Look, Jeff Atwood, it is difficult to take you seriously when you write authoritatively on a subject you clearly don’t understand.

GDPR doesn’t mandate cookie notices.

Cookie notices are *malicious compliance* by the surveillance-driven adtech industry.

If you’re not tracking people, you do not need a cookie notice, period.

If you’re only using first-party cookies for functional reasons, you do not need a cookie notice, period.

If you’re using third-party cookies to track people – i.e., if you’re sharing their data with others – then *you must have their consent to do so*. Because, otherwise, you are violating their privacy. Even then, the law doesn’t mandate a cookie notice.

How would you conform to EU law without a cookie notice if your aim wasn’t malicious compliance?

You would not track people by default and you would make it so they have to go your site’s settings to turn on third-party tracking if, for some inexplicable reason, they wanted that “feature”.

Boom!

No cookie notice necessary.

What’s that?

But that would destroy your business because your business is founded on the fundamental mechanic of violating people’s privacy?

Good.

Your business doesn’t deserve to exist.

Because the real bullshit here isn’t EU legislation that protects the human right to privacy, it’s the toxic Silicon Valley/Big Tech business model of farming people for data that violates everyone’s privacy and opens the door to technofascism.

https://infosec.exchange/@codinghorror/115120175033311443

Jeff Atwood (@[email protected])

Look, EU, it is difficult to take you seriously when you forced all this cookie notification bullshit on us. That feature a) should not exist and b) if it did, should be a BROWSER feature not "every website in the entire world now has to bother everyone forever about this stupid thing" https://blog.codinghorror.com/breaking-the-webs-cookie-jar/

Infosec Exchange
@aral excellent ✊

@urlyman @aral

It's often not even malicious compliance. Most of these banners don't even meet the requirements of the GDPR, specifically that you must be able to withdraw consent at any time and that you must give informed consent (i.e. that you must know what you have consented to to be able to grant consent).

@noybeu is doing a great job going after some of these people.

@david_chisnall @urlyman @noybeu Indeed. And yes they are but enforcement of GDPR should fall on the shoulders of more than one small law firm. Good thing they exist but it also shows how messed up the system is in general.
@aral whether or not this is technically correct it totally nails how I feel about cookie notices. They're obviously compliance theatre. I hate them all, especially when you have to accept 'necessary cookies' or else you get them all (you probably get them all anyway). Plus which data privacy gaslighter even needs cookies now? They've probably moved on to even more invasive methods. Oh, did I mention I hate cookies and their stupid fake notices?

@writingslowly There’s an easy solution to that. We pass a GDMR and effectively outlaw their business model (don’t hold your breath).

https://ar.al/2018/11/29/gdmr-this-one-simple-regulation-could-end-surveillance-capitalism-in-the-eu/

GDMR: this one simple regulation could end surveillance capitalism in the EU

GDMR: The regulation EU citizens deserve. No, you didn’t misread it and, no, it’s not a typo. GDMR – the General Data Minimisation Regulation – can end surveillance capitalism in the EU. The problem is that no such regulation exists. So, let’s change that, starting now. To be effective, GDMR must be succinct and precise. The essence of it can be expressed in a single article with two paragraphs:

Aral Balkan

@aral @writingslowly There’s a problem with point 1 - who decides what “can be built”? For instance: Many legislators want companies to implement encrypted communication in a way such that they - and only they - can listen in. Numerous experts believe such a system can’t be built (at least not securely).

If I’d run a company I’d rather not end up in court where a lawyer explains to me what can be built and what not.

@GeorgWeissenbacher @writingslowly I’m one of those experts.

Yes, regulation, like any legislation can be good or bad. That said, if you run, say a construction company, a lawyer does explain to you what can and can’t be built. You don’t just get to dig up a park and put in luxury apartments because you feel like it. You don’t get to construct a factory and dump your sewage into the sea. Or, more to the point, if you run a cinema, you don’t get to put cameras in the bathrooms. There are many things you don’t get to do if you run a company because they would infringe on the rights of others and your right to make a profit doesn’t supersede that.

I hope you’re teaching your students that they should be thoughtful in what they build so that it benefits humanity. We don’t need more things, we need more things that improve human welfare. And the last thing we need are more libertarian techbros who think they can do whatever they want in pursuit of their gluttonous profiteering and that rules don’t apply to them. That’s how we end up with technofascism.

@aral @writingslowly I understand that there are regulations, and of course I'm all for that. But they need to be specific. Building codes, for instance, are very clear (at least where I live). They specify the minimum height of rooms, size of the windows (for appropriate lighting), ventilation requirements, etc.
@aral @writingslowly Another way to outlaw their business model is to outlaw advertising. That has my vote! (Imagine how much prettier our streets will be...)

@writingslowly What annoys me is that they've managed to give people the impression that the cookie banner nonsense is the EU's fault. GDPR has been a huge help, and these tantrums the tech industry is throwing is, as Aral says, malicious compliance.

@aral

@aral

🎯

Not enough people understand how techbros choose horrible user interfaces and design/moderation decisions to turn people against even the most basic and essential customer safety regulations.

I believe the current age-gating outrage is astroturfed too.

@aral @TCatInReality it’s also funny when they complain about how difficult compliance is, and how having to comply with privacy laws so suddenly, when the ePD has been in force since 2002!
Since when is not doing something more difficult than doing something?
@TCatInReality @aral this is what caused me to leave the private sector. Tech companies use language of progress and idealism to recruit researchers and designers who genuinely want to address problems for real people, but then delegate final decision-making power to product managers and other minor demons who, using the language of "scope" and "realism," minimize research and selectively gut designs until their original purpose is completely subverted.

@luke @aral

Make no mistake, those decisions are driven by an overzealous focus on profit and domination that comes right from the top. Those middle managers know what they must do to get/keep the job.

Even the CEO would be replaced in a heartbeat if they ever put customers, employees or the environment above profit.

@TCatInReality @aral goes without saying. No human-centered design under capitalism.

@TCatInReality @aral I am outraged at "age gating"

On the face of it it is a solution that will not work to a problem that does not exist

In reality it is a way of removing anonymous internet access. It will fail there too.

Just stupidity and meanness through and through

@worik @aral

I disagree. There absolutely are real world harms by not having age gated spaces.

Age gates are all over the IRL world and we all understand why. Similarly, we have centuries of safety and consumer rights IRL that we understand but fail to apply online.

To me, the issue isn't whether to have these measures online, it is how to get bad faith techbros to do it.

For more: https://mastodon.social/@TCatInReality/114978769873355129

@TCatInReality @aral the internet, as it is designed, will frustrate this. A packet does not know who stands behind the process that sends it

@worik @aral

Yes, I've heard the architecture argument and it (conveniently) ignores the front and end points of delivery.

It's the equivalent of saying a bullet does not know who shoots it or where, while ignoring all the other possible points of safety. It's a common gunmaker defence.

The internet is a service and common service safety and liability rules should apply. There's nothing special about it - except billionaires skewing the discussion.

@TCatInReality @aral

> For more: https://mastodon.social/@TCatInReality

I read that thread.

I remain unconvinced that it is possible to have privacy preserving age verification protocols. I think it is a contradiction. To be of any use the age ID must be attached to a personal ID and that must be associated to a real person.

To use the vape shop example it is like having to sign a register to enter.

It is not hard to imagine being reluctant to sign in to R18 places.

@worik @aral

So, your best counter-argument is that some people will be "reluctant" to provide age verification?

OK, two lines of reply:
1) Implied is that the reluctance is due to fears of data misuse. I get that, which is why I argue we need much better regulation and enforcement of data privacy - because that has been a problem long before (and indep of) age verification.

Con't

@worik @aral

2) market forces will then create more all-age sites to capture as much "reluctant" audience as possible. Of course, it won't provide everything age gated, but most. And surely more all-age sites is preferable (and safer), therefore a good trend to be encouraged.

There is something seriously rotten in the online business model if a company can only make money with data theft, exploitation and extreme content. IMO, we change the dynamic through better regulations.

@worik @aral

A third response to the "reluctance" argument.

There was a time where porn was not online and you needed to show ID to buy a magazine or *register* at a video store to get adult titles.

Were some people "reluctant" to do so? Sure. And the world went on.

No one is entitled to a life free of uncomfortable experiences. But the market, and a functional democratic system, will do all it can to consider the tradeoffs and make it easy *and* safe.

@TCatInReality @worik @aral no, not fear of, absolute certainty. And that needs to be solved first
@aral @codinghorror and wasn't his second suggestion already tried, as the do not track feature built into browsers then promptly ignored by ad tech?
@fabienmarry @codinghorror Yes. I’d be completely fine with legislating that every browser reinstate that feature, have it on by default, and compel sites to obey it without asking again. That would also solve the problem.
@aral @fabienmarry @codinghorror That's a better solution, and then you only meet the committee notice when you add something to a basket, or log in, or whatever. A bit like auto blocking those "Follow this website?" notifications until you at least interact with the website!

@aral

I'm running a website for a science consortium and we don't track, we don't sell anything, and we don't have to worry about visitor data storage and protection, and we do not need any cookie clicked on the site. Very simple, very relaxing.

It also prevents the need for a data protection responsible person, because no data is being collected.

@knud but even if you sold something, you would not need to put up a cookie banner : to sell something you require some information to complete the sale (address where to ship, and/or info about the means to pay for the good or service sold). None of that would be illegitimate.

@aral

@jenesuispasgoth @aral

Absolutely. And the best online shops for me don't even require me to provide data - they take name and address from Paypal (yes, I know, that company has its own issues) and use that to send me stuff.

The bad ones want phone numbers, some birthdates and whatnot. Nothing to do with my purchase.

@knud lots of physical, brick-and-mortar shops also try to ask me for my email address or phone number. I either give a wrong one or flat out refuse (depending on the urgency of what I'm trying to purchase – sometimes the cashier tells me they *have* to input something, and they're not responsible for terrible customer care practices where they work).

@aral

@jenesuispasgoth @aral

Not here (Germany). Not gonna happen. On the other hand people seem to be happy to fork over their whole purchase history via reward-program apps...

@jenesuispasgoth @knud @aral
I will not jump through hoops for retailers. My response to requests for my email or phone number is always “absolutely not.”
@freediverx when I say no, 90% of the time they fill in some fake info by themselves. :)
@knud @aral

@freediverx @jenesuispasgoth @knud @aral
(Some part of that is that occasionally the manufacturer realises that under certain circumstances the Evaluatronic Instantiator(TM) you just bought might develop a fault in its Ingenuity Engine causing it to catch fire, and would like to/has a duty to tell you that and provide an Imaginative Dedeflagrator to plug into it to prevent that.

#SafetyNotice #dedeflagrator #Evaluatronic

@jenesuispasgoth @knud @aral in the US, you can always use your local area code and the phone number 867-5309. Inevitably, every purchase tracking program has someone who registered using that number.

https://en.wikipedia.org/wiki/867-5309%2FJenny?wprov=sfla1

867-5309/Jenny - Wikipedia

@jenesuispasgoth @knud @aral I work in e-commerce in Europe. Mostly the banners are there because such websites do use a lot of third party services for purposes that range from marketing campaign monitoring to user session recordings (for debugging). Apart from developing everything in house or hosting the tools, there aren’t a lot of ways to avoid the banners.
@michelv @jenesuispasgoth @knud Use first-party tools or privacy respecting ones. It’s entirely possible if the desire is there.
@aral @jenesuispasgoth @knud it is partly possible indeed; thing is, it costs much more money in initial setup and recurring upkeep, with less flexibility and no tangible benefit in a market where users have "accepted" the ubiquity of the banner.
@michelv @jenesuispasgoth @knud Yes, it is easier to violate human rights than to respect them. Doesn’t make it right.
@aral @jenesuispasgoth @knud you’re right, I’m a soulless monster. Hyperbole much?

@michelv @aral @jenesuispasgoth

How about leaving me out of this thread continuation, thank you.

@aral Exactly. And his "all websites" particularly grates because I could point him at a bunch of websites I've been involved with that don't have any cookie notice for the reasons you say.

Indeed.

Now, how to make Jeff Atwood and those who listen to him take heed?
Regrettably, I don't know...
🙁

@aral

@vnikolov I think Upton Sinclair said it best… :)

@vnikolov

post removed as my link was already in the original posting. I still think it would've been better to post this as a reply to Jeff's post.

@aral

@fzimper @aral blocked for snitch tooting
@webhat @fzimper @aral I'm blocking you for being an idiot. "snitch tooting"? The exactly two people already in the conversation?
@Dss @fzimper And you’re (NKT) getting blocked for your comment to @webhat.
@aral they are even almost never compliant, as most of them don't follow the requirements for being compliant: they make it hard to refuse all, and they have so much information and so many "partners" that it is impossible for any human being to actually be informed about all of them, and therefore informed consent can never exist.
@aral @cstross why is Jeff anchoring this around a 15 year old vuln anyway?
@aral @geeksam @codinghorror also: there was a Browser Setting. It was misused by the tracking industry and because of that worthless and removed 🤬

@bitboxer @aral @geeksam @codinghorror DNT is gone but the technically similar but legally required (in some jurisdictions) GPC is back.

Right now it's not clear what a GPC should mean in the EU but @robin explained how it could work: https://berjon.com/gpc-under-the-gdpr/

(good intro from the POV of an ad-supported site https://www.adexchanger.com/data-privacy-roundup/if-youre-a-publisher-and-you-dont-know-what-a-uoom-is-then-read-this/ )

GPC under the GDPR

The Global Privacy Control is making steady progress towards adoption. As a global signal supported by browsers, it's a natural question to ask what it means under regimes such as the GDPR. Here's my personal take.

Robin Berjon
@dmarti @aral @geeksam @codinghorror @robin TIL. Nice. Thank you.

@bitboxer @aral @geeksam @codinghorror @robin

An EU web publisher or retailer does not have to wait for regulators—they can already treat a pageview with GPC as if the user had seen the "consent management" dialog and refused all.
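One way a site could honour the signal the way the post above describes, as an added example that is not from the thread or from any project it mentions: the `Sec-GPC: 1` request header and the `/.well-known/gpc.json` resource come from the GPC specification, while the `consent` cookie name and the third-party tag URLs are assumptions.

```javascript
// Added example: server-side logic that treats a Global Privacy Control
// signal as a refusal of all non-essential processing. "Sec-GPC: 1" and
// /.well-known/gpc.json are from the GPC spec; the "consent" cookie and the
// tag URLs below are assumptions constructed for this example.

const THIRD_PARTY_TAGS = Object.freeze({
  marketing: 'https://ads.example/pixel.js',          // constructed placeholder
  sessionRecording: 'https://replay.example/rec.js',  // constructed placeholder
});

// Minimal Cookie header parser (name -> value); enough for this example.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide whether third-party (non-essential) processing is permitted.
// Precedence: GPC signal (treated as "refused all" / withdrawal, so it wins
// even over a stored opt-in) > stored explicit opt-in > default deny.
// Default deny because consent must be opted in, never assumed.
function trackingDecision(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  if (String(h['sec-gpc'] || '').trim() === '1') {
    return { allowed: false, reason: 'gpc-signal' };
  }
  const cookies = parseCookies(h['cookie']);
  if (cookies.consent === 'all') return { allowed: true, reason: 'explicit-opt-in' };
  return { allowed: false, reason: 'no-consent' };
}

// Only tags the decision permits are emitted into the page. First-party,
// functional behaviour never goes through this gate: it needs no consent.
function scriptTagsFor(headers) {
  const decision = trackingDecision(headers);
  if (!decision.allowed) return [];
  return Object.values(THIRD_PARTY_TAGS).map((src) => `<script src="${src}"></script>`);
}

// Body for /.well-known/gpc.json, which a site serves to announce that it
// honours the signal (lastUpdate is a YYYY-MM-DD date string).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}
```

A site that wires `trackingDecision` into its template rendering has no need for a consent banner on pages that carry the signal, which is the point the thread keeps returning to.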

@aral this is why #GitHub was able to remove the banner back in 2020 - the good old days.

https://github.blog/news-insights/company-news/no-cookie-for-you/

Funny enough, 5 years later the banner is back on $GitHub Blog, I guess being owned by $MSFT changes things...

No cookie for you

The developer community remains the heart of GitHub, and we’re committed to respecting the privacy of developers using our product.

The GitHub Blog