Much like the current cookie banner shitshow, a "centrally configured" setting which "websites must respect" will accomplish nothing. There is no consent, informed or otherwise. Advertisers and their ilk are still hoovering up all the data they can, with or without cookies or consent.
Locking up a few people who don't respect their users' privacy would be a much more effective way of achieving actual results. AFAIK no big adtech or data brokers have been punished in any way.
>Locking up a few people who don't respect their users' privacy would be a much more effective way of achieving actual results. AFAIK no big adtech or data brokers have been punished in any way.
I'm a big fan of personal accountability in the corporate world.
Step 1: force websites to add an opt-out flow for privacy-minded users.
Step 2: websites don't complain too much because they can implement it in obnoxious and dark-pattern-laden ways, so that few users actually opt-out.
Step 3: now that websites have proven there's no technical barrier and the flows are already implemented, slowly retire unnecessary user tracking and data sharing.
I'd be surprised if this was planned ahead of time, but it's not a bad strategy.
There is a very clear law that forbids any additional contract terms post the point of sale, so that if you go to a store, purchase a box with software in it and then go home to install it, when it pops up a dialog for you to "agree" on, you can just ignore it, nothing in that is enforceable at all. And no, small print text on the box that says you have to agree to terms in the software does not change anything. But that's not how software is sold anymore.
EULAs in general are not unenforceable, so long as they are presented before the sale. This is precisely why Steam (for example) now gives you the EULA before it lets you buy anything.
There’s still some principles that it must be proportionate and reasonably intelligible to the average person. A 100-page EULA for end-user software generally won’t be enforceable.
It was a lot more plausible when it is likely the judge has never clicked past an EULA. Today unless you've dug up some archaic fossil the judge is perfectly familiar with this nonsense so you're in a position where the person who decides what the law is knows EULAs are bullshit nobody reads.
I'd expect a situation like Somerset v Stewart. Mansfield clearly didn't want to rule you can't have slavery because that's going to be extremely disruptive to powerful people - so he suggests they settle and then the case goes away and he isn't called to say anything. But Stewart refuses to settle, apparently nobody could convince him that it's in his best interest - so, OK says Mansfield: fiat justitia, ruat cælum (Justice be done though the heavens fall). Somerset walks free.
Are corporations relying on EULAs smart enough to take the L? I guess we'd see.
The choice citizens would make every single time is to see the website without ads. Of course, publishers aren’t happy about that, since they would have to close shop. Maybe the EC should consider both sides of the equation.
Untargeted pay less than 90% of targeted ones generally. And there's not a lot of companies that can handle a 90% drop in revenue.
The real solution would be to make users pay for the content, but charging for something that users used to get for "free" is also essentially impossible.
It doesn't have to be untargeted. You know the type of content the website hosts, therefore, you know a lot about the type of visitors. You can then charge appropriately for advertising that is targeted at those visitors. Don't show diaper ads on a site called Jalopnik. Instead show ads for Armorall, jack stands, tools, etc. When you visit a media site specializing in content like real houswives or kardashians, don't show the previously suggested ads. Instead, show ads on inane fast fashion, beauty products, luxury items, etc.
Targeted ads are always dumb as they tend to push an item that you've looked into before purchasing, but never realize that item has been purchased and you are no longer interested. They never get that the person researched item but has not looked for some time for item. Let's now advertise accessories for that item. If it was a fridge, show stainless cleaning items, for dishwasher, show ads for different detergents or other kitchen related items. It's not hard. For whatever reasons, they can't do targeted well. Targeted doesn't work as advertised.
We’ve been talking about federated micropayment technologies for some two decades. I’d happily pay for content but I refuse to sign up for 30+ publisher websites. If I could opt to pay $.25 for some article without giving the site all my personal data or incurring a subscription I’d be all for it. As it is I either “steal” the content through an archiving site or simply leave the site. More and more it’s the latter. I’d also happily pay some monthly fee for unlimited content from a consortium of publishers rather than disable my ad blocker, and let them sort out how much each one gets based on my browsing habits. None of these seem like hard technical problems, it’s certainly not impossible. I think the days of believing content comes without any cost are long behind us.
The preponderance of dark UI/UX patterns in advertising and cookie consent pop-ups, as well as the grey-hat browser fingerprinting and DRM based tracking, unfortunately stand testament to exactly that.
Given that ~98% of Internet users couldn't even articulate what javascript does as part of their browsing experience, the exfiltration and reassembling of their PII via meta-data into sellable profiles for targeted auctions is completely beyond their capacity to comprehend or engage with. Thus consent is de facto ungrantable.
Personally, I find this a move in the wrong direction where hostile behavior by websites is normalized and hidden. Cookie banners show web site true colors. When someone asks me to share data with a thousand of "partners", I leave.
> Personally, I find this a move in the wrong direction where hostile behavior by websites is normalized and hidden. Cookie banners show web site true colors. When someone asks me to share data with a thousand of "partners", I leave.
I kind of agree, but at the same time basically all websites are using some kind of tracking to know what kind of users visit, and I'm tired of clicking "allow all" just to read an article. Many websites don't even work if you refuse non-essential trackers, because their tag manager is configured incorrectly, or because by law if there's even a single textbox where users can put their email or name, they need to have the consent to show that and allow input on it.
Having a browser default of "nope" with the option to whitelist a broken website would save a ton of time for people and machines the same, and also reduce website latency a lot. There's a nice website that "tracks" this cost: https://cookiecost.eu/
I think I agree, at least until it's clear how exactly this should be implemented.
Fingerprints can be shared with third parties without cookies, and while I know that the so-called "cookie law" is not really just about cookies, this is where the deception begins.
For some reason, I think it's easier to force websites to list everyone they share data with, than to force them to comply with an invisible preference that says "don't share data".
It even sounds as if this could be a trojan horse to dismantle parts of the GDPR altogether (see the DNT references in this thread...), and I happen to think that by and large, GDPR is good.
I agree. I think it's one of those things that people complain about because other people complain about. You have to click a button. Wow. What an ordeal. The title of this thread used the term "nightmare". I would be thankful that my life is so wonderful that clicking a button is considered a "nightmare". It's transparent and if you don't like it, don't go to that site.
It's a nightmare because it is everywhere you turn, not because of the difficulty in dismissing the banner (although not all banners are made equally). But I'm pretty sure you're smart enough to realize you're intentionally making a strawman argument. It's the purpose of the argument I'm not sure.
Users will overwhelmingly use browsers in vanilla config. The question here will be how browser vendors show this option. If - say - a company that gives away a browser for free but makes money from ads designed this, then they'll hide the option deep in some obscure menu, never remind people it exists, and reset it on every update.
So the devil is in the details. The best option I think isn't a secret setting in a browser, but a standardized consent dialog. Basically the sites communicate to the browser a standardized data format for consent. Then the browser shows that query in a popup that looks the same for every site. That means 1) the sites no longer have a chance to do dark patterns 2) it's less confusing for end users since the UX is always the same 3) it allows users to check a "Automatically reject for all sites". The site should not know whether the user has auto-rejected this, or manually rejected it. There should be no option to automatically consent for all sites (Can't have that). So the only ergonomic choice is to set it to auto reject.
Having this "use this choice (reject) for all sites" is the really important part here. Because it means that ALL users of ALL browsers will quickly see this choice, so in short order a huge chunk of users will have made this permanent rejection choice.
Dialog is already standardized in the current GDPR. There is literally an item there which states that Reject consent option should be the same and equally easily accessible as Accept consent option. So basically all dark pattern sites are already criminals. The problem is zero enforcement of the GDPR.
It's standardized in behavior only, it doesn't prescribe which button is where in the dialog etc. But yea for those that actually follow it, it's not a _big_ problem, but it's still an improvement to get an exactly similar dialog. Especially if you can check the [x] reject everything on every site
Since tracking is not legal without informed consent, either browsers will be mandated to default to no tracking, or to display a choice on first use. Silently defaulting to tracking certainly won’t be an option, given the whole GDPR and e-Privacy framework.
IMO there isn't a cookie nightmare but rather a tracking nightmare. I'm not fully up-to-date on if there is a separate EU directive on cookies on the internet specifically, but the GDPR is the _General_ Data Protection Regulation. Meaning that if I go and collect your info on pen and paper, I must then ask your permission on how I process and share that data, especially if sharing that data is not necessary to complete the main transaction but is somehow done auxiliary to the main purpose. (e.g. I buy a pillow online, my info is used to target ads for me.)
GDPR itself doesn't require consent for functional cookies. For example, Apple.com does not have a cookie consent box _at all_.
On tracking specifically, I feel there are at least two levels. One that happens in-browser by third party companies. These are your classic advertisements. The other is more first-party backend-heavy. These would be your local grocery store using your purchase history linked to your membership card and using that data to create analytics and targeted ads etc.
So creating a browser setting would likely not toggle all tracking away, just the ones that are "annoying" while browsing.
There is no legislation on cookies. The legislation is on tracking, or more generally, personal data collection. It doesn’t matter if websites use cookies or other means for those purposes.
That moves the onus to the user to distinguish between tracking and non-tracking uses of cookies and local storage. It also contradicts the principle that tracking requires informed consent.
Speeding is illegal. Controlled substances are illegal. Murder is illegal. Embezzlement is illegal. Driving in a school zone while using a mobile device is illegal.
This was the correct decision and could have been made a decade ago. An .. institutional deficiency was trying to make the GDPR as completely general as possible rather than doing a technology mandate. But this had two consequences: bad actors could circumvent it, and good actors just trying to comply ended up horribly confused (e.g. is logging an IP address in an Apache log "personal data"?).
DNT header. Legally binding. Out of the way of the end user. Unambiguous for enforcement purposes. Probably the end of targeted advertising, but that was always the logical conclusion of GDPR.
I agree cookie banners were the wrong solution, and sometimes made things worse (it make a cookie whitelist extensions I used to use unusable because you have to allow the cookie that stores your cookie preferences).
However, this bit concerns me:
> This key change is part of a new Digital Package of proposals to simplify the EU’s digital rules, and will initially see cookie prompts change to be a simplified yes or no single-click prompt ahead of the “technological solutions” eventually coming to browsers. Websites will be required to respect cookie choices for at least six months, and the EU also wants website owners to not use cookie banners for “harmless uses” like counting website visits, to lessen the amount of pop-ups.
That implies there will be "harmless tracking" allowed, and it removes choices. The latter might restrict dark patterns, but it might also encourage "allow all cookies or you cannot read the site at all" approaches.
DNT is dead by the way, Global Privacy Control (GPC) is the new privacy signal mechanism. It has actual legal weight in some jurisdictions already like California and their CCPA law for example.
Cookie consent banners and such come from the ePrivacy Directive, not the GDPR. The banners themselves were never mandated, but lacking any other standardized opt-in signal, that's what everyone converged on anyway.
It wasn't a "Europe's" nightmare, it was website's nightmare. There is literally no legitimate reason to collect and store PII in excess of allowed by GDPR. No data harvesting - no cookie banners absolutely legally.
In the meantime, if you're browsing the web with uBlock Origin, you should definitely enable cookie list filters in Dashboard > Filter lists > Cookie Notices. Haven't seen a banner in ages.
There have been times where I've been known to open up the dev tools to find the offending overflow:hidden rule. "I'll show you" mentality takes over some times.
When the Digital Services/Markets Act was written this was actually considered. But there's also companies that surveil your browsing data and sell that for other purposes not just advertisement. Market Research and such. I'd have been for a blanket ban though.
Sadly, this is mostly a matter of not enforcing the GDPR enough. Things such as "data minimization" and the erosion of "technically necessary" already should protect us. Instead the Business Community chose malicious compliance on a vast scale and the data protection agencies did nothing.
> They no longer track you by (only) cookies- the GPDR made sure of that. Fingerprinting is the current standard and there’s no easy way to block that.
Without consent, this is illegal, so if this is happening someone's gonna get sued and fined.
fingerprinting and cookiless tracking was a thing before GDPR. And GDPR literally talks about all forms of tracking, not just cookies. One would think you'd read at least something before having an opinion.
"Europe's cookie nightmare" has nothing to do with Europe and everything to do with companies assuming that they have god-given right to all your data in perpetuity.
Europe literally said: we're not going to force specific tech decisions on you. All we ask is to let people opt-in if they want to be tracked. What we got is "we care about your privacy, we're sending all your data to 15000 partners" from the industry.
To people crying "but this should've been mandated as a browser setting": Which world's largest advertising company has dominating browser marketshare and subsumes all web standards committees? What exactly prevented that company to come up with a browser settimg that isn't "we sell you data by default and use dark patterns to trick you to agree" https://x.com/dmitriid/status/1664682689591377923?
Our industry is shit, and we blame governments for regulations that ... assume that industries shouldn't be shit. There's literally no need for EU to regulate browser settings. And yet here we are.
We need clear, direct punishments based on %revenue for websites not taking "NO!" for an answer.
Don't fucking rush, you useless bureaucrats.
"A mix of European legislation has resulted in cookie notices that use dark patterns to nudge people into accepting online tracking. And regulators aren’t taking strong action"
Much like the current cookie banner shitshow, a "centrally configured" setting which "websites must respect" will accomplish nothing. There is no consent, informed or otherwise. Advertisers and their ilk are still hoovering up all the data they can, with or without cookies or consent.
Locking up a few people who don't respect their users' privacy would be a much more effective way of achieving actual results. AFAIK no big adtech or data brokers have been punished in any way.
>Locking up a few people who don't respect their users' privacy would be a much more effective way of achieving actual results. AFAIK no big adtech or data brokers have been punished in any way.
I'm a big fan of personal accountability in the corporate world.
I like the cookie law as a sort of 4D chess move.
Step 1: force websites to add an opt-out flow for privacy-minded users.
Step 2: websites don't complain too much because they can implement it in obnoxious and dark-pattern-laden ways, so that few users actually opt-out.
Step 3: now that websites have proven there's no technical barrier and the flows are already implemented, slowly retire unnecessary user tracking and data sharing.
I'd be surprised if this was planned ahead of time, but it's not a bad strategy.
> This is not a real choice made by citizens
This is something which courts should consider more about other things, such as EULA and Terms and Conditions. Same reasons.
Are EULAs even enforceable?
In the EU, it's complicated.
There is a very clear law that forbids any additional contract terms post the point of sale, so that if you go to a store, purchase a box with software in it and then go home to install it, when it pops up a dialog for you to "agree" on, you can just ignore it, nothing in that is enforceable at all. And no, small print text on the box that says you have to agree to terms in the software does not change anything. But that's not how software is sold anymore.
EULAs in general are not unenforceable, so long as they are presented before the sale. This is precisely why Steam (for example) now gives you the EULA before it lets you buy anything.
There’s still some principles that it must be proportionate and reasonably intelligible to the average person. A 100-page EULA for end-user software generally won’t be enforceable.
they are generally thought to be, but require litigation- which is a problem for the general population!
corporations have enough money to tie you up in court with lawyers.
People always say this, but are there any real examples of corporations extracting damages from EULA violations?
It was a lot more plausible when it is likely the judge has never clicked past an EULA. Today unless you've dug up some archaic fossil the judge is perfectly familiar with this nonsense so you're in a position where the person who decides what the law is knows EULAs are bullshit nobody reads.
I'd expect a situation like Somerset v Stewart. Mansfield clearly didn't want to rule you can't have slavery because that's going to be extremely disruptive to powerful people - so he suggests they settle and then the case goes away and he isn't called to say anything. But Stewart refuses to settle, apparently nobody could convince him that it's in his best interest - so, OK says Mansfield: fiat justitia, ruat cælum (Justice be done though the heavens fall). Somerset walks free.
Are corporations relying on EULAs smart enough to take the L? I guess we'd see.
The choice citizens would make every single time is to see the website without ads. Of course, publishers aren’t happy about that, since they would have to close shop. Maybe the EC should consider both sides of the equation.
False dichotomy, just advertise based on the content of the site without spying on people
Untargeted pay less than 90% of targeted ones generally. And there's not a lot of companies that can handle a 90% drop in revenue.
The real solution would be to make users pay for the content, but charging for something that users used to get for "free" is also essentially impossible.
It doesn't have to be untargeted. You know the type of content the website hosts, therefore, you know a lot about the type of visitors. You can then charge appropriately for advertising that is targeted at those visitors. Don't show diaper ads on a site called Jalopnik. Instead show ads for Armorall, jack stands, tools, etc. When you visit a media site specializing in content like real houswives or kardashians, don't show the previously suggested ads. Instead, show ads on inane fast fashion, beauty products, luxury items, etc.
Targeted ads are always dumb as they tend to push an item that you've looked into before purchasing, but never realize that item has been purchased and you are no longer interested. They never get that the person researched item but has not looked for some time for item. Let's now advertise accessories for that item. If it was a fridge, show stainless cleaning items, for dishwasher, show ads for different detergents or other kitchen related items. It's not hard. For whatever reasons, they can't do targeted well. Targeted doesn't work as advertised.
We’ve been talking about federated micropayment technologies for some two decades. I’d happily pay for content but I refuse to sign up for 30+ publisher websites. If I could opt to pay $.25 for some article without giving the site all my personal data or incurring a subscription I’d be all for it. As it is I either “steal” the content through an archiving site or simply leave the site. More and more it’s the latter. I’d also happily pay some monthly fee for unlimited content from a consortium of publishers rather than disable my ad blocker, and let them sort out how much each one gets based on my browsing habits. None of these seem like hard technical problems, it’s certainly not impossible. I think the days of believing content comes without any cost are long behind us.
That's going to rapidly change if targeted ones are no longer available.
Right now why would you spend money on untargeted ads when you have better options.
Loaded language, it can’t be “spying” if the user consents.
The preponderance of dark UI/UX patterns in advertising and cookie consent pop-ups, as well as the grey-hat browser fingerprinting and DRM based tracking, unfortunately stand testament to exactly that.
Given that ~98% of Internet users couldn't even articulate what javascript does as part of their browsing experience, the exfiltration and reassembling of their PII via meta-data into sellable profiles for targeted auctions is completely beyond their capacity to comprehend or engage with. Thus consent is de facto ungrantable.
This only really rings true if the consent is informed, I don’t believe that that is the case.
Ads don't require invasive tracking. They work in print, radio, television, and 90s web without tracking.
Advertising has existed for centuries, I'm sure it can survive as an industry without requiring invasive tracking.
Related: https://news.ycombinator.com/item?id=45667866
Personally, I find this a move in the wrong direction where hostile behavior by websites is normalized and hidden. Cookie banners show web site true colors. When someone asks me to share data with a thousand of "partners", I leave.
> Personally, I find this a move in the wrong direction where hostile behavior by websites is normalized and hidden. Cookie banners show web site true colors. When someone asks me to share data with a thousand of "partners", I leave.
I kind of agree, but at the same time basically all websites are using some kind of tracking to know what kind of users visit, and I'm tired of clicking "allow all" just to read an article. Many websites don't even work if you refuse non-essential trackers, because their tag manager is configured incorrectly, or because by law if there's even a single textbox where users can put their email or name, they need to have the consent to show that and allow input on it.
Having a browser default of "nope" with the option to whitelist a broken website would save a ton of time for people and machines the same, and also reduce website latency a lot. There's a nice website that "tracks" this cost: https://cookiecost.eu/
I think I agree, at least until it's clear how exactly this should be implemented.
Fingerprints can be shared with third parties without cookies, and while I know that the so-called "cookie law" is not really just about cookies, this is where the deception begins.
For some reason, I think it's easier to force websites to list everyone they share data with, than to force them to comply with an invisible preference that says "don't share data".
It even sounds as if this could be a trojan horse to dismantle parts of the GDPR altogether (see the DNT references in this thread...), and I happen to think that by and large, GDPR is good.
I agree. I think it's one of those things that people complain about because other people complain about. You have to click a button. Wow. What an ordeal. The title of this thread used the term "nightmare". I would be thankful that my life is so wonderful that clicking a button is considered a "nightmare". It's transparent and if you don't like it, don't go to that site.
It's a nightmare because it is everywhere you turn, not because of the difficulty in dismissing the banner (although not all banners are made equally). But I'm pretty sure you're smart enough to realize you're intentionally making a strawman argument. It's the purpose of the argument I'm not sure.
Users will overwhelmingly use browsers in vanilla config. The question here will be how browser vendors show this option. If - say - a company that gives away a browser for free but makes money from ads designed this, then they'll hide the option deep in some obscure menu, never remind people it exists, and reset it on every update.
So the devil is in the details. The best option I think isn't a secret setting in a browser, but a standardized consent dialog. Basically the sites communicate to the browser a standardized data format for consent. Then the browser shows that query in a popup that looks the same for every site. That means 1) the sites no longer have a chance to do dark patterns 2) it's less confusing for end users since the UX is always the same 3) it allows users to check a "Automatically reject for all sites". The site should not know whether the user has auto-rejected this, or manually rejected it. There should be no option to automatically consent for all sites (Can't have that). So the only ergonomic choice is to set it to auto reject.
Having this "use this choice (reject) for all sites" is the really important part here. Because it means that ALL users of ALL browsers will quickly see this choice, so in short order a huge chunk of users will have made this permanent rejection choice.
Dialog is already standardized in the current GDPR. There is literally an item there which states that Reject consent option should be the same and equally easily accessible as Accept consent option. So basically all dark pattern sites are already criminals. The problem is zero enforcement of the GDPR.
It's standardized in behavior only, it doesn't prescribe which button is where in the dialog etc. But yea for those that actually follow it, it's not a _big_ problem, but it's still an improvement to get an exactly similar dialog. Especially if you can check the [x] reject everything on every site
> The question here will be how browser vendors show this option.
We know exactly how. Here's Google presenting "more private web". If you click "yes, I'm in", all the tracking options will be turned on: https://x.com/dmitriid/status/1664682689591377923
And of course HN (and the industry at large, and journalists) will blame it on "clueless bureaucrats writing regulations"
Since tracking is not legal without informed consent, either browsers will be mandated to default to no tracking, or to display a choice on first use. Silently defaulting to tracking certainly won’t be an option, given the whole GDPR and e-Privacy framework.
IMO there isn't a cookie nightmare but rather a tracking nightmare. I'm not fully up-to-date on if there is a separate EU directive on cookies on the internet specifically, but the GDPR is the _General_ Data Protection Regulation. Meaning that if I go and collect your info on pen and paper, I must then ask your permission on how I process and share that data, especially if sharing that data is not necessary to complete the main transaction but is somehow done auxiliary to the main purpose. (e.g. I buy a pillow online, my info is used to target ads for me.)
GDPR itself doesn't require consent for functional cookies. For example, Apple.com does not have a cookie consent box _at all_.
On tracking specifically, I feel there are at least two levels. One that happens in-browser by third party companies. These are your classic advertisements. The other is more first-party backend-heavy. These would be your local grocery store using your purchase history linked to your membership card and using that data to create analytics and targeted ads etc.
So creating a browser setting would likely not toggle all tracking away, just the ones that are "annoying" while browsing.
There is no legislation on cookies. The legislation is on tracking, or more generally, personal data collection. It doesn’t matter if websites use cookies or other means for those purposes.
Here's my proposal:
* Let websites do whatever they want with cookies/local storage.
* Let browsers delete them as often as they want.
* Make other kinds of fingerprinting illegal.
That moves the onus to the user to distinguish between tracking and non-tracking uses of cookies and local storage. It also contradicts the principle that tracking requires informed consent.
> * Make other kinds of fingerprinting illegal.
Speeding is illegal. Controlled substances are illegal. Murder is illegal. Embezzlement is illegal. Driving in a school zone while using a mobile device is illegal.
Has the legality stopped any of it?
>Has the legality stopped any of it?
I'd suggest that illegality has in fact stopped most of it. We'd surely have many times as many murders if it was legal to murder people.
This was the correct decision and could have been made a decade ago. An .. institutional deficiency was trying to make the GDPR as completely general as possible rather than doing a technology mandate. But this had two consequences: bad actors could circumvent it, and good actors just trying to comply ended up horribly confused (e.g. is logging an IP address in an Apache log "personal data"?).
DNT header. Legally binding. Out of the way of the end user. Unambiguous for enforcement purposes. Probably the end of targeted advertising, but that was always the logical conclusion of GDPR.
I agree cookie banners were the wrong solution, and sometimes made things worse (it make a cookie whitelist extensions I used to use unusable because you have to allow the cookie that stores your cookie preferences).
However, this bit concerns me:
> This key change is part of a new Digital Package of proposals to simplify the EU’s digital rules, and will initially see cookie prompts change to be a simplified yes or no single-click prompt ahead of the “technological solutions” eventually coming to browsers. Websites will be required to respect cookie choices for at least six months, and the EU also wants website owners to not use cookie banners for “harmless uses” like counting website visits, to lessen the amount of pop-ups.
That implies there will be "harmless tracking" allowed, and it removes choices. The latter might restrict dark patterns, but it might also encourage "allow all cookies or you cannot read the site at all" approaches.
Fine I can vote with my feet and avoid sites that say "no cookies, no lookie" and use archive if I am really eager to read something.
DNT is dead by the way, Global Privacy Control (GPC) is the new privacy signal mechanism. It has actual legal weight in some jurisdictions already like California and their CCPA law for example.
Would there have been cookie banners if DNT was respected?
Cookie consent banners and such come from the ePrivacy Directive, not the GDPR. The banners themselves were never mandated, but lacking any other standardized opt-in signal, that's what everyone converged on anyway.
To be clear, the other option was to respect privacy by default and comply with the GDPR without any banner.
> An .. institutional deficiency was trying to make the GDPR as completely general as possible rather than doing a technology mandate.
Making it a technological mandate would have made it trivial to circumvent.
So… Do Not Track 2.0?
https://en.wikipedia.org/wiki/Do_Not_Track
It's still 1.x, but this time legally enforced (hopefully).
It wasn't a "Europe's" nightmare, it was website's nightmare. There is literally no legitimate reason to collect and store PII in excess of allowed by GDPR. No data harvesting - no cookie banners absolutely legally.
In the meantime, if you're browsing the web with uBlock Origin, you should definitely enable cookie list filters in Dashboard > Filter lists > Cookie Notices. Haven't seen a banner in ages.
I've noticed more and more websites breaking from that. The page won't scroll and you can't interact with anything.
There have been times where I've been known to open up the dev tools to find the offending overflow:hidden rule. "I'll show you" mentality takes over some times.
This occasionally causes breakage though; because many cookie notices open up modal dialogs and disable scrolling.
Thank you I didn’t know this.
EU! EU! EU!
Just ban individually targeted advertising and be done with it.
When the Digital Services/Markets Act was written this was actually considered. But there's also companies that surveil your browsing data and sell that for other purposes not just advertisement. Market Research and such. I'd have been for a blanket ban though.
Sadly, this is mostly a matter of not enforcing the GDPR enough. Things such as "data minimization" and the erosion of "technically necessary" already should protect us. Instead the Business Community chose malicious compliance on a vast scale and the data protection agencies did nothing.
Thank you. My fucking idea implemented. YEA!
https://news.ycombinator.com/item?id=33262369
yes. everyone install Cookie Auto Delete.
the problem is a plugin like that would take out entire industries because it would basically end anonymous tracking cookies.
They no longer track you by (only) cookies- the GPDR made sure of that. Fingerprinting is the current standard and there’s no easy way to block that.
> They no longer track you by (only) cookies- the GPDR made sure of that. Fingerprinting is the current standard and there’s no easy way to block that.
Without consent, this is illegal, so if this is happening someone's gonna get sued and fined.
Don't hold your breath for that to happen though. Maybe in your grandkid's lifetime, but doubtful in yours.
The GDPR surely didn't have an influence on that.
The GDPR is technologically agnostic about tracking. You don't accept, then no tracking either way.
> the GPDR made sure of that
wat.
fingerprinting and cookiless tracking was a thing before GDPR. And GDPR literally talks about all forms of tracking, not just cookies. One would think you'd read at least something before having an opinion.
> says the EU. “This will drastically simplify users’ online experience.”
They are proudly removing the annoyance they mandated 7 tears ago.
Do we have to congratulate them?
None of that annoyance was mandated by the EU.
Curious how no one blames the industry which just needs to store your precise geolocation data for 12 years: https://x.com/dmitriid/status/1817122117093056541
"Europe's cookie nightmare" has nothing to do with Europe and everything to do with companies assuming that they have god-given right to all your data in perpetuity.
Things like "precise location information stored for 12 years": https://x.com/dmitriid/status/1817122117093056541
Europe literally said: we're not going to force specific tech decisions on you. All we ask is to let people opt-in if they want to be tracked. What we got is "we care about your privacy, we're sending all your data to 15000 partners" from the industry.
To people crying "but this should've been mandated as a browser setting": Which world's largest advertising company has dominating browser marketshare and subsumes all web standards committees? What exactly prevented that company to come up with a browser settimg that isn't "we sell you data by default and use dark patterns to trick you to agree" https://x.com/dmitriid/status/1664682689591377923?
Our industry is shit, and we blame governments for regulations that ... assume that industries shouldn't be shit. There's literally no need for EU to regulate browser settings. And yet here we are.
We need clear, direct punishments based on %revenue for websites not taking "NO!" for an answer.
Don't fucking rush, you useless bureaucrats.
"A mix of European legislation has resulted in cookie notices that use dark patterns to nudge people into accepting online tracking. And regulators aren’t taking strong action"
Wired, 20/5/2020:
https://www.wired.com/story/gdpr-cookie-consent-eprivacy/
[dead]
LOL the EC mandarins have finally had enough of the endless nagging!
What are "EC mandarins"? Google doesn't give me anything useful.
The nagging which was done by the data collectors to blame the EC