by mziel 3022 days ago
You can read more about the cookie law here: https://www.cookielaw.org/the-cookie-law/

Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.

This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).

With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as it. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).

3 comments

But what's the alternative approach to the cookie law? A yes/no consent page before your site, and if you click no, the user doesn't get to access it? Because that's basically the same thing, but even more annoying.
If you click no, a single, non-tracking cookie (i.e. "optout=true", not a session ID) is set, and you get to use the parts of the web site that don't require cookies to function (which, for 99% of the cookie banners I've seen, is all I wanted).

Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.

So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:

a) implement an opt-out globally across the entire site to ensure no part sets a cookie or tracks them, with a high risk if you get it wrong, and annoy every visitor with a modal yes/no before letting them onto the site (which would hurt your conversion rates etc.), where the "no" would be a meaningful choice that would still let them use your site, and there would be very little incentive for the user to click yes

b) stop tracking users unnecessarily in general

As it is written, the options are:

a) implement an opt-out globally across the entire site to ensure that no part sets a cookie or tracks the users, with a high risk if you get it wrong

b) slap an annoying banner on your web site

One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.

Which is why there is the "And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service)." point - you're not allowed to deny access to a newspaper article if somebody does not consent.
Unless you are charging for the content, I suppose.
Not tracking users.

From what I understand, the GDPR also disallows denying users access to a site if they don't consent to an unrelated data collection.

Websites in the Netherlands (and German public broadcasters) already follow the original ideal:

Before accessing the website, you get a choice between yes and no.

If you select no, the site will not do any tracking, no analytics — some sites disable ads in that case entirely. You still get to access the site.

If you select yes, you get the tracking.

Honestly asking... Does anyone ever click yes?
Probably, because many other sites implement it as "yes means you get to go to the site, the no button is a link to google.com"
No, you could outlaw degrading functionality, which is what they are doing in the new law.
How do you do this for services where functionality is reliant on tracking etc? E.g. some of Google's services.
You can only degrade when the user's denial exactly relates to the function of the service.

I have history turned off in google maps. I can’t name the points I make, it tells me I need to turn history and tracking back on. I hope that becomes an unjustifiable degrade.

I may have understood wrong, but it seems to me that for your maps degrade, the tracking may relate very much to the function of the service. How is the server supposed to remember the name you gave to each point without tracking you? Remember, there are many round-trips to the server when you're scrolling and resizing a map. They could always move point-naming override client side, but that's a pretty big change.
You don't do these services without obtaining the user consent first. Simple as that.
IMO the cookie law was good (IANAL), but a banner in your face is not consent, not in an opt-in way at least.
If you're made aware of the terms and can choose to leave, that's pretty much consent. Do you sign a paper agreeing to all the terms when you enter a car park? Of course not! It's a class of contracts called contracts of adhesion. [0]

[0]: https://en.m.wikipedia.org/wiki/Standard_form_contract

EU consumer rights specify many (types of) terms that are considered unfair in various common contracts, so if they're included in a standard form contract offered to consumers, they're automatically considered null and void. I.e. it's a general legal principle that because such contracts aren't negotiated, there's one-sided leverage, and certain classes of terms are inherently abusive to consumers, therefore even if a consumer "agrees" to them and signs a contract including these terms, they shall not be considered binding.

GDPR extends this concept also to consent for processing private data - there are some ways in which that consent can be granted and received, but contracts of adhesion are not (will not be when GDPR comes into force) one of them. In particular, GDPR specifies that anything included in such a "take it or leave it" contract is not considered "freely given" consent and thus such a contract does not and can not give you any rights to use that data, no matter what is written there.

The cookie banner does not put me in a "take it or leave it" position. By the time I get to learn of the terms—by any reasonable definition a prerequisite for consent—the other party has already set a bunch of cookies.
Contracts of adhesion are almost universally derided as being quite one sided and shitty to people.
How is GDPR different in this regard?
But opt-in for what? For being tracked? Using your data? Just showing you an ad?
You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.
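The two mechanisms discussed in this thread, a single non-tracking opt-out cookie that still lets the visitor use the site, and consent enumerated per purpose with every purpose defaulting to opt-in, can be shown together in a small server-side gate. The following is an added example written for this page, not code from any commenter or any real site; the purpose list, the `consent` cookie name, the sample cookie names and the request shape are all assumptions, and it uses no framework so it runs under plain Node.js.

```javascript
// Added example: a minimal consent gate in plain Node.js (no framework).
// Assumptions: the purpose list, the "consent" cookie name, the sample
// cookies and the request object shape are invented for illustration.

const PURPOSES = ["analytics", "marketing", "ads"]; // assumed enumerated uses
const CONSENT_COOKIE = "consent"; // assumed name; stores only the user's choices

// Parse a Cookie request header into a plain object; malformed parts are skipped.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const k = part.slice(0, idx).trim();
    try {
      if (k) out[k] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch (_) {
      // ignore badly encoded values rather than failing the request
    }
  }
  return out;
}

// Consent state: every enumerated purpose defaults to false (strict opt-in).
// Unknown purposes in the cookie are ignored, so a tampered cookie cannot
// grant anything outside the enumerated list.
function parseConsent(raw) {
  const state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  if (!raw) return state;
  for (const p of raw.split(",")) {
    if (PURPOSES.includes(p)) state[p] = true;
  }
  return state;
}

function serializeConsent(state) {
  return PURPOSES.filter((p) => state[p]).join(",");
}

// Decide which Set-Cookie headers a response may carry. Each requested cookie
// is tagged with the purpose it serves; "necessary" covers features the user
// explicitly asked for (a shopping cart), which need no consent.
function allowedSetCookies(consent, requested) {
  const headers = [];
  for (const c of requested) {
    if (c.purpose === "necessary" || consent[c.purpose] === true) {
      headers.push(`${c.name}=${encodeURIComponent(c.value)}; Path=/; SameSite=Lax`);
    }
  }
  return headers;
}

// Simulated request handler returning { status, headers, body }.
function handle(req) {
  const cookies = parseCookies(req.headers && req.headers.cookie);
  const consent = parseConsent(cookies[CONSENT_COOKIE]);

  // POST /consent records the per-purpose choices. Declining everything still
  // sets exactly one cookie (an empty purpose list), and access is unchanged.
  if (req.method === "POST" && req.url === "/consent") {
    for (const p of PURPOSES) consent[p] = Boolean(req.body && req.body[p] === true);
    return {
      status: 204,
      headers: [`${CONSENT_COOKIE}=${serializeConsent(consent)}; Path=/; SameSite=Lax; Max-Age=31536000`],
      body: "",
    };
  }

  // Ordinary page: the content is served regardless of consent; only cookies
  // whose purpose was granted (or that are strictly necessary) are set.
  const wanted = [
    { name: "cart", value: "abc123", purpose: "necessary" }, // constructed sample
    { name: "_ga_sim", value: "GA1.x", purpose: "analytics" }, // constructed sample
    { name: "ad_id", value: "xyz", purpose: "ads" }, // constructed sample
  ];
  return { status: 200, headers: allowedSetCookies(consent, wanted), body: "<article>content</article>" };
}

// Stand-alone demo: a first visit with no consent cookie sets only the cart cookie.
console.log(handle({ method: "GET", url: "/article", headers: {} }).headers);
```

The design point is that a first visit, and a visit after the user declined everything, both produce a 200 response with the same article and only the strictly necessary cookie; tracking cookies appear only once the matching purpose has been opted into, and the consent cookie itself carries no identifier, just the list of granted purposes.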

Defend it? What happened with "innocent until proven guilty"?
This is a corporate regulation, not a criminal case. When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws. I don't see why auditing for GDPR compliance should be different to auditing for VAT compliance.
> When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws

Not true. There are some countries where it works like this, but also countries where it's the opposite. In some EU countries this got ruled as unconstitutional. In some other countries, this got ruled by the highest court of law as unlawful.

> This is a corporate regulation, not a criminal case.

That doesn't matter in most EU countries.

The GDPR does somewhat turn handling private data into "guilty until proven innocent".

Until you prove otherwise, by means of contract, legitimate business interest, law or consent, assume private data is meant to remain private.

This isn't a criminal case.
Most European constitutions don't limit this principle to criminal cases - actually most of the time it specifically says that it especially applies to interaction with government on top of criminal cases.
The industry decided to vacuum up every last little bit of data they could get their hands on. They've very much already been proven guilty. This is now probation for the industry.