"You DON’T need consent for: First-party cookies used just for your own analytics (in most cases)"
They claim that, but the page they link to as the source says "You must...Receive users' consent before you use any cookies except strictly necessary cookies.". So what exactly makes them think that first-party analytics cookies are "strictly necessary"? The Mastodon link at the start of the page doesn't seem to work.
Case in point, the EU Data Protection Board has a cookie consent banner and only uses a first-party cookie for analytics.
https://www.edpb.europa.eu/concernant-le-cepd/mentions-legal...
Exactly. Analytics is one of the types of data for which permission is explicitly required.
Session auth cookies are the only ones the EU considers strictly necessary.
> Session auth cookies are the only ones the EU considers strictly necessary.
There are several others which are permissible. The EU has six examples.
https://commission.europa.eu/resources/europa-web-guide/desi...
This is what the European Commission has determined to be acceptable for them. One very important distinction here is, as far as I understand, that the EC is not bound by the ePrivacy Directive, as directives bind member states and require them to include them in their national law.
The text on that website does state that some DPAs have found some first-party analytics acceptable, but that's not something that is confirmed by the CJEU. And the ePD does not have a one-stop shop, so you need to follow every DPA's directions if you are offering services to that DPA's country.
Anyone that says the quote is the case doesn't know what they're talking about. For the love of god, just read the law text :(((
I wonder how many people provide consent through these banners. Is it frequent enough to be worth the terrible user experience?
I know some sites use dark patterns in their cookie banners, which I consider to be a helpful hint that the company doesn't respect the users.
Considering that for most banners the "consent" is the easy option I assume a lot. People want to get rid of the banners.
However, I claim the point of the bad UX is to make users angry and then have them complain about the EU etc. "demanding" those, in order to weaken the regulation of tracking. If they are successful (and they are making progress), "no more cookie banners" is a much better headline than "more tracking".
The failure of the EU was to not write into (an updated version of the law) that setting a specific HTTP header means "no", and "no" means "no" not "show me a popup to ask" (i.e. showing a popup in such cases would not be allowed).
It wouldn't matter because most of the consent flows you see are already not compliant. The problem is a perpetual lack of enforcement even for the blatant breaches. An HTTP header wouldn't change the situation, websites would still ignore it and still get away with it.
The consent flows are good enough that the companies selling them can claim that they're compliant, and enforcement is slow, partly because there are so many things that are not 100% clear.
The header would be a relatively clear cut situation, also opening the path to private enforcement via NOYB & Co.
A mandatory header would get implemented on sites that even halfway try to comply, and it would be extra easy to enforce on fully malicious sites. I think it would be useful.
Those are technically in violation of the GDPR since the opt out is required to be just as easy as the opt in.
No, they're directly in violation. This is fully settled; it's just that some companies are counting on it not being "the thing that gets an enforcement action".
In recent pop-ups, you are technically opted out by default (or at least that is how it is presented; I have not actually checked their cookie activity).
It is two clicks to confirm that choice and dismiss the pop-up versus one to accept all cookies but if you choose to interact with the site and ignore the pop-up instead, you are supposedly non-essential cookie free by default.
How is ease of opt out versus opt in objectively measured?
Most of the time both options are presented clearly and within a few pixels from each other, but opt-in is usually slightly more eye catching and/or more appealing. But the effort in terms of distance for mouse movement or number of clicks is the same. While that’s a design trick that will improve % of opt-in, how can it be argued that the opt-out was not as “easy”?
It is very common for there to be "accept all" and "more options" buttons where rejecting all requires multiple clicks via the latter. The sites which have a "Reject all" button right next to the "Accept all" one that's the same size and such aren't flagrantly violating the law.
The wording is such [0]:
> If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
> ... It shall be as easy to withdraw as to give consent.
Your example does appear muddy, but I also doubt any enforcement targeting such sites.
What however is extremely common is an "Accept all" vs "Manage settings" which opens up another panel, where there is still no "Reject all" option, and only various settings where you can "Save choices" which might or might not default to what you want. Such cases are obviously blatant rule violations, both in amount of clicks and obfuscation of consent.
[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...
Then how is it some websites (I think the one I'm thinking of is The Sun or The Mirror) paywall the decline option? Presumably this is just illegal?
Except there are plenty of websites that are: accept cookies (yes) (no - you must pay), which is an extreme breach of GDPR.
But GDPR is toothless and ill thought out.
The effectiveness will vary with how well it will enforce, which is up to EU states to decide at the national level.
Most of the sites use dark patterns in the banners, from not presenting decline option to hiding and renaming it to be unrecognizable. For example I make an effort in always picking Decline All option if available and the practice shows that I click on Allow All in about 20-30% of all banners, because it was impossible to avoid. So I safely assume that general population clicks Allow All even more.
From what I understood—but I think it's been added more recently—declining all optional cookies must be as easy as accepting all cookies.
Exactly, it is defined in the GDPR law that declining should be as easy and accessible as accepting. So all of those companies with dark patterns are breaking the law.
I have been on a call with a CMP where they got mad at me for not resetting our users' preferences and because our 'do not accept' rate was high due to the fact I refused to de-promote it via a dark pattern. I kid you not.
FWIW, looking at our stats for the past year:
No consent: 40.8%
Full consent: 31%
Just closed the damn window: 28.1%
Went through the nightmare selector: 0.07%
~1.5M impressions from GDPR areas
It's always those awful websites with a million popups, adverts, sites that reflow after 10 seconds, etc. They would be horrible to use even without the cookie banners.
“You DO need consent for: Third-party tracking cookies like Google Analytics, Facebook Pixel“ Since most websites use GA then yes most need the banners. You could say most sites don’t need GA but that’s a different argument.
GA is free while Fathom and Plausible are not. I think that's the main reason why GA is so popular and therefore why most sites need cookie consent banners.
That’s the argument made by the article.
Which is why this article has no value. The title is completely disconnected from market reality
Correction: none of them do. The biggest misunderstanding in how tech works by the EU ruined usability for eternity.
I think if you are using Google AdSense, you have to show this annoying thing to all your visitors...
But if you're including ads you're already past the point of caring about annoying your visitors.
Not at all. Ads can be displayed in a respectful fashion and not interfere with content. This is a lost art, I know.
Disclaimer: I work on a consent product.
If you're in any way something beyond a hobbyist, you should probably get legal advice about whether you need to get affirmative or implicit consent, whether you need to handle universal opt-out signals (in California, Global Privacy Control signals are now legally required to be respected), etc.
Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
And a proper consent banner will immediately handle your GPC signal, and generally not show you anything (California now requires a visual notification that your preference has been respected).
I understand what the author is actually saying: you can design sites that don't require the tracking tools requiring consent. And yes, while true at a certain (small) scale, when you have hundreds of millions or billions of page loads per month, and several development teams, a partnership group, and a lot of moving parts, you'll forgive me for thinking this is impractical.
Consent banners don't have to be awful, I promise.
> Disclaimer: I work on a consent product.
Forgive me for immediately distrusting you on the matter, because the reality distortion field must be strong. Cookie banners are an absolute crystal clear evil and there is absolutely no leeway for a different opinion here.
(Tracking is also an undisputed evil)
> Consent banners don't have to be awful, I promise.
False.
They absolutely have to be awful because that's the whole premise of the law. You have to get the user's consent. In order to force the user to make a choice, you have to make it more annoying than it is annoying to read your content while ignoring the popup. The only way to conform to the law is to make users' experience on your website miserable.
> true at a certain (small) scale, when you have hundreds of millions [...] this is impractical.
True.
However, it is also impractical to actually use the consent dialog. Because all the trackers and tools that different teams are adding to the site have to communicate with the cookie popup somehow, and no living programmer would be bothered to even think about it. Nothing good for the world comes out of presenting and respecting the cookie popup (*).
Thus I see fake cookie consent popups that are actually ignoring users' choices.
(*) On my site I do my best to respect the user's choice and do NOT track them once they hopefully reject.
Why are you tracking when it's an undisputed evil? Reality distortion indeed.
Is getting consent interruptive? yes. Is that worse than not getting consent? Also yes.
Since you don't appear to want to give up the undisputed evil of tracking, then consent is what's left to you. You've made the same choice as everyone else.
I'd encourage you to respect GPC and DNT, so the (roughly 20%, depending on audience) of users that have it enabled can automatically opt out of your tracking without the "crystal clear evil" of a consent banner. Remember that in California you need to show some display that their consent choices have been observed.
> Why are you tracking when it's an undisputed evil?
Not that tracking. You know what I mean: tracking by ad networks and international corporations.
We are tracking events (users clicked on the button) in an anonymous fashion. We do not collect PII. We do not store IPs. We do not correlate behaviors with user ids. We simply track how many people clicked the button and on what page. This is hardly privacy invasive at all.
> Is getting consent interruptive? yes. Is that worse than not getting consent? Also yes.
I'm not entirely sure about the latter. First of all, I don't believe in the slightest that the site will respect my choice. Second, even if the site itself does, the ad network present on the site, definitely will track me no matter what.
In other words, consent banners are cargo cult, do not work in practice and are a net negative for the world.
> DNT
It was an obvious idea but didn't work, unfortunately, due to the fact that ad networks absolutely have to look down users' asses and they will not cease this practice.
> users that have it enabled can automatically opt out of your tracking
They can install adblock and wholesale opt out of all the bullshit, including insane cookie consent banners.
> Remember that in California you need
My business is not California or US based and thus I don't have to implement the vast variety of cargo cult laws in existence.
> the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
The page describing the law has more examples of cases where you do not need consent than the ones you do.
https://commission.europa.eu/resources/europa-web-guide/desi...
Covered under the law: they are, they really are.
You're required to disclose. I didn't say consent.
This is precisely why I say talk to a lawyer. I appreciate the firmness of your conviction, but not reading what was explicitly stated, well.
> I appreciate the firmness of your conviction
I don’t understand how you could misread “firmness of conviction” in my comment. I made it as short, bland, and neutral as possible, on purpose. It’s just a statement of fact with a source.
A statement of fact in response to a thing I didn't say.
In fairness, I have worked for a company which did talk to a lawyer about this and ultimately we didn’t have a cookie banner nor a disclosure of the cookies used (cookies were minimal and without personal information, essentially site settings not even associated with accounts).
So I didn’t misinterpret what you said, it’s just that I have seen consent and disclosure always hand in hand.
It’s been years since I read the law in full myself, so it’s possible you’re right. I’m going by my own recollection (which can obviously be flawed) and the result of a lawyer’s interpretation (which is the thing you recommended) but I’m not one myself.
I still don’t understand (nor have you addressed) how you misread “firmness of conviction” in my words, especially when I purposefully did the opposite because I understand that these legal matters can get fuzzy.
> I have worked for a company which did talk to a lawyer about this
We have also retained lawyers in the UK for the same matter and they could not come to an ultimate conclusion about what constitutes tracking and what does not.
The whole matter is that brain damaged.
> proper consent banner
It is also quite complex to integrate a third-party consent management platform in a compliant way; the tool itself is a script, but it somehow needs to preempt loading of any other scripts until the right consent is given (there's also an argument whether the CMP being third-party is itself a breach of "data minimization" when such functionality can trivially be done in-house, or at least self-hosting the script).
The majority of sites fail at this, which already breaches the GDPR since merely loading a third-party script discloses your IP address and browser fingerprint to them.
It's not a big deal in their case because their CMP is itself configured to be non-compliant, but if you want to be compliant with a third-party CMP it's likely the effort to integrate it properly would be just as much as just doing it in-house.
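Two of the technical points raised in this thread, the suggestion to honour GPC and DNT so those visitors never see a banner, and the requirement that a consent tool keep third-party scripts from loading at all until the matching consent exists, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the thread or from any CMP mentioned in it. The `Sec-GPC: 1` and `DNT: 1` request headers are the real signals; the first-party cookie named `consent` with a value like `analytics:1,advertising:0`, and the inert `<script type="text/plain" data-consent="..." data-src="...">` markup, are assumptions made for the example.

```javascript
// Added example for this thread, not code from any consent product named in it.
// decideConsent() turns request signals and the site's own consent cookie into
// a per-category decision; activateScripts() releases inert third-party script
// tags only for granted categories. Assumed (not from the thread): a first-party
// cookie "consent" with a value such as "analytics:1,advertising:0", and markup
//   <script type="text/plain" data-consent="analytics" data-src="https://..."></script>
// which the browser never fetches until the tag is swapped for a real <script>.

const CATEGORIES = ["analytics", "advertising"];

// Parse the assumed "consent" cookie out of a Cookie request header.
// Returns null when the visitor has not recorded a choice on this site.
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return null;
  const choices = {};
  for (const pair of m[1].split(",")) {
    const [key, val] = pair.split(":");
    if (CATEGORIES.includes(key)) choices[key] = val === "1";
  }
  // A cookie that names no known category is treated as "no choice recorded".
  return Object.keys(choices).length === 0 ? null : choices;
}

// headers: plain object of request headers; key case does not matter.
// Default is deny: with no stored choice nothing non-essential loads and the
// banner is shown. Sec-GPC: 1 (Global Privacy Control) or DNT: 1 counts as an
// opt-out and, as a conservative design choice in this example, also overrides
// a stored "yes" for every category.
function decideConsent(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = String(v);

  const optOutSignal = h["sec-gpc"] === "1" || h["dnt"] === "1";
  const stored = parseConsentCookie(h["cookie"]);

  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = !optOutSignal && stored !== null && stored[c] === true;
  }
  return {
    granted,
    // A signal is already an answer, so no banner is needed for it.
    showBanner: stored === null && !optOutSignal,
    // Drive the visible "your opt-out signal was honoured" notice from this.
    signalHonoured: optOutSignal,
  };
}

// Pure helper: which inert script descriptors ({category, src}) may be loaded.
function selectScripts(scripts, granted) {
  return scripts.filter((s) => granted[s.category] === true).map((s) => s.src);
}

// Browser side: swap each permitted inert tag for a real <script>. Tags for
// categories that were not granted stay inert, so their hosts never receive
// the visitor's IP address or browser fingerprint.
function activateScripts(doc, granted) {
  const nodes = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const node of nodes) {
    if (granted[node.dataset.consent] !== true) continue;
    const live = doc.createElement("script");
    live.src = node.dataset.src;
    node.replaceWith(live);
  }
}

// Constructed sample requests (not real traffic) showing the three outcomes.
const SAMPLE_REQUESTS = {
  firstVisit: {},
  gpcUser: { "Sec-GPC": "1", Cookie: "consent=analytics:1,advertising:1" },
  optedIn: { Cookie: "session=abc; consent=analytics:1,advertising:0" },
};
for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, JSON.stringify(decideConsent(headers)));
}
```

Server side, `decideConsent(req.headers)` runs before the page is rendered and the decision is written into the page; in the browser, `activateScripts(document, granted)` runs once on load and again after the visitor submits the banner. The defaults carry the weight here: with no stored choice and no signal every tracked category stays off, because the absence of a signal is not consent, and a third-party tag that is never fetched discloses nothing to its host.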
CMPs generally don't do well with this. Admittedly.
> Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law
You're mixing GDPR up with the ePrivacy Directive (henceforth "ePrivacy", not to be confused with the proposed ePrivacy Regulation). GDPR Recital 30 describes how cookies should be understood in relation to the GDPR (to the extent that GDPR Article 4(1) didn't already make it clear), and GDPR Recital 15 affirms that "the act of writing any cookie" doesn't have any special treatment under GDPR. Whereas ePrivacy Article 5 ¶3 discusses "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", and is the real source of nearly all "cookie consent" obligations in the EU. I hope you don't work on the legal side of the consent product!
Less pithily: I've noticed a lot of "consent" providers getting this basic stuff wrong, both in their marketing copy and in their actual products. I (along with most internet users) have a vested interest in any improvements in this area. I'm available to discuss this further, if that would be helpful – keeping in mind that while I know a lot more about this than many working professionals apparently do, I'm still very much an amateur with no formal legal training.
ePrivacy Directive as amended in 2009: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
GDPR as amended in 2016 (without recitals): https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
> I'm available to discuss this further, if that would be helpful.
That would not be helpful, because the whole business of "consent management" is to provide plausible deniability and the illusion of compliance to businesses without actually making them comply (since complying with the GDPR would incur significant cost and obsolete most of the marketing/analytics team's jobs).
I'm very sure they perfectly know what they're doing and have the budget for the best legal advice money can buy, it's just that their business is all about selling the illusion of compliance instead of actual compliance.
It's the fault of the regulators for still not cracking down on this after 8 fucking years. Detecting non-compliant consent flows is trivial with a web scraper.
> in their actual products
The products are configurable by the customer. Now you could indeed argue that the product should not offer an option to configure it in a way that would be in breach of the regulation it's supposed to help you comply with... but again see above.
I'm pleased when there's at least one configuration that isn't in breach of the regulations. Sadly, many providers don't even manage that.
I appreciate your precision. Most folks, unless discussing specific provisions, just use GDPR as an umbrella term, much like the CCPA is still used and inclusive of CPRA.
This response sounds suspiciously like competence. Do you mind disclosing which consent provider you work for, so I can have a look? (I only ever found one consent product I was really happy with, and it shut down a few months after I discovered it.)
It's DataGrail. I don't mind disclosing it, but I was kinda hoping not to because I'm really not here to advertise... I guess I won't say I know the subject, but do have some experience. lol.
I'd be happy to discuss directly if you want. Not sure how to exchange details if you're interested but we can figure something out I guess.
Unfortunately, DataGrail is a US-based company using Google Tag Manager to provide personal information about its website users to Facebook, Microsoft, Google, and other advertising companies. Per the Privacy Policy, the company seems to believe that pseudo-anonymization is sufficient to be allowed to keep and use personal data for any purpose, which it is not: per GDPR, data minimisation is necessary, but doesn't exempt you from properly fulfilling deletion requests. I can't find out how they actually use personal information collected from users: the best I can find is:
> If you have any questions about the lawful bases upon which we collect and use your personal data, please submit a request through the DataGrail’s Privacy Request Form or email DataGrail at privacy@datagrail.io.
Informing me of my "right to obtain" certain information without actually providing it is not okay; and the rather selective descriptions of the rights of the data subject feel like a GDPR Article 12 violation. (For example, it partially discusses Article 15(1), but omits Article 15(2).) Having investigated the Privacy Request Form (https://preferences.datagrail.io/form/access), it's requesting I identify myself in order to learn how my personal information's being used. I can't remember the exact reference, but I'm pretty sure this is explicitly forbidden by GDPR: something about not gathering or storing information with "it's needed to satisfy GDPR's bureaucratic requirements" as justification. (Yes, I know I can email instead: that's not the point.)
I could go on, but… it doesn't really matter how good a company's services are (and those services do look pretty good!) if I can't trust the company to begin with. DataGrail appears typical for the industry, rather than exemplary (as I had hoped it would be).
I had realized, "l'esprit de l'escalier," that your ask wasn't in earnest and you were just looking to raise issues.
Sorry to have bothered you, but I assure you that your Access or Deletion request will be processed when you submit it. I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).
Are you suggesting that we should "provide the information from your GDPR access request without you actually asking for us to do so, without any commercially reasonable verification?"
Note I won't be responding further: you're not in earnest. But I do assure you that any requests will be properly processed.
Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked. Just for your awareness.
I genuinely expected that you worked for some niche company I'd never heard of. I wasn't looking specifically to raise issues: this is how I engage with this topic in earnest (example: https://meta.stackexchange.com/a/370343/308065). My persnickety behaviour has been appreciated by at least one Stack Exchange employee; and I assumed from https://www.datagrail.io/solutions/datagrail-vs-onetrust/ that your company would appreciate such criticism as well.
I did tell you that I was going to have a look, so I don't think my request was deceptive.
> I assure you that your Access or Deletion request will be processed when you submit it.
No no, I never assumed otherwise! (the complaint about pseudonymisation notwithstanding.) And it's entirely reasonable that those require submitting a form.
My complaint was that, as a visitor to the company's website, my personal information is shipped off to third-parties and used in ways that I am not informed about, and I have to specifically request to be informed via email (or the form) despite having no business relationship with the company, when I'm entitled to be informed before any such data collection takes place. "Contact us, and we'll tell you all about how all your personal information is used" is a wonderful service to provide, but it really really shouldn't be the only way to find that information out.
(Technically, my complaint was more general than this, but it did not extend to expecting the company to magically know when I want the data indexed as associated with me deleted, without me informing them.)
> I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).
The difference is that the form requires that I provide my "First Name" and "Last Name", when these are not relevant to the request. GDPR requires that you don't require this, and an emailed request likewise does not require this. (When I told Stack Exchange about their instance of this issue, they thanked me for pointing it out, and then they fixed it, very promptly. They're using OneTrust, so assuming DataGrail is feature-complete with respect to OneTrust, and that DataGrail are using their own software, it shouldn't be hard for DataGrail to fix it too.)
> Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked.
I noticed, and that's appreciated! However, that's not relevant to GDPR, whose obligations apply regardless of whether GPC or DNT is sent. The use of these scripts must be opt-in (unless the rare exceptions apply where you can use a basis other than consent), otherwise you're not complying with GDPR.
Again, not saying the company's atypically bad. The issues I've raised are fairly common in the industry. If forced to pick one of these services, I might go with DataGrail, because the selection of services the company offers is (in my estimation) very good. (Most smaller providers do not offer anything like that, and most larger providers are much less trustworthy.) I would certainly choose DataGrail over OneTrust.
However, my programming ability is such that it'd be easier to roll my own than audit the services of a company who I have reason to believe will make mistakes. I don't have reason to believe that the mistake-making is limited to whoever maintains the company's website (probably the marketing department), because I'd expect responsible higher-ups to tell a non-compliant marketing department to cut it out. I'm sure this means little, except that I am not your company's target market – nor the target market of most of the B2B privacy-tech industry.
Cookie consent banners make me immediately think if I should just leave the site and not care about the content.
I wouldn't be so sure about that in Germany, even if technically and legally true. I've heard too many times about spamigation cases where shysters send mass cease and desist letters. Even if those are complete bullshit and without substance, you're well advised to respond, and competently at that, which means you'll have to invest in a lawyer ... yadda yadda.
The way not to need cookie consent banners is to not do analytics tracking in the first place.
I often wonder what value it actually is.
Sure, you might understand your demographics better.. if you presume that the analytics are faultless at telling you this- which they're really not.
If you care about how your site is used, you don't need to set any cookies.
For my company, being able to view the user journey throughout the site in the analytics is pretty valuable.
We don't care who the specific users are - but the tracking gives us an idea of how many people use the site? do they have a good experience? are they giving us money? do we have a bug somewhere we're missing? etc.
All that is valuable as a business.
Back in the day we used to track user activity via a "hit id" (basically a random string) that was generated on the backend that added a "post" request to every page.
Idk if that was a good idea or not.
We depended on cookies for your cart and stuff.
The regulations are about tracking, and a chain of form fields and a cookie need to follow basically the same rules.
For some sites and businesses that's the right approach.
For some.
"Advertising or behavioral tracking cookies"
Any real business needs to do behavioral tracking for campaign conversions, add-to-cart, customer acquisition, funneling, retention, personalization, etc.
I love how we all hate cookie banners and say they are unnecessary, but our salaries are all paid by apps that do behavioral tracking.
Only hobby blogs can get by without it.
I appreciate the list of reasons cookies are useful. Despite having worked in technology for 25 years, I couldn't have articulated that list off the top of my head. I have never worked for a website that made money that way.
I think that means not ALL websites need invasive tracking.
> website that made money that way
Some of those scenarios are dubious as to whether they actually bring profit and "make money". They can very well be a net loss and are merely there to justify the job of the advertising/marketing/analytics/etc team, who is conveniently in charge of crunching those numbers and obviously would never put any adverse numbers forward.
Same thing in advertising - there's a lot of middlemen in the industry that are happy to take their cut, cook the numbers and look the other way despite no actual impact on sales.
So while I don't disagree these things can make money when in the right hands and done in moderation, the reality is that there's a shit ton of waste and deadweight in the industry. It may very well be that the actual (vs self-reported) profit from ad/marketing efforts is negative and merely covers the paychecks of said ad/marketing teams.
can you give examples of serious online businesses that are not doing those things?
Here are the industries that I've worked in that all did behavioral tracking for the above applications:
* gaming
* music industry
* healthcare
* social media
* news
* internet search
* online retail
* B2B SaaS
Sales, marketing, CS, self-service all need behavioral tracking. Can you share a practical example?
You don't seem to understand that one can do behavioral tracking without sharing all personal data with Facebook and Google. GDPR is mainly focused on who you share the data with. Performance tracking of core business processes including traffic sources can be done without involvement of Facebook and Google.
It's totally legit to spend a career helping the folks at Facebook and Google to soak up more private information about everyone so the Trump campaign can improve targeting of the fake news advertisements for the presidential election campaigns. But it is not ethical.
No, that's not true.
Disagreed. You can absolutely do all analytics, personalization and marketing in-house on your properties. You only need data sharing if you want to influence advertising on other properties or if you display others' ads on yours.
Whether you want to do so is a different matter. This obviously requires (potentially custom) software and infrastructure, vs throwing in GTM and calling it a day. If there is no regulatory reason for it (there isn't - this aspect of the GDPR is not enforced), most businesses won't bother and will take the easy option.
1st party behavior tracking still requires consent. And nearly every business needs third party integrations. I'm still waiting for someone to give me a working example (a real business).
The level of "tech" for a lot of trade and local businesses is often just a mobile phone and word of mouth, no online advertising industrial complex necessary. Those are still very real businesses. When advertising is used it's likely "old school" advertising with no tracking or analytics.
Ironically, if you are looking for a tradesman and do stumble upon an online ad or very polished web presence, be wary as it's basically guaranteed to lead to a boiler room full of scammers who will overcharge you and farm out the actual work to the lowest bidder. Sample: https://en.wikipedia.org/wiki/Locksmith_scam
You are confidently incorrect. Consent is not needed if you only track for your own business and do not send the data to other businesses. One of the big GDPR-compliant website analytics tools, Matomo, even has a dedicated page on this topic: https://matomo.org/blog/2021/10/matomo-exempt-from-tracking-...
"Matomo has also been approved by the French Data Protection Authority (CNIL) as one of the select few web analytics tools that can be used to collect data without tracking consent."
more info: https://matomo.org/gdpr-analytics/
You linked the wrong page
Technically, the quote was included on the linked page, but I added a second link to make it more clear :)
I meant the subject matter. A long list of specs doesn't help the discussion.
Just give an example. If this hypothetical solution is so easy, why are examples hard to come by?
There's no _need_ to use cookies for tracking purposes though, it's usually just easier/cheaper/quicker (or requested by the marketing department) to use off the shelf software than actually spend the time to implement these things.
But if you have a cart, you need a cookie banner regardless of any tracking you are doing.
Even the biggest tech companies, with surplus engineering resources, do third party integrations.
"easier / cheaper / quicker" means that will be the solution. You can't tell your boss "let's spend more money, more time, more risk" on getting it done.
you don't need a banner for shopping carts, or personalisation
the heuristic for whether you need the banner is essentially: is the user deriving the benefit, or just the operator?
if it's the latter you definitely need the banner
> the heuristic for whether you need the banner is essentially: is the user deriving the benefit, or just the operator?
This is just as bogus as the user vs developer distinction in copyleft world.
Of course users benefit from the operator knowing if their design decisions are actually on the right track.
how does the user browsing the site right now benefit from activity tracking?
the specific user right now, not a hypothetical user at some point in the future (if the business continues to exist)
answer: they don't
They need to tell themselves that "data privacy" is a non-issue because otherwise they would have to take responsibility for feeding Facebook/Google all of their users for many years, which directly resulted in fake news laced political advertisements which micro-targeted voters in the presidential elections.
The book "Careless People" clearly documents how Facebook engineers were embedded in the Trump campaign to run fake news advertisements micro-targeted to US voters.
It takes a lot of strength to resolve such a fundamental cognitive dissonance, especially if your self image is the talented techie who made money without hurting anyone.
It's a shame this is downvoted. It doesn't make it right, but it is true.
Until the regulation actually gets enforced so that everyone is on a level playing field and does not do such things, you will be at a disadvantage if you're the only one to comply, so the winning strategy is to not comply and engage in such practices just like your competitors do.
> you will be at a disadvantage if you're the only one to comply, so the winning strategy is to not comply
"need" is the wrong word for this. And the comment doesn't talk about it as a prisoner's dilemma, it says "need" unconditionally. The downvotes are not sad.
I wish I had a nickel for all the downvotes I’ve earned for describing things as they are
You can track conversions exactly without using analytics or cookies, by using promotion codes.
"you can" and no one does.
It's not that uncommon. It's a completely reliable solution to the problem of attributing sales and knowing how much each advertising channel generates individually in sales.
But taking into account that almost all jobs in advertising depend on keeping it "a mystery", it's no surprise that relatively few companies do it.
After all, it looks better if you tell your boss or your customer that they had 40 000 "impressions" thanks to your campaign, rather than 400 definite sales.
It is very convenient when you can point to others for moral absolution when the victims are invisible to you.
I’m describing what people are doing.
Unfortunately the culprit may be the privacy laws, irrespective of their good intentions, precisely because the 'banner' does not materially do anything but create an arbitrary annoyance.
It's not a better experience, it's a worse experience, because users will click on 'whatever' and therefore the goal of the privacy laws is not met.
Given the current situation - things would be improved by merely providing users with a consistent way to check on cookie status aka with a 'privacy link' up top that always gives clear info about privacy - but with no popup.
Or - given the current situation - it may be more appropriate to be more assertive with privacy and not allow one-click opt-in because it's just too much?
The fact is, the popups are just bad - they don't accomplish what they are trying to accomplish and we need a more UX friendly way to regulate. Which could be lighter or more restricting, one way or another.
I think we should accept that certain kinds of tracking should be allowed by default for many cases. I don't think it's a violation of privacy for companies to map an individual's experience across their property, as long as the user is anonymous, there are other checks etc. Sharing data between sites is completely another thing altogether.
I consider all those pop-ups to be illegal. The use case in my opinion does not warrant pissing off users by distracting them via such pop-ups. Here I classify slide-ins the same as pop-ups. I don't even read what is written there since I already don't care. I kind of have to use extensions to workaround this spam. The EU bureaucrats are very confused here - they cost a lot of money and don't really improve much at all. Plus, when they hand over data to the USA from EU citizens, it already puts them at logical odds - either you are consistent in what you do, or you simply shouldn't act in an orthogonal manner that degrades the user experience via laws. That's just nonsensical.
Why would pissing off users be illegal? Websites can do whatever they want, I don't like those popups and just leave the page when they show up.