this post was submitted on 19 Mar 2024
92 points (92.6% liked)

[–] [email protected] 43 points 7 months ago

Most of the cookie banners are breaking GDPR. The requirement under GDPR is that privacy must be the default and users can select to opt in. So most of the banners you come across that default to all tracking are against the law already. The legislation didn't stop them being annoying in this way but a few prosecutions for the breaches and dark patterns would set things off on a better path.

[–] [email protected] 26 points 7 months ago

Yeah I've been saying this to people. Don't get mad at GDPR, get mad at companies who harvest your data

[–] [email protected] 19 points 7 months ago (2 children)

> companies could show their annoying banners only to the EU residents.

It starts out badly by assuming that web servers are able to tell which country their visitors reside in.

The "do not track" header is not turned on by default in most web browsers. If it not being present were legally safe to take as granting permission to track everything, many of the big web publishers would've gladly done so. Making it mandatory to respect the DNT header would have required a different law than the one we got. But it probably still wouldn't have been the best option.

The right answer to getting rid of tracking cookies is the 3rd-party data isolation pioneered by Firefox, combined with fingerprint-resistant browsers that clear all but whitelisted cookies on tab close or browser exit.

[–] [email protected] 7 points 7 months ago (2 children)

Did you read the article to the end? The entire point is that these banners are not needed at all, anywhere in the world.

[–] [email protected] 3 points 7 months ago (1 children)

That conclusion depends on two things: That the "do not track" header would suffice instead, which I think it doesn't as things stand; or that all builders of web sites would do better not to make any attempt to (for example) keep track of which of their visitors have been there before, which is not going to happen for reasons that are obvious. If those obvious reasons are found to be inadequate, they should at least be addressed to make the point convincingly.

Otherwise one might as well go ahead and say that most of what exists on the web today is not needed at all, which is also technically true. It's strange to see it suggested that it's wrong to think law makers "should have known" that something like what happened would be the result. It was inevitable from the start, and as I recall much talked-about. The sites that have cookie banners are all trying to sell you something, and the sales department is not going to willingly give up the best tools it's had since the 1990s when the cost is just looking slightly more sleazy to first-time visitors.

[–] [email protected] 3 points 7 months ago* (last edited 7 months ago) (1 children)

> or that all builders of web sites would do better not to make any attempt to (for example) keep track of which of their visitors have been there before

If there is a technical reason to do so, the GDPR explicitly allows doing so without any consent banner... and if there isn't other than harvesting data to sell it to advertisers, then yes there is no reason to have that.

[–] [email protected] 2 points 7 months ago (1 children)

The article seems to confirm what's been my understanding, which is that pretty much anything beyond "session cookies" or the like is covered, whether or not the data collected gets sold or transferred to anyone else.

But yes, there are reasons why data gets sold to advertisers as well. Commercial incentives which are strong and predictable. Regulations should not be designed as if they aren't there.

[–] [email protected] 2 points 7 months ago (1 children)

> Commercial incentives which are strong and predictable. Regulations should not be designed as if they aren’t there.

The entire point of the GDPR is to rein in those "commercial incentives" to spy on users for a little extra money from advertisers.

But I am starting to get the feeling I am trying to argue with someone who makes a living out of spying on users and selling that data to advertisers, which makes this argument moot.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

Nope, I'm not one of them. But I have worked for large companies in the past and therefore have met them.

The GDPR has done substantial good, not least in just getting people to talk about this sort of thing. But the cookie banners are and always have been ridiculous and a sign of one of its failures. An outright ban on surveillance capitalism business models would suit me better.

[–] [email protected] -1 points 7 months ago

Which may be correct, but given that they mangled the argument in that section, we can't exactly trust the rest.

[–] [email protected] 2 points 7 months ago

Also, it's not just which country they are in right now. It's what country they are a citizen of. It's impossible to know that for a random visitor, so the default is to show it to everyone.

[–] [email protected] 11 points 7 months ago (1 children)

Banner? Why? What'd she do?

[–] [email protected] 1 points 7 months ago
[–] [email protected] 11 points 7 months ago

The other side of this is US websites that display "not available in your region" instead of the content.

[–] [email protected] 9 points 7 months ago* (last edited 7 months ago)

I think this is companies making something annoying, blaming it on EU privacy laws, and then thinking people will be against these laws in other countries because of the inconvenience.

Same strategy of companies doing things like putting "Contents may be hot." on hot coffee and encouraging people to make fun of the McDonald's Hot Coffee lawsuits. People think it was a joke when it was McDonald's deciding to keep coffee extremely hot since it lasts longer; they saved so much money on coffee they could easily pay people off who got 2nd and 3rd degree burns because of the extremely hot coffee. But then one elderly woman got severely burned in the groin area and the jury got so angry they awarded her a couple of days' worth of McDonald's coffee profit. Don't let companies do this type of thing!

[–] [email protected] 9 points 7 months ago (1 children)

It's mostly correct what the article says but I'll never really understand why you would quote some laws and not say which ones you're quoting. The relevant parts here are not from GDPR but from the ePrivacy Directive 2002/58/EC, i.e. the more specialised law on what the EU calls electronic communications. And its Article 5, paragraph 3, which is about "information stored on the terminal equipment", meant to include cookies without calling them such, was added to the law in 2009, 7 years before GDPR was adopted.

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago)

It should also be noted that a directive isn't an "EU Law", since it cannot be enforced directly (as opposed to an EU regulation such as the GDPR). It's basically a framework that all EU member states have agreed they would each pass as a Law in their own jurisdiction (which explains the first quote in the article beginning with "Member States shall ensure ...").

Since ePrivacy is "just" a directive, each member state has since passed their own implementing Law that has the same basis but can vary in its specifics, so rules on tracking and cookies aren't the exact same in each member state.