Vivaldi update unleashes the 'Cookie Crumbler' to simply block any services asking for consent (sites may break)

The consent dialogs penalise users who are doing the right thing. I reset cookies when my browser quits. So I have to re-assent every session. I view them popping up as proof it's working. But it's a huge annoying penalty to pay for being security conscious.

And they are getting ever more annoying - the YouTube ones are particularly bad; whereas El Reg's is sitting here at the bottom of the screen unclicked...

Re: This.

It's just two clicks here. Hardly a dark pattern.

Re: This.

The Register, unlike some sites, does not have a "reject all" button alongside the "accept all" button.

Shame on you.

And no, you can't hide behind the "b...b...but it's the law! I HAVE TO DO IT" excuse.

Re: This.

More and more, I am seeing websites that have the popup contain two buttons : ont to accept all, in green (obviously), and one to check - in red.

Psychological wars aside, I am often surprised by a page that lists possible cookies in 3 sections : indispensable, operational and marketing - and often it's only the indispensable that is pre-allowed.

In other words, good behavior is spreading.

Of course, that may be a statistical quirk of the subset of websites that I visit vs the rest of them. YMMV.

Interestingly enough, these "tracking technologies" of yours aren't mentioned once in the GDPR.

Yup.

My business's online side strictly sets only cookies necessary for operation of the store, there's no analytics, ads, or third party cookies set in any form.

This is great because it means there's no tracking cookies at all. Thus, our cookie notice is a simple one liner "This website uses cookies to ensure you get the best experience on our website. Privacy Policy(link)" - with a single button "got it". So, no ridiculous long scary menu's asking what cookies to set.

The privacy policy lists all of the 6 possibly set cookies, which the website uses to configure itself:

PHPSESSID, language, currency, cnotify (got it button), display (grid/list product view, set if changed by user), customer (hashed customer ID, if logged in).

Other than that, no other cookies will be set at any time.. it makes complying with cookie law so much easier :-D.

But we're just a small family run retail business, so we don't need all the tracking or other junk that the big stores/businesses need.

Since we also only collect data strictly necessary to deliver items to the customer and process the transaction.. yup.. GDPR was a walk in the park too, pretty much all of the security requirements it requested were already implemented, users already had the ability to delete their accounts or view the data we held, and we don't sell customer data, nor share it with "partners". It took me about a week to sort a couple of minor legal bits out to ensure compliance with our third party payments provider (stripe).

Heck, even our in-store layaway system only collects their name and phone number as standard. An optional email address can be provided to match the account to an online account if they would like to be able to manage their layaway via our website (make payments, view etc, but must be activated in-store).

(Yes, all databases are encrypted, with proper security during communications between our custom in-store epos system and dedicated servers)

All in all, doing it yourself carefully, and only adding/using stuff you actually need saves a whole heap of legal stuff and expenses.

Added extra: TTFB around 115-180ms, page fully loaded in around 500ms-1s depending on amount of product images and internet speed ofc.

Sometimes, less is better.

The GDPR doesn't require consent for "cookies", it requires consent for "tracking technologies" of which cookies are one implementation. Cookies used for purposes other than tracking are not tracking technologies, and therefore not covered by the GDPR.

It doesn't require either.

It requires that you have a lawful purpose to collect, store or process personal information, regardless of whether that data is to be used for tracking or not. It's it's personal data relating to a natural person, then GDPR covers it. Cookies set for some non-essential, non-tracking purpose would still require consent.

Session cookies to cover things like logins and shopping baskets are necessary and are covered by either purpose 'b' ("Fulfilment of a Contract" - i.e. we can't provide site functionality to you without them) or purpose 'f' ("Legitimate Interest").

Non essential cookies, (for tracking or any other purposes) require consent (purpose 'a' under GDPR, and as described by "the Cookie Directive"), as no other lawful purpose would cover them.

You are of course correct that other tracking technologies, such as firing off a line of javascript on page load would be equally covered by GDPR as it relates to collecting personal user data. So could the processing of server logs containing things like client IP addresses. This is not restricted to cookies, but it's also not restricted to tracking vs. non-tracking.

There are plenty of sites out there which don't have "cookie banners" because they simply don't do anything non-essential. There are likewise millions of sites out there with completely unnecessary consent banners because people think "I need one of those", even though they don't actually set any non-essential cookies or do any data collection. And those in the middle who reassuringly - but unnecessarily - state "We only set essential cookies".

Re: The eternal popup predicament

In the bad old days I sent the team an email with a button that would install a Lotus Notes database. One of them sent a reply "It didn't work." I walked over to her desk and asked her to show me. She clicked the button, and an error message appeared on screen, which quick as lightning she clicked OK. Then she waited for something to happen, and when it didn't said to me, "See? It didn't work." So I said I wanted her to click the button, and this time when the error dialog appeared, not to click on it, so I could read the message. ... She clicked the button, and an error message appeared on screen, which quick as lightning she clicked OK. :) At which point, I had visions of the Saturday Night Live tech support guy, "Out of the way!" I restrained myself, and asked if it would be okay if I clicked the button instead. It turned out to be a permissions issue, which affected a couple of other users as well, easy to sort out.

There are ads on the Reg? I didn't realise.

Re: I don't care about cookie warnings

Is that the "I don't care who in the entire world knows everything that I do on my computer" version?

Re: Say what you will about FLoC

You already mentioned my proposed alternative: scorched earth. I'm not sure why I would be in favor of anything else.

Re: Say what you will about FLoC

I didn't downvote you, but I did upvote the scorched earth guy.

"If Google actually considers the criticisms leveled at FLoC and incorporates some changes to address them, and works with some of the researchers who panned the current implementation, they could be onto something."

Google is already onto something. That's the problem. Google *carefully* considered all the criticisms, but their only interest is in quelling the critics without changing what FLoC does.

Re: Choose your paranoia level:-

@Roger Greenwood

We fit into c1. As in, don't care and life is too short. We are far from clueless as somehow we manage to make a success of our business, therefore we have enough money. (Though sadly not millions)

Our answer to all this tracking thing is have one computer with no personal or customer info on it, to be used only for the internet. And it only takes a few seconds and 6 nouse clicks to clear caches and history. There are a couple of ad blockers on the machine, but life is too short to fight a battle we/you will never win.

And, kindly, dump the superior attitude

Re: What was once old is new.

Problem with selecting cookies is there's often so many of the damn things. Which is also the problem with some of the 'settings' nagware currently on websites. As others have pointed out "Yeh, Whatever" is a simple choice, trying to figure out which ones are really essential, and which aren't is generally obfusticated.

It's also been interesting to see how many websites seem to have outsourced their settings to scumbags like Quantcast.

Modern sites don't use popups

A pop-up is a window or tab which is spawned. Modern websites use CSS element hiding and other DOM manipulation techniques not covered by pop-up blockers. Of course, uBlock Origin, AdGuard and Adblock Plus all have ways to mitigate a lot of these annoyances using content filtering hooks.

Re: But aren't they required by EU law?

Two downvotes? Decided as none of the adverts make even 1p I've removed it all and the cookie acceptance box. Annoyance of GDPR having to have it.

Re: But aren't they required by EU law?

I downvoted because you didn't give a reason to have adverts on a web site that apparently only you use, intentionally. As for consent, since it is your web site, presumably you already consent to everything that it does.

I suppose that I could find your web site, accidentally, if Google knows about it. If it is a hosted Wiki, for instance.

Then you would have to have consent control on any feature of it that amounts to me providing information to the web site, instead of the other way around.

Otherwise, I suppose that "Authorized users only" and a login or PIN prompt as the front page would be enough to legally keep me out and let you in.

That just leaves that (1) running a web site may be not your main job or skill set and some of this stuff can be hard, and (2) what if you are temporarily working at the hardware key logger factory in the testing department.

For (2) you could create a separate account in your web site, stevie_when_at_keyloggers when you log in from that job.

For (1) you could just put all the data for your personal use onto Facebook and let them do the admin. But then using that in the workplace may be frowned on.

Re: Come on, Mozilla!

Repositories are there for *ubuntu, Raspbian and others. Apt updated to 3.8 yesterday. A dialogue-free visit to Vulture Towers today ...

This not good enough?

Re: Interesting...

"only used it to download Chrome a decent/real browser"

FTFY ;)

Re: Malicious Compliance

True but think it's the ICO isn't it? In the UK that deal with them? They'll do fuck all as already underfunded.

Re: Rubbish EU Law

If you had read the other comments, you wouldn't have written this rubbish. GDPR clearly distinguishes purposes and requirements. Arguing on a "rubbish EU / good Brexit" level, doesn't change those facts.

It's the more or less rubbish implementation many sites force down our throats, in the hope of eliciting unqualified reactions like yours, that are the real issue.