I'm still extremely skeptical of it because in practice it basically added a cookie banner to every every website I visit infrequently with no particular benefit to me.
The cookie banner is there to punish people who have cookies turned off or set to be deleted upon browser/tab close - and generally annoy everyone else.
Think about how obsessive companies are about "UX" and how disruptive the banner is. Bitch-slapping people for fighting against tracking is more important to them than the user being able to access or use the site at all.
Obviously, because in our digital economy, users are cattle. Companies are obsessive about UX so the users shut up and eat grass and allow themselves to be milked or sheared. Refusing to participate? A cow that eats grass but doesn't let itself be milked gets shot, so in some sense maybe we should be grateful for the bitch-slapping...
Most EU national government websites have cookie banners. Even the European Commission website has a cookie banner!
This should have been implemented at the browser level. Let the browser generate a nice consistent UI to nag EU users when visiting websites about accepting cookies and let the rest of us opt out.
The standard for cookies should be updated with a way to include or retrieve a description of each cookie separately. Then, require sites to provide that description, and let users choose per cookie in the browser.
That's nonsense. It's not about the cookies, it's about the data collection. You can use cookies without having to use a cookie banner by simply not gathering data you don't need. And if you do gather that data without using cookies you still need to ask for consent.
I can tell you, with absolute certainty, that nobody knows how to implement the law or what it even means, legislators, lawyers, engineers alike. There was a good somewhere and now we're in hell.
Nah, companies don't want to implement it as it's bad for their business model so they feign ignorance.
I still remember being at an all hands at a former employer where the team presenting the revised cookie banners promoted as a benefit that it had opt in rates that would make an authoritarian dictator embarrassed to claim as uninfluenced
As someone who was helping to implement GDPR for clients when it took effect, it was a nightmare. We didn’t know exactly what to do, or when, or where, or to whom. The easiest solution for a lot of the implantations was “do the most so we don’t miss something, and pull back bits as we know more”.
You're right in the sense that it tends to be hard to understand things when your salary depends on you not understanding them. This seems to describe most web developers from the number of non-compliant consent popups in the wild.
If your claim is that sites that use cookie banners don't understand the law, I don't know how we square that claim with the European Commission site's cookie banner. Certainly, the government itself can interpret the law successfully, right?
That would be horrendous and would play right into the advertiser's hands which want you to "just click accept".
Cookies should be categorised as essential and non-essential and the website should specify which laws it is considering when it categorises them as such. The GDPR definition of "legitimate interest" (which is a bit vague but it's not that hard to understand it) should be explicitly clarified so that companies can't claim that a whole swathe of shit they opted you into automatically is "legitimate interest" if they also give you the option to opt out.
At this point they can still attach descriptions to each cookie (hopefully using some standardised interface so you don't have to literally send these with every cookie, localized) and then your browser can still present you with the idiotic: "here's what we would like you to use" interface, but streamline the process with the ability to just opt out of anything which won't outright break the website.
Although this still opens it up for abuse by companies putting things like: "your preference for us not popping up an annoying full-page message every time you visit a new page" into a "non-essential" cookie to incentivise you to just accept them all.
Honestly I think we should just have Joe "Sensible Person" judge company's websites for whether they're being actively malicious in any way and force the closure of any company which is considered actively malicious along with the destruction of all company IP and liquidation of non-IP assets. All the company owners should also be banned from owning/running any other company for 10 years. (only half kidding)
As someone who has worked on the Danish public sector I have a slightly different take on the public websites. They should never have been using things like 3rd party analytics to begin with.
I understand it’s was media and communication departments do, and that it’s natural that the people working within them would want to do so regardless of where they work. It’s their trade after all, unfortunately they bring the exact same “user engagement” mindset with them into the public sector. Well, at least in my anecdotal experience with a handful of these departments in 7-8 different cities around here. You can of course make good points on user metrics on a public website, but they should frankly work very different than they would on most web sites. On a public website it should be the goal to get to user to leave the site as quickly as possible, because the longer they hang around the more time they are spending finding what they need. That’s not what happens with these metrics in my experience, however, instead they are used to do what you might do on a news site.
That’s just one side of it, however, because the privacy concerns are their own issue. If you absolutely want metrics on a public website at least have the courtesy to build your own. It should be illegal for public web sites to use 3rd party tracking. I know why they use it, it’s for the same reason they spend a ridiculous amount of money on custom designs systems build on top of what is usually SharePoint or Umbraco. They refuse to hire the Django (insert any other extremely low maintenance system) expertise because it’s expensive on the “long term budget”, even though it would be much cheaper than 3rd party tools and consultants on the actual long term budget. Anyway, that is another point. But it really pisses me off when public websites need you to allow 3rd party tracking because they aren’t using it in any way which serves the public.
Worst of all is that cookie banners are explicitly a private industry way of dealing with their refusal to respect “do-not-stab”. Public websites could simply put their bullshit into their privacy page. Of course nobody would go there and turn on 3rd party cookies, but why should the public care?
Or if the legal department is concerned that someone could claim a cookie is non-functional, so to save the uncertainty and expense they advise always showing the banner. Especially since everyone else does.
It seems like there should be a parallel to “tragedy of the commons” that talks about how a good idea coupled with extreme penalties can lead to a bad outcome by making any risk calculation result in “jesus we just can’t take any chances here”.
nobody cared about their privacy because there was no widespread systematic effort to invade it.
I don't care about my privacy in the street despite it being public because there's no-one following my every step taking note of where I go, how fast, what music I'm listening to, what I'm looking at... (although the astute reader will argue that this is less and less true, there's more and more tech tracking our activity in real life too)
The only hope I still have is for some kind of fully local LLM-driven "agent" browser that does the browsing for me, navigating search engines, cookie banners and showing me what it found, nothing else.
Unfortunately entire businesses are built around preventing people from using bots, for obvious reasons, so the only obvious way forward to make browsing the web a better experience will also mean ending up on the wrong side of that battle.
> ... "it basically added a cookie banner to every every website I visit" ...
Yeah, no. Hostile advertising companies added that cookie banner as a form of "malicious compliance" with the law purely to annoy everyone like a buncha spoil't little brats who didn't get their way, so now they're gonna make everyone suffer... If we get a similar law in the USA, you can expect to see annoyances just like it (and probably worse) on sites hosted here, too.
The worst part is that it wasn’t even malicious compliance: the cookie banners they added seldom even satisfied law, in ways completely obvious if you just read the law (which is pretty easy reading, only a few thousand words for the relevant parts). I don’t understand why relevant commissions didn’t make more noise about that, because it was obvious that major players were deliberately poisoning public perception.
Can you source your claim? Because it seems like it would create a competitive advantage for a non-hostile advertising company. Websites aren’t any happier about cookie banners than users are. If it’s just an emotional, spiteful reaction, the grownups should be able to make a fortune.
You'd think there'd be some "competitive advantage" to be had, but when their entire industry is built upon tracking and profiling everyone they possibly can, they'll do anything they can, fighting tooth-and-nail to the very end against any legislation that somehow interferes with their tracking, even if it means resorting to childish and petty temper tantrums that further enshittify the web. What little "competition" exists in that industry all fully believe that building massive profiles on everyone is the only way to make any money at advertising. They've been allowed to get away with it for so long that they can't even remember there was a time when tracking everyone all the time everywhere wasn't even a thing (and yet advertisers still managed to advertise back then, somehow)...
Actually I thought I was clear in my framing that, if site owners are unhappy with cookie banners, it is unlikely that a conspiracy of ad networks would force them to accept the nuisance.
The claim is that no sites value their user experience enough to pick an ad solution with a better experience. I doubt that claim.
When GDPR was first going through the public circuit I remember reading the proposed laws and being pleasantly surprised to find that they specifically called out and forbade the likely workarounds, including the obnoxious banners we now see everywhere.
I would love to know what happened. Did the laws get "revised" to re-open the loophole? Was superseding legislation passed? Did the courts reject it? Are there enforcement issues?
That sounds like a legal minefield - I would point out that GDPR-style legislation exists because the legislators don't trust the industry to assess what is reasonable. So the industry would be in a position where:
1) They aren't trusted to be reasonable about user consent.
2) They are only to take action when they judge it is reasonable to check user consent.
It'd probably be a very rocky process to nail down what those words like "loophole" and "workaround" mean as the advertisers start abusing prescribed no-banner situations.
Cookie banners are malicious compliance and the failure to do anything about them is indicative as to how much the EU cares about privacy vs how much they want to be seen to be caring about privacy.
Clearly you don't have a browser plugin that simply opts out of all cookie banners. Ultimately, the webs ites have a financial interest in malicious compliance, so you either work within the system as given or throw your hands in the air and let every and all sites rape your data.
It is, however worth at least considering restrictions on continuously following a person in public places and reporting all their observed activities to a third party.
Of course there are practical limitations on that kind of physical surveillance. It's expensive, tends to attract attention, and even nation states can only do it to a few people at a time. Information technology allows it to scale to almost everyone, almost all the time, for a small fraction of a corporate budget.
Perhaps it's worth at least considering restrictions on that.
> It is, however worth at least considering restrictions on continuously following a person in public places and reporting all their observed activities to a third party.
I don’t see any difference between online “tracking” and real world stalking. If some one was following you every where you went taking notes on everything you did, interrupting you and preventing you from actually doing what your were actually wanting to do, you’d be able to have the police intercede in your behalf. Only now we think it is different because “on a computer”.???
OK but that's the sites themselves doing it. If every shop puts an annoying greeter on the door or something, that's not something you would call the police about.
You are the culmination of your life's experiences. Going by your definition, one could infer an individual has zero intrinsic ownership of any non-health data. Which I categorically object to.
You have ownership over your own memories and records.
Other people also own their own memories and records - some of which may be about you.
At least, this is how it was for most of human history.
Now some people think they should be able to demand everyone destroy records about them. If it was possible, no doubt they'd also demand people destroy any memories about them as well.
ePD in 2002 mandated cookie banners well before GDPR in 2018. But yes, point taken that well intentioned regulation can be poorly implemented and have negative repercussions.
I know of no regulation that mandated cookie banners. I just know a lot of sites who chose to use banners because the operators are somewhere between weasely and malicous.
I'm just going to click "yes," stop asking.