Tech bros love to whine about "The EU cookie policy" that simply doesn't exist the way they imagine it. All these popups are the most radical way to interpret the explicit consent demanded by regulations when sending data to a 3rd party or collecting personal data by the site itself. An ongoing provocation by the ad/tracker industry to blame their ruthless data hoarding on the EU.
Every time you see such a cookie consent pop-up, you know you are on a website that has agreed to share your data with some data collecting entity. That they are willing to hand over parts of the page content to be filled by a 3rd party. And allow that 3rd party to aggregate and sell their visitors' data to the highest bidder. So stop blaming "the EU" and ask yourself if this is the internet we want.
The ad/tracker "industry" used the same tactics to ruin the DNT (Do Not Track) flag that we had years ago. Because they simply don't WANT to give users an option to just say no. And they have convinced their customers that "enhancing" the web with these popups is the only acceptable way to work. And these customers just accept that.
To make this very clear: user/visitor consent is only needed for data typically going to 3rd parties. All cookie laws, including GDPR and CCPA, allow essential first-party cookies to be exempt from collecting user consent before performing their actions. So the simple, non-persistent session cookie on your site DOES NOT need a consent popup AT ALL. Regardless of what the ad/tracker "industry" tries to insinuate.
And finally: This is all IMHO. My personal frustration. The web wasn't created to be an invasive data collection engine in the hands of a few. It became what it is for many reasons. But it doesn't have to stay that way. Do your little part. Create static pages whenever that's sufficient. Resist including external scripts/tracker stuff. We can return to a #BetterWeb :) Yes, I am that optimistic!
OK. Some more clarifications now that this thread has hit Hacker News. For cookies under GDPR consent is needed for the "not strictly necessary" ones. This typically means all 3rd party (tracking) cookies that are not strictly needed for the website to work. 1/n
Strictly necessary cookies, like simple session cookies that are valid until the end of the session and used e.g. to store/reference form inputs ARE exempted. This typically boils down to 1st party cookies. BUT. If you store not strictly necessary information in that same or another 1st party cookie, consent is needed. 2/n
If you use technologies like analytics and DO NOT store individual information about the data subject (GDPR lingo for user/visitor) like IP address you again are exempted. 3/n

Does this sound complicated? Yes. But not that much, IMHO. Whenever you store information that contains PD (Personal Data) that is not strictly necessary for your site to work, you need consent. BUT that does NOT mean these gargantuan popups with a gazillion options the ad/tracking "industry" forces upon us. A simple yes/no is sufficient and actually mandated. 4/n

UPDATE: changed PII (personally identifiable information) to PD (Personal data) as in GDPR PD is the context.

A good example: https://european-union.europa.eu/index_en A non-intrusive bar at the bottom with a clear choice. That doesn't block using the site (until you agree, the site treats you as if you have not agreed. Simple). With a link to clearly written explanation.
And if you really care about the basics: this document from 2012(!) explains in quite a lot of detail which cookies are exempted and which are not: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf
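The thread keeps returning to one technical distinction: a non-persistent first-party session cookie versus a persistent cookie or one set for a third-party host. The script below is an added example, not code from the thread or from any of its posters. It parses Set-Cookie headers and makes exactly that distinction. The hostnames, cookie names and header values are constructed for illustration; "first-party" is decided by host-suffix matching against the page's hostname rather than by the Public Suffix List, and an Expires date is treated as persistent without parsing it, both of which are simplifications.

```python
"""Triage Set-Cookie headers: session vs persistent, first- vs third-party.

Constructed example for a Mastodon thread about cookie consent; not a
legal determination, only the technical facts the thread argues about.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class CookieInfo:
    name: str
    persistent: bool        # survives the browser session (Expires or Max-Age > 0)
    domain: Optional[str]   # explicit Domain attribute, if any
    first_party: bool       # scoped to the site the visitor actually requested


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, lowercased attributes).

    Attribute values such as an Expires date contain commas but never ';',
    so splitting on ';' is safe for a single header line.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_persistent(attrs: Dict[str, str]) -> bool:
    """Max-Age wins over Expires per RFC 6265; Max-Age <= 0 deletes the cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False  # malformed Max-Age is ignored by browsers
    # Assumption: any Expires value is in the future (no date parsing here).
    return "expires" in attrs


def host_matches(host: str, domain: str) -> bool:
    """Host-suffix match as in RFC 6265 domain matching (no Public Suffix List)."""
    domain = domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def classify(header: str, page_url: str, response_url: str) -> CookieInfo:
    """page_url is what the visitor asked for; response_url is who set the cookie."""
    name, _value, attrs = parse_set_cookie(header)
    page_host = urlsplit(page_url).hostname or ""
    resp_host = urlsplit(response_url).hostname or ""
    domain = attrs.get("domain") or None
    # Without a Domain attribute the cookie is host-only for the responding host.
    scope = domain if domain else resp_host
    return CookieInfo(
        name=name,
        persistent=is_persistent(attrs),
        domain=domain,
        first_party=host_matches(page_host, scope),
    )


def needs_review(page_url: str, responses: List[Tuple[str, str]]) -> List[str]:
    """Return the names of cookies that are persistent or third-party.

    A host-only session cookie set by the site itself is the case the thread
    calls 'simple session cookie'; everything else is flagged for a human to
    decide whether it is strictly necessary.
    """
    flagged = []
    for response_url, header in responses:
        info = classify(header, page_url, response_url)
        if info.persistent or not info.first_party:
            flagged.append(info.name)
    return flagged


# Constructed sample responses for a visit to https://shop.example/cart
SAMPLE_PAGE = "https://shop.example/cart"
SAMPLE_RESPONSES = [
    ("https://shop.example/cart",
     "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("https://shop.example/cart",
     "remember_me=tok; Max-Age=2592000; Path=/; Secure; HttpOnly"),
    ("https://api.shop.example/prefs",
     "pref=dark; Domain=.shop.example; Max-Age=31536000; Path=/"),
    ("https://tracker.example/collect",
     "_vid=GA1.2.1; Expires=Tue, 01 Jan 2030 00:00:00 GMT; "
     "Domain=.tracker.example; Path=/; SameSite=None; Secure"),
]

if __name__ == "__main__":
    for url, hdr in SAMPLE_RESPONSES:
        print(classify(hdr, SAMPLE_PAGE, url))
    print("review:", needs_review(SAMPLE_PAGE, SAMPLE_RESPONSES))
```

Only `sid` passes untouched: host-only, no Expires or Max-Age, set by the page's own host. `remember_me` is exactly the "stay logged in" cookie a later reply asks about; it is still first-party but persistent, so it is flagged for a human decision rather than waved through.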

@jwildeboer The clear decline button is something we don't often see!

And then there's those companies that go "ah, yes, linking your different devices together is an Essential Thing!" *growls*

@jwildeboer I agree, it isn't actually that hard for many websites to comply without an annoying popup.
@alan @jwildeboer more than that - by default all straightforward sites are compliant, at zero cost and effort. They then go out of their way to spend dev $$$ to add shitty tracking, and then complain about the cost and effort required to remove it. Somehow the adtech industry has managed to convince people that the second step is required, when it's entirely unnecessary.
@Synchro @jwildeboer you really mean Google Analytics don't you, which probably 99% of websites have installed and 99% of the website owners have no idea how to use the information it captures.

@jwildeboer
Every now and then I check the list of "3rd parties" (with the silly option to on/off each one individually) and the list exceeded 300 companies.

But isn't it also the case that outside the EU there is no "cookie popup", or?

The current situation is insane, and I don't understand why almost no one cares about it.

@jwildeboer This is all really good to know, thanks!

@jwildeboer : those gargantuan popups are all done by the same joint-venture which was founded with the intent of making it more complex for users to refuse tracking than to accept it.

According to some recent Belgian judgment, those famous gargantuan popups are *not* GDPR compliant.

So this is illegal pro-tracking lobbies' propaganda. But they managed to instill in people's minds the idea that it's the EU's fault. They are advertisers; lying is their profession after all…

https://www.linkedin.com/pulse/truth-behind-cookie-banners-alexander-hanff-cipp-e-cipt-fip-/

@jwildeboer I presume you’re talking about 1st party analytics with this statement?

With 3rd party analytics the visitor's IP address is exposed to the provider, so consent is required in that case

@jwildeboer Concretely: I have a static website that doesn't use Google Analytics, but if I were to add it, would I need to add the cookie popup?
@jwildeboer there's a good example for this: https://www.goatcounter.com/ ... privacy respecting analytics that should not require the popup.

@jwildeboer This is not true. The cookie consent requirement is not because you process personal data. It actually has little to do with GDPR in the first place, it's due to Article 5(3) of the ePrivacy Directive. If your cookies are not "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service" you need consent, whether you process personal data or not.
@jwildeboer
My webserver is storing the IP address of all requests, should I get consent for this as well?
@jwildeboer it's sadly quite a common reaction on Hacker News for people to look for the "one simple trick" technical decision that would be within the law but allow unlimited consent free tracking. It ignores that (a) most laws don't work like that, (b) the EU is much more likely to smack a "technically permissible by the letter but not by the spirit of the law" trick than the US still
@jwildeboer
what about the cookie to store the users login, so they don't have to login again every time they reopen the browser (or whatever starts a new session)? does that already need consent? (it isn't *strictly* necessary, but not having it greatly reduces usability)
@jwildeboer I would think if you store a session cookie that allows reidentification of a user when they return, that's not part of keeping state they've intentionally set (like a cart they've added items to), that's non essential and should require consent. The "always create session cookies" mindset is a problem.

@jwildeboer While I wholeheartedly agree with your point about the gigantic and super annoying 1000 options consent screens;
The definition of 'strictly necessary' does differ from e.g. preference and functional, so I'd personally be careful with the "typically means" and I'd verify any given interpretation with (at least) the national governance and/or err on the side of caution.

I hate implementing cookie banners, but I'd hate for clients to be fined even more.

@jwildeboer you mean like @aral and others with the #web0 manifesto?

https://web0.small-web.org/

@kkarhan Back to the roots. It isn't really complicated, at least for the vast majority of small to medium sized websites. It's just that almost all frameworks used bring in the dependencies that cause this popup mania to happen. @aral

@jwildeboer @aral *nods in agreement*

I mean there's rarely any "added value" in using these.

Like there's hardly any necessity for SSO on something like a restaurant or shop's website, much less need for analytics beyond what #Matomo née #Piwik can do by looking at the webserver logs...

And even that would be overkill since SMEs won't actually optimize their website - heck most large enterprises don't even do that if you surf from #EDGEland...

@jwildeboer for that we need more engine diversity, eg more people coming back to firefox, people jumping on the servo boat etc ...
@jwildeboer Mine are static, just because the security update craziness drives me crazy. That is not sustainable.
@jwildeboer where does sending event information to someone like Mixpanel for first party analytics around page use etc. fall in this?

@jwildeboer I remember how difficult it was helping my wife with her Squarespace site to try and configure it to not collect data.

Please! I beg you! I don't want user tracking and analytics!

Don't be silly, sir. You need it.

@jwildeboer the amount of time I have wasted explaining to clients that they do not need a cookie consent popup or banner is far too many hours.
@jwildeboer
This right here "user/visitor consent is only needed for data going to 3rd parties." Should be shout from the tallest building in every city around the world.
@jwildeboer what about non-essential first party cookies? My understanding is you need consent for them.
@jnbhlr You need consent when collecting data that allows identification of the data subject. A simple session cookie doesn't fit that definition. It's not a simple black and white thing between essential and non-essential. My point is that these pop-ups deliberately insinuate that this all somehow can only be solved by giving broad consent by default.
@jwildeboer @jnbhlr under the e-privacy directive cookies without consent are only allowed if they are essential for the function of a website.
Your point is still valid, selling data is not necessary to run a website.

@jwildeboer @jnbhlr

Depending on what you mean by pii and what is collected (ie - do you mean email?)
under gdpr you might ask for data held.
Could a service be created that examines cookies and puts in data requests or deletion requests for dpo@domains within said cookies (data requests are more of a pita than deletion requests)
I concede I'm not really thinking on validity here, but this kind of approach would be an evil way of creating admin level consumer bite back .

@jwildeboer They just try to FUD people knowing that they can Skinner-box people into clicking "accept all" by making "decline all" inaccessible [aka. needing to decline 100+ trackers manually!]...

Still, I'd still politely ask for consent for 1st party cookies [even tho I could legally avoid it] and offer people the choice to "decline all" with the info that this may break functionality if they choose so.

But that's just me believing in consent and autonomy of users.

#NotLegalAdvice

@jwildeboer I'm trying to get Chrome Web Store approval of a plugin that manipulates cookies for the sole purpose of creating a rendered internal image in order to extract publish bibliographic details from the page. The latest objection is that I haven't supplied a "prominent notice." I hope they're not demanding a popup, that would drive me straight to the GDPR regulators to get something to hit Google over the head with. Smells like obstruction, but waiting on response.

@jwildeboer This is not true. The exemptions in PECR (UK) are given in 6(4):

"(a)for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or

(b)where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user."

There is nothing in the legislation to differentiate 1st / 3rd party cookies.

@jwildeboer As an aside, recital 66 of the ePrivacy Directive says "The methods of providing information and offering the right to refuse should be as user-friendly as possible." - I can think of very few examples which meet this requirement.
@steve @jwildeboer also, someone else mentioned "PII". European law is concerned with "personal data" not "personally identifiable information" - nice explainer here (inc anonymous vs pseudonymous identifiers) https://blog.pangeanic.com/the-difference-between-pii-and-gdprs-personal-data
@grahamix @jwildeboer That article mentions that "general email addresses not containing personal data ([email protected])" are not personal data, which I think is risky. e.g. A small company with a single sales person may have [email protected] routed directly to that single person. Arguably, if there is a 1:1 relationship between an email address and a natural person, that could be considered personal data (no different to an individual having [email protected], where "blah" isn't their name).
@jwildeboer Many companies also violate GDPR, that says that consent must be "freely given". Therefore, you cannot choose on a person's behalf and say "if you don't like it, leave". You must provide an opportunity to reject. The UK also has PECR, which determines further restrictions on cookies - the following, applicable to non-essential cookies: the service must say what cookies will be set; explain what the cookies will do; and obtain consent to store cookies on devices
More details - The ICO

@jwildeboer this is the part I was always curious about. We use local session cookies for basic internal stuff, but nothing that ever gets sent anywhere.

The pop up always felt grossly unnecessary for this.

@jwildeboer Actually, consent isn't even needed for legitimate 3rd-party cookies! In GDPR parlance, Data Controllers can subcontract the Data Processors (i.e. third parties) of their choice, for which they are fully responsible. This doesn't require user consent in itself. The Controller decides whether processing is legitimate, or requires consent, and the Processor needs to respect it.
@jwildeboer the only thing these cookie warnings do is teach people to click the first button they see on a website. This doesn't protect anyone. I also don't understand why there is a distinction between first-party and third-party actors here. If you're happy to run a website without analytics, you surely can, but that's not how any business can operate.
@jwildeboer fwiw, DNT was killed by Microsoft when they shipped IE with DNT enabled by default. That alone made most services ignore it.
@jwildeboer exemplified when I visit a U.S. site and it just says, ‘content not available in your region’
@jwildeboer Consent-o-matic is great for this btw. It tries to click "No, gtfo with ur trackers" automagically 👌
@jwildeboer
Also: If you see the words “We value your privacy”, know that this is actually doublespeak for “We value your data, it pays for our yachts”.
@khoji @jwildeboer "We are an equal opportunity employer" means "We're hoping to hire as many women & minorities as possible because we know we can pay you less."
@khoji @jwildeboer "we value your privacy" at 10¢ on the open market