This does not work with GDPR compliant sites (the few that exist). I wonder if it would make sense to use something similar to [0] to auto-accept, note in the results that there is a consent gate and then list the trackers in the accepted state?
This is indeed a very positive and smart move. Despite the fact that
- a lot of sites just don't really play along (they'll just show you a nag popup that you have to OK, but they'll plant their tracking cookies before that anyway)
- a lot of sites deliberately make it hard to opt out (this ranges from having to click around in the consent manager to outright sending you to a 20 page PDF that tells you that you can disable cookies in your browser if you want to - this, BTW, is clearly not an acceptable solution according to GDPR), don't show you the content if you don't accept all their tracking cookies (this is also illegal)
- some sites just make it a bit harder than it could be (you can see the very same consent boxes on other sites with a more user friendly 'opt out all' option)
- some sites do 100% OK
But it turns out that 100% OK is still not good enough. This whole thing should really be managed either by the browsers or by an extension and the consent request should come in a standard, machine digestible way (XML, JSON, what not). You could then just set your preferences once, that should work for most sites and every now and then (but less and less frequently) you'd be asked about what to do with unknown cookies on unknown sites.
In short, just because part of the industry is trying to circumvent regulation and because the current implementation is not the most efficient, we should not give up on the whole idea.
Also, it isn't the law that has been terribly implemented, although that could be argued as well, but rather the fault lies with the companies that do not want to abide by the law.
There are a few easy ways to check if a website is breaking the law:
- Is it as easy to say "no" to the consent as it is to say "yes"? If not, it's not legal, as the consent is not freely given.
- Is the website setting tracking cookies, or tracking you in some other way, before you have made your choice about the consent? If it is, it's not legal, as the consent must be opt-in not opt-out.
- Is it confusing? Then it's probably not legal, as the consent must be informed.
- Is there a button to "accept all" with no clear list of what you're accepting? Then it's not legal, as the consent must be specific and unambiguous.
At my company’s site[1] we have a non-intrusive banner at the bottom which lets you agree or disagree to tracking cookies, or just ignore it and browse the site.
You don’t get served any tracking cookies until you agree.
This fulfills the explicit consent requirement of GDPR as well as the requirement for people to be able to use your site even if they don’t accept cookies.
We get much less analytics than we used to - many people just ignore the cookies bar, either knowingly or just because they don’t notice it. But it’s totally worth it.
I hope the EU starts fining non-compliant (i.e. 99% of) sites aggressively, specifically those that pretend to care about your privacy, but don’t really (“Agree” button only).
The irony is, popups to accept cookies are not GDPR compliant, unless there's an opt-out option. You cannot force tracking on someone as a condition of loading your website.
(you can, of course, serve generic ads instead, if they opt out, or serve generic ads by default and not show a popup at all)
I want to be able to opt out of tracking. GDPR has improved my life.
Websites that want to make it easy for me give me a “reject all cookies” button. It is not the fault of GDPR that most websites want to trick you into just clicking “accept all.”
I use EasyList Annoyances with my adblocker, it hides all cookies/GDPR popups. If the website respects GDPR and waits for my click on the "Accept" button, I'll never see it and tracking shouldn't be enabled (many websites still don't respect that basic concept nonetheless)
No, I just block cookies from ALL sites except the few that I need to log into. GDPR is mostly irrelevant to me for that reason.
The unfortunate result is that the goddamn GDPR warnings keep popping up, because ironically, the way those websites remember that you either "accepted" or "denied" the tracking request is to leave a cookie, and I don't allow or want to allow that cookie.
EDIT: Separately, there are many websites that only have an "accept" button and no "decline" button. By blocking the modal dialog boxes, I never actually "accepted", and therefore they never got my permission to track. Ha!
On a side note, I noticed a rare tracking consent banner. You may want to update it to track users and respect GDPR correctly. It should be possible to refuse as easily as accepting to be tracked, with the same button size and colour, for example. The tracking should start after consent is given. Also, GDPR isn’t so much about accepting cookies but giving consent to be tracked. So many websites get it wrong, and the likelihood that you will have issues is very close to zero, but since it looks like you implemented your banner yourself, you may be interested.
False, the EU website has an ugly cookie bar with a button called "I accept" that everyone has been trained to click yes on.
"That "Analytics Advertising Feature" MUST be unchecked by default. Only users that actually want to be tracked are tracked."
False, users can be presented with an accept / reject button on a standard cookie bar, clicking accept can opt them into tracking - please LOOK at the EU website example I provided.
"Every "tracking feature" (cookies, fingerprinting, IP tracking, whatever) must be hard opt-in."
This can be done through an accept button on a website that users have been trained to click yes on. My earlier suggestion that folks do a study on how many users navigate into these policies for every website they visit to make fine grained selections if such options are even available stands as well.
"If a website only uses functional cookies (colours, session, login, cart, language) they don't need consent, just disclosure (and it doesn't have to be an ugly cookie bar)."
I gave you an example of an ugly cookie bar on an EU website subject to GDPR - I can find many more.
This is the problem with these folks messing the net up. Everyone should do this / shouldn't do that, but no attention to what is actually happening.
I want to be clear, billions of pages are showing I accept buttons, some without reject buttons if they are disclosure only, some with reject buttons that kick you off the site, and some with reject buttons that opt you out of tracking, and users are being / have been trained by the EU alert notices / disclosure only notices (which generally DO have an I accept button) etc to waste their time clicking I accept everywhere.
This is bad for actual user choice, actual privacy.
That conforms to the earlier EU cookie directive, but not to the GDPR. Under the GDPR, consent must be freely and explicitly given, and must be as easy to revoke as it is to give. Clicking a link or scrolling down is not explicit. Since use of the site is conditional on accepting the tracking, the consent isn't freely given. Since there is no button to reject the cookies, it is harder to reject the tracking than it is to accept.
Failing all three conditions for acquiring consent, my conclusion is that the site is blatantly violating the GDPR.
This is a GDPR consent prompt and the GDPR covers more than just cookies. It covers all forms of tracking (including those that don't depend on cookies) and even includes things like how manual user input (such as search history or the details you provide when you register for an account) is processed.
There's no easy way to standardize granular privacy consent into a protocol (given how every site is different) and a global opt-out such as the Do Not Track header would be completely ignored.
That "Analytics Advertising Feature" MUST be unchecked by default. Only users that actually want to be tracked are tracked.
Every "tracking feature" (cookies, fingerprinting, IP tracking, whatever) must be hard opt-in, and the website has to provide an option for the user to opt-out if they change their mind.
If a website only uses functional cookies (colours, session, login, cart, language) they don't need consent, just disclosure (and it doesn't have to be an ugly cookie bar).
The concept of tracking as per the GDPR goes beyond cookies though. It includes any kind of personal data collection, and personal data refers to anything that can uniquely identify a person with reasonable certainty.
So cookies aren't the only thing that requires consent - things like browser fingerprinting and even collecting IP addresses for non-essential purposes (aka you can probably claim legitimate interest if you collect them for technical or fraud prevention reasons, but using that data for analytics or marketing would require consent).
This is also why I think clicking "accept all" on the cookie prompts with cookies disabled at the browser level isn't a good idea. You're still giving them permission to stalk you using other means than cookies, and they very well know that. At least use an ad-blocker which blocks the consent prompts completely - technically you never provided permission, so while they might still stalk you at least they don't have a legal basis for doing so.
The GDPR is less about the technical aspect of data collection and more about the intent behind said collection and the planned use for the collected data, something the browser can't really tell.
In the EU, web sites must obtain permission before tracking users. This leads to very annoying cookie consent popups. Is anybody else here frustrated by them?
I'm semi-seriously considering launching an EU citizens' initiative to fix this. Here's how it can work: The EU directive responsible for the cookie popups is (afaict) 2009/136/EC, par. (66). It says cookie acceptance can be a browser setting but does not give details. The EU initiative could extend this to say web operators must respect the "Do Not Track" header.
Do Not Track is a special header that browsers can send to say "I don't want to be tracked" or "I agree to being tracked". It already exists in some browsers - but hardly any web site honors it. If the EU directive would mention that DNT must be honored, then web sites would have no further need to display their consent popups when the header is set.
My problem is that such an initiative would likely require a huge time investment. It needs 1M signatures. That would likely be very hard work.
If the response here is overwhelmingly positive, I might be more inclined to throw myself at this problem. Please upvote or comment if you think this might be worthwhile.
GDPR does not specify what technology to use to acquire consent [1], as long as the user consents. Trackers could honor the DNT header if they wanted to, and show the banner as a fallback for browsers not sending the header.
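The header-first, banner-as-fallback flow discussed in the comments above, sketched as an added example that is not part of any comment or of any site's real code. The `consent` cookie name and its `granted`/`denied` values, the `purpose` labels, and the choice to let a stored per-site answer take precedence over the browser-wide DNT signal are assumptions made for illustration.

```javascript
// Added example: server-side decision on whether tracking may run for a request.
// Hypothetical names: the `consent` cookie and the `purpose` field on cookie records.

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function trackingDecision(headers) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const consent = parseCookies(h["cookie"]).consent;

  // Assumption: an explicit choice made on this site wins over the DNT signal.
  if (consent === "granted") return { track: true, showBanner: false, reason: "site-consent" };
  if (consent === "denied") return { track: false, showBanner: false, reason: "site-refusal" };

  // DNT: 1 = do not track, DNT: 0 = user agrees to tracking.
  if (h["dnt"] === "1") return { track: false, showBanner: false, reason: "dnt-opt-out" };
  if (h["dnt"] === "0") return { track: true, showBanner: false, reason: "dnt-consent" };

  // No signal at all: ask, and stay in the non-tracking state until answered.
  return { track: false, showBanner: true, reason: "no-signal" };
}

// Functional cookies are always allowed; tracking cookies only after an opt-in.
function allowedCookies(decision, cookies) {
  return cookies.filter((c) => c.purpose === "functional" || decision.track);
}

// Constructed sample input, not taken from any real site.
const sampleCookies = [
  { name: "session", purpose: "functional" },
  { name: "analytics_id", purpose: "tracking" },
];
const firstVisit = trackingDecision({ "User-Agent": "example" });
console.log(firstVisit.reason, allowedCookies(firstVisit, sampleCookies).map((c) => c.name));
```

The default branch is the one that matters for the opt-in requirement: an ignored or blocked banner leaves the visitor in the same state as a refusal.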
Except that refusing to serve people who reject cookies is explicitly not allowed by the GDPR. You cannot make tracking a requirement for using your site.
[0]: https://www.i-dont-care-about-cookies.eu/