The article omits the really obvious solution: don't use all these cookies on your site. Many of us use Google Analytics for convenience but in reality there's really no reason for it on most sites. Basic login or technical protection measures are all perfectly fine - so storing an IP to make sure you're not getting DDoSed is not an issue.
This law is not aimed at the average homebrew website or restaurant menu page - it's for the big abusers, like Google.
You never want laws to be ambiguously applied and to presume exemption because "it wouldn't happen to me". People will abuse laws: there will be spam scams aplenty selling snake-oil solutions, and ambulance chasers threatening to sue companies because they can. Excess legislation comes at a cost.
I am in favour of better privacy but I fail to see how counting unique visitors on a blog should become a crime. By setting the standard that everyone is violating the law, you encourage everyone to ignore your law.
But I can't see this changing in the medium term without some high-profile fines; someone needs to fine a major media company or similar simply for having Google Analytics enabled. Then everyone will shout about their world collapsing, and try to find new forms of allowed dark pattern.
Really the only way to get out ahead of this mess would be to "lean in" and make a browser-level technological mechanism for providing consent. Maybe standardise the "session cookie" somehow, so all the required functionality can hang off that.
There is a healthy cease-and-desist industry working in the field of online shops. I wouldn't classify their owners as lower middle class. You are right that a lot of cases go to court but they often side with the one sending the letter.
This will be annoying if every single website spams permission requests on first visit.
I hope that if I say 'No' on one website to doubleclick, adwords, analytics, etc, those aren't going to just reappear for every other website.
If it's purely something each website is implementing, that won't happen, so I'm looking forward to some standard that all browsers will use.
The UK could have just developed their own adblocker or educated everyone about adblocking, cookie blacklisting, browser settings, anything would be fine.
Do you think the average visitor will take time to go through each message and only enable 1st party services required for the website to function? Just like the annoying cookie banner, people will quickly become blind to that section of the screen and spam click on whatever appears just so they can get rid of it and read the page.
In my opinion the ability to give consent for cookies or anything else should be a standardised part of browsers and another W3C standard. This should be an integral part of the browser, the same way as consent for camera or microphone use.
> It’ll likely take heavy fines before people will care to go through the whole process of “cookie-lawing” and “GDPR-ing” their websites again.
This line is a bit disingenuous, as all of these guidelines are simply what “GDPR-ing” was supposed to be in the first place. Any website owner that contracted for someone to make their website GDPR-compliant that runs afoul of these rules should insist on getting their money back.
Obviously around 0% of website owners do as they had to be forced into not pushing tracking cookies onto you by default. The decision is not mine to make as a user.
This is a good thing. And there's probably still some way to go with this. A step-by-step approach makes sense to me. Sure it's a nuisance for developers (although I'm certainly not complaining about the extra work) but it's better for users to see regular progress regarding their privacy. Surveillance capitalism has gone a bit crazy over the last decade and lawmakers are steadily reeling it back in. I fully support the ICO's recommendations.
Yep, I work at what is a processor in terms of the GDPR and made an action plan of how we should comply and help our customers to comply.
Guess how much of that got done? Absolutely nothing.
But luckily we have quarterly meetings on how to improve our compliance etc., of which we have so far had none.
The trouble is that the industry seems to focus more on what they can get away with than what they need to change. Even the GDPR consultants/privacy lawyers focus not on what is required by law, but on how to circumvent as much of it as possible.
All 'BeCAUse iT Is sUcH a drACOnian LaW' - Well guess why that is the case. We keep perverting it in the name of marketing. It's just a race to the bottom in the end.
If there is no regulatory punishment for ignoring the law, then any organization following the law actually has a commercial disadvantage against all the opponents not following the law.
That's why no one is willing to follow the rules. Legal requirements that do not get enforced are just meaningless.
Author here. What’s new is the ICO has changed their guidance: they had explicitly stated analytics was acceptable in the past. The law itself hasn’t changed, but what most people thought was compliant is now unambiguously not.