"""
When a user visited the page google.fr, an information banner displayed at the bottom of the page, with the following note “Privacy reminder from Google”, in front of which were two buttons: “Remind me later” and “Access now”.
This banner did not provide the user with any information regarding cookies that had however already been placed on his or her computer when arriving on the site. The information was also not provided when he or she clicked on the button “Access now”.
"""
Wow. I thought those reminders were about some updated policy, I didn't realise they were supposed to ask for consent.
Could someone try standing with a sign saying "A reminder from me" in the google offices reception for 2 minutes and then walk out with whatever wasn't bolted down to see if they themselves consider that an adequate way to ask for consent?
> Could someone try standing with a sign saying "A reminder from me" in the google offices reception for 2 minutes and then walk out with whatever wasn't bolted down to see if they themselves consider that an adequate way to ask for consent?
That would be hilarious. But I think they know what they are doing (i.e. using dark patterns).
I've seen this banner, knew it was related to the RGPD but haven't figured out how to opt out and to not accept.
> haven't figured out how to opt out and to not accept
There doesn't seem to be an easy way. A lot of their proposed opt-outs rely on either disabling cookies browser-wide, installing an extension or creating/signing into an account and customizing your advertising preferences there (which means providing them even more info as part of the account creation and relying on their good faith to actually opt you out).
To the best of my knowledge none of these things are compliant with the GDPR:
* consent must be granular, so browser-wide cookie-blocking doesn't comply because disabling cookies entirely means you lose functionality (the GDPR mandates that you can opt-out of non-essential tracking but retain all other functionality)
* mandating that people register for an account might run afoul of the "data minimization" principle (among others), meaning that you must collect the minimum amount of data to fulfil the required purpose; asking people to register/sign into an account (thus providing even more information) just to opt-out of non-essential tracking seems non-compliant
* consent must be opt-in (seems like cookies were placed before the user explicitly agreed to it)
* it must be as easy to opt-out as it is to opt-in, yet in Google's case the opt-in is one-click away (though it doesn't matter since apparently they set cookies even before the user clicks that) but opt-out is way more involved (and relies on reconfiguring the browser)
"trackingEnabled: 0" does not require consent and lets you acknowledge
"consentId: abc134" then looking that up in or even "consentDenied: exact timestamp" could be used to identify a user so would require consent. I suspect lots of companies want to use the second so they can choose to bug you for [more] consent at a later date, or choose to interpret the first as not allowed in case bugging the user again enough times does get consent.
I've worked hard to block the HTML div with ublock origin, but recently it's messing with the html, adding overflow:hidden at weird places. I've added a rule to fix it but it's not a silver bullet.
Youtube videos must be restarted because the consent thing pauses the video or asks to sign in.
I'm wondering if I've been noticed by Google's ad engineers because they must have developed tools related to this rgpd thing.
On Facebook it's even worse.
To be honest it's a fun game of cat and mouse and I'm so happy to have Firefox, containers, strict mode, etc.
Google is fined 100 million because tracking cookies are saved on the device before opting-in AND after opting-out, and because the cookie modal isn't clear enough. [1]
Amazon is fined 35 million for similar reasons, but the amount is lower because they acknowledged and fixed the issues in September 2020. [2]
Typical Google. Let us not even get started with the impossibility of loading Google in private mode without needing to agree to everything. Rejecting all is a dance that takes more time and mental resources than the amount I want to spend for the few times I want to turn on private mode and search something. My colleagues have also declared defeat and just accept everything. Hope the fine bites.
And after Google, everyone else. I am so annoyed by sites making it a real struggle rejecting cookies. Most of the time, I just don't use those anymore. Not sure if that helps, so.
1) To get people to quickly simply accept all cookies because time is money and it's too complex.
2) To scare them away. If you don't wanna be the product, at least save us money.
3) To make them waste their time (= money) on their privacy.
Boss won't like #3, neither does the wife. So it's like #1. Sure, whatever. Or, those who stick to their principle and can restrain their curiosity or need for information go for #2.
The advertising industry (I almost wrote undustry, go figure) is so rotten, that I will gladly just shell out some money to buy something of quality instead. I just gotta be sure it isn't money wasted, i.e. that I (or whoever I buy it for) will use it. With advertising services which are free, the real product is also the demo, but their model is to get you hooked.
If they don't comply within three months, they start getting another copy of this fine every day until they do.
Which is to say, the punitive fines are not enough for them to not play games with the rules... but once they're caught they do have to fall in.
This demonstrates the need for constant enforcement diligence by regulators: These companies can and will continue to flagrantly disregard the law unless regularly checked.
Everybody is so focused on 'cookies' as if the technology itself was regulated. The web developers (or marketing agencies or whatever) are also slow to learn what proper data protection means, and slap popups and banners on everything, making the web disgusting and regulations seem misguided.
A session cookie, especially after a login, may not require consent at all. Describe in your policy what personal data, if any, is tied to the session, and what you do with it. Most places collect and process only what is necessary to deliver a service and fulfill a contract. Let users read this policy and possibly contact you to make changes to their data.
Of course, this is not what happened here with Google and Amazon. In the meantime it is so unfortunate to see cookies becoming "illegal" taboo.
What about a session cookie that is used for more than just authentication like for example tying browsing sessions on different devices by the same user together?
If it's only to provide the stated purpose of the site (think those "scan a QR code and approve this login on your other device" setups), it likely falls under the legitimate interest exception. If it's to provide cross device tracking for better advertising, then you need consent.
Lawyers are unlikely to take kindly to arguments of the "Well technically the advertisments are an integral part of the site", that will surely be raised in response to this. This is why the law is not code and gets interpreted by judges.
The issue should not be phrased as "breaching cookie rules", as murdering someone with an automatic weapon is also not discussed as a "violation of human tissue guidelines".
What I find ironic is Google actually goes to extreme lengths to protect your data. Compare that to all the third-party trackers loaded by random-etailer.com.
> The CNIL rejected the companies’ arguments that it had no right to impose the sanctions because their respective European headquarters are in Ireland and Luxembourg
So they are fine with taking French money, but want to be above their laws?
This is actually a really important part of the issue.
One of the things that stops GDPR from being a total clusterfuck is the so-called "one-stop shop mechanism." Each country has its own regulator, so GDPR is enforced by 27 different government agencies. BUT, anyone only ever has to deal with one. For EU residents, the regulator of the country where they reside. For businesses, the regulator of the country of their primary establishment. Regulators are supposed to cooperate in such a way that a company has a single, local point of contact.
(Related: If US companies push for federal privacy regulation, it's because they would rather have 1 law to follow rather than 50 different ones.)
Almost all US companies establish their EU subsidiaries in Ireland for tax reasons. As a result, the Irish regulator is basically in charge of GDPR enforcement against US companies. This is... not ideal. Ireland has a conflict of interest, because of the tax stuff.
(I'm not an expert on this. My understanding is that the Irish regulator seems to be operating in good faith, but is under-funded, and is going up against the legal defense teams of Google, Facebook, Amazon, etc., simultaneously, all on its lonesome.)
Several of the larger and more privacy-focused countries, like Germany and France, have been openly critical of Ireland's slow enforcement of US tech giants. In the past, CNIL (France) has said that Google's establishment in Ireland is a legal fiction rather than a legitimate business establishment. But if this gets appealed to an EU court, this is going to be a huge point of contention.
(Possibly the only point of contention, because I don't see any way that Google's actions are in compliance with GDPR/ePrivacy Directive.)
> The GDPR does however provide for a potentially significant derogation to the 'one-stop-shop' approach. Specifically, any DPA (irrespective of whether or not they are the lead DPA) is given competency to deal with any complaint lodged against it, or deal with any breaches of the GDPR, if the case relates only to an establishment in its Member State (even if that establishment is not the 'main establishment' of the controller or processor) or substantially affects data subjects in that Member State7. In such cases, the local DPA is required to inform the lead DPA without delay and the lead DPA will have three weeks to decide whether or not the case should be dealt with via the co-operation procedure (discussed below)8.
The reason France could act on its own is that ePrivacy is not subject to the one-stop shop mechanism. Each country can choose to act independently. They are not saying that Ireland is not relevant for GDPR-related issues.
This is the whole point of having your headquarters in those countries: make money in country X but be taxed according to country Y laws. Why would they not want to be under country Y laws for things other than taxes?
I can't help but feel that fines by countries of big corps is just so routine that it's probably part of the budget. Sure we see fines, but what happens to the money from the fines! Do they go to the users impacted - nope. Do changes happen as a result - slowly if at all. It's all kinda like some form of taxation upon the user/people as we all know any large fine upon a corporation - who ends up paying for it...the users/people..again.
> that fines by countries of big corps is just so routine
You get a fine contingent on not following the law, so... just follow the law? Fines need to be big for big corporations if they are to pose a risk worth avoiding.
> Do they go to the users impacted - nope.
As with any fine, it goes to government, which means that the same expenditure requires less taxes. So it gets shared among all the French population. Which is a good proxy for “users impacted by google cookies in France”.
> Do changes happen as a result - slowly if at all.
So if 2 companies are fined for not complying with a law, the problem is that the law is overly punishing / fining does not work? It would seem the other way, that the fine risk was not big enough!
> who ends up paying for it...the users/people..again.
Which are also the ones that receive the money, through their government.
Right, I feel this is just a new source of income for governments. They seem to be too keen on handing out fines in those areas where it's simple to do so, but fail to act in other areas where the consumer is constantly being hurt e.g. right to repair, warranty laws, right to return digital products.
> fail to act in other areas where the consumer is constantly being hurt e.g. right to repair, warranty laws, right to return digital products.
This is the EU we’re talking about. It’s a bit weak on right to repair at the moment. But on warranties and digital product returns, we have some pretty strong and effective protections.
That’s not true, you don’t have the right to return digital products at the moment (discs, software, video games etc). For warranties, there are a lot of problems consumers face that don’t get talked about, but I won’t get into detail here.
That's how it works and it works well: let's be fair, the law is not always 100% clear. Some companies try to find the line, have the budget for it, and find it when they get slapped. The goal is not to kill the infringing company, it is to force them to adapt their business models.
In France, as we see here in the difference in fines between Amazon and Google, the fines are not a flat rate: repeated offenses lead to harsher sentences.
Normally, they should be allowed to rectify the problems without getting a fine. But if you do that you don’t get the free money. It looks like the tech companies are just being treated as cash cows by governments.
It literally is. Check out Google’s quarterly earnings reports, they have a line item for “European Commission fines” under “Accrued expenses and other current liabilities”.
I've never managed to find the place where to refuse consent on Google's sites. Some try to make it particularly difficult, but Google is outright malevolent when it comes to this. Fortunately, that only happens when I'm on a machine that's not mine or on a browser I use specifically for bad actors.
On my main machine uMatrix does all the heavy lifting of shutting the tracking down.
To a non computer, non regulation person, this is a hilarious headline. A dog in France is apparently fining a number and a rainforest for presumably stealing some cookies.
On one hand, the data harvesting targeted by cookie laws and associated privacy stuff is important and legislators/regulators are right to target it.
OTOH, effectiveness is pretty marginal. There have been some (minor) gains on disclosure. Somewhat better progress on data selling/sharing/security. But, no real gains on consent, which is a big part of the regulatory effort and this specific case. Between dark patterns, take-it-or-leave-it propositions and predatory defaults... I don't think most people have a more consenting relationship with amazon or google than before.
Regulators (also prosecutors, often) tend to focus enforceability on easy to prosecute, legible stuff. "Must contain small print" rules. This is how we end up with such meticulous small print norms for advertising pharmaceuticals, financial products and other regulated industries.
Fines themselves do not deter profitability monsters like this and the "fix" is going to be an update to the popup, small print, naming of buttons and other things that don't really matter much outside of a legalistic perspective.
I'm all for the goals of these efforts. Consent. Privacy. Non-abusive relationships with companies generally. That said, I'm worried that most of the regulatory enforcement efforts are focused on technicalities without reference to real world achievements.
> OTOH, effectiveness is pretty marginal. There have been some (minor) gains on disclosure. Somewhat better progress on data selling/sharing/security. But, no real gains on consent, which is a big part of the regulatory effort and this specific case.
From experience, a lot of folks were waiting to see what Google/Amazon/FB/etc were doing and using them as examples of what to do. These fines should help apply some downward pressure now that the regulator has explicitly called out this illegal behaviour.
I agree, and it's a good point about the industry using Google/Amazon/FB/etc as a template. I hadn't considered that in this context.
My greater reason for "scoring" progress on consent as "no real gains" is less about "compliance" and more about the goals of this compliance. What does consent mean to a non-lawyer and do we want legislators/regulators to pursue it in the first place?
The model of consent being litigated here doesn't, imo, lead to noticeably more choice or dominion vis a vis companies. It just leads to technicalities about how popups need to be designed. Form rather than substance.
I think the reason these laws have been more effective on disclosure is that the legible, lawyerly definition of disclosure is the same as the common sense one. Consent... not so much. The actual point is not whether or not a document was correctly initialed on page 6.
> no real gains on consent, which is a big part of the regulatory effort and this specific case
Consent is regulated under the GDPR and the majority of consent banners/popups you see today are not compliant. For example, the regulation explicitly mandates that pre-ticked checkboxes are not compliant and that it must be as easy to accept as to decline.
According to the article, this fine is for a breach of the ePrivacy rules (which is the earlier - and somewhat stupid - "cookie law") which exclusively cares about cookies as opposed to the broader goal of the GDPR. On the plus side, enforcement of ePrivacy might suggest that we'll see enforcement of the GDPR too, and that's great news.
Ultimately compliance is defined by precedent, and by example. Both are being established here, in this case. So, good point about the actual act they're being charged under.
Either way though, the concept of consent is similar in the GDPR. It is notable that GDPR makes more effort to define consent better, and implicitly deals with the fact that choice and such are important.
How that translates into enforcement/compliance... I guess we'll see. I think we both agree that none of these recent legislative changes (also in the US and elsewhere) have given us much improvement on consent, so far. You just might be more optimistic than me on prospects.
I think the problem is a hard one, at least within our current normative frames. A regulator has very few nearby examples to draw on, for an enforceable model of consent. They need a binary, but a broader concept of consent isn't very amenable to that.
The interaction between the "cookie law" and GDPR is a bit complex, and maybe things will become clearer after a few court cases.
For example, the recent clarification said:
"The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement (for example ‘opt-out boxes’)."
But of course that applies to PII, not all cookies, and so if you have generic analytics cookies that do not result in PII then this does not apply. I think.
It takes a lot of time for regulators to catch up with all the shenanigans the bigger offenders are pulling.
But, it does give internal employees the tools to fix it in smaller companies, or smaller companies that use the services of these global companies(ex, google analytics).
Pre-gdpr, if I raised some of these points in any of my workplaces, nothing ever came out of it. Now, it's a different story.
Same with direct-marketing spam e-mails, where a customer complains.
It'll take some time for regulators to sort out the big offenders, but the regulation is already having a positive effect within smaller companies.
Typical nature of doing business in Europe. Arbitrary laws, borne in good faith but implemented so badly and erratically that everyone is forced to ignore them. The same laws are then wielded as a baton against whomever the state wishes to punish at the time.
What makes you forced to ignore them? By default, your business is likely in compliance. It's only once you start collecting user data that you have to be careful with it.
The GDPR is actually pretty simple:
"say what you do, do what you say, let the user say no"
The clusterfuck comes from every single ad-based business toeing the line in a giant tug of war between PR, legal & revenue.
If google had simply written :
"
Hey, we have a tracker on almost every website in the world, which we will use to monitor all your browsing habits and share with [this list of 100 other business].
This tracking pay for the app you are about to use.
[Continue Tracking] [No thanks]
"
They would be fine (legally, not financially); instead they use some kind of weird pop-up with no meaning, and they now have to pay the price.
European companies in the USA or Asia are exposed to the same arbitrary laws that favor local players. They only are wielded at major strategic actors rather than small startups though.
Because that EU regulation deals with people's right to privacy, and control over their data in the abstract. It's not limited to just websites and the internet; browsers and cookies are just one of many places where compliance should be achieved.
The regulation applies equally to my handwritten, paper notes I take when interviewing people for a job, to the candidate's CV, and, well, to every source of personal data.
Attempts have been made at this, not once (P3P [1]), not twice (DNT [2]), but multiple times (several expired RFCs, GPC [3]). This sounds like the evil bit (RFC 3514 [4]) at this point.
Lawmakers are generally hesitant to prescribe specific technological implementations because technology moves faster than laws. Imagine if radio spectrum regulations hadn't applied to wifi because they'd specifically specified TV/radio.
You can do this somewhat abstractly. By saying "when storing user data it must inform the user agent the purposes of that data using a standard mechanism". Then for http you can bless some RFC and the standard way.
I really wish it was done in-browser - then we wouldn't have to deal with shitty UIs and dark patterns.
The DNT (Do Not Track) header was far too simplistic, and completely unrealistic.
I'm imagining having to specify a purpose when creating cookies, such as "session cookie", "advertising", "tracking", and then dealing with consent using a consistent, built-in browser mechanism.
Would be really interesting to flesh out this idea and get feedback, in the unlikely case that it hasn't been done before...
Google earned more than 100 million with current solution (by automatically setting the cookie) and will earn much less by waiting for the user's approval... So maybe they just waited for the first fine...
I think there's no difference between never saving cookies and blocking all cookies. Most browsers have the option to block all cookies (just checked Safari and it's in the Privacy tab in settings).
It's more complicated than just that: the sites are designed that they just don't work if the browsers don't show them the cookies they saved before. And there's the whole story about the "third party cookies" and on today's pages there is often much more "third party" content than anything else and there are often dependencies on third parties to even see the content.
So to be able to somehow reduce the exposure, while avoiding every time clicking for a long time to accept and reject all the conditions from some big sources like Google (where in Google case is anyway not possible to affect much in spite of what one clicks, as the EU sees), one way would be to construct the compartments, i.e. keep a few "related" sites inside of something that the sites see as a unique browser. Then one has to maintain as easy as possible all that, to appear to the sites as "unique browsers", while using one.
Firefox has the "containers" for that but the use of them is, as far as I've tried, a bit clumsy -- it's still quite hard to manage what happens in which container -- there's too much manual work to do and it's easy to make errors, even if the user has the general idea of how he'd like to compartmentalize his surfing.
Chrome, of course, is less interested to enable their users to hide something from Google.
And Firefox is also not guaranteed to ultimately do exactly what the user would like the most, especially as the users for years flocked to Chrome, directly showing that they "don't care" giving Google what Google wants, as long as it's more "convenient." The structure of Mozilla entities is also somehow made to induce some decision problems which became more prominent with the time.
It doesn't seem that the "free market" can solve this, and EU intervening long-term could work, if they manage to be consistent enough and manage to enforce that. But it takes a lot of time.
>Is there a browser that pretends to accepts all cookies but never saves them?
I use the Temporary Containers extension in Firefox, and I think that comes pretty close. Every tab can have its own cookies, separate from all other tabs, which disappear when the tab is closed.
I've got mine setup to delete cookies for a domain when the last tab for that domain is closed. I also run Ublock Origin, don't accept third party cookies, and have javascript turned off for all domains by default.
The law isn't really just about cookies. You could use local storage, indexed DB, WebSQL (RIP), whatever; the law would still apply. Disabling browser storage will break every single website on the internet that has a session mechanism. The alternative is to append a session ID to every single link on a page. Consumer router admin pages often do that instead of using cookies.
Accept them for the session only (I guess all browsers have this option). As a bonus, this won't break every site (because yes, cookies are an important part of the web).
Firefox has some extensions for fine grained rules on cookies. After you get annoyed by things breaking because cookies don't live for long enough, you can install one and set a different lifetime for the ones you want.
Unfortunately, the CNIL here is not protecting users. Nobody wants those annoying cookie reminders. I believe this is just a form of taxation that they are not able to get in another way.
Do these laws apply to browser local storage and all other ways to save info? And once a user says "no" to cookies/tracking how is that saved, in a cookie?
As many have pointed out, GDPR does not focus on cookies per se, but Amazon (previously) and Google have put tracking cookies even while declining them. The point is Google is not putting only the "I have opted out" cookie, but putting instead "I have opted out and my ID is 751DBC849846494494A894984" cookie (which is the issue at hand).
Edit: this should be opt-in really, as tracking is explicitly stated as a consensual activity.
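An added example (not code from the thread, Google or Amazon) that audits a response's Set-Cookie headers against the two rules discussed above and in the earlier "trackingEnabled: 0" comment: no non-essential cookie before opt-in, and an opt-out cookie that is a bare flag rather than a "consentId" or timestamp that singles out the user. The cookie names, the essential-cookie list and the sample headers are constructed.

```javascript
// Strictly necessary cookies that need no consent (assumption for this example).
const ESSENTIAL = new Set(['sid', 'cart']);

// Split one Set-Cookie header into the cookie's name and value (attributes dropped).
function parseSetCookie(header) {
  const pair = header.split(';')[0].trim();
  const idx = pair.indexOf('=');
  return {
    name: idx < 0 ? pair : pair.slice(0, idx),
    value: idx < 0 ? '' : pair.slice(idx + 1),
  };
}

// Derive the consent state from the request's Cookie header. The flag cookie
// carries no identifier, so storing it needs no consent itself.
function consentStateFrom(cookieHeader) {
  const m = /(?:^|;\s*)trackingEnabled=([01])(?:;|$)/.exec(cookieHeader || '');
  if (!m) return 'undecided';
  return m[1] === '1' ? 'granted' : 'denied';
}

// A value that looks like a per-user identifier: a long token, or a
// second-precision timestamp (the "consentDenied: exact timestamp" case).
function looksLikeIdentifier(value) {
  return /^[A-Za-z0-9_-]{16,}$/.test(value) || /\d{10,}/.test(value);
}

// Audit: given the request's Cookie header and the response's Set-Cookie
// headers, return the list of findings (empty means nothing to flag).
function auditResponse(cookieHeader, setCookieHeaders) {
  const state = consentStateFrom(cookieHeader);
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (ESSENTIAL.has(c.name)) continue;
    if (c.name === 'trackingEnabled') {
      // The consent record itself must stay a bare flag.
      if (!/^[01]$/.test(c.value)) findings.push(`consent cookie is not a bare flag: ${c.value}`);
      continue;
    }
    if (state === 'granted') continue;
    const kind = looksLikeIdentifier(c.value) ? 'identifier' : 'non-essential';
    findings.push(`${kind} cookie "${c.name}" set while consent is ${state}`);
  }
  return findings;
}

// Constructed scenarios.
// 1. First visit, no decision yet, but an advertising id is already set.
const firstVisit = auditResponse('', [
  'sid=s3ss10n; Path=/; HttpOnly; Secure',
  'adid=7f3a9c2e5b1d4e8f; Path=/; Secure; Max-Age=31536000',
]);

// 2. The opt-out is recorded with an id and an exact timestamp: both flagged.
const optOutWithId = auditResponse('', [
  'sid=s3ss10n; Path=/; HttpOnly; Secure',
  'consentId=abc134; Path=/',
  'consentDenied=1609459200; Path=/',
]);

// 3. Only the session cookie and the bare opt-out flag: nothing to flag.
const compliant = auditResponse('trackingEnabled=0', [
  'sid=s3ss10n; Path=/; HttpOnly; Secure',
  'trackingEnabled=0; Path=/; Max-Age=31536000',
]);

// 4. After opt-in the advertising cookie is allowed.
const afterOptIn = auditResponse('sid=s3ss10n; trackingEnabled=1', [
  'adid=7f3a9c2e5b1d4e8f; Path=/; Secure; Max-Age=31536000',
]);
```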
GDPR covers personal information, regardless of when or where it's stored.
The ePrivacy Directive (which is called the "EU Cookie Law," the same way that the ACA is called "Obamacare") covers reading or writing data from a user's terminal device. That will include cookie-equivalents like local storage. In fact, because it covers "reading" separate from "writing," it also includes reading browser settings like user-agent string or location/language headers, and 99% of fingerprinting techniques.
Cookies require consent unless they are essential to the service that was requested by the user. The canonical example is using a cookie to manage a user's shopping cart on an ecommerce site. Shopping is what the user has requested to do, a cookie (or moral equivalent) is basically necessary to do that, no consent required.
By extension, denying cookies is a positive action taken by the user directing the site to alter its behavior. If a cookie is needed to perform that task, it's allowed even if cookie consent has otherwise been denied.
Honestly, I'm all for the GDPR but the cookie regulations are pathetic. If I store your language preference in a cookie is that the same as if I store a unique identifier so I can track you where-ever you go on the internet (as long as the site has enabled some silly facebook type button)? Of course not, it's the intent which is wrong not the simple act of offering cookies to your browser.
If they really wanted to make cookies completely optional then they should have pushed the responsibility onto browsers. At least then we'd have a consistent interface rather than some javascript which pops up 10 seconds after the page has loaded.
It's called ePrivacy. Necessary trackers are excluded from consent. This is a directive so each country will have its specific interpretation, for the french one, you can go to the CNIL's website. The final document is not translated, but you can read the draft[1], specifically the 9th paragraph.
In the case of GDPR, storing language preferences in a cookie does not need user consent because it's used to make the website work.
For example, a session cookie, storage of a cart, or preferences in local storage or a cookie are fine.
This cookie insanity has to stop. Instead of adding popups everywhere, users should’ve been trained to use the options of their browsers, which have existed for decades.
I do not want to disable all cookies, I'm perfectly happy to use credential cookies or a shopping cart, I do not want to disable everything indiscriminately.
> I do not want to disable all cookies, I'm perfectly happy to use credential cookies or a shopping cart
The cookie banner that you have to refuse/accept only concerns cookies that are not necessary for the proper functioning of the site. So login cookies or shopping cart are unaffected by the consent, and if your site has nothing else than this, it does not need to ask for consent.
Many sites, upon clicking reject, do not actually disable anything and simply suggest you disable cookies in your browser (sometimes with instructions).
Probably not. That's why we need legal enforcement, and not "users learn how to use the cookie options of their browsers" as these sites and the top level comment on this thread suggest.
Pop-ups being aggressive/undismissable is in breach of the GDPR, so given enough enforcement the problem will self-resolve. These fines are a great first step I'd say (though long overdue).
We're at the stage now where they can reasonably reliably track you without cookies. I think we need to focus more on restricting what companies can do with data than focusing on asking users permission for things. Popup-hell doesn't help anyone in my opinion.
GDPR deals with identifiers that can tie data to a single individual. Cookie IDs are just one way of doing that, true.
That's why GDPR is so powerful and a well thought out regulation. Replace the technology completely, but GDPR still applies as user-unique identifiers are still used. ex, cookie with fingerprint.js, nothing really changes. You still need to ask for consent for user-level tracking.
GDPR works well in this direction but it still adds in the informed consent which caused a lot of the popups, and the original cookie law was the EU as well. Basically, the EU while making the internet better is also making it worse. But it's a process and I think GDPR is a move in the right direction.
You can't just scrape websites and ignore robots.txt, you will get into infinite loops. That doesn't mean people don't do it anyway, but "first pass" scraping it is more efficient to respect robots.txt, and then you can come in with a human to figure out if anything behind robots.txt is surreptitiously possible to scrape. On the other hand, Google etc. do not care enough, they just respect robots.txt because they don't need to index your site if you don't want them to, it hurts you more than it hurts them.
DNT has no mutual benefit, the benefit is only to the end-user asking not to be tracked. The benefit is also not immediate, it's somewhere down the road. Ignoring robots.txt can immediately cause problems for both the client and server.
There is an incentive to not abuse their own server time serving robots, essentially creating the status quo.
Meanwhile, advertisers value users' data like gold. Unlike server time, most advertisers are okay to collect their own data for advertising purposes, and this causes them to have an unwritten agreement to collect data. Unless there is a stronger stick to force them otherwise, it is in their best interests to collect data and you need to have active intervention to prevent it.
Server operators are more capable of blocking badly behaving bots than users are of blocking adtech companies. Consequently you follow the limits in robots.txt or you risk getting blocked.
On the other hand, if you follow the limits in DNT, you get nothing, and the consequences of not doing so are ... nothing, so companies did not follow that. (See also P3P for another previous attempt)
If any browser vendor just pushed a trivial standard like
X-Consent: no-cookies
X-Consent: cookies-ok
Sites would have gobbled that header up overnight, and the other browsers would have received substantial pressure to follow.
But it's a missed beat by now, nobody is paying to have hundreds of thousands of web sites updated for such a thing even if it did exist.
Sucks none of the major browser vendors are based in Europe or this might have happened. Meanwhile, I'm no lawyer, it's not clear whether the header would pass the legal test, but I'm sure a sufficiently motivated party might have a good shot at arguing that it did.
DNT is too simple, there should be a new, better standard integrated in web browsers. The never ending popups with absolutely 0 consistency across sites are atrocious; moreover, if I rejected a cookie for a domain on site A I will be prompted on site B if I want to reject it again.
For every domain that wants to create cookies, I should be prompted by the browser (like I allow camera access) if I authorize it to do so. We can even imagine that each domain would have cookie purpose information ('mydomain.com/cookies_policy') in JSON that the browser is able to present to the user (describing each cookie of the domain). Then the browser would be responsible for never creating cookies that I rejected.
The main advantage would be that in incognito mode I would not have to repeat myself 10 times a day.
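A sketch of how a server could honour the `X-Consent` header proposed a few comments up together with the per-domain cookie policy imagined in the comment above. This is an added example, not code from the thread or from any browser vendor; the header name and values, the `DNT` handling, and the policy format are all assumptions of this example.

```python
"""Server-side consent gate for Set-Cookie (constructed example).

Models two proposals from the thread: a hypothetical `X-Consent` request
header (`no-cookies` / `cookies-ok`) and a per-domain cookie policy that
declares the purpose of every cookie. Only cookies declared `essential`
(sessionid, rememberme) are set without consent; everything else needs an
explicit `cookies-ok`. Header, values and policy format are not a real
standard; they are assumptions of this example.
"""
from typing import Dict, List, Optional, Tuple

# Constructed policy of the kind the comment imagines being published at
# mydomain.com/cookies_policy: one entry per cookie, each with its purpose.
COOKIE_POLICY: Dict[str, Dict[str, str]] = {
    "sessionid":  {"purpose": "essential",   "description": "keeps you logged in"},
    "rememberme": {"purpose": "essential",   "description": "stay signed in"},
    "_ga":        {"purpose": "analytics",   "description": "web analytics"},
    "_fbp":       {"purpose": "advertising", "description": "ad attribution"},
}


def consent_from_headers(headers: Dict[str, str]) -> Optional[bool]:
    """Return True (consent given), False (refused) or None (no signal).

    `X-Consent` is the hypothetical header from the thread. `DNT: 1` is the
    real, long-ignored Do Not Track signal and is treated as a refusal.
    A refusal wins over a conflicting `cookies-ok`.
    """
    norm = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if norm.get("x-consent") == "no-cookies" or norm.get("dnt") == "1":
        return False
    if norm.get("x-consent") == "cookies-ok":
        return True
    return None


def filter_set_cookies(headers: Dict[str, str],
                       wanted: List[str]) -> Tuple[List[str], List[str]]:
    """Split the cookies the app wants to set into (allowed, blocked).

    Essential cookies are always allowed. Non-essential cookies need an
    explicit True; a missing signal (None) is not consent. Cookies absent
    from the published policy are blocked: nobody could have consented to
    a purpose that was never declared.
    """
    consent = consent_from_headers(headers)
    allowed, blocked = [], []
    for name in wanted:
        purpose = COOKIE_POLICY.get(name, {}).get("purpose")
        if purpose == "essential" or (purpose is not None and consent is True):
            allowed.append(name)
        else:
            blocked.append(name)
    return allowed, blocked
```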
If you want to see an example of a more granular policy that the browsers (well, Internet Explorer, but it was the majority browser at the time) implemented also being ignored, see P3P: https://en.wikipedia.org/wiki/P3P
Ultimately the only cookie a user will willingly accept is the sessionid/rememberme. And the "remember me" checkbox is consent enough under the GDPR.
Behind all the legalese and marketing-speak, all the other purposes boil down to:
- We are too lazy to set up Matomo, so we are giving Google your browsing patterns.
- FB is forcing us, so we can pay ever so slightly less for ads.
- Google is offering to tell us your sex and age.
- If we don't track you, we will show you a viagra ad.
- Through 4 intermediaries, we can pay this totally-objective blog which sent you here.
I'd love to hear from someone with a complex cookie consent pop-up, but I'd bet there is about 80% "accept all" (because the users have been trained to do it), 19% "reject all", and no-one is mixed.
So the do-not-track would have been accurate enough.
Main difference is that Do Not Track was an industry incentive, not a legal requirement like the GDPR is. They could have made it legally binding, but they chose not to.
Hrm fair point. I'm not sure DNT could have been repurposed to imply consent under much newer regulations, but you're generally right, this mechanism predated the EU regs and somehow was passed up.
"Somehow" is because there was nobody enforcing it, so nobody had any incentive to honor the request. Legislative approach is the only way to have an actual effect.
DNT was also intended to be an explicit opt out. However Internet Explorer enabled by default for three years, giving the industry an excuse to question its validity and ignore it. Privacy centric Microsoft or intentional sabotage?
On the contrary, companies should be trained not to use dark patterns to trick people and not to abuse cookies by tying together tracking and spying with visiting a web site.
The cookie banners being annoying is because these companies want it to be annoying so you don't pay attention and just click accept without actually learning what they do with your data.
If I visit a website like say, Instagram, they shouldn't leave any tracking before I've had a chance to read the privacy agreement, decide it's not for me and navigate away.
Sadly, that's exactly what they do and it's about time they were made to follow the GDPR, at least within the EU.
The legislation was to discourage tracking. Unfortunately it backfired and now the web is even more shit. Easy tracking, particularly via Google and ad networks, is considered so important to basically everyone that deploys it (metrics, revenue), that they feel it's acceptable to put the banners up, rather than develop a different way of gathering and managing the data they want.
The fines aren't large enough. Google Analytics is on 50% of all web content (I should research the actual figure). The fine should reflect the effect that has on Goog's revenue, rather than this pocket-money sum.
> rather than develop a different way of gathering and managing the data they want.
European law doesn't care how it is done.
It doesn't need to be cookies, it could be actual magic for that matter and the EU would still fine them if they use it to collect user data without consent.
And, as others have pointed out: login cookies seem to be fine (as long as one doesn't use them to collect data).
Wouldn't websites fail in obscure ways if you disabled cookies? That would mean few people would disable them, so in turn web developers wouldn't care about making the errors less obscure, etc.
> Wouldn't websites fail in obscure ways if you disabled cookies?
I believe most people who care about this issue have them enabled, but deleted when the browser is closed. Therefore nothing breaks while your browser is open, and if you restart it, you basically get a fresh start (signed off everywhere).