Periodic reminder that the EU did not mandate cookie popups.
Cookie popups are yet another example of malicious compliance by an industry that wants to use and abuse data about us all.
@borup
EU: "You have to ask for consent before tracking."
Companies: "Hey, you can't access our website before telling us if we can send information about you to these tens of companies (in fact we were doing it without ask… Wait, I mean, we value your privacy)."

@OatPotato @borup To this day, many websites still don't ask for consent. Cookie banners are just cookie walls with only an OK/Accept button.

At best there's a hidden Refuse grey link/submenu, which is illegal, as refusing should be as easy as accepting.

While still
- place tracking cookies at 1st load before the banner is even loaded 🤡
- continue to use tracking after users have refused
- such banners often ignore non-cookie based trackers (hidden pixel, AT Internet/Piano/Google tracking scripts…)

@OatPotato @borup

Some even have a shitton of individually actionable on/off switches¹ for like 10 or more processing purposes + several hundreds of switches for "partners", with no "Refuse all" button, and a big green "Accept all"…

The ones using IAB TCF form are the worst offenders…

1. Or they seem turned off but each and every PII processing purpose switch is doubled with a hidden and/or greyed out "legitimate interest" although many purposes have nothing to do with "Legitimate interest".

@devnull @borup for the "shitton of individual switches", some countries have made this illegal: the law says you MUST show a button to refuse everything in one click. But not all companies are doing it still.

And yes, the "legitimate interest" is the worst thing the EU could leave open, the line between legitimate and not really legitimate can be very flexible…

@OatPotato @devnull @borup EU law does not permit legitimate interest for or cookies. Unless a cookie is necessary for the provision of the information society services being accessed, consent is the only valid legal basis under ePrivacy Directives.

#AdTech lobbyists tried to get it bolted into the ePrivacy Regulation but that died in the drafting stage.

@DaraghOBrien Actually GDPR art. 6 is pretty clear that legitimate interest is not just whatever the marketing department claims is legitimate interest, without any condition.

The problem is GDPR is not properly enforced in some countries… Many for-profit companies cheat in the open by claiming that literally every PII processing purpose they ever come up with is "legitimate interest", including advertisement and all kinds of marketing super intrusive tracking...

@devnull @borup yes. But the ePrivacy directive is a lex specialis in the context of subscriber devices connected to public communications networks. Legitimate interest is not, in that context, a valid lawful basis. GDPR is not the only law that relates to data protection. ePrivacy Directives specifically deal with reading/writing data from/to subscriber devices, aka “cookies”.