by ddren 1173 days ago
What is the issue with the GDPR? If OpenAI is violating the GDPR, why should European governments ignore it?

In the beginning of GDPR I remember sitting in annoying meetings with lawyers who essentially became Product Owners and designers while I still thought the GDPR-Framework makes sense in itself and might help in practice.

But boy was I wrong. The people criticizing GDPR were right: Tech giants were able to cope better with the regulations while smaller domestic companies were put under an additional burden of excessive bureaucracy. And from what I perceive, there's now cookie banners everywhere while my personal data is still going into opaque silos.

> And from what I perceive, there's now cookie banners everywhere while my personal data is still going into opaque silos.

Those cookie banners are either non-compliant with the regulations or meaningless. Why people add them is anyone's guess.

Yeah. Mozilla with their ad-network visualization and browser extensions did more for privacy in practice than any GDPR regulation in which exchanging business cards became some kind of Mexican standoff.

No, that's not true, though it does get spouted very often in online comments.

It's true that a cookie banner (notification only) does not equal "the site can now do whatever it wants and is GDPR compliant thanks to the banner".

However, cookie notification banners are nothing to do with GDPR! They are to comply with an earlier (but still active after GDPR) bit of legislation, the 2002 'ePrivacy Directive' (sometimes known as the "cookies law").

If you don't go near personal data, but still want to use cookies for website functionality, then GDPR doesn't apply but you need to notify users of your use of cookies. If you are doing stuff that's covered under GDPR, then you obviously need to do more than just a cookie notification, and in most cases doing that 'more' will cover the non-personal cookies too so no need for a separate cookie notification on top.

https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

edit to be more specific: section (25) includes "Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using." and "Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose." (meaning that unlike with GDPR, it's easier to say "these cookies are necessary, accept them or don't use this website")

Full text of that 2002 directive: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

And usual disclaimer, this is not legal advice, if you're doing anything affected by either the ePrivacy Directive or GDPR you'd do well to do one or both of getting specific advice from a lawyer with specific expertise in this area, and that if it's a personal site (or a company without the money for legal advice), better safe than sorry and better to give users more power (in terms of requiring their consent to use even cookies that might not need explicit opt-in to be legal, etc) than required rather than less. Both better in terms of liability, and in terms of ethics!

> However, cookie notification banners are nothing to do with GDPR! They are to comply with an earlier (but still active after GDPR) bit of legislation, the 2002 'ePrivacy Directive' (sometimes known as the "cookies law").

The cookie banners people are now complaining about are literally companies skirting or otherwise breaking GDPR. Because they now have to ask for your consent before they siphon your data and sell it wholesale to the highest bidder.

Sorry if I wasn't clear, there's confusion between banners put up because of GDPR and actual 'cookie banners'.

There are certainly plenty of examples of poorly implemented banners attempting to comply with GDPR while not actually being compliant, where consent is required, but I wouldn't call those 'cookie banners' since they generally talk about privacy and personal data, not just about cookies/local storage.

My point was that there are plenty of websites that don't need to comply with GDPR (because nothing they do falls under its scope), but they still need to comply with the ePrivacy Directive and therefore there are plenty of cookie banners used for that purpose that are a perfectly acceptable way of complying with that law - though because people are more familiar with GDPR than with the ePrivacy Directive, they see those banners and think it's a non-compliant attempt at dealing with GDPR.

I wish they'd update the ePrivacy directive :)

---

I think, but don't quote me on that, that with ePrivacy you don't really need a banner, but an explanation that you use cookies. But that is a minor issue.

I've been observing this space and a lot of those smaller companies didn't bother to ensure personal data is safe, so it's not like they're the victims here.

There was already one large crackdown on non-compliant cookie banners, and even large entities had to stop fooling around and implement them properly.

The leftovers need to be picked up one by one, but that necessarily takes time.

The people on this site who criticize the GDPR don't even know what the GDPR does, including you. Cookie banners aren't from the GDPR, they're from the ePrivacy Directive as amended in 2009. I don't understand how you people even mix this up, the cookie banners appeared several years before the GDPR existed. It's like this site is a big pity party of surveillance capitalists whining into an echo chamber, remixing and repeating each other's confusions without any feedback from reality.

Maybe (I'm too lazy to check this out). But from what I remember only after GDPR those banners went viral in clumsy, annoying, not useful and frequently unnecessary implementations. Maybe it's because of hefty fines introduced in the context of GDPR.

My point is: Did it help fighting privacy issues? I don't think so. Did it harm? I do think so. Will it ever be somehow measured for its effectiveness and be taken back/changed to be more effective? I don't think so. So better get rid of it.

I seem to recall that before the GDPR, cookie banners were basically a single "OK" button, annoying but at least usually floating near the bottom of the page. After GDPR, they became dark-patterned modal nests of unfathomable checkboxes and submenus.

I don't think it has made a jot of difference for privacy, but it sure has degraded the user experience of using the web.

> GDPR those banners went viral in clumsy, annoying, not useful and frequently unnecessary implementations. Maybe it's because of hefty fines introduced in the context of GDPR.

The problem is that not enough fines have been meted out. Had they been, we'd see less of the unuseful, annoying, unnecessary banners. Because they are this way on purpose: to make you "consent" to wholesale collection and trading of your data.

I was complaining about the cookie banners in 2009, but OK, people tend to conflate the two, but it is not fair to lash out at people saying they don't like X with a simple rebuff that the thing is actually called Y. China makes the hardware, America writes the software and the EU makes the regulation, is a very common critique of technical people in the tech sector who lack political and economic power compared to the value they create.