
I wish there was a standard browser API for this. If the law is going to force this to be a thing, and it's not going away, web standards should respond.

It could even just be a flag in the cookie itself declaring that something isn't strictly necessary.




It can't be. At least not if you want to accept cookies. Declining is easy. You can just decline everything (technically) not necessary.

The problem is, that consent must be given freely and fully informed. And this is the catch. Automatic acceptance isn't fully informed and with that the consent isn't valid.

So it would put the companies in danger and therefore no company could honor this standard.

Sadly - as it would make life easier. But it would be enough if companies would just not use dark patterns. If there is a banner, the "Accept all" and the "Deny all" must both be the same level of "easy-ness" and the same amount of clicks (and wait time). Only if you want to would you need to dive into the detailed categories.

And even there: Most sites abuse "legitimate interest". Everything non-essential should by default be inactive. But sadly it isn't.

Disclaimer: I am a data analyst/Web analyst. I do this stuff for a living for clients. Still I value these things highly. And would love for it to be implemented correctly.


The banners are inherently dark patterns.

Non-essential cookies could be enabled via a configuration menu opened by the user at a time of their choosing. But everybody knows no user is going to do that, particularly unprompted. So they create a pop-up banner to do both the prompting and the configuration.

And everybody knows most users, when they see a pop-up, are just looking for the sequence of button presses needed to remove the pop-up. So they make sure that that's "enable all cookies" because they know if it's "only enable essential cookies" vanishingly few users will enable non-essentials. Why would they?

If everything non-essential were required to be inactive by default I think the pop-ups would disappear entirely. There'd be no point to them because vanishingly few users would ever change the defaults.


It should literally be a setting in the browser - auto decline. That would make everyone's life a lot easier.


I wonder what the advertising company in charge of the world's most popular browser would have to say about that.


We had something like that called DNT, and not only did nobody honor it, but it was used as an extra fingerprinting vector, totally defeating its purpose.

According to the GDPR, all non-essential tracking should be off by default, so "decline" is already the default if companies were compliant with the regulation (which is a big "if").


I was in ad tech once. We obeyed it. Lots of traffic went through us. No one cared that we obeyed it and our competitors didn’t.

Left the code in anyway but that’s the thing about these things: consumer behavior reveals that they don’t actually give a fuck about whether anyone obeys this or not except for the time when they want to be outraged.


The thing is that from a user's perspective there's no way to tell whether someone obeys it or not because lying is not punished, so the safe thing to do is to assume the worst in all cases.


Right. It's rational for the user not to care. The point is that it was designed to fail since there's no closed loop verification. i.e. DNT was a bad design.


And the customer is always right.


You should rewrite that ending in "since companies aren't"


Everybody would just leave that enabled and advertisers would find a different way to make money from tracking our browsing.


The twist is that this time around they legally are not allowed to do so.


I think the point is that you already can decline by default - by turning off cookies. IMO an API for cookie consent would be most useful if you could always accept functional cookies and none of the rest, but even that likely wouldn’t pass the test of being informed consent for every website that might use functional cookies a bit differently.


Just like a robots.txt you could have a privacy.txt or so at the root of the site.

Then the browser could take care of displaying it in a uniform way together with the “accept” and “reject” buttons in a uniform way.

Would be much easier for the website and it would make it impossible to use dark patterns.


How do sites abuse Legitimate Interest? LI is something vendors declare to the IAB, not the sites. These CMPs just present that information to the user (in complicated ways) so they can Accept/Decline/Object.


> How do sites abuse Legitimate Interest?

By pretending that advertisement and tracking are part of Legitimate Interest, and having a "secondary section" that is not only pre-accepted, but also overrides the proper consent part.

To really decline consent in those cases, you must uncheck all "Legitimate Interest" checkboxes. Not only are those things not legitimate interest, this also overrides the lack-of-consent provided by users for a couple vendors.

Legitimate interest is not a get out of jail free card. You can't apply it to everything and pretend you got consent.

https://i.imgur.com/M9gUEVi.png


LI is separate Legal Basis to Consent, that's why there are two lists in the CMP. The user's choices for each Legal Basis are sent separately in the TCF consent strings and entities are expected to adhere to these rules. One does not override the other.

The full list of the LI purposes claimed by adtech players is available at [0]

As for why they're enabled by default... I'd imagine there's a legal reason. GDPR doesn't just apply to adtech, it's everything.

In any case, it's not sites that are the issue. It's the CMP screens.

[0] https://vendor-list.consensu.org/v2/vendor-list.json


> LI is separate Legal Basis to Consent, that's why there are two lists in the CMP.

I never said the opposite and never said that was a problem. Presenting non-Legitimate Interest as if it were, however, is shady and probably illegal.

> The user's choices for each Legal Basis are sent separately in the TCF consent strings and entities are expected to adhere to these rules.

I never said that being separated is a problem. The problem is using anything that is firmly NOT in the Legitimate interest camp as if it were, and using that to mislead customers.

> One does not override the other.

It does in this case, and it is easily verifiable. Even if I disallow a certain tracking vendor, it will still load stuff from this vendor in websites, even though nothing from this vendor configures "Legitimate Interest". And all my data will still be piped to those adware, etc, vendors, that provide no functions other than adware, tracking and other shady stuff that GDPR requires consent for.

> As for why they're enabled by default... I'd imagine there's a legal reason. GDPR doesn't just apply to adtech, it's everything.

That's beside the point. If it were really Legitimate Interest, there would be no need for asking.


Tracking for Ad fraud is one example where they claim legitimate interest, which is BS IMV


If you program a browser to consent for you that is no different to consenting yourself.

Just as writing and running an install script with --accept-tos is valid.


That's not informed consent but if you decide to accept everything without reading anything, it's your right to do it. You won't be able to complain in case of "surprises". So yes, a browser could come with an "Accept all" setting, probably disabled by default, but which browser vendor is going to go through the trouble of implementing that, proposing an API and above all getting every Privacy Agency of the world to accept that?


Clicking a checkbox that says "accept all tracking/cookies purpose from any website" and having the browser accept for you absolutely is informed consent.

A court would look at this and a person who mindlessly clicked "accept all" on every website as equivalent.

Browsers could propose an API for this functionality and no doubt some websites would implement it. They haven't but they could.

Whether there's any point is another question. Websites would probably rather use dark patterns to get us to click accept all, so any API that went beyond accept all and allowed a standardized user policy on data collection would have a limited uptake.


> Clicking a checkbox that says "accept all tracking/cookies purpose from any website" and having the browser accept for you absolutely is informed consent.

IANAL so it's pointless for me to argue on that point. Of course if somebody is happy to accept in advance any privacy policy and will confirm all of those automated choices in a court (if they'll ever be challenged, can't think why), no problem with that.

My point was that we shouldn't expect a major browser vendor to go through all the process to build an API with those legal implications. I wouldn't bet on major websites adopting that API anyway. It looks so much like following the letter of the law and circumventing the spirit of it. Very risky, both legally and as a middle finger to the regulators.


>It looks so much following the letter of the law and circumventing the spirit of it.

I don't think this is true either. The consent options would typically come under a few pretty well defined headers (e.g. advertising) and could include the capability of raising specific exceptions for nonstandard requests.


Why not? Google loves tracking (at least when it's their own) and users hate popups.

A feature saving 2 seconds on 90% of sites is a big deal.


If I sign a form that says "I accept all medical procedures being done to me in the next month.", that wouldn't be informed consent for a surgery two weeks later if I hadn't been aware of the risks of the surgery at the time that I signed the form. Being informed of the specifics for a particular procedure is necessary, not just being informed of the general risks of medical procedures.

In the same way, GDPR requires informed consent about the specific use of data by a specific data controller. From https://gdpr-info.eu/issues/consent/ :

> For consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’.

The proposed browser-based solution that sends an automated acceptance on behalf of the user would not qualify as informed consent in the context of the GDPR, because the consent was given prior to the human being informed about the specific use by the specific site.


>If I sign a form that says "I accept all medical procedures being done to me in the next month.", that wouldn't be informed consent

Medical consent is a whole different kettle of fish and I may be off base here but I am pretty sure you can preauthorize consent for, e.g. there's a risk you may become unconscious and need follow up treatment.

>The proposed browser-based solution that sends an automated acceptance on behalf of the user would not qualify as informed consent

It's absolutely possible to have all of this information sent in an API to software acting on behalf of the user. The user has been informed and the obligations of the website will have been discharged. What the user's browser does with this is the user's business.


We cannot have a modern technological society if we treat tracking with the same concern we treat medical consent.

That road leads to banning street photography and CCTV, and being able to get a gag order to stop people from saying "Yeah I saw Brian at the bar last night". When does it stop?

There are no uses of cookies an average user cares about that aren't already illegal.

They are basically all for the same thing, to spy on you and sell your data to third parties to the fullest extent of the law, excluding any data you would actually notice being sold like credit card numbers, and many users don't care.


This is a late reply, but I'd been thinking on what you said and wanted to figure out where my disagreement lay. I think the biggest issue is that scale must be considered, and not merely whether each individual action is justified.

* Asking if somebody saw Brian at the bar last night is acceptable. Asking everybody if they saw Brian somewhere is acceptable in limited circumstances, such as Brian having been kidnapped. Asking everybody to list out who they saw and when is an unacceptable violation of privacy.

* Street photography is acceptable. Taking a picture once every day of the same house may be acceptable, such as if it is a historically interesting building, or if it is your own house. Collecting millions of street photographs, along with the time they were taken and who was in each photograph, is an unacceptable violation of privacy.

* CCTV is acceptable. Maintaining records of CCTV indefinitely may be acceptable, depending on the type of building. (e.g. The Pentagon may be justified in keeping CCTV recordings indefinitely, but the local laundromat is not.) Linking CCTV cameras together into a centralized query-able network that tracks people between locations is an unacceptable violation of privacy.

There are two common features that I realized in these examples. First, even if an individual action is acceptable and justified, repetition and coordination of that action may not be. This is similar to how saying hello when crossing paths with somebody is a courtesy and a pleasantry, but saying hello to the same person every 30 seconds is stalking. The difference in scale produces a difference in outcome.

Second, there exist gradations of privacy, rather than being a binary divide between public and private spaces. Between a completely private space, such as a person inside their own home with the windows drawn, and a completely public space, such as a person giving a speech on live TV, there are intermediate spaces. A person who is walking down the street has partial privacy, where their actions may be remembered by passersby for a day or two, but wouldn't be remembered a month or a year later. In the past, these gradations of privacy were maintained by the limits of human memory and the high cost of technological memory, but the cost of technological memory has fallen to a point where this social construct is breaking down.

Summing up, I would say that we cannot have a modern technological society if we *don't* treat tracking with the same concern we treat medical consent.


If you program a browser to auto-consent, then that isn't informed consent, even if your browser can read and parse a TOS (which I can't).

Install scripts run with --accept-tos have nothing to do with personal data or privacy, and are outside the scope of GDPR.


I'm really surprised nobody caught this and that the law even managed to pass unmodified.

They're treating "Accept cookies" with the same seriousness you'd expect from "Do you consent to me putting a whole package of cookie dough up your rear".

The whole GDPR seems to be one step away from censorship. And it seems almost like the real intent has less to do with user choice and informed consent, and more to do with just trying to kill off data collection as a business model completely, before we have a replacement for it.


> "Accept all" and the "Deny all" must be both be the same level of "easy-ness"

I think this is not clear until it has been tested in court.

Many websites now have two offers: Free with 3rd party ads and paid.

Surely paying is much less easy than clicking "Ok, show me the content with 3rd party ads".

It will be very interesting, how courts see this.


Ads aren't the problem, tracking is. You can deliver ads without this complete user tracking.


In Germany, the media sites that offered "either tracking/advertising" on vs "paid content approach" were already in court with that practice and won.

The current situation is, that the courts decided, that the business model (advertising and by that tracking the sh*t out of people) is valid if they offer an alternative where people pay them for access to the content.


I hope that's true, because disallowing the tracking based business model completely would be a horrendous thing, making it harder for people who aren't rich to be informed.


> were already in court

Really? That surprises me. I did not hear about this.

Do you have a link to such a case?


I know I read that in one of the data privacy newsletters I receive but am sadly currently not able to find it.

Sorry.


I think it's pretty clear, GDPR literally says 'It shall be as easy to withdraw as to give consent'.

The real problem is enforcement has been lacking; this is what NOYB and co. are working to fix.


As far as I understand it, "withdraw" here is the withdraw of the consent at a later time. Consent that was previously given.

https://gdpr-info.eu/art-7-gdpr/

I don't think it means that when asked for consent, the user must have an easy way to deny that consent. As the user can always decide to simply not use the website.


Like this? https://en.wikipedia.org/wiki/Do_Not_Track

It was very ineffective.

Something similar but actually enforced (easier said than done) and utilized would be very nice indeed.


You mean like "Do Not Track"?

There is a misconception: they don't want it to be convenient, the whole purpose is to be as annoying as possible and legal, to force you to use the easy allow-all path. So even if there is an API they won't use it. They don't want to give you a choice, they want you to allow all access.


If the API covers allow-all with a fallback to a prompt they'll use it.

Even with a deny all feature, they will use it if it's legally mandated, since apparently that's how we handle privacy now


> I wish there was a standard browser API for this.

There was: https://en.wikipedia.org/wiki/P3P


And Google was caught exploiting a weakness in the P3P implementation to bypass it entirely. Google was also caught exploiting a loophole in Safari when it added 3rd party cookie blocking: https://www.zdnet.com/article/google-pays-17m-to-settle-safa...

AdTech companies want to track you, and it's naive to think they will ever honestly and voluntarily use any APIs that blocks it.

Current deliberately-awful cookie consent prompts are malicious compliance aimed to make law makers look incompetent and make people resent privacy protection laws.


Oh absolutely! I just like to bring up P3P whenever someone inevitably says there should be a standard for 'cookie popups'. AFAIK, P3P actually goes further than all/nothing: it distinguishes between 1st-party/3rd-party, required/optional, which details are involved (IP, email address, etc.), data retention periods, etc. Plus, this was all implemented, in the most popular browser (at the time), a full two decades ago!

The context has obviously changed: there used to be no consequences for lying/bypassing (I didn't actually know about the Google case you mention; although it doesn't surprise me!), and most importantly: there were no consequences for not bothering to put it on a site at all. Hence the low adoption, and hence it died away. That's now changed, there's a chance some "non evil" sites might bring it back.

> Current deliberately-awful cookie consent prompts are malicious compliance aimed to make law makers look incompetent and make people resent privacy protection laws.

Yep. That's why machine-readable requests, with default-deny responses from user agents, won't appear any time soon; especially in browsers made/sponsored by adtech giants! The inconvenient, manual-effort is a feature of consent popups (at least, for those who came up with the idea; most sites just jumped on the band-wagon)


They'll use an API if it makes it easier and less noticeable to track most people. They should do a study and find out how many people will just set "Enable all cookies from all sites".

If the number of people who would use "Deny all nonessential" is less than the number of people who currently deny consent, it's a win for them.


We've had this bet with Do Not Track, and the whole idea died as soon as one browser set it by default.


That's the main issue here; the EU mandated consent and gave guidelines on what that consent might look like, but they left implementation down to the industry, which decided to do it themselves (often using dark patterns, for which some companies already got fined) instead of integrating it in browsers.

I remember 20 odd years ago now when Firefox came out with a popup blocker standard, built-in. Whatever happened to this "we need to reduce annoyances on the internet" movement? Why aren't the browsers themselves doing more against it?

I mean I know that Chrome and Firefox won't block ads by default because it affects their bottom line (Chrome through Google ads, Firefox through Google money), but what about GDPR consent forms and newsletter sign-up popups?


Google funded two of the three big browsers. That does a lot to kill innovation.


> I remember 20 odd years ago now when Firefox came out with a popup blocker standard, built-in. Whatever happened to this "we need to reduce annoyances on the internet" movement? Why aren't the browsers themselves doing more against it?

There was Do-Not-Track, but the industry decided it shouldn't be respected.


Do Not Track was always a joke. Without any legal teeth, why would people determined to spy on you stop spying on you because you say "Please"?


GDPR for example gives it teeth.

Grandparent post asked for a technical solution to hide cookie banners forever.

Websites don't have to show any cookie banner whatsoever if they honor Do-Not-Track.

If they don't show a banner but still track, they're breaking the law.

The problem of cookie banners is easy to solve. All that's lacking is honesty from adware vendors and website operators.


I would love for an update to GDPR, stating that any automated form of refusal for consent, including the Do-Not-Track header, must be treated as an explicit refusal and may not result in additional requests.


That's a great idea and would be an amazing next step.

Do-Not-Track can already be honoured by website operators. The issue is just that they choose not to do it.
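
An added example, not part of the thread or any commenter's code: a server-side decision function that treats `DNT: 1` as an explicit refusal with no follow-up prompt and keeps non-essential cookies off by default. The cookie catalogue, the `storedChoices` object and the function names are hypothetical.

```javascript
// Constructed catalogue: every cookie the (hypothetical) site may set, tagged by purpose.
const COOKIE_CATALOG = [
  { name: "session_id", purpose: "essential" },
  { name: "csrf_token", purpose: "essential" },
  { name: "ab_bucket", purpose: "analytics" },
  { name: "ad_id", purpose: "advertising" },
];

// HTTP header names are case-insensitive; return the trimmed value or null.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// storedChoices holds per-purpose answers the user gave explicitly on this site,
// e.g. { analytics: true } (assumption: kept in an essential first-party cookie).
// A missing key means the user has never been asked about that purpose.
function planCookies(headers, storedChoices = {}) {
  // "DNT: 1" is the refusal signal. "DNT: 0" or no header is NOT consent.
  const dntRefusal = headerValue(headers, "DNT") === "1";
  const setCookies = [];
  let unanswered = false;

  for (const cookie of COOKIE_CATALOG) {
    if (cookie.purpose === "essential") {
      setCookies.push(cookie.name); // needed for the service itself
      continue;
    }
    const choice = storedChoices[cookie.purpose];
    if (choice === true) {
      // A site-specific opt-in is more specific than the general header
      // (design assumption of this example).
      setCookies.push(cookie.name);
    } else if (choice === undefined && !dntRefusal) {
      // Never asked and no automated refusal: stays off, may be asked once.
      unanswered = true;
    }
    // choice === false, or DNT: 1 without a stored opt-in: stays off, no prompt.
  }

  // The banner appears only when a purpose is unanswered AND the browser sent
  // no refusal. An automated refusal never results in an additional request.
  return { setCookies, showBanner: unanswered };
}
```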


I wouldn't be surprised if Google's consent form intentionally broke every GDPR rule. First time I saw it it didn't bombard me with dark patterns, it sent me down a rabbit hole of near infinite options where I couldn't even tell if any of them were relevant for Google search. They don't want to give users a quick and easy way to opt out, especially not while they are still working on replacement APIs that use sleight of hand, confusing technobabble and a decent amount of hand waving to not only avoid GDPR restrictions but make your browser track you for them. This isn't just Google, Mozilla seems to have sold out to Meta and is working on its own tracking API.


Facebook's (or I guess Meta, I noticed it on the Oculus website) approach is the worst I've seen, with no clear way to decline. At least Google and the others give you the option, they just make you do a load of work for it (and then at the end present you with a blue "accept all" button and a grey "accept selected" button), Facebook literally just gives you an accept all button and, if I recall correctly, a small hyperlink to view their policy in which you have the option to go through all the settings and decline.


You're not alone. This is why the French fined Google EUR 150M in January*. NOYB have started a second round of complaints this month so expect more.

* https://www.cnil.fr/en/cookies-google-fined-150-million-euro...


I suppose they're making us suffer so we pressure politicians.


The cookies are just one outward sign of data collection.

GDPR isn't about cookies, it's about collecting, storing and transferring data. Done properly, GDPR notices should allow users to opt in to having data about themselves collected by the interested company (and other things like acknowledging the relationships and responsibilities formed by that consent - like requesting deletion and having it honoured).

We just happen to use cookies to do much of that collection. We also already had "the cookie law", so it seems "pragmatic" to piggy back the two things, for the sake of "user convenience".

GDPR creates responsibilities and guidance on all the database tables, the system designs, the job descriptions and so on which operate around data about people.


There's no valid reason for the third party cookies. There are browsers that get this right (lynx lets you choose to accept and reject cookies, including an "always/never and never bother me about it again" option).



