undefined | Better HN

0 pointsatq21191y ago0 comments

There is never a good reason for cookie banners, by definition.

The rule is that if you have a good reason for your cookies (i.e., basically one that isn't user-hostile), you have nothing to worry about and don't need a cookie banner.

It's only when you engage in user-hostile practices, such as tracking, that you need to ask for consent.

I'm being sightly snarky, but that's really the essence of it.

0 comments

quesera1y ago

You are not wrong.

But beware the predatory lawyers who will come after you for ostensible violations of California’s Invasion of Privacy Act, California Penal Code section 630, et seq. (“CIPA”).

One company I work with received multiple arbitration demands (claimed "privacy" damages in excess of $25000 each, helpfully offered to settle for $5000 each!). And this company didn't even set any cookies or run any 3P tracking on their site!

Their (famous-you-know-them, expensive, California-based) lawyers said "yes, we are seeing this more and more. We can fight and win for $200K, or you can pay the $50K of claims outstanding and add a banner to your site".

Their CEO chose the less-expensive option. :-/

viraptor1y ago

Does the law even matter in this case? If the idea was to make you convinced you'd spend $200k to win a bogus case, you can be sued for literally anything...

quesera1y ago

This is true, but CIPA is the law that is being exploited for its ambiguous applicability. There are lawyers out there actively targeting companies who legitimately believe they do not need a cookie banner.

They seek out customers of the company ("Are you now, or have you been, a customer of X? You may be the victim of Y/eligible for legal settlement Z/etc.") They may even identify the corporate targets, and recruit new customers for their purpose.

And the way to avoid the issue completely is to add a stupid, superfluous, cookie banner. (Which, in the height of absurdity, requires adding a cookie).

It was a painful and semi-expensive lesson for this small company. And their expensive/prominent lawyers say they are seeing the problem increasing. (I asked why they didn't take the time to warn their clients, but did not get a satisfactory answer).

So it's worth a thought and a note when the idea of not needing a cookie banner comes up.

s__s1y ago

Very few people understand the law and just opt to defensively throw a cookie banner up on the site. Usually a 3rd party service.

At this point I’ve even had clients ask for it, thinking it makes their site more professional and credible, since everyone else does it.

DEADMINCE1y ago

> It's only when you engage in user-hostile practices, such as tracking, that you need to ask for consent.

Which is what the majority of sites want to do which is why there is a good reason for a cookie banner, by definition.

karaterobot1y ago

I believe that you need to inform users about the use of strictly necessary cookies as well. You just don't have to ask for consent before adding them.

https://gdpr.eu/cookies/:

> While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

There's nothing about a cookie banner in GDPR, it's just the most convenient (and, often, laziest) solution to the question of how to confidently say you've told users something.

j / k navigate · click thread line to collapse

0 comments

quesera1y ago

You are not wrong.

But beware the predatory lawyers who will come after you for ostensible violations of California’s Invasion of Privacy Act, California Penal Code section 630, et seq. (“CIPA”).

Their CEO chose the less-expensive option. :-/

viraptor1y ago

Does the law even matter in this case? If the idea was to make you convinced you'd spend $200k to win a bogus case, you can be sued for literally anything...

quesera1y ago

And the way to avoid the issue completely is to add a stupid, superfluous, cookie banner. (Which, in the height of absurdity, requires adding a cookie).

So it's worth a thought and a note when the idea of not needing a cookie banner comes up.

s__s1y ago

Very few people understand the law and just opt to defensively throw a cookie banner up on the site. Usually a 3rd party service.

At this point I’ve even had clients ask for it, thinking it makes their site more professional and credible, since everyone else does it.

DEADMINCE1y ago

> It's only when you engage in user-hostile practices, such as tracking, that you need to ask for consent.

Which is what the majority of sites want to do which is why there is a good reason for a cookie banner, by definition.

karaterobot1y ago

I believe that you need to inform users about the use of strictly necessary cookies as well. You just don't have to ask for consent before adding them.

https://gdpr.eu/cookies/:

> While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

There's nothing about a cookie banner in GDPR, it's just the most convenient (and, often, laziest) solution to the question of how to confidently say you've told users something.

j / k navigate · click thread line to collapse