• josefrichter 8 days ago |
    This is probably the biggest fail in the history of the European Union.
    • dr_dshiv 8 days ago |
      At least the most visible one!
    • diggan 8 days ago |
      If that's true, I'd have to agree that the EU is doing very, very, very well if that is the biggest fail. Unlikely to be true though, for better or worse.
    • pantalaimon 8 days ago |
      Nah that’s the tethered bottle caps
      • popcalc 8 days ago |
        How's that a fail?
  • teruakohatu 8 days ago |
    I am about as far from Europe as you can get, and I think my fellow kiwis also spent an inordinate about of time clicking EU mandated cookie banners.

    Cookies should be enforced in the browser. I think all the major browsers block third party cookies now. Bad actors can use other fingerprints to do tracking.

    • nicce 8 days ago |
      > I think all the major browsers block third party cookies now. Bad actors can use other fingerprints to do tracking.

      One would hope so. Google cancelled the plans https://www.reuters.com/technology/google-scraps-plan-remove...

    • Rygian 8 days ago |
      "cookie" banners are required for any tracking, not just teaching based specifically on technical cookies.

      Blocking 3rd party cookies has no impact. Everyone and their cousin can technically track you with first party cookies.

    • GJim 8 days ago |
      You <------> The Point

      No "cookie banner" is required UNLESS you are using cookies to track me or personally idetify me.... in which case, you must ask my explicit consent to do so.

      Blame the parasitic adtech industry wanting trade your personal data. Not the EU for providing you with consumer protection.

      • randomdata 8 days ago |
        > Blame the parasitic adtech industry wanting trade your personal data.

        Blame them for what? We all understand that personal information is the currency that pays for these services. While we may not love that we have to pay (who does?), we accept it as a fair trade. Until governments get their ass in gear to make paying with more favourable currencies viable, that is going to remain, now just with extra clicks.

        > Not the EU for providing you with consumer protection.

        I guess a bandaid is better than nothing, but we'd be better off if the EU would tackle the real issue. Going there would ruffle some real feathers, though, so good luck. But if there is blame to go around, it is on the EU for being too afraid to ruffle them.

        • GJim 8 days ago |
          > we accept it as a fair trade.

          For it to be a fair trade, you must fairly ask permission for my personal data! That is the very essence of the GDPR!

          • randomdata 8 days ago |
            And the problem with the GDPR. In a typical market situation the onus is on the buyer to first offer payment. The beggar on the street saying "Sir, can you spare some personal information?" is not how anyone likes to do business.

            But that's where the GDPR has left things, thinking the problem is with the vendor, when in reality the problem is with the consumer spending beyond their means. Fair enough that the consumer needs protection from themselves, but, when it is a spending problem, why does that not come in the form of legal mandates over how one's wallet is used?

            Of course, this would be improved in a much better way if, again, governments would actually tackle the real problem.

        • kalaksi 8 days ago |
          No, everyone does not understand that and companies were not transparent with what they do with the data, what data they collected and who they shared it with. Not to mention, if you consider it a payment-like transaction, surely you'll want to give consent instead of blindly trusting random websites? These are some of the problems GDPR solves.
        • card_zero 8 days ago |
          > these services

          What are the services? Leave out sites where you pay for something with money, or banks, or subscription sites. Those often have tracking too, but they could exist without it. What services are the free ones providing?

          News is a special case, paying for journalism is a problem. Other than that:

          * Videos and images

          * Forums and blogs

          * Databases like IMDB

          * Random bits of information you want once in your life

          I'm struck by how the presence of any amount of website design makes all these things worse. It's not only too easy for them to get our data, it's too hard for us to get their data, because the presentation and theatrical impression of being a service is all self-aggrandizing and works to delay and capture users for more tracking and ads. All we really want is servers, not services.

          If somehow storage and processing was paid for by magical pixies, and available as a utilitarian series of gray bulletin boards with identical design, that would be much better than all the bloated sites that track visitors. It's wrong to portray this as a bargain in which we respect and appreciate some sort of service, and therefore ought to pay for it, because there is no service. They're not being paid for providing something wonderful, they're being paid for having got there first and for being well-known, or promoting themselves.

  • diggan 8 days ago |
    Correct URL: https://legiscope.com/blog/hidden-productivity-drain-cookie-...

    > This situation calls for an urgent revision of the ePrivacy Directive

    Shame companies cannot live without tracking cookies, and shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss".

    You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.

    • dmafreezone 8 days ago |
      You know the best way to protect your PII from websites? Don’t use the internet.
    • JumpCrisscross 8 days ago |
      > shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss"

      You can wish upon a star that humans weren’t the way we are. In the real world, this was a predictable response to a stupid rule. (And in some cases a necessary one. For example, for websites requiring a login or reliant on ads.)

      > know the best way of not having to care about GDPR? Don't store PII

      This is a nothing to hide argument [1]. Proving compliance with GDPR is tedious and expensive even if you’re fully compliant. (Proving no jurisdiction is easier.)

      [1] https://en.m.wikipedia.org/wiki/Nothing_to_hide_argument

      • diggan 8 days ago |
        > this was a predictable response to a stupid rule

        It was predictable that ultimately people would blame the regulation instead of the companies? Not sure I understand what you mean, and even if you meant what I think you meant, not sure what the point is? People blame all sorts of things all the time...

        Edit since you've added more to your comment

        > Proving compliance with GDPR is tedious

        That's my point. No need to prove compliance if GDPR doesn't apply.

        • JumpCrisscross 8 days ago |
          > predictable that ultimately people would blame the regulation instead of the companies

          It was predictable this would result in disclosure/consent spam.

          > No need to prove compliance if GDPR doesn't apply

          If you are in the EU, GDPR applies. It may not be relevant. But you’re subject to it and its regulatory arms. (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)

          Both laws’ aims are noble. But they require tweaks. Starting with the cookie banners would be smart.

          • diggan 8 days ago |
            > If you are in the EU, GDPR applies. It may not be relevant. But you’re subject to it and its regulatory arms.

            I think you might be missing that I'm talking about this from the companies perspective, not from the perspective of a person inside EU.

            If the company doesn't store any "personal data", GDPR has nothing to do with it. It's strictly about "personal data" as defined here: https://gdpr.eu/article-4-definitions/

            > (And if you have a competitor in the EU, it’s known practice you can waste time and money with requests and complaints.)

            Happen to have any quotes/sources for this? Would be the first time I've come across it myself. I'm genuinely interested in if it's being misused like that.

            • JumpCrisscross 8 days ago |
              > If the company doesn't store any "personal data", GDPR has nothing to do with it. It's strictly about "personal data"

              You’re still obligated to respond to requests, even if it’s no response. And data regulators will still follow up on groundless complaints.

              DMCA is strictly about copyright violation. If you’re not violating copyrights it should have nothing to do with you. But that isn’t how things play out in reality.

              > have any quotes/sources for this?

              No, just anecdotal. Every Magic Circle firm, however, will happily file complaints in multiple jurisdictions for you.

              I’ll admit I’ve used GDPR a touch vindictively after a customer service interaction went poorly. Lots of requests, wait for a minor fuck-up, escalate to multiple data regulators because I technically have multiple nexuses. European equivalent of copying your state AG on a letter, except the burden to respond is on the company.

            • kasey_junk 8 days ago |
              I built a GDPR request deletion system for a company right as GDPR came into effect. In the first year the only requests that came in were from privacy advocates and competitors.

              I don’t know if after that it saw more natural usage but I doubt it.

      • ben_w 8 days ago |
        > for websites requiring a login

        They don't need consent for that.

        > reliant on ads

        Yes. For me, this has been eye-opening about how many different ad agencies there are snooping on my browsing history. It was bad enough when it was just the (UK) government passing a law to do that, now I've got websites with more "trusted partners" monitoring my every move than my high school had students.

        > This is a nothing to hide argument

        "Don't store PII" does not seem to be that, to me?

        If anything, the opposite party gets that criticism, given that the default is allowing private agencies to spy on everyone?

        • JumpCrisscross 8 days ago |
          Saying you don’t need to worry about GDPR if you don’t keep PII is the “nothing to hide” argument. There is still a cost to demonstrating compliance that goes beyond complying.
          • diggan 8 days ago |
            Maybe an analogy will make it click: If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal.

            Replace marijuana with "personal data" and imagine it is about websites with visitors within EU. If they're not storing, processing and/or transmitting personal data, there is no compliance requirements (from GDPR at least).

            • JumpCrisscross 8 days ago |
              > If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal

              This is a good analogy. By making the marijuana illegal, you also implicitly widen search powers. You can’t arrest someone you think smells like weed if weed is legal. (Or answer a neighbor’s complaint that they suspect they’re growing weed.)

              Same idea. If you say you aren’t storing personal data and I say you are, someone’s got the authority to check. Those checks and confirmations cost time and money. With a complain-investigate set-up like GDPR (and American securities law), the burden is on the respondent.

              • marcosdumay 8 days ago |
                > By making the marijuana illegal, you also implicitly widen search powers.

                Nope, you don't. Those are two different things.

                There are plenty of things that are made illegal without giving the government the power to search for them.

                > You can’t arrest someone you think smells like weed if weed is legal.

                You can't arrest someone by smelling like weed in any democracy where it's illegal either.

                • diggan 7 days ago |
                  I agree with the rest of your comment but

                  > You can't arrest someone by smelling like weed in any democracy where it's illegal either.

                  isn't true. Sweden is super strict on usage and if even a "normal" person and/or neighbour would smell weed from you or your place they'd definitely call the cops on you. If a cop smelled weed on you in public you'd get arrested immediately no doubt.

                  Yet, most people consider Sweden a democracy :)

                  • marcosdumay 7 days ago |
                    I'm sorry, but I was partially pulling a No True Scotsman on that part.

                    If some random policeman can look at you, decide to arrest you with no real evidence, and it's all legal, that a huge Human Rights violation right there.

                    How does a judge deal with this? Do they rush to smell the culprit too?

    • vegasbrianc 8 days ago |
      Thanks, somehow the URL was truncated :(
    • Alupis 8 days ago |
      > Shame companies cannot live without tracking cookies

      Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law, while good intentioned, was/is too broad and failed to understand the realities of operating websites. This regulation has caused the entire world to be annoyed with useless cookie banners that 99% of people just reflexively click through - just like all of California's Prop65 warnings are ignored today.

      > Don't store PII.

      These hard-line statements defy reality. Many websites have legitimate need to store PII.

      > You know the best way of not having to care about GDPR?

      Don't be in the EU?

      Just ignore it. There are no consequences. If you don't have physical presence within the EU - there's little-to-zero the EU can do about it. The EU can think it's laws apply to the world all it wants - but the world disagrees.

      • whstl 8 days ago |
        > Many cookies (or something like a cookie) are required for a website to operate normally

        "Essential Cookies" do not need a consent banner.

        Case in point: Hacker News is 100% compliant AFAIK and has no banner.

        > Many websites have legitimate need to store PII.

        If there is actual legitimate interest or legal requirements, such as collecting an address for delivering a package or performing fraud-prevention, there is also no need for cookie banners.

        • Alupis 8 days ago |
          And if that data is "transferred" to a 3rd party for that analysis (aka. a REST call into their API) then you are back to requiring these annoying banners.

          Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers. Oh the horror!

          • whstl 8 days ago |
            What does "for that analysis" refers to? Fraud prevention?

            If so, it is legitimate interest to do fraud prevention, so there's no need for a consent banner, first or third-party. Naturally you can't go and use this data for a purpose that has no basis under legitimate interest.

            Another example: Cloudflare is running DDoS prevention under our noses here at HN, for example, but there's no need to ask for consent, even though Cloudflare is a third-party. Why? Because this is considered legitimate interest.

            > Or, more common for ecommerce, "transferred" into an advertising algorithm so the business can gain more similar customers

            For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.

            • Alupis 8 days ago |
              > What does "for that analysis"

              To understand how customer's shop on my website. Heatmaps, view port, device type, screen resolution, frequency of browsing, where their mouse hovers the most, page dwell time, etc.

              These are impossible tasks for most website operators to do themselves.

              > For this you do need consent, if you transfer PII. If you don't want a banner you can replace it with a simple checkbox during the checkout process. Not only less hostile, but also more transparent than a banner.

              Or... you can just ignore the EU because the EU doesn't matter. You know, like I originally asserted?

              > If you don't want a banner you can replace it with a simple checkbox during the checkout process

              This is the sort of mindset that crafted this poorly designed regulation in the first place. Most website operators are not going to willingly add a barrier at the final step of a conversion.

              If you are going to use my property and resources - it's my rules or don't come. Pretty simple...

              • whstl 8 days ago |
                You don't need banners just because something is third-party. If there is no PII and/or legitimate consent, you don't need a banner. There are GDPR compliant analytics platforms, fraud prevention, third-party payment gateways, for example. They don't need banners.

                As for the rest, it's quite inflammatory and I don't know how it relates to my comment, so I'll refrain from answering.

                • what 8 days ago |
                  You don’t need banners period. The EU doesn’t get to tell people how to operate their web properties. If EU citizens don’t like it, they can stop visiting those properties. Even simpler.
                  • tbrownaw 8 days ago |
                    > The EU doesn’t get to tell people how to operate their web properties.

                    Well, except for all the people in the eu. I'm pretty sure the eu does get to tell those people to do or not do things, online or not.

              • immibis 8 days ago |
                > Heatmaps, view port, device type, screen resolution, frequency of browsing, where their mouse hovers the most, page dwell time, etc.

                Sounds like information that is not personally identifying - if handled well.

      • diggan 8 days ago |
        > Most cookies are entirely benign. Many cookies (or something like a cookie) are required for a website to operate normally. The EU law was/is too broad - and has caused the entire world to be annoyed with useless cookie banners.

        Give reading the actual implementations a try. You'll quickly notice they actually thought of this. I wouldn't say it's "expertly crafted" by any means, but the banner is for a specific "class" of cookies, not just "abc=123" as you seem to think.

        • Alupis 8 days ago |
          You might try to argue many types of cookies are non-essential - but that would be because you lack experience in this domain.

          Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.

          The EU law compels a popup for these types of services/scripts and 99% of people just click through them because they are noise.

          Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.

          • diggan 8 days ago |
            > You might try to argue many types of cookies are non-essential - but that would be because you lack experience in this domain.

            I'm not arguing anything, read the directives and implementations yourself, then get back to me. While some might lack experience, others seem to lack reading comprehension. That's fine, we can always learn :)

            > Website operators have a right to study how people use their website

            In the EU, that depends. As a website operator at a certain scale, you cannot do whatever you want with personal data.

            > Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.

            Yeah, I mean that's cool and all, but maybe you're spending time discussing in the wrong HN submission then? I don't go around in submissions about "Golang is bad" commentating how you wouldn't have those issues if you didn't use Golang in the first place. Not my idea of curious conversation at all.

            Obviously EU directives and laws apply in EU

            • Alupis 8 days ago |
              > Obviously EU directives and laws apply in EU

              The EU designed these regulations to be viral and compel the world into compliance. The world does not need to comply, and largely does not. Multinational corporations with physical presence within the EU need to comply - but nobody else does, nor should they.

              > read the directives and implementations yourself, then get back to me.

              So we're arguing this down-thread of an article claiming our fuzzy European friends wasted nearly 600,000,000 hours last year clicking "I Accept" over and over? Seems like a well-designed regulation that's totally working super-duper well for the EU. Totally cut down on cookies!

          • ryandrake 8 days ago |
            > Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.

            I think reasonable people can disagree about this, and if enough reasonable people think that a web site operator should not have that "right" then they should be able to pass legislation to curtail it.

            As a user, I say I should have the right to control what data is collected by what company, and what they should be allowed to do with it. I should be empowered to decide what kind of data is "essential" for a company to collect about me, not the company. Reasonable people could disagree with me, too. These are not laws of physics.

            • Alupis 8 days ago |
              Why is this different than a brick-and-mortar to you? Do people feel they are "private" when shopping in a retail store with AI cameras tracking patterns and behavior, names and purchases collected at checkout, loyalty "discount" cards to get even more data, etc? Even without your name, they can identify you by recognition alone, aka. an anonymized cookie used to track a specific user's behavior.

              Somehow people think visiting someone else's private website grants them privileges to be entirely anonymous - it does not anymore so than shopping in a physical retail store.

              If we keep going down this path, websites will require a full ToS/EULA just to access the site...

              • ryandrake 8 days ago |
                For the record, I don't think brick and mortar stores should have an automatic right to surveil and study the personal information of in-person customers without their consent but I agree that ship has largely sailed.
            • what 8 days ago |
              You have a right to not visit websites that you think are collecting to much information about you. That’s about it.
              • gljiva 5 days ago |
                Yes, and I'm glad I can at least now tell such sites from others. Not allowing such malicious compliance would be better, but this is still an improvement over websites stealing data with no way of telling it happens
          • whstl 8 days ago |
            > Website operators have a right to study how people use their website just the same as a brick-and-mortar operator has the right to study how customers navigate their store isles.

            This can be done without a cookie banner, as long as no PII is collected for the purposes of that analysis.

          • BlackFly 8 days ago |
            > how customers navigate their store [a]isles.

            Sure, physical stores can do that in certain way, certainly they cannot reverse pickpocket GPS trackers into our pockets or stalk us around the city. You can ask your customers how they found about your store but they can lie or simply not answer. Cameras in the store? Fine. Cameras in the store bathroom? Not ok.

            It is a legitimate interest to understand where your customers are coming from and this can be done without cookies in an anonymous fashion. Similarly, you can understand what people purchase together in an anonymous fashion. Cookies and PII aren't needed for any of this.

            Cookies and PII are only necessary when you are trying to surreptitiously correlate people's purchase pattern with something that you shouldn't legitimately know like their sexuality or any given aspect of their identity.

            > Lastly - the EU and it's laws don't matter. What are they going to do about non-compliant foreign websites? Nothing.

            Rightly so. But if your third party processor is operating in the EU they will hold them liable for processing the data on EU citizens you send them without consent. That is between the EU and your provider.

    • r3trohack3r 8 days ago |
      > You know the best way of not having to care about GDPR? Don't store PII.

      I hear this a lot. As an American that hosts casual personal websites, I can't help but worry that I'm in violation of the GDPR.

      For example, my router logs connections for debugging. And my NGinx server maintains server logs for debugging.

      These contain IP addresses. I'm pretty sure those are considered PII under GDPR. And there are a lot of things I think that follow from that, things I haven't bothered to look into or implement. Like whatever policies, disclaimers, notifications, request handling processes, etc. that need to be in place to gather those logs.

      Whether or not I need a registered agent in the EU to host my website seems to be rather fuzzy too. It seems to come down to how "sensitive" the data I store in my logs are?

      Its also not clear to me whether my home router is subject to GDPR if it receives and logs a packet that was sent to it by an EU citizen, regardless of whether there was a public internet service hosted on that router or not.

      I mostly choose to not think about these things - but that nagging concern that my entire self-hosted digital presence violates European law does linger.

      • dijit 8 days ago |
        I get it, but you’re not in violation if you never pass those logs to anyone.

        GDPR is intentionally obfuscated and made scary by people who have an interest in others thinking the regulation is onerous and silly (so that it is eventually changed/removed).

        The regulation is not very hard to read, I would recommend you do it if you haven’t and boils down to: “don’t pass on (process) information without informed consent, if someone requests that you remove their account you should do so- and also don’t keep records around, and do your best not to let anyone access personal information”, the last one is technically unenforceable, but exists to prevent people leaving open access to data processors and bypassing consent more than anything else. A secondary benefit is that people take access controls a little more seriously by forcing breach disclosures.

        Even the cookie banners are not needed unless you’re setting cookies for data collection, especially for third-parties!

        There is a distinct irony in that all the online simplifications (“gdpr for dummies”, “the 7 things to comply with for gdpr”) are misleading and harder to read than the actual text of the regulation.

        EDIT; I was foolish to post this during the peak time for US people. It feels like the Americans want the GDPR to be perceived as a pain.

        • chris_pie 8 days ago |
          Huh? You're still a personal data processor.
          • dijit 8 days ago |
            For a start: Section 18 directly indemnifies the GP because they’re not a commercial entity.

            Section 49 gives, additionally, specific carve outs for logging even if they were a commercial entity.

            Consent is needed to pass logging data to third parties or to process it beyond end user functionality.

            Its easier to just read the regulation: https://eur-lex.europa.eu/eli/reg/2016/679/oj

        • porker 8 days ago |
          Agree with you. My only addition is to remember to read PECR (https://ico.org.uk/for-organisations/direct-marketing-and-pr...) alongside GDPR.
      • etaweb 8 days ago |
        Actually, all the cases you mentioned does not necessitate any consent from European users as long as you don't send these data to any third party. The only thing is, if you plan to store logs over time, it should be anonymized after 25 months. It's not that bad.
        • r3trohack3r 8 days ago |
          > it should be anonymized after 25 months

          Unless traffic volume causes truncation, turns out I’m not compliant!

      • BlackFly 8 days ago |
        You are not EU based, you are not a processor/controller operating in the union, public international law doesn't grant EU law jurisdiction: the GDPR has no direct effect on you.

        It could be that you are running ads and your ad provider is a processor in the EU and because they cannot handle jurisdictional consent well they attempt to pawn that off onto you in your terms and conditions. EU law has already decided that they cannot turn a blind eye however, if you aren't collecting consent then your processor has to assume that consent isn't given.

        So yeah, worry about your contracts with third parties that might try to sneak in liability transfers and how your own jurisdiction would deal with that. If your provider is transferring that kind of liability maybe they are trying to also make you liable in the case that their ad installs a virus, so I hope you are already aware of such third party liability transfers in your contracts if your jurisdiction allows for such things.

      • GJim 8 days ago |
        OP should not be downvoted for asking genuine questions and concerns.

        This type of downvoting on HN is getting silly and needs to stop.

        (And a thanks to those who did respond to OP with the advice he is not in GDPR violation. Frankly, a worrying number of HN readers are clueless about legislation that directly affects them, whether they like it or not.)

  • coldpie 8 days ago |
    Hop into your uBlock Origin settings and enable the Cookie Banner filters. Fixed. Enable the Annoyances filters too, while you're in there.

    If you're on iOS, the Kill Sticky bookmarklet does a decent job of cleaning these up without breaking most sites: https://www.smokingonabike.com/2024/01/20/take-back-your-web...

    • tonymet 8 days ago |
      content-based adblocking requires tremendous resources, and no longer works in Chrome, which is the primary browser.
      • coldpie 8 days ago |
        So use Firefox.
        • tonymet 8 days ago |
          tell that to the billion internet users who suffer from cookie banners. I'm talking about the network effect.
          • wtetzner 8 days ago |
            I'd think anyone capable of installing an adblocker in Chrome would be able to install Firefox + an adblocker.

            Obviously it would be better if adblocking wasn't required in the first place.

          • coldpie 8 days ago |
            I do tell them that. I can't help everyone, but I can help some.
      • ravenstine 8 days ago |
        Those resources are well spent.
        • tonymet 8 days ago |
          my point is that it's not "fixed". The issue plagues 99.9% of internet users.
      • elashri 8 days ago |
        > content-based adblocking requires tremendous resources

        That's not true. On average any overhead in browsing performance introduced by ad blocking is compensated by the elimination of tracking and ads elements of the pages. It saves bandwidth and are better for UX. We can argue about business models but claiming it requires tremendous resources is not true.

        And content-based ad blocking still works in chrome but in much more limited capability compared to superior browser like Firefox.

      • wil421 8 days ago |
        Switched to edge at work and Safari at home/mobile hasn't been a huge issue. Firefox is my secondary. Although I no longer do much web debugging, the switch from edge to chrome wasn't too painful.
      • barryrandall 8 days ago |
        But it's not the only browser. The popularity of a particular form of foolishness does not diminish its foolishness.
      • consteval 8 days ago |
        > content-based adblocking requires tremendous resources

        I don't have the evidence with me, but from what I've seen content-based blocking actually saves resources, both load times and memory. It's because Ads are not actually free or even cheap, you have to make a third-party request, load some content and JavaScript. So, if you spend a little to find and block those requests, you end up saving resources on average.

    • diggan 8 days ago |
      > Hop into your uBlock Origin settings and enable the Cookie Banner filters (and enable the Annoyances filters too, while you're in there). Fixed.

      Except for the pesky sites that somehow disable (or rather "not enable") certain things until you've "answered" the banner. Can't remember what site I hit that on most recently, but I had to disable uBlock, reload the page, click "Deny", and then the video/element worked.

      • cluckindan 8 days ago |
        And by hitting that ”deny” button, you have ”consented” to hundreds if not thousands of data brokers around the world processing all your personal data gathered throughout your life across all your devices. They can now freely buy your data from other brokers to enrich their profile of you.

        Should have unchecked those 973 legitimate interest checkboxes they hid under the ”affiliates” or ”vendors” or ”providers” or whatever.

        Next, they will resell that profile to political campaigns, advertisers, law enforcement, private dicks and security providers, the military, foreign intelligence services and drug cartel hit squads, to name a few. You could buy it too! Or your friends, enemies, neighbors, colleagues, bosses…

        • immibis 8 days ago |
          If they're doing that after you clicked Deny, the government can come down hard on them. Sadly, only the government - individuals can't sue companies for GDPR violations.
          • cluckindan 8 days ago |
            Legitimate interest checkboxes are technically not asking for consent, they are considered informational. OneTrust popups are especially inflammatory in this regard.
            • robin_reala 8 days ago |
              Legitimate interest can absolutely be opted-out of:

              (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

              https://eur-lex.europa.eu/eli/reg/2016/679/oj#006.001

              • cluckindan 8 days ago |
                Yes, by unchecking the 973 hidden checkboxes.
              • immibis 8 days ago |
                That doesn't say you can opt out. It says sometimes legitimate interests aren't enough. For example, as a hypothetical service provider I have a legitimate interest in tracking your GPS location everywhere you go, because it helps me predict what kind of service my customers like based on where they live and work. However, your right to not be tracked is more important, so I can't use my legitimate interest to justify the tracking in this case.
          • dietr1ch 8 days ago |
            Yeah right, legalized bribery means the elected leaders have priorities other than citizens.
          • tzs 8 days ago |
            Article 79 [1] gives individuals a right to sue for GDPR violations.

            [1] https://gdpr-info.eu/art-79-gdpr/

            • aziaziazi 8 days ago |
              That’s inspiring.

              Let’s team up the pissed off individuals and raid-sue one of the obviously abusing. One is nothing, but that could at least make more visibility of the borderline legality. And at best we win and go to the next one.

              Any law-worker?

            • robin_reala 8 days ago |
              One of my favourite HN threads is Confiks exercising his GDPR rights under the threat of litigation against Spotify: https://news.ycombinator.com/item?id=24764371
          • franga2000 8 days ago |
            So effectively, they're in the clear. The law also say not opting in should be as clear and asy as opting in, yet that is the case approximately 0% of the time.
    • al_borland 8 days ago |
      I use Hush on iOS.
      • coldpie 8 days ago |
        Oh nice, thanks. I'll give that a shot.
    • jtbayly 8 days ago |
      The most recent iOS (18) introduced a feature that lets you hide distracting things on the page. (Tap left side of the url field and select “Hide distracting items.” Then just tap what you want to remove and hit done.) I believe that they will stay hidden next time you visit the site.

      Regardless, I use Hush and another blocker and it has still come in very handy several times already, so I thought others would want to know about it.

    • serial_dev 8 days ago |
      While I appreciate your workarounds, the issue is not fixed. Almost everyone is going to keep clicking these stupid banners. It’s not okay, it’s not fixed until the rules are adjusted and we have less tracking and’s less pointless banners.
      • seeknotfind 8 days ago |
        So many pop-ups these days, for every little thing. Tracking. OS permissions. Browser permissions. Take a survey. Speak to our AI assistant. Do you agree to this. Donate. Sign up. Pay. So many clicks. Used to be viruses, but we have the same result with our complexity.
        • deprecative 8 days ago |
          It's not complex. It's simple. It's greed. It's absolutely ridiculous that we as a species put up with all of this nonsense because we have a faulty foundational understanding of what is and should be normal. The brain rot that we've subjected ourselves to is absolutely ludicrous.
          • seeknotfind 8 days ago |
            You can always find disagreement if you look for it. Maybe this is your thing, given user name, your account makes an interesting study on it. Though in this case, I wouldn't be so reductive. Not all complexity (I ascribe to the result) is due to bad intentions (e.g. greed). There's also the EU GDPR trying to protect kids. AI assistant might be a tool to try to help users. If you want to simplify the cause here, how about a lack of focus or failure to tame the complexity of the world with our technologies, or tendency to add rather than delete?
            • deprecative 7 days ago |
              Why do we need to protect kids? Greed. Why do we need AI to help people? Greed.

              It's not complex. There are complex things but understanding the cause of business doing business is not complex. It's simple.

              • seeknotfind 3 days ago |
                If you break things down in this way, the result is discontent, not a solution.
        • Gud 8 days ago |
          Most of them I don’t get because I don’t use a user hostile operating system.

          And it’s not really complexity, it’s deliberate choices being made.

          The internet used to be run by technologists.

          Now it’s run by project managers and web monkeys

      • freeone3000 8 days ago |
        So remove the consent exception against tracking? Simply make it illegal, banner or no?
        • aziaziazi 8 days ago |
          It’s not a tracking banner but a cookie banner and some applications have a legitimate need for cookies. They abuse what is legitimate, but you can’t ask regulators to check every site without a national (European?) white liste firewall (shouldn’t give them ideas…).

          Also, most tracking used to use cookies but if that becomes illegal there’s others ways.

          • idle_zealot 8 days ago |
            Cookies necessary to function properly don't require consent. It's only optional ones (ones that benefit the site, not the user).
            • creer 8 days ago |
              And these (optional ones) don't require a banner.
              • PittleyDunkin 8 days ago |
                How do you figure? How does the user opt in or out without an option to opt in or out?
                • creer 8 days ago |
                  the same way that they interact with any other web page? which never need banners? You don't need a banner to opt in or out (or ignore).

                  By this I mean the law is what it is but the implementation is deliberately hurting the visitors in the hope that they will click "yeah sure whatever" to be let through to the content. The harm does not come from the legislation but is deliberately anti-user by the web site owner. (Fine, in some cases it might be out of the box and merely lazy.)

                  • PittleyDunkin 8 days ago |
                    Right but that's not optional cookies functioning at all, that's simply rejecting them altogether. Why not just say that? It's also a much easier sentiment to agree with than these confusing semantics about optional cookies working fine if you just ignore the banner.
        • serial_dev 8 days ago |
          I don’t know how to fix it, but I know it isn’t fixed now. We have both tracking and cookie banners.
        • ikekkdcjkfke 8 days ago |
          Do Not Track header? It's the silver bullet but the stakeholders will argue it is invalid and cannot possibly be used to inform the server that the client wishes not to be tracked
          • Earw0rm 8 days ago |
            Someone needs to put a stake in those stakeholders.
            • account42 8 days ago |
              The only way to permanently rid yourself of information vampires.
      • coldpie 8 days ago |
        You're right, but I can't fix that. What I can do is help HN readers who didn't know about that filter list. Maybe they can help the people they know.
        • Gud 8 days ago |
          I’m happy! I didn’t know about it! Thx
    • whazor 8 days ago |
      Filters are unreliable, it is better to have the cookies banners automatically filled out via Consent-O-Matic: https://consentomatic.au.dk/

      Which works on Chrome, Firefox and iOS.

      The best part is that you can actually specify your preferences, but globally for all websites. I actually prefer to have the functionality cookies enabled.

    • chatmasta 8 days ago |
      Since when do bookmarklets work on iOS? How exactly do I use that?
      • xk_id 8 days ago |
        I just figured it out. You bookmark a normal website. Then you go to your bookmarks and edit the new entry you created; you can then change the URL to the javascript code. Finally, to activate the bookmarklet you have to tap on the address bar and then manually browse to the bookmark entry (it doesn’t work if you just type its name in the address bar and press Go, or if you select it from the suggestions list).
  • jp57 8 days ago |
    So like 1hr per person per year?
  • tonymet 8 days ago |
    This destroyed the world wide web, which was the major driver of the internet as a consumer application. I'm referring to the experience of intelligent & creative publishers sharing content openly on the web. This did far more to destroy the world wide web than ads or tracking
    • ben_w 8 days ago |
      Has Facebook ever not been hidden behind a login? Because even if that doesn't count as "intelligent & creative publishers", it certainly set a much harder trend to get around than the banners.
      • ImPostingOnHN 8 days ago |
        > Has Facebook ever not been hidden behind a login?

        Yes. Not sure when they added the loginwall, but it was relatively recently, compared to my birth.

        • ben_w 8 days ago |
          Hm. Could've sworn it had one back in 2009…
          • whstl 8 days ago |
            I think you two are talking about different things and are both correct. Facebook indeed had a login page back then, but you could use direct links to read public posts. Today it's roughly the same, but when you go to a direct link it shows a "Login Wall" that pesters you to sign up.
    • Cthulhu_ 8 days ago |
      Ads/tracking didn't destroy the web per se - besides the performance impact - but did/do destroy people's privacy.
    • pixodaros 8 days ago |
      If your site has no tracking, it does not need a cookie banner in the EU. AFAIK Wikipedia or Archive of our Own have none.
    • sensanaty 8 days ago |
      The only reason this exists is because of the ad/tracking parasites that infected the entirety of the internet.
  • Seanambers 8 days ago |
    This is the EU in a nutshell. You also have quite a few people defending this.

    GDPR is basically exactly what Bill Gurley talks about here ; https://www.youtube.com/watch?v=F9cO3-MLHOM

    Regulatory capture.

    • lysace 8 days ago |
      Also quite a few people (mostly from the north) fighting this idiocy.

      In general: Southern+Central EU wants to build a new USA. Northern states meanwhile want to reduce the power of the EU. A common market is really the only thing we want.

      UK had enough and quit.

      • diggan 8 days ago |
        > In general: Southern+Central EU wants to build a new USA. Northern states meanwhile want to reduce the power of the EU. A common market is really the only thing we want.

        As someone from the north (specifically Sweden) who now lives in the south (specifically Spain), I'm not sure there is majority in either places, either directions, to state this with confidence. Lots of swedes are happy with EU and wants to make it stronger, and lots of Spaniards who had enough of EU and wants it weaker.

        Maybe it looks differently in the center/eastern parts, haven't spent much time there admittedly.

        • lysace 8 days ago |
          It's weird that you're fixated on that, but yes, I am Swedish and live in Sweden.
          • dspillett 8 days ago |
            It's weird that you think it is weird for someone replying to your post to “fixate” on what is most of its relevant content.
  • Darkskiez 8 days ago |
    • IshKebab 8 days ago |
      That is dumb. The EU already knew this was the likely outcome because we already had stupid cookie warnings from the previous law.

      Regulation exists in the real world, not in some fantasy land where companies do what you want.

  • Y_Y 8 days ago |
    If websites respected Do Not Track then things would be a lot easier. I think we need a right to be listened to. Right now it's enough online to insist on only accepting information in one particular way, like having a noreply email and making people login and submit since shitty web form to respond. Putting your hands over your ears and tape over your mail slot doesn't work in real life, it shouldn't work on the web either.
    • chatmasta 8 days ago |
      I agree with you 100%, but to be ideologically consistent, we should admit that websites have as much of a right to ignore Do Not Track as we have to ignore their tracking scripts.
      • AyyEye 8 days ago |
        Websites aren't human.
        • chatmasta 8 days ago |
          Neither are browsers.
      • Terr_ 8 days ago |
        > but to be ideologically consistent, we should

        Not if it comes from "consumer protection", as opposed to "your computer, your rules."

        Treading down the latter too far leads into weird realms like "Hacking? I didn't make your computer do X, I simply sent it messages, it's your fault for not controlling its behavior."

      • PittleyDunkin 8 days ago |
        "Rights" are sort of a hollow concept compared to how society ought to function and are just a crappy workaround our society's inability to resolve basic conflict.
  • patrick0d 8 days ago |
    they could have made the law:

    >if you collect users data

    >you must ask first

    >add a yes or no button on a banner so they can pick

    but instead the eu citizens were let down by the legislators

    • kalaksi 8 days ago |
      Uhh, what do you think the law is?
    • whstl 8 days ago |
      This is indeed how it should be, and courts have consistently found enforced this.

      French law for example specifically says that any implementation must "allow the user to refuse the deposit of cookies as easily as to accept it." [1]

      [1] https://www.termsfeed.com/blog/cookie-consent-decline-reject...

    • Rygian 8 days ago |
      That's, in a nutshell, what the law says since 2018.

      Whatever you see in cookie banners is either malicious compliance or directly illegal (and already being prosecuted and resulting in fines).

    • immibis 8 days ago |
      that IS the law
  • taosx 8 days ago |
    The internet is broken and I don't think it's only in the EU. In the last years I found myself just avoiding using websites I'm not familiar with or confident they're not filled with ads and trackers, I've set-up some aggregators and custom readers to find and get the information I'm interested in. If I open a page that has the cookie banner that blocks me from reading the content or forces me to agree I just close it, it wouldn't have been that important anyway.
  • frereubu 8 days ago |
    "All" the EU needs to do is to mandate adherence to the Do Not Track setting in browsers, but then vast swathes of businesses based on unwanted and unethical tracking would go bust, so we have this really shitty stalemate.

    All websites we build adhere to the Do Not Track setting and don't even show a cookie banner if it's set. The only question is whether we should show a message to say that we're not tracking people because we see they've asked us not to! It's possibly a bit easier for us because we work primarily in the non-profit sector where ethics are perhaps a little higher up the agenda.

    • JumpCrisscross 8 days ago |
      > but then vast swathes of businesses based on unwanted and unethical tracking would go bust, so we have this really shitty stalemate

      They’d be supplanted by foreign competitors. That’s the actual stalemate.

      • ben_w 8 days ago |
        > They’d be supplanted by foreign competitors. That’s the actual stalemate.

        Most of the ad trackers I'm aware of are already foreign to the EU, so that doesn't seem to be even an economic threat from the EU's perspective.

    • ravenstine 8 days ago |
      Let those fuckers go out of business.

      I'm sorry, but if we are really so worried about businesses failing that we can't restore some amount of sanity, then something is wrong with society.

  • keketi 8 days ago |
    Because I use fresh incognito mode for each browsing session, I have to click through those consent popups on every website I visit. Quite frustrating to say the least.
    • evanb 8 days ago |
      You can use Consentomatic to have it automatically handled. It's from Aarhus University, open source.

      https://consentomatic.au.dk/

      • nicce 8 days ago |
        uBlock's cookie filters might be even more effective if you don't care to fine tune.
  • sharunkumarks 8 days ago |
    Link is dead now?
  • guywithahat 8 days ago |
    The whole thing is a colossal waste too, it was a law written by people who don't understand tech for special interest groups who don't want to actually make things better.

    If you don't want a website doing something on your computer, you start with the browser, not the website.

    • tchalla 8 days ago |
      Future headlines after a browser compliance law made - “EU is destroying innovation!”
      • guywithahat 8 days ago |
        You shouldn't need any kind of law here. Consumers have 100% of the power as it stands in regards to browser tracking. The innovation should be in browsers and plugins, not donottrack flags or compliance laws.
    • throwaway346434 8 days ago |
      Enforced by companies who are doing shady things with data in the most inconvenient way, rather than listening to DoNotTrack or https://globalprivacycontrol.org/

      Because if they can say "hey look over there, regulation bad"; they can escape regulation if it is repealed

    • RejectedChin 8 days ago |
      That's why they created DoNotTrack initially. Then browsers turned that on by default, ad revenue lowered, and sites/adcompanies decided to ignore it because it was turned on by default.
      • wtetzner 8 days ago |
        Maybe the legislation simply should have required DoNotTrack to be honored.
      • tbrownaw 8 days ago |
        1. Do not track was not the browser deciding what to do (that would be a similar shape as Firefox multi-account containers and incognito mode). It was a machine-readable way to tell the site what to do; ie the same incorrect model as the click-through banners we have now, just non-interactive.

        2. It was intended to be a way to communicate an actual intent from the user. Once it was set by default, it ceased to be an indicator of user intent.

        • roughly 8 days ago |
          > Once it was set by default, it ceased to be an indicator of user intent.

          This presumes that it isn’t the default user position. There are three people on the planet who actually want ad tracking, and they’re welcome to go change the setting, but default off was the correct setting.

    • calibas 8 days ago |
      The company that dominates the browser market also makes billions off of tracking people. That might be part of the problem.
    • hnbad 8 days ago |
      It's not about your computer, it's about your data. Tracking cookies are just one aspect. The GDPR is about consent and ownership of your personal data. It literally defines your rights with regard to your pesonal data.

      The GDPR and ePrivacy directive aren't just about cookies. They limit what a company can do with your data in general, who can access it and how long. Cookie banners are just a downstream consequence of it and the reason they're bad is that most companies try to be clever and design them maliciously in ways to coerce you into "opting in" even though this makes them non-compliant.

      If DPAs were serious about enforcing the law, every single website not giving at least equal visual weight to the "refuse all and continue" button (or hiding it behind other options or using individual "legitimate interest" toggle buttons to sneak in their partners despite the existence of the toggle button invalidating the claim of "legitimate interest") would be punished with the maximum fine because they have purposefully and maliciously violated the law.

    • GJim 8 days ago |
      > it was a law written by people who don't understand tech

      On the contrary; data protection law was written precisely by those who understand tech and the dangers of companies using it to gather and share your personal data.

      It's utterly bizarre people get annoyed for being asked explicit, opt-in consent to gather and share personal data on a case by case basis (as the law demands!), rather than get annoyed at the scummy SV adtech surveillance capitalists for seeking to share your data without consent.

      (Once again, "cookie banners" are not required if you aren't tracking me or gathering personal data. Case in point, Hacker News sets cookies and is entirely compliant with no need to ask any permissions from me)

      • anonzzzies 8 days ago |
        Maybe the parent of your comment works in adtech or has shares google?
  • ryandrake 8 days ago |
    People blame the cookie banners themselves or the legislation that "made them necessary" but somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.

    The "cookie banner problem" exists because it's primarily end users that are shouldering the burden of them, and not the companies. For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner. For everyone else, it's thousands of wasted seconds per year. Make the law hit companies where it hurts: their balance sheets.

    • legitster 8 days ago |
      > never seem to blame the web companies for doing the naughty things on their websites

      Part of the problem is that the law didn't seek to distinguish between tame first-party cookies and the really naughty third-party cookies so the burden is equal regardless of how malicious the service is.

      > For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner.

      This is actually not true. There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)

      • nicce 8 days ago |
        > There's a lot more that goes into a cookie banner than you might realize, and there's now an industry dominated by a small handful of players (Osano vs OneTrust)

        Isn't this industry for those, who want to share their website data automatically with 100+ partners? For others, who don't really share that much data with others, less relevant.

        • legitster 8 days ago |
          If you are just running a static websites, maybe. But if you are going to run a website with any services on it (video content, eCommerce, member management, etc) you are going to have partners. Establishing a browser session with every single one would be pretty onerous (and honestly much worse for privacy) so a first-party cookie is a pretty good compromise.
          • hnbad 8 days ago |
            > But if you are going to run a website with any services on it (video content, eCommerce, member management, etc) you are going to have partners.

            No? At least not in the scale that would require these consent services. Services like member management are literally required to operate the website so those can go into the privacy policy (as would e.g. hosting on AWS or using a CDN).

            The reason these consent services exist is that a lot of websites are just content mills that operate entire on behavioral advertising, whether it's the web version of a newspaper or just SEO blog spam. These often use hundreds of "partners" for analytics, ads, targeting, re-targeting, etc. And they desperately try to trick visitors into opting into those.

            For your run of the mill Wordpress website you can just get a plugin like https://devowl.io/wordpress-real-cookie-banner/ - and in many cases the free version is good enough.

      • ffsm8 8 days ago |
        It did though? You don't need a banner for actually legitimate use (session Cookie, settings, etc)

        The things they're calling legitimate use just isn't, which is why they need banners.

        • diggan 8 days ago |
          I keep seeing this misinformation going around, and it has been going around since almost day 1 of when the directive became known. I'm not sure where it's coming from, or who initially thought it worked like that, but judging by the comments in this submission it seems like a ton of people are very misinformed about how these things actually work.
          • azinman2 8 days ago |
            So how to these things actually work?
            • 6510 8 days ago |
              Anything goes as long as it is useful for the user.

              Funny example: If they chose not to accept your spying cookies you get to set a cookie to store that choice.

              • dkarras 8 days ago |
                Someone might think: surely seeing ads targeted for them instead of random ads must be useful / beneficial for the user!
                • hnbad 8 days ago |
                  The first step is data minimization. The second step is informed and revokable consent. Everything else follows from there.

                  Do targeted ads increase the amount of personal data that needs to be stored and processed and the number of entities that will access it? Yes they do. Are they required for the site to serve its stated purpose? No, unless the site is marketing itself as literally a curated stream of targeted ads. So they require informed and revokable consent (i.e. opt-in). Even if you think they're beneficial to the user.

                  It's not about what's beneficial. It's about what's required. That's why most sites try to group services by categories like "functional", "analytics", etc. If you want to embed a Google Maps view to help people find your physical store, that's beneficial but still requires consent because it shares their data with a third party (i.e. Google) when the browser loads that map. Of course in this case you don't even need a banner, you could just have a placeholder (often called "content blocker") instead of the map with the option to consent to loading the map and storing that decision so the user doesn't have to see the placeholder again.

                  • 6510 8 days ago |
                    I think you could also link to google maps.
          • pessimizer 8 days ago |
            If this is true, you have not helped them to understand in any way.
        • legitster 8 days ago |
          The elephant in the room is that almost no one wants to host website without at least some sort of website analytics service, which does not fall under legitimate use. So that's why even a small blog is going to have a cookie banner.

          There are some analytics companies out there that advertise cookieless analytics, but they are either a) too simple for enterprise or b) a much, much worse privacy and compliance risk.

          • ffsm8 8 days ago |
            Even this can be done without a banner, as long as these analytics do not contain any way to link them to individuals/specific users

            It's admittedly sound advice to create a banner for such a usecase however, as sanitizing all user data from these events is hard to guarantee, and you'd have to do just that to keep it legal

            • XCSme 8 days ago |
              I think it's impossible to be 100% legal.

              Many times, the user IP, which is considered PII, is stored in various servers/routers log that you have no access to...

              • ffsm8 8 days ago |
                Lots of misinformation on the internet wrt this, and I am not a lawyer either.

                It's especially tragic because Google serves you countless factually incorrect articles if you search for gdpr, which doesn't help with this endless amount of confusion.

                You might be interested to know that an IP address isn't actually PII, because that's a concept of California privacy regulation and they don't care about them

                https://techgdpr.com/blog/difference-between-pii-and-persona...

                It's a different story for gdprs personal data however. Because there are individuals with static IPs - which makes it possible to link these IP addresses to individuals. If you could only omit these, you could technically use ipadresses however you want too. But I admit that that's kinda unrealistic ( • ‿ • )

          • Earw0rm 8 days ago |
            The other elephant is that while everyone has analytics, only one in five companies pays someone with an actual clue how to interpret them to look at them regularly, and only one in five of those companies has a decision making structure that allows them to act meaningfully in response to insights gained.
          • account42 8 days ago |
            Well, too bad.

            When it comes to processing other people's data you don't get to do whatever you want.

            Maybe try running a website without analytics before throwing a tantrum.

            • ryandrake 8 days ago |
              Yea, companies are so used to laissez faire that when they're finally told "too bad, so sad" they throw a tantrum, sue, cry, and eventually comply as maliciously as the possibly can, to show the world how upset they are that they can't simply do whatever they want.
      • Rygian 8 days ago |
        The cookie banner has nothing to do with first -party vs third-party.

        The cookie banner is required depending on the purpose of the cookies, not the party setting them.

      • ryandrake 8 days ago |
        > Part of the problem is that the law didn't seek to distinguish between tame first-party tokens and the really naughty third-party tokens

        Maybe I'm an outlier, but ideally I don't want them collecting any "tokens" without my consent. I don't care if they're first party or third party or birthday party. I should be able to browse web sites in peace without some company collecting anything. If the web site doesn't work exactly the way I'd expect because I did not provide that consent, then that's on me.

        • self_awareness 8 days ago |
          Well that's a thought everyone can identify with, but objectively speaking, they're paying with their energy to build the website, and paying their money to host it. Yet you would want to browse it for no cost at all.

          How to resolve this?

          • hnbad 8 days ago |
            You're framing website use as transactional but for financial transactions we literally require informed consent.

            Also you seem to be operating under the assumption that your personal data is something that can be used as payment. The GDPR literally does not allow that just as human rights don't allow committing yourself to indentured servitude. You can't sign away your rights. If you share personal data you continue to have rights to that data and can revoke your consent. It doesn't stop being your data just because you handed it over, even if you did so willingly.

            If your business model can't work without exploiting your users' personal data, your business model no longer works and it's your job to find a new business model that does. There are plenty of business models that only worked when indentured servitude was legal (let's not have the debate about prison labor in the US) and I'm sure you would agree that it's fine for those business models to no longer work. It's part of the risk of doing business. Innovate. Disrupt. Or perish.

        • smolder 8 days ago |
          There is basic non-identifying logging that is almost entirely necessary to operate a website. I assume you're okay with that much?
      • BiteCode_dev 8 days ago |
        It totally does make the distinction.

        If you use cookies for auth, no need to disclail it.

        Better, you don't need a banner even of you do track users for anybody with DNT. So you can offer a seamless experience.

        They just don't care.

        • legitster 8 days ago |
          > you don't need a banner even of you do track users for anybody with DNT

          This is not true. The specific text of the law requires that websites have to provide details about their cookies, and then document and store user preferences.

          If you just honored the DNT, you would still be out of compliance.

      • jorvi 8 days ago |
        > and there's now an industry dominated by a small handful of players (Osano vs OneTrust)

        Because of that there are now neat categories of cookies / cookie purposes.

        Would be nice if we could select one time in our browser “necessary cookies only”, and that would be communicated to every website visited, without the need for a banner. But that’s user friendly and that’s anathema to the modern web :)

      • consteval 8 days ago |
        > Part of the problem is that the law didn't seek to distinguish between tame first-party cookies and the really naughty third-party cookies so the burden is equal regardless of how malicious the service is.

        It does, or rather the law doesn't state cookies at all. It has nothing to do with cookies.

        All the law says is you require informed consent if you want to harvest personal data and use it for tracking. Cookies are a common way to do that. But cookies used for session and whatnot are exempt, because they're not used for tracking.

        The problem is companies are maliciously compliant.

    • Cthulhu_ 8 days ago |
      They don't technically even need a banner per se, just respect the user's "do not track" browser setting, or put it in a settings screen, or don't use any 3rd party trackers.

      But a lot of businesses assume they need to ask permission for placing any cookies, which is simply not correct. Local analytics tracking is fine, it's only when the user can be tracked across multiple separate websites that they need explicit permissions. And the user should not be annoyed into making that decision.

      • deprecative 8 days ago |
        Businesses are stupid. More at 11.

        Yay capitalism.

      • NL807 8 days ago |
        >But a lot of businesses assume they need to ask permission for placing any cookies, which is simply not correct.

        Partly because of laziness, partly because of pessimistic legal compliance.

      • ryandrake 8 days ago |
        This seems like the best way to go. Companies should have to respect "do not track" and browsers should have to enforce it to the extent that it is technically possible. And "do not track" should be per-domain at least.
      • AndroTux 8 days ago |
        And I blame the EU for not making this the law. Just force everyone to adhere to the setting and be done with it. But no, instead we got this bullshit.
    • IshKebab 8 days ago |
      Well yeah because the "naughty things" are totally allowed. Can you blame them for trying to make money legally, and most people would say fairly morally (most people in the real world; not on HN).

      I think 90% of the blame lies with the EU. They had experience from the cookie law that this would happen.

      It like... say you would rather people didn't drink alcohol in pubs (because of all the scary violence it leads to). You can

      1. Ban alcohol in pubs.

      2. Allow alcohol in pubs.

      3. Allow alcohol in pubs but only if people recite the lord's prayer before every purchase.

      3. is obviously a dumb choice, yet it's the one they chose.

      • doublerabbit 8 days ago |
        D: Drink in pubs till 10pm including no alcohol purchases after 10.

        That's the law here in Scotland. As annoying as it is, the same law doesn't apply in the rest of the UK but it's reasonable.

        • IshKebab 8 days ago |
          Sure, and that's a perfectly reasonable law. There's no "oh you actually can sell alcohol after 10pm as long as your customers fill in a 5 page form, which is what the EU has caused.
          • doublerabbit 8 days ago |
            If you're using third party cookies you have to display a "please consent" button.

            If you're not, then all you need is a privacy policy somewhere stating that you use cookies and that they are all first party.

            That seems fair to me. I like to know if cookies are used or not regardless if they are site or third party only.

            • IshKebab 8 days ago |
              It's perfectly fair, but it's also extremely annoying. That's the whole point.
    • drdaeman 8 days ago |
      Scummy companies won't magically disappear or stop scummy practices. We can and should blame them, but it's pretty much obvious that the legislation (despite good intents!) resulted in a de-facto shitshow that failed to recognize basic social/behavior sciences, technical details, or anything else.

      It should've been an user-agent centered feature rather than individual website gimmick - that's the only way it could've possibly worked. After that, companies can try to continue doing whatever shit they want to try, but none of their identifiers would be persisted unless user agent allows it. (This does not account for fingerprinting, but that's a whole other story.)

      Instead, legislators made some weird decisions that failed to account for human and corporate nature (greed), and we ended up with more popups and banners than ever.

      • account42 8 days ago |
        > none of their identifiers would be persisted unless user agent allows it.

        Wrong.

        And the GDPR is not just for the web.

        • drdaeman 8 days ago |
          > Wrong

          How? I fail to understand why if a browser, configured to not persist anything by default (without a consent) would persist anything. Save for a bug, of course.

    • dmix 8 days ago |
      The second cookies are blocked the industry moved to fingerprinting and other methods

      It's like piracy, there's only so much you can do plugging holes

      Cookie banners always felt like a feel-good solution. Made worse by inconsistent UIs, differing button texts, long explanations, etc.

      • ryandrake 8 days ago |
        > It's like piracy, there's only so much you can do plugging holes

        I say keep on plugging. When you make a law and bad actors find loopholes, the solution isn't to throw up your hands and say "Well, we tried!" The solution is to continuously refine the law as loopholes are found. Laws should get regular patch releases.

        • dmix 8 days ago |
          Yes that seems to standard practice in modern government. Impose a series of ineffective rules that do more harm on the public than helps them, and when it fails just invent new ones without considering why the last one failed. And most importantly don't get rid of the previous rules, just let them stick around a decade after it's been apparent they were ineffective.
    • Apreche 8 days ago |
      The problem is the law didn't go far enough.

      Instead of requiring companies to put up a banner if they did certain tracking activities via cookies the law should have simply outright banned the tracking activities entirely.

    • imgabe 8 days ago |
      How can the banners be necessary because of “naughty things” when the banners do absolutely nothing to mitigate those things in any way? All those things are still happening AND people have to waste time clicking useless banners.
    • amadeuspagel 8 days ago |
      I hope you'll be glad to know that this law already hits companies where it hurts, because many people will close the tab after the slightest annoyance.

      I hope you're happy that this law already encourages people to stay within a few big websites (where they've already clicked away the cookie banner) and not explore anything new (where they'd have to click away a cookie banner every time).

      • sensanaty 8 days ago |
        Or, crazy idea, don't have invasive user-tracking cookies? Github doesn't even have a cookie banner and they're one of the largest websites on the planet.

        After seeing websites pull shit like "legitimate interest" where they share data with 9 trillion of their "partners", they can all rot for all I care.

        • amadeuspagel 8 days ago |
          Yeah, you're probably right. If Github, where most users are logged in, can do without a cookie banner, some random blog probably can do as well.
    • tbrownaw 8 days ago |
      > somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.

      If I do not want a website to set any cookies, the correct course of action is to tell my user-agent to not keep any cookies from it.

      • self_awareness 8 days ago |
        All you can get this way is that you'll still have temporary cookies, removed after closing the tab, you will still have the banner, but this time the banner will popup each time you'll enter the website, because there's no cookie that will tell the banner that it has already been displayed.

        I have it like this. But with that, I'm using a banner autoclicker. So the company gets my data, although different each time I enter the website, and I don't see any banners. Win/win?

    • Sakos 8 days ago |
      This is it. This isn't the EU's fault and the post isn't quantifying the benefit of requiring explicit consent in these banners. It's all about efficiency and productivity as if it's all that matters in the world. It doesn't care about users' right to privacy or their right to control their own data.
  • legitster 8 days ago |
    This is an example of the potential double-edged sword of passing legislation without input from lobbyists. On one hand, without an industry voice, they passed an amazingly ambitious set of protections. On the other hand, it doesn't seem like there was a technical industry expert who warned them of the implications.

    (I say that, but the EU bureaucrats that passed this law may actually see the immense numbers of popups as a win still - who knows).

    A revision is patently obvious to seemingly everyone - revise the law to instead mandate that websites respect the Do Not Track header, or at least have designed a more granular replacement. There's no reason you shouldn't just be able to set it once and your browser tracks it for you.

  • kalaksi 8 days ago |
    Unfortunately, even without consent banners, there's plenty of unnecessary clicking in this new golden age of (CSS) popups.
  • elashri 8 days ago |
    I would like to present my opinion that this amount of time is spent dealing with website malicious compliance with EU rules. And it is in general asking people to get tracked and present them with personalized track or share/sell the data to their partners. All of these does not happen and you don't have to do that if you don't track and collect information about your users. Well there are some genuine websites that needs that but I am talking about the general case.
  • sccomps 8 days ago |
    A lot of those hours might be saved if they mandate a “reject all cookies” button on the cookie banner.
    • Cthulhu_ 8 days ago |
      They do already, and big companies have already been fined for not offering them, which led to some smaller parties adding them. See here [0] for a list, amongst which was Microsoft getting a $65 million fine for not having an easy opt-out on Bing, or $162 million to Google for the same thing. Noncompliance should be reported.

      [0] https://www.cookieyes.com/blog/cookie-consent-fines/

      • what 8 days ago |
        Everyone should just geo block EU visitors instead.
        • taosx 8 days ago |
          I know a lot of people that wouldn't mind that.

          1. There are ways to bypass geo-block.

          2. People would build alternatives specifically for EU (with few exceptions).

          3. They could even offer those alternatives to US, but with better privacy out of the box.

          • marcosdumay 8 days ago |
            On #1, yeah, you can. But don't expect the site to respect the EU laws.

            I'm all for the hostile corporation to hostilize themselves into complete inaccessibility too. Let them build their castle, with a moat, and not let anyone near them. But unfortunately, they are still smarter than that.

            (But anyway, they seem to be getting dumber by the minute, so there's still hope.)

        • Sakos 8 days ago |
          Yeah, fuck everybody else's privacy. /s Why are you like this?
      • sccomps 8 days ago |
        majority of sites don't have a clear "reject/decline all" button. I think they deliberately make it complicated.
  • _qua 8 days ago |
    I don't even have the words to express how little I care if companies serve me targeted ads with cookies. On the other hand I absolutely despise what the average visit to website with a cookie banner has become.
    • dspillett 8 days ago |
      Blame the companies, not the regulations. A significant part of their reasoning behind byzantine stalking permissions banners is that they are deliberately inconveniencing people like you who don't care, so you can be weaponised against those of us who do in discussions about the regulations and related privacy matters.
  • osm3000 8 days ago |
    I can't believe any of this made a difference in privacy. There is ZERO chance that the law can be enforced here. I've worked in few startups in Europe, no one understand their obligation, let alone the consequences from third party services.

    This whole cookie banners, and GDPR in general, is as good as literature.

  • alpaca128 8 days ago |
    Correct headline: User-hostile websites waste 575M hours of Europeans' time every year.
  • edm0nd 8 days ago |
    rip

    >404 Not Found

  • Vagantem 8 days ago |
    Can recommend consent-o-matic Chrome extension which automatically selects "no" to everything!

    https://chromewebstore.google.com/detail/consent-o-matic/mdj...

  • edm0nd 8 days ago |
  • WarOnPrivacy 8 days ago |
    > actively tracking a user beyond their visit to a website is difficult or borderline impossible for website owners, as it would require a court order.

    I am skeptical of this claim. Partially due to the existence of trackers, beacons, 3rd party cookies and fingerprinting methods.

    > Identifying users typically requires a court order to process IP addresses

    And this one as well.

  • air7 8 days ago |
    I know that I'm in the minority, especially here, but I generally welcome paying with my data. it seems to me that companies need to generate revenue and they do this by extracting something of value from the user and that this thing by definition almost would be something the user isn't happy to just hand over: money, watching ads, electricity for mining crypto, personal data etc. It's some form of payment.

    for me personally out of all these options giving my data is my least painful payment option for one off services.

    • immibis 8 days ago |
      Then click the consent button. You have to consent to a payment being extracted from you.
  • ayaros 8 days ago |
    Why should websites even be trusted with implementing these banners in the first place? Browser vendors should be responsible for implementing these controls per-origin. Give a little banner pop-up built into Chrome, Firefox, Safari, and the rest. Have it display every time a new site sets a cookie for the first time. Or have it reject every cookie by default, unless I whitelist a site. This would result in a consistent user-experience across the board, and I'd actually be able to trust that I'm not being tracked.

    Instead, we are trusting the very websites we are blaming on tracking us in the most decietful, malicious ways possible to self-regulate and implement these controls. So now every website gets a shitty banner - on top of all the other annoying in-page banners and popups which are a staple of 2020s web design - that asks us if we want cookies. All these banners look different, are positioned differently on the page, appear at different times after the page is loaded, and function differently. So there's no consistency. And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies." How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?

    So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industury does, except its worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.

    So again, why isn't this the responsibility of browser vendors? Am I taking crazy pills? Am I going insane or is the world going insane?

    /rant

    • tbrownaw 8 days ago |
      > So again, why isn't this the responsibility of browser vendors?

      It should be, but then legislators don't get to brag about having Done Something and enforcers don't get to brag about punishing Bad People.

    • shiroiushi 8 days ago |
      >Am I going insane or is the world going insane?

      You haven't been reading the news lately, have you?

      • self_awareness 8 days ago |
        > You haven't been reading the news lately, have you?

        If you're referring to the US elections, then you might be interested in the fact that not everyone on HN is from US, and not everyone cares.

        • shiroiushi 8 days ago |
          You think the wars in Ukraine or the middle east only affect Americans?

          You think the change of administration in the US isn't going to affect the global economy?

          • self_awareness 8 days ago |
            You Americans are the last people who will be affected by whatever will happen to Ukraine. Even if Putin will punch through the whole EU up to Spain, you are still safe behind the great ocean, don't worry. Well, maybe he'll take Alaska. ;P
        • smolder 8 days ago |
          There is plenty going on in global news apart from US elections to be concerned about. Even apart from the wars, I think we've been acting insane for a few decades at least w.r.t. emissions and pollution. One person has intelligence, many, not so much.
    • Earw0rm 8 days ago |
      Essentially because the people drafting the laws are ignorant about technology, and have a kind of weird snobbery towards it. They like the shiny, but don't try and engage them in a conversation about what actually makes it tick.

      Knowing and caring how the plumbing actually works marks you out as a plumber, and sophisticated people don't concern themselves with those kind of details.

      (Also various corruptions in the drafting process itself, of the sort which tend to arise when you have a mega-nation with competing interests and power blocs, but in this case it's mostly just ignorance.)

    • hnbad 8 days ago |
      > Why should websites even be trusted with implementing these banners in the first place?

      Because these "banners" are not just about cookies but about data processing and storage. Cookies are just the most obvious and immediate aspect because they're browser-facing and thus consent needs to be obtained early on. But there's nothing special about cookies when it comes to the need to obtain consent (even the ePrivacy directive which singles them out only does so to explain what information needs to be disclosed in order for consent to be possible).

      > Instead, we are trusting the very websites we are blaming on tracking us in the most decietful, malicious ways possible to self-regulate and implement these controls.

      Yes. Because they break the law if they don't comply or try to trick you to "opt in".

      > So there's no consistency.

      Yes. Most consent dialogs are breaking the law by being intentionally non-compliant to mislead visitors into opting in. The ePrivacy directive makes it pretty clear what a compliant dialog would look like. For example if you have a big "accept all" CTA you need to have an equally prominent "reject all and proceed" CTA.

      > And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies."

      If they're strictly necessary, they are required for the site to function. Disabling them would make the site not work.

      > How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?

      Because that would break the law.

      > So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industury does, except its worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.

      No, we have created a law they have to follow and which they can be fined for violating. We have also established privacy and the right to your personal data as a universal right because everything else in the GDPR and ePrivacy directive follows downhill from that.

      They're not self-regulating, they're regulated. This is literally how regulation works: they have to follow the law or they risk a fine. The problem right now is some DPAs dragging their heels, most being underfunded and foreign companies getting special "One Stop Shop" deals where a ridiculously corrupt DPA (hello Ireland) gets to be the single DPA in charge of handling complaints about them.

      • ayaros 7 days ago |
        I realize there are indeed strictly necessary cookies for site functionality. Sites need to store state information, login data, information about what's in your cart, etc. I should be able to make that choice on a site by site basis - to decide if my relationship with a website is deep enough to be worthy of allowing it to store data on my computer beyond the contents of the page itself. I know whether I'm going to be logging into a site or not. I know whether I feel like making yet another user account or not. I know whether I want to actually consider buying something or not. And if I don't know for sure, I should have the option to allow cookies, and then to quickly revert that decision. And user interfaces can be built within the browser to make this level of control more accessible and understandable to the average person without being obtrusive or overly complex.

        In my opinion, the web needs to be less reliant on cookies and state data, and websites should be adaptable to situations where they cannot store or access it. Websites can easily provide UI feedback for this issue. For instance, a store website unable to save a cookie can place a banner at the top saying something like "please enable cookies for this website in order to use the shopping cart." And then it's up to browser vendors to provide a simple, consistent, intuitive user interface for enabling cookies - such a UI should minimize the amount of instructional info a site's banner will need to contain in the first place.

        The web really needs to be built around opting into site functionality on a site by site basis. It's been the opposite of this for a long time now and we've ended up where we are today... There are many reasons site operators will hate this, from legitimate concerns about usability or accessiblity, to business concerns about users not wanting to take the minimum amount of time to change a setting to add items to a cart resulting in reduced sales, or even malicious concerns about not being able to track users under a magnifying glass. As pissed off as these site owners will be, it's a change browser vendors can make without needing their permission the same way Apple added app-tracking-transparency controls much to the chagrin of companies like Facebook.

        And yes, users will find one reason or another to complain about this, despite the fact that it will be optional. "It's like Vista's UAC prompts all over again!" "I shouldn't have to do extra work to add stuff to my cart!" etc. That's great that they don't care about being tracked and if they want to be the cattle of data mining companies that's fine. But there are plenty of people who, given the choice, will prefer the alternative, and over time sites will adapt. If sites purposefully punish people for not enabling cookies, and websites are interested in pissing off thier users, well there's always the option to close that site and use another... in any case I'd rather deal with that kind of fight then the situation we have now.

    • daveoc64 8 days ago |
      The law isn't about cookies - it's about obtaining consent to process personal data.

      You need to ask permission to track people and to do other things with their personal data.

      Cookies are one method to do that, but any other method (like local storage or storing session state in a URL parameter) also counts.

      Hence, it is not possible to have a system where a browser can tell a site what kinds of processing the user thinks are OK, as it would be too complicated.

      • maxwell 8 days ago |
        Doesn't the Global Privacy Control header/property solve for this?
    • elric 8 days ago |
      Couldn't agree more. A browser used to be known as a User Agent [1], but most browsers no longer act in the user's best interest, but rather pander to adtech enablers. It is a sad state of affairs.

      [1] Shameless plug to my rant on the subject https://blog.melnib.one/2024/05/19/death-of-the-user-agent/

  • compootr 8 days ago |
    404ing for me... did this site get hugged to death?
  • aristofun 8 days ago |
    That what always happens when you give too much power to government - stupid people making stupid ineffective decisions.
  • jacknews 8 days ago |
    These calculations read like an episode of Silicon Valley.

    Sure the banners are a stupid idea and a little annoying, but these figures have no merit. There's no way 500m hours of productivity are going to materialize from removing the banners. Removing 'please subscribe' popups, and other ads, now that's altogether different...

  • amadeuspagel 8 days ago |
    There's a more insidious effect of cookie banners, which is that they make it annoying to follow external links, especially to websites that you haven't visited before. This disadvantages websites built for external links, like HN.
  • sottol 8 days ago |
    Analysis of economic and productivity losses caused by Youtube ads in <world>.

    <S>OMFG!!! YOUTUBE IS COSTING THE WORLD *750B EUR* PER YEAR. </S>

    How many hours of productivity are lost to Youtube ads?

    2.49 billion active users, average seems to be 29 hours per month, reddit reports 4 ads/10 minutes lately - so 24 ads/hour, 5 seconds each (even though that went up!), so 2mins of ads/hour or 1 hour of ads per month, 12 hours of ads per year!

    12 hours * 25 Eur/hour * 2.5B = 750B Eur

    (probably made some mistakes)

    Also, this article is ridiculous - like assuming all 400M European internet users are "productive" at 25Eur/h (30% are probably < 15 or > 65), people clicking 1200 banners per year because they visit 100 sites/month (12*100, right?!) and so on.

  • m3kw9 8 days ago |
    There is cookie banners in the US and canada
  • kylecazar 8 days ago |
    the angle of wasted productivity on the end-user's side seems ridiculous. If anything, count wasted resources in implementation for little gain for the end-user.

    "Assuming it takes an average of 5 seconds per interaction with a cookie banner".

    People don't spend 5 seconds clicking accept. They start reading their website, notice the banner in their periphery shortly after, and click it to go away.

    • self_awareness 8 days ago |
      I hope you're joking.

      The banner often obscures the view, and the user need to dismiss it in order to know if the page contains the information user looks for. But in order to dismiss it, you can click "Accept all" easily and job done, OR you need to enter options by clicking the "manage" button, find your way around the banner, understand what are the options and which ones are checked and which are unchecked, then click "consent" or whatever terminology is used, but only after finding the button.

      This easily can take up to a minute.

      Yes, sometimes there's the "reject all" button, but not always. Also you need to know how they define the "reject all" button, because sometimes it probably may be defined as "reject some".

      It's not a problem for me, because I autoclick them away with browser plugins, but when I'm on a mobile, the web is really hard to browse because of those banners.

  • class4behavior 8 days ago |
    Misleading headline: It's productivity loss caused by non-essential data collection.

    The EU does not mandate banners, it's the businesses choosing to bully their customers into accepting all tracking and profiling.

    • GJim 8 days ago |
      Is the right answer.

      It's stunning the number of people on HN (a tech news site!) who don't realise there is simply no requirement for "cookie banners" UNLESS you are using those cookies to track me or personally identify me (advertisers take a bow)..... In which case you need to ask my explicit permission to do so.

      And so you should.

  • pixodaros 8 days ago |
    Now count how much money and time is wasted loading all the spyware of typical commercial websites to generate a tiny value from selling ads and personally identifying information (the mobile data costs alone ...)
  • semiinfinitely 8 days ago |
    The previous headline was better
  • bryanrasmussen 8 days ago |
    My opinion is that cookie banners are so bad because of GDPR and not getting rid of the cookie law when GDPR was enacted.

    Then everybody kept their cookie banners around and folded GDPR requirements into it, making it more complex, and more necessary all over the place, and less likely for people to think do we need these cookies or not and do we need to show this banner because of fear of GDPR (potential fines are big!!)

  • foxglacier 8 days ago |
    Around the time this started, Google was going to penalize sites in its search ranking if they greeted users with an obtrusive popup. I thought that would strongly discourage cookie banners but then suddenly there was an explosion of stupid popups everywhere - newsletter signups, cookie banners, "special offers", overlaid ads, etc. I guess Google never did that thing?
  • littlestymaar 8 days ago |
    “Analysis of economic and productivity losses caused by companies implementing dark patterns in order to extort used consent

    FTFY

    And you could add an analysis of the productivity cost of those “Subscribe to out newsletter” and “The experience is better on the app” pop-ups please?

  • d--b 8 days ago |
    This doesn’t take into account the fact that some people just close the website, saving countless minutes of rabbit hole browsing…

    Oh and 5 seconds is unrealistically high.

  • snehk 8 days ago |
    The whole law should have been forcing sites to not ignore DoNotTrack bworser settings. It's a prime example of the EU being utterly useless because they don't understand the underlying issue and then choose a "solution" that's as much in your face as possible but doesn't change anything about the original problem. It's the whole plastic straw thing in digital form.
    • Earw0rm 8 days ago |
      This, exactly.

      And possibly requiring browser vendors to implement Do Not Track in an accessible and user-friendly way. (Those whose business models are reliant on ads might need a firm nudge there.)

    • cenamus 8 days ago |
      If only those websites just didn't use cookies when 99% of them don't need them. Easy to display the cookie terror banner and blame the EU while you're using it for "analytics".

      And the majority isn't even compliant, without a big disable button, instead hiding it through 10 different dark patterns in the cookie setting, where every misclick leads to accepting the whole array of spyware.

    • jajko 8 days ago |
      Its lazy engineering. Most sites dont need such functionality, but devs are either incompetent to rip it out of libraries they use, are stuck in web design patterns from 20 years ago themselves or its a simple business decision to trade user data. When was the last time you really needed cookies for your business and couldnt get around it with (usually better) tech?

      Dont blame the system (nonideal but darn good to be in place, compared to literally rest of the world where humans have simply less rights), when its companies failing knowingly basic rules.

    • mpeg 8 days ago |
      I don't think DNT settings were not considered – they were probably discarded as they hurt user privacy. Fingerprinting tools use the DNT setting as an extra flag to identify the user, so having it set to a non-default means you actually get tracked more, not less.
      • bawolff 8 days ago |
        The cookie banners still have to be implemented somehow. I dont think there is a difference in the amount of tracking here.
        • mpeg 8 days ago |
          My point is that if the tracking settings came from the browser whether it was DNT or another one, they would actually be used to track people more effectively by bad actors
    • randunel 8 days ago |
      No, it's not a prime example of the EU being utterly useless. It's a prime example of companies engaging in shady practises. This is what all the websites should have done: https://github.blog/news-insights/company-news/no-cookie-for...

      Quote from the blog post:

      > Well, EU law requires you to use cookie banners if your website contains cookies that are not required for it to work.

      • Kubuxu 8 days ago |
        It is quite ironic to get a cookie banner on tat page.
        • ben_w 8 days ago |
          And disappointing.

          Hopefully that doesn't mean my blog, currently hosted on github, is getting them again — those popups were one reason I moved away from Wordpress (well before the latest drama).

    • libertine 8 days ago |
      > It's a prime example of the EU being utterly useless

      That's a bold statement to claim that the largest trade block in the world is utterly useless, but I'll bite it.

      What was the underlying issue they didn't understand?

      • anonymousab 8 days ago |
        That companies will go with malicious compliance 9999 times out of 10,000. So ensuring compliance would require immense enforcement efforts from the get-go that still haven't really surfaced.
        • libertine 7 days ago |
          Where are you getting this information from?
  • Animats 8 days ago |
    Exemptions from cookie banners for small and medium-sized businesses (SMBs) using analytics, tracking user interactions on their websites, and managing basic advertising are imperative to mitigate unnecessary economic and productivity losses.

    Yeah, right. You don't have to use cookie banners if you don't use cookies. Unless you are running ads or profiling users, you can get equivalent data from server logs.

  • pmg101 8 days ago |
    Am I literally the only person who this doesn't bother? When I go to a site I click all the xs and buttons until I can see content, without any conscious engagement at all really.

    Sometimes when you go for a walk in the country there are stiles or gates to climb over and that is also fine.

    I feel like there's some kind of implied belief here that all interactions with the world should be perfectly frictionless which I think may be more of a niche view than is realised?

    • sureglymop 8 days ago |
      No. Same here and I agree with you. I think websites having to disclose what third party cookies they save is worth the small inconvenience. And if they maliciously comply, that hopefully leads to further regulations.
  • uniqueuid 8 days ago |
    I am kind of frustrated by the widespread misunderstandings in this thread.

    Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities. The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.

    There is no doubt that the goals set by the law are sensible. It is also not evident that losing time over privacy is so horrible. In fact, when designing a law that enhances consumer rights through informed consent, it is inevitable that this imposes additional time spent on thinking, considering and acting.

    It's the whole point, folks! You cannot have an informed case-by-case decision without spending time.

    • mpeg 8 days ago |
      What I find funny about the whole thing is that the grand majority of companies with cookie banners are not implementing them correctly, and therefore are still in breach of the law.

      I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given

      Also see banners where there is only a big "OK" button, with no visible option to reject, this is also not compliant!

      • weinzierl 8 days ago |
        One way to see it is that it's their way of passive-aggressive protest against a law they don't want. Maybe the aim was never to abide by the law, just to pretend and annoy people enough to draw them on your side.
        • dominicrose 8 days ago |
          A clear example of passive-aggressive protest was from Google, the removal of links to Google maps from the search results. Instead of providing a choice of multiple map providers, they just completely removed the links. To clarify: I'm in Europe (France).
          • dspillett 8 days ago |
            Or Apple's childish hissy-fit, deliberately breaking offline app support in response to an edict about app stores.
        • dspillett 8 days ago |
          I take an even more cynical view: their intent is far from passive.

          They want the end user to be irritated in the extreme. When users complain they'll say “we have to do this, the law says so, look, everyone else is doing the same thing” in the hope that people will support later action to have the privacy protections wound back.

          • ryandrake 8 days ago |
            The message from these antagonistic companies is clearly: "Look at what they made me do to you!" And users (even here in the HN comment section) fall for it. Like a beaten spouse. Yessssssss, it's the evil EU.... Why do they force you to beat me up?
        • ragnese 8 days ago |
          Oh, it's definitely malicious compliance. I have no doubt.
      • zelphirkalt 8 days ago |
        And not to forget: Giving consent and rejecting to give consent must take equal effort, otherwise you are not compliant. This is veeeery easy to do. Literally just place 2 equal buttons next to each other ... Basically, all you need to do is not to spend additional effort to F things up. But surprise surprise! Most companies act as too incapable to implement it correctly. I _wonder_ what the reason could be ...
      • sourcecodeplz 8 days ago |
        Look at how Google does it for Blogger. There is an OK button and a "Learn more" one. There is no reject. Are you saying they are breaking the law? EU would love nothing more than to levy more fines.
        • actionfromafar 8 days ago |
          I always assumed they were and are breaking the law.
        • MagnumOpus 8 days ago |
          They are breaking the law. But enforcement lies with national agencies (unlike antitrust where the EU commission itself enforces). Most national agencies don’t bother, only the French CNIL had levied penalties - pretty much on every one of the big ad tech companies in the Faamgs, Bytedance and Twitter…
        • atoav 8 days ago |
          Yes.

          GDPR says on Consent:

          > The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.

          Pretty clear, isn't it?

          There have been subsequent rulings stating that not giving a equally styled no/reject option or letting people choose between one yes option and thousand separate no options is already a influence that nullifies consent.

          Also specific means you can't just tell them you have to use a cookie for technical reasons and use it for tracking later — they might have given you consent for that cookie for the purpose you told them about, not for the purpose of tracking.

          All kinds of actors try to bend the rules here, while the rules are verh clear.

        • eitland 7 days ago |
          > EU would love nothing more than to levy more fines.

          They aren't paying attention then.

          The market abuse that has allowed Chrome to become as dominant as it is has been a lot worse than what Microsoft did with IE.

      • Cthulhu_ 8 days ago |
        You'd think that the $160+ million fine given to Google for incorrectly implementing their consent thingy would be a deterrent, but clearly not.

        While the OP of this comment chain stated that laws are best if they are abstract, I think in this case the EU should have mandated an implementation as well, for example a browser based consent setting. Can be global, can be per-website. But the (ad)tech companies wouldn't like that, because as it turns out if given a fair choice, the majority of people would not opt-in, and they don't like that. Even though a small percentage of visitors that do opt in would already generate statistically significant results.

        It's the same with the alternative, e.g. US sites simply not allowing access from the EU. They could just not have tracking. Advertisers could serve non-tracking ads, based on e.g. IP geolocation. But they don't like that because it's not as targeted as before the EU laws.

      • jolmg 8 days ago |
        > I see constantly banners on sites that set tracking cookies by default, and delete them if you reject them in the banner (or even worse, not delete them at all!) – this is not compliant as the cookies were set before consent was given

        Depends on what you consider to be "cookies were set". I think it's a valid argument that cookies aren't set until a "Set-Cookie" HTTP header is sent to the server. The banner is just a form to decide whether or not to set the cookies prior to actually doing so. The banner switches aren't the cookies themselves.

        • mpeg 4 days ago |
          What I mean is a lot of sites will add tracking cookies like say through a google analytics tag before the user has actually accepted them.

          Then, if the user clicks to reject cookies in the banner they remove the tracking cookies etc – but this is not compliant since if the user takes no action they are being tracked by default.

          • jolmg 4 days ago |
            Oh. Then I agree.
    • bawolff 8 days ago |
      > The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.

      Would there exist any other method of implementing it that would be substantially different? Its hard to imagine. I suppose they could implement it by not having tracking cookies.

      I think the ideal situation is that people could just set it as a browser preference and be done with it. Oh wait they already can.

      • GJim 8 days ago |
        Setting a browser preference is not giving explicit opt-in informed consent to handle my personal data (for that is what this is about) on a case by case basis.

        That is what the law requires.

        Blame the unnecessary gathering of personal data (and think about why they want it!), not the 'cookie law'.

      • dspillett 8 days ago |
        It is more than about using cookies, despite the regulations being informally called cookie laws, any tracking and storage of PII is covered.

        > Would there exist any other method of implementing it that would be substantially different?

        A checkbox or button, anywhere on the page, that you can click to opt-in or ignore to not op-in. Once clicked the site/app has consent to track that consent, so the box can stay ticked (or be moved out of the way entirely as long as a way to retract consent is easily available, perhaps via an obvious link in page footers). Done. Informed consent implemented in a way that doesn't irritate any user (those that care either way, and those that don't care at all).

        They could even include a short bit of text begging people to opt in because it helps their site/app make more money from advertisers, without going as far as a pop-over or otherwise wasting a large portion of screen space.

        > Its hard to imagine.

        For those with very little imagination, perhaps.

        > … ideal situation is that people … set … a browser preference …. Oh wait they already can.

        Only with regard to cookies, and perhaps other local storage, which as I stated at the top is not at all the whole matter. And even within those limitations those options are rather ineffective against the experienced stalkers that the advertising industry consists of, because they can and will simply ignore things like DNT and will work around cookie/localstorage/other blocks using various other fingerprinting tricks.

        • Ylpertnodi 8 days ago |
          >A checkbox or button, anywhere on the page, that you can click to opt-in or ignore to not op-in.

          How about no click to opt out, and a click to opt in?

          • dspillett 7 days ago |
            That is essentially what I said, the default state being opted-out rather than there being an in/out/unknown tri-state, so my "ignore" and your "no click" are the same [in]action.
    • GJim 8 days ago |
      > I am kind of frustrated by the widespread misunderstandings in this thread.

      SV and the advertising industry thrives on those misunderstandings.

      Put simply, there is no need for "cookie banners" unless those cookies are being used to track or personally identify me (hello advertisers!), in which case, I need to give my opt-in informed consent to allow this; and so I should.

      Hardly surprising SV and the advertising industry campaigns against "cookie banners", rather than their own unethical trading in personal data without consent.

      • ryandrake 8 days ago |
        Silicon Valley in general has a huge problem understanding consent. If the world was a night club, "Silicon Valley" would be that creepy guy who goes up to everyone saying "You're dancing with me now, unless you opt out [Yes | Ask again later]."
    • weberer 8 days ago |
      I am informed and chose "No" each time. Why do EU lawmakers not allow me to automatically say no? All they have to do is add a line to the law enforcing companies to respect the DNT or GPC header.

      https://en.wikipedia.org/wiki/Do_Not_Track

      • daveoc64 8 days ago |
        Tracking isn't the only thing that the law covers.
      • crote 8 days ago |
        > Why do EU lawmakers not allow me to automatically say no?

        What do you mean? There is no law banning companies from honoring a DNT header, companies just choose not to do so. The law already allows it, it just doesn't mandate it.

        • weberer 8 days ago |
          >What do you mean? ... The law already allows it, it just doesn't mandate it.

          That's exactly what I meant by:

          >All they have to do is add a line to the law enforcing companies to respect the DNT or GPC header.

          • sangnoir 8 days ago |
            Microsoft, in its eagerness to hit Google's revenue, universally set DNT on its browser of the day, which muddied the water on informed consent, and gave Google and other trackers an excuse not to respect it, since it wasn't technically the user requesting not to be tracked, but Microsoft.
    • pickledoyster 8 days ago |
      Yes. It's not the regulation but the misguided implementation that's to blame.

      Sites and cookie banner plugins could just accept DNT signals from browsers and no productivity would be lost.

      • randomdata 8 days ago |
        DNT does not provide informed consent. It may, if set to not track, imply denial, but the reverse is not true. If DNT is accepting or unset, the site needs to fall back to the banner to get consent. And at that point you may as well prompt everyone with the banner instead of complicating the codebase with extra logic for a DNT edge case.
        • ben_w 8 days ago |
          Mm.

          For existing privacy options — location, microphone, camera — Safari on iOS has the options of "ask"/"deny"/"allow".

          I wouldn't be surprised by legislation for a Do Not Track option in DMA designed Gatekeepers' browsers, defaulting to "ask", where all three options must be handled accordingly by websites.

          "Ask" would also have to be the default behaviour when no preference is transmitted.

          • randomdata 8 days ago |
            Again, as the law in question requires informed consent, "allow" and "ask" end up being the same thing. A new DNT law as you propose would contradict the other law of which we speak.
            • Ntrails 8 days ago |
              Informed generalised denial could be accepted and no cookie banner shown surely?

              In much the same way no banner is required if no cookie is being set.

        • account42 8 days ago |
          I doubt there would be any concerns with "complicating the codebase" (really?) if there was a Yes-Track header that gave consent but no negative signal.
          • randomdata 8 days ago |
            There is a "Yes-Track" header – DNT: 0

            Granted, you can't legally use it like that where EU laws apply, per the GDPR. Hence the complaints about the GDPR you see in other comments.

            • smolder 8 days ago |
              It's not really a Yes Track if it's simply absent. The user hasn't requested to be tracked. I'm not even sure with it set to 0 that you can assume that intent. I guess it would depend on the browsers behavior, but as you say the law is not compatible with that use.
              • randomdata 8 days ago |
                According to the specification,

                DNT: 0 = Yes, track me.

                DNT: 1 = No, do not track me.

                > I'm not even sure with it set to 0 that you can assume that intent.

                That's the problem. Someone not paying attention might inadvertently set DNT: 0, which is why the law is written the way it is. But at the same time we have techies who knowingly and carefully set such values and want the service to acknowledge it, contrary to the law. Hence the contention.

      • secondcoming 8 days ago |
        There is a new signal, GPC, that does the same thing and has been blessed by the advertising industry.

        [0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Se...

        • JimDabell 8 days ago |
          > Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

          I tried looking at the various browser standards positions, and as far as I can see, nobody has even asked Blink or WebKit if they are interested in supporting it. Is there any movement on this at all? The official website says that it’s part of “several major browsers”, but this seems dishonest when the biggest browser that supports it is Firefox with ~2.5% market share and no actual major browser seems to be aware of its existence.

          • secondcoming 8 days ago |
            There's movement from the Internet Advertising Bureau, they explicitly say that this signal must be adhered to if the header is present, and this signal must be forwarded to Demand Side Platforms.
            • JimDabell 8 days ago |
              I mean is there any movement in getting major browsers to adopt this?

              Normally when a spec. like this is written that needs adoption from web browsers, an explainer is written and then the major rendering engines are asked for their feedback. For instance, here’s an explainer:

              https://github.com/krgovind/first-party-sets

              Here’s where WebKit was asked for their position on it:

              https://github.com/WebKit/standards-positions/issues/93

              Here’s where Mozilla was asked for their position on it:

              https://github.com/mozilla/standards-positions/issues/350

              Here’s the process Blink goes through to get a new feature like this going:

              https://www.chromium.org/blink/launching-features/

              I tried to find where this was done for GPC and couldn’t find anything. Did they just write a spec. and not bother doing any of the work involved in getting it adopted? Or is there progress being made that I didn’t see? Hence my question: Is there any movement on this at all? Or is the process of getting it adopted by Blink and WebKit at absolute zero?

              • secondcoming 8 days ago |
                I have no idea about browser adoption. I’m just aware of adtech’s requirements around it.
    • egorfine 8 days ago |
      > does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.

      Good luck explaining alternative technology to the lawyers and then to the lawyers of the other party in court should the need arise, and then to the judge. While you are technically 100% right, I believe you will have a truly hard time implementing anything other than the cookie banners.

    • scotty79 8 days ago |
      > Laws are best when they are abstract ...

      Laws are only as good as their real world consequences.

      • zelphirkalt 8 days ago |
        There is a kernel of truth in that, but lets not forget, that laws alone don't have any consequences. It is the willingness to force people to comply with the law, that has the actual consequences. If our judges and governments and forces in general are not willing to pursue violations of the law, then we can have any law we want, it still won't matter. We do need more law enforcement on GDPR! A lot more.
        • scotty79 8 days ago |
          > laws alone don't have any consequences

          That's a very weird claim about something that the whole purpose of is to have at least some consequences.

    • scotty79 8 days ago |
      > You cannot have an informed case-by-case decision without spending time.

      Forcing me to make an informed decision where I don't care about the result is the one of the major ways of wasting my time.

      If you wanted to create a good law about this you should make it so I only have to make a case-by-case decision if I care about my privacy (as it's currently exploited) and do nothing if I don't.

      • GJim 8 days ago |
        > Forcing me to make an informed decision where I don't care about the result

        The UK and EU have decided _society_ cares, about the dangers due to unregulated sharing of personal data; hence the law requires informed consent to do this.

        If _you_ don't care, then that is your prerogative.

      • dspillett 8 days ago |
        > Forcing me to make an informed decision where I don't care

        The laws do not force that. Informed consent before tracking could be implemented other ways, perhaps even more easily.

        The companies choose to force you to make the decision, rather than making it something you could choose to click or choose to ignore, because forcing that increases the chance that people who do care will accidentally opt-in and people who don't care will get irritated and (as is evident in places in this thread) incorrectly blame the law.

        The companies make a point of inconveniencing people like you who don't care, so they can weaponise you against those of us who do. The companies are doing this to you, not the law.

        • scotty79 8 days ago |
          Companies want to track me. I want companies to track me.

          So what's the source of the friction if not law itself or its direct consequences?

          I think other parties try to force me to care when I don't by introducing all that friction.

          There's a talk about DNT. What's the reason no browser has "Please do track me and do whatever you wish with the data you manage to gather."?

          I think it would be quite popular. So it's probably prevented by the law itself.

          • dspillett 7 days ago |
            > Companies want to track me. I want companies to track me.

            If you actively _want_ companies to track you, then you take an unusual position.

            > So what's the source of the friction

            The right to privacy if you want it. Someone wanting to let people to follow you around should not override the preference of those who would prefer not. The "why should I care that other people care" argument is very similar to those who argue against smoking restrictions (or seatbelt requirements, and so on) because "it should be our choice" without thinking about the potential consequences to others.

            > if not law itself or its direct consequences?

            The source of friction is how the complaints have chosen to interpret the law. They have chosen to do this in a way that causes maximum inconvenience to anyone who want is protections (many are actually in direct contravention of the rules, despite their claims otherwise, but let's for a moment ignore that companies are actively breaking the law). That it also inconveniences people who want to be tracked is a desired sideeffect as it means those people are weaponised in ad-tech's favour in discussions about such matters.

            > I think other parties try to force me to care when I don't by introducing all that friction.

            As well as the binary "your choice" vs "my choice" that completely ignores those who have not yet stated there preference, have not yet decided, or do not yet even know there is a choice, or are just passing by. This is why active consent should be the default requirement.

            > There's a talk about DNT. What's the reason no browser has…

            Your premise is incorrect: Some browsers do. It doesn't work because companies ignore it. It is not in the laws that they shouldn't ignore it because ad-tech and their lobbyists successfully campaigned against that being in the legislation. Again: ad-tech is the reason for your inconvenience, not other people's preference not to be tracked.

            Part of the issue is that there is a conflict of interests in done quarters, with makers of browsers also being part of the ad-tech stalking business, another place the effects of this are seen is in changes that prevent us choosing to actively block being tracked because we can't express it choice more passively because DNT is ignored.

            > I think it would be quite popular.

            We very much agree there.

            > So it's probably prevented by the law itself

            It is not. Show me anywhere in the current legislation where UAs implementing a DNT flag (which, I say again, some do) or ad-hoc tech respecting such a flag is prevented (either directly, or by accidental interaction between rules).

            How about an alternative: have a one-click "track me if you want" flag? (Of course it would be terribly naive to think companies would not also just ignore that and track when it isn't set at thier convenience).

            • scotty79 7 days ago |
              > Some browsers do.

              Which browsers?

              > How about an alternative: have a one-click "track me if you want" flag?

              That's exactly what I was asking for. It should exist. My theory why it doesn't is that it wouldn't constitute informed case by case consent. So it's illegal.

              > Of course it would be terribly naive to think companies would not also just ignore that and track when it isn't set at their convenience

              I don't care about that because I want to be tracked, just silently.

              If I were to design law I wouldn't ban tracking. I would make sites that do track make the information they have on "me" available to me for viewing and possibly editing at my request.

              It wouldn't be even "cookie law" because whatever information you tie and store to whatever identity should be available to this identity.

              • dspillett 5 days ago |
                > Which browsers?

                Quite a few: https://caniuse.com/do-not-track

                Unfortunately the spec is official deprecated, rather than just ignored by sites, because without any regulatory weight it, well, would forever just be ignored by those who want to ignore it.

                > I would make sites that do track make the information they have on "me" available to me for viewing and possibly editing at my request.

                So, GDPR? That is not a cookie law but governs the tracking of PII, including the right to be given a report of what is stored about you and the right to be forgotten¹. Though it isn't finer grained than that: you can have yourself removed entirely and request corrections, but it does not prescribe any option for more selective deleting.

                ----

                [1] except where that would impinge on other regulation, for instance in industries my day job services companies have to keep certain details of people for certain lengths of time (indefinitely for those associated with selling pensions, for instance) for dealing with complaints and other regulator matters in the long term.

                • scotty79 5 days ago |
                  > https://caniuse.com/do-not-track

                  Oh. I think we have a misunderstanding. I thought you knew some browsers that support some sort of please-do-track-me-quietly.

                  > So, GDPR?

                  Right but about all data and all identities. You believe that holder of cookie <guid> likes cats? If my browser holds that cookie you should be forced by law to offer UI where I can see the preference for cats and possibly change it or delete it.

    • shadowgovt 8 days ago |
      Which is fine, but as an individual I'd just rather auto-click "accept all" and go on with my life. Be nice if that could be done without the button.

      If I don't want to be informed, there should be a way for me to signal my willingness to participate in uninformed consent.

    • brookst 8 days ago |
      I partly agree but feel you’ve conflated a few things:

      - Laws are best when abstract. This is true. Laws work best when they cover a class of behavior, not specific behaviors.

      - Requiring informed consent is good. This I disagree with with because it is a hard to measure outcome. Abstract, yes, but to the point where nobody knows what it means. The only way to meet this in spirit is to go so far overboard that nobody can ever say you didn’t try hard enough.

      - Mandating that huge populations spend time to make informed case by case decisions. This is like mandating pi=3. As soon as this became the goal the whole enterprise was doomed. The only way this happens is with notaries and witnesses , which is far too heavy a burden for visiting a website.

      The whole thing is noble intent, but disproportionate to the problem and not aligned with the putative goals.

      Regulation can be good, and it should be abstract, but it cannot mandate abstract outcomes. Imagine if speed limit signs said “speed limit: optimized balance of reduced time to destination and net cost of carbon emissions and amortized risk of accidents”

      • skydhash 8 days ago |
        I’d say the ability to have speed limits is the regulation. How it’s implemented vary depending on the road. Regulations should be abstract so that the implementation can be sensible and adaptive to the context.

        And everyone knows what “informed consent to tracking”. If you’re building something, you know when you intrude on your users’ privacy. But everyone chose forgiveness instead of permission, and now I throwing a fit when the latter is required.

      • close04 8 days ago |
        > nobody knows what it means

        The definition of consent is provided here. [0] There are clear application guidelines. To me it takes being intentionally obtuse or malicious in the interpretation when reading the text to come to the conclusion "I don't know what it means so I'll do the thing that benefits me".

        Imagine blowing through a stop sign and trying to explain that you don't know what it means, the Earth is moving so you could never really be in compliance. You're not wrong but it's clear that your incompliance doesn't come from a place of honest misunderstanding.

        > Mandating that huge populations spend time to make informed case by case decisions

        It's mandating that the user is given the tools to provide informed consent, not that they must use them properly. If you need to know what it means, the text is clear. If not and never needed to read it, it's easy to conclude it's hard, impossible even.

        [0] https://gdpr.eu/article-4-definitions/#:~:text=%E2%80%98-,co...

      • uniqueuid 8 days ago |
        Sure I find it reasonable to disagree on these points.

        I personally find informed consent to be a very desirable thing, because it aims at the goal of legislation, not at the means. If you think that citizens cannot, should not, or should not be required to profoundly understand what is happening to them in digital contexts, that's a specific point of view. From this you evaluate the trade-offs.

        My personal (humanistic) perspective is that a profound understanding and practical control over our digital lives are the prerequisite for dignity, which is the ultimate goal of a state.

        • brookst 8 days ago |
          That's really well put.

          > If you think that citizens cannot, should not, or should not be required to profoundly understand what is happening to them in digital contexts, that's a specific point of view.

          Yes, that is what I believe. Most especially the "required" word. I do believe they should be allowed, empowered, encouraged, and enabled to understand those things, but I do not think it is a good requirement.

          IMO people also have a right to not care about this. At their peril, perhaps, but who am I to tell someone that they may not use digital tools unless they commit to this understanding?

    • ApolloFortyNine 8 days ago |
      >Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities.

      Couldn't disagree more, people (and even companies) have a right to know if they're breaking the law. Broad laws just make everyone (potentially) guilty. It's ripe for abuse and corruption.

      • uniqueuid 8 days ago |
        This is not what I meant. Laws are made concrete and understandable through either case law (harder for citizens to anticipate IMO) or through statutory interpretation in civic law traditions. Both (eventually) offer a clear understanding of the meaning and scope of a law.
    • GardenLetter27 8 days ago |
      Such basic functionality as cookies shouldn't need explicit consent. The consent is you navigated to the webpage, if you don't like it you can use a browser that doesn't set cookies.
      • vundercind 8 days ago |
        Tracking people with cookies is the part that requires consent.

        Setting cookies that aren’t used to track people, doesn’t require consent.

        The consent is for tracking that happens to use cookies, not for cookies themselves.

        • GardenLetter27 8 days ago |
          But you can configure all that client-side anyway.

          You choose what you save on your computer and send in responses, not the server sending you the HTML.

          The current situation is absurd, the EU just doesn't understand technology.

          • TheCoelacanth 8 days ago |
            Tracking is not configurable client-side. Blocking cookies is not sufficient to prevent tracking. Is it the EU that doesn't understand technology or you?
      • happymellon 8 days ago |
        Me navigating to a webpage is far from consent.

        How do I even know that you want to try and farm my personal data until I go there?

        Perhaps you should put a click through gateway that states that "proceeding on to this website will sell your personal information to spammy, scummy advertising".

        • GardenLetter27 8 days ago |
          Setting a cookie isn't farming personal data.

          You can configure your web browser to only send first-party cookies back and never set others. Or configure a subset of domains.

          If you're worried about it you should be doing that anyway, since the cookies could be set despite the pop-up (or some websites might ignore the consent pop-up requirement entirely).

          • happymellon 8 days ago |
            Consent isn't required for setting a cookie.

            You don't appear to know what the regulation is. The "cookie banner" isn't even about setting cookies, its data sharing.

    • marcosdumay 8 days ago |
      > You cannot have an informed case-by-case decision without spending time.

      No, that's bullshit. Nobody is after case-by-case decisions.

      People are under DoS attacks from corporations throwing single-sided contracts into them until they make a mistake and accept something.

      Those boxes are just that, harassment, done in the hope people will pay them to go away.

    • GardenLetter27 8 days ago |
      But you're the one saving and sending the cookies anyway - not the website.

      If you don't want to send some of them, then just configure your client not to do that.

      It's bizarre that the onus is put on the websites themselves to request consent before requesting that the client sets the cookies.

      • TheCoelacanth 8 days ago |
        The law isn't about cookies; it's about tracking regardless of the technical means used to implement it.
    • Rattled 8 days ago |
      Some of the most intrusive cookie banners I've seen are on EU institutional websites. If they can't find a way to provide access to information without pages of consent boxes what hope have the rest of us. The law came ten years too late and focused on a narrow technical step rather than the privacy goals directly.
    • franga2000 8 days ago |
      No user wants informed case-by-case decisions, we want to not be tracked. Making this a question that needs to be explicitly answered was already a bastardisation of the original intent of privacy legislation. A competent legislator would've required a user agent level option (like a more advanced version of DNT) that can be set globally and overriden per site. This could be written vaguely enough to not require patching as technology changes.

      And even if we wanted case-by-case consent, a standardised format and actually enforced rules against coerced consent would've also been quite easy to do.

  • yakcyll 8 days ago |
    The title originally claimed 575M hours spent every year by Europeans on cookie banners. That's 12 seconds on average a day per person. Hardly anything to complain about.
    • oasisaimlessly 8 days ago |
      An alternative interpretation:

      "575M hours spent every year by Europeans" = 850 average human lifespans per year

      Cookie banners in Europe have an effect vaguely comparable to "wasting" 850 human lives per year.

      • kalaksi 8 days ago |
        You can use similar big scary numbers and words for a lot of much worse and more time consuming things.
  • indulona 8 days ago |
    we have fought 20 years to get rid of popups, then EU comes in and shits all over the internet.
    • dspillett 8 days ago |
      Nope. Companies, especially ad-tech and other stalkers and the sites/apps who use their services, are doing the shitting.

      Nothing in the relevant regulations, from the EU, California, or anywhere else, in any way mandates the inconvenience that these companies are creating for you.

      • indulona 6 days ago |
        well, technically you are correct, since the consent is required only for non-essential cookies. which means third party / tracking cookies.
  • Gys 8 days ago |
    The numbers are much lower I think, at least nowadays.

    > On average, a user visits about 100 websites per month, totaling 1,200 websites per year.

    The number of 100 websites per month is pulled out of thin air. Following the links it seems to be based on the number of web PAGES visited DAILY by Americans in 2007.

    In my anecdata most people are online a lot but mostly in just a few apps and websites.

    So I guess all numbers in the article should be much much lower.

  • sensanaty 8 days ago |
    And how much time is wasted clicking away mailing list banners, popup ads, trying to parse the real download button on a page, watching through unskippable video ads, trying to decipher which part of a website is the article vs an ad etc?
  • devilmoon 8 days ago |
    So, about 1 and a half hours per European every year? That's pretty good to avoid gifting my data to adtech shitheads
  • cameldrv 8 days ago |
    Think about this: Cookie banners are only a small part of how bad UI wastes people's time. Computers could be so much more useful if more care was put into UI for widely used applications and OSes.
  • bogeholm 8 days ago |
    It’s interesting to consider the opportunity cost of these 1.42 hours/year, which the study completely misses.

    What would I have contributed to my GDP in the 5 seconds it took to ‘Reject all’ on Reddit?

  • satokausi 8 days ago |
    This calculation somehow assumes that clicking banners on your free time equals lost money in terms of production.

    If the average time for toilet visits per day is 12 minutes, we are losing 89.8 million hours a day collectively across Europe, and continuing the same logic in as in the article, with 25€/h this sums to 5% of EU GDP being spent down the drain.

    Maybe we should focus efforts on a productivity programme to ban bathroom visits?

    • elric 8 days ago |
      That's very much apples and oranges. One is a biological necessity, while the other is a consequence of surveillance capitalism.
    • hmmm-i-wonder 8 days ago |
      There are a few assumptions there that make me scratch my head

      1. the general 'utility' of informing users about cookies (or giving them the opportunity) and getting 'consent' is completely ignored. 2. The time spent is assumed to be 'working' productive time, not leisure time 3. They ignore the existence of tools that automate these (auto accept/reject)

      At this point, why not calculate the 'economic costs' of every activity we do outside of work? I imagine reading and watching TV and movies would have massive productivity hits...

  • ordu 8 days ago |
    I'm not sure I can accept their calculations. For example, I use "I do not care about cookies" + "Cookie AutoDelete". The first one claims it accepts only necessary cookies, closing or hiding all banners, while the second deletes all cookies when I leave the site.

    I spend ~0sec on these banners. How many are there people like me? The authors say nothing about this solution and it seems to me that they are not aware of the possibility of the automation. They just assume that each banner costs 5 seconds.

    Why 5 seconds? It is an eternity, to pick "reject" and click on it would take 0.5 seconds or so, wouldn't it? Yeah, I know, there are sites that do not allow just reject all and force you to uncheck a several dozen of checkboxes one by one, but these sites eat much more time than 5 seconds, it is more like 50 seconds. Maybe 5 seconds is an average value across all sites? But how it was calculated?

    But I agree, that the situation is stupid. It would be better to have a standard API common for all sites, that will allow addons to accept and reject cookies based on the user settings.

  • illiac786 8 days ago |
    To the companies out there with shitty cookie banners: just stop tracking. No more banner, no annoyed users, better engagement of your end users.
  • diffeomorphism 8 days ago |
    Short reality check. Browsers support default "no" since forever. The websites just refuse to accept it and insist on wasting your time out of spite.

    So modest proposal: Make these websites pay 575€ million/year for wasting citizens' time or have them accept that "no" means "no".

  • ApolloFortyNine 8 days ago |
    Lots of people here saying the banners are simply unnecessary, but with untargeted advertising paying over 90% less, it simply is necessary for any website with ads.

    If you got told tomorrow you had to start every conversation with "are you okay if I remember this" or you lose 90% of your salary, guess what you'd do.

  • atoav 8 days ago |
    It is literally that meme where the guy pushes a stick into the spokes of his own bicycle only to blame others.

    You don't need to ask people for their consent if you do not store personal data client side to track them. There are clear definitions what is personal and what isn't, you can store cookies for legitimate reasons which are also clearly outlined.

    So if you don't want to ask for consent, you can avoid that by not doing things that require it.

  • tim333 7 days ago |
    I wonder if anyone surveyed Europeans to see if they want the things? I get them in the UK and would be happier without them myself.