
332 points vegasbrianc | 1 comments
ayaros No.42142419
Why should websites even be trusted with implementing these banners in the first place? Browser vendors should be responsible for implementing these controls per-origin. Give a little banner pop-up built into Chrome, Firefox, Safari, and the rest. Have it display every time a new site sets a cookie for the first time. Or have it reject every cookie by default, unless I whitelist a site. This would result in a consistent user-experience across the board, and I'd actually be able to trust that I'm not being tracked.

Instead, we are trusting the very websites we are blaming for tracking us in the most deceitful, malicious ways possible to self-regulate and implement these controls. So now every website gets a shitty banner - on top of all the other annoying in-page banners and popups which are a staple of 2020s web design - that asks us if we want cookies. All these banners look different, are positioned differently on the page, appear at different times after the page is loaded, and function differently. So there's no consistency. And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies." How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?

So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industry does, except it's worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.

So again, why isn't this the responsibility of browser vendors? Am I taking crazy pills? Am I going insane or is the world going insane?

/rant

hnbad No.42145172
> Why should websites even be trusted with implementing these banners in the first place?

Because these "banners" are not just about cookies but about data processing and storage. Cookies are just the most obvious and immediate aspect because they're browser-facing and thus consent needs to be obtained early on. But there's nothing special about cookies when it comes to the need to obtain consent (even the ePrivacy directive which singles them out only does so to explain what information needs to be disclosed in order for consent to be possible).

> Instead, we are trusting the very websites we are blaming for tracking us in the most deceitful, malicious ways possible to self-regulate and implement these controls.

Yes. Because they break the law if they don't comply or try to trick you to "opt in".

> So there's no consistency.

Yes. Most consent dialogs are breaking the law by being intentionally non-compliant to mislead visitors into opting in. The ePrivacy directive makes it pretty clear what a compliant dialog would look like. For example if you have a big "accept all" CTA you need to have an equally prominent "reject all and proceed" CTA.

> And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies."

If they're strictly necessary, they are required for the site to function. Disabling them would make the site not work.

> How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?

Because that would break the law.

> So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industry does, except it's worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.

No, we have created a law they have to follow and which they can be fined for violating. We have also established privacy and the right to your personal data as a universal right because everything else in the GDPR and ePrivacy directive follows downhill from that.

They're not self-regulating, they're regulated. This is literally how regulation works: they have to follow the law or they risk a fine. The problem right now is some DPAs dragging their heels, most being underfunded and foreign companies getting special "One Stop Shop" deals where a ridiculously corrupt DPA (hello Ireland) gets to be the single DPA in charge of handling complaints about them.

1. ayaros No.42152498
I realize there are indeed strictly necessary cookies for site functionality. Sites need to store state information, login data, information about what's in your cart, etc. I should be able to make that choice on a site by site basis - to decide if my relationship with a website is deep enough to be worthy of allowing it to store data on my computer beyond the contents of the page itself. I know whether I'm going to be logging into a site or not. I know whether I feel like making yet another user account or not. I know whether I want to actually consider buying something or not. And if I don't know for sure, I should have the option to allow cookies, and then to quickly revert that decision. And user interfaces can be built within the browser to make this level of control more accessible and understandable to the average person without being obtrusive or overly complex.

In my opinion, the web needs to be less reliant on cookies and state data, and websites should be adaptable to situations where they cannot store or access it. Websites can easily provide UI feedback for this issue. For instance, a store website unable to save a cookie can place a banner at the top saying something like "please enable cookies for this website in order to use the shopping cart." And then it's up to browser vendors to provide a simple, consistent, intuitive user interface for enabling cookies - such a UI should minimize the amount of instructional info a site's banner will need to contain in the first place.

The web really needs to be built around opting into site functionality on a site by site basis. It's been the opposite of this for a long time now and we've ended up where we are today... There are many reasons site operators will hate this, from legitimate concerns about usability or accessibility, to business concerns about users not wanting to take the minimum amount of time to change a setting to add items to a cart resulting in reduced sales, or even malicious concerns about not being able to track users under a magnifying glass. As pissed off as these site owners will be, it's a change browser vendors can make without needing their permission the same way Apple added app-tracking-transparency controls much to the chagrin of companies like Facebook.

And yes, users will find one reason or another to complain about this, despite the fact that it will be optional. "It's like Vista's UAC prompts all over again!" "I shouldn't have to do extra work to add stuff to my cart!" etc. That's great that they don't care about being tracked and if they want to be the cattle of data mining companies that's fine. But there are plenty of people who, given the choice, will prefer the alternative, and over time sites will adapt. If sites purposefully punish people for not enabling cookies, and websites are interested in pissing off their users, well there's always the option to close that site and use another... in any case I'd rather deal with that kind of fight than the situation we have now.