Most websites don't need cookie consent banners

79 points, posted 7 hours ago
by pickup191

57 Comments

buzer

6 hours ago

"You DON’T need consent for: First-party cookies used just for your own analytics (in most cases)"

They claim that, but the page they link to as the source says "You must... Receive users' consent before you use any cookies except strictly necessary cookies." So what exactly makes them think that first-party analytics cookies are "strictly necessary"? The Mastodon link at the start of the page doesn't seem to work.

gamblor956

5 hours ago

Exactly. Analytics is one of the types of data for which permission is explicitly required.

Session auth cookies are the only ones the EU considers strictly necessary.

latexr

5 hours ago

> Session auth cookies are the only ones the EU considers strictly necessary.

There are several others which are permissible. The EU has six examples.

https://commission.europa.eu/resources/europa-web-guide/desi...

buzer

5 hours ago

This is what the European Commission has determined to be acceptable for them. One very important distinction here is, as far as I understand, that the EC is not bound by the ePrivacy Directive, as directives bind member states and require them to include them in their national law.

The text on that website does state that some DPAs have found some first-party analytics acceptable, but that's not something that has been confirmed by the CJEU. And the ePD does not have a single-stop shop, so you need to follow every DPA's directions if you are offering services in that DPA's country.

8organicbits

7 hours ago

I wonder how many people provide consent through these banners. Is it frequent enough to be worth the terrible user experience?

I know some sites use dark patterns in their cookie banners, which I consider to be a helpful hint that the company doesn't respect the users.

johannes1234321

7 hours ago

Considering that for most banners the "consent" is the easy option, I assume a lot. People want to get rid of the banners.

However, I claim the point of the bad UX is to make users angry and then have them complain about the EU etc. "demanding" those, in order to weaken the regulation of tracking. If they are successful (and they are making progress), "no more cookie banners" is a much better headline than "more tracking".

tgsovlerkhgsel

4 hours ago

The failure of the EU was to not write into (an updated version of) the law that setting a specific HTTP header means "no", and "no" means "no", not "show me a popup to ask" (i.e. showing a popup in such cases would not be allowed).

Nextgrid

3 hours ago

It wouldn't matter, because most of the consent flows you see are already not compliant. The problem is a perpetual lack of enforcement, even for the blatant breaches. An HTTP header wouldn't change the situation; websites would still ignore it and still get away with it.

SchemaLoad

5 hours ago

Those are technically in violation of the GDPR since the opt out is required to be just as easy as the opt in.

bradleyy

5 hours ago

No, they're directly in violation. This is fully settled; it's just that some companies are counting on it not being "the thing that gets an enforcement action".

krauses

5 hours ago

How is ease of opt out versus opt in objectively measured?

Most of the time both options are presented clearly and within a few pixels of each other, but opt-in is usually slightly more eye-catching and/or more appealing. But the effort in terms of distance for mouse movement or number of clicks is the same. While that's a design trick that will improve the % of opt-in, how can it be argued that the opt-out was not as "easy"?

plorkyeran

5 hours ago

It is very common for there to be "accept all" and "more options" buttons where rejecting all requires multiple clicks via the latter. The sites which have a "Reject all" button right next to the "Accept all" one that's the same size and such aren't flagrantly violating the law.

pixelat3d

4 hours ago

I have been on a call with a CMP where they got mad at me for not resetting our users' preferences and because our 'do not accept' was high due to the fact I refused to de-promote it via a dark pattern. I kid you not.

FWIW, looking at our stats for the past year:

No consent: 40.8%

Full consent: 31%

Just closed the damn window: 28.1%

Went through the nightmare selector: 0.07%

~1.5M impressions from GDPR areas

SchemaLoad

5 hours ago

It's always those awful websites with a million popups, adverts, sites that reflow after 10 seconds, etc. They would be horrible to use even without the cookie banners.

TechRemarker

7 hours ago

"You DO need consent for: Third-party tracking cookies like Google Analytics, Facebook Pixel." Since most websites use GA, then yes, most need the banners. You could say most sites don't need GA, but that's a different argument.

stevenkkim

6 hours ago

GA is free while Fathom and Plausible are not. I think that's the main reason why GA is so popular and therefore why most sites need cookie consent banners.

metabagel

6 hours ago

That’s the argument made by the article.

pixelat3d

4 hours ago

Which is why this article has no value. The title is completely disconnected from market reality.

exabrial

2 hours ago

Correction: none of them do. The biggest misunderstanding of how tech works by the EU ruined usability for eternity.

terrycody

5 hours ago

I think if you are using Google AdSense, you have to show this annoying thing to all your visitors...

Nextgrid

3 hours ago

But if you're including ads you're already past the point of caring about annoying your visitors.

bluegatty

6 hours ago

Unfortunately the culprit may be the privacy laws, irrespective of their good intentions, precisely because the 'banner' does not materially do anything but create an arbitrary annoyance.

It's not a better experience, it's a worse experience, because users will click on 'whatever' and therefore the goal of the privacy laws is not met.

Given the current situation, things would be improved by merely providing users with a consistent way to check on cookie status, aka with a 'privacy link' up top that always gives clear info about privacy, but with no popup.

Or, given the current situation, it may be more appropriate to be more assertive with privacy and not allow one-click opt-in, because it's just too much?

The fact is, the popups are just bad. They don't accomplish what they are trying to accomplish, and we need a more UX-friendly way to regulate. Which could be lighter or more restricting, one way or another.

I think we should accept that certain kinds of tracking should be allowed by default for many cases. I don't think it's a violation of privacy for companies to map an individual's experience across their property, as long as the user is anonymous, there are other checks, etc. Sharing data between sites is another thing altogether.

bradleyy

5 hours ago

Disclaimer: I work on a consent product.

If you're in any way something beyond a hobbyist, you should probably get legal advice about whether you need to get affirmative or implicit consent, whether you need to handle universal opt-out signals (in California, Global Privacy Control signals are now legally required to be respected), etc.

Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.

And a proper consent banner will immediately handle your GPC signal, and generally not show you anything (California now requires a visual notification that your preference has been respected).

I understand what the author is actually saying: you can design sites that don't require the tracking tools that require consent. And yes, while true at a certain (small) scale, when you have hundreds of millions or billions of page loads per month, and several development teams, a partnership group, and a lot of moving parts, you'll forgive me for thinking this is impractical.

Consent banners don't have to be awful, I promise.

latexr

5 hours ago

> the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.

The page describing the law has more examples of cases where you do not need consent than the ones you do.

https://commission.europa.eu/resources/europa-web-guide/desi...

bradleyy

4 hours ago

Covered under the law: they are, they really are.

You're required to disclose. I didn't say consent.

This is precisely why I say talk to a lawyer. I appreciate the firmness of your conviction, but not reading what was explicitly stated, well.

Nextgrid

4 hours ago

> proper consent banner

It is also quite complex to integrate a third-party consent management platform in a compliant way: the tool itself is a script, but it somehow needs to preempt the loading of any other scripts until the right consent is given (there's also an argument about whether the CMP being third-party is itself a breach of "data minimization" when such functionality can trivially be done in-house, or at least by self-hosting the script).

The majority of sites fail at this, which already breaches the GDPR since merely loading a third-party script discloses your IP address and browser fingerprint to them.

It's not a big deal in their case because their CMP is itself configured to be non-compliant, but if you want to be compliant with a third-party CMP it's likely the effort to integrate it properly would be just as much as just doing it in-house.
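
The gate that the comments above describe (nothing non-essential loads until the visitor's decision allows it, with a Global Privacy Control signal honoured as a recorded "no" so that no banner is shown) can be done in-house in a few dozen lines. The following is an added example written for this thread; it is not code from any commenter or from any CMP product. It assumes a `CONSENT_VERSION` constant, the two category names, the placeholder tag URLs and a first-party storage key, all of which are made up for the example; `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are the real GPC signals.

```javascript
// Added example (not from the thread or any vendor): a minimal in-house consent
// gate. Third-party tags are registered with a consent category and are injected
// only after the visitor's recorded decision allows that category. A Global
// Privacy Control signal (navigator.globalPrivacyControl in the browser, or the
// Sec-GPC: 1 request header when decided server-side) is treated as a recorded
// "no" for every non-essential category, so nothing non-essential loads and no
// banner is shown. CONSENT_VERSION, the category names and the tag hosts are
// assumptions made for this example.

const CONSENT_VERSION = 2;                       // bump when the tag list changes
const CATEGORIES = ['analytics', 'marketing'];   // non-essential categories only

// Constructed registry of gated tags; the hosts are placeholders.
const GATED_SCRIPTS = [
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js',      category: 'marketing' },
];

// GPC from a server-side request header map (lower-case header names).
function gpcFromHeaders(headers) {
  return String(headers['sec-gpc'] || '') === '1';
}

// GPC from the browser; false where the API is absent (Node, older browsers).
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Turn a banner click into the record that is persisted first-party (e.g. in
// localStorage). "Reject all" and "Accept all" are both one click and produce
// records of the same shape; there is no "more options" detour to reject.
function recordChoice(choice, now = Date.now()) {
  const allowed = choice === 'accept_all' ? CATEGORIES.slice() : [];
  return { version: CONSENT_VERSION, allowed, decidedAt: now };
}

// Resolve what may run. `stored` is the persisted record (or null), `gpc` the
// signal. Default is deny-and-ask: with no valid record and no GPC signal the
// banner is shown and only ungated (essential) code runs. A record from an
// older CONSENT_VERSION is ignored, so a changed tag list re-asks the visitor.
function resolveConsent(stored, gpc) {
  if (gpc) {
    return { allowed: new Set(), showBanner: false, source: 'gpc' };
  }
  if (stored && stored.version === CONSENT_VERSION && Array.isArray(stored.allowed)) {
    const allowed = new Set(stored.allowed.filter((c) => CATEGORIES.includes(c)));
    return { allowed, showBanner: false, source: 'stored' };
  }
  return { allowed: new Set(), showBanner: true, source: 'none' };
}

// The only place that is allowed to name a third-party host: every tag goes
// through this list, so nothing is requested before the decision is known.
function scriptsToLoad(registry, decision) {
  return registry.filter((s) => decision.allowed.has(s.category)).map((s) => s.src);
}

// Browser glue: inject the permitted tags. Returns the URLs injected so the
// same function can be exercised outside a browser (pass null for `doc`).
function applyConsent(decision, doc = typeof document === 'undefined' ? null : document) {
  const urls = scriptsToLoad(GATED_SCRIPTS, decision);
  if (doc) {
    for (const src of urls) {
      const el = doc.createElement('script');
      el.src = src;
      el.async = true;
      doc.head.appendChild(el);
    }
  }
  return urls;
}

// Page wiring (browser only), shown as comments so the block runs under Node:
//   const stored = JSON.parse(localStorage.getItem('consent') || 'null');
//   const decision = resolveConsent(stored, gpcFromNavigator(navigator));
//   if (decision.showBanner) {
//     showBanner((choice) => {                       // your own dialog, self-hosted
//       localStorage.setItem('consent', JSON.stringify(recordChoice(choice)));
//       applyConsent(resolveConsent(recordChoice(choice), false));
//     });
//   } else {
//     applyConsent(decision);
//   }
```

The design choice worth noting is that the registry is the single chokepoint: no `<script>` tag for a gated vendor appears in the HTML at all, so the "CMP script must preempt every other script" problem from the comment above never arises, and the GPC branch returns before any vendor host is touched.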

wizzwizz4

4 hours ago

> Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law

You're mixing GDPR up with the ePrivacy Directive (henceforth "ePrivacy", not to be confused with the proposed ePrivacy Regulation). GDPR Recital 30 describes how cookies should be understood in relation to the GDPR (to the extent that GDPR Article 4(1) didn't already make it clear), and GDPR Recital 15 affirms that "the act of writing any cookie" doesn't have any special treatment under GDPR. Whereas ePrivacy Article 5 ¶3 discusses "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", and is the real source of nearly all "cookie consent" obligations in the EU. I hope you don't work on the legal side of the consent product!

Less pithily: I've noticed a lot of "consent" providers getting this basic stuff wrong, both in their marketing copy and in their actual products. I (along with most internet users) have a vested interest in any improvements in this area. I'm available to discuss this further, if that would be helpful – keeping in mind that while I know a lot more about this than many working professionals apparently do, I'm still very much an amateur with no formal legal training.

ePrivacy Directive as amended in 2009: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

GDPR as amended in 2016 (without recitals): https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

Nextgrid

4 hours ago

> I'm available to discuss this further, if that would be helpful.

That would not be helpful, because the whole business of "consent management" is to provide plausible deniability and the illusion of compliance to businesses without actually making them comply (since complying with the GDPR would incur significant cost and obsolete most of the marketing/analytics team's jobs).

I'm very sure they perfectly know what they're doing and have the budget for the best legal advice money can buy, it's just that their business is all about selling the illusion of compliance instead of actual compliance.

It's the fault of the regulators for still not cracking down on this after 8 fucking years. Detecting non-compliant consent flows is trivial with a web scraper.

> in their actual products

The products are configurable by the customer. Now you could indeed argue that the product should not offer an option to configure it in a way that would be in breach of the regulation it's supposed to help you comply with... but again see above.
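
The two objective checks that come up in this thread (third-party requests and non-essential cookies before any interaction, and "Reject all" needing more clicks than "Accept all") are mechanical enough to automate, which is what "trivial with a web scraper" above amounts to. The block below is an added example, not code from any commenter; it takes a constructed capture of one page load with no user interaction (the kind of record a headless browser would produce) and reports findings. The site name, hosts, cookie names and button labels are all made up for the example.

```javascript
// Added example (not from the thread): the reporting half of a scraper-based
// audit of a consent flow. Input is a constructed capture of one page load
// with no clicks: requests made, cookies set, and the buttons found in the
// consent dialog with how many clicks each is away from the first dialog.

const FIRST_PARTY = 'shop.example';   // assumed site under audit

// Constructed capture; every host, cookie and label here is a placeholder.
const CAPTURE = {
  requests: [
    { url: 'https://shop.example/',                 initiator: 'document' },
    { url: 'https://cdn.shop.example/app.js',       initiator: 'document' },
    { url: 'https://cmp-vendor.example/cmp.js',     initiator: 'document' },
    { url: 'https://analytics.example/collect?v=1', initiator: 'https://shop.example/' },
  ],
  cookiesSet: [
    { name: 'session', domain: 'shop.example', category: 'essential' },
    { name: '_ga',     domain: 'shop.example', category: 'analytics' },
  ],
  dialogButtons: [
    { label: 'Accept all',   clicksFromDialog: 1 },
    { label: 'More options', clicksFromDialog: 1 },
    { label: 'Reject all',   clicksFromDialog: 2 },   // only reachable via "More options"
  ],
};

// A host is first-party if it equals the site or is a subdomain of it.
function isFirstParty(host, site) {
  return host === site || host.endsWith('.' + site);
}

// Every request to another party before any consent was given. Note that the
// CMP's own script is flagged too: loading it already discloses the visitor's
// IP address and browser details to that vendor.
function thirdPartyBeforeConsent(capture, site) {
  return capture.requests
    .filter((r) => !isFirstParty(new URL(r.url).hostname, site))
    .map((r) => r.url);
}

// Cookies written before consent that are not in the essential category.
function nonEssentialCookiesBeforeConsent(capture) {
  return capture.cookiesSet.filter((c) => c.category !== 'essential').map((c) => c.name);
}

// "Reject" must be reachable in no more clicks than "Accept". Labels are matched
// loosely; a dialog with no reject button at all fails the check.
function rejectAsEasyAsAccept(buttons) {
  const minClicks = (re) => Math.min(
    ...buttons.filter((b) => re.test(b.label)).map((b) => b.clicksFromDialog),
  );
  const accept = minClicks(/accept|agree|allow/i);
  const reject = minClicks(/reject|decline|refuse/i);
  return Number.isFinite(reject) && reject <= accept;
}

// Collect findings as plain strings; an empty array means nothing was flagged.
function audit(capture, site) {
  const findings = [];
  const tp = thirdPartyBeforeConsent(capture, site);
  if (tp.length) findings.push(`third-party requests before consent: ${tp.join(', ')}`);
  const ck = nonEssentialCookiesBeforeConsent(capture);
  if (ck.length) findings.push(`non-essential cookies before consent: ${ck.join(', ')}`);
  if (!rejectAsEasyAsAccept(capture.dialogButtons)) {
    findings.push('rejecting requires more clicks than accepting');
  }
  return findings;
}

// Stand-alone run: prints the three findings for the constructed capture.
for (const f of audit(CAPTURE, FIRST_PARTY)) console.log('FINDING:', f);
```

Plugging this into a real crawl means feeding it the request log and cookie jar from a headless browser session that never clicks anything; the click-depth of each button has to come from a second pass that walks the dialog. The cookie categories in the capture are whatever the site's own cookie table declares, so a site that mislabels `_ga` as essential would need a separate check against a known-tracker list.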

wizzwizz4

4 hours ago

I'm pleased when there's at least one configuration that isn't in breach of the regulations. Sadly, many providers don't even manage that.

bradleyy

4 hours ago

I appreciate your precision. Most folks, unless discussing specific provisions, just use GDPR as an umbrella term, much like the CCPA is still used and inclusive of CPRA.

wizzwizz4

4 hours ago

This response sounds suspiciously like competence. Do you mind disclosing which consent provider you work for, so I can have a look? (I only ever found one consent product I was really happy with, and it shut down a few months after I discovered it.)

bradleyy

4 hours ago

It's DataGrail. I don't mind disclosing it, but I was kinda hoping not to because I'm really not here to advertise... I guess I won't say I know the subject, but do have some experience. lol.

I'd be happy to discuss directly if you want. Not sure how to exchange details if you're interested but we can figure something out I guess.

Madmallard

5 hours ago

Cookie consent banners make me immediately think if I should just leave the site and not care about the content.

colesantiago

6 hours ago

The way not to need cookie consent banners is to not do analytics tracking in the first place.

dijit

5 hours ago

I often wonder what value it actually is.

Sure, you might understand your demographics better... if you presume that the analytics are faultless at telling you this, which they're really not.

If you care about how your site is used, you don't need to set any cookies.

jackp96

5 hours ago

For my company, being able to view the user journey throughout the site in the analytics is pretty valuable.

We don't care who the specific users are, but the tracking gives us an idea of: how many people use the site? Do they have a good experience? Are they giving us money? Do we have a bug somewhere we're missing? etc.

All that is valuable as a business.

dijit

an hour ago

Back in the day we used to track user activity via a "hit id" (basically a random string) that was generated on the backend, which added a "post" request to every page.

Idk if that was a good idea or not.

We depended on cookies for your cart and stuff.

tonymet

6 hours ago

"Advertising or behavioral tracking cookies"

Any real business needs to do behavioral tracking for campaign conversions, add-to-cart, customer acquisition, funneling, retention, personalization, etc.

I love how we all hate cookie banners and say they are unnecessary, but our salaries are all paid by apps that do behavioral tracking.

Only hobby blogs can get by without it.

Hnrobert42

6 hours ago

I appreciate the list of reasons cookies are useful. Despite having worked in technology for 25 years, I couldn't have articulated that list off the top of my head. I have never worked for a website that made money that way.

I think that means not ALL websites need invasive tracking.

Nextgrid

3 hours ago

> website that made money that way

Some of those scenarios are dubious as to whether they actually bring profit and "make money". They can very well be a net loss and are merely there to justify the job of the advertising/marketing/analytics/etc. team, who are conveniently in charge of crunching those numbers and obviously would never put any adverse numbers forward.

Same thing in advertising: there are a lot of middlemen in the industry who are happy to take their cut, cook the numbers and look the other way despite no actual impact on sales.

So while I don't disagree these things can make money when in the right hands and done in moderation, the reality is that there's a shit ton of waste and deadweight in the industry. It may very well be that the actual (vs self-reported) profit from ad/marketing efforts is negative and merely covers the paychecks of said ad/marketing teams.

tonymet

6 hours ago

Can you give examples of serious online businesses that are not doing those things?

Here are the industries that I've worked in that all did behavioral tracking for the above applications:

* gaming

* music industry

* healthcare

* social media

* news

* internet search

* online retail

bflesch

5 hours ago

You don't seem to understand that one can do behavioral tracking without sharing all personal data with Facebook and Google. GDPR is mainly focused on who you share the data with. Performance tracking of core business processes, including traffic sources, can be done without the involvement of Facebook and Google.

It's totally legit to spend a career helping the folks at Facebook and Google to soak up more private information about everyone so the Trump campaign can improve targeting of the fake news advertisements for the presidential election campaigns. But it is not ethical.

tonymet

5 hours ago

No, that's not true.

Nextgrid

3 hours ago

Disagreed. You can absolutely do all analytics, personalization and marketing in-house on your properties. You only need data sharing if you want to influence advertising on other properties or if you display others' ads on yours.

Whether you want to do so is a different matter. This obviously requires (potentially custom) software and infrastructure, vs throwing in GTM and calling it a day. If there is no regulatory reason for it (there isn't - this aspect of the GDPR is not enforced), most businesses won't bother and will take the easy option.

blibble

6 hours ago

You don't need a banner for shopping carts or personalisation.

The heuristic for whether you need the banner is essentially: is the user deriving the benefit, or just the operator?

If it's the latter, you definitely need the banner.

tbrownaw

6 hours ago

> the heuristic for whether you need the banner is essentially: is the user deriving the benefit, or just the operator?

This is just as bogus as the user vs developer distinction in copyleft world.

Of course users benefit from the operator knowing if their design decisions are actually on the right track.

blibble

6 hours ago

How does the user browsing the site right now benefit from activity tracking?

The specific user right now, not a hypothetical user at some point in the future (if the business continues to exist).

Answer: they don't.

bflesch

5 hours ago

They need to tell themselves that "data privacy" is a non-issue, because otherwise they would have to take responsibility for feeding Facebook/Google all of their users for many years, which directly resulted in fake-news-laced political advertisements that micro-targeted voters in the presidential elections.

The book "careless people" clearly documents how Facebook engineers were embedded in the Trump campaign to run fake news advertisements micro-targeted to US voters.

It takes a lot of strength to resolve such a fundamental cognitive dissonance, especially if your self image is the talented techie who made money without hurting anyone.

Nextgrid

5 hours ago

It's a shame this is downvoted. It doesn't make it right, but it is true.

Until the regulation actually gets enforced so that everyone is on a level playing field and does not do such things, you will be at a disadvantage if you're the only one to comply, so the winning strategy is to not comply and engage in such practices just like your competitors do.

tonymet

4 hours ago

I wish I had a nickel for all the downvotes I've earned for describing things as they are.

carlosjobim

6 hours ago

You can track conversions exactly without using analytics or cookies, by using promotion codes.

tonymet

6 hours ago

"you can" and no one does.

bflesch

5 hours ago

It is very convenient when you can point to others for moral absolution when the victims are invisible to you.

tonymet

5 hours ago

I'm describing what people are doing.

shevy-java

5 hours ago

I consider all those pop-ups to be illegal. The use case in my opinion does not warrant pissing off users by distracting them via such pop-ups. Here I classify slide-ins the same as pop-ups. I don't even read what is written there, since I already don't care. I kind of have to use extensions to work around this spam. The EU bureaucrats are very confused here: they cost a lot of money and don't really improve much at all. Plus, when they hand over data on EU citizens to the USA, it already puts them at logical odds; either you are consistent in what you do, or you simply shouldn't act in an orthogonal manner that degrades the user experience via laws. That's just nonsensical.

_heimdall

5 hours ago

Why would pissing off users be illegal? Websites can do whatever they want, I don't like those popups and just leave the page when they show up.