Hacker News new | ask | show | jobs
by frankvdwaal 831 days ago
No, it's the builders of the consent notifications who are responsible for that. They are often skirting or even breaking EU law to make it a headache to refuse. The GDPR says, for example, that refusal should be just as easy as acceptance. Having to click to another screen to do that is... not that.

In reality a cookie consent notification can just as well be a small widget somewhere with an accept and refuse button, but it's the builders of these frameworks that have a vested interest in getting you to press accept.

I've applied for a job at one of these companies about a year ago, and I asked them about it. They said to me that according to their metrics, there's about 30% more acceptance if they only bury their Refuse button, so it's a legal risk they are willing to take.

Needless to say, when they invited me for a second conversation, I politely refused.

No, the shitty cookie screens with dark patterns is not the responsibility of the EU - although you could make the argument that the EU should have been stricter or more prescriptive.
4 comments
mft_ 831 days ago
It's not just the dark-pattern cookie popups that are a problem - it's having any mandatory cookie popups --even the fairly-designed ones-- on virtually every website that you ever open. That's what's crappy about the implementation.

I once read a light-hearted analysis of the cumulative time wasted by humanity due to the original USB plugs/sockets being unidirectional. I suspect a similar analysis of these cookie popups would be shocking.

Hah, first Google hit: https://www.linkedin.com/pulse/billions-hours-now-being-wast.... (Not sure I agree with the numbers used, but the order of magnitude probably isn't too far wrong)

link
MaKey 831 days ago
Cookie banners are not mandatory. If you're just using technical cookies you don't need a banner at all. Websites with them want to track you, that's why they have them. They need to ask for your permission to do so, which I think is a good thing. So instead of being mad at the EU we should be mad at those websites trying to get as much data as possible from their users.
link
olivierduval 831 days ago
Actually, websites could "not track" BY DEFAULT (so no popup) and have a nice widget in a corner asking for consent to track, explaining why they need it, without this widget being obstructive...

The problem is definitly NOT THE REGULATION but the way that websites have become a data/cash machine...

link
account42 830 days ago
> Actually, websites could "not track"

Yes, why not stop there?

link
RunSet 830 days ago
If you don't collect data you don't need to ask permission to collect data.

https://lokilist.com/about.php

Likewise, a "privacy policy" explains the extent to which your privacy will be violated.

link
speleding 830 days ago
The regulation could have been much better though. For one, it's unclear if Google Analytics cookies qualify. Spain and Austria say one thing, The Netherlands says another, so out of an abundance of caution websites put them everywhere.

I also think it would have been very feasible for the EU to define that a browser could ask for consent once and then apply that to many/all sites by sending a header. So the popup would only be needed for people without a browser that has implemented it.

link
dotancohen 830 days ago 

  > Spain and Austria say one thing, The Netherlands says another
I thought that it is very clear that GA cookies qualify for the banner notification. What should I be reading to hear the opposing opinion?
link
speleding 830 days ago
The Dutch privacy authority claims that a consent popup is only needed for tracking cookies, and cookies with a purely analytical purpose are explicitly exempted. (https://autoriteitpersoonsgegevens.nl/themas/internet-slimme...).
link
dotancohen 830 days ago
Thank you
link
frankvdwaal 830 days ago
Well, note that I said it could just as well be a widget on the website somewhere.

There's no such thing as a mandatory cookie popup. You don't need to get explicit consent if your website needs certain cookies to do what the user wants it to do. Placing a session cookie to log in is fine, for example. And it's also fine to place tracking cookies if and only if the user goes to aforementioned widget and presses the "please track me" button.

But users don't want that, obviously, so websites are built to force you to acknowledge the choice. The problem here is not the implementation of the law - it's the attitude of the website builders.

link
tpm 830 days ago
What if the websites respected my user-agent (browser) setting called "Do not track"? Zero hours would be wasted. I think geizhals.at is one of the few that does this.

In other words, the websites are showing cookie popups in you face because they really, really do want to track you, and for that they need your explicit consent. Nobody forced them to track you. The implementation does not matter; the intentions are crappy.

I think there is a recent court ruling saying websites should respect DNT settings as a (rejection of) consent; if that would be adapted universally, we would be done with the popups.

edit: https://dig.watch/updates/german-court-affirms-legal-signifi...

link
BiteCode_dev 830 days ago
No banner is required. No interaction at all in fact.

Companies can comply with the law by following the old and standard DNT header. It's transparent to the user, no pop up of any kind.

They chose not to.

They are the ones you should be angry at, not the EU.

link
macinjosh 830 days ago
Law making bodies are responsible for all consequences of their legislation whether they are intentional or not. They are the ones in charge so the buck stops with them. Make better laws.
link
BiteCode_dev 830 days ago
With this line of logic, you give absolution to anything immoral that is actually legal, saying the state should have done better.
link
dotancohen 830 days ago
That sounds like somebody familiar with compilers and interpreters, applying the same logic to law. That reasoning is flawed.
link
gcbirzan 831 days ago
But they're not mandatory. There is nothing stopping websites from not doing it, the previous poster was wrong. The GDPR requires consent, how you obtain that consent is irrelevant. Websites could not store cookies by default and you'd have to manually go and opt in. Maybe we even can have a per browser setting.
link
account42 830 days ago
Specifically, GDPR requires consent before you do (some) things the user might not want. You could simply not try to do those things and then you won't need to obtain consent at all.

It's absurd how used we have become to wantonly collecting user data that some people can't even imagine not doing that.

link
gcbirzan 830 days ago
Yeah. Or, you could make the opt-in something the user has to choose himself, like a link on the page.
link
jeroenhd 830 days ago
GDPR provides mechanisms for getting implicit consent for technically required cookies. For other types of data storage, explicit consent is required. And that's the problem, there are a lot of terrible websites out there that value their ability to stalk you and sell your information more than your ability to use the website.

For consent, the old "hide tracking terms in the terms of service" approach is not allowed anymore. That's where the popups come from, the user needs to know what they're consenting to if the data processing isn't actually required for the website to work.

I would like to see something like P3P (but better) to make a return. We have DNT and its followup, but they're not sufficiently scopable in my opinion.

link
gcbirzan 830 days ago
There's no implicit consent, technically required cookies have a different basis for processing. And, yes, I'm aware of that, my point is that people who create websites choose to force the consent box in front of you, there's nothing in the GDPR that mandates that. It could be a link at the bottom, some header...
link
dotancohen 830 days ago 

  > Maybe we even can have a per browser setting.
DNT header?
link
partitioned 830 days ago
Then enforce the law. Making the regulation and letting people halfway get around it and not holding them accountable just made things worse for everyone
link
berkes 830 days ago
Also, and too often overlooked or silently ignored:

You don't need cookie popups! Really. You don't.

You only need to get consent to track users with software you don't run yourself. Or when you sell your data off to other companies.

Both are, unfortunately, the norm. But there's absolutely no technical reason to have these in place. Non at all. Plenty of alternatives for tracking that doesn't need consent. Or just not sell your customers' data off.

I would be infuriated if I found the bakery down the street is selling its security footage with my face on it, next to my sales and spending in that bakery. I'd expect them to at least warn me about this at the door. So I can then buy my bread elsewhere. That's what a consent banner is!

link
hallway_monitor 830 days ago
Thank you for this accurate analogy. Similar to what if the post office delivered all your mail for free but they also opened it and read it in order to send you advertising.
link
Sander_Marechal 831 days ago
> The GDPR says, for example, that refusal should be just as easy as acceptance.

Not true, actually! GDPR is a framework, and every EU country implements a national law according to that framework (e.g. the Dutch implementation is called "AVG"). The specific requirement that refusal must be as easy as acceptance is not in the GDPR, but several countries added it to their national implementation of the GDPR.

link
frankvdwaal 830 days ago
This is a misconception that I've seen going around, and I still wonder where it came from.

The Dutch implementation is called "Uitvoeringswet Algemene Verordening Gegevensbescherming", which, as the title states, is the law that implements the GDPR. "AVG" is just a translation for "GDPR", not the name of the law that implements it.

The Uitvoeringswet describes how the GDPR functions within Dutch law, for example, it describes the role that the Dutch Data Protection Authority plays. You can read the Uitvoeringswet right here: https://wetten.overheid.nl/BWBR0040940/2021-07-01

The GDPR (in Dutch AVG, in French RGPD, in Spanish RGPD, etc.) actually DOES state that it should be just "as easy to withdraw as to give consent" in Article 7. The directive (2016/679) can be found here: https://eur-lex.europa.eu/eli/reg/2016/679.

link
underdeserver 830 days ago
Eh.

> "as easy to with as to give consent"

The full Article 7, section 3, in English, says:

> The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

I think this can be interpreted as, you ask for consent, it doesn't have to be as easy to say no, but once consent is given - it should be as easy to withdraw it as it is to re-give it after it was withdrawn.

Somewhat badly worded, in my opinion. It doesn't unambiguously say "refusing consent every time it is requested should be as easy as accepting it."

link
breisa 830 days ago
That is a common misconception. In EU law, there are regulations and directives. Regulations are immediately active in all EU countries. In contrast, directives need to be translated into national law by each individual country. The GDPR is a regulation. (for details: https://european-union.europa.eu/institutions-law-budget/law... )
link