Please remember: functional cookies (login session, shopping carts) do not need user consent. So every time you see one of these oversized cookie banners, someone is trying (often through dark patterns) to make you accept the whole tracking and spying as well. Don't be mad at the legislature for creating the need for tracking consent. Be mad at the websites that are trying to stir you up against that law by annoying you with those banners.

The law should require them to recognize my do-not-track header as dissent and stop them from asking me again, as I have made my intention already pretty clear.

@daniel That would be neat for all not technical/functional cookies, I agree. It would be better though for the internet to ditch all that spying bullshit and to selfhost their analytics.

Neither my, nor your wishes will be fulfilled without laws requiring it.
Marketing people seem to be obsessed with the idea of needing to know everything about their users, so they can improve the variables of their targeted advertising campaigns.
They currently seem to have no incentive to stop this behaviour.

@daniel @mzumquadrat
Luckily uBlock has an "annoyances" list you just have to enable that should hide most consent popups (which means you don't consent to tracking).

For all that understand German and are interested in cookie warnings I can recommend this docu/interview:

Starts at 00:11:00.

@mzumquadrat @D22 Thank you for the link. The video is quite long - I will watch it later.

@mzumquadrat IANAL, but from my knowledge, analytics that parse the logs, or are selfhosted on the same domain, don't need such popups either.

So even if your business requires some statistics and tracking, there are 'proper' ways to do that, without selling out your customers to an ad-network or dataminer. Which was another attempt by the legislation.

But fought against, by those datahoarders by making it annoying and looking unavoidable.

@berkes Yes, selfhosted analytics is also defined as functional/technical. But it is more lucrative to offload the tracking to a dataminer. :(

@mzumquadrat Thanks for clarifying.

I don't agree with the 'lucrative' part, though. The gains from not having a cookiewall can be large for certain businesses.

And hosting your inhouse plausible, matomo or such, can be acquired as SAAS. For mere dollars a month. Not everyone needs a matomo cluster.

Goaccess, stats built in your CMS, the reporting feature of your ecommerce, a free tier at a SAAS: cheap options enough.

This hackernews-featured article recently found and that shares your data with up to 647 different companies if you "accept all" cookies

@berkes Lucrative is not always monetarily. It is also lucrative to offload analytics to a third party to shift responsibilities to the third party. So basically you have someone else to blame/ to use as scapegoat.

@mzumquadrat good point.

The middle-ground, where you pay matomo or plausible or such, for the hosting on your domain, would cover many of such cases, though.

AFAIK there is no legal requirement that says you have to do it all by yourselves. Then it's more a matter of buying from a privacy-friendly, technically sound, and potentially selfhostable provider.

@berkes You are right, there is no legal requirement. But a phrase I often heard regarding plausible, matomo is: Well I never heard of it. Why shouldn't we use google analytics? Everyone uses that.

@mzumquadrat argument fortified in the great book 'crossing the chasm' on getting new tech into markets with established 'monopolies'.

Anyway, the simple answer, here, is: 'because it allows you to remove the cookie popup.'

Which should be compelling to many a marketing manager, analyst or business owner.

@berkes But then they have to explain to management why they aren't using the cool <hypetech> everyone around them is using. I totally agree with your argument though.

@mzumquadrat @berkes this is the big issue, in my experience: parts of the company (often marketing) *think* they're forced to use GA because insights and seo and whatnot, but in fact it's more because it's all they know (I'd superficially).

@berkes why doesn't google offer a "selfhosted" version of their analytics then? As far as I understand, they would just have to serve it through a subdomain of the website, but keep the backend identical.


@felix afaik, they do (did?).

But also afaik: that would mean they are not allowed to read the data, then. Which is counter to their businessmodel.

Yes, unfortunately honoring the DNT header is always a "may" and never a "must". :(

@mzumquadrat @Hermann Many websites have also stated in their privacy policies that they will not change anything despite the DNT header :blobcatcoffee:

@mzumquadrat well...they do need user consent. You can disable cookies in well-designed web browsers. You can set your consent there....without that consent login will not work, but c'est la vie

Sure, that's always an option. But in a better world this should not be necessary.

@mzumquadrat for sure there needs to be something between "lock your computer in a lead box, unpowered, in a concrete bunker and hide in a corner" and "give me your first born and let 100 men fuck you on zoom in order to load a search engine". We can always aspire to better and for consent to be more and more granular

@mzumquadrat "We just need you to sign this for data protection..."

Please fill out this notice of opposition and mail it to our postal address...

@rune @Hermann @Parnikkapore @mzumquadrat @lightmeter @solarkraft @Trojaner @dualhammers @daniel @Lofenyy @maikek @x51 @D22 @berkes @felix I'm much more annoyed about sites that turn into infinite redirects when cookies are disabled than about Evil-Bit-style laws.

@L29Ah and most of these sites don't even bother to tell you why this happens. And some sites just freeze bc they use those damn google recaptchas, which I do not even see (I block everything from google).

@mzumquadrat Can you say a bit more about this? Which law? Which jurisdiction?

@poebbel Sure, GDPR (European data protection law) and the Directive 2009/136/EC (often called cookie law) state that functional cookies, which also includes selfhosted tracking ones, have implicit consent from the visiting party. Every other cookie that is not strictly necessary for the website to function (in a technical sense) requires informed consent by the visiting party.

@mzumquadrat thanks Marcel. Thanks also for mentioning dark patterns. Hadn't heard that term before.


> you must... receive users’ consent before you use any cookies except *strictly necessary cookies*


> Strictly necessary cookies: These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site [example: cart]

> Preferences cookies: Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past. [example: language, region, auto-login]

@mzumquadrat I (re)searched that for my future reference. Legalese is hard and confusing :( and I feel like that page is the "dumbed down" version, and still I don't fully understand it. Are "login cookies" that keep you logged in and span sessions "functional", as opposed to always-login single-session "critical"? What even is a "session"? has some more info, like "the browser defines when the 'current session' end". Thanks I guess :(

First of all: I see that I forgot a :) at the end of my message thanking you for linking the gdpr website. So again, thank you for linking that site. :) It made it a little bit easier to read about that whole topic (I basically tried to understand the official documents). And I agree: It is very hard to understand legalese terms. Login cookies are, I think, also okay under the GDPR and require no consent since it is very hard to abuse them for tracking purposes.
