Is there any way to do this automatically? If there isn't - there should be. Maybe people should use some special tag for them, so that it would be easy for users to block them on all the websites, if they want to.
So I would say the filter works pretty well, I didn't get a single popup of any sort ever since.
Yes, I sometimes get some real content removed. If something looks strange, I temporarily deactivate uBlock. Last time it was a GDPR checkbox at a store checkout.
It’s amazing how much of a difference this makes. I was starting to find the web so hostile. Every page an annoying battle with cookie pop ups.
I am so genuinely happy
Practically I assume most of the sites are breaking the law, because that's how I expect webdevs to think and because most of the cookie banners aren't nearly up to spec to satisfy the law so I assume they aren't being that careful.
---
Long answer:
The vast majority of sites that show the GDPR "we use cookies" banner remember you clicked "OK" or "Accept" by setting a boolean value, either in its own cookie or as a key-value in your session cookie's storage (whether stored client-side or server-side). The ONLY thing the boolean does is determine whether or not to show the banner. That's it. I've never known of a company or site that changes the privacy/retention behavior of its features based on clicking "OK" or "Accept".
As I understand it this solution doesn't follow the law, as users are supposed to be able to decline cookies and somehow still maintain state; the lawmakers don't understand a session is necessary for things like logins, so of course companies compromise with a simple banner that you need to accept/dismiss to "grant permission". When was the last time you saw a "Decline Cookies" button? If you click it, does the site work as expected? Answer: probably not, or the site uses the same cookie/session strategy anyway without telling you.
Source: I've seen dozens of such implementations, and they're all the same. If the cookie/session value indicates not to show banner, then the layout/view simply skips outputting the banner. No other line in the entire code base ever reads the value of that cookie/session.
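Added example, not part of the comment above and not code from any real site: a banner-only handler of the kind described, next to a consent-gated one, with two audit checks that tell them apart from the `Set-Cookie` lines alone. The cookie names (`sid`, `banner_ok`, `consent`, `_track`) and both handlers are hypothetical.

```javascript
// Added example: constructed handlers, not code from any real site.
// Cookie names (sid, banner_ok, consent, _track) are hypothetical.

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Constructed Set-Cookie lines: a functional session and a long-lived tracker.
const SESSION = "sid=s-123; Path=/; HttpOnly; Secure; SameSite=Lax";
const TRACKER = "_track=t-456; Path=/; Max-Age=31536000; Secure; SameSite=None";

// Pattern from the comment: the stored flag only hides the banner.
function bannerOnlyHandler(cookieHeader) {
  const jar = parseCookies(cookieHeader);
  const setCookie = [];
  if (!jar.sid) setCookie.push(SESSION);
  if (!jar._track) setCookie.push(TRACKER); // never looks at banner_ok
  return { showBanner: jar.banner_ok !== "1", setCookie };
}

// Contrast: the stored choice gates the non-essential cookie.
function consentGatedHandler(cookieHeader) {
  const jar = parseCookies(cookieHeader);
  const setCookie = [];
  if (!jar.sid) setCookie.push(SESSION);
  if (jar.consent === "accept" && !jar._track) setCookie.push(TRACKER);
  return { showBanner: jar.consent === undefined, setCookie };
}

// Names of the cookies a response sets, taken from its Set-Cookie lines.
function cookieNames(setCookie) {
  return setCookie.map((line) => line.split("=")[0].trim());
}

// Audit check 1: non-functional cookies set on a first visit,
// before any choice has been recorded.
function setBeforeConsent(handler, functional = ["sid"]) {
  return cookieNames(handler("").setCookie)
    .filter((name) => !functional.includes(name));
}

// Audit check 2: does the recorded choice change which cookies are set?
function choiceChangesCookies(handler, acceptedHeader, declinedHeader) {
  const a = cookieNames(handler(acceptedHeader).setCookie).sort().join(",");
  const d = cookieNames(handler(declinedHeader).setCookie).sort().join(",");
  return a !== d;
}

console.log("banner-only, set before consent:", setBeforeConsent(bannerOnlyHandler));
console.log("consent-gated, set before consent:", setBeforeConsent(consentGatedHandler));
```

The same two checks can be run by hand against a real site by comparing the `Set-Cookie` headers of a first visit in a clean profile with those seen after each choice in the banner.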
The publisher is trying to adhere to a law (for better or for worse) by giving the user visibility into technologies and data usage.
A plugin hiding that by default can lead to all sorts of nastiness.
* Pause your blocker
* Reload the site and accept/deny cookies
* Resume your blocker
Right click on ad / pop up -> Block Element ( a rule is automatically generated ) -> Create. Voila ! You might have to do it 2-3 times for the same element as it might have several layers. But then you're done and you haven't been forced into clicking "ok"
( With uBlock Origin )
The solution? Cookie consent should be a built-in feature of browsers and http, not something that is reimplemented in a slightly different way by every single website.
Your browser should pop up a standardised cookie consent request when you browse a new site, and enforce your selection as part of its security policy. If you choose to block all cookies (ie: private browsing mode) then the cookie consent request wouldn’t need to appear at all.
It goes to show what the real world incentives really are. The only way to get this fixed is to more specifically regulate user tracking and online advertising by tracking. There will be people who decry this, but the advertising industry has brought this on itself.
The whole world shouldn't have to deal with the burden of one bad decision from EU. There should be a way to petition this. Imagine if this had happened due to a decision by some country like China.
I think it should be "Oops, this hasn't worked as planned and has been abused, let's try Y instead now"
Some of the most ardent proponents of GDPR have been quoted as saying that implementing its requirements is so easy that they themselves could do it and that people simply should stop complaining.
Further than this, the corporations that are tracking us actively would like to tell you they don't care about DNT, and they've no obligation to respect any DNT user[2]: "The DAA does not require companies to honor DNT signals fixed by the browser manufacturers and set by them in browsers. Specifically, it is not a DAA Principle or in any way a requirement under the DAA Program to honor a DNT signal that is automatically set in IE10 or any other browser." This is point blank saying that DNT may as well be used as another way for you to be tracked, from one of the biggest places for advertising online. This is an international discussion; it's not just companies in the US[3] that feel this way either.
[1] https://lists.w3.org/Archives/Public/public-tracking/2018Oct... [2] https://digitaladvertisingalliance.org/press-release/digital... [3] https://youradchoices.com/participating
Didn't we have that from day 1? A browser is free to disable cookies.
The EU laws are more concerned about the intent of the cookies. Are they functional cookies or tracking cookies designed to reduce user privacy.
The people working on any given law (regulation) tend to be well-informed, and so are the parliamentarians that take lead roles on an issue.
Part of the problem here is that websites are less-well informed on the law: session cookies, for example, do not require a warning IIRC. But many websites using only those needlessly ask for permission.
One mistake in thinking by lawmakers was to assume that websites would choose to forgo third-party and long-lasting cookies in cases where they are of marginal utility. This obviously didn’t happen, partly because everyone started using cookie warnings and they therefore became normalized.
It should be noted that unlike the previous iteration, the current warnings ask for consent and tend to include a not-too-difficult-to-reach option to deny it.
I believe many people (and parliamentarians) that are passionate about privacy issues would also argue that the current situation is still better than quietly using your data. If you value privacy high enough, it rather quickly outweighs any annoyance, even if the latter is far more prominent in daily life.
The GDPR requires consent for tracking technologies for non-essential purposes. It can be cookies, but is not limited to them. Local storage or browser fingerprinting fits the bill as well.
Moving the cookie consent management into the browser won't fulfill the intent of the law - sure, cookies are now disabled by the browser, but what about fingerprinting or server logs? A compliant site will still need to ask for consent for those.
When it comes to user experience, the regulation explicitly sets rules around how you ask for consent. Consent should be freely given so that users are not forced to opt-in (you can't force them to accept, so cookie popups where opting out is not possible or "by using this site you agree to our use of cookies" notices are not compliant). Tracking should also be opt-in, so pre-ticked checkboxes or where the flow to accept is easier than the one to decline (one click to accept, several clicks to decline) is not compliant either.
Finally, functional cookies such as for shopping carts or logged-in user sessions are explicitly allowed without requiring consent nor disclosure.
The problem here is not the design of the law but the lack of enforcement of it. All those obnoxious sites where you'd want to ad-block the consent popup are not compliant by default and should be fined. If the law was enforced we'd quickly see changes around this and consent popups would become unobtrusive.
Quote:
> This puts browsers in the direct path of legislation in any given country’s demands. Features in browsers should be based only on user needs. Only when a law absolutely targets browsers should they do anything regarding legislation.
[Edit] remove the code block
> “Anyone who thinks that the Communist regimes of Central Europe are exclusively the work of criminals is overlooking a basic truth: The criminal regimes were made not by criminals but by enthusiasts convinced they had discovered the only road to paradise. They defended that road so valiantly that they were forced to execute many people. Later it became clear that there was no paradise, that the enthusiasts were therefore murderers.” - Milan Kundera, The Unbearable Lightness of Being
This is all government.
I'm not sure why we keep expecting anything other than regulatory capture with government intervention.
https://www.i-dont-care-about-cookies.eu/abp/
Also on that same page you can enable some of the 'Annoyances' filters. Just be aware that some of them block social media buttons (FB/Twitter like/follow embeds), which you may not want.
Example website for which blocking the cookie popup does not work with uBlock Origin: https://tweakers.net/
Ghostery doesn't have as many bells and whistles, but it does greatly minimize the main annoyances out there, and it doesn't slow anything down noticeably.
It might all be a moot point by this time, since Youtube has changed how they load in such a way that it stutters no matter what because it is so busy downloading absolutely every item on a page all at one time instead of prioritizing the video stream like it did about a decade ago (back when you could pause a video and it would download fully even while not yet playing, thus avoiding the bottlenecks altogether...).
Ironically that puts me back to pausing everything first just to give all the useless off-screen crap enough bandwidth to load without ruining the video experience.
No matter how much faster technology gets, they find a way to make it more and more sluggish every time.
To argue that this legislation would've had a good effect in some hypothetical alternative world where businesses had different incentives is beside the point!
(Side note, if it were not for govt investment in the decentralized, open internet, we'd probably all be using some ungodly-advanced version of America Online. So I'm certainly not advocating govt has no place in tech!)
Liability doesn't work with a lack of enforcement.
Doesn't the 2009 ePrivacy directive exclude "strictly necessary" cookies [1], not "non-tracking" cookies? Like GDPR, I think no website wants to be the first to test what falls under "strictly necessary", under the EU directive and every country's specific implementation.
They really should have listed specific exemptions on the directive. Here's hoping that the new ePrivacy regulation will have them and/or just repeals the cookie popup.
Cherry picking an outlier, then attributing one side of the relationship as completely at fault and sarcastically implying it's generally representative isn't an honest depiction of reality.
I've seen lip service to this clear misrepresentation of reality my whole life. I don't let it slide anymore. We can do better.
A corporation doesn’t have the power of the state to threaten to take away property or liberty.
Functional cookies like shopping carts, logged-in user sessions, etc do not require disclosure nor consent.
Furthermore consent is only valid if it's opt-in (and not opt-out, so pre-ticked checkboxes are not compliant) and if it's just as easy to decline as to accept (so if it takes more clicks to say no than yes then they're in breach already).
Don't blame the EU for this, blame the website operators and their broken business models.
Seriously, I wonder if adding those cookie banners impacted tracking in any significant manner, because it definitely significantly impacted the usability of the web.
Replace it with a single "session token" value that you are allowed to set. Can only be created in response to a form post. No cross domain.
Make all the other web API stuff a smartphone-style opt in. "This app requires the following permissions: "Store private data in your browser. Only do this for sites you trust as this can be used to track you." etc.
Maybe all the above can be made into an extension as a stop gap.
I'd imagine a flood of junk data would increase the cost of tracking.
Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.
Browsers have provided this functionality for 10+ years. Why the law didn't target the user/browser level instead of the website level is beyond me.
If anything maybe we should encourage having a "master preference" set in the browser, something like DNT (but not so easily ignorable) that just tells all websites on the user's behalf to only allow the absolute minimum number of cookies needed for the site to function. A small message on the bottom of the page could give more details or allow manual changes.
OctoberCMS for example sets a cookie for every user and there's no way of turning this off, and lots of WordPress plugins just don't care with no option to disable this behaviour.
So most banners are just a notification rather than a choice. e.g. Continue to use the site and you automatically opt in. Which is not the intended goal for the law.
But it turns out that 100% OK is still not good enough. This whole thing should really be managed either by the browsers or by an extension and the consent request should come in a standard, machine-digestible way (XML, json, what not). You could then just set your preferences once, that should work for most sites and every now and then (but less and less frequently) you'd be asked about what to do with unknown cookies on unknown sites.
In short, just because part of the industry is trying to circumvent regulation and because the current implementation is not the most efficient, we should not give up on the whole idea.
There are probably some contexts where “informed consent” is a sensible legal basis for processing data. But no-one in their right mind would freely agree to all this tracking that those pop-ups are trying to trick you into. So instead of trying to make “consent” easier to give, just assume that it won't be given.
I can think of two or three entities I interact with for whom I might enter such a consensual agreement with. Neither are “sites”, and the web is not the primary way I interact with them, so a browser would not be the tool to maintain those agreements.
Amusingly I've just followed a link on HN to The Economist [https://www.economist.com] - their popup offers a link to "manage your cookies" where you can untick huge numbers of them or click "Opt Out All". Great - did that, however on returning to the page found the popup still covers part of the page :-)
However, we must remember Hanlon's Razor.
Normal cookies required for the functioning of the website - e.g. session tracking, user input, etc. are exempted and don't require user consent.
See for ex. here (the official cookie guidelines for EU institutions' websites): https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies
Don't blame these BS popups, interstitials, click-through wrappers etc. on Europe, that's purely site operators' laziness, legal CYA (force these wrappers even where not required) and greed where various analytics and tracking cookies (which do require consent) are being deployed.
If I happen to click a link on a news aggregator website like this one, then why would the website I visit (possibly for the first time) require my browser to accept cookies?
I worked in web dev when these regulations were introduced, and any idiot could see that most companies would take the laziest, safest route to complying with them, in a way that would put a massive burden of inconvenience on the user.
If the EU was competent, they wouldn't have needed warning about this outcome. But they were warned, again and again and again. They chose to ignore it and screwed over their constituents for nothing.
If that doesn't work, I use a bookmarklet called "Remove Sticky"[2]. I type "bre" and hit enter when sticky things pop up to get them gone.
[1]: https://chrome.google.com/webstore/detail/vimium/dbepggeogba...
It'll probably have about as much adoption as Do-Not-Track...
Any idea if there's a chance to get this one day?
In theory that would've covered it, along with a setting on startup / a review notification every once in a while, but without the legislation backing it, it wasn't successful.
The dialogues are only necessary because the website owners want to send you tracking cookies. If they choose not to, there is no need for any kind of banner, native or otherwise.
So? The only difference between what I suggest and what we have is user friendliness. The law is already here.
Is this a violation of human rights?
On the one hand, these notices are akin to EULAs some programs make you click through when you first run them. We're more desensitized to those now, but they were never mandatory.
On the other, I can't remember the last time an app maker got in trouble for keeping track of what users do. I can see it making sense to know that a single entity has been tracking you through a diversity of websites, but you enabled cookies in your browser for a reason. The site I deliberately chose to download and run the code of shouldn't need my permission to save state for that site.
Android prompts you when an app needs permissions. OSX has started prompting you for permission the first time an app wants to access the filesystem. Seems a bit arbitrary to make websites handle that.
(Not surprising, given that the largest one, being or close to being a de-facto monopolist, has conflict of interests on the matter of user tracking and profiling.)
We get a legal solution which is poorly understood, has weird unintended side effects (because it was made by non-experts) essentially breaking things (just... non-technically), and doesn't really prevent the bad actors from continuing what they did.
> Whatever the intent of the GDPR was, the practical result is that now I have to click away the annoying "we're using cookies" popup on every website.
"Whatever the intent of docker was, the practical result is that now my computer runs slower. (Thanks Obama.)"
I've also seen some weird post score swings, like mildly pro-Trump things going down to -3, then back up to +3. We know there's a lot of orgs out there actively trying to influence social media, I wonder if any of them have downvote farms or bots pointed at HN? I'd be disappointed to learn that real HN regulars just reflexively downvote like that.
I don't see the suspect downvotes that grandparent sees though. Maybe gone already?
HN has a way of defending Trump and quickly down voting direct criticism of conservatives, at least in my own n=1 experience.
edit: ...and this comment was flagged. Case in point.
But yeah, this could be handled in a more user friendly way, if there was a standard way to express the consent options (with the cookies and their functionalities) that the browsers could parse. Then the page could check if the browser handles it or if it has to fall back to what they're doing now.
And now that we're talking about it, Firefox does have something similar accessible from the URL bar, called "Enhanced tracking protection".
Argh, makes me angry just thinking about it. The web is becoming increasingly painful to use through a UI browser.
It literally crawls all elements in page, tests their computed style and removes those with sticky position (and a bit more). Works quite well for me.
[0] https://alisdair.mcdiarmid.org/kill-sticky-headers/ [1] http://myfonj.github.io/utils/bookmarklets/sweep-stickies.ht... [2] https://greasyfork.org/en/scripts/370572-sweep-stickies
- For Safari, if you're using 1Blocker, in "General" > "Block Annoyances".
- For NextDNS, I thought I saw "Annoyances" but could not find it now. Should have it somewhere.
- Chrome has a plethora of Extensions that "don't care about cookies" or similar. Other than that, as someone else commented, uBlock Origin > Settings > Filters List > Annoyances
This is a library of rules for navigating through common consent popups on the web. These rules can be run in a Firefox webextension, or in a puppeteer orchestrated headless browser. Using these rules, opt-in and opt-out options can be selected automatically, without requiring user-input.
This library is primarily used by the cliqz browser in order to automate user-consent, and make a cleaner browsing experience. There is also a standalone addon that can be installed in Firefox.
/* "custom" */
[class*="as-oil"]:not(body, html),
[class*="optanon"]:not(body, html),
/* "generic" */
[class*="consent"]:not(body, html),
[id*="consent"],
[class*="gdpr"]:not(body, html),
[id*="gdpr"],
[class*="announcement"]:not(body, html),
[id*="announcement"],
[class*="policy"]:not(body, html),
[id*="policy"],
[class*="cookie"]:not(body, html),
[id*="cookie"] {
display: none!important;
visibility: hidden!important;
transform: scale(0)!important;
opacity: 0!important;
width: 0!important;
height: 0!important;
z-index: -1!important;
background: transparent!important;
color: transparent!important;
font-size:0!important;
}

Instead I have the EU asking me about Cookies on every other web page.
There are numerous sites I go to regularly incognito to log in as an admin vs. end-user: several have low-profile, low-contrast cookie warnings which disable all other menus until you acknowledge them (without an apparent overlay). Just that little extra bit of friction every day adds up.
The DPAs often only work off consumer reports.
You need to know that these popups are a result of two separate laws: The ePrivacy directive aka Cookie Law, and GDPR. GDPR is the enforceable one that you care about. A web site can process your data (e.g. for personalized ads) for one of the explicitly given reasons, the most common ones being "legitimate interest", "fulfillment of a contract" and "consent".
There have been a couple recent statements about what counts and doesn't count as legitimate interest, fulfilling a contract, and consent.
You also have the right to ask the controller of the data (not the processor) for a list of data stored about you. Try it with one of said web sites! Make a clean cookie jar, use the site and only the site, send them the cookie jar, and see what data they store. (If they don't, file a complaint with the DPA)
The GDPR is pretty clear that opting out must be the default choice, but it wouldn’t surprise me if some use a system that only follows that if it is actually shown.
On a related note, has anyone ever seen the corresponding consent popup that would let me opt back out of tracking cookies? I haven't. Which strikes me as weird, since consent was supposed to be as easy to rescind as it is to grant it.
I have but only once, I don't remember where, it was probably an obscure site that didn't have whatever I was looking for. The pop-up was a big list of third party companies with checkboxes (Android style, slide left to uncheck) that had to be disabled individually. I don't think that was legal, consent was given by default unless I manually unchecked each box. There was of course no "uncheck all" button.
So not only do they not inform the user about the risks associated with this invasion of privacy which is a prerequisite for informed consent, they also take away the option to explicitly say no.
Even though opting out of tracking is the default, sites are probably placing cookies and fingerprinting the user's browser on their first visit anyway before they even see the consent pop up. So ignoring the pop up is probably not a real option either.
I tried external list for Ublock as well. They say they will remove those things but they sometimes break things. Videos or slideshows for example did not seem to work when Ublock removed the cookie pop-ups.
https://techcrunch.com/2020/05/06/no-cookie-consent-walls-an...
2. Also, many of those panels have "Accept all" as a default option. Many make it purposely hard to disable some trackers without going deep down into crowded cookies preference pages. This is also the wrong way of complying to GDPR, and the sites that do it must be appropriately punished. The default should be "Deny all except for non-third-party functional cookies".
3. In the meantime, NoScript helps blocking some of that crap. If you never whitelist domains like cookielaw.com you're unlikely to see many of them.
Not really. GDPR says that non-transactional cookies should default off.
The law could say something like: If you are collecting data in order to create a profile of a person, and the person did not ask you to do a job which requires such profiling, then you must ask for permission.
Nothing about cookies, nothing about a popup, just intention and consent. And here comes the surprise. That is current GDPR. It mentions cookies exactly once, as part of a non-exhaustive example list of identifiers which are commonly used in order to profile people. Cookies have the same importance in GDPR as profiling a person based on what screen resolution your device has, and you may notice that there are no screen-resolution-accept-banners anywhere.