Hacker News new | ask | show | jobs
by Tharkun 2826 days ago
I disagree with the GDPR "success story" part of your comment. So far it's backfired entirely. The goal was to provide users with more control, and (from the standpoint of such a user) to reduce relentless personal data harvesting.

That hasn't happened. What's happened is more annoying "we use cookies and track you"-banners all over the internet. As a user who doesn't use cookies, these damned things won't even go away and keep coming back. It hasn't given me more control. At all. If anything, it's made me more trackable on the internet (because now I'll have to use cookies to tell people I don't want their god damned cookies).

Online newspapers are the worst. "Here's a front page you can read, and maybe the start of an article, if you want more, you have to give us permission to track you -- or you can just fuck off". What exactly has GDPR solved here? Nothing. Before this nonsense, I could simply tell my browser not to accept cookies from these sites, and I could tell my plugins to ignore their tracking stuff. But at least I could read the newspaper without any hassle. Now all I get is more annoying popups and less contents. Thanks, GDPR.

Yes, I'm being snarky. Yes, I know the idea of the law is pretty solid. But no, I'm not at all happy with the outcome.
7 comments
tomp 2825 days ago
Yea, I agree.

AFAIK GDPR does explicitly legislate against all that - dialogues should be "opt-in" and should include a simple "no" option, and that sites shouldn't "ban" you for not clicking "yes".

But unless EU actually starts delivering some hefty fines, the law is just a dead tree.

link
ezoe 2825 days ago
But if the site relies on cookies and localStorage and cannot work without it, "no" option is equivalent of "ban".

And it's their computer that allows the usage of cookies and localstorage. All modern web browsers has an option to disable them. It's technically stupid.

link
tomp 2825 days ago
Nah, the equivalent is "using the website with degraded experience", not "can't read the article, we'll redirect you to the home page instead".
link
reitanqild 2825 days ago
> But if the site relies on cookies and localStorage and cannot work without it, "no" option is equivalent of "ban".

This - unless I misread it - is flat out wrong for most of the cookie warnings I see.

There's no valid reason for a news site to need cookies or similar except for logins.

It can be proved easily by wiping cookies and verifying the site still works.

link
RandomInteger4 2825 days ago
I think they're saying that a lot of sites use cookies instead of the web storage api to store the option on the dialog, meaning that even if the dialogue are opt-in, they won't work unless the user enables cookies.

Basically a fundamental misunderstanding of the difference between cookies and local storage on the part of the web developers of many sites; i.e. cookies are sent with every request, whereas localstorage isn't and these sites should be storing the option to not use cookies in the localstorage instead of cookies, and I think I'm repeating myself because I haven't had my coffee after taking a nap, but that's neither here nor there or anywhere.

link
Aunche 2825 days ago
> GDPR does explicitly legislate against all that - dialogues should be "opt-in"

That's can't be a real part of GDPR, can it? I don't see how you can fine someone for shitty website design.

link
the_gipsy 2825 days ago
They should, in theory, fine websites that do install cookies before you give consent, or refuse to give sevice that doesn’t strictly require cookies (e.g. an article).
link
Aunche 2825 days ago
If the cookie only stores the preference to not show the dialog box. That should be GDPR compliant.
link
RandomInteger4 2825 days ago
You should be using localstorage from the web storage API and not cookies. Cookies are sent to the server with every request. Local Storage is not.
link
AdamM12 2825 days ago
How do you suppose the site make money off their visits? To me what you want sounds like freeloading.
link
craftyguy 2825 days ago
You seem to have no problem 'freeloading' HN.
link
AdamM12 2825 days ago
They don't run ads to generate revenue. Most content sites do.
link
makapuf 2825 days ago
You can definitely put ads without deep profiling. They can even be relevant. Just advertise for fishing accessories in fishing articles. Or hardware load balancers on Slashdot. Why not? Better than serving me whatever someone in my family has looked before (that is if I didn't have an adblocker for the past 10 tears)
link
taysic 2825 days ago
Probably most content people read does not easily translate to a product as in your fishing example. Generally, ads with no targeting are not very profitable.
link
usepgp 2825 days ago
There are ads on the front page designed to look like content.
link
craftyguy 2825 days ago
There are ads on HN (the "xyz is hiring", and I suspect a non-zero number of articles posted/promoted to the front page are paid ads made to look like content.
link
true_religion 2825 days ago
The hiring ads are not external ads. HN is 100% a marketing and PR tool to generate good will amongst developers, and startup founders.

If it ever starts to not benefit ycombinator, then the aite goes away.

link
AdamM12 2825 days ago
Ok so how's that work for a news site? Don't they need some kind of tracking to get relevant info on what their users are interested in?
link
simion314 2825 days ago
The law was not created to piss off the minority of users that do not use cookies or use plugins or extension to protect themselves, the law is intended for all users to be informed and to allow them to protect themselves.

There are many people, like my father that don't even realize that his data was collected and sold behind his back, hopefully we get some fines soon so the websites implement the law right.

What I do if I really want to read a news article I will open it in a private window, accept that crap and close the window when done, but most of the time I will not read that website and go to ones that respect the users like Europen new websites.

link
zwp 2825 days ago
> Online newspapers are the worst

Oracle. Here's July's Critical Patch Update page:

http://www.oracle.com/technetwork/security-advisory/cpujul20...

On my my domestic ADSL line the cookie pop-up takes almost 10s to load. It presents 67 checkboxes to select from. There is no default selection, so this requires at least 3 more clicks (at least the non-obligatory cookies are grouped). Submitting the form takes another ~4s -- it even has a progress bar. (Thankfully they aren't using TLS so it's not quite as slow as it could be).

Earlier this summer this component was broken and I just couldn't use oracle.com.

link
mariushn 2825 days ago
Same for offline businesses. Go to a bank, they'll ask your consent for handling personal data ("It's a GDPR law"). If you don't want to sign, they won't do business with you. No bank will.

So, it's just one more paper to sign, and doesn't help the actual consumer. I would have expected more of "Don't send me any promotional/survey questions unless I opt in", or "Never share my data with 3rd parties, period".

link
bulatb 2825 days ago
> If you don't want to sign, they won't do business with you.

That's illegal. Consent to processing can not be a prerequisite for service. [0] (Otherwise GDPR would have no power, even in theory.)

If the processing is so important that service cannot be provided without it, or wouldn't be legal to offer, it's covered under Art. 6(1)(b), (c), or (f): performance of a contract, legal obligation, or legitimate interest of the business. Consent—Art. 6(1)(a)—is what you use when you just want the data but don't actually require it to offer the service.

Saying "Sign consent or go away" is saying "We could serve you without this, but we want it, so we're lying and saying we can't."

It seems like almost everyone has chosen this weird malicious non-compliance (maximum annoyance but without the compliance) as their GDPR strategy.

Maybe lawyers found a way to claim that left is right and up is down.

[0] Art. 7(4): https://gdpr-info.eu/art-7-gdpr/

link
vukk 2825 days ago
Perhaps you should go read the thing, you might be positively surprised. The first thing you want is there, the second is a more complicated question. Sometimes some of your data is actually really needed, e.g. when required by the law. GDPR is a compromise: you have to state explicitly where the data is going and you better keep it safe, under the threat of a possibly hefty penalty.

This ^ is a shortened simplified statement. You can argue semantics or maybe that I'm just flat out wrong if you wish, but that'll mean you read the GDPR, a win in itself.

link
kruczek 2825 days ago
> What's happened is more annoying "we use cookies and track you"-banners all over the internet.

Not exactly. What happened on many sites is that along with that notification you are given an option to opt out of tracking and view crazy-long lists of partners with whom data is shared. So on those sites the user is given both choice and greater transparency. (Although I admit usually the choice is presented in such a way that it is easy to accept and difficult to reject - which is actually prohibited by GDPR.)

However on the other hand, as you say, there are sites which only give notification without giving any choice - which is also prohibited by GDPR. So I'd say the law is good, now we need to see it enforced and actually punish sites which do not follow it.

link
pbhjpbhj 2825 days ago
AIUI the "allow being tracked to gain access" is unlawful.
link
Tharkun 2825 days ago
Apparently "allow being tracked to gain more access" somehow isn't. As far as I can tell that's what every major newspaper in Belgium is doing. I suspect they've got folks in their employ who speak legalese.

But then newspapers in Belgium are pretty horrible in general. They're exempt from paying VAT, even for content they sell online. Online-only news sites don't get this exemption and have to charge 21% VAT, so the entrenched newspapers have something of an unfair advantage there. But anyway, that's a different rant entirely. Just an illustration of their general scumminess.

link
tensor 2825 days ago
Is it ok to say "you get a discount if you allow being tracked"? As a practical matter, these places need to earn money to exist, so either you get served ads or you pay directly. It's highly unreasonable to expect free service.
link
Bjartr 2825 days ago
And the GDPR says "good riddance to you if you can only make money by tracking people without the tracking itself being part of your value to them".

Not all business models deserve to succeed.

link
betterunix2 2825 days ago
IOW the EU is picking winners and losers in the market. If your business model is based on building models of user behavior and monetizing that, you will not be allowed to succeed. If your business model is based on holding a monopoly on the reproduction or display of entertainment, you will be allowed to succeed, at the expense of tech companies whose technologies might have otherwise made your business model obsolete.

The most likely outcome will be a distorted market in Europe and European tech companies becoming even less relevant and even less able to compete in other regions of the world.

link
pluma 2825 days ago
Yes, it's codifying ethical standards into law. I take it you think the US banning slavery was overreach because it made certain business models illegal? You may disagree, but the basis of the GDPR is that privacy and control over your own personal data is a human right, so violating that right is no legitimate business model.
link
tensor 2825 days ago
What? You can make money by charging people for it. Don't want to pay for newspapers for example? Without ads you can either pay up directly or not enjoy the publication.

I don't understand where this entitlement for free stuff comes from.

link
Bjartr 2825 days ago
I don't know why you think I was advocating for free stuff. I was not. I'm happy to pay for content I want. It's what time companies should be doing instead of not charging, tracking invasively, and selling user data. If you can convince people to pay for your content then the market is telling you you don't have a viable business.
link
taysic 2825 days ago
I think the issue with GDPR is that you can't deny service if they don't want to pay and don't want to be tracked. Iow, you can't ask them to pay if they don't want to be tracked. That's where the complaint about demanding a free service comes from.
link
pbhjpbhj 2825 days ago
You can serve ads without unsolicited harvesting of PII.
link
Dormeno 2825 days ago
This paper says it is lawful.

https://www.iabeurope.eu/wp-content/uploads/2017/11/20171128...

link
MiddleEndian 2825 days ago
You may be interested in http://prebake.eu/ to block them.
link
sleavey 2825 days ago
"By using these filters, you are allowing sites to set cookies by default, without you first being notified, and are agreeing to allow the sites you visit to set cookies."

Does lack of interaction with a (blocked) cookie banner give implicit consent to be tracked?

link
scaryclam 2825 days ago
No, since implicit consent is disallowed by the GDPR.
link
sleavey 2825 days ago
I'm a bit confused why the filter list's page says that then. I'm not sure why they need such a disclaimer, even if what it said was true.
link
TheCoelacanth 2825 days ago
The page is about the pre-GDPR cookie law, not about GDPR. Under the pre-GDPR cookie law, requiring an opt-out rather than an opt-in was allowed. Under GDPR, it is not.
link
MiddleEndian 2825 days ago
The user I replied to has cookies disabled anyway, so that should not be an issue in this case.
link
DavidVoid 2825 days ago
Or alternatively https://www.i-dont-care-about-cookies.eu/
link