As much as I loathe the cookie warnings, I'm constantly amazed at situations that don't avoid them. For example: there is no reason that PayPal needs to serve 3rd party cookies in a payment flow.
I've actually started to reject nonessential cookies most of the time now. Doubt it matters at all.
I worked for a payment gateway years ago. When Safari rolled out their initial blocking of third party cookies back in 2013, it broke some of our transaction flows, yes.
There are a bunch of different kinds of payment gateway integrations, with various tradeoffs.
However a common pattern, at least at the time, was to use an iframe with the payment form in it.
Our form was multi-page, and used cookie-based sessions to track state between pages, so when they started being blocked, the payment form stopped working for Safari users.
The solution we chose at the time was to put the session id into the URL, but that has its own security issues. There are other ways to address that particular issue that don't involve cookies, but would have required a significant rewrite of the system.
Some potentially legitimate ongoing use cases for 3rd party cookies would be remembering payment details, and one click checkout across various sites that use the same payment gateway.
If the use is required for the site to function, the data may be shared. The only ones you can reject are the ones that are not necessary, which usually involves ad trackers and similar things.
It should also be noted that these popups are likely not legal (or rather, they probably don't constitute informed consent under the GDPR), but that's a completely different discussion to be had.
What 3rd party cookie is needed to process a payment? It's obnoxious I have to take care of the cookie situation what seems like every time I start a PayPal payment flow.
They almost feel like a passive-aggressive thing at this point. There's no reason a cookie banner needs to be a modal dialog that blacks out the rest of the web page.
It’s like Prop 65 posters warning about carcinogens in California. If people insist you warn them about something they are doing, you get around it by forcing everyone to do it for everything so people start ignoring them.
>If people insist you warn them about something they are doing, you get around it by forcing everyone to do it for everything so people start ignoring them.
Who does "you" refer to in this sentence? A random business that doesn't like the warnings? How can that random business force everyone to do it for everything?
AFAIK GDPR requires that consent can be removed as easily as it was granted - where's the modal pop-up on every screen allowing me to revoke my prior consent and have their advertising partners delete any gathered data?
You really don't understand why people don't want to have their internet history logged or be tracked as they browse the internet? Cookies that track you are bad. The banners are bad too.
How do I grant universal consent to be tracked so that I can browse the web in peace? The law failed to consider this and made the browsing experience considerably worse for those of us who couldn't care less about being tracked.
Not to mention teaching users who are not tech-savvy to blindly click "I Accept" and "I Agree" without thinking about it which is an absolute disaster since such users cannot distinguish between a marketing cookie prompt and an OS elevation prompt coming from a piece of malware they just downloaded.
This tends to be an unpopular opinion here, but I agree completely. We had almost gotten rid of popups entirely, and now we have something worse, a required annoying banner that often causes the whole window to redraw and move around.
Since untracked ads pay 80-90% less than tracked ones, they are borderline required by every site that requires advertising to survive (most websites).
In a way I'm sure it's added to vendor lock-in, any random Google result you click is guaranteed to hit you with the banner, which on mobile is especially annoying since they're also required to be prominent (i.e. take up half the screen because everything in that law is incredibly vague).
The ad/pop-up blockers need to start also blocking the dumb modal windows for this. It might be easier too, there's financial incentive in breaking the blocker.
My guess is that the original intent of the legislation wasn't to force users to click about 20 buttons in order to opt-out (IANAL but this seems to run directly counter to the mandate that it must be as easy to withdraw consent as it is to give it?). I agree that the current experience sucks, although unlike you I'd prefer not to be tracked. That being said, the EU has shown that it continues to iterate legislatively on issues around privacy - see the recent Digital Markets Act, for example. I guess my point is that legislation doesn't always get it right the first time, but I'd much rather see an evolutionary approach to fixing a problem than simply throwing up our hands.
Thanks for the recommendation! I am indeed sketched out by most extensions that require the all-hosts permission but this one does seem pretty legit so I'll give it a shot.
This is a fair concern. The particular extension is developed by Aarhus University, which is a major university in Denmark. Not a guarantee it won't do anything bad, but it should give you more comfort than any random extension developer.
As I understand it, the GDPR did not make web browsing a worse experience. Rather, folks tasked with compliance at a few companies came up with a horrible solution that probably doesn't actually comply, and everyone started copying it. GDPR requires consent; it doesn't require you to come up with the most obnoxious way to obtain it.
Can you think of another way to implement it that wouldn't be just as obnoxious though? I feel like anything that could be perceived as unobtrusive could just as likely be seen as trying to hide or minimize the presence of the banner which might be construed as a violation of the law.
I feel like EU regulators should have worked with web standards committees to add a technical means and requirement to classify cookies. Then browser vendors could allow users to choose which types of cookies they are willing to accept from which websites.
> Can you think of another way to implement it that wouldn't be just as obnoxious though?
A link to a page where visitors can opt-in would work just fine and not be obnoxious. The banners are obnoxious not because it's impossible, but because the very idea of consent goes against the business' goals. Or they're just lazy: You don't need PII to track marketing performance, and if you aren't unnecessarily collecting PII, you don't need to ask.
> I feel like EU regulators should have worked with web standards committees to add a technical means and requirement to classify cookies.
Hardly anyone would use it, because most companies aren't seriously interested in getting consent. They are interested in data, and consent is merely a hoop to jump through.
There's currently hullabaloo regarding the Global Privacy Control HTTP header as a spiritual successor to Do Not Track. It's already enforceable in California under the California Consumer Protection Act and the specification suggests they are also targeting GDPR compliance (although I don't know how close/feasible that is).
If it were to see widespread adoption then all you would have to do is change a setting in your browser.
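What "change a setting in your browser" looks like from the server side, as an added example that is not part of the original comments: a browser with Global Privacy Control enabled sends the request header `Sec-GPC: 1`, and the site sets only strictly necessary cookies in response. The cookie catalogue, the category names and the rule that the signal overrides previously stored consent are assumptions made for this illustration.

```javascript
// Constructed cookie catalogue for illustration; not taken from any real site.
const CATALOGUE = [
  { name: "session", category: "necessary", value: "abc123" },
  { name: "ab_bucket", category: "analytics", value: "B" },
  { name: "ad_id", category: "advertising", value: "u-42" },
];

// The GPC signal is the request header Sec-GPC with the literal value "1".
// HTTP header names are case-insensitive, so normalise before the lookup.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Strictly necessary cookies are always allowed. Other categories need
// stored consent, and (assumed policy) the GPC signal overrides that consent.
function allowedCategories(headers, storedConsent = []) {
  const allowed = new Set(["necessary"]);
  if (hasGpcSignal(headers)) return allowed;
  for (const category of storedConsent) allowed.add(category);
  return allowed;
}

// Build the Set-Cookie values the response may carry for this request.
function setCookieHeaders(headers, storedConsent = []) {
  const allowed = allowedCategories(headers, storedConsent);
  return CATALOGUE
    .filter((cookie) => allowed.has(cookie.category))
    .map((cookie) => `${cookie.name}=${cookie.value}; Path=/; Secure; SameSite=Lax`);
}

// The response varies by the signal, so shared caches must key on it too.
function responseHeaders(headers, storedConsent = []) {
  return { "Set-Cookie": setCookieHeaders(headers, storedConsent), Vary: "Sec-GPC" };
}
```

No banner is involved in either branch: the decision is made from the request header and whatever consent record the site already holds.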
I think that (maybe) a possible better way might be, instead of such cookie popups, to have:
- Needing to write documentation (which is viewable even if cookies, CSS, and JavaScript are disabled) about what each cookie means. (This includes both necessary and unnecessary cookies.)
- Writing better web browser(s) with more user controls, which can more easily be modified and recompiled, etc. (This way, you can more easily adjust individual cookies more finely, including which cookies are enabled, duration overrides, values, etc.)
> Only consent is needed for cookies that aren't strictly necessary.
Do you mean “Consent is only needed...”, because while the existing word order is grammatically viable, it doesn't communicate anything that makes sense with the rest of the post.
The nuisance is an intentional choice by the bad actors in marketing to make you mad about the banner instead of their business practices of tracking you everywhere.
Understand that cookie banners are malicious compliance and they make a lot more sense.
This is an utterly annoying failure of legislation. The law could have mandated that a standardized mechanism to opt in (or even out!) would be implemented by major browsers and the relevant standards, providing APIs for websites to integrate. It could have even been about that vague and still be more effective and less counterproductive. The actual legislation invites this sort of abuse. Understanding that the abuse is intentional is a component of understanding the situation. But the blame for it doesn’t absolve the law, it implicates it.
If the vague proposal I’m suggesting sounds outlandish, that’s more or less how every major browser implements other requests for intrusive APIs as a matter of protecting users. Even when they do it half-heartedly they do it by developing a standard with their more invested peers which is far less prone to universal abuse.
I agree it was weak legislation, but I think governments failed at the time to realize just how blatantly crooked the tech industry is, and is willing to be. I think it's taken a while but more aggressive actions are starting to be taken. Though ultimately I don't think we'll have straightened out Big Tech until we have laws on the books that let us put Pichai and Zuckerberg in prison. As long as their actions can be aspired to instead of a cautionary tale, more will follow in their footsteps.
There are no laws in Australia requiring cookie banners, and yet I get hit with them constantly. So the law is clearly not the reason for these annoying banners.
The EU laws require the banners to be shown to all EU citizens regardless of the country they're in, right? I think the only way to be absolutely safe is to show cookie banners everywhere.
No it doesn't. It stipulates that the site operators need informed consent to track you using cookies. So what they do is nag you with dark patterns to obtain it, creating an annoying experience.
Developer here. It's much easier, and a lazy way, to enable it for everyone, rather than tracking IPs and citizenship and showing it accordingly. Developers are lazy.
*Edit: Sorry if this came off as rude but it was a legitimate question. I honestly cannot think of another plausible reason that would explain the proliferation of the banners.
Yep, this is why we can't have nice things. Nice things sometimes sound nice initially but they have major design flaws and are made by people who don't know much about things. But these people have a monopoly of coercion on you so you can't really do anything about it.
> “The legislative department is everywhere extending the sphere of its activity, and drawing all power into its impetuous vortex.” -Madison, Federalist No. 48