27 Comments

Please stop recommending unnecessary and redundant extensions.

Users can simply enable "AdGuard/uBO – Cookie Notices" in their uBlock Origin filter list settings, and use the "💬 Report an issue" button to report cookie overlays that aren't hidden yet.

I'll leave the comment because the information is useful, but note that coming into someone's blog in comments, starting with telling the authors what and what not to do, is a big leap.

I appreciate the article, given that I recently spent an inordinate amount of hours dealing with my personal blog's cookie banner. But something seems off. For example:

> Hacker news have all that and more, but don't have a cookie banner. No problem.

That line, in the context of "Cookies are fine", seems rather misleading.

HN probably has "no problem" because it's not in the EU, and so it's out of its reach. But if it was, I bet they would need a cookie banner - or some other mechanism to *at least* explain the purpose of their cookie/s. Notably, the current cookie section in their privacy policy is surprisingly, disappointingly generic boilerplate that doesn't explain anything.

If you want a site in the EU, Framasoft (https://framasoft.org), which hosts tons of services, doesn't welcome you on their home page with a cookie banner.

But I took HN as an example because:

- it's well known and technically trusted by geeks

- they have a huge readership in Europe

- plenty of US-only ventures use a cookie banner like a Pavlovian reflex

- the Americans are the ones complaining the most about the cookie banner

- people don't know much about Framasoft outside of Europe

The Framasoft site doesn't set any cookie, so of course they don't need a cookie banner. I would test what happens if they have any (e.g.) YouTube embed, or when one leaves a comment in their blog, but I don't want to spam.

Anyway, to be clear I do agree that presenting a cookie banner shouldn't be the default - just like tracking shouldn't be.

Like I said, Framasoft is a portal: they offer many apps as a service, such as a Mastodon instance: https://framapiaf.org.

Each service uses cookies (framapiaf has 2). And they have analytics (that's by design on social media).

But it's done in a way that doesn't require consent because it's not invasive.

I see that framapiaf sets 1 cookie when I click on "se connecter", and I see there is no cookie banner. But I don't see why it doesn't need consent nor explanation. In fact I don't even see an easily accessible privacy policy, which makes me wonder how compliant they are. Does framasoft.org/legals apply to framapiaf.org? Not clear!

"It's not invasive" sounds easy to debate, even more so than "strictly necessary".

And I'm thinking that in the EU you get a warning for GDPR problems, so framasoft might wait to see if this is actually a problem; notably their legals page is dated 2014, and much has rained since then. But maybe a lawsuit-happy society like the USA might more naturally just cover their asses with blanket banners.

"You'll notice the words "cookie" or "banner" appears nowhere in there. That's because they are not in the law at all."

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002:

(25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

Thanks for pointing that out. I rephrased it.

It's important to note that there are two laws that are relevant for cookie banners: GDPR and the ePrivacy Directive. It is summed up here: https://gdpr.eu/cookies/

The checklist is especially useful.

DHH is that you? You seem to moo and have the same disdain about Apple as him.

DHH trolls in Ruby, I complain in Python. There is a huge field to cover.

Firefox is not the only web browser that supports add-ons, and on iOS in fact it doesn't support them :) I hope the rest of the post is valid, however, but this bit is not.

That's not what the article says. The exact sentence is:

> it's the only browser with a **good enough** add-on ecosystem to block all this.

What's more, Firefox doesn't really exist on iOS because Apple only allows the Safari engine to exist for now.

So Firefox and Chrome are just thin shells on top of the OS browser. This is slowly changing (with iOS 17.4), thanks again to... the EU.

But I get your point, Apple's users are indeed locked out by their vendor and cannot benefit from this.

Most American small businesses have no idea what's happening. They don't want to sue and put up the banner. It's not nefarious, it's the law not understanding how it would be interpreted.

I don't blame those US small businesses for what they have done. And if they want to, and can effectively, block all EU visitors then sure they could skip that. If none of the other US state regs that require similar existed. But obviously they likely can't effectively stop EU visitors (who are covered even if this article claims otherwise, regardless of where their personal data is collected) and it'd be a shame if the web ended up so highly partitioned. Several major US-focussed US media outlets just blanket ban EU visitors, as do plenty of random US-focused businesses (I can't plan what to pick up from home depot before travelling over, nor look up items to help friends over there fix problems, I recently learned).

If the possible consequences of a single breach were trivial, well defined, businesses could objectively make a decision - they may get 5 EU visitors a year because they're a US-focussed site and nobody would care about trying to get a 5x €10 judgement ordered in case the company owner ever took a trip or the company shipped goods to the EU. But that's not how it's worded. A member state could feasibly make an expensive claim against a non-EU company because the country's citizens' data has not been accessed in a way the legislation requires. While it can't compel the company's representatives to attend any sort of hearing, it can hold one anyway.

All of which is moot, because none of it works as intended and no member has even taken action against the EU companies with infringing cookie banners. Really what's needed is for some big sites who don't collect overly sensitive data to say they're taking those pointless banners away because they don't change any outcomes. Maybe then we'll have banner-less sites, sites with banners still where you have to unclick consent for partners/marketing/etc like many have in their customise menus... and a few sites chancing their arm with no banner, clear breaches, and action taken against them to compel them to stop or to be clearer about what they're doing.

Given how many banners are illegal, we can see mistakes are well forgiven.

Small businesses are not the core of the problem. Either they have a professional who creates their own platform, or they use a SaaS. In both cases the IT professionals behind the software should do their due diligence. It's literally 10 minutes of googling.

This is an instance in which the text is easy to find and to interpret.

There is a nice add-on Consent-O-matic which auto-rejects those cookie banners as well: https://github.com/cavi-au/Consent-O-Matic

Your code example is actually the reverse :D

accept_tracking = request.META.get('HTTP_DNT') == '1'

1 = do not track, 0 = tracking accepted, so the above code would track only if it's been asked not to.

Indeed, lol. That's how blogging keeps you grounded: people can see how dumb I really am.

The successor to DPC is GPC, https://globalprivacycontrol.org/ - the Global Privacy Control.

Whilst this is not supported by many browsers yet, I understand* that the California Attorney General has welcomed GPC* as complying with the CCPA, and that it does satisfy the European GDPR.

* https://www.loeb.com/en/insights/publications/2021/07/global-privacy-control-consumer-led-enforcement

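The inverted DNT check discussed a few comments up, and the GPC signal mentioned in this one, are both one-line header tests that are easy to get backwards. The following is an added example, not code from the article or from any commenter: a small consent helper that reads the two opt-out signals from a WSGI-style `request.META` dictionary (the shape Django exposes, so the same keys work in a Django view) and decides which cookies the server may set. The function names, the cookie names and the sample request dictionaries are constructed for the illustration; the header names (`DNT: 1`, `Sec-GPC: 1`) and the WSGI `HTTP_` key mapping are the real ones.

```python
# Added example (not the article's or any commenter's code). It reads the
# Do Not Track and Global Privacy Control request headers the way a Django
# view would see them and returns whether tracking cookies may be set.
#
# WSGI rewrites each request header as HTTP_<NAME>, uppercased, with dashes
# turned into underscores: "DNT" -> HTTP_DNT, "Sec-GPC" -> HTTP_SEC_GPC.
# For both signals the value "1" means "do not track / do not sell",
# so the correct test is "!= '1'", not "== '1'".

DNT_KEY = "HTTP_DNT"
GPC_KEY = "HTTP_SEC_GPC"

# Constructed cookie names for the illustration.
STRICTLY_NECESSARY = ["sessionid"]      # always allowed, needs no consent
TRACKING = ["analytics_id", "ad_id"]     # only without an opt-out signal


def opt_out_signals(meta: dict) -> list:
    """Return the names of the opt-out signals present in the request."""
    signals = []
    if meta.get(DNT_KEY, "").strip() == "1":
        signals.append("DNT")
    if meta.get(GPC_KEY, "").strip() == "1":
        signals.append("GPC")
    return signals


def tracking_allowed(meta: dict) -> bool:
    """True only when neither DNT nor GPC asks us not to track.

    This is the corrected form of the line under discussion:
        accept_tracking = request.META.get('HTTP_DNT') != '1'
    extended to honour Sec-GPC as well.
    """
    return not opt_out_signals(meta)


def cookies_to_set(meta: dict) -> list:
    """Cookies the response may set for this request.

    Strictly necessary cookies are always returned; tracking cookies only
    when no opt-out signal was sent.
    """
    cookies = list(STRICTLY_NECESSARY)
    if tracking_allowed(meta):
        cookies.extend(TRACKING)
    return cookies


# Constructed sample requests, shaped like Django's request.META.
SAMPLE_REQUESTS = {
    "dnt_on": {"HTTP_DNT": "1", "HTTP_USER_AGENT": "constructed/1.0"},
    "gpc_on": {"HTTP_SEC_GPC": "1", "HTTP_USER_AGENT": "constructed/1.0"},
    "dnt_off": {"HTTP_DNT": "0", "HTTP_USER_AGENT": "constructed/1.0"},
    "no_signal": {"HTTP_USER_AGENT": "constructed/1.0"},
}


if __name__ == "__main__":
    for name, meta in SAMPLE_REQUESTS.items():
        print(f"{name:10s} signals={opt_out_signals(meta)!r:14s} "
              f"tracking_allowed={tracking_allowed(meta)} "
              f"cookies={cookies_to_set(meta)}")
```

Inside a Django view the same calls work unchanged with `request.META` in place of the sample dictionaries. Note that the absence of a signal only means the visitor has not opted out; whether that is enough to set a tracking cookie without explicit consent is the legal question the thread above is arguing about, and the code takes no position on it beyond never tracking someone who asked not to be.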
The thing I don't get is... if the cookie banner is not required outside the EU and all companies benefit from tracking the user with cookies, why are they showing the banner outside the EU?

My understanding is that the law says that it applies to all European citizens (or some such definition), regardless of where they are, or connect from, in the world.

That's not enforceable. You can enforce laws on your citizens, but not on the citizens of other countries. Ad publishers in the USA fall into that category.

Ignorance of the law, FUD, laziness, because it's cheaper to implement it once for everything...

As you noticed, very few people actually read the law; it looks more like Twitter reactions than actual business strategies.
