Look, EU, it is difficult to take you seriously when you forced all this cookie notification bullshit on us. That feature a) should not exist and b) if it did, should be a BROWSER feature not "every website in the entire world now has to bother everyone forever about this stupid thing" blog.codinghorror.com/breaking…
Breaking the Web’s Cookie Jar (Jeff Atwood, Coding Horror)
The Firefox add-in Firesheep caused quite an uproar a few weeks ago, and justifiably so. Here’s how it works: * Connect to a public, unencrypted WiFi network.
This post was edited (6 days ago)
Ciccio dell’Oca reshared this.
Jeff Atwood
in reply to Jeff Atwood • • •
javier
in reply to Jeff Atwood • • •
Jeff Atwood
in reply to javier • • •
scy
in reply to Jeff Atwood • • •@javier Websites that don't use cookies are not involved. Neither are websites that only use cookies that are _required_ for the website to function, e.g. session tokens.
It's only when you'd like to use cookies to track users and deliver personalized ads that you have to deal with this stuff.
It's a choice.
Most websites simply don't choose the privacy-friendly option.
Oblomov, el Celio 🇪🇺 🇺🇦 and Fabrizio T. reshared this.
fedithom
in reply to scy • • •THIS!
@codinghorror @javier
Claudius
in reply to scy • • •one of the big problems nobody talks about: tech is largely only explained by entities who have no incentive to explain it *well*.
Google, Meta, large ad networks are all like "stupid EU makes us do Cookie banner".
While the actual regulation is actually pretty good. The regulation is basically "don't fuck around with user data. But if you do, you at least need to tell the user".
Eugene Alvin Villar 🇵🇭, Fabrizio T. and Oblomov reshared this.
JdeBP
in reply to scy • • •@scy @javier
And tell themselves the comforting lie that it is the E.U. forcing them to do this.
#EULaw
Veronica Olsen 🏳️🌈🇳🇴🌻
in reply to JdeBP • • •@JdeBP They peddle this bullshit very deliberately. Far too many users believe it's the EU's fault, when it is the predatory tech industry.
@scy @codinghorror @javier
Dec [{()}]
in reply to Veronica Olsen 🏳️🌈🇳🇴🌻 • • •Most people would expect someone like @codinghorror to know better.
So why didn't you know better, @codinghorror ?
older
in reply to Jeff Atwood • • •No. Github is a good example.
@javier
taziden
in reply to Jeff Atwood • • •@javier
Aral Balkan reshared this.
cy
in reply to Jeff Atwood • • •
Magnus Ahltorp
in reply to Jeff Atwood • • •
Jason Petersen (he)
in reply to Jeff Atwood • • •
Oblomov reshared this.
Zenie
in reply to Jeff Atwood • • •I love that you don't like it.
Stop tracking people. Problem solved.
Tracking is not necessary. It is immoral.
It is tracking that ruins the internet, not cookie notices.
Aral Balkan reshared this.
Aral Balkan
in reply to Jeff Atwood • • •
Airikr
in reply to Jeff Atwood • • •
Tad Fisher
in reply to Jeff Atwood • • •
Nik
in reply to Jeff Atwood • • •
Oblomov reshared this.
PAUL!!!
in reply to Jeff Atwood • • •
Oblomov reshared this.
Jeff Atwood
in reply to PAUL!!! • • •
Marcus Müller
in reply to Jeff Atwood • • •@luap42 the donottrack header is exactly that at the browser level; if it's set, no need to ask the user about consent they're explicitly denying. For non-tracking, i.e., technically necessary (auth, user settings) cookies, that banner is not necessary.
the browser setting exists, it's not honored by website operators, which choose to show banners instead, and is being torpedoed by google, who is earth's dominant ad network and browser supplier.
the EU (in that case) isn't at fault.
Oblomov reshared this.
Marcus Müller
in reply to Marcus Müller • • •
Pixelcode 🇺🇦
in reply to Marcus Müller • • •@funkylab @luap42 Well, akschualllly the Do-Not-Track header has been deprecated because it was widely disrespected for being enabled by default in some cases, so websites argued that DNT doesn't really reflect the users' choices.
Therefore, DNT has been replaced by the Global-Privacy-Control header which is required to be disabled by default. @funkylab's screenshot shows the GPC setting.
@codinghorror Not sure how GPC is not precisely the “at the browser level” you are describing.
Jeff Atwood
in reply to Pixelcode 🇺🇦 • • •
Osma A 🇫🇮🇺🇦
in reply to Jeff Atwood • • •@codinghorror @pixelcode @funkylab @luap42
Cassandrich
in reply to Jeff Atwood • • •
Giulia 🐳, Dún Piteog, Aral Balkan, Catalin Cimpanu, RevK, webhat, Robert Kingett and FediThing 🏳️🌈 reshared this.
Jeff Atwood
in reply to Cassandrich • • •
Morten Linderud
in reply to Jeff Atwood • • •@dalias
Ok, where does it say that?
Enno T. Boland
in reply to Jeff Atwood • • •German here: the gist of GDPR is: people must know when someone collects personal data.
You can perfectly live without a cookie banner if you don't set one for arbitrary visitors. That was the intended result. But reality instead invented this UX nightmare, because we can't have nice things.
For me it just shows how fucked up today's web actually is.
Oblomov reshared this.
punIssuer
in reply to Enno T. Boland • • •
Leroy
in reply to Enno T. Boland • • •@Gottox @dalias also, by default a website complies with GDPR.
The choices by those in charge (collecting ad revenue or choosing a harmful technical library) are what then make a website require consent.
Dún Piteog reshared this.
Cassandrich
in reply to Jeff Atwood • • •
Aral Balkan reshared this.
Ashley Rolfmore (leymoo)
in reply to Cassandrich • • •@dalias in analogy:
EU made it illegal to “sucker punch people”, i.e. collect personal data without consent. That’s not the same as legit personal data collection, e.g. an online shop needs your delivery address to mail the order you just made to you.
Cookie banners are basically giving someone a quick “sorry” after punching them - it’s a loophole that shouldn’t exist. No sorry needed if you don’t punch anyone.
Oblomov reshared this.
Cassandrich
in reply to Ashley Rolfmore (leymoo) • • •
Ashley Rolfmore (leymoo)
in reply to Cassandrich • • •@dalias yeah fair. I see some progress has been made on allowing ad free meta product usage (with payment).
But the banners I think are harder to enforce because it’s just so many companies, large and small.
Cassandrich
in reply to Ashley Rolfmore (leymoo) • • •
Irenes (many)
in reply to Cassandrich • • •yes indeed! before we joined Internet Safety Labs, the org published a spec for how that relationship between the visitor and the company should work, in an ideal world
not because anybody is going to follow that spec unless legally required to... just because sometimes you need to make your position clear
Irenes (many)
in reply to Irenes (many) • • •anyway: during our time at Google we were occasionally party to VP-level decision-making around privacy topics
we can attest, from our own direct knowledge, that tech companies habitually intentionally refuse to engage with public-policy debates so that they can later paint the laws and regulations that come out of those debates as uninformed by industry realities
Paul_IPv6
in reply to Irenes (many) • • •@ireneista @dalias @leymoo
"industry realities".
translation: regulations haven't made doing whatever it is expensive enough to affect profits/stock enough for boards to be willing to spend any resources at all to avoid/fix something...
Irenes (many)
in reply to Paul_IPv6 • • •
Paul_IPv6
in reply to Irenes (many) • • •@ireneista @dalias @leymoo
i have scars from attempting to assist in generation of technically sane but useful tech regulation...
"fixed in the next release. take the money now." isn't just for software dev. apparently it's what many politicians think about our planet/environment, etc.
Irenes (many)
in reply to Paul_IPv6 • • •
Paul_IPv6
in reply to Irenes (many) • • •@ireneista @dalias @leymoo
ah, the old "move fast, break things", just being sure to move fast enough to flee any prosecution.
i miss the days when "do cool shit, solve hard problems" was the focus. vast parts of the benefits of our 60s/70s space program weren't as much the space part as all the stuff we learned and all the tech that was discovered and repurposed for earth.
going to be a while before the idea that research is a good thing without an immediate stock bump that quarter comes back.
Irenes (many)
in reply to Irenes (many) • • •that sort of bullshit was a lot of why we now work in civil society, instead.
the industry claims that self-regulation is the appropriate model, but then refuses to be held accountable by its own internal processes (which we were part of). therefore, change must be driven from outside the system rather than within.
Ashley Rolfmore (leymoo)
in reply to Irenes (many) • • •
Irenes (many)
in reply to Ashley Rolfmore (leymoo) • • •
Daniel Schildt
in reply to Irenes (many) • • •
Irenes (many)
in reply to Daniel Schildt • • •
Daniel Schildt
in reply to Irenes (many) • • •
pgcd
in reply to Cassandrich • • •@dalias
Session cookies in themselves are fine - no PII involved and no third party tracking. If you only set one of those you don't need consent, the same way you don't need to consent to set a "no cookies consent" cookie
@leymoo @codinghorror
Cassandrich
in reply to pgcd • • •@pgcd @leymoo Nope, a session cookie is tracking. It enables processing data on you like "the same person who looked at products A, B, and C yesterday bought products C and D today". Likewise choosing what to show you based on that profiling. It might also reveal things about you to other ppl you share a computer with like "somebody using this computer was looking for information on contraceptives or HRT" etc.
Session cookies are unlawful tracking unless you consented to it by logging in to the site with the understanding and intent that you have a persistent profile and what that profile will be used for was made clear.
The Lack Thereof
in reply to Cassandrich • • •@dalias @pgcd @leymoo
under GDPR, session cookies as normally understood meet the definition of "strictly necessary" and do not require explicit consent
If your session cookie is persistent, it's not a session cookie anymore. Not persisting from one browser session to another is kind of a defining characteristic of a session cookie.
Cassandrich
in reply to The Lack Thereof • • •@lackthereof @pgcd @leymoo Maybe we're going by different definitions of "session". It sounds like you think it's a short-lived thing that disappears when you terminate the browser. Which, even if that were the definition, would still mean it... never disappears. Most of us have browser "sessions" 10+ years old. Mobile doesn't even have a sense of terminating the browser.
The definition I'm going by is an identifier, regardless of lifetime, that establishes distinct HTTP requests as originating from the same browser. There is no "strictly necessary" reason to do this unless the purpose of the site is maintaining a stateful interaction with the user. If the visitor is just reading your site, there is no legitimate business interest in knowing whether the load of page A and the load of page B came from the same person.
LisPi
in reply to Ashley Rolfmore (leymoo) • • •> But the banners I think are harder to enforce because it’s just so many companies, large and small.
Why not use the fines to fund more enforcement?
David Monniaux
in reply to Jeff Atwood • • •
Jeff Atwood
in reply to David Monniaux • • •
Emmanuel Wald
in reply to Jeff Atwood • • •
Julien
in reply to Jeff Atwood • • •
erinaceus
in reply to Jeff Atwood • • •I have to agree with @dalias here. The law is not about cookies or cookie banners. The law is about tracking and handling personal data. You are even generally allowed to handle personal data if:
1. it is technically or legally necessary for your service
2. you _only_ use that data for the intended purpose
3. you delete it if you do not need it anymore.
For other things, you need consent. The banners are to get your consent to share your data with 90+ different third parties.
Marcus Bointon
in reply to Jeff Atwood • • •
Davey
in reply to Jeff Atwood • • •What if I told you that site owners could just show a Yes/No popup instead of sending visitors down a rat maze to subdue them into data collection?
This is 100% malicious compliance and if you can't see it, you're not looking closely enough in this matter.
Signed, someone whose sites don't have popups cus I'm not invested in collecting user data.
Raphael Lullis
in reply to Jeff Atwood • • •
Mark Koek
in reply to Jeff Atwood • • •
ÐДѷє ۷ǿȵ ຣ
in reply to Jeff Atwood • • •@dalias no, you need a legal basis according to the GDPR. Consent (which many people already pointed out the banner is not) is just one of them.
It’s just laziness of companies to choose the banner route.
Markus Fink
in reply to Jeff Atwood • • •
lj·rk
in reply to Jeff Atwood • • •@dalias Oh ffs, this isn't true and you should know better than perpetuating that lie.
I host multiple websites. None with cookie banners. This works even for news, e.g. @gamingonlinux -- and Liam isn't even hosting in the EU but AUS. But he, correctly, thinks that just not needing a cookie banner is exactly the right thing to do.
Liam @ GamingOnLinux 🐧🎮
in reply to lj·rk • • •
Liam @ GamingOnLinux 🐧🎮
in reply to Liam @ GamingOnLinux 🐧🎮 • • •
taziden
in reply to Jeff Atwood • • •@dalias
Tobias
in reply to Jeff Atwood • • •
NMDoerner
in reply to Jeff Atwood • • •@dalias
Absolute nonsense.
No need for banners if you don't track users.
Stop telling bullshit.
justJanne
in reply to Jeff Atwood • • •@dalias no, it's not required. None of the EU companies I've been at needed cookie banners, and neither do you.
There's one simple trick: just don't track users. It's even possible to run ads without tracking. Print media has done so for decades!
James Cridland
in reply to Jeff Atwood • • •@dalias My main website is GDPR compliant and has no cookie banner. Instead, *if* I set a cookie that can be made to track someone, I ask *when* I set the cookie (ie when you log in).
Setting a cookie that doesn’t track a visitor does not require consent.
Joe Brockmeier (@jzb)
in reply to Jeff Atwood • • •@dalias The reaction you're having is *exactly* what ad tech companies hope for.
Their malicious "compliance" is not required by the GDPR, but that's how they've chosen to strike back at users for daring to use legislation to try to protect their data.
Cassandrich
in reply to Cassandrich • • •
Dún Piteog reshared this.
Furosshu
in reply to Cassandrich • • •@codinghorror
Geizhals Preisvergleich Deutschland (Geizhals.de)
Gerard Cunningham ✒️
in reply to Furosshu • • •Eventually an EU court will declare DNT legally binding, and there will be wailing and gnashing of teeth.
Matteꙮ Italia
in reply to Gerard Cunningham ✒️ • • •German court bans LinkedIn from ignoring "Do Not Track" signals
Alex Ivanovs (Stack Diary)
Gerard Cunningham ✒️
in reply to Matteꙮ Italia • • •@cvtsi2sd @frosch @dalias
This one?
mastodon.ie/@faduda/1145116765…
Gerard Cunningham ✒️ (@faduda@mastodon.ie)
mastodon.ie
RevK
in reply to Cassandrich • • •@dalias Indeed, but I would say it was 100% entirely predictable that this would be the outcome, and so on that basis the regulations were really badly thought out.
Personally, I think some rules on this are a tad far, it makes sense for a site to have logs and track sessions - if only to improve the site or understand traffic. The bad bit is the third parties and cross site targeted ads and profiles and shite we see in the advertising industry.
Rihards Olups
in reply to RevK • • •
RevK
in reply to Rihards Olups • • •@richlv @dalias OK I may have not quite explained my concern. But that may be better another day.
I fully agree the pop-ups are stupid, and unfounded. We have no pop-ups on our company sites.
Guillaume Rischard
in reply to RevK • • •
Kristoffer Lawson
in reply to Cassandrich • • •
Mark Koek
in reply to Kristoffer Lawson • • •
Oblomov reshared this.
Kristoffer Lawson
in reply to Mark Koek • • •@mkoek @dalias tell that to the thousands of startups desperately trying to balance with a billion other things they're trying to do. That's just not a practical suggestion when the third party analytics are much faster to set up, better understood, and generally superior too than some self-hosted thing cobbled together.
As mentioned, the reality we are in today with cookie popups everywhere was 100% predictable and the regulation was thus poorly considered.
Mark Koek
in reply to Kristoffer Lawson • • •
Oblomov reshared this.
Kristoffer Lawson
in reply to Mark Koek • • •@mkoek @dalias frankly, yes. The law hasn’t changed anything of substance. Companies still use the same analytics tools. But now users are constantly nagged at, and companies have increased costs and slower go to market times as they need to faff with these things.
Perfect example of regulation that is completely misguided, and is a nuisance to almost everyone, bar a few people on Mastodon. Wrong approach.
Mark Koek
in reply to Kristoffer Lawson • • •
Oblomov reshared this.
Jeff Atwood
in reply to Mark Koek • • •
Jeff Atwood reshared this.
codemonkey_uk
in reply to Jeff Atwood • • •
Oblomov reshared this.
Jeff Atwood
in reply to codemonkey_uk • • •
Mark Koek
in reply to Jeff Atwood • • •
Jeff Atwood
in reply to Mark Koek • • •
Cassandrich
in reply to Jeff Atwood • • •
Jeff Atwood
in reply to Cassandrich • • •
Cassandrich
in reply to Jeff Atwood • • •@mkoek @Setok When the behavior of some humans is actively hostile towards others I care about, I absolutely am going to work against that behavior, and encourage others to do so too.
Not doing that is how we got where we are. Letting bad people keep pushing norms and boundaries to do harmful things they wanted to make money doing.
webhat reshared this.
LisPi
in reply to Cassandrich • • •Fun fact about this: This relates to the nature vs nurture argument.
Nurture accounts for a lot and there's considerable archeological evidence for egalitarian societies.
"Real world human behavior" is either a uselessly constrained set designating exclusively the state of current societies, or a uselessly broad term that can encompass basically any possible society.
G
in reply to Jeff Atwood • • •that's funny because SO doesn't pay the content creators either 😀
and the main point left out on these discussions all the freaking time:
the reason the popups exist is because the cost of a thousand advertising "impressions" is roughly less than a cent for an unknown user, and around $12 for a user with a full profile, hence sites try to match you every visit.
Oblomov reshared this.
Jeff Atwood
in reply to G • • •
Liam Proven
in reply to Jeff Atwood • • •@mkoek @Setok @dalias
“Information wants to be free; information [also] wants to be expensive.” -- Stewart Brand
craphound.com/gbbt/Cory_Doctor…
Jeff Grigg
in reply to Liam Proven • • •@lproven @mkoek @Setok @dalias
Even being the "card-carrying Libertarian" that I am, I have long said that the most fundamental errors of Libertarian philosophy are to assume that
(1) reliable information is free
[It is not. It is expensive and difficult to obtain. There's no "want" about that; it's just reality.]
and
(2) people are rational.
[Like, do I really need to explain this? Especially in the context of current politics? 🙄 ]
Oblomov reshared this.
Jeff Atwood
in reply to Jeff Grigg • • •I agree very strongly with both of these points, there is nuance here for sure, but these two points get to the heart of the matter. 💛
p.s. I am NOT and HAVE NEVER BEEN a libertarian, for the record, because..
Stryder Notavi
in reply to Jeff Grigg • • •@JeffGrigg @lproven@vivaldi.net @codinghorror @mkoek @Setok @dalias Honestly, fully realising the consequences of 1 and 2 are one of the reasons I'm no longer a Libertarian - because the best way to address 1 and to a lesser extent 2 is through shared resources (public library, weather service, schools, etc) as infrastructure that we all pay for.
Suddenly having some kind of shared social obligation actually starts making sense.
Oblomov reshared this.
Jeff Atwood
in reply to Stryder Notavi • • •
LeeRayl
in reply to Jeff Atwood • • •@StryderNotavi @JeffGrigg @mkoek @Setok @dalias but being a libertarian has been bastardized into stupidity. Libertarians formed an entire state, Utah.
The Mormon community is a libertarian success story. Libertarianism isn’t about individualism as it’s made to sound today.
Political concepts mean nothing without consequences and conviction, doesn’t matter your beliefs.
Much like most other forms of politics and religion, most don’t fully understand outside their small world view.
Call it whatever, it’s still just theory but if people need a good working version of actual libertarianism start with closed communities like Mormons, Amish, Hutterites, and the actual theory is solid.
Just like small successful communities of socialists, communists, Catholics, Buddhist, etc…
I am not advocating for that, just pointing out that libertarianism is not the picture of tin foil Tim grumbling about taxes and more like closed communities we live amongst.
justJanne
in reply to Jeff Atwood • • •@mkoek @Setok @dalias
As society, we've decided that some business models shouldn't exist.
You could make the same argument about root causes and money trying to find a way about many other business models society has deemed unwanted.
Of course it's a game of whack-a-mole, but that's true whether the business model is ad telemetry (aka surveillance capitalism), fake gucci bags or cooking meth.
Luckily, the tide is slowly and surely turning against telemetry driven content.
Jeff Atwood
in reply to justJanne • • •
Greg Hills
in reply to Jeff Atwood • • •@mkoek @Setok @dalias
"Users want everything for free, forever, and content creators want to make money to feed themselves and their families"
Wait a minute. Who are the users and who are the content creators on Stack Overflow? All the content creators were users. The ones who decided to monetise that site were a third category, site owners. Their desire for income was legitimate, but don't pretend it was the downtrodden content creators crying for money for their children.
Riku Voipio
in reply to Jeff Atwood • • •@mkoek @Setok @dalias People would be willing to pay for content, if there was a frictionless micropayment method. But no, the idea of "paying" online is to register an account, enter credit card details and subscribe for year.
Once up a time people shouted at street corners "content" and by giving a few pennies you would get the daily paper of content. Peak UX.
Bert
in reply to Jeff Atwood • • •@mkoek @Setok @dalias false dichotomy: there is more than the 2 extremes “free” and “personalised ads” …
There’s still the “passive advertising” choice where advertisers/ad platforms study which sites their target audience frequently stop at, and post non-tracking ads there.
As frustrating as cookie banners are, they are a EU symptom for a (mostly) US cause.
These are not the indignations you’re looking for …
FediThing 🏳️🌈
in reply to Cassandrich • • •
Eric Vitiello
in reply to Jeff Atwood • • •
Robert Kingett reshared this.
Jeff Atwood
in reply to Eric Vitiello • • •
Jordan Maris 🇪🇺 🇺🇦 #NAFO
in reply to Eric Vitiello • • •
Fritz Adalis
in reply to Jeff Atwood • • •
Oblomov reshared this.
Nfoonf
in reply to Jeff Atwood • • •
Oblomov reshared this.
Ed
in reply to Jeff Atwood • • •
Oblomov and Bluebabbler reshared this.
mhoye
in reply to Jeff Atwood • • •
Oblomov reshared this.
mhoye
in reply to Jeff Atwood • • •True, but my point remains. This shitty experience we're collectively having here this isn't "the EU forcing cookie notification on people", it's "the malicious compliance of companies that profit from user tracking."
Every company that shows you a cookie popup has made the choice to put a few fractions of pennies of possible future profit ahead of your experience.
gdpr.eu/cookies/
Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
Richie Koch (GDPR.eu)
Oblomov and Comandante Virgola reshared this.
➴➴➴Æ🜔Ɲ.Ƈꭚ⍴𝔥єɼ👩🏻💻
in reply to mhoye • • •
Sebastian Lauwers
in reply to ➴➴➴Æ🜔Ɲ.Ƈꭚ⍴𝔥єɼ👩🏻💻 • • •@AeonCypher @mhoye Then they’re incompetent. I’ve built and operated dozens of websites, from personal blogs to websites serving billions of views for big pharma. None of them have a cookie notice (or at least had them when I left), because they’re not needed unless you actively and aggressively track people.
Did it require educating and fighting overly cautious legal departments? Absolutely. Was it relatively trivial? Also yes.
➴➴➴Æ🜔Ɲ.Ƈꭚ⍴𝔥єɼ👩🏻💻
in reply to Sebastian Lauwers • • •@teotwaki @mhoye I'm responsible for European compliance. You are completely, totally, factually incorrect.
If you use _any_ cookies whatsoever that is data from the user (including, for example, click behavior) you are required to give notice under GDPR, regardless of whether or not they are tracking you.
If you use any third party service that _may_ be tracking, then you are required to give a banner and forward that to the integrated system.
The reason a bunch of websites (e.g. gouv.fr sites) have options for things that don't exist on the site (like marketing cookies) is because it's plug and play with a ton of javascript frameworks -or- because of a third party integration (like datadog for site monitoring etc)
Increasingly GDPR cookie violations are being enforced, companies are scared, and people are reaching for the most expedient solution.
That claim that "they’re not needed unless you actively and aggressively track people" is just radically incorrect. You need permission for _any_ cookie that monitors and stores _any_ personal data (including user behavior) whatsoever.
Jeff Atwood
in reply to ➴➴➴Æ🜔Ɲ.Ƈꭚ⍴𝔥єɼ👩🏻💻 • • •
Cassandrich
Unknown parent • • •
Jeff Atwood
Unknown parent • • •
Cassandrich
Unknown parent • • •@lispi314 @leymoo They may be well-intentioned* but they're not well-designed or doing everything right. They're tracking visitors without their consent.
* Normally I would not even call this well-intentioned, but as I said upthread, the fact that every web framework *automatically sets session cookies assuming you want to break the law and track users* even when the user has not indicated that they want to do something like log in or store a shopping cart, means a lot of people *don't even know they're doing it*. But this doesn't excuse it; it just makes them "well-intentioned".
Yann Droneaud
in reply to Jeff Atwood • • •
aeris
in reply to Yann Droneaud • • •Legally, banners are not lawful here too. It's only companies which try to keep unlawful processes alive… But authorities refuse to really act against this, because lots of money/business/jobs are in the game.
Legally, consent acceptance CAN'T be browser side (not a specific, positive and unambiguous action). But refusal can be, and is (developer.mozilla.org/en-US/do…)
But nobody gives a shit about this.
Sec-GPC header
developer.mozilla.org
Jonas Høgh
in reply to Jeff Atwood • • •
Oblomov reshared this.
William Oldwin
in reply to Jeff Atwood • • •
Oblomov reshared this.
William Oldwin
in reply to William Oldwin • • •As for why this isn't a browser feature, it was and is! It is a *choice* by your industry to disregard this, by ignoring DNT and not implementing GPC in major browsers. Did your site honour DNT? Does it honour GPC in places where it is not legally obliged to?
developer.mozilla.org/en-US/do…
globalprivacycontrol.org/
Global Privacy Control — Take Control Of Your Privacy
globalprivacycontrol.org
Oblomov reshared this.
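The server-side handling that several replies above describe (honouring DNT and Sec-GPC as a browser-level refusal, and treating technically necessary cookies such as a login session separately from tracking purposes), written up as an added Python example that is not part of this thread or any participant's code. The consent-cookie name and format, the purpose names and the sample header values are constructed for the illustration.

```python
"""Consent decisions that honour the browser opt-out signals discussed in
the replies above (Sec-GPC and the older DNT header) and treat strictly
necessary cookies separately. Cookie names and values are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    # Cookies for a function the visitor asked for (login session, CSRF
    # token, the consent record itself) need no consent at all.
    STRICTLY_NECESSARY = "necessary"
    ANALYTICS = "analytics"
    ADVERTISING = "advertising"


NON_ESSENTIAL = {Purpose.ANALYTICS, Purpose.ADVERTISING}
CONSENT_COOKIE = "consent"  # constructed name of the cookie holding the choice


def _lower_headers(headers: dict[str, str]) -> dict[str, str]:
    """Header names are case-insensitive; normalise them once."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def browser_opts_out(headers: dict[str, str]) -> bool:
    """True when the browser sends Sec-GPC: 1 (Global Privacy Control) or
    DNT: 1. Both are refusals, so nothing needs to be asked; just honour them."""
    h = _lower_headers(headers)
    return h.get("sec-gpc") == "1" or h.get("dnt") == "1"


def parse_cookie_header(value: str) -> dict[str, str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies: dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def consent_decision(headers: dict[str, str]) -> set[Purpose] | None:
    """Purposes the visitor granted on an earlier visit, or None if no
    decision was ever recorded. The value 'none' is an explicit refusal."""
    cookies = parse_cookie_header(_lower_headers(headers).get("cookie", ""))
    if CONSENT_COOKIE not in cookies:
        return None
    granted: set[Purpose] = set()
    for token in cookies[CONSENT_COOKIE].split(","):
        token = token.strip()
        if token in ("", "none"):
            continue
        try:
            granted.add(Purpose(token))
        except ValueError:
            pass  # unknown purpose names are ignored, never trusted
    return granted & NON_ESSENTIAL  # nobody can "grant" the necessary class


@dataclass
class ResponsePlan:
    allowed: set[Purpose] = field(default_factory=set)
    show_prompt: bool = False
    opted_out: bool = False


def plan_response(headers: dict[str, str], wanted: set[Purpose],
                  stateful_action: bool) -> ResponsePlan:
    """Which cookie purposes this response may set, and whether a consent
    prompt is warranted. stateful_action is True only when the visitor
    started something needing server-side state (login, shopping cart)."""
    plan = ResponsePlan(opted_out=browser_opts_out(headers))
    decision = consent_decision(headers)
    for purpose in wanted:
        if purpose is Purpose.STRICTLY_NECESSARY:
            # A session id is necessary only once there is a session to keep;
            # a visitor who merely reads pages gets no cookie at all.
            if stateful_action:
                plan.allowed.add(purpose)
        elif plan.opted_out:
            continue  # the browser signal is an explicit refusal
        elif decision is not None and purpose in decision:
            plan.allowed.add(purpose)
    # Prompt only if something non-essential is wanted, the browser has not
    # already refused, and no earlier decision is on record.
    plan.show_prompt = (not plan.opted_out and decision is None
                        and bool(wanted & NON_ESSENTIAL))
    return plan


def set_cookie_header(name: str, value: str,
                      max_age: int | None = None) -> str:
    """Set-Cookie line with the attributes every cookie should carry: Secure
    (never sent over plain HTTP, the Firesheep lesson from the linked post),
    HttpOnly and SameSite=Lax. Without Max-Age it ends with the browser session."""
    attrs = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        attrs.append(f"Max-Age={max_age}")
    return "; ".join(attrs)
```

With this policy a site that only wants a login session never renders a prompt, and a browser sending Sec-GPC: 1 or DNT: 1 is never asked either, which is the browser-level behaviour the thread argues for.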
Anthony Rabine
in reply to Jeff Atwood • • •
Djoerd Hiemstra 🍉
in reply to Jeff Atwood • • •Don’t blame the EU. Respect
DNT: 1
en.wikipedia.org/wiki/Do_Not_T…
proposed HTTP header field that requests web applications to disable individual user tracking
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)
Oblomov and Jeff Atwood reshared this.
pgcd
in reply to Jeff Atwood • • •It's a *perfect* strategy, if your goal is to get the user to accept the cookies out of sheer frustration.
Which should be evidence enough of who decided for this pattern.
Adtech industry figured it's easier to zerg users into submission, and this is the result.
@dalias @lispi314 @leymoo
Aurelian Dumanovschi
in reply to Jeff Atwood • • •"Encrypting everything just to protect that one lousy cookie header seems like a whole lot of overkill to me.
I’m not holding my breath for that to happen any time soon, though. "
Looks like you were wrong about both this and the GDPR cookies.
Jeff Atwood
in reply to Aurelian Dumanovschi • • •
Aurelian Dumanovschi
in reply to Jeff Atwood • • •the responsibility is on site operators. @pluralistic has no cookie banners because he doesn't track. My Mastodon instance has no cookie banners because it doesn't track. And it uses cookies to remember logins.
I think it's lawyers and greed from C levels that ruined the web here, not politicians.
hambier
in reply to Jeff Atwood • • •@aurelian ublock origin has specific rules to filter them out. It works wonderfully on the desktop and on mobile. (Firefox/Linux and Firefox/Android)
That is the browser-based solution you're asking for.
(Without it the web is indeed unusable but put the blame where it is due ffs.)
Kuba Orlik
in reply to Jeff Atwood • • •hey, EU doesn't force cookie banners on websites. Just... don't track your users with third party scripts and no consent mechanism is necessary then.
For context: I work as a website GDPR compliance auditor
Kuba Orlik
in reply to Kuba Orlik • • •if you only use cookies for logging users in, you don't have to gather consent beforehand or have any dismissable popup.
The popup is a made-up requirement by the ad industry
Kuba Orlik
in reply to Kuba Orlik • • •
GunChleoc
in reply to Kuba Orlik • • •@kuba The one mistake that the EU has in the regulation is to strictly outlaw dark patterns, but if I remember correctly they did push that the decline option has to be as easy as the accept option. Compliance is still somewhat iffy though.
Speaking of browser implementation, vendors could simply have used the already existing "Do Not Track" option to comply and made a little footer with an explanation on where to set it if people haven't opted out.
Robert Kingett
in reply to GunChleoc • • •
Kuba Orlik
in reply to Robert Kingett • • •
William Oldwin
Unknown parent • • •
Robert Berger
in reply to Jeff Atwood • • •Except you want to sell visitor data...
Jesse
Unknown parent • • •complain to the site, it's not the EU's fault.
I'm still amazed that all the UI/UX people have allowed sites to continue to have this bad UX.
Oblomov reshared this.
BohwaZ
in reply to Jeff Atwood • • •
Roadskater, Ph.D.
Unknown parent • • •
BohwaZ
Unknown parent • • •@willegible
doragasu
in reply to Jeff Atwood • • •
GunChleoc
Unknown parent • • •
dallo
Unknown parent • • •"Human nature" is not an argument. What are you talking about?
@willegible
Bluebabbler
in reply to Jeff Atwood • • •2. Tech companies instead of complying threaten to turn tables and take away services from citizens.
3. Citizens instead of getting angry at tech companies complain about institutions.
4. Citizens realise too late that they have no rights.
Jonas Høgh
Unknown parent • • •
lertsenem
in reply to Jeff Atwood • • •
Claudius
Unknown parent • • •@willegible sites used to run ads without data collection. It's not that hard. Tech topic? Run ads for tech stuff. Creativity topic? Run ads for creative supplies.
This has worked for decades.
Fish Id Wardrobe
Unknown parent • • •
dusoft
in reply to Jeff Atwood • • •
Tykayn
in reply to Jeff Atwood • • •yup totally, another text of law made to let shittyfiers run business as usual.
how about the do not track feature that is widely ignored but already implemented? and yeah, if people making websites did not think it would be a good idea to give everyone's privacy to analytics there would be no need for such cookie popups, as it is already stated.
GrumpyDad 🇺🇦🇵🇸
in reply to Jeff Atwood • • •At least point the blame at the correct entity.
Also, I don't think you'd like the EU to force browsers to do stuff. In that case you'd probably be complaining about that instead.
Rihards Olups
Unknown parent • • •Arguing that personal information must be collected because people prefer to pay less is shifting the blame to the victims.
Stricter enforcement is needed to make it less profitable to be assholes.
Marcus Bointon
in reply to Jeff Atwood • • •
Davey
in reply to Jeff Atwood • • •If it only it was possible for websites to exist without tracking the shit out of every user.
But no, these evil popups which the EU definitely said every site must have stand in the way of the newsletter sign-up popup, the three overlaid autoplaying videos, the half screen ads, and the push notifications popup that we're all just dying to see.
Wait no you can just not treat visitors like a commodity to be shopped around. Because that's gross.
🌈☔🌦️🍄🌱🍉
in reply to Jeff Atwood • • •Yes it should be a browser feature. But no, this blame is not with the EU. They just require consent if you do overt user tracking. Even if you would want advertising, this form is toxic as fuck and enough sites do the invasive tracking without advertising.
There is a related browser feature that helps here: the do not track header. If you honor that, you do not need to show a cookie banner when set.
Pixdigit
in reply to Jeff Atwood • • •
Rickyx
Unknown parent • • •I don't think it is the EU, it is just an implementation of a regulation:
we could blame the data capitalism for this path.
This banner is done to force/make easier to accept every tracker of the 1728 partners of the website but different strategies could be implemented to avoid this bad UX.
Ah, well, but then it could be more difficult to track the user between sites...
NB. This posted example does not comply with the GDPR.
tinkel
in reply to Jeff Atwood • • •GDPR does not force cookie notices if you have only functional cookies.
You need notices when you want to invade privacy. Then you must give people a choice. gdpr.eu/cookies/
#EU #GDPR #privacy #internet
Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
Vitalik
in reply to Jeff Atwood • • •
Expertenkommision Cyberunfall
in reply to Jeff Atwood • • •
Joris Meys
in reply to Jeff Atwood • • •nah. The EU didn't "force the cookie notice" on anyone. It just requires that if you track people, you need their consent. If data brokers choose to make the most hideous dark patterned interfaces for that, then that's on them.
Tracking people without their consent is called stalking. You sure you want to defend that?
Kerfuffle
in reply to Jeff Atwood • • •
Gero Stein
in reply to Jeff Atwood • • •
Bart Vandeputte
in reply to Jeff Atwood • • •
Davey
Unknown parent • • •those points I can agree with, but it was the industry that decided something which is a privacy disaster was a cool and normal solution to this.
And any time people are asked, overwhelmingly they hate being tracked for targeted advertising, in the US or the EU.
And now ad revenue has gone off a cliff anyway thanks to AI scrapers, so I dunno, maybe it was an evolutionary dead end when every hot B2C start-up always settled on targeted advertising. So much for innovation, like.
René Seindal
in reply to Jeff Atwood • • •My web sites don't have cookie popups because they don't track people.
They're not obligatory. Just respect people's privacy.
Stéphane Bortzmeyer
in reply to Jeff Atwood • • •Sorry, but this is bullshit US propaganda. There is no obligation to have a cookie banner (my blog does not have one, for instance), even if you use cookies (a lot of important uses, such as logging in and out are excluded).
#factChecking
webhat
in reply to Jeff Atwood • • •
Wolf480pl
in reply to Jeff Atwood • • •wait a sec... is this the right link?
A blog post from 2010 on how it's a bad idea to demand that every website uses https, but considering that a better authentication protocol won't come, demanding https is our best bet?
How's that relevant to cookie popups?
And how has no one in this thread noticed this before? Did they not read the blogpost?
Carlos Rodrigues 🪣
in reply to Jeff Atwood • • •The EU does not force cookie notifications. It forces CONSENT for cookies set SPONTANEOUSLY by websites.
Any cookies set by an action from the user (e.g. setting the language, logging in, ...) do not require consent.
It is the industry that forces that cookie notification bullshit because they can't stop themselves from tracking you.
I live in the EU. I see cookie notices many times every day. I still applaud the EU on this.
rugk
in reply to Jeff Atwood • • •See mastodon.ar.al/@aral/115122589… Aral is correct, gdpr does not mandate cookie notices.
Aral Balkan
2025-08-31 09:08:32
FreediverX
in reply to Jeff Atwood • • •
Niels Moseley
in reply to Jeff Atwood • • •
Sir l33tname
in reply to Jeff Atwood • • •
Augier (fr & en) 🇵🇸🇺🇦☭🏴
in reply to Jeff Atwood • • •GDPR never mandated cookie banners. GDPR mandates user consent. There was a browser feature for that: the DNT HTTP header. That header was deprecated because nobody respected it. It was just easier to enforce user consent through cookie banners and dark patterns.
Nothing here is EU's fault. You want a better option? Campaign for a legislation to enforce the website to respect DNT.
Or… Just don't track?
Radote Chill Pépère 🌶️
in reply to Augier (fr & en) 🇵🇸🇺🇦☭🏴 • • •Thank you.
Cookie banners are just malicious compliance from companies.
Augier (fr & en) 🇵🇸🇺🇦☭🏴
in reply to Augier (fr & en) 🇵🇸🇺🇦☭🏴 • • •
nLupo
in reply to Augier (fr & en) 🇵🇸🇺🇦☭🏴 • • •
Peter Bindels
in reply to Augier (fr & en) 🇵🇸🇺🇦☭🏴 • • •
hambier
in reply to Jeff Atwood • • •It was a missed opportunity indeed. Instead of allowing non-essential tracking cookies if the user naïvely agrees to them, they should just have been banned outright. No banners needed.
As for technically required cookies like session ids, no banner is necessary.
Martin Marconcini
in reply to Jeff Atwood • • •The EU didn't "force anything".
"If you want to track (or share information), you must seek consent"
Websites had various alternatives.
1. Don't do it. No consent needed.
2. Need? Then Ask.
Nowhere in the docs is mentioned that it should be borderline impossible to say no (or to use a banner)
This is on companies, not the EU. The alternative is they do it behind the scenes without your consent.
Of course bureaucracy made it possible to abuse loopholes. And here we are.
Lazy B0y
in reply to Jeff Atwood • • •Don't try to track people's privacy, then you have nothing to fear.
Track people for shitty ad targeting and whatnot, then you get regulated.
What actual reason do sites even have to share my data with 27854 gazillion "partners"?
Correct: None.
hambier
Unknown parent • • •@dalias @lispi314 @leymoo A well-intentioned website does not need a cookie banner! I hate the banners as much as you do (ublock takes care of them though...) but the culprit is 100% the website operator doing obnoxious tracking and not the regulation.
If you want to criticize the EU, go ahead, there is lots to criticize, but here the blame is clearly on site owners.
hambier
Unknown parent • • •
Karl
in reply to Jeff Atwood • • •I find it difficult to believe that the EU meant for those cookie banners to be the response to their requirements. It is nothing else than malicious compliance.
After doing some digging it seems that functional cookies do not require consent, but the tracking that is shared with third-parties does (that would be advertisers and social network trackers).
Paul Grave
Unknown parent • • •
Kornel
in reply to Jeff Atwood • • •This has been a browser feature since 2002: w3.org/TR/P3P/
It has been implemented in IE, but Google sabotaged it by deliberately sending invalid syntax to bypass it.
Browsers tried again with the DNT spec. The tracking industry ignored it again.
It should have been solved with an easy opt-out, but there's a multi-trillion business that needs the opt-out to be as difficult as possible, and benefits from making people associate privacy with stupid annoyances.
The Platform for Privacy Preferences 1.0 (P3P1.0) Specification
Världens bästa Kille™
in reply to Jeff Atwood • • •I published my business’ site this Friday. No cookie consent necessary.
It’s all a matter of what cookies you (don’t) use.
Tobias
in reply to Jeff Atwood • • •Cookie Notices are *NOT* necessary by default.
We do review those, and, yes, there are websites that don't need cookie banners. Why? Because they don't track their users. Simple as that.
Parigot-Manchot φ
in reply to Jeff Atwood • • •
zrb
in reply to Marcus Bointon • • •the fact that most frameworks with a cookie opt-in popup will remember your decision ONLY if you click "accept all", but if you click "reject all" they popup again and again, is clearly indicative of the dark pattern the data collector wishes the user to fall into.
It's likely that they excuse this behavior by saying some variation of "but if the user rejects all cookies then we can't store the fact that they rejected all cookies, and we'll have to ask them again next time" which is bullshit because they're ABSOLUTELY storing OTHER basic information about that user, they just choose not to store this. The only lasting solution to eliminate opt-in popups is to not be tracking user information in the first place.
Kees de Kooter 🍉
in reply to Jeff Atwood • • •
Veronica Olsen 🏳️🌈🇳🇴🌻
in reply to Paul Grave • • •
Attie Grande
in reply to Jeff Atwood • • •Resurfacing this post from 2010 (with a series of poor, flawed and very outdated opinions) is a mighty odd thing to do...
Not to mention that cookie banners are only required for 3rd party cookies (e.g: tracking / ad networks / etc...), which means you're sharing user data with other random / unknown entities. If you don't want to present a cookie banner, then don't share user data without their consent. Simple.
cy
in reply to Jeff Atwood • • •
Hey Gus
in reply to Jeff Atwood • • •
cy
Unknown parent • • •
soc
in reply to Jeff Atwood • • •
sbi
Unknown parent • • •@davey_cakes Sorry, but that's just plain wrong. If the industry had just obeyed Do Not Track, you would not have to ask the users explicitly. This is an entirely home-made problem. And by home-made I mean by the content industry, aka You. Actually, browsers still support DNT. If you respect that, you will never have to ask.
(And, no, saying that "this is a drug" does not in fact exonerate you. It just makes you a drug dealer.)
DJGummikuh
in reply to Jeff Atwood • • •
sbi
in reply to Jeff Atwood • • •That's shady AF.
Francis 🏴☠️ Gulotta
Unknown parent • • •
as a large fashion model,
in reply to Jeff Atwood • • •
Bredroll
in reply to Jeff Atwood • • •
Simon Brooke
in reply to Jeff Atwood • • •the EU didn't force any cookie notification shit on anyone. It just said that you couldn't share personally identifying information about people without their permission.
It's EASY to run a website without sharing personally identifying information. All those websites with cookies popups? They're spying on you.
Bruno Nicoletti
in reply to Jeff Atwood • • •
Future Sprog
in reply to Jeff Atwood • • •There is a browser feature for this. It’s called Do Not Track. You include “DNT: 1” in your request. It is handled invisibly.
Unfortunately many website operators maliciously turned this into an excuse to make the web worse and decided to ignore the header and nag everyone all the time.
@codinghorror
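What honouring that header looks like on the server side, as an added example (Python) that is not code from any poster in this thread: the handler treats an incoming `DNT: 1` as an opt-out, and also the `Sec-GPC: 1` header that Global Privacy Control browsers send, which is assumed here as a second, equivalent signal. Strictly necessary cookies (session id, CSRF token) are always set; tracking cookies are set only with recorded consent and never when the browser has opted out, so the opt-out wins over a stale stored consent and no banner is ever needed for an opted-out visitor. Cookie names and values are constructed sample data.

```python
# Added example: honour the browser's opt-out signal instead of nagging.
# A site that only sets FUNCTIONAL cookies never needs a consent banner;
# a site that wants TRACKING cookies needs one only when the visitor has
# neither consented nor opted out via DNT / Sec-GPC.
from dataclasses import dataclass
from typing import Iterable, List, Mapping

FUNCTIONAL = "functional"  # strictly necessary: session, CSRF, language choice
TRACKING = "tracking"      # analytics / advertising identifiers


@dataclass(frozen=True)
class CookieSpec:
    name: str
    value: str
    category: str          # FUNCTIONAL or TRACKING
    max_age: int = 3600    # seconds


# Constructed sample: one strictly necessary cookie and one tracking cookie.
SAMPLE_COOKIES = [
    CookieSpec("sessionid", "constructed-session-token", FUNCTIONAL),
    CookieSpec("_ad_uid", "constructed-tracking-id", TRACKING, max_age=31536000),
]


def opted_out(headers: Mapping[str, str]) -> bool:
    """True when the request carried DNT: 1 or Sec-GPC: 1.

    HTTP header names are case-insensitive, so normalise before looking up.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    return lowered.get("dnt") == "1" or lowered.get("sec-gpc") == "1"


def allowed_cookies(headers: Mapping[str, str], cookies: Iterable[CookieSpec],
                    consent_given: bool = False) -> List[CookieSpec]:
    """Return the cookies this response may set.

    Functional cookies are always allowed. Tracking cookies require recorded
    consent AND no opt-out header; the header wins, so a visitor who turned on
    DNT/GPC after consenting is still respected.
    """
    permit_tracking = consent_given and not opted_out(headers)
    return [c for c in cookies if c.category == FUNCTIONAL or permit_tracking]


def needs_consent_banner(headers: Mapping[str, str], cookies: Iterable[CookieSpec],
                         consent_given: bool = False) -> bool:
    """A banner is warranted only if tracking cookies are wanted, the browser
    has not already said no, and no consent has been recorded."""
    wants_tracking = any(c.category == TRACKING for c in cookies)
    return wants_tracking and not consent_given and not opted_out(headers)


def set_cookie_headers(headers: Mapping[str, str], cookies: Iterable[CookieSpec],
                       consent_given: bool = False) -> List[str]:
    """Render Set-Cookie values with defensive attributes for every allowed cookie."""
    return [
        f"{c.name}={c.value}; Max-Age={c.max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"
        for c in allowed_cookies(headers, cookies, consent_given)
    ]


if __name__ == "__main__":
    for request_headers in ({"DNT": "1"}, {"Sec-GPC": "1"}, {}):
        print(request_headers, "banner needed:",
              needs_consent_banner(request_headers, SAMPLE_COOKIES))
        for header_value in set_cookie_headers(request_headers, SAMPLE_COOKIES):
            print("  Set-Cookie:", header_value)
```

The design choice worth noting is that the opt-out header is checked at the moment the cookie is set, not only when a banner is rendered; a consent recorded last year must not override a signal the browser is sending right now.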
/madonius
in reply to Jeff Atwood • • •CCC | Startseite
Peter Bindels
in reply to Jeff Atwood • • •> it is difficult to take you seriously when you forced all this cookie notification bullshit on us.
There is nothing in the law that says you have to add a cookie wall for most websites - and the law says that in the cases where the sites must get your consent, that the cookie wall is not sufficient.
It is literally useless, other than making *YOU SPECIFICALLY* and people like you blame the EU for companies' evil behavior.
Szymon Nowicki
in reply to Jeff Atwood • • •USA, it is difficult to take you seriously
youtube.com/watch?v=Pp9MwZkHiM…
Rebolek
in reply to Jeff Atwood • • •
gadgetoid
in reply to Jeff Atwood • • •
Jordan Maris 🇪🇺 🇺🇦 #NAFO
in reply to Jeff Atwood • • •
Santiago
in reply to Jeff Atwood • • •
vurpo 🏳️⚧️ (2869)
in reply to Jeff Atwood • • •you fell for the american adtech propaganda. cookie notices, consent popups, banners are NOT required if you ONLY use cookies for necessary functional purposes such as storing someone's login session. cookie popups are an invention of the adtech industry, not the EU.
what's that, you're tracking your users beyond what's required to make the website function? figures.
dragonfrog
in reply to Jeff Atwood • • •the EU didn't force cookie consent pop-ups, it forced consent pop-ups *if the cookies are used for third party surveillance*.
The obnoxious behaviour isn't the pop-up it's the surveillance. The pop-up just makes the obnoxious behaviour visible. If website owners don't want to be seen to be obnoxious, they used to be able to choose to hide what they were up to, now they must choose not to be obnoxious.
That's a good thing.
kravietz 🦇
in reply to dragonfrog • • •
Dennis Mansell
Unknown parent • • •MyTerms
ltning
in reply to Jeff Atwood • • •Tell me you don't know what you're talking about without telling me you don't know what you're talking about.
Also, tell me you're a spoiled brat who expects to leech off of your users without ... you get my point.
Nobody is forcing you to have cookie notifications. Not sharing data with 3rd parties does not mean you can't run ads and monetise. Will it be harder to do it ethically, fairly and legally? Sure. But only because the ad industry keeps telling you non-targeted, non-invasive ads are worthless. They're not, they're just even more spoiled brats than you.
Cassandrich
Unknown parent • • •
Cassandrich
Unknown parent • • •
Cassandrich
Unknown parent • • •@mkoek @Setok There's nothing wrong with that, except calling it a "bloodlust" rather than a virtue.
We have the physical/technological capacity to give them that.
The only thing we lack is the political will to stop the people who want to hoard it.
Jeff Atwood
Unknown parent • • •I Fight For The Users
Cassandrich
Unknown parent • • •@mkoek @Setok I don't care if you disagree with that.
I do care about the adtech cartel you're carrying water for and the harm it does to people I love.
sbi
Unknown parent • • •Ick.
ltning
Unknown parent • • •No it does not. The ad companies are creating this pain through malicious compliance.
If you can't see that then you should take a step back and look at the history of advertising on the internet and see how we got here in the first place.
In fairness, I was initially annoyed with the GDPR as well, until I realised what the industry has actually been doing.
As you've been told many times in this thread, nobody is forced to implement cookie popups. The choice to hand your users' data to 3rd parties simply triggers a requirement to get consent to do so. And if you collect personal data, likewise. Just like it's a conscious, and I'd argue malicious, choice to ignore "do-not-track", thus requiring you to inform the user they're being tracked.
Stop being an advertising and data broker industry apologist.
sbi
Unknown parent • • •No, Jeff. You yourself said that people want "everything free", so the drug is not the information itself, but that it seems free (while it isn't).
You can easily solve this. I spent money on numerous apps for my phone which gave me the choice to either pay with money or with personal data. I picked money, other users didn't. But at least they were able to make an informed choice.
And the information necessary to do this is what you attacked.
Open Risk
Unknown parent • • •dunno, imho thats overstating it. People pay for pretty much everything, either directly, or indirectly via taxes. And many of the things that are now supposed to be "free" used to be paid for (newspapers, magazines etc.) without even thinking about it.
rather than a deep homo sapiens malfunction, the issue is more of a silly mix of adtech conditioning (here, free email for your data) and publishers not getting their act together for the digital age.
@dalias @mkoek @Setok
sbi
Unknown parent • • •@davey_cakes I came into this sub-thread after you wrote "free content (ad subsidized) is a hell of a drug." I cannot seem to read from this that bought content is a drug, so you said yourself it being free turns it into a drug.
Again: You do not have to put up a warning unless you want to sell people's information *despite* them already having told you (DNT) they don't want you to—which is shady AF. So you're blaming the EU for the mess you got yourself in by acting shady.
Meh.
Tyler Smith
Unknown parent • • •@dalias @lackthereof @pgcd @leymoo
That's what advertising is for. Is it no longer possible to do advertising without surveillance?
Reverting to advertisements based on the content of a page, rather than who is viewing it, would also make it easier to break Google's stranglehold on the web.
And maybe it's time to stop promising everything can be free forever. That's the first lie that enshittification is built on.
Pieter
in reply to Jeff Atwood • • •Companies forced cookie walls on us by doing data collection I don't want. Ideally I'd be able to disable these shenanigans once on browser level and be done with it.
Until then I'll use Consent-O-Matic to tell companies no.
Augier (fr & en) 🇵🇸🇺🇦☭🏴
Unknown parent • • •@nlupo
Jeff Atwood
Unknown parent • • •
Dennis Mansell
Unknown parent • • •@claudius to be honest, I think the third time still won't be the charm.
But we need the commons to be much more competitive with big tech before we can ban internet advertising.
Claudius
in reply to Dennis Mansell • • •@dennmans DNT and GPC: en.m.wikipedia.org/wiki/Global…
What makes you think "third time's the charm"?
We either abolish ad-tech (and actually enforce it!) or we find technological guarantees of some kind.
Saying "please" will not be enough, we have seen it time and again that this particular line of business can not be trusted to follow specs or even the law. #AdTech
web technology for signalling legally binding notice to prevent sale of user information
Claudius
in reply to Jeff Atwood • • •@dennmans To clarify: I'm not asking to ban all kinds of advertisement. I'm asking to specifically outlaw tracking, microtargeting and whatever the fuck data brokers do.
It will be hard to ban ads, because on the less intrusive side of things, it becomes a bit blurry what an ad even is. And, frankly, I don't mind ads themselves all that much. I don't even run an adblocker (but I do use Privacy Badger, I'm not a monster).
Maki
in reply to Jeff Atwood • • •
ermo | Rune Morling
in reply to Jeff Atwood • • •Have you ever been exposed to addons.mozilla.org/en-GB/firef… ?
The point is to standardise the consent tracking and respecting the user's cookie (= privacy) settings.
If you dislike the resulting user experience so much, perhaps a better use of your time would be to use your platform to drive the tech industry towards respecting people's digital privacy by default?
Or is that not your goal here?
Consent-O-Matic – Get this Extension for 🦊 Firefox (en-GB)
varx/tech
in reply to Jeff Atwood • • •Jeff, I think you should take some time to actually read up on this stuff, because this is an embarrassingly wrong take.
The EU mandated informed consent for tracking and marketing cookies. You're linking to a post about *login* cookies, which are completely irrelevant and would not be covered.
Jeff Atwood
in reply to varx/tech • • •
schrotthaufen
in reply to Jeff Atwood • • •
Jeff Atwood
in reply to schrotthaufen • • •
edmeme
in reply to Jeff Atwood • • •This is not what the law asks for. Essential cookies, like those to authenticate a user do not require consent at all.
Even though an alternative authentication method existed, like your 2010 article calls for, tracking cookies are lucrative for sites (like nytimes and their 340 'vendors') and would exist in some way or form.
Also, I would consider what I do in any given site private and deserving encryption, regardless of the authentication method
gdpr.eu/cookies/
Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
Krišs
in reply to Jeff Atwood • • •
beasom
in reply to Jeff Atwood • • •