”Cookie banner” is a misnomer. These consent popups are usually asking for you to consent to having hundreds if not thousands of companies build and sell a profile of you. They will combine your behavior and device data from various sources, identify you across platforms by linking device IDs, and ultimately sell your privacy to the highest bidder.
Typically, you can’t even turn these permissions off, nor can you deny consent or object to their purposes: they are increasingly claiming they are for ”fraud prevention” or some other technical purpose which doesn’t land under consent or the ”legitimate interest” umbrella.
... All so I can have ads that are actually more relevant to me.
Sounds horrible. >..<
The (...fortunately a) handful of places I've worked at which dealt with this sort of thing were very strict about removing PII.
I'm more concerned about only being shown information (not just ads for products) relevant to my click-tuned interests as I think that's just contributing massively to political polarization.
Maybe I'm unique in this experience, but the "actually more relevant to me" part is just never true. Most of the ads I see that are delivered via these auctions are just garbage or scams or "relevant" in a tenuous pointless way.
The only really relevant ads I've seen are from blogs that literally just sell ad space to brands and the ad is just a simple image link you can click on. Philosophy blog? Philosophy book ad. High end men's clothing blog? High end men's clothing brand ad.
I get hyper-targeted ads trying to sell me electrical distribution equipment and air handling units because I run commercial electrical work (mostly mechanical equipment focused) and search for a lot of equipment part numbers. They’re on target, but ineffective.
None of the ads could ever be effective, I have my supply houses that I buy from and they don’t advertise online.
I do have a decent amount of buying power at work (single digit millions a year) but no internet ad from an electrical distributor is ever going to influence my purchasing decision.
The cookie thing is just a red herring. Who gives a damn about cookies? Are they suddenly a privacy problem after decades in use? The people who want to track you (including these crooked governments who are pretending to care about cookies) are doing much more than using cookies these days. Which is exactly why they felt it safe to raise this giant kerfuffle about cookies. It's a distraction.
Cookies have always been a privacy problem. That other, greater privacy invasions exist does not mean that cookies ought not be addressed or ought be tolerated.
Simply enable the “cookie notices” list in ublock origin (available on every platform now, even iOS). According to the EU law if you don’t click accept it’s equivalent to denying.
> According to the EU law if you don’t click accept it’s equivalent to denying.
The result is the same. Technically there's no such thing as denying, only providing (explicit) consent. If consent is required and no consent is provided, then there is no ground for processing.
How do you object to the site's legitimate interest use of your personal data? That is a legal grounds for processing, which can be enabled by default as long as you are provided with an option to actively object.
>How do you object to the site's legitimate interest use of your personal data?
With the legitimate individual control over one own data required to run a healthy society and unavoidable to sustain a democracy. If a business can't exist without threatening society, the sooner it's going out of existence the better.
If it is an actual legitimate interest then you would likely be expected to contact the site out of band to object to the use of your data. Depending on the technical details you might not be able to continue using the site after a successful objection. In some cases the site might be able to reject your request.
The cookie banner thing is intended to allow the user to explicitly provide consent, should they for some reason wish to do so.
It’s also to check if something works. I recently added something new and while I cannot and will not track any personally identifying information, I still need some data if people go through the whole process alright. That covers legitimate interest. It’s the minimum data I collect and its get wiped after some time.
An IP address is not "personally identifiable data". You can not know who the person is just because you got an IP address in the request.
We are almost 10 years into the GDPR, and we still have these gross misunderstandings about how to interpret it. Meanwhile, it has done nothing to stop companies from tracking people and for AI scrapers to run around. If this is not a perfect example of Regulatory Capture in action, I don't know what is.
- they don't care about the cookies they are setting on their properties, if most of the functionality they have require you to be authenticated anyway.
- These "smaller websites" are exactly the ones more likely than not to be Google's and Facebook's largest source of data, because these sites are the ones using Google Analytics/Meta Pixel/etc.
This is not my experience at all with Facebook. Since six months ago or so, Facebook is saying my three option are to pay them a subscription, accept tracking, or not use their products. I went with option three, but my reading of the GDPR as that it's illegal for them to ask me to make this choice.
I'm in Spain, this is probably not the same worldwide.
The "Reject all" does not in fact reject all. They are taking extreme liberties with the "legitimate interest" clause to effectively do all tracking and analytics under it.
The YouTube consent screen for example includes this as a mandatory item:
> Measure audience engagement and site statistics to understand how our services are used and enhance the quality of those services
I don't believe this complies with the GDPR to have this mandatory.
> An IP address is not "personally identifiable data".
GDPR says it is [1][2].
> We are almost 10 years into the GDPR, and we still have these gross misunderstandings
Because people would rather smugly and confidently post about their gross misunderstandings. If only there was some place to read about this and learn. I’ll give you the money shot to save 10 more years:
> Fortunately, the GDPR provides several examples in Recital 30 that include:
> Internet protocol (IP) addresses;
From Recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses
When an IP address is linked to any other data, then it counts as PII. By itself, it's not.
So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legimate interest to serve anything, because you will need their IP address".
An IP address linked with the website being accessed is already PII.
When serving content, you're by necessity linking it to a website that's being accessed.
For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.
IPs are PII even before you inevitably link them to something in your logs. If you can make a case that you absolutely don’t store them anywhere, they’re just transiently handled by your network card, maybe you get away with it but only because someone else along the stream covers this for you (your hosting provider, your ISP, etc.)
Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.
Basically we are in agreement: IP addresses, by themselves, are not PII, only when they are linked to other information (a cookie, a request log) then it consitutes processing.
So, apologies if I was not precise on my comment, but I still stand by the idea: you don't need to a consent screen that says "we collect your IP address", if that's all you do.
Also: the consent has to be informed consent. Me clicking away a nag banner, even if I click "accept" isn't informed consent by the definition of the law.
You want to share my data with your 300+ "partners" legally? Good luck informing me about all the ways in which every of those single partners is using my data. If you are unable to inform me I can't give consent, even if I click "Accept all". That is however a you-problem, not a me-problem. If you share my data nontheless you are breaking the law.
Undoing whatever data collection and sharing, as well as seeking and obtaining restitution, is probably a much harder problem to solve (for you) if you select accept.
Breaks many websites though and you'll be wondering why something doesn't work and then you have to remember you checked that ublock checkbox a few months ago.
I think in the last 12 months of using that unlock list I've only counted less than five times where sites have broken with that list enabled, I don't have to even disable the entire list. You just disable u-block for that specific site
I've found it to happen much more frequently than that, unfortunately. Usually it's because the modal is two DOM elements - a backdrop, that fades out the rest of the content and sits on top of it/prevents interaction; and the actual consent modal. Websites then use various mechanisms to prevent scrolling. uBlock is often only removing the actual dialog, so you end up with a page you can't scroll up or down and can't interact with.
If you're going to turn the filters on, it's worth being aware of this because it's far from flawless.
Until this moment, I did the same thing… but right now I realize, this behavior incentivizes a domain owner to intentionally break their site, to trick the visitor to disable their blocker.
Then the browser: refreshes the page, downloadz all the thingz… presents cookie banner.
I’ve been using uBlock (or Brave) for years now, and when “something doesn’t work right” the first thing I often do is lower my shields… :facepalm:
From now on, I’ll just bounce. Keep your cookies, I’m not hungry.
Complain and use a different site. There are only few websites which offer a truly unique service. If enough complain and walk away, something might finally change.
LinkedIn - it takes you to the allow/deny page but doesn't automate things. It used to be that the LinkedIn login would get stuck in a cycle around this, but now it just dumps you on to the consent page.
This extension gives you more choice than denying or allowing everything though, you get granular choice automatically applied to all websites where it works
This extension gives me my preferered web experience. Namely it tries to automatically fill in the cookie pop-ups for you, instead of hiding it. You can actually enable functional cookies, which are useful. Then when filling the cookie popup doesn't work, you can fill it in manually. This is a huge improvement over the ublock hiding of popups, which actually breaks sites time to time.
What works pretty well for me is the "i don't care about cookies" extension for firefox; my default privacy policy is to throw away cookies when the browser restarts, which I do a few times per day anway.
Th consent is about tracking and your data, not specifically cookies. If you accept them tracking and selling your data then deleting cookies only impacts one way that happens.
I disagree with this idea that businesses should have to keep their customers secret. If I go to Wal-Mart, then I should be free to tell my neighbors about what products were on sale and also how the produce was old / left to spoil. I’m not sure why that should be different for the store.
That extension might allow tracking. From their Chrome add-on page:
When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do).
Deleting cookies is insufficient because of browser fingerprinting, which you just consented to.
True, but considering that the extension was bought in 2022 by Avast, maybe it has its own tracking built in by now or will have something concerning done to it in the future. So even if the user does not care about cookies that much I would still recommend this new extension over "I don't care about cookies"
But this thread stars with someone saying they don’t care about cookies because they’ll delete them anyway. That’s different than saying they don’t care about their privacy, so it’s worth pointing out that accepting every cookie banner does have privacy implications beyond just having cookies placed.
It always impresses me how its actually easy not to need these banners yet everyone will consistently participate in the civil disobedience of annoying their users. No doubt in the hope of making people mad at the EU.
To the point that people are worried when cookie banners are not required now. I have had a few worried conversations on why our site doesn’t have a cookie banner.
The answer is simple, we don’t track our users, and login is explicit consent and functionality which doesn’t require a prompt under GDPR.
If it's that easy to not need the banners, I'd expect EU websites themselves to lead the "no cookies needed" movement.
Yet https://european-union.europa.eu displays a cookie banner for tracking on what is essentially a static informational site. If the EU itself feels tracking is valuable enough to warrant the banner on their own pages, it's hard to fault businesses (whose survival actually depends on understanding their audience) for making the same choice.
At least they're compliant with their own regulation, I suppose.
The EU websites require the cookie consent due to this section of the cookie policy:
> Third-party providers on Commission websites
* YouTube
* Internet Archive
* ScribbleLive
* Google Maps
* Twitter
* TV1
* Vimeo
* Microsoft
* Facebook
* Google
* LinkedIn
* Livestream
* SoundCloud
* European Parliament
These third-party services are outside of the control of the European Commission. Providers may, at any time, change their terms of service, purpose and use of cookies, etc.
——
In other words, due the embeds that track users, consent is needed.
They also have their own analytics in the same section, by the letter of the rules: they indeed need explicit consent, which would be obviated if they didn’t run analytics and didn’t embed stuff.
It's really enraging. Even EU's official sites use the banners, and probably for sites where they wouldn't (or at least shouldn't) even be needed.
It seems that very few, even lawyers, really understand when explicit consent is not needed, and instead we get cargo culting of pointless consent banners everywhere.
The situation has become such that "consents" aren't really meaningful at all, as people just want to get rid of the banner, and it becomes US style contract theatre.
Same with https actually. I still reach some home made website or paper published in this or that legit small university or department without a certificate. Most browser send messages like this is a life threatening move.
I've seen that in a few places, yeah! I think I personally would just put something in the footer and have a specific page for it that I can link people to.
I really hope that I never end up in a situation where someone tells me "well the conversion rate would be much higher if you just stopped fighting it and put up the damn banner".
Regular user here. Cant live without this addon, I absolutely love this. Its been a while since I have to manually dismiss a consent popup. Although the redirects from Google and company can get a bit annoying.
It goes through the "reject all tracking" flow. Other solutions automate clicking "accept all tracking" (since that's usually simpler), or just hide the pop-ups.
Trump promised tariffs would bring Manufacturing Consent back. The consent industry voluntarily complied, as demanded -- fully automated and GDPR-compatible -- in stark contrast to his own well-documented contempt for and violation of consent.
Typically, you can’t even turn these permissions off, nor can you deny consent or object to their purposes: they are increasingly claiming they are for ”fraud prevention” or some other technical purpose which doesn’t land under consent or the ”legitimate interest” umbrella.
Sounds horrible. >..<
The (...fortunately a) handful of places I've worked at which dealt with this sort of thing were very strict about removing PII.
I'm more concerned about only being shown information (not just ads for products) relevant to my click-tuned interests as I think that's just contributing massively to political polarization.
The only really relevant ads I've seen are from blogs that literally just sell ad space to brands and the ad is just a simple image link you can click on. Philosophy blog? Philosophy book ad. High end men's clothing blog? High end men's clothing brand ad.
None of the ads could ever be effective, I have my supply houses that I buy from and they don’t advertise online.
I do have a decent amount of buying power at work (single digit millions a year) but no internet ad from an electrical distributor is ever going to influence my purchasing decision.
Liberty demands the end of systems of control.
The result is the same. Technically there's no such thing as denying, only providing (explicit) consent. If consent is required and no consent is provided, then there is no ground for processing.
https://noyb.eu/en/your-right-object-article-21
With the legitimate individual control over one own data required to run a healthy society and unavoidable to sustain a democracy. If a business can't exist without threatening society, the sooner it's going out of existence the better.
The cookie banner thing is intended to allow the user to explicitly provide consent, should they for some reason wish to do so.
Legitimate interest is for example a website using your IP to send you the necessary TCP/IP packets with the website's content upon request.
Many websites use the term "legitimate interest" misleadingly (or even fraudulently), but that's not how GDPR defines it.
We are almost 10 years into the GDPR, and we still have these gross misunderstandings about how to interpret it. Meanwhile, it has done nothing to stop companies from tracking people and for AI scrapers to run around. If this is not a perfect example of Regulatory Capture in action, I don't know what is.
I'd argue that's the opposite of regulatory capture.
- they don't care about the cookies they are setting on their properties, if most of the functionality they have require you to be authenticated anyway.
- These "smaller websites" are exactly the ones more likely than not to be Google's and Facebook's largest source of data, because these sites are the ones using Google Analytics/Meta Pixel/etc.
I'm in Spain, this is probably not the same worldwide.
The YouTube consent screen for example includes this as a mandatory item:
> Measure audience engagement and site statistics to understand how our services are used and enhance the quality of those services
I don't believe this complies with the GDPR to have this mandatory.
GDPR says it is [1][2].
> We are almost 10 years into the GDPR, and we still have these gross misunderstandings
Because people would rather smugly and confidently post about their gross misunderstandings. If only there was some place to read about this and learn. I’ll give you the money shot to save 10 more years:
> Fortunately, the GDPR provides several examples in Recital 30 that include:
> Internet protocol (IP) addresses;
From Recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses
[1] https://gdpr.eu/eu-gdpr-personal-data/
[2] https://gdpr.eu/recital-30-online-identifiers-for-profiling-...
So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legimate interest to serve anything, because you will need their IP address".
When serving content, you're by necessity linking it to a website that's being accessed.
For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.
You are not sharing with a third-party, but that sure falls into processing and publishing it.
Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.
So, apologies if I was not precise on my comment, but I still stand by the idea: you don't need to a consent screen that says "we collect your IP address", if that's all you do.
You want to share my data with your 300+ "partners" legally? Good luck informing me about all the ways in which every of those single partners is using my data. If you are unable to inform me I can't give consent, even if I click "Accept all". That is however a you-problem, not a me-problem. If you share my data nontheless you are breaking the law.
If you're going to turn the filters on, it's worth being aware of this because it's far from flawless.
Then the browser: refreshes the page, downloadz all the thingz… presents cookie banner.
I’ve been using uBlock (or Brave) for years now, and when “something doesn’t work right” the first thing I often do is lower my shields… :facepalm:
From now on, I’ll just bounce. Keep your cookies, I’m not hungry.
https://news.ycombinator.com/item?id=30625218
https://news.ycombinator.com/item?id=41479882
https://news.ycombinator.com/item?id=35562230
Instead i use this https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies
To the point that people are worried when cookie banners are not required now. I have had a few worried conversations on why our site doesn’t have a cookie banner.
The answer is simple, we don’t track our users, and login is explicit consent and functionality which doesn’t require a prompt under GDPR.
Yet https://european-union.europa.eu displays a cookie banner for tracking on what is essentially a static informational site. If the EU itself feels tracking is valuable enough to warrant the banner on their own pages, it's hard to fault businesses (whose survival actually depends on understanding their audience) for making the same choice.
At least they're compliant with their own regulation, I suppose.
The EU websites require the cookie consent due to this section of the cookie policy:
> Third-party providers on Commission websites
* YouTube
* Internet Archive
* ScribbleLive
* Google Maps
* Twitter
* TV1
* Vimeo
* Microsoft
* Facebook
* Google
* LinkedIn
* Livestream
* SoundCloud
* European Parliament
These third-party services are outside of the control of the European Commission. Providers may, at any time, change their terms of service, purpose and use of cookies, etc.
——
In other words, due the embeds that track users, consent is needed.
They also have their own analytics in the same section, by the letter of the rules: they indeed need explicit consent, which would be obviated if they didn’t run analytics and didn’t embed stuff.
Option b) ask the consent in the embed.
Analytics can be done without banner requiring tracking, e.g. https://plausible.io/
It seems that very few, even lawyers, really understand when explicit consent is not needed, and instead we get cargo culting of pointless consent banners everywhere.
The situation has become such that "consents" aren't really meaningful at all, as people just want to get rid of the banner, and it becomes US style contract theatre.
I really hope that I never end up in a situation where someone tells me "well the conversion rate would be much higher if you just stopped fighting it and put up the damn banner".
https://support.mozilla.org/en-US/kb/cookie-banner-reduction