Hacker News
New browser signal could make cookie banners obsolete (dataprotectioncontrol.org)
270 points by chdlr 1837 days ago
31 comments

Reminder that we've already had a spec for it. In the 90s! And it has even been implemented in Internet Explorer: https://www.w3.org/P3P/ It did absolutely nothing for privacy. Google has been sending bogus P3P headers that broke IE's implementation and allowed all cookies.

Adtech companies don't want users to have an easy opt-out. They didn't want P3P. They didn't want DNT. They will not want this new spec, unless the spec is so bad that most users will agree by accident.

The annoying and confusing cookie banners are a feature. Besides making people agree through confusion or attrition, the banners are malicious compliance. Adtech companies putting them up want you to be pissed off at the banners. They want you to associate them with privacy, and conclude that privacy laws are pointless and should be repealed.

This exactly. This is also why I never feel "ashamed" when sites ask me to please disable my ad blocker because when I block ads they'll go out of business. Or why I'll always decline even "user respecting" ads on sites.

We're fighting the ad and tracking industry here, the internet equivalent of a gang member with a shiv and a length of pipe. I'm not going to fight nicely. I'll deny you any chance and any method I get.

> People are taking the piss out of you every day. They butt into your life, take a cheap shot at you and then disappear. They leer at you from tall buildings and make you feel small. They make flippant comments from buses that imply you’re not sexy enough and that all the fun is happening somewhere else. They are on TV making your girlfriend feel inadequate. They have access to the most sophisticated technology the world has ever seen and they bully you with it. They are The Advertisers and they are laughing at you. You, however, are forbidden to touch them. Trademarks, intellectual property rights and copyright law mean advertisers can say what they like wherever they like with total impunity. Fuck that. Any advert in a public space that gives you no choice whether you see it or not is yours. It’s yours to take, re-arrange and re-use. You can do whatever you like with it. Asking for permission is like asking to keep a rock someone just threw at your head. You owe the companies nothing. Less than nothing, you especially don’t owe them any courtesy. They owe you. They have re-arranged the world to put themselves in front of you. They never asked for your permission, don’t even start asking for theirs.

-- Banksy

Saving this text. Very accurate.
I agree that we should not feel shame at blocking ads. I remember when the web was new and "pop-up blockers" became a thing. Ad companies and everyone using them have long ago burned any and all good will we might have had towards them and deserve nothing but our contempt.
Then Google came along promising no intrusive banner ads or popups. They would make their money from quieter personalized ads that knew what you wanted because they had more data about what you were doing. People loved the idea. It was going to save the internet from the horrible advertising industry.
Actually, I seem to remember that these ads were contextual at first, not related to any profile they would have built for you but only related to the content of the page.

Which is entirely different. Ads are still manipulative (by design), but at least purely contextual ads don't track you.

Oh that's right. With Gmail, people assumed they would be based on your email contents, but I'm not sure if Google actually ever did that.
I remember IE6's so-called blocker failing to block a lot of popups. It wasn't until I discovered Firefox in 2004 that I stopped seeing them.
Just a small reminder for people using Firefox and uBlock Origin: you can remove almost all cookie prompts by enabling the annoyances filters in the addon settings.
You can also block all sorts of annoyances. Last year I added ##.ytp-pause-overlay to my list; now when I click to pause embedded YouTube videos all the useless crap like "more videos" does not show up. I also tend to block any sort of mouseover modals that show up on sites, like profiles on forums or Reddit.
Want to add that uBlock Origin is not only exclusive to Firefox. If you prefer a WebKit-based browser you can use Orion on Mac with uBlock Origin.
I can't find that. Could you be more specific?
"Filter Lists" settings-tab -> expand "Annoyances" -> Fanboy's is by far the most popular one. Otherwise read the pages they link to / view the content (many have descriptions in content) - many of them are intended to work with Fanboy's, but if not you may have excessive duplicates.
Thank you!
Anyone not using Firefox/uBlock: you can use NoScript to block the banners, and a lot of other adtech (including some paywalls such as Bloomberg), as they are all JS-powered.

It's quite surprising to see how many JS plugins are in operation on a typical consumer site, and satisfying to know they were all blocked unless expressly permitted :)

And if you don't want to or can't install noscript, you can use my little hack https://noscript.it/ to view a page without javascript.

Note that it is a hack/poc and does not always work, especially the x-frame-detection is iffy so if you try it and just see a blank page try the "enable proxy" checkbox. I use it every now and then on iOS to get around some especially obnoxious JS, but if there were more users I would be more motivated to improve it (hint hint:-)

Keep in mind, however, that you will end up enabling all the "Please enable Javascript to view our website (even though our website works well enough for your casual visit without it)" banners, that are enabled in the HTML by default and hidden by JS :)

For example, one particular maroon-headwear-related Linux distro's bug tracker has a particularly egregious blinking bright red banner, asking you to enable JS for the website to "function correctly", even though reading bugs on said tracker works fine without it.

And on Safari use Hush!
The ad industry eventually ruins any medium it touches, and is responsible for spreading misinformation and propaganda that have killed millions.

It ruined print when every other newspaper and magazine page had an ad mixed in with the content. Sure you could get the paper for free, but how much content are you actually reading?

It ruined television when an hour-long show is interrupted several times to show 15 minutes of ads.

And now it's ruining the web with the advent of ad tech and the brilliant minds that get paid millions to think of new ways of squeezing more value out of people's attention. Web sites are riddled with ads now even worse than in the popup days. I have to navigate a legal minefield of dark patterns to ask them to please not track me or sell my data.

These are just the ways it ruins content and user experience. What about the misinformation? The lies from the tobacco industry, the political ads that overturn democracies, astroturfing and embedded marketing...? The list of shady and downright evil practices is too long to mention.

Advertising is a scourge on humanity. It needs to be strongly regulated and companies as influential as Google and Facebook need to switch to user respecting business models, for the sake of all of us.

You might show me ads but not track me; Privacy Badger stops you from doing that. But if your ads are trying to track me, then Privacy Badger stops that too.
I'm not likely to bother blocking first-party images or other content so-delivered. Odds are I won't be bothered enough by those to block them, or if I am I'm more likely to abandon the site than to start blocking that kind of ad on every site.

The problems are the tracking and the ad networks that kinda treat both the viewer and their site-hosts as consumable resources, but that sites can't realistically avoid if they want/need ad support, because that's where all the money is. Break the ad networks, break tracking (and I mean legally, in both cases—tech means for blocking are doomed, IMO) and ad money won't go away, it'll be redirected to less-awful ways of delivering ads.

You are generous.

However I don't want any content which could be distracting or plain unsafe for mental wellbeing. One example is the ads for violent games on BlueStacks when I was using the emulator for Android education software for my children.

No thank you. Any content I can't control will be kicked.

Either by using adblockers or by just not using the service.

Advertising is mental pollution.

I dated a woman who experienced trauma in the past and she would routinely get horror movie trailers in YouTube. Even I found them disturbing. Neither of us had any interest in getting intrusive thoughts from watching assault and body horror. Putting in uBlock Origin did wonders for her well being.

Unfortunately the ad blockers are not usually able to tell the difference between first-party ads and network ads. In practice both come from an ad server.

I think there's actually a great opportunity for someone to create an ad server that only serves first-party ads with no tracking.

The Deck was such a thing. It was sort of invite only because once you go first party you have no way to validate the user base so you need to trust the partner. For ads that result in direct sales this can be easy to do though.
It was more of an ad network, no? Also I think it shut down.

I'm talking about something even simpler than that. I have my own website and I have my own advertisers who want to put ads on it. I need a way to serve them and do contextual targeting (e.g. stories about a certain topic) and frequency capping and forecasting and the other sort of basic stuff I expect from Google Ad Manager.

> The annoying and confusing cookie banners are a feature.

Not just that, but I’ve never seen a cookie banner that does anything. Cookies get sent down with the page on the initial load. Whenever I’ve opened an inspector to see if cookies get unset by JavaScript in response to my “opting out,” I’ve never seen an effect. The same cookies get sent after I opt out: no change. Has anyone seen a cookie preference banner that actually does something?
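The check described in this comment (open an inspector, opt out, see whether any cookies actually disappear) can be made repeatable. The following is an added example, not code from the thread or from any consent-management product: it parses two `document.cookie` snapshots, one taken before and one after clicking the banner's reject option, and reports which script-visible cookies were removed, added, changed or left untouched. The cookie names in the sample snapshots are constructed for illustration, and the `consent` cookie name that the verdict helper ignores is an assumption (banners use whatever name they like).

```javascript
// Added example (not from the thread). Diff two document.cookie snapshots to
// see whether an opt-out click had any observable effect. The diff logic runs
// in Node on constructed samples; in a browser console you would pass
// document.cookie captured before and after clicking "reject".

// Parse the document.cookie serialisation ("a=1; b=2") into a Map name -> value.
function parseCookieString(cookieStr) {
  const cookies = new Map();
  for (const part of cookieStr.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    // A cookie with no '=' is exposed by document.cookie as a value with an empty name.
    const name = eq === -1 ? '' : trimmed.slice(0, eq);
    const value = eq === -1 ? trimmed : trimmed.slice(eq + 1);
    cookies.set(name, value);
  }
  return cookies;
}

// Compare two snapshots and classify every cookie name seen in either one.
function diffCookies(before, after) {
  const a = parseCookieString(before);
  const b = parseCookieString(after);
  const result = { removed: [], added: [], changed: [], unchanged: [] };
  for (const [name, value] of a) {
    if (!b.has(name)) result.removed.push(name);
    else if (b.get(name) !== value) result.changed.push(name);
    else result.unchanged.push(name);
  }
  for (const name of b.keys()) {
    if (!a.has(name)) result.added.push(name);
  }
  for (const key of Object.keys(result)) result[key].sort();
  return result;
}

// Names of cookies that were removed by the opt-out, excluding the banner's own
// consent-state cookie (assumed name 'consent'): a banner that only flips its
// own cookie and leaves analytics/ad cookies in place has had no real effect.
// Caveat: HttpOnly cookies never appear in document.cookie, so this only speaks
// for cookies that scripts on the page can see.
function optOutRemoved(before, after, consentCookies = ['consent']) {
  const ignore = new Set(consentCookies);
  return diffCookies(before, after).removed.filter((name) => !ignore.has(name));
}

// Constructed sample snapshots (not real site data).
const SAMPLE_BEFORE = '_ga=GA1.2.123; _gid=GA1.2.456; consent=pending; sessionid=abc';
// Typical "no-op" banner: only its own consent cookie changes.
const SAMPLE_AFTER_NOOP = '_ga=GA1.2.123; _gid=GA1.2.456; consent=rejected; sessionid=abc';
// A banner that actually honours the choice: analytics cookies are gone.
const SAMPLE_AFTER_REAL = 'consent=rejected; sessionid=abc';

console.log('no-op banner removed:', optOutRemoved(SAMPLE_BEFORE, SAMPLE_AFTER_NOOP));
console.log('working banner removed:', optOutRemoved(SAMPLE_BEFORE, SAMPLE_AFTER_REAL));
```

In a browser the usage is `const before = document.cookie;`, click the reject button, `const after = document.cookie;`, then `diffCookies(before, after)`. An empty `removed` list for every cookie except the consent one is exactly the "no change" this comment describes; a full check also needs the network panel, since server-set HttpOnly cookies and third-party requests are invisible here.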

Look at well-funded government or other public websites.

https://www.gov.uk/, https://www.nhs.uk/, https://europa.eu/, https://home.cern/, https://www.bundesregierung.de/ (maybe), https://www.dr.dk/ (maybe).

Smaller, local (to me) sites have started to have cookie banners that have an effect. My bank, 1/3 of the bigger news sites here etc...

They all started with a single "agree" button, then went to "agree/disagree" with no effect and are finally starting to come around to a functioning disagree button.

GDPR also helps here, as it defined what identifies an individual and that made most of the tracking PII even when it's all merged by a random ID that stays with the user. The effect is slow, but it's starting to work.

Hopefully the next step will be abandoning cookie banners and only using technically required cookies (don't need consent) and/or non-identifying tracking for aggregate results. This is a massive improvement in UX and actually gives the company more quality data that doesn't identify any single individual.

I'm personally pushing for aggregated tracking in my current company. It's an uphill battle, but one that can be won I think.

> non-identifying tracking for aggregate results

That sounds similar to FLoC, which is still very much identifying[1].

The solution to user tracking isn't less identifying tracking. It's no user tracking.

[1]: https://blog.mozilla.org/en/mozilla/privacy-analysis-of-floc...

"They want you to associate them with privacy, and conclude that privacy laws are pointless and should be repealed."

Once in a while I read/learn something new at HN that changes my perspective on things. This sentence is such an example.

I agree but I changed "pointless" with "hopeless" for a better effect on my end.
Unless regulators force companies to respect automated protocols.
This. You can see the impact of this on the new iOS tracking permissions. Most people want to opt out, but can't. Regulators stepping in would spell the end of large sections of the online advertising industry, so I doubt it'll happen.
Regulators in the US do not seem to be completely in the pockets of the online advertisers quite yet, given recent legislation proposals. Regulators in the EU, even less so.
> Most people want to opt out, but can't.

Not following this too closely, I thought that's possible now, or at least as soon as the last few holdout apps get updated?

That's the point, by Apple taking control of the interface and preventing dark pattern bullshit, opt in rates are way lower on iOS than on websites.
I thought this exactly. Kind of like US requiring pension plan options to be provided in a certain consistent layout etc., were this spec to be demanded by e.g. the EU, then it could see a really positive shift
The GDPR already explicitly forbids 95% of the cookie banners out there, but large companies decided to ignore it and simply face the fines if they in some hypothetical future will arrive. The rest of the industry followed.

Until the law that defined informed consent actually gets enforced, a new law can not really fix it unless the regulators start to add the threat of jail time for repeat offenders.

> but large companies decided to ignore it and simply face the fines if they in some hypothetical future will arrive.

This is not the case. The fines are up to 2% of annual global turnover. This scares companies.

Moreover, some of the worst offending cookie banners are slowly being replaced by better ones as more and more organizations (such as noyb) file official complaints and companies get fined.

> This is not the case. The fines are up to 2% of annual global turnover. This scares companies.

You are wrong. The initial fine is much, much lower and companies have so long to dabble in wilful ignorance that it is at the moment not something that has teeth. Companies are like bullies, they don't respect threats - only harm.

> initial fine is much, much lower and companies have so long to dabble in wilful ignorance

Another diluent: the maximum fine is practically the lesser of 2% and the NPV of business in that European country, or, expansively, in Europe. If you have little business in Europe, it’s cheaper in some cases to simply close shop.

It obviously doesn't scare them enough, even if it should in theory.
A standardised protocol approach might make enforcement easier. It would make it a lot more clear cut whether someone was infringing or not.
Automated enforcement is already easy if there were willingness to do it. The majority of non-compliant cookie banners use a handful of libraries and/or third-party services such as TrustArc, so detecting these with a web scraper is trivial.
Noyb - one of the organisations behind this proposal - have started contacting the operators of non-compliant websites,[0] as the first step in forcing them towards compliance.

If they change their ways then good, if not Noyb has a much more solid case when making a complaint to the SAs and/or the courts.

[0] https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...

I mean, a good first step would be to start fining companies 2% of the revenue. Especially Google. And then maybe automate the GDPR fines, because it's definitely possible to identify that a site puts up a non-compliant banner.

No need to add the threat of jail time, _especially_ if it isn't enforced.

2% of revenue while stalling the GDPR process and taking it to court for 10 years makes it only 0.2% ;)
Even so, it would be 0.2% per EU country, right? Because the legislation is transposed into member states legislation. I doubt that anybody would really want to fight (& risk losing) in even 5 member states per year...
That would be 2% each year for ten years of infringement though, and very expensive lawyers to pay for at least that duration.
It is time for the governments to take control back and start regulating BigTech: you can not easily opt out from any data gathering from Google, Microsoft, Apple, Facebook, ... If you try it and turn it off on mobile phone and desktop you will constantly have issues and be flooded with messages like "turn on location services", etc. Yesterday I learned that my private calendar on my phone was replicated to Google Calendar >>for many years<< without my knowledge, because the default setting was to save new events into Google Calendar and not a local phone calendar... and I was not asked during setup if I would like that (I have turned off all replication / data sharing / etc.)... this is just crazy... they are basically STEALING MY DATA and sending it to the cloud where it is processed without my knowledge... I hope they pay BIG MONEY for these GDPR breaches...
I doubt there is an easy fix in cases like Google Calendar due to consumer expectations. Simply put, there are certain types of data that many consumers expect to be synchronised, and those of us who have the opposite expectation (or only want certain data to be synchronised) are likely in the minority.

This is somewhat different from most tracking done on the web, which is done for the exclusive benefit of those doing the tracking.

How is this possible? Probably forgot you gave consent to Google calendar?
Recent Android phones sync a ton of stuff automatically - which I suppose you agree to by signing in with a Google account, but that's also typically required. I know this because on the last two Android phones I purchased, a set of old outdated contacts from my Google account were automatically synced to the phone as soon as I logged in, which I was required to do to begin using the device.

Believe me, I would have opted out of this had I been prompted to do so during setup.

Time to go away from GMail account...
I checked again exactly why this happened: Samsung Calendars app (which is a default calendar app on Samsung phones) has set a default calendar for my new events to my Google Calendar account. And if you just enter the event title and set the time (what one would usually do) - and leave all other settings untouched - then by default it will be added to your Google account which will then be synced to the cloud... You can change these settings (see [1]), but the default is wrong!

[1] https://eu.community.samsung.com/t5/galaxy-s9-series/default...

Be sure that I didn't give any consent...
I would argue that times have changed. Sure, there's still misaligned interests between ad providers and users in terms of privacy. But I think the EU regulators found the right level of financial incentives to change some of the worst habits.
The ad industry is not monolithic, though. Some people want to genuinely move on to less privacy-invasive business models; others not. I have been to industry conferences where the advice was "well, if you do not like the Do Not Sell link on your site, maybe it's time to stop selling and start changing your business model."

What is different this time around compared to P3P, DNT, and other earlier mechanisms is that the times have changed. Privacy is a much bigger topic. There is much more reporting now about privacy. Users understand a bit better (though we are still far off from real transparency). Lawmakers and regulators are catching up. Many companies embrace privacy. There is a burgeoning privacy tech industry with quite a bit of venture funding.

Also, lessons were learned from earlier efforts. CalOPPA required recipients of DNT signals to only say whether they respect those. The CCPA regulations now require actual compliance. If the CCPA is applicable to your company, you have no choice but to respect it. And that is also true for automated browser signals. There is much stronger enforcement now behind more recent privacy laws. Virginia and Colorado recently enacted privacy laws, and it is likely that other states will do so too.

Disclosure: I am an academic researcher working with collaborators of all stripes on Global Privacy Control (GPC) [1, 2]. We are in touch with the good folks at ADPC and support their work. They are doing a fantastic job over there!

[1] https://globalprivacycontrol.org/ [2] https://github.com/privacycg/proposals/issues/10
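The comment above describes automated browser signals (GPC, and before it DNT) that a site is required to honour without a banner. As an added example, not code from the thread, from the GPC project or from ADPC, here is the server-side half of that: a request-handling function that looks for the GPC request header (`Sec-GPC: 1`, as defined by the GPC proposal) and the older `DNT: 1` header, and derives a tracking policy for the request. The sample requests and the policy fields (`allowAnalytics`, `allowAdTracking`, etc.) are constructed for this example and are not part of either specification.

```javascript
// Added example (not from the thread or from the GPC/ADPC projects): honour an
// automated opt-out signal server-side instead of asking via a banner.

// HTTP header names are case-insensitive, so normalise before lookup.
function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns 'gpc', 'dnt' or null depending on which signal, if any, asks the site
// not to sell or share the visitor's data. Sec-GPC comes from the GPC proposal;
// DNT is the older W3C Do Not Track header. Both only carry the value "1".
function optOutSignal(headers) {
  const h = lowerCaseHeaders(headers);
  if (h['sec-gpc'] === '1') return 'gpc';
  if (h['dnt'] === '1') return 'dnt';
  return null;
}

// Derive what may load for this request. With a signal present the user's
// choice is already known, so no banner is needed and only strictly necessary
// cookies (session, CSRF) are set; those need no consent under the GDPR.
// Field names here are this example's own, not part of any spec.
function trackingPolicy(headers) {
  const signal = optOutSignal(headers);
  const optedOut = signal !== null;
  return {
    signal,
    showBanner: !optedOut,
    allowNecessary: true,
    allowAnalytics: !optedOut,
    allowAdTracking: !optedOut,
  };
}

// Constructed sample requests (header maps as a Node http server would see them).
const REQ_GPC = { Host: 'example.com', 'Sec-GPC': '1', Accept: 'text/html' };
const REQ_DNT = { host: 'example.com', dnt: '1' };
const REQ_NONE = { Host: 'example.com', Accept: 'text/html' };

console.log('GPC request:', trackingPolicy(REQ_GPC));
console.log('DNT request:', trackingPolicy(REQ_DNT));
console.log('no signal:', trackingPolicy(REQ_NONE));
```

The point of the mapping is that the decision happens before any third-party script is emitted: a site that reads the signal at request time never has to "unset" cookies afterwards, which is the failure mode of banners that only flip their own consent cookie.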

Thing is, how is regulation supposed to ever keep up with the rapid advancements of technology and advertising and the lobbies that come with all that revenue?

Capital and technology need not respect sovereign borders and laws as long as they can keep one step ahead of enforcement and still get enough revenue. The laws and lawmakers are fundamentally slower and weaker and poorer; by the time CCPA et al have an actual deterrent effect (beyond just mandated privacy notices), the industry will have moved on to some more sinister loophole.

It's an arms race that 1700s-style government simply cannot keep up with. It takes months to come up with new algorithmic loopholes, decades to change the law, one industry-friendly administration to undo all the progress.

Offloading privacy to government only works when you have strong states (China, the E.U. maybe). In the US, what's left of the federal government is too crippled to effectively tackle this (and arguably any technological problem) at scale. State-specific laws are subject to the same constraints, and additionally face the problem of enforcement across borders and Commerce Clause issues. If anything this will be an arms race between adtech and adblocking; Congress is the kid in the corner crying, "But I wanna play too!" and pretty much shrugged off by everyone else.

Simple: the law should be written in a technology-agnostic way. Something along the lines of "Services shall not track user behavior beyond what is necessary to render service, and user behavior shall not be sold to, shared with, or otherwise made useable by third parties without user consent". Then it doesn't matter what technology you come up with in the future; it is covered.
That doesn't really work long term. "necessary to render service" might include advertising dollars. And who is a "third party"... If ad networks reorganize into a cooperative that offers services directly to publishers in the manner of AWS, are they still a third party? And user consent, what if it becomes a requirement to consent before you can access data, or opting out gives you diminished functionality...

None of that is far fetched. Facebook, Google, Apple etc. all track and use first party data. If anything this just consolidates advertising power into the hands of an oligarchy that's already largely above antitrust law.

The law is never simple, exhaustive, or agile when it comes to regulating technologies.

GDPR has been the most successful of the bunch and all it really did was force a bunch of cookie notices and deletion processes. That still largely depends on people lazily accepting advertising.

Any proposed law that singlehandedly destroys ad tech is unlikely to either pass or stay relevant for more than a few months.

> They want you to associate them with privacy, and conclude that privacy laws are pointless and should be repealed.

This is a sentiment expressed surprisingly often even here on HN.

A huge proportion of posters either work at adware companies or are big time owners of adware stocks.

And as the Sinclair adage goes, it is difficult to get a man to understand something when his salary depends on his not understanding it.

I used to work in adtech. My position then, as now:

1. targeted ad buys are mostly a scam. Research shows that they are barely more effective than old-fashioned contextual ads.

2. Contextual ads, aka "dumb" ads, the kind that show ads based on the content they are displayed with, are fine.

3. adtech companies depend on advertisers not understanding (1) and publishers chasing dollars by signing up with ad targeting networks.

The ones that are actually making money are the ad networks, and it is in their interest to spread FUD about (1) and not offer (2), as they make their money as a percentage of every ad sale (auction) transaction, and the CPM is higher on targeted ads because of ignorance of (1)

Well, just like many others I own - both directly and indirectly - some tech stocks, but it doesn't influence my view on privacy at all.

Actually, the view that they have to either do unethical things like tracking or perish is one of the greatest fallacies and a sign of lazy thinking.

This is intellectually lazy. You can't just assume that the large numbers of people who hold a position you disagree with do so only because they have some secret bias. It's a position which is not falsifiable and which absolves oneself of having to think critically about their own position.
One man's 'intellectually lazy' is another man's 'educated guess'. Or as this community loves to say about others, "It is difficult to get a man to understand something, when his salary depends on his not understanding it."

There are plenty of people online playing devil's advocate because one day they too could be rich and they don't want the harsh yoke of government regulation holding them back.

On HN, part of the audience is in closer proximity to that kind of wealth, and their arguments in favour of that status quo reflect this.

Call it whatever you like, it's still an unfalsifiable claim resting on fallacious reasoning.

As a general best practice, if you are convinced something is true, ask yourself "what evidence would someone have to show me to convince me this is not true" - if you can't think of something, there's a problem.

I am completely outside of adtech influence and even I can recognize that the costs may outweigh the benefits of the current state of government-attempted adtech regulation. Most arguing against these laws are either more libertarian wrt tech, or take umbrage with the specific nature and enforcement of the law.

Almost everyone wants privacy limits, they just don't agree on the current measures (or their previous ones, or the ones before that, or doubling down on continued failed policy approaches in the future).

By this reasoning, you must be a Google shill since the GDPR has been great for their market share: https://globaldatareview.com/competitionantitrust/study-gdpr...
P3P wasn't great. It's pretty hard to reduce the nuance of how you're proposing to use data down to a handful of fields that will be automatically processed.

I remember spending a silly amount of time trying to come up with a P3P policy that was both accurate and also didn't break sign-on for a single app that used multiple domains.

Just use Super Agent. You choose your preferences once and that's it. And once iOS 15 is out, it will be available in mobile.
What is Super Agent?
As I understand it, the idea would be to make respecting these automatic signal mandatory in an update to the GDPR. See https://techcrunch.com/2021/06/14/europe-needs-to-back-brows... for some more context.

Granted though that enforcement of the existing rules seems to be the biggest problem today.

And if a browser or extension abuses these signals (i.e. always sends them without user's explicit and informed consent), who is liable?
Liable for what? GDPR says you can only collect data if you have informed consent from the user. It does not imply any right on the side of the business to be able to obtain such consent.
> Adtech companies don't want users to have an easy opt-out. They didn't want P3P. They didn't want DNT. They will not want this new spec, unless the spec is so bad that most users will agree by accident.

Reminder that Internet advertising has a lot of actors with competing interests, and it is not usually the "adtech companies" who don't want users to have an easy-opt out, but publishers and to a lesser extent the advertisers. Many "adtech companies" would love to have clearer legal signals and simpler, industry-wide justification to collect less data.

Publishers have been very good at foisting all user frustration off on vague "adtech" (or alternately, adtech companies have been effective at reputation laundering for publishers/advertisers) but they're the ones that want to collect, share, and sell the data to be able to raise their rates.

This is fundamentally misunderstanding how internet advertising works:

advertisers will pay higher CPM for precise targeting and attribution

publishers want the best CPM they can get

adtech uses as many tricks as possible to get as much information as possible about a user so they can maximize the CPM the advertiser will pay

Publishers just end up doing what ever their adtech partners tell them will give them the best CPM.

Haha, no. You're falling for the trick, or maybe you're just 10 years behind.

Publishers (and retailers, and anyone with a dataset) seek out adtech partner companies, to justify high CPMs and to sell their audience data. Adtech companies are market-makers, it's been years since the data they can get independently of supply-side partners was worth shit.

The publisher is the one with the cookie warning and consent forms! The publisher is the one who wants you to log in with a stable ID! The publisher is the one with a model of you regardless of your ad or tracker blocker settings! The adtech companies will sell you downstream for sure, but the publishers are the ones deploying as many tricks as possible to gather data.

And yeah, adtech companies will advise them about how to effectively gather data. That's a lot less about "tricks" and more about how to build salable taxonomies instead of data lakes full of garbage. To the extent it's about tricks, it's more often the adtech companies having to patiently but firmly explain, no, you can't just hardcode a single consent state for all visitors and send that to us in lieu of a real CMP. (A purely theoretical example, of course...)

You're being very generous to adtech's role in this. Any undisclosed bias?

Adtech is very much instrumental in the race to extract as much value from attention as possible.

Adtech built a market for advertisers to target users based on interest (which may or may not be a scam[1]). Advertisers exploit this and other tools at their disposal (astroturfing, embedded marketing, etc.), but they're certainly not as vicious or out of control as what adtech can produce.

The publisher has my information if I give it to them or if they buy it somewhere. Adtech has it regardless of what I do. Why would a publisher even want a model of me when what they want is for their product to reach me on as many sites as possible, not just their own? An adtech company having as much information on everyone can serve many publishers, so it's no wonder the system is so centralized.

[1]: https://news.ycombinator.com/item?id=27531714

> Publishers (and retailers, and anyone with a dataset) seek out adtech partner companies, to justify high CPMs and to sell their audience data. Adtech companies are market-makers, it's been years since the data they can get independently of supply-side partners was worth shit.

You're correct, for large publishers ... I guess we could almost say they are adtech companies now.

IMO it's easier to just call them "surveillance companies" and be done with it. Regardless of whether they're collecting, storing, or processing surveillance data, they're all in the same business as Equifax, Google, Lexis-Nexis, and NSA.
The thing about this new spec is that it's compatible with the GDPR in a way that could make adopting this a legal requirement, given enough lobbying effort. It'd be a long battle, but I could foresee a future where regulators require adtech to implement this spec to obtain consent.

That won't stop them from additionally using cookie banners, out of spite. But I suspect many websites that currently have cookie banners only have them because they believe it to be necessary, and it's hard to push back on it. If such a spec came to be recognized as a way to obtain consent by regulation, it'd make it easy to point its way, and at least end the madness of cookie banners on websites that don't need it.

"the banners are malicious compliance."

I agree. But I don't think it's because adtech want you to think privacy is shit; I think it's because by compelling you to click, they can run Javascript in the context of a user gesture.

I want a plugin that automatically says "OK" to cookie banners. My browser already blocks 3rd-party cookies. It only allows session cookies. Cookie banners are like fire-hydrant CAPTCHAs - they massively increase the friction that web users have to deal with.

They also legitimise other kinds of popup window that websites present. I've noticed more and more popups appearing on first visit to a site, inviting me to subscribe to a newsletter or whatever. You often see a cookie banner, followed by a newsletter popup, followed by a Google login popup. Who knows, maybe there's a traffic-lights CAPTCHA.

Then finally you're into the site, and it turns out to be Washpo or NYT, and you can't read the article anyway, because it's paywalled.

Can we have our open web back please, mister?

>I want a plugin that automatically says "OK" to cookie banners.

Why would you want that? Even if you delete 3rd-party cookies that would still allow tracking companies to log your IP and track you through some other shady means which you've now consented to.

Because it makes no difference to my assurance-level which button I click. There's no way of knowing what they do serverside with your form submission (and it nearly always is a form submission).

Cookie approval has to be under the control of the user, not the website. So it has to be done by the browser or an extension. So if I have user-controlled cookie-approval, I might as well click "OK" on the form - the site might treat me better if I do.

“ I want a plugin that automatically says "OK" to cookie banners.”

Try “I don’t care about cookies” :)

https://www.i-dont-care-about-cookies.eu/

Is this extension trustworthy? It is "recommended" and says GPL3 but there is no link to the source code anywhere.
The author doesn't publish the extension sources. https://reddit.com/comments/bru6wd/comment/eohtox3
Their argument is that the extension as it's distributed is essentially a zip file containing the source code.
I don't think that's quite in compliance with GPL3, but I'm not a lawyer. The bundled release artifact doesn't allow someone to build the extension, and I think GPL3 takes that into account. If I have a Java program, I have the bytecode, and unless it's been run through an obfuscator, I can pretty easily recreate the Java code. But the GPL3 doesn't count that as compliant.
Thanks - I'm looking into that.
A much better option is Consent-o-Matic, which will reject cookies for you automatically.
Visit https://gdpr.eu or https://europa.eu/european-union/index_en "The Official website of the European Union". Look down. Both have a cookie banner.

The emperor is naked. The GDPR law is broken.

But privacy laws are pointless and should be repealed.

All this noise about cookie privacy, fingerprinting, FLoC, tracking, etc. --- what are the actual harms that make these things bad? Has anyone in the real world ever experienced a concrete harm arising from interest targeting? Doubtful.

The EU privacy regime imposes a heavy regulatory burden in exchange for nothing. Information is a non-rivalrous good. Further limiting its dissemination will increase friction all over the internet, impose new transaction costs on previously free interactions, and make the whole network less useful for everyone. And for what? Assuaging the paranoia of a tiny fragile and vocal minority of privacy activists? Sorry, but that's not worth breaking the internet.

Information is power. The more information about more people with more depth to the graph is amassed by Big Tech and 3-letter agencies, the more soft power is accrued over large groups of people, economies, processes and even nations.

And this ability is currently asymmetric. While Big Tech and Big Govt knows nearly everything about everybody, ordinary citizens are denied data and transparency. And even if the data may be hypothetically available, its scale precludes analysis by anyone except highly funded groups.

Lack of privacy does translate to enormous soft power. It doesn't have to result in death, although the potential is there for that too. Democracy and individual liberty become meaningless except on paper.

I'm not sure that's what we want, in exchange for a few conveniences in the palm of our hands.

> The more information about more people with more depth to the graph is amassed by Big Tech and 3-letter agencies, the more soft power is accrued over large groups of people, economies, processes and even nations.

Is there any evidence that Big Tech and Big Government are actually controlling people by tagging them in some database (which no human actually inspects) as being interested in hiking gear and cookie recipes? Give me a break.

What you've described isn't a concrete harm, but an emotion --- specifically, fear. Lots of fears are baseless. So is this one. We shouldn't organize society around the baseless fears of tiny vocal minorities.

We call it stalking when an individual does it.

It should be, flatly, illegal to collect that sort of data about people without a business need to do so, and illegal to use it for any other purpose, transfer it to any other entity without the same restrictions on its use, et c., when it's needed (like: credit card companies and banks obviously need to know where & when you spend money, but they shouldn't be able to use those data for anything else at all—no aggregating and re-selling to others, no mining spending trends for investment intelligence, no targeting ads at you based on it, none of that).

Companies who track your information, including FAANG, get regularly investigated and often fined for violating antitrust laws when they use the data they've gathered to limit or outright kill competition. I find it disingenuous to ask for evidence of some kind of vague "companies controlling people" when it's obvious that they do it on a larger scale all the time.

No, companies do not mind control people on an individual level, but what they do has all the traditional effects of monopolies/oligopolies that are not democratically controlled by the people affected but a handful of rich executives.

I'm not even going to go to the "advertising controls people" dialog tree. If it's not obvious why having the power of putting anything you want in front of billions of people is powerful, then I don't think there's a discussion worth having.

> it's not obvious why having the power of putting anything you want in front of billions of people is powerful, then I don't think there's a discussion worth having

There it is. It's not about tracking per se. It's really about control over advertising and information dissemination more broadly.

Motte: preserving user privacy by blocking cookies

Bailey: let's tightly control who can put messages in front of the general public

Privacy is a human right, and respecting it does not, in any way whatsoever, break the internet.
Specifically, Article 12 of the UDHR states:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

https://en.wikipedia.org/wiki/Universal_Declaration_of_Human...

Why isn't this Article at the forefront of any and all conversation re: privacy?

UDHR is not a binding law, it is a "declaration". An aspirational statement of common understanding made by bureaucrats in a big conference in 1948, and is one of many such "declarations". Thus trying to cite a certain passage of this 70 year old declaration as if it had legal force today in any country on earth is a pretty odd thing to do. A declaration isn't even a treaty, and of course a treaty needs to be ratified to be in effect. So not only has the UDHR not been ratified by anyone, it can't be ratified as it is not even a treaty to begin with.

Now some nations may have decided to take some of the principles in this declaration and turn them into laws. But you will find that there is great variance in the human rights laws today even between, say, Canada and the U.S., or Mexico and Japan.

The fact of the matter is human rights are a social construct and they very much differ on what society you are in and what that society has decided are the rights it will observe. Looking around, we find very different definitions and interpretations of rights all around the world.

Additionally Article 8 of the European Convention on Human Rights[0]

>Everyone has the right to respect for his private and family life, his home and his correspondence.

>There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union[1]

>Everyone has the right to respect for his or her private and family life, home and communications.

and

>1. Everyone has the right to the protection of personal data concerning him or her.

>2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

>3. Compliance with these rules shall be subject to control by an independent authority.

Both of these documents are legally binding (the former on all member states of the Council of Europe,[2] and the latter on the EU and its member states)

[0] https://en.wikisource.org/wiki/European_Convention_for_the_P...

[1] https://www.europarl.europa.eu/charter/pdf/text_en.pdf

[2] https://en.wikipedia.org/wiki/Council_of_Europe

Who defines what "privacy" means? You? Why? Can you point me to the place where the Universal Declaration of Human Rights talks about cookies and FLoC? The UDHR is not a blank check for banning anything you want in the name of "privacy".

There are a lot of angry people in this thread stating what they want, but none have offered an argument for why we should structure society around their whims. Sorry, but "you shouldn't be able to collect information" isn't an argument. It's a wish. Nobody is under any obligation to indulge the wishes of random strangers.

There's nothing in the Universal Declaration of Human Rights about privacy regarding medical records, but various jurisdictions agree that it's worth protecting.

> Sorry, but "you shouldn't be able to collect information" isn't an argument.

How about "private entities shouldn't be able to collect my information without my explicit consent".

> It's a wish. Nobody is under any obligation to indulge the wishes of random strangers.

Yours included.

> what are the actual harms

The kind of question can only be asked by someone who has never been abused by a domestic partner, never been on the wrong end of debt collectors, the law, disgruntled employees, doxxers, or other real and persistent threats that are enabled by the data collection and aggregation that is the foundation of interest targeting.

Do abusive domestic partners, debt collectors, random employees, or angry doxxers have access to targeted advertising interest data? The "harm" you're discussing is hypothetical and extremely unlikely. I'm asking for concrete examples.
Debt collectors are huge data broker clients. (And sellers too - junk debt can go both ways on these markets.) Disgruntled employees leak a fair bit too.
40% of police officer families experience domestic violence: https://www.theatlantic.com/national/archive/2014/09/police-...
The most frustrating thing about these cookie banners (more like cookie lightboxes) is that almost none of them are compliant with the rules. Unfortunately I don't have time to find the source right now, but I'm pretty sure I've read official EU guidance docs clearly stating that many "dark patterns" are simply illegal. For example making the "Accept all cookies" button require less effort than only accepting necessary cookies, which almost every page does.

I feel like the current state of cookie consent is completely broken, partly due to the complete lack of enforcement, and having a browser-specific setting that propagates to all pages would be great -- but again you have to think about incentives. If pages are not required to accept these settings, their incentive is to ignore them and to claim that since it's unfortunately not supported "yet" (read "ever"), you still have to wade through the cookie form.

At least in France, there's CNIL (Commission Nationale de l'Informatique et des Libertés) that started going after the top non-compliant websites and sending love letters like "you have N days to become compliant".

[1] https://www.cnil.fr/en/home

And then Europeans complain when the rest of the world geoblocks them.
Where are these fictional Europeans who want strong enforcement of privacy laws and complain about geoblocking?

The whole point is that either you follow our laws or you lose access to Europe. Geoblocking is just self-regulation.

Here's one. I hate it how I can no longer access 90% of local US news websites.
Every single time I've had this problem I've just used the Google cache or archive.org
No one's complaining about not being able to access shitty websites that can't be arsed to make clear which companies are tracking you.
No, we politely inform you that geoblocking is not actually required. But thanks for protecting us from your privacy-violating website anyway.
I have been building some sites where I have explicitly tried to remove or avoid cookies completely. It is really tricky as any third party script or embed can set cookies, which may be retained depending on browser version. We end up using generic cookie prompts just in case to appease corporate compliance even when nothing is usually set on the page. And the HTTP nature of cookies makes automating things much more difficult. You can't just drop in some javascript that overrides document.cookie, and even if you could it would not be supported by all browsers.

What I would like is to be able to whitelist domains in content security policy and reject everything else by default.
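A deny-by-default Content-Security-Policy of the kind described above, as an added example that is not part of this comment or of any project mentioned in the thread. The directive names are standard CSP; the domains are constructed placeholders, and the nginx `add_header` form is assumed only because it allows comments. CSP only limits which origins the page may load resources from; an origin that is allow-listed can still set its own cookies, so the list has to be restricted to embeds that don't (YouTube's privacy-enhanced `youtube-nocookie.com` domain is used here as a stand-in for the embed case raised elsewhere in the thread).

```nginx
# Added example: deny-by-default CSP with an explicit origin allow-list.
# Every resource type falls back to default-src 'none' unless a more
# specific directive grants it, so a newly added third-party tag fails
# closed instead of silently loading (and silently setting cookies).
#
# Roll out as Content-Security-Policy-Report-Only first; the browser then
# logs violations without blocking, which surfaces any embed or script that
# the page actually depends on before the enforcing header is switched on.
add_header Content-Security-Policy-Report-Only
    "default-src 'none'; \
     script-src  'self'; \
     style-src   'self'; \
     img-src     'self' https://static.example.com; \
     font-src    'self'; \
     connect-src 'self'; \
     frame-src   https://www.youtube-nocookie.com; \
     base-uri    'self'; \
     form-action 'self'; \
     frame-ancestors 'none'; \
     report-uri  /csp-report" always;

# Once the report endpoint stays quiet for normal traffic, replace the
# header name with Content-Security-Policy and the policy is enforced:
# anything not on the list above (analytics tags, social widgets, ad
# scripts) is refused by the browser and never gets a chance to set a cookie.
```

Note that `frame-src`, `script-src` and `connect-src` are the directives that matter for the cookie question: a third party can only set a cookie in the user's browser if the browser is allowed to fetch something from it, and this policy names those origins one by one rather than inheriting a permissive default.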

Why avoid cookies entirely? You don't need a cookie banner for cookies essential to the functioning of your site.
You want to avoid cookies entirely so that you don't need a cookie policy and that you don't need a cookie banner.

It's also significantly easier to convince a lawyer that you don't need these things if you can prove that there are no cookies whatsoever. And even then they'll be suspicious.

It's harder than it looks, just embedding a YouTube video for example already sets third-party cookies. Same with embedding a Twitter feed or Google Analytics. There are solutions for all of these things, but the standard/easy way of doing these things means your user gets a third-party cookie, which means you need the banner.

> You want to avoid cookies entirely so that you don't need a cookie policy and that you don't need a cookie banner.

Wrong. Functional cookies are exempt.

Of course I know that, but did you ever talk to someone who is not in technology but does have a say in determining what "we" need to do to cover "our" asses?

Say, a lawyer with the responsibility that all of our websites implement all of the relevant regulations?

You would think that they are up to date on what regulations you need to follow, but you'd be surprised. Many take a blanket "no risks under any circumstances" approach. These types can only be placated with the "we don't have any cookies at all" argument. And even then only barely.

The statement isn't "Wrong.", it's just overly strict.
What are "functional cookies"? Are analytics/telemetry cookies functional? Are cookies identifying google users so they can receive targeted content but also ads "functional"?

GDPR never bothered to specify. This is why GDPR is broken and sadly it broke the web.

Still, the boss said: "add a banner anyway." Better safe than sorry, and everyone expects it by now.
These particular sites didn't need essential cookies and discussion about privacy/cookies was taking lots of time for no real benefit.

Also, I believe philosophically in trying to reduce things like analytics and tracking.

> For example making the "Accept all cookies" button require less effort than only accepting necessary cookies, which almost every page does.

Like those that make you uncheck 10 or 20 entries one by one.

The best ones are the ones that provide a list to 100 partners and ask you to visit them to opt out. Usually just close the tab when I hit one of those.
Those are the worst. And calling them “legitimate interest” only adds insult to injury.
Also the providers that appear to offer an even choice of accept all/reject all, except you realise that they've classified a second "legitimate interest" option for everything which the reject all doesn't cover (because that would be objecting, not rejecting)
Or like those that make the "Accept all cookies" button green and the "accept necessary" white/colorless/default.
I recently came across a website that makes the "Accept all cookies" button secondary and the "accept necessary" primary. It's such an effort to actually press the primary button — I have been so trained by the completely disdainful behavior of the majority of websites.
I saw the exact same thing and was surprised too! I wonder if it was a site that was on HN...

I pressed "accept all" by accident and thought "wow".

Well I needed to visit the website due to an unfortunate event in meatspace - in no way hacker news related. So it seems there's definitely at least two sites which do it!
Max Schrems now has a foundation you can donate to: https://noyb.eu/en
But they pretend to be legal. They at least make an attempt to seem kind of legal. And that's what matters.

If you only accept a spec like this there is no way to pretend to be legal other than to accept it anymore. Make custom cookie banners totally illegal. Force the use of this. No dark patterns, no semi-legal trickery. Either you use it and accept it, or you don't. Take out the grey area.

That's my point: that if you create a standard like this but don't enforce it (which is not the same thing as its legality) it won't matter. What is the consequence going to be of ignoring it? Will it be enough to actually create an incentive more attractive than breaking the law?
Instead of permitting sites to request consent of the user directly, they should be required to request consent via an official EU site. It could work like an authorisation redirect flow. This would standardise the consent UI, and prevent sites from implementing dark patterns.
Then the EU tracks everything everyone does. Nice.
The site could provide an opaque ID for user. Also, anti-tracking on the part of the EU could be enforced by law.
Ignoring the many obvious privacy issues with this proposal, have you considered how this would result in a legally mandated single point of failure for (nearly..) all web sites?
Better yet, a standard browser interface.
This is an awful idea.
Yup, this is absolutely the case. Consent in order to count as consent has to be clearly affirmative, freely given, specific, informed, unambiguous and can be withdrawn.

https://gdpr-info.eu/art-7-gdpr/

It's EU, it varies by country. Each country takes the European GDPR law/guidelines and implements it on the national level. There may be slight differences. Your specific example where opting out must not cost more effort than opting in is specific to the UK GDPR implementation for instance.
The point is that it's not being enforced, so if we assume what you say is true for the sake of argument, then the only way that would be OK was if a different cookie banner was shown for visitors from the UK, which I highly doubt happens in any meaningful percent of cases.
No. The GDPR is an EU Regulation which is, by definition, a binding legislative act. It applies in its entirety across the EU - no exceptions, no opt-outs. EU Member States are allowed to interpret (to a greater or lesser degree) EU Directives when they translate them into national law[1]

The EU GDPR no longer applies in the UK because the UK is no longer a member of the EU. The EU GDPR has been incorporated into UK law (as the UK GDPR) but there's nothing preventing the UK Government varying it at any point in the future[2]

[1] - https://europa.eu/european-union/law/legal-acts_en

[2] - https://ico.org.uk/for-organisations/dp-at-the-end-of-the-tr...

'A "directive" is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.'
> A "directive" is a legislative act that sets out ...

Maybe my wording was a bit vague. How about: "The GDPR is an EU Regulation which is, by definition, a binding legislative act which applies in its entirety across the EU without the need for Member States to pass any further national legislation. This is different to EU Directives, which EU Member States will implement by translating them into their own national law - which in turn does give Member States room to 'interpret' the Directive's requirements - subject to legal challenge in the Court of Justice of the European Union"

And the GDPR is not a directive.
But cookie banners must also adhere to the ePrivacy Directive, which is a directive (as the name implies).
Why do they still think we want tracking cookies? The ad industry should prepare for a future with no tracking instead of trying to survive with ever shadier tricks, IMO.

This won't work:

- browsers other than Chrome will say "no tracking" by default, tracking companies won't like that

- websites will ignore this, this will be known and people will be upset even more

- more javascript when we want less

> more javascript when we want less

Notice that if you disable javascript by default most cookie banners disappear and everything becomes better. Then you can enable it per-site if you need something in particular.

I tried that for a month, but most sites I encountered on search engines will just break or even refuse to render unless I enable JS. At first, I tried to leave the site and find an alternative, but after a while I found myself enabling JS on every site I visit that requires it, which negates the whole point.
You should check out uMatrix to get even more fine grained control over sites.

I usually allow images on every page, that's it. Some need CSS, some need iframes, and a small subset of websites I visit are actual webapps that need javascript.

I love uMatrix but development on it has stopped so it won't receive bug fixes and it will probably stop working someday. I don't think I would recommend new users start using it.

https://github.com/gorhill/uMatrix https://news.ycombinator.com/item?id=24532973

Yes true, but it's still working mostly and I don't have a real alternative.

I want to switch to uBlock's Advanced mode which seems to do similar things, but I haven't yet.

The UI is much less clear on what is blocked or not compared to uMatrix. I definitely prefer the latter.
The ad industry has measured, and tracking means more revenue and more clicks. How much more? 2x. Not more. But 2x is 5 years of 15% "normal growth".

They will absolutely not accept going back in time just 5 years in terms of revenue. They will fight to the death over every dollar.

They don't think we want tracking cookies - it just doesn't matter what you want with all the incentives to track.
They do think that we want personalised ads, though, and tracking cookies are just the tech-at-hand that is the least-cost way to do that.
Do we want personalized ads, though? I don't, but I suspect I'm in a small minority. If I want to purchase something, I'll go do some research. I specifically don't want ads that are designed to try to get me to purchase something I don't need based on some manipulative psychological model based on my browsing behavior.

A quick search makes it apparent to me that most people do want personalized ads, or at least think they do, while at the same time most people don't want the behind-the-scenes tech that makes it possible.

I think it also doesn’t really matter if we want or don’t want them - if people are more likely to click on personalized ads (I’d be surprised if they aren’t) then they’ll do it anyway. Just so happens it sounds appealing to some.
The proposal includes no JS at all, and will probably reduce the amount of JS because it replaces current cookie consent modals and banners.
It includes JS. See section "8. JavaScript-based interaction". I guess the idea is that just as you can control cookies both via HTTP headers and JS, you will be able to request consent both via HTTP headers and JS.
My mistake. It does have an option to use JS, though it's not a requirement and it's no-JS by default.
They don't.

They think if they keep badgering you enough you will eventually cave and say yes.

When working in that industry, the cope is thinking people are ok with it, because it’s the “price” of free web content, and consumers are choosing it over anything with a paywall.

I hope free software micropayments payperview can be part of the web! Maybe with GNU Taler or Offset by Freedomlayer[0]

[0] https://www.offsetcredit.org/

I agree. Wouldn’t we all love to go back to the old old internet, where people did things a) because they wanted to, or b) because you paid them to. Both of these things make sense and are how the world has worked for a long, long time. This vague, nebulous money from ads and tracking has all the wrong incentives. It’s not “make the best hammer” anymore, it’s “make an addictive hammer that you’ll never want to leave your hand”. TV has and had the same problem to a smaller extent, and sports are infected with it too

I honestly think there’s a good case to be made for banning advertising entirely, and replacing it with a societal stipend for art and media, or at least restricting it to specific places. The back of newspapers, for example.

I’m sure there are plenty of problems with and arguments against the idea, but it’s definitely worth discussing

It’s easy to say “ban this”, but what does it mean? Government laws are nothing without enforcement, and enforcement ultimately means sending armed men to people, and if they resist and protect themselves, ultimately threatening to kill them. Ads are bad, but such force is not justified.

The same with the stipend - we actually have this in my country Sweden, called “press support”. It’s a massive political tool because of the bias of the gov agency workers who administrate it. It has also been used by one party (C) to make a newspaper empire, making the party one of the richest in the world, in large part by milking these press support stipends. The same party recently had multiple pedophilia scandals, which they don’t write about in their own publications.

“Man plans, God laughs” and this applies to any attempt to centrally plan economics.

I personally hope Offset by Freedomlayer can be the solution to micropayments online. If only I could incentivise the author of it to make an iOS version

> Why do they still think we want tracking cookies?

Some people do. I would like to see relevant ads (of good special offers especially) if somebody could guarantee the ads are going to be humble and unintrusive, the goods advertised are of high quality and no-scam, the information they get from tracking can not be seen by any 3rd party (including legal authorities) and used for any purpose other than good recommendations under any circumstances ever.

When I just finished school I didn't mind cookies (and actually hoped ads relevance was going to increase and increase) because I didn't think about the dangers which come with them.

There are people who still believe they have nothing to hide and don't mind relevant offers.

I’m sure you’re right that a small minority doesn’t mind being tracked and provided personalised ads, but there are other problems too. Advertising brings poor incentives for businesses, even worse than usual. Engagement is king, and product satisfaction is hardly relevant
We know how small: 4% clicked to opt-in to IDFA tracking in iOS 14. And I suspect a large number of those are people who got confused and clicked on the wrong button.
that’s assuming iOS users are representative of the general public
I'm curious about the poor incentives for businesses advertising brings. I never imagined business is possible without advertising. If I were starting a business, I would probably target the people who don't block ads (despite the fact I myself do and help all my friends and relatives to).
Unless I’m misunderstanding you, I think you’re slightly misunderstanding me. It brings poor incentives for companies that make their money from selling advertising space. It does not bring poor incentives for businesses that advertise (besides the desire to censor content, but that’s a different issue).

If you’re still not clear on why it brings poor incentives, or you disagree, think about it this way:

For a company like Netflix, their customers are the people who use their service, and their product is their service. i.e. they’re selling how much you like their content. They don’t care about how long or addictively you watched it, as long as you pay every month. This is healthy.

For a company that runs a TV channel, their customers - for the most part - are advertisers, and their product is their viewers. They’re selling the viewership of their channel to companies. I.e. they’re selling how long and intently they can keep you watching their channel, and how easily they can get you to open your wallet. This is clearly unhealthy.

This applies heavily to the digital media environment too. I can give more examples, if it’d help

Instead of blocking cookies, work on more stuff that will block finger printing such as stuff that is mentioned in https://www.nothingprivate.ml

One spec could be split up the JS api into stuff that manipulates the dom and stuff that accesses GPU and other hardware that may identify the browser or machine. Safari seems to be the only one that is doing anything in that area.

That site loads third party JS from cloudflare and sentry. Seems like the privacy message would be clearer if they didn't.
I don't see how this will be adopted without backing by legal threats. Even if this gets implemented on a voluntary basis, you need a fallback for browsers that don't support it. And if you need to have a version of the prompt with a user experience that isn't controlled by the browser, you might just as well use it to keep pushing the same dark patterns to everyone. Am I missing something?
Cookie banners work because they're everywhere and users have been trained to dismiss them as soon as possible. If this technology would get traction from major players, cookie banners will become an exception rather than the norm. It means that users will be scared of those banners and might prefer to leave the website which will hurt the conversion.

If this movement is not backed by major web players, probably nothing will happen.

> Cookie banners works because they're everywhere and user has been trained to dismiss them as soon as possible.

All my friends and family just click the CTA, "accept", "I'm OK with that", "Mmm cookies yummy!"

I agree. Why would anyone who wants to track users implement this standard and abandon their dark patterns?
Because governments will slap them on the wrist real hard if they don't.
It would have to be enforced by legislation (as opposed to the dark patterns with cookie banners). If any company doesn't implement this in full compliance with the spec, fine them every year with 2-25% of the yearly revenue.
We've sunk so low that even the "hackers" want the government to force people to use specific protocols on the Internet.
> The mechanism serves as an automated means for users to give or refuse consent

There already is the do-not-track flag, why not just force everybody to respect it?

There are a couple of reasons.

DNT is primarily about tracking, this new spec is more general and covers much more processing of personal data, and allows one to opt-in (or out) of specific instances of processing of specific (categories) of data.

In the 90s, we had a 'big cookie' scare, and laws were threatened (or passed?). And... MUCH of this came down to... managing cookies (or other browser state) was (and is) largely so damn hidden behind layers of configs, menus and options.

We have a home button. We have forward and back. We have 'bookmark' buttons, which many people understand. A big 'COOKIE' button, on the main browser UI, that clearly shows cookie info, with a big "GET RID OF ALL COOKIES" trashcan button right there.... that would have prevented 90+% of the scare and legislation efforts from the start.

I looked for "clear my cookies" - in 2021, it's still click '3 dots' or something else, then click something, then click something, then confirm. https://its.uiowa.edu/support/article/719

"But there's so much nuance - I want to keep some, and not others, etc".

We didn't have this many choices in 1998. My point is giving a big honking "get rid of it all" back then would have changed the trajectory of the entire discussion. It still might.

I've lived through 2 decades of having to deal with support people trying to help users "clear your cache" or "reset your cookies". "Private mode" does help to a degree, assuming you're dealing with somewhat tech-savvy folks.

Now you see the conflict of interest when an ad company develops its own browser?
I saw it on day one.

Opera and others didn't bother to make cookie transparency a big priority either. :/

More to the point, it was poorly exposed/managed well before Chrome.

The problem is, most people don't understand what a cookie really is. If it were understood, you wouldn't need to support so many clueless people, and no sane politician in the EU would have made a cookie law.

The button you suggest causes more harm than good. Because people don't understand cookies, they think "does this button delete unnecessary data from my computer? Why not" and click it. Now all the legitimate data that was saved in their local storage is gone and they complain.

"Now all the legitimate data that was saved in their local storage is gone and they complain."

Not necessarily. Cookie !== localStorage (although... localStorage didn't exist at the time, IIRC).

My point was "we" (it/tech folks, but mainly browser makers) got ourselves in to this mess in the first place, and rather than making things more obvious and easier to deal with at that time, we seemed to double down on more obscure UIs.

I swear, pretty much every Netscape release, and later, for years, every other Firefox release, changed where/what/how cookie mgt was located in their UI.

"most people don't understand what cookie really is"

And that's... whose fault? Putting a big-ass 'COOKIE' button, with transparency in to what data is there, with quick options to remove it all, would have gone a LONG way to normalizing understanding. See some unknown shit in there? Delete it. If enough important things start breaking after deletion, people would have adapted (either users, or developers).

"delete unnecessary data" - there's pretty much nothing people put in cookies that is truly 'necessary' for most folks.

We didn't give people usable tools to manage this stuff, so eventually people turned to legislative means.

The thing with ideas like this is that it'll all boil down to one thing: opt-in or opt-out.

If it's opt-in, hidden inside browsers settings, effectively no-one will use it (e.g. current cookie blocking settings).

If it's opt-out everyone will use it (see e.g. Apple's recent "This app is asking to track you across the internet, do you want to allow it?").

Question is, why make it complicated with a spec like this. Better to just agree to block all cookies, or to allow cookies.

If it's opt-in, it's another bit of information to uniquely identify you (like Do-Not-Track is today.)

If it's opt-out and everyone will use it, ad companies will completely ignore this spec and keep tracking you.

The Internet is entirely in the hands of an advertising company. 90% of Internet users use Chrome and/or Android? Add Google Search and it's probably like 98%. Good luck with changing the status quo.

> Better to just agree to block all cookies, or to allow cookies.

But I want some cookies and some I do not. Also I don't want non-cookie based tracking either. Having a binary choice for a subcategory is not very helpful to me.

Tinder, Google, Amazon, Twitter, Facebook and other platforms can reliably ban an account without knowing the name, surname, birthdate. Just from the broad fingerprint of the device, email, phone number, Wifi SSIDs, location, and other data they collect. Yet they are showing the cookie and "privacy" splashscreens and popups on every visit. Every. Freaking. Time. Google with Youtube in particular. Isn't it malicious compliance?
A bit too late, but still great for users and for developers. Not so much for cookie banner services, but that's their own fault for providing cookie banners that cover half or more of the screen, have confusing selections or none at all and use dark patterns to push visitors to "Accept All" cookies. And browsers should ask the user for a default preference only once, to prevent bothering them with useless notifications from each website.
I use uBlock Origin with "Easy List Cookies" which blocks most cookie banners
Thank you! The cookie consent banners are especially pointless when you are not keeping the cookies anyway.
All this does is move the cookie banner from the website to the browser which still means I have to click approve every time I visit a new website. What I really would like to do is to get rid of these annoying cookie banners entirely and have something auto opt-in for me so I can get back to a decent web browsing experience a la pre-2017…
This is exactly what we're trying to do at Super Agent - check it out https://www.super-agent.com. Choose your preferences once and our extension will automate opt-in/opt-out where possible :)
Off Topic: Your logo is blurred unless I allow scripts from static.parastorage.com ... that seems a weird thing.
Thanks for letting me know! Looking into it - we've used Wix to build our landing page, I believe this URL may be from a CDN they use to speed up content delivery.
I think the only "safe" auto complete it could provide with this spec is reject all. Otherwise it could just save a list of consents with unique IDs and look at your rejection list for another fingerprinting avenue.
Would be cool if you can set a default policy in the browser.
Data collection is the problem. It is insane to me that we're now resorting to these kinds of 'solutions'.
Do you remember 'doNotTrack' ?
I just want ONE option - ACCEPT ALL COOKIES.

Seriously, I reserve the right to expire, delete, manage and otherwise deal with cookies on my device myself.

Can anyone create a different standard with ONE flag - ACCEPT ALL COOKIES - SHOW NO BANNERS*

*User reserves right to delete, purge, modify, expire etc cookies on their device.

That's what I want.

I wonder if this fight over cookies is just a diversion. If we ever get an effective law or tech for cookies, won't the advertisers just shrug and switch to browser fingerprinting? I feel like the only solution is to educate users about AdBlockers and stuff like NoScript.
GDPR actually applies to any kind of tracking, it's not just cookies. You also need consent do fingerprinting that can identify individual users, for example.
Use /etc/hosts based blocking, e.g. https://github.com/StevenBlack/hosts

This way you become mostly invisible to the ad and malware industry, no matter which browser you use.

Have JavaScript toggle next to address bar and keep JavaScript off by default. Most cookie banners will disappear.

Use Reader mode for daily news browsing. Most things will disappear except for main content. And it makes Internet less addictive.

The difference between swimming and drowning is subtle - flailing your limbs frantically vs relaxed movement. Too many complex solutions will make us drown.

Consider swimming instead :)

I would rather have a cookie-based approach where the opt-in dialog is clearly laid out via regulation.

At the top of the dialog a "decline"-button and to the right of it an "accept"-button. These buttons toggle all the toggles of the providers listed below those two buttons. You can then manually override each of the listed providers, which may be also grouped by purpose in order to ease selection. No nested dialogs are allowed.

Upon declination, one single cookie must get set, with a specific name, ie 'consent-acknowledge-status', with an expiry date of at least one week, where the consent selection is stored, so that it can be respected in future visits.
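As an added example (not code from the thread or from any spec), the proposal above can be implemented on the server side in a few dozen lines: a top-level accept/decline that sets every provider toggle, per-provider overrides, a single cookie that stores only the list of allowed providers, and a minimum expiry of one week. The cookie name 'consent-acknowledge-status' is taken from the comment; the provider identifiers, the purpose groups and the "v1" version prefix are assumptions made for the illustration.

```javascript
// Added example: single consent cookie as proposed above.
// Assumed: provider ids and purpose groups below are made up for illustration;
// the cookie name is the one suggested in the comment.
const CONSENT_COOKIE = 'consent-acknowledge-status';
const MIN_MAX_AGE = 7 * 24 * 60 * 60; // the proposal requires at least one week

// Providers listed on the dialog, grouped by purpose (constructed sample).
const PROVIDERS = {
  analytics: ['site-stats', 'heatmaps'],
  advertising: ['ad-network-a', 'ad-network-b'],
};

// Consent state from the top-level button plus per-provider overrides.
function buildConsent(topLevel, overrides = {}) {
  if (topLevel !== 'accept' && topLevel !== 'decline') {
    throw new Error('topLevel must be "accept" or "decline"');
  }
  const state = {};
  for (const group of Object.values(PROVIDERS)) {
    for (const id of group) state[id] = topLevel === 'accept';
  }
  for (const [id, allowed] of Object.entries(overrides)) {
    if (!(id in state)) throw new Error(`unknown provider: ${id}`);
    state[id] = Boolean(allowed);
  }
  return state;
}

// Serialise the state as a Set-Cookie header value. Only the ids of allowed
// providers are stored, so the cookie carries nothing beyond the choice itself.
function toSetCookie(state, maxAge = MIN_MAX_AGE) {
  if (maxAge < MIN_MAX_AGE) throw new Error('expiry must be at least one week');
  const allowed = Object.keys(state).filter((id) => state[id]).sort();
  const value = encodeURIComponent(allowed.join(','));
  return `${CONSENT_COOKIE}=v1:${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Parse a request's Cookie header back into the consent state.
// Returns null when no acknowledged choice is present (the dialog must be shown).
function fromCookieHeader(header) {
  for (const part of (header || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    const raw = rest.join('=');
    if (!raw.startsWith('v1:')) return null; // unknown format: treat as no consent
    const allowed = new Set(decodeURIComponent(raw.slice(3)).split(',').filter(Boolean));
    const state = {};
    for (const group of Object.values(PROVIDERS)) {
      for (const id of group) state[id] = allowed.has(id);
    }
    return state;
  }
  return null;
}

// Server-side gate: emit a third-party tag only if consent for it was recorded.
function mayLoad(state, providerId) {
  return state !== null && state[providerId] === true;
}

// Usage: decline everything, then allow one analytics provider by hand.
const chosen = buildConsent('decline', { 'site-stats': true });
const header = toSetCookie(chosen);
const onNextVisit = fromCookieHeader(`session=abc; ${header.split(';')[0]}`);
console.log(header);
console.log(mayLoad(onNextVisit, 'site-stats'), mayLoad(onNextVisit, 'ad-network-a'));
```

The gate in `mayLoad` is the part that matters: the cookie only records the choice, and the site still has to consult it before loading each provider's script, which is the "website is still responsible for honouring your choices" point made elsewhere in the thread.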

Regulations tend to become pretty stale pretty fast while tech moves on. Maybe users just need to push back by picking browsers that respect privacy. We would do better by funding better privacy tech and educating consumers than chasing regulations that almost never get it right, bog down the user experience, and generally become a hassle to everyone involved.
This week I told iOS safari to block all cookies.

It’s really not that awful. In fact, it’s kind of fantastic. I use a second browser (Google Chrome) for “signed-in stuff”.

Try it.

(Although the fact that I just posted this from safari reminds me I’m not 100% up to speed on which-browser-for-what-activity discipline.)

How were you able to post that on Safari without cookies? HN needs to set a cookie called 'user' to know that you're logged in.
I wish it could accept the cookies and delete them when you leave. It would break fewer websites.
Been thinking of making a chrome/firefox extension that will detect those cookie notifications and automatically nope out of them all for you and submit, but been too lazy to implement.
I wonder how effective and blockers are on their own. I don't mind consenting when I know that the third party trackers will never load anyway.
It’s called “I don’t care about cookies” but I think it accepts all of them.
I understand that standards like these take years to make, but this should have been in the browsers for a loooong time at this point instead of every website implementing them differently.
Finally!

Why on earth this was not implemented in the first place on web browsers?

I use the I don't care about cookies plug-in. My browser forgets all the cookies when closed. Besides several privacy plug-ins, I use the temporary container plug-in.

Problem solved.

I don't care about cookies also provides a filter list that you can add to uBO - https://www.i-dont-care-about-cookies.eu/abp/
How does this work? What is the advantage?
It uses cosmetic filtering to block out the elements of the page that make up the cookie banners. The advantage is that you don't need to install another addon and it works on Firefox for Android.
now that's something sensible!
I read a lot of negative things here, but I like this spec.

We (as a profession) should try to eliminate cookie banners, while still allowing users to opt out.

Now they need one for all the newsletter sign up boxes.
Don’t browsers already have a feature to block cookies?
The "cookie banners" are not really about cookies but about all kinds of tracking and consent issues that are not eliminated by blocking cookies.
The idea here is not blocking cookies, which are very useful, but rather to bypass the annoying "cookie banners".

Just as with Consent Banners, the website is still responsible for honouring your choices and not tracking you, either via Cookies or any other method.

Not a comment, it's a question. Do you use ad-blockers?
I've done some basic reading on GDPR but can't honestly say I have it completely figured out. Can someone help me out with a use case that I come across frequently? Selling tracking data to third parties is the kind of thing noone wants to actually opt in to, and what I imagine GDPR partially tries to combat. (among other things)

What about site statistics keeping? If say a newspaper collects statistics about visitors to their articles, and does browser/user tracking by implementing cookies, for __internal__ use, rather than selling data to third parties. Is a cookie banner still necessary for that kind of consent?

Personally, I don't care if my IP appears on any website log that I have visited, or if a unique cookie ID becomes present on the site until I clear my cookies. If i cared about my IP being tracked, or cookie IDs like that, I would browse using a VPN and "Private mode" in browser. What I do care about is the complex browser fingerprinting that keeps track of (essentially) my entire browser history, externally, with everything from my google searches, youtube videos, online purchases and website visits being visible in some kind of giant aggregate form.

Basically compare it to being videotaped when entering a store. Yeah sure, I might be a bit irked by the camera but I don't care too much. Comparing that to putting a camera on every street corner, and using facial recognition to generate a day by day pattern of all my visits to all stores the last 30 years, and I'm not a happy camper any more.

I would even go as far as saying cookie banners for the above tracking scenario, where you are tracked completely, should be illegal. That kind of "consent" can't even be gained by just clicking a <button> on a website, it would require a valid ID and signature at least.

And on the other hand, the "internal store videocamera" taping customers as they enter, perhaps even applying face recognition software to count unique visitors per year to the store, is hardly worth the hassle of clicking a cookie banner personally. I'm certainly not averse to a position of not wanting to be tracked when entering a store or a webpage though, and if someone has a personal need to not be tracked like that, they should be able to apply basic non consent based tools to avoid being tracked. Like wearing sunglasses and a cap when entering the store, or browsing using a VPN.

Tracking visits to articles can be done entirely server side, no need for consent there as long as you just increment the counter by one. If you store PII to do it (IP address) you will need consent.

You don't need consent to store the IP in your server logs because that serves an undeniable legitimate interest for detecting abuse and diagnosing issues. However, you cannot use that information to generate statistics without consent.

As others said, gather as little as possible, for as short as possible, with a simple explanation and you should be golden. Lazy implementations (slapping Matomo on a server and calling it a day) do not comply with "as little as possible", and limitations in your tech stack ("we use cloudflare so we HAVE to use a cloudflare cookie") don't count either; it has to be as little as possible for the functionality to work, not for your developers to be comfortable.

Consult a professional for legal advice, but most websites don't strictly need consent popups. The advertisers do, and the marketeers want as much info as possible as well, but on a technical level, there's no need for most reasonable use cases to have a consent form. It all comes down to the bad decisions the website owners make.

I think it's disgusting that tracking has become the standard and opting out needs to be something special only some people can choose to do. Your comparison works for self-hosted monitoring (though I doubt a business that loudly proclaims, in text and audio so blind people can enter as well, that it tracks your every move will get much business). However, most websites use third party trackers, so the comparison becomes closer to your own personal entourage of men in trenchcoats, following you around and occasionally writing something about you down.

Gather as little as you need, share it as little as you need, and keep it as long as you need to fulfil your customer's request. For anything else, get consent.

Any kind of private information you store or share needs consent.

This is why plausible.io doesn't require consent, but Google Analytics does.

I'm not an expert but I have read the text. You should talk to an expert.

Having said that, my understanding is you don't need consent if the information processed is not personally identifying. The GDPR text is also quite clear that consent is just one of a number of legal bases for processing PII and there are a whole bunch of provisos for relying on it (which are still ignored on most sites).

For your stats use case I think the best option would be to store and log anonymized stats that wouldn't be considered personally identifiable information. And then you shouldn't need a consent form.

The most important concept of GDPR is "Personally Identifiable Information", or PII: https://en.wikipedia.org/wiki/Personal_data

You can collect statistics all you want if you anonymize data such as IP addresses. But you can't collect and store PII (or even aggregate data that can be used to identify a certain user, aka fingerprinting) without consent, or without having a legitimate reason.

By legitimate reason I mean that you can freely collect information that is strictly necessary for performing tasks expected by customers. For example, you don't need explicit consent to collect a customer's address for delivering a package via post. You can also have a cookie for login without requiring a "cookie banner". However, you can't repurpose data you collected legitimately for other purposes, such as sending spam.

(Please notice that legitimate reasons don't include anything marketing-related, spam, selling to third parties. "Legitimate interest" in GDPR means the legitimate interest of the customer, not of the business)

About fingerprinting, if it can be used to identify single users, it becomes PII. This means fingerprinting also falls into GDPR.

Cookies are used for things other than tracking, so maybe not obsolete, just irrelevant for tracking usage.

I didn’t read the entire spec, maybe there’s stuff that replaced cookies in there.

Cookie banners are only necessary for tracking. The idea here isn't to obsolete cookies, just the banners, as the spec proposes a way to gather user consent through the user agent instead of a cookie banner.