It's a great idea but there are already browser add-ons that deal with the majority of cookie-consent pop-ups that I get and a box to tick if they don't so they can update their database. I use Consent-O-Matic (recommended by a denizen of this forum whose name I can't remember, but thanks) but others are available.
Embattled users worn down by privacy options? Let them eat code
The people are defeated. Worn out, deflated, and apathetic about the barrage of banners and pop-ups about cookies and permissions.
COMMENTS
-
Tuesday 8th October 2024 06:52 GMT Anonymous Coward
GDPR etc is a joke and an opportunity for governments to "create (useless) jobs".
The law should FORBID ANY TRACKING and data sharing with 3rd parties, UNLESS YOU ARE LOGGED IN and agreed to specific data processing. Otherwise anonymity must be respected unconditionally. Stop bothering people with cookie nonsense and device settings.
Maybe 20 years ago this was OK, but now it is time to cut off the big-tech tentacles and let them innovate without the surveillance shortcut.
The moment data is shared with a 3rd party, a user must be informed by their (shared anyway) email: who got access to the data and why.
-
Tuesday 8th October 2024 10:34 GMT StewartWhite
That's fine but most people outside techiedom will not do this or anything like it and Big Tech will in any case be snooping on you by whatever other means they can, e.g. LinkedIn having a default opt-in for AI scraping until enough people complained - they're likely still scraping it whether you do or don't tick/untick the relevant box and woe betide you if you ever forget to tick a new box that they add at 3am on Xmas Day for an hour hidden behind a section in their Anti-Slavery Statement labelled "Beware of the leopard!" as they'll take that to be your implied consent to donate your liver whilst still alive.
It's a fundamental industry problem with the attitude of "The regulators are toothless and don't really care so we must get as much info as we can ASAP then pretend to change our behaviour if/when somebody notices".
-
Tuesday 8th October 2024 11:48 GMT cookiecutter
We should not need to go through the hassle of having these extra controls on our browsers; OR even worse... trying to explain them to older relatives.
We need to see some good HARD slaps of companies and tech. firms. Especially non tech firms who didn't bother hiring the right people and decided to make stuff up as they went along.
If your business model is so crap that you have to subsidise it with selling customer data, then no sympathy. You deserve the slapping, the fines and the potential going to the wall.
I can't remember the site, but one of the sites I browsed had nearly 1500 "partners"...that kind of fuckwittery is inexcusable
-
Monday 7th October 2024 08:58 GMT Korev
> The user gets to configure their own default responses in the browser's privacy settings, and the cookie law option box disappears. Sites and services can ask to have their special cookies opted in, but the price to the users for not thinking about such options is zero.
I already have "Do not track" enabled on every device I own/use, it's a shame that honouring this is not mandated by law.
-
Monday 7th October 2024 19:00 GMT Headley_Grange
That could easily be fixed by making tracking an opt-in service, which others have suggested. The law should be changed such that tracking is traceably opt in so when I complain to the ICO* about being tracked they just contact google/meta/etc and request proof that I have actively opted in and in the absence of proof someone goes to prison.
*I know from experience that the ICO never do anything, but eh.
-
Monday 7th October 2024 09:13 GMT Richard 12
Only if the ICO actually deigns to enforce it.
The real problem is that enforcement isn't happening. Every single one of the "annoying" cookie popups is flat illegal. Every single one of the "pay or track" demands is illegal.
There are any number of mid-sized targets, prosecute them. Then prosecute the big ones, and the small ones will fall into line of their own accord.
And yet, it took how many years for Ireland to ask for the tax they're due, and they even fought against it - presumably because certain high-up politicians and civil servants wanted the revolving door to keep revolving.
-
Monday 7th October 2024 11:31 GMT OhForF'
It is hard to write a law in unambiguous words so it does not allow someone to either dodge it entirely or comply with it in some very malicious way - like was done with those cookie banners.
In other words: it does matter if Google and/or Apple and the entire ad industry do not like it and start the next round of malicious compliance.
-
Monday 7th October 2024 09:24 GMT Dan 55
Just like PICS, only IE implemented it and website owners couldn't be bothered to categorise their sites.
And this is even more doomed to failure because the whole of the advertising industrial complex is propped up on cookies and won't do anything that could prejudice its own profits (certainly not the "right thing"), unless it's written in law* and in that case it'll lobby, scream, and shout, and implement it in bad faith.
* By the EU of course.
-
Monday 7th October 2024 09:14 GMT NohSpam
yes, yes and thrice, yes!
which is why I've suggested (for ages and ineffectually) that we should lobby EU legislators to standardise the form, which should incorporate mandatory easy (one click) opt-out of all cookies and a separate but mandatory (one click) opt out of all 'legitimate' interest options. Being a standard specification it should also allow sites to silently take your preference and go with that. Sites should also have to display a menu option in a top level menu for adjusting privacy choices either after their default has been silently adopted by the site or they have made an explicit choice they'd like to adjust.
I like the API twist mentioned in the article though.
-
Monday 7th October 2024 09:40 GMT Marcel
Re: yes, yes and thrice, yes!
Of course this should have been standardized in a protocol like HTTP, TLS, HTML, CSS, etc. It should be a browser setting and websites can dump 90% of their javascript that is dealing with ads, consent, and other legal crap. What I hope though is that if this is legislated, it will not legislate cookies, but legislate banning tracking and selling your data, which is the real problem. Cookies are just one of the many technical means to track you. We would not like ad companies to use other sneaky ways that are not cookies, but still track you and sell your data without you knowing.
-
Monday 7th October 2024 11:42 GMT OhForF'
Re: yes, yes and thrice, yes!
There are at least two standard implementations to refuse tracking (Global Privacy Control and Do Not Track). All that is missing is a law saying those have to be treated as a legally binding instruction with meaningful fines if ignored and more fines for those that are meant to enforce it if they do not do their jobs.
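As an added illustration (not part of the comment above and not any site's actual code), this is what treating the two signals as binding could look like on a server: `Sec-GPC: 1` or `DNT: 1` suppresses every non-essential cookie, and an audit helper flags `Set-Cookie` lines that ignore the signal. The cookie names, purpose labels and sample data are constructed for the example.

```javascript
// Added example. Cookie names and purpose labels below are hypothetical.

// Normalise header names (Node's http module already lower-cases them).
function readPrivacySignals(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  return {
    gpc: h['sec-gpc'] === '1', // Global Privacy Control: the only defined value is "1"
    dnt: h['dnt'] === '1',     // Do Not Track: "1" = do not track, "0" = tracking permitted
  };
}

// Either signal counts as a refusal; an absent header expresses no preference.
function trackingRefused(headers) {
  const signals = readPrivacySignals(headers);
  return signals.gpc || signals.dnt;
}

// Server side: build the Set-Cookie lines the response may carry.
// `wanted` is a list of { name, value, purpose } the application would like to set.
function cookiesToSet(headers, wanted) {
  const refused = trackingRefused(headers);
  return wanted
    .filter((c) => !refused || c.purpose === 'essential')
    .map((c) => `${c.name}=${encodeURIComponent(c.value)}; Path=/; Secure; HttpOnly; SameSite=Lax`);
}

// Audit side: given the request headers and the Set-Cookie lines actually observed,
// list every cookie that should not have been set. Cookies missing from the
// classification map are reported as "unclassified" rather than silently allowed.
function auditResponse(headers, setCookieLines, purposeByName) {
  if (!trackingRefused(headers)) return [];
  const findings = [];
  for (const line of setCookieLines) {
    const name = line.split('=', 1)[0].trim();
    const purpose = purposeByName.get(name) || 'unclassified';
    if (purpose !== 'essential') findings.push({ name, purpose });
  }
  return findings;
}

// Constructed sample data.
const WANTED = [
  { name: 'session_id', value: 'abc123', purpose: 'essential' },
  { name: '_stats', value: 'v1.42', purpose: 'analytics' },
  { name: '_trk', value: 'u-9f3', purpose: 'advertising' },
];
const PURPOSES = new Map(WANTED.map((c) => [c.name, c.purpose]));
const OBSERVED = ['session_id=abc123; Path=/', '_trk=u-9f3; Path=/', 'mystery=1; Path=/'];

console.log(cookiesToSet({ 'sec-gpc': '1' }, WANTED));
console.log(auditResponse({ dnt: '1' }, OBSERVED, PURPOSES));
```
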
-
Monday 7th October 2024 09:42 GMT Andy The Hat
Re: yes, yes and thrice, yes!
but I think you'll find that all 138 companies listed will have "legitimate interest" - they are all making money out of you - so all need to be individually listed in a helpful, easy to click series of check buttons for the user to consent to individually ... GDPR was never about actual user control, it was only about the appearance of user control because data makes money, money makes tax ... so there is no interest to actually stop that data flow.
-
Monday 7th October 2024 10:07 GMT Anonymous Coward
Re: yes, yes and thrice, yes!
"...money makes tax..."
I'm not sure that link in your chain of reasoning holds up, to be honest. If the big boys paid a decent share of revenue as tax, then I might agree with you (and it might justify letting them get away with it).
In other news, Max Schrems won another case against Meta:
https://www.rte.ie/news/business/2024/1004/1473586-schrems-privacy-dispute-with-meta/
-
Monday 7th October 2024 10:50 GMT Andy The Hat
Re: yes, yes and thrice, yes!
As I see it, the judgement says old data can't be used - 10 days, 10 weeks, 10 years ... what is old? I believe the GDPR only refers to outdated data. In the UK version the ICO guidelines state
"The UK GDPR does not dictate how long you should keep personal data. It is up to you to justify this, based on your purposes for processing. You are in the best position to judge how long you need it." so plenty of holes to wander through there ...
And then there's the use of restricted data sets. Does the GDPR define those data sets? Again the ICO states
"If you do not need to identify individuals, you should anonymise the data so that identification is no longer possible."
Unless Meta are supplying raw data to advertisers what data is actually allowed when consented under GDPR? (Having said that the article sort of suggests the passing of identifiable data as Meta is reported as saying "it's the advertisers responsibility ..." at one point)
-
Monday 7th October 2024 09:33 GMT Mark White
What really annoys me...
Sites claiming Google Analytics is a necessary cookie.
Legitimate interest options you have to scroll and unselect every single one of them.
Sites where opting out is required on every visit (or for a few, every page) but opting in is once and done. Can we have a cookie for tracking our cookie choices we can opt into (or is designated necessary)?
-
Monday 7th October 2024 17:01 GMT Anna Nymous
Re: What really annoys me...
That would require a cookie, which wouldn't be allowed to be set if you decline setting cookies.
However, the point is not to get your informed consent. The point is specifically to wear you down so that you allow them to set cookies. Some of the evidence for this assertion is that it's easier to let them set all cookies than it is to decline them.
If one really wanted a solution: wouldn't it be much easier to just respect Do-Not-Track? Because that signal is pretty easy and pretty much covered everything needed. I don't think I know anyone who can or would make an informed decision on "Sure, I want to be tracked by X and Y but not by A and B, oh, and C is fine as well, but only for purpose D". DNT is simple enough.
Even if that setting comes with a default value of 'on' (indicating "I wish to not be tracked"), it's still a default and should be respected. Note that it was argued that "because Firefox sets Do-Not-Track to true by default, it's not what the visitor 'really' wants, thus we can and will ignore it" but that's just plain BS. If advertisers really cared about explicit user intention, they'd opt for the more certain "a user who switched it from 'Do-Not-Track' to 'Track-me-please' has given explicit consent to be tracked and so is fair game".
This quote by Frank Bitterlich comes to mind on the tracking that we are subjected to:
> I'm sick and tired of the constant "... but we need the advertising revenue" whining. You're not making any advertising revenue. You're making tracking revenue. ... Who on this planet would accept someone ringing your door bell and going, "Excuse me, sir, we need to make sure the junk mail we fill your mailbox with is relevant, so I just need to have a quick look at your book shelves and the products in your fridge. If you could just step aside for a second..."
-
Monday 7th October 2024 09:58 GMT anthonyhegedus
Unfortunately for me, and luckily for the websites, I'm usually in a bit of a hurry to find information, and didn't want to consent to anything first. So when I get the cookie popup (and I don't always, because I use Consent-o-matic too), I worry that if I click Don't Accept, it won't remember that I said no, and will ask me permission next time I go to that site, so I often click 'Accept'. And yet I still get the popup.
Especially in Facebook on my mobile, where Facebook's own browser is awful, and it asks me every time anyway.
I don't see what good any of this does. My browsing history is still tracked.
-
Monday 7th October 2024 12:49 GMT Anonymous Coward
Lot of people do, Meta-owned properties have far more than critical mass, so avoiding them adds friction to interacting with friends, including IRL friends
Having the browser remember your 3rd party & not required for function 1st party opt outs, but also retain your login/cart would be ideal
-
Monday 7th October 2024 10:22 GMT BinkyTheMagicPaperclip
Tie it to domain renewal - APIs are utterly useless
It's exactly the same as a cookie - the decent companies will spend money and effort catering for it.
The companies who deliberately don't conform, or can't be bothered, will continue not to comply or bother. This also provides them a competitive advantage.
Nothing will happen until there is enforcement. Fairly large to very large websites have been failing to comply for *years* so forgive me if I think the ICO will ever actually do anything.
A thought. Tie it to domain renewal. Starting on the next domain renewal for everyone, if your domain is marked as being non GDPR compliant the owner has until the next renewal year to fix this[1], otherwise the renewal does not occur and their domain becomes unreachable. If the customer complies just before renewal, and then breaks compliance they face fines or a shortening of their registration.
[1] yes, I'm aware this causes issues with everyone bulk purchasing multiple years. Given many large companies will comply, the float necessary to e.g. potentially refund a customer any years booked beyond year+1 might not have to be that large.
-
Monday 7th October 2024 18:38 GMT Anonymous Coward
Re: Tie it to domain renewal - APIs are utterly useless
"Starting on the next domain renewal for everyone, if your domain is marked as being non GDPR compliant the owner has until the next renewal year to fix this[1], otherwise the renewal does not occur and their domain becomes unreachable."
How can a domain be compliant/non-compliant with GDPR?
You mean the service(s) hosted via that domain and its sub-domains? Such as websites, services/applications? Email servers? other HTTP/HTTPS end-points? SIP/XMPP servers? etc
How exactly is a domain registrar going to determine compliance? Are they going to have to hire GDPR-experienced staff and be somehow legally empowered to force the domain "owners" to provide whatever docs etc that the registrar demands to "prove" GDPR compliance?
-
Monday 7th October 2024 22:55 GMT BinkyTheMagicPaperclip
Re: Tie it to domain renewal - APIs are utterly useless
To Be Decided is the answer - likely to be a mixture of regulatory and other bodies, and end user reporting. I don't claim to have worked out all the answers for a general idea in a couple of minutes. The point is for not meeting GDPR to stop being toothless.
A lot of the lack of compliance is very obvious, it's just no-one is enforcing it. From the egregious (refusing to disable tracking) to the irritating but still illegal (restricting certain functionality to tracking being enabled). That would resolve 95% of issues, leaving only the 5% of arguing if not entirely straightforward data collection and usage are appropriate.
Obviously if it's a hosting service with subdomains owned by multiple customers that complicates things slightly, but on the whole I'm concentrating on a company offering services on a domain name.
If they're not compliant, they get an extended warning (a year to start with, less time after that, progressively less if they keep 'complying' and then immediately reverting to become non compliant).
If they don't meet the warning the entire domain gets turned off, as that's under control of the registrars. Harsh, yes, but they've had *a year to comply with something they should have complied with anyway*.
I mean, it will never happen. Companies gaining revenue from abusing GDPR to various degrees will kick and moan, and the regulatory bodies will back down because it generates money, despite the fact it's a law and they're in direct violation of it.
-
Tuesday 8th October 2024 01:03 GMT Anonymous Coward
Re: Tie it to domain renewal - APIs are utterly useless
"A lot of the lack of compliance is very obvious, it's just no-one is enforcing it."
Not necessarily obvious - you appear to be focusing on one specific point - a website using a domain name.
Domain names can be used for various purposes, I could set up a business that uses a certain domain name only for email or for SIP or something else and either not have any website at all, or have a website on a completely different domain name.
So how is determining GDPR compliance / non compliance of email or SIP or other service(s) "obvious" then?
You're just assuming "domain name" == "website"
-
Tuesday 8th October 2024 10:30 GMT BinkyTheMagicPaperclip
Re: Tie it to domain renewal - APIs are utterly useless
I'm well aware domains are used for many purposes. I am not about to go writing a specification in five minutes, out of necessity not all details are included.
Companies are already prosecuted for GDPR violations from e-mail, post (probably fairly rarely these days), SIP or actual POTS calls. The mechanisms exist.
This Register article is specifically targeting websites, proposing solutions for websites ('Web APIs'), and it's generally what most end users will encounter in terms of requesting permissions, cookies, and suchlike.
-
Monday 7th October 2024 10:55 GMT cc201516
Irony
The irony of reading such an article on this site, which uses one of the worst cookie notice providers there is
Battling through a multitude of primary and legitimate notice options on its first page only to find an option at the bottom for vendor preferences, where every single vendor needs declining individually, scrolling through what seems like thousands
It's easier just to not bother going to these sites anymore
-
Monday 7th October 2024 13:05 GMT Norfolk N Chance
Re: Irony
The other irony is reading this article here.
Anyone employed in an industry connected to the web (physically or by market) probably relies upon data harvesting revenue to a greater or lesser extent - ask yourself would your job exist without it? I suspect for many readers the answer is uncertain.
Personally I think data harvesting is a disease - is it really the best we can do with interconnected computers?
Then I look at Snaptwit and Instaface and now I'm uncertain...
-
Monday 7th October 2024 17:07 GMT Anna Nymous
Re: Irony
> Anyone employed in an industry connected to the web (physically or by market) probably relies upon data harvesting revenue to a greater or lesser extent.
Probably, and I think it's pretty telling w.r.t. the actual main product-facade that is being peddled by those organizations.
If your revenue model is coming from providing a no-cost-to-end-users service/content and subsidizing this via advertisement, you are explicitly stating that "no-one thinks what I provide is valuable enough to give me real money, no-one would give me money for what it is that I do, so I have to forcibly extract it from them in another way by selling their information and eyeballs". You're literally stating that what you "sell" is not worth money.
I am aware that this site here gets by via advertising. I would actually pay real money for access to El Reg.
Icon is me rummaging in my jacket pocket, finding the random coins that always get lost in there...
-
Monday 7th October 2024 17:34 GMT BinkyTheMagicPaperclip
Re: Irony
Yes. Work is absolutely bound to the web, we're services and saas.
There is *zero* reliance on data harvesting because we're boring, business to business, and regulated in various areas. We take a lot of care to comply with GDPR and data security.
I'd also note when I was involved with certain American companies they were considerably less compliant than the EU companies I've dealt with.
-
Monday 7th October 2024 20:57 GMT ChoHag
Re: Irony
I have two register cookies, in order to use this forum, and I have never accepted or declined anything in a cookie tracking dialog on this site nor has one ever got in my way.
There are certainly things one could pull up the register for, but its approach to cookies is not one of them.
I have met their developers and they are quite serious about that.
-
Monday 7th October 2024 12:29 GMT hfo1
Opt-in?
It feels like the easiest option would be to make this an opt-in process rather than an opt-out one? Then all the incentives would be on the organisations to simplify and standardise their processes. Disinterested users would be protected by default. Maybe allow essential cookies with penalties if somebody tried to stretch the definition of essential.
-
Monday 7th October 2024 14:06 GMT Irongut
> The user gets to configure their own default responses in the browser's privacy settings, and the cookie law option box disappears
Great idea, why don't we call it DO NOT TRACK? Oh right, we have that already and it does not work.
Back to the drawing board Rupert, like an Apple engineer you invented something that already exists.
-
Monday 7th October 2024 17:26 GMT Anna Nymous
> Great idea, why don't we call it DO NOT TRACK? Oh right, we have that already and it does not work.
It does work, it signals your intent that you wish not to be tracked.
However, it is being sabotaged by those who benefit from ignoring that intent, and are hell-bent on exploiting and abusing you and everything there is to you. The problem is not that "it doesn't work", the problem is that it is being actively circumvented/ignored/... Your signaled intent is intentionally ignored and discarded. That is the problem.
The argument put forth in support of DNT not working is like saying "Telling people you don't want to be murdered and then you are murdered doesn't work, so it doesn't work". The problem is not the sign, the problem is the violent actions on the part of the abuser. To take it a step further: you shouldn't even have to opt-out, you shouldn't even have to say you don't want it. The fact that someone applies it to you is wrong in the first place. If you really want to be tracked, state that. Then these abusers can have their way with you!
-
Monday 7th October 2024 18:17 GMT doublelayer
Or in other words, it doesn't work. Its failure to work is not because the technology is wrong. It's not because people can't use it or servers can't direct it. It's because those who would have to honor it are not and those who would make them are doing nothing. If they made an API that automatically filled the cookie selection boxes, that would help, but any company that wanted could still set whatever cookies they want. They could say that collection was a strictly necessary cookie. They could say that there was a mixup in their code that ended up setting the wrong cookies. They could set a cookie which was meant to indicate that data collection isn't desired but happens to work as a fingerprint anyway. The suggested API is little different from the do not track signal in that it has no technological enforcement of compliance, if such a thing is even possible, so without strong enforcement from somewhere else, it won't make a change. If you had strong enforcement from somewhere else, you could use the DNT setting, this API, or any similar indicator.
-
Tuesday 8th October 2024 01:35 GMT Anonymous Coward
"It does work, it signals your intent that you wish not to be tracked."
"Their" excuse for ignoring it is that on browsers that set DNT by default then DNT does *not* actually clearly signal *your* intent, as a browser sending DNT could be doing so because either (a) the browser defaulted to sending it, or (b) you specifically set it to be sent, and that "they" cannot distinguish between those 2 scenarios.
I am not saying this is "correct" / "valid", I'm just pointing out their excuse for ignoring DNT.
-
Monday 7th October 2024 14:44 GMT JulieM
Time to get spiky
We need to start turning to more proactive forms of defence. Browsers need to have the option not just meekly to accept or reject cookies (on an individual basis, keeping logs of cookies not set in case some site functionality depends on them and using some heuristics to determine which ones might be related to broken functionality); but to return "crumbled" cookies, different from what the site tried to set, for the purpose of thwarting trackers.
We need to be more like certain fruit stones; which are quite safe if allowed to pass through the body unaltered, but release deadly cyanide if chewed.
-
Monday 7th October 2024 14:47 GMT Filippo
You're suggesting a technical solution to a social problem. It won't work.
More details: your proposal could be implemented in a technical sense, but it can't work if the web server doesn't comply. And the web server is under the offenders' control.
How are you going to force the offender web servers to comply? There are no technical means to do so.
Are you going to suggest using legislation? And enforcement? Yes? How should that work, and how are you going to get it through your nearest parliament? Okay, now you're thinking about the real problem. Get back to me when you've got a solution.
-
Monday 7th October 2024 14:50 GMT Persona
> Cookie-addicted businesses will hate this idea, but it's hard to construct a logical reason why it's a bad idea.
No, cookie-addicted businesses would love it, because > 95% users if able would configure it to accept all cookies. Thus saving them the irritation of that cookie pop up slowing them from doing what they visited the web site for.
The only thing that will stop people from accepting all cookies is evidence of bad things happening if you do so. The author likens it to being like a house with faulty wiring or a car going wrong. We all understand those problems, and know of relevant examples, so people react to them accordingly. So where are the examples of cookies being bad? By being bad I don't mean allowing the user to be tracked and possibly presented with tailored adverts directing them to a bad web site, I mean examples that show actual real financial loss with a cookie being the root cause.
-
Monday 7th October 2024 17:25 GMT andy the pessimist
would this work?
Since the cookies are written to a local sqlite file could you write very large variable names and invalid data. The website reading cookie process may crash.
Little Bobby tables may cause some damage too.
If they have been sloppy in the website coding bad things will happen.
-
Tuesday 8th October 2024 01:10 GMT ebyrob
I keep trying to convince my boss...
It doesn't matter what you click on the cookie popup. You have no privacy anyways and that pop-up shouldn't be there in the first place.
If you don't want to be tracked, don't go on the internet. Especially to big sites like www.theregister.com (kidding, more like cnn.com msn.com etc). Your IP address is going to be known and they are going to "collaborate" with other sites (ad.doubleclick.net) to know absolutely everything about you just based on your IP (or any of N usernames N "web-auth-tokens" etc.)
If we had any hope of privacy and control it would come through the security and technology of groups like the W3C and our browser vendors (one of which owns ad.doubleclick.net oddly enough). I've never in a million years expected to have a government entity protect my technological interests. The fact they try, especially outside their own jurisdiction, just tends to make things worse instead of better.
-
Tuesday 8th October 2024 04:53 GMT Cincinnataroo
Maybe all we need is a public list of all the people involved in creating this consent form disaster.
Maybe also a mandatory form on all websites using these forms telling you what you consented to, with common identifiers of the miscreants involved, and a way to download it as say JSON and CSV.
-
Tuesday 8th October 2024 08:12 GMT John Robson
Or have the browser ask when a cookie is read - and remember that allow/deny (by domain for a deny, by specific cookie for an allow) in the browser.
As various people have said upthread - they have cookies reset on every browser session... that's great, but some sessions are pretty long, and that also gets rid of authentication cookies (which is less of an issue nowadays with autofill from your chosen password manager).
I don't care if FaecesBook et al. put a cookie on my machine, I care that they don't get to read it back.
This should all be handleable by the browser - accept all cookies and just deny reading them by default...