The GDPR does *not* require websites to inform users that a website sets cookies. There is nothing in the GDPR about cookies.

It's the ePrivacy Directive[0] that deals with cookies (or, rather, "[storing] information or to gain[ing] access to information stored in the terminal equipment of a subscriber or user"). This is a law that pre-dates the GDPR.

If you can't get that right, frankly I question whether anything you write on the subject is correct.

[0] Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector - https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058
It's pretty well known that cookie-walls are rife with anti-consumer patterns. Going to something like formula1.com requires me to click more than 100 times to object to the 'legitimate interests' of as many companies. Which is a pretty terrible anti-pattern when I don't want to be tracked at all...

After reading the abstract, it seems the authors try to classify cookies using a special browser extension called "CookieBlock" [1]. I hope they are successful, because I hate being tracked on the internet.

[1] https://github.com/dibollinger/CookieBlock
Right, as with the cookie laws, companies seem to have collectively come to the idea that "they can't catch us all!"

So far they seem to be correct. I would really like to see the courts deal a few black eyes over this; I hope this tool can help.
Handy guide to GDPR for web developers:

* You can't set all your cookies first, then ask permission.

* You can't set all your cookies whether the user accepts them or not.

* You can't tell users to stop using the website if they don't want cookies.

* You can't convince any business owner to follow the above rules.
Part of my job is to maintain GDPR compliance for corporate websites. Even for companies that legitimately want to exceed compliance, you would not believe how much of a pain in the ass it is.

The first company wanted to do it "right". So we enabled opt-out by default for all cookies. Which requires setting an anonymized master cookie to check every time we load a webpage to see if we are allowed to set other cookies. And since IP-detection was not allowed, we did it for all website visitors. And because we have to remember your settings, we had to create a separate anonymized database outside of our normal website.

And the website broke ALL THE TIME. Product configurators, shopping carts, forms, downtime detection - all this stuff relied on cookies. And for several months the web team had a constant nightmare of customer complaints about broken stuff.

In the first year we ended up spending close to $250k on legal advice from European lawyers, and most of the advice boiled down to "you're not going to get in trouble if you just do what everyone else is doing". Seriously.

Since then it's gotten better - most third party vendors have done a better job of offering anonymized cookie versions of their products. Or there is just more industry guidance available on what kind of cookies can be considered sufficiently anonymous.

For people who claim GDPR compliance is clear and straightforward - I can't believe they actually have much experience working in Privacy. Actual implementation gets... very opaque. Especially when the law says it's illegal to deny service based on their cookie preference, but some services are literally impossible to provide without a cookie of some form.
Whenever people go "it's been four years, this law is too complicated", I am reminded that every now and again the US Supreme Court has to deal with issues that relate to the constitution.
Oh the irony of this site itself having a "we use cookies, got it?" banner while lamenting this exact perceived lack of choice. I always laugh a little when I see those anyway, knowing that my browser's settings and privacy extensions are blocking the cookies and tracking connections either way.

Did we consider that if everyone is breaking the law, the law itself might need a rework?
Brave has an option to block cookie notices - you need to enable the "Filter obtrusive cookie notices" list in brave://adblock.
https://twitter.com/shivan_kaul/status/1488989740690853888

We're experimenting with blocking cookie notices by default in Nightly. There's webcompat risk - some websites just break if you block the cookie notice. "Works on 90% of websites" is just not good enough when deploying to 50 million Web users.
Given the amount of confusion and conflicting interpretations of GDPR we get on HN, I'm not really surprised. Then there's always the vocal minority that is fully convinced that GDPR is very simple and clear.
What about a wiki system + workflow tool for documenting all GDPR infringements on every website of interest with auto-submission of a complaint to the regulatory agencies?
I really think we should reject the law and make another one that requires the browser vendors to provide the appropriate notices (think of what currently happens with non-https connections) and (browser enforced) choices.

No added work for website developers, no lawyers required, no dark patterns. Common icons and warnings the user can recognize easily because they would be the same for every website.
I doubt that very much. A lot of the indieweb sites don't bother collecting information about their users so they don't need to show information pop-ups nor worry about GDPR. I know I don't.
The cookie consent stuff has always seemed straightforward to me, but maybe I've had it wrong this whole time. It does really say a lot that 95% of websites had a violation. I wish that we could make the GDPR entirely client-side.

Semi-related: my understanding is that it's impossible for American hosting companies to comply with GDPR (due to the CLOUD act).

If that's the case, and you're American/using an American host, is there any point in even trying to comply?
Isn't there insane money to make just suing everybody in breach of GDPR? I always thought there were lawyers scouring the internet in search of a quick buck.
I run a website with a few hundred thousand monthly active users. I get tons of mails from users telling me how much they love it. One unintrusive, smallish Adsense banner pays for everything. For years now, everyone was happy.

Now Google sent me an email that they want me to gather user consent before showing Adsense. They offer an automatic consent modal. But the problem with that one is that it not only displays the consent modal but also injects a smaller widget into the site. It looks like the widget only pops up when the user scrolls down to the bottom of the page. Unfortunately, that also makes it pop up when the page is not longer than the screen. So pages where the content fits on the screen behave really really shitty. Maybe that is the reason why I have never seen it used anywhere.

And of course loading the consent script from Google before getting consent is not in line with GDPR in the first place.

Other consent solutions I see around the web are heavy third party widgets that do a lot of complicated stuff. And because they are third party scripts, they are also not in line with the GDPR.

I have not found any indie developers who have implemented their own consent solution. And as far as I understand it, Google has no communication channel. They just threaten to kick you off Adsense. So all I can do is implement my own solution and wait if it happens or not.

I started to implement my own consent banner now. Not sure if I will get it right so that it pleases Google.

I fear that this whole GDPR thing might be the end of my website.
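A first-party consent gate along the lines the two implementation comments above describe (deny by default, check one master consent cookie on every page load, inject third-party scripts only after opt-in). This is an added illustration, not code from any commenter or from Google; the cookie name, the consent categories and the script catalog are assumptions.

```javascript
// Added example, not from the thread. A deny-by-default consent gate:
// non-essential scripts are loaded only when a first-party consent cookie
// records an explicit opt-in for their category.

const CONSENT_COOKIE = "consent";          // assumed cookie name
const CATEGORIES = ["analytics", "ads"];   // assumed non-essential categories

// Parse a document.cookie / Cookie-header style string into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const k = part.slice(0, idx).trim();
    if (k) out[k] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the recorded decision. Missing, malformed or unknown values all mean
// "denied", so nothing non-essential runs before the user has chosen.
function readConsent(cookieHeader) {
  const state = {};
  for (const c of CATEGORIES) state[c] = false;
  const raw = parseCookies(cookieHeader || "")[CONSENT_COOKIE];
  if (!raw) return state;
  try {
    const parsed = JSON.parse(raw);
    for (const c of CATEGORIES) state[c] = parsed[c] === true;
  } catch (err) { /* malformed cookie: stay denied */ }
  return state;
}

// Serialize a decision as a Set-Cookie value. The consent cookie carries only
// the user's choice, no identifier, which is what keeps it first-party and
// free of tracking data.
function consentCookieValue(decision, maxAgeSeconds) {
  const payload = {};
  for (const c of CATEGORIES) payload[c] = decision[c] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(payload))}` +
    `; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Filter a script catalog ({src, category}) down to what this page load may
// inject: essential scripts always, the rest only with recorded opt-in.
function scriptsToLoad(cookieHeader, catalog) {
  const state = readConsent(cookieHeader);
  return catalog.filter(s => s.category === "essential" || state[s.category] === true);
}
```

In the browser, the page would call `scriptsToLoad(document.cookie, catalog)` at load and append a `<script>` element for each entry returned, so the third-party tag is never fetched before consent.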
Honestly, why can't browsers just implement an option in their settings?
Let the users decide in one place if they want to consent to extra non-essential cookies.
And add an extra field to exclude certain sites in case you have a domain that you want to grant permission.
That's the end result of extremely complicated legislation. Everyone breaks it, but you only get caught if you stick out enough.

Uncharitably, it's a way for the government to arbitrarily prosecute anyone they please.
Government regulation that outsources/hides the cost on consumers and businesses needs additional scrutiny. Did anyone analyze the full cost of these regulations? It must be insanely high.