Typically, you can’t even turn these permissions off, nor can you deny consent or object to their purposes: they are increasingly claiming they are for ”fraud prevention” or some other technical purpose which doesn’t land under consent or the ”legitimate interest” umbrella.
Sounds horrible. >..<
The (...fortunately a) handful of places I've worked at which dealt with this sort of thing were very strict about removing PII.
I'm more concerned about only being shown information (not just ads for products) relevant to my click-tuned interests as I think that's just contributing massively to political polarization.
The only really relevant ads I've seen are from blogs that literally just sell ad space to brands and the ad is just a simple image link you can click on. Philosophy blog? Philosophy book ad. High end men's clothing blog? High end men's clothing brand ad.
None of the ads could ever be effective, I have my supply houses that I buy from and they don’t advertise online.
I do have a decent amount of buying power at work (single digit millions a year) but no internet ad from an electrical distributor is ever going to influence my purchasing decision.
Liberty demands the end of systems of control.
The result is the same. Technically there's no such thing as denying, only providing (explicit) consent. If consent is required and no consent is provided, then there is no ground for processing.
With the legitimate individual control over one own data required to run a healthy society and unavoidable to sustain a democracy. If a business can't exist without threatening society, the sooner it's going out of existence the better.
The cookie banner thing is intended to allow the user to explicitly provide consent, should they for some reason wish to do so.
Legitimate interest is for example a website using your IP to send you the necessary TCP/IP packets with the website's content upon request.
Many websites use the term "legitimate interest" misleadingly (or even fraudulently), but that's not how GDPR defines it.
We are almost 10 years into the GDPR, and we still have these gross misunderstandings about how to interpret it. Meanwhile, it has done nothing to stop companies from tracking people and for AI scrapers to run around. If this is not a perfect example of Regulatory Capture in action, I don't know what is.
I'd argue that's the opposite of regulatory capture.
- they don't care about the cookies they are setting on their properties, if most of the functionality they have require you to be authenticated anyway.
- These "smaller websites" are exactly the ones more likely than not to be Google's and Facebook's largest source of data, because these sites are the ones using Google Analytics/Meta Pixel/etc.
I'm in Spain, this is probably not the same worldwide.
The YouTube consent screen for example includes this as a mandatory item:
> Measure audience engagement and site statistics to understand how our services are used and enhance the quality of those services
I don't believe this complies with the GDPR to have this mandatory.
GDPR says it is [1][2].
> We are almost 10 years into the GDPR, and we still have these gross misunderstandings
Because people would rather smugly and confidently post about their gross misunderstandings. If only there was some place to read about this and learn. I’ll give you the money shot to save 10 more years:
> Fortunately, the GDPR provides several examples in Recital 30 that include:
> Internet protocol (IP) addresses;
From Recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses
[1] https://gdpr.eu/eu-gdpr-personal-data/
[2] https://gdpr.eu/recital-30-online-identifiers-for-profiling-...
So, sure, if you stick the user's IP address on a cookie from a third-party service, you are sharing PII. But this is absolutely not the same as saying "you need to claim legimate interest to serve anything, because you will need their IP address".
When serving content, you're by necessity linking it to a website that's being accessed.
For example, if grindr.com had a display in their offices that showed the IP address of the request that's currently being handled, that's not saving or publishing or linking the data, but it's still obvious PII.
You are not sharing with a third-party, but that sure falls into processing and publishing it.
Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.
So, apologies if I was not precise on my comment, but I still stand by the idea: you don't need to a consent screen that says "we collect your IP address", if that's all you do.
You want to share my data with your 300+ "partners" legally? Good luck informing me about all the ways in which every of those single partners is using my data. If you are unable to inform me I can't give consent, even if I click "Accept all". That is however a you-problem, not a me-problem. If you share my data nontheless you are breaking the law.
If you're going to turn the filters on, it's worth being aware of this because it's far from flawless.
Then the browser: refreshes the page, downloadz all the thingz… presents cookie banner.
I’ve been using uBlock (or Brave) for years now, and when “something doesn’t work right” the first thing I often do is lower my shields… :facepalm:
From now on, I’ll just bounce. Keep your cookies, I’m not hungry.
- https://addons.mozilla.org/en-US/firefox/addon/cookie-auto-d...
- https://github.com/JobcenterTycoon/cookie-auto-decline
Not sure if it's as advanced, but does a good job at declining or simply hiding the banners.
When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do).
Instead i use this https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies
To the point that people are worried when cookie banners are not required now. I have had a few worried conversations on why our site doesn’t have a cookie banner.
The answer is simple, we don’t track our users, and login is explicit consent and functionality which doesn’t require a prompt under GDPR.
Yet https://european-union.europa.eu displays a cookie banner for tracking on what is essentially a static informational site. If the EU itself feels tracking is valuable enough to warrant the banner on their own pages, it's hard to fault businesses (whose survival actually depends on understanding their audience) for making the same choice.
At least they're compliant with their own regulation, I suppose.
The EU websites require the cookie consent due to this section of the cookie policy:
> Third-party providers on Commission websites
* YouTube
* Internet Archive
* ScribbleLive
* Google Maps
* TV1
* Vimeo
* Microsoft
* Livestream
* SoundCloud
* European Parliament
These third-party services are outside of the control of the European Commission. Providers may, at any time, change their terms of service, purpose and use of cookies, etc.
——
In other words, due the embeds that track users, consent is needed.
They also have their own analytics in the same section, by the letter of the rules: they indeed need explicit consent, which would be obviated if they didn’t run analytics and didn’t embed stuff.
Option b) ask the consent in the embed.
Analytics can be done without banner requiring tracking, e.g. https://plausible.io/
It seems that very few, even lawyers, really understand when explicit consent is not needed, and instead we get cargo culting of pointless consent banners everywhere.
The situation has become such that "consents" aren't really meaningful at all, as people just want to get rid of the banner, and it becomes US style contract theatre.
I really hope that I never end up in a situation where someone tells me "well the conversion rate would be much higher if you just stopped fighting it and put up the damn banner".
https://support.mozilla.org/en-US/kb/cookie-banner-reduction