First thing I notice while browsing from EU is that there's only one option regarding cookies. Accept all! Even if I click "Learn more" there's no "accept necessary cookies" or "Reject cookies". First time I encounter something like this.
This is common on many, many sites like this because they do not have any tracking cookies or anything else that they would need consent for, but they're still required to display a cookie banner "notifying" you that cookies are "in use" as per the terms of the old 2009 ePrivacy Directive. In this case, it appears that projectaria.com sets 1) one cookie for the user's DPR (1 or 2) so that the backend can serve optimized images, 2) one cookie for the user's locale, and 3) one cookie for a CSRF token for form submission.
> but they're still required to display a cookie banner "notifying" you that cookies are "in use"
Common misconception but this is not true. If you use cookies only for functional purposes (not for tracking for example), you do not need to show any cookie banners. Like if you have a shopping cart and you have a cookie for keeping track of what's in it, it's for functional purposes for the user and hence needs no notice to be used.
> Exceptions from the requirement to provide information and obtain consent
> Activities likely to fall within the exception: [...] Some cookies help ensure that the content of your page loads quickly [...] Certain cookies providing security that is essential to comply with the security requirements [...]
> Common misconception but this is not true. If you use cookies only for functional purposes (not for tracking for example), you do not need to show any cookie banners. Like if you have a shopping cart and you have a cookie for keeping track of what's in it, it's for functional purposes for the user and hence needs no notice to be used.
Personally, I would not put a cookie banner of any kind on my website. However, given this text:
> The term 'strictly necessary' means that such storage of or access to information should be essential, rather than reasonably necessary, for this exemption to apply. However, it will also be restricted to what is essential to provide the service requested by the user, rather than what might be essential for any other uses the service provider might wish to make of that data. It will also include what is required to comply with any other legislation the person using the cookie might be subject to, for example, the security requirements of the seventh data protection principle.
> Where the setting of a cookie is deemed 'important' rather than 'strictly necessary', those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent.
I think it's clear why a more risk-conscious organization like Meta might take a more conservative reading of "Strictly necessary" that does not apply to e.g. bandwidth optimizations related to a device's DPI.
You'll notice those last three words "and obtain consent".
Either the cookies are strictly necessary - in which case, there is no need to display a banner, or they aren't in which case you have to ask the user for consent.
"List non-necessary cookies, but don't ask for consent" isn't an option.
But it's easier and less risky to just always put in the standard language that everyone ignores and mindlessly clicks through anyway. Which is why this was very silly legislation. People helping develop future legislation (in the EU and elsewhere) should be aware of this as a cautionary tale of incentivizing theater with only cost and no benefit.
Doesn't it have to be opt in? You need to give consent. You can't give consent until they've told you what cookies there are and click a button. If you don't click, those can't be added if you're in the EU.
What if the banner language suggests they might break GDPR, but in reality they are not doing those things? If my SaaS forces you to select a checkbox that states you're agreeing to allow me to set fire to your house (which is illegal) - would the sign up itself be breaking the law? IANAL, but I don't think it would be; I won't be breaking any laws until I commit arson.
It's breaking the law because you're essentially being forced to consent to something that they legally must give you the option to opt out of. It's not about them doing it, it's about the validity of their request for consent.
If I hire a hitman to murder somebody, but the hitman chickens out, I'm still guilty of having hired a hitman, even if nobody died.
I have to admit, for technical folks like ourselves, I don't understand why you care what options the dialog presents. Just use a "Kill Sticky" plugin to nuke the stupid dialog so you can read the page, or even Accept them, and then instruct your browser to do whatever you like with the cookies the site creates (i.e. delete them). It's all in your hands, the popup dialog doesn't do anything you can't do yourself.
Learned helplessness. Teach the citizens that the only thing protecting them from the Big Scary Internet is their benevolent government. Meanwhile the politicians collect millions from the mass media companies that lobbied for the god-awful implementation of the law we all ended up with, and as everyone gets worn down into Accepting All always, they simultaneously forget that their User Agent holds all the cards (or in this case, cookies), and it can be instructed to do anything the User wants with them.
Did you just take a problem that free market tech created and blame it on the government? ;)
User agent sovereignty would be nice... except the most used browser and 1/2 of smartphones are controlled by Google, the largest ad tracking company on the planet.
This particular problem with annoying cookie dialogs is actually a government-created problem though...
But I do agree with you that "free market tech" created the problem of "tracking cookies are ubiquitous and users don't know how to control them". But then regulators just layered another annoyance on top of that, instead of solving that actual problem.
Google, the same company that provides a litany of fine grained cookie retention options in its User Agent’s options page? Except thanks to the government’s antagonistic policies (read: big-media’s lobbying) those are useless as you need to keep on clicking the damn pop ups every time you visit a page “anew”.
Also never forget we already had a perfectly good solution in the form of Do Not Track headers that a benevolent governing body would have simply mandated abiding by. Instead we have this shithole.
The only way it ever would have been respected is if it was required to cryptographically sign an acceptance of cookies, then the server was required to retain that attestation as proof of acceptance, subject to legal liability if they were found in possession of tracking data without a valid attestation.
Absent enforceability, even when the server actively and maliciously decided to ignore it, it was a toothless solution.
How can you prove that they respect your preferences in those consent theater pop ups?
I think those pop ups are the worst thing that ever happened to the web because they eliminated the moral authority that anyone had to say “it is user hostile to use pop ups”. Once the EU made it appear “required” and even “laudable” or “prosocial” there was no basis to say “you shouldn’t put this other popup in that will make users feel harassed”.
So now we get pages where the popups get in the way of the other popups.
I suppose the formalism around popups, and specifically when the EU decided to start levying fines on entities who used dark patterns to avoid the spirit of "accept/reject must be equally easy to click", convinced me that user-visible was a better way to win the fight.
Granted, it's not a technically optimal solution, but it may be a politically optimal one. Vis-a-vis the people vs the advertising industry.
I'm unconvinced that DNT would have ever garnered the same support as something that people, and specifically politicians, can see. Which would have led to ad money quietly carrying the day.
I'm hopeful that after we've chiseled "Thou shalt respect user decisions" in stone deeply enough, we can flip back to enabling a user agent to automatically respond to that question for us.
It does make visible how absurd the situation is. You might imagine an advertising system would require one or two cookies but it's so shocking to see that some ordinary site would have 40 third party cookies. Some of that is the use of these embeds from the likes of Facebook, Twitter and YouTube and some of it is the "knives out" situation where nobody trusts anybody in the adtech universe and the answer is to have 10 different authorities collecting information and assume they can't all be colluding with each other. (e.g. everybody has a reason to understate or overstate views or clicks and naturally there is attrition in the pipeline so the numbers won't add up perfectly.)
That's a very good example of "argument-by-Google". You know what conclusion you want to achieve, so you just go around looking for statements that are either taken out of context or misunderstood and that can be backed by a (shallow) google search.
For the record: go back to the article that you are (wrongly) alluding to [0] and see how much the author has retracted. Also, see the response from Brave's Chief of Search.
I "have" to keep advocating them because all the opposition that is presented is always based on false information, biased and prejudiced and clearly made by people who never used the browser or tried to understand the value proposition.
There are tons of things to criticize about Brave (their "partnerships" with Binance and Solana, their complete lack of interest in making BAT an actual currency for payments online, them completely losing the train of decentralized social media) but none of that ever comes up from the detractors, only this kind of bullshit like the one you bring up.
I'm just going to quote the updated, follow up article:
> The Brave Search API does not respect the site's licensing, and Brave is under the assumption that 1) because they are a search engine and 2) because they attribute the URI of data - this puts them in the clear to scrape and resell data word-for-word.
> Brave steals data and resells it, and is not to be considered a trustworthy entity.
The article went from "selling personal data to AI companies" to "selling results in the API search with a longer summary than Google which might be a violation of fair use policy", and yet you still don't want to back down.
Aside from what ethbr0 said, which I agree with, that you're blaming the victim, I want to address the "learned helplessness" idea.
I heard recently that's actually wrong. We are born helpless, and learn to take control. The helplessness is innate, and we learn to overcome it.
In democracy, the innate helplessness of citizens is overcome by learning to participate in governance - activism, elections, public functions and so on.
The people who say "government does nothing good ever" are the ones who want to keep people in their natural helpless state. It's like telling a student, "you're doing it all wrong and can never be good".
You are definitely not born helpless. Babies keep screaming until they get what they want. They also tirelessly try to master mobility. Learned helplessness would mean they wouldn't even try crying or moving.
I think you're arguing beside my point. I am referring to the psychological concept of "learned helplessness", and how that is wrong. That concept doesn't imply that helpless people fall into a total coma, it just means that they don't attempt certain things.
Speaking from experience, babies and toddlers will attempt to do absolutely everything, including flying (which will fail) and using smartphones (where they succeed remarkably).
Learned helplessness can by definition manifest only after you have tried something and failed. Hence you cannot have learned helplessness after being born, because you had no opportunity to try anything yet.
Please don’t tell me you’re unironically arguing “learned helplessness” doesn’t exist because you “learned” you’re born “helpless” and the only path to actualizing change as an individual is through the official government sanctioned mechanisms… because if that is your honest argument… wow.
For reference, in my experience, the public works projects that get front page news coverage with tons of anecdotes from locals about how incredibly helpful and long-needed the installation was, are those that were completely unsanctioned.
And the only path to substantial policy change in all of history has always been violent revolution.
I am not sure what your argument is. I explicitly list activism as one of the options, so I don't claim you have to always go through official channels.
But especially in democracy, you have a lot of opportunities to use official ways to institute change, like being elected or voting.
I also think there is plenty of positive social change that happens non-violently.
I have to admit, for the non-technical folks like not-ourselves, I don't understand why people don't know about such "simple lifehacks" -->
Your knowledge is sound, but rather than condescendingly relegate people to your 'simple' workaround - the ENTIRE premise of cookies and tracking against one's implicit desire to be private, is asinine.
You should care because often this agreement is not about the technical detail of cookies, but allowing the company you are interacting with to share data about you with 3rd parties.
If you think which HTML div element you click on to dismiss a sticky banner has any bearing whatsoever on how your data is handled server-side, I've got a trip to the Titanic in an Oceangate submersible to sell you.
Legally it does, at least if you're in the EU. The only reason websites are slow on the uptake around this is that the legal gears are slow, however we have seen many considerable fines in this space in the last few years and things are improving.
That assumes that the entity ignoring the law is operating within it to the extent of requiring your consent. GDPR goes much wider than explicitly cookies.
You mean how much worse surfing the web got after it became visible, how much companies are tracking us? The problem is the tracking, not the banner. If you don't sell your readers data, you don't need a banner.
This one is tame compared with a whole industry of "data privacy" popups which hide "Legitimate Interest" opt-outs within Vendor lists containing hundreds of entries. Someone needs to slap some serious lawsuits on these gangsters.
This is a perfect example of how GDPR can present challenges to innovation. The fact the top comment in this announcement revolves around GDPR compliance and associated fines raises questions about whether companies will be motivated to share research and open source datasets in the future.
Isn't that a GDPR violation since they're not allowed to prevent access if you refuse to share data not necessary for the service to function? Since it's from Meta I suspect regulators would enjoy another thing to add to the list for future fine calculations.
It depends. If everything stored & tracked is genuinely necessary (as defined by the regulations) then consent is not required. If they are just telling you that they are storing & tracking necessary things like session information, then all is good (unless the things they store & track are not, in fact, strictly necessary and non-privacy-affecting).
Of course if they don't need consent, then why are they making a song & dance about it having us click an accept button?
It’s not really a dark pattern because they’re not tricking you into accepting or coercing more than is acceptable into doing so, they’re just not allowing you to decline. Which means if not accepting cookies is a dealbreaker for you, no problem, just: move along.
Dark pattern is a term normally used for legal, but immoral user experience.
In this case legality is questionable as they redirect you to other external sites to manage your "consent" https://optout.aboutads.info (at least from a European GDPR perspective)