Unfortunately this is not what I anticipated based on the title (a user-based tool that circumvents pop-ups). It is a suggestion for website owners that they not use any tracking pixels or analytics on their websites.
I’m sure that works great for this guy’s blog, but I’d guess that it would hobble a startup’s ability to understand/optimize their customer funnel to abandon tracking entirely.
I mean, it’s factually correct. It’s just that we (HN readers? web users?) would assume that it’s about preventing them as a web user, and the author is talking about preventing them as a creator/hoster.
> Want to know why I don’t have a cookie notice on this site? It’s because I don’t track you.
Obviously doesn’t work for any website that requires creating an account and logging in.
Thanks everyone for upvoting a nothingburger to the top of front page.
Edit: Okay, I didn’t know cookie notice isn’t required for login cookies (apparently I never used a cookie banner on my sites anyway, cookie law be damned). Anyway, the nothingburger point still stands.
When a user sends an HTTP request to a remote server with a client that saves cookies on their behalf, it's not consent?
Not arguing with you, per se, I just don't understand how sending a request to someone else has somehow become "involuntary" under the law. The server didn't come looking for you, your program asked it to send you the cookie.
Could privacy based browsers implement a way of giving bad data to cookies? Poison the cookie jar, so to speak. An add-on would be nice but being able to point to a browser and say "this is attacking the issue" would be nice.
I saw this discussed before, and I think the conclusion was that this is just escalating an arms race. It just adds noise. Far better to just disengage if you can.
I find the way the article is written interesting.
Indeed, the title is misleading and you will learn nothing on the technical part.
However, the idea here is to be vocal about what society we want.
The goal is to say, as an individual:
- I am not ok anymore that so much sensitive data are collected
- I know data collection had negative impacts on individuals and society
- I can, and we should live without collecting so much data
- Individuals and society should come before companies
I'm not sure if the author is trolling or actually presenting this as some groundbreaking insight. I thought it was obvious to anyone that no cookies means no cookie notice (and there are plenty of static websites that do this). The point is that most websites try to make money, and making money means advertisements, and advertisement (often) means tracking.
Advertisement doesn't mean tracking. When someone buys a radio/TV Superbowl ad they don't track who heard/saw it. When you buy a newspaper/magazine ad you don't track who reads it. You can sometimes target a particular neighborhood, but that is all the more you get, and no tracking of who got it.
The ability to track doesn't really add that much value to most ads. The only time it is helpful is if you want to get a specific person across many different platforms. If you have a niche product that is useful, but niches generally have better ways to get their target (i.e. the forums frequented by their target). When someone advertises a car they don't need to track - they need to get everybody in the world because that is their potential customer base.
> The only time it is helpful is if you want to get a specific person across many different platforms.
There are surely other uses. For instance, I might want to know if my ad is being shown again to a return visitor or for the first time to a new visitor.
> When someone buys a radio/TV Superbowl ad they don't track who heard/saw it
Not long ago there was a front-page HN post about Smart TVs. From a lot of the comments I gather that, at least for TV, they now do. Possibly for some forms of radio too.
I do support this stance, but depending on your setup, there are gotchas website operators should be aware of. I see CDNs as a major hidden aspect: for the government, it looks like you're tracking people, even if you're not. So you'll need to host those JS and CSS frameworks on your own server, which I think is not that much of a problem, just something to be aware of.
However, the next issue is using Cloudflare or similar front ends. For example, I use their free tier on most of my websites. These reverse proxying services / DDoS mitigators / TLS terminators tend to set identifying cookies which website operators have little to no control over.
My point is that the web ecosystem contains lots of integration points that could lead to operators being liable in the eyes of the law, even if they're not actively tracking their users themselves - the services they use, do.
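The audit this comment points toward, as an added example that is not part of the thread: it lists the third-party hosts a page loads resources from and the cookies in a response that the application itself did not set. The host names, the `edge_id` cookie and the `EXPECTED_COOKIES` allowlist are constructed assumptions.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

SITE_HOST = "blog.example"        # assumption: the operator's own host
EXPECTED_COOKIES = {"session"}    # assumption: cookies the application sets itself
# Constructed sample: Set-Cookie headers and HTML as a browser would receive them.
SAMPLE_SET_COOKIE = [
    "edge_id=9f3c; Max-Age=2592000; Path=/; HttpOnly",  # hypothetical proxy cookie
    "session=abc123; Path=/; HttpOnly; Secure",
]
SAMPLE_HTML = """
<link rel="stylesheet" href="https://cdn.example.net/framework.min.css">
<script src="https://cdn.example.net/framework.min.js"></script>
<script src="/static/site.js"></script>
<img src="https://social.example.org/button.png">
<a href="https://elsewhere.example/">plain link, not fetched on page load</a>
"""

class ResourceCollector(HTMLParser):
    """Collect hosts of resources the browser requests without a click."""
    LOADED = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.LOADED and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host and host != SITE_HOST:
                    self.hosts.add(host)

def third_party_hosts(html):
    collector = ResourceCollector()
    collector.feed(html)
    return sorted(collector.hosts)

def unexpected_cookies(set_cookie_headers):
    # Cookie names present in the response that the application did not issue.
    names = {n for h in set_cookie_headers for n in SimpleCookie(h)}
    return sorted(names - EXPECTED_COOKIES)

if __name__ == "__main__":
    print("third-party hosts:", third_party_hosts(SAMPLE_HTML))
    print("cookies the app did not set:", unexpected_cookies(SAMPLE_SET_COOKIE))
```

Every `link` href is counted regardless of its `rel`, so a few entries (for example `rel="canonical"`) may be listed even though the browser never fetches them.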
Are you liable for third parties using your site for tracking? If you're not using cookies yourself, but you accidentally or otherwise include resources from third parties that are used for tracking, do you still have to display the cookie notice?
I think so, yes. For example, if you're including a Facebook button, that counts. So including JS from a CDN would also have to count. And when you're using a reverse proxy, I think it's not distinguishable anymore whether it's you personally collecting user behavior or whether it's Cloudflare doing it on your "behalf".
Perfection is not when there's nothing more to add, it's when there is nothing more to take away.
My website is also 'bare-bones'. What do we need all that extraneous crap for? People who want to look at it will. People who don't want to look at it won't.
Want more eyes on your site? Make it more interesting.
There's obvious merit to this, and it harkens back to a 'purer' day of the internet.
But, big - huge - businesses exist (often exclusively) on the internet in 2020, and suggesting that nobody should worry about collecting metrics on traffic/usage is really not feasible when your bottom line depends on making sure those numbers are moving in the right direction.
Don't get me wrong: those companies collect too much. There's no need to do some of the deep, cross-site data sharing that most big web sites do. But analytics? Advertisements? Seems like fair game. Even if you run a boutique blog, you're going to want more real-world feedback than "hit me up on Twitter."
The larger complaint here (at least in the first half of the article) seems to be the lack of elegant ways to present this compliance. Nobody seems to do it in a way faithful to the law without ruining your browsing experience. Maybe that's the point.
Seems like moving it into the browser permissions model could be a good way - in a similar way to how websites can ask for permission to show notifications or use your camera, and the browser handles prompting the user etc.
At the very least, it'd be more consistent across websites, you could see in your browser settings at any time which sites you have allowed to store cookies, probably set a global allow/reject etc.
I'm sure there are various reasons why this hasn't been done though.
Really interesting human behaviour occurs when the subject isn't being watched. There are numerous headings for this in various fields: "Hawthorne effect", "panopticon", "Heisenberg effect" etc.
Of course, in principle the "cookie banner" should alert you to this, that's the point. But after a while people just get used to them. At least it's better than them not being there though ... can't say you weren't warned!
Do businesses really need cookies? Surely logging page visits is enough for most purposes; it can be corroborated with sign-ins if you have already agreed to sign up. Anything else is usually for tracking, usually the intrusive thought.
Businesses don’t have an inherent right to your data. There’s countless bans on much more nefarious practices that “didn’t work” at the time.
You only need to set a cookie when the user logs in. So as long as the user isn't logged in or in the process of logging in there's no need for a banner.
You only need a banner if you use cookies for tracking. If all your cookie does is enable the login form, you don't need the banner. That's the "one weird trick" TFA describes.
Ha. I see what the writer did here. I was expecting a legal or technical solution of a different kind lol.
Now if I were to send this article to the business team at my company in order to make a point about privacy I’m sure it would result in one way.
They’d be pissed I wasted their time telling them not to track based on the views of the author who clearly doesn’t understand and hasn’t fully articulated the business implications of not tracking which are numerous.
No track is like security regulations in healthcare. Yes it makes sense but when you think about the implications to the system as a whole there will be negative impact.
1. Loss of jobs (lack of data collection in business)
2. Loss of lives (greater security requirements in healthcare)
Why loss of jobs? Because guys like Jeff Bezos will lay off staff before impacting his and his shareholders' wealth in any significantly negative way.
Let's start with an analogy. Solving noisy fans via a specially designed radiator case is clever. Saying "just don't use fans" is useless smugness. This "article" is useless smugness.
Yes, not using cookies is a way to avoid it. To be useful for anything but personal satisfaction the function fulfilled needs to be solved as well. Even if it is a niche and highly qualified solution like "a low bandwidth largely plain HTML website with lower yielding non-tracking ads or a donation page can actually yield more money per hosting cost but results in far smaller websites" would still be infinitely better.
> Saying "just don't use fans" is useless smugness.
Is it? You can buy fanless computers of various kinds, and it may make sense to do so in certain scenarios. One shouldn't put a fan in a computer "because computers have to have fans", but that's the approach a lot of companies take to tracking. Data gets hoarded and never looked at.
What a lot of people don't know is that you're allowed to use cookies for analytics purposes with GDPR, as long as you're anonymizing and as long as they're not used for cross-site/device tracking and advertisement.
The Dutch personal data authority even published a guide for Google Analytics explaining exactly what to do: https://www.autoriteitpersoonsgegevens.nl/sites/default/file... and they ruled that you don't need permission to enable the cookies when you do. You do need to have a privacy policy however.
I do wonder why so many big websites have chosen to present huge annoying cookie banners to people that are still, at first glance, a clear violation of GDPR. (Like having no explicit opt-in, often not offering an opt-out besides the notice to close the site etc.)
Why annoy your users if you are not compliant anyways?
They're okay. Login cookies are fine for instance, so are temporary shopping cart cookies, etc. Everything that you use to deliver functionality that the user explicitly requested is generally fine.
The rules are somewhat imprecise, but basically any functional cookies do not need to have consent as it is implied by the user using the service. This includes things like the user-identifier to know who is logged in for example.
Haha, I discovered this loophole too when GDPR was introduced. I also removed all tracking code especially from smaller sites. I don't care about tracking users there.