Many "cookie banners" have finally started to work in the EU. Once you deny PII processing many sites don't load GA etc... The time of malicious compliance is starting to pass. Some sites have figured it out and realized they really don't need personalized analytics and have replaced implementations with privacy respecting ones(ex, plausible). This lets them remove the dark-patternish banner and no additional consent is required as all data is pooled together and one persons actions truly can't be singled out.
GDPR obviously has other good effects but as PII processing through cookies is what most people know, I chose that as an example. Email tracking links & pixels are another good example.
There's also a big difference between 2018 and 2025 when discussing GDPR in work contexts and saying that implementing this or that tracking would be illegal.
It's a slow process, but it's working as intended.
Enforcing sites not calling out to third party data processors via client-side JavaScript is detectable and enforceable, but taking such actions server-side is undetectable (and therefore unenforceable).
yes, that's a possibility, but we're far from server-side GA implementations and we do have an option to make a data request to figure out what companies are doing.
If they get caught lying (and that tends to happen in the end) that's another violation that is taken seriously nowadays.
For example, my e-mail server started picking up messages from DELETEDmyname@mydomain.org. Making it pretty clear a company did not respect my wishes to completely delete all data and user account references. They simply changed my email in the DB.
Once you deny PII processing many sites don't load GA etc
The way you phrase this is expressly non-compliant with the GDPR, because what you're describing is an opt-out. To be compliant, websites should only load GA etc after you accept PII processing.
Sorry. They do wait and force a choice before loading the external scripts.
That's the only mechanism one can use to really be compliant as GA (and other providers) stick identifiers onto the session as soon as the script has been loaded.
Just a few days ago, they updated their android application info and stated they're going to share location data with third parties for "Advertising or Marketing" purposes...[1]
They also removed a promise to "never sell your data" in their FAQ[2] 2 weeks ago.
Sure, but my point is that Firefox has been funded by Google since 2006, and by having it as the default search engine, Firefox has been sending suggestion queries and searches to Google.
Of course, the nuance here is that this was part of a user action, i.e., the user probably wants to search, so they expect data to be sent to Google (although the address bar suggestions are a gray area IMO). However, what hasn't been expected, and the whole purpose of the GDPR, is that Google does store your search history for advertising purposes without user consent.
So, even if it was unavoidable, Firefox has already been selling user data to Google by simply making it the default search engine and getting paid to do it.
BTW, the GDPR is really strict, and I'll know that Firefox actually sells my data (in a way that I don't expect) when I'll see a GDPR interstitial about it for getting my consent. For instance, when you first open Microsoft's Edge in the EU, they inform users that they're going to share their data with the entire advertising industry.
As I understand, these "data safety" sections are what Google gives app owners to comply with "right to be informed". If they say "we're sharing location data with third parties for Advertising purposes" I'm believing it.
I agree that they should really be asking for consent as well, but they don't seem to be doing that. We've got no way to use legitimate location related functionality and deny advertising related usecases. Remember, consent must be specific and granular.
It'll be a while, until enforcement catches up. It's taken ~6 years for cookie banners to get a "reject" button and those are really easy to review and enforce.
It'll happen though, enforcement is just slow. GDPR is a fairly well written regulation, as far as corner cases and catching workarounds goes. So unless the laws change, enforcement will catch up eventually.
Isn't that just what has to be selected in the play store to allow the app to access/use the localization framework in Android? It doesn't guarantee they're sharing information. They could still do it on a site by site bases with in-app approvals?
I guess the concept has gone from "We don't support this at all" to "We support it but won't be evil, you have to trust us."
How much do we trust Mozilla/Firefox? You could always go read the code yourself: https://hg.mozilla.org/mozilla-central or just do what most people do and hope someone else audits it :)
There's a choice between first party(collected) and third party(shared). Also a list of purposes one chooses from. This could include "App functionality", "Analytics", "Account management", etc...
Two of the possible 3rd party choices are "Advertising or marketing" and "Personalization". These two have been chosen for firefox. This includes sharing data with advertising partners.
A change to those options is what triggered the notification. It's not a requirement for using location features.
I'd say a part of figuring out what they are doing is reading such information. Even if the code itself doesn't reflect it yet, it's usually listed in preparation.
It's also a good way to figure out the code needs to be reviewed :)
using a cookie that is essential for non-essential purposes, is not allowed. So using a load-balancer cookie is fine, as long as it's only used for load balancing.
Once it's used for other (technically non-essential) needs as well, one needs to find another basis for processing or ask permission for that second purpose(consent basis).
Also, if the LB cookie can be non-identifying, while fullfilling the stated technical purpose, it must not allow identifying users. So for LB cookies, one must not use a unique ID per user, but an LB ID instead. Something like "node1", "node2" etc...
When the permission is withdrawn, the other party cannot collect more data. And the existing data that they collected would need to be deleted if the user asks them to. If the withdrawal of permission also involves permissions regarding data storage and processing, it would mean that the company would need to destroy any personal data that they have.
If withdrawing is meant to be “undo consent”, how would you make that as easy as the initial “one click to consent”? Would you not have to show a banner on every page view, with a one click option to “withdraw”?
You'll have to go and ask the legislators what they were imagining. Thankfully it's not being interpreted quite as literally. Sometimes pragmatism saves the day.
I agree with you though. It's sad that content is being reformulated for those reasons.