1. 33
  1. 20

    A peeve of mine is those so-called GDPR banners… but the actual regulation says they cannot interfere with the use of the site to be compliant. If only that was actually enforced!

    1. 13

      This is my main frustration. All of these EU regulations were implemented with the right intent, but since the ad-industry failed to lobby, they are now fighting these regulations through malicious compliance.

      The fact that many people refer to these banners as “EU cookies banners” shows how the EU failed the battle of the public opinion, and the anti-privacy-industry won. The real issue is that websites set cookies just for me to read an article which could be served statically. They could serve ads related to the article content, the same way duckduckgo serves ads related to the search query. (And surprise, surprise, Duckduckgo has no cookie/GDPR banner.) But somehow the ad-industry managed to shift the blame from their bad practices to the EU in the public’s mind.

      Same goes with GDPR approval modals, many of them are non-compliant. (Der Spiegel’s modal is literally “either you pay to subscribe, or accept our trackers. Otherwise you cannot access the article.”) But nothing is enforced…

      1. 11

        The fact that many people refer to these banners as “EU cookies banners” shows how the EU failed the battle of the public opinion, and the anti-privacy-industry won.

        Part of the reason for this is the neoliberal want that users should ~make a choice~ in the matter rather than banning the practice outright.

        1. 4

          All of these EU regulations were implemented with the right intent, but since the ad-industry failed to lobby, they are now fighting these regulations through malicious compliance.

          I think it’s moved beyond the ad industry, too. At my previous job, I tried and failed to convince our UI designers that our site didn’t need a cookie popup because the cookies we were setting (login session ID kinds of things) were all fine under EU regulations. Their rebuttal wasn’t to cite the regulations back at me and show me I was wrong, but rather to say, “Better safe than sorry.”

          1. 5

            “Better safe than sorry.”

            This is the insidious problem with most regulation. Good or neutral actors over-comply in harmful ways, and bad actors continue to fail to comply. Usually the problem with a bad actor isn’t that there is no regulation they are breaking, but that no one is making them comply (or that they have so much power no one can reasonably make them comply). More regs are not (usually) a solution to bad actors – better strategies for getting compliance are.

            1. 3

              [ I am not a lawyer, I am definitely not a lawyer who specialises in privacy regulations, this is not legal advice ]

              You could try pointing them at the GitHub blog post that describes how they reached GDPR compliance without a banner. You could also try asking them to look at bounce rates: how many people just leave the site entirely rather than clicking through the banner (I do this most of the time I see one, not sure how representative I am).

              Perhaps more effectively, you could talk to them about the flow to withdraw consent. The GDPR requires that this be visible. If visitors are granting consent then you must also provide an option for them to withdraw consent. This means that you also need a workflow for what it means to withdraw consent and what your process is for deleting the PII that you’ve collected on that visitor. Without this, you are definitely not safe: by requesting consent, you are publicly asserting that you are collecting PII and without a process for tracking this PII and withdrawing consent then you are open to liability because you’d have to prove to the regulator that you actually weren’t collecting PII in the first place (and are therefore misrepresenting the operation of your site to visitors, which may open you up to a different kind of liability). The mantra ‘better safe than sorry’ definitely applies but having a misleading tracking banner does not make you safer.

              1. 1

                Love it! I’m definitely going to pull that out of my hat if this situation arises again.

          2. 1

            Do you have a reference for where in the GDPR it says cookie banners can’t interfere with the site? Or an authoritative interpretation that says so? @acatton seems like you might know too.

            1. 1

              This page is pretty good: https://gdpr.eu/gdpr-consent-requirements/

              A few specific quotes:

              “Freely given” consent essentially means you have not cornered the data subject into agreeing to you using their data. For one thing, that means you cannot require consent to data processing as a condition of using the service. They need to be able to say no.

              Of course, the site owners might disagree that a big obtrusive popup that says in huge terms “YES” and then in tiny little grey text on the side “customize settings” that makes you jump through a few hoops to turn it off (and it is liable to randomly ask you again until you say yes) is not cornering the user and making clicking it a condition of using the service. Technically, you can say no and still get to the site, you just have to do all this first. But if their mantra is “better safe than sorry”, why risk having to litigate it?

              Consent must be specific
              Consent must be informed
              If the request for consent is vague, sweeping or difficult to understand, then it will be invalid.

              How many times have you seen something like “this site uses cookies to improve your experience”? That’s completely meaningless so it violates these too.

          3. 8

            Oh nice! It’s like a crowdsourced uBlock Origin’s manual right click → “Block Element”, but now you can call into JS and apply conditionals and such, rather than doing simple blocking.

            Actually, I’m not sure what the practical purpose of that is – are there modals/banners that warrant anything besides "addStyle 'display: none !important'"? I’m wary of extensions that can run arbitrary crowdsourced code on my browser.

            I’ve been accustomed to using this bookmarklet from 2013 as a sledgehammer for the same job – it hides everything with position: fixed, but this manual approach requires hitting the bookmarklet every time you navigate the site. (Highly recommend binding it to a keyboard shortcut, via userscripts.)

            1. 5

              Yes, that’s right!

              Some modals have overlays or prevent the page from scrolling, in which case it’s often better to call someVar.close() or simulate a click on a close button to remove it completely. JavaScript is limited to function calls and clicks so it’s not completely arbitrary.
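The two comments above describe the “sledgehammer” bookmarklet (hide everything with `position: fixed`) and the scroll-locking overlays it has to deal with. The block below is an added example written for this thread; it is not the 2013 bookmarklet, nor code from the extension being discussed. It hides every fixed or sticky element, then undoes the `overflow: hidden` that scroll-locking modals put on `<html>`/`<body>`. The function `hideOverlays`, the fake-DOM helpers `makeEl`/`buildSampleDocument` and the sample page layout are all constructed here for illustration: in a browser the same function is called as `hideOverlays(document, getComputedStyle)`, and the fake DOM only exists so the code can be exercised offline.

```javascript
'use strict';
// Added example (not code from the thread or the extension it discusses).
// A bookmarklet-style "sledgehammer": hide every position:fixed / position:sticky
// element and undo the overflow:hidden that many modals set on <html>/<body>
// to lock scrolling. It needs only a document-like object and a
// getComputedStyle-like function, so it runs in a browser as
//   hideOverlays(document, getComputedStyle)
// and in Node against the constructed fake DOM further down.
function hideOverlays(doc, getStyle) {
  const hidden = [];
  const walk = (el) => {
    const pos = getStyle(el).position;
    if (pos === 'fixed' || pos === 'sticky') {
      el.style.setProperty('display', 'none', 'important');
      hidden.push(el);
      return; // a hidden subtree needs no further inspection
    }
    for (const child of el.children) walk(child);
  };
  walk(doc.body);
  // Restore scrolling on the root elements if an overlay locked it.
  for (const el of [doc.documentElement, doc.body]) {
    if (getStyle(el).overflow === 'hidden') {
      el.style.setProperty('overflow', 'auto', 'important');
    }
  }
  return hidden;
}

// ---- Constructed fake DOM so the function can be exercised offline --------
// Each fake element records the computed style it would report and every
// style.setProperty() call made against it. (Hypothetical helper, not a DOM API.)
function makeEl(id, computed, children = []) {
  const set = {};
  return {
    id,
    computed: { position: 'static', overflow: 'visible', ...computed },
    children,
    style: { set, setProperty(name, value, priority) { set[name] = { value, priority }; } },
  };
}
const fakeGetStyle = (el) => el.computed;

// Constructed page shape: sticky site header, article text, a fixed cookie
// banner with a close button inside it, and a body with scrolling locked.
function buildSampleDocument() {
  const closeButton = makeEl('close', {});
  const banner = makeEl('cookie-banner', { position: 'fixed' }, [closeButton]);
  const header = makeEl('site-header', { position: 'sticky' });
  const article = makeEl('article', {});
  const body = makeEl('body', { overflow: 'hidden' }, [header, article, banner]);
  const html = makeEl('html', {}, [body]);
  return { documentElement: html, body };
}

// Runs the sledgehammer on the sample page and reports what changed.
function demo() {
  const doc = buildSampleDocument();
  const hidden = hideOverlays(doc, fakeGetStyle);
  return {
    hiddenIds: hidden.map((el) => el.id),          // ['site-header', 'cookie-banner']
    bodyOverflow: doc.body.style.set.overflow,     // { value: 'auto', priority: 'important' }
    articleTouched: Object.keys(doc.body.children[1].style.set).length > 0, // false
  };
}
```

The walk stops at the first fixed or sticky ancestor, so the banner’s close button is never inspected: the banner is gone, and nothing below it needs work. The same coarseness is the technique’s weakness, which the later question in this thread about wanted modals touches on: a site’s own sticky navigation, or a modal injected by an extension the user relies on, is hidden along with the cookie banner, which is why a per-site allowlist or a targeted `close()`/click is the better tool where it is available.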

            2. 3

              Will have to try this.

              I had an idea to combat sticky elements via a tool for X that would open Firefox in an extremely tall window, but with the viewable portion restricted to the bounds of a wrapper window. The wrapper would intercept scrolling events to make the Firefox window move up and down within the wrapper window. Then sticky stuff at the top would be easy to scroll past (including the Firefox address bar, incidentally) and the sticky stuff at the bottom would rarely be seen. Then when Firefox changes their extension API or blocks functionality for “security” purposes, this solution would keep working. The approach certainly has its downsides.

              1. 2

                Does it block modals users want? For example those injected by browser extensions. Can you whitelist for certain sites? Our browser extension uses modal pop-ups that the user needs.

                1. 2

                  It blocks specific modals. You can allow certain types of modals and whitelist websites but the aim is to only block modals that are useless or user-hostile.