I'll not hold my breath
The UK's Information Commissioner's Office (ICO) is getting tough on website design, insisting that opting out of cookies must be as simple as opting in. At question are advertising cookies, where users should be able to "Accept All" advertising cookies or reject them. Users will still see adverts regardless of their selection …
See what happens at The Daily Mail, in my opinion one of the worst to use the UI of one button to accept all, or separate pages of sliders to individually reject each advertising partner and there are a lot of them wishing to track you. ICO is right, if you can do a button to accept all, you can do one for reject all and reject should always be the default option.
Indeed it should. I've made this point several times to the relevant govt. committees and been ignored every time. The whole issue of cookie banners has an entirely wrong emphasis. Often, intrusive banners are used to block access to content until a decision has been obtained, with the default being all cookies accepted. That's not offering choice, it's coercion pure and simple. The law does not require banners -- indeed the law requires that there should be no loss of service relating to cookie acceptance or not (and by inference that means relating to the choice process itself). But the regulator just ignores this aspect of the problem.
The ideal situation would be no cookies by default and a reasonably sized non-intrusive option button or link for use by those who might want to accept. But that will of course never come about because practically nobody would accept if given a fair choice. And by the way, the law does not apply solely and literally to cookies -- it applies to all tracking devices and methods but we never get given the option to accept or reject javascript trackers for example, although they can be far more intrusive than cookies, and many web sites fail to operate at all if scripting is turned off, thereby effectively forcing us to accept being tracked. Yet another thing the regulator has failed to act upon.
Has the ICO just acquired a new boss or something? One who knows where their gonads are?
To me there is no excuse for any more than a session cookie if you are logged in.
Then let's remember that GDPR is about tracking, not just cookies. How do we detect and punish the passive tracking?
"Then let's remember that GDPR is about tracking"
Actually it's PECR (the privacy and e-commerce regulations). The GDPR is silent on online tracking.
I am pissed off at my bank, Nat West, they keep on sending me spam. The latest "Alain fancy winning £10,000 this holiday season? T&Cs apply".
They need to have my email address. I never, as far as I am aware, agreed to receive this stuff, I have replied asking them to stop sending it.
I wonder if the ICO would do anything about this?
I am pissed off at my bank, Nat West, they keep on sending me spam.
How do you know it's actually them? It is trivially easy to fake emails. If it really is them then GDPR means that there has to be a way for you to opt out of it. Check their website for contact preferences. If you have told them you don't want marketing related emails and they are still sending them then you need to start threatening them with GDPR.
I left NatWest after their IT failed around 2012 and customers' payments were missing for a couple of days. I was glad I had when they had similar problems again and again.
I recently took the £200 bribe to try them again, and it quickly became clear that £200 wasn't enough in exchange for the pain. The NatWest experience was bad and it's now *terrible*.
Ditch them.
First Direct's phone service is great and they'll bribe you to switch. Starling's app is great and they do not need to bribe people to switch. Other banks exist.
Yes, and a few years ago it was found to bring in more income. The ad duopoly are taking 51% of the advertising fee after all.
Hey ElReg, fancy having a stab at doubling your profit?
Additionally, and not coincidentally, the publishers had to insert the ads themselves. This gave an opportunity to ensure minimum production values and that the content fitted editorially.
Online advertising, as currently construed, gives precisely zero control to the publisher over what is embedded in their publications. Can you tell?
Publishers should go back to selling ad space themselves. They should serve it themselves, and assume responsibility for it. In return they can take back control over their ratecards.
-A.
Also, when you see an advert in a newspaper or on TV, everybody really is seeing the same advert.
When you see an advert on the Internet, other people looking at the same website with the same non-advertising content probably are seeing different adverts. And if your racist uncle sees some sentiment being expressed in an advertisement that he would have expected to make the usual suspects scream blue murder, yet they do not seem to be complaining about it, that might not be because it's socially-acceptable after all, but because the advert was deliberately targeted away from anyone the advertisers think might be likely to complain about it .....
Global Privacy Control (GPC) is essentially the old Do-Not-Track header, only this time with force of law. It is already mandatory in California, and the EU is considering it. One browser setting to automatically reject all cookie banners. The UK should also endorse this. Of course this does not preclude enforcement against dark patterns like not having a "Reject All" button as prominent as the "Accept All" one, or making unsubscribing harder than joining.
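As an added illustration of the Global Privacy Control comment above (not part of the thread and not any site's real code): a server-side check that treats the `Sec-GPC: 1` request header as a reject-all choice and otherwise allows no optional cookies until a choice has been stored. The `consent` cookie name, its comma-separated format, the category names and the "GPC overrides a stored opt-in" policy are assumptions made for this sketch.

```javascript
// Optional (non-essential) cookie categories; names are assumed for this example.
const OPTIONAL = ["analytics", "advertising"];

// Parse a Cookie request header into an object of name -> decoded value.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue; // skip empty names and fragments without "="
    const name = part.slice(0, eq).trim();
    try {
      out[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      // malformed percent-encoding: ignore this cookie rather than guess
    }
  }
  return out;
}

// Decide what this request may be served with.
// headers: object keyed by lower-cased header name, as Node's http module provides.
function consentDecision(headers) {
  // "1" is the only value the GPC signal defines; anything else is "no signal".
  const gpc = headers["sec-gpc"] === "1";
  const stored = parseCookies(headers["cookie"])["consent"];
  // Unknown category names in the cookie are dropped, never trusted.
  const chosen = stored ? stored.split(",").filter((c) => OPTIONAL.includes(c)) : [];
  return {
    gpc,
    // Assumed policy: a GPC signal rejects every optional category.
    allowed: gpc ? [] : chosen,
    // No banner when the browser already answered, or a choice is on file.
    showBanner: !gpc && stored === undefined,
  };
}

// Constructed sample requests (not captured traffic).
const samples = [
  {},                                                   // first visit, no signal
  { "sec-gpc": "1", cookie: "consent=advertising" },    // GPC beats stored opt-in
  { cookie: "sid=abc; consent=analytics%2Cadvertising" },
  { cookie: "consent=" },                               // stored "reject all"
];
for (const h of samples) console.log(JSON.stringify(h), "->", JSON.stringify(consentDecision(h)));
```

With no header and no stored choice the result is an empty `allowed` list, so nothing optional is set before the visitor has answered.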
"Legitimate interest" is the worst, especially when they default to "on" and there is no "object to all" function, but this method usually works to turn them all off:
Open developer tools (command+option+I on Mac, f12 on Linux and Windows) and select Console.
Type the following at the console prompt (NB, capitalisation-sensitive):
Z=document.getElementsByTagName("input")
(it should say something like "HTMLCollection" and a list of input elements)
for (i=0;i<Z.length;++i) Z[i].checked=false
(all the switches shown on screen should turn off)
Save your preferences and close the developer tools.
My usual reaction to those sites with > 5 "legitimate interest" (partner) tracking choices defaulting to opt-in is to leave the site for good.
Even though it would not make much difference as my browser is set up to only keep cookies for the session duration and clean all of them when I close the browser.
But it says in the dialog:
What do I check and not check? It is legitimately interesting tracking you. Don't you not think so too?
Honestly, if you have sufficiently powerful hardware, it's probably best just to spin up a whole brand new, disposable VM every day, and create a new user for any site you really don't trust.
It all feels more than a little bit like keeping rice from sticking by cooking each grain in a separate pot; but you really don't know what's going on out there, and it's probably better safe than sorry.
Hey, that's a Strongly Worded Letter, if you don't mind. And if that doesn't work, the threat of a Very Strongly Worded Letter.
The only way to make it count is to ensure the board has skin in the game. If the Strongly Worded Letter doesn't work, follow it up with ninja assassins to take out the entire board. A couple of firms suffering decapitation strikes(*) would encourage the others(**) wonderfully.
(*) Literally as well as figuratively :-)
(**) Thank you, M. François-Marie Arouet.
Cookies can be tamed in the browser, if the browser makers decide to. Some are clearly more likely to do that than others - the big players won't do anything that hurts their ad revenue (Apple, Google, Microsoft I'm looking at you here!) but it's perfectly possible.
Waterfox does a pretty good job of it out of the box, Firefox can be configured to do it fairly easily too. Increasingly users are getting fed up of being seen as the product and are turning more & more to technical countermeasures to take back control of their personal data - just look at the number of people using ad-blockers now.
Advertisers & data brokers are driving this - they seem to have completely failed to understand that consumers simply DO NOT WANT to be tracked, analyzed, catalogued and fed a curated diet of crap to inflate corporate profits. They miss the point that what I'm looking for now is NOT what I want to see in adverts several hours later - by then there's a damn good chance I'll have found it & bought it so their profiling is worse than useless, it's actually annoying. Annoying enough that I, and many more, are reacting to it negatively and in at least some cases coming away with a negative view of the brands involved.
When brands go to war with their customers the brand always loses.
I've got a banner showing on my screen that says "Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law." It has a button to "Accept All Cookies" and another to "Customize Settings". The latter leads to a banner that has all but Necessary unchecked and an "Accept Selected" button. Opting out requires TWO CLICKS and two screens, opting in only requires one click. I know the cookie issue for the site in question has been commented on before on this site because I loved the irony then just as I love the irony now.
Anybody care to take a guess at the formerly British now American tech news website I'm referring to?
I don't want to have to click to reply about cookies for every single site I visit. It destroys the web.
Just give us some detailed browser settings that the website interrogates and then follows in 99% of cases.
Anyone with illegitimate intentions is going to ignore what we want anyway.
The bottom line of this is money. You want a free access website, so the site deploys adverts to earn enough to provide that "free" access and to make a profit. The advertisers want to know if their adverts are effective (value for money) on the site so they want ways of finding out how many of your site's users have bought or considered buying their product. This requires some form of tracking as otherwise there would be no way of knowing if their advert spend was worth the effort. The alternative is pretty bad as advertisers will either stop advertising on a site or else reduce their spend there if they don't think they are getting value for money. Over time that tracking got used for other purposes like targeted advertising. I've never been a fan of advertising or tracking and the attitude (greed) of some sites and advertisers makes me avoid them like the plague, but beware of what you wish for as when enough people block all ads those "free" sites are soon going to disappear. Yes, you have a right to privacy but the site you are accessing has a right to earn an income and that money has to come from somewhere.
The problem is that the stats are usually completely wrong because of things like click fraud.
When I used to buy advertising, I could call the print publications I wanted to advertise in, negotiate a good price and be sure that they shifted so many print copies of something I knew my targets would read and the ad would appear in just the pages they would look at.
If I bought advertising online now, I'd doubtless..
.. end up next to something praising Hitler on Twitter
.. pay for something 'seen' by the webspider bots of a Chinese search engine company
.. encourage a site whose owner doesn't have 'enabling genocide' as one of his biggest regrets, despite having done just that
.. be blocked by anyone with a clue.
Why give them more time to come into line with the law they have been breaking for years already? Just prosecute now.
If you confront a serial offender, it doesn't seem right to say "you've got 30 days to stop or we'll prosecute"
I can only assume there is some legal hoop they (the ICO) have to jump through by giving notice.
El Reg isn't exactly a beacon of shining light here. Two buttons: I can "Accept All Cookies", or, if I want "more info and to customize [my] settings", there's a different button for that.
Granted the additional settings aren't a maze of millions of sliders, but it's still actively more difficult to opt out than opt in.