Look, EU, it is difficult to take you seriously when you forced all this cookie notification bullshit on us. That feature a) should not exist and b) if it did, should be a BROWSER feature not "every website in the entire world now has to bother everyone forever about this stupid thing" https://blog.codinghorror.com/breaking-the-webs-cookie-jar/
I'm in this picture and I don't like it.
@codinghorror how is stack exchange at all involved??
@javier every website on the world is involved

@codinghorror @javier Websites that don't use cookies are not involved. Neither are websites that only use cookies that are _required_ for the website to function, e.g. session tokens.

It's only when you'd like to use cookies to track users and deliver personalized ads that you have to deal with this stuff.

It's a choice.

Most websites simply don't choose the privacy-friendly option.

@scy @codinghorror @javier

And tell themselves the comforting lie that it is the E.U. forcing them to do this.

#EULaw

@JdeBP They peddle this bullshit very deliberately. Far too many users believe it's the EU's fault, when it is the predatory tech industry.

@scy @codinghorror @javier

@veronica @JdeBP @scy @javier
Most people would expect someone like @codinghorror to know better.
So why didn't you know better, @codinghorror ?

@scy @codinghorror @javier one of the big problems nobody talks about: tech is largely only explained by entities who have no incentive to explain it *well*.

Google, Meta, large ad networks are all like "stupid EU makes us do Cookie banner".

While the actual regulation is actually pretty good. The regulation is basically "don't fuck around with user data. But if you do, you at least need to tell the user".

@claudius @scy @codinghorror @javier
I had to take a corporate-required online training on the GDPR. It was about 15 slides, very clearly explained what you could and could not collect without permission, and what you had to do to protect and dispose of the data when no longer needed. It took about 20 minutes to complete, and I got almost all of the 'learning assessment' questions correct, which meant I didn't have to do it twice.

Of course, I wasn't within a thousand miles of working on the corporate websites that the knowledge applied to…

@claudius That’s the best description I’ve seen so far -- thank you!
@scy @codinghorror @javier

@codinghorror

No. Github is a good example.

@javier

@codinghorror @javier No, it’s not and you know that.
@codinghorror @javier This is definitely not true. Good websites don’t have nag questions that don’t even comply with the law, only pretending they do.
@codinghorror @Viss the EU reacted to behavior by tech companies. If the tech companies hadn’t had this behavior, the EU wouldn’t have done this.
@jason @codinghorror @Viss And they reacted in a way that made said behavior even worse. Well done!
@Viss @jason @codinghorror @buherator How did it make it worse? Fewer websites use 3rd party tracking cookies, GitHub is one such example.
@davidkarlas @Viss @jason @codinghorror I don't have hard data on this unfortunately, but I tend to browse in incognito, so I get all cookie notifications all the time. Based on this experience GH is a rare exception. I must add, that this is in part because the EU is not only failing in proper enforcement, but also communication as I know of multiple well intentioned site owners who implemented this BS because they didn't understand the regulation.

To be fair I also hear marketing crying over consent requirements, which is good, but overall the adtech industry is still thriving while user experience deteriorated. In other words the regulation doesn't have the intended effect, while causing negative externalities, making things worse. (Please don't tell me it should be adtech that should play nicely, while the regulation is there because they don't play nicely in the first place)
@buherator @codinghorror @jason @Viss @davidkarlas this book has like 80 of small written pages of proof that the GDPR is a reaction (besides the book itself): https://en.wikipedia.org/wiki/The_Age_of_Surveillance_Capitalism?wprov=sfla1
It is a good read that I recommend.

@codinghorror

I love that you don't like it.

Stop tracking people. Problem solved.

Tracking is not necessary. It is immoral.
It is tracking that ruins the internet, not cookie notices.

@Zenie @codinghorror Funny thing: From a marketing standpoint all that tracking is useless.

It’s good for selling ad space, but worthless for making ads. True story.

@thelovebing @Zenie @codinghorror GitHub managed to get to a compromise: cookie banners only on content for "marketing to enterprise users" but don't hassle most users on most pages https://github.blog/news-insights/company-news/no-cookie-for-you/

(EU law requires consent to be "freely given, specific, informed and unambiguous" and nobody knows enough about today's surveillance business practices to do that in most places, so it's an open question how long these will work anyway. Depends on status of the EU/USA trade war I guess)


@Zenie
It's not the legislation that's the problem. It's the malicious compliance by companies that want data they have no real need of, either "just in case" or so they can sell it.

My main hate is the 70+ "legitimate interest" exceptions that need 70+ clicks to disable. I immediately leave those sites. @codinghorror

@michjnich @codinghorror

Totally agree. The thing we all know is legitimate interest isn't. No cookies would be best. But that means no surveillance.

@codinghorror Then change your business model.
I love these responses to famous internet guy playing the victim, and people on fedi not having it.

@pkw

This. Came here and glad I found it.

@codinghorror

@codinghorror

So? Stop with the malicious compliance. Fixed!

https://mastodon.ar.al/@aral/115122589711327817

Aral Balkan (@aral@mastodon.ar.al)

Look, Jeff Atwood, it is difficult to take you seriously when you write authoritatively on a subject you clearly don’t understand. GDPR doesn’t mandate cookie notices. Cookie notices are *malicious compliance* by the surveillance-driven adtech industry. If you’re not tracking people, you do not need a cookie notice, period. If you’re only using first-party cookies for functional reasons, you do not need a cookie notice, period. If you’re using third-party cookies to track people – i.e., if you’re sharing their data with others – then *you must have their consent to do so*. Because, otherwise, you are violating their privacy. Even then, the law doesn’t mandate a cookie notice. How would you conform to EU law without a cookie notice if your aim wasn’t malicious compliance? You would not track people by default and you would make it so they have to go your site’s settings to turn on third-party tracking if, for some inexplicable reason, they wanted that “feature”. Boom! No cookie notice necessary. What’s that? But that would destroy your business because your business is founded on the fundamental mechanic of violating people’s privacy? Good. Your business doesn’t deserve to exist. Because the real bullshit here isn’t EU legislation that protects the human right to privacy, it’s the toxic Silicon Valley/Big Tech business model of farming people for data that violates everyone’s privacy and opens the door to technofascism. https://infosec.exchange/@codinghorror/115120175033311443

@codinghorror if you don't like it then don't share user data with third parties. It's actually that simple.
@codinghorror It really is obnoxious that this isn’t a browser function. I would have saved SO many hours of effort.
@pixel @codinghorror If cookies are free, every site will set cookies. ¯\_(ツ)_/¯
@pixel @codinghorror On Firefox I use consent-o-matic add-on to deal with many of these automatically. Unfortunately there are a lot of popups I still have to suffer.
@pixel @codinghorror Browsers did have a function for this, called Do Not Track. But ad networks loathed it, so instead they made the cookie prompts as obnoxious as possible (btw, that cookie banner is illegal – there should've been a "Deny" option next to "Accept all").
I do agree that EU not requiring adherence to Do Not Track was a missed opportunity.
@jernej__s @pixel @codinghorror The EU regulation should be that third party cookies require a written, notarized consent form with provisions on how the user will be paid for tracking data.
@pixel @codinghorror GPC. Is it implemented in your browser?

@dusoft @pixel @codinghorror mine does, Vivaldi

You can test yourself at https://global-privacy-control.vercel.app


@dusoft @pixel @codinghorror exactly. The ad industry ignored DNT because they could. GPC dates from 2024. We’ve been dealing with gdpr for many more years. Soon after California passes laws that impact US traffic to US businesses, W3 come up with GPC 🤔🤔

Will Chromium implement it? Seems unlikely. There are plugins, which I expect Google will see as favourably as adblockers, if they get traction. The problem here is not the EU, it’s Google.

@pixel @codinghorror @dusoft

I work on a Google & IAB TCF-certified CMP and we will need to implement GPC, even though it won’t appear in Chrome unless lawmakers can force Google into doing so. Not holding my breath.

@pixel
DNT is already there, but ignored by every site I visit. The effort sites go to to make this whole tracking-whore thing make money is astounding. But in a bad way.
@codinghorror

@rochelimit @pixel @codinghorror Interestingly, there's one cookie-consent vendor which notes "Your opt-out signal is honored".

When I look at selections they come "disabled" by default, but I go through reviewing them anyway.

So it's not dead dead, but many ad networks "just don't care".

@pixel
it was, but websites used it to track even more so 🤷

@codinghorror

@pixel @codinghorror
Everyone should install Privacy Badger from the @eff

https://privacybadger.org/

You can also disable cookies more broadly or set your browser's security higher, though that can sometimes break things that you don't want broken.

To be honest, though, privacy badger and ublock manage to disable most tracking without breaking anything else, even if those notices continue to pop up. Turning on the Do Not Track browser functionality can actually make you easier to track.

@codinghorror The EU did not force cookie notifications. Site operators decided that it was easier to make everyone click through notifications instead of only using the data they legitimately needed.
@codinghorror That's a myth perpetrated by adtech industry. There is no EU obligation to spam cookie notices. There's an obligation not to track without explicit consent, and everyone illegally uses the cookie nag popups as a basis for claiming consent (which it's not). A legitimate, non malicious site has no need for cookie nags. Ever.
@codinghorror Moreover there *was* a browser feature to set it globally and all the assholes running websites refused to honor it and instead used your setting as an additional fingerprinting bit to track you.

@dalias @codinghorror This. All those banners tell you is "this website doesn't respect your privacy"

And there was a "Do Not Track"-flag, but respecting that was voluntary. :/

@jbaert @dalias @codinghorror 💯 this!

Also here is more about the DNT HTTP header as a refresher: https://en.m.wikipedia.org/wiki/Do_Not_Track

Ad tech started ignoring it altogether when IE10 was shipping with it enabled by default, instead of having to opt in.


@dalias do you mean the DNT header? I just recently visited geizhals.de and noticed that they honor the Do-not-track header and set the cookie settings accordingly. But it's the only website I came by since this whole cookie banner shit show started which does this.
@codinghorror

@frosch @dalias @codinghorror

Eventually an EU court will declare DNT legally binding, and there will be wailing and gnashing of teeth.

@faduda @frosch @codinghorror That's why Google and Mozilla removed the setting.

@dalias @frosch @codinghorror

Won't matter. I can add a plugin, and it clearly expressed my preference. That's enough for a Court to make a ruling.

@faduda @frosch @codinghorror Yeah but they'll try to argue it's no longer a meaningful part of the protocol. Not saying this should be treated as valid, but that's the strategy here and likely why Google pushed to remove it.
@faduda @frosch @dalias @codinghorror I kinda remember a sentence by a German court that went in that direction, but all I can find is https://stackdiary.com/german-court-bans-linkedin-from-ignoring-do-not-track-signals/, which is related but that's not what I was remembering 🤔
Gerard Cunningham ✒️

A consent system relied upon by tech giants including Google, Microsoft, Amazon and X to serve targeted online advertising has been ruled to be incompatible with the GDPR. https://www.irishlegal.com/articles/ad-tech-giants-dealt-major-blow-in-gdpr-ruling

mastodon.ie