Analysis of economic and productivity losses caused by cookie banners in Europe

> This situation calls for an urgent revision of the ePrivacy Directive

Shame companies cannot live without tracking cookies, and shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss".

You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.

You can wish upon a star that humans weren’t the way we are. In the real world, this was a predictable response to a stupid rule. (And in some cases a necessary one. For example, for websites requiring a login or reliant on ads.)

> know the best way of not having to care about GDPR? Don't store PII

This is a nothing to hide argument [1]. Proving compliance with GDPR is tedious and expensive even if you’re fully compliant. (Proving no jurisdiction is easier.)

[1] https://en.m.wikipedia.org/wiki/Nothing_to_hide_argument

It was predictable that ultimately people would blame the regulation instead of the companies? Not sure I understand what you mean, and even if you meant what I think you meant, not sure what the point is? People blame all sorts of things all the time...

Edit since you've added more to your comment

> Proving compliance with GDPR is tedious

That's my point. No need to prove compliance if GDPR doesn't apply.

It was predictable this would result in disclosure/consent spam.

> No need to prove compliance if GDPR doesn't apply

If you are in the EU, GDPR applies. It may not be relevant. But you’re subject to it and its regulatory arms. (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)

Both laws’ aims are noble. But they require tweaks. Starting with the cookie banners would be smart.

Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law, while good intentioned, was/is too broad and failed to understand the realities of operating websites. This regulation has caused the entire world to be annoyed with useless cookie banners that 99% of people just reflexively click through - just like all of California's Prop65 warnings are ignored today.

> Don't store PII.

These hard-line statements defy reality. Many websites have legitimate need to store PII.

> You know the best way of not having to care about GDPR?

Don't be in the EU?

Just ignore it. There are no consequences. If you don't have physical presence within the EU - there's little-to-zero the EU can do about it. The EU can think it's laws apply to the world all it wants - but the world disagrees.

You're dealing with the EU. Stupidly high fines happen weekly.

I think you might be missing that I'm talking about this from the companies perspective, not from the perspective of a person inside EU.

If the company doesn't store any "personal data", GDPR has nothing to do with it. It's strictly about "personal data" as defined here: https://gdpr.eu/article-4-definitions/

> (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)

Happen to have any quotes/sources for this? Would be the first time I've come across it myself. I'm genuinely interested in if it's being misused like that.

I hear this a lot. As an American that hosts casual personal websites, I can't help but worry that I'm in violation of the GDPR.

For example, my router logs connections for debugging. And my NGinx server maintains server logs for debugging.

These contain IP addresses. I'm pretty sure those are considered PII under GDPR. And there are a lot of things I think that follow from that, things I haven't bothered to look into or implement. Like whatever policies, disclaimers, notifications, request handling processes, etc. that need to be in place to gather those logs.

Whether or not I need a registered agent in the EU to host my website seems to be rather fuzzy too. It seems to come down to how "sensitive" the data I store in my logs are?

Its also not clear to me whether my home router is subject to GDPR if it receives and logs a packet that was sent to it by an EU citizen, regardless of whether there was a public internet service hosted on that router or not.

I mostly choose to not think about these things - but that nagging concern that my entire self-hosted digital presence violates European law does linger.

Thank you for making it clear you wasn't taking the conversation seriously, I almost thought someone could hold opinions like that in real life, but I'm happy it wasn't so.

GDPR is intentionally obfuscated and made scary by people who have an interest in others thinking the regulation is onerous and silly (so that it is eventually changed/removed).

The regulation is not very hard to read, I would recommend you do it if you haven’t and boils down to: “don’t pass on (process) information without informed consent, if someone requests that you remove their account you should do so- and also don’t keep records around, and do your best not to let anyone access personal information”, the last one is technically unenforceable, but exists to prevent people leaving open access to data processors and bypassing consent more than anything else. A secondary benefit is that people take access controls a little more seriously by forcing breach disclosures.

Even the cookie banners are not needed unless you’re setting cookies for data collection, especially for third-parties!

There is a distinct irony in that all the online simplifications (“gdpr for dummies”, “the 7 things to comply with for gdpr”) are misleading and harder to read than the actual text of the regulation.

EDIT; I was foolish to post this during the peak time for US people. It feels like the Americans want the GDPR to be perceived as a pain.

"Essential Cookies" do not need a consent banner.

Case in point: Hacker News is 100% compliant AFAIK and has no banner.

> Many websites have legitimate need to store PII.

If there is actual legitimate interest or legal requirements, such as collecting an address for delivering a package or performing fraud-prevention, there is also no need for cookie banners.

Give reading the actual implementations a try. You'll quickly notice they actually thought of this. I wouldn't say it's "expertly crafted" by any means, but the banner is for a specific "class" of cookies, not just "abc=123" as you seem to think.

"Our former model is over. We are overregulating and underinvesting. In the two to three years to come, if we follow our classical agenda, we will be out of the market."

"If we want clearly to be more competitive and have our place in this multipolar order; first, we need a simplification shock."

"The EU could die, we are on a verge of a very important moment."

https://www.politico.eu/article/emmanuel-macron-france-europ...

Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.

The EU law compels a popup for these types of services/scripts and 99% of people just click through them because they are noise.

Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.

They don't need consent for that.

> reliant on ads

Yes. For me, this has been eye-opening about how many different ad agencies there are snooping on my browsing history. It was bad enough when it was just the (UK) government passing a law to do that, now I've got websites with more "trusted partners" monitoring my every move than my high school had students.

> This is a nothing to hide argument

"Don't store PII" does not seem to be that, to me?

If anything, the opposite party gets that criticism, given that the default is allowing private agencies to spy on everyone?

I've worked with two firms that have faced GDPR complaints. It's "up to", not "immediately on your first offence".

It's not specifically GDPR - it's the degree of overregulation in every sector, for almost every aspect of doing business. I was also speaking facetiously about large companies in particular - for example, just 12 hours ago, Facebook got hit with another $700 million fine. You don't have to be Facebook for the chilling effect. Or, the EU's stuff with Apple, the $12 billion fine against the will of Ireland, which has Apple assessing the profitability of even being in Europe.

I'm not arguing anything, read the directives and implementations yourself, then get back to me. While some might lack experience, others seem to lack reading comprehension. That's fine, we can always learn :)

> Website operators have a right to study how people use their website

In the EU, that depends. As a website operator at a certain scale, you cannot do whatever you want with personal data.

> Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.

Yeah, I mean that's cool and all, but maybe you're spending time discussing in the wrong HN submission then? I don't go around in submissions about "Golang is bad" commentating how you wouldn't have those issues if you didn't use Golang in the first place. Not my idea of curious conversation at all.

Obviously EU directives and laws apply in EU

I think reasonable people can disagree about this, and if enough reasonable people think that a web site operator should not have that "right" then they should be able to pass legislation to curtail it.

As a user, I say I should have the right to control what data is collected by what company, and what they should be allowed to do with it. I should be empowered to decide what kind of data is "essential" for a company to collect about me, not the company. Reasonable people could disagree with me, too. These are not laws of physics.

The EU designed these regulations to be viral and compel the world into compliance. The world does not need to comply, and largely does not. Multinational corporations with physical presence within the EU need to comply - but nobody else does, nor should they.

> read the directives and implementations yourself, then get back to me.

So we're arguing this down-thread of an article claiming our fuzzy European friends wasted nearly 600,000,000 hours last year clicking "I Accept" over and over? Seems like a well-designed regulation that's totally working super-duper well for the EU. Totally cut down on cookies!

This can be done without a cookie banner, as long as no PII is collected for the purposes of that analysis.

You’re still obligated to respond to requests, even if it’s no response. And data regulators will still follow up on groundless complaints.

DMCA is strictly about copyright violation. If you’re not violating copyrights it should have nothing to do with you. But that isn’t how things play out in reality.

> have any quotes/sources for this?

No, just anecdotal. Every Magic Circle firm, however, will happily file complaints in multiple jurisdictions for you.

I’ll admit I’ve used GDPR a touch vindictively after a customer service interaction went poorly. Lots of requests, wait for a minor fuck-up, escalate to multiple data regulators because I technically have multiple nexuses. European equivalent of copying your state AG on a letter, except the burden to respond is on the company.

Somehow people think visiting someone else's private website grants them privileges to be entirely anonymous - it does not anymore so than shopping in a physical retail store.

If we keep going down this path, websites will require a full ToS/EULA just to access the site...

Replace marijuana with "personal data" and imagine it is about websites with visitors within EU. If they're not storing, processing and/or transmitting personal data, there is no compliance requirements (from GDPR at least).

This one?

"The EU fined online giant Meta almost 800 million euros on Thursday for breaching antitrust rules by giving users of its Facebook social network automatic access to classified ads service Facebook Marketplace." - https://fortune.com/europe/2024/11/14/eu-fines-meta-840-mill...

Because if so, that's going to have the opposite of a chilling effect, as it is anti-trust.

Likewise, what Apple got with Ireland, while Apple has to pay, it's something Ireland did wrong by illegally giving Apple a tax dodge to encourage it to base itself in Ireland rather than anywhere else in Europe — if that's "chilling": good. We don't want tax-dodgers. If Apple can't be profitable in Europe without dodging taxes, something's gone very badly wrong for them.

Now, I'm not saying the EU doesn't over-regulate, as that kind of claim about any government is like saying that a software project contains zero functions that are never invoked by a user. But I am saying the scope of your rhetoric is not sufficiently supported by the evidence provided.

Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers. Oh the horror!

This is a good analogy. By making the marijuana illegal, you also implicitly widen search powers. You can’t arrest someone you think smells like weed if weed is legal. (Or answer a neighbor’s complaint that they suspect they’re growing weed.)

Same idea. If you say you aren’t storing personal data and I say you are, someone’s got the authority to check. Those checks and confirmations cost time and money. With a complain-investigate set-up like GDPR (and American securities law), the burden is on the respondent.

If so, it is legitimate interest to do fraud prevention, so there's no need for a consent banner, first or third-party. Naturally you can't go and use this data for a purpose that has no basis under legitimate interest.

Another example: Cloudflare is running DDoS prevention under our noses here at HN, for example, but there's no need to ask for consent, even though Cloudflare is a third-party. Why? Because this is considered legitimate interest.

> Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers

For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.

Unless traffic volume causes truncation, turns out I’m not compliant!

To understand how customer's shop on my website. Heatmaps, view port, device type, screen resolution, frequency of browsing, where their mouse hovers the most, page dwell time, etc.

These are impossible tasks for most website operators to do themselves.

> For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.

Or... you can just ignore the EU because the EU doesn't matter. You know, like I originally asserted?

> If you don't want a banner you can replace it with a simple checkbox during the checkout process

This is the sort of mindset that crafted this poorly designed regulation in the first place. Most website operators are not going to willingly add a barrier at the final step of a conversion.

If you are going to use my property and resources - it's my rules or don't come. Pretty simple...

Section 49 gives, additionally, specific carve outs for logging even if they were a commercial entity.

Consent is needed to pass logging data to third parties or to process it beyond end user functionality.

Its easier to just read the regulation: https://eur-lex.europa.eu/eli/reg/2016/679/oj

As for the rest, it's quite inflammatory and I don't know how it relates to my comment, so I'll refrain from answering.

I don’t know if after that it saw more natural usage but I doubt it.

Well, except for all the people in the eu. I'm pretty sure the eu does get to tell those people to do or not do things, online or not.

It could be that you are running ads and your ad provider is a processor in the EU and because they cannot handle jurisdictional consent well they attempt to pawn that off onto you in your terms and conditions. EU law has already decided that they cannot turn a blind eye however, if you aren't collecting consent then your processor has to assume that consent isn't given.

So yeah, worry about your contracts with third parties that might try to sneak in liability transfers and how your own jurisdiction would deal with that. If your provider is transferring that kind of liability maybe they are trying to also make you liable in the case that their ad installs a virus, so I hope you are already aware of such third party liability transfers in your contracts if your jurisdiction allows for such things.

Sure, physical stores can do that in certain way, certainly they cannot reverse pickpocket GPS trackers into our pockets or stalk us around the city. You can ask your customers how they found about your store but they can lie or simply not answer. Cameras in the store? Fine. Cameras in the store bathroom? Not ok.

It is a legitimate interest to understand where your customers are coming from and this can be done without cookies in an anonymous fashion. Similarly, you can understand what people purchase together in an anonymous fashion. Cookies and PII aren't needed for any of this.

Cookies and PII are only necessary when you are trying to surreptitiously correlate people's purchase pattern with something that you shouldn't legitimately know like their sexuality or any given aspect of their identity.

> Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.

Rightly so. But if your third party processor is operating in the EU they will hold them liable for processing the data on EU citizens you send them without consent. That is between the EU and your provider.

This type of downvoting on HN is getting silly and needs to stop.

(And a thanks to those who did respond to OP with the advice he is not in GDPR violation. Frankly, a worrying number of HN readers are clueless about legislation that directly affects them, whether they like it or not.)

Nope, you don't. Those are two different things.

There are plenty of things that are made illegal without giving the government the power to search for them.

> You can’t arrest someone you think smells like weed if weed is legal.

You can't arrest someone by smelling like weed in any democracy where it's illegal either.

Sounds like information that is not personally identifying - if handled well.

> You can't arrest someone by smelling like weed in any democracy where it's illegal either.

isn't true. Sweden is super strict on usage and if even a "normal" person and/or neighbour would smell weed from you or your place they'd definitely call the cops on you. If a cop smelled weed on you in public you'd get arrested immediately no doubt.

Yet, most people consider Sweden a democracy :)

If some random policeman can look at you, decide to arrest you with no real evidence, and it's all legal, that a huge Human Rights violation right there.

How does a judge deal with this? Do they rush to smell the culprit too?