Analysis of economic and productivity losses caused by cookie banners in Europe

Correct URL: https://legiscope.com/blog/hidden-productivity-drain-cookie-...

> This situation calls for an urgent revision of the ePrivacy Directive

Shame companies cannot live without tracking cookies, and shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss".

You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.

> shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss"

You can wish upon a star that humans weren’t the way we are. In the real world, this was a predictable response to a stupid rule. (And in some cases a necessary one. For example, for websites requiring a login or reliant on ads.)

> know the best way of not having to care about GDPR? Don't store PII

This is a nothing to hide argument [1]. Proving compliance with GDPR is tedious and expensive even if you’re fully compliant. (Proving no jurisdiction is easier.)

[1] https://en.m.wikipedia.org/wiki/Nothing_to_hide_argument

> for websites requiring a login

They don't need consent for that.

> reliant on ads

Yes. For me, this has been eye-opening about how many different ad agencies there are snooping on my browsing history. It was bad enough when it was just the (UK) government passing a law to do that, now I've got websites with more "trusted partners" monitoring my every move than my high school had students.

> This is a nothing to hide argument

"Don't store PII" does not seem to be that, to me?

If anything, the opposite party gets that criticism, given that the default is allowing private agencies to spy on everyone?

Saying you don’t need to worry about GDPR if you don’t keep PII is the “nothing to hide” argument. There is still a cost to demonstrating compliance that goes beyond complying.

Maybe an analogy will make it click: If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal.

Replace marijuana with "personal data" and imagine it is about websites with visitors within EU. If they're not storing, processing and/or transmitting personal data, there is no compliance requirements (from GDPR at least).

> If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal

This is a good analogy. By making the marijuana illegal, you also implicitly widen search powers. You can’t arrest someone you think smells like weed if weed is legal. (Or answer a neighbor’s complaint that they suspect they’re growing weed.)

Same idea. If you say you aren’t storing personal data and I say you are, someone’s got the authority to check. Those checks and confirmations cost time and money. With a complain-investigate set-up like GDPR (and American securities law), the burden is on the respondent.

> By making the marijuana illegal, you also implicitly widen search powers.

Nope, you don't. Those are two different things.

There are plenty of things that are made illegal without giving the government the power to search for them.

> You can’t arrest someone you think smells like weed if weed is legal.

You can't arrest someone by smelling like weed in any democracy where it's illegal either.