1. 74
    1. 61

      Ironically, I can’t even read the article without dismissing a gigantic cookie prompt!

    2. 35

      Certain regulations, like the GDPR, the General Data Protection Regulation, by the European Union, require that sites get consent for placing cookies and data on user devices.

      Which doesn’t have to come in the form of invasive banners. It’s the form chosen by the ad industry to shift the blame for their desire to track users to “European bureaucrats”.

    3. 21

      I feel like this whole “consent dialogs” UX antipattern thing could be solved with an HTTP request header, they might give it a useful and obvious name like “Do-Not-Track”.

      1. 4

        Actually, the Do-Not-Track header could be argued to be disagreeing. So depending on how the law is worded, asking for approval again after that, via a consent dialog, could (should) be disallowed.

    4. 6

      “I don’t care about cookies” extension also works pretty nicely:

      https://chrome.google.com/webstore/detail/i-dont-care-about-cookies/fihnjjcciajhdojfnbdddfaoknhalnja?hl=en

      1. 69

        Not really. That accepts everything automatically, which is pretty much the opposite of the right thing, especially because you’re accepting a full privacy policy, not just allowing cookies.

        Consent-O-Matic is better: https://github.com/cavi-au/Consent-O-Matic

        It also seems to be better than the feature described in the OP, which can only do “reject all” or fall back to “accept all” if you set it to do that (why???)

        1. 20

          I uninstalled I don’t care about cookies and switched to Consent-O-Matic when they got bought by Avast.

        2. 11

          I wish Mozilla would just mainline Consent-O-Matic; its behavior is a reasonable default.

          I mean don’t get me wrong; I’m glad we have the ability to do this in extensions, but it’s a shame we have to.

        3. 1

          Fair enough. Although I’m also using Cookie AutoDelete: https://chrome.google.com/webstore/detail/cookie-autodelete/fhcgjolkccmbidfldomjliifgaodjagh?hl=en, so I really don’t care if they gather my temporary one-time cookies :), I just don’t want to see these annoying cookie banners.

          1. 12

            Agreeing to random privacy policies means you’re agreeing to a lot more than just storing some cookies you can delete later. Cookies are not, and never were, the real problem.

            1. 1

              I think the “real problem” is different for different people.

              For me, the “real problem” is that if I would care about all the privacy policies of all websites I visit each day, I wouldn’t have the time to do any work nor to read any articles. Yesterday alone I visited 26 different websites, and by looking at the domain names alone, for most of them, I wouldn’t be able to tell why I was even there. We can also argue about what is the definition of the cookie rejection action, and how does an “essential cookie, without which the website can’t work” work, because not knowing how the law defines these, we can’t make an informed decision if we want those things to happen, or not.

              If we say that a cookie is required for basic use of the website, then what does it mean? I think in order to be sure, we have to read the GDPR official legal texts, and even if we’ll gain that knowledge, we will need to decode lots of legal documents that define how the law makes sure that GDPR is even followed, what is the legal enforcement mechanism, and what is the risk that the website will illegally (by omission, or by intentional action) mis-use “essential” cookies for marketing purposes. Because if I check “use essential cookies only”, I implicitly trust that some random website is following the law, which is a bit naive in my opinion. This is also a real problem for me.

              The cost of managing the privacy policy of one-off websites is simply too high. You have to use a shortcut somewhere. I choose to go there right at the beginning of that path, because I don’t believe GDPR is designed with users in mind; it’s a part of some shady business, and someone wants to make money off of it. I refuse to pay the price with my attention.

              1. 11

                The problem that @robert_tweed slides to is that you are not granting consent to cookies. The law was never about cookies. The consent is required to handle and process information about you. Cookies are one mechanism that may be used for this but the site can also use a mix of IP address and browser fingerprinting to fairly accurately identify you as an individual. By consenting and clearing cookies, you are granting them a legal framework to collect this data and share it with third parties for a very broad range of purposes. In contrast, if you reject tracking then you have denied them the legal framework to justify this and that opens them to the 5% of global turnover fines that the regulator may apply, which any moderately sane company will consider far too high risk.

              2. 3

                If every stranger you met asked you for your personal information, would you tell them just to avoid wasting time?

                1. 2

                  I don’t think this comparison is apt. It would be more like: every stranger I meet asks me to take my picture. But in order to decline, they hand me over a short book of regulations, each stranger with their own rules. I need to read and understand those regulations to know how to decline the request. So I choose to wear a mask and allow myself to be photographed. They have a photograph of my mask instead of me, and are free to use that as they see fit.

                2. 1

                  A real world comparison could be that strangers approach you and ask you to put colourful ribbons on your wrist. What does it matter when you agree to let them put on the wristband when you discard it the moment you are out of their eyes?

                  1. 7

                    Do you think websites just discard your personal information when you stop using them?

                  2. 7

                    No, it’s like someone comes up to you and says they want to put a wrist band on you. To do so, they ask you to agree to a contract that gives you consent for them to track you using any means that they wish. They then give you a bright shiny wristband that you throw away and they track you with CCTV cameras and drones.

                  3. 6

                    That’s not what’s happening though. It’s not the wristband (the cookie). It’s that effectively all means they want, your IP, ETags, browser fingerprinting, and most likely a combination of these are legally used if you consent. Even if you delete everything you still have the IP, and if you somehow hide/switch that you still have browser fingerprinting.

                    It’s a lot more like having a camera drone following you, watching you discarding your wristband, or watching you putting your mask on or whatever you want for the real world comparison of changing your IP would be.

                    There are ways to work with browser fingerprinting as well, but that’s on the rare side to do properly.

                    Of course working around these things and things like deleting cookies is great if you don’t trust the reject button which is reasonable. Just go on a random website and see what you get despite rejecting everything.

                    1. 1

                      Browser fingerprinting works by estimation, not a specific result. Even if the fingerprint is unique, then it can be differently unique between different sessions of the same user. So it’s another tool for statistical analysis, not a “following camera drone” that is always able to detect intentional evasion. And even if it is able sometimes to detect it, then there’s still a statistical uncertainty of the result.

                    2. 1

                      This is a great point! Fingerprinting is hard to evade.

    5. 3

      With these things I always wonder how much it makes the “market share” statistics plummet. There are such features, there are extensions, there is a correlation of Firefox and privacy minded people, there is a correlation between the websites and mechanisms market share statistics use and the websites that Firefox users actually visit.

      The Wikimedia stats seemed like a good indication of actual usage shares, since it’s tracked on the server side and because it’s a reasonably sized/used/famous website.

      1. 2

        Link to Wikimedia stats: Wikimedia Foundation Browser Statistics – All Sites by Browser. In the last 30 days, 4.3% of requests used a Firefox or Firefox Mobile user agent.

    6. 2

      I generally use uBlock’s element picker to remove those.

    7. 2

      uBlock has additional rules to remove annoyances of many kinds, including cookie prompts. If they never show, you never need to consent to them.

    8. 1

      I use Cookie AutoDelete to manage domains I accept cookies from.