
But it's in their "legitimate interest"
Google and Facebook have come a little unstuck in the cookie department as French watchdog Commission Nationale de l'Informatique et des Libertés (CNIL) slapped the pair with a €150m and €60m fine respectively. The CNIL kicked off its investigations after receiving complaints regarding the way cookies can be refused on …
No, it's because there are multiple valid reasons a company may process your data whether you like it or not.
For example, they may have a legal obligation to issue you a refund long after you've closed your account. To do that they need to track you down and assure that they've found the right person, something that requires private data about you.
Patent? They sent me a hen party wedding veil instead of the memory stick I ordered. When I called and pointed this out they said keep the veil and we’ll send out the correct item asap. To be fair they did and I donated the veil to a local charity shop who were bemused that I had it.
Well, at risk of yet further downvoting from people that choose not to understand the law, consider marketing purposes.
It's reasonable and appropriate for websites to market goods and services to you, and to seek to tailor that marketing to meet their understanding of your needs. They have a legitimate interest in processing your personal data to do this, and using a cookie to support that activity should be legal.
Don't ask me, ask the ICO: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/#marketing_activities
But look, I didn't write the law, I don't enforce it, I don't grant permission for any marketing or tracking cookies and I block them using browser plug-ins. If you really don't like a site's claim of Legitimate Interest go write to the ICO about it.
Come to think about it, 'legitimate interest' has no business being mixed with cookie consent: the EU 'cookie law'* requires consent for storing cookies on user devices, there is no alternative to consent such as legitimate interest or other GDPR Article 6(1) lawful basis.
* ePrivacy Directive (2002/58/EC) amended by Directive 2009/136 with the CJEU Planet 49 (C-673/17) decision (with the latter bringing in GDPR consent; as such the ePrivacy Directive predates and is distinct from the GDPR)
There seems to be some confusion as to what that means.
To illustrate with an example: you have a raffle and each one of us can only register once, in the interests of fairness to all other concerned. Within that context, a company keeping track of who has registered in order to detect duplicates would most likely be considered a valid legitimate interest, whereas the same company using the data to send advertising to you would not. They could separately ask for consent for that, providing clear information, etc., but it's not legitimate interest.
I personally tend to allow sites to store information, select functional and reject anything else (unless forced to click more than a few; anything with legitimate interest options gets the reject all button clicked, then the site closed).
I am wasting years of my life with this crap
Browser makers really need to offer an option "save cookies for this site, but scrap them when the tab is closed" along with a list of the cookies with any potentially useful ones (e.g. login token, basket contents) being filtered to the top of the list to be manually excluded.
Upvote for this. I use this and it lets you autodelete cookies after you close the last tab for a given web site. I have about a dozen sites whitelisted (including the Register) where I allow them to persist until I close the browser, which happens about once every month or two when I reboot for some reason.
The net result is that I can blithely click "accept all" to get rid of the stupid annoying dialog on a one-off site I'm visiting, and the cookie monsters get nothing since all the cookies go away a few seconds/minutes later when I close that tab!
While I generally allow some sites, it is somewhat ironic (not the Alanis Morissette version) that El Reg is running this headline while also being "guilty" of the practice. Accept all El Reg cookies - 1 click. Customise El Reg cookie settings - 2 clicks (assuming "Tailored advertising" and "analytics" are default unticked in this dialog).
Wish someone would do something sensible about Javascript, too, but it would no doubt be abused by all and sundry so perhaps should keep quiet about this and deal with the pain of working out which domain is needed for a website to actually function (in particular 3rd party payment processors)
Firefox containers go even further: they let you keep cookies separate for different tabs on the same site, as well as throwing them away when you close the tab. I have a very, very short list (it has no more than 3 or 4 sites on it) where I allow their tabs to share or retain cookies. The list does include ElReg, of course!
Yes, using Firefox 78.0.14esr on Debian Bookworm - other versions may be different.
I use two extensions: Firefox Multi-Account Containers and Temporary Containers. I can't remember exactly how they divide up the tasks, but between them they let you specify that tabs should by default open in their own container but you can assign a shared container to all the tabs for a particular site if you wish.
For example, I have a container for ElReg, one for Amazon and one for Programming (which includes GitHub and a few FOSS sites). Everything else opens in per-tab temporary containers. And you can tell a tab to reopen in a different container if you want (which I use occasionally to login to a site using a GitHub account, for example - others might do the same with a Facebook account or something).
Chrome on Chromebook has exactly that - by default - no third party extensions required... I assumed all Chrome instances do, but I only use Chrome on the Chromebook, so maybe not.
theregister is one of only 4 sites I have whitelisted.
It does however mean you're constantly getting those "please accept our cookies" popups on just about every site
I see quite a few sites that don't have a reject all button, have a few basic on/off buttons and then, hidden away in the 'our partners' section, dozens of legitimate interest buttons.
I just reject the entire site as it is obvious they have less interest in doing business with me than taking and selling/sharing my data.
These sites have a standard format that somebody has sold them, so now the moment that box appears, I go elsewhere.
National geographic....
Fucking ludicrous, 46 trackers alone ....
Heart FM (rubbish radio station).... can't remember why I went there ... gave up ... 52 cookies, didn't stick around to check illegitimate "interest"
We care about your privacy and security
Then stop fucking tracking, monitoring and slurping
as much of my usage as possible....
Now that the mood board, kinwah fart sniffing brigade are all earth friendly, would love to know what all this extra compute does in terms of energy consumption?? Since bitcoin gets a rap why not cookies and tracking and over use of JavaScript
I am wasting years of my life with this crap
Countless years of human effort are lost to this crap. I accept all cookies. My only browser extension is "I don't care about cookies" which at least stops some of the crap. As I've said before I wish there was a browser setting I could set to take me back to those happy and productive days when I didn't need to choose cookies to accept or agree to privacy policies before being able to do anything productive.
I also use the "I Don't Care About Cookies" add-on to ignore/auto accept cookie requests, but I use it in conjunction with the "Cookie AutoDelete" one. So, while I may accept all cookies, they are purged after I quit the site. Maybe they still keep some identifying data on their side or some persistent stuff on mine, but, with the help of NoScript and uBlock Origin I feel I have my back pretty well covered. Am I missing something?
"People trust us to respect their right to privacy and keep them safe...."
They what?!
I rather think that most people either A) don't realise how much G invades their privacy or B) regard them as a necessary evil to get stuff done on the great wide interwibble.
When countries start issuing the multi-billion fines that Facebook deserve for their advertising practices, then we'll talk. There is no rule that they won't break, no invasion of privacy they won't make, if someone has paid them to force an advert on you. They'll show you adverts for things that are forbidden by their own rules - and in some cases, international law - from companies that you have blocked. They'll even cancel your decision to block a company, literally unflagging a setting and acting like you never set it.
I don't think fines are the right solution. Mainly because they can just become cost of sales and probably expensed.
A simpler solution should be to just adopt the same tech utilised to monitor other home invaders. So fit all C-level execs involved in privacy invasion with ankle tags. Then for every type of data slurped, publish that under each execs corporate bio page. Add say, 10yrs in jail for any attempt to avoid publication of their 'private' information.
It may just be a way to administer a clue-bat, although may require building a few more prisons.
Rofl
Why don't they just ask nicely* instead of imposing ludicrous, unlawful fake penalties that will never be paid and are completely unenforceable?
[*If the ICO asks nicely, you still have to comply.]
Oh yes, because it's just political grandstanding.
I agree that wrist-slaps are deserved by companies who make it too hard to opt out, but this is silly.
"...ludicrous, unlawful fake penalties..."
Unlawful? Who says?
It's the French imposing this fine for activities conducted on French soil so unless the US and France have a secret treaty which says that US companies only answer to US law whenever they conduct business in France then the fines are lawful.
As for ludicrous, well if Google wants to play on French turf then they must accept French rules, and if they don't they either pay up or leave.
I have no idea if you are a US citizen but a world exists outside the US with their own laws and sovereignty.
We French have a saying: «nul n'est censé ignorer la loi» ("no one is deemed to be ignorant of the law").
That particularly applies to companies who literally spend millions paying lawyers.
The CNIL even conveniently published a how-to describing the rules, with pictures, that many websites with much less income than Google managed to understand :
https://www.cnil.fr/fr/cookies-et-traceurs-comment-mettre-mon-site-web-en-conformite
So arguing that Google is still too new at the World Wide Web thingy, had no idea they could search the internet to find that information and needed somebody to come hold their hand to guide them, that's unlikely to work.
The saying is very nice and all, but the unfortunate truth is that the law is often unclear, and you sometimes don't know what it means until a judge says so. The French civil law system is slightly more clear on that point than the Anglosphere common law, which is worse because it explicitly puts court rulings above written statutes. When it sometimes takes years for courts to reach a final decision, it's a bit taking the piss to claim that "everybody should know the law".
Well, you're certainly no lawyer.
For the vast majority of laws (at least in common law countries), ignorance of the law (and therefore lack of guilty mind) is most certainly a very valid defense. And that's true to the extent that it's the default, and when a governing body intends otherwise, intends to create what's known as strict liability, that MUST be explicitly written into the law.
For the vast majority of laws, no criminal intent == no crime.
I presume you're talking about mens rea, in which case you've massively missed the mark.
Criminal intent has nothing whatsoever to do with knowing or understanding the law.
If you run out of a shop with a bottle of wine without paying you may (should you be believed) have a lack of intent defense if you forgot the bottle was on your person (and you intended to pay for it).
You absolutely would not have a defense if you weren't aware it was a crime.
There are quite a number of sites with a boilerplate list of dozens of trackers and scum, with an easy to use button to disallow cookies except the many marked as "Legitimate interest" that need to be selected one by one by one.
It's horseshit anyway as this boilerplate rubbish always lists the same sites over and over. Forget one, and I'm pretty sure they'll accept that as given consent over and above the many times you've said get lost.
But, yes. Accept all needs a corresponding Reject all.
Lots of sites seem to use OneTrust to present their cookie validation dialogue. And the arms-long list of partners and vendors you mention is probably the list from IAB (some advertising conglomerate). That's like three hundred or so "partners" all claiming legitimate interest and you often have to go unselect them individually. Someone should just slap down OneTrust for not following the symmetrical UX rule.
My experience is that a large number of German and Scandinavian sites have either a "reject all" or "only necessary" button. UK and Iberian sites you often have to switch off by category, and with US sites you consider if it really is that interesting.
Similarly, I often find settings mostly off in the first group and everything on in the latter.
Why?
I have a 'do not track' toggle set in my browser. Its status is provided in my HTTP headers. If sites read and acted on that, my cookie preferences would be known to them with zero clicks.
Give 'do not track' legal force, backed by the right to make financial claims for breaching it. Let's see Facebook survive 800 million individual lawsuits.
"All websites (including this one) should have a one-click policy to allow or reject cookies. Period."
Nah. Every website should not use cookies at all. Period.
There is no valid reason to have these. But plenty of evil ones.
As well as making the interwebs a much nicer place, getting rid of cookies would seriously piss off advertisers, marketroids, influencers (whatever they are) and the other unpleasant life-forms who are all destined for the B ark. Which is a bonus.
But persistent ones, I'm happy to kill.
Also, if your site only uses session cookies for the basic actual use of a website after login, and no others, then you don't need a cookie accept banner as there isn't really anything.
Unfortunately, it's now the fashion to install as many ad brokers and marketers on your website as possible, load JS from 90 external domains and a couple of meg of leery code (yes, Daily Mail, you were the worst offender the last time I looked).
Also, if you want to do stats, you do have server logs, and you can anonymise those by stripping the 4th byte of the dotted quad... but for a lot of companies who don't have any IT knowledge, it's easier to shove a "service as a service" from some 3rd party on there and manage your site from there rather than rolling your own.
You do call out a good point that's often lost in the noise. The regulation does not require the cookie consent banner if you use any cookies, only if you use cookies which could be viewed as tracking and/or storing personally identifiable information. Simple session cookies or retaining your cookie preferences are perfectly fine and don't need a pop-up.
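The log anonymisation the comment above describes (drop the fourth octet of the client address, then run your stats over what is left), written out as an added example that is not from the thread or from any site mentioned in it. The log lines are constructed in the "combined" format Apache and nginx emit; the IPv6 handling (keeping a /48) goes beyond the comment, which only talks about dotted quads, and is an assumed policy rather than anything the page prescribes.

```python
import ipaddress
import re

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.57 - - [10/Jan/2022:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2022:10:12:03 +0000] "GET /style.css HTTP/1.1" 200 812 "https://example.org/" "Mozilla/5.0"
203.0.113.201 - - [10/Jan/2022:10:12:04 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Jan/2022:10:12:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "curl/7.81"
not-an-ip - - [10/Jan/2022:10:12:07 +0000] "GET /x HTTP/1.1" 400 0 "-" "-"
"""

IPV4_PREFIX = 24   # keep the first three octets, zero the fourth (the commenter's suggestion)
IPV6_PREFIX = 48   # assumed policy for IPv6: keep the routing prefix, drop the host part

# The client address is the first whitespace-delimited field of a combined-format line.
LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest> .*)$")


def anonymise_ip(raw: str) -> str:
    """Mask the host bits of an IPv4 (/24) or IPv6 (/48) address.

    Anything that does not parse as an address (a malformed line, a literal
    hostname) is returned unchanged so the caller can see it rather than
    silently losing the line.
    """
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return raw
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymise_line(line: str) -> str:
    """Rewrite only the leading client-address field; the rest of the line is kept verbatim."""
    m = LINE_RE.match(line)
    if not m:
        return line
    return anonymise_ip(m.group("ip")) + m.group("rest")


def anonymise_log(text: str) -> list[str]:
    """Anonymise every line of a log file held in memory."""
    return [anonymise_line(ln) for ln in text.splitlines()]


def count_by_network(lines: list[str]) -> dict[str, int]:
    """Request count per masked network: the kind of stat the comment says you can still do."""
    counts: dict[str, int] = {}
    for ln in lines:
        m = LINE_RE.match(ln)
        key = m.group("ip") if m else "?"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    masked = anonymise_log(SAMPLE_LOG)
    print("\n".join(masked))
    print(count_by_network(masked))
```

Two caveats worth keeping in mind when relying on this: a /24 still identifies a small office or a single household on some ISPs, so it reduces rather than removes the identifying power of the address, and the referer and user-agent fields are left untouched here even though together they can be nearly as identifying as the address was. Masking at ingestion (the web server writing the masked address directly) is preferable to masking a file that has already been written to disk.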
Of course, many companies are acting very passive aggressive about this and making the experience worse for the users, presumably in order to "show them how bad these laws are".
I would say that 90% of the cookie opt-in procedures make it much easier to opt-in than opt out. There should be three options on the dialog:
1. Opt-out - (May provide a warning that things might not work properly)
2. Opt-in Fully (Should indicate what you are getting yourself into)
3. Opt-in to cookies used for distinct reasons - this should provide a method of selecting cookies used for website operation, marketing cookies, performance measurement cookies, ...
Anything other than this is an attempt to get consent for marketing cookies.
that only FB and Google are fined.
Because, every single french newspaper site is exactly like FB and Google, as far as cookies go. Plus thousands of other french sites, of course.
But probably it's better seen, politically, to fine FB and Google, rather than Le Parisien, Mediapart, Le Monde etc ...
Downvote.
The paper I read - ouest-france.fr - pops up the usual cookie nonsense with Accept and Customise options, and below that in smaller text is "Continue without accepting".
Just looked at lemonde.fr and they offer the exact same choices, including the continue without accepting (at the top this time).
So that's the first two French papers I've looked at (and the only two I can remember the names of) that are not at all like Facebook and Google. Oh, and if you go to customise the cookies (on either site, just tried it) all the additional non-essential crap is off by default.
A site has to store the fact that you've said 'no' to cookies, which it does by ... storing a cookie.
Sites should have a standard query string which specifies the user's choice without using cookie storage. This would avoid those of us who delete cookies on browser exit having to go through the preference rigmarole _every single time_.
Quite, as long as this is framed as opt-out instead of opt-in; with opt-in the cookie would be needed to store the fact that the user has in fact opted in (including to storing the opt-in cookie itself). Opt-in, of course, is the proper, GDPR way of doing things. Besides, most anything really necessary can be done with session cookies which don't fall under the EU 'cookie law' / ePrivacy Directive as they are by definition not stored on user devices (this, of course, hangs on the exact meaning of 'store' in this context; given that the legislator's intent here is protecting privacy by preventing tracking allowing session cookies without consent seems reasonable as they aren't much good for tracking).
The 'cookie law' is actually EU Directive 2009/136, an amendment to the ePrivacy Directive (2002/58/EC) so it dates back to 2009. However, at the time it was - unfortunately - left open what exactly consent for storing cookies on a user device means and so the likes of Google and Facebook came up with the aggressive interpretation that things like 'consent' banners with only an ok-button would do.
Eventually (1 October 2019) there was the CJEU Planet 49 (C-673/17) decision though: GDPR consent rules apply to cookie consent. So it seems it took about two years from that to a decision by the CNIL. This doesn't seem too bad given that Google and Facebook have likely worked hard to delay it; now, of course, they will appeal and will no doubt work even harder to drag that on as long as possible.
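The distinction the comment above draws between a session cookie (nothing stored on the device beyond the browser session) and a persistent one (an `Expires` or `Max-Age` attribute, which is also what a site needs to remember that you opted out) can be checked mechanically from the `Set-Cookie` headers a site sends before you have clicked anything. The following is an added example, not code from the thread or from any site or vendor it mentions; the headers are constructed, the reference time is fixed so the result is deterministic, and the RFC 6265 rule that `Max-Age` wins over `Expires` is applied as written.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed example headers, as a site might send them before any consent is given.
SAMPLE_HEADERS = [
    "sessionid=9f3c1a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cookie_consent=rejected; Max-Age=15552000; Path=/; Secure; SameSite=Lax",
    "_tracker=GA1.2.123.456; Expires=Wed, 10 Jan 2024 10:00:00 GMT; Path=/; Domain=.example.org",
    "old_id=; Max-Age=0; Path=/",
]

# Fixed reference time (assumed) so Expires-based lifetimes come out the same on every run.
NOW = datetime(2022, 1, 10, 10, 0, tzinfo=timezone.utc)


@dataclass
class CookieInfo:
    name: str
    lifetime_seconds: Optional[int]   # None for a session cookie
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header: str, now: datetime = NOW) -> CookieInfo:
    """Parse one Set-Cookie header value into the attributes that matter for this check."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    secure = httponly = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass            # non-numeric Max-Age is ignored, as browsers do
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass            # unparsable date: treat as absent
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val.lower() or None
    # RFC 6265 section 5.3: Max-Age takes precedence over Expires; neither means session cookie.
    if max_age is not None:
        lifetime: Optional[int] = max_age
    elif expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    else:
        lifetime = None
    return CookieInfo(name, lifetime, secure, httponly, samesite)


def classify(info: CookieInfo) -> str:
    """'session' (not written to disk), 'deletion' (already expired, i.e. a removal), or 'persistent'."""
    if info.lifetime_seconds is None:
        return "session"
    if info.lifetime_seconds <= 0:
        return "deletion"
    return "persistent"


def audit(headers: list[str], now: datetime = NOW) -> list[tuple[str, str, Optional[int]]]:
    """Return (name, verdict, lifetime_seconds) for each header, in order."""
    out = []
    for h in headers:
        info = parse_set_cookie(h, now)
        out.append((info.name, classify(info), info.lifetime_seconds))
    return out


if __name__ == "__main__":
    for name, verdict, life in audit(SAMPLE_HEADERS):
        print(f"{name:16s} {verdict:10s} {'' if life is None else f'{life // 86400} days'}")
```

Run against a real response (for example the headers captured from a first, consent-free request in the browser's network panel) the output separates the cookies the comment calls harmless (`sessionid`, no lifetime) from the one that records an opt-out (`cookie_consent`, 180 days) and from a long-lived tracking identifier (`_tracker`, two years, scoped to the parent domain). It does not tell you whether a persistent cookie is used for tracking; that still needs a look at who reads it.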
I think that the Internet would be a lot nicer if we banned all cookies and payments for advertising - this would have the potential to significantly boost social media but would make visiting a social media site reasonably harmless. "Advertising" for your products would be completely fine on your own website and while social media could talk about things, it needs to be illegal to steal and sell their users.
Imagine a world where people can make a little money by just being "good" people?
In the past, you could set your web browser to prompt whether to accept a given cookie. It was a bit of a hassle when you went on a site for the first time. But was interesting as it showed how much tracking crap some sites wanted to put on your computer.
They have since gotten rid of that functionality and I have to wonder how much marketing and analytics companies paid them to remove that feature.
I never saw a good reason (at least not good to me or general consumers) for that feature removal.
Mozilla, all script blockers, tracking blockers, I delete cookies AND offline data after *every use, and then I turn off my wifi until I need the interwebz again. Not a lie.
Then I make sure I have updates and everything it might download paused for thirty days before I turn the interwebz back on. I don't always catch it before I turn my PC back on, so I usually just use a very old Mac for anything web related and then clean it all afterwards. This is how we have to use the web now.
I still know they are collecting me by ip. They are the spyware.
To learn more about protecting privacy I have been playing around with VPNs, virtual one-time-use VMs and strict browser settings to reduce exposure to the evil G.
The result is that I now get bombarded with cat food, lipstick, perfume and mascara commercials when watching my daily sequence of history, car and gun youtube videos.
It really amazed me that this happened, since none of the commercials served make any sense based on the selected content.
Probably it is just G's way to flip the finger.
My take from this is that it is debatable whether creepy ads are worse than non-sense ads.
If cookies are the price to get relevant ads, ads which will be served anyway since sites like youtube cost fortunes to run, perhaps it is an acceptable tradeoff.
There are ways to watch YouTube streams independently of YouTube's control. Bonus: no invasive tracking¹ and no adverts.
¹ - they'll still have your IP address, but this doesn't seem to be used as what you watch outside of the YouTube environment doesn't affect their automatic suggestions.