by throwaway_sb666 1552 days ago
> Did we consider that if everyone is breaking the law, the law itself might need a rework?

Agreed - IMO, make cookie banners illegal and make 'minimum cookies' the default. Done?

3 comments

Isn't this already the case? Does anyone actually think that you give voluntary informed consent to something by being annoyed into pressing a button?

No, if you show a cookie banner your users do not opt-in. So a cookie banner is pointless since it doesn't actually give you permission to store cookies you couldn't store before. So we already have the law, we just don't enforce it.

I agree that a cookie banner is pointless. But they are even on government websites, so obviously something has gone terribly wrong along the way (hint: lobbyism).

My thinking goes like this:

1. The law explicitly talks of requesting consent.

2. Incentives will drive actors to request additional permissions if possible (you always get some legal, can claim ignorance, etc)

3. People get constant intrusions wasting our collective time and attention on an enormous scale.

The current law is encouraging this type of user-hostile behavior. This is stating an objective fact, since the current situation is clearly a result of the current law.

If any type of consent-banner or opt-in method is allowed, industry groups will lobby for loopholes they can use to trick users using whatever mechanism the law leaves at their disposal.

Just outright ban the use of cross-site tracking and user profiling. We don't have a societal need for this to be legal.

The most common use of “tracking” cookies is just to be able to count unique views for your site, which I think is a perfectly reasonable thing to want to do. Knowing the impact of your site is something pretty much every website producer (including governments, individuals, and businesses) wants to do.

Another example of where cross-site tracking is useful is preventing online payment fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.

Somewhere along the line, counting views or helping reduce fraud for customers turned into “store full demographic information about someone who never signed up for our service”, which is where everything went wrong in my mind. The cookies themselves aren’t the problem, it’s how they’re being used.

> The most common use of “tracking” cookies is just to be able to count unique views for your site, which I think is a perfectly reasonable thing to want to do.

Sure, and I don't remember if this is currently legal without needing to notify/ask, but I think it should be.

As long as the tracking data is legally and technically isolated to only domains/apps/devices controlled by the same entity... Most people have the expectation that a website/business will be able to remember them across visits from the same browser.

But people will not necessarily have this expectation of being recognized across domains or different devices - indeed most people won't know it's even possible - so anything facilitating such identity/profile correlation should be considered illegal tracking by default. The specific technical method of creating the correlation should not matter. Honestly this could extend to non-web profile building as well.

The exception, of course, is if the user has self-identified by logging in.

> Another example of where cross-site tracking is useful is preventing online payment fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.

True, completely agree. There are already blanket exemptions for certain uses in the GDPR and those should be extended as needed for use cases that have legitimate value. Cookie law should be changed so there is no need to ask/inform the user about these use cases other than in the website's privacy statement, where such tracking should be stated.

Industries handling such tracking data should be regulated and audited to ensure proper handling and use of the data. Again I think this should be applied as a broader principle, and I think for example loyalty programs should also be audited to ensure compliance with legal uses of the collected data.

> they are even on government websites

Could you give some examples please? I checked all the government websites I could think of and didn't see any.

https://gdpr.eu/cookies/ lol ;-)

https://european-union.europa.eu/

https://www.sundhed.dk/

https://www.securite-sociale.fr/

4 out of 4 in my case. May I ask which ones you checked? I'm genuinely curious, because I really don't remember seeing any official website in the EU without a cookie banner in many years.

Okay, the first two are pretty hilarious, but as far as I can tell, the first one doesn't actually set any cookies if you don't react to the banner, and the second one sets just this: "{"cm":false,"all1st":false,"closed":false}", which seems acceptable.

The other two are trickier to judge, but contain (user?) identifiers, which could certainly be used for tracking, so I'll have to concede your point.

Edit: I had to recheck some of the sites I'd previously checked, as your examples helped me realize that my browser does a lot of blocking. It turns out that just one of my examples was actually a good one: https://finlex.fi/en/

Edit2: Found others: https://www.suomi.fi/frontpage and https://vnk.fi/en/frontpage

Both actually do set cookies, but apparently nothing requiring consent.

Terve! Not surprised to see Finland slightly ahead of the curve.

I think the default is that most people, professionals included, don't understand the law and throw in the banner-spam to be on the safe side or because of outdated checklists.

I have zero problem with (edit: first-party) cookies, only with the web being a horrible UX for 95% of people, so hope more official websites can lead the way, so that pop-ups can slowly be de-normalized in people's minds.

Edit:

> https://finlex.fi/en/

Nice find. Also:

https://oikeusministerio.fi/en/frontpage

Can they inform Denmark?

https://www.justitsministeriet.dk/

What's the definition of minimum cookies?

Necessary site functionality, without the spyware. Unfortunately, most websites are funded by spyware, so the minimum cookies to keep the internet economy running would have to include the spyware.

Disagree. Let it burn, it's the only way. (change my mind?)

This made me think of the Ukraine war, and how the sanctions may turn out to be a bigger help to the climate crisis than any political entity could muster on the basis of the impending climate snafu. Sometimes radical action is the right course of action; for democracy-(pre)serving reasons our governance systems often inhibit change unless most of the population is rallied around a specific cause as we see with Ukraine. That is the time for radical change to happen, or democracies would never progress. End of sidetrack :)

EDIT: I mean, strong agree with "Necessary site functionality, without the spyware.", but disagree with the last part

I was just asserting that a law that banned spyware-based advertising would harm the current website economy which is largely based around spyware. I would like to see an end to mass spying, and therefore the creation of a different kind of funding mechanism. That could indeed be brought about by law, but that seems a bit too violent to me. I think what we're missing is a better alternative.

I read an interesting article (from the mid 2000s? Will update if I can find it) arguing that microtransactions will never work due to the cognitive burden of paying for hundreds (or thousands!) of tiny things a day.

Brave's BAT seems to solve this part of the problem by automating the payments based on how much time the user spends on each site. It would require everyone to switch to Brave and use their crypto thing to make it work, so it's obviously "suboptimal".

> I was just asserting that a law that banned spyware-based advertising would harm the current website economy which is largely based around spyware.

I think that largely, the website economy is based around advertising. I honestly doubt the advertising-centered business model would disappear even if large-scale tracking did. Would it be less targeted and less efficient on a micro-level - yes probably.

But less abusive advertising would also have upsides for website owners: Privacy conscious people are increasingly blocking all ads, losing them eyeballs. Privacy friendly ads may be given a pass.

Right now it's mostly impossible for privacy-conscious people to support a website they like by looking at its ads. The adtech industry is to blame for this for data-raping people. Website owners would benefit from a sustainable advertising model, where users don't have to make the choice between not contributing financially, vs sacrificing their privacy to data leeches. All the websites crying over ad-blockers would instead be forced to use legal ad networks that don't rely on illegal tracking, and people might again be willing to look at ads for content.

Brave is an interesting take, but I think the more optimal solution is to just ban the practice of tracking and shadow-profile building. Problem solved, and I don't need to encourage people to install ad-blockers anymore.

>Would it be less targeted and less efficient on a micro-level - yes probably.

I remember reading not too long ago that tracking did not increase profits! I find that hard to believe because once the tracking gets good enough, they actually start showing me ads for things I actually might want to buy! (Imagine that!) In my experience, Facebook's ads (at least on Instagram) show me really cool things, while Google (who should know way more about me) shows me complete garbage on all its platforms (YouTube being worst of all).

Re: less abusive advertising

I'm considering making some (hopefully!) profitable web games but I'm averse to putting ads on them. After giving it some thought I realized my main objection wasn't aesthetics / UX (though that is certainly a concern when it comes to "art" -- I want my games to be beautiful and ads sort of kill the vibe there) -- my main concern was actually running strange 3rd party fingerprinting / zombie-tracker / god-knows-what. If it was just a clearly labeled affiliate link, e.g. <a><img>, that would do away with most of my concerns! (And simplify my GDPR compliance by just.. not storing anything.. and eliminate the need for those horrible banners :)

In general I'm averse to government regulations, but this might be a rare case where the alternative (rampant spying) is worse... After that, all that remains is to get the governments to ban themselves from spying too ;)

"This made me think of the Ukraine war, and how the sanctions may turn out to be a bigger help to climate crisis than any political entity could muster on the basis of the impeding climate snafu."

Huh? Here in Germany there is talk by politicians that climate policies have to stand back now and we need to rely more on the coal plants and not close them, as was planned.

I really hope that the actual solutions will be more renewables and nuclear, but I am a bit pessimistic about it.

Germany is in a very tough spot energy-wise and is the most impacted by the Russian sanctions. A lot of house heating is gas and that isn't something you can change in 6 months. So in the very short term they probably need coal to replace the gas where possible so that stockpiles can meet next winter's demand for heating.

But for medium-term, a lot of infrastructure investment will be needed. Times are such that the public will be quick to condemn investment in fossil energy, so there will be pressure to find green solutions where feasible.

The other day I saw a headline that France had stopped subsidizing gas heating installations. I don't get why it took a Russian war to do that, but apparently it did.

There have been many other such headlines. Will it matter? Probably some, maybe a lot... one can hope.

Edit: or maybe the opposite. Who knows.

Showing an ad next to a news article is not fundamental to the function of a news site, even if it's how the bills are paid. You can't degrade the experience because visitors reject cookies. So you can't do a "we'll show you the article but only if you agree to ads". And you have to make the reject-all-cookies the default choice and easier than accepting. It's pretty simple.

Those that don't require opt-out according to the law. Too lazy to look up the legal definition right now.

Edit: by law I mean the GDPR.

Edit2: Get rid of the "cookie banner law" entirely, actually make it illegal, but require easily found links to privacy statement

Obviously there’s no definition, but I’d say a reasonable baseline is when a user expects a stateful interaction on the stateless medium that is the web. So for example, a multistage checkout process.

As close to none as possible.

And, to make it even more precise, I would also call cookies which are for login non-essential, unless a visitor really wants to log in, meaning they navigate to the login page.

This means that by default I don't need any cookies, because I don't want to log in to most websites I visit. Only if I want to log in do I have need for such cookies.

...hit the nail on the head. By 'as close to none' I pretty much meant "any cookie that isn't about authentication and/or holding state of something as an authenticated user that would matter"

For each cookie present, an independent third party expert would be willing to testify that the cookie is required in order for the website to operate as the user expects.
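The "minimum cookies" design sketched in the comments above (no cookies at all for anonymous browsing, a session cookie issued only when the visitor deliberately logs in, and every cookie present justifiable as required for the site to work) can be made concrete in a few dozen lines. The following is an added example written for this thread, not code posted by any commenter; the server, the in-memory session store, the demo user and the `handle`/`cookie_header`/`set_cookie_values` helpers are all assumptions of the example.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs

# In-memory session store: token -> username (constructed for the example).
SESSIONS: dict = {}

# Constructed demo credentials; a real service would check a password hash.
DEMO_USERS = {"alice": "correct horse battery staple"}


def cookie_header(token: Optional[str]) -> str:
    """Build the Set-Cookie value for the session cookie.

    token=None produces an expiring cookie (logout). HttpOnly keeps scripts
    away from it, Secure restricts it to HTTPS, SameSite=Lax limits cross-site
    sending and Path scopes it to this origin.
    """
    if token is None:
        return "session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_session(cookie: str) -> str:
    """Extract the session token from a Cookie request header, '' if absent."""
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""


def handle(method: str, path: str, cookie: str = "", form: Optional[dict] = None) -> dict:
    """Route one request and return {'status', 'headers', 'body'}.

    The invariant demonstrated: anonymous browsing sets NO cookies. The only
    cookie the site ever sets is the session cookie, and only on explicit login.
    """
    form = form or {}
    headers = [("Content-Type", "text/plain; charset=utf-8")]

    if method == "POST" and path == "/login":
        user, password = form.get("user", ""), form.get("password", "")
        if DEMO_USERS.get(user) != password:
            # Failed login: still no cookie, so nothing to track a stranger by.
            return {"status": 401, "headers": headers, "body": "login failed"}
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = user
        headers.append(("Set-Cookie", cookie_header(token)))
        return {"status": 200, "headers": headers, "body": f"welcome {user}"}

    if method == "POST" and path == "/logout":
        SESSIONS.pop(parse_session(cookie), None)
        headers.append(("Set-Cookie", cookie_header(None)))
        return {"status": 200, "headers": headers, "body": "logged out"}

    # Every other page: serve content and set nothing. No analytics cookie,
    # no "banner dismissed" cookie, no pre-login session.
    user = SESSIONS.get(parse_session(cookie))
    body = f"hello {user}" if user else "hello anonymous visitor"
    return {"status": 200, "headers": headers, "body": body}


def set_cookie_values(response: dict) -> list:
    """All Set-Cookie values in a response; an empty list means no cookies were set."""
    return [v for k, v in response["headers"] if k.lower() == "set-cookie"]


class Handler(BaseHTTPRequestHandler):
    """Thin adapter so the pure handle() function can be served over HTTP."""

    def _dispatch(self, method: str) -> None:
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length).decode() if length else ""
        form = {k: v[0] for k, v in parse_qs(raw).items()}
        resp = handle(method, self.path, self.headers.get("Cookie", ""), form)
        self.send_response(resp["status"])
        for k, v in resp["headers"]:
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(resp["body"].encode())

    def do_GET(self):
        self._dispatch("GET")

    def do_POST(self):
        self._dispatch("POST")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Because `handle` is a pure function, the "no cookie before login" property can be checked in a unit test rather than by inspecting a browser: every response to an anonymous request must have an empty `set_cookie_values`, and the one cookie that does appear after login carries only session state.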
As much as this may really damage the sector I work in, I’d cherish the clarity a stance like this could provide.

There are many businesses trying to be compliant whilst maintaining access to metrics their business depends on.

Compliance is very difficult at this time as the legal advice is shifting in different territories and there is conflicting guidance when you start to dig into it.

I'd rather see a selection of activities and tactics entirely banned/regulated rather than this directive which is clearly too open to interpretation.

Appreciate the sentiment. Policy changes will probably always hurt somebody. The expectation is that the economy will realign around new goals.

In this case it's even simpler since a software company would likely be able to develop a new product with hopefully more value to society than the vast majority of data collecting companies provide. I'm also not too afraid for tech workers being able to find other jobs, although I'm sorry for any other collateral damage.