Periodic reminder that EU did not mandate cookie popups.
Cookie popups are yet another example of malicious compliance by an industry that wants to use and abuse data about us all.
@borup
EU: "You have to ask for consent before tracking."
Companies: "Hey, you can't access our website before telling us if we can send information about you to these tens of companies (in fact we were doing it without ask… Wait, I mean, we value your privacy)."

@OatPotato @borup To this day, many websites still don't ask for consent. Cookie banners are just cookie walls with only an OK/Accept button

At best there's a hidden Refuse grey link/submenu, which is illegal, as refusing should be as easy as accepting.

While they still
- place tracking cookies at 1st load before the banner is even loaded 🤡
- continue to use tracking after users have refused
- such banners often ignore non-cookie based trackers (hidden pixel, AT Internet/piano/google tracking scripts…)

@OatPotato @borup

Some even have a shitton of individually actionable on/off switches¹ for like 10 or more processing purposes + several hundreds of switches for "partners", with no "Refuse all" button, and a big green "Accept all"…

The ones using IAB TCF form are the worst offenders…

1. Or they seem turned off but each and every PII processing purpose switch is doubled with a hidden and/or greyed out "legitimate interest" although many purposes have nothing to do with "Legitimate interest".

@devnull @borup for the "shitton of individual switches", some countries have made this illegal: the law says you MUST show a button to refuse everything on one click. But not all companies are doing it still.

And yes, the "legitimate interest" is the worst thing EU could let open, the line between legitimate and not really legitimate can be very flexible…

@OatPotato Exactly. Lack of "Refuse all" button is illegal.

By the way, as a European Directive meant to have standardised data protection laws all across the EU, GDPR is supposed to be interpreted the same by all EU countries. But not all DPAs are equal…

Some are more interested in being (mega) corpo friendly than actually protecting citizens' PII, because "Strict GDPR enforcement is anti-business and will kill the economy, China and USA don't have GDPR! what about competitiveness!?" 😩

@borup

@devnull @OatPotato @borup But v v often there *is* a Refuse All button, but it only refuses those that aren't "Legitimate Interest" - so if you don't separately go through & say No to those one by one, you could think that you have refused all, and think that the site will honour it, and still have "accepted" to be tracked by 100s of companies with a "legitimate" interest in selling your data.

@tortipede Yep, it's very common… Most notably the IAB TCF form used by a shit ton of websites… aka "Consent" (or actually Refusal¹) form designed by the marketing and advertisement industry 🤡

I filed a complaint about it in 2020 or 2021 against the IAB… CNIL took almost two years to answer me "We can't do anything about it for now, we're waiting for the EU court to determine whether TC_String is PII" which has nothing to do with my complaint (a shit ton of dark patterns)

@OatPotato @borup

@tortipede

Then in 2024 or 2023³, the CNIL closed my complaint because "IAB France website was closed", as if the CNIL didn't know the IAB TCF was used by a shit ton of 3rd party websites (which they knew AND I specified it in the complaint, with examples) 🤡

Since I can't file a complaint against "almost everyone" AND the same dark patterns and abusive purposes are so similar across different websites, I assume it's either by default or encouraged by the IAB, […]

@OatPotato @borup

@tortipede

[…] so I filed a complaint against IAB France.

But apparently, their French website being offline is enough to close the case although the abuse is still going strong 🤡

There are also small font size aka "Needs an electron microscope font size" light grey links (often with clear or light background making them very hard to notice) "Continue without accepting" which is NOT equivalent to Refuse.

That link just doesn't "Accept" what isn't in "Accepted" state by default […]

@OatPotato @borup

@tortipede

[…] but doesn't Refuse what is opt-out²… So another dark pattern designed to mislead users into not refusing crap that shouldn't even need active steps to be turned off…

It's all so tucked up on so many levels…

1. Since they collect Refusal, not consent. Opt-out instead of opt-in
2. In many cases it shouldn't be on "Accepted" status by default to begin with, most purposes that are "Accepted" by default, require consent (mostly marketing crap)

@OatPotato @borup

@tortipede

3. Don't remember the exact years but I remember the whole process took approximately 4 years for nothing
- off topic answers for some of my points (dark patterns)
and some others were ignored (opt-out instead of opt-in, super abusive purposes that are greyed out/can't be turned off like "Linking/aggregating data collected online and offline to identify users"… which implies being spied on even when not using such websites, maybe by buying PII or some other means) 🤡

@OatPotato @borup

@devnull @OatPotato @borup I had *not* realised how underhand 'continue without accepting' is. I clearly need to make more pessimistic assumptions.
@OatPotato @devnull @borup this is still backwards; the rule should be that they must not use cookies for more than login and/or TOS acceptance without an explicit opt-in, and must not interrupt the user to ask. Instead, they may provide opt-in controls, so long as those controls do not interfere with the primary content of the page. And similar for other surveillance mechanisms like spying pixels
@ShadSterling @OatPotato @devnull @borup login, add to carts, guest checkout...

@jrosell Assuming it's an ecommerce website that supports guest checkout… Which many websites are not

Also, most ecommerce websites force users to create accounts by NOT allowing guest checkout and by misusing email addresses for unsolicited "news" letters…

For many websites, it's actually just login/session cookies…

Either way, all these cookie types are clearly distinct from tracking cookies… Not using tracking cookies by default and w/o consent is NOT hard…

@ShadSterling @OatPotato @borup

@devnull @ShadSterling @OatPotato @borup the thing is, I don't see the point of asking permission for cookies such as login, guest checkout, shopping carts, etc.

@jrosell

Except no one talked about "asking for permission for functional cookies such as login, guest checkout, shopping carts"

From the very beginning, it was all about enabling TRACKING cookies AND non-cookie-based tracking (script trackers, hidden pixels…) by default, without consent…

@ShadSterling @OatPotato @borup

@devnull @ShadSterling @OatPotato @borup the EU. As far as I know, you can't have an ecommerce shopping cart persisting weeks from a guest user without cookie consent in the EU.

@jrosell No, data processing which is (actually!) necessary to accomplish what users asked for (performance of a contract) is a valid legal basis distinct from consent.

You're supposed to inform users about each data processing purpose (including all cookies) in a legible page. And not in an intrusive annoying cookie banner with broad BS such as "to enhance user experience", forcing users to click "I accept" just to get rid of the banner (that's a dark pattern)

@ShadSterling @OatPotato @borup

@devnull @ShadSterling @OatPotato @borup cart using session cookie (no consent asked) vs cart persisting weeks (personalization cookie that requires consent). Isn't it?

The user should be able to click accept, refuse and define settings for each purpose... Not only "I accept."

@jrosell I'm not sure whether a persistent cart cookie would be actually considered as personalization or functional. But it wouldn't survive cookie cleaning (especially automatic cleaning)

I'd rather have
- session only cart cookies
- no stupid automatic "empty cart after x minutes"
- the ability to export/import cart

Yes it requires a few extra clicks for export/import but it survives cookies cleaning and can be used from another browser/profile/computer.

@ShadSterling @OatPotato @borup

@devnull @jrosell @OatPotato @borup I think you can cover most cases by giving a guest a provisional account with a login cookie and have a persistent cart the same as a normal account. The account widget can show an id that they can use to clone an old provisional account into a new one different browser or computer (or a friend’s). Let the oldest one expire when the buffer’s full, that could be years. Just the one cookie, no need for prompts.
@devnull @jrosell @OatPotato @borup If you allow uploading carts you’ll get attempts to get free stuff, and decompression bombs, and whatnot, so I’d avoid that. I usually don’t buy without creating an account since IME that makes everything worse if it doesn’t go perfectly, but the recordkeeping for a guest order would have to be a bit different
@ShadSterling @devnull @OatPotato @borup thanks for your replies. That's interesting. Do you remember some site doing this cart session cookie linked to login (account widget)?

@ShadSterling Cart export is just plaintext (such as CSV) with unique identifiers (SKU, part number, EAN, ISBN… depending on what you're selling) and human readable names for controlling file content even offline/before uploading…

I fail to see how it would enable you to "get free stuff" since the price is calculated by the website based on the current price at order time

As for the decompression bomb… If you just accept random files with no input control […]

1/2

@jrosell @OatPotato @borup

@ShadSterling […] then it's your problem… By that "logic", "import/upload" should not exist on any site at all…

"Sorry, you can't upload your own avatar picture, it would enable decompression bomb. Just use our built-in pics. Nope sorry, this photo hosting site doesn't enable you to upload your photos, decompression bomb! Generate ones with our AI! Nope, you can't upload your own files on our file sharing platform. AI rewrite it for you or else decompression bomb!"

@jrosell @OatPotato @borup

@ShadSterling Forcing someone to create an account because they need to buy a single item once from a specific shop¹, is annoying as f… (often using account creation as an excuse to keep PI forever and misusing it…)

1. Either because they don't find it elsewhere or because it's much more expensive/only available there & on "marketplaces" => Random people buying stuff en masse to empty stocks, then reselling it at 1.5-3× its price without being able to handle warranty

@jrosell @OatPotato @borup

@devnull @ShadSterling @OatPotato @borup implicit paypal/google/apple/amazon and no need for passwords, IMO it's a win-win: easier for the user, more sales.... But big techs are winning too.
@devnull @ShadSterling @OatPotato @borup i'm enjoying this conversation a lot. I appreciate hearing your opinions.

@jrosell Not sure why you think it's a win-win and "no need for passwords", it's still an account which needs a password at best or modern shitty non-changeable "credentials" (biometrics nonsense) at worst…

Users must use password managers by the way, cause you can't trust websites to not leak cleartext "universal" passwords people use on 42 different sites

Any site forcing to use GAFAM++ accounts can be sure as hell I'll boycott it and go elsewhere…

@ShadSterling @OatPotato @borup

@devnull @ShadSterling @OatPotato @borup what I usually like is a full permalink with all product SKUs as query string parameters... But that's not handling availability, of course.
@jrosell @devnull @ShadSterling @OatPotato @borup technical data like a shopping cart can be stored in a cookie or local storage without problems
Companies want to deliver tracking cookies and cross-website cookies to get a few bucks on people's data (or track the user's shopping process)
@kazord @devnull @ShadSterling @OatPotato @borup in fact, personalization purposes like that require consent
@jrosell @devnull @ShadSterling @OatPotato @borup shopping cart doesn't require explicit consent as it is the purpose of the website.
(Also you do not need a cookie banner for technical cookies)
Tracking cookies need consent as they're absolutely not required to buy a thing on the website
@kazord the main issue here is having a "shopping cart persisting WEEKS", I guess
@jrosell local storage is built for that, data on client side (not needed for the website) that can stay forever
My shopping data, saved on my local computer
What's the problem with that?
@kazord I've been advised legally to ask the user for personalization consent (with or without cookies)

@jrosell @OatPotato @devnull @borup if you’re keeping the cart in a cookie the user experience will be that when the user comes back to your site you’ve thrown away their cart. Don’t do that.

I’m not sure what cookie or tracker or spyware would be used for guest checkout

@ShadSterling @OatPotato @devnull @borup it depends if it's a session cookie or a permanent cookie.
@jrosell @OatPotato @devnull @borup you can’t assume the user will only use one browser and never clear their cookies
@ShadSterling @OatPotato @devnull @borup I agree, and I can't assume the user wants to be a registered user. IMO it's a tradeoff

@OatPotato @devnull @borup EU law does not permit legitimate interest for cookies. Unless a cookie is necessary for the provision of the information society service being accessed, consent is the only valid legal basis under the ePrivacy Directives.

#AdTech lobbyists tried to get it bolted into the ePrivacy Regulation but that died in the drafting stage.

@OatPotato @devnull @borup cookie rules in ePrivacy Directive predate GDPR by several years.

@DaraghOBrien Actually GDPR art. 6 is pretty clear that legitimate interest is not just whatever the marketing department claims is legitimate interest, without any condition.

The problem is GDPR is not properly enforced in some countries… Many for-profit companies cheat in the open by claiming that literally every PII processing purpose they ever come up with is "legitimate interest", including advertisement and all kinds of super intrusive marketing tracking…

@borup

@devnull @borup yes. But the ePrivacy directive is a lex specialis in the context of subscriber devices connected to public communications networks. Legitimate interest is not, in that context, a valid lawful basis. GDPR is not the only law that relates to data protection. The ePrivacy Directives specifically deal with reading/writing data from/to subscriber devices, aka "cookies".
@OatPotato @borup they DO value our privacy. That’s what they sell to other people after all. Quite valuable to them.
@OatPotato @borup the Facebook comma. ‘We take your privacy, seriously’
@borup How, exactly, did you expect websites to ask for consent, then? Such a silly assertion to make.

@hrbrmstr @borup opt in

Longer answer: people seem to forget that you don't need user consent to set basic cookies needed for the basic operation of a website, because you're providing a service the user has requested (i.e., render the content on this website please). You only need a cookie pop-up thing if your default is to set unrelated / marketing cookies. If you don't do that, then you don't need a consent banner and you can have an opt in somewhere for people who want to be tracked for some fucking reason. That's why websites that aren't designed by utter bastards don't have those daft pop-ups even if you access them in Europe.

In other words the burden should only be on people who make shit websites that gobble up data for marketing. But as the op said, because of malicious compliance by piece of shit companies and marketers, it's shifted to being the user's problem. The regulations should be tightened to prevent this kind of bullshit behavior imo, not relaxed or removed as you seem to be (?) implying.

@dumpsterqueer @hrbrmstr @borup afaik there were a few rulings already where judge said "lol this is not how it's intended"

@dumpsterqueer @hrbrmstr @borup i think the only valid criticism of GDPR is that it's not tight enough tbh. they could've mandated sites respect a

X-GDPR-Cookie-Consent: { reject-nonessential | ask | allow }

header in all HTTP requests, or at least mandate that the UI for the preference be provided by the browser and websites got to acquire the answer either as a header or thru a JS function

I don't get why they skipped something so obvious
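
The two behaviours argued for in this thread, functional cookies (session, login, cart) set without a banner and tracking cookies set only after an explicit opt-in, can be written down as a small server-side policy. The block below is an added example and is not code from any poster; it treats the header proposed above (X-GDPR-Cookie-Consent with the values reject-nonessential, ask, allow) as if a browser sent it, which is an assumption since no such header exists. The cookie names and categories are constructed for the example. The last helper audits a response's Set-Cookie lines against the consent signal, which is the check a reviewer would run to catch the "tracking cookie placed before the banner even loads" case described earlier.

```javascript
// Added example (not from the thread). Models: essential cookies need no
// consent and are session-only; tracking cookies are set only on an explicit
// "allow". The X-GDPR-Cookie-Consent header is the proposal made in the post
// above, not a real standard; cookie names below are constructed.

const COOKIE_CATALOG = {
  sid:    { category: "essential", persistent: false }, // login/session id
  cart:   { category: "essential", persistent: false }, // session-only cart
  _track: { category: "tracking",  persistent: true  }, // analytics id
  _ad:    { category: "tracking",  persistent: true  }, // ad-network id
};

const CONSENT_VALUES = new Set(["reject-nonessential", "ask", "allow"]);

// Read the proposed header. A missing or unrecognised value is treated as
// "reject-nonessential": the absence of a signal is not consent.
function parseConsentHeader(headers) {
  const raw = (headers["x-gdpr-cookie-consent"] || "").trim().toLowerCase();
  return CONSENT_VALUES.has(raw) ? raw : "reject-nonessential";
}

// Which cookies a response may set. Only an explicit "allow" unlocks the
// tracking category; "ask" means the site may show an opt-in control but must
// behave as if refused until the user answers.
function allowedCookies(headers) {
  const consent = parseConsentHeader(headers);
  return Object.entries(COOKIE_CATALOG)
    .filter(([, meta]) => meta.category === "essential" || consent === "allow")
    .map(([name]) => name);
}

// Build Set-Cookie values. Essential cookies carry no Max-Age/Expires, so they
// end with the browser session; only consented tracking cookies get a long
// lifetime. Cookies the policy does not allow are silently dropped.
function buildSetCookieHeaders(headers, values) {
  const allowed = new Set(allowedCookies(headers));
  const out = [];
  for (const [name, value] of Object.entries(values)) {
    if (!allowed.has(name)) continue;
    let attrs = `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
    if (COOKIE_CATALOG[name].persistent) attrs += "; Max-Age=31536000";
    out.push(attrs);
  }
  return out;
}

// Audit: given the request's consent signal and the Set-Cookie lines a server
// actually emitted, return the cookie names that should not have been set.
// Unknown cookie names are flagged too, since they are not in the catalogue.
function auditSetCookies(headers, setCookieLines) {
  const allowed = new Set(allowedCookies(headers));
  return setCookieLines
    .map((line) => line.split(";")[0].split("=")[0].trim())
    .filter((name) => !allowed.has(name));
}

// Usage (constructed request/response):
console.log(buildSetCookieHeaders({}, { sid: "abc", cart: "sku1:2", _track: "u1" }));
// -> only sid and cart, both without Max-Age
console.log(auditSetCookies({}, ["sid=abc; Path=/", "_ad=xyz; Max-Age=31536000"]));
// -> ["_ad"]
```

With no header at all the policy falls back to refusing everything non-essential, which is the default the thread says the law already requires; the audit helper is the part worth wiring into an integration test, so that a deploy that starts setting a tracking cookie on first load fails before it ships.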

@cadadr @dumpsterqueer @hrbrmstr @borup

I'm guessing that the bad actors forced a "compromise"

@hrbrmstr @borup GitHub figured it out, Sentry figured it out. It can be done. And clearly some companies just care about the UX of their EU users more than others, because even though they all adhere to the same law, some cookie banners are more annoying than others.
@hrbrmstr @borup There's valid criticism of the GDPR, like how for example companies legitimately didn't know how to interpret it when it first came out, which led to wildly different interpretations and lots of "overly cautious" implementations (especially in Germany and Austria). But it doesn't matter anymore today. The differences you see today in implementation come from the mentality and priorities of website owners rather than the written law.

@untitaker @borup GDPR was created to collect fines.

The EU doesn't actually care about data privacy/human safety. Ref: ProtectEU

And, all cookie notices are annoying & fairly useless at this point.

@hrbrmstr @borup "The EU doesn't care about human safety" is an asinine statement. I wish you best of luck discussing policy with anybody while having that kind of mentality.

@untitaker @borup I'll make sure to pass that on to the Council of Economic Advisers who I have talked policy with and a few other groups I do talk policy with.

Have fun living in your fantasy world, especially when ProtectEU goes into full swing.

@hrbrmstr @borup I also don't think the GDPR would be able to survive the current political climate as-is. But that's completely irrelevant to this conversation. The fact is that the GDPR can definitely be implemented without cookie notices.
@hrbrmstr @untitaker @borup Oh sure, that obscure council is the final authority on the purpose of data protection law. > 80% of the rules in the GDPR already existed before it, so that is demonstrable nonsense.
@hrbrmstr @untitaker @borup To add to this, the Council of Economic Advisors is a US executive body thing, their opinions on the motives for EU legislation are just that, opinions. And in this case it is perfectly in line with the US ignoring the historic realities behind the GDPR (including its provenance in the US Nixon administration) and merely going for the political expedient theory that it all is just a non-tariff barrier against US companies. You are just confusing US myopia for facts.