
The vast majority of people DO NOT care about cookies nor do they care about trackers.

However, there is a very real productivity loss with all the cookie prompts - both trying to implement them, getting around them, and the billions of people who have to click on them every single day.

We've got to come up with a better solution.



You’re missing the point of the article. The banner is only needed if your business relies on handing over info about the user to 3rd party. And yes, it’s reasonable to make sure user knows about it. The fact that these pop ups are annoying is the fault of the creator, not the regulation.

Try accessing Apple.com or iCloud.com. No cookie pop up, yet one of the most successful businesses in history. You don’t have to be annoying


What info? My IP address and the pages I've visited inside their site? By visiting a site I know I'm giving that info to them, they can do whatever they want with it.


Not without breaking the law.


Which is why it's a stupid law that has made everybody's lives worse, both the businesses and the users.


Why is it a stupid law? Why should businesses be free to look up the IP and figure out who is looking at their page? An IP can reveal a lot of information, especially if there's servers hanging off of it.


That's great if you're fine with it. I'm not. I don't want some shitty, 3rd rate, ad slinging company to know what websites I visited.


> What info?

Any personally identifiable information.

GDPR is not a complex law no matter how shady businesses and clueless devs are trying to tell you. It's also been in effect for 7 years. You'd think it's enough time to have at least some clue on what it's about.

And yet we still have these inane threads on HN claiming it's about cookie popups, and people having no idea what info trackers collect.


> vast majority of people DO NOT care about cookies nor do they care about trackers

I highly doubt that. Do give people simpler ways to opt-out of all tracking, and they'd happily choose that. Currently we have two problems: 1) The consent button is one click for cookies, the other is several clicks away. 2) The layman does not know how to choose a setting to always opt-out of tracking.


>We've got to come up with a better solution.

I've got an easy one for you: stop embedding google analytics and others. You don't need a cookie banner when you only have operational ones or better yet, none at all.


You can have GDPR-compliant analytics, like what Fathom does.

I also built my own analytics solution that simply shows me my blog article reads per day, week, month, and year (that is all I care about). It's a simple bit of JS that sends a request to my endpoint when the user spends 30 seconds on a page with an article. I also do some light user agent filtering (no "curl" or "python" in the agent string, for example).

I might start logging the referrer in the future to see where my traffic is coming from. However, I am very far from needing cookies or a GDPR notice. I doubt there's a need for cookies at all for most analytics. Even if you wish to track user flow in your website, you can do it with IPs (or hashed IPs to not store the actual IPs) only. An IP is unlikely to change while a user is browsing the website.

It seems to my mind that we only see so many GDPR notices because many websites use dinosaur software like Google Analytics that hasn't been keeping up with the times.


> many websites use dinosaur software like Google Analytics that hasn't been keeping up with the times

Or maybe has a conflict of interest, and its true purpose is to act as spyware on behalf of Google? Google absolutely has the skills to build a GDPR-compliant version if they wanted to.

The problem is that they aren't in the business of giving away free stuff. GA is only free because they need to give you an incentive to deploy their spyware - they'll happily let you in on (some) of the data they collect in exchange for you spreading it.


They could probably spy on users in a GDPR-compliant way. GDPR isn't about not tracking users, it is about protecting their personal data. All that analytics providers must do in principle is make sure to never associate certain types of data (phone numbers, names, addresses, and similar) to the user fingerprint they use for advertising.

As far as I understand (and I could be wrong), the cookie notices exist because analytics providers do not guarantee that this personal data won't be associated with the cookie fingerprint in their systems. Cookies themselves are only mentioned once in relation to this in the GDPR text:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

If the advertising ID/fingerprint was kept unassociated with personal data capable of identifying a natural person, there would be no need for the cookie notice in my understanding. However, I am not a lawyer.


Are you sure that out-of-the-box GA requires it? I thought the only info it recorded was anonymised.


According to the French data protection authority, "out-of-the-box" GA requires consent because they aren't anonymised: https://www.cnil.fr/en/google-analytics-and-data-transfers-h...


Well, I'm glad I don't use GA on my personal site, then, even if it means I have no idea what traffic levels it gets. GA is incredibly popular though - I would guess the vast majority of blogs etc. use it and have no consent to do so.


Even with consent and configuration, GA might be illegal in the EU. It's currently in a grey area after some latest rulings.


Don't confuse cookie laws with data laws


Anonymization (if you actually believe Google despite their conflict of interest and previous GDPR breaches) still happens on their server, so the IP address (which counts as personal data) is still transmitted there.

I guess you may actually make it truly anonymous from a GDPR point of view if you proxy all calls through your own server and strip out anything that can be used to reidentify a user - so no IP addresses, session IDs, etc.


GA collects insane amounts of data. And you might have to disable a lot of that collection manually https://support.google.com/analytics/answer/9019185?hl=en#zi...

And even then it might not be strictly compliant due to the Schrems II ruling.


At least part of the intent of the law was that websites would reduce the amount of tracking if they have to explicitly ask for consent. You can build your website with just functional cookies (session cookie, storing preferences like dark mode, etc) and cookie-less tracking, and go without any cookie popups.

Somehow the industry decided it's better to annoy your users with consent for 50 different trackers with the most in-your-face popup possible to cause users to reflexively hit consent instead.


> Somehow the industry decided it's better to annoy your users with consent for 50 different trackers with the most in-your-face popup possible to cause users to reflexively hit consent instead.

GDPR actually has provisions against this kind of malicious compliance - the problem is a chronic lack of enforcement, despite it being trivial to detect with a web crawler.


Of course the simple solution that we all know is to not collect the damn data in the first place. But marketing boffins the world over will never willingly do this unless it’s enforced by law, so we’re left with the users taking on the burden of clicking deliberately confusing stuff and not knowing whether they’ve ended up consenting or not.


Also accepting them cookies is one single click but rejecting them feels like entering the dark realm with multiple options and not knowing where to click. I am a software dev but still have to use just enough mental resources to reject all of the non essential ones. How the fuck is this legal.


It's not legal. It's just not rigorously enforced.

It was promised that things get better with the proposed ePrivacy regulation. Let's see.


It is not legal for websites to make rejecting cookies more complicated than accepting them.

In fact, the French data protection authority CNIL has issued orders to around sixty players that do not make refusing cookies as easy as accepting them. They have also fined companies such as Google and Facebook for making it harder to reject cookies than to accept them. The CNIL has ordered these companies to provide a means of refusing cookies as simple as the existing means of accepting them.

Also, under GDPR, it is not legal for websites to make rejecting cookies more complicated than accepting them. In May 2020, the EU updated its GDPR guidance to clarify that cookie walls do not offer users a genuine choice because if you reject cookies you’re blocked from accessing content. It confirms that cookie walls should not be used. Companies such as Google have introduced new options to reject tracking cookies in Europe after their existing dialog boxes were found to be in violation of EU data laws.

Now what I don't know is if users outside of EU get the evil-twin version of those popups when visiting websites. My experience browsing the www is just not as bad as many people describe because I usually get a "reject all" button or when "managing" the cookies, they are all disabled by default and I can simply save the options.


People are definitely aware of them. The trouble lies with how easy opting-out is. Many websites have included options to just opt for the "compulsory" option. The only concern now is how many of them would willingly provide that option.


Most don't even know what the hell a cookie is or any of the shit in those prompts.


I mean Gen-Z barely knows what an operating system is.


Most people do not care because they don't really see/understand how it affects them. Just like most people probably don't care about HVAC regulation, welding regulation for systems under pressure and other very technical fields.

They will see the issue and care about it when something happens. We have a lot of regulation about welding under high pressure because we know from experience what happens when we have no rules (things go boom).

What happens when we have no regulation about trackers? We get massive data leaks from poorly secured data hoarding companies (hello Equifax). This is dangerous in many many ways: Identity theft, scam & spam, identifying people with certain political views, from a minority of some sort, etc... GDPR does not solve all these issues, some companies can still hoard massive amounts of data about you (it is always scary to ask for a data extraction from Meta, Twitter, ... and see how you have a "profile") and have bad security, but it does limit how many hands this data circulates through and how easy it is to gain access to.


The author states this:

> To make this very clear: user/visitor consent is only needed for data going to 3rd parties. All cookie laws, including GDPR and CCPA, allow essential first-party cookies to be exempt from collecting user consent before performing their actions. So your session tracking cookie on your site DOES NOT need a consent popup AT ALL.

Most consent dialogs can be avoided, were it not that the surveillance capitalist services need your data, and shove these dialogs full of deceptive design in your face. In hopes to have as many people as possible complain about the regulations, and use that pressure to lobby them away again.


That's completely false though. Tracking your users without consent is still not allowed, even if you store the data on your own servers.


My bank doesn't use 3rd party cookies, but they have a modal wall you have to click through anyway that explains that they DO NOT use cookies.

This is insanity. Their explanation is that users are so accustomed to these cookie walls that a site without one would feel suspicious and unsafe.

I very much blame the EU on this, because the EU policy has solved NOTHING, tracking still happens just as before, except now users just have to go through more friction. Of course I am also pissed at the websites and entities that sell my data, but that is irrelevant to my gripe with the EU.


Businesses: want to track users and collect their data with reckless abandon

Businesses: implement rampant dark patterns to trick people into accepting tracking and data collection

Businesses: flood the internet with inane, obnoxious and blatantly illegal cookie dialogs

...

4ad: I blame the EU

(Hint: show me where GDPR says anything about cookies)


Superficially, the banners appeared due to how the law was made and how it's implemented. The noble intention is one thing and the pragmatic reality is another.

It's correct to blame the businesses for creating the banners but also unfair to treat the matter as if the businesses and the EU are on a level playing field. The EU makes laws - it has cheat codes to achieve what it wants.

It's like defensive driving. You may not be at fault if someone crashes into you but you may have had the power to prevent it.


> Superficially, the banners appeared due to how the law was made

So stop being superficial and read this 7-year-old law. I wonder if you could point me to where it talks about cookie banners.


And yet it's been 7 years and the banners still exist.


Because the industry doesn't want to give up on tracking and siphoning user data.


7 years of complaining about it hasn't changed that. Do you think another 7 years will be more effective?

Alternatively, the EU could change the laws. Or enforce the existing ones.


> 7 years of complaining about it hasn't changed that.

Funny how "7 years of complaining" was, and continues to be, only about the EU. Not about the predatory businesses creating these banners (often in direct violation of GDPR).

> Or enforce the existing ones.

That's definitely the biggest criticism you can level at EU: they are too slow in enforcing this.

I think the tide is very slowly changing. First they started showing reject buttons https://noyb.eu/en/where-did-all-reject-buttons-come There's a report on the cookie banners in the works: https://noyb.eu/en/data-protection-authorities-support-noybs... etc.



I will admit that there's also a slowly growing understanding of where the cookie banners come from, so it's not "100% blame the EU".

This comment from one of the linked discussions sums it up well: https://news.ycombinator.com/item?id=29529190


I blame the businesses for destroying the social fabric of the internet, and I simultaneously blame the EU for implementing pointless regulations that do not solve the first problem while making life miserable for its subjects.


Businesses: destroy the social fabric of the internet

Regulation, literally: do not collect people's data without their consent if you don't require that data for services you provide. Applies in equal measure to websites, banks, grocery stores, shit processing plants and nuclear power stations.

...

4ad: I still blame the EU, and it's a pointless regulation.

Edit: This comment really says it much better: https://news.ycombinator.com/item?id=35567507


You seem to think that the EU should be immune from criticism because it tries to do the right thing.

No, when politicians make things worse and absolutely don't solve any problem they promised they will solve then they should be held accountable, removed from positions of power, and replaced with competent people who write better regulation.

Edit to your edit: indeed, the EU is mostly about making people miserable while convincing them it's actually better for them.


> You seem to think that the EU should be immune from criticism

No it shouldn't. But it should be criticism and not blaming it for what is 100% the responsibility of the business.

> the EU is mostly about making people miserable while convincing them it's actually better for them.

See, this is not criticism. This is emotionally-charged whining and demagoguery


Most internet businesses need tracking to survive, so it's more like either you click past a cookie banner or you don't get to see the content at all.


> Most internet businesses need tracking to survive

Most criminal gangs need to steal/rob/etc to survive too.


> Most internet businesses need tracking to survive

Of course they don't.


Is he right though? I work with affiliate people a lot, and they hate cookie-consent popups. Even when you do all your analytics inhouse with self-hosted matomo, if you want to use a cookie, you need consent is what the lawyers say unanimously. And these aren't "we want you to ask for consent because we secretly want more privacy" lawyers, these are "I get paid to find a way for you to do your tracking in the easiest way possible and I don't care about privacy" lawyers.

Maybe they're all wrong, but I have doubts.


> Even when you do all your analytics inhouse with self-hosted matomo, if you want to use a cookie, you need consent is what the lawyers say unanimously

If you use a cookie for Matomo tracking then yes, you need consent. You are using a cookie for a non essential service (analytics), so you need to ask consent.

But you can use Matomo as cookieless: https://matomo.org/cookie-consent-banners/

If matomo gathers data without a cookie, you can still use technical / essential cookies without consent.

As an example Github.com, owned by Microsoft, does not have a cookie consent popup and sets at least 5 cookies as soon as you open it:

- color mode (dark / light)

- user timezone

- whether the user is logged in or a guest

- a session cookie

- _octo, that I don't understand.


But that primarily says that Github doesn't care about cookies (or consent), not that you (not being a multinational corporation with an army of lawyers and millions in lobbying spending) can do the same.

I'm pretty sure those cookies are non-compliant if you look at them closely, because none of them are necessary for the operation of the service. a) a default value doesn't need to be stored in a cookie -- and it has to be a default value, because you haven't selected a color scheme or a timezone b) login-state does not require a cookie: either you're logged in and have a session, or you aren't, and you don't, c) there's no reason for a session on the public facing side that doesn't contain any private/individualized data, unless you want to use these session cookies to track users -- and it's only about users as bots will typically ignore cookies.

My money is on "Microsoft knows that cookie consent is optional if you're not a small European company".


So why do even the official websites of the European Commission and the European Parliament have a cookie consent button? One would assume that they are not "capitalist services".


Unfortunately big tech surveillance capitalists (which is different than "capitalist services", mind you) are court suppliers of IT services that EU institutions depend upon.

Edit: And as the sibling said, in many cases it may be restricted to analytics and simple 'reject' suffices, which is at least better than some of the intricate dialog designs.


I mean, you could literally read what their banner says. E.g. EU Parliament:

"We use analytics cookies to offer you a better browsing experience. You have the choice to refuse or accept them. Reject. Accept".

Those analytic cookies are not required for the functioning of the website, and those web sites are required to ask for your consent to gather any additional data.


>The vast majority of people DO NOT care about cookies nor do they care about trackers.

When presented with "Ask app to not track" on iOS, 96% of users clicked "do not track" https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-o...


That “most users don’t care” line is tossed around by people all over the place and you rightly point out that it isn’t true.

If my job relied on people giving up their data privacy I would probably continue telling everyone that line as well.


Having a clear cut "CALL TO ACTION" dialogue option which presents one positive ( don't track me ) and one negative ( track me ) option, people choose the positive one.

Cookies/tracking banners on websites completely obfuscate the choice. The negative option ( track me ) is presented as the pearly gates to heaven and easy to click. The positive option ( don't track me ) is presented as this mathematical puzzle where you must know what to click or your dog gets executed.

So yeah people care about not being tracked when presented with clear instructions to which one is bad and which one is good.


> Having a clear cut "CALL TO ACTION" dialogue option which presents one positive ( don't track me ) and one negative ( track me ) option.

That is literally the requirement by GDPR

> Cookies/tracking banners on website completely obfuscates the choice.

On purpose. In violation of GDPR.


These two statements are not incompatible.
