footage from her store to advertising companies. We would be rightly outraged if she was. She also probably isn't sharing customer details or security footage with government authorities unless her store has been robbed or something.

    • aaomidi 2 years ago

      This is a thing that these comparisons always miss.

      These rules aren’t for your dream small business. It’s for a mega corp that would literally not care if you lived or died or if that hammer hit you on the head.

    • jasonjayr 2 years ago

      Probably?

      * Using Quickbooks Online? they market/sell that data.

      * using ADT for payroll? They market/sell employee salary information.

      * Using Ring for security? they freely share video with LEO

      * etc, etc. All these services that SMB's use already have their fingers in the pie.

      • midasuni 2 years ago

        Those big multinationals are abusing their position I agree. I’d like to see those practices banned, HN wouldn’t because half of HN relies of predatory activities to pay their rent

  • NOWHERE_ 2 years ago

    First: just look into your session store, which lists all people which are in your store (hah!).

    Second: You can have analytics AND be GDPR compliant without a cookie banner. There are even companies built around this: https://plausible.io/

  • mananaysiempre 2 years ago

    Not a lawyer. My impression is that you’re in any case allowed to record things in order to fulfil explicit requests (preferences, ongoing orders—like in your example), legal requirements (limited-time order history—ugh), or functional necessities (free trial used up), no explicit consent needed. Notably the bar is “required to work at all”, not “required to be profitable” or “required to use common out-of-the-box solutions”. Cloudflare or reCAPTCHA 3 would probably make interesting test cases here (my burning hate for them from the several years I needed to use a self-hosted always-on VPN aside).

    The way to do this (both in ePrivacy and in GDPR, despite the different legal mechanisms they use) looks to be to write a phrase like “legitimate interest” into the main text, give illustrative examples of what that’s supposed to mean in the recitals before that, and let the courts figure out the details.

  • zamadatix 2 years ago

    Law isn't like software code. It doesn't have to be put to an exhaustive set of unit tests to 100% pass rate and then worry about anything it might not have covered. The law just needs to signal intent and scope clear enough the judicial system can work with interpreting it to new applications in a way most people can consider consistent.

    In the case of cookies, they simply apply to computers and not people. Why? It's not about whether the two are operationally similar it's about whether the two are practically similar. Until every shopkeep meticulously tracks every detail of every customer interaction and starts efficiently sharing them with others, all manually, often enough and at a large enough scale that it becomes a similar privacy concern it's not really worth fretting the law be generic enough to cover the use cases. In such a case it probably even makes sense to just write a separate law which meets the domain's needs more succinctly.

    • mtlmtlmtlmtl 2 years ago

      Excellent post.

      To hammer your point home even further, there's also the key point that in the digital world you also have entities like Meta that track you everywhere you go because they have their little tracker scripts running on almost every website.

      To bring this back to the previous hypothetical, it's more like a single person following you around with a camera everywhere you go, which is already covered by existing laws.

  • dghlsakjg 2 years ago

    The law says that you need consent for any cookies which aren't strictly necessary for the functioning of the site.

    In your instance, I would have put a backordered hammer in my cart. I come back the next day to check and see if the hammer is in stock. The cookie that enables cart behavior is necessary to the functioning of an online store. No consent needed.

    In the real world, this basically means that tracking and marketing cookies are what you are being asked about. They don't need to ask about much else.

    The EU has a very good write-up: https://gdpr.eu/cookies/

    • michaelmrose 2 years ago

      Even tracking what items you had looked at purely for the purpose of showing you things you had previously considered is trivially justifiable if its used for that feature rather to sell info to advertisers.

      • bluefirebrand 2 years ago

        Showing you your viewing history would be an "unnecessary to the core functionality of an online store" feature and require explicit consent to track.

        I think it would actually be very difficult to demonstrate that this tracker is absolutely required for the online store to function.

        • michaelmrose 2 years ago

          Most stores suggest products to buyers

          • bluefirebrand 2 years ago

            And yet it's still not a vital part of running a store.

            • michaelmrose 2 years ago

              > These cookies are essential for you to browse the website and use its features

              It doesn't seem to directly require comporting with someone's limited view of how a particular app is supposed to work

  • superb_dev 2 years ago

    Jane is tracking you from store to store, remembering everything you saw, everything you interacted with, everything you did, and selling that to the highest bidder

  • cscurmudgeon 2 years ago

    EU in 2035:

      All store owners and employees should get whacked in the head every day.
    

    Don't give them ideas

  • diffeomorphism 2 years ago

    > what is the limit here.

    Common sense and consent. Laws are not theorems or malicious genies.

  • poorlyknit 2 years ago

    > am I required to forget that you came into my store?

    No. Your head is not covered by the GDPR. It requires you to not keep a record of all your clients' personal info without a legitimate interest.

    There's a Seinfeld episode where Elaine goes to buy a fancy pen at a stationery store which isn't available atm. The clerk asks for her full name and number to notify her (that's a legitimate interest) but then uses it to hit on/stalk her (that would be a GDPR violation). Presumably he also doesn't get rid of the number after their business transaction.

6510 2 years ago

Fun thought experiment: How would you disable access to your website after someone refuses your cookies? iow, you should always click NO.

  • scintill76 2 years ago

    If they don’t send a cookie, pop up the banner. If they click No, redirect them to another site. If they click yes, save the cookie.

    • 6510 2 years ago

      What if they visit the same site again? Can you just ask again and again?

  • zamadatix 2 years ago

    By requiring a valid cookie be present and used when trying to actually use the functionality of the site. The law does not allow this kind of behaviour for any cookies that require consent though, so that's why you can get away with hitting no.

  • watermelon0 2 years ago

    1.) In general, it's illegal to disable access to the website, if user rejects tracking cookies.

    2.) You are allowed to save 'consent=given/rejected' cookie depending on user choice.