Look, Jeff Atwood, it is difficult to take you seriously when you write authoritatively on a subject you clearly don’t understand.
GDPR doesn’t mandate cookie notices.
Cookie notices are *malicious compliance* by the surveillance-driven adtech industry.
If you’re not tracking people, you do not need a cookie notice, period.
If you’re only using first-party cookies for functional reasons, you do not need a cookie notice, period.
If you’re using third-party cookies to track people – i.e., if you’re sharing their data with others – then *you must have their consent to do so*. Because, otherwise, you are violating their privacy. Even then, the law doesn’t mandate a cookie notice.
How would you conform to EU law without a cookie notice if your aim wasn’t malicious compliance?
You would not track people by default and you would make it so they have to go your site’s settings to turn on third-party tracking if, for some inexplicable reason, they wanted that “feature”.
Boom!
No cookie notice necessary.
What’s that?
But that would destroy your business because your business is founded on the fundamental mechanic of violating people’s privacy?
Good.
Your business doesn’t deserve to exist.
Because the real bullshit here isn’t EU legislation that protects the human right to privacy, it’s the toxic Silicon Valley/Big Tech business model of farming people for data that violates everyone’s privacy and opens the door to technofascism.
infosec.exchange/@codinghorror…
Look, EU, it is difficult to take you seriously when you forced all this cookie notification bullshit on us. That feature a) should not exist and b) if it did, should be a BROWSER feature not "every website in the entire world now has to bother everyone forever about this stupid thing" blog.codinghorror.com/breaking…Breaking the Web’s Cookie Jar
The Firefox add-in Firesheep caused quite an uproar a few weeks ago, and justifiably so. Here’s how it works: * Connect to a public, unencrypted WiFi network.Jeff Atwood (Coding Horror)
Andreas Kilgus likes this.
reshared this
Jonathan Schofield
in reply to Aral Balkan • • •David Chisnall (*Now with 50% more sarcasm!*)
in reply to Jonathan Schofield • • •@urlyman
It's often not even malicious compliance. Most of these banners don't even meet the requirements of the GDPR, specifically that you must be able to withdraw consent at any time and that you mist give informed consent (i.e. that you must know what you have consented to to be able to grant consent).
@noybeu is doing a great job going after some of these people.
webhat reshared this.
Aral Balkan
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •Writing Slowly
in reply to Aral Balkan • • •Aral Balkan
in reply to Writing Slowly • • •@writingslowly There’s an easy solution to that. We pass a GDMR and effectively outlaw their business model (don’t hold your breath).
ar.al/2018/11/29/gdmr-this-one…
GDMR: this one simple regulation could end surveillance capitalism in the EU
Aral BalkanGeorg Weissenbacher
in reply to Aral Balkan • • •@writingslowly There’s a problem with point 1 - who decides what “can be built”? For instance: Many legislators want companies to implement encrypted communication in a way such that they - and only they - can listen in. Numerous experts believe such a system can’t be built (at least not securely).
If I’d run a company I’d rather not end up in court where a lawyer explains to me what can be built and what not.
Aral Balkan
in reply to Georg Weissenbacher • • •@GeorgWeissenbacher @writingslowly I’m one of those experts.
Yes, regulation, like any legislation can be good or bad. That said, if you run, say a construction company, a lawyer does explain to you what can and can’t be built. You don’t just get to dig up a park and put in luxury apartments because you feel like it. You don’t get to construct a factory and dump your sewage into the sea. Or, more to the point, if you run a cinema, you don’t get to put cameras in the bathrooms. There are many things you don’t get to do if you run a company because they would infringe on the rights of others and your right to make a profit doesn’t supersede that.
I hope you’re teaching your students that they should be thoughtful in what they build so that it benefits humanity. We don’t need more things, we need more things that improve human welfare. And the last thing we need are more libertarian techbros who think they can do whatever they want in pursuit of their gluttonous profiteering and that rules don’t apply to them. That’s how we end up with technofascism.
Veronica Olsen 🏳️🌈🇳🇴🌻
in reply to Writing Slowly • • •@writingslowly What annoys me is that they've managed to give people the impression that the cookie banner nonsense is the EU's fault. GDPR has been a huge help, and these tantrums the tech industry is throwing is, as Aral says, malicious compliance.
@aral
Giorgio Maone 🚫✊🧅
in reply to Aral Balkan • • •TC Won't Give In To Lies
in reply to Aral Balkan • • •🎯
Not enough people understand how techbros choose horrible user interfaces and design/moderation decisions to turn people against even the most basic and essential customer safety regulations.
I believe the current age-gating outrage is astroturfed too.
account di Schrödinger reshared this.
Yahe
in reply to Aral Balkan • • •@marix You‘re correct on a wholly different level.
GDPR doesn’t mandate cookie notices.
Actually, the GDPR isn’t relevant regarding cookies at all. But Regulation 2002/58/EC as lex specialis to the GDPR is.
Aral Balkan
in reply to Yahe • • •Florian Zumkeller-Quast
in reply to Aral Balkan • • •Michael T. Richter
in reply to Aral Balkan • • •@codinghorror Are we sure that Jeff Atwood isn't an early LLM experiment? The straight-up overconfidence as he spouts completely incorrect and ignorant shit feels an awful lot like ChatGPT and its coterie of concussed digital parrots.
Oh, wait. The "voice" of these is modelled after what techbrodudes think sounds smart. I may have put the teleological cart before the horse.
Fabien
in reply to Aral Balkan • • •Aral Balkan
in reply to Fabien • • •NKT
in reply to Aral Balkan • • •Knud Jahnke
in reply to Aral Balkan • • •I'm running a website for a science consortium and we don't track, we don't sell anything, and we don't have to worry about visitor data storage and protection, and we do not need any cookie clicked on the site. Very simple, very relaxing.
It also prevents the need for a data protection responsible person, because no data is being collected.
Je ne suis pas goth
in reply to Knud Jahnke • • •@knud but even if you sold something, you would not need to put up a cookie banner : to sell something you require some information to complete the sale (address where to ship, and/or info about the means to pay for the good or service sold). None of that would be illegitimate.
@aral
michel v
in reply to Je ne suis pas goth • • •Aral Balkan
in reply to michel v • • •michel v
in reply to Aral Balkan • • •Aral Balkan
in reply to michel v • • •michel v
in reply to Aral Balkan • • •Aral Balkan
in reply to michel v • • •Knud Jahnke
in reply to michel v • • •@michelv @jenesuispasgoth
How about leaving me out of this thread continuation, thank you.
Aral Balkan
in reply to Knud Jahnke • • •Stuart
in reply to Aral Balkan • • •Vassil Nikolov | Васил Николов
in reply to Aral Balkan • • •Indeed.
Now, how to make Jeff Atwood and those who listen to him take heed?
Regrettably, I don't know...
🙁
@aral
Aral Balkan
in reply to Vassil Nikolov | Васил Николов • • •Frank Zimper 🕯️🐘
in reply to Vassil Nikolov | Васил Николов • • •@vnikolov
It would be a start to tag
@codinghorror and/or link to his post
infosec.exchange/@codinghorror…
@aral
Jeff Atwood
2025-08-30 22:54:27
webhat
in reply to Frank Zimper 🕯️🐘 • • •NKT
in reply to webhat • • •Aral Balkan
in reply to NKT • • •Diogo Constantino
in reply to Aral Balkan • • •Coral’s smaller fruits
in reply to Aral Balkan • • •Aral Balkan
in reply to Coral’s smaller fruits • • •mkj
in reply to Aral Balkan • • •As for some of the points raised in the linked thread…
GDPR article 21 paragraph 5.
In any sane world, that would cover DNT and GPC. So *any* web site which explicitly asks for consent when the relevant request has either of those request headers set to indicate to not track is *already* in non-compliance.
Of course, like you point out, there would likely be nothing stopping a site from offering visitors the *option* to be tracked anyway.
reshared this
Rokosun reshared this.
Aral Balkan
in reply to mkj • • •Bodo Tasche
in reply to Aral Balkan • • •Sass, David
in reply to Aral Balkan • • •this is why #GitHub was able to remove the banner back in 2020 - the good old days.
github.blog/news-insights/comp…
Funny enough, 5 years later the banner is back on $GitHub Blog, I guess being owned by $MSFT changes things...
No cookie for you - The GitHub Blog
Nat Friedman (The GitHub Blog)Rune
in reply to Aral Balkan • • •Aral Balkan
in reply to Rune • • •@praerien 1. You don’t need third-party cookies for analytics. Services exist that provide analytics without third-party tracking.
2. The “UX” (design) of cookie consent banners is anti-pattern implemented by the adtech industry exactly to invoke this reaction and misdirect your ire from the tracking itself to the law meant to protect your rights.
3. Your suggested solution would, indeed, nip this in the bud. This is why the surveillance industry made sure to remove Do Not Track the moment they realised it could be used for this purpose. (After all, it has served Mozilla/Silicon Valley’s purpose of delaying regulation for a decade and now had become a liability.)
mkj
in reply to Rune • • •@praerien Install uBlock Origin and turn on at least the "EasyList - Cookie Notices" list.
@aral
mathew
in reply to mkj • • •Pēteris Caune
in reply to mathew • • •@mathew @mkj @praerien some do, some don't. Some don't because they're oblivious, some intentionally.
You can check in Chrome: load a page in Incognito window, then press F12 to open developer tools, then go to Application > Cookies, and see if there's _ga, _fbp, or any of the other usual suspects.
Pēteris Caune
in reply to Pēteris Caune • • •@mathew @mkj @praerien
I made a script that tracks Latvian websites that have the "load cookies first then ask for permission" problem: https://sīkdatnes.lv
For problematic sites, I send an informal email explaining the problem and asking to fix it. In case of no action, I send a formal, signed complaint. And then in case of no action, I report them to our country's DPA.
In quite a few cases the informal email is enough, and the issue gets acknowledged and fixed.
Aral Balkan
in reply to Pēteris Caune • • •conejo 🐰
in reply to Aral Balkan • • •FreediverX
in reply to Aral Balkan • • •Thanks for this response. That post pissed me off and I was wondering how long I’d have to wait for someone to call out the Benevolent Plutocrat on his bullshit.
Velocipede Rider
in reply to Aral Balkan • • •True, load Vivaldi.com or our forums or indeed any site we run. No cookie banners. We have been asked before how we manage to do this but it ain't rocket science.
Also look at all the Mastodon sites, no banners, unlike X, Threads, etc. How? We all know how. 😉
Pino Carafa
in reply to Aral Balkan • • •exactly. The EU needs to mandate that
1. Every browser needs to, by default, be set to allow "strictly necessary cookies" only.
2. Every site that wants to serve EU users must honour this setting.
3. Impose massive fines on sites that don't do this or that choose to interpret "strictly necessary only" in "creative" ways.
So that anybody who does not want other cookies has to do exactly nothing to achieve that.
Aral Balkan reshared this.
Aral Balkan
in reply to Pino Carafa • • •GDMR: this one simple regulation could end surveillance capitalism in the EU
Aral BalkanClaudius
in reply to Pino Carafa • • •Aral Balkan
in reply to Claudius • • •IzzyOnDroid ✅
in reply to Pino Carafa • • •Piggo
in reply to Aral Balkan • • •Robert Kingett
in reply to Piggo • • •Sightless Scribbles
sightlessscribbles.comLeeloo
in reply to Aral Balkan • • •Even simpler: Look at the DNT http header.
Only fall back to cookie notices when the browser doesn't send it.
It was interesting how quickly Mozilla deprecated the DNT header after an EU court ruled that yes, it is a valid answer.
Aral Balkan reshared this.
Aral Balkan
in reply to Leeloo • • •Loïc Denuzière
in reply to Aral Balkan • • •Really the main problem of this enforcement is that it came too late, when (almost) everyone was already dependent on collecting private data. That made it easy for the industry to collectively decide that intrusive popups would be the simplest way to comply.
What were people going to do, take their business to the competition? Doesn't matter, they do it too.
If regulation had come earlier, then the first ones to use popups would have been seen as obnoxious assholes and lost visitors.
Simon Eilting
in reply to Aral Balkan • • •all correct.
My own criticism of that EU law is that they didn't bother to check if there were ever any reason to let yourself be voluntarily tracked - there isn't. The whole thing should've been a law that makes it illegal.
Aral Balkan
in reply to Simon Eilting • • •@eseilt Couldn’t agree more.
ar.al/2018/11/29/gdmr-this-one…
GDMR: this one simple regulation could end surveillance capitalism in the EU
Aral BalkanVirginicus
in reply to Aral Balkan • • •LiquidParasyte
in reply to Aral Balkan • • •"Yes, you can naively argue that every website should encrypt all their traffic all the time, but to me that's a "boil the sea' solution."
Talk about takes that didn't age well
Vex
in reply to Aral Balkan • • •Aral Balkan
in reply to Vex • • •bleep
in reply to Aral Balkan • • •Aral Balkan
in reply to bleep • • •NKT
in reply to Aral Balkan • • •Yes, many sites are using it for adverts, but lots are also trying to sell a product that isn't the browser.
Aral Balkan
in reply to NKT • • •@Dss In my world, which the same world you live in, if a person provides their phone number to have a sales person call them, they are consenting to have the sales person call them and you can use their phone number for the purpose of having a sales person call them which is what the person has given you permission to do.
Do you need a cookie notice for that?
No.
(That said, it’s not my job to fix toxic business models.)
Don Marti
in reply to Aral Balkan • • •Lin et al. found that ad blocker users are more satisfied with the products and services they buy than non-users. There _is_ a theoretical economic role of advertising but surveillance advertising is failing at it
Lots of pro-surveillance advocacy from academics, but they don't cite some of the best sources in their own field, or some of the best points in the body copy of the papers they do cite—even Google refers to de-personalizing the ads as a "protection" blog.zgp.org/advertising-perso…
advertising personalization: good for you?
blog.zgp.orgchild of baphomet
in reply to Aral Balkan • • •Aral Balkan
in reply to child of baphomet • • •webhat
in reply to Aral Balkan • • •Simon Cox
in reply to Aral Balkan • • •@codinghorror
Well said @aral 👏👏👏
Rigo Wenning
in reply to Aral Balkan • • •zbrando
in reply to Aral Balkan • • •Nicole Parsons
in reply to zbrando • • •@zbrando
#pluralistic calls it the "fatfinger economy" (deliberately redesigning an interface to increase the likelihood of clicking on the wrong thing)
doctorow.medium.com/https-plur…
pluralistic.net/2022/05/15/the…
On occasion the consequences can be huge.
en.m.wikipedia.org/wiki/Fat-fi…
Flash Crash - a human error magnified 100-fold by AI
verifiedinvesting.com/blogs/ed…
bloomberg.com/news/articles/20…
Fatfingering a cookie banner might also be a security flaw, can be used for ransomeware.
Flash Crashes and Fat Fingers: When Technology Disrupts Markets
Verified InvestingRyan
in reply to Aral Balkan • • •@steverowling I’m always sure to let clients know they don’t need a cookie banner if they’re not tracking people. And funnily enough many of them hate cookie banners enough to not bother with GA or whatever else. I do offer @Plausible for insights into website usage though.
Sadly clients who want to advertise or hire marketing companies are a different story.
Thorsten Butz 🎗️
in reply to Aral Balkan • • •That’s the problem with theory and practise : in real life an army of lawyers and „experts“ advice you to behave exactly like all the others. And all the public services provide bad examples since they behave exactly in the same wrong way.
In reality, GDPR brought the opposite results of what we wanted to achieve.
Hyperlink Your Heart
in reply to Aral Balkan • • •mx alex tax1a - 2020 (5)
in reply to Aral Balkan • • •Szymon Nowicki
in reply to Aral Balkan • • •small correction. You can still track people, just not share it with everyone and their dog.
If you have data in your system you're free to use it for analytics. As long as it's anonymized, so, properly aggregated.
No consent needed.
Aral Balkan
in reply to Szymon Nowicki • • •@hey Yes, aggregate analytics – what you describe – does not constitute tracking.
(That is different from anonymised data; anonymised data can be deanonymised using other data sets – a common practice within the people farming industry.)
Szymon Nowicki
in reply to Aral Balkan • • •Anton Gerasimov
in reply to Aral Balkan • • •Aral Balkan
in reply to Anton Gerasimov • • •Veronica Olsen 🏳️🌈🇳🇴🌻
in reply to Aral Balkan • • •Pteryx the Puzzle Secretary
in reply to Veronica Olsen 🏳️🌈🇳🇴🌻 • • •And some are so malicious that there *isn't* an actual way to not say yes. "By clicking Accept or X on this banner [with no Reject or even Preferences button...]"
disorderlyf
in reply to Aral Balkan • • •Hannah
in reply to disorderlyf • • •@disorderlyf This feature already exists. It is just that ad-tech ignored that users were sending a do-not-track request and instead they opted for trying to nudge everyone into accepting their surveillance, by making obnoxious cookie banners.
en.wikipedia.org/wiki/Do_Not_T…
proposed HTTP header field that requests web applications to disable individual user tracking
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)Aral Balkan
in reply to Hannah • • •@uncanny_static @disorderlyf It’s worse than that: this was a feature spearheaded by Mozilla (Silicon Valley’s acceptable face) and it had the very real effect of staving off regulation for a decade (“look, we are self regulating”). The moment people realised it could be used to communicate consent within the framework of GDPR, the feature was deprecated.
Sadly, some folks still think Mozilla are the good guys.
Walter van Holst
in reply to Aral Balkan • • •Queen Calyo Delphi
in reply to Aral Balkan • • •Genuine question:
If I hosted my own private analytics tracker (something like Matomo (née Piwik), e.g.) just so I could have funny numbers to look at because I like to look at numbers but do nothing meaningful with them, would that require a cookie banner?
I'd pondered about just having a static notice in the footer of my site that just says "This site uses some functional cookies and one (1) tracking cookie for a self-hosted analytics dashboard because I like to look at Numbers™."
Aral Balkan
in reply to Queen Calyo Delphi • • •Parade du Grotesque 💀
in reply to Aral Balkan • • •khm
in reply to Aral Balkan • • •Elric
in reply to Aral Balkan • • •Aral Balkan
in reply to Elric • • •Peter Atwood
in reply to Aral Balkan • • •Aral Balkan
in reply to Peter Atwood • • •Ensō
in reply to Aral Balkan • • •reshared this
Aral Balkan reshared this.
NymanTech
in reply to Aral Balkan • • •John-Mark Gurney
in reply to Aral Balkan • • •joriki
in reply to Aral Balkan • • •Jeff Atwood
in reply to Aral Balkan • • •see infosec.exchange/@codinghorror… and infosec.exchange/@codinghorror… and infosec.exchange/@codinghorror… and mastodon.social/@JeffGrigg/115…
Jeff Atwood
2025-08-31 21:37:57
Simon Dassow
in reply to Jeff Atwood • • •Jernej Simončič �
in reply to Jeff Atwood • • •Andrew Kelley
in reply to Jeff Atwood • • •@codinghorror
you make money from ads on stack exchange so you are biased in the conversation.
switch business models to be ad-free and then I want to hear your perspective after that.
Jeff Atwood
in reply to Andrew Kelley • • •Aral Balkan
in reply to Jeff Atwood • • •@codinghorror @andrewrk I think what people are trying to tell you is that you’re part of the problem.
You’re not just any “user of the internet”, you’re a developer. You have agency. Don’t like cookie banners? Great! Lead by example: remove them from the sites you own and control (i.e., stop tracking people on the sites you own and control. Find other ways to make money.)
William Pietri
in reply to Aral Balkan • • •@codinghorror @andrewrk
Orman
in reply to Aral Balkan • • •Andrew Kelley
in reply to Jeff Atwood • • •feld
in reply to Andrew Kelley • • •tecteun
in reply to Aral Balkan • • •Mirko
in reply to Aral Balkan • • •kel
in reply to Aral Balkan • • •HEAR! FUCKING! HEAR!
DEATH TO CAPTCHA!!!
LONG LIVE THE FREE INTERNET!!!
Matias N. Goldberg
in reply to Aral Balkan • • •Misleading. If you implement first party cookies for your own analytics to improve your website (like... what content is more popular, what pages are broken from UX standpoint), you still have to show the cookie notice.
Whether it's first or third party is not part of the equation.
Aral Balkan
in reply to Matias N. Goldberg • • •@matiasgoldberg Yes it is very much part of the equation.
A first-party functional cookie (e.g., to store log-in state): no consent necessary.
First-party *aggregate* statistics: no consent necessary.
Matias N. Goldberg
in reply to Aral Balkan • • •Aral Balkan
in reply to Matias N. Goldberg • • •Grievous Angel
in reply to Aral Balkan • • •@codinghorror I remind you that this is Jeff Attwood you are finger wagging at here. He is wrong on this take. But if you really think this invalidates his critique of capitalism or his significant charity work then I think you might consider reappraising your position.
And picking a better target next time.
Cairo Braga [gts]
in reply to Grievous Angel • • •Jeff Atwood
in reply to Cairo Braga [gts] • • •stony kark
in reply to Grievous Angel • • •Jeff Atwood
in reply to stony kark • • •Grievous Angel
in reply to Jeff Atwood • • •Jeff Atwood
in reply to Grievous Angel • • •fog
in reply to Jeff Atwood • • •zeh
in reply to Jeff Atwood • • •the market agrees with you. and you really mean that as a validation argument. sigh
it certainly agrees with charity washing operations to cover up its crimes, and expunging exploiter guilt.
the market agrees with the most brutal exploitation of people and resources it can force upon us. it agrees with discriminating to separate people, it agrees with climate collapse. it fucking agrees with genocide and war.
fuck the market.
@aapis @grievousangel @aral
Andreas
in reply to Aral Balkan • • •99 % agree. But to be fair, the cookie banner did serve as an important wake up call, back in the day. It's also, to this day, an easy way to discern which pages absolutely don't give a shit. But 100 % agree that if no data is collected, no consent is required.
(Cookiebanner != gdpr consent)
craignicol
in reply to Aral Balkan • • •craignicol
in reply to Aral Balkan • • •if GitHub doesn't need a cookie banner, there's no technical reason for a site to have them, it's always a privacy reason
techcrunch.com/2020/12/17/gith…
GitHub says goodbye to cookie banners | TechCrunch
Frederic Lardinois (TechCrunch)Mike Sax
in reply to Aral Balkan • • •Cy
in reply to Aral Balkan • • •The goal of the GDPR was to get companies to STOP tracking users There's no reason that they couldn't have made their websites non-tracking by default, or configurable at the browser. Instead they want to make the user annoyed that they have to say no, every time.
This is very similar to the way we got to the point of banning plastic straws when we wanted to ban plastic fishing nets.