undefined | Better HN

0 pointsdeveloper25y ago0 comments

tldr; uBlock Origin removing the html element containing the "we use cookies" banner is effectively the same as clicking "OK" or "Accept", even without notifying the site/server. If there are any exceptions, they are extremely rare.

---

Long answer:

The vast majority of sites that show the GDPR "we use cookies" banner remember you clicked "OK" or "Accept" by setting a boolean value, either in its own cookie or as a key-value in your session cookie's storage (whether stored client-side or server-side). The ONLY thing the boolean does is determine whether or not to show the banner. That's it. I've never known of a company or site that changes the privacy/retention behavior of its features based on clicking "OK" or "Accept".

As I understand it this solution doesn't follow the law, as users are supposed to be able to decline cookies and somehow still maintain state; the lawmakers don't understand a session is necessary for things like logins, so of course companies compromise with a simple banner that you need to accept/dismiss to "grant permission". When was the last time you saw a "Decline Cookies" button? If you click it, does the site work as expected? Answer: probably not, or the site uses the same cookie/session strategy anyway without telling you.

Source: I've seen dozens of such implementations, and they're all the same. If the cookie/session value indicates not to show banner, then the layout/view simply skips outputting the banner. No other line in the entire code base ever reads the value of that cookie/session.

0 comments

Lazare5y ago

> as users are supposed to be able to decline cookies and somehow still maintain state; the lawmakers don't understand a session is necessary for things like logins

The lawmakers do understand that, you are allowed to use sessions and cookies for essential tasks like tracking login state, and no popup is necessary in this case.

I wouldn't be shocked if you are correct and many devs are indeed completely ignoring the legal requirements here, but that may be in part due to developers not understanding the legal requirements or believing incorrectly (as you seem to) that the requirements are not technically feasible.

A simple, GDPR compliant solution would be a tickbox for "remember me across visits" next to the login form. If ticked you get a persistent cookie, if unticked just a temporary session that goes away when the browser is closed. No popup is needed.

Kiro5y ago

You don't need a tickbox either if it's just a login cookie.

ksec5y ago

Thank You. This is new to me.

If login Cookies are allowed, and your login site already has your profile hence your Ads preference. Why do they still need to use cookies banners?

2 more replies

Shish2k5y ago

> users are supposed to be able to decline cookies and somehow still maintain state

GDPR only applies to non-essential tracking & advertising cookies. Login cookies are always allowed, and you don’t need a banner to state that you use those.

Jaruzel5y ago

Is this true? What about shopping cart cookies, especially as a 'guest'? Does that need Cookie op-in, legally?

lozenge5y ago

"the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent."

If the site's using a common framework, convenient and essential uses will be combined in a "session id" cookie which needs re-developing, or just slap a cookie warning on it.

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

belorn5y ago

We can look to the GDPR text itself to answer that. Is the cookie there in order to create a profile with other information in order to identify a natural person. If yes, then the company is required to treat that cookie identifier with the same care and requirements as other sensitive personal data like social security numbers, passport numbers, personal ID numbers, and so on.

Law is fuzzy by nature, but it seems pretty clear that a shopping cart cookie is exempted from needing consent. Functionality of services that are expressly requested by users do not need consent, and in this case we have users that want to put items inside a cart in order to buy it. If that creates a profile on the server, and that profile is combined with other information, and then used outside the scope of the customer relationship, then we are moving into the area where consent is needed.

We can draw a parallel to data collected offline. A person go to a store and talk to a sales representative about buying a product and having it shipped home. At what point do the sales person need to ask for GDPR consent? The answer is likely the point where the sales person saves a profile of that customer on the computer, and the profile is intended to be used outside the context of that purchase.

1 more reply

developer2OP5y ago

Which sounds a lot like the "DNT" (do not track) or Microsoft's "P3P" (Platform for Privacy Preferences Project) headers. Which both failed, because if companies were required to respect those standards, all advertising and tracking would be extremely easy for users to opt out across the board as a single global preference.

The problem is that each site can choose its own text to display, which buttons/options it shows, and how those settings are supposedly enforced. This doesn't belong in the html of a site. This is exactly what a cross-browser preference should be doing. Which should probably be a modern–and most importantly standardized equivalent–of the P3P header. Every site should have a static set of options it can request, so users are used to accepting or declining the same set of permissions regardless of the site that is visited. Otherwise agreeing to the per-site cookie banner is just as convoluted as expecting users to read Terms and Conditions policies. I have never read the text in a cookie banner, and I never will. I click the OK/Accept button immediately, just like any T&C/ULA.

Imagine if requesting webcam, microphone, notifications, or gps/location permissions were possible by a site including its own custom banner, and if you clicked OK/Accept, it immediately got access to those features. Of course browsers don't allow this, because sites would abuse it and trick users into granting permissions when not desired. Instead, your browser provides a standardized prompt for requesting such permissions. There is no reason for tracking cookies to be exempt from being required to follow the same model.

vertex-four5y ago

The trick of the GDPR vs those browser technologies is that there’s actually regulation because obviously the industry can not be trusted to self-regulate.

Indeed, there should be an enforced UI, but that’s not how the EU tends to regulate on privacy, and without EU regulation none of the companies currently trying to entirely ignore the GDPR will use it. They have put out guidance that some current attempts at pretending to comply are illegal, and I expect to see fines regarding that in the next couple of years - the difficulty is creating a solid case that isn’t going to undermine the GDPR through case law. I wonder, though, if there were a dirt simple API for consent in the browser, whether independent developers who would honestly like to comply would use it.

tcgv5y ago

I have been increasingly seeing cookie banners that provide more options than just the typical "Ok" or "Accept" buttons, such as a more restrict cookie tracking configuration. Not sure if selecting the more restrict config will have any effect in those sites though, besides just hiding the banner in future visits.

j / k navigate · click thread line to collapse