BorupAug 12, 2025
Periodic reminder that EU did not mandate cookie popups.
Cookie popups are yet another example of malicious complience by an industry that wants to use and abuse data about us all.
Show threadZoë (english toots)Aug 12, 2025
@borup
EU: "You have to ask for consent before tracking."
Companies: "Hey, you can't access our website before telling us if we can send information about you to these tens of companies (in fact we were doing it without ask… Wait, I mean, we value your privacy)."
Show thread🐧DaveNull🐧 ☣️pResident Evil☣Aug 12, 2025

@OatPotato @borup To this day, many websites still don't ask for consent. Cookie banners are just cookies wall with only OK/Accept button

At best there's a hidden Refuse grey link/submenu, which is illegal, as refusing should by as easy as accepting.

While still
- place tracking cookies at 1st load before the banner is even loaded 🤡
- continue to use tracking after users have refused
- such banner often ignore non-cookie based trackers (hidden pixel, AT Internet/piano/google tracking scripts…)

Show thread🐧DaveNull🐧 ☣️pResident Evil☣Aug 12, 2025

@OatPotato @borup

Some even have a shitton of individually actionable on/off switches¹ for like 10 or more processing purposes + several hundreds of switches for "parteners", with no "Refuse all" button, and a big green "Accept all"…

The ones using IAB TCF form are the worst offenders…

1. Or they seem turned off but each and every PII processing purpose switch is doubled with a hidden and/or greyed out "legimate interest" although many purposes have nothing to do with "Legitimate interest".

Show threadZoë (english toots)Aug 12, 2025

@devnull @borup for the "shitton of individual switches", some countries have made this illegal: the law says you MUST show a button to refuse everything on one click. But not all companies are doing it still.

And yes, the "legitimate interest" is the worst thing EU could let open, the line between legitimate and not really legitimate can be very flexible…

Show threadShadSterlingAug 12, 2025
@OatPotato @devnull @borup this is still backwards; the rule should be that they must not use cookies for more than login and/or TOS acceptance without an explicit opt-in, and must not interrupt the user to ask. Instead, they may provide opt-in controls, so long as those controls do not interfere with the primary content of the page. And similar for other surveillance mechanisms like spying pixels
Show threadJordi RosellAug 12, 2025
@ShadSterling @OatPotato @devnull @borup login, add to carts, guest checkout...
Show thread🐧DaveNull🐧 ☣️pResident Evil☣Aug 12, 2025

@jrosell Assuming it's an ecommerce website that supports guest checkout… Which many websites are not

Also, most ecommerce websites force users to create accounts by NOT allowing guest checkout and by misusing email addresses for unsolicited "news" letters…

For many websites, it's actually just login/session cookies…

Either way, all these cookie types are clearly distinct from tracking cookies… Not using tracking cookies by default and w/o consent is NOT hard…

@ShadSterling @OatPotato @borup

Show threadJordi RosellAug 12, 2025
@devnull @ShadSterling @OatPotato @borup the thing is, I don't see the point to asking permission for cookies such as login, guest checkout, shoping carts, etc.
Show thread🐧DaveNull🐧 ☣️pResident Evil☣Aug 12, 2025

@jrosell

Except no one talked about "asking for permission for functional cookies such as login, guest checkout, shoping carts"

From the very beginning, it was all about enabling TRACKING cookies AND non-cookie-based tracking (script trackers, hidden pixels…) by default, without consent…

@ShadSterling @OatPotato @borup

Show threadJordi RosellAug 12, 2025
@devnull @ShadSterling @OatPotato @borup the UE. As far as I know, you can't have an ecommerce shopping cart persisting weeks from a guest user without cookie consent in the UE.
Show threadkazordAug 13, 2025
@jrosell @devnull @ShadSterling @OatPotato @borup technical data like shopping cart can be store in cookie or local storage without problems
Compagnies wnat to deliver tracking cookie ans cross website cookie to get a few bucks on people data (or track user shopping process)
Show threadJordi RosellAug 13, 2025
@kazord @devnull @ShadSterling @OatPotato @borup in fact, personalization purpose like that require consent
Show threadkazordAug 13, 2025
@jrosell @devnull @ShadSterling @OatPotato @borup shopping cart doesn't require explicit consent as it the purpose of the website.
(Also you do not need a cookie banner for technical cookies)
Tracking cookie need consent as its absolutely not require to buy a thing on the website
Show threadJordi RosellAug 13, 2025
@kazord the main issue here is having a "shopping cart persisting WEEKS", I guess
Show threadkazord
@jrosell local storage is build for that, data on client side (not needed for the website) that can stay forever
My shopping data, save on my local computer
What the problem with that ?
Aug 13, 2025 at 11:42amWeb
Show threadJordi RosellAug 13, 2025
@kazord i've been adviced legally to ask the user for personalization consent (with or without cookies)