The function of the website for the website owner is to make money. Setting cookies helps with that. The EU law says I have to disclose lots of stuff and get your consent before tracking you. So every website added a disclosure and consent button, and every user clicked on it.
If you think of the wasted power of a billion warnings / notifications a day, you realize how little folks will pay attention to these warnings; the only way to get on with your life is to tune these warnings out.
SERIOUSLY - can't someone do a study in the EU showing that their constant warnings mean folks have totally tuned them out?
That "Analytics Advertising Feature" MUST be unchecked by default. Only users that actually want to be tracked are tracked.
Every "tracking feature" (cookies, fingerprinting, IP tracking, whatever) must be hard opt-in, and the website has to provide an option for the user to opt-out if they change their mind.
If a website only uses functional cookies (colours, session, login, cart, language) they don't need consent, just disclosure (and it doesn't have to be an ugly cookie bar).
What would provide users some actual security is if their browser would block this unauthenticated insert of javascript if it's in a secure page. In other words, DON'T trust the website to do the right thing, just take control at the browser level.
There's a very clear "I refuse cookies" button, which I can click and continue to the website. [1]
The point of those things is that I can refuse cookies or tracking without retaliation and without loss of functionality. Remember: functional cookies don't require consent.
They are doing it right.
It is all the non-compliant companies with only the "Accept" button that are training users to click on it. Those cookie bars are not compliant with GDPR at all.
I agree that this is an excellent approach, but the wording should be a lot clearer. When I see “This site uses cookies to offer you a better browsing experience” and a yes/no choice, I assume I’ll be missing out if I choose 'no'. Really, there should be an explicit reference to 'tracking', and a reassurance that everything will work perfectly if I choose 'yes'.
False, the EU website has an ugly cookie bar with a button called "I accept" that everyone has been trained to click yes on.
> That "Analytics Advertising Feature" MUST be unchecked by default. Only users that actually want to be tracked are tracked.
False, users can be presented with an accept / reject button on a standard cookie bar, clicking accept can opt them into tracking - please LOOK at the EU website example I provided.
> Every "tracking feature" (cookies, fingerprinting, IP tracking, whatever) must be hard opt-in.

This can be done through an accept button on a website that users have been trained to click yes on. My earlier suggestion that folks do a study on how many users navigate into these policies for every website they visit to make fine-grained selections (if such options are even available) stands as well.
> If a website only uses functional cookies (colours, session, login, cart, language) they don't need consent, just disclosure (and it doesn't have to be an ugly cookie bar).

I gave you an example of an ugly cookie bar on an EU website subject to GDPR - I can find many more.
This is the problem with these folks messing the net up. Everyone should do this / shouldn't do that, but no attention to what is actually happening.
I want to be clear: billions of pages are showing "I accept" buttons, some without reject buttons if they are disclosure only, some with reject buttons that kick you off the site, and some with reject buttons that opt you out of tracking, and users are being / have been trained by the EU alert notices / disclosure-only notices (which generally DO have an "I accept" button) etc. to waste their time clicking "I accept" everywhere.
This is bad for actual user choice, actual privacy.
> The function of the website for the website owner is to make money.
Making money is not functionality to me. (Also, note that your website doesn't have to make money: I run my personal blog at a monetary loss, just like many other people.)
> The EU law says I have to disclose lots of stuff and get your consent before tracking you. So every website added a disclosure and consent button, and every user clicked on it.
Right, what they didn't realize was that everyone would just make it super annoying in an attempt to lampoon the law instead of actually changing their behavior, because they'd just make usage of their website conditional on it. Hence GDPR, where now users can actually click "no" and not be penalized for it.
I'm just saying that it's 90% visual and 10% effectual (and I think I'm being generous), and likely makes the average person think good strides have been taken towards the problem of online tracking, which I don't think it really helps. It's the perfect level of highly visible and almost useless that it may in fact be counter-productive.
Implementations where there's only an "Accept" option are not following the law, though.
The user must opt-in of their own volition, must be able to reject the tracking cookies (or any kind of tracking) and must be able to opt-out later as well.
Btw: Functional cookies (colours, session, login, cart, language) don't need consent, just disclosure (and it doesn't have to be an ugly cookie bar).
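The three rules in the comment above (default is "not tracked", tracking starts only on an explicit opt-in, and the user can opt out again later) plus the functional-cookie exemption map onto a small piece of client-side logic. The block below is an added example, not code from the thread or from any cited site; the cookie names, the storage key and the `loadTracker` callback are assumptions, and storage is injected so the same logic runs under Node as well as in a browser (where `window.localStorage` would be passed in).

```javascript
// Added example (not from the thread): a minimal consent gate.
// Functional cookies are set without consent; the tracking script is loaded
// only after an explicit opt-in; the decision can be reversed later.

// Constructed list of cookie names the site needs to function (assumption).
const FUNCTIONAL_COOKIES = new Set(["session", "lang", "theme", "cart"]);
const CONSENT_KEY = "tracking-consent"; // hypothetical storage key

// Stand-in for window.localStorage when no browser is present.
class MemoryStore {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class ConsentGate {
  // store: localStorage-like object; loadTracker: hypothetical callback that
  // inserts the tracking script (in a browser it would append a <script>).
  constructor({ store, loadTracker }) {
    this.store = store;
    this.loadTracker = loadTracker;
    this.trackerLoaded = false;
  }

  // No stored decision means "not consented": the default is unchecked.
  hasConsent() { return this.store.getItem(CONSENT_KEY) === "granted"; }
  hasDecided() { return this.store.getItem(CONSENT_KEY) !== null; }

  // Banner state: both choices are always offered, and the banner is shown
  // only until the user has decided either way.
  bannerState() {
    return { show: !this.hasDecided(), choices: ["accept", "reject"] };
  }

  // Hard opt-in: only an explicit user action records "granted".
  grant() {
    this.store.setItem(CONSENT_KEY, "granted");
    this.applyDecision();
  }
  reject() { this.store.setItem(CONSENT_KEY, "rejected"); }
  // Opt-out later: identical to reject. A script already inserted on this
  // page cannot be unloaded, so revocation takes full effect on the next load.
  revoke() { this.reject(); }

  // Run on every page load and after grant(): load the tracker at most once,
  // and only when consent is on record.
  applyDecision() {
    if (this.hasConsent() && !this.trackerLoaded) {
      this.loadTracker();
      this.trackerLoaded = true;
    }
  }

  // Functional cookies never need consent; anything else needs a recorded opt-in.
  allowsCookie(name) {
    return FUNCTIONAL_COOKIES.has(name) || this.hasConsent();
  }
}

// Walks through the scenario end to end and returns the observed sequence.
function demo() {
  const loads = [];
  const gate = new ConsentGate({
    store: new MemoryStore(),
    loadTracker: () => loads.push("tracker"),
  });
  const trace = [];
  gate.applyDecision(); // first page load, nothing stored yet
  trace.push(`initial consent=${gate.hasConsent()} loads=${loads.length}`);
  trace.push(`session cookie allowed=${gate.allowsCookie("session")}`);
  trace.push(`_ga cookie allowed=${gate.allowsCookie("_ga")}`);
  gate.reject(); // user clicks "I refuse cookies": nothing is loaded
  trace.push(`after reject loads=${loads.length} banner=${gate.bannerState().show}`);
  gate.grant(); // user changes their mind: tracker loads exactly once
  trace.push(`after grant loads=${loads.length} _ga allowed=${gate.allowsCookie("_ga")}`);
  gate.revoke(); // and opts out again
  trace.push(`after revoke consent=${gate.hasConsent()}`);
  return trace;
}

console.log(demo().join("\n"));
```

The design point worth noticing is that `allowsCookie` and `applyDecision` never consult anything but the stored decision, so there is no code path on which a missing or malformed value turns into "tracked"; the site still works after `reject()` because the functional set is checked first.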
It explicitly _doesn't_ target cookies, it explicitly targets any and all stored information that can be resolved to "a specific person", which simply includes things like session and tracking cookies.
Session cookies are allowed (without consent) if your site has something like login or stored settings. You don’t need consent if the cookie is required to provide a function to the user.
Only cookies that are used to track user behavior, and can be tracked back to that particular user are disallowed. So things like Facebook like buttons would require consent (since Facebook will use the info gained to target you with ads in another context) while basic Google Analytics or similar is fine as it only presents aggregated data to the site owner and does not leak data cross-site. Some GA features do require consent though (like demographics tracking) as it requires Google to cross-reference between sites. You can generally turn these off (I think they even are off by default?)
Note that implementation of the law also differs between EU countries. So a few are more strict. It is up to the national privacy agency to set exact rules.
What do you mean? If I have a website and ONLY use a single cookie to save a setting for the user for the background color - I still have to get the user to accept the cookie, right?