No, it's the builders of the consent notifications who are responsible for that. They are often skirting or even breaking EU law to make it a headache to refuse. The GDPR says, for example, that refusal should be just as easy as acceptance. Having to click to another screen to do that is... not that.
In reality a cookie consent notification can just as well be a small widget somewhere with an accept and refuse button, but it's the builders of these frameworks that have a vested interest in getting you to press accept.
I applied for a job at one of these companies about a year ago, and I asked them about it. They said to me that according to their metrics, there's about 30% more acceptance if they only bury their Refuse button, so it's a legal risk they are willing to take.
Needless to say, when they invited me for a second conversation, I politely refused.
No, the shitty cookie screens with dark patterns are not the responsibility of the EU - although you could make the argument that the EU should have been stricter or more prescriptive.
It's not just the dark-pattern cookie popups that are a problem - it's having any mandatory cookie popups --even the fairly-designed ones-- on virtually every website that you ever open. That's what's crappy about the implementation.
I once read a light-hearted analysis of the cumulative time wasted by humanity due to the original USB plugs/sockets being unidirectional. I suspect a similar analysis of these cookie popups would be shocking.
Cookie banners are not mandatory. If you're just using technical cookies you don't need a banner at all. Websites with them want to track you, that's why they have them. They need to ask for your permission to do so, which I think is a good thing. So instead of being mad at the EU we should be mad at those websites trying to get as much data as possible from their users.
Actually, websites could "not track" BY DEFAULT (so no popup) and have a nice widget in a corner asking for consent to track, explaining why they need it, without this widget being obstructive...
The problem is definitely NOT THE REGULATION but the way that websites have become a data/cash machine...
The regulation could have been much better though. For one, it's unclear if Google Analytics cookies qualify. Spain and Austria say one thing, The Netherlands says another, so out of an abundance of caution websites put them everywhere.
I also think it would have been very feasible for the EU to define that a browser could ask for consent once and then apply that to many/all sites by sending a header. So the popup would only be needed for people without a browser that has implemented it.
Well, note that I said it could just as well be a widget on the website somewhere.
There's no such thing as a mandatory cookie popup. You don't need to get explicit consent if your website needs certain cookies to do what the user wants it to do. Placing a session cookie to log in is fine, for example. And it's also fine to place tracking cookies if and only if the user goes to aforementioned widget and presses the "please track me" button.
But users don't want that, obviously, so websites are built to force you to acknowledge the choice. The problem here is not the implementation of the law - it's the attitude of the website builders.
What if the websites respected my user-agent (browser) setting called "Do not track"? Zero hours would be wasted. I think geizhals.at is one of the few that does this.
In other words, the websites are showing cookie popups in your face because they really, really do want to track you, and for that they need your explicit consent. Nobody forced them to track you. The implementation does not matter; the intentions are crappy.
I think there is a recent court ruling saying websites should respect DNT settings as a (rejection of) consent; if that would be adopted universally, we would be done with the popups.
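Added example, not part of any comment in this thread: a sketch of the server-side behaviour several comments above describe, where tracking is off by default, essential cookies are always allowed, and a `DNT: 1` request header is treated as a refusal without showing a popup. The cookie names, the consent-cookie format, the use of `Sec-GPC: 1` as an equivalent signal, and the rule that a browser signal outranks stored consent are assumptions made for the illustration.

```javascript
// Added illustration; names below are hypothetical, not from any site in the thread.
const ESSENTIAL = new Set(["session"]);      // cookies needed for what the user asked for
const CONSENT_COOKIE = "tracking_consent";   // assumed values: "granted" or "denied"

// Parse a Cookie request header into a plain object.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide what a response may do, given request headers with lower-cased names.
function trackingDecision(headers) {
  // Assumption: a browser-level opt-out outranks any stored per-site choice.
  const optOut = headers["dnt"] === "1" || headers["sec-gpc"] === "1";
  if (optOut) return { track: false, prompt: false, reason: "browser-signal" };

  const stored = parseCookies(headers["cookie"])[CONSENT_COOKIE];
  if (stored === "granted") return { track: true, prompt: false, reason: "stored-consent" };
  if (stored === "denied") return { track: false, prompt: false, reason: "stored-refusal" };

  // No signal and no stored choice: do not track, and offer the choice once.
  return { track: false, prompt: true, reason: "no-choice-yet" };
}

// Reduce the cookies a handler wants to set to the ones the decision allows.
function allowedSetCookies(wanted, decision) {
  return wanted.filter((c) => ESSENTIAL.has(c.name) || decision.track);
}
```
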
Law making bodies are responsible for all consequences of their legislation whether they are intentional or not. They are the ones in charge so the buck stops with them. Make better laws.
But they're not mandatory. There is nothing stopping websites from not doing it, the previous poster was wrong. The GDPR requires consent, how you obtain that consent is irrelevant. Websites could not store cookies by default and you'd have to manually go and opt in. Maybe we even can have a per browser setting.
Specifically, GDPR requires consent before you do (some) things the user might not want. You could simply not try to do those things and then you won't need to obtain consent at all.
It's absurd how used we have become to wantonly collecting user data that some people can't even imagine not doing that.
GDPR provides mechanisms for getting implicit consent for technically required cookies. For other types of data storage, explicit consent is required. And that's the problem, there are a lot of terrible websites out there that value their ability to stalk you and sell your information more than your ability to use the website.
For consent, the old "hide tracking terms in the terms of service" approach is not allowed anymore. That's where the popups come from, the user needs to know what they're consenting to if the data processing isn't actually required for the website to work.
I would like to see something like P3P (but better) to make a return. We have DNT and its followup, but they're not sufficiently scopable in my opinion.
There's no implicit consent, technically required cookies have a different basis for processing. And, yes, I'm aware of that, my point is that people who create websites choose to force the consent box in front of you, there's nothing in the GDPR that mandates that. It could be a link at the bottom, some header...
Then enforce the law. Making the regulation and letting people halfway get around it and not holding them accountable just made things worse for everyone.
Also, and too often overlooked or silently ignored:
You don't need cookie popups! Really. You don't.
You only need to get consent to track users with software you don't run yourself. Or when you sell your data off to other companies.
Both are, unfortunately, the norm. But there's absolutely no technical reason to have these in place. None at all. Plenty of alternatives for tracking that doesn't need consent. Or just not sell your customers' data off.
I would be infuriated if I found the bakery down the street is selling its security footage with my face on it, next to my sales and spending in that bakery. I'd expect them to at least warn me about this at the door. So I can then buy my bread elsewhere. That's what a consent banner is!
Thank you for this accurate analogy. Similar to what if the post office delivered all your mail for free but they also opened it and read it in order to send you advertising.
> The GDPR says, for example, that refusal should be just as easy as acceptance.
Not true, actually! GDPR is a framework, and every EU country implements a national law according to that framework (e.g. the Dutch implementation is called "AVG"). The specific requirement that refusal must be as easy as acceptance is not in the GDPR, but several countries added it to their national implementation of the GDPR.
This is a misconception that I've seen going around, and I still wonder where it came from.
The Dutch implementation is called "Uitvoeringswet Algemene Verordening Gegevensbescherming", which, as the title states, is the law that implements the GDPR. "AVG" is just a translation for "GDPR", not the name of the law that implements it.
The Uitvoeringswet describes how the GDPR functions within Dutch law, for example, it describes the role that the Dutch Data Protection Authority plays. You can read the Uitvoeringswet right here: https://wetten.overheid.nl/BWBR0040940/2021-07-01
The GDPR (in Dutch AVG, in French RGPD, in Spanish RGPD, etc.) actually DOES state that it should be just "as easy to withdraw as to give consent" in Article 7. The directive (2016/679) can be found here: https://eur-lex.europa.eu/eli/reg/2016/679.
> The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
I think this can be interpreted as, you ask for consent, it doesn't have to be as easy to say no, but once consent is given - it should be as easy to withdraw it as it is to re-give it after it was withdrawn.
Somewhat badly worded, in my opinion. It doesn't unambiguously say "refusing consent every time it is requested should be as easy as accepting it."
That is a common misconception. In EU law, there are regulations and directives. Regulations are immediately active in all EU countries. In contrast, directives need to be translated into national law by each individual country. The GDPR is a regulation. (for details: https://european-union.europa.eu/institutions-law-budget/law... )
Disabling cookies will cause _more_ of the "cookie prompts" to appear, not less. Some pages these days even will prevent visiting them unless they can set a cookie...
Also, cookies are not the only method of tracking which is supposed to be disabled when you hit Deny.
Overall, I'm happy they're actively involved. The hands-off attitude in the US is terrible.