Cookie popups are yet another example of malicious compliance by an industry that wants to use and abuse data about us all.
@OatPotato @borup To this day, many websites still don't ask for consent. Cookie banners are just cookie walls with only an OK/Accept button
At best there's a hidden Refuse grey link/submenu, which is illegal, as refusing should be as easy as accepting.
While still
- place tracking cookies at 1st load before the banner is even loaded 🤡
- continue to use tracking after users have refused
- such banners often ignore non-cookie based trackers (hidden pixel, AT Internet/Piano/Google tracking scripts…)
Some even have a shitton of individually actionable on/off switches¹ for like 10 or more processing purposes + several hundreds of switches for "partners", with no "Refuse all" button, and a big green "Accept all"…
The ones using IAB TCF form are the worst offenders…
1. Or they seem turned off but each and every PII processing purpose switch is doubled with a hidden and/or greyed out "legitimate interest" although many purposes have nothing to do with "Legitimate interest".
@devnull @borup for the "shitton of individual switches", some countries have made this illegal: the law says you MUST show a button to refuse everything in one click. But not all companies are doing it still.
And yes, the "legitimate interest" is the worst thing the EU could leave open, the line between legitimate and not really legitimate can be very flexible…
@jrosell Assuming it's an ecommerce website that supports guest checkout… Which many websites are not
Also, most ecommerce websites force users to create accounts by NOT allowing guest checkout and by misusing email addresses for unsolicited "news" letters…
For many websites, it's actually just login/session cookies…
Either way, all these cookie types are clearly distinct from tracking cookies… Not using tracking cookies by default and w/o consent is NOT hard…
Except no one talked about "asking for permission for functional cookies such as login, guest checkout, shopping carts"
From the very beginning, it was all about enabling TRACKING cookies AND non-cookie-based tracking (script trackers, hidden pixels…) by default, without consent…
@jrosell No, data processing which is (actually!) necessary to accomplish what users asked for (performance of a contract) is a valid legal basis distinct from consent.
You're supposed to inform users about each data processing purpose (including all cookies) in a legible page. And not in an intrusive annoying cookie banner with broad BS such as "to enhance user experience", forcing users to click "I accept" just to get rid of the banner (that's a dark pattern)
@devnull @ShadSterling @OatPotato @borup cart using session cookie (no consent asked) vs cart persist weeks (personalization cookie that requires consent). Isn't it?
The user should be able to click accept, refuse and define settings for each purpose... Not only "I accept."
@jrosell I'm not sure whether a persistent cart cookie would be actually considered as personalization or functional. But it wouldn't survive cookie cleaning (especially automatic cleaning)
I'd rather have
- session only cart cookies
- no stupid automatic "empty cart after x minutes"
- the ability to export/import cart
Yes it requires a few extra clicks for export/import but it survives cookies cleaning and can be used from another browser/profile/computer.
@ShadSterling Cart export is just plaintext (such as CSV) with unique identifiers (SKU, part number, EAN, ISBN… depending on what you're selling) and human readable names for controlling file content even offline/before uploading…
I fail to see how it would enable you to "get free stuff" since the price is calculated by the website based on the current price at order time
As for the decompression bomb… If you just accept random files with no input control […]
1/2
@ShadSterling […] then it's your problem… By that "logic", "import/upload" should not exist on any site at all…
"Sorry, you can't upload your own avatar picture, it would enable decompression bomb. Just use our built-in pics. Nope sorry, this photo hosting site doesn't enable you to upload your photos, decompression bomb! Generate ones with our AI! Nope, you can't upload your own files on our file sharing platform. AI rewrite it for you or else decompression bomb!"
@ShadSterling Forcing someone to create an account because they need to buy a single stuff once from a specific shop¹, is annoying as f… (often using accounts creation as an excuse to keep PI forever and misusing it…)
1. Either because they don't find it elsewhere or because it's much more expensive/only available there & on "marketplaces" => Random people buying stuff en masse to empty stocks, then reselling it 1,5-3× its price without being able to handle warranty
@jrosell Not sure why you think it's a win-win and "no need for password", it's still an account that needs a password at best or modern shitty non-changeable "credentials" (biometrics nonsense) at worst…
Users must use password managers by the way, cause you can't trust websites to not leak cleartext "universal" passwords people use on 42 different sites
Any site forcing to use GAFAM++ accounts can be sure as hell I'll boycott it and go elsewhere…
@jrosell These companies have no business knowing what sites I use, what I buy, when I log in and infect my machine with their own tracking cookies…
If you want to make things easier for users and real "no need for password", allow guest orders.
And use localstorage rather than cookies¹ and/or allow cart export/import in plaintext format² for long term cart retention.
Authorize only text files for import. Look for unique IDs in the imported files and re-add…
@jrosell …all the corresponding items to cart, notify users if an item is not available or doesn't exist anymore.
"People will try to get free stuff" doesn't make sense… Price is calculated after import, based on the current price, not defined inside the exported file.
The file needs to contain only a human readable name and a unique ID for each item so the post import script knows what to automatically add to the cart.
@jrosell You might add an indicative price in the exported file so users remember which costs what, approximately, but that doesn't mean you will have to parse it and use it for invoice… Doesn't matter if user puts 0€…
The only thing you parse is the unique identifier but you should make sure you don't reuse the same ID for a different item, even if the product is not available anymore
@jrosell The code to calculate and display the price is already there (same one used for manually added items). It doesn't need to be in the cart file parser.
I don't see any valid reason to disallow guest order or cart export/import with sanitized input
1. Browser cleanup also deletes it unless localstorage checkbox is unchecked
2. Plaintext being very lightweight, there's no need to compress it so no decompression involved, therefore no decompression bomb risk
@jrosell Actually, I forgot an important field. Depending on what you're selling, a quantity field can be mandatory…
RS-online¹, an electronics components reseller, does it. You can export cart content in a CSV (plaintext, can be read by spreadsheet software), containing a bunch of fields, including RS internal and manufacturer's IDs as well as indicative price.
1. RS France. RS being a gigantic international group, I never tried on other countries' RS sites…
@jrosell Not sure what your point is here
Localstorage vs cookies is not about the law. The difference is technical, localstorage for bigger and/long term
And I've said from the beginning that
- I'm not focusing on cookies but on all kinds of tracking (cookies or not) vs necessary data processing
- Performance of a contract is a valid legal basis
Using cookies (or localstorage) for shopping cart is necessary for performing "selling stuff to user" contract.
@jrosell Look at GDPR article 6.
There are 6 legal bases, some of which have nothing to do with an eshop
The main 3 are
- consent for tracking, crapvertising, and anything that's none of the 5 others
- Legal obligations, which is broad. For example you need name and address for billing
- Performance of a contract. Cart doesn't work without cookies…
Unless you add tracking cookies when cart cookies are written/read which would be cheating… consent is not needed
@devnull I'll try to talk to some developers and see if I can make it work :)
Do you know any site where this is already working as you would expect?
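
The plaintext cart import discussed in this thread, as an added example that is not from any participant or from a real shop: only the unique ID and quantity are parsed, the price column in the file is ignored, and the total is computed from the current catalog. The column names, the limits and `CATALOG` are assumptions made for illustration.

```python
import csv
import io

MAX_BYTES = 64 * 1024   # assumed upload size cap; plaintext only, never decompressed
MAX_ROWS = 500          # assumed cap on cart lines
MAX_QTY = 999           # assumed per-item quantity cap

# Constructed stand-in for the shop database: SKU -> (name, current price in cents, available)
CATALOG = {
    "SKU-1001": ("Resistor 10k", 12, True),
    "SKU-2002": ("Capacitor 100n", 30, True),
    "SKU-3003": ("Discontinued relay", 450, False),
}

def import_cart(raw: bytes, catalog=CATALOG):
    """Return (cart, problems): cart maps SKU -> quantity, problems lists rejected lines."""
    if len(raw) > MAX_BYTES:
        raise ValueError("file too large")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("not a UTF-8 text file")
    cart, problems = {}, []
    # Line 1 is the header, so data rows start at line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        if line_no > MAX_ROWS + 1:
            raise ValueError("too many rows")
        sku = (row.get("sku") or "").strip()
        qty = (row.get("quantity") or "").strip()
        # Name and indicative price columns are for the user only and are never read.
        if not (qty.isascii() and qty.isdigit() and len(qty) <= 3 and 1 <= int(qty) <= MAX_QTY):
            problems.append((line_no, sku, "bad quantity"))
            continue
        product = catalog.get(sku)
        if product is None:
            problems.append((line_no, sku, "unknown item"))
        elif not product[2]:
            problems.append((line_no, sku, "unavailable"))
        else:
            cart[sku] = min(cart.get(sku, 0) + int(qty), MAX_QTY)
    return cart, problems

def cart_total(cart, catalog=CATALOG):
    """Price comes from the catalog at order time, never from the imported file."""
    return sum(catalog[sku][1] * qty for sku, qty in cart.items())

# Constructed sample export; the 0.00 price on the first line has no effect.
SAMPLE = (b"sku,name,quantity,indicative_price\n"
          b"SKU-1001,Resistor 10k,10,0.00\n"
          b"SKU-3003,Discontinued relay,1,4.50\n"
          b"SKU-9999,Made up,2,1.00\n"
          b"SKU-2002,Capacitor 100n,-5,0.30\n")
```

The SKU echoed back in `problems` is still user-supplied text, so it needs the same output escaping as any other input when shown on the page.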