Analysis of economic and productivity losses caused by cookie banners in Europe

What I find funny about the whole thing is that the grand majority of companies with cookie banners are not implementing them correctly, and therefore are still in breach of the law.

I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given

Also see banners where there is only a big "OK" button, with no visible option to reject, this is also not compliant!

One way to see it is that it's their way of passive-aggressive protest against a law they don't want. Maybe the aim was never to abide by the law, just to pretend and annoy people enough to draw them on your side.

A clear example of passive-aggressive protest was from Google, the removal of links to Google maps from the search results. Instead of providing a choice of multiple map providers, they just completely removed the links. To clarify: I'm in Europe (France).

And not to forget: Giving consent and rejecting to give consent must take equal effort, otherwise you are not compliant. This is veeeery easy to do. Literally just place 2 equal buttons next to each other ... Basically, all you need to do is not to spend additional effort to F things up. But surprise surprise! Most companies act as too incapable to implement it correctly. I _wonder_ what the reason could be ...

I take an even more cynical view: their intent is far from passive.

They want the end user to be irritated in the extreme. When users complain they'll say “we have to do this, the law says so, look, everyone else is doing the same thing” in the hope that people will support later action to have the privacy protections wound back.

Or Apple's childish hissy-fit, deliberately breaking offline app support in response to an edict about app stores.

Oh, it's definitely malicious compliance. I have no doubt.

Look at how Google does it for Blogger. There is an OK button and a "Learn more" one. There is no reject. Are you saying they are breaking the law? EU would love nothing more than to levy more fines.

You'd think that the $160+ million fine given to Google for incorrectly implementing their consent thingy would be a deterrent, but clearly not.

While the OP of this comment chain stated that laws are best if they are abstract, I think in this case the EU should have mandated an implementation as well, for example a browser based consent setting. Can be global, can be per-website. But the (ad)tech companies wouldn't like that, because as it turns out if given a fair choice, the majority of people would not opt-in, and they don't like that. Even though a small percentage of visitors that do opt in would already generate statistically significant results.

It's the same with the alternative, e.g. US sites simply not allowing access from the EU. They could just not have tracking. Advertisers could serve non-tracking ads, based on e.g. IP geolocation. But they don't like that because it's not as targeted as before the EU laws.

I always assumed they were and are breaking the law.

The message from these antagonistic companies is clearly: "Look at what they made me do to you!" And users (even here in the HN comment section) fall for it. Like a beaten spouse. Yessssssss, it's the evil EU.... Why do they force you to beat me up?

They are breaking the law. But enforcement lies with national agencies (unlike antitrust where the EU commission itself enforces). Most national agencies don’t bother, only the French CNIL had levied penalties - pretty much on every one of the big ad tech companies in the Faamgs, Bytedance and Twitter…

Yes.

GDPR says on Consent:

> The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.

Pretty clear, isn't it?

There have been subsequent rulings stating that not giving a equally styled no/reject option or letting people choose between one yes option and thousand separate no options is already a influence that nullifies consent.

Also specific means you can't just tell them you have to use a cookie for technical reasons and use it for tracking later — they might have given you consent for that cookie for the purpose you told them about, not for the purpose of tracking.

All kinds of actors try to bend the rules here, while the rules are verh clear.

> I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given

Depends on what you consider to be "cookies were set". I think it's a valid argument that cookies aren't set until a "Set-Cookie" HTTP header is sent to the server. The banner is just a form to decide whether or not to set the cookies prior to actually doing so. The banner switches aren't the cookies themselves.

> EU would love nothing more than to levy more fines.

They aren't paying attention then.

The market abuse that has allowed Chrome to become as dominant as it is has been a lot worse than what Microsoft did with IE.

What I mean is a lot of sites will add tracking cookies like say through a google analytics tag before the user has actually accepted them.

Then, if the user clicks to reject cookies in the banner they remove the tracking cookies etc – but this is not compliant since if the user takes no action they are being tracked by default.

Oh. Then I agree.