Most active commenters
  • 1718627440(3)

←back to thread

Internet's biggest annoyance: Cookie laws should target browsers, not websites

(nednex.com)
582 points SweetSoftPillow | 14 comments | 22 Oct 25 12:12 UTC | HN request time: 0.001s | source | bottom
Show context
michaelmauderer ◴[22 Oct 25 12:36 UTC] No.45668112[source]
The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.

"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...

Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.

replies(27): >>45668188 #>>45668227 #>>45668253 #>>45668318 #>>45668333 #>>45668375 #>>45668478 #>>45668528 #>>45668587 #>>45668695 #>>45668802 #>>45668844 #>>45669149 #>>45669369 #>>45669513 #>>45669674 #>>45670524 #>>45670593 #>>45670822 #>>45670839 #>>45671739 #>>45671750 #>>45673134 #>>45673283 #>>45674480 #>>45675431 #>>45678865 #
crazygringo ◴[22 Oct 25 12:52 UTC] No.45668318[source]
No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.

Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.

The sites are just trying to maximize profit, as anyone could predict. So write better laws.

replies(20): >>45668365 #>>45668389 #>>45668443 #>>45668540 #>>45668630 #>>45668809 #>>45668823 #>>45668886 #>>45669084 #>>45669675 #>>45670704 #>>45671579 #>>45672352 #>>45672518 #>>45672991 #>>45673713 #>>45674575 #>>45675918 #>>45676040 #>>45676756 #
1. atoav ◴[22 Oct 25 13:26 UTC] No.45668809[source]
No. The law does not allow it.

To quote Article 4(11) – Definition of Consent

> ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Meaning if you force users into pressing a button or let them scroll through 1000 no options, with one easy yes option, you have not collected their free consent. Congrats you broke the law.

Meaning if you just have them click yes, but not informed them about the harmful data collection you did not collect free consent.

The law is pretty clear on that.

replies(2): >>45669263 #>>45669399 #
2. Measter ◴[22 Oct 25 13:57 UTC] No.45669263[source]
Wouldn't this also mean that if a user was using one of those browser extensions that automatically click "yes" to close the pop, then the site would not have informed consent, and therefore would not be allowed to collect the data?
replies(3): >>45670178 #>>45671200 #>>45672191 #
3. wutbrodo ◴[22 Oct 25 14:07 UTC] No.45669399[source]
I may be missing something, but I don't see how this clearly precludes that behavior.

Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it? To my eyes, both 'freely' and 'informed' are plausibly upheld.

It would be very straightforward to specify that consent and withholding must be equally accessible in the interface, instead of splitting hairs about definitions of "freely given". This is what people refer to when they say the law is poorly written

replies(1): >>45669806 #
4. croon ◴[22 Oct 25 14:38 UTC] No.45669806[source]
> Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it?

> Art 7(3) It shall be as easy to withdraw as to give consent. [0]

But legal interpretation of GP I believe is reaching the consensus that that phrasing too is broken by that implementation:

> Free and informed consent (Art. 7 GDPR): Consent is valid only if it is freely given. When the option to decline is hidden or unnecessarily cumbersome, the user's choice is affected and consent is no longer "free." [1]

[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...

[1] https://www.ictrechtswijzer.be/en/complaint-about-cookies-wi...

replies(1): >>45678726 #
5. 1718627440 ◴[22 Oct 25 15:00 UTC] No.45670178[source]
Yes. Who the hell uses such a browser extension, though? I use an extension, that always clicks no, but why would anyone want to always be tracked?
replies(1): >>45670895 #
6. dspillett ◴[22 Oct 25 15:45 UTC] No.45670895{3}[source]
Be careful with just clicking the big “decline” button. That skips past your opportunity to “object to legitimate interests”¹ in many cases.

--------

[1] Here “legitimate interest” essentially means “we see your preference not to be stalked, but we want to so we are going to make it that bit more faf to opt out, because fuck you and the privacy we lie about caring about”.

replies(2): >>45671932 #>>45679597 #
7. SpicyLemonZest ◴[22 Oct 25 16:04 UTC] No.45671200[source]
That seems too clever. If you set up a browser extension that automatically writes your signature on any contract people email to you and returns it, I'm pretty sure you're bound by those contracts.
8. pasc1878 ◴[22 Oct 25 16:54 UTC] No.45671932{4}[source]
And that is breaking the law. The decline button means decline all.
replies(1): >>45679169 #
9. immibis ◴[22 Oct 25 17:15 UTC] No.45672191[source]
If a child wearing stilts and a long coat walks into a movie theater where children can enter for free, and buys an adult ticket, then watches the movie, is he entitled to sue the theater and claim a refund?

Programming your computer to automatically click "yes" sounds like affirmatively giving consent to all popups to me. The standard for consent here is lower than for things like sex.

10. wutbrodo ◴[23 Oct 25 06:13 UTC] No.45678726{3}[source]
Ah appreciated, that is indeed exactly what I was asking about!

Now I'm left wondering why enforcement was supposedly so hard. Seems like shooting fish in a barrel, especially given that some very large websites were in clear violation of this article

replies(1): >>45680437 #
11. dspillett ◴[23 Oct 25 07:27 UTC] No.45679169{5}[source]
> And that is breaking the law.

Definitely the spirit of it, though some claim not the letter or it due to loopholes.

> The decline button means decline all.

It certainly should, but I never trust it does (with other dark patterns on show I'm all out of benefit-of-the-doubt) and go into to "details" to look for objection toggles. Not that I particularly trust those anyway, but that is a different niggle!

replies(1): >>45679502 #
12. 1718627440 ◴[23 Oct 25 08:22 UTC] No.45679502{6}[source]
Decline all means decline everything the law says you need consent for. The Google dialog kind of describes it perfectly: "Decline all cookies for this additional purposes".
13. 1718627440 ◴[23 Oct 25 08:36 UTC] No.45679597{4}[source]
There are websites that let you opt out of legitimate interests? That is a term of the law which means that you don't need user content.

The extension I use is called Ghostery and it also claims to block other tracking.

14. croon ◴[23 Oct 25 10:58 UTC] No.45680437{4}[source]
Subjective take: Huge amount of small actors, and the big actors have a financial interest in shifting the conversation to blaming the EU for their annoying dark patterns over protecting customers from privacy violations and tracking to the detriment of their financials.