Jan Wildeboer π·
Tech bros love to whine about "The EU cookie policy" that simply doesn't exist the way they imagine it. All these popups are the most radical way to interpret the explicit consent demanded by regulations when sending data to a 3rd party or collecting personal data by the site itself. An ongoing provocation by the ad/tracker industry to blame their ruthless data hoarding on the EU.
Every time you see such a cookie consent pop-up, you know you are on a website that has accepted to share your data with some data collecting entity. That they are willing to hand over parts of the page content to be filled by a 3rd party. And allow that 3rd party to aggregate and sell their visitors data to the highest bidder. So stop blaming "the EU" and ask yourself if this is the internet we want.
The ad/tracker "industry" used the same tactics to ruin the DNT (Do Not Track) flag that we had years ago. Because they simply don't WANT to give users an option to just say no. And they have convinced their customers that "enhancing" the web with these popups is the only acceptable way to work. And these customers just accept that.
To make this very clear: user/visitor consent is only needed for data typically going to 3rd parties. All cookie laws, including GDPR and CCPA, allow essential first-party cookies to be exempt from collecting user consent before performing their actions. So the simple, non-persistent session cookie on your site DOES NOT need a consent popup AT ALL. Regardless of what the ad/tracker "industry" tries to insinuate.
And finally: This is all IMHO. My personal frustration. The web wasn't created to be an invasive data collection engine in the hands of a few. It became what it is for many reasons. But it doesn't have to stay that way. Do your little part. Create static pages whenever that's sufficient. Resist including external scripts/tracker stuff. We can return to a #BetterWeb :) Yes, I am that optimistic!
OK. Some more clarifications now that this thread has hit Hacker News. For cookies under GDPR consent is needed for the "not strictly necessary" ones. This typically means all 3rd party (tracking) cookies that are not strictly needed for the website to work. 1/n
Strictly necessary cookies, like simple session cookies that are valid until the end of the session and used e.g. to store/refernce form inputs ARE exempted. This typically boils down to 1st party cookies. BUT. If you store not strictly necessary information in that same or another 1st party cookie, consent is needed. 2/n
If you use technologies like analytics and DO NOT store individual information about the data subject (GDPR lingo for user/visitor) like IP address you again are exempted. 3/n
Does this sound complicated? Yes. But not that much, IMHO. Whenever you store information that contains PD (Personal Data) that is not strictly necessary for your site to work, you need consent.. BUT that does NOT mean these gargantuan popups with a gazillion of options the ad/tracking "industry" forces upon us. A simple yes/no is sufficient and actually mandated. 4/n
UPDATE: changed PII (personally identifiable information) to PD (Personal data) as in GDPR PD is the context.
A good example: https://european-union.europa.eu/index_en A non-intrusive bar at the bottom with a clear choice. That doesn't block using the site (until you agree, the site treats you as if you have not agreed. Simple). With a link to clearly written explanation.
And if you really care about the basics: this document from 2012(!) explains in quite a lot of detail which cookies are exempted and which are not: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf
Frost, wolf of winter πΊπ
@jwildeboer The clear decline button is something we don't often see!
And then there's those companies that go "ah, yes, linking your different devices together is an Essential Thing!" *growls*
Alan Fuller@jwildeboer I agree, it isn't actually that hard for many websites to comply without an annoying popup.
Marcus Bointon@alan @jwildeboer more than that - by default all straightforward sites are compliant, at zero cost and effort. They then go out of their way to spend dev $$$ to add shitty tracking, and then complain about the cost effort required to remove it. Somehow the adtech industry has managed to convince people that the second step is required, when itβs entirely unnecessary.
@Synchro @jwildeboer you really mean Google Analytics don't you, which probably 99% of websites have installed and 99% of the website owners have no idea how to use the information it captures.
Niclas Hedhman@jwildeboer
Every now and then I check the list of "3rd parties" (with the silly option to on/off each one individually) and the list exceeded 300 companies.
But isn't it also that outside EU, there is no "cookies popup", or?
The current situation is insane, and I don't understand why almost no one cares about it.
@jwildeboer This is all really good to know, thanks!
ploum@jwildeboer : those gargantuan popups are all done by the same joint-venture which was founded with the intent of making it more complex for users to refuse tracking than to accept it.
According to some recent belgian judgment, those famous gargantuan popups are *not* GDPR compliant.
So this is illegal pro-tracking lobbies propaganda. But they managed to instill in people mind the idea that itβs EU fault. There are adverstisers, lying is their profession after allβ¦
https://www.linkedin.com/pulse/truth-behind-cookie-banners-alexander-hanff-cipp-e-cipt-fip-/
The truth behind cookie banners
Given all of the soundbites coming out of the UK over the past couple of weeks in relation to Cookie Banners - I decided it is time that someone told the truth about the history which led us to this point. First and foremost, what qualifies me to comment on these issues? The answer to that is really
Andy Davies@jwildeboer I presume youβre talking about 1st party analytics with this statement?
With 3rd party analytics the visitorβs IP address is exposed to the provide so consent is required in that case
Tom Verbeure@jwildeboer Concretely: I have a static website that doesn't use Google Analytics, but if I were to add it, would I need to add the cookie popup?
bazzargh@jwildeboer there's a good example for this: https://www.goatcounter.com/ ... privacy respecting analytics that should not require the popup.
ben@jwildeboer This is not true. The cookie consent requirement is not because you process personal data. It actually has little to do with GDPR in the first place, it's due to Article 5(3) of the ePrivacy Directive. If your cookies are not "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service" you need consent, whether you process personal data or not.
Dr. Dek π¨βππ§π )@jwildeboer
My webserver is storing the IP address of all requests, should I get consent for this as well?
My webserver is storing the IP address of all requests, should I get consent for this as well?
Ellie@jwildeboer it's sadly quite a common reaction on Hacker News for people to look for the "one simple trick" technical decision that would be within the law but allow unlimited consent free tracking. It ignores that (a) most laws don't work like that, (b) the EU is much more likely to smack a "technically permissible by the letter but not by the spirit of the law" trick than the US still
Daniel Gibson@jwildeboer
what about the cookie to store the users login, so they don't have to login again every time they reopen the browser (or whatever starts a new session)? does that already need consent? (it isn't *strictly* necessary, but not having it greatly reduces usability)
what about the cookie to store the users login, so they don't have to login again every time they reopen the browser (or whatever starts a new session)? does that already need consent? (it isn't *strictly* necessary, but not having it greatly reduces usability)
Cassandrich@jwildeboer I would think if you store a session cookie that allows reidentification of a user when they return, that's not part of keeping state they've intentionally set (like a cart they've added items to), that's non essential and should require consent. The "always create session cookies" mindset is a problem.
Allan SvelmΓΈe Hansen@jwildeboer While I wholeheartedly agree with your point about the gigantic and super annoying 1000 options consent screens;
The definition of 'strictly necessary' does differ from e.g. preference and functional, so I'd personally be careful with the "typically means" and I'd verify any given interpretation with (at least) the national governance and/or err on the side of caution.
I hate implementing cookie banners, but I'd hate for clients to be fined even more.
Kevin Karhan 
@jwildeboer you mean like @aral and others with the #web0 mainfesto?
@jwildeboer @aral *nodds in agreement*
I mean there's rarely any "added value" in using these.
Like there's hardly any necessity for SSO on something like a restaurant or shop's website, much less need for analytics beyond what #Matomoto nee. #Piwik can do by looking at the webserver logs...
And even that would be overkill since SMEs won't actually optimize their website - heck most large enterprises don't even do that if you surf from #EDGEland...
Ludovic :Firefox: :FreeBSD:@jwildeboer for that we need more engine diversity, eg more people coming back to firefox, people jumping on the servo boat etc ...
Kevin Wittek@jwildeboer Love this thread π
RenΓ© Schwietzke@jwildeboer Mine are static, just because the security update craziness drives me crazy. That is not sustainable.
WesDym@jwildeboer I really miss GeoCities.
vascorsd@wesdym @jwildeboer there's neocities.