by bimguy 828 days ago
You are not a big fan of the EU after this? They seem to care more about privacy and rights of the people within the majority of the countries that make up the EU than any other outside country that I could name.

Then again, I'm not American so I can easily see the influence your country has on most other countries, so to say the "EU have enormous capacity for overreach at the expense of participating countries and their citizens" is completely ignorant and oblivious.

5 comments

> You are not a big fan of the EU after this?

Downloading apps from internet is a very cheap price for becoming a "big fan of EU" :D
The EU should make a public service announcement.

Something along the lines of:

"We urge all EU citizens with Apple devices to have an alternate means of accessing critical internet services like banking, to protect themselves in the event we are forced to block all Apple services EU-wide for legal non-compliance."

... then watch AAPL stock drop below NVDA ...

... and Apple come crawling back, suitably obedient.

or more likely learn extremely quickly that their citizens prefer their iPhones to their politicians, there would be protests within the hour if they ever blocked iPhones.

Weird to me how common it has become in the last 5 years for people to gleefully cheer for tyranny and control.

Yes, the tyranny of... forcing Apple to open up its walled garden. I am cheering for that and more. Mandate open bootloaders. Mandate user installed EK (Endorsement Key) on all TCB enabled devices.
You mean the tyranny and control of Apple? With their removing headphone jack, lightning cable, walled garden and all that?
A product you consent to is hardly the same as the government cutting off the ability to use your phone and it sounds very silly to compare the two.

By no means do I agree with the walled garden, I just think cheering for such an absurd idea of the government disabling your phone to fight something most users don't even understand or care about is bizarre.

> A product you consent to is hardly the same as[...]

...The government you also consent to in elections and by deciding where you live?

I'm so sick of this argument: you chose to buy iPhone, it was your decision... But a large part of the law protects citizens against their bad judgement: we don't allow slave contracts or selling your organs.

Within some use-cases, and to a larger degree within some groups of people, Apple is a monopolist. People get *addicted* to the Apple ecosystem. If you had a Mercedes house, with a Mercedes charger to your Mercedes Car, that you would park on a Mercedes parking spot near your workplace, it wouldn't be so easy to replace your car with another brand.

"Tyranny and control"

I can't get the boomer comic where the guy pulls the calendar and sees the next year is 1984 out of my head now.

"forced" to block... seems like the only ones who can use force is them
No, they shouldn't; this will affect customers who already purchased the product and have no fault in this silly war that Apple wants to start. No matter what they do, it should only apply to new devices.
Excuse me, Apple started it? That's absurd. Apple have been running their little fiefdom mostly unchanged for almost fifteen years and it's only in the past few years that the EU has chosen to intervene in their marketplace. The EU started this fight; Apple is just doing whatever they can to resist change.
> Apple have been running their little fiefdom mostly unchanged for almost fifteen years and it's only in the past few years that the EU has chosen to intervene in their marketplace

You literally just described Apple "starting it". They took the initial action (~15 years ago, by your words), starting it, and the other parties reacted, after that action.

I’m sorry, what fight did Apple start with the EU fifteen years ago? You do know what a fight is, right?
They started engaging in the sort of anticompetitive behavior that the EU laws in question were written to discourage or forbid, as you yourself noted when you pointed out that Apple's actions took place before said legislative reactions. Here's the quote from you:

> Apple have been running their little fiefdom mostly unchanged for almost fifteen years

Apple could have started out being more consumer friendly from the beginning, and it wouldn't have been starting a fight with consumers. But they didn't, and now they're reaping the consequences.

Ya, can't square the two? Check this out: violence actually works, so should we beat our kids?
The EU is not exactly doing this exclusively for privacy. This is a geopolitical ploy to thwart America's dominance in Tech, as a cope for not being able to produce any homegrown rivals to America's tech giants.
Why do Americans always read backroom politics into everything?

How does the GDPR help EU tech companies? I hope you're not about to tell me it's a ploy to bundle up resources for compliance in US companies or it levels the ground for the EU to be able to compete somehow. It caused enough headaches for us too.

Sometimes a good thing is just a good thing. The US supposedly was a country that had laws made without sinister corporatism at work at one point too.

An alternative - and you have to admit reasonable counter-hypothesis - is that everything you just wrote as a belief is - to some degree - American Cope to explain away why the US can't have what Europe does.

Also known as projection.

Well, yeah, but isn't the EU also responsible for all the trash cookie-consent notifications I get from every website now?

Overall, I'm happy they're actively involved. The hands-off attitude in the US is terrible.

No, it's the builders of the consent notifications who are responsible for that. They are often skirting or even breaking EU law to make it a headache to refuse. The GDPR says, for example, that refusal should be just as easy as acceptance. Having to click to another screen to do that is... not that.

In reality a cookie consent notification can just as well be a small widget somewhere with an accept and refuse button, but it's the builders of these frameworks that have a vested interest in getting you to press accept.

I applied for a job at one of these companies about a year ago, and I asked them about it. They said to me that according to their metrics, there's about 30% more acceptance if they only bury their Refuse button, so it's a legal risk they are willing to take.

Needless to say, when they invited me for a second conversation, I politely refused.

No, the shitty cookie screens with dark patterns are not the responsibility of the EU - although you could make the argument that the EU should have been stricter or more prescriptive.

It's not just the dark-pattern cookie popups that are a problem - it's having any mandatory cookie popups --even the fairly-designed ones-- on virtually every website that you ever open. That's what's crappy about the implementation.

I once read a light-hearted analysis of the cumulative time wasted by humanity due to the original USB plugs/sockets being unidirectional. I suspect a similar analysis of these cookie popups would be shocking.

Hah, first Google hit: https://www.linkedin.com/pulse/billions-hours-now-being-wast.... (Not sure I agree with the numbers used, but the order of magnitude probably isn't too far wrong)

Cookie banners are not mandatory. If you're just using technical cookies you don't need a banner at all. Websites with them want to track you, that's why they have them. They need to ask for your permission to do so, which I think is a good thing. So instead of being mad at the EU we should be mad at those websites trying to get as much data as possible from their users.
Actually, websites could "not track" BY DEFAULT (so no popup) and have a nice widget in a corner asking for consent to track, explaining why they need it, without this widget being obstructive...

The problem is definitely NOT THE REGULATION but the way that websites have become a data/cash machine...

> Actually, websites could "not track"

Yes, why not stop there?

If you don't collect data you don't need to ask permission to collect data.

https://lokilist.com/about.php

Likewise, a "privacy policy" explains the extent to which your privacy will be violated.

The regulation could have been much better though. For one, it's unclear if Google Analytics cookies qualify. Spain and Austria say one thing, The Netherlands says another, so out of an abundance of caution websites put them everywhere.

I also think it would have been very feasible for the EU to define that a browser could ask for consent once and then apply that to many/all sites by sending a header. So the popup would only be needed for people without a browser that has implemented it.

  > Spain and Austria say one thing, The Netherlands says another
I thought that it is very clear that GA cookies qualify for the banner notification. What should I be reading to hear the opposing opinion?
Well, note that I said it could just as well be a widget on the website somewhere.

There's no such thing as a mandatory cookie popup. You don't need to get explicit consent if your website needs certain cookies to do what the user wants it to do. Placing a session cookie to log in is fine, for example. And it's also fine to place tracking cookies if and only if the user goes to aforementioned widget and presses the "please track me" button.

But users don't want that, obviously, so websites are built to force you to acknowledge the choice. The problem here is not the implementation of the law - it's the attitude of the website builders.

What if the websites respected my user-agent (browser) setting called "Do not track"? Zero hours would be wasted. I think geizhals.at is one of the few that does this.

In other words, the websites are showing cookie popups in your face because they really, really do want to track you, and for that they need your explicit consent. Nobody forced them to track you. The implementation does not matter; the intentions are crappy.

I think there is a recent court ruling saying websites should respect DNT settings as a (rejection of) consent; if that would be adopted universally, we would be done with the popups.

edit: https://dig.watch/updates/german-court-affirms-legal-signifi...

No banner is required. No interaction at all in fact.

Companies can comply with the law by following the old and standard DNT header. It's transparent to the user, no pop up of any kind.

They chose not to.

They are the ones you should be angry at, not the EU.

Law making bodies are responsible for all consequences of their legislation whether they are intentional or not. They are the ones in charge so the buck stops with them. Make better laws.
With this line of logic, you give absolution to anything immoral that is actually legal, saying the state should have done better.
That sounds like somebody familiar with compilers and interpreters, applying the same logic to law. That reasoning is flawed.
But they're not mandatory. There is nothing stopping websites from not doing it, the previous poster was wrong. The GDPR requires consent, how you obtain that consent is irrelevant. Websites could not store cookies by default and you'd have to manually go and opt in. Maybe we even can have a per browser setting.
Specifically, GDPR requires consent before you do (some) things the user might not want. You could simply not try to do those things and then you won't need to obtain consent at all.

It's absurd how used we have become to wantonly collecting user data that some people can't even imagine not doing that.

Yeah. Or, you could make the opt-in something the user has to choose himself, like a link on the page.
GDPR provides mechanisms for getting implicit consent for technically required cookies. For other types of data storage, explicit consent is required. And that's the problem, there are a lot of terrible websites out there that value their ability to stalk you and sell your information more than your ability to use the website.

For consent, the old "hide tracking terms in the terms of service" approach is not allowed anymore. That's where the popups come from, the user needs to know what they're consenting to if the data processing isn't actually required for the website to work.

I would like to see something like P3P (but better) to make a return. We have DNT and its followup, but they're not sufficiently scopable in my opinion.

There's no implicit consent, technically required cookies have a different basis for processing. And, yes, I'm aware of that, my point is that people who create websites choose to force the consent box in front of you, there's nothing in the GDPR that mandates that. It could be a link at the bottom, some header...

  > Maybe we even can have a per browser setting.
DNT header?
Then enforce the law. Making the regulation and letting people halfway get around it and not holding them accountable just made things worse for everyone.
Also, and too often overlooked or silently ignored:

You don't need cookie popups! Really. You don't.

You only need to get consent to track users with software you don't run yourself. Or when you sell your data off to other companies.

Both are, unfortunately, the norm. But there's absolutely no technical reason to have these in place. None at all. Plenty of alternatives for tracking that doesn't need consent. Or just not sell your customers' data off.

I would be infuriated if I found the bakery down the street is selling its security footage with my face on it, next to my sales and spending in that bakery. I'd expect them to at least warn me about this at the door. So I can then buy my bread elsewhere. That's what a consent banner is!

Thank you for this accurate analogy. Similar to what if the post office delivered all your mail for free but they also opened it and read it in order to send you advertising.
> The GDPR says, for example, that refusal should be just as easy as acceptance.

Not true, actually! GDPR is a framework, and every EU country implements a national law according to that framework (e.g. the Dutch implementation is called "AVG"). The specific requirement that refusal must be as easy as acceptance is not in the GDPR, but several countries added it to their national implementation of the GDPR.

This is a misconception that I've seen going around, and I still wonder where it came from.

The Dutch implementation is called "Uitvoeringswet Algemene Verordening Gegevensbescherming", which, as the title states, is the law that implements the GDPR. "AVG" is just a translation for "GDPR", not the name of the law that implements it.

The Uitvoeringswet describes how the GDPR functions within Dutch law, for example, it describes the role that the Dutch Data Protection Authority plays. You can read the Uitvoeringswet right here: https://wetten.overheid.nl/BWBR0040940/2021-07-01

The GDPR (in Dutch AVG, in French RGPD, in Spanish RGPD, etc.) actually DOES state that it should be just "as easy to withdraw as to give consent" in Article 7. The directive (2016/679) can be found here: https://eur-lex.europa.eu/eli/reg/2016/679.

Eh.

> "as easy to withdraw as to give consent"

The full Article 7, section 3, in English, says:

> The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

I think this can be interpreted as, you ask for consent, it doesn't have to be as easy to say no, but once consent is given - it should be as easy to withdraw it as it is to re-give it after it was withdrawn.

Somewhat badly worded, in my opinion. It doesn't unambiguously say "refusing consent every time it is requested should be as easy as accepting it."

That is a common misconception. In EU law, there are regulations and directives. Regulations are immediately active in all EU countries. In contrast, directives need to be translated into national law by each individual country. The GDPR is a regulation. (for details: https://european-union.europa.eu/institutions-law-budget/law... )
Disabling cookies will cause _more_ of the "cookie prompts" to appear, not less. Some pages these days even will prevent visiting them unless they can set a cookie...

Also, cookies are not the only method of tracking which is supposed to be disabled when you hit Deny.