by jonesjohnson 214 days ago
the issue was never the law.

the issue was the 100s of tracking cookies and that websites would use dark patterns or simply not offer a "no to all" button at all (which is against the law, btw.)

Most websites do. not. need. cookies.

It's all about tracking and surveillance to show you different prices on airbnb and booking.com to maximise their profits.

https://noyb.eu/en/project/cookie-banners (edit: link)


The issue is the lack of enforcement of the law. And instead of strengthening the enforcement, they are diluting the law now.
I think that most websites need cookies. I have a website with short stories. It lets you set font size and dark/bright theme, nothing special. Do I want to store your settings on server? No, why should I waste my resources? Just store it in your browser! Cookies are perfect for that. Do I know your settings? No, I don't, I don't care. I set a cookie, JS reads it and changes something on client. No tracking at all. Cookies are perfect for that. People just abuse them like everything else, that's the problem, not cookies.

And BTW because I don't care about your cookies, I don't need to bother you with cookie banner. It's that easy.

Also, if I would implement user management for whatever reason, I would NOT NEED to show the banner also. ONLY if I shared the info with third side. The rules are simple yet the ways people bend them are very creative.

A cookie is something that is sent to the server, by design - that's their whole point! So if the only part of your code that needs them lives on the client, cookies are the wrong mechanism for that - use localStorage instead.
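As an added example (not code from anyone in the thread), here is the client-only preference store the two comments above describe: theme and font size live in `localStorage`, so they never ride along in a `Cookie` header, and whatever comes back out of storage is validated before it is applied to the page. The storage object is injected so the same code runs in a browser (pass `window.localStorage`) or offline in Node with the constructed in-memory stand-in; `readerPrefs`, the allowed values and the limits are assumptions for the example.

```javascript
'use strict';

// Allowed values: storage contents are user-editable and readable by any script
// on the origin, so treat them as untrusted input, not as trusted state.
const ALLOWED_THEMES = new Set(['light', 'dark']);
const FONT_MIN = 12, FONT_MAX = 24, FONT_DEFAULT = 16;
const KEY = 'readerPrefs'; // assumed storage key

// Turn a raw (possibly malformed or tampered) storage value into safe prefs.
function sanitizePrefs(raw) {
  let parsed = {};
  try { parsed = JSON.parse(raw) || {}; } catch (e) { parsed = {}; }
  const theme = ALLOWED_THEMES.has(parsed.theme) ? parsed.theme : 'light';
  let fontSize = Number(parsed.fontSize);
  if (!Number.isInteger(fontSize)) fontSize = FONT_DEFAULT;
  fontSize = Math.min(FONT_MAX, Math.max(FONT_MIN, fontSize));
  return { theme, fontSize };
}

// Read prefs from storage; missing or corrupt data falls back to defaults.
function loadPrefs(storage) {
  return sanitizePrefs(storage.getItem(KEY));
}

// Persist prefs, clamping and whitelisting before they are written.
function savePrefs(storage, prefs) {
  const clean = sanitizePrefs(JSON.stringify(prefs));
  storage.setItem(KEY, JSON.stringify(clean));
  return clean;
}

// Apply prefs through dataset/style, never through innerHTML, so a tampered
// value can at worst pick a theme, not inject markup.
function applyPrefs(rootElement, prefs) {
  rootElement.dataset.theme = prefs.theme;
  rootElement.style.fontSize = prefs.fontSize + 'px';
  return rootElement;
}

// Constructed stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a page you would call `applyPrefs(document.documentElement, loadPrefs(window.localStorage))` on load; nothing here produces a `Set-Cookie` or `Cookie` header, which is the property the comment above is after.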
> lets you set font size and dark/bright theme,

You do not need cookies for either of these. CSS can follow browser preferences, and browsers can change font sizes with zoom.

I am not sure these cookies are covered by the regulations. No personal data, so not covered by GDPR. They might be covered by the ePrivacy directive (the "cookie law").

Unfortunately, because these types of preferences (font size, dark/light mode theme) are "non-essential", you are required to inform users about them using a cookie banner, per EU ePrivacy directive (the one that predates the GDPR). So if you don't use a cookie banner in this case, you are not in compliance.
That's not true. You can use those cookies, you just need to explain them somewhere on the site. No opt in required.

I talked with our then national information law official (funny fact, same person is currently president of our country), rule of thumb is if you're not using your users' personal data to pay for other people's services (e.g Google analytics) or putting actual personal data in them, you're generally fine without the banner.

Further, if you're a small shop or individual acting in good faith and somehow still violated the law, they will issue a warning first so you can fix the issue. Only the blatant violations by people who should've known better will get a fine instantly (that is the practice here, anyway; I assumed that was the agreement between EU information officers).

> Most websites do. not. need. cookies.

All websites need cookies, at least for functionality and for analytics. We aren't living in the mid-1990s when websites were being operated for free by university departments or major megacorps in a closed system. The cookie law screwed all the small businesses and individuals who needed to be able to earn money to run their websites. It crippled everyone but big megacorps, who just pay the fines and go ahead with violating everyone's privacy.

Functional cookies are fine. Even analytics is fine if you're using your own (though said own analytics must also comply with GDPR personal data retention rules).

What is not fine is giving away your users' personal data to pay for your analytics bill.

I'm not sure why this is being downvoted?
The premise is that the intent of the law was good, so everyone should naturally change their behavior to obey the spirit of the law.

That isn't how people work. The law was poorly written and even more poorly enforced. Attempts at "compliance" made the web browsing experience worse.

The implementors of the banners did it in the most annoying way, so most users will just accept all instead of rejecting all (because the button to reject all was hidden or not there at all). Check the Steam store, for example: their banner is non-intrusive and you can clearly reject or accept all in one click.
The law wasn't poorly written, most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous that people think it's the fault of the law itself.
> [...] most websites just don't follow the law. Yes, they're doing illegal things, but it turns out enforcement is weak so the lawbreaking is so ubiquitous [...]

I just checked the major institutional EU websites listed here[0], and every single one (e.g., [1][2][3]) had a different annoying massive cookie banner. In fact, I was impressed I couldn't find a single EU government website without a massive cookie banner.

I don't know if it is due to the law enforcement being so weak (or if the law itself is at fault or whatever else). But it seems like something is not right (either with your argument or EU), given the EU government itself engages in this "lawbreaking" (as defined by you) on every single one of their own major institutional websites.

The potential reason you brought up of "law enforcement is just weak" just seems like the biggest EU regulatory environment roast possible (which is why I don't believe it to be the real reason), given that not only they fail to enforce it against third parties (which would be at least somewhat understandable), but they cannot even enforce it on any of their own first party websites (aka they don't even try following their own rules themselves).

0. https://guides.libraries.psu.edu/european-union/official-ser...

1. https://www.europarl.europa.eu/portal/en

2. https://www.consilium.europa.eu/en/

3. https://european-union.europa.eu/index_en

> "lawbreaking" (as defined by you)

What do you mean? The original post mentions 1000 cookies and no button to reject them. The sites you mention have only two buttons (accept/reject). So they are following the law and not engaging in dark patterns.

That is unfortunate, EU could well present itself as an example of how things can be done right. Unfortunately incompetence and/or indifference, plus lack of IT talent willing to work for the public sector is also a thing in politics. It's an opportunity lost for sure.
> law wasn't poorly written, most websites just don't follow the law

I honestly haven't found the banners on EU websites any less annoying or cumbersome than those on shady operators' sites.

Most websites in the EU also aren't following the law.
People intentionally made the banners annoying or tried to make the reject button smaller / more awkward so that they could keep tracking.

Definitely a failure of enforcement, but let's not pretend that was good faith compliance from operators either.

I'd settle for companies obeying the letter of the law. They don't do that either.
> Attempts at "compliance" made the web browsing experience worse.

Malicious compliance made the web browsing experience worse. That and deliberately not complying by as much as sites thought they could get away with, which is increasing as it becomes more obvious enforcement just isn't there.

Because the issue is due to a failure in the law. The failure of not enforcing the "do not track" setting from browsers that would avoid the need for these annoying pop-ups in the first place.
A lot of people at HN work in industries that track, or are the ones choosing to use the banners in the first place.