Can the horrendous cookie banner by the EU be rolled back?
37 comments
Cookie banners aren't required for a working web. User-abusing organisations would like you to think that, because they want you to blame the EU rather than them. The fact is, if a cookie is strictly required to provide the service the user is requesting, then explicit consent is not required (it's implied by the user requesting the service in the first place).
Cookie banners are only required for sites that abuse users.
Unfortunately there are many organisations who are duped into thinking that they need cookie banners when they do not. That helps the agenda of the user-abusing organisations.
Cookie banners are only required for sites that abuse users.
Unfortunately there are many organisations who are duped into thinking that they need cookie banners when they do not. That helps the agenda of the user-abusing organisations.
We can still blame the regulator, that they introduced legislation they do not enforce. If all those dark pattern usages would lead to prosecution, they would be gone already.
I fear the assumption was that the market participants would be enticed to force each other to comply, but what if all participants want to break the law?
I fear the assumption was that the market participants would be enticed to force each other to comply, but what if all participants want to break the law?
Enforcement is happening. For example: https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-m...
But yes, I'd like it to be happening faster.
But yes, I'd like it to be happening faster.
Two cases out of millions ...
I would recommend reading the ePrivacy Directive [1] and understanding it before you try to roll it back (see Chesterton's fence).
It's really a very reasonable rule. Before you use somebody else's computer you have to ask for permission. In fact cookie only turns up once in the PDF as it's an example of something you (the webserver) may want to store on somebody else's machine. If you think this request isn't reasonable I have a cryptominer I'd be happy to put on your machine.
[1]: https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...
It's really a very reasonable rule. Before you use somebody else's computer you have to ask for permission. In fact cookie only turns up once in the PDF as it's an example of something you (the webserver) may want to store on somebody else's machine. If you think this request isn't reasonable I have a cryptominer I'd be happy to put on your machine.
[1]: https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...
Yes, but companies have mostly chosen the most annoying method they possibly could have to implement that. If either non-strictly necessary cookies were required to be off by default, or there were a button that does the equivalent of denying all non-essential cookies, then you'd be halfway there. If it weren't a modal, but a small banner at the top or bottom of the screen that allowed you to operate with non-strictly necessary cookies turned off and gave you options to turn them on, that would be even better.
I guess the EU just needs better product managers or something.
I guess the EU just needs better product managers or something.
> It's really a very reasonable rule.
Impact on users is annoying pop up every time you visit a new web site, which ask s for permission to store cookies. It doesn't seem like a reasonable rule. Storing cookies is reasonable. That's how the web works. Don't need special permission for it, and asking for permission every time serves no purpose other than irritating users.
Impact on users is annoying pop up every time you visit a new web site, which ask s for permission to store cookies. It doesn't seem like a reasonable rule. Storing cookies is reasonable. That's how the web works. Don't need special permission for it, and asking for permission every time serves no purpose other than irritating users.
Storing cookies is reasonable if I am using the remote computer to something more than just “go there to see a post or just navigate”. Otherwise, what would they care about the computer I am using?
Go to any newspaper and just browse? I do not want a cookie for that.
Go to youtube because I have seen a link which might be interesting? I do not want a cookie for that.
I would allow a cookie if I am going to fill a form. Otherwise, I do not deem it reasonable.
Accesible servers are there to serve. My computer is not.
Go to any newspaper and just browse? I do not want a cookie for that.
Go to youtube because I have seen a link which might be interesting? I do not want a cookie for that.
I would allow a cookie if I am going to fill a form. Otherwise, I do not deem it reasonable.
Accesible servers are there to serve. My computer is not.
You don't need a cookie banner for cookies that are necessary for your website functionality. For example auth cookie doesn't need a banner.
However, most of the websites are using cookies for advertising and sharing data with 3rd parties, that's why they have the banner.
However, most of the websites are using cookies for advertising and sharing data with 3rd parties, that's why they have the banner.
> Impact on users is annoying pop up every time you visit a new web site, which ask s for permission to store cookies.
Go read the directive, it doesn't require a banner or an obtrusive banner.
Go read the directive, it doesn't require a banner or an obtrusive banner.
> it doesn't require a banner or an obtrusive banner.
And yet, that's the impact on users.
And yet, that's the impact on users.
The best way to change a useful law is to convince people it's not useful.
The best way to distract people from unpopular activities is to point the finger at someone else.
(Rather like how in the UK "health and safety" is used as cover for unpopular decisions.)
The best way to distract people from unpopular activities is to point the finger at someone else.
(Rather like how in the UK "health and safety" is used as cover for unpopular decisions.)
> It's really a very reasonable rule. Before you use somebody else's computer you have to ask for permission.
Your own example of a cryptominer shows how incorrect your idealized statement is: there is nothing to prevent websites from running cryptominers. Some do. It's not illegal.
This idea of consent is idealized & fluffy & sounds neat & compact, but every time we open a website we are letting sandboxed but fairly arbitrary code run, code that can talk to & connect to a huge amount of othrr systems (CORS permitting).
The flipside is that it's your browser, your useragent. You are free to write extensions or disable javascript or block images or block 3rd party traffic or whatever.
And that kind of brings me around to cookies & the EU mandate here. Im not sure why a human interface here splashed on each page is at all a good thing. This is the sort of approach to the problem I'd expect from people who have no grasp of technology no sense of what is possible. Earlier approaches like Do Not Track[1] provided a far more concise & less disruptive general alternative . Or perhaps we could say cookies need markup as to their purpose, create some categories, & such that we can build browsers that can execute our preferences more elegantly. We could have created a new web api that sites serving EU citizens had to implement, to better enable the browser.
The crime of ePrivacy is that it specifies a solution which must be entirely in-band to the page. The media has to advertise it's privacy capabilities, a user has to go through custom, ah-hoc, non-standard dialogs proprietary to each site. Mandating any kind of out-of-band / machine-to-machine interface here would have done so much to prevent this obnoxious trashy low-quality muck we are now mired in. It's cheap & distracting & clicking through to secure your rights is a pointless ritual. This solution sucks. I agree it's a good that's enabled, but this is a trashy mandate, and it's significantly increased the trashfire feel of the web. It was imminently avoidable, better was so close at hand, but the lawmakers didnt seem to have any real grasp or vision of what they were up to or would create.
[1] https://en.wikipedia.org/wiki/Do_Not_Track
Your own example of a cryptominer shows how incorrect your idealized statement is: there is nothing to prevent websites from running cryptominers. Some do. It's not illegal.
This idea of consent is idealized & fluffy & sounds neat & compact, but every time we open a website we are letting sandboxed but fairly arbitrary code run, code that can talk to & connect to a huge amount of othrr systems (CORS permitting).
The flipside is that it's your browser, your useragent. You are free to write extensions or disable javascript or block images or block 3rd party traffic or whatever.
And that kind of brings me around to cookies & the EU mandate here. Im not sure why a human interface here splashed on each page is at all a good thing. This is the sort of approach to the problem I'd expect from people who have no grasp of technology no sense of what is possible. Earlier approaches like Do Not Track[1] provided a far more concise & less disruptive general alternative . Or perhaps we could say cookies need markup as to their purpose, create some categories, & such that we can build browsers that can execute our preferences more elegantly. We could have created a new web api that sites serving EU citizens had to implement, to better enable the browser.
The crime of ePrivacy is that it specifies a solution which must be entirely in-band to the page. The media has to advertise it's privacy capabilities, a user has to go through custom, ah-hoc, non-standard dialogs proprietary to each site. Mandating any kind of out-of-band / machine-to-machine interface here would have done so much to prevent this obnoxious trashy low-quality muck we are now mired in. It's cheap & distracting & clicking through to secure your rights is a pointless ritual. This solution sucks. I agree it's a good that's enabled, but this is a trashy mandate, and it's significantly increased the trashfire feel of the web. It was imminently avoidable, better was so close at hand, but the lawmakers didnt seem to have any real grasp or vision of what they were up to or would create.
[1] https://en.wikipedia.org/wiki/Do_Not_Track
> The crime of ePrivacy is that it specifies a solution which must be entirely in-band to the page.
You mind quoting where it requires an in-band solution?
You mind quoting where it requires an in-band solution?
I'm still surprised we haven't seen – as far as I'm aware – a proposal to integrate the cookie consent notice as a unified browser specification that websites would have to go through to ask for permission, just like they have to for displaying notifications, use the webcam, microphones, etc.
"This website wants to share your information with the following third-part services...", with a way for me to save my preferences for various services so I don't have to select for each individual website I visit.
"This website wants to share your information with the following third-part services...", with a way for me to save my preferences for various services so I don't have to select for each individual website I visit.
I'm definitely not surprised. The global consensus seems to be that, if the user gets the real choice, then the vast majority of users (more than 80%) will refuse the cookie. If it gets standardized in browser, then most companies will lose their precious data.
Yes, in fact it is already solved!
It's very easy: Just don't use any cookies. You can still serve text, images, videos, anything. It just works, you don't need a cookie notice, your pages are faster, and you even save money on hosting static content.
It's very easy: Just don't use any cookies. You can still serve text, images, videos, anything. It just works, you don't need a cookie notice, your pages are faster, and you even save money on hosting static content.
Correct me if I'm wrong, but functionally required cookies (such as for persistent login) are exempt from having to show a consent notice?
It's a slippery slope: many "entrepreneurs" consider showing ads and tracing user activity an essential function.
There are exemptions for strictly necessary cookies, in which case explicit user consent isn't required. However, you still have to inform users about these cookies.
The question is, though, what constitutes strictly necessary cookies in which use case. It also isn't clearly stated anywhere - or otherwise agreed upon, in which way you have to inform your users about these cookies.
Hence, many website providers opt for the legally-safest, but terrible in terms of UX, alternative of displaying a cookie banner.
The question is, though, what constitutes strictly necessary cookies in which use case. It also isn't clearly stated anywhere - or otherwise agreed upon, in which way you have to inform your users about these cookies.
Hence, many website providers opt for the legally-safest, but terrible in terms of UX, alternative of displaying a cookie banner.
Cookies serve a purpose. They can't just be used for serving ads that follow you.
Case in point: the very website we're using right now. While it's true that Hacker News would be possible without cookies, for commenting and voting you'd then have to log in each time your browser session has been closed, which would make for a less than optimal user experience.
Case in point: the very website we're using right now. While it's true that Hacker News would be possible without cookies, for commenting and voting you'd then have to log in each time your browser session has been closed, which would make for a less than optimal user experience.
My comment was obviously humorous.
But I'd honestly argue that your view of cookies is very conservative.
Why is the user experience less than optimal? Why can't the browser remember your credentials and automatically sign you on? (It could, of course - e.g. using client-side certificates!).
We should also ask ourselves whether the user experience on some website (which lasts seconds, and is mostly irrelevant) is more important than the privacy of its users, which will be impacted forever (through first-party data collection, third-party data collection and sharing / resale of data).
But I'd honestly argue that your view of cookies is very conservative.
Why is the user experience less than optimal? Why can't the browser remember your credentials and automatically sign you on? (It could, of course - e.g. using client-side certificates!).
We should also ask ourselves whether the user experience on some website (which lasts seconds, and is mostly irrelevant) is more important than the privacy of its users, which will be impacted forever (through first-party data collection, third-party data collection and sharing / resale of data).
So you want it to be rolled back to what exactly? To a time where any website you visit or get redirected to can set any number of cookies that can track you forever across the web?
They can do it now, they just have to harass you first.
Yeah, and some people will decline. I'd rather be harassed than tracked.
Decline might mean you can opt-out and use the service or it might mean access is denied.
There are many different legal definitions of "privacy", one of them is "the right to be left alone", from that viewpoint widespread harassment might be worse than accumulating dossiers that are used tactfully.
The Soviet Union tried towards the end, but having 50 people assigned to track and harass somebody like Andrei Sakharov is no way to run a civilization, never mind promote full employment. If a society is accumulating dossiers that it can't take real action on that's different from having that system coupled to a harassment machine which is orders of magnitude more expensive than dossier building.
There are many different legal definitions of "privacy", one of them is "the right to be left alone", from that viewpoint widespread harassment might be worse than accumulating dossiers that are used tactfully.
The Soviet Union tried towards the end, but having 50 people assigned to track and harass somebody like Andrei Sakharov is no way to run a civilization, never mind promote full employment. If a society is accumulating dossiers that it can't take real action on that's different from having that system coupled to a harassment machine which is orders of magnitude more expensive than dossier building.
I'd rather be tracked than inconvenienced.
Go away banners. They are annoying.
Go away banners. They are annoying.
The issue is less with the regulation, but with site owners who try to collect as much information as they can, then make cookie banners, which are more complex than requested by the regulation and then put blame in EU in order to annoy everybody to create pressure on the EU instead of simply complying with the requirements and respecting users.
Yes, install an ad blocker. uBlock Origin is the best.
Giant hosts lists like Energized Unified [0] block such domains too - use adAway [1] or similar.
How are people still complaining?
[0] https://block.energized.pro/unified/formats/hosts
[1] https://adaway.org/ ; https://f-droid.org/en/packages/dnsfilter.android/
How are people still complaining?
[0] https://block.energized.pro/unified/formats/hosts
[1] https://adaway.org/ ; https://f-droid.org/en/packages/dnsfilter.android/
I blame the EU cookie banners for other forms of intrusive pop-ups that have proliferated since then.
There has always been a contingent of people on every project who speak for the end user, who fought every proposal for an intrusive pop-up.
When the cookie pop-ups came it was "the law" and we had no choice. It set a precedent for "it's OK to have a pop-up to ask people if they want notifications" (why not ask them if they want a hole in their head?) and for various forms of ads that cover the content and can be impossible to close on mobile without "accidentally" clicking on the ad.
There has always been a contingent of people on every project who speak for the end user, who fought every proposal for an intrusive pop-up.
When the cookie pop-ups came it was "the law" and we had no choice. It set a precedent for "it's OK to have a pop-up to ask people if they want notifications" (why not ask them if they want a hole in their head?) and for various forms of ads that cover the content and can be impossible to close on mobile without "accidentally" clicking on the ad.
The "horrendous cookie banner by the EU"? I'm not aware of the EU making that much banners on the web. I'm aware of rules about cookies, and companies making horrendous banners to try to get around it, but that's it.
If you can set/ give consent via browser ui then the banner is obsolete. Unfortunately I’m not hearing any noises coming from that direction.
It’s not just for cookies btw.
It’s not just for cookies btw.
Yes. Just STOP USING COOKIES!
Is there any chance of it being rolled back? Or are we going to live with this monstrosity forever?