Hacker News: throwaway_sb666's comments

Honestly I think the GDPR/cookie consent providers should be held equally liable as the website owner for the collective violations facilitated by their product.

I think being able to go after the enablers and profiteers would make enforcement much easier.

An officially maintained list of legal/illegal libraries and services could help website owners to choose a known legal solution. Right now it's hard to expect website owners to 'do the right thing' when there's so much contradictory information out there.


> Honestly I think the GDPR/cookie consent providers should be held equally liable as the website owner for the collective violations facilitated by their product.

The EU is finally going after them: https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-breach...

I do hope they get sued out of existence.


If you did that, no one would be in that business lol


Is that a big loss? I can't picture anyone, outside of their employees and shareholders who would be negatively affected by TrustArc disappearing overnight. I just checked their website and it seems like their entire business is GDPR pseudo-compliance targeted at businesses who can't legitimately comply with the GDPR.


A better analogy would be if you were forced to use the toilet every time you entered a store you haven't been to previously... Just why in the world would I need to take part in such a wasteful charade?


More charitably and historically accurate, it's the result of hardcore political negotiations with the originally proposed legislation watered down due to pressure from politicians and governments influenced by lobbyists.

But yeah, the result is too complicated to be effectively enforced, sadly. So further reform is needed.


Hot take: Only way to undo past damage is to now make the cookie/consent banner illegal.


> The problem is continuous lack of enforcement

Yeah, but it's hard to enforce a law at scale when the difference between legal and illegal behavior is not obvious to a layperson. The law is too technical.

It also shouldn't have options where a user can simply allow further data collection, since this makes it hard to clearly say whether a certain practice is legal or not, since it "will depend".

This creates more friction to enforcement. If things were more clear-cut, enforcement could be automated, and you would probably see those fines roll out.

It is harder to say "this software library is illegal to use in the EU" if there are certain circumstances where it's not.


> ...the difference between legal and illegal behavior is not obvious to a layperson.

GDPR and cookie law is not hard to understand, so that excuse is a little bit lame to be honest. Besides, if you really need to understand what you must do by law, you should hire a lawyer. That's the same as with any other law.


Ok fair enough.

What I meant to say was that pressure to enforce laws only happen if there is public pressure to see the law implemented, and when the concepts are too abstract/intangible, the public disengages more easily from the issue.

Political will for improvements and funding is more likely to happen with more public support as a counter to the influence of industry lobbyists.

Public support is easier to rally when people can personally relate, or ideally share a pain point. A good candidate would be the annoying pop-up boxes. Frame them as dangerous because they increase the risk of online data and identity leaks. The solution to this threat to public security is to eliminate them by a default answer. Simple law proposal.


If the law is right, but not possible to enforce, some fixing may be needed.


IMO, the problem with GDPR is the same problem we have with a lot of European laws. There's nobody who's incentivized to enforce compliance.

If you were able to sue for GDPR violations, either on your own or in a class lawsuit, you would have an incentive to prove that the violation has indeed occurred. As long as your lawyer was working on commission, they would share that incentive.

As it stands, all you can do is file a complaint with your GDPR office and hope it makes a difference. You don't get any money from that, so hiring a lawyer to get such a complaint right is an expense you will not get reimbursed for. More importantly, the person investigating your complaint is probably on a salary, not a commission, so they don't personally care about how successful they are.

Compare that to the ADA[1], for example, where you literally get legal firms looking for disabled Americans, finding places that don't comply with the law and suing them. Enforcement was partially privatized, and the free market, as it often does, found a better and more efficient way of enforcing the law than the government could dream of.


> Enforcement was partially privatized, and the free market, as it often does, found a better and more efficient way of enforcing the law than the government could dream of.

I'm not a fan of this. You're replacing one kind of dark-pattern wielding, stain-on-underpants-of-society, predator with another!

You will spawn industries of failed lawyers going after the easy money, i.e. clueless everyday people who inadvertently misconfigured WordPress and can't afford a lawyer when they get threatened with court cases if they don't pay the extortion fees.

Just like asshole copyright lawyers under Germany's shitty jurisdiction extending their disgusting and threatening attacks on everyday citizens around Europe who dare to have a personal webpage without being experts in copyright law. As with ad-tech, also not the kind of enterprises we need to have in our society. Also wouldn't shed a tear for that industry to just die.

If you do this kind of thing you need to directly target the companies enabling the illegal behavior, not the website owners.


You can actually sue under the GDPR and get compensation.

Article 79 explicitly gives data subjects "the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation"

Article 82 states that if someone has "suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered".


The ADA is the best example of why you need to actually give a law teeth for it to be enforced, and how well it can work when you do.


Everyone and their dog who has been getting away with bad behavior is going to take that stance as a stalling tactic. It might be true, but either way it's going to have a lot of bad-faith weight behind it, so we need to make our strategy robust to that inevitability.

I'll default to skepticism but keep my mind open to proposals that are concrete and specific.



Like with drug dealers?


Yeah like instead of having them on the street, they could have a shop and you could tax them a lot and make sure people know what they are getting into.

Same with sharing personal data - maybe not a bad parallel :)


> Did we consider that if everyone is breaking the law, the law itself might need a rework?

Agreed - IMO, make cookie banners illegal and make 'minimum cookies' the default. Done?


Isn't this already the case? Does anyone actually think that you give voluntary informed consent to something by being annoyed into pressing a button?

No, if you show a cookie banner your users do not opt-in. So a cookie banner is pointless since it doesn't actually give you permission to store cookies you couldn't store before. So we already have the law, we just don't enforce it.


I agree that a cookie banner is pointless. But they are even on government websites, so obviously something has gone terribly wrong along the way (hint: lobbyism).

My thinking goes like this:

1. The law explicitly talks of requesting consent.

2. Incentives will drive actors to request additional permissions if possible (you always get some legal, can claim ignorance, etc.).

3. People get constant intrusions wasting our collective time and attention on an enormous scale.

The current law is encouraging this type of user-hostile behavior. This is stating an objective fact, since the current situation is clearly a result of the current law.

If any type of consent-banner or opt-in method is allowed, industry groups will lobby for loopholes they can use to trick users using whatever mechanism the law leaves at their disposal.

Just outright ban the use of cross-site tracking and user profiling. We don't have a societal need for this to be legal.


The most common use of “tracking” cookies is just to be able to count unique views for your site, which I think is a perfectly reasonable thing to want to do. Knowing the impact of your site is something pretty much every website producer (including governments, individuals, and businesses) wants to do.

Other examples of where cross-site tracking is useful is for preventing online payments fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.

Somewhere along the line, counting views or helping reduce fraud for customers turned into “store full demographic information about someone who never signed up for our service”, which is where everything went wrong in my mind. The cookies themselves aren’t the problem, it’s how they’re being used.


> The most common use of “tracking” cookies is just to be able to count unique views for your site, which I think is a perfectly reasonable thing to want to do.

Sure, and I don't remember if this is currently legal without need to notify/ask, but I think it should be.

As long as the tracking data is legally and technically isolated to only domains/apps/devices controlled by the same entity... Most people have the expectation that a website/business will be able to remember them across visits from the same browser.

But people will not necessarily have this expectation of being recognized across domains or different devices - indeed most people won't know it's even possible - so anything facilitating such identity/profile correlation should be considered illegal tracking by default. The specific technical method of creating the correlation should not matter. Honestly this could extend to non-web profile building as well.

The exception, of course, is if the user has self-identified by logging in.

> Other examples of where cross-site tracking is useful is for preventing online payments fraud. You have a similar IRL version of this where your bank will freeze your card if it sees purchases being made in different countries simultaneously.

True, completely agree. There are already blanket exemptions for certain uses in the GDPR and those should be extended as needed for use cases that have legitimate value. Cookie law should be changed so no need to ask/inform the user about these use cases other than in the website's privacy statement, where such tracking should be stated.

Industries handling such tracking data should be regulated and audited to ensure proper handling and use of the data. Again I think this should be applied as a broader principle, and I think for example loyalty programs should be also audited to ensure compliance with legal uses of the collected data.


> they are even on government websites

Could you give some examples please? I checked all the government websites I could think of and didn't see any.


https://gdpr.eu/cookies/ lol ;-)

https://european-union.europa.eu/

https://www.sundhed.dk/

https://www.securite-sociale.fr/

4 out of 4 in my case. May I ask which ones you checked? I'm genuinely curious, because I really don't remember seeing any official website in the EU without a cookie banner in many years.


Okay, the first two are pretty hilarious, but as far as I can tell, the first one doesn't actually set any cookies if you don't react to the banner, and the second one sets just this: "{"cm":false,"all1st":false,"closed":false}", which seems acceptable.

The other two are trickier to judge, but contain (user?) identifiers, which could certainly be used for tracking, so I'll have to concede your point.

Edit: I had to recheck some of the sites I'd previously checked, as your examples helped me realize that my browser does a lot of blocking. It turns out that just one of my examples was actually a good one: https://finlex.fi/en/

Edit2: Found others: https://www.suomi.fi/frontpage and https://vnk.fi/en/frontpage

Both actually do set cookies, but apparently nothing requiring consent.


Terve! Not surprised to see Finland slightly ahead of the curve.

I think the default is that most people, professionals included, don't understand the law and throw in the banner-spam to be on the safe side or because of outdated checklists.

I have zero problem with (edit: first-party) cookies, only with the web being a horrible UX for 95% of people, so I hope more official websites can lead the way, so that pop-ups can slowly be de-normalized in people's minds.

Edit:

> https://finlex.fi/en/

Nice find. Also:

https://oikeusministerio.fi/en/frontpage

Can they inform Denmark?

https://www.justitsministeriet.dk/


What's the definition of minimum cookies?


Necessary site functionality, without the spyware. Unfortunately, most websites are funded by spyware, so the minimum cookies to keep the internet economy running would have to include the spyware.


Disagree. Let it burn, it's the only way. (change my mind?)

This made me think of the Ukraine war, and how the sanctions may turn out to be a bigger help to the climate crisis than any political entity could muster on the basis of the impending climate snafu. Sometimes radical action is the right course of action; for democracy-(pre)serving reasons our governance systems often inhibit change unless most of the population is rallied around a specific cause, as we see with Ukraine. That is the time for radical change to happen, or democracies would never progress. End of sidetrack :)

EDIT: I mean, strong agree with "Necessary site functionality, without the spyware.", but disagree with the last part.


I was just asserting that a law that banned spyware-based advertising would harm the current website economy which is largely based around spyware. I would like to see an end to mass spying, and therefore the creation of a different kind of funding mechanism. That could indeed be brought about by law, but that seems a bit too violent to me. I think what we're missing is a better alternative.

I read an interesting article (from the mid 2000s? Will update if I can find it) arguing that microtransactions will never work due to the cognitive burden of paying for hundreds (or thousands!) of tiny things a day.

Brave's BAT seems to solve this part of the problem by automating the payments based on how much time the user spends on each site. It would require everyone to switch to Brave and use their crypto thing to make it work, so it's obviously "suboptimal".


> I was just asserting that a law that banned spyware-based advertising would harm the current website economy which is largely based around spyware.

I think that largely, the website economy is based around advertising. I honestly doubt the advertising-centered business model would disappear even if large-scale tracking did. Would it be less targeted and less efficient on a micro-level - yes probably.

But less abusive advertising would also have upsides for website owners: Privacy conscious people are increasingly blocking all ads, losing them eyeballs. Privacy friendly ads may be given a pass.

Right now it's mostly impossible for privacy-conscious people to support a website they like by looking at their ads. The adtech industry is to blame for this for data-raping people. Website owners would benefit from a sustainable advertising model, where users don't have to make the choice between not contributing financially vs. sacrificing their privacy to data leeches. All the websites crying over ad-blockers would instead be forced to use legal ad networks that don't rely on illegal tracking, and people might again be willing to look at ads for content.

Brave is an interesting take, but I think the more optimal solution is to just ban the practice of tracking and shadow-profile building. Problem solved, and I don't need to encourage people to install ad-blockers anymore.


>Would it be less targeted and less efficient on a micro-level - yes probably.

I remember reading not too long ago that tracking did not increase profits! I find that hard to believe because once the tracking gets good enough, they actually start showing me ads for things I actually might want to buy! (Imagine that!) In my experience, Facebook's ads (at least on Instagram) show me really cool things, while Google (who should know way more about me) shows me complete garbage on all its platforms (YouTube being worst of all).

Re: less abusive advertising

I'm considering making some (hopefully!) profitable web games but I'm averse to putting ads on them. After giving it some thought I realized my main objection wasn't aesthetics / UX (though that is certainly a concern when it comes to "art" -- I want my games to be beautiful and ads sort of kill the vibe there) -- my main concern was actually running strange 3rd party fingerprinting / zombie-tracker / god-knows-what. If it was just a clearly labeled affiliate link, e.g. <a><img>, that would do away with most of my concerns! (And simplify my GDPR compliance by just.. not storing anything.. and eliminate the need for those horrible banners :)

In general I'm averse to government regulations, but this might be a rare case where the alternative (rampant spying) is worse... After that, all that remains is to get the governments to ban themselves from spying too ;)


> my main concern was actually running strange 3rd party fingerprinting / zombie-tracker / god-knows-what

Exactly - I briefly looked into https://www.ethicalads.io/ but it's mostly IT related ads it seems.

> Facebook's ads (at least on Instagram) show me really cool things, while Google (who should know way more about me) shows me complete garbage

I personally remember being pretty shocked at how the Facebook like button & social login spread to everywhere and they could track you all around. Long time ago. Facebook probably knows a lot more about you than you think.


"This made me think of the Ukraine war, and how the sanctions may turn out to be a bigger help to the climate crisis than any political entity could muster on the basis of the impending climate snafu."

Huh? Here in Germany there is talk by politicians that climate policies have to stand back now and we need to rely more on the coal plants and not close them, as was planned.

I really hope that the actual solutions will be more renewables and nuclear, but I am a bit pessimistic about it.


Germany is in a very tough spot energy-wise and is the most impacted by the Russian sanctions. A lot of house heating is gas and that isn't something you can change in 6 months. So in the very short term they probably need coal to replace the gas where possible so that stockpiles can meet next winter's demand for heating.

But for medium-term, a lot of infrastructure investment will be needed. Times are such that the public will be quick to condemn investment in fossil energy, so there will be pressure to find green solutions where feasible.

The other day I saw a headline that France had stopped subsidizing gas heating installations. I don't get why it took a Russian war to do that, but apparently it did.

There have been many other such headlines. Will it matter? Probably some, maybe a lot... one can hope.

Edit: or maybe the opposite. Who knows.


Showing an ad next to a news article is not fundamental to the function of a news site, even if it's how the bills are paid. You can't degrade the experience because visitors reject cookies. So you can't do a "we'll show you the article but only if you agree to ads". And you have to make the reject-all-cookies the default choice and easier than accepting. It's pretty simple.


Those that don't require opt-out according to the law. Too lazy to look up the legal definition right now.

Edit: by law I mean the GDPR.

Edit2: Get rid of the "cookie banner law" entirely, actually make it illegal, but require easily found links to the privacy statement.


Obviously there’s no definition, but I’d say a reasonable baseline is when a user expects a stateful interaction on the stateless medium that is the web. So for example, a multistage checkout process.


As close to none as possible.


And, to make it even more precise, I would also call cookies which are for login non-essential, unless a visitor really wants to log in, meaning they navigate to the login page.

This means that by default I don't need any cookies, because I don't want to log in to most websites I visit. Only if I want to log in do I need such cookies.


...hit the nail on the head. By 'as close to none' I pretty much meant "any cookie that isn't about authentication and/or holding state of something as an authenticated user that would matter".


For each cookie present, an independent third party expert would be willing to testify that the cookie is required in order for the website to operate as the user expects.


As much as this may really damage the sector I work in, I’d cherish the clarity a stance like this could provide.

There are many businesses trying to be compliant whilst maintaining access to metrics their business depends on.

Compliance is very difficult at this time as the legal advice is shifting in different territories and there is conflicting guidance when you start to dig into it.

I'd rather see a selection of activities and tactics entirely banned/regulated rather than this directive which is clearly too open to interpretation.


Appreciate the sentiment. Policy changes will probably always hurt somebody. The expectation is that the economy will realign around new goals.

In this case it's even simpler since a software company would likely be able to develop a new product with hopefully more value to society than the vast majority of data collecting companies provide. I'm also not too afraid for tech workers being able to find other jobs, although I'm sorry for any other collateral damage.


His channel is clearly anti-CCP. He's married to a Chinese woman, and I believe genuinely loves China.


Having lived in Beijing and Shenzhen for almost 7 years, I find that where I have first hand experience his reporting is pretty accurate.

Would you mind elaborating on why you consider it bottom of the gutter grifting? Genuinely curious to hear another perspective.

