[saagarjha]

GDPR isn't very hard to understand, it's just that website owners want to have their cake and eat it too. Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting, and all this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".

[mcqueenjordan]

> GDPR isn't very hard to understand

It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.

> Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting...

Totally agree, and this shouldn't be done.

> ...this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".

This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

[tripzilch]

> it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints

The only different "constraints" relevant here would be "we get to play fast and loose with the data we collect or allow to be collected about users, without repercussions".

If that wasn't the "constraints" they were operating under, they have no problem now either.

> Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

This is indeed where we disagree, except the law also disagrees with you:

It's. Not. About. Cookies.

It's simply about collecting and storing more data on your users than you strictly need to run your business.

There's really nothing technological about it, if you did it with pen and paper, you'd be subject to the same GDPR. Talking about HTTP response headers or "waging a war against cookies" is just misleading.

[wlll]

> It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.

As a developer, I agree. As an end user, I am OK with this.

If organisations have to think hard about what data they collect, because it means they have to think hard about how to safely store and destroy it, then that's a good thing.

It has been easy to collect, store and disseminate user data without thought for a long time, and website operators have proved they can't (in general) act responsibly.

> This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive

My honest opinion about most of the consent popups I see is that they are at best trying to weasel out of having to comply with the regulations, or at worst applying dark patterns to trick the user into "consenting".

I am sure there are some honest people with consent popups out there, but I'm not generally generous enough to attribute anything other than malice or incompetence.

> this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution.

For sure, but it works both ways. There is a (potential) financial penalty for not taking care of user data, but at the same time, there's a pretty large cost to a user if their data is spaffed all over databases on the Internet when they didn't want that.

Also, I'm pretty sure if you are actually trying to be GDPR compliant then your first interaction with the information commissioners office will be them trying to help you comply, and you do always have the option of just deleting the data if you can't treat it safely.

> Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was speficically discussed, and not allowed, but I could be wrong.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

It would be a mistake to think that Cookies are the focus of the GDPR. See https://gdpr.eu/cookies/:

"However, throughout its’ 88 pages, it only mentions cookies directly once, in Recital 30."

The GDPR is about user privacy, cookies are one of the primary tools for violating it, and the most prominent artefact seen on the web, so it's the focus of a lot of discussion, but the main thrust of the regulations aren't around cookies themselves.

It is significantly unlikely that there will be opt in banners for JS, HTTP, TCP, phone calls, cameras at the beach, or just looking at people with your eyes any time soon.

[latk]

> I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was speficically discussed, and not allowed, but I could be wrong.

Consent must be informed and specific, so simply asking users to set their browser to accept or reject all cookies (regardless of purpose) is not compliant.

On the other hand, if browsers get their act together and standardize a consent API with the necessary features, then browser-based consent management would surely be compliant. GDPR and ePrivacy don't address this explicitly, though GDPR Recital 32 considers consent by “choosing technical settings for information society services”.

Centralising consent in browsers is a key consideration in the proposal for an updated ePrivacy Regulation, but the EU is not going to mandate specific technologies. Everyone is well aware of the mess that is the Do-Not-Track header.

[mcqueenjordan]

These are good points. It definitely cuts both ways.

I'm not against GDPR, and I'm glad these issues are getting attention. I just want to make sure we recognize there is a lot of nuance here, and there are real costs and second- and third-order consequences to consider.