As a European I encounter a lot dark patterns to circumvent privacy laws.
Some just ignore your choice and track you.
Some don't give you a reject option.
Some make it really really annoying (or slow) to reject.<p>Do you think it's possible to politely ask them on twitter to change? Maybe as a group?
Either a site has the opt out choice clear, marked by default (the bigger/more visible button), or it should be reported.<p>Obviously authorities can’t follow up on every small player here, so the key is to make an example by imposing some extremely large fines on some large companies.<p>Anyone who sees it should think “whatever we risk losing by losing 99% ad revenue is better than <i>THAT</i>”. Preferably sanctions should include personal sanctions on decisionmakers but I’m not sure if that’s possible as the regulation works now.<p>It needs to be made a proper criminal offense so that investigators have the tools they need.
An efficient way to go about this could be to find one of the companies that supplies these dark pattern services (sells cookie gateway services), demand lists of their customers and verify that they indeed used that product - and fine all off them off the face of the internet.
It's not illegal to just cookie-wall your whole site without options, or is it?<p>This site here e.g. does it: <a href="https://www.spiegel.de/" rel="nofollow">https://www.spiegel.de/</a><p>imprint is still reachable, but if you want to read this news site you'll have to allow all the tracking crap.
Why are you all talking about the "reject option", which implicitly considers the opt-in to be the default? The default MUST be the opt-out (for non-essential cookies), hence there is no "reject" because there must be the "accept".
Most websites, made by low budget webdevs which are thriving thanks to companies asking for low budget websites[1], do not consider - even in the EU - the <i>reject</i> option.<p>In the large majority of websites, Google Analytics fires even before the cookie banner, and the banner is only used to <i>inform</i> you that by continuing navigation you are accepting to be tracked.<p>Yes, this is illegal. But not enforceable.<p>[1]: there are devs selling websites for 500 dollars/euros.
I love how it says "Learn more and customize" but doesn't actually let you customize anything. Just shows you dozens of links where you can supposedly "Opt out" by going to the target directly.
UPDATE: the cookie banner was updated. A reject option is now available!<p><a href="https://twitter.com/LetMeReject/status/1366473613709365257?s=20" rel="nofollow">https://twitter.com/LetMeReject/status/1366473613709365257?s...</a><p>Thanks to everyone supporting this. We changed the world a little bit.<p>If you think this format has potential please follow @LetMeReject.
Checking whether cookie banners are compliant should be mostly straightforward for regulatory bodies. In 90% of cases it’s clear if there’s opt in or not.<p>Why can’t regulatory bodies set up automated flows and tools to handle this at scale? Don’t need to catch every case but they should be able to massively scale the complaints process for this.
This pattern is kind of like what MicroSoft did in the ninties with their license agreement: it was contained in the shrink-wrapped box and the agreement said that by opening the shrink-wrap you've accepted the terms.<p>These accept-only 'consents' do the same type of trolling. Sometimes they even say on top of that that by using the site you accept their use of cookies. (Which is OK, as long as they only use essential, e.g. session cookies, but a lot of the time it's not the case.)
> Google Analytics fires even before the cookie banner<p>That might well not be a problem, depending on how the configuration and setup of Google Analytics was done in that case.<p>From <a href="https://www.cookiebot.com/en/google-analytics-gdpr/" rel="nofollow">https://www.cookiebot.com/en/google-analytics-gdpr/</a><p>- turn on IP anonymisation<p>- don't send personal data<p>- don't send pseudonymous identifiers<p>- I add: tell GA to not set cookies and to not track the user (IIRC it's "storage" set to "none" and "storeGac" set to false)<p>If one does that when the user's not opted-in to "analytics" or "tracking", that ought to be enough to satisfy informed consent, no? The site is then just tracking page views, with no personal information or cookies to fly around.<p>If the user then opts-in to analytics then the site's code could well send more pseudonymous data to Google Analytics, with the user's consent, as well as tell GA it's fine to track the user around the site using a cookie or whatever other means.<p>Same goes for the setup for Adwords or similar: it's all in the hands of the website, and so long as things are configured to not track the user, it might be fine.<p>If a site's livelihood depends on showing ads to users, it doesn't mean that the user has to opt-in to ads. They ought to opt-in to being tracked by the ad provider.<p>So, configure _that_ -- no opt in? No tracking. Opt in? Tracking, remarketing, retargeting, what-have-you.<p>It's all about "playing safe" and _not_ tracking when the user's not opted in.<p>Many sites instead do it the other way around, and do it all until/unless the user's opted-out.<p>And even then, I wouldn't hold my breath that they're really doing it.<p>Some are, or at least try hard to.