This whole thing is ridiculous. While adding these widgets to blocking filters seems like a workable short-term solution, the entire cookie notice scheme is unworkable in the long run. The problem is, this crap will stack up in the future, and none of it will ever get abolished. On some sites, I get a triple-stacked legalese warning banner, and I have to manually close all three of them.
Since internet law will only get worse, maybe it's time for a "real" technical solution to this. For example, if we had a standardized HTML element attribute to mark these widgets, browser/adblock makers could enable people to opt out of displaying them. It might look something like this:
Frankly, the requirement of notice could (and should) be pushed on to user agents – not sites. For one, it would help standardize both the user experience of notices – and leave the UX of website specific notices alone – but also it would improve the current state of things where many (most?) sites in the EU simply don't care or know about the legislation.
The last thing we need is more cruft sent across the wire.
Google has recently been sending out warnings to AdSense publishers who serve content to the EU that they will receive a violation if they are not serving these cookie notices.
This accounts for the seeming uptick in cookie notices.
To my knowledge, Google has not enforced this in the past.
My solution was to use CloudFlare to get geotags and PHP to serve the warning only to those who live in the EU, but to each his own.
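A sketch of the geo-gated notice described in the comment above, as an added example that is not the commenter's code. It assumes the origin sits behind Cloudflare with IP geolocation enabled (requests then carry the `CF-IPCountry` header); the `$viaCloudflare` flag and the country list are assumptions of this example.

```php
<?php
// Added example, not the commenter's code. Assumes Cloudflare IP geolocation
// is on, so proxied requests carry CF-IPCountry (ISO 3166-1 alpha-2).

// Member states as of this thread ("28 member countries"). The list is an
// assumption of this example and has to be kept current by the operator.
const EU_COUNTRIES = ['AT','BE','BG','CY','CZ','DE','DK','EE','ES','FI','FR',
    'GB','GR','HR','HU','IE','IT','LT','LU','LV','MT','NL','PL','PT','RO',
    'SE','SI','SK'];

/**
 * Decide whether to render the cookie notice.
 * $server is $_SERVER. $viaCloudflare is a hypothetical flag saying the
 * connecting peer was verified as a Cloudflare edge (done elsewhere, for
 * example by a firewall rule that only admits Cloudflare address ranges).
 */
function should_show_cookie_notice(array $server, bool $viaCloudflare): bool
{
    // If the origin is reachable directly, any client can send this header
    // itself, so it is only trusted on requests that came through the proxy.
    if (!$viaCloudflare) {
        return true; // fail closed: show the notice
    }
    $country = strtoupper(trim($server['HTTP_CF_IPCOUNTRY'] ?? ''));
    // "XX" means no country data and "T1" means Tor: location is unknown.
    if ($country === '' || $country === 'XX' || $country === 'T1') {
        return true;
    }
    if (!preg_match('/^[A-Z]{2}$/', $country)) {
        return true; // malformed value, treat as unknown
    }
    return in_array($country, EU_COUNTRIES, true);
}

// Constructed sample requests (not real traffic).
$samples = [
    ['HTTP_CF_IPCOUNTRY' => 'DE'],
    ['HTTP_CF_IPCOUNTRY' => 'US'],
    ['HTTP_CF_IPCOUNTRY' => 'XX'],
    [], // header missing
];
foreach ($samples as $s) {
    $shown = should_show_cookie_notice($s, true) ? 'notice' : 'no notice';
    printf("%-3s => %s\n", $s['HTTP_CF_IPCOUNTRY'] ?? '-', $shown);
}
```

If the page is cached, the cache key has to include the country, otherwise one region's variant is served to the other.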
But the browser doesn't know why it's set. The idea of the law is to distinguish between cookies which are used for the operation of the site (e.g. login cookies) and the ones that are not (mostly advertising tracking). You only need to give notice about the latter.
That only works if cookies are infrequent enough, like location data, which they aren't. Also there's no way for the browser to know how the cookie is used. I'm all for a technical solution, but I'm not sure it's possible to do "cruft free" without rethinking some things.
And as far as there isn't any "cookie law" on the books, it's about compliance with data protection and privacy regulation. So the EU isn't standing in the way of the industry to do that in another way.
This is what I like about the lynx text browser[0], on navigating to a new host it prompts you to reject or accept cookies: http://i.imgur.com/GEpYVVs.png
The "real" technical solution here is to standardize a modern authentication system separate from cookies and have things like "do not track" actually work. The industry has, seemingly deliberately, failed to do that. So the EU has rightfully argued from "first principle" that privacy and data protection is more important than the status quo in the industry.
The point would be that you would have to authenticate before being tracked. Today disabling cookies will break login function of a lot of sites. I'm unfortunately short on time, but you should be able to find a discussion about this around HTTP/2.
Why block them? It's good that websites have to be more transparent with how they are tracking users.
It is however inconvenient for the websites. They could always stop using privacy-invading ad networks and external services which track users and then they wouldn't have to show any message.
Because I have better things to do with my time than click to close the message on every single website I visit.
If you actually read them then good luck to you. I think most people either a) don't care or b) install a global blocker to suit their particular privacy requirements.
EU citizens are under no obligation to support business models that have a negative effect (be it small or large) on their lives, nor are they obliged to make it technically convenient for companies to conduct their business.
There are many business models which do not come with moral dilemmas and that do not fall under the incidence of this law. Data mining and tracking might be trendy, but it's not a free for all, there need to be rules and the privacy of users must be respected. If some companies are unable to fulfill these basic and fair requirements, that is strictly their problem.
These laws are still evolving and changing. Different for every country. We don't have something international we can build standards upon at this point in time.
It seems to me there would also be an active push against any such implementation because it would make current solutions for getting around this type of cruft more effective than it already is.
Although if we were going to go this route I'd like to see it be a server-side rather than included in the markup. The browser could detect that you are visiting a new domain and request relevant information upon connection.
> These laws are still evolving and changing. Different for every country. We don't have something international we can build standards upon at this point in time.
Not every country. This is EU legislation after all; any website hosted in one of the 28 member countries has to abide.
This stupid cookie notification law was actually the main reason why I had to enable cookies permanently. My browser used to delete all cookies at the end of the session (when I closed the browser) except for a few whitelisted domains.
Then these notices popped up everywhere. So where do the sites store the information that you've already seen the notifications? In the cookies of course! So if you're actually serious about your privacy and delete cookies you will see the notices every time...
The reason that the EU cookie law broke down is that directly after the EU directive was issued, several lawyers from large companies changed their interpretation of an older 1995 directive that dictates how consent is given. The directive says that consent requires "specific and informed indication", but lawyers from very large companies decided that the act of continuing using a website was the same thing as giving "specific and informed indication", thus users agreed to whatever policy or agreement that is linked in the banner.
I visited a conference during that time which had a panel where those lawyers were discussing this and even brought up a question if a person really could agree to 20 pages of policy document from the mere fact of just continuing using the website, and their collective answer was yes (though one agreed that 30 pages would be too much). To my knowledge no legal case has ever tested this, and thus we got this ridiculous cookie notice system where things have gone from bad to worse after the 2002 directive.
You assume that every page needs to have tracking cookies or that a website would choose to have a blocking dialog if that was required in order to store and access information on users’ equipment. Even if we make those assumptions, it's not a good result for anyone and there needs to be some peace rather than war between the industry and politics, and making the concept of consent meaningless is a very risky move going forward.
Afaik you need it if you use Google Adwords. Not sure if Adwords could be changed in a compliant way.
I recently started out to implement the cookie header on my site, and discovered things are rather unclear. For example, couldn't Google somehow get global consent for all Google Ads?
There also doesn't seem to be a way to ask for consent and only trigger Google Ads if consent is given.
Maybe there are some things that Google could improve to alleviate the situation. But advertising probably also depends on at least a little bit of tracking.
If they (the politicians) want to outlaw online advertising, maybe they should just say so directly?
If anyone can spare 5-10 minutes a week to help me and a couple of others maintain this list (testing and merging pull requests, closing issues, etc.), I'd be very appreciative!
You can contact me here or send an email to cookies[at]prebake[dot]eu
If an extension like Prebake (which I realize is just a filter list) added a 'DNT: 0' HTTP header (Do Track instead of Do Not Track), then automatically dismissing cookie notices would be a "legitimate" new solution and not be "cheating" (as some might call it). If the user also runs an ad or tracker blocker, well, that's their business and a different problem. ;)
I think they hoped this law would encourage sites that people don't expect to have cookies to not set cookies until necessary.
Like state sponsored news sites for example. I mean, really: why on earth does a site like that need to set cookies? To remember which videos I have watched?
The real problem here is probably Google Analytics.
Even assuming that law was necessary (debatable), the idiotic thing was asking millions of websites to do this, instead of automatically in a handful of browsers. Not to mention absurdities like the fact that you need cookies to remember that the user doesn't want cookies, or even worse: https://twitter.com/jgrahamc/status/633551359774691328
Perhaps something is deeply wrong with the way companies approach the internet if millions of them have to display a notice that they are tracking their users.
No, I can see that you are not familiar with the law, I don't blame you because nobody is, since it's incredibly vague about when it applies and AFAIK nobody has yet been fined. There are hundreds of companies doing wrong things, no doubt. The "millions" are collateral damage.
I am basing my statements on http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm (the chapter EU legislation on cookies). According to this guide, the following cookies are exempt from consent: user-input (forms, shopping carts), authentication (for the session), user-centric security, multimedia player, ui customization, social network for logged in members.
No it's neither straightforward nor fair. Because it's a whitelist (and a short one), not a blacklist. You can not legislate like that, making potentially illegal any use case that you could have missed or any future use case.
And there is plenty of legitimate usages that are not whitelisted. The most notorious is non-shared traffic analysis. Meaning what basic google-analytics offers and half of the internet uses. There is absolutely nothing wrong with knowing how many unique visitors you got today, and everyone with a website wants to know that.
> There is absolutely nothing wrong with knowing how many unique visitors you got today, and everyone with a website wants to know that.
Maybe people running those websites want to know that, but as a visitor, I might not want that. Being able to tell "how many unique visitors you got today" implies that you can group actions by unique visitors, and thus tell e.g. exactly what I was doing on your website over the course of days. If I'm not logged in, I might not want that.
And don't get me wrong - I'm not really a strong privacy advocate or something. Most of the time I don't care much about tracking. But while in theory there's nothing wrong in tracking unique visits, we all know that the primary use of this is to manipulate users and shit ads on them, nowadays mostly cross-site. It's entirely reasonable people get fed up of being on the receiving end of someone else's malice.
> Maybe people running those websites want to know that, but as a visitor, I might not want that. Being able to tell "how many unique visitors you got today" implies that you can group actions by unique visitors, and thus tell e.g. exactly what I was doing on your website over the course of days. If I'm not logged in, I might not want that.
That's like asking the guy behind the counter in a shop to not look at you because as long as you are not buying anything you don't want him to know you are there. You are entitled to your feelings but if you don't want to be seen don't go there, or care enough to open an incognito window.
> But while in theory there's nothing wrong in tracking unique visits, we all know that the primary use of this is to manipulate users and shit ads on them, nowadays mostly cross-site.
No, primary use is regular analytics. 99.9% of websites on the internet are not amazon. And if the law was for cross-site information sharing cookies then this would be a totally different debate, but it is not.
Without cookies you can not measure anything but IPs, and IPs are meaningless. You can not count unique users because in a given office you get 50 people/IP. You can not count new/recurrent users because most ISPs don't offer fixed IPs.
Me neither but, assuming that you _had_ to choose, why not? As a user: you get a single standard non-intrusive message you can disable (like remember password). As a website you have one less problem.
Adsense have recently notified publishers that they need to implement a cookie law compliance solution.
I don't know how aggressively they [google] will have to enforce this but the possibility of losing adsense revenue will be a hugely motivating factor.
So the number of sites that need such warnings is about to increase massively.
Or how about Google making a form of Adsense that doesn't track users?
I somehow have a feeling that large corporations intentionally are trying to make this law ridiculous. E.g. why blogspot pages would need such warnings? Please Google just stop tracking.
I acknowledge some benefits of this law, but I vehemently oppose it from the perspective of freedom of speech. I know it's an American innovation, but I think other countries should adopt the same principle that code (and algorithms/protocols) should be considered protected speech. I don't like this law because it interferes with http protocol by dictating how the protocol should be used. EU should not curtail the speech of W3C and of any users of their protocol. If you created a popular protocol then other entities shouldn't suddenly and arbitrarily start dictating how users of your protocol should now use it.
EU should either create their own version of http or create their own client for http, which would be relatively cheap as they would only have to fork firefox or chromium and add sandboxing bound to domains. Some infrastructure is already there with sandboxing in the form of incognito/private window, it only needs to be extended so that each domain is automatically in its own sandbox instead of just websites you open in incognito window.
The law does not require sites to put up giant banners for every page load. As belorn points out, this was caused by the interpretation of nervous lawyers and hasn't ever been tested in court.
Tried this before and it helps only so much. Many sites actually don't work before you accept cookies (they pose it as a requirement and tell you that cookies keep you logged in, even though the cookie law is only applicable to tracking cookies) so you need to see the banner before you can see the page. Examples: fok.nl and tweakers.net.
I've been using a different filter list[1] for more than a year, and it's really useful as I already use self-destructing-cookies[2] to exercise control over which cookies my browser will remember, meaning that pretty much all sites think I've never visited before and therefore try to annoy me with their cookie banner.
It seems uBlock (Safari 9) doesn't recognise this when I add it to the 3rd party filters/custom URLs - when I click "parse" I don't get to see a new row with a checkbox. example:
Cookies are integral to the operation of every modern website. They offer security in the form of features like csrf protection or maintaining login state between visits. There is sufficient protection for cookies in the form of encryption and a laundry list of further details which have been added over the years.
There are far larger security related concerns on the web. The cookie warnings are on par with if you had to agree with Javascript running on any page you visit in the EU. So, yes, I want to auto-accept.
As a developer I feel like I'm not going to make special considerations that ensure you can use forms on my website without cookies enabled. And I'm not going to find another way to detect and re-instate your login state.
It's a misconception that you need to show this warning if you use cookies. You only need to show it if you use tracking cookies. Which means Google Analytics.
Don't use GA and you don't need to show it. Your login cookies etc and anything "essential to the operation of the website" are all explicitly excluded.
I honestly wasn't aware that was the law. I thought it was all cookies, that's what the warning messages are worded to sound like they are saying, thank you for correcting me. My question then is, websites are phoning home through use of iframes? Because those cookies aren't accessible on different domains than the ones they were issued.
Am I to understand companies are loading their own domain in hidden iframes that phone home when I visit a website? Like it checks the iframe's top window location and tracks what pages I'm on? Now you have me feeling paranoid.
What can be done about that. Google analytics arguably is a very useful service.
This law aims to protect users from being tracked across multiple websites. There are exceptions in place and most websites would not need to display any message, unless they are in fact helping track their users.
If they include services like Google analytics they should absolutely display the message.
It almost sounds like the law is too weak. Despite all the cookie notices I've seen, I never knew they were only asking permission to track me across sites. If that's what the law is for, then perhaps the warnings need to be even more obtrusive to deter sites from doing such tracking.
From my experience, most of the sites that have this warning only have a single button: accept. No way to disallow the cookies that get stored regardless of how you react to that popup. This will just save me a click.
It warns users who don't accept cookies that the website uses cookies, at every connexion. It doesn't warn users who accept them that they're used, putting aside the first connexion.
It should be the other way around. The website should warn the user that a cookie is used when the website just accepted a cookie from the browser. The privacy concern happens at this very moment, when you phone back to the website, not when the website phones you information.
Since internet law will only get worse, maybe it's time for a "real" technical solution to this. For example, if we had a standardized HTML element attribute to mark these widgets, browser/adblock makers could enable people to opt out of displaying them. It might look something like this:
And ideally, there would be a JavaScript API to query this as well, maybe piggy-backed on the Permissions API: