Ask HN: Cookie popups – how annoyed are you?
In the EU, web sites must obtain permission before tracking users. This leads to very annoying cookie consent popups. Is anybody else here frustrated by them?
I'm semi-seriously considering launching an EU citizens' initiative to fix this. Here's how it can work: The EU directive responsible for the cookie popups is (afaict) 2009/136/EC, par. (66). It says cookie acceptance can be a browser setting but does not give details. The EU initiative could extend this to say web operators must respect the "Do Not Track" header.
Do Not Track is a special header that browsers can send to say "I don't want to be tracked" or "I agree to being tracked". It already exists in some browsers - but hardly any web site honors it. If the EU directive would mention that DNT must be honored, then web sites would have no further need to display their consent popups when the header is set.
My problem is that such an initiative would likely require a huge time investment. It needs 1M signatures. That would likely be very hard work.
If the response here is overwhelmingly positive, I might be more inclined to throw myself at this problem. Please upvote or comment if you think this might be worthwhile.
I'm both mildly annoyed and strongly in favor of them, since they have taught me how incredibly pervasive website tracking of my personal data is. If a website tracks me, I want to know about it, and I want to be reminded to consider whether the website provides value worth giving up my privacy for.
Besides, recent iterations of the cookie banner are (supposed to be) more than just an ok button - they are supposed to provide an opt out mechanism for all non-required tracking. See, for an example, theguardian.com
The ePrivacy regulation is being negotiated right now, your best bet is to join the lobbying. It's for certain that there will be some amendments to the GDPR and ePrivacy directive regarding the way cookies and tracking are handled for websites. In Germany the Bitkom is a good place to start if you want to make your voice heard, they have a working group on data protection that comments on the EU legislation process (you'll be a bit late to the party regarding the ePrivacy regulation though, not sure if there's still much room for change).
I don't think a citizen initiative will be likely to succeed as the regulation has been in the works for a long time and will probably be passed in one form or another, and I really doubt the EU would want to amend the handling of cookies a third time.
BTW I develop an open-source CMP (https://github.com/kiprotect/klaro) and the problem is a bit more complex than honoring the DNT header, as the user needs to grant or decline his/her informed consent for all non-essential third-party services. In the long run I think this functionality should be implemented directly in the browser, but again this will require more than a single header IMHO.
I think these are a user disaster because they are training people to click "OK" on a pop up. Which will turn out to be very bad from a security perspective.
They're covering what I want to read, they effectively make my screen smaller.
Would the EU directive also mandate there be no consent popups? Otherwise they'll probably remain and annoy people, even if they are mandated to follow DNT.
It's an absolute disaster.
The default should be to only allow the basics for a cookie. And if the user wants to opt in for sharing all their data, a specific page for that should be present.
It is more an issue for me at least that it fucks with my intelligence somehow.
Of course I do not want to share my data with anyone and at the same time don't try to fucking trick me to hit the "all cookies" button.
I am absolutely furious about it.
I have an extension installed to agree to them all. I dislike them and they serve no purpose. I would be glad to help you. I have a website that gets a lot of tech visitors to reach 1 million if I can help: https://downforeveryoneorjustme.com/
My email address is bwbbwb@gmail.com.
I mostly don't see them thanks to additional rules from "Easylist-Cookie List" in my adblocker, so eh.
I would not sign your initiative since I believe it is dangerous and would make the web worse. Here's why:
You propose to make web protocols/standards and national laws tightly coupled for the long run, to solve a usability problem in the short run. That's the wrong hammer for this delicate ceramic vase. Can you imagine what it would take to evolve web standards if they have to do so in tandem with the laws of dozens of different countries? If the law says cookie acceptance can be a browser setting without giving details, that's not too little detail. Even mentioning cookies might be too much detail for a law.
I am annoyed too, but I direct my annoyance at the entity that made the wrong usability and privacy decision, which is the organisation behind the website in question. Website owners (should) have every incentive not to annoy their users. Designing websites without cookie consent pop-ups is possible, legal, and a competitive advantage. As a user, removing the pop-ups automatically is also fairly simple. Let it play out. It's gotten worse before it gets better, but I believe GDPR is ultimately a force for good.
I would sign it in a heartbeat. The surfing experience has been really degraded.
Maybe off topic, but if the only cookie set is for Google Analytics, and I anonymize ip - do I still need consent from users? My understanding is that only data that can be tracked to a certain user needs consent per gdpr?