332 points vegasbrianc | 56 comments
1. ryandrake ◴[] No.42142148[source]
People blame the cookie banners themselves or the legislation that "made them necessary" but somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.

The "cookie banner problem" exists because it's primarily end users that are shouldering the burden of them, and not the companies. For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner. For everyone else, it's thousands of wasted seconds per year. Make the law hit companies where it hurts: their balance sheets.

replies(11): >>42142202 #>>42142212 #>>42142251 #>>42142326 #>>42142345 #>>42142452 #>>42142625 #>>42143095 #>>42143203 #>>42144003 #>>42144503 #
2. legitster ◴[] No.42142202[source]
> never seem to blame the web companies for doing the naughty things on their websites

Part of the problem is that the law didn't seek to distinguish between tame first-party cookies and the really naughty third-party cookies so the burden is equal regardless of how malicious the service is.

> For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner.

This is actually not true. There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)

replies(7): >>42142217 #>>42142245 #>>42142273 #>>42142291 #>>42142347 #>>42142352 #>>42150500 #
3. Cthulhu_ ◴[] No.42142212[source]
They don't technically even need a banner per se, just respect the user's "do not track" browser setting, or put it in a settings screen, or don't use any 3rd party trackers.

But a lot of businesses assume they need to ask permission for placing any cookies, which is simply not correct. Local analytics tracking is fine, it's only when the user can be tracked across multiple separate websites that they need explicit permissions. And the user should not be annoyed into making that decision.

replies(4): >>42142244 #>>42142317 #>>42142325 #>>42142443 #
4. nicce ◴[] No.42142217[source]
> There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)

Isn't this industry for those who want to share their website data automatically with 100+ partners? For others, who don't really share that much data with others, it's less relevant.

replies(1): >>42142312 #
5. ffsm8 ◴[] No.42142245[source]
It did though? You don't need a banner for actually legitimate use (session cookie, settings, etc.)

The things they're calling legitimate use just isn't, which is why they need banners.

replies(2): >>42142265 #>>42142396 #
6. deprecative ◴[] No.42142244[source]
Businesses are stupid. More at 11.

Yay capitalism.

7. IshKebab ◴[] No.42142251[source]
Well yeah, because the "naughty things" are totally allowed. Can you blame them for trying to make money legally, and most people would say fairly morally (most people in the real world; not on HN)?

I think 90% of the blame lies with the EU. They had experience from the cookie law that this would happen.

It's like... say you would rather people didn't drink alcohol in pubs (because of all the scary violence it leads to). You can

1. Ban alcohol in pubs.

2. Allow alcohol in pubs.

3. Allow alcohol in pubs but only if people recite the Lord's Prayer before every purchase.

3. is obviously a dumb choice, yet it's the one they chose.

replies(1): >>42142343 #
8. diggan ◴[] No.42142265{3}[source]
I keep seeing this misinformation going around, and it has been going around since almost day 1 of when the directive became known. I'm not sure where it's coming from, or who initially thought it worked like that, but judging by the comments in this submission it seems like a ton of people are very misinformed about how these things actually work.
replies(2): >>42142355 #>>42142383 #
9. Rygian ◴[] No.42142273[source]
The cookie banner has nothing to do with first-party vs third-party.

The cookie banner is required depending on the purpose of the cookies, not the party setting them.

10. ryandrake ◴[] No.42142291[source]
> Part of the problem is that the law didn't seek to distinguish between tame first-party tokens and the really naughty third-party tokens

Maybe I'm an outlier, but ideally I don't want them collecting any "tokens" without my consent. I don't care if they're first party or third party or birthday party. I should be able to browse web sites in peace without some company collecting anything. If the web site doesn't work exactly the way I'd expect because I did not provide that consent, then that's on me.

replies(2): >>42144670 #>>42149361 #
11. legitster ◴[] No.42142312{3}[source]
If you are just running a static website, maybe. But if you are going to run a website with any services on it (video content, eCommerce, member management, etc.) you are going to have partners. Establishing a browser session with every single one would be pretty onerous (and honestly much worse for privacy) so a first-party cookie is a pretty good compromise.
replies(1): >>42145302 #
12. NL807 ◴[] No.42142317[source]
>But a lot of businesses assume they need to ask permission for placing any cookies, which is simply not correct.

Partly because of laziness, partly because of pessimistic legal compliance.

13. ryandrake ◴[] No.42142325[source]
This seems like the best way to go. Companies should have to respect "do not track" and browsers should have to enforce it to the extent that it is technically possible. And "do not track" should be per-domain at least.
replies(1): >>42148955 #
14. drdaeman ◴[] No.42142326[source]
Scummy companies won't magically disappear or stop scummy practices. We can and should blame them, but it's pretty much obvious that the legislation (despite good intents!) resulted in a de-facto shitshow that failed to recognize basic social/behavior sciences, technical details, or anything else.

It should've been a user-agent-centered feature rather than an individual website gimmick - that's the only way it could've possibly worked. After that, companies can try to continue doing whatever shit they want to try, but none of their identifiers would be persisted unless the user agent allows it. (This does not account for fingerprinting, but that's a whole other story.)

Instead, legislators made some weird decisions that failed to account for human and corporate nature (greed), and we ended up with more popups and banners than ever.

replies(1): >>42146535 #
15. doublerabbit ◴[] No.42142343[source]
D: Drink in pubs till 10pm including no alcohol purchases after 10.

That's the law here in Scotland. As annoying as it is, the same law doesn't apply in the rest of the UK but it's reasonable.

replies(1): >>42144738 #
16. dmix ◴[] No.42142345[source]
The second cookies were blocked, the industry moved to fingerprinting and other methods

It's like piracy, there's only so much you can do plugging holes

Cookie banners always felt like a feel-good solution. Made worse by inconsistent UIs, differing button texts, long explanations, etc.

replies(1): >>42142421 #
17. BiteCode_dev ◴[] No.42142347[source]
It totally does make the distinction.

If you use cookies for auth, no need to disclaim it.

Better, you don't need a banner even if you do track users for anybody with DNT. So you can offer a seamless experience.

They just don't care.

replies(1): >>42142442 #
18. jorvi ◴[] No.42142352[source]
> and there's now an industry dominated by a small handful of players (Osano vs OneTrust)

Because of that there are now neat categories of cookies / cookie purposes.

Would be nice if we could select one time in our browser “necessary cookies only”, and that would be communicated to every website visited, without the need for a banner. But that’s user friendly and that’s anathema to the modern web :)

19. azinman2 ◴[] No.42142355{4}[source]
So how do these things actually work?
replies(1): >>42142520 #
20. pessimizer ◴[] No.42142383{4}[source]
If this is true, you have not helped them to understand in any way.
21. legitster ◴[] No.42142396{3}[source]
The elephant in the room is that almost no one wants to host a website without at least some sort of website analytics service, which does not fall under legitimate use. So that's why even a small blog is going to have a cookie banner.

There are some analytics companies out there that advertise cookieless analytics, but they are either a) too simple for enterprise or b) a much, much worse privacy and compliance risk.

replies(3): >>42142801 #>>42144795 #>>42146454 #
22. ryandrake ◴[] No.42142421[source]
> It's like piracy, there's only so much you can do plugging holes

I say keep on plugging. When you make a law and bad actors find loopholes, the solution isn't to throw up your hands and say "Well, we tried!" The solution is to continuously refine the law as loopholes are found. Laws should get regular patch releases.

replies(1): >>42142603 #
23. legitster ◴[] No.42142442{3}[source]
> you don't need a banner even if you do track users for anybody with DNT

This is not true. The specific text of the law requires that websites have to provide details about their cookies, and then document and store user preferences.

If you just honored the DNT, you would still be out of compliance.

24. AndroTux ◴[] No.42142443[source]
And I blame the EU for not making this the law. Just force everyone to adhere to the setting and be done with it. But no, instead we got this bullshit.
25. Apreche ◴[] No.42142452[source]
The problem is the law didn't go far enough.

Instead of requiring companies to put up a banner if they did certain tracking activities via cookies the law should have simply outright banned the tracking activities entirely.

26. 6510 ◴[] No.42142520{5}[source]
Anything goes as long as it is useful for the user.

Funny example: If they choose not to accept your spying cookies you get to set a cookie to store that choice.

replies(1): >>42143302 #
27. dmix ◴[] No.42142603{3}[source]
Yes, that seems to be standard practice in modern government. Impose a series of ineffective rules that do more harm to the public than they help them, and when they fail just invent new ones without considering why the last one failed. And most importantly, don't get rid of the previous rules, just let them stick around a decade after it's been apparent they were ineffective.
28. imgabe ◴[] No.42142625[source]
How can the banners be necessary because of “naughty things” when the banners do absolutely nothing to mitigate those things in any way? All those things are still happening AND people have to waste time clicking useless banners.
29. ffsm8 ◴[] No.42142801{4}[source]
Even this can be done without a banner, as long as these analytics do not contain any way to link them to individuals/specific users

It's admittedly sound advice to create a banner for such a use case, however, as sanitizing all user data from these events is hard to guarantee, and you'd have to do just that to keep it legal.

replies(1): >>42146295 #
30. ◴[] No.42143095[source]
31. amadeuspagel ◴[] No.42143203[source]
I hope you'll be glad to know that this law already hits companies where it hurts, because many people will close the tab after the slightest annoyance.

I hope you're happy that this law already encourages people to stay within a few big websites (where they've already clicked away the cookie banner) and not explore anything new (where they'd have to click away a cookie banner every time).

replies(1): >>42145051 #
32. dkarras ◴[] No.42143302{6}[source]
Someone might think: surely seeing ads targeted for them instead of random ads must be useful / beneficial for the user!
replies(1): >>42145260 #
33. tbrownaw ◴[] No.42144003[source]
> somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.

If I do not want a website to set any cookies, the correct course of action is to tell my user-agent to not keep any cookies from it.

replies(1): >>42144642 #
34. Sakos ◴[] No.42144503[source]
This is it. This isn't the EU's fault and the post isn't quantifying the benefit of requiring explicit consent in these banners. It's all about efficiency and productivity as if it's all that matters in the world. It doesn't care about users' right to privacy or their right to control their own data.
35. self_awareness ◴[] No.42144642[source]
All you can get this way is that you'll still have temporary cookies, removed after closing the tab, and you will still have the banner, but this time the banner will pop up each time you enter the website, because there's no cookie that tells the banner that it has already been displayed.

I have it like this. But with that, I'm using a banner autoclicker. So the company gets my data, although different each time I enter the website, and I don't see any banners. Win/win?

36. self_awareness ◴[] No.42144670{3}[source]
Well that's a thought everyone can identify with, but objectively speaking, they're paying with their energy to build the website, and paying their money to host it. Yet you would want to browse it for no cost at all.

How to resolve this?

replies(1): >>42145349 #
37. IshKebab ◴[] No.42144738{3}[source]
Sure, and that's a perfectly reasonable law. There's no "oh you actually can sell alcohol after 10pm as long as your customers fill in a 5 page form," which is what the EU has caused.
replies(1): >>42145573 #
38. Earw0rm ◴[] No.42144795{4}[source]
The other elephant is that while everyone has analytics, only one in five companies pays someone with an actual clue how to interpret them to look at them regularly, and only one in five of those companies has a decision making structure that allows them to act meaningfully in response to insights gained.
39. sensanaty ◴[] No.42145051[source]
Or, crazy idea, don't have invasive user-tracking cookies? Github doesn't even have a cookie banner and they're one of the largest websites on the planet.

After seeing websites pull shit like "legitimate interest" where they share data with 9 trillion of their "partners", they can all rot for all I care.

replies(1): >>42145737 #
40. hnbad ◴[] No.42145260{7}[source]
The first step is data minimization. The second step is informed and revokable consent. Everything else follows from there.

Do targeted ads increase the amount of personal data that needs to be stored and processed and the number of entities that will access it? Yes they do. Are they required for the site to serve its stated purpose? No, unless the site is marketing itself as literally a curated stream of targeted ads. So they require informed and revokable consent (i.e. opt-in). Even if you think they're beneficial to the user.

It's not about what's beneficial. It's about what's required. That's why most sites try to group services by categories like "functional", "analytics", etc. If you want to embed a Google Maps view to help people find your physical store, that's beneficial but still requires consent because it shares their data with a third party (i.e. Google) when the browser loads that map. Of course in this case you don't even need a banner, you could just have a placeholder (often called "content blocker") instead of the map with the option to consent to loading the map and storing that decision so the user doesn't have to see the placeholder again.

replies(1): >>42146698 #
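The placeholder-and-stored-decision pattern described in the comment above, as an added example that is not part of the thread or of any project: a consent store that keeps only a yes/no per category (no visitor identifier) and gates a third-party embed on it, with the DNT signal treated as "don't ask", never as consent. The cookie name `consent_prefs` and the category names are constructed for this example.

```javascript
// Consent-gated third-party embed: the "placeholder instead of the map" idea.
// Pure functions with no DOM access, so the decision logic can be unit-tested.
// Cookie name and category names are constructed for this example.

const CONSENT_COOKIE = "consent_prefs";
const CATEGORIES = ["functional", "analytics", "thirdparty"];

// Parse a raw Cookie header into {category: boolean}. Unknown categories and
// malformed entries are ignored; a missing cookie means "no decision yet".
function parseConsent(cookieHeader) {
  const prefs = {};
  if (!cookieHeader) return prefs;
  for (const part of cookieHeader.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name !== CONSENT_COOKIE || value === undefined) continue;
    for (const item of decodeURIComponent(value).split(",")) {
      const [cat, choice] = item.split(":");
      if (CATEGORIES.includes(cat) && (choice === "1" || choice === "0")) {
        prefs[cat] = choice === "1";
      }
    }
  }
  return prefs;
}

// Serialize decisions as a Set-Cookie value. Only yes/no per category is
// stored, no user identifier, so the consent cookie cannot itself be used to
// track the visitor (the "store the refusal in a cookie" case from the thread).
function serializeConsent(prefs, maxAgeSeconds = 180 * 24 * 3600) {
  const body = CATEGORIES.filter((c) => c in prefs)
    .map((c) => `${c}:${prefs[c] ? "1" : "0"}`)
    .join(",");
  return `${CONSENT_COOKIE}=${encodeURIComponent(body)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Record one choice and return the updated map plus the header to send back.
function recordChoice(prefs, category, granted) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  const next = { ...prefs, [category]: granted === true };
  return { prefs: next, setCookie: serializeConsent(next) };
}

// Decide what to render for an embed of the given category.
// "functional" (session, settings) is never gated. Everything else is opt-in:
// with no recorded decision the embed is not loaded. When the DNT signal is
// set and there is no decision, the placeholder is shown without a prompt,
// so the visitor is not nagged; they can still opt in from the placeholder.
function decideEmbed(category, prefs, doNotTrack) {
  if (category === "functional") return { action: "load", ask: false };
  if (prefs[category] === true) return { action: "load", ask: false };
  if (prefs[category] === false) return { action: "placeholder", ask: false };
  return { action: "placeholder", ask: !doNotTrack };
}

// Walk-through on a constructed request: DNT set, no prior decision, then the
// visitor opts in to the map embed and the decision is persisted.
function demo() {
  const first = decideEmbed("thirdparty", parseConsent(""), true);
  const { setCookie } = recordChoice({}, "thirdparty", true);
  const later = decideEmbed("thirdparty", parseConsent(setCookie.split(";")[0]), true);
  return { first, later, setCookie };
}
```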
41. hnbad ◴[] No.42145302{4}[source]
> But if you are going to run a website with any services on it (video content, eCommerce, member management, etc) you are going to have partners.

No? At least not in the scale that would require these consent services. Services like member management are literally required to operate the website so those can go into the privacy policy (as would e.g. hosting on AWS or using a CDN).

The reason these consent services exist is that a lot of websites are just content mills that operate entirely on behavioral advertising, whether it's the web version of a newspaper or just SEO blog spam. These often use hundreds of "partners" for analytics, ads, targeting, re-targeting, etc. And they desperately try to trick visitors into opting into those.

For your run-of-the-mill WordPress website you can just get a plugin like https://devowl.io/wordpress-real-cookie-banner/ - and in many cases the free version is good enough.

42. hnbad ◴[] No.42145349{4}[source]
You're framing website use as transactional but for financial transactions we literally require informed consent.

Also you seem to be operating under the assumption that your personal data is something that can be used as payment. The GDPR literally does not allow that just as human rights don't allow committing yourself to indentured servitude. You can't sign away your rights. If you share personal data you continue to have rights to that data and can revoke your consent. It doesn't stop being your data just because you handed it over, even if you did so willingly.

If your business model can't work without exploiting your users' personal data, your business model no longer works and it's your job to find a new business model that does. There are plenty of business models that only worked when indentured servitude was legal (let's not have the debate about prison labor in the US) and I'm sure you would agree that it's fine for those business models to no longer work. It's part of the risk of doing business. Innovate. Disrupt. Or perish.

43. doublerabbit ◴[] No.42145573{4}[source]
If you're using third party cookies you have to display a "please consent" button.

If you're not, then all you need is a privacy policy somewhere stating that you use cookies and that they are all first party.

That seems fair to me. I like to know if cookies are used or not regardless if they are site or third party only.

replies(1): >>42150212 #
44. amadeuspagel ◴[] No.42145737{3}[source]
Yeah, you're probably right. If Github, where most users are logged in, can do without a cookie banner, some random blog probably can do as well.
45. XCSme ◴[] No.42146295{5}[source]
I think it's impossible to be 100% legal.

Many times, the user IP, which is considered PII, is stored in various server/router logs that you have no access to...

replies(2): >>42148595 #>>42148724 #
46. account42 ◴[] No.42146454{4}[source]
Well, too bad.

When it comes to processing other people's data you don't get to do whatever you want.

Maybe try running a website without analytics before throwing a tantrum.

replies(1): >>42148424 #
47. account42 ◴[] No.42146535[source]
> none of their identifiers would be persisted unless user agent allows it.

Wrong.

And the GDPR is not just for the web.

replies(1): >>42149277 #
48. 6510 ◴[] No.42146698{8}[source]
I think you could also link to google maps.
49. ryandrake ◴[] No.42148424{5}[source]
Yeah, companies are so used to laissez-faire that when they're finally told "too bad, so sad" they throw a tantrum, sue, cry, and eventually comply as maliciously as they possibly can, to show the world how upset they are that they can't simply do whatever they want.
50. ◴[] No.42148595{6}[source]
51. ffsm8 ◴[] No.42148724{6}[source]
Lots of misinformation on the internet wrt this, and I am not a lawyer either.

It's especially tragic because Google serves you countless factually incorrect articles if you search for gdpr, which doesn't help with this endless amount of confusion.

You might be interested to know that an IP address isn't actually PII, because that's a concept of California privacy regulation and they don't care about them.

https://techgdpr.com/blog/difference-between-pii-and-persona...

It's a different story for the GDPR's personal data, however. Because there are individuals with static IPs - which makes it possible to link these IP addresses to individuals. If you could only omit these, you could technically use IP addresses however you want too. But I admit that that's kinda unrealistic ( • ‿ • )

52. ◴[] No.42148955{3}[source]
53. drdaeman ◴[] No.42149277{3}[source]
> Wrong

How? I fail to understand why a browser configured to not persist anything by default (without consent) would persist anything. Save for a bug, of course.

54. smolder ◴[] No.42149361{3}[source]
There is basic non-identifying logging that is almost entirely necessary to operate a website. I assume you're okay with that much?
55. IshKebab ◴[] No.42150212{5}[source]
It's perfectly fair, but it's also extremely annoying. That's the whole point.
56. consteval ◴[] No.42150500[source]
> Part of the problem is that the law didn't seek to distinguish between tame first-party cookies and the really naughty third-party cookies so the burden is equal regardless of how malicious the service is.

It does, or rather the law doesn't state cookies at all. It has nothing to do with cookies.

All the law says is you require informed consent if you want to harvest personal data and use it for tracking. Cookies are a common way to do that. But cookies used for session and whatnot are exempt, because they're not used for tracking.

The problem is companies are maliciously compliant.