The EU legislation that mandated cookie consent popups has to take some “credit” for this state of affairs though. Custom cookie-consent UI per website has limitations.
After years of experiencing cookie popup hell, I’d say that a better way forward would be allowing users to configure their browsers to automatically communicate cookie preferences and consent, but regulators would have to work with the tech industry to make that happen.
And meanwhile companies will keep inventing workarounds like FLoC to track users without cookies.
> After years of experiencing cookie popup hell, I’d say that a better way forward would be allowing users to configure their browsers to automatically communicate cookie preferences and consent, but regulators would have to work with the tech industry to make that happen.
We tried that once before. Advertisers joined the board investigating making the "Do Not Track" header have legal weight, as an apparent sign of good faith, and then murdered it with endless bureaucracy that went nowhere.
We're trying again with the Global Privacy Control headers [0], and I fully expect the same thing to happen again.
What level of awareness do you think the "majority of people" have about the implications of online tracking, of detailed behavioral profiling, of biased algorithmic influences on all online information experience etc.?
Somehow this particular industry can get away with standards and regulations that for any other industry would be the wildest dream of deregulatory heist.
The "innovation" shtick has worn thin, it's time to clean up the mess.
Apple's App Tracking Transparency (if that's what you're referring to, as opposed to Intelligent Tracking Prevention) doesn't even default to anything. It asks you and gives you two equally-prominent options, but indeed even in that case the acceptance rate is still just 4% which I assume is either misclicks or ad-tech people.
> a better way forward would be allowing users to configure their browsers to automatically communicate cookie preferences and consent
Yes. I should only have to say once (or better still not at all) that I don't want to be tracked, and then it would automatically apply to everything.
> regulators would have to work with the tech industry to make that happen
"work with the tech industry" sounds a bit too much like the regulators think they get what they want, but the tech industry really get what they want.
Regulators need to be able to impose a solution on an unwilling tech industry, who'll never agree to it unless forced.
> And meanwhile companies will keep inventing workarounds like FLoC to track users without cookies.
Any such workarounds need to be explicitly made illegal.
Actually, you may wish to have an "extended" experience on some websites and not on others: all cookies are not either technically essential or pure ad-junk tracking!!!
So it's sensible to allow a per-website configuration. Arguably, it would be better that this is included in the browser (like DoNotTrack was) with a configurable default (refuse all/always ask/accept all... and "always ask" ticked out of the box) and a widget showing if the website is in accept all/refuse all and allowing to change it... a bit like the uBlock extension
You can be tracked without cookies (or localstorage) trivially, it is commonplace.
You'd have to block requests to third parties. This is hard because it breaks most websites - all those that rely on CDNs. You can wade through this with a script blocker like uBlock Origin and a whitelist but you don't really know what's happening unless you investigate each domain and script.
Even then you'd still be exposed to fingerprint tracking served through the original domain passing on to a third party at the back end.
Tracking isn't fixable with technological solutions alone.
People suggesting a user-based solution to this problem are like someone suggesting “well, you should just comprehensively read the terms of service and privacy policy for every website and product you use, and if you don’t agree, don’t use the site.” It’s an absurdly naive solution at best, and downright malicious solution at worst. In any case, people who believe this should be in the hands of the user don’t give a shit about the user, either actually or practically.
It is necessary but insufficient, because otherwise tracking Safari users would never have been possible. Despite that WebKit has had to consistently devote engineering effort into making these privacy invasions impossible.
WebKit, and I think Firefox now?, had to do further work to isolate same domain cookies to specific contexts.
At the same time there is Chrome, aggressively pushing new features that often happen to add new tracking mechanisms.
Google and Facebook depend on invading user privacy, that is their primary source of income. If there is any way they can track you, they will use it.
The only solution is legal, coupled with actual enforcement.
> Dear visitor, We use analytics cookies to offer you a better browsing experience. You have the choice to refuse or accept them.
> I refuse analytics cookies
> I accept analytics cookies
https://www.echr.coe.int has a small, non-intrusive banner about at the bottom (good), but their cookie policy does say they “generate anonymous analytics such as the number of documents downloaded.” Hopefully that’s not per user — if so that’s pretty much best-practice.
But clearly there’s a lot of variation even among EU institutions in how they approach cookie prompts.
The first two have two buttons of the same size, color and prominence at the bottom of the site allowing you to accept or refuse cookies. These are not cookie popups, and they don't promote one option over the other unlike what Facebook and Google were fined for here. So I'm not sure where you see a problem with these sites?
The problem with these is the cognitive overload that comes from dealing with cookie prompts on every website you visit, aka “cookie consent popup fatigue”. Regulators need to do better.
Cookie popups such as these wouldn’t be a problem if we had a handful of websites. But they’re not helpful on the modern web with tens or even hundreds of sites visited by nontechnical or simply busy / task-focused users every day.
Please have a look at the comment chain to get context about why I brought this up. The point is that the EU’s guidance around cookie popups is part of the problem today (I know they had good intentions though).
Yes well that is exactly why they are ensuring the "NO" button is at least as large as the "yes" button. It's still not critical since the point, again, is to make them annoying to use; offering choice is secondary.
A cookie popup allowing you to easily either accept or deny (you do not need consent for truly essential cookies) is legal and the intended way to do it, so at least those first two are perfectly fine - not sure about the last one. It is not fine or legal to have a giant accept button and hide the option to refuse behind a dozen buttons like "More information" or requiring you to spend two minutes denying consent for each individual cookie provider.
Thank you, yes that’s pretty much it. Except instead of “consent modals must be legal” I’d say “consent modals must be *established practice*”.
There is in fact case law which interprets the legislation and says explicit consent is required[1] but of course it doesn’t mandate modals.
However it does note[2] that
> That decision is unaffected by whether or not the *information stored or accessed on the user’s equipment is personal data*. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
This sets a fairly high bar for getting consent for any identifier-laden cookie. So I can understand why people choose to use modals as a risk-reduction approach, and why it has become accepted practice. If you do end up in court, it’s reasonable to expect courts to consider what established practice is while formulating their judgement.
However, I do fundamentally disagree with the notion that explicit consent at the time of first visit is a good model for ordinary internet users. It was a good first effort but regulators need to do better, and strengthen ways for users to effectively pre-set their consent preferences in advance, think ‘Do Not Track’ but with teeth.
His argument is that if not even the commission, which presumably would adhere to the regulation they themselves have written, does it correctly, it suggests that the rules for cookies are different from what you claim.
There is no EU legislation that mandates cookie consent. In fact with the GDPR the old cookie-banner law that required you to inform of the usage of cookies was abolished. The cookie banners are the industry's own perverted solution to the problem of asking for consent when there is no other legal basis for processing personal information.
This way to communicate it does exist and companies can decide to respect it. (Do Not Track flag).
It's mostly the fault of companies trying everything possible to trick people into agreeing even if they don't want to and shifting blame away.
Also GDPR is not technology specific, so it doesn't matter if the company tracks you using cookies or fingerprinting. (Though there are local predecessors of GDPR which are technology specific.)
Or regulators could stop micromanaging tech as a way to extort fines and pander to the public. Let those who care go elsewhere or use browser tech (like Firefox containers) and client side solutions to control privacy. 95% of people could care less about tracking and find the cookie popups a PITA. Regulating these things is a slow whack-a-mole game resulting in very poor user experience.
Most likely true, tech companies are probably secretly lobbying for these idiotic laws which end up increasing the cost of starting competitors. Ruining the end user's experience on the web is just a side-effect, which may still help people to use apps with login into private gardens instead of browsing an open web.
Paying 200M fines is nothing if it discourages competitors from innovating and creating the next Facebook, after all.
It's a bit like what happened with VATMOSS. It was meant to hit Amazon and force them to pay VAT in each customer's country and not just in Luxembourg - and it ended up complicating the life of small e-commerces so much that they all moved to sell on Amazon instead of running their own e-commerce.