You don’t, that’s the point of the law. As in, the old “EU cookie law” focused on you knowing the terms, but that proved ineffectual where every website operator said “accept or GTFO” (you’d think that would end up an unstable equilibrium, but it didn’t).
Thus the “new” GDPR is predicated on the idea that consent given under “... or GTFO” terms is invalid, given the imbalance in negotiating power, and said consent (where required) had to be voluntary by that definition. The result is cigarette-labelling-level malicious compliance on part of website operators (and compliance-in-a-box vendors they use).
Many of the things you see, such as requiring you to turn off every single “purpose” or “partner”, are manifestly illegal (or rather, don’t legally constitute voluntary consent, so showing them is legal but tracking you afterwards isn’t), but enforcement has been lackluster so far. We’ll see where we end up I guess. (I genuinely don’t know how I want this to go.)
That conforms to the earlier EU cookie directive, but not to the GDPR. Under the GDPR, consent must be freely and explicitly given, and must be as easy to revoke as it is to give. Clicking a link or scrolling down is not explicit. Since use of the site is conditional on accepting the tracking, the consent isn't freely given. Since there is no button to reject the cookies, it is harder to reject the tracking than it is to accept.
Failing all three conditions for acquiring consent, my conclusion is that the site is blatantly violating the GDPR.
Oh but that behaviour is actually pretty clearly not compliant with the EU cookie law. It just hasn't been enforced (which isn't great).
They're not allowed to make it harder to withdraw consent than to give it.
I've also found, on the few times I humoured their "consent" system, that each of these "tracking providers" (?) needed to make a request to a different domain to withdraw consent, and some of them simply wouldn't load.
Cookies required for providing the service of the website don't require a consent notification (for example, if a website has a user management system). Search for the word "exempt": http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm
Every site seems to just add the pop-up to be on the safe side and/or have extra tracking scripts on their website.
Cookie consent is not compliant with GDPR - I need an ability to retract my consent as easily as I gave it, which zero of those sites actually provide.
If the EU ever actually starts enforcing GDPR, I expect a quick reckoning.
The website is funny. They call themselves a "transparency platform" and they even got a .eu domain. Yet their cookie consent popup is so not GDPR-conformant, because it only has an "accept" button and no reject button at all.
Fortunately trusty ol' element zapper gets rid of this and one can still look at the actual content one came for.
Cookie banners aren't required per se, and when the website wishes to do tracking that would require consent under the GDPR, the regulation mandates that the consent prompt should be clear, opt-in (aka pre-ticked checkboxes aren't allowed) and that accepting should be as easy as declining (so if opting in takes one click, so should opt-out).
The problem is that the GDPR is not being enforced seriously so these breaches of the regulation aren't being cleaned up. I'm not sure if it's malice or outright stupidity and the companies legitimately believe they are compliant (there is tons of bad and incorrect advice out there).
If you want things to change and you're in Europe, you should start by questioning the incompetence of your local data protection agency as they are the ones that have the power to investigate breaches & impose fines. In the UK, the Open Rights Group is raising money to sue our data protection agency for its incompetence/unwillingness to enforce the regulation, so maybe it's worth checking out: https://action.openrightsgroup.org/help-us-protect-your-data... (no affiliation)
False, the EU website has an ugly cookie bar with a button called "I accept" that everyone has been trained to click yes on.
"That "Analytics Advertising Feature" MUST be unchecked by default. Only users that actually want to be tracked are tracked."
False, users can be presented with an accept / reject button on a standard cookie bar, clicking accept can opt them into tracking - please LOOK at the EU website example I provided.
"Every "tracking feature" (cookies, fingerprinting, IP tracking, whatever) must be hard opt-in."
This can be done through an accept button on a website that users have been trained to click yes on. My earlier suggestion that folks do a study on how many users navigate into these policies for every website they visit to make fine grained selections, if such options are even available, stands as well.
"If a website only use functional cookies (colours, session, login, cart, language) they don't need consent, just disclosure (and it doesn't have to be an ugly cookie bar)."
I gave you an example of an ugly cookie bar on an EU website subject to GDPR - I can find many more.
This is the problem with these folks messing the net up. Everyone should do this / shouldn't do that, but no attention to what is actually happening.
I want to be clear, billions of pages are showing I accept buttons, some without reject buttons if they are disclosure only, some with reject buttons that kick you off the site, and some with reject buttons that opt you out of tracking, and users are being / have been trained by the EU alert notices / disclosure only notices (which generally DO have an I accept button) etc to waste their time clicking I accept everywhere.
This is bad for actual user choice, actual privacy.
Many on HN are ranting about how something like this is illegal or that the GDPR is easy. The answer is that the GDPR is NOT easy. That some would say that setting tracking cookies on landing without consent is not legal, others that it is, and the EU is all over on enforcement.
If you browse an EU website, they track you without any explicit consent.
I prefer this approach personally, all their websites used to have a modal pop-up, you could not move forward until you consented. Between phone, desktop etc etc, SO annoying. I'm sure it turned a lot of folks off GDPR, so they cheat with this to try and avoid annoying people (as many others do).
If a website fails to work if you don't click through the cookie banner, it's probably illegal in the EU. They cannot collect the covered data until you consent, but they also can't stop the website working if you don't. And if you didn't actively click the button, you can't have consented, and you definitely didn't consent if you deliberately hid the button.
And GDPR largely superseded cookie consent IMO. As in: you don't even have to ask consent if the cookies are strictly necessary: https://gdpr.eu/cookies/
Also worth remembering sites that simply dump their third party cookies before the prompt even loads up! Often someone doesn't understand how their cookie prompt script works, or simply doesn't care and assumes if people see the prompt they'll assume it's legal!
Textbook illegal, but major high-street global brand names do this, and there's no easy way to make them stop - regulators just can't move quickly enough or show enough teeth. We would need thousands of convictions per day to even scratch the surface - I'd estimate at least 9 in 10 sites I visit break the law in one way or another around their cookies and consent prompt.
Perhaps we need a way to commercialise and earn revenue from identifying the sites breaking the laws as you describe? The law demands "opt in" for Europe, yet everyone tries to skirt this and use dark patterns like forgetting the cookie settings of anyone who dares not accept everything. Many of these dark pattern techniques are actually illegal.
If you could commercialise each of these findings, we would have everyone compliant in a matter of weeks. SEC style whistleblower model (albeit on a smaller scale)?
When I load a website I have no idea what third-party assets are being loaded in or from where, and have no meaningful information ahead of time to know what I'm actually consenting to by typing "example.com" into the URL bar. Obviously, my IP will be sent to example.com, and I've arguably consented to that, but not to all the other third-party stuff that example.com might have loaded the page up with.
(This is also the argument around cookie consent: yes, the browser chooses to accept the cookie. Users don't really get an opportunity to refuse them, though. So "the browser accepted the cookies" is not sufficient consent, as far as the EU is concerned.)
There's no implicit consent, technically required cookies have a different basis for processing. And, yes, I'm aware of that, my point is that people who create websites choose to force the consent box in front of you, there's nothing in the GDPR that mandates that. It could be a link at the bottom, some header...
Also, it isn't the law that has been terribly implemented, although that could be argued as well, but rather the fault lies with the companies that do not want to abide by the law.
There are a few easy ways to check if a website is breaking the law:
- Is it as easy to say "no" to the consent as it is to say "yes"? If not, it's not legal, as the consent is not freely given.
- Is the website setting tracking cookies, or tracking you in some other way, before you have made your choice about the consent? If it is, it's not legal, as the consent must be opt-in not opt-out.
- Is it confusing? Then it's probably not legal, as the consent must be informed.
- Is there a button to "accept all" with no clear list of what you're accepting? Then it's not legal, as the consent must be specific and unambiguous.
It's not rocket science, anyone can read it up for example here https://gdpr-info.eu/issues/consent/
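As an added example (not code from any commenter or from any consent vendor), here is a small consent gate that encodes the conditions this checklist and the earlier "clear, opt-in, as easy to decline as to accept" comment describe: every purpose defaults to off, nothing loads before an explicit decision, reject and withdraw are single actions like accept. The purpose names and the injected `loadScript` callback are assumptions so the logic runs without a browser DOM.

```javascript
// Added example: a consent gate with the properties the thread lists.
// Purposes are hypothetical; loadScript is supplied by the page and is the
// only path by which a tracking script gets loaded.
const PURPOSES = ["analytics", "advertising", "personalisation"];

class ConsentGate {
  constructor(loadScript) {
    this.loadScript = loadScript; // called with a purpose, only after opt-in
    this.decided = false;         // silence, scrolling or navigation never flips this
    // Opt-in means every purpose starts unchecked; nothing is pre-ticked.
    this.granted = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    this.loaded = new Set();
  }

  // True only if the user made an explicit choice that includes this purpose.
  mayTrack(purpose) {
    return this.decided && this.granted[purpose] === true;
  }

  // Equal effort: accepting, rejecting and limiting consent are each one action.
  acceptAll() { this.apply(PURPOSES); }
  rejectAll() { this.apply([]); }
  acceptOnly(purposes) { this.apply(purposes); }

  // Withdrawal is exactly as easy as rejection. The gate stops any further
  // loading; clearing cookies already written by loaded scripts is the
  // page's job (the gate cannot "unload" a script).
  withdraw() { this.rejectAll(); }

  apply(accepted) {
    this.decided = true;
    for (const p of PURPOSES) {
      this.granted[p] = accepted.includes(p);
      if (this.granted[p] && !this.loaded.has(p)) {
        this.loaded.add(p);
        this.loadScript(p);
      }
    }
  }

  // What would be persisted: the specific, per-purpose decision, or nothing.
  record() {
    return this.decided ? { ...this.granted } : null;
  }
}
```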