So . . . the EU drives regulation to enforce seeking consent as a mandatory step, followed by browsers like Brave programmatically defeating the ability of companies to seek consent? Two wrongs don't make a right.
What is the end game here, it's like watching dumb and dumber. I want a great web experience just like the next person, but not at the cost of jeopardizing the successful freemium model of the internet that has given billions of people access.
The EU didn't make seeking consent mandatory, they made tracking people without consent illegal (except to the extent that it's necessary for the service). These companies are perfectly able to simply not track people without displaying cookie banners.
This is simply automating the process of ignoring the request for consent to track you. The result is (legally) that the website may not track you because it did not receive affirmative consent. That really is the end goal, to stop companies from tracking consumers like this while still allowing for legitimate business deals.
I'd respect those moves grounded in the argument for a universal human right to privacy were it not for the glaring exceptions made to the EU's own security agencies and God knows what else under the national security exception.
Everyone in the industry tracking the privacy moves in GDPR acknowledges that far from improving privacy, they are intended to blunt US tech companies' success in the continent. And . . that's perfectly fine, I guess positioning it as a moral defense of privacy just doesn't sit well with me.
> Everyone in the industry tracking the privacy moves in GDPR acknowledges that far from improving privacy, they are intended to blunt US tech companies' success in the continent.
No, this is by far the minority view and is held purely by people who are ignorant about the requirements and functionality of GDPR.
The likely endgames of 'no tracking' (accelerated by automating rejection rate up to 100%) are:
- drastically reduced free content (see the rise of paywalls on most news sites)
- an arms race to find other ways to track (see rise of cookieless tracking and retargeting approaches, first party cloaking, etc)
Not to say the latter wouldn't always be there, but the fact is a good chunk of the web is free and stuffed with ads because that's the only way to stay afloat, people simply don't want to pay for content.
How is Brave's action wrong? It's the user who needs to enable the feature of "I don't want to consent ever, please ignore such requests".
If this state was the normal, and later they were to stop blocking cookie banners that you explicitly chose to always reject, it would be seen like a huge harassment from companies to the user.
Maybe the end game is that we managed to realize what practices were beyond acceptable, and finally forbid them via legislation.
I hate these banners. Oftentimes, they pop up in a non-obvious location and cause the entire page to freeze - scrolling doesn't work, links and buttons don't work. I have force quit my browser on more than one occasion because I couldn't figure out there was a cookie banner on the screen.
So, in your estimation, which side am I on - Dumb, or Dumber?
Doesn't Brave block 3rd party cookies? What's the point of the banner? My cookie knowledge is entirely based on enterprise and small server-side web apps, but I assumed that 3rd party cookies were evil and allowed facebook\facebag's of the world to track people covertly. And not every webapp is going to use JSON web tokens so the ability to use first-party tokens is sort of a requirement for auth and session management.
Analytics info can be interesting and neat, but given how bad the adverts I see on Facebook are, and how badly wrong Twitter categorised me according to what I found by downloading all the data they stored on me, I don't think it's anything like as useful as its proponents say it is.
(Except, possibly, for automatic bug tracking; but even then, the value is in the stack trace, not the personal info).
It's so simple: the browser should expose a user configuration setting, which can be used by any website to automatically answer whatever question the consent banner thinks it needs to ask. At the highest level, three settings: Ignore, Reject all, Accept all. More fine-grained settings could be standardized (conceivably), although I would be surprised if many people cared to use them.
This is one of the first ideas people tried, more than a decade ago before GDPR was even a thing. The Do Not Track header was proposed in 2009 and implemented only in Firefox. The problem is that advertisers don't want this solution, because they want you to accept all cookies and a single browser-wide config setting makes denying way too easy. So they just ignored the setting, and nothing ever came of it.
Please read my comment again. Comment banners are the consequence of regulation.
I'd rather poke my eye out than stick up for them. What I'm calling out is the dangerous series of events over the past few years which have been rooted in good intent to preserve privacy, that seem to be having the fallout of destroying the web experience.
[edit] I can't believe HN has turned into a Reddit style downvote brigade so I'll just post my response to the below comments in this edit since I can't reply anymore <shrug>
And you've made my point exceedingly clear[1]. That pretty much is the ambiguity left up to the whims and fancies of the EU bureaucracy to enforce.
According to noyb.eu, the entity behind famous decisions at the CJEU, consent IS INDEED required[2] for ANY cookies to be stored on a user's device. It isn't about data collection, if some rando agency or court finds Github or HN use fingerprinting of user preferences (as an example) or are LIKELY TO. . . it is considered a breach.
A French agency fined Google and Facebook heavily for merely providing a more complex refusal flow for cookies than the accept flow.
> Comment banners are the consequence of regulation.
No, consent banners are a consequence of scummy companies trying to vacuum up your personal data for nefarious reasons. They are not required by any regulation, aside from in cases where a company is asking to use your data in non-essential ways.
Consent banners are definitively not required by the GDPR. Consent is only required for non-essential collection of user data, or for non-essential processing of user data. For example, Strava would not need consent to collect user GPS location, as that is core to the product that Strava provides to users. Hacker News would require consent to collect user GPS location, as user GPS location is not essential for posting links/comments. In addition, because consent is specific to a use of data and not to the collection of data, Strava would require additional consent in order to use that GPS data for advertising.
The GDPR doesn't require consent pop-ups. Companies choose to add consent pop-ups when they exceed the minimum amount of personal data collection.
Please substantiate your claims. Your single sentence managed to pack three unsubstantiated claims into it.
* "Started with" implies that there were no motivating factors for the GDPR, nor a situation being responded to. Online surveillance is a clear harm being done to users, to which the GDPR is a clear response.
* "Ignorant lawmakers" implies that the law was poorly crafted with little subject matter knowledge. This hasn't been my experience in reading it, that the GDPR is well-crafted to make certain unethical business models be infeasible, while avoiding impact to data collection that is essential to a service.
* "Made web browsing worse" implies that the current state in which surveillance must make itself known is worse than the previous state in which surveillance could be done silently. I would argue that it is a better state, as knowledge of a hostile act is the first step in preventing it.
Has “surveillance capitalism” subsided at all after the GDPR? Did any company announce that it affected their revenue negatively?
How many people are saying “we are so glad we have cookie banners everywhere”? I’m also sure that every small business is glad to have to decipher the huge law.
* Explicit claim: "Websites complied with the law". The GDPR does not allow a refusal of consent to take more steps than an acceptance of consent. I have only seen a scant handful of websites where this is the case. Instead, refusal requires following additional links, sometimes disguised as "privacy policy details", disabling each pre-selected consent box, etc.
* Implicit claim: "Websites complied with the law" implies that the websites took the only method by which they could be compliant. This is incorrect. Websites had a choice, and could have stopped surveilling users instead. This is a breakage in the causal chain between the passing of the GDPR and the omnipresent cookie banners.
* Explicit claim: "Web browsing got worse". Appeals to a majority are not sufficient. A user-hostile website being required to announce itself as such is an improvement.
So your contention is that it’s not a bad law. It’s just an unenforced law and therefore is still ineffective?
As far as appealing to the majority, if the majority don’t like the consequences of a law, in a democratic society isn’t that prima facie a bad law unless the law is to protect the minority from the majority?
If the websites complied with a law in a form that made web browsing worse and didn’t achieve its intended purpose - isn’t that yet another sign of a badly written law?
The hitmen (using your analogy, the websites that track) are still killing just as many people. But now it’s just making it harder to drink a glass of water.
Are the two sentences completely uncorrelated? Yes, so is the effect of the GDPR on websites.
Well, it’s simple. Did Facebook announce any ill effects during its quarterly results caused by GDPR? No.
Did they announce a decline in revenue caused by Apple’s ad tracking transparency - yes, to the tune of billions and they called that out as the reason.
He's not sticking up for it. He's pointing out a truth. For example, in countries like the UK, as a website owner I have a legal requirement to get consent. Brave in this example would be forcefully removing the ability for me to get the consent that I legally require.
I don't believe in consent banners but that doesn't remove my legal requirements. I've got to stick to the law whether I like it or not.
> as a website owner I have a legal requirement to get consent
Consent !== cookie-banners. Hey, you don't have a legal requirement to track people at all; it follows that there's no legal requirement to get consent to track. Tracking must be opt-in, so just provide a menu option or something, that lets your visitor opt-in to tracking, if they love being tracked (let us know how many people opt-in to tracking, if you haven't gated the entire site on a consent banner).
Maybe your site provides features that depend on tracking? No prob - gate those features with a consent dialog.
Maybe you don't want any visitors you can't track? Well, that really means that your homepage should be an opt-in dialog, returning a 404 if you opt out.
Brave is giving users the ability to automatically say no to your cookie banners. People who use Brave don't want to be tracked and will never consent to it.
You're making a mass assumption based on your usage of Brave there. Most people I know who downloaded Brave (general people, not the YCombinator/tech power user types) initially got Brave purely because they wanted to earn tokens while browsing.
They don't care about the tracking/ad blocking side of things.
Which is funny considering that Brave is a for-profit company and nearly all of their money comes from displaying ads. It's popular for blocking a thing that the company needs to survive, while not caring about all the websites they block ads on.
> What is the end game here, it's like watching dumb and dumber. I want a great web experience just like the next person, but not at the cost of jeopardizing the successful freemium model of the internet that has given billions of people access.