by mft_ 831 days ago
It's not just the dark-pattern cookie popups that are a problem - it's having any mandatory cookie popups --even the fairly-designed ones-- on virtually every website that you ever open. That's what's crappy about the implementation.

I once read a light-hearted analysis of the cumulative time wasted by humanity due to the original USB plugs/sockets being unidirectional. I suspect a similar analysis of these cookie popups would be shocking.

Hah, first Google hit: https://www.linkedin.com/pulse/billions-hours-now-being-wast.... (Not sure I agree with the numbers used, but the order of magnitude probably isn't too far wrong)

6 comments

Cookie banners are not mandatory. If you're just using technical cookies you don't need a banner at all. Websites with them want to track you, that's why they have them. They need to ask for your permission to do so, which I think is a good thing. So instead of being mad at the EU we should be mad at those websites trying to get as much data as possible from their users.
Actually, websites could "not track" BY DEFAULT (so no popup) and have a nice widget in a corner asking for consent to track, explaining why they need it, without this widget being obstructive...

The problem is definitely NOT THE REGULATION but the way that websites have become a data/cash machine...

> Actually, websites could "not track"

Yes, why not stop there?

If you don't collect data you don't need to ask permission to collect data.

https://lokilist.com/about.php

Likewise, a "privacy policy" explains the extent to which your privacy will be violated.

The regulation could have been much better though. For one, it's unclear if Google Analytics cookies qualify. Spain and Austria say one thing, The Netherlands says another, so out of an abundance of caution websites put them everywhere.

I also think it would have been very feasible for the EU to define that a browser could ask for consent once and then apply that to many/all sites by sending a header. So the popup would only be needed for people without a browser that has implemented it.

> Spain and Austria say one thing, The Netherlands says another

I thought that it is very clear that GA cookies qualify for the banner notification. What should I be reading to hear the opposing opinion?
The Dutch privacy authority claims that a consent popup is only needed for tracking cookies, and cookies with a purely analytical purpose are explicitly exempted. (https://autoriteitpersoonsgegevens.nl/themas/internet-slimme...).
Thank you
Well, note that I said it could just as well be a widget on the website somewhere.

There's no such thing as a mandatory cookie popup. You don't need to get explicit consent if your website needs certain cookies to do what the user wants it to do. Placing a session cookie to log in is fine, for example. And it's also fine to place tracking cookies if and only if the user goes to aforementioned widget and presses the "please track me" button.

But users don't want that, obviously, so websites are built to force you to acknowledge the choice. The problem here is not the implementation of the law - it's the attitude of the website builders.

What if the websites respected my user-agent (browser) setting called "Do not track"? Zero hours would be wasted. I think geizhals.at is one of the few that does this.

In other words, the websites are showing cookie popups in your face because they really, really do want to track you, and for that they need your explicit consent. Nobody forced them to track you. The implementation does not matter; the intentions are crappy.

I think there is a recent court ruling saying websites should respect DNT settings as a (rejection of) consent; if that would be adapted universally, we would be done with the popups.

edit: https://dig.watch/updates/german-court-affirms-legal-signifi...

No banner is required. No interaction at all in fact.

Companies can comply with the law by following the old and standard DNT header. It's transparent to the user, no pop up of any kind.

They chose not to.

They are the ones you should be angry at, not the EU.

Law making bodies are responsible for all consequences of their legislation whether they are intentional or not. They are the ones in charge so the buck stops with them. Make better laws.
With this line of logic, you give absolution to anything immoral that is actually legal, saying the state should have done better.
That sounds like somebody familiar with compilers and interpreters, applying the same logic to law. That reasoning is flawed.
But they're not mandatory. There is nothing stopping websites from not doing it, the previous poster was wrong. The GDPR requires consent, how you obtain that consent is irrelevant. Websites could not store cookies by default and you'd have to manually go and opt in. Maybe we even can have a per browser setting.
Specifically, GDPR requires consent before you do (some) things the user might not want. You could simply not try to do those things and then you won't need to obtain consent at all.

It's absurd how used we have become to wantonly collecting user data that some people can't even imagine not doing that.

Yeah. Or, you could make the opt-in something the user has to choose himself, like a link on the page.
GDPR provides mechanisms for getting implicit consent for technically required cookies. For other types of data storage, explicit consent is required. And that's the problem, there are a lot of terrible websites out there that value their ability to stalk you and sell your information more than your ability to use the website.

For consent, the old "hide tracking terms in the terms of service" approach is not allowed anymore. That's where the popups come from, the user needs to know what they're consenting to if the data processing isn't actually required for the website to work.

I would like to see something like P3P (but better) to make a return. We have DNT and its followup, but they're not sufficiently scopable in my opinion.

There's no implicit consent, technically required cookies have a different basis for processing. And, yes, I'm aware of that, my point is that people who create websites choose to force the consent box in front of you, there's nothing in the GDPR that mandates that. It could be a link at the bottom, some header...

> Maybe we even can have a per browser setting.

DNT header?
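
The server-side behaviour several comments in this thread describe (session cookie without a banner, no tracking cookie by default, DNT read as a refusal, tracking only after an explicit opt-in), as an added example that is not code from any commenter or from the sites mentioned. The cookie names `sid`, `aid` and `consent`, the opt-in widget that sets `consent=tracking`, and the rule that a `DNT` or `Sec-GPC` signal overrides a stored opt-in are assumptions of this sketch.

```javascript
const { randomBytes } = require('node:crypto');

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Lower-case header names so lookups work whatever casing the caller used.
function normalize(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  return h;
}

// Tracking is off by default. It needs an explicit opt-in (assumed to be
// recorded as consent=tracking by the site's opt-in widget), and a DNT or
// Sec-GPC signal from the browser overrides even a stored opt-in.
function trackingAllowed(headers) {
  const h = normalize(headers);
  if (h['dnt'] === '1' || h['sec-gpc'] === '1') return false;
  return parseCookies(h['cookie']).consent === 'tracking';
}

// Return the Set-Cookie values to send with this response.
function cookiesToSet(headers) {
  const jar = parseCookies(normalize(headers)['cookie']);
  const out = [];
  // Session cookie: needed for login to work, so issued without asking.
  if (!jar.sid) {
    out.push(`sid=${randomBytes(16).toString('hex')}; Path=/; Secure; HttpOnly; SameSite=Lax`);
  }
  if (trackingAllowed(headers)) {
    if (!jar.aid) {
      out.push(`aid=${randomBytes(8).toString('hex')}; Path=/; Secure; SameSite=Lax; Max-Age=2592000`);
    }
  } else if (jar.aid) {
    // Refusal or no opt-in: expire an analytics id left from an earlier visit.
    out.push('aid=; Path=/; Max-Age=0');
  }
  return out;
}
```

A first-time visitor gets only the session cookie and sees no prompt; the analytics identifier appears only on requests that already carry the opt-in.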