European Union Justice Commissioner Didier Reynders recently told German newspaper 'Welt am Sonntag' that the European Commission is aware of how annoying cookie consent banners have become...
Web developer here. A “cookie” is just a piece of information stored on your machine. A cookie can be a setting, saved app data, or a tracking id.
The reason you keep seeing the banner is because by saying “no” to cookies, you’re telling them they don’t have permission to store ANYTHING on your computer. Which is fine. Your computer your call.
But if they can’t store anything on your computer, there’s no way to remember that setting next time you come to the website. No local setting storage means they don’t have the stored “no cookies” setting to load. Likewise there’s no tracking id they could potentially look your setting up in their own database by.
Web site requests are “stateless”. That means that, to a web server, each and every single request to a server is its own brand new, separate connection with no link to any other connection. The only way to share data between individual requests is via some kind of stored “state”. That state can come from your computer in the form of cookies, or from the server in the form of sessions. But linking a connection to a session requires your computer providing a session id; and guess how your computer has to store a session id? If you guessed “in a cookie” you win.
Are cookie popups annoying? Oh holy Christ yes, both from a web user standpoint and from the stand point of having to implement them as a developer. But by outright rejecting cookies (and/or auto-wiping your cache/cookies when you close the browser), you’re telling the website it’s not allowed to store your preferences for not having cookies and eliminating the websites ability to recall that preference at all.
The reason you keep seeing the banner is because by saying “no” to cookies, you’re telling them they don’t have permission to store ANYTHING on your computer.
That’s not how the regulation works. You don’t need to ask for permission to remember settings the user actually set themselves. Those companies don’t want to remember.
Another web developer here, that is how the California and European rules are interpreted. If we’re acting in good faith we do not store anything.
Maybe you can find a way to argue user settings and session cookies don’t require consent, but I am not a lawyer and I err on the side that doesn’t put me out of business.
It’s not about “finding a way to argue”, but “follow the law”. Which means “analyse every data point and categorise it”. When you do that for remembering cookie settings, going down the three-part test, 1) The purpose of not annoying users is legitimate, 2) It is necessary to store a single boolean for that, 3) Balancing: As our previous analysis left us with a single boolean we simply note that that’s not personal data.
This kind of stuff shouldn’t be done by lawyers but your data protection officer. Random lawyers will have all kinds of crazy opinions about the regulations because they don’t understand that area of law enough to interpret it. Heck your run off the mill US lawyers won’t even understand European legal theory enough to understand it. Data protection officers, however, are trained and certified to do exactly those calls.
I don’t know about education in the US but back in the early 00s, when I was still polishing lecture hall chairs with my butt, data protection was part of the mandatory curriculum. Not an official certification, but like 80% of what you needed to know to pass a certification test, and about 500% of what you need as a developer, which is spotting when something should get looked at.
As to putting you out of business: Even if my analysis was wrong (it isn’t), this isn’t “fine into bankruptcy” but “polite letter” territory. All those companies using dark patterns in cookie banners, OTOH, are risking serious action. It could even be argued that not remembering accept/reject settings is in itself a dark pattern, but again that would be “polite letter” territory.
I know how HTTP works. These banners are supposed to (and are legally allowed to) store a cookie saying you have refused. Websites are allowed to store session cookies with displaying a banner at all.
Web developer here. A “cookie” is just a piece of information stored on your machine. A cookie can be a setting, saved app data, or a tracking id.
The reason you keep seeing the banner is because by saying “no” to cookies, you’re telling them they don’t have permission to store ANYTHING on your computer. Which is fine. Your computer your call.
But if they can’t store anything on your computer, there’s no way to remember that setting next time you come to the website. No local setting storage means they don’t have the stored “no cookies” setting to load. Likewise there’s no tracking id they could potentially look your setting up in their own database by.
Web site requests are “stateless”. That means that, to a web server, each and every single request to a server is its own brand new, separate connection with no link to any other connection. The only way to share data between individual requests is via some kind of stored “state”. That state can come from your computer in the form of cookies, or from the server in the form of sessions. But linking a connection to a session requires your computer providing a session id; and guess how your computer has to store a session id? If you guessed “in a cookie” you win.
Are cookie popups annoying? Oh holy Christ yes, both from a web user standpoint and from the stand point of having to implement them as a developer. But by outright rejecting cookies (and/or auto-wiping your cache/cookies when you close the browser), you’re telling the website it’s not allowed to store your preferences for not having cookies and eliminating the websites ability to recall that preference at all.
That’s not how the regulation works. You don’t need to ask for permission to remember settings the user actually set themselves. Those companies don’t want to remember.
Another web developer here, that is how the California and European rules are interpreted. If we’re acting in good faith we do not store anything.
Maybe you can find a way to argue user settings and session cookies don’t require consent, but I am not a lawyer and I err on the side that doesn’t put me out of business.
It’s not about “finding a way to argue”, but “follow the law”. Which means “analyse every data point and categorise it”. When you do that for remembering cookie settings, going down the three-part test, 1) The purpose of not annoying users is legitimate, 2) It is necessary to store a single boolean for that, 3) Balancing: As our previous analysis left us with a single boolean we simply note that that’s not personal data.
This kind of stuff shouldn’t be done by lawyers but your data protection officer. Random lawyers will have all kinds of crazy opinions about the regulations because they don’t understand that area of law enough to interpret it. Heck your run off the mill US lawyers won’t even understand European legal theory enough to understand it. Data protection officers, however, are trained and certified to do exactly those calls.
I don’t know about education in the US but back in the early 00s, when I was still polishing lecture hall chairs with my butt, data protection was part of the mandatory curriculum. Not an official certification, but like 80% of what you needed to know to pass a certification test, and about 500% of what you need as a developer, which is spotting when something should get looked at.
As to putting you out of business: Even if my analysis was wrong (it isn’t), this isn’t “fine into bankruptcy” but “polite letter” territory. All those companies using dark patterns in cookie banners, OTOH, are risking serious action. It could even be argued that not remembering accept/reject settings is in itself a dark pattern, but again that would be “polite letter” territory.
I know how HTTP works. These banners are supposed to (and are legally allowed to) store a cookie saying you have refused. Websites are allowed to store session cookies with displaying a banner at all.