Consent-O-Matic: Automatic handling of GDPR consent forms (github.com/cavi-au)
141 points by zigzag312 on March 10, 2022 | 135 comments



I wish there was a standard browser API for this. If the law is going to force this to be a thing, and it's not going away, web standards should respond.

It could even just be a flag in the cookie itself declaring that something isn't strictly necessary.


It can't be. At least not if you want to accept cookies. Declining is easy. You can just decline everything (technically) not necessary.

The problem is that consent must be given freely and fully informed. And this is the catch. Automatic acceptance isn't fully informed, and with that the consent isn't valid.

So it would put the companies in danger and therefore no company could honor this standard.

Sadly, as it would make life easier. But it would be enough if companies would just not use dark patterns. If there is a banner, the "Accept all" and the "Deny all" must both be at the same level of "easy-ness" and the same number of clicks (and wait time). Only if you want to would you need to dive into the detailed categories.

And even there: Most sites abuse "legitimate interest". Everything non essential should by default be inactive. But sadly it isn't.

Disclaimer: I am a data analyst/Web analyst. I do this stuff for a living for clients. Still I value these things highly. And would love for it to be implemented correctly.


The banners are inherently dark patterns.

Non-essential cookies could be enabled via a configuration menu opened by the user at a time of their choosing. But everybody knows no user is going to do that, particularly unprompted. So they create a pop-up banner to do both the prompting and the configuration.

And everybody knows most users, when they see a pop-up, are just looking for the sequence of button presses needed to remove the pop-up. So they make sure that that's "enable all cookies" because they know if it's "only enable essential cookies" vanishingly few users will enable non-essentials. Why would they?

If everything non-essential were required to be inactive by default I think the pop-ups would disappear entirely. There'd be no point to them because vanishingly few users would ever change the defaults.


It should literally be a setting in the browser - auto decline. That would make everyone's life a lot easier.


I wonder what the advertising company in charge of the world's most popular browser would have to say about that.


We had something like that called DNT, and not only did nobody honor it, but it was used as an extra fingerprinting vector, totally defeating its purpose.

According to the GDPR, all non-essential tracking should be off by default, so "decline" is already the default if companies were compliant with the regulation (which is a big "if").


I was in ad tech once. We obeyed it. Lots of traffic went through us. No one cared that we obeyed it and our competitors didn’t.

Left the code in anyway but that’s the thing about these things: consumer behavior reveals that they don’t actually give a fuck about whether anyone obeys this or not except for the time when they want to be outraged.


The thing is that from a user's perspective there's no way to tell whether someone obeys it or not because lying is not punished, so the safe thing to do is to assume the worst in all cases.


Right. It's rational for the user not to care. The point is that it was designed to fail since there's no closed loop verification. i.e. DNT was a bad design.


And the customer is always right.


You should rewrite that ending in "since companies aren't"


Everybody would just leave that enabled and advertisers would find a different way to make money from tracking our browsing.


The twist is that this time around they legally are not allowed to do so.


I think the point is that you already can decline by default - by turning off cookies. IMO an API for cookie consent would be most useful if you could always accept functional cookies and none of the rest, but even that likely wouldn't pass the test of being informed consent for every website that might use functional cookies a bit differently.


Just like a robots.txt you could have a privacy.txt or so at the root of the site.

Then the browser could take care of displaying it in a uniform way together with the “accept” and “reject” buttons in a uniform way.

Would be much easier for the website and it would make it impossible to use dark patterns.


How do sites abuse Legitimate Interest? LI is something vendors declare to the IAB, not the sites. These CMPs just present that information to the user (in complicated ways) so they can Accept/Decline/Object.


> How do sites abuse Legitimate Interest?

By pretending that advertisement and tracking are part of Legitimate Interest, and having a "secondary section" that is not only pre-accepted, but also overrides the proper consent part.

To really decline consent in those cases, you must uncheck all "Legitimate Interest" checkboxes. Not only are those things not legitimate interest, this also overrides the lack of consent provided by users for a couple of vendors.

Legitimate interest is not a get out of jail free card. You can't apply it to everything and pretend you got consent.

https://i.imgur.com/M9gUEVi.png


LI is a separate Legal Basis to Consent, that's why there are two lists in the CMP. The user's choices for each Legal Basis are sent separately in the TCF consent strings and entities are expected to adhere to these rules. One does not override the other.

The full list of the LI purposes claimed by adtech players is available at [0]

As for why they're enabled by default... I'd imagine there's a legal reason. GDPR doesn't just apply to adtech, it's everything.

In any case, it's not sites that are the issue. It's the CMP screens.

[0] https://vendor-list.consensu.org/v2/vendor-list.json


> LI is a separate Legal Basis to Consent, that's why there are two lists in the CMP.

I never said the opposite and never said that was the problem. Presenting non-Legitimate Interest as if it were, however, is shady and probably illegal.

> The user's choices for each Legal Basis are sent separately in the TCF consent strings and entities are expected to adhere to these rules.

I never said that being separated is a problem. The problem is using anything that is firmly NOT in the Legitimate interest camp as if it were, and using that to mislead customers.

> One does not override the other.

It does in this case, and it is easily verifiable. Even if I disallow a certain tracking vendor, it will still load stuff from this vendor in websites, even though nothing from this vendor configures "Legitimate Interest". And all my data will still be piped to those adware, etc, vendors, that provide no functions other than adware, tracking and other shady stuff that GDPR requires consent for.

> As for why they're enabled by default... I'd imagine there's a legal reason. GDPR doesn't just apply to adtech, it's everything.

That's beside the point. If it were really Legitimate Interest, there would be no need for asking.


Tracking for Ad fraud is one example where they claim legitimate interest, which is BS IMV


If you program a browser to consent for you that is no different to consenting yourself.

Just as writing and running an install script with --accept-tos is valid.


That's not informed consent but if you decide to accept everything without reading anything, it's your right to do it. You won't be able to complain in case of "surprises". So yes, a browser could come with an "Accept all" setting, probably disabled by default, but which browser vendor is going to go through the trouble of implementing that, proposing an API and above all getting every Privacy Agency of the world to accept that?


Clicking a checkbox that says "accept all tracking/cookies purpose from any website" and having the browser accept for you absolutely is informed consent.

A court would look at this and a person who mindlessly clicked "accept all" on every website as equivalent.

Browsers could propose an API for this functionality and no doubt some websites would implement it. They haven't, but they could.

Whether there's any point is another question. Websites would probably rather use dark patterns to get us to click accept all, so any API that went beyond accept all and allowed a standardized user policy on data collection would have a limited uptake.


> Clicking a checkbox that says "accept all tracking/cookies purpose from any website" and having the browser accept for you absolutely is informed consent.

IANAL so it's pointless for me to argue on that point. Of course if somebody is happy to accept in advance any privacy policy and will confirm all of those automated choices in a court (if they'll ever be challenged, can't think why), no problem with that.

My point was that we shouldn't expect a major browser vendor to go through all the process to build an API with those legal implications. I wouldn't bet on major websites adopting that API anyway. It looks so much like following the letter of the law and circumventing the spirit of it. Very risky, both legally and as a middle finger to the regulators.


> It looks so much like following the letter of the law and circumventing the spirit of it.

I don't think this is true either. The consent options would typically come under a few pretty well defined headers (e.g. advertising) and could include the capability of raising specific exceptions for nonstandard requests.


Why not? Google loves tracking (at least when it's their own) and users hate popups.

A feature saving 2 seconds on 90% of sites is a big deal.


If I sign a form that says "I accept all medical procedures being done to me in the next month.", that wouldn't be informed consent for a surgery two weeks later if I hadn't been aware of the risks of the surgery at the time that I signed the form. Being informed of the specifics for a particular procedure is necessary, not just being informed of the general risks of medical procedures.

In the same way, GDPR requires informed consent about the specific use of data by a specific data controller. From https://gdpr-info.eu/issues/consent/ :

> For consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’.

The proposed browser-based solution that sends an automated acceptance on behalf of the user would not qualify as informed consent in the context of the GDPR, because the consent was given prior to the human being informed about the specific use by the specific site.


> If I sign a form that says "I accept all medical procedures being done to me in the next month.", that wouldn't be informed consent

Medical consent is a whole different kettle of fish and I may be off base here, but I am pretty sure you can pre-authorize consent for, e.g., cases where there's a risk you may become unconscious and need follow-up treatment.

> The proposed browser-based solution that sends an automated acceptance on behalf of the user would not qualify as informed consent

It's absolutely possible to have all of this information sent in an API to software acting on behalf of the user. The user has been informed and the obligations of the website will have been discharged. What the user's browser does with this is the user's business.


We cannot have a modern technological society if we treat tracking with the same concern we treat medical consent.

That road leads to banning street photography and CCTV, and being able to get a gag order to stop people from saying "Yeah I saw Brian at the bar last night". When does it stop?

There are no uses of cookies an average user cares about that aren't already illegal.

They are basically all for the same thing, to spy on you and sell your data to third parties to the fullest extent of the law, excluding any data you would actually notice being sold like credit card numbers, and many users don't care.


This is a late reply, but I'd been thinking on what you said and wanted to figure out where my disagreement lay. I think the biggest issue is that scale must be considered, and not merely whether each individual action is justified.

* Asking if somebody saw Brian at the bar last night is acceptable. Asking everybody if they saw Brian somewhere is acceptable in limited circumstances, such as Brian having been kidnapped. Asking everybody to list out who they saw and when is an unacceptable violation of privacy.

* Street photography is acceptable. Taking a picture once every day of the same house may be acceptable, such as if it is a historically interesting building, or if it is your own house. Collecting millions of street photographs, along with the time they were taken and who was in each photograph, is an unacceptable violation of privacy.

* CCTV is acceptable. Maintaining records of CCTV indefinitely may be acceptable, depending on the type of building. (e.g. The Pentagon may be justified in keeping CCTV recordings indefinitely, but the local laundromat is not.) Linking CCTV cameras together into a centralized query-able network that tracks people between locations is an unacceptable violation of privacy.

There are two common features that I realized in these examples. First, even if an individual action is acceptable and justified, repetition and coordination of that action may not be. This is similar to how saying hello when crossing paths with somebody is a courtesy and a pleasantry, but saying hello to the same person every 30 seconds is stalking. The difference in scale produces a difference in outcome.

Second, there exist gradations of privacy, rather than being a binary divide between public and private spaces. Between a completely private space, such as a person inside their own home with the windows drawn, and a completely public space, such as a person giving a speech on live TV, there are intermediate spaces. A person who is walking down the street has partial privacy, where their actions may be remembered by passersby for a day or two, but wouldn't be remembered a month or a year later. In the past, these gradations of privacy were maintained by the limits of human memory and the high cost of technological memory, but the cost of technological memory has fallen to a point where this social construct is breaking down.

Summing up, I would say that we cannot have a modern technological society if we *don't* treat tracking with the same concern we treat medical consent.


If you program a browser to auto-consent, then that isn't informed consent, even if your browser can read and parse a TOS (which I can't).

Install scripts run with --accept-tos have nothing to do with personal data or privacy, and are outside the scope of GDPR.


I'm really surprised nobody caught this and that the law even managed to pass unmodified.

They're treating "Accept cookies" with the same seriousness you'd expect from "Do you consent to me putting a whole package of cookie dough up your rear".

The whole GDPR seems to be one step away from censorship. And it seems almost like the real intent has less to do with user choice and informed consent, and more to do with just trying to kill off data collection as a business model completely, before we have a replacement for it.


    "Accept all" and the "Deny all" must be both
    be the same level of "easy-ness"
I think this is not clear until it has been tested in court.

Many websites now have two offers: free with 3rd party ads, and paid.

Surely paying is much less easy than clicking "Ok, show me the content with 3rd party ads".

It will be very interesting how courts see this.


Ads aren't the problem, tracking is. You can deliver ads without this complete user tracking.


In Germany, the media sites that offered either a "tracking/advertising on" or a "paid content" approach were already in court with that practice and won.

The current situation is that the courts decided that the business model (advertising and by that tracking the sh*t out of people) is valid if they offer an alternative where people pay them for access to the content.


I hope that's true, because disallowing the tracking based business model completely would be a horrendous thing, making it harder for people who aren't rich to be informed.


    were already in court
Really? That surprises me. I did not hear about this.

Do you have a link to such a case?


I know I read that in one of the data privacy newsletters I receive but am sadly currently not able to find it.

Sorry.


I think it's pretty clear, GDPR literally says 'It shall be as easy to withdraw as to give consent'.

The real problem is that enforcement has been lacking; this is what NOYB and co. are working to fix.


As far as I understand it, "withdraw" here is the withdraw of the consent at a later time. Consent that was previously given.

https://gdpr-info.eu/art-7-gdpr/

I don't think it means that when asked for consent, the user must have an easy way to deny that consent. As the user can always decide to simply not use the website.


Like this? https://en.wikipedia.org/wiki/Do_Not_Track

It was very ineffective.

Something similar but actually enforced (easier said than done) and utilized would be very nice indeed.


You mean like "Do Not Track"?

There is a misconception: they don't want it to be convenient. The whole purpose is to be as annoying as possible while staying legal, to force you to use the easy allow-all path. So even if there is an API they won't use it. They don't want to give you a choice, they want you to allow all access.


If the API covers allow-all with a fallback to a prompt, they'll use it.

Even with a deny all feature, they will use it if it's legally mandated, since apparently that's how we handle privacy now


> I wish there was a standard browser API for this.

There was: https://en.wikipedia.org/wiki/P3P


And Google was caught exploiting a weakness in the P3P implementation to bypass it entirely. Google was also caught exploiting a loophole in Safari when it added 3rd party cookie blocking: https://www.zdnet.com/article/google-pays-17m-to-settle-safa...

AdTech companies want to track you, and it's naive to think they will ever honestly and voluntarily use any API that blocks it.

Current deliberately-awful cookie consent prompts are malicious compliance aimed at making law makers look incompetent and making people resent privacy protection laws.


Oh absolutely! I just like to bring up P3P whenever someone inevitably says there should be a standard for 'cookie popups'. AFAIK, P3P actually goes further than all/nothing: it distinguishes between 1st-party/3rd-party, required/optional, which details are involved (IP, email address, etc.), data retention periods, etc. Plus, this was all implemented, in the most popular browser (at the time), a full two decades ago!

The context has obviously changed: there used to be no consequences for lying/bypassing (I didn't actually know about the Google case you mention; although it doesn't surprise me!), and most importantly: there were no consequences for not bothering to put it on a site at all. Hence the low adoption, and hence it died away. That's now changed, there's a chance some "non evil" sites might bring it back.

> Current deliberately-awful cookie consent prompts are malicious compliance aimed to make law makers look incompetent and make people resent privacy protection laws.

Yep. That's why machine-readable requests, with default-deny responses from user agents, won't appear any time soon; especially in browsers made/sponsored by adtech giants! The inconvenient manual effort is a feature of consent popups (at least, for those who came up with the idea; most sites just jumped on the band-wagon).


They'll use an API if it makes it easier and less noticeable to track most people. They should do a study and find out how many people will just set "Enable all cookies from all sites".

If the number of people who would use "Deny all nonessential" is less than the number of people who currently deny consent, it's a win for them.


We've had this bet with Do Not Track, and the whole idea died as soon as one browser set it by default.


That's the main issue here; the EU mandated consent and gave guidelines on what that consent might look like, but they left implementation down to the industry, which decided to do it themselves (often using dark patterns, for which some companies already got fined) instead of integrating it in browsers.

I remember 20 odd years ago now when Firefox came out with a popup blocker standard, built-in. Whatever happened to this "we need to reduce annoyances on the internet" movement? Why aren't the browsers themselves doing more against it?

I mean I know that Chrome and Firefox won't block ads by default because it affects their bottom line (Chrome through Google ads, Firefox through Google money), but what about GDPR consent forms and newsletter sign-up popups?


Google funded two of the three big browsers. That does a lot to kill innovation.


> I remember 20 odd years ago now when Firefox came out with a popup blocker standard, built-in. Whatever happened to this "we need to reduce annoyances on the internet" movement? Why aren't the browsers themselves doing more against it?

There was Do-Not-Track, but the industry decided it shouldn't be respected.


Do Not Track was always a joke. Without any legal teeth, why would people determined to spy on you stop spying on you because you say "Please"?


GDPR for example gives it teeth.

Grandparent post asked for a technical solution to hide cookie banners forever.

Websites don't have to show any cookie banner whatsoever if they honor Do-Not-Track.

If they don't show a banner but still track, they're breaking the law.

The problem of cookie banners is easy to solve. All that's lacking is honesty from adware vendors and website operators.


I would love for an update to GDPR, stating that any automated form of refusal for consent, including the Do-Not-Track header, must be treated as an explicit refusal and may not result in additional requests.


That's a great idea and would be an amazing next step.

Do-Not-Track can already be honoured by website operators. The issue is just that they choose not to do it.


I wouldn't be surprised if Google's consent form intentionally broke every GDPR rule. The first time I saw it, it didn't bombard me with dark patterns, it sent me down a rabbit hole of near infinite options where I couldn't even tell if any of them were relevant for Google search. They don't want to give users a quick and easy way to opt out, especially not while they are still working on replacement APIs that use sleight of hand, confusing technobabble and a decent amount of hand waving to not only avoid GDPR restrictions but make your browser track you for them. This isn't just Google, Mozilla seems to have sold out to Meta and is working on its own tracking API.


Facebook's (or I guess Meta's; I noticed it on the Oculus website) approach is the worst I've seen, with no clear way to decline. At least Google and the others give you the option, they just make you do a load of work for it (and then at the end present you with a blue "accept all" button and a grey "accept selected" button). Facebook literally just gives you an accept all button and, if I recall correctly, a small hyperlink to view their policy in which you have the option to go through all the settings and decline.


You're not alone. This is why the French fined Google EUR 150M in January*. NOYB have started a second round of complaints this month so expect more.

* https://www.cnil.fr/en/cookies-google-fined-150-million-euro...


I suppose they're making us suffer so we pressure politicians.


The cookies are just one outward sign of data collection.

GDPR isn't about cookies, it's about collecting, storing and transferring data. Done properly, GDPR notices should allow users to opt in to having data about themselves collected by the interested company (and other things like acknowledging the relationships and responsibilities formed by that consent - like requesting deletion and having it honoured).

We just happen to use cookies to do much of that collection. We also already had "the cookie law", so it seems "pragmatic" to piggy back the two things, for the sake of "user convenience".

GDPR creates responsibilities and guidance on all the database tables, the system designs, the job descriptions and so on which operate around data about people.


There's no valid reason for the third party cookies. There are browsers that get this right (lynx lets you choose to accept and reject cookies, including an "always/never and never bother me about it again" option).


Or just activate the filter in uBlock Origin: Filter Lists -> Annoyances -> EasyList Cookie


I've used it, but it's not perfect and might occasionally break some websites (e.g can't scroll).


Over the last few months this has been much improved; many commits have fixed a few noscroll issues. If you find any, let me know.

/FanboyNZ


https://news.ycombinator.com/item?id=30625756

Because it inserts an overflow: hidden in <html> or <body>.

Quite annoying!


I had the same issue with other solutions I tried. Consent-O-Matic is the only extension I found so far that doesn't break pages. But it doesn't handle all consents, unfortunately.


If I could use uBlock Origin on Safari, I'd try this.


To add to this, blocking the GDPR pop-ups is legally equivalent to declining all but the essential cookies. This is because GDPR establishes a default that users may not be tracked, and explicit, freely given, informed consent is an exception to that general rule. If the pop-up is ignored, blocked, or contains insufficient information, then the exception is not granted, and the site may not track you.

Granted, whether or not sites are following the law is another matter altogether.


Oh my goodness thank you.


This is great! Thank you for sharing.


I'm part of the team working on consent-o-matic at Aarhus University, and it's great to see the project getting some attention here. We've been running the project on a bit of a shoestring budget, but we are currently working on improving detection and adding more CMPs. We are also testing the plugin for Safari on both MacOS and iOS, and hopefully have it released soon. I can attest that it is very nice to have on the phone, and it makes me very happy every time I see my phone autofill a pop-up :-)

Since creating rules is one of the more time consuming parts of maintaining the project, we are happy for any help we can get through pull requests to the rule lists.


What does it actually do? Does it automatically "accept everything"? Or reject everything? Or just suppress the consent forms?


You can configure what categories of tracking you will allow, and then there are custom rules for a wide range of CMPs to apply those preferences automatically.

See screenshot from config here: https://imgur.com/a/fHfuZ0O


I wish there was an open source project for developers to implement those darn consent forms.

Adsense offers an automatic consent modal. But the problem with that one is that it not only displays the consent modal but also injects a smaller widget into the site. It looks like the widget only pops up when the user scrolls down to the bottom of the page. Unfortunately, that also makes it pop up when the page is not longer than the screen. So pages where all content fits on one screen look really shitty.

Anybody who has a website with Adsense here? How do you guys deal with this?

Anybody here who wrote their own consent modal?

I am about to implement my own. Unfortunately that will then not be automatically handled by extensions like the one in this post or ublock. Putting the burden of clicking it away on my users. Even on the 50% that use an ad blocker anyhow :/


If you want it to be handled by ublock you could always self report to a popular ad list like Easy List.


I've seen this consent manager recommended: https://github.com/kiprotect/klaro


How about implementing the website or app as if all users only give consent to essential cookies and show no consent UI at all?


First of all, GDPR is not about cookies. It is about personal data. And so far, courts have considered the user's IP to be personal data.

Since advertisers need to know if you really show their ads, the ads need to send some signal back from the user to the advertiser. So ads always send the user's IP to a third party: The advertiser or a trusted intermediary.

Assuming no consent to that for everybody would mean that the revenue of my website goes to zero. And I would not be able to run it anymore. As the ones paying for the costs are the users who consent.


The last time [0] (no other comments, just for the easy links), the poster also wrote

> If you trust prebuilt versions of extensions like this--

> Available on Firefox: https://addons.mozilla.org/en-US/firefox/addon/consent-o-mat...

> Available on Chrome: https://chrome.google.com/webstore/detail/consent-o-matic/md...

[0]: https://news.ycombinator.com/item?id=29995791


I'm not an author of this extension, just a user. It's not perfect. It still misses many consent forms, but when it works it works wonderfully.

Bigger awareness might lead to more contributions to automate away even more consent forms.


Unlike other extensions, this one doesn't simply 'Accept All', but rather allows you to set default preferences and uses those.


With uBlock Origin you can just hide them, so you don't even have to answer to not consent


Just hiding consent can sometimes break a page. I haven't experienced any broken pages with this extension.


I wish more people would just use self-hosted analysis tools and stop tracking people across sites. I think github does this and they wrote a blog post detailing their reasoning.


Unfortunately, the default for many is Google Analytics. It would be very nice to have a client-side analytics provider with a default position of total anonymity.


That's not linked to consent forms.

If you self host everything, but are still using my personal info, you need my consent.


If you're collecting analytics data yourself you still need to comply with GDPR so you still need a cookie banner for anything but extremely basic analytics.


Or you can just ignore GDPR if you're outside the EU.


Alternatively, do not track personal data and do not show any forms.


If you don't want to do business in the EU, sure. Collecting the data of EU citizens and using it for advertising purposes means you're doing business in the EU though.

This applies whether it's you doing the collecting or Google's "free" analytics service.

Of course if you're running a small website you'll probably get away with it. For now.


What I'd be much more interested in is some form of automated reporting of GDPR violations.

EDIT: not to knock on the efforts of this developer though! Just thinking that actually holding websites accountable would be a way out of this internet harassment arms race in the long run.


NOYB is doing something like that, but they send notifications to the website owners before reporting a violation: https://noyb.eu/en/more-cookie-banners-go-second-wave-compla...


I've tried this, and on its own, it works really, really well. It does what I want, and gets me less distraction on websites. All in all great.

Where it started not working so well was in conjunction with NoScript (which I've started using recently).

Then on some pages, it stalls, showing a notification while waiting for a consent-dialog to show up, before eventually giving up. But because of NoScript the dialog itself is blocked and will never show up.

In these cases Consent-O-Matic is actually creating a bigger distraction than it needs to.

Would be nice to see that addressed somehow :)


I just use https://www.i-dont-care-about-cookies.eu/ with uBlock Origin and it just works.


If you care about your data being harvested it's not the same though. This one actually declines tracking. "I don't care about cookies" often accepts all tracking for you.


"""In most cases, it just blocks or hides cookie related pop-ups. When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies."""


Which basically rewards sites that intentionally make it hard to avoid clicking yes.


My flabber is gasted.

It's mind-boggling that anybody would agree to give away their personal data to advertisers in such a blanket fashion.


I just block them using uBlock Origin, right click -> block element.

One problem is that often, those forms insert an "overflow: hidden" into either <body> or <html>, meaning the page cannot scroll anymore. Twitter does this too.

It's possible to just remove it with the dev tools, but it's quite annoying.

I've asked uBlock for a way to fix this, like:

##body,html:matches-css(overflow: hidden):style(overflow:auto !important)

But it doesn't really work.
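An added example, not the commenter's filter and not part of Consent-O-Matic or uBlock Origin, of doing the same scroll-unlock from a userscript instead of a filter rule. It assumes the lock is applied as an inline style on <html> or <body> (the case described above) and that a userscript manager injects it into the page; a class-based lock would need a different check.

```javascript
// Added example: undo the inline "overflow: hidden" that cookie-consent
// overlays put on <html>/<body> so the page can scroll again.
// Assumption: the lock is an inline style, as the comment above describes.

// Pure helper, usable without a DOM: returns the overflow value to apply,
// or null when the element is not locked.
function scrollFixFor(inlineOverflow) {
  return /^\s*hidden\s*$/i.test(inlineOverflow || "") ? "auto" : null;
}

// Restore scrolling on one element; returns true if it changed something.
function unlockScroll(el) {
  const fix = scrollFixFor(el.style.overflow);
  if (fix === null) return false;
  // "important" priority beats the overlay's own non-important inline rule.
  el.style.setProperty("overflow", fix, "important");
  return true;
}

// Watch the root elements: consent scripts usually set the lock after
// load, and some re-apply it when the dialog is hidden rather than closed.
// Our own setProperty triggers the observer once more, but the second
// pass sees "auto" and does nothing, so there is no loop.
function installScrollUnlock(doc) {
  const roots = [doc.documentElement, doc.body].filter(Boolean);
  roots.forEach(unlockScroll);
  const observer = new MutationObserver(() => roots.forEach(unlockScroll));
  for (const el of roots) {
    observer.observe(el, { attributes: true, attributeFilter: ["style"] });
  }
  return observer;
}

// Only run the DOM part when a document actually exists (i.e. in a browser).
if (typeof document !== "undefined") installScrollUnlock(document);
```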


This is backwards. I, the user shouldn't be fixing it, the website operators should be the ones fixing it by not tracking me.


Not sure what it should do, but after installing it, it just did nothing on a few German news sites I tested it on. It also did nothing on my own site (using klaro.js). I would still have to click and do the same steps that I would have done without the plugin.

No idea what should have been the effect.


You can click on the extension icon and report that autofill didn't work on that website.

Currently it handles only some consent forms.


Why should I? I test something. It doesn't work. I remove it. I have no interest in doing their job for them.


I have never accepted or denied any cookie dialog, anywhere; I just zap them away with uBlock Origin. Adding a blanket rule about ###onetrust-consent-sdk to my filter list went a surprisingly long way toward reducing these annoyances.


How different is this from the "I don't care about cookies" extension?


"I don't care about cookies" accepts everything and you can't change its behavior. This extension allows you to reject them all by default.


I just found out that if you block all cookies for google.com in your browser, they will never ask you for your consent. Very helpful if you clear your cookies regularly. You can also do the same for youtube.com.


I am very excited to use this, but I can't find the safari version for Mac or iOS even though it says it exists.


We are currently testing it through testflight. Should be ready for a release soon.


Is there any way to sign up to be notified when it's released?


If this supported Google and YouTube, I'd install it in a heartbeat. Those are right now the worst offenders.

Oh and Twitter.


Related q: is there anyone choosing to accept all? (Knowingly)


As my hosts-file and ad/script blocker are configured to block tracking and advertising I always click: Accept all.

This is by default the quickest way to get to the content. Without compromising privacy by using addons.


Wouldn't that still allow advertisers to track you through your IP or other means?


The extension in my browser blocks the outgoing call. If something gets through, the hosts file redirects it to my localhost, which doesn't answer.

So no - advertisers never "see" me.


The website you're connecting to could still log your IP and since you've agreed to tracking they can sell it on to advertisers.


Hmm. How does one block ads without a plug-in?


You alias all the known ad-serving domains to unresolvable stuff in the hosts file. I just used one of the lists I found on GitHub.


Exactly that. I would recommend something like this [0].

[0]: https://github.com/StevenBlack/hosts


The answer isn't to change web standards but to abolish GDPR. If you think GDPR has done good to anyone besides bureaucrats, I've got an EULA for you to agree to.


I use this right now and love it.


Anyone thinking that the detection part is possible through a deep learning model?


Correct me if I'm wrong but isn't the cookie law different than GDPR?

My understanding is that GDPR concerns how you use PII and contact information and the requirement that you be able to request your data be deleted. So I expected a data removal request form and/or a contact consent form.


I run a site that’s 6 years old and has about 1,000 active users in a week, and 100,000 lifetime users. Maybe that’s considered small? People create images on it, and I store those images. But how many GDPR data requests have I had this entire time?

0.

Not a single one.


I wish people would stop confusing cookie-consent laws and GDPR. They are quite distinct laws and are giving GDPR a bad rap for wholly the wrong reasons.


> I wish people would stop confusing cookie-consent laws and GDPR

I wish (computer-savvy) people would stop talking about "cookie laws" altogether, since there's no such thing.

When people say "the cookie law", they're usually referring to two EU regulations:

- PECD: https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

- GDPR: https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

However, neither of these is a "cookie law". In particular:

- The laws cover much more than "cookies"; e.g. they're just as applicable to browser fingerprinting, Flash "supercookies", etc.

- Cookies which perform a requested job have implied consent: users visit an online store because they want to use the shopping cart functionality; if they don't agree to having a shopping cart cookie, they can leave the online store. (In contrast, users don't visit online stores in order to be tracked by advertisers; so separate, explicit consent is required)


And GDPR largely superseded cookie consent IMO. As in: you don't even have to ask consent if the cookies are strictly necessary: https://gdpr.eu/cookies/


The consent form situation did not get this bad until GDPR was passed. Prior to GDPR cookie-consent forms were simple "Yes" or "No" buttons without all the insane pages of toggles.


GDPR did mandate defaulting all of those toggles to "decline" though, even though some are trying to get clever and add additional toggles for "legitimate interest" (which isn't how that works legally but AFAIK nobody has been sued over that yet).

The follow-up privacy legislation also bans the current dark pattern of making the "accept all" button more prominent and obvious than "decline all", at least requiring both to be equally prominent. The flow of having to go through "manage" or "see options" or other shenanigans as links in order to decline all has always been in violation of the GDPR and could theoretically open you up to the fines as it demonstrates intent.


Legitimate Interest is a separate Legal Basis.


Yeah but providing an opt-out toggle for "legitimate interest" is a good indicator that the interest is actually not legitimate enough to require manual opt-out. And in practice I've seen it mostly used as a gotcha to make it harder to opt out of every single advertising partner individually.

"But we want to show you ads to finance our website and our advertising partners want to abuse your privacy" is not a legitimate interest.


This gets back to GP's point about GDPR vs ePrivacy Directive. Legitimate Interest is a separate Legal Basis under GDPR (and does in fact allow opt-out). But the ePrivacy Directive does not recognize Legitimate Interest. You cannot use Legitimate Interest as a basis for making a cookie opt-out.


Just because that correlated in time doesn't mean it's what the law actually implies.

Informed consent about cookies was a law that predated the GDPR.

The consent boxes only got worse because, with GDPR, you suddenly have regulators who care about these things and are empowered to impose hefty fines. So people stopped ignoring the whole space of privacy, as they had been before.

One of the declared goals of GDPR is to rein in "profiling". So the industry started trying to desperately weave a narrative on the grounds of consent: they wanted to create an electronic paper trail that would somehow support their claim that people were consenting under the rules of the GDPR to being profiled.

But consent under the definition of the old cookie directive does not meet the standard required under the GDPR for consenting to profiling [1]. People like Max Schrems are actively engaged in trying to get the industry to turn away from their noncompliant ways [2]. Especially the use of certain UI dark patterns has already led to hefty fines [3].

My hope is that, when this has all played out through the legal system, it will become clear to the industry that the stuff they are trying to get you to consent for them to do, is just outlawed altogether, thus scoring a victory for privacy on the web and rendering that consent-stuff moot.

If not, regulators may need to get involved to make it more clear, that this is the intended outcome, which I have no doubt they eventually will.

I also have high hopes that, eventually, GPC will become enshrined in law [4].

[1] https://academic.oup.com/idpl/article/5/3/163/730611?login=f...

[2] https://www.dataprotectionreport.com/2021/06/max-schrems-pri...

[3] https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-m...

[4] https://globalprivacycontrol.org/


Dead simple solution: provide a GDPR consent form with "yes, I accept being tracked" or "no I refuse being tracked in any way".

Or even better, make the form automatically recognizable by your browser and a setting in the browser so that it says yes or no for you.

Have you ever noticed that the "yes I agree" button is most of the time MUCH easier to click on than to tell "no I don't"?


> Have you ever noticed that the "yes I agree" button is most of the time MUCH easier to click on than to tell "no I don't"?

That's illegal under GDPR. Yet here we are.



