Why not just let browsers control who sets what cookies?
I'm tired of the endless cookie popups, can we come up with an "allow cookies if the browser accepts them" standard as long as that guarantees no cookie popups?
Then browser vendors can ship a "delete all non-same-origin cookies on tab close" option or something.
This is (mostly) based on EU law; entities that set cookies and track user data are required to get opt-in permission from users before doing so, and if the user declines, the entity cannot offer a degraded service.
At least that's the idea. In practice, almost everyone just throws up a banner that says "fuck you, we're selling your data as hard and as fast as we can," with no opt-out available, but they pretend that this is compliant with the law.
My favorite of the week: Doordash. Doordash does not use two-factor authentication, except for one thing: opting out of having your data sold. For that, it sends an SMS message to your phone. Since I signed up for them using a landline, the SMS message is lost.
It's a shame the EU became laser focused on cookies, which can be managed technically by browser settings, and not on dark patterns like these. Or how US consumers complain about being able to subscribe to a service via the web but must call a customer service person to cancel, often with a lengthy wait, dropped calls, and being transferred to a sometimes rude 'retention specialist.'
There's so much more pressing than just cookies imo.
Contrary to popular belief, GDPR has nothing to do with cookies and isn't even about the web specifically. It is - as it says right in the name - a General Data Protection Regulation.
> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
This is from article 7 of the GDPR [0]. Clearly the situation described involves a much harder time withdrawing consent than giving it - which goes against the law.
I may have misunderstood what you meant but how is this being laser focused on cookies? This article applies beyond the Internet anyway.
Oh man this makes my blood boil, another reason I'll never touch MS again is that they removed the cancel Xbox Live subscription button for NZ subscribers and I assume other locales where they didn't have some law forbidding it, the feature to cancel was there but they decided if they could to hold you hostage and made you call and waste lots of time via as painful a process as possible to cancel
The new one I'm seeing is you opt out easily enough, but there's a subtly hidden tab called 'legitimate interest' and every ad network claims to have a legitimate interest in harvesting your data, even though you've got no business relationship with them.
What should be happening is every company that's done that should be getting massive fines, but instead all the enforcement agencies are doing nothing.
If a company is going to lie or skirt the law about their cookie use, why show the banner at all? It's almost worse to show a decline option that does nothing.
Malicious compliance is still compliance. Somebody being told "Please watch the pressure gauge." and then staring at it as it goes outside of safe regions is doing exactly what they were asked to do. This is blatant noncompliance with the thinnest veneer of respectability.
Yeah, people should start reporting these sleazy sites to their authorities if in the EU. I'm hoping that GDPR enforcement will eventually get up to speed.
Except that those authorities are often stripped of resources, toothless organizations often made to serve as digital Potemkin villages for the public; everyone knows this and can't be bothered to waste one second of their life on that BS.
I typed "cnil fines" (the CNIL being the French data watchdog) on google which led me to their sanction page [0] which features 100M€ fines to Google and 35M€ to Amazon _last week_. It is surely not much in the grand scheme of things but surely this is more than a mere Potemkin village.
That's true, but I wish they spread their reach wider. These fines to Google/Amazon/Facebook make the news, but are just a slap on the wrist to these giants. What would work much better is a wider campaign of smaller fines, so that everybody in the sleazy business would know or have heard of someone who was fined.
I typed "UK data watchdog" (for I did not know its name) and while it is true that I needed more clicks than for France, I found their enforcement page with their list of fines [0]: £18m here, £2m there...
They also had a massive budget shortfall which meant they sent out what amounted to protection-racket letters demanding £40 per year from every UK business, even though almost none of those businesses should be paying it.
All this while simultaneously investigating the ad industry, finding it is egregiously breaking the law, but then doing nothing about it.
The UK's ICO is taking an extremely broad definition of who should be paying it, but an extremely narrow definition of who it should enforce against.
I might add that the £40 it is demanding is almost 3 times the normal £15 yearly fee for running a business in the UK.
Legitimate interest exists, and we use it at work. But because I work in the field of security, and for the sake of our infrastructure, we log specific information and might drop a mandatory cookie at a time.
Everything outside that field cannot, I guess, be considered as legitimate interest.
The absolutely funniest interpretation of "legitimate interest" is in a recurring spam message I get from (of all things) an email lead marketing company.
They have small print after each of their emails that says that GDPR allows them to email me because they believe I might be legitimately interested in purchasing their services.
It's not really about cookies but more about non-essential information gathering, of which tracking is a part, and some forms of tracking use cookies. So basically, three levels deep before we go from the law to cookies. Then again, people have an easier time talking about 'cookie popups' instead of 'information harvesting', which sadly hides the real issue.
What keeps Mozilla from implementing this setting and lobbying for a general Web API for expressing cookie consent? As far as I can tell, their users would be extremely happy about that.
Because it won't take off. Right now, the advertisers are basically hoping for you to be too lazy to click around ten minutes to find the 'no'-option. If every user would be presented with a fairly weighted chance once, hardly anyone would click yes. Accepting this standard would undermine their business even more.
It can; the first iteration used the Do-Not-Track header, but that died in the standardization process. Now there is a movement for the Global Privacy Control header that you can read about here: https://globalprivacycontrol.org/
Once, and only once, since GDPR was implemented, I found a banner that was actually compliant with the GDPR. It defaults to allowing only necessary cookies, requires affirmative consent before any other cookies are used, and makes rejection of tracking have no additional steps compared to accepting tracking. Every other banner I have seen will violate those in some way, either saying that continued use of the site constitutes acceptance, or requiring unchecking of several boxes before clicking accept, or requiring going to dozens of affiliate websites in order to search out and disable tracking settings there.
As in, this is the first GDPR banner I've seen that is actually legal under the GDPR.
Sad but true, I wish there was some way to change the current state of affairs, but the EU is a juggernaut that has lost track of its citizens' wishes regarding cookies.
One of the most precious things we have is time and the constant cookie interruptions are a nuisance that should be kept from sight.
Does this mean that sites that offer free but ad-supported content still have to offer that content? So I can watch those free Youtube movies and listen to those Spotify tracks ad-free because EU Law says fuck you.
How is this fair?
Edit: Okay, okay, non-targeted (and no 3rd party) ads are okay, got it xD
You can display ads just fine without using cookies. You just can’t track people across the web.
Also Spotify can easily require a free login and associate everything with that, no tracking cookies required. They just can’t associate your playlist with your web browsing habits.
No, it just means those ad-supported sites cannot use cookies to spy on you in the name of personalized ads. They are still free to display "generic" ads including content-related ads. Same as old school TV, radio and print ads really, which couldn't track me either but sustained those broadcasting companies and publishers well enough.
Billboards, newsletter ads, flyers etc won't track whether you look at them as well, and last time I checked print advertisement still kinda sold.
Tracking is not necessary to show ads. Certainly there are business models which depend on this, but hey who says our society benefits from those? Targeted advertisement and free informed democracies don't mix well IMO.
Especially ironically, Facebook has been taking out newspaper ads to whine about how it needs targeted advertising to survive, and how mean Apple is harming them.
1. A law that aims to prevent stealing should be deterring thieves, not just regulating padlocks.
2. Technical measures are insufficient because cookies are regulated by purpose. A third-party cookie for fraud detection is allowed; a first-party cookie for analytics requires consent. It also prevents using necessary cookies for secondary purposes, something that literally cannot be accomplished through technical means alone.
As a minor point, the so-called "cookie law" also regulates browser fingerprinting. I have a hard time imagining that you could legislatively mandate effective anti-fingerprinting approaches.
The reason you are provided many free services is because you ARE tracked / analyzed and marketed to. That is the CORE of the business. The popup will say, do you accept this cookie and being tracked to use this free service. Everyone literally clicks yes. I can't believe the billions of wasted clicks and man-hours that have gone into this charade.
> Why not just let browsers control who sets what cookies?
Because it doesn't have anything to do with cookies. You don't need a banner if you use CSRF cookies, you don't need a banner if you use them for stuff like CloudFlare's anti-DDoS script, and you certainly don't need a banner if your site requires cookies for basic functionality like logging in.
The browser can't possibly tell what the server is doing with its cookies. It might even be using a single cookie as CSRF protection and ad tracking at the same time.
> Then browser vendors can ship a "delete all non-same-origin cookies on tab close" option or something.
That doesn't prevent Facebook or Twitter or advertisers in general from tracking you across dozens of pages or more, it just means that they'll have to issue you a new cookie each session.
I feel that browsers should implement a permissions grant pop-up for when a site attempts to set a cookie with SameSite=None, and the cookie API can be extended to enable explanations to be given by the developer.
This essentially moves the banner into the browser, and will make ad networks tell websites to not use SameSite=None, but use SameSite cookies and tell those ad networks behind the scenes. There are plenty of ads now already that are seemingly first-party hosted (and go as far as transmitting the ad content through e.g. websockets to avoid adblocker detection).
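Added example, not from any commenter in this thread: the only thing a browser implementing the pop-up proposed above could act on is the cookie's attributes, so this classifies Set-Cookie headers by SameSite/Secure alone. The sample headers are constructed; note that a CSRF token and a tracker with identical attributes are indistinguishable, which is the point made earlier about purpose being invisible to the browser.

```javascript
// Parse one Set-Cookie header value into its name/value and the attributes
// relevant to cross-site behaviour (Secure, HttpOnly, SameSite).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    value: eq >= 0 ? pair.slice(eq + 1) : "",
    secure: false,
    httpOnly: false,
    sameSite: null, // null = attribute absent
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// How a browser implementing the proposed prompt would treat the cookie:
//   "reject": SameSite=None without Secure (Chrome already drops these)
//   "prompt": SameSite=None; Secure, i.e. cross-site capable, ask the user
//   "allow" : Lax or Strict, or no SameSite (Chrome defaults that to Lax)
function classifyCookie(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === "none") return c.secure ? "prompt" : "reject";
  return "allow";
}

// Constructed sample headers: a same-site CSRF token, a first-party session,
// and two cross-site cookies whose attributes are identical even though one
// is a CSRF token for an embedded widget and the other is a tracker.
const SAMPLE_HEADERS = [
  "csrftoken=abc123; Path=/; SameSite=Strict; Secure",
  "session=xyz; Path=/; HttpOnly",
  "widget_csrf=q1w2e3; Domain=.widgets.example; SameSite=None; Secure",
  "uid=tracker-987; Domain=.ads.example; SameSite=None; Secure",
  "uid=tracker-987; Domain=.ads.example; SameSite=None",
];

function classifyAll(headers) {
  return headers.map((h) => [parseSetCookie(h).name, classifyCookie(h)]);
}
```

Running classifyAll(SAMPLE_HEADERS) puts both widget_csrf and the tracker uid in the "prompt" bucket; the attributes give the browser no way to separate them.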
This is where we were before the GDPR. You can order your browser not to accept any cookies. But since you need at least one cookie (or other way of persisting data on the client) for stateful HTTP connections, the burden to sort out the bad ones is on the consumer. This is exactly what the legislation wanted to prevent.
I would like to store a cookie or a client-side cert to remain logged in, but not the other cr. Granted, they could use that cookie to track me, but this is what GDPR is about.
IIRC, Internet Explorer used to ask you for each cookie, circa 2000. These pop-ups became more and more common with time. The web would be unusable with those nowadays.
Practically there is only one browser, Chrome. And we know that it's not in Google's interest to do any of that. They are actively fighting and diluting tools and techniques that would prevent tracking.