by throwaway_sb666 1547 days ago
I agree that a cookie banner is pointless. But they are even on government websites, so obviously something has gone terribly wrong along the way (hint: lobbyism).

My thinking goes like this:

1. The law explicitly talks of requesting consent.

2. Incentives will drive actors to request additional permissions if possible (you always get some legal, can claim ignorance, etc)

3. People get constant intrusions wasting our collective time and attention on an enormous scale.

The current law is encouraging this type of user-hostile behavior. This is stating an objective fact, since the current situation is clearly a result of the current law.

If any type of consent-banner or opt-in method is allowed, industry groups will lobby for loopholes they can use to trick users using whatever mechanism the law leaves at their disposal.

Just outright ban the use of cross-site tracking and user profiling. We don't have a societal need for this to be legal.

2 comments

The most common use of “tracking” cookies is just to be able to count unique views for your site, which I think is a perfectly reasonable thing to want to do. Knowing the impact of your site is something pretty much every website producer (including governments, individuals, and businesses) wants to do.

Other examples of where cross-site tracking is useful is for preventing online payments fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.

Somewhere along the line, counting views or helping reduce fraud for customers turned into “store full demographic information about someone who never signed up for our service”, which is where everything went wrong in my mind. The cookies themselves aren’t the problem, it’s how they’re being used.

> The most common use of “tracking” cookies is just to be able to count unique views for your site, which I think is a perfectly reasonable thing to want to do.

Sure, and I don't remember if this is currently legal without need to notify/ask, but I think it should be.

As long as the tracking data is legally and technically isolated to only domains/apps/devices controlled by the same entity... Most people have the expectation that a website/business will be able to remember them across visits from the same browser.

But people will not necessarily have this expectation of being recognized across domains or different devices - indeed most people won't know it's even possible - so anything facilitating such identity/profile correlation should be considered illegal tracking by default. The specific technical method of creating the correlation should not matter. Honestly this could extend to non-web profile building as well.

The exception, of course, is if the user has self-identified by logging in.

> Other examples of where cross-site tracking is useful is for preventing online payments fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.

True, completely agree. There are already blanket exemptions for certain uses in the GDPR and those should be extended as needed for use cases that have legitimate value. Cookie law should be changed so there is no need to ask/inform the user about these use cases other than in the website's privacy statement, where such tracking should be stated.

Industries handling such tracking data should be regulated and audited to ensure proper handling and use of the data. Again I think this should be applied as a broader principle, and I think for example loyalty programs should be also audited to ensure compliance with legal uses of the collected data.

> they are even on government websites

Could you give some examples please? I checked all the government websites I could think of and didn't see any.

https://gdpr.eu/cookies/ lol ;-)

https://european-union.europa.eu/

https://www.sundhed.dk/

https://www.securite-sociale.fr/

4 out of 4 in my case. May I ask which ones you checked? I'm genuinely curious, cause I really don't remember seeing any official website in the EU without a cookie banner in many years.

Okay, the first two are pretty hilarious, but as far as I can tell, the first one doesn't actually set any cookies if you don't react to the banner, and the second one sets just this: "{"cm":false,"all1st":false,"closed":false}", which seems acceptable.

The other two are trickier to judge, but contain (user?) identifiers, which could certainly be used for tracking, so I'll have to concede your point.

Edit: I had to recheck some of the sites I'd previously checked, as your examples helped me realize that my browser does a lot of blocking. It turns out that just one of my examples was actually a good one: https://finlex.fi/en/

Edit2: Found others: https://www.suomi.fi/frontpage and https://vnk.fi/en/frontpage

Both actually do set cookies, but apparently nothing requiring consent.

Terve! Not surprised to see Finland slightly ahead of the curve.

I think the default is that most people, professionals included, don't understand the law and throw in the banner-spam to be on the safe side or because of outdated checklists.

I have zero problem with (edit: first-party) cookies, only with the web being a horrible UX for 95% of people, so hope more official websites can lead the way, so that pop-ups can slowly be de-normalized in people's minds.

Edit:

> https://finlex.fi/en/

Nice find. Also:

https://oikeusministerio.fi/en/frontpage

Can they inform Denmark?

https://www.justitsministeriet.dk/