I used to work in Pioneer Square, and there was a guy with a "portable" (think desktop PC in a milk crate, bungee-corded to a foldable dolly) gaming PC playing on the regular. Granted this is back a bit.
Admittedly a beautiful design, but drip coffee isn't my preference. It does fit with the alien aesthetic in a certain weird way, because Bauhaus design isn't exactly how either the Nostromo, H.R. Giger, or the film really vibe.
No, they're directly in violation. This is fully settled; it's just that some companies are counting on it not being "the thing that gets an enforcement action".
If you're in any way something beyond a hobbyist, you should probably get legal advice about whether you need to get affirmative or implicit consent, whether you need to handle universal opt-out signals (in California, Global Privacy Control signals are now legally required to be respected), etc.
Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
And a proper consent banner will immediately handle your GPC signal, and generally not show you anything (California now requires a visual notification that your preference has been respected).
I understand what the author is actually saying: you can design sites that don't require the tracking tools requiring consent. And yes, while true at a certain (small) scale, when you have hundreds of millions or billions of page loads per month, and several development teams, a partnership group, and a lot of moving parts, you'll forgive me for thinking this is impractical.
Consent banners don't have to be awful, I promise.
Forgive me for immediately untrusting you on the matter because the reality distortion field must be strong. Cookie banners are an absolute crystal clear evil and there is absolutely no leeway for a different opinion here.
(Tracking is also an undisputed evil)
> Consent banners don't have to be awful, I promise.
False.
They absolutely have to be awful because that's the whole premise of the law. You have to get the user's consent. In order to force the user to make a choice you have to make it more annoying than it is annoying to read your content while ignoring the popup. The only way to conform to the law is to make users' experience on your website miserable.
> true at a certain (small) scale, when you have hundreds of millions [...] this is impractical.
True.
However it is also impractical to actually use the consent dialog. Because all the trackers and tools that different teams are adding to the site - they have to communicate with the cookie popup somehow and no living programmer would be bothered to even think about it. Nothing good for the world comes out of presenting and respecting the cookie popup (*).
Thus I see fake cookie consent popups that are actually ignoring users' choices.
(*) On my site I do my best to respect the user's choice and do NOT track them once they hopefully reject.
Why are you tracking when it's an undisputed evil? Reality distortion indeed.
Is getting consent interruptive? Yes. Is that worse than not getting consent? Also yes.
Since you don't appear to want to give up the undisputed evil of tracking, then consent is what's left to you. You've made the same choice as everyone else.
I'd encourage you to respect GPC and DNT, so the (roughly 20%, depending on audience) of users that have it enabled can automatically opt out of your tracking without the "crystal clear evil" of a consent banner. Remember that in California you need to show some display that their consent choices have been observed.
> Why are you tracking when it's an undisputed evil?
Not that tracking. You know what I mean: tracking by ad networks and international corporations.
We are tracking events (users clicked on the button) in an anonymous fashion. We do not collect PII. We do not store IPs. We do not correlate behaviors with user ids. We simply track how many people clicked the button and on what page. This is hardly privacy invasive at all.
> Is getting consent interruptive? yes. Is that worse than not getting consent? Also yes.
I'm not entirely sure about the latter. First of all, I don't believe in the slightest that the site will respect my choice. Second, even if the site itself does, the ad network present on the site, definitely will track me no matter what.
In other words, consent banners are cargo cult, do not work in practice and are a net negative for the world.
> DNT
It was an obvious idea but didn't work, unfortunately due to the fact that ad networks absolutely have to look down users' ass and they will not cease this practice.
> users that have it enabled can automatically opt out of your tracking
They can install adblock and wholesale opt out of all the bullshit, including insane cookie consent banners.
> Remember that in California you need
My business is not California or US based and thus I don't have to implement the vast variety of cargo cult laws in existence.
> the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
The page describing the law has more examples of cases where you do not need consent than the ones you do.
I don’t understand how you could misread “firmness of conviction” in my comment. I made it as short, bland, and neutral as possible, on purpose. It’s just a statement of fact with a source.
In fairness, I have worked for a company which did talk to a lawyer about this and ultimately we didn’t have a cookie banner nor a disclosure of the cookies used (cookies were minimal and without personal information, essentially site settings not even associated with accounts).
So I didn’t misinterpret what you said, it’s just that I have seen consent and disclosure always hand in hand.
It’s been years since I read the law in full myself, so it’s possible you’re right. I’m going by my own recollection (which can obviously be flawed) and the result of a lawyer’s interpretation (which is the thing you recommended) but I’m not one myself.
I still don’t understand (nor have you addressed) how you misread “firmness of conviction” in my words, especially when I purposefully did the opposite because I understand that these legal matters can get fuzzy.
It is also quite complex to integrate a third-party consent management platform in a compliant way; the tool itself is a script, but it somehow needs to preempt loading of any other scripts until the right consent is given (there's also an argument whether the CMP being third-party is itself a breach of "data minimization" when such functionality can trivially be done in-house, or at least self-hosting the script).
The majority of sites fail at this, which already breaches the GDPR since merely loading a third-party script discloses your IP address and browser fingerprint to them.
It's not a big deal in their case because their CMP is itself configured to be non-compliant, but if you want to be compliant with a third-party CMP it's likely the effort to integrate it properly would be just as much as just doing it in-house.
> Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law
You're mixing GDPR up with the ePrivacy Directive (henceforth "ePrivacy", not to be confused with the proposed ePrivacy Regulation). GDPR Recital 30 describes how cookies should be understood in relation to the GDPR (to the extent that GDPR Article 4(1) didn't already make it clear), and GDPR Recital 15 affirms that "the act of writing any cookie" doesn't have any special treatment under GDPR. Whereas ePrivacy Article 5 ¶3 discusses "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", and is the real source of nearly all "cookie consent" obligations in the EU. I hope you don't work on the legal side of the consent product!
Less pithily: I've noticed a lot of "consent" providers getting this basic stuff wrong, both in their marketing copy and in their actual products. I (along with most internet users) have a vested interest in any improvements in this area. I'm available to discuss this further, if that would be helpful – keeping in mind that while I know a lot more about this than many working professionals apparently do, I'm still very much an amateur with no formal legal training.
> I'm available to discuss this further, if that would be helpful.
That would not be helpful, because the whole business of "consent management" is to provide plausible deniability and the illusion of compliance to businesses without actually making them comply (since complying with the GDPR would incur significant cost and obsolete most of the marketing/analytics team's jobs).
I'm very sure they perfectly know what they're doing and have the budget for the best legal advice money can buy, it's just that their business is all about selling the illusion of compliance instead of actual compliance.
It's the fault of the regulators for still not cracking down on this after 8 fucking years. Detecting non-compliant consent flows is trivial with a web scraper.
> in their actual products
The products are configurable by the customer. Now you could indeed argue that the product should not offer an option to configure it in a way that would be in breach of the regulation it's supposed to help you comply with... but again see above.
I appreciate your precision. Most folks, unless discussing specific provisions, just use GDPR as an umbrella term, much like the CCPA is still used and inclusive of CPRA.
This response sounds suspiciously like competence. Do you mind disclosing which consent provider you work for, so I can have a look? (I only ever found one consent product I was really happy with, and it shut down a few months after I discovered it.)
It's DataGrail. I don't mind disclosing it, but I was kinda hoping not to because I'm really not here to advertise... I guess I won't say I know the subject, but do have some experience. lol.
I'd be happy to discuss directly if you want. Not sure how to exchange details if you're interested but we can figure something out I guess.
Unfortunately, DataGrail is a US-based company using Google Tag Manager to provide personal information about its website users to Facebook, Microsoft, Google, and other advertising companies. Per the Privacy Policy, the company seems to believe that pseudo-anonymization is sufficient to be allowed to keep and use personal data for any purpose, which it is not: per GDPR, data minimisation is necessary, but doesn't exempt you from properly fulfilling deletion requests. I can't find out how they actually use personal information collected from users: the best I can find is:
> If you have any questions about the lawful bases upon which we collect and use your personal data, please submit a request through the DataGrail’s Privacy Request Form or email DataGrail at privacy@datagrail.io.
Informing me of my "right to obtain" certain information without actually providing it is not okay; and the rather selective descriptions of the rights of the data subject feel like a GDPR Article 12 violation. (For example, it partially discusses Article 15(1), but omits Article 15(2).) Having investigated the Privacy Request Form (https://preferences.datagrail.io/form/access), it's requesting I identify myself in order to learn how my personal information's being used. I can't remember the exact reference, but I'm pretty sure this is explicitly forbidden by GDPR: something about not gathering or storing information with "it's needed to satisfy GDPR's bureaucratic requirements" as justification. (Yes, I know I can email instead: that's not the point.)
I could go on, but… it doesn't really matter how good a company's services are (and those services do look pretty good!) if I can't trust the company to begin with. DataGrail appears typical for the industry, rather than exemplary (as I had hoped it would be).
I had realized, "l'esprit de l'escalier," that your ask wasn't in earnest and you were just looking to raise issues.
Sorry to have bothered you, but I assure you that your Access or Deletion request will be processed when you submit it. I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).
Are you suggesting that we should "provide the information from your GDPR access request without you actually asking for us to do so, without any commercially reasonable verification?"
Note I won't be responding further: you're not in earnest. But I do assure you that any requests will be properly processed.
Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked. Just for your awareness.
I genuinely expected that you worked for some niche company I'd never heard of. I wasn't looking specifically to raise issues: this is how I engage with this topic in earnest (example: https://meta.stackexchange.com/a/370343/308065). My persnickety behaviour has been appreciated by at least one Stack Exchange employee; and I assumed from https://www.datagrail.io/solutions/datagrail-vs-onetrust/ that your company would appreciate such criticism as well.
I did tell you that I was going to have a look, so I don't think my request was deceptive.
> I assure you that your Access or Deletion request will be processed when you submit it.
No no, I never assumed otherwise! (the complaint about pseudonymisation notwithstanding.) And it's entirely reasonable that those require submitting a form.
My complaint was that, as a visitor to the company's website, my personal information is shipped off to third-parties and used in ways that I am not informed about, and I have to specifically request to be informed via email (or the form) despite having no business relationship with the company, when I'm entitled to be informed before any such data collection takes place. "Contact us, and we'll tell you all about how all your personal information is used" is a wonderful service to provide, but it really really shouldn't be the only way to find that information out.
(Technically, my complaint was more general than this, but it did not extend to expecting the company to magically know when I want the data indexed as associated with me deleted, without me informing them.)
> I know that submitting an email in a form is so much different for you than sending an email (since you've characterized it as somehow acceptable).
The difference is that the form requires that I provide my "First Name" and "Last Name", when these are not relevant to the request. GDPR requires that you don't require this, and an emailed request likewise does not require this. (When I told Stack Exchange about their instance of this issue, they thanked me for pointing it out, and then they fixed it, very promptly. They're using OneTrust, so assuming DataGrail is feature-complete with respect to OneTrust, and that DataGrail are using their own software, it shouldn't be hard for DataGrail to fix it too.)
> Had you communicated your consent preferences through GPC or DNT, all those scripts that you call out would have been blocked.
I noticed, and that's appreciated! However, that's not relevant to GDPR, whose obligations apply regardless of whether GPC or DNT is sent. The use of these scripts must be opt-in (unless the rare exceptions apply where you can use a basis other than consent), otherwise you're not complying with GDPR.
Again, not saying the company's atypically bad. The issues I've raised are fairly common in the industry. If forced to pick one of these services, I might go with DataGrail, because the selection of services the company offers is (in my estimation) very good. (Most smaller providers do not offer anything like that, and most larger providers are much less trustworthy.) I would certainly choose DataGrail over OneTrust.
However, my programming ability is such that it'd be easier to roll my own than audit the services of a company who I have reason to believe will make mistakes. I don't have reason to believe that the mistake-making is limited to whoever maintains the company's website (probably the marketing department), because I'd expect responsible higher-ups to tell a non-compliant marketing department to cut it out. I'm sure this means little, except that I am not your company's target market – nor the target market of most of the B2B privacy-tech industry.
Modals are, IMO, the literal worst UX element you can hate your users with. There are certainly valid use cases, but _absolutely not_ should be the default.
How come? I find them nice to allow for certain actions that don't really require navigation, and may want the user to easily return whenever they do anything in the modal or not. I understand it is historically bad due to accessibility, but there's more native support for it now. Assuming it is implemented with that in mind, is it still bad?
Perfectly delivered, the Reese's commercial that keeps on giving. Although to fully match the analogy, there'd need to be some form of Kotlin+Swift hybrid with a crinkly wrapper.
Hey, I'm the lead developer on DataGrail's(1) Consent product (cookie banner). I know a fair bit from having been involved with this for years, and talking to a lot of customers.
Happy to answer questions and clear up misconceptions, especially the one about "giving DNT force of law": we already have Global Privacy Control (GPC), and it's already required in (significant parts of) the US, and it's being enforced.
I can say we've tried really hard to prevent a lot of the malicious user interface issues, and to respect the GPC and DNT signal (no banner pop). We've tried to balance the company's need to keep compliant (because frankly, many of the complaints here about "legalese" aren't just deceptive UI (dark patterns), but done on the advice of counsel), and still operating (marketing needs analytics/ad tracking). And we're concerned about the user experience for what is admittedly an intrusive tool, but required.
(1) I'm not a spokesperson for the company, experiences and opinions are mine.
A lot of consent banner implementations have a clear accept all and then an intentionally obtuse alternative where you have to manually untick every "partner" you don't want to give data to. Presumably this is more profitable, as a lot of people will just click accept all instead of wasting their time.
A lot of people in the thread are speculating that this approach is illegal, but it seems to have widespread use across the web. Why doesn't DataGrail do this? Was it something requested by advertisers/management that your team pushed back on?
It's pretty clear from my reading of the (EU) laws that giving prominence to "Accept all" and not having the same level of prominence for "Essential only" is not acceptable. US is a whole different story, but has some bright points: GPC is already required in several states, and spreading. This removes the need for a consent banner to show on screen, which is great.
Our primary job is to make our customers compliant, so we try to "push them into the valley of success". That means GPC and DNT "do the right thing" by default, no deceptive design (dark patterns), etc.
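The gating discussed in the comments above (non-essential scripts held back until consent is given, and GPC/DNT honoured without showing a banner), as an added example that is not part of the thread or any vendor's code. The script URLs, category names and the choice to let an opt-out signal override previously stored consent are assumptions made for illustration.

```javascript
// Added example: a fail-closed consent gate. All URLs and categories are constructed.
const ESSENTIAL = "essential";

// Constructed sample registry: every script a team adds must declare a category.
const REGISTRY = [
  { src: "/static/app.js", category: "essential" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/tag.js", category: "advertising" },
  { src: "https://widget.example/chat.js" }, // untagged: must never load by default
];

// Read opt-out signals from request headers. "Sec-GPC: 1" is the Global Privacy
// Control header and "DNT: 1" is Do Not Track; header names are case-insensitive.
function readSignals(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) {
    h[k.toLowerCase()] = String(v).trim();
  }
  return { gpc: h["sec-gpc"] === "1", dnt: h["dnt"] === "1" };
}

// Resolve what this visitor has allowed.
// stored: { category: boolean } from an earlier banner choice, or null if none.
function resolveConsent(signals, stored) {
  const granted = new Set([ESSENTIAL]);
  if (signals.gpc || signals.dnt) {
    // Assumption: a browser-level opt-out wins over stored consent. No banner is
    // shown, only a notice that the signal was honoured.
    return { granted, showBanner: false, showSignalNotice: true };
  }
  if (stored) {
    for (const [category, ok] of Object.entries(stored)) {
      if (ok === true) granted.add(category); // only an explicit true counts
    }
    return { granted, showBanner: false, showSignalNotice: false };
  }
  // No decision yet: opt-in model, so nothing beyond essential loads.
  return { granted, showBanner: true, showSignalNotice: false };
}

// Return the script URLs that may be emitted into the page. Scripts without a
// declared category are dropped, so a forgotten tag fails closed.
function allowedScripts(registry, consent) {
  return registry
    .filter((s) => typeof s.category === "string" && consent.granted.has(s.category))
    .map((s) => s.src);
}

// Stand-alone demonstration on constructed requests.
const demoRequests = [
  { label: "GPC set, old consent stored", headers: { "Sec-GPC": "1" }, stored: { analytics: true } },
  { label: "first visit, no signal", headers: {}, stored: null },
  { label: "analytics accepted", headers: {}, stored: { analytics: true, advertising: false } },
];
for (const r of demoRequests) {
  const consent = resolveConsent(readSignals(r.headers), r.stored);
  console.log(r.label, allowedScripts(REGISTRY, consent), "banner:", consent.showBanner);
}
```

Running the decision on the server, before any script tag is written into the page, means a blocked third party never receives a request from the visitor's browser.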