Most active commenters
  • dspillett(7)
  • scotty79(6)
  • randomdata(4)
  • GardenLetter27(4)
  • uniqueuid(3)
  • GJim(3)
  • secondcoming(3)

←back to thread

332 points vegasbrianc | 78 comments | | HN request time: 0.845s | source | bottom
1. uniqueuid ◴[] No.42144954[source]
I am kind of frustrated by the widespread misunderstandings in this thread.

Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities. The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.

There is no doubt that the goals set by the law are sensible. It is also not evident that losing time over privacy is so horrible. In fact, when designing a law that enhances consumer rights through informed consent, it is inevitable that this imposes additional time spent on thinking, considering and acting.

It's the whole point, folks! You cannot have an informed case-by-case decision without spending time.

replies(16): >>42145020 #>>42145131 #>>42145155 #>>42145209 #>>42145333 #>>42145656 #>>42145815 #>>42145852 #>>42146272 #>>42146629 #>>42147195 #>>42147452 #>>42147781 #>>42148046 #>>42148053 #>>42150487 #
2. mpeg ◴[] No.42145020[source]
What I find funny about the whole thing is that the grand majority of companies with cookie banners are not implementing them correctly, and therefore are still in breach of the law.

I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given

Also see banners where there is only a big "OK" button, with no visible option to reject, this is also not compliant!

replies(5): >>42145538 #>>42146028 #>>42147215 #>>42147228 #>>42150714 #
3. bawolff ◴[] No.42145131[source]
> The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.

Would there exist any other method of implementing it that would be substantially different? Its hard to imagine. I suppose they could implement it by not having tracking cookies.

I think the ideal situation is that people could just set it as a browser preference and be done with it. Oh wait they already can.

replies(2): >>42145177 #>>42146192 #
4. GJim ◴[] No.42145155[source]
> I am kind of frustrated by the widespread misunderstandings in this thread.

SV and the advertising industry thrives on those misunderstandings.

Put simply, there is no need for "cookie banners" unless those cookies are being used to track or personally identify me (hello advertisers!), in which case, I need to give my opt-in informed consent to allow this; and so I should.

Hardly surprising SV and the advertising industry campaigns against "cookie banners", rather than their own unethical trading in personal data without consent.

replies(1): >>42147864 #
5. GJim ◴[] No.42145177[source]
Setting a browser preference is not giving explicit opt-in informed consent to handle my personal data (for that is what this is about) on a case by case basis.

That is what the law requires.

Blame the unnecessary gathering of personal data (and think about why they want it!), not the 'cookie law'.

6. weberer ◴[] No.42145209[source]
I am informed and chose "No" each time. Why do EU lawmakers not allow me to automatically say no? All they have to do is add a line to the law enforcing companies to respect the DNT or GPC header.

https://en.wikipedia.org/wiki/Do_Not_Track

replies(3): >>42145443 #>>42145518 #>>42149011 #
7. pickledoyster ◴[] No.42145333[source]
Yes. It's not the regulation but the misguided implementation that's to blame.

Sites and cookie banner plugins could just accept DNT signals from browsers and no productivity would be lost.

replies(2): >>42145475 #>>42146292 #
8. daveoc64 ◴[] No.42145443[source]
Tracking isn't the only thing that the law covers.
9. randomdata ◴[] No.42145475[source]
DNT does not provide informed consent. It may, if set to not track, imply denial, but the reverse is not true. If DNT is accepting or unset, the site needs to fall back to the banner to get consent. And at that point you may as well prompt everyone with the banner instead of complicating the codebase with extra logic for a DNT edge case.
replies(3): >>42145575 #>>42146222 #>>42149038 #
10. crote ◴[] No.42145518[source]
> Why do EU lawmakers not allow me to automatically say no?

What do you mean? There is no law banning companies from honoring a DNT header, companies just choose not to do so. The law already allows it, it just doesn't mandate it.

replies(1): >>42145922 #
11. weinzierl ◴[] No.42145538[source]
One way to see it is that it's their way of passive-aggressive protest against a law they don't want. Maybe the aim was never to abide by the law, just to pretend and annoy people enough to draw them on your side.
replies(3): >>42145560 #>>42146050 #>>42146564 #
12. dominicrose ◴[] No.42145560{3}[source]
A clear example of passive-aggressive protest was from Google, the removal of links to Google maps from the search results. Instead of providing a choice of multiple map providers, they just completely removed the links. To clarify: I'm in Europe (France).
replies(1): >>42146063 #
13. ben_w ◴[] No.42145575{3}[source]
Mm.

For existing privacy options — location, microphone, camera — Safari on iOS has the options of "ask"/"deny"/"allow".

I wouldn't be surprised by legislation for a Do Not Track option in DMA designed Gatekeepers' browsers, defaulting to "ask", where all three options must be handled accordingly by websites.

"Ask" would also have to be the default behaviour when no preference is transmitted.

replies(1): >>42145671 #
14. egorfine ◴[] No.42145656[source]
> does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.

Good luck explaining alternative technology to the lawyers and then to the lawyers of the other party in court should the need arise, and then to the judge. While you are technically 100% right, I believe you will have a truly hard time implementing anything other than the cookie banners.

15. randomdata ◴[] No.42145671{4}[source]
Again, as the law in question requires informed consent, "allow" and "ask" end up being the same thing. A new DNT law as you propose would contradict the other law of which we speak.
replies(1): >>42146322 #
16. scotty79 ◴[] No.42145815[source]
> Laws are best when they are abstract ...

Laws are only as good as their real world consequences.

replies(1): >>42146636 #
17. scotty79 ◴[] No.42145852[source]
> You cannot have an informed case-by-case decision without spending time.

Forcing me to make an informed decision where I don't care about the result is the one of the major ways of wasting my time.

If you wanted to create a good law about this you should make it so I only have to make a case-by-case decision if I care about my privacy (as it's currently exploited) and do nothing if I don't.

replies(2): >>42145997 #>>42146103 #
18. weberer ◴[] No.42145922{3}[source]
>What do you mean? ... The law already allows it, it just doesn't mandate it.

That's exactly what I meant by:

>All they have to do is add a line to the law enforcing companies to respect the DNT or GPC header.

replies(1): >>42150143 #
19. GJim ◴[] No.42145997[source]
> Forcing me to make an informed decision where I don't care about the result

The UK and EU have decided _society_ cares, about the dangers due to unregulated sharing of personal data; hence the law requires informed consent to do this.

If _you_ don't care, then that is your prerogative.

20. zelphirkalt ◴[] No.42146028[source]
And not to forget: Giving consent and rejecting to give consent must take equal effort, otherwise you are not compliant. This is veeeery easy to do. Literally just place 2 equal buttons next to each other ... Basically, all you need to do is not to spend additional effort to F things up. But surprise surprise! Most companies act as too incapable to implement it correctly. I _wonder_ what the reason could be ...
21. dspillett ◴[] No.42146050{3}[source]
I take an even more cynical view: their intent is far from passive.

They want the end user to be irritated in the extreme. When users complain they'll say “we have to do this, the law says so, look, everyone else is doing the same thing” in the hope that people will support later action to have the privacy protections wound back.

replies(1): >>42147844 #
22. dspillett ◴[] No.42146063{4}[source]
Or Apple's childish hissy-fit, deliberately breaking offline app support in response to an edict about app stores.
23. dspillett ◴[] No.42146103[source]
> Forcing me to make an informed decision where I don't care

The laws do not force that. Informed consent before tracking could be implemented other ways, perhaps even more easily.

The companies choose to force you to make the decision, rather than making it something you could choose to click or choose to ignore, because forcing that increases the chance that people who do care will accidentally opt-in and people who don't care will get irritated and (as is evident in places in this thread) incorrectly blame the law.

The companies make a point of inconveniencing people like you who don't care, so they can weaponise you against those of us who do. The companies are doing this to you, not the law.

replies(1): >>42148204 #
24. dspillett ◴[] No.42146192[source]
It is more than about using cookies, despite the regulations being informally called cookie laws, any tracking and storage of PII is covered.

> Would there exist any other method of implementing it that would be substantially different?

A checkbox or button, anywhere on the page, that you can click to opt-in or ignore to not op-in. Once clicked the site/app has consent to track that consent, so the box can stay ticked (or be moved out of the way entirely as long as a way to retract consent is easily available, perhaps via an obvious link in page footers). Done. Informed consent implemented in a way that doesn't irritate any user (those that care either way, and those that don't care at all).

They could even include a short bit of text begging people to opt in because it helps their site/app make more money from advertisers, without going as far as a pop-over or otherwise wasting a large portion of screen space.

> Its hard to imagine.

For those with very little imagination, perhaps.

> … ideal situation is that people … set … a browser preference …. Oh wait they already can.

Only with regard to cookies, and perhaps other local storage, which as I stated at the top is not at all the whole matter. And even within those limitations those options are rather ineffective against the experienced stalkers that the advertising industry consists of, because they can and will simply ignore things like DNT and will work around cookie/localstorage/other blocks using various other fingerprinting tricks.

replies(1): >>42148028 #
25. account42 ◴[] No.42146222{3}[source]
I doubt there would be any concerns with "complicating the codebase" (really?) if there was a Yes-Track header that gave consent but no negative signal.
replies(1): >>42147633 #
26. shadowgovt ◴[] No.42146272[source]
Which is fine, but as an individual I'd just rather auto-click "accept all" and go on with my life. Be nice if that could be done without the button.

If I don't want to be informed, there should be a way for me to signal my willingness to participate in uninformed consent.

27. secondcoming ◴[] No.42146292[source]
There is a new signal, GPC, that does the same thing and has been blessed by the advertising industry.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Se...

replies(1): >>42146519 #
28. Ntrails ◴[] No.42146322{5}[source]
Informed generalised denial could be accepted and no cookie banner shown surely?

In much the same way no banner is required if no cookie is being set.

29. JimDabell ◴[] No.42146519{3}[source]
> Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

I tried looking at the various browser standards positions, and as far as I can see, nobody has even asked Blink or WebKit if they are interested in supporting it. Is there any movement on this at all? The official website says that it’s part of “several major browsers”, but this seems dishonest when the biggest browser that supports it is Firefox with ~2.5% market share and no actual major browser seems to be aware of its existence.

replies(1): >>42149106 #
30. ragnese ◴[] No.42146564{3}[source]
Oh, it's definitely malicious compliance. I have no doubt.
31. brookst ◴[] No.42146629[source]
I partly agree but feel you’ve conflated a few things:

- Laws are best when abstract. This is true. Laws work best when they cover a class of behavior, not specific behaviors.

- Requiring informed consent is good. This I disagree with with because it is a hard to measure outcome. Abstract, yes, but to the point where nobody knows what it means. The only way to meet this in spirit is to go so far overboard that nobody can ever say you didn’t try hard enough.

- Mandating that huge populations spend time to make informed case by case decisions. This is like mandating pi=3. As soon as this became the goal the whole enterprise was doomed. The only way this happens is with notaries and witnesses , which is far too heavy a burden for visiting a website.

The whole thing is noble intent, but disproportionate to the problem and not aligned with the putative goals.

Regulation can be good, and it should be abstract, but it cannot mandate abstract outcomes. Imagine if speed limit signs said “speed limit: optimized balance of reduced time to destination and net cost of carbon emissions and amortized risk of accidents”

replies(3): >>42146871 #>>42147721 #>>42148551 #
32. zelphirkalt ◴[] No.42146636[source]
There is a kernel of truth in that, but lets not forget, that laws alone don't have any consequences. It is the willingness to force people to comply with the law, that has the actual consequences. If our judges and governments and forces in general are not willing to pursue violations of the law, then we can have any law we want, it still won't matter. We do need more law enforcement on GDPR! A lot more.
replies(1): >>42148254 #
33. skydhash ◴[] No.42146871[source]
I’d say the ability to have speed limits is the regulation. How it’s implemented vary depending on the road. Regulations should be abstract so that the implementation can be sensible and adaptive to the context.

And everyone knows what “informed consent to tracking”. If you’re building something, you know when you intrude on your users’ privacy. But everyone chose forgiveness instead of permission, and now I throwing a fit when the latter is required.

34. ApolloFortyNine ◴[] No.42147195[source]
>Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities.

Couldn't disagree more, people (and even companies) have a right to know if they're breaking the law. Broad laws just make everyone (potentially) guilty. It's ripe for abuse and corruption.

replies(1): >>42148496 #
35. sourcecodeplz ◴[] No.42147215[source]
Look at how Google does it for Blogger. There is an OK button and a "Learn more" one. There is no reject. Are you saying they are breaking the law? EU would love nothing more than to levy more fines.
replies(4): >>42147234 #>>42149123 #>>42149807 #>>42151826 #
36. Cthulhu_ ◴[] No.42147228[source]
You'd think that the $160+ million fine given to Google for incorrectly implementing their consent thingy would be a deterrent, but clearly not.

While the OP of this comment chain stated that laws are best if they are abstract, I think in this case the EU should have mandated an implementation as well, for example a browser based consent setting. Can be global, can be per-website. But the (ad)tech companies wouldn't like that, because as it turns out if given a fair choice, the majority of people would not opt-in, and they don't like that. Even though a small percentage of visitors that do opt in would already generate statistically significant results.

It's the same with the alternative, e.g. US sites simply not allowing access from the EU. They could just not have tracking. Advertisers could serve non-tracking ads, based on e.g. IP geolocation. But they don't like that because it's not as targeted as before the EU laws.

37. actionfromafar ◴[] No.42147234{3}[source]
I always assumed they were and are breaking the law.
38. GardenLetter27 ◴[] No.42147452[source]
Such basic functionality as cookies shouldn't need explicit consent. The consent is you navigated to the webpage, if you don't like it you can use a browser that doesn't set cookies.
replies(2): >>42147619 #>>42147646 #
39. vundercind ◴[] No.42147619[source]
Tracking people with cookies is the part that requires consent.

Setting cookies that aren’t used to track people, doesn’t require consent.

The consent is for tracking that happens to use cookies, not for cookies themselves.

replies(1): >>42147963 #
40. randomdata ◴[] No.42147633{4}[source]
There is a "Yes-Track" header – DNT: 0

Granted, you can't legally use it like that where EU laws apply, per the GDPR. Hence the complaints about the GDPR you see in other comments.

replies(1): >>42149132 #
41. happymellon ◴[] No.42147646[source]
Me navigating to a webpage is far from consent.

How do I even know that you want to try and farm my personal data until I go there?

Perhaps you should put a click through gateway that states that "proceeding on to this website will sell your personal information to spammy, scummy advertising".

replies(1): >>42148065 #
42. close04 ◴[] No.42147721[source]
> nobody knows what it means

The definition of consent is provided here. [0] There are clear application guidelines. To me it takes being intentionally obtuse or malicious in the interpretation when reading the text to come to the conclusion "I don't know what it means so I'll do the thing that benefits me".

Imagine blowing through a stop sign and trying to explain that you don't know what it means, the Earth is moving so you could never really be in compliance. You're not wrong but it's clear that your incompliance doesn't come from a place of honest misunderstanding.

> Mandating that huge populations spend time to make informed case by case decisions

It's mandating that the user is given the tools to provide informed consent, not that they must use them properly. If you need to know what it means, the text is clear. If not and never needed to read it, it's easy to conclude it's hard, impossible even.

[0] https://gdpr.eu/article-4-definitions/#:~:text=%E2%80%98-,co...

43. marcosdumay ◴[] No.42147781[source]
> You cannot have an informed case-by-case decision without spending time.

No, that's bullshit. Nobody is after case-by-case decisions.

People are under DoS attacks from corporations throwing single-sided contracts into them until they make a mistake and accept something.

Those boxes are just that, harassment, done in the hope people will pay them to go away.

44. ryandrake ◴[] No.42147844{4}[source]
The message from these antagonistic companies is clearly: "Look at what they made me do to you!" And users (even here in the HN comment section) fall for it. Like a beaten spouse. Yessssssss, it's the evil EU.... Why do they force you to beat me up?
45. ryandrake ◴[] No.42147864[source]
Silicon Valley in general has a huge problem understanding consent. If the world was a night club, "Silicon Valley" would be that creepy guy who goes up to everyone saying "You're dancing with me now, unless you opt out [Yes | Ask again later]."
46. GardenLetter27 ◴[] No.42147963{3}[source]
But you can configure all that client-side anyway.

You choose what you save on your computer and send in responses, not the server sending you the HTML.

The current situation is absurd, the EU just doesn't understand technology.

replies(1): >>42148542 #
47. Ylpertnodi ◴[] No.42148028{3}[source]
>A checkbox or button, anywhere on the page, that you can click to opt-in or ignore to not op-in.

How about no click to opt out, and a click to opt in?

replies(1): >>42154291 #
48. GardenLetter27 ◴[] No.42148046[source]
But you're the one saving and sending the cookies anyway - not the website.

If you don't want to send some of them, then just configure your client not to do that.

It's bizarre that the onus is put on the websites themselves to request consent before requesting that the client sets the cookies.

replies(1): >>42148507 #
49. Rattled ◴[] No.42148053[source]
Some of the most intrusive cookie banners I've seen are on EU institutional websites. If they can't find a way to provide access to information without pages of consent boxes what hope have the rest of us. The law came ten years too late and focused on a narrow technical step rather than the privacy goals directly.
50. GardenLetter27 ◴[] No.42148065{3}[source]
Setting a cookie isn't farming personal data.

You can configure your web browser to only send first-party cookies back and never set others. Or configure a subset of domains.

If you're worried about it you should be doing that anyway, since the cookies could be set despite the pop-up (or some websites might ignore the consent pop-up requirement entirely).

replies(1): >>42150072 #
51. scotty79 ◴[] No.42148204{3}[source]
Companies want to track me. I want companies to track me.

So what's the source of the friction if not law itself or its direct consequences?

I think other parties try to force me to care when I don't by introducing all that friction.

There's a talk about DNT. What's the reason no browser has "Please do track me and do whatever you wish with the data you manage to gather."?

I think it would be quite popular. So it's probably prevented by the law itself.

replies(1): >>42154540 #
52. scotty79 ◴[] No.42148254{3}[source]
> laws alone don't have any consequences

That's a very weird claim about something that the whole purpose of is to have at least some consequences.

53. uniqueuid ◴[] No.42148496[source]
This is not what I meant. Laws are made concrete and understandable through either case law (harder for citizens to anticipate IMO) or through statutory interpretation in civic law traditions. Both (eventually) offer a clear understanding of the meaning and scope of a law.
54. TheCoelacanth ◴[] No.42148507[source]
The law isn't about cookies; it's about tracking regardless of the technical means used to implement it.
55. TheCoelacanth ◴[] No.42148542{4}[source]
Tracking is not configurable client-side. Blocking cookies is not sufficient to prevent tracking. Is it the EU that doesn't understand technology or you?
56. uniqueuid ◴[] No.42148551[source]
Sure I find it reasonable to disagree on these points.

I personally find informed consent to be a very desirable thing, because it aims at the goal of legislation, not at the means. If you think that citizens cannot, should not, or should not be required to profoundly understand what is happening to them in digital contexts, that's a specific point of view. From this you evaluate the trade-offs.

My personal (humanistic) perspective is that a profound understanding and practical control over our digital lives are the prerequisite for dignity, which is the ultimate goal of a state.

replies(1): >>42150628 #
57. ◴[] No.42149011[source]
58. ◴[] No.42149038{3}[source]
59. secondcoming ◴[] No.42149106{4}[source]
There's movement from the Internet Advertising Bureau, they explicitly say that this signal must be adhered to if the header is present, and this signal must be forwarded to Demand Side Platforms.
replies(1): >>42149393 #
60. MagnumOpus ◴[] No.42149123{3}[source]
They are breaking the law. But enforcement lies with national agencies (unlike antitrust where the EU commission itself enforces). Most national agencies don’t bother, only the French CNIL had levied penalties - pretty much on every one of the big ad tech companies in the Faamgs, Bytedance and Twitter…
61. smolder ◴[] No.42149132{5}[source]
It's not really a Yes Track if it's simply absent. The user hasn't requested to be tracked. I'm not even sure with it set to 0 that you can assume that intent. I guess it would depend on the browsers behavior, but as you say the law is not compatible with that use.
replies(1): >>42149603 #
62. JimDabell ◴[] No.42149393{5}[source]
I mean is there any movement in getting major browsers to adopt this?

Normally when a spec. like this is written that needs adoption from web browsers, an explainer is written and then the major rendering engines are asked for their feedback. For instance, here’s an explainer:

https://github.com/krgovind/first-party-sets

Here’s where WebKit was asked for their position on it:

https://github.com/WebKit/standards-positions/issues/93

Here’s where Mozilla was asked for their position on it:

https://github.com/mozilla/standards-positions/issues/350

Here’s the process Blink goes through to get a new feature like this going:

https://www.chromium.org/blink/launching-features/

I tried to find where this was done for GPC and couldn’t find anything. Did they just write a spec. and not bother doing any of the work involved in getting it adopted? Or is there progress being made that I didn’t see? Hence my question: Is there any movement on this at all? Or is the process of getting it adopted by Blink and WebKit at absolute zero?

replies(1): >>42150778 #
63. randomdata ◴[] No.42149603{6}[source]
According to the specification,

DNT: 0 = Yes, track me.

DNT: 1 = No, do not track me.

> I'm not even sure with it set to 0 that you can assume that intent.

That's the problem. Someone not paying attention might inadvertently set DNT: 0, which is why the law is written the way it is. But at the same time we have techies who knowingly and carefully set such values and want the service to acknowledge it, contrary to the law. Hence the contention.

64. atoav ◴[] No.42149807{3}[source]
Yes.

GDPR says on Consent:

> The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.

Pretty clear, isn't it?

There have been subsequent rulings stating that not giving a equally styled no/reject option or letting people choose between one yes option and thousand separate no options is already a influence that nullifies consent.

Also specific means you can't just tell them you have to use a cookie for technical reasons and use it for tracking later — they might have given you consent for that cookie for the purpose you told them about, not for the purpose of tracking.

All kinds of actors try to bend the rules here, while the rules are verh clear.

65. happymellon ◴[] No.42150072{4}[source]
Consent isn't required for setting a cookie.

You don't appear to know what the regulation is. The "cookie banner" isn't even about setting cookies, its data sharing.

66. sangnoir ◴[] No.42150143{4}[source]
Microsoft, in its eagerness to hit Google's revenue, universally set DNT on its browser of the day, which muddied the water on informed consent, and gave Google and other trackers an excuse not to respect it, since it wasn't technically the user requesting not to be tracked, but Microsoft.
67. franga2000 ◴[] No.42150487[source]
No user wants informed case-by-case decisions, we want to not be tracked. Making this a question that needs to be explicitly answered was already a bastardisation of the original intent of privacy legislation. A competent legislator would've required a user agent level option (like a more advanced version of DNT) that can be set globally and overriden per site. This could be written vaguely enough to not require patching as technology changes.

And even if we wanted case-by-case consent, a standardised format and actually enforced rules against coerced consent would've also been quite easy to do.

68. brookst ◴[] No.42150628{3}[source]
That's really well put.

> If you think that citizens cannot, should not, or should not be required to profoundly understand what is happening to them in digital contexts, that's a specific point of view.

Yes, that is what I believe. Most especially the "required" word. I do believe they should be allowed, empowered, encouraged, and enabled to understand those things, but I do not think it is a good requirement.

IMO people also have a right to not care about this. At their peril, perhaps, but who am I to tell someone that they may not use digital tools unless they commit to this understanding?

69. jolmg ◴[] No.42150714[source]
> I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given

Depends on what you consider to be "cookies were set". I think it's a valid argument that cookies aren't set until a "Set-Cookie" HTTP header is sent to the server. The banner is just a form to decide whether or not to set the cookies prior to actually doing so. The banner switches aren't the cookies themselves.

replies(1): >>42181891 #
70. secondcoming ◴[] No.42150778{6}[source]
I have no idea about browser adoption. I’m just aware of adtech’s requirements around it.
71. eitland ◴[] No.42151826{3}[source]
> EU would love nothing more than to levy more fines.

They aren't paying attention then.

The market abuse that has allowed Chrome to become as dominant as it is has been a lot worse than what Microsoft did with IE.

72. dspillett ◴[] No.42154291{4}[source]
That is essentially what I said, the default state being opted-out rather than there being an in/out/unknown tri-state, so my "ignore" and your "no click" are the same [in]action.
73. dspillett ◴[] No.42154540{4}[source]
> Companies want to track me. I want companies to track me.

If you actively _want_ companies to track you, then you take an unusual position.

> So what's the source of the friction

The right to privacy if you want it. Someone wanting to let people to follow you around should not override the preference of those who would prefer not. The "why should I care that other people care" argument is very similar to those who argue against smoking restrictions (or seatbelt requirements, and so on) because "it should be our choice" without thinking about the potential consequences to others.

> if not law itself or its direct consequences?

The source of friction is how the complaints have chosen to interpret the law. They have chosen to do this in a way that causes maximum inconvenience to anyone who want is protections (many are actually in direct contravention of the rules, despite their claims otherwise, but let's for a moment ignore that companies are actively breaking the law). That it also inconveniences people who want to be tracked is a desired sideeffect as it means those people are weaponised in ad-tech's favour in discussions about such matters.

> I think other parties try to force me to care when I don't by introducing all that friction.

As well as the binary "your choice" vs "my choice" that completely ignores those who have not yet stated there preference, have not yet decided, or do not yet even know there is a choice, or are just passing by. This is why active consent should be the default requirement.

> There's a talk about DNT. What's the reason no browser has…

Your premise is incorrect: Some browsers do. It doesn't work because companies ignore it. It is not in the laws that they shouldn't ignore it because ad-tech and their lobbyists successfully campaigned against that being in the legislation. Again: ad-tech is the reason for your inconvenience, not other people's preference not to be tracked.

Part of the issue is that there is a conflict of interests in done quarters, with makers of browsers also being part of the ad-tech stalking business, another place the effects of this are seen is in changes that prevent us choosing to actively block being tracked because we can't express it choice more passively because DNT is ignored.

> I think it would be quite popular.

We very much agree there.

> So it's probably prevented by the law itself

It is not. Show me anywhere in the current legislation where UAs implementing a DNT flag (which, I say again, some do) or ad-hoc tech respecting such a flag is prevented (either directly, or by accidental interaction between rules).

How about an alternative: have a one-click "track me if you want" flag? (Of course it would be terribly naive to think companies would not also just ignore that and track when it isn't set at thier convenience).

replies(1): >>42156798 #
74. scotty79 ◴[] No.42156798{5}[source]
> Some browsers do.

Which browsers?

> How about an alternative: have a one-click "track me if you want" flag?

That's exactly what I was asking for. It should exist. My theory why it doesn't is that it wouldn't constitute informed case by case consent. So it's illegal.

> Of course it would be terribly naive to think companies would not also just ignore that and track when it isn't set at their convenience

I don't care about that because I want to be tracked, just silently.

If I were to design law I wouldn't ban tracking. I would make sites that do track make the information they have on "me" available to me for viewing and possibly editing at my request.

It wouldn't be even "cookie law" because whatever information you tie and store to whatever identity should be available to this identity.

replies(1): >>42169030 #
75. dspillett ◴[] No.42169030{6}[source]
> Which browsers?

Quite a few: https://caniuse.com/do-not-track

Unfortunately the spec is official deprecated, rather than just ignored by sites, because without any regulatory weight it, well, would forever just be ignored by those who want to ignore it.

> I would make sites that do track make the information they have on "me" available to me for viewing and possibly editing at my request.

So, GDPR? That is not a cookie law but governs the tracking of PII, including the right to be given a report of what is stored about you and the right to be forgotten¹. Though it isn't finer grained than that: you can have yourself removed entirely and request corrections, but it does not prescribe any option for more selective deleting.

----

[1] except where that would impinge on other regulation, for instance in industries my day job services companies have to keep certain details of people for certain lengths of time (indefinitely for those associated with selling pensions, for instance) for dealing with complaints and other regulator matters in the long term.

replies(1): >>42169133 #
76. scotty79 ◴[] No.42169133{7}[source]
> https://caniuse.com/do-not-track

Oh. I think we have a misunderstanding. I thought you knew some browsers that support some sort of please-do-track-me-quietly.

> So, GDPR?

Right but about all data and all identities. You believe that holder of cookie <guid> likes cats? If my browser holds that cookie you should be forced by law to offer UI where I can see the preference for cats and possibly change it or delete it.

77. mpeg ◴[] No.42181891{3}[source]
What I mean is a lot of sites will add tracking cookies like say through a google analytics tag before the user has actually accepted them.

Then, if the user clicks to reject cookies in the banner they remove the tracking cookies etc – but this is not compliant since if the user takes no action they are being tracked by default.

replies(1): >>42185436 #
78. jolmg ◴[] No.42185436{4}[source]
Oh. Then I agree.