European Union set to revise cookie law, admits cookie banners are annoying

It would be nice if the options weren't like "Enable all cookies" and "navigate 4 menus that try to convince you to enable all cookies."

It would be better if you could set your preference on the browser once and never have to mess with it again unless you want to have exceptions for specific sites
- In theory this is done. There is a Do Not Track (DNT) header that is browser defined. Does anyone use it? Do they fuck.
AFAIK the regulation already says that the "only necessary" should be available with one click. I think the issue is that it's difficult to go after all the small pages that are breaking the law. The big ones like YT of Google already have the 'disable all' button on top, I'm guessing because EU complained.
- It doesn't say that it should be available with one click.
  
  It says that accepting should be just as easy as declining. Which also includes things like not being allowed to have a "greyed out" button to reject while the accept button is big and sparkly.
- It depends on the country. GDPR is not a law. It's a framework that countries use to implement national laws. GDPR doesn't say anything about one-click rejection, but some countries added it to their national law.
- I want an "only necessary cookies except one cookie to remember I clicked this option" button available with one click.

Just make it illegal to sell user data to "data partners", and use cross site tracking.

Nobody actually "consents" to this shit. They just don't read.

I really wish we had a simulated world sandbox to try these ideas out in. I suspect this might lead to the end of most free websites.
- TV never targeted commercials directly at "Dave Smith, likes fishing and interracial porn, lives in Chesterfield, searched for new cameras recently", but they still operated.
- Which free websites? The modern web is just:
  
  (Quasi-)monopolistic platforms (meta, google, xitter, etc.)
  
  Newspapers
  
  SEO filler
  
  Webshops
  
  Free sites already operating out of the goodwill of some random admin and making single-digit ad revenue anyway <-- you are here
  
  Porn aggregators
  
  SEO filler
  
  SEO filler
  
  Wikipedia
  
  End of list
  
  The only ones whose business model would truly be threatened and whose loss would be problematic are newspapers.
  OTOH newspapers accidentally cornering themselves in a "freemium" business model has fucked journalism over so bad I'm not sure how it could even be worse.
  
  Free websites like the ones we are on barely exist anymore anyway, because how the fuck do you "compete" in the "free marketplace of search indexing" when some russian troll is burying you to page 5 of google's search results and you can't reach anyone via facebook or twitter without paying thousands?
- They can just run ads without all the tracking bullshit and data collection like they do on every other medium with free ad supported content like radio and television. Somehow I can watch TV and listen to the radio for free and they manage to stay running without monitoring my every move.
  
  Might be less profitable for them but so be it. Just because tracking helps their business doesn't mean it is justified.

I'm not a fan of the cookie consent popups, but I do appreciate the EU actually trying to do something to protect people's privacy. Seemingly the only major entity to do so right now.

A better solution would be to force sites to care about the Do Not Track browser setting that currently does nothing as told by the browsers themselves.

The irony of DNT becoming another data point to fingerprint you with sucks.

Just add 2 things:

Cookie settings are possible to set in the browser for all pages.
There's a reject all button on every cookie banner.

There’s a reject all button on every cookie banner.

Most importantly, those banners should be streamiled to look the same at the very least. No highlighing "ACCEPT ALL" while graying out "reject all" nonsense. No swapping the buttons left and right, top to bottom trickery. I'd prefer if the browser takes care of it all, though. I'm already using a plugin for that, though it comes with draw backs.
- Which plugin do you use?
- Right, this!
  
  Tired of all the dark patterns.
No, just ban the collection of user data and selling to 3rd parties. Enormous fines for anyone still doing it. Destroy this entire industry please.
- The EU is primarily pro-business, but that also means being against anti-competitive and underhanded business practices
  
  The browser thing sounds like a good solution (although there must be a reason why DNT headers weren't made legally binding, potentially as they wanted to allow people to pick and choose what cookies they allow based on what they thought was "too far" or something but that's conjecture), however disallowing all user data will likely lead to companies not being able to advertise to people who are interested in their products, something which the EU will see as a negative and would also cause an uptick in scams and misinformation as you see in low quality advertising space at the moment
No there most definitely is not. Most banners have a big yes button, and you need to scroll to a settings button and then do five more things to not get cookies.
- He said that should be added
- So true. And then you have Schibsted, Norways biggest media conglomerate; the only way to reject cookies is that you have to log in in order to reject it! According to the cookie law (no idea what it's called), it's illegal. It's been reported to the EU and Norwegian government numerous times, but nothing happens. Fuck Schibsted!!
- I meant it should be added as a default thing you have in every one of those things.
But even if you reject all, you still allow them to track you through the legitimate interest cookies
- That doesn't sound like a legitimate interest and should be fined or something.
well, not on every cookie banner
The reject all is already a thing. (Well is not all all, but reject all except necessary but those doesn't matter much, they are not tracking).

That said usually is not called this way as obvious, sometimes is just "reject" without the all, "accept only necessary", "decline", etc or you have to close the banner etc or they use some other confusing pattern.

What's annoying is the "Reject" button hidden on another page. That should be illegal.

And it actually is... Quote from the GDPR:

It shall be as easy to withdraw as to give consent.
- The problem isn't the law. It's that it isn't enforced.
Plus the 'legitimate interests' of 3rd parties
- Yeah, definition of "legitimate interest" is definitely being stretched well beyond it's breaking point.
Pretty sure it is

It should be just a browser option.

You set cookies on or off, ans the browser sends the option in the headers. Websites just need to take the option from the header instead of a banner.

It already exists and is called "do not track".
- Unfortunately by sending DNT you are merely suggesting to the server that you wish to not be tracked. There's no requirement for the server to actually care about you at all.
  
  Now, if DNT were actually legally binding though - that would indeed be very cool.
That has been tried with the DoNotTrack header. Turned out servers didn't oblige by it.
- That's because it was entirely voluntary. It should be integrated in the browser by law, and the choice should be binding
- Yeah, but if the EU required sites to pay attention to them...
There are addons (for firefox at least) where the cookie banner will come up but your browser auotmatically refuses all cookies.
- Yes, but it often doesn't work and even when it does the site is unusable while it works, which for some particularly awful banners is several minutes. The situation is worse on mobile where most people have a browser that you can't install add-ons to (and I'm not sure if that one works in firefox mobile anyway)
- https://consentomatic.au.dk/
  
  This is the one I use. It's FOSS and developed at a university.
Am I mistaken in believing it is an already a browser option?

Off the top of my head Qutebrowser and Falkon both support not-saving 3rd party cookies.
- Your browser can not save third party cookies, but it might break some sites. Some advertising situations allow the use of first-party cookies, and blocking first-party cookies will break most sites.
  
  In either case you will still have to fill out the consent form, and if the consent is stored in the kind of storage you block, then you will have to fill it out every single time you visit.
The DuckDuckGo browser has this baked in as 'Cookie Pop-up Protection'. It doesn't quite get rid of them all, and doesn't let you set a default for what you want (it'll basically pick the most privacy-forward option) but I've found it works pretty well.
if website has a choice, then they will often choose an option that benefits them the most.

Good news is third party is being phased out now https://developer.mozilla.org/en-US/blog/goodbye-third-party-cookies/

They should do something about "consent platforms" using various DNS tricks and thousands of domain names to bypass/evade user blocks.

I wasn't so bothered about some non-invasive ads a few years ago, but I absolutely despise any kind of ad now TBH, and it's mainly down to how persistent some of these platforms are with their evasion tactics

Also pretty ironic for their popups to talk about "respecting" my privacy when these platforms literally do the opposite of that to show their popup in the first place. I will not support any of them, in any way, on my network.

As soon as I see a new one appear when browsing, I chuck it into dnsdumpster so it can get recorded with the rest of them, and then block the new list from dnsdumpster (grid icon) on my network.

The EU law explicitly says no consent by default and users have to opt in. All of these cookie banners are breaking the law, the law doesn't need to change it just needs enforcing and these banners will disappear. We already have a do not track header and that could be complied with but it's enforcement that is the problem.

How do they break the law? The opt-in forces them to ask you first and that's what the annoying banners do. Sites that don't care about tracking also don't show these pop-ups.
- The default should always be “no”. The user has to opt in.
  
  The law specifically says not to do the super complex dark pattern deny every 3rd part cookie manually by hand - crap.
  
  The problem is that it’s not enforced

Now don't make it worse!

Narrator: They made it worse
- 'they always can, they always will'

I'd be happy to keep the ones that say:

"we notice you are in europe and we can't use our cookies to track you so you can't come to our website"

It's good to know sites with policies like that to ensure I never visit them.

"It is literally impossible for us not to spy on you or sell your data. Sorry not sorry bye."
Typically, those already have geo filters because they can't be bothered to implement EU requirements.

Unless you're outside of the EU, of course, in which case you'll probably be tracked no matter what.
- One example I know if is my hometown newspaper, dentonrc.com; I have a friend who moved to Europe and was annoyed that they geo-blocked him, but I can't really blame them. How many people are really gonna visit the site for a small American newspaper from the EU? From a business perspective it makes no sense for them to pay a developer to do more than the bare minimum.

What if this wasn't a website issue but a browser one. Browsers invented cookies so browsers should be the ones to implement the banner feature. All Developers would then be forced to implement fallbacks to their cookies since the user could turn cookies off. If it was browser based fix then it would be a consistent UI and developers wouldn't be able to do shady shit(at least with cookie consent is concerned)

Damn, this is a really great solution. Then I could decide once if I wanted the cookies and the browser would decline/accept(lol) all from that point.
- Ahh a good idea. Basically guarantees it will never get done.
Technically you can do this already with some firefox settings, or with extensions. Set your preference and forget.

Eh, I think cookies should just be opt-in unless they're absolutely necessary for the site to function.

Then all cookies will be considered necessary. It's very hard to legislate the edge case.
- It's already the case that necessary cookies don't need permission, but websites do not abuse this to not show the prompt. This is because the legislation has teeth.
This is exactly the spirit of the cookie law
Companies already bundle their invasive data collection with necessary features so if you block it than the website just won't work, this would incentivise that behavior if necessary cookies are automatically approved.
- Ah yes, the good ol Internet ~~Exploder~~ Explorer tactic
This is what the regulation was all about. The law did not said anything about cookies, they are the core web technology, just that you must be asked for personal data processing.

At least the regulation show us how shady internet is. That banner only shows up if the website is going to use cookies to use your data as a way to make profit. The fact that every website is doing that was eye opening for a lot of people.

Lol I'm a web developer who has put hundreds of those banners on clients' sites. Not as part of some nefarious data-selling scheme, but rather as a shallow tickbox exercise in order to comply with laws about technology they don't understand.

In this case, assuming ignorance over malice is the way to go.
- In this case i assume you're an ingnorant developer who didn't thought of better options to comply with the law

Not only are they annoying, they go half way to legitimising the theft of user data.

Exactly. Identify what uses are legitimate and what uses aren't, and legislate directly. None of this consumer consent crap because it's meaningless to consumers. No consumer benefits from their browsing habits being under surveillance.
- Was done before too, but now the websites simply need a banner for using categories of cookies which require it (tracking, marketing, ..)
  And we already have GDPR at least limiting activities in a broad sense. (of course lots of leeway, but still much better than before)
  You cannot do more with a cookie banner you couldnt already do before.

I bet they will keep adding loopholes to keep websites bullying their visitors.

why bother making legal frameworks when you can't enforce them, there are hundreds of thousands of website including very prominent ones that hide the "reject all cookies" button after a second screen prompt. or flat out force you to opt-out of every second cookie category , just so you give up. they haven't been fined. and they know EU authorities aren't bothered either, so they keep infringing on the GDPR.

Lawmaking is a slow and tedious process full of compromises, and the EU is apparently the only governmental body that cares enough to actually do something against the wild west of digital tracking. I for one am happy about that, and contrary to public opinion the GDPR is actually being enforced (albeit not strictly enough).
I saw one that required you to decline every single company that was purchasing marketing data from the site. It was like 300 companies long where you had to click the slider to turn them each off individually.

Sometimes, it’s difficult to discern which setting of the slider is on or off. They use nonstandard colors or don’t explain in text which setting signifies each option.
My biggest qualm is that usually these sites won't save it when you only allow necessary cookies. So they will ask you for every single session until you give in.

A start would be to require sites to remember non-consents for at least as long as they remember consents. Why do I have to be asked about cookies by every site every month?

That sort of thing is stored in a cookie.
- You don't need permission for that particular one, though, it's site functionality and the user can reasonably expect that that kind of thing gets remembered.
  
  Lots of stuff doesn't need permission, when you're seeing a banner either you're dealing with someone clueless, or they want to track you. Or both, of course.
Web developer here. A “cookie” is just a piece of information stored on your machine. A cookie can be a setting, saved app data, or a tracking id.

The reason you keep seeing the banner is because by saying “no” to cookies, you’re telling them they don’t have permission to store ANYTHING on your computer. Which is fine. Your computer your call.

But if they can’t store anything on your computer, there’s no way to remember that setting next time you come to the website. No local setting storage means they don’t have the stored “no cookies” setting to load. Likewise there’s no tracking id they could potentially look your setting up in their own database by.

Web site requests are “stateless”. That means that, to a web server, each and every single request to a server is its own brand new, separate connection with no link to any other connection. The only way to share data between individual requests is via some kind of stored “state”. That state can come from your computer in the form of cookies, or from the server in the form of sessions. But linking a connection to a session requires your computer providing a session id; and guess how your computer has to store a session id? If you guessed “in a cookie” you win.

Are cookie popups annoying? Oh holy Christ yes, both from a web user standpoint and from the stand point of having to implement them as a developer. But by outright rejecting cookies (and/or auto-wiping your cache/cookies when you close the browser), you’re telling the website it’s not allowed to store your preferences for not having cookies and eliminating the websites ability to recall that preference at all.
- The reason you keep seeing the banner is because by saying “no” to cookies, you’re telling them they don’t have permission to store ANYTHING on your computer.
  
  That's not how the regulation works. You don't need to ask for permission to remember settings the user actually set themselves. Those companies don't want to remember.
- I know how HTTP works. These banners are supposed to (and are legally allowed to) store a cookie saying you have refused. Websites are allowed to store session cookies with displaying a banner at all.
No cookies storing your answer
- No, they set a cookie to store it, but with a low retention period, so you get bugged again.
Because you are cleaning your cache/cookies and wiping out the record of your selection, or outright rejecting them so they are never saved to begin with.

A serious law would be like (but in legalese):

By default you CANNOT use tracking cookies
If you want to use them you should have a Table that classify them based on how much fingerprint do they take
Then you have to explicitly ask the user in the most clear and unintrusive way possible if you can track them
And the consent should last 30 days max

That is actually really close to what is present now. The EU never said "use cookie banners" but rather "if you really want to track people, they have to say yes". And most commercial websites decided to make it hard to say no, now everyone blames the EU for doing so. Your second point is not yet implemented, this would be really good for consumers.
- They never should have made opt-in an option in the first place. All the legitimate reasons to store data are already permitted without asking permission (required for the site to function, or storing data the user specifically asked the site to store such as settings). All that's left is things no one would reasonably choose to consent to if they fully understood the question, so they should have just legislated that the answer is always "no". That plus a bit more skepticism about what sites really "need" to perform their function properly. (As that function is understood by the user—advertising is not a primary function of most sites, or desired by their users, so "needed for advertising to work" does not make a cookie "functional" in nature. Likewise for "we need this ad revenue to offer the site for free"; you could use that line to justify any kind of monetization of private user data.)
Seriously I hate how disabling cookies is a hassle that you have to do on a seperate settings site... Where you get another cookie banner obstructing half of the settings
Sounds like the current law, except for the last point. The problem is with enforcing compliance.

And you know what? That’s cool. They’re not doubling down, they’re not staying the course. I’ve spent a lot of time in the EU and yeah, those cookie pop ups absolutely are annoying, but as a US citizen it’s a reminder of how the EU is trying to protect its citizens, FBFW, how the US is still bending to corporatocracy, and I am simultaneously envious and annoyed as I click “Alle Ablehnen”.

Just don't remove it entirely, currently companies will at least pretend to comply.

bEFORE yOU cONTINUE tO gOOGLE sure is annoying though.

Remove banners, just make the companies respect the browser setting.
Please do remove it entirely.

I manufacture data about myself. Businesses want to collect this data for their commercial benefit and profit, without paying me. Cookie splash screens almost provide a method for this to happen legitimately, while still not providing me fair consideration.

Businesses should be prohibited from collecting user data, from taking value, without paying for it.
- How could you enforce a ban on any kind of user data and how could such a compensation system even work?

It would be less annoying if you could easily tell it that you don't want garbage. Instead, when you select your preferences you have to go through a whole list of options. By the time you're finished customizing your cookie preferences you've forgotten why the hell you went to the page and what the hell the page is. It's ridiculous. It should be as simple as having two buttons: one for accepting the site's default garbage and another for for rejecting the site's default garbage.

The browser extension Consent-o-matic does this and was developed with money from the European Commission.

All of these comments that say different things, but all sound like "just do X, I'm an expert in EU laws and their theoretical consequences". It's as simple as that, is it? Wonder why nobody thought of that before.

Admittedly, but I for one can say with justified self-reliance that I expected this outcome even before the directive was in force.
- Nice

Oh. Someone at the EU Commission started to use websites? 🤔

OH THANK f'ING GOD

I actually just landed in the EU for the first time since 2014, and i'm honestly quite pleased with the notifications i'm getting (albeit not the ones discussed here). The first time I opened AirBnB since landing, it asked me permission for all the data it wanted to collect for targeted advertizing, and I was actually able to turn off most of it. I wish the US had the same.

The website popups are quite annoying, but those are easier to control anyway by picking better browsers and extensions.

Ban adtech

Adtech is in another US

Common European Union W

Ah. I wasn't aware of that. Thanks!

About time. Last time I pointed out the uselessness of cookie banners, the reddit hivemind downvoted me to heck.

If a service wants to proccess your personal data they must get a consent. What's useless about that?
- For starters, calculate how many million man hours it's wasted. This very article is them admitting they went about it the wrong way

Cookie Monster approves.

Because asking nicely and hoping always worked that well...

Finally. They are total bullshit.

This is the worst output of EU regulation ever. How has it taken them so long to realise it's annoying?! Don't they use the internet in Brussels?

You dont need a cookie banner if you dont want to invasively track the users.
So its really the fault of the websites for wanting to use categories of cookies which do require a banner (ad and tracking).
- Indeed
  
  Plenty of websites that don't have a cookie banner like Wikipedia and Lemmy. And both of them are completely legal.
  
  It is only after the cookie banner that we now know how many websites are actually selling our data, turns out it is the grand majority of them.
You must hate your doctor for giving you the diagnosis of your illness :P