Most active commenters
  • ffsm8(3)

←back to thread

Analysis of economic and productivity losses caused by cookie banners in Europe

(legiscope.com)
332 points vegasbrianc | 16 comments | 14 Nov 24 22:23 UTC | HN request time: 2.237s | source | bottom
Show context
ryandrake ◴[14 Nov 24 22:58 UTC] No.42142148[source]
People blame the cookie banners themselves or the legislation that "made them necessary" but somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.

The "cookie banner problem" exists because it's primarily end users that are shouldering the burden of them, and not the companies. For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner. For everyone else, it's thousands of wasted seconds per year. Make the law hit companies where it hurts: their balance sheets.

replies(11): >>42142202 #>>42142212 #>>42142251 #>>42142326 #>>42142345 #>>42142452 #>>42142625 #>>42143095 #>>42143203 #>>42144003 #>>42144503 #
legitster ◴[14 Nov 24 23:04 UTC] No.42142202[source]
> never seem to blame the web companies for doing the naughty things on their websites

Part of the problem is that the law didn't seek to distinguish between tame first-party cookies and the really naughty third-party cookies so the burden is equal regardless of how malicious the service is.

> For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner.

This is actually not true. There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)

replies(7): >>42142217 #>>42142245 #>>42142273 #>>42142291 #>>42142347 #>>42142352 #>>42150500 #
1. ffsm8 ◴[14 Nov 24 23:11 UTC] No.42142245[source]
It did though? You don't need a banner for actually legitimate use (session Cookie, settings, etc)

The things they're calling legitimate use just isn't, which is why they need banners.

replies(2): >>42142265 #>>42142396 #
2. diggan ◴[14 Nov 24 23:13 UTC] No.42142265[source]
I keep seeing this misinformation going around, and it has been going around since almost day 1 of when the directive became known. I'm not sure where it's coming from, or who initially thought it worked like that, but judging by the comments in this submission it seems like a ton of people are very misinformed about how these things actually work.
replies(2): >>42142355 #>>42142383 #
3. azinman2 ◴[14 Nov 24 23:21 UTC] No.42142355[source]
So how to these things actually work?
replies(1): >>42142520 #
4. pessimizer ◴[14 Nov 24 23:25 UTC] No.42142383[source]
If this is true, you have not helped them to understand in any way.
5. legitster ◴[14 Nov 24 23:27 UTC] No.42142396[source]
The elephant in the room is that almost no one wants to host website without at least some sort of website analytics service, which does not fall under legitimate use. So that's why even a small blog is going to have a cookie banner.

There are some analytics companies out there that advertise cookieless analytics, but they are either a) too simple for enterprise or b) a much, much worse privacy and compliance risk.

replies(3): >>42142801 #>>42144795 #>>42146454 #
6. 6510 ◴[14 Nov 24 23:43 UTC] No.42142520{3}[source]
Anything goes as long as it is useful for the user.

Funny example: If they chose not to accept your spying cookies you get to set a cookie to store that choice.

replies(1): >>42143302 #
7. ffsm8 ◴[15 Nov 24 00:29 UTC] No.42142801[source]
Even this can be done without a banner, as long as these analytics do not contain any way to link them to individuals/specific users

It's admittedly sound advice to create a banner for such a usecase however, as sanitizing all user data from these events is hard to guarantee, and you'd have to do just that to keep it legal

replies(1): >>42146295 #
8. dkarras ◴[15 Nov 24 02:00 UTC] No.42143302{4}[source]
Someone might think: surely seeing ads targeted for them instead of random ads must be useful / beneficial for the user!
replies(1): >>42145260 #
9. Earw0rm ◴[15 Nov 24 07:59 UTC] No.42144795[source]
The other elephant is that while everyone has analytics, only one in five companies pays someone with an actual clue how to interpret them to look at them regularly, and only one in five of those companies has a decision making structure that allows them to act meaningfully in response to insights gained.
10. hnbad ◴[15 Nov 24 09:30 UTC] No.42145260{5}[source]
The first step is data minimization. The second step is informed and revokable consent. Everything else follows from there.

Do targeted ads increase the amount of personal data that needs to be stored and processed and the number of entities that will access it? Yes they do. Are they required for the site to serve its stated purpose? No, unless the site is marketing itself as literally a curated stream of targeted ads. So they require informed and revokable consent (i.e. opt-in). Even if you think they're beneficial to the user.

It's not about what's beneficial. It's about what's required. That's why most sites try to group services by categories like "functional", "analytics", etc. If you want to embed a Google Maps view to help people find your physical store, that's beneficial but still requires consent because it shares their data with a third party (i.e. Google) when the browser loads that map. Of course in this case you don't even need a banner, you could just have a placeholder (often called "content blocker") instead of the map with the option to consent to loading the map and storing that decision so the user doesn't have to see the placeholder again.

replies(1): >>42146698 #
11. XCSme ◴[15 Nov 24 12:30 UTC] No.42146295{3}[source]
I think it's impossible to be 100% legal.

Many times, the user IP, which is considered PII, is stored in various servers/routers log that you have no access to...

replies(2): >>42148595 #>>42148724 #
12. account42 ◴[15 Nov 24 12:51 UTC] No.42146454[source]
Well, too bad.

When it comes to processing other people's data you don't get to do whatever you want.

Maybe try running a website without analytics before throwing a tantrum.

replies(1): >>42148424 #
13. 6510 ◴[15 Nov 24 13:24 UTC] No.42146698{6}[source]
I think you could also link to google maps.
14. ryandrake ◴[15 Nov 24 16:32 UTC] No.42148424{3}[source]
Yea, companies are so used to laissez faire that when they're finally told "too bad, so sad" they throw a tantrum, sue, cry, and eventually comply as maliciously as the possibly can, to show the world how upset they are that they can't simply do whatever they want.
15. ◴[15 Nov 24 16:52 UTC] No.42148595{4}[source]
16. ffsm8 ◴[15 Nov 24 17:07 UTC] No.42148724{4}[source]
Lots of misinformation on the internet wrt this, and I am not a lawyer either.

It's especially tragic because Google serves you countless factually incorrect articles if you search for gdpr, which doesn't help with this endless amount of confusion.

You might be interested to know that an IP address isn't actually PII, because that's a concept of California privacy regulation and they don't care about them

https://techgdpr.com/blog/difference-between-pii-and-persona...

It's a different story for gdprs personal data however. Because there are individuals with static IPs - which makes it possible to link these IP addresses to individuals. If you could only omit these, you could technically use ipadresses however you want too. But I admit that that's kinda unrealistic ( • ‿ • )