1. 9

  2. 18

    It is good they are updating the guidance, but like it has been patently obvious that most companies have been outright lying about the law from the beginning, claiming it prevents things it doesn’t (e.g. login cookies), and putting up extremely obnoxious popups that are not remotely compliant - covering up content is prohibited (that denies access to the site), default accept is prohibited, the “to enhance the site” generic explanations we see are prohibited. Yet everyone does these obviously prohibited practices, then pretends it is such a burden.

    Frankly I kinda wish they’d just go ahead and ban the tracking advertisements and stop pretending there’s any real consent to it.

    1. 21

      Well, I mean, I have a hard time seeing the point made here…

      “Yeah, it makes it hard for us to comply”, maybe if you didn’t build your website around unethical tracking and useless resources right away, it could be easier to comply?

      1. 6

        I think we’ve had more than enough years to prove that that argument is nonsense. You don’t need to be doing anything evil for compliance to be an expensive timesink.

        1. 9

          You don’t have to tell people about the tracking cookies you set if you don’t set any tracking cookies. Just sayin’…

          1. 2

            Sure, but at a pretty huge cost in useful interaction data that could be used to improve user experience. You want to know, not just what do users do when they get to a certain page, but break down those results according to things like: is this someone brand-new or have they interacted with us before? How does the response to $some_big_change differ between people who were using the site before the change, and people who visited for the first time after we launched it? Which features are used by people who give us money almost every time they visit, and which are used by people who keep coming back but never spend a cent? Without some kind of persistent visitor ID you can try to make data-driven improvements, but you’re really flying blind. To do a competent job you don’t need to do anything privacy-invading, you don’t need to send data to third parties, but you do need to do something that meets the yurpean definition of “tracking cookie”.

          2. 1

            I found this page because a compliance officer who couldn’t be bothered to read the actual directive came up with some “cookie” demands in a setting where there aren’t even any cookies, and their demands may turn out to be illegal despite an intention to play it safe with GDPR.

        2. 10

          They didn’t change the rules again, they noticed website owners weren’t following the existing rules.

          One thing that is somewhat true, and we should probably take to heart:

          > The problem is down to the way webpages work. There’s no copy-and-paste plugin someone can add to their website which blocks cookies. In most cases, you’ll need code on your server, which means your website and your CMS will need to be modified by a programmer.

          This statement seems nonsensical to us; webpages don’t track anyone or add cookies by default. If they do so, it’s by design.

          But a lot of website operators are Steve Yegge’s Turing-unaware racecar drivers. Even if they have good intentions, they can’t act upon them unless there’s a blinky light on their dashboard that tells them what’s happening.

          1. 9

            Asking before a website could set a cookie is actually how browsers from the 90s worked. Lynx still works like that by default.

            The problem with asking the browser is that … every website will just ask this. Even for something as pointless and intrusive as notifications every damn fucking website will ask you to send those horrible things. I have the notification permissions set to just “always deny” in Firefox.

            And if every website (including Lobsters, for example) would ask for cookie permissions people will just click “yes”. I would just click “yes”; life is short, I have better things to do than review 200 cookies every day. Besides, there are many more tracking techniques than just “cookies”, and the focus on just that is rather outdated.

            I’ve been trying to come up with a better alternative ever since the ePrivacy Directive was introduced, and thus far I haven’t really managed to think of something better. I think the GDPR is a step in the right direction as it focuses less on “information stored in the browser” and more on “identifiable information”.

            Enforcement is an issue, but this is a fixable issue.

            1. 9

              > Asking before a website could set a cookie is actually how browsers from the 90s worked.

              But that’s not what the law demands. Lobsters has no cookie popup. Neither does GitHub. Even though both sites use cookies.

              And it’s not because either of them are flouting the law, but because they’re not using the cookies for tracking. The browser can’t possibly know if a cookie is used for tracking, or for authentication, or even potentially for both. That’s one thing that makes legal solutions different from technical ones; the police have permission to check what the server side is doing, while your browser does not.

              1. 7

                I get your point here, but can we please not further spread the myth that “the police” go about enforcing laws like this? A better phrase may be “the courts” or more simply “the state”.

                1. 1

                  Well, sure; but the article was talking about asking for permission to set any cookie, as I understood it anyway. I’m not sure it’s realistic to ask notifications only for “bad” cookies; that will only work if it’s enforced, and if the (current) law is enforced by the regulatory bodies then this entire proposal is a bit of a moot point as regular “cookie popups” will work pretty much identically.

                2. 2

                  https://www.goatcounter.com/ is certainly a step in the right direction!

                  1. 1

                    A saner default would just be to limit cookies to session duration and auto-delete them when all tabs from that origin are closed. I have the Firefox extension “Cookie AutoDelete” set to do this. If you visit a website for 30 seconds, you get cookies for 30 seconds.

                    The EU cookie law was insane from the beginning because browsers give people the power to control this in the first place. It would have made sense for something like, for example, facial recognition in a shopping mall, because that’s not something you have the power to prevent. It treats “setting cookies” as though it’s something done that bypasses browser controls, when literally no cookie can be set without the browser agreeing to it. The article above even suggests something resembling a browser permission request, but this misses the point that this should always have (and always has) been the role of the browser, and not some website-implemented website-specific UI.

                    1. 5

                      Most users don’t want their login and settings cookies to be deleted when they close a window; they just never want to have Google Analytics enabled, regardless of whether they keep their session open or not.

                      1. 3

                        I use Cookie AutoDelete as well, but I don’t think it’s really an option “for the masses”, at least not with the current implementation/UI. An improved version with a friendlier non-technical UI could perhaps be an option though.

                        But this still won’t prevent other types of fingerprinting/tracking, so it’s a very limited solution anyway. The more prevalent cookie blocking becomes, the more incentive there is to circumvent it and use other methods. This is why I don’t think these kinds of technical means are really the road forward, unless all fingerprinting/tracking becomes impossible/hard, and that’s a lot easier said than done because a lot of these things rely on pretty essential features.

                    2. 4

                      At the end it says

                      > Meanwhile the average user still doesn’t know what a cookie is, and blindly clicks on the Accept button.

                      This isn’t true. The beginning of the article even explains that it’s against the rules to emphasize accept over reject for cookies, which means the average user is going to click no. And why wouldn’t they?

                      1. 7

                        If that’s in the rules, it sure as hell isn’t followed. A lot of sites have a nice shiny “accept” button and a dimmer “manage my cookies” button.

                      2. 3

                        Seems like the article is from 2019, given that the orange site has a discussion link from that long ago for this URL.

                        …in which case: well, that didn’t work very well.

                        1. 1

                          Indeed. A meta tag on the page confirms it was published 2019-07-15.