332 points vegasbrianc | 21 comments
diggan ◴[] No.42141994[source]
Correct URL: https://legiscope.com/blog/hidden-productivity-drain-cookie-...

> This situation calls for an urgent revision of the ePrivacy Directive

Shame companies cannot live without tracking cookies, and shame that the blame somehow ends up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss".

You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.

replies(5): >>42142003 #>>42142011 #>>42142019 #>>42142081 #>>42142098 #
1. Alupis ◴[] No.42142081[source]
> Shame companies cannot live without tracking cookies

Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law, while well-intentioned, was/is too broad and failed to understand the realities of operating websites. This regulation has caused the entire world to be annoyed with useless cookie banners that 99% of people just reflexively click through - just like all of California's Prop65 warnings are ignored today.

> Don't store PII.

These hard-line statements defy reality. Many websites have legitimate need to store PII.

> You know the best way of not having to care about GDPR?

Don't be in the EU?

Just ignore it. There are no consequences. If you don't have physical presence within the EU - there's little-to-zero the EU can do about it. The EU can think its laws apply to the world all it wants - but the world disagrees.

replies(2): >>42142125 #>>42142131 #
2. whstl ◴[] No.42142125[source]
> Many cookies (or something like a cookie) are required for a website to operate normally

"Essential Cookies" do not need a consent banner.

Case in point: Hacker News is 100% compliant AFAIK and has no banner.

> Many websites have legitimate need to store PII.

If there is actual legitimate interest or legal requirements, such as collecting an address for delivering a package or performing fraud-prevention, there is also no need for cookie banners.

replies(1): >>42142350 #
3. diggan ◴[] No.42142131[source]
> Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law was/is too broad - and has caused the entire world to be annoyed with useless cookie banners.

Give reading the actual implementations a try. You'll quickly notice they actually thought of this. I wouldn't say it's "expertly crafted" by any means, but the banner is for a specific "class" of cookies, not just "abc=123" as you seem to think.

replies(1): >>42142157 #
4. Alupis ◴[] No.42142157[source]
You might try to argue many types of cookies are non-essential - but that would be because you lack experience in this domain.

Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.

The EU law compels a popup for these types of services/scripts and 99% of people just click through them because they are noise.

Lastly - the EU and its laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.

replies(4): >>42142210 #>>42142220 #>>42142247 #>>42145748 #
5. diggan ◴[] No.42142210{3}[source]
> You might try to argue many types of cookies are non-essential - but that would be because you lack experience in this domain.

I'm not arguing anything, read the directives and implementations yourself, then get back to me. While some might lack experience, others seem to lack reading comprehension. That's fine, we can always learn :)

> Website operators have a right to study how people use their website

In the EU, that depends. As a website operator at a certain scale, you cannot do whatever you want with personal data.

> Lastly - the EU and its laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.

Yeah, I mean that's cool and all, but maybe you're spending time discussing in the wrong HN submission then? I don't go around in submissions about "Golang is bad" commentating how you wouldn't have those issues if you didn't use Golang in the first place. Not my idea of curious conversation at all.

Obviously EU directives and laws apply in EU

replies(1): >>42142241 #
6. ryandrake ◴[] No.42142220{3}[source]
> Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.

I think reasonable people can disagree about this, and if enough reasonable people think that a web site operator should not have that "right" then they should be able to pass legislation to curtail it.

As a user, I say I should have the right to control what data is collected by what company, and what they should be allowed to do with it. I should be empowered to decide what kind of data is "essential" for a company to collect about me, not the company. Reasonable people could disagree with me, too. These are not laws of physics.

replies(2): >>42142306 #>>42143816 #
7. Alupis ◴[] No.42142241{4}[source]
> Obviously EU directives and laws apply in EU

The EU designed these regulations to be viral and compel the world into compliance. The world does not need to comply, and largely does not. Multinational corporations with physical presence within the EU need to comply - but nobody else does, nor should they.

> read the directives and implementations yourself, then get back to me.

So we're arguing this down-thread of an article claiming our fuzzy European friends wasted nearly 600,000,000 hours last year clicking "I Accept" over and over? Seems like a well-designed regulation that's totally working super-duper well for the EU. Totally cut down on cookies!

8. whstl ◴[] No.42142247{3}[source]
> Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.

This can be done without a cookie banner, as long as no PII is collected for the purposes of that analysis.

9. Alupis ◴[] No.42142306{4}[source]
Why is this different than a brick-and-mortar to you? Do people feel they are "private" when shopping in a retail store with AI cameras tracking patterns and behavior, names and purchases collected at checkout, loyalty "discount" cards to get even more data, etc? Even without your name, they can identify you by recognition alone, aka. an anonymized cookie used to track a specific user's behavior.

Somehow people think visiting someone else's private website grants them privileges to be entirely anonymous - it does not, any more so than shopping in a physical retail store.

If we keep going down this path, websites will require a full ToS/EULA just to access the site...

replies(1): >>42142357 #
10. Alupis ◴[] No.42142350[source]
And if that data is "transferred" to a 3rd party for that analysis (aka. a REST call into their API) then you are back to requiring these annoying banners.

Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers. Oh the horror!

replies(1): >>42142409 #
11. ryandrake ◴[] No.42142357{5}[source]
For the record, I don't think brick and mortar stores should have an automatic right to surveil and study the personal information of in-person customers without their consent but I agree that ship has largely sailed.
12. whstl ◴[] No.42142409{3}[source]
What does "for that analysis" refer to? Fraud prevention?

If so, it is legitimate interest to do fraud prevention, so there's no need for a consent banner, first or third-party. Naturally you can't go and use this data for a purpose that has no basis under legitimate interest.

Another example: Cloudflare is running DDoS prevention under our noses here at HN, for example, but there's no need to ask for consent, even though Cloudflare is a third-party. Why? Because this is considered legitimate interest.

> Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers

For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.

replies(1): >>42142532 #
13. Alupis ◴[] No.42142532{4}[source]
> What does "for that analysis"

To understand how customers shop on my website. Heatmaps, view port, device type, screen resolution, frequency of browsing, where their mouse hovers the most, page dwell time, etc.

These are impossible tasks for most website operators to do themselves.

> For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.

Or... you can just ignore the EU because the EU doesn't matter. You know, like I originally asserted?

> If you don't want a banner you can replace it with a simple checkbox during the checkout process

This is the sort of mindset that crafted this poorly designed regulation in the first place. Most website operators are not going to willingly add a barrier at the final step of a conversion.

If you are going to use my property and resources - it's my rules or don't come. Pretty simple...

replies(3): >>42142862 #>>42142916 #>>42148547 #
14. ◴[] No.42142862{5}[source]
15. whstl ◴[] No.42142916{5}[source]
You don't need banners just because something is third-party. If there is no PII and/or legitimate consent, you don't need a banner. There are GDPR compliant analytics platforms, fraud prevention, third-party payment gateways, for example. They don't need banners.

As for the rest, it's quite inflammatory and I don't know how it relates to my comment, so I'll refrain from answering.

replies(1): >>42143804 #
16. what ◴[] No.42143804{6}[source]
You don’t need banners period. The EU doesn’t get to tell people how to operate their web properties. If EU citizens don’t like it, they can stop visiting those properties. Even simpler.
replies(1): >>42144048 #
17. what ◴[] No.42143816{4}[source]
You have a right to not visit websites that you think are collecting too much information about you. That’s about it.
replies(1): >>42176510 #
18. tbrownaw ◴[] No.42144048{7}[source]
> The EU doesn’t get to tell people how to operate their web properties.

Well, except for all the people in the EU. I'm pretty sure the EU does get to tell those people to do or not do things, online or not.

19. BlackFly ◴[] No.42145748{3}[source]
> how customers navigate their store [a]isles.

Sure, physical stores can do that in a certain way, certainly they cannot reverse pickpocket GPS trackers into our pockets or stalk us around the city. You can ask your customers how they found out about your store but they can lie or simply not answer. Cameras in the store? Fine. Cameras in the store bathroom? Not ok.

It is a legitimate interest to understand where your customers are coming from and this can be done without cookies in an anonymous fashion. Similarly, you can understand what people purchase together in an anonymous fashion. Cookies and PII aren't needed for any of this.

Cookies and PII are only necessary when you are trying to surreptitiously correlate people's purchase pattern with something that you shouldn't legitimately know like their sexuality or any given aspect of their identity.

> Lastly - the EU and its laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.

Rightly so. But if your third party processor is operating in the EU they will hold them liable for processing the data on EU citizens you send them without consent. That is between the EU and your provider.

20. immibis ◴[] No.42148547{5}[source]
> Heatmaps, view port, device type, screen resolution, frequency of browsing, where their mouse hovers the most, page dwell time, etc.

Sounds like information that is not personally identifying - if handled well.

21. gljiva ◴[] No.42176510{5}[source]
Yes, and I'm glad I can at least now tell such sites from others. Not allowing such malicious compliance would be better, but this is still an improvement over websites stealing data with no way of telling it happens