They claim that, but the page they link to as the source says "You must...Receive users’ consent before you use any cookies except strictly necessary cookies.". So what exactly makes them think that first-party analytics cookies are "strictly necessary"? The Mastodon link in the at the start of page doesn't seem to work.
https://www.edpb.europa.eu/concernant-le-cepd/mentions-legal...
Session auth cookies are the only ones the EU considers strictly necessary.
There are several others which are permissible. The EU has six examples.
https://commission.europa.eu/resources/europa-web-guide/desi...
The text on that website does state that some DPAs have found some first-party analytics acceptable, but that's not something that is confirmed by CJEU. And ePD does not have single-stop shop so you need to follow every DPAs directions if you are offering services to that DPA's country.
I know some sites use dark patterns in their cookie banners, which I consider to be a helpful hint that the company doesn't respect the users.
However I claim the point of the bad UX is to make users angry and then have them complain about EU etc. "demanding" those. In order to weaken the regulation of tracking. If they are successful (and they are making progress) "no more cookie banners" is a lot better headlines than "more tracking"
The header would be a relatively clear cut situation, also opening the path to private enforcement via NOYB & Co.
It is two clicks to confirm that choice and dismiss the pop-up versus one to accept all cookies but if you choose to interact with the site and ignore the pop-up instead, you are supposedly non-essential cookie free by default.
Most of the time both options are presented clearly and within a few pixels from each other, but opt-in is usually slightly more eye catching and/or more appealing. But the effort in terms of distance for mouse movement or number of clicks is the same. While that’s a design trick that will improve % of opt-in, how can it be argued that the opt-out was not as “easy”?
> If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
> ... It shall be as easy to withdraw as to give consent.
Your example does appear muddy, but I also doubt any enforcement targetting such sites.
What however is extremely common is an "Accept all" vs "Manage settings" which opens up another panel, where there is still no "Reject all" option, and only various settings where you can "Save choices" which might or might not default to what you want. Such cases are obviously blatant rule violations, both in amount of clicks and obfuscation of consent.
[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...
But GDPR is toothless and ill thought out.
fwiw; looking at our stats for the past year: No consent: 40.8% Full Consent: 31% Just closed the damn window: 28.1% Went through the nightmare selector: 0.07%
~1.5M impressions from GDPR areas
If you're in any way something beyond a hobbyist, you should probably get legal advice about whether you need to get affirmative or implicit consent, whether you need to handle universal opt-out signals (in California, Global Privacy Control signals are now legally required to be respected), etc.
Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
And a proper consent banner will immediately handle your GPC signal, and generally not show you anything (California now requires a visual notification that your preference has been respected).
I understand what the author is actually saying: you can design sites that don't require the tracking tools requiring consent. And yes, while true at a certain (small) scale, when you have hundreds of millions or billions of page loads per month, and several development teams, a partnership group, and a lot of moving parts, you'll forgive me for thinking this is impractical.
Consent banners don't have to be awful, I promise.
Forgive me for immediately untrusting you on the matter because the reality distortion field must be strong. Cookie banners are an absolute crystal clear evil and there is absolutely no leeway for a different opinion here.
(Tracking is also an undisputed evil)
> Consent banners don't have to be awful, I promise.
False.
They absolutely have to be awful because that's the whole premise of the law. You have to get user's consent. In order to force the user to make a choice you have to make it more annoying than it is annoying to read your content while ignoring the popup. The only way to conform to the law is to make users' experience on your website miserable.
> true at a certain (small) scale, when you have hundreds of millions [...] this is impractical.
True.
However it is also impractical to actually use the consent dialog. Because all the trackers and tools that different teams are adding to the site - they have to communicate with the cookie popup somehow and no living programmer would be bothered to even think about it. Nothing good for the world comes out of presenting and respecting the cookie popup ().
Thus I see fake cookie consent popups that are actually ignoring users' choices.
() On my site I do my best to respect the user's choice and do NOT track them once they hopefully reject.
Is getting consent interruptive? yes. Is that worse than not getting consent? Also yes.
Since you don't appear to want to give up the undisputed evil of tracking, then consent is what's left to you. You've made the same choice as everyone else.
I'd encourage you to respect GPC and DNT, so the (roughly 20%, depending on audience) of users that have it enabled can automatically opt out of your tracking without the "crystal clear evil" of a consent banner. Remember that in California you need to show some display that their consent choices have been observed.
Not that tracking. You know what I mean: tracking by ad networks and international corporations.
We are tracking events (users clicked on the button) in an anonymous fashion. We do not collect PII. We do not store IPs. We do not correlate behaviors with user ids. We simply track how many people clicked the button and on what page. This is hardly privacy invasive at all.
> Is getting consent interruptive? yes. Is that worse than not getting consent? Also yes.
I'm not entirely sure about the latter. First of all, I don't believe in the slightest that the site will respect my choice. Second, even if the site itself does, the ad network present on the site, definitely will track me no matter what.
In other words, consent banners are cargo cult, do not work in practice and are a net negative for the world.
> DNT
It was an obvious idea but didn't work, unfortunately due to the fact that ad network absolutely have to look down users' ass and they will not cease this practice.
> users that have it enabled can automatically opt out of your tracking
They can install adblock and wholesale opt out of all the bullshit, including insane cookie consent banners.
> Remember that in California you need
My business is not California or US based and thus I don't have to implement the vast variety of of cargo cult laws in existence.
The page describing the law has more examples of cases where you do not need consent than the ones you do.
https://commission.europa.eu/resources/europa-web-guide/desi...
You're required to disclose. I didn't say consent.
This is precisely why I say talk to a lawyer. I appreciate the firmness of your conviction, but not reading what was explicitly stated, well.
I don’t understand how you could misread “firmness of conviction” in my comment. I made it as short, bland, and neutral as possible, on purpose. It’s just a statement of fact with a source.
So I didn’t misinterpret what you said, it’s just that I have seen consent and disclosure always hand in hand.
It’s been years since I read the law in full myself, so it’s possible you’re right. I’m going by my own recollection (which can obviously be flawed) and the result of a lawyer’s interpretation (which is the thing you recommended) but I’m not one myself.
I still don’t understand (nor have you addressed) how you misread “firmness of conviction” in my words, especially when I purposefully did the opposite because I understand that these legal matters can get fuzzy.
We have also retained lawyers in UK for the same matter and they could not come to an ultimate conclusion what constitutes tracking and what does not.
The whole matter is that brain damaged.
It is also quite complex to integrate a third-party consent management platform in a compliant way; the tool itself is a script, but it somehow needs to preempt loading of any other scripts until the right consent is given (there's also an argument whether the CMP being third-party is itself a breach of "data minimization" when such functionality can trivially be done in-house, or at least self-hosting the script).
The majority of sites fail at this, which already breaches the GDPR since merely loading a third-party script discloses your IP address and browser fingerprint to them.
It's not a big deal in their case because their CMP is itself configured to be non-compliant, but if you want to be compliant with a third-party CMP it's likely the effort to integrate it properly would be just as much as just doing it in-house.
You're mixing GDPR up with the ePrivacy Directive (henceforth "ePrivacy", not to be confused with the proposed ePrivacy Regulation). GDPR Recital 30 describes how cookies should be understood in relation to the GDPR (to the extent that GDPR Article 4(1) didn't already make it clear), and GDPR Recital 15 affirms that "the act of writing any cookie" doesn't have any special treatment under GDPR. Whereas ePrivacy Article 5 ¶3 discusses "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", and is the real source of nearly all "cookie consent" obligations in the EU. I hope you don't work on the legal side of the consent product!
Less pithily: I've noticed a lot of "consent" providers getting this basic stuff wrong, both in their marketing copy and in their actual products. I (along with most internet users) have a vested interest in any improvements in this area. I'm available to discuss this further, if that would be helpful – keeping in mind that while I know a lot more about this than many working professionals apparently do, I'm still very much an amateur with no formal legal training.
ePrivacy Directive as amended in 2009: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
GDPR as amended in 2016 (without recitals): https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
That would not be helpful, because the whole business of "consent management" is to provide plausible deniability and the illusion of compliance to businesses without actually making them comply (since complying with the GDPR would incur significant cost and obsolete most of the marketing/analytics team's jobs).
I'm very sure they perfectly know what they're doing and have the budget for the best legal advice money can buy, it's just that their business is all about selling the illusion of compliance instead of actual compliance.
It's the fault of the regulators for still not cracking down on this after 8 fucking years. Detecting non-compliant consent flows is trivial with a web scraper.
> in their actual products
The products are configurable by the customer. Now you could indeed argue that the product should not offer an option to configure it in a way that would be in breach of the regulation it's supposed to help you comply with... but again see above.
I'd be happy to discuss directly if you want. Not sure how to exchange details if you're interested but we can figure something out I guess.
> If you have any questions about the lawful bases upon which we collect and use your personal data, please submit a request through the DataGrail’s Privacy Request Form or email DataGrail at privacy@datagrail.io.
Informing me of my "right to obtain" certain information without actually providing it is not okay; and the rather selective descriptions of the rights of the data subject feel like a GDPR Article 12 violation. (For example, it partially discusses Article 15(1), but omits Article 15(2).) Having investigated the Privacy Request Form (https://preferences.datagrail.io/form/access), it's requesting I identify myself in order to learn how my personal information's being used. I can't remember the exact reference, but I'm pretty sure this is explicitly forbidden by GDPR: something about not gathering or storing information with "it's needed to satisfy GDPR's bureaucratic requirements" as justification. (Yes, I know I can email instead: that's not the point.)
I could go on, but… it doesn't really matter how good a company's services are (and those services do look pretty good!) if I can't trust the company to begin with. DataGrail appears typical for the industry, rather than exemplary (as I had hoped it would be).
Sorry to have bothered you, but I assure you that your Access or Deletion request will be processed when you submit it. I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).
Are you suggesting that we should "provide the information from your GDPR access request without you actually asking for us to do so, without any commercially reasonable verification?"
Note I won't be responding further: you're not in earnest. But I do assure you that any requests will be properly processed.
Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked. Just for your awareness.
I did tell you that I was going to have a look, so I don't think my request was deceptive.
> I assure you that your Access or Deletion request will be processed when you submit it.
No no, I never assumed otherwise! (the complaint about pseudonymisation notwithstanding.) And it's entirely reasonable that those require submitting a form.
My complaint was that, as a visitor to the company's website, my personal information is shipped off to third-parties and used in ways that I am not informed about, and I have to specifically request to be informed via email (or the form) despite having no business relationship with the company, when I'm entitled to be informed before any such data collection takes place. "Contact us, and we'll tell you all about how all your personal information is used" is a wonderful service to provide, but it really really shouldn't be the only way to find that information out.
(Technically, my complaint was more general than this, but it did not extend to expecting the company to magically know when I want the data indexed as associated with me deleted, without me informing them.)
> I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).
The difference is that the form requires that I provide my "First Name" and "Last Name", when these are not relevant to the request. GDPR requires that you don't require this, and an emailed request likewise does not require this. (When I told Stack Exchange about their instance of this issue, they thanked me for pointing it out, and then they fixed it, very promptly. They're using OneTrust, so assuming DataGrail is feature-complete with respect to OneTrust, and that DataGrail are using their own software, it shouldn't be hard for DataGrail to fix it too.)
> Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked.
I noticed, and that's appreciated! However, that's not relevant to GDPR, whose obligations apply regardless of whether GPC or DNT is sent. The use of these scripts must be opt-in (unless the rare exceptions apply where you can use a basis other than consent), otherwise you're not complying with GDPR.
Again, not saying the company's atypically bad. The issues I've raised are fairly common in the industry. If forced to pick one of these services, I might go with DataGrail, because the selection of services the company offers is (in my estimation) very good. (Most smaller providers do not offer anything like that, and most larger providers are much less trustworthy.) I would certainly choose DataGrail over OneTrust.
However, my programming ability is such that it'd be easier to roll my own than audit the services of a company who I have reason to believe will make mistakes. I don't have reason to believe that the mistake-making is limited to whoever maintains the company's website (probably the marketing department), because I'd expect responsible higher-ups to tell a non-compliant marketing department to cut it out. I'm sure this means little, except that I am not your company's target market – nor the target market of most of the B2B privacy-tech industry.
Sure, you might understand your demographics better.. if you presume that the analytics are faultless at telling you this- which they're really not.
If you care about how your site is used, you don't need to set any cookies.
We don't care who the specific users are - but the tracking gives us an idea of how many people use the site? do they have a good experience? are they giving us money? do we have a bug somewhere we're missing? etc.
All that is valuable as a business.
Idk if that was a good idea or not.
We depended on cookies for your cart and stuff.
For some.
Any real business needs to do behavioral tracking for campaign conversions, add-to-cart, customer acquisition, funneling, retention, personalization, etc.
I love how we all hate cookie banners and say they are unnecessary, but are salaries are all paid by apps that do behavioral tracking.
Only hobby blogs can get by without it.
I think that means not ALL websites need invasive tracking.
Some of those scenarios are dubious as to whether they actually bring profit and "make money". They can very well be a net loss and are merely there to justify the job of the advertising/marketing/analytics/etc team, who is conveniently charge of crunching those numbers and obviously would never put any adverse numbers forward.
Same thing in advertising - there's a lot of middlemen in the industry that are happy to take their cut, cook the numbers and look the other way despite no actual impact on sales.
So while I don't disagree these things can make money when in the right hands and done in moderation, the reality is that there's a shit ton of waste and deadweight in the industry. It may very well be that the actual (vs self-reported) profit from ad/marketing efforts is negative and merely covers the paychecks of said ad/marketing teams.
Here are the industries that I've worked in that all did behavioral tracking for the above applications
* gaming
* music industry
* healthcare
* social media
* news
* internet search
* online retail
It's totally legit to spend a career helping the folks at Facebook and Google to soak up more private information about everyone so the Trump campaign can improve targeting of the fake news advertisements for the presidential election campaigns. But it is not ethical.
Whether you want to do so is a different matter. This obviously requires (potentially custom) software and infrastructure, vs throwing in GTM and calling it a day. If there is no regulatory reason for it (there isn't - this aspect of the GDPR is not enforced), most businesses won't bother and will take the easy option.
Ironically, if you are looking for a tradesman and do stumble upon an online ad or very polished web presence, be wary as it's basically guaranteed to lead to a boiler room full of scammers who will overcharge you and farm out the actual work to the lowest bidder. Sample: https://en.wikipedia.org/wiki/Locksmith_scam
"Matomo has also been approved by the French Data Protection Authority (CNIL) as one of the select few web analytics tools that can be used to collect data without tracking consent."
more info: https://matomo.org/gdpr-analytics/
Just give an example. If this hypothetical solution is so easy, why are examples hard to come by?
But if you have a cart, you need a cookie banner regardless of any tracking you are doing.
"easier / cheaper / quicker" means that will be the solution . You can't tell your boss "let's spend more money, more time, more risk" on getting it done.
the heuristic for whether you need the banner is essentially: is the user deriving the benefit, or just the operator?
if it's the latter you definitely need the banner
This is just as bogus as the user vs developer distinction in copyleft world.
Of course users benefit from the operator knowing if their design decisions are actually on the right track.
the specific user right now, not a hypothetical user at some point in the future (if the business continues to exist)
answer: they don't
The book "careless people" clearly documents how Facebook engineers were embedded in the Trump campaign to run fake news advertisements micro-targeted to US voters.
It takes a lot of strength to resolve such a fundamental cognitive dissonance, especially if your self image is the talented techie who made money without hurting anyone.
Until the regulation actually gets enforced so that everyone is on a level playing field and does not do such things, you will be at a disadvantage if you're the only one to comply, so the winning strategy is to not comply and engage in such practices just like your competitors do.
"need" is the wrong word for this. And the comment doesn't talk about it as a prisoner's dilemma, it says "need" unconditionally. The downvotes are not sad.
But taking into account that almost all jobs in advertising depend on keeping it "a mystery", it's no surprise that relatively few companies do it.
After all, it looks better if you tell your boss or your customer that they had 40 000 "impressions" thanks to your campaign, rather than 400 definite sales.
It's not a better experience, it's a worse experience, because users will click on 'whatever' and therefore the goal of the privacy laws are not met.
Given the current situation - things would be improved by merely providing users with a consistent way to check on cookie status aka with a 'privacy link' up top that always gives clear info about privacy - but with no popup.
Or - given the current situation - it may be more appropriate to be more assertive with privacy and not allow one-click opt-in because it's just too much?
The fact is, the popups are just bad - the don't accomplish what the are trying to accomplish and we need a more UX friendly way to regulate. Which could be lighter or more restricting, one way or another.
I think we should accept that certain kinds of tracking should be allowed by default for many cases. It don't think it's a violation of privacy for companies to map an individuals experience across their property, as long as user is anonymous, there are other checks etc. Sharing data between sites is completely another thing altogether.