by dustinmoris 2027 days ago
Honestly, if you’re just a small personal website or blog then just don’t bother with those idiotic cookie consent banners. Use Google Analytics or whatever makes you happy and nobody will ever say anything to you unless you’re an extremely famous person, and even then the chances of someone ever bothering you regarding a GA cookie are very low. Especially if you’re a tech blog, your readers know how cookies work and how to protect themselves from “tracking”, so you’re not even doing anyone a favour. It’s pure annoyance with zero benefit. Obviously if you’re a big corp you’ll have to comply, but I’d even question then what the EU is really going to do. Just write a page on how you use data and be honest, transparent and ethical about it, and spare yourself bastardising your beautiful website with EU shenanigans. And I’m from the EU and even dislike it.
8 comments

Honestly, please respect the laws (unless you are doing civil disobedience, I won't judge you) and people even if they are techies.

You don't want to show me a banner because it's painful? Right, I agree. Just don't opt me into this crap and then you don't need to show me the banner.

You can use your server logs to measure your audience.

You want the warning banners simply because it's a law or do they actually help you with something? Out of curiosity, do you ever break driving laws such as speed limits?
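As an added example of what "use your server logs to measure your audience" can look like in practice (this is not code from the thread or from any commenter): a small Python script that reads Apache/nginx "combined" access-log lines, drops static assets and obvious crawlers, and produces per-day page views, distinct visitors and referring sites without setting any cookie. Distinct visitors are counted with a keyed hash of (IP, User-Agent) under a key derived per day, so the stored aggregates hold no raw IP and tokens cannot be joined across days. The log lines, the site host `example.org` and the crawler heuristic are all constructed for the example.

```python
"""Cookie-free audience measurement from web-server access logs (added example).

Reads Apache/nginx "combined" format lines, skips static assets and obvious
crawlers, and aggregates per-day page views, distinct visitors and external
referrers. Visitor identity is a truncated HMAC over (ip, user-agent) under a
per-day derived key, so raw IPs never reach the aggregates. The sample lines
below are constructed for this example; they are not real traffic.
"""
import hashlib
import hmac
import re
import secrets
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

SITE_HOST = "example.org"  # assumption: the host whose logs these are

# Constructed sample log (documentation IP ranges, invented paths and agents).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:09:12:01 +0000] "GET /posts/hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"
203.0.113.7 - - [10/Mar/2021:09:12:03 +0000] "GET /style.css HTTP/1.1" 200 812 "https://example.org/posts/hello" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"
198.51.100.23 - - [10/Mar/2021:09:15:44 +0000] "GET /posts/hello HTTP/1.1" 200 5120 "https://news.ycombinator.com/" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.23 - - [10/Mar/2021:09:16:10 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
192.0.2.9 - - [10/Mar/2021:09:20:00 +0000] "GET /posts/hello HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.7 - - [11/Mar/2021:08:01:00 +0000] "GET /posts/hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"
"""

# combined format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_RE = re.compile(r"\.(css|js|png|jpe?g|gif|svg|ico|woff2?)(\?.*)?$", re.I)
BOT_RE = re.compile(r"bot|crawler|spider", re.I)  # crude heuristic, assumed for the example


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return rec


def visitor_token(ip, ua, day, secret):
    """Pseudonymous visitor id: HMAC over (ip, ua) under a key derived from the day.

    Only the count of distinct tokens is kept. Anyone holding `secret` could still
    recompute a token from a guessed IPv4 address (the space is small), so the
    secret should be discarded once the day's totals have been written out.
    """
    day_key = hmac.new(secret, day.encode(), hashlib.sha256).digest()
    return hmac.new(day_key, f"{ip}|{ua}".encode(), hashlib.sha256).hexdigest()[:16]


def summarize(log_text, secret, site_host=SITE_HOST):
    """Per-day page views, distinct visitors, page hits and external referrer hosts."""
    days = defaultdict(lambda: {"pageviews": 0, "visitors": set(),
                                "pages": Counter(), "referrers": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue
        if ASSET_RE.search(rec["path"]) or BOT_RE.search(rec["ua"]):
            continue
        d = days[rec["day"]]
        d["pageviews"] += 1
        d["visitors"].add(visitor_token(rec["ip"], rec["ua"], rec["day"], secret))
        d["pages"][rec["path"]] += 1
        host = urlsplit(rec["referer"]).netloc if rec["referer"] != "-" else ""
        if host and host != site_host:
            d["referrers"][host] += 1
    # Emit counts only; the token set is dropped here and never written anywhere.
    return {
        day: {"pageviews": d["pageviews"], "visitors": len(d["visitors"]),
              "pages": dict(d["pages"]), "referrers": dict(d["referrers"])}
        for day, d in sorted(days.items())
    }


if __name__ == "__main__":
    for day, stats in summarize(SAMPLE_LOG, secrets.token_bytes(32)).items():
        print(day, stats)
```

Run against a real access log with `summarize(open(path).read(), secrets.token_bytes(32))` and keep only the returned dictionary; a fresh secret per run means the day keys cannot be reused later to re-derive tokens from an IP list. Log retention itself is a separate question: the raw log still contains IPs, so the usual rotation and deletion policy applies to it regardless of this script.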
"The banner" is nowhere stated in the law. It's a way people have chosen to comply with the law, and most of the implementations currently out there are still in violation of what the law states. The law simply mandates you get informed, "written" consent from any visitor before tracking them or collecting PII in any form or function.
Just read up on it and it's actually a bit more detailed, it requires active consent.

https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...

Statement 82 reads:

"The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement (for example ‘opt-out boxes’)."

This in my mind pretty much invalidates most of the existing cookie banners out there, not to mention the multi-layered messes some sites do (Oath comes to mind).

Yep, that's exactly what I mean by "informed & written": quite literally it must be active by definition of "informed", but furthermore in a way that is clear to the user of WHAT he actively consented to, and written meaning "provable".
Cookie banners predate GDPR by a decade or two.
And most importantly, they don't suffice to fulfil GDPR. The user must not only be informed OF the usage of cookies, but of any means of tracking, and must be presented a way to access the content WITHOUT having to load said cookies or tracking measures.
If it simply stated what you say (may I have the quote?), few would be in violation of it, again as you say.
It's difficult to quote what does not exist, but yes, GDPR only requires asking explicit consent (which can be implemented in different ways, cookie banners being one).

And this is not for cookies required for technical reasons (session cookies and cookies to save preferences); you don't need consent for them. Only for marketing / statistical cookies. See [1], it does a good job of explaining this.

[1] https://gdpr.eu/cookies/

Supposing that I break laws such as speed limits, it's still something I should not do, voluntarily anyway.

Look, I'm not that much into respecting laws for the sake of respecting laws. I actually don't really like rules all that much. And there are shitty laws. GDPR and speed limits aren't, in my opinion, though. I find them sensible. If you think they are not, I got you covered with my civil disobedience parenthesis.

That said, breaking the law has risks, you cannot lightly advise people breaking it as they feel like it.

Where did you read that I want cookie banners? They ask me whether I want to be tracked. They are nonsense, often bad UX, and often riddled with dark patterns. The GDPR never forced anyone to implement them. It requires explicit consent for tracking in essence, which cookie banners often do a very bad job of.

If you think that as a visitor I am not going to opt in, don't ask me, and definitely don't force me into it with dark patterns. If you think your cookie banner is going to annoy me, well don't design your website this way, or you are not being coherent. Or, more accurately, you are solving a problem that is yours, not mine, and yet putting the burden on me.

Maybe you don't want them but someone else who visits your website does. You can't assume everyone dislikes the same laws as you and since it's a law people kind of have a right to it.
The position was “don’t break laws that provide my right to privacy”

The response is “what about all these laws you break yourself?”

I don’t think that’s particularly valuable.

I think it is helpful to point out that some laws are poorly written, are pointless, too aggressive, or impossible to comply with properly. When someone realizes that there are laws they themselves break, hopefully they tone down their conviction that they're law abiding and others are not. This then helps to process the actual problems with individual laws.
Do you really need Google Analytics if you just have a small personal website?

Now that we know the privacy cost, is it worth sending yet another node of a user’s browsing behavior from a presumably well intended personal website?

If you're just a small personal website and still need analytics, then just use a self-hosted solution, as it will be really cheap (or even free) to host and your data is never sent to 3rd parties.

For example, if you have a WordPress site, you could install https://www.usertrack.net as a WP plugin and all data will be stored locally.

Honestly, this is terrible advice. I know it's annoying to many people, but the EU isn't autonomously pursuing corps big or small: its legislation will kick into action if _anyone_ files a complaint after visiting your website, and you'll be subject to the same possible penalties as anyone.
Iirc, though, the law states that the fine will come only if you don’t comply with an initial warning, which will always have to be the first step. In that case, you can easily comply and not be fined.
Absolutely, but that hardly means OP's approach of "just fk it" is sane advice.
This is vapid reactionary nonsense of the worst kind: The kind that gives you bad advice and appeals to you to accept it from a position of outrage. Anyone can and should make an informed choice not to follow rules they find problematic, that decision should not be based on how upset you feel.
You forgot to add that it's important to also ensure you don't have enemies in relevant govt positions before deciding on your cookie policy.
GDPR doesn't apply to personal websites where there is no company behind the website.

edit: here's a source: https://gdpr-info.eu/art-2-gdpr/

This Regulation does not apply to the processing of personal data:

(c) - by a natural person in the course of a purely personal or household activity;

You have misinterpreted that (which I understand if you're American, since the word "personal" has a different legal definition there).

Purely personal activities are not really interpreted in the "I have a personal blog" sense, but in the "I need to call my friends" sense. If you are indiscriminately processing data of possibly hundreds of people (note that at least in cases in Austria, it can be as low as 50 individuals), it is no longer purely personal and is now partially commercial, and unless you have other reasons to collect the data (research, or you have actively obtained consent), you cannot simply do this.

I completely agree: if you're acting outside of personal bounds this does not exclude you, e.g. generating profit by selling ads, which gets taxed as income.

Probably shouldn't have tacked on the company bit.

"personal or household activity" is not the same as "not a company", so it really can depend on what you are doing with your personal website.
A personal blog would likely qualify for that, however, many personal websites would not pass the test of "no connection to a professional or commercial activity" (from https://gdpr-info.eu/recitals/no-18/) - if you sell something on that site, or have ad revenue, or use it as advertisement for your professional consultations, then it's not purely household activity.

If you have a bootstrapped web startup project that you want to launch (e.g. collecting "pre-sales" signups from a minimum viable product), then it's definitely not purely personal or household activity even before you have registered a company.

yes, that is a good clarification. Probably shouldn't have tacked on the "not a company" bit.

A person without a company can act outside of the personal bounds.

I agree.

This is one of those laws on the books to punish people who the EU (or relevant national government) think need to be punished. Its end result is just endless fucking annoyance to use any website, and from every one of these threads I read, all the annoying cookie permission and opt-in popups are probably illegal under the GDPR anyway. If I'm going to slap Google Analytics on a personal site, I'm going to do it and not worry.

For all I know doing that might be forbidden under the GDPR or it might not, I don't care to find out.