by MakersF 1919 days ago
The law forced the companies to be explicit about what they do, and ask for consent.

The user experience is made shit by the companies doing shady things. If they didn't do shady shit, they wouldn't have to display any banner.

I'd rather be informed, at least I can make a decision that way.

Why shoot the messenger?

The part that is missing is making rejecting as easy as accepting. So far there are a lot of dark patterns, but there are sites that make it very clear and easy, and I appreciate it.

How is something like having Google Analytics on your site "shady shit"? I would think counting unique visitors is a legitimate business interest for most businesses. And there is no way to do that without a cookie, or without storing IP address (which is considered personally identifiable info).

The law could have been much better if it simply asked browser makers to provide a single place to configure your preference, and then forced companies to abide by that setting.

> How is something like having Google Analytics on your site "shady shit"? I would think counting unique visitors is a legitimate business interest for most businesses.

Just because it's free and somewhat nice looking, doesn't mean it isn't shady shit. Maybe all you care about is counting unique visitors, but by doing that with Google Analytics, you're exposing your visitors to a complex surveillance product that collects data for its own purposes, and it sees much more than what's needed to just count unique visits.

What people don't see about GA is that the data doesn't stop at you: "here is your data, X unique visitors, have a nice day".

It has a wider lifecycle: "this is YOUR data, and we collect, maintain, process, sell these data to a myriad other sources for a myriad other purposes". GA just feeds these monsters.

Most GA users just don't care about their clients'/readers' privacy. Or they care 'a little' but they care 'a lot more' about monetizing.

We externalize the costs, or find shady revenue streams. As long as people think "it's free therefore it is good and I like it" we are not progressing.

Use first-party, privacy-friendly tracking solutions. Usually, first-party cookies don’t require consent.

I would love to have a technical solution for browser-wide consent management, but it wouldn’t solve the issue of granular, informed consent for all the shady things that are possible in adtech.

Also, the law certainly doesn’t prohibit a technical solution, but that really is something that the industry should work out.

I'm sure it's possible to do analytics in a user friendly way - you can do basic analytics without storing IPs or using cookies.

The problem is that Google Analytics isn't _just_ collecting data for you, it's collecting a trove of other data that it's using to track and link users across other websites.

> How is something like having Google Analytics on your site "shady shit"?

The fact that a question can be phrased like this really illuminates how much society has changed in 20 years.

Not so long ago sharing data between sites was definitively shady. Then Google somehow institutionalized it, and now it is completely mainstream.

> I would think counting unique visitors is a legitimate business interest

Yes, that's not it. Identifying people is, and collecting their personal data is.

There was a simple place — Do Not Track (DNT), ignored by industry.

Truly open culture does not accept tracking, for example there is no way to count Linux users. And people would not be kin to those who track physical newspapers.

Meanwhile I use uMatrix and uBlock Origin.

> Truly open culture does not accept tracking

The purpose of the tracking matters, though. Truly open culture also doesn't attempt fraud, DoS attacks, data breaches, and all the other nasty things that some people who are hoping not to get caught and punished do online. Unless you can prevent all such threats, it's unreasonable to expect websites whose operators might be held responsible for the consequences not to monitor how their own systems are being used and who is using them.

DNT never worked - and never could, because it had no legal backing.

What happened was entirely predictable to anyone who understands how the market works: there were some volunteers who honored DNT while it was opt-in, but that mostly ended when one of the browsers decided to make sending DNT enabled by default.

The industry wasn't, isn't, and is never going to self-regulate itself out of a significant revenue stream. That's why we ended up with GDPR - a proper solution with legal backing - which almost works. It would be working, if EU member states were more eager to pursue violations and issue fines.

> I would think counting unique visitors is a legitimate business interest for most businesses. And there is no way to do that without a cookie, or without storing IP address (which is considered personally identifiable info).

Setting a cookie is not in itself a GDPR violation. Collecting personally identifiable information is. You can collect unique visitors by setting a cookie but without collecting personally identifiable information, so no consent popup would be required for that:

1. Set a "site last visited: <date>, <serial-of-the-day>" cookie if it is not set.

2. Count hits as appropriate by examining the cookie - without collecting IP addresses.

Since no personally identifiable information is being collected with this scheme, consent is not required.
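
The two-step cookie scheme from the comment above, sketched server-side as an added example that is not part of the original thread. The cookie name, the `.` separator, and the reading of "serial-of-the-day" as the day's running count are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "last_visit"  # hypothetical cookie name


@dataclass
class VisitCounter:
    """Keeps daily tallies only: no IP address or per-visitor record is stored."""
    new_visitors: dict = field(default_factory=dict)   # day -> first-ever visits
    daily_uniques: dict = field(default_factory=dict)  # day -> browsers counted that day

    def handle(self, cookie_header, today: date):
        """Classify one request; return (kind, Set-Cookie value or None)."""
        day = today.isoformat()
        seen_day = self._parse(cookie_header)
        if seen_day == day:
            return "repeat", None  # step 2: already counted today
        kind = "new" if seen_day is None else "returning"
        if kind == "new":
            self.new_visitors[day] = self.new_visitors.get(day, 0) + 1
        serial = self.daily_uniques.get(day, 0) + 1
        self.daily_uniques[day] = serial
        # Step 1: (re)issue the "<date>.<serial-of-the-day>" cookie.
        out = SimpleCookie()
        out[COOKIE_NAME] = f"{day}.{serial}"
        out[COOKIE_NAME]["max-age"] = 365 * 24 * 3600
        out[COOKIE_NAME]["httponly"] = True
        out[COOKIE_NAME]["secure"] = True
        out[COOKIE_NAME]["samesite"] = "Lax"
        return kind, out[COOKIE_NAME].OutputString()

    @staticmethod
    def _parse(cookie_header):
        """Return the ISO date held in the cookie, or None if absent or malformed."""
        jar = SimpleCookie()
        try:
            jar.load(cookie_header or "")
            day, serial = jar[COOKIE_NAME].value.split(".")
            date.fromisoformat(day)  # reject anything that is not a real date
            int(serial)
        except (KeyError, ValueError, CookieError):
            return None  # treated like a first visit
        return day
```

The cookie is client-controlled, so a visitor who clears or edits it is counted again; the tallies are estimates, not an audit trail.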

There is a way to count unique visitors without cookies and storing IP addresses indeed. Have you heard of HyperLogLogs? It’s very limited but works.

What's wrong with parsing your own log files locally?

Whether you parse log files locally, or in the cloud, or use a cookie really doesn't matter to the GDPR. They only mention the word "cookie" once in the entire law, it's independent of technology, as it should be. If you store personal information (like IP address) in your log files, you still need consent.

The 'cookie law' under discussion here predates GDPR by seven years, and mentions cookies repeatedly...

There is no cookie law. There was a privacy directive 7 years earlier, but it did not have any fines associated with it so no one really cared. We are discussing the GDPR that superseded the GDPR.