by hartator 1950 days ago
No one wants to be tracked though but they want the website to work. “All cookies” seem to play with that line. Don’t track me but allow website to work must be enforced on the client side. It’s what we do with uBlock Origin and things in the like.

The new GDPR cookie banners are much better.

They are required to have a button to let you manage preferences, and are required to allow you to disable all cookies that aren't necessary for the site to function.

So, on any GDPR cookie banner I always click the smaller "manage" link instead of the "accept all" button. On the manage page, disable every option provided, then close the modal. I've never had a site that offered this kind of banner break in any way because of the disabled cookies.

You probably have had sites that either had no such options, or stuffed some tracking into required/legitimate interest/essential sections and tracked you anyway, however.

I probably have.

And I haven't paid close attention, as I'm an American citizen and couldn't pursue sites over such a blatant violation of the law.

Were I a European citizen, however, I would watch extremely closely and absolutely be bringing complaints against sites that did that.

This is more clicks, is often broken, and even if the button exists it may be tiny and hidden at the bottom of the list of all partners.

If I just clicked a link to a random article from search or social media, I'm not spending a full minute getting past the prompt on a website I'll probably never visit again. I'll click accept, and make sure my browser is loaded with all possible privacy extensions so none of it works.

> all cookies that aren't necessary for the site to function

You know what is necessary for a site to function? Revenue. Therefore advertising cookies are necessary for the site to function and we shouldn't need these banners.

Very clever, everyone else who didn't want to comply with the rules had the same thought.

However:

Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects [1]

Section 3.3, Paragraphs 51-53:

> 51. Online behavioural advertising, and associated tracking and profiling of data subjects, is often used to finance online services. WP29 has previously stated its view on such processing, stating

> > [contractual necessity] is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his clickstream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services, for example

> 52. As a general rule, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services. Normally, it would be hard to argue that the contract had not been performed because there were no behavioural ads. This is all the more supported by the fact that data subjects have the absolute right under Article 21 to object to processing of their data for direct marketing purposes

> 53. Further to this, Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract at issue.

[1]: https://edpb.europa.eu/our-work-tools/our-documents/guidelin...

That's great and all, but then they're blatantly violating the clearly written rules of GDPR.

I'm an American citizen, so I have no real recourse with that, but their European citizens can bring the case to a regulator and they could very well be fined.

That interpretation goes against the spirit, and the very plain letter of the GDPR regulations.

That dog don't hunt.

I'm aware Europe wouldn't actually accept this argument, it's just another reason I view GDPR as a blight on the web.

I mean, they rightly wouldn't accept the argument, because it's a poor argument given the protections that Europe has decided should exist for the privacy of individuals.

I happen to agree with the European values more than I agree with your values.

My data privacy should be a more important and more fundamental right than your ad revenue.