Please stop repeating this nonsense. The GDPR never mentioned cookie banners. This is the industry’s shitty solution to forcing users to consent with tracking.
You can run a perfectly fine website with zero cookie banners if you simply don’t track your users and don’t expose them to third parties that do track them.
Hence, all websites implementing cookie banners are the culprits here, not the GDPR.
That's a false dichotomy - clearly there's more options than these two. There's definitely a better way to address this issue.
On the other hand, between those two, it arguably is worse, because we now live in the worst of both worlds - we still get a ton of stalking but we now have those cookie banners on top of that.
I can block cookies using simple addons, which is WAY lower effort than clicking through a deliberate dark-pattern that is different on EVERY website (or using complex addons with lookup tables for every website).
It's not about cookies specifically, they're just one of the many ways you can be tracked.
You can't realistically block fingerprinting without serious effort, and you can't block your IP without using a VPN (which causes a bunch of other problems with sites not serving you).
The behaviour was already bad (sharing your personal information with 1000s of “trusted partners”), companies just want to keep doing it even if it inconveniences their users.
The correct analogy would be California’s toxic substance regulations.
They’re vaguely worded and enforcement is applied randomly based on whatever company is getting bad press at the time. So virtually everything sold in California carries a sticker saying essentially that “this product may cause birth defects.”
Even companies selling products that don’t contain any of these chemicals do so, out of fear of the asymmetric power wielded by the state.
Do a majority of train passengers jump the ticket barriers because they are afraid they might get fined billions of euros if they don’t?
The laws necessitating cookie banners came into effect long before GDPR. That would be the 2002 EU ePrivacy Directive. The GDPR (2018) concerns the handling and storing of personal information, the mandatory disclosure of how this is done, and the mandatory right of users to ask what data is being stored and to delete that data. There aren't any cookie banners in native apps. But they still need to comply with GDPR. And you can get into trouble for mishandling privacy sensitive information.
That law has been pretty successful to the point where there have been debates in the US about adopting similar laws.
The common US media company interpretation to declare their websites an abusive UX disaster zone and put their contempt and complete disregard for their main product (users) on full display is entirely on them and their sleazy lawyers trying to find ways where they can still do their sleazy business. This is made worse by incompetent web designers deciding that this is apparently "the way things should be done" without questioning that. Most cookie banners are just the result of their (mis)interpretation of the law, lazy copying of some shitty website they once saw, and the perceived need to provide lots of legal ass coverage for what under GDPR is flat out just not allowed at all.
Worse, the jury is actually still out on whether the highly misleading language, dark patterns, etc. are actually not illegal in themselves. They might very well be. Lots of companies got some really bad advice regarding GDPR. And some EU companies have actually been fined for doing it wrong.
> You can run a perfectly fine website with zero cookie banners if you simply don’t track your users and don’t expose them to third parties that do track them.
I run an extremely simple static website with some JavaScript that lets the user keep track of their state between visits. I have no way to access their cookie, and nothing on the website sends data to me (in fact, can't, since it's a static site running on Cloudflare pages). I never really thought about whether or not I need to add a cookie banner, I just... Didn't.
Please stop repeating this nonsense defense of poorly designed policy.
When everybody is using it wrong, the problem isn’t “everybody.” The problem is your design.
Cookie consent should be a centralized browser based setting and nothing more. And the default should be some middle ground compromise that both the most privacy obsessed people AND businesses are not happy with.
I challenge you to demonstrate the supposed understanding you have that would explain why that website is following "industry’s shitty solution to forcing users to consent with tracking." (and not even each industry website does such stupid full page banners) instead of using non-shitty solutions.
It's a good question, which has a very obvious answer: even government websites are built by clueless people and/or marketers and/or using shitty tech.
Which you can see when you click on "personalise" in the cookie banner.
You can, and I have, and it clearly requires almost any modern website to have a cookie banner. Which shouldn't be too surprising, when you go to gdpr.eu and see the cookie banner at the bottom. It's possible in principle to jump through the crazy hoops required to avoid it, but the only sites I've ever seen do so are national Data Protection Authorities.
Because American websites often don't bother with preemptive GDPR compliance, and DPAs consider first-party cookies of small websites to be a pretty low enforcement priority. My browser shows four persistent cookies, one for news.ycombinator.com and three for .ycombinator.com, that definitely require GDPR consent. In particular note that merely keeping you logged in across browser sessions requires a cookie banner, because that persistence is not strictly essential to the site's functionality; the official GDPR explainer (https://gdpr.eu/cookies/) calls this a "preferences cookie".
Only if you define "almost any modern website" as one that does precisely what the GDPR set out to deal with. If tracking wasn't as widespread we wouldn't have needed the regulation in the first place.
Tracking vs. non-tracking is not a distinction that the EU cookie rules recognize. A privacy respecting first-party analytics cookie, serving no other purpose than to let the website operator count how many distinct users visit a particular page, is still a not-strictly-necessary cookie which your users must provide informed consent for.
> A privacy respecting first-party analytics cookie, serving no other purpose than to let the website operator count how many distinct users visit a particular page, is still a not-strictly-necessary cookie which your users must provide informed consent for.
Obviously you haven’t either, because GDPR says nothing about cookie banners.
Cookie banners are the result of a different piece of legislation, the ePrivacy directive. Have you read that one too?
What about all the latest judicial actions regarding data transfers to 3rd parties that have gone back and forth due to ongoing legal cases? Legislation is totally irrelevant without the context of the latest judicial precedent.
Did you read the entirety of the Schrems decisions and the analysis of what that means for using or offering any technology services? Having read GDPR is irrelevant when one day Google Analytics is okay to use and the next day it's not due to one court case.
What about the latest data transfer agreements between the US and EU that invalidated the use of standard contractual clauses, and the above prior Schrems decisions? You've had years at this point.
Do you think it’s good to insult and assume bad faith from your fellow internet commenters about a topic you actually don't understand yourself?
Oh definitely, the decentralized private market absolutely got together in secret to devise a plan to undermine the beautifully designed EU legislation by using cookie banners.
My flower shop down the street that has a cookie banner on their Wix website is secretly trying to undermine the government.
It couldn't possibly be that the largely unaccountable central planners in the EU's technocratic maze of a government designed a dumb piece of legislation.
Who said anything about secret? They are doing it all in the open.
> My flower shop down the street that has a cookie banner on their Wix website is secretly trying to undermine the government.
Oh, your flower shop only sells you flowers. The 1421 "partners" on their website however are really glad that they tricked clueless people to include their "GDPR-compliant privacy-preserving" solutions.
> It couldn't possibly be that the largely unaccountable central planners in the EU's technocratic maze of a government got something wrong.
GDPR doesn't require huge obnoxious banners.
ePrivacy doesn't require huge obnoxious banners.
Industry: let's create huge obnoxious banners with all sorts of dark patterns to trick people into "consent" through innocent inconspicuous tool vendors like Interactive Advertising Bureau, and blame GDPR for requiring them.
Poor, poor sweet innocent companies. It's GDPR making them collect and keep your precise geolocation for 12 years across thousands of partners who care about your privacy: https://x.com/dmitriid/status/1817122117093056541
Sorry, cookie banners are a direct result of EU legislation, it really is that simple.
While your "evil data broker malicious compliance conspiracy" narrative is a popular one, especially on this website, that doesn't make it true and you've offered zero facts to support it either.
I've dealt directly with multiple companies in regards to this legislation, and know exactly why we made the decisions we did based on the legal advice given in each instance.
But I will not argue further. You want this conspiracy narrative to be true as it plugs into the tapestry of religious narratives that form your identity. Any facts or logic I can offer against this are no match.
However, could you not agree that moving forward, a centralized browser-based setting is the better solution for all parties involved?
> Sorry, cookie banners are a direct result of EU legislation, it really is that simple.
Please write to me the relevant part of the legislation that require a full screen cookie banner that requires you to manually click "no" on each of the 1000+ "partners".
> you've offered zero facts to support it either.
Ah yes, and you've provided a lot of support to your "cookie banners as we see them implemented by literal ad business industry groups are the result of the legislation"
> and know exactly why we made the decisions we did based on the legal advice given in each instance.
Oh, I do, too. The legal counsel is "since you insist on using fifteen different marketing tools each relying on tracking, we have to include these banners developed by the advertising and tracking industry to cover our asses".
> You want this conspiracy narrative
Once again: it's not a conspiracy theory. It's literally done in the open.
> could you not agree that moving forward, a centralized browser-based setting is the better solution for all parties involved?
GDPR has been around for 9 years now.
Somehow, world's largest advertising and user tracking company that incidentally makes the world's most popular browser came up with exactly zero proposals to do that.
In the same time they have come up with at least three to keep tricking people into tracking. The latest one was literally "how to build a more private web? by turning on tracking" https://x.com/dmitriid/status/1664682689591377923 ("no thanks" in those screenshots turns off data sharing and tracking)
But yes do tell me how this blatant open flaunting of user privacy is "conspiracy thinking".
Edit: also please tell me whether "we're creating a user profile on you, collect device identifiers and precise geolocation information, and storing that data for 12 years" is conspiracy thinking and the direct result of GDPR?