25 Comments
Mar 30 · edited Mar 30

I appreciate the article, given that I recently spent an inordinate amount of hours dealing with my personal blog's cookie banner. But something seems off. For example:

> Hacker news have all that and more, but don't have a cookie banner. No problem.

That line, in the context of "Cookies are fine", seems rather misleading.

HN probably has "no problem" because it's not in the EU, and so it's out of its reach. But if it was, I bet they would need a cookie banner - or some other mechanism to *at least* explain the purpose of their cookie/s. Notably, the current cookie section in their privacy policy is surprisingly, disappointingly generic boilerplate that doesn't explain anything.

Mar 26 · Liked by Bite Code!

"You'll notice the words "cookie" or "banner" appears nowhere in there. That's because they are not in the law at all."

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002:-

(25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

Mar 24 · Liked by Bite Code!

It's important to note that there are two laws that are relevant for cookie banners: GDPR and the ePrivacy Directive. It is summed up here: https://gdpr.eu/cookies/


DHH is that you? You seem to moo and have the same disdain about Apple as him.


Firefox is not the only web browser that supports addons, and on iOS in fact it doesn't support them :) I hope the rest in the post is valid however but this bit is not.


Most American small businesses have no idea what's happening. They don't want to sue and put up the banner. It's not nefarious, it's the law not understanding how it would be interpreted.


There is a nice add-on Consent-O-matic which auto-rejects those cookie banners as well: https://github.com/cavi-au/Consent-O-Matic


Your code example is actually the reverse :D

accept_tracking = request.META.get('HTTP_DNT') == '1'

1 = do not track, 0 = tracking accepted, so the above code would track only if it's been asked not to.

Mar 15 · edited Mar 15 · Liked by Bite Code!

The successor to DPC is GPC, https://globalprivacycontrol.org/ - the Global Privacy Control.

Whilst this is not supported by many browsers yet, I understand* that the California Attorney General has welcomed GPC* as complying with the CCPA, and that it does satisfy the European GDPR.

* https://www.loeb.com/en/insights/publications/2021/07/global-privacy-control-consumer-led-enforcement

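Added example, not code from the post or from any commenter: a server-side check that reads the DNT header with the polarity described in the comment above (1 = do not track, 0 = tracking accepted) and also honours the Global Privacy Control header, `Sec-GPC: 1`. It assumes a Django/WSGI-style `META` mapping; the function names and the choice not to track when no signal is sent are assumptions of this example.

```python
from enum import Enum


class Preference(Enum):
    OPT_OUT = "opt_out"  # user asked not to be tracked
    OPT_IN = "opt_in"    # user explicitly allows tracking
    UNSET = "unset"      # no usable signal was sent


def _header(meta, key):
    """Return the stripped header value, or None when absent or empty."""
    value = meta.get(key)
    if value is None:
        return None
    return value.strip() or None


def tracking_preference(meta):
    """Classify a request from HTTP_DNT and HTTP_SEC_GPC (hypothetical helper)."""
    dnt = _header(meta, "HTTP_DNT")
    gpc = _header(meta, "HTTP_SEC_GPC")
    # Any opt-out signal wins, even when the other header disagrees.
    if dnt == "1" or gpc == "1":
        return Preference.OPT_OUT
    if dnt == "0":
        return Preference.OPT_IN
    # Missing or unrecognised values ("null", "yes", ...) carry no preference.
    return Preference.UNSET


def accept_tracking(meta, default=False):
    """True only when tracking is allowed; `default` covers the UNSET case."""
    pref = tracking_preference(meta)
    if pref is Preference.UNSET:
        return default  # assumption: no signal means no tracking
    return pref is Preference.OPT_IN


# Constructed sample requests, not taken from the post.
SAMPLES = [
    {"HTTP_DNT": "1"},
    {"HTTP_DNT": "0"},
    {"HTTP_DNT": "0", "HTTP_SEC_GPC": "1"},
    {},
]

if __name__ == "__main__":
    for meta in SAMPLES:
        print(meta, tracking_preference(meta).value, accept_tracking(meta))
```
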

The thing I don't get is.. if the cookie banner is not required outside the EU and all companies benefit from tracking the user with cookies, why are they showing the banner outside the EU?
