@codinghorror
Or you could, you know, not track people. Silly, I know.

@dalias @codinghorror in analogy:
EU made it illegal to “sucker punch people” ie collect personal data without consent. That’s not the same as legit personal data collection eg an online shop needs your delivery address to mail your order you just made to you.

Cookie banners are basically giving someone a quick “sorry” after punching them - it’s a loophole that shouldn’t exist. No sorry needed if you don’t punch anyone.

@codinghorror @luap42 the donottrack header is exactly that at the browser level; if it's set no need to ask the user about consent they're explicitly denying. For non-tracking, i.e., technically necessary (auth,user settings) cookies, that banner is not necessary

the browser setting exists, it's not honored by website operators, which choose to show banners instead, and is being torpedoed by google, who is earth's dominant ad network and browser supplier.

the EU (in that case) isn't at fault.

@codinghorror it not being a browser feature is part of the dark pattern, i think. Data brokers and google would loose their business modell if this would be a browser feature and everyone selected to not agree. (Why would anyone ever select otherwise?)

@codinghorror @Viss the EU reacted to behavior by tech companies. If the tech companies hadn’t have had this behavior, the EU wouldn’t have done this.

@codinghorror The EU just said that sites had to get consent for certain things. It's the websites who decided to comply in the most annoying way possible.

@codinghorror That would be some of the propaganda you are not immune to.

@codinghorror @javier Websites that don't use cookies are not involved. Neither are websites that only use cookies that are _required_ for the website to function, e.g. session tokens.

It's only when you'd like to use cookies to track users and deliver personalized ads that you have to deal with this stuff.

It's a choice.

Most websites simply don't choose the privacy-friendly option.

@codinghorror

True, but my point remains. This shitty experience we're collectively having here this isn't "the EU forcing cookie notification on people", it's "the malicious compliance of companies that profit from user tracking."

Every company that shows you an cookie popup has made the choice to put a few fractions of pennies of possible future profit ahead of your experience.

https://gdpr.eu/cookies/

@codinghorror @dalias German here: the gist of GDPR is: people must know when someone collects personal data.

You can perfectly live without a cookie banner if you don't set one for arbitrary visitors. That was the intended result. But reality instead invented this UX nightmare, because we can't have nice things.

For me it just shows how fucked up today's web actually is.

@Gottox this. Ubiquitous cookie banners are straight up malicious compliance by the ad industry @codinghorror @dalias

@Gottox @codinghorror @dalias also, by default a website complies with GDPR.

The choices by those in charge (collecting ad revenue or choosing a harmful technical library) is what then makes a website require needing consent.

@codinghorror Look, USA, your utter failure to protect citizens’ privacy makes it difficult to take you…*checks notes*…did not in fact make the list of the top 100 reasons why we can’t take you seriously right now

@codinghorror That the EU 'forced' cookie banners is flat-out false. It was a *choice* for sites like yours to persist in the intensive collection of data about your users to feed in to the surveillance capitalism machine. As genuinely admirable as your philanthropy is, it was built on this.

@codinghorror Don’t blame the EU. Respect
DNT: 1

https://en.wikipedia.org/wiki/Do_Not_Track

@codinghorror As for why this isn't a browser feature, it was and is! It is a *choice* by your industry to disregard this, by ignoring DNT and not implementing GPC in major browsers. Did your site honour DNT? Does it honour GPC in places where it is not legally obliged to?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/DNT
https://globalprivacycontrol.org/

@dalias @codinghorror that’s all very nice in theory, but it was always going to end up with what we have, due to the way this regulation was brought in. With having to incessantly click Accept on every single website out there. Only a small fraction of people care to do anything else. Thus reducing the experience for almost everyone and annoying millions every day. The cookies are not just used for ads, but every analytics tool out there. Key to running sites.

@codinghorror GDPR never mandated cookie banners. GDPR mandates user consent. There was a browser feature for that: the DNT HTTP header. That header was deprecated because nobody respected it. It was just easier to enforce user consent through cookie banners and dark patterns.

Nothing here is EU's fault. You want a better option? Campaign for a legislation to enforce the website to respect DNT.

Or… Just don't track?

@Setok @dalias @codinghorror Not if you do analytics based on your own web server logs. You only need consent if you use a data guzzling third party analytics tool.

@mkoek @dalias @codinghorror tell that to the thousands of startups desperately trying to balance with a billion other things they're trying to do. That's just not a practical suggestion when the third party analytics are much faster to set up, better understood, and generally superior too than some self-hosted thing cobbled together.

As mentioned, the reality we are in today with cookie popups everywhere was 100% predictable and the regulation was thus poorly considered.