> Worse, people (including on HN) actively blaming the EU for it.
The EU is exactly to blame for it.
The activity isn't illegal, and the EU didn't make it illegal.
What the *EU did* was make it so that companies engaging in that legal activity now had to disclose it in some way, and thee cookie popups are the best way to do that.
It's ridiculous to try and say the EU isn't to blame when they introduced and approved the legislation directly responsible for the popups.
> and thee cookie popups are the best way to do that.
No, the best way to do it is not invade people’s privacy. You can have ads without targeting (we did it forever before the internet) and you do not need cookie warnings if your cookies aren’t invasive.
> No, the best way to do it is not invade people’s privacy. You can have ads without targeting
You are deliberately missing the point and shifting the goalposts.
You're talking about asking a business voluntarily not engage in lucrative legal business activities. Why would they do that? There are so many more important things business should voluntarily abstain from by that reasoning.
No, as long as the behavior remains legal, a business has every right to engage in such activity.
The only reason the cookie popups are a thing is because the **EU** mandated some sort of notification which basically mapped to these popups.
So it's the EU to lame. No question about it. A business engaging in legal activity is not to blame, since it's the regulations around that activity and not the businesses practicing the activity that are the topic of discussion here.
Stop shifting the buck. It's so incredibly dishonest.
> You're talking about asking a business voluntarily not engage in lucrative legal business activities. Why would they do that?
It is baffling that you can make that claim without realising your mistake. Yes indeed, why would businesses do that voluntarily? The answer is they aren’t doing it voluntarily, they are forced by law. In other words, the EU has made the practice illegal. Specifically, it is illegal to engage in that data collection without consent.
Let’s take tobacco warning labels as another example. Governments decided that tobacco companies have to print large warnings on cigarette packs. They didn’t make it illegal to sell tobacco, but if you want to do it you have to include those labels.
Do you also blame governments for mandating those warning labels and would prefer there to be none? I mean, you do you, but please don’t accuse others of goal shifting and dishonesty simply because you misunderstood an argument. My position has remained consistent, I gave the poison example (which you chose to ignore) in the first post.
> It is baffling that you can make that claim without realising your mistake.
I'm not making any mistake. You continue to make the mistake to blame the businesses doing *legal* activities and complying with the *EU Regulation* that dictates the cookie popups.
> The answer is they aren’t doing it voluntarily,
They are not abstaining from legal behavior that makes them money, like literally every other business in acceptance.
Which means they are not doing anything remarkable, yet you are remarking on it. Why?
> In other words, the EU has made the practice illegal.
Not exactly. The EU has very specifically made the practice legal, but with regulations.
You're doing the equivalent of blaming tobacco companies for including graphic warnings on their packaging as is the case in some countries, when it's not them doing it voluntarily, it's a result of those governments imposing it.
> Specifically, it is illegal to engage in that data collection without consent.
Exactly. The *EU* regulated that informed consent is required, requiring some kind of popup to the user.
So, those companies are engaging in an explicitly legal practice, and doing so in the way the *EU* forces them to do so. So EU gets the blame.
> Let’s take tobacco warning labels as another example. Governments decided that tobacco companies have to print large warnings on cigarette packs. They didn’t make it illegal to sell tobacco, but if you want to do it you have to include those labels.
I genuinely typed my analogy above before I read this part of your reply. Amazing.
> Do you also blame governments for mandating those warning labels
YES!
Those warnings only exist because the governments are imposing them as a requirement.
Seriously, what's not to get here? If we follow your reasoning on the popups, to be consistent you would blame the tobacco companies for those warnings existing.
> simply because you misunderstood an argument.
What is it you think I've misunderstood? What do you think I think your position is as opposed to what it actually is? I'm certain I haven't misunderstood a thing.
What is the subject of the blame you were implicitly referring to in your first comment where you say "Worse, people (including on HN) actively blaming the EU for it."
What is the 'it' your refer to, if not the cookie popups?
> My position has remained consistent
Yes, your position is that the popups are not to be credited to the EU, which is absolutely wrong. They only exist because the EU dictates they need to for companies engaging in a specific legal activity.
You say in your first post "The label isn’t the problem! ", but that's the topic of discussion, that's the subject of the blame we are debating how to assign.
The issue of companies data collection and distribution practices are worth discussing, any any illegal activity needs to be dealt with. But that isn't relevant to who gets the blame/credit for the popups.
I think your point of view is overlooking the concept of loophole or more precisely, malicious compliance.
Businesses can make a separate page, a settings page, where you enable tracking. This solves the problem.
But obviously the cookie popup is HUGE to cover your view of the page and it's as confusing as possible, even with the requirement of an explicit reject all button.
This is textbook malicious compliance, and the EU has been trying to combat it (the explicit reject all button), but I suspect they don't want to codify in law the exact pattern they want to see (law becomes outdated)
> I think your point of view is overlooking the concept of loophole or more precisely, malicious compliance.
I don't think I am, because even if the cookie popups were made with the genuine best intentions to adhere to the regulations, no malicious compliance at all, the people I am disagreeing with would still blame the corporations engaging in legal activity and not the regulations themselves that dictate the popups.
I don't doubt malicious compliance exists or is a problem, but I don't think it makes much of a difference in this context.
That is addressed right at the top of the page on a prominent explanatory banner with a blocky information icon:
> Use of the cookie consent kit is mandatory on each page of the DGs and executive agencies-owned websites, regardless of the cookies used.
I really wish people made a minimum of effort to engage in good faith. It took you longer to post your comment than it would’ve taken to read that notice.
EU: Don't track users, don't obtain vast amounts of data on users, don't sell that data to third parties. If you you do, ask users for informed consent.
Industry: we hear you. Here's "informed consent" form riddled with dark patterns because we believe that all data is ours by God's decree, and our 15 000 "partners" agree with us
Make a good product that does not rely on exploiting user data. Advertise in relevant locations without tracking (e.g. if you sell cars, advertise on a car-centric website/forum/magazine).
You don't have to reply to every comment I make in reply to someone else in this thread, just FYI.
> Make a good product that does not rely on exploiting user data. Advertise in relevant locations without tracking (e.g. if you sell cars, advertise on a car-centric website/forum/magazine).
No, none of this is a light pattern. It's just abstaining from the activity entirely.
What are you on about? Do you realise you replied to me first, and the two times I replied to you responding to someone else were on the same thread that goes back to my original comment? No one’s after you, I just looked at the child replies in my post. Honestly I didn’t even realise I was replying to the same person. Complaining about it happening twice is quite the persecution complex.
> the two times I replied to you responding to someone else
---
> Honestly I didn’t even realise I was replying to the same person.
I find that very odd, not to pay attention to who you are replying to, but OK.
> quite the persecution complex.
Nah. It's a pretty common behavior or 'pattern' that some people who feel strongly about a position will reply to other child comments by a person they are debating with.
I find it frustrating because it normally leads to a lot of redundancy, with the same points being repeated in multiple places, just wasting time.
I mistakenly thought that's what you were doing. I apologize.
That's not a light pattern, that's giving up the activity entirely.
If an activity is explicitly legal, even with regulations, then there should be a light pattern for that activity is there is a dark pattern.
Look at selling cigarettes in the 80s. A dark pattern would be trying to influence kids on the low, which mascots like Joe Camel.
A light pattern would not be abstaining from selling cigarettes entirely, analogous to what you suggest, but rather voluntarily adding labels to packaging and taking other precautions.
> What's not right? Giving up pervasive and invasive tracking and selling user data?
Exactly. Abstaining isn't a light pattern. A light pattern would be doing the thing in a non malicious way.
> GDPR, literally, is: if you use data not strictly required for the functioning of your business, ask user for consent.
You're missing the point. You were alleging businesses are using dark patterns while being in compliance with the law. I'm asking what a light pattern would be for collecting as much data as possible which is an explicitly legal activity as long as the regulations are followed.
You answered not engaging in that activity at all, which is not an answer.
"Abstaining from selling hard drugs to minors isn't a light pattern. Show me how we can sell hard drugs to minors even with all the regulations in place"
Though I hate analogies, but this is what this sounds like to me.
> I'm asking what a light pattern would be for collecting as much data as possible which is an explicitly legal activity as long as the regulations are followed.
You either follow GDPR or do not engage in this activity. What is so hard to understand?
Instead the industry came up with the obnoxious cookie banners tricking users into providing any and all data and selling that data to thousands of "partners".
> Though I hate analogies, but this is what this sounds like to me.
The difference though is that selling drugs to kids is flat out illegal, no ifs ands or buts.
Data collection is explicitly legal as long as regulations are followed, so I think it's a flawed analogy.
> What is so hard to understand?
That the businesses are complying with the GDPR but you're still saying it's a dark pattern and complaining about what they are doing.
I need to remind you at this point the topic of discussion is who is responsible for the cookie popups, not the morality or legality of the activity that the EU felt required regulation. The answer is the EU, because that's how they chose to address the issue.
> Instead the industry came up with the obnoxious cookie banners tricking users into providing any and all data and selling that data to thousands of "partners".
Most cookie banners are not deceptive at all. They are the result of complying with the legislation the EU mandated.
In fact, the cookie banners that are as straightforward and clear as possible, and as non intrusive as possible, are an example of a light pattern in this context.
This is correct. However, I always thought that legislation is pretty stupid. It isn't exactly comparable to alcohol/tobacco warnings. Actually, I always thought they are stupid too, but at least they can count as an "informed nonsent", since it's pretty clear, what's the harm they are taking about.
Cookies, on the other hand... Even for me, who was perfectly aware of the problem long before this legislation, and who was privacy-oriented to begin with, it isn't clear, what's the consent I'm giving. First off, I know everybody uses cookies, and almost everybody uses some trackers. Second, even me, somewhat informed user, I don't really understand, what is that information they are sharing with third parties, and why should I care. I feel kinda stupid when I bother to press "reject all". Like, does it even matter, what I choose? Wouldn't they do it anyway, whatever they do? Then, I use ublock and I hope it helps. If it doesn't, well, tough luck, but what do I do? I do want to read that one paragraph from the medium/NYT article I found on Google, despite how much I hate them. I won't stop using the internet because of... whatever this is.
I can only imagine, what it's like for average user, who is, let's be honest, pretty clueless. I guess for them it is indeed the EU who is too blame here.
GDPR is more useful, but still I'm not sure if it really helps. Like, I remember someone complaining that before GDPR you could bulk-download gpx files from Strava, and now you can only request .fit files, that are supposed to containt more data, but really aren't that useful for most. Well, it's not GDPR you should blame, it's Strava and all their partners/competitors (especially Garmin, god I hate them so much). They are successfully making life harder for you, because they don't want it to be easy to get your own data back. And who is to stop them? Maybe it's a matter of time, I don't know, but it doesn't seem GDPR is effectively enforcing what it is supposed to.
The cookie law and GDPR are often conflated, but they are different things. It doesn’t help that websites engage in malicious compliance, thus making everything more confusing.
I’ll leave you with two links. The first explains which kinds of cookies do not require consent. You’ll see the list is pretty reasonable. The second is to noyb, a non-profit fighting for privacy (the name means “none of your business”), who has been doing good work thanks to the GDPR.
> Even for me, who was perfectly aware of the problem long before this legislation, and who was privacy-oriented to begin with, it isn't clear, what's the consent I'm giving.
Indeed, and that's exactly what the industry wants. Show me where exactly GDPR mandates the cookie dialogues. Or ePrivacy Directive for that matter.
> Well, it's not GDPR you should blame, it's Strava and all their partners/competitors
Yes. And yet you somehow twist it to blame GDPR
> but it doesn't seem GDPR is effectively enforcing what it is supposed to.
The EU is exactly to blame for it.
The activity isn't illegal, and the EU didn't make it illegal.
What the *EU did* was make it so that companies engaging in that legal activity now had to disclose it in some way, and thee cookie popups are the best way to do that.
It's ridiculous to try and say the EU isn't to blame when they introduced and approved the legislation directly responsible for the popups.