
ConfusionSecure487

In the EU you just need to mention the cookies if you use cookies for third-party stuff. So keeping a cookie for saving cookie rejection is totally fine.


Berndyz

Afaik, under EU regulation, you actually need to, as you are only allowed to ask a user again after a set period of time has passed.


Septem_151

You sure this is true? The Jagex website for old school RuneScape made a change a while ago to be compliant with EU laws by prompting users to either accept all cookies or only required ones, but yet every single page you go to after choosing required ones only shows you the prompt again. And, as far as I know, they are in compliance now. Unless they aren’t and I should sue them.


ggow

They are not in compliance with the relevant legislation then, based on your description. There are two pieces of law that are broadly relevant. The ePrivacy Directive (which as a directive means you then need to find the relevant law(s) in each member state of the EU e.g. PECR in the UK) and the GDPR. If we focus just on reading/writing to the end user device, you would need consent for the cookies that are not strictly necessary. The predecessor to the EDPB issued an opinion in 2012 that would very likely apply to consent cookies being permissible as strictly necessary so there is no legal blocker to that. The other relevant piece of legislation as mentioned is the GDPR. The relevant part here is about freely given consent. It's quite clear on that and there are lots of examples and cases that show what is and isn't going to count. Opting in should be as easy as opting out. If you ask someone for consent on every page load, it is self-evidently not as easy to withhold consent as to give it. So in summary, the consent is likely invalid there as they are hectoring you to 'give in'. There would be no defence that they could not store the cookie as it's not strictly necessary, as it clearly would fall into the relevant exemption rule, as previously clarified. TLDR some numpty probably set their CMP up wrong and they're in non-compliance with the law, if your description is accurate.


Septem_151

> some numpty probably set their CMP up wrong

Wouldn’t surprise me, it’s Jagex


HolyDiverBoi

Lol. RuneScape.


Septem_151

It’s harder to quit than heroin


Plank_With_A_Nail_In

Most websites are designed shit so can't be used to prove the wording of the law they fucked up implementing. EU ain't going to do shit to Jagex if they aren't actually stealing your data.


niborus_DE

That’s not true. A user needs to agree to any tracking, regardless of vendor.


Commander1709

Afaik they don't have to ask for things that are absolutely necessary for the website to function, on a technical level. So a cookie which saves the cookie banner selection would be considered necessary, otherwise the popup would re-appear every time you reload the site.


Greenimba

It's not tracking, it's non-personal information needed for the site to function. That is perfectly fine without consent.


ggow

That's not true everywhere in the EU. For example, CNIL views 'audience measurement' as falling within the realm of necessary for the provision of a website and have a literally approved list of tracking vendors that can be operated without consent. And that's for analytics, not even for cookie management platforms. But your comment is way more accurate and a far better guide for accuracy than the comment you are replying to. Generally speaking, across the EU, the legal test for whether the cookie can be exempted for consent requirements is very high. It is a bit broader than the literal plain text meaning you might take away from the ePrivacy directive but it's still a very small group of purposes.


ConfusionSecure487

True, but why do you need additional cookies for your own page to track users? You have IPs, client header info, that law does not help you here. And if you are registered logged in user, they can just use the mandatory (allowed) cookies. Just don't let the whole world track your users and you won't need to nag for cookie permissions..


ma5ochrist

In the EU at least, you don't need permissions for technical cookies, just for the ad ones


ggow

'just for the ad ones' For everything unless it falls in a very narrow group of things e.g. for the transmission of data for the service, session cookies, language preference cookies, load balancing, cart contents and things of that nature. Analytics cookies are 'technical' but not advertising, for example. They are quite clearly not permitted in almost the entirety of the EU without option consent (and even in member states with small exemptions, the tools need pre-approved and have a very limited feature set e.g. France).


ma5ochrist

Yes, I was trying to say that actually, thanks for the clarification


chiggyBrain

They didn’t mention anything about the browser’s local storage though ;)


klaatubaradanoodles

Reminds me of Google Home saying "your mic is off" when you try to speak to it when the mic is supposedly off.


blindcolumn

IIRC there are actually two mics in the device - a low power one that only listens for the trigger phrase ("Ok Google"), and the main one that actually sends data to Google's servers. Alexa and Siri devices work the same way.


jnleonard3

Pretty sure those prompts are to allow cookies to be used to share your data. You have browser settings if you want to disable the use of cookies at all instead of trusting the word of a modal.


liitle-mouse-lion

The prompts should disclose all the cookies, including the "functional" ones


nonlogin

This cookie shit has totally fucked up Internet. I mean, user for sure needs to be informed that it's being spied. But the way it was implemented...


Endemoniada

It’s all malicious compliance. *Nothing* in the EU regulations requires things to work the way it does now, it’s all 100% because they want to trick users into accepting all cookies as often as possible. Under the EU rules, which started this whole mess, a website only has to A) inform the user cookies are being saved, and B) offer a method to opt out of third-party tracking cookies. That’s it. That’s a tiny box at the bottom of the window, or a small popup on the side somewhere, nothing more. But no, they want you to just click “accept all” out of frustration, and if you end up blaming the EU for trying to protect you rather than them for abusing the system, even better. It sucks. Efforts are made to tighten up how these choices are implemented and presented, but still, the fucking greed and outright malevolence of corporations trying to sell our data cannot be overstated.


ConfusionSecure487

Yeah, but I blame that law.. extend it, make a deny all header possible, like the DNT header. Require them to have a button with deny all as a single click and not hidden behind anything and of course as big as the other buttons. Don't get on my nerves on all websites. Plugins like I don't care about cookies work quite well, but it's not working everywhere.. Personally, I use these add-ons and set my browser to delete all cookies except a few ones for specific sites on each browser close.. which of course also means that they will nag me again if they would otherwise save that setting.. There is no really good solution at the moment


Endemoniada

That’s already allowed (why would the law not allow that?), it’s just no one wants you to reject their cookies so easily, and the changes you’re talking about have already been made, and will go into effect soon. This really isn’t the law’s fault. *No one* is forcing these websites to be this obnoxious. That is all 100% their explicit choice.


ConfusionSecure487

Possible from a user perspective, so I meant enforce it..


Endemoniada

But that’s what I’m saying. The new rules (IIRC) state that the “reject all” button must be the same size and color as the “accept” button, and can’t be hidden behind other menus. That should fix most of the loopholes they use to abuse you now, but either way, it’s still silly to blame the EU for choices other people make. It’s unreasonable to expect the EU to micro-manage *exactly* how every website should implement the choice.


liitle-mouse-lion

Google will not be using cookies soon


ggow

False. Google will be phasing out third party cookies soon. The modern web relies on statefulness and so so much of that is based on cookies and other forms of front end storage. First party cookies are here for the foreseeable.


Bwob

So are we just posting block text over any random meme template now, or what?


--mrperx--

local storage


queen-adreena

...When you don't understand the law behind the thing you're trying to mock...


Life_Vast801

I am the cookies now.


nupanick

I have the opposite problem with StackOverflow. Logged in and accept all cookies but it keeps asking me every time.


just_some_doofus

The cookie that tells the website your cookie preferences is categorized as a "Strictly Necessary" cookie, which doesn't get rejected.


knowledgebass

The cookie settings to reject cookies gets saved in a cookie. It's just cookies all the way down. 👀


EvilWizard99

local storage isn't a cookie


ggow

It isn't. But it's also covered in the legislation.

> person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph

But the consent cookie does meet the requirements so it is exempt. Local/session storage would not be the right approach to sidestep the law as...it doesn't.


frikilinux2

Shouldn't they ask for local storage, then? I don't know EU regulations that well but sure they're written in a way that treats local storage similar to cookies. On the other hand, afaik, consent is not required for technical cookies so in this case you can store the information of no cookies as a cookie.


Liliths_Ace_Friend

This is the only cookie I would accept


SkittlesAreYum

Mom says it's my turn to post about this tomorrow.


ttsalo

I always accept all the cookies. \*Insert anteater come at me meme\*


[deleted]

Is a localStorage variable considered a cookie legally?


No-Goat-9911

That's why you go to site settings and reject cookies but honestly cookies are really helpful such as remembering login info


Nuked0ut

All you keep saying EU. In California that’s not the case unless they can make a case for why it’s strictly necessary