Ask HN: GDPR pop-ups are getting so annoying, what should we do about it?
Lately, I close every website that shows me a big, junky, stupid GDPR cookie consent (e.g. https://www.runnersworld.com/), but honestly I don't find many websites that have a reasonably small and well-designed cookie consent (e.g. https://www.rei.com/).
It seems that these pop-ups are designed to annoy users to force them to click on the Accept button right away, and most of them hide the rejection button somewhere, or make it difficult to find.
The reader mode on the browser works well sometimes, but it's not a permanent way to get rid of those pop-ups.
These pop-ups are making it hard to enjoy the Internet, what do you suggest to do to get rid of these pop-ups?
Thank you.

> These pop-ups are making it hard to enjoy the Internet, what do you suggest to do to get rid of these pop-ups?

Embrace them. Learn to love them. They're a good feature. Making websites explicitly require permission to do (subjectively) negative things like tracking users is a massively positive step in the right direction towards us all having ownership and agency over our lives as we spend time online. Sure, it means we have to do a little work to say yes or no when a site wants to do something, but that's the cost of privacy. It's not very high. There could be technical solutions (eg browsers could send a header to automatically consent with the initial request) or you could use a plugin (eg consent-o-matic), but really, this stuff is important enough that "Eurgh! I had to click a button again! I'd sacrifice my privacy not to have to do that any more!" is a really bad take in my opinion.

> "Eurgh! I had to click a button again! I'd sacrifice my privacy not to have to do that any more!" is a really bad take in my opinion.

I assume you don't surf in incognito mode. The collective amount of hours wasted clicking those popups must be enormous.

> The collective amount of hours wasted clicking those popups must be enormous.

You can't add them up and use that time though. That time is always going to be fragmented into unusable bits. Millions of people wasting 2s each is not equivalent to thousands of hours of lost productivity. Likewise, one person wasting 2s many times a year can't be replaced with a useful hour. The 'lost time' argument doesn't make sense.

It's not just the 2s, it's also the frustration wasting time on something that adds no value at all. On its own this might not matter, but many of these small actions (not necessarily cookie related) do affect your productivity because they affect your mood.

But they're not unusable bits of time. That 2 seconds you spend would be 2 seconds sooner that you would be done with the website.
If you visit 100 websites in a session then that does add up to 200 seconds wasted in that session.

>Making websites explicitly require permission to do (subjectively)

But that's already happening. Your browser just sends the data automatically. Putting this burden on the website just means that an actual nefarious actor will track you anyway. After all, how are you going to check that they actually don't save all that data your browser vomits at them? If you want privacy then you have to make sure your browser doesn't send out that information in the first place. Once you've done that then GDPR is useful for plugging the holes for the non-bad actors.

Comply with the law, don't gather unnecessary PII and poof - no need for popups.

My understanding is that you must tell people if you set cookies for any purpose, regardless of whether they are collecting personal data. Therefore, pretty much any content management solution, Wordpress site etc. will need to display a cookie consent banner.

I think you need cookie banner only if you use non-essential cookies. For example if you use cookies only for user auth, you don't need to display any notification about that.

My understanding was that you need consent before storing or accessing information on user's devices.

No, Reubensson is correct. The rules for what is essential are generally fairly strict, but only non-essential needs consent.

It's so 'simple' to do that even the EU's own website has the pop up:

Yes, because they do use cookies in a way that requires them to inform you about it. It's clean, readable, and devoid of dark patterns that are so prevalent.

>Third-party cookies
>Some of our pages display content hosted by contracted services on domains external to europa.eu, for example our contractor who helps operating the Europe Direct Contact Centre. The external hosting may need cookies in order to function.
>Name of the cookie: PHPSESSIONID
>Service: Europe Direct contact form
>Purpose: Session info (random number), used for dealing with multi-language forms. No additional information stored
>Cookie type and duration: Third-party session cookie, set by our contractor. Deleted after you quit your browser
>Some of our pages display content from external providers, e.g. YouTube, Facebook and Twitter.
>To view this third-party content, you first have to accept their specific terms and conditions. This includes their cookie policies, which we have no control over.
>But if you do not view this content, no third-party cookies are installed on your device.

But but but …every company needs all possible data about you because of “legitimate business interests”!

I use a chrome extension to auto accept everything. They are incredibly annoying. I wish I could do that on my phone. I do not know any non techy who gives them more than 1 second of thought. They annoy everyone without doing anything good. My hope is the EU passes real privacy regulation at the company level. This cookie popup accomplishes nothing beyond annoying everyone.

I think what we can do about it is exactly what you've been doing: close the sites that purposefully make them obnoxious. The GDPR does not require these consent prompts to be this horrible. Websites make them that way to annoy users into getting mad at the privacy legislation _and_ also just click "Allow" by default to get to the content. Any website that uses such tactics is not a website I'm interested in using.

Bingo. Well said

I use the uBlock Origin filters for "annoyances" on Firefox, both desktop and mobile, and I don't ever see them. The filter is not enabled by default.

They’re not necessary unless you’re doing non-anonymised tracking, like, for example, using the Devil’s Spawn that is Facebook Pixel. If websites are doing this, and asking you to consent they need to be punished - hit the back button and boycott them forever.
It’s completely unnecessary - the web would be a so much better place if we all did this.

How are you going to boycott the entire internet? Most websites I visit show this pop up and it’s more convenient to just click ok than to move to 5 different screens and waste another 30 seconds. This is what happens when you don’t address every aspect of side effects when making the law. People get accustomed to it just like those California cancer warning labels that are basically useless and nothing but a waste.

> Most websites I visit show this pop up and it’s more convenient to just click ok than to move to 5 different screens and waste another 30 seconds

So they don't comply with the law. People working for these sites choose to make this difficult and harder than it's supposed to be.

Have you considered, perhaps, the entire internet and the business community is boycotting the rules because it has many loopholes and is poorly thought out?

We all know of SponsorBlock and its user-submitted segments for the YouTube videos, right? Well, can't we build the similar addon and the crowd-sourced database, but one that would submit specific rule (page elements, and click order) to block everything - incl. "legitimate interest" bullshitery - except the barest of essential cookies?

Why haven’t they been implemented as a browser feature? And how come the larger websites don’t seem to need the banners?

We need Google to stop showing sites like these in their results. The user experience is shit so don't send them any traffic.

To me it seems like they're usually similar enough and have broadly similar controls that it should be something that users should be able to configure from their browsers on a blanket basis, which should be provided in some standard HTTP headers/accessible through JS.

I just put an ip-address to country list in my middleware and block all the GDPR countries. Now I have no issue with popups or cookies. Honestly, I'd like to see more people follow that.
I got the idea from others and it seems like a perfect solution. People who can't/don't want cookies cannot really use any site I've ever worked on. It makes no sense building things for people who won't ever be customers.

It must be really odious for you to respect the people that use your website. Thank you for removing yourself.

Here's the thing. The GDPR isn't really that great a set of rules. It's too vague, and really hard to manage. I do however treasure privacy rights. That's why I don't use Cloudflare. It blocks TOR, and many VPNs. I've almost built my site to favour those methods of privacy, and I highly recommend them to people. I have paid the price of being on TOR often enough. Heaps of sites are beyond my reach. People have the right to avoid cookies, but those rights come at a cost. Oddly most of my users are from the EU, they just use VPNs

> It's too vague, and really hard to manage.

It's really not. Don't collect or process personally identifying information, and you're in immediate compliance.

You do understand that the requirement isn't "site needs to work without any cookies"? You can use cookies with GDPR.
Are you aware of the split into 4 cookie categories?
Is it surprising that people want some privacy and you can actually disagree to tracking? Of course, people should be able to disable tracking more like: I don't want to be tracked by Alphabet and Facebook, rather than turning it off for every website separately.

In an - at least in theory - open system some if not all players over time will maximise their gain from it. So advertisers want your data, because the more they have, the more they can earn from specialised targeting. (This is why I believe Facebook is an advertising platform, not a social network, but I digress). So at some point you can only access information when logged in and (let's say for the sake of making a point) give your name, dob and much more. (Sounds familiar, like a paywall?). The GDPR makes it inconvenient to have and track all that data if not outright illegal for some cases. And asking for confirmation to use cookies to track a user is the necessary evil to highlight that you are tracked. I understand the annoyance it creates for you and other users. It's still necessary. And, if I may add that, it's some kind of a new understanding I got for other systems as well. Related example: There will - over time - no better Google "competitor". Know why? Because if there is, at some point, then SEO will optimize the f** out of that competitor, too and make it maximally worse for everyone. Just like the optimization in the example above with the data. Except that the GDPR is a law for EU citizens while Google/the competitor only has to make it tolerable for them and their ad revenue. I find that perspective incredibly frustrating: Systems will get worse to a point of equilibrium, but it's not the kind of "nice to work with" you and I have in mind.
(Edit: Spelling)

Advertisement as webcontent is the modern spam.
I wouldn't be surprised if this is now the majority of all internet traffic.
It used to be that spam was email related and the major internet traffic.

Cookie banners have nothing to do with the GDPR. They are a requirement of the ePrivacy Directive from 2002.

GDPR is a preview into what a more regulated web would look like and it’s awful. What should we do? Fight it. Demonstrate the pointlessness of the regulation now that everyone has a taste of it.
Complacency will lead to more regulation. Leading to regulators able to shut down your site for not following arcane rule 345 subsection A. You think it’s a joke, but this is how it starts.

The GDPR mandates explicit consent and websites really want your consent because they rely on those cookies. So we end up with those dark patterns pop-ups because of the usual law of incentives and self-interest. As a consequence, IMHO the only way to get rid of those pop-ups is to change the GDPR to mandate a simpler format. But that's not straightforward when there are potentially cookies for different functions and each requires specific consent... We're touching a fundamental issue with wanting to regulate the way the GDPR does...

It’s only required if you’re doing non-anonymized tracking, which websites don’t have to do at all and is completely unethical.

A few weeks back someone lost a case in Germany because they used google fonts, and forgot to tell people. After that, I say, why take the risk? I have more important things to think about.

Is this an indictment and is it fair to say GDPR is a poorly implemented regulation? I am a pro-privacy advocate but like those cancer warning labels in California, I always accept cookies and move on. Billions of people spend a few seconds everyday clicking on these cookie banners. What would be the economic damage vs. privacy benefits? I appreciate what companies like Apple do with regards to privacy because it actually makes my life easier, not more difficult. Another problem is the imprecise language of GDPR. "It's mostly not enforced for small businesses" doesn't cut it when it comes to adherence to law. Businesses need assurance, not ambiguity.

GDPR does not mandate those pop-ups, most of them are not compliant and only exist as a way to try to pretend to comply with the law.

I didn't say it’s a mandate. It’s a terrible side effect and a loophole. The second part of my comment is about businesses going through GDPR checklists.
I did one for my firm. It’s not too bad but if you read the entire GDPR booklet, there are varying levels of adherence to GDPR. Most small businesses check off things but the boots-on-the-ground effects are negligible. On the other hand, you could technically be liable for lawsuit, but what I hear is that GDPR isn’t enforced for small businesses like mine. That’s troubling.

My fear is.. I'm one of the "isn't often" exceptions. I don't use an electric skateboard, or jaywalk. I've been fined for both. If there is an edge case for a fine, they will fine me.

In general GDPR is enforced across the board. But there are so many websites and companies that there are no resources to check everyone if a breach is not brought to the attention of the relevant authority.

Is explicit consent mandated? Between the GDPR and other cookie laws, explicit consent for each specific use is required, as far as I understand. If so, pop-ups are an unavoidable consequence because, again, websites don't really want to ask you, they want you to consent (obviously since they rely on this)

> for each specific use

For non-essential uses.

I think they are ugly, clumsy and annoying because the companies that are forced to show them resent that and want it to fail. It feels like they’re saying to me “Look at this horrible thing I’m forced to present to you, I’m not letting you read what you’re here for until you go through the most annoying way of responding”

It should be a browser feature but chrome has dominant market share and why would they do anything in the interests of their users’ data security (which of course jeopardises their adtech empire). We need a better browser…. Don’t say Firefox. Brave could be it I suppose.

> We need a better browser…. Don’t say Firefox. Brave could be it I suppose.

Brave is just based on Chromium... it might have lots of different features, but still Chromium it is under the hood.

That's just for rendering though isn't it?
Brave are free to (and do) add any features they like on top of that.