Look, EU, it is difficult to take you seriously when you forced all this cookie notification bullshit on us. That feature a) should not exist and b) if it did, should be a BROWSER feature not "every website in the entire world now has to bother everyone forever about this stupid thing" https://blog.codinghorror.com/breaking-the-webs-cookie-jar/
@codinghorror That's a myth perpetrated by adtech industry. There is no EU obligation to spam cookie notices. There's an obligation not to track without explicit consent, and everyone illegally uses the cookie nag popups as a basis for claiming consent (which it's not). A legitimate, non malicious site has no need for cookie nags. Ever.
@codinghorror Moreover there *was* a browser feature to set it globally and all the assholes running websites refused to honor it and instead used your setting as an additional fingerprinting bit to track you.
I'm sorry I usually really like your takes but this one is just not true: the only thing the EU Cookie Law requires is consent for cookies that are not technically necessary, so mostly tracking features in our current internet, which are extremely privacy-intrusive. Useful features such as login, shopping cart, settings etc. -- none of that requires any cookie banner. So websites making use of cookie banners only do that because they don't want to respect their users' privacy
@luap42 ok BUT AT THE BROWSER LEVEL FOR THE LOVE OF GOD
@dalias not true. It is a LEGAL REQUIREMENT. Or you will be sued. By lawyers. And money.
@codinghorror It really is obnoxious that this isn’t a browser function. I would have saved SO many hours of effort.
@codinghorror No, if you are not tracking you have not broken any law and you will not be sued.
@codinghorror
Or you could, you know, not track people. Silly, I know.
@dalias @codinghorror in analogy:
EU made it illegal to “sucker punch people” ie collect personal data without consent. That’s not the same as legit personal data collection eg an online shop needs your delivery address to mail your order you just made to you.
Cookie banners are basically giving someone a quick “sorry” after punching them - it’s a loophole that shouldn’t exist. No sorry needed if you don’t punch anyone.
@leymoo @codinghorror They're not even a loophole. It's been ruled that they don't meet the GDPR requirements. But enforcement is lax. Really every site with cookie banners instead of genuine opt-in should be facing tens or hundreds of millions of euros in fines.
@codinghorror @Viss the EU reacted to behavior by tech companies. If the tech companies hadn’t had this behavior, the EU wouldn’t have done this.
@dalias @codinghorror yeah fair. I see some progress has been made on allowing ad free meta product usage (with payment).
But the banners I think are harder to enforce because it’s just so many companies, large and small.
@leymoo @codinghorror It's also that the garbage web frameworks make it basically impossible to comply. EVERY SINGLE ONE automatically generates a session cookie for you on first access, despite having no legitimate reason to track a session for you. Instead this should happen only when you opt to log in, or add something to your cart or whatever (at which point you should *then* get the prompt for consent to store that data, and an option to store cart contents locally instead of server-side).
@dalias @leymoo @codinghorror yes indeed! before we joined Internet Safety Labs, the org published a spec for how that relationship between the visitor and the company should work, in an ideal world
not because anybody is going to follow that spec unless legally required to... just because sometimes you need to make your position clear
@dalias @codinghorror We got decent progress on encouraging https by mainstream browsers soft blocking http.
I can see a route where:
- html (new version) has some sort of header “data collected” statement with categories
- browsers can flag or not depending on personal settings
- browser defaults encourage broadly decent behaviour from companies or risk getting soft blocked for the general population.
@dalias @codinghorror yep because they’re coming from a “it’s not a big deal to perform mass surveillance without consent” point of view. Most of them are an inaccessible mess without a lot of extra work too, sadly.
@dalias @leymoo @codinghorror anyway: during our time at Google we were occasionally party to VP-level decision-making around privacy topics
we can attest, from our own direct knowledge, that tech companies habitually intentionally refuse to engage with public-policy debates so that they can later paint the laws and regulations that come out of those debates as uninformed by industry realities
@codinghorror @javier Websites that don't use cookies are not involved. Neither are websites that only use cookies that are _required_ for the website to function, e.g. session tokens.
It's only when you'd like to use cookies to track users and deliver personalized ads that you have to deal with this stuff.
It's a choice.
Most websites simply don't choose the privacy-friendly option.
@ireneista @dalias @codinghorror yep, pretending I had no ethics, that’s how I’d do it.
I am much happier helping build software in industries where they accept regulation is necessary. Turns out people are keen on trains not smashing into things, ships staying afloat and not on fire, and money arriving in the correct account.
@codinghorror @dalias German here: the gist of GDPR is: people must know when someone connects personal data.
You can perfectly live without a cookie banner if you don't set one for arbitrary visitors. That was the intended result. But reality instead invented this UX nightmare, because we can't have nice things.
For me it just shows how fucked up today's web actually is.
@dalias @leymoo @codinghorror If they process your data only as strictly necessary to do things you explicitly asked for, they don’t need to ask for consent separately. E.g. if you order something to be shipped to you, entering your shipping address and clicking the order button implies consent to use your address for shipping that order. They still need to have a published privacy policy, but there’s no need to ask “May we use the shipping address you gave us for the order to ship your order?”
If they want to also send you ads to that address or use it to build a customer profile that’s an entirely different matter, and they’d need to ask for consent.
@ireneista @dalias @leymoo @codinghorror
"industry realities".
translation: regulations haven't made doing whatever it is expensive enough to affect profits/stock enough for boards to be willing to spend any resources at all to avoid/fix something...
@paul_ipv6 @dalias @leymoo @codinghorror that is correct.
@ireneista @dalias @leymoo @codinghorror
i have scars from attempting to assist in generation of technically sane but useful tech regulation...
"fixed in the next release. take the money now." isn't just for software dev. apparently it's what many politicians think about our planet/environment, etc.
@dalias @leymoo @codinghorror that sort of bullshit was a lot of why we now work in civil society, instead.
the industry claims that self-regulation is the appropriate model, but then refuses to be held accountable by its own internal processes (which we were part of). therefore, change must be driven from outside the system rather than within.
@ireneista @dalias @codinghorror Self regulation is how we got that poop-filled cruise ship. And bridges that fell down a lot (in the 1800s).
@leymoo @dalias @codinghorror the regulations are written in blood, as the saying goes. it's true in every field that has regulations. none are silly or unimportant; the fight to get them in place was too immense to be fought for trivial stakes.
True, but my point remains. This shitty experience we're collectively having here isn't "the EU forcing cookie notification on people", it's "the malicious compliance of companies that profit from user tracking."
Every company that shows you a cookie popup has made the choice to put a few fractions of pennies of possible future profit ahead of your experience.
@paul_ipv6 @dalias @leymoo @codinghorror yes. techno-solutionism is a distinct and recognizable strain of this larger body of solutionist rhetoric - the idea that whatever problems come up, can be solved later, without thought to the cost meanwhile.
@ireneista @dalias @leymoo @codinghorror
ah, the old "move fast, break things", just being sure to move fast enough to flee any prosecution.
i miss the days when "do cool shit, solve hard problems" was the focus. vast parts of the benefits of our 60s/70s space program wasn't as much the space part as all the stuff we learned and all the tech that was discovered and repurposed for earth.
going to be a while before the idea that research is a good thing without an immediate stock bump that quarter comes back.
@Gottox this. Ubiquitous cookie banners are straight up malicious compliance by the ad industry @codinghorror @dalias
@lispi314 @leymoo @codinghorror Likely there's pressure on the enforcement bodies not to enforce.
@codinghorror @lispi314 @leymoo Literally the only people doing that are the ones who are trying to use user suffering (via malicious compliance) as leverage to get what they want - rollback of regulation.
@codinghorror @lispi314 @leymoo They may be well-intentioned* but they're not well-designed or doing everything right. They're tracking visitors without their consent.
* Normally I would not even call this well-intentioned, but as I said upthread, the fact that every web framework *automatically sets session cookies assuming you want to break the law and track users* even when the user has not indicated that they want to do something like log in or store a shopping cart, means a lot of people *don't even know they're doing it*. But this doesn't excuse it; it just makes them "well-intentioned".
@dalias @lispi314 @leymoo the issue is far too nuanced to cover in this limited medium. The short version is, users should have sane, safe defaults they don't have to think about for 90% of their activity. For critical web sites, perhaps. Forcing everyone to constantly think about minutiae is an overwhelmingly bad strategy.
@codinghorror The EU did not force cookie notifications. Site operators decided that it was easier to make everyone click through notifications instead of only using the data they legitimately needed.
@codinghorror That the EU 'forced' cookie banners is flat-out false. It was a *choice* for sites like yours to persist in the intensive collection of data about your users to feed in to the surveillance capitalism machine. As genuinely admirable as your philanthropy is, it was built on this.
@Gottox @codinghorror @dalias also, by default a website complies with GDPR.
The choices by those in charge (collecting ad revenue or choosing a harmful technical library) is what then makes a website require needing consent.
@codinghorror @luap42 the donottrack header is exactly that at the browser level; if it's set no need to ask the user about consent they're explicitly denying. For non-tracking, i.e., technically necessary (auth,user settings) cookies, that banner is not necessary
the browser setting exists, it's not honored by website operators, which choose to show banners instead, and is being torpedoed by google, who is earth's dominant ad network and browser supplier.
the EU (in that case) isn't at fault.
@codinghorror @luap42 here's the stock firefox browser setting you wish for; it's right there.
@codinghorror it not being a browser feature is part of the dark pattern, i think. Data brokers and google would lose their business model if this would be a browser feature and everyone selected to not agree. (Why would anyone ever select otherwise?)
@codinghorror The EU just said that sites had to get consent for certain things. It's the websites who decided to comply in the most annoying way possible.
@codinghorror That would be some of the propaganda you are not immune to.
@codinghorror Look, USA, your utter failure to protect citizens’ privacy makes it difficult to take you…*checks notes*…did not in fact make the list of the top 100 reasons why we can’t take you seriously right now
@funkylab @codinghorror @luap42 Well, akschualllly the Do-Not-Track header has been deprecated because it was widely disrespected for being enabled by default in some cases, so websites argued that DNT doesn't really reflect the users' choices.
Therefore, DNT has been replaced by the Global-Privacy-Control header which is required to be disabled by default. @funkylab's screenshot shows the GPC setting.
@codinghorror Not sure how GPC is not precisely the “at the browser level” you are describing.
@pixelcode @funkylab @luap42 well, good, does it do away with all these cookie pop ups and banners over time?
@codinghorror "Encrypting everything just to protect that one lousy cookie header seems like a whole lot of overkill to me.
I’m not holding my breath for that to happen any time soon, though."
Looks like you were wrong about both this and the GDPR cookies.
@aurelian good! Wake me up when I am no longer clicking 15 different cookie banners per day, please!
@codinghorror As for why this isn't a browser feature, it was and is! It is a *choice* by your industry to disregard this, by ignoring DNT and not implementing GPC in major browsers. Did your site honour DNT? Does it honour GPC in places where it is not legally obliged to?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/DNT
https://globalprivacycontrol.org/
@codinghorror complain to the site, it's not the EU's fault.
I'm still amazed that all the UI/UX people have allowed sites to continue to have this bad UX.
@codinghorror @willegible I wouldn't mind some ads. What I do mind is the tracking bullshit and potential malware injection into the sites.
1. Institutions succeed in obtaining rights for citizens.
2. Tech companies instead of complying threaten to turn tables and take away services from citizens.
3. Citizens instead of getting angry at tech companies complain about institutions.
4. Citizens realise too late that they have no rights.
@codinghorror hey, EU doesn't force cookie banners on websites. Just... don't track your users with third party scripts and no consent mechanism is necessary then.
For context: I work as a website GDPR compliance auditor
@codinghorror if you only use cookies for logging users in, you don't have to gather consent beforehand or have any dismissable popup.
The popup is a made-up requirement by the ad industry
@codinghorror and EU didn't say that this cannot be a browser feature. It's the browser vendors that chose not to implement it as a browser feature.
Stop collecting user data then, and quit acting like the EU offended your mother.
@codinghorror
"Human nature" is not an argument. What are you talking about?
@codinghorror
You can still serve ads and not have a cookie banner... Just don't serve personalised ads. This is how the internet worked before and still how regular media works.
@willegible
@pixel @codinghorror Browsers did have a function for this, called Do Not Track. But ad networks loathed it, so instead they made the cookie prompts as obnoxious as possible (btw, that cookie banner is illegal – there should've been a "Deny" option next to "Accept all").
I do agree that EU not requiring adherence to Do Not Track was a missed opportunity.
@codinghorror EU can be blamed for a lot of things, but it's definitely not forcing websites to collect users' data to serve targeted ads, pretending otherwise is disingenuous.
@codinghorror Well, first of all EU didn't force that on websites, ad companies did. And second, the do-not-track in Firefox was shunned by ad companies.
At least point the blame at the correct entity.
Also, I don't think you'd like the EU to force browsers to do stuff. In that case you'd probably be complaining about that instead.
@codinghorror @dalias May I point out that Wikipedia has no cookie banner?
@codinghorror Your complaint is disingenuous. The EU didn't require cookie banners, it required that collection of personal information only be done with explicit user consent. This hardly bans free advertising-supported content, and it has always been entirely possible for the web content industry collectively to define a less intrusive mechanism for collecting that consent. Your industry just hasn't bothered. Why might that be?
@codinghorror And by the way, GDPR has absolutely no problem with serving ads that *aren't* targeted using personal information. There were a lot of choices that could have been made by the web industry here. It consistently made ones that prioritised revenue over user protection.
@dalias @codinghorror I love the cookie autodelete firefox extension. Along with tmp containers it gives a quite nice protection I believe. But I still view all the dark-patterned dialogs and say no to cookies :)
Btw, I recently for the first time experienced a site stating that they respected the do not track header: usopen.org.
If only it was possible for websites to exist without tracking the shit out of every user.
But no, these evil popups which the EU definitely said every site must have stand in the way of the newsletter sign-up popup, the three overlaid autoplaying videos, the half screen ads, and the push notifications popup that we're all just dying to see.
Wait no you can just not treat visitors like a commodity to be shopped around. Because that's gross.
GDPR does not force cookie notices if you have only functional cookies.
You need notices when you want to invade privacy. Then you must give people a choice. https://gdpr.eu/cookies/
@scy @codinghorror @javier one of the big problems nobody talks about: tech is largely only explained by entities who have no incentive to explain it *well*.
Google, Meta, large ad networks are all like "stupid EU makes us do Cookie banner".
While the actual regulation is actually pretty good. The regulation is basically "don't fuck around with user data. But if you do, you at least need to tell the user".
@ireneista @leymoo @dalias @codinghorror Same goes for safety regulations on almost every tool and device. Amount of harm caused by digital advertising and massive scale surveillance companies is large, but the conflicts of interest are so largely overlapping with people in positions of power that things sadly got rather bad.
@autiomaa @leymoo @dalias @codinghorror yes. we feel qualified to say, since worrying about this is our day job, that a lot of what's going on there is that policymakers have little access to technical expertise about computers, except via people who are still highly sympathetic to industry narratives. in fact, a lot of it is via registered lobbyists.
(our own beliefs, especially around ethics, changed dramatically during our time at that company. we're ashamed to admit that, when we were young, we bought the industry lines. we never pretended to hold a view we didn't actually hold, it's only that we worked hard to see the world as it really is, with unclouded eyes, and when we finally saw past our own ideological blinders, we realized we'd been horribly wrong.)
@paul_ipv6 @dalias @leymoo @codinghorror yes. after leaving the company, we did a few years of soul-searching, and part of what we were asking ourselves was: do we still believe in that dream, of making a better world in part by actually making stuff?
we concluded that we do, but that the dream itself is grievously wounded and needs our help.
@leymoo @codinghorror @dalias @lispi314 it’s not nuanced at all; it’s very, very simple: Don’t do dodgy shit, and you don’t have to request consent. Your take merely underlines that you have fallen completely into the bogus malicious compliance trap that adtech set for you. It’s not the regulation’s fault, though you could legitimately blame the lack of enforcement for its prevalence.
@Synchro @codinghorror @dalias @lispi314 the transition to the bulk of the web using https is considered nuanced and technical to the bulk of the population and yet we managed it.
The issue here is appetite and misaligned incentives - adtech money has helped maintain a huge number of open source projects (and others) that run the web right now, why would they bite the hand that feeds them and voluntarily turn off an income stream (historically, data collected without consent for free).
@codinghorror @dalias @lispi314 If this was actually wanted, I’d expect something in HTML7 at the point it appears. Things that people needed flash or browser extensions for historically can frequently be done these days using html & css.
Then the (co-operative) browsers add the soft block/warning enough (like they did for sites not running on https) and orgs will catch up. This has actually worked, which is why I’m touting it.
This is not happening practically however when Google (ie Chrome, Android) has as much of the adtech market it has and the market dominance in browser usage. (I’ll be honest, I’m expecting Apple to do their thing like the app store changes in iOS maybe if we manage it - not pretending they are the good guys more that their income doesn’t rely on ads so they can use it as a selling point to gain money).
The problem is you are in the “awkward phase” of that overall (likely positive) journey, where companies think if they make it annoying enough for consumers the laws will be reversed and they can ignore their legal obligations. And the blocker here is Google basically running both android and chrome, the market dominance they get from that *and* having most of their income from ads and data collection.
Remove google’s “need” to collect data (originally without any modicum of consent) for free to make money, cookie banners have no need to exist.
@codinghorror @dalias @lispi314 @leymoo this is a cop-out. Website creators, who have the intention to use the data poorly, are intentionally making the user experience poor, and not even actually complying with the letter of the law. Saying that this medium is too limited to cover this nuanced topic shows you don't even understand the topic being discussed
@codinghorror wait a sec... is this the right link?
A blog post from 2010 on how it's a bad idea to demand that every website uses https, but considering that a better authentication protocol won't come, demanding https is our best bet?
How's that relevant to cookie popups?
And how has no one in this thread noticed this before? Did they not read the blogpost?
@codinghorror Sorry, but this is bullshit US propaganda. There is no obligation to have a cookie banner (my blog does not have one, for instance), even if you use cookies (a lot of important usages, such as logging in and out are excluded).
@dalias @codinghorror This. All those banners tell you is "this website doesn't respect your privacy"
And there was a "Do Not Track"-flag, but respecting that was voluntary. :/
@Viss @jason @codinghorror @buherator How did it make it worse? Fewer websites use 3rd party tracking cookies, Github is one such example.
@codinghorror @lispi314 @leymoo We only have to constantly think about it because site owners are constantly assaulting us. What "sane, safe defaults" would you propose? That we just go back to "they're allowed to do this because it's too annoying when they whine to us that they're not"?
Nothing nuanced about this unless you're on their side.
Session cookies in themselves are fine - no PII involved and no third party tracking. If you only set one of those you don't need consent, the same way you don't need to consent to set a "no cookies consent" cookie
@pgcd @leymoo @codinghorror Nope, a session cookie is tracking. It enables processing data on you like "the same person who looked at products A, B, and C yesterday bought products C and D today". Likewise choosing what to show you based on that profiling. It might also reveal things about you to other ppl you share a computer with like "somebody using this computer was looking for information on contraceptives or HRT" etc.
Session cookies are unlawful tracking unless you consented to it by logging in to the site with the understanding and intent that you have a persistent profile and what that profile will be used for was made clear.
@buherator
"Made" as in "the poor web sites and ad tracking networks had no choice"???
Really?
@dalias @pgcd @codinghorror weirdly an interesting rule of thumb (anecdotally) on identifying movement/tracking of data is to open the site with a Chinese IP address and see how much they block or slow down (disclaimer - use a western site).
@leymoo @dalias @codinghorror I might be wrong, but I read some time ago that you don't even need consent if you keep the data (for example my delivery address) to yourself. The GDPR prompts are only mandatory when you want to share (sell) data with (to) third parties.
@doragasu @dalias @codinghorror So there’s a set of legitimate reasons by law to process or store personal data about a person. Consent is one of them, so broadly if someone is asking for your consent it’s because their purposes don’t fall under one of the other legitimate reasons.
@leymoo @dalias @codinghorror If someone is asking for consent with one of those nasty banners, it's because it wants to sell your data to its 853 partners.
@autiomaa @leymoo @dalias @codinghorror that being the case, it's quite important for those of us who have this background and have humanity's interests at heart, to do what we can to share our knowledge and experience in ways that change that dynamic.
@ireneista @autiomaa @dalias @codinghorror And when attempts do manage to break the lobbyist barrier, so few people with the right knowledge are in the policy room you get nonsense like the UK’s recent online safety bill.
@leymoo @ireneista @dalias @codinghorror It's the problem with lobbying: very few highly skilled people have enough free time to help decision makers without getting paid for the advice. It would help if leaders would pay for the advice of professionals, but somehow that is seen as a bad thing in the public sector (as a "waste" of tax money).
And people who mainly work in the consulting industry have gotten so used to fulfilling almost any requests from their customers that it's incredibly difficult to find consultants who would be willing to promote ethics and safety (without increased risk of losing their own jobs for keeping people's digital safety in mind).
@dalias @codinghorror Indeed, but I would say it was 100% entirely predictable that this would be the outcome, and so on that basis the regulations were really badly thought out.
Personally, I think some rules on this are a tad far, it makes sense for a site to have logs and track sessions - if only to improve the site or understand traffic. The bad bit is the third parties and cross site targeted ads and profiles and shite we see in the advertising industry.
@revk @dalias @codinghorror There is no need for popups to have logs and track sessions.
@richlv @revk @codinghorror There is no legitimate business reason to track sessions for users who are purely reading, not buying stuff from you or posting their own things to your site. Session cookies without consent (which can be implicit in logging in) are violations. But they're so widespread due to bad software assuming anyone with a website wants to track & exploit their visitors that fixing it will be an enormous task.
@codinghorror @dalias no, you need a legal basis according to the GDPR. Consent (which many people already pointed out the banner is not) is just one of them.
It’s just laziness of companies to choose the banner route.
Here is how my company's compliance lawyers explained it to me. There aren't really EU-wide laws. There are "directives", and each individual country then passes laws that aim to meet the goals of that directive. To make sure you're compliant with all of them, it's easiest to err on the risk-avoidant side, even though it is all deeply stupid.
@codinghorror I find it difficult to believe that the EU meant for those cookie banners to be the response to their requirements. It is nothing else than malicious compliance.
After doing some digging it seems that functional cookies do not require consent, but the tracking that is shared with third-parties does (that would be advertisers and social network trackers).
@dalias @pgcd @codinghorror although to counter the main point I can think of some reasonable uses (this is offhand, others may know better) of cookies and tracking them in a session:
- accessibility prefs
- overriding location or language from your browser temporarily
- other forms of information that directly improve a user experience eg you collapsed a sidebar to see other content better, you’d like that retained across pages.
@leymoo @pgcd @codinghorror These don't need identifying session cookies with the prefs stored server side. The prefs themselves can just be stored as cookies, the way cookies were intended to be used. This avoids any tracking.
If a user opts to login, they may want the prefs stored server side so they persist across clearing cookies, etc. But this isn't possible if they're being associated with a non logged in session key that would be unrecoverable itself.
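The behaviour described in the posts above (no cookie on a plain page view, preferences kept in the cookie itself instead of behind a server-side session id, a session id only at login, and `Sec-GPC` / `DNT` read as a refusal of tracking), as an added example that is not part of any post in this thread. The function names, the cookie names `prefs`, `sid` and `consent`, and the request shape are assumptions made for the illustration, not any framework's API.

```javascript
// Added illustration. Names, cookie names and the request shape are assumptions.
// Allowlist of preferences that may be stored client-side in the `prefs` cookie.
const PREF_SCHEMA = {
  theme: ['light', 'dark', 'high-contrast'],
  lang: ['en', 'de', 'fr'],
  sidebar: ['open', 'collapsed'],
};

// Header names are case-insensitive, so compare in lower case.
function header(headers, name) {
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === name) return String(v).trim();
  }
  return '';
}

// Returns 'gpc' for Sec-GPC: 1, 'dnt' for the older DNT: 1, otherwise null.
function privacySignal(headers) {
  if (header(headers, 'sec-gpc') === '1') return 'gpc';
  if (header(headers, 'dnt') === '1') return 'dnt';
  return null;
}

// Splits a Cookie header into name/value pairs; the value may itself contain '='.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// The cookie is client-controlled input: keep only allowlisted keys and values.
function decodePrefs(value) {
  const prefs = {};
  for (const [k, v] of new URLSearchParams(value || '')) {
    const allowed = Object.prototype.hasOwnProperty.call(PREF_SCHEMA, k);
    if (allowed && PREF_SCHEMA[k].includes(v)) prefs[k] = v;
  }
  return prefs;
}

// Uses the Web Crypto global when the runtime provides it.
function defaultSessionId() {
  if (!globalThis.crypto || !globalThis.crypto.randomUUID) {
    throw new Error('no CSPRNG available');
  }
  return globalThis.crypto.randomUUID();
}

// Decides which cookies a response sets. `req.action` is 'view', 'set-pref'
// or 'login'; `req.body` carries the submitted preference fields.
function handle(req, newSessionId = defaultSessionId) {
  const cookies = parseCookies(header(req.headers, 'cookie'));
  const prefs = decodePrefs(cookies.prefs);
  const setCookies = [];

  if (req.action === 'set-pref') {
    // Preferences travel in the cookie itself; nothing is keyed to a visitor id.
    const submitted = new URLSearchParams(req.body || {}).toString();
    Object.assign(prefs, decodePrefs(submitted));
    setCookies.push(
      `prefs=${new URLSearchParams(prefs)}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`
    );
  } else if (req.action === 'login') {
    // The only place an identifying session cookie is issued.
    setCookies.push(`sid=${newSessionId()}; Path=/; HttpOnly; Secure; SameSite=Lax`);
  }
  // A plain 'view' falls through with no Set-Cookie at all.

  // Analytics need a recorded opt-in and no browser-level refusal.
  const signal = privacySignal(req.headers);
  const analytics = signal === null && cookies.consent === 'granted';
  return { setCookies, prefs, signal, analytics };
}
```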
Eventually an EU court will declare DNT legally binding, and there will be wailing and gnashing of teeth.
@faduda @frosch @codinghorror That's why Google and Mozilla removed the setting.
@dalias @pgcd @codinghorror oh yep I misread your message - I thought you were saying no cookies at all!
@codinghorror The EU didn't "force anything".
"If you want to track (or share information), you must seek consent"
Websites had various alternatives.
1. Don't do it. No consent needed.
2. Need? Then Ask.
Nowhere in the docs is it mentioned that it should be borderline impossible to say no (or to use a banner)
This is on companies, not the EU. The alternative is they do it behind the scenes without your consent.
Of course bureaucracy made it possible to abuse loopholes. And here we are.
@codinghorror GDPR never mandated cookie banners. GDPR mandated user consent. There was a browser feature for that: the DNT HTTP header. That header was deprecated because nobody respected it. It was just easier to enforce user consent through cookie banners and dark patterns.
Nothing here is EU's fault. You want a better option? Campaign for a legislation to enforce the website to respect DNT.
Or… Just don't track?
@codinghorror The EU does not force cookie notifications. It forces CONSENT for cookies set SPONTANEOUSLY by websites.
Any cookies set by an action from the user (e.g. setting the language, logging in, ...) do not require consent.
It is the industry that forces that cookie notification bullshit because they can't stop themselves from tracking you.
I live in the EU. I see cookie notices many times every day. I still applaud the EU on this.
My web sites don't have cookie popups because they don't track people.
They're not obligatory. Just respect people's privacy.
@codinghorror nah. The EU didn't "force the cookie notice" on anyone. It just requires that if you track people, you need their consent. If data brokers choose to make the most hideous dark patterned interfaces for that, then that's on them.
Tracking people without their consent is called stalking. You sure you want to defend that?
@codinghorror It *is* a browser in-built function. It has been since 2009. Websites just ignore it because "muh business model". Besides GDPR doesn't mandate cookie banners.
@codinghorror You've got things exactly backwards dude. It's the largely US-based advertisement giants that are pushing those cookie notifications at you, and it WAS a browser feature but the same advertisement giants fucked that up for us
@codinghorror Those horrible popups are just malicious compliance most of the time. What makes it difficult taking EU seriously is the push for Chat Control.
@codinghorror
You chose to put up cookie notifications; they are not mandatory. Just don't track your users, that's all. We do it and we're fine. Stop blaming good legislation for your mistakes.
@codinghorror Look, Jeff, it is difficult to take you seriously when you spread an easily disproven and false claim about cookie banners. You should a) maybe spend a few more minutes researching this and b) if you want to blog about this, correctly blame the RESPONSIBLE parties for reacting to a law by trying to immediately step around it instead of just complying
Won't matter. I can add a plugin, and it clearly expressed my preference. That's enough for a Court to make a ruling.
@faduda @frosch @codinghorror Yeah but they'll try to argue it's no longer a meaningful part of the protocol. Not saying this should be treated as valid, but that's the strategy here and likely why Google pushed to remove it.
@jbaert @dalias @codinghorror 💯 this!
Also here is more about the DNT HTTP header as a refresher: https://en.m.wikipedia.org/wiki/Do_Not_Track
Ad tech started ignoring it altogether when IE10 was shipping with it enabled by default, instead of having to opt in.
@Synchro @leymoo @codinghorror @dalias @lispi314 the fact that most frameworks with a cookie opt-in popup will remember your decision ONLY if you click "accept all", but if you click "reject all" they popup again and again, is clearly indicative of the dark pattern the data collector wishes the user to fall into.
It's likely that they excuse this behavior by saying some variation of "but if the user rejects all cookies then we can't store the fact that they rejected all cookies, and we'll have to ask them again next time" which is bullshit because they're ABSOLUTELY storing OTHER basic information about that user, they just choose not to store this. The only lasting solution to eliminate opt-in popups is to not be tracking user information in the first place.
I love that you don't like it.
Stop tracking people. Problem solved.
Tracking is not necessary. It is immoral.
It is tracking that ruins the internet, not cookie notices.
@codinghorror It’s 100% the EU’s fault. People thinking otherwise are living in a fantasy world. It’s the law of unintended consequences to which it would seem they paid no attention. It irritates me no end that the web is plagued by this crap, and that I watch dev teams waste their valuable time complying with regs no user cares about.
@buherator @codinghorror @jason @Viss @davidkarlas this book has like 80 small-print pages of proof that the GDPR is a reaction (besides the book itself): https://en.wikipedia.org/wiki/The_Age_of_Surveillance_Capitalism?wprov=sfla1
It is a good read that I recommend.
@dalias @pgcd @leymoo @codinghorror
under GDPR, session cookies as normally understood meet the definition of "strictly necessary" and do not require explicit consent
If your session cookie is persistent, it's not a session cookie anymore. Not persisting from one browser session to another is kind of a defining characteristic of a session cookie.
@lackthereof @pgcd @leymoo @codinghorror Maybe we're going by different definitions of "session". It sounds like you think it's a short-lived thing that disappears when you terminate the browser. Which, even if that were the definition, would still mean it... never disappears. Most of us have browser "sessions" 10+ years old. Mobile doesn't even have a sense of terminating the browser.
The definition I'm going by is an identifier, regardless of lifetime, that establishes distinct HTTP requests as originating from the same browser. There is no "strictly necessary" reason to do this unless the purpose of the site is maintaining a stateful interaction with the user. If the visitor is just reading your site, there is no legitimate business interest in knowing whether the load of page A and the load of page B came from the same person.
@p oh no, that's actually brutally honest. It means: 'your privacy has a measurable value to us, and there is a market where we can sell it' @dalias @codinghorror
@dalias @codinghorror DNT failed because Microsoft turned it on by default instead of making it a real user choice.
@fabrice @codinghorror As soon as the option exists, the only legitimate default value is "no, do not track". A browser that makes the default "yes, track me" has now made the browser vendor the guilty party violating user consent.
@dalias @pgcd @leymoo @codinghorror
I mean, it is not persisted to disk on the client. It only lives in memory for the duration of the browser process.
This is the RFC-defined default behavior if you do not override it by explicitly setting one of the "max-age" or "expires" attributes on cookie creation.
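The session-versus-persistent distinction discussed in this exchange, as an added example that is not part of any post in the thread: it classifies a `Set-Cookie` value by the RFC 6265 rules (no `Max-Age` or `Expires` means a session cookie, `Max-Age` wins over `Expires`). The sample headers are constructed, and the date handling uses Python's e-mail date parser as a simplification of the RFC's cookie-date algorithm.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def cookie_lifetime(set_cookie, now):
    """Classify one Set-Cookie header value following RFC 6265 section 5.3.

    Returns (name, kind, expiry): kind is "session", "persistent" or
    "deleted"; expiry is an aware UTC datetime, or None for session cookies.
    """
    pieces = set_cookie.split(";")
    name = pieces[0].split("=", 1)[0].strip()
    max_age = None
    expires = None
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "max-age":
            # A non-numeric Max-Age is ignored, not treated as zero.
            if re.fullmatch(r"-?[0-9]+", value):
                max_age = int(value)  # last valid occurrence wins
        elif key == "expires":
            try:
                parsed = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                continue  # unparseable date: the attribute is ignored
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            expires = parsed.astimezone(timezone.utc)

    if max_age is not None:
        # Max-Age takes precedence over Expires; zero or negative means
        # "expire immediately", which is how servers delete a cookie.
        expiry = now if max_age <= 0 else now + timedelta(seconds=max_age)
    elif expires is not None:
        expiry = expires
    else:
        # Neither attribute: the cookie lasts until "the current session is
        # over", and the user agent decides what that means.
        return name, "session", None
    kind = "persistent" if expiry > now else "deleted"
    return name, kind, expiry


# Constructed sample headers, not taken from any real site.
SAMPLES = [
    "sid=abc123; Path=/; HttpOnly; Secure",
    "sid=abc123; Max-Age=31536000; Path=/",
    "sid=abc123; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Max-Age=3600",
    "sid=; Max-Age=0; Path=/",
]

if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for header in SAMPLES:
        print(cookie_lifetime(header, fixed_now), "<-", header)
```

A server that re-sends the second sample on every response keeps pushing the expiry forward, so the identifier never lapses while the visitor keeps returning.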
@lackthereof @pgcd @leymoo @codinghorror "Duration of browser process" is not even well defined on mobile. It's async-killed and transparently restarted under system controlled conditions, and to the user (and handling of cookie lifetimes) it's as if it's never closed.
But regardless, sites don't even use nominally transient session cookies. They use long lived ones and constantly refresh them.
I'm sorry but you're still talking about what you do with it. No framework I ever used forced me to track your shopping cart or sell your activity.
@pgcd @lackthereof @leymoo @codinghorror They set a session cookie on first access that's subsequently sent back to the server on each access.
@codinghorror Yeah, it's not part of the GDPR, it's an effect of surveillance capitalism. Go to https://ccc.de there are no cookie banners. 🤷♂️
@leymoo @codinghorror @dalias @pgcd true, but remember that PII is a US concept that doesn’t exist in EU law; any mention of it is usually a red flag. It’s “personal data”, and the definition is quite different.
Correct, I took a shortcut that may be misleading but the point stands: session cookies *in themselves* are perfectly fine, the same way getting your IP is perfectly fine.
It's what you do with them, where things become more complicated - storing, sharing etc.
@pgcd @Synchro @codinghorror @dalias I think it was jumped on because one of the reasons for poor enforcement of GDPR in teams I’ve worked with is the lack of understanding of the definitions of personal data vs PII, so people are keen to stamp it out. But yeah, in agreement on the main point 😊
@leymoo @pgcd @codinghorror @dalias An example I've used in conf talks about this is that the colour red by itself is neither PII nor personal data. But if it's stored as your favourite colour, it *is* personal data, though it's still not PII.
It's very hard to define PII well – it ends up in star-bellied sneetch territory
@Synchro @leymoo @pgcd @codinghorror Also: personal data at scale inherently becomes identifying.
@codinghorror > it is difficult to take you seriously when you forced all this cookie notification bullshit on us.
There is nothing in the law that says you have to add a cookie wall for most websites - and the law says that in the cases where the sites must get your consent, that the cookie wall is not sufficient.
It is literally useless, other than making *YOU SPECIFICALLY* and people like you blame the EU for companies' evil behavior.
@codinghorror
Do you *really* think this? 🤦♀️
May I recommend you to dig into what protecting privacy means, and what it has to do with the alleged prescription of cookie banners.
@dalias @codinghorror that’s all very nice in theory, but it was always going to end up with what we have, due to the way this regulation was brought in. With having to incessantly click Accept on every single website out there. Only a small fraction of people care to do anything else. Thus reducing the experience for almost everyone and annoying millions every day. The cookies are not just used for ads, but every analytics tool out there. Key to running sites.
@Setok @dalias @codinghorror Not if you do analytics based on your own web server logs. You only need consent if you use a data guzzling third party analytics tool.
@dalias @codinghorror the correct way to do this would’ve been to enforce a DNT standard, working with W3C and browser makers. The manner with which this was brought in meant continuous work for everyone.
@mkoek @Setok @dalias @codinghorror that is in fact not how all EU jurisdictions interpret it and while some have taken lax views, there's no special exemption in the EU law for tracking your users if you do it first party.
@ikuturso @mkoek @Setok @codinghorror Indeed, retention and processing are subject to regulation.
@codinghorror this is... dramatically wrong in a great many ways
@dalias @codinghorror No, the correct behavior is to not send the header at all by default, and make sure the user makes an informed choice.
@fabrice @codinghorror Um, no. Unless the meaning defined by the protocol for requests lacking the header is to interpret it as "no consent to track", as an implementor once you know about the header, the choice to omit the header is equivalent to the choice to request tracking on the user's behalf without their consent.
@dalias @codinghorror You realize all clients won't support it, right? So the server side, anyways, has to deal with 3 states: no header, DNT=yes, DNT=no. The server side is still free to decide what to do when no header is sent. But anyway, DNT is dead...
@fabrice @codinghorror Yes I realize that. No, in any workable ethical and legal regime, the server side is not "free to decide what to do when no header is sent". But if server side is potentially (illegally) treating lack of information as consent, a client that operates in the user's interests cannot omit the header by default.
@fabrice @codinghorror In any case, yes, DNT is essentially dead due to lack of political will to enforce it and sites abusing it as an extra bit of fingerprinting data in the absence of any consequences for doing that.
But it's still meaningful to consider what ethical and legal obligations we should expect in any future protocol that aims to automate this.
@codinghorror Soon you'll be able to set consent on the browser end: https://doc.searls.com/myterms/ It just takes IEEE even longer than the EU sometimes. Hope it doesn't end up being binned like Do Not Track was. If only self-regulation worked.
@codinghorror the EU didn't force any cookie notification shit on anyone. It just said that you couldn't share personally identifying information about people without their permission.
It's EASY to run a website without sharing personally identifying information. All those websites with cookies popups? They're spying on you.
@codinghorror just don’t have tracking cookies and there will be no banner
@codinghorror @davey_cakes Sorry, but that's just plain wrong. If the industry had just obeyed Do Not Track, you would not have to ask the users explicitly. This is an entirely home-made problem. And by home-made I mean by the content industry, aka You. Actually, browser still supports DNT. If you respect that, you will never have to ask.
(And no, saying that "this is a drug" does not in fact exonerate you. It just makes you a drug dealer.)
@codinghorror @dalias no, it's not required. None of the EU companies I've been at needed cookie banners, and neither do you.
There's one simple trick: just don't track users. It's even possible to run ads without tracking. Print media has done so for decades!
@mkoek @dalias @codinghorror tell that to the thousands of startups desperately trying to balance with a billion other things they're trying to do. That's just not a practical suggestion when the third party analytics are much faster to set up, better understood, and generally superior to some self-hosted thing cobbled together.
As mentioned, the reality we are in today with cookie popups everywhere was 100% predictable and the regulation was thus poorly considered.
@Setok @dalias @codinghorror I would not advise startups to behave unethically because it’s easier, no. In fact, shouldn’t it be an eye opener that a law that requires people to do the right thing (don’t track people without consent) is viewed as wrong simply because it takes a tiny bite out of the ability to move fast and break things?
@mkoek @dalias @codinghorror frankly, yes. The law hasn’t changed anything of substance. Companies still use the same analytics tools. But now users are constantly nagged at, and companies have increased costs and slower go to market times as they need to faff with these things.
Perfect example of regulation that is completely misguided, and is a nuisance to almost everyone, bar a few people on Mastodon. Wrong approach.
@Setok @dalias @codinghorror it hasn’t changed anything because it’s not enforced (well almost)
@mkoek @Setok @dalias it hasn’t changed anything because it does not address root causes. Users want everything for free, forever, and content creators want to make money to feed themselves and their families. Until we resolve THAT, we will be stuck in endless combat between these two opposing forces. And the money is going to find a way to inevitably win because it has to. You have to make a living somehow. Free everything is great and all but it is never ever ever gonna be “free.”
@dennmans if that ever becomes effective in any meaningful way, I'll eat my hat.
@codinghorror @lackthereof @pgcd @leymoo The answer is don't try to make things as a business that can't be profitable without violating people's privacy. It's that simple. There's no right to your business model working.
@codinghorror @justjanne No, but if you want to run a publication funded by ads, you do it exactly the same way it worked in the print model. Advertisers don't get to spy on your readers. You vet their ads to make sure they're not scams or things that would hurt your reputation, and they pay you based on your reputation and belief that their ad will reach an audience that will benefit their business. No auctions. No brokers. No third-party embeds. No malware. Just static ad text and images vetted by the publisher's advertising department.
@codinghorror @dalias @lackthereof @pgcd I take back my earlier statement about you not deserving a pile on.
And.. users are ok to pay if it’s valuable to them. Whether it’s pay per user, donation based or government or charity funded. If they’re not willing to pay and they have the means to pay… it’s not a viable product.
@leymoo @lackthereof @pgcd Looked like the pile-on provoked him to drop the mask and say what he really believes:
That surveillance capitalists have a right to their business model.
@codinghorror @justjanne The word belief was fairly inconsequential and not a distinguishing characteristic of the model I proposed. Right now, advertisers are believing all the lies of the adtech cult, like that personalized ads work. I don't see why you're grasping at it. You could strike the words "and belief" out of the post you replied to and it would mean the same thing.
@codinghorror you might wish to read up on what exactly the EU demands; cookie notifications aren’t it. They never were.
@dalias @lackthereof @pgcd well they are welcome to operate in jurisdictions that permit that. That does however eliminate the EU, India, S Korea, Japan and at least California.
@AugierLe42e @codinghorror GDPR just makes it more obvious and more obnoxious.
@codinghorror @Setok @dalias I am actually fine with Facebook charging €6 (iirc) for a privacy-friendly account. Also fine with the new kind of cookie banners on some newspaper websites that say up front that either they track you, or you pay for access. Just be honest about it. It’s the sneaky profile building that I totally agree with being illegal.
@AugierLe42e @codinghorror The one problem there is that it doesn't even do that. Cookie banners are just a smear campaign; they are not sufficient under gdpr.
@codinghorror @mkoek @Setok Really telling what kind of person would blame the pigs and not the farmer...
@codinghorror @mkoek @Setok @dalias
As society, we've decided that some business models shouldn't exist.
You could make the same argument about root causes and money trying to find a way about many other business models society has deemed unwanted.
Of course it's a game of whack-a-mole, but that's true whether the business model is ad telemetry (aka surveillance capitalism), fake gucci bags or cooking meth.
Luckily, the tide is slowly and surely turning against telemetry driven content.
@codinghorror @mkoek @Setok When the behavior of some humans is actively hostile towards others I care about, I absolutely am going to work against that behavior, and encourage others to do so too.
Not doing that is how we got where we are. Letting bad people keep pushing norms and boundaries to do harmful things they wanted to make money doing.
@codinghorror @mkoek @Setok There's nothing wrong with that, except calling it a "bloodlust" rather than a virtue.
We have the physical/technological capacity to give them that.
The only thing we lack is the political will to stop the people who want to hoard it.
@codinghorror @mkoek @Setok There are more people than we need to invent, write, perform, sing, etc. orders of magnitude more than anyone needs, who would do so for no compensation, as long as our physical needs were met and we were not coerced into using our skills to enrich evil people for the sake of taking home a tiny portion of that to pay the people who demand we pay them or be treated as criminals.
@codinghorror @mkoek @Setok I don't care if you disagree with that.
I do care about the adtech cartel you're carrying water for and the harm it does to people I love.
@dalias @mkoek @Setok I'm carrying water for the users. We cannot understand each other. We are completely incompatible people. And that's OK. You go your way. I go mine. https://blog.codinghorror.com/i-fight-for-the-users/
@codinghorror @davey_cakes "I am only selling drugs because there are customers who want them; if I wouldn't do this, someone else would." And then you attack those who want to protect the public from your drug's side effects by blaming them for something your drugs do?
Ick.
@codinghorror @davey_cakes No, Jeff. You yourself said that people want "everything free", so the drug is not the information itself, but that it seems free (while it isn't).
You can easily solve this. I spent money on numerous apps for my phone which gave me the choice to either pay with money or with personal data. I picked money, other users didn't. But at least they were able to make an informed choice.
And the information necessary to do this is what you attacked.
@codinghorror @mkoek @Setok @dalias money doesn't have to win, post scarcity is achievable but we have to shed the moral requirement that people must “work” to be allowed an existence of comfort
@codemonkey_uk @mkoek @Setok @dalias yes. this gets into GMI/UBI pretty quickly, and I agree, but one problem at a time ;)
@justjanne @mkoek @Setok @dalias I tend to agree with "let's be open and honest with each other about what we are exchanging for this 'free' service and get on with it"
@codinghorror @mkoek @Setok @dalias
“Information wants to be free; information [also] wants to be expensive.” -- Stewart Brand
https://craphound.com/gbbt/Cory_Doctorow_-_The_Great_Big_Beautiful_Tomorrow.xhtml
@lproven @codinghorror @mkoek @Setok @dalias
Even being the "card-carrying Libertarian" that I am, I have long said that the most fundamental errors of Libertarian philosophy are to assume that
(1) reliable information is free
[It is not. It is expensive and difficult to obtain. There's no "want" about that; it's just reality.]
and
(2) people are rational.
[Like, do I really need to explain this? Especially in the context of current politics? 🙄 ]
@JeffGrigg @lproven @mkoek @Setok @dalias I agree very strongly with both of these points, there is nuance here for sure, but these two points get to the heart of the matter. 💛
p.s. I am NOT and HAVE NEVER BEEN a libertarian, for the record, because..
@JeffGrigg @lproven@vivaldi.net @codinghorror @mkoek @Setok @dalias Honestly, fully realising the consequences of 1 and 2 are one of the reasons I'm no longer a Libertarian - because the best way to address 1 and to a lesser extent 2 is through shared resources (public library, weather service, schools, etc) as infrastructure that we all pay for.
Suddenly having some kind of shared social obligation actually starts making sense.
@StryderNotavi @JeffGrigg @mkoek @Setok @dalias 👏 now teach the rest of them!
@codinghorror @StryderNotavi @JeffGrigg @mkoek @Setok @dalias but being a libertarian has been bastardized into stupidity. Libertarians formed an entire state, Utah.
The Mormon community is a libertarian success story. Libertarianism isn’t about individualism as it’s made to sound today.
Political concepts mean nothing without consequences and conviction, doesn’t matter your beliefs.
Much like most other forms of politics and religion, most don’t fully understand outside their small world view.
Call it whatever, it’s still just theory but if people need a good working version of actual libertarianism start with closed communities like Mormons, Amish, Huttlers, and the actual theory is solid.
Just like small successful communities of socialists, communists, Catholics, Buddhist, etc…
I am not advocating for that, just pointing out that libertarianism is not the picture of tin foil Tim grumbling about taxes and more like closed communities we live amongst.
@codinghorror @mkoek @Setok @dalias
"Users want everything for free, forever, and content creators want to make money to feed themselves and their families"
Wait a minute. Who are the users and who are the content creators on Stack Overflow? All the content creators were users. The ones who decided to monetise that site were a third category, site owners. Their desire for income was legitimate, but don't pretend it was the downtrodden content creators crying for money for their children.
@codinghorror @dalias @lackthereof @pgcd @leymoo
That's what advertising is for. Is it no longer possible to do advertising without surveillance?
Reverting to advertisements based on the content of a page, rather than who is viewing it, would also make it easier to break Google's stranglehold on the web.
And maybe it's time to stop promising everything can be free forever. That's the first lie that enshittification is built on.
@codinghorror Well stop tormenting ppl then?
@nlupo
dunno, imho that's overstating it. People pay for pretty much everything, either directly, or indirectly via taxes. And many of the things that are now supposed to be "free" used to be paid for (newspapers, magazines etc.) without even thinking about it.
rather than a deep homo sapiens malfunction, the issue is more of a silly mix of adtech conditioning (here, free email for your data) and publishers not getting their act together for the digital age.
@dennmans @codinghorror DNT and GPC: https://en.m.wikipedia.org/wiki/Global_Privacy_Control
What makes you think "third time's the charm"?
We either abolish ad-tech (and actually enforce it!) or we find technological guarantees of some kind.
Saying "please" will not be enough, we have seen it time and again that this particular line of business can not be trusted to follow specs or even the law. #AdTech
@claudius @codinghorror to be honest, I think the third time still won't be the charm.
But we need the commons to be much more competitive with big tech before we can ban internet advertising.
@codinghorror the EU didn't force cookie consent pop-ups, it forced consent pop-ups *if the cookies are used for third party surveillance*.
The obnoxious behaviour isn't the pop-up it's the surveillance. The pop-up just makes the obnoxious behaviour visible. If website owners don't want to be seen to be obnoxious, they used to be able to choose to hide what they were up to, now they must choose not to be obnoxious.
That's a good thing.
@dragonfrog The bad thing is that, as the initial post by @codinghorror shows, now everybody thinks that somehow it's the EU's fault. The Advertising industry seems to have successfully turned tables around and somehow, in the public mind, it's not *them* who is obnoxious but it's the EU law that is.
@codinghorror @dalias Oh ffs, this isn't true and you should know better than perpetuating that lie.
I host multiple websites. None with cookie banners. This works even for news, e.g. @gamingonlinux -- and Liam isn't even hosting in the EU but AUS. But he, correctly, thinks that just not needing a cookie banner is exactly the right thing to do.
@ljrk @codinghorror @dalias the only banner we have is the google adsense built-in approval banner, but lots of people entirely block it anyway
@ljrk @codinghorror @dalias but I do also agree that it should have been mandated to browser companies, so users get one dedicated spot for it, not left up to companies to do however they wish and attempt to skirt the rulings
@codinghorror Jeff, I think you should take some time to actually read up on this stuff, because this is an embarrassingly wrong take.
The EU mandated informed consent for tracking and marketing cookies. You're linking to a post about *login* cookies, which are completely irrelevant and would not be covered.
@codinghorror @dalias My main website is GDPR compliant and has no cookie banner. Instead, *if* I set a cookie that can be made to track someone, I ask *when* I set the cookie (ie when you log in).
Setting a cookie that doesn’t track a visitor does not require consent.
@justjanne @codinghorror @mkoek @dalias the business model hasn’t been made illegal. It’s just been made to exist through endless popups that users click blindly. It’s a nuisance nag for the vast majority of people, only causing extra effort (and costs) for everyone. Exactly the kind of regulation we should never have. Hell, there are even plugins that click Accept for you.
@Setok @justjanne @codinghorror @mkoek The popups are illegal. They are not a legitimate means of obtaining consent. They're purely an attempt at malicious compliance to get fools to oppose regulation for them.
@justjanne @codinghorror @mkoek @dalias kind of reminds me of the recent mandatory driver ‘assist’ features in cars. Another piece of idiotic regulation that serves as nagware that everyone hates and just adds costs. But that’s a whole new debate :)
@Setok @codinghorror @mkoek @dalias None of those dialogs are legal.
Recent court decisions have forced even Google and Meta to add "reject all" buttons that are just as easy to click as "accept all". Some court decisions have found that if the Do Not Track header is set, the dialog should just automatically reject all.
Nag dialogs as you've described them are illegal. They only exist because crime is more profitable than doing things legally (e.g., Uber).
@justjanne @codinghorror @mkoek @dalias if that were the case, they wouldn’t exist at all. You haven’t outlined how those dialogs are illegal.
@Setok @codinghorror @mkoek @dalias I don't have to, because the courts have already done that https://www.heise.de/en/news/Administrative-court-Cookie-banner-must-contain-Reject-all-button-10390520.html
The reason illegal banners, such as the one on StackOverflow, continue existing is because the data protection office has to build a case before going to court, which takes time, especially with how many websites continue to violate the law.
@codinghorror @dalias The reaction you're having is *exactly* what ad tech companies hope for.
Their malicious "compliance" is not required by the GDPR, but that's how they've chosen to strike back at users for daring to use legislation to try to protect their data.
@jzb @codinghorror It's not only not required, it's not permitted. After we've already told them we don't consent (via http header etc) they nag us with "are you sure you don't consent? Solve this puzzle to prove you don't and that you care enough to solve a puzzle or we're going to assume you really do consent anyway". This is very illegal.
@jzb @codinghorror Moreover the form Stack Overflow does, embedding a third party service to get tracking consent, is outright illegal because they've provided tracking data to a third party (the one doing the opt-out tracking) before they have consent to do so.
@codinghorror I have to agree with @dalias here. The law is not about cookies or cookie banners. The law is about tracking and handling personal data. You are even generally allowed to handle personal data if:
1. it is technically or legally necessary for your service
2. you _only_ use that data for the intended purpose
3. you delete it if you do not need it anymore.
For other things, you need consent. The banners are to get your consent to share your data with 90+ different third parties.
@erinaceus @codinghorror @dalias So then Jeff is right - there is a legal requirement for them to put up the banner to do what they want to do.
We can argue about whether they should do it, but the companies are doing it due to a legal requirement. Sounds like the EU needs to come up with a different solution then.
@apple4ever @erinaceus @codinghorror No, there is a requirement for them to obtain consent to do what they want to do. They can do this by burying the method to give consent in a settings page you have to navigate to if you want to give them consent to track you. This does not require any banner/popup.
However they want to falsify a claim that you consented by bombarding you with an annoying and confusing prompt when you first open the site, and hope you won't read closely and figure out what it means and how to say no.
@justjanne @codinghorror @dalias So if they want to collect data, then they need to do the banner to get consent. right? Sounds like it is a legal requirement to do what they want. We can argue whether they should, but the solution is the EU fixing the law/regulation.
@apple4ever @justjanne @codinghorror No, they need to actually obtain consent. The misleading nag banner does not do that. It's a pathetic attempt by the adtech industry to cover their asses while doing something illegal.
Stop F'in simping for the adtech industry and go actually read about the topic. The EU does not have an enforcement arm. Member nations are responsible for enforcement, and enforcement requires building cases and litigating them. This takes time and resources.
"Bringing criminals to justice is hard" is not an excuse for "make crime legal".
@varx yeah, the post is an old reference, so not ideal.
What if I told you that site owners could just show a Yes/No popup instead of sending visitors down a rat maze to subdue them into data collection?
This is 100% malicious compliance and if you can't see it, you're not looking closely enough in this matter.
Signed, someone whose sites don't have popups cus I'm not invested in collecting user data.
@davey_cakes @codinghorror @dalias Then maybe the EU needs to up their law/regulations to solve the actual problem instead of letting the companies do this.
@apple4ever @codinghorror @dalias if site owners want to cut off their nose to spite their face with these things, that's up to them and not for the EU to fix
@codinghorror The Do-Not-Track header exists. One proposal to implement tracking consent was to make it legally binding to honor that header. Big Tech, and Ad Tech lobbied against it (and all other sensible/effective alternatives), and won. The cookie banner bullshit is the direct consequence of predatory data brokers whining their whole industry would cease to exist (as it should).
@schrotthaufen well, we haven't gotten rid of liquor stores, bail bond stores, or pawn shops either. Or casinos. I can go on, if you like.
@mhoye @codinghorror That's not true. Most companies, and even a lot of governments, add the four legally specified types in order to be unambiguously compliant with the law even when they don't have Marketing cookies.
@codinghorror I think it's very strange that you're complaining about the law that made it so that companies can't just secretly track you and sell all that information to everyone indiscriminately.