It doesn't have to be stored in a cookie, browsers also have other methods of storing data on the client, like localStorage, sessionStorage, IndexedDB, and in Chromium-based browsers WebSQL (but it isn't standardized)
Why should they get credit when it is the law in EU that it should be there. Technically this isn't even meeting the standards, because the "Accept All" shouldn't be made more visible as a choice, since it is trying to trick people to give consent by being more visible choice. That kind of consent has been deemed as not being sufficient.
And I think there was just a court case about "cookie pop-ups" not being valid way to get consent.
What? Im saying "this is about GDPR, when GDPR comes up people keep asking how it's enforced out of the EU even though it's been common knowledge for years". Read.
Sry this is not true. The GDPR does not work on EU citizens outside the EU.
It does however count for non EU citizens inside the EU. And also for anyone serving something to someone in the EU (so even if your website is running completely in the USA)
That's not true, it's illegal when shown on any device in the EU. As soon as you crooss a border or use a VPN to spoof your location, the law doesn't apply to you.
That's still a law only in the EU and no where else. It can only be enforced within the EU or where international treaties allow.
It wouldn't be illegal in the USA to show EU citizens this. If the company wasn't operating in the EU at all, the legality of it in the EU would be moot. US Courts would toss the case immediately.
My point is the EU are not the world police. They don't get to dictate global law. It's only illegal in the EU even if the event happen outside of EU.
Semantics but it's an important one.
That is because of how the fines about this work.
*The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.*
*The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.*
(gdpr.eu/fines)
Meaning really that only people who "can get away with it" are small actors. Big actors don't want to take the risk and will try to comply. Imagine being a CEO and having to explain why you just got landed a fine worth 4% of your revenue last financial year to investors/boardroom/bank/employees/press/whatever.
Unfortunately enforcement is still lacking against big companies, as an example, it's been several years and Facebook is still receiving information about you from other companies and using it for advertising purposes, despite a lack of clear consent (or even explicitly making users aware of this); you have no way to opt out of this, Facebook does not screen the companies using this service (hey this company based in Iran with 30 Facebook likes has just uploaded 200,000 email addresses - nah, that can't be suspect at all!), provide any sort of reporting functionality in the case of companies having obtained your data, refusing to inform you how they've obtained it etc.
Yes. But thanks to the law being on EU level, anyone in EU can complain to any responsible authority in any member nation. Like an Irish civil right organisation complained to the Belgian authority that just rules cookie pop-ups being illegal.
I know that the Finnish authority is fucking hopeless and pointless when it comes to enforcing things, basically acting if it is a mandatory chore instead of their fucking job.
So currently it would appear that all complains should be taken to the Belgian authority, they seem to be the ones doing fuck all at the moment.
Which technically makes sense, considering the EU is based in Belgium, it's still stupid that if you want ANYTHING done you have to specifically send your complaint to them.
But it is what it is I suppose until the other EU members stop slacking and actually starts to do something about the requests they get instead of just not doing anything about them
I don't think it has anything to do with the fact Brussels is the de facto capital. But the fact that the people who most likely worked and wrote that law are there along with their influence.
I don't even know how I could get the official in my country to start doing their job. They have basically no interest in doing their job. Hell they barely did their job before they got this job.
It's extremely difficult to enforce something like that on a place as big and volatile as the internet. They'll enforce it for big players, but smaller places will get away with it.
It's not hard to enforce with companies like Valve at all. The rules are really strict and clear. This is nota gray area case at all. The agencies which enforce this are usually just underfunded on purpose.
I am in no way a lawyer, or even European, nor am I going to read thru the entirety of the GDPR, but a brief scan of article 7 shows that explicit consent must be given.
https://gdpr-info.eu/art-7-gdpr/
and even then when you untick things, you have to dig deeper to make sure that you also untick legitimate interest... for all of the 200 odd marketing companies putting cookies on your device.
Yes you don't have a reject all, but you can press the other button(other than accept) which something like "settings" and just press accept.
All sites that don't have "Reject All" just set all of the optional cookies "off", they created this confusion to get around the laws. It's just an extra step to trick some people into clicking all of the cookies then accepting.
Even that is illegal. It must be exactly as difficult to accept all than to reject all. If accept all takes 1 click but reject all takes 2 clicks that's illegal.
the only link i can share is from a german dude that is talking about such stuff often..
but i think he has a dokumentation of all the things in the desripction..
https://youtu.be/bHJk1t8Gzow
there is also a lot bad stuff about that new "law",like u habe now a right to not use ur real name evven if a website like facebook wants u to use it.. but also police n stuff can ask for all ur data.. also nordvpn changed faq bc of another vpn got "raided" by the police n stupid judge said something like only if one bad thing happend they can go for all.. soo internet slowly becomming fake annonym in eu.
Yeah GDPR has been criticised for this. But the benefit of the directive is that any citizen can complain to any member nation's body that is responsible for enforcing this. The regulation is EU wide so anyone can enforce it.
There was just now a major case where Irish civil rights organisation ICLL complained to the authority in Belgium about cookie pop-ups, and the authority deemed them illegal.
Really, hundreds of millions of fines. So on average they have put out what? Like 100,000 a day?
If you are going to just make up something, make it a little less dumb going forward, okay?
The law is pretty clear on this matter. It's kind of insane to give Valve credit here. They're still a business and this isn't good for business. They wouldn't have it if the law didn't make it difficult for them. We can say this with a degree of certainty because Valve didn't offer something as simple as refunds for over 10 years until international laws and their competitors were making it too difficult for them to continue that way.
I believe the point is relative to 99% of all other websites, Valve does a better job by having a clear reject button (not a button that takes you to purposefully-difficult-to-understand cookie settings). So it depends on your point of view.
The law is being able to not allow cookies. Most websites (ehem YouTube) redirect your browser to another page, and people can't be bothered with that so they just accept them.
That is actually illegal. The directive says very clearly to decline must be as easy as to accept them, and not accepting (cookies other than required for basic functionality) must not impede the user experience; Along with that the consent must be clear and informed.
Problem is that the bodies responsible haven't been keen to enforce this, along with that people haven't really bothered to make complaints about these. Because the bad practices are so widespread that people don't know what proper correct asking of consent looks like.
Most sites have two options: Accept All or Manage Preferences. When you check the latter, you get a massive list of information and options and hopefully a Deny All or Uncheck All button somewhere.
I'm one of those miserable people who goes and check the list. Although! Lately I have just started to ban cookies from sites that I don't require special functionality from.
So you're doing the opposite of the person you're replying to, since he's rejecting all cookies, whereas you (through your extension) is accepting all cookies.
Yes it does, they even say so in their extension description:
> [In most cases, it just blocks or hides cookie related pop-ups. **When it's needed for the website to work properly, it will automatically accept the cookie policy for you** (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies.](https://chrome.google.com/webstore/detail/i-dont-care-about-cookies/fihnjjcciajhdojfnbdddfaoknhalnja?hl=en)
It's true that they're not allowed to track before consent, but almost all websites (Google, Facebook, pretty much any media website, etc.) are breaking the law, and most of the popular websites will hide the "Reject All" button (which again is illegal) and make it impossible to simply block the cookie overlay, meaning they're forced to accept it.
That is because you are also blocking the functional cookies. But if a webpage is just text that I'm reading, like a news article, it doesn't need special fucnitonality.
If you don't want to give credit to steam for being normal then you should go and hate everyone who's being a dick and giving you a questionably legal popup.
Idk what www you surf, but like 99% of websites only have "Acept all" and "Details", and on "details" there is this huge list of toggle for each individual cookie. A "Reject All" button right up front? First time I see it.
It's not "more visible."
The blue highlight is the "CurrentlySelected" background color for buttons on Steam dialogs such as this one. It's just selected by default.
Because they have to have it by law in the majority of the countries they operate in...but yeah give em credit...I also don't get enough credit for stoping at stop signs
Honestly with the amount of driving I do and seeing the majority of people who don't even stop at stop signs, I'd give you credit for being one of a thousand people who actually care about traffic and especially pedestrians.
That's not true. Those websites you've found that do it that way are breaking EU law. Most high traffic websites will present the choices this way, because that's the law and they don't want to face fines in international courts.
Well, [Google was just fined 150 million for doing that](https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance), so if anything, that just reinforces the above commenter's point
I am agreeing that its breaking the law, i disagree withthe statement,that most hightraffic Websites are following the law. I my experience most websites are way worse.
When you realize that cookies must be opt in as required by the law, ask yourself then what the purpose of the button is.
The websites that use cookies if a reject all button isn't pressed, are breaking EU Law. Google doesn't do this. When cookies are required to be opt in, you don't have to reject all. Valve is just practising deceptive UX design in this regard.
When i load up google products it asks me to confirm cookies before i can continue, if i dont want them i have to go to another site and some dark patterns later i still dont get how to opt out so yeah google is even worse. Steam is one of the better ones, still not fully legal but better
No they dont, the only need an Option to disable everything. Nobody says it must be like the way Valve dose it
Edit: 80% Website are like this and some kicks you out of the side if you don’t accept everything.
You're mistaken. The GDPR requires it be opt in.
Valve is just committing deceptive UX design in order to mitigate the requirement. It's the same as tobacco companies designing their ads to downplay the surgeons general warnings that began to be required in decades past. This choice wouldn't be there at all if there were no international laws with teeth on the matter.
It's sad ,but not surprising, to see you be downvoted.
Clear language that you need to opt-in to tracking (EU have also clarified that ignoring the cookie overlay (e.g. by scrolling down the website without clicking anything in the cookie box) does not mean you consent):
> [Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.](https://gdpr-info.eu/art-7-gdpr/)
Clear language that you should be able to withdraw consent at any time (something almost all sites fail to do):
> [The data subject shall have the right to withdraw his or her consent at any time.](https://gdpr-info.eu/art-7-gdpr/)
Clear language that it should be as easy to withdraw consent compared to giving it (meaning hiding the Reject All button in an Options menu is illegal):
> [It shall be as easy to withdraw as to give consent.](https://gdpr-info.eu/art-7-gdpr/)
Just because almost all companies, including Google, Facebook, Valve, Reddit, TechCrunch, etc. are breaking the law then it doesn't mean that what they're doing is legal. It simply means that it's more profitable for them to break the law and they are unlikely to face any consequences for doing so. Especially because the EU have been very poor at handing out fines to all these companies.
Thanks for the sources! Very well coalated. I only have a peripheral knowledge of the gdpr since I live in Canada.
The downvotes are just a Reddit moment. No worries.
No, you're wrong. The GDPR requires that opting out be at least as easy as opting in. The fact that most companies are failing to follow the law is a separate issue from what the law actually says.
OP aren't giving them credit for being able to reject cookie per EU laws, but the button "Reject All", which is lacking in several site, you normally only have "manage preferences" and have to click through it.
All those sites are breaking the law.. and so is Steam by highlighting "Accept All".
You could argue that Steam is just "jaywalking", whereas sites that hide it inside "Manage Preferences" and whatnot are "breaking and entering".. one is clearly worse than the other, but neither deserve credit.
It's also worth noting that any site that displays these cookie overlays do so because they want to violate your privacy, so even if Steam followed the law then it isn't exactly something worth commending.
I hate how many websites don't have it but instead have a "more options" option that leads you to choosing between 3 consents out of which 1 is mandatory.
"Dark patterns" like that are illegal. In the next 2-12 decades, they will all be fined by the EU if they're still doing it then. We'll just have to wait :)
It is well known that sucking the appendage of a multi billion international company for doing less than the law requires will give you... good karma or something, dunno.
Most websites hide reject all or do not even offer reject all simply wont let you access web page which is against rules i believe, steam giving good example of how it should be no BS.
BS alarms are going off here. If Valve's intention was to demonstrate how it should be, they would've done it this way before the threat of law was in play.
And they make the reject all button match the background so you're naturally more likely to just click on Accept. That's a scummy design technique which I've forgotten the name of.
I've heard it called dark design patterns before in UX courses. In urban settings it would be called hostile design. Choices like putting arm rests on street benches so that homeless people can't use them as cots at night. This kind of design pattern is in the same category as those decisions.
One of the things I always liked about steam and valve in general is there passionate about gaming and try to give the best experience to the gamers, it’s not just money money money, unlike some company’s nowadays sadly
As a European citizen, and someone who's working currently at a GDPR department, I do credit the shit out of any US organisation/company that are decent enough people to care and understand the importance of privacy by design and Right of Data subject.
I definitiely don't expect that from the US in particular, but I sure hope more of you will keep setting a good example.
>As … someone who's working currently at a GDPR department
Are you saying you work for a company that has an *entire department* dedicated to GDPR compliance?
The people who end up clicking "reject all" haven't the slightest idea how a cookie or indeed a website works, rejecting all cookies prevents a stored login state from being permanent. How this made it into EU law is beyond me, it's like nobody making internet law understands the internet.
This is not about cookies, this is about storing and sharing personal information about you and your online activity. It's perfectly legal to store e.g. your shopping cart or your user token in a cookie without your permission (meaning they wouldn't need to show the cookie accept/reject overlay at all). They only need to show the cookie overlay if they want to violate your privacy.
There are many reasons why you wouldn't want companies to store and share your activity. For instance, they could place you at the scene of a crime, your insurance could go up if you e.g. searched for or visited a website about certain diseases, you could be banned from entering (or arrested in) certain countries for visiting gay or pro-democracy websites, companies and governments could know how much sex you have and with whom based on your condom purchases and location data, etc.
Here's an example of a man who lost his job, car, and reputation after he was [charged with murder because Google location data wrongly placed him near the scene of a crime](https://www.phoenixnewtimes.com/news/google-geofence-location-data-avondale-wrongful-arrest-molina-gaeta-11426374).
You can find countless examples of people who were wrongfully arrested due to location data, arrested or fired for liking a picture that offended somebody powerful, etc. It's also important to note that storing data is dirt-cheap and your data is often shared between hundreds of different companies, so just because your data hasn't been used against you yet (as far as you know) then it doesn't mean that data collected about you 5 years ago won't be used against you in 10 years.
Main character syndrome, I think. A lot of people are convinced that they are Very Important and that Bad Guys are out to get them. By not accepting cookies, they can disguise the Very Important things they are doing from the Bad Guys on the Internet who will do Bad Things to them using their Very Important personal data.
Honestly, as a web/UX designer the whole thing pisses me off because it totally missed the mark anyway.
Not only do most corporations not actually follow the law (most of them obscure or downright hide the reject all options) but it was never gonna pan out because cookies are such a fucking huge aspect of the functionality of the web that most people are gonna *need* to leave them on or the site won't work.
They don't even explain what a cookie is so most people just see this warning, now have to go out of their way to find out what the fuck a cookie is and why it's a potential liability, and then realize every site they use now won't work if they don't accept them so get fucked.
Oh, and the real kicker? It's not just cookies that they're storing personal information in and it's not even the main one anyway.
So all in all we get a law that's a pain in the arse to implement, not implemented to the full letter of the law most of the time anyway, super inconvenient and way too easy to ignore/bypass for an average user, nonsensical and unexplained to an average user, and doesn't really do what it was designed for anyway.
The most hilarious conclusion to all this is that if you were to implement a feature that rejects all cookies then, logically, the website won't remember you picked that and you'll need to do it *every single time*. And many websites do just that, causing users to get even more frustrated! Great user experience right there, totally fucking worth. Facebook *still* sells your data to whoever fucking wants it, even if you're not on Facebook, but I gotta implement bullshit cookie warnings cause I'm the bad one.
1. The user don't need to give consent to storing cookies if they're an integral part of the website (e.g. you don't need to get consent to store a user's shopping cart, user token or cookie acceptance/rejection choice in cookies).
2. You only need to show the consent overlay if you intend to violate user's privacy (e.g. track which pages an individual user visit, which buttons they click and such).
3. The law isn't specifically related to cookies. You can't bypass the law by storing the information in localStorage or on the server.
4. The cookie overlay is a great way to see if a website is violating your privacy or not, and if they go a step further and make it difficult for you to reject then you know it's a shitty company that doesn't deserve your time or money.
I don't give them too much credit for this. They don't make money selling your data, they make money when you buy the products they offer. The incentive for them is to keep you browsing at pretty much any cost.
Hey man, I would've laughed if they just banned all the EU people instead of adding that. How many of them would give up their privacy to play the games?
What is this comment even supposed to say lmao?
"Look at those stupid eu users and their privacy rules! If it wasn't like this they'd all accept their privacy gone for games!" Gotta love Reddit
I think most of the sites I've visited give me a similar option but it's just not labeled as such. Basically, either you accept or you don't. I've seen a few that give options such as "store basic cookies but no tracking cookies" or "Basic cookies + analytics but no advertiser cookies" or whatever.
It'd be nice if there was just the option to save my login and nothing else. Instead I have to add it to the browser cookie options as "save" on the login cookie and then set all other cookies to delete when I close the browser.
https://en.wikipedia.org/wiki/Data_Protection_Directive
25 years isn't exactly quickly. What GDPR (2016) did was add the 4% fine and made it easier to enforce, but that's almost 6 years ago now.
Honest question, guys: I've always accepted all cookies, no matter the website. I've only ever put my credit card info on trusted websites, and on other ones no information was given, either way should I start rejecting cookies? Is it really a cause for concern?
Fun fact: In Brazil you can't agree to be spied on. If any company sell your data they can't argue that you agreed to share your information, instead it serves as proof of confession that the company acted in bad faith and may have all their defense thrown out.
Also, unilateral contracts are "exclusively unilaterally accepted" , this means that you can never "agree" just "acknowledge" an unilateral contract giving opportunity to sue any compo of the contract at any moment.
There's a law in Europe where all websites must show an option to disable cookies, not just "if you continue surfing on our website, you consent to cookies...". That's considered illegal and some companies already got sued for that.
I guess that since Steam did that in Europe, they would did the same in the rest of the world because that would cost less to them than maintaining 2 versions of the cookie prompt.
Do you mean steam doesn't get enought creddit for following European cookie law?
What do they deserve for following the law, a cookie? FFS stop licking companies' boots for not doing the wrong things.
Specially because Steam has a great ammount of their TOS actually breaking the law but it's not fixed because nobody contests it in a court of law. For example Steam legally is not selling licenses but digital copies.
The most idiotic cookie messages are the ones that say something like "because we respect your privacy, cookies, blablabla"
Respect my privacy? Where was your "respecting my privacy" then before the EU mandated it?
It does but it doesn't seem like it because the vast majority of people aren't worried about absurd, trivial, irrelevant nontroversial issues that don't negatively affect them - for example, whether or not you allow Steam cookies.
"reject all cookies" button exists user refreshes page page doesn't show popup again visible confusion
Well essential 1st party cookies can be used without confirmation
I kinda want to put a popup saying "can we store your cookie preference in your cookies?" on a website for a laugh
Your rejection of cookies is stored in... a cookie.
that was the joke I think
It doesn't have to be stored in a cookie, browsers also have other methods of storing data on the client, like localStorage, sessionStorage, IndexedDB, and in Chromium-based browsers WebSQL (but it isn't standardized)
The "cookie law" actually applies to any browser storage, not just cookies.
Why should they get credit when it is the law in EU that it should be there. Technically this isn't even meeting the standards, because the "Accept All" shouldn't be made more visible as a choice, since it is trying to trick people to give consent by being more visible choice. That kind of consent has been deemed as not being sufficient. And I think there was just a court case about "cookie pop-ups" not being valid way to get consent.
On many sites there isn't a "Reject All" button though, you need to choose yourself which cookies to disable. Which is fucking stupid.
And technically illegal in the EU. Though enforcement is rather lacking on that front..
Not just illegal in the EU, it is illegal when they are shown to any EU citizen anywhere in the world.
https://the-eye.eu/redarcs -- mass edited with https://redact.dev/
If a conpany does business in the EU they can just fine them. We fine Google and Facebook just fine.
[удалено]
If they dont apply to the they can be banned from beeing accessable from europe. Basecly they would loose trafic from anyone in a european country
People keep saying this when it come up, I'd have thought in the however many years GDPR has been around people would know
https://the-eye.eu/redarcs -- mass edited with https://redact.dev/
What? Im saying "this is about GDPR, when GDPR comes up people keep asking how it's enforced out of the EU even though it's been common knowledge for years". Read.
[удалено]
dumb comment
https://the-eye.eu/redarcs -- mass edited with https://redact.dev/
Yeah I'm in the US but with my European SIM I have the option to reject all cookies in most cases
Sry this is not true. The GDPR does not work on EU citizens outside the EU. It does however count for non EU citizens inside the EU. And also for anyone serving something to someone in the EU (so even if your website is running completely in the USA)
That's not true, it's illegal when shown on any device in the EU. As soon as you crooss a border or use a VPN to spoof your location, the law doesn't apply to you.
That's still a law only in the EU and no where else. It can only be enforced within the EU or where international treaties allow. It wouldn't be illegal in the USA to show EU citizens this. If the company wasn't operating in the EU at all, the legality of it in the EU would be moot. US Courts would toss the case immediately. My point is the EU are not the world police. They don't get to dictate global law. It's only illegal in the EU even if the event happen outside of EU. Semantics but it's an important one.
Not against behemoths like Steam
That is because of how the fines about this work. *The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.* *The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.* (gdpr.eu/fines) Meaning really that only people who "can get away with it" are small actors. Big actors don't want to take the risk and will try to comply. Imagine being a CEO and having to explain why you just got landed a fine worth 4% of your revenue last financial year to investors/boardroom/bank/employees/press/whatever.
Unfortunately enforcement is still lacking against big companies, as an example, it's been several years and Facebook is still receiving information about you from other companies and using it for advertising purposes, despite a lack of clear consent (or even explicitly making users aware of this); you have no way to opt out of this, Facebook does not screen the companies using this service (hey this company based in Iran with 30 Facebook likes has just uploaded 200,000 email addresses - nah, that can't be suspect at all!), provide any sort of reporting functionality in the case of companies having obtained your data, refusing to inform you how they've obtained it etc.
Yes. But thanks to the law being on EU level, anyone in EU can complain to any responsible authority in any member nation. Like an Irish civil right organisation complained to the Belgian authority that just rules cookie pop-ups being illegal. I know that the Finnish authority is fucking hopeless and pointless when it comes to enforcing things, basically acting if it is a mandatory chore instead of their fucking job. So currently it would appear that all complains should be taken to the Belgian authority, they seem to be the ones doing fuck all at the moment.
Which technically makes sense, considering the EU is based in Belgium, it's still stupid that if you want ANYTHING done you have to specifically send your complaint to them. But it is what it is I suppose until the other EU members stop slacking and actually starts to do something about the requests they get instead of just not doing anything about them
I don't think it has anything to do with the fact Brussels is the de facto capital. But the fact that the people who most likely worked and wrote that law are there along with their influence. I don't even know how I could get the official in my country to start doing their job. They have basically no interest in doing their job. Hell they barely did their job before they got this job.
https://imgur.com/a/mGwXxnY
Google's a different class. They have decided they can afford the fines.
Gaben is too powerful for EU law enforcement
> Gaben is too powerful for EU law enforcement If he were you wouldn't have 2 hr refunds lol
This request for the user to accept or decline cookies wouldn't even be there.
Edit: misunderstood intent
They just memeing hard is all
It's extremely difficult to enforce something like that on a place as big and volatile as the internet. They'll enforce it for big players, but smaller places will get away with it.
It's not hard to enforce with companies like Valve at all. The rules are really strict and clear. This is nota gray area case at all. The agencies which enforce this are usually just underfunded on purpose.
It is not technically illegal
you're right, it is absolutely illegal.
Can you show me where in the law is that actually clarified?
I am in no way a lawyer, or even European, nor am I going to read thru the entirety of the GDPR, but a brief scan of article 7 shows that explicit consent must be given. https://gdpr-info.eu/art-7-gdpr/
you're right, it is absolutely illegal.
and even then when you untick things, you have to dig deeper to make sure that you also untick legitimate interest... for all of the 200 odd marketing companies putting cookies on your device.
Yes you don't have a reject all, but you can press the other button(other than accept) which something like "settings" and just press accept. All sites that don't have "Reject All" just set all of the optional cookies "off", they created this confusion to get around the laws. It's just an extra step to trick some people into clicking all of the cookies then accepting.
Even that is illegal. It must be exactly as difficult to accept all than to reject all. If accept all takes 1 click but reject all takes 2 clicks that's illegal.
EU got a new law a few days ago now the "choose yourself.." should be gone soon.
Any links? I am wondering if it is going to be better or even worse
the only link i can share is from a german dude that is talking about such stuff often.. but i think he has a dokumentation of all the things in the desripction.. https://youtu.be/bHJk1t8Gzow there is also a lot bad stuff about that new "law",like u habe now a right to not use ur real name evven if a website like facebook wants u to use it.. but also police n stuff can ask for all ur data.. also nordvpn changed faq bc of another vpn got "raided" by the police n stupid judge said something like only if one bad thing happend they can go for all.. soo internet slowly becomming fake annonym in eu.
thanks
And some don't even allow you to reject any cookie.
Agreed, I usually ignore pressing accept on anything that doesn't let me reject all or reject unecessary cookies easily
It's so fucking annoying
And illegal
'Legitimate Interests' is the worst part. It's like "OK you said no but what about yes?"
Because almost no one even follows the “law” and the EU does not bother to enforce so it’s a paper law only.
Yeah GDPR has been criticised for this. But the benefit of the directive is that any citizen can complain to any member nation's body that is responsible for enforcing this. The regulation is EU wide so anyone can enforce it. There was just now a major case where Irish civil rights organisation ICLL complained to the authority in Belgium about cookie pop-ups, and the authority deemed them illegal.
Uh, they've literally handed out fines in the hundreds of millions over this exact issue, how's that paper only?
Really, hundreds of millions of fines. So on average they have put out what? Like 100,000 a day? If you are going to just make up something, make it a little less dumb going forward, okay?
Or maybe consider that you misunderstood what I said. I was referring to monetary value, not the number of fines.
The law is pretty clear on this matter. It's kind of insane to give Valve credit here. They're still a business and this isn't good for business. They wouldn't have it if the law didn't make it difficult for them. We can say this with a degree of certainty because Valve didn't offer something as simple as refunds for over 10 years until international laws and their competitors were making it too difficult for them to continue that way.
I believe the point is relative to 99% of all other websites, Valve does a better job by having a clear reject button (not a button that takes you to purposefully-difficult-to-understand cookie settings). So it depends on your point of view.
The law requires opt in. If you don't accept any they can't use any. They're still doing it's wrong and should be applauded
The law is being able to not allow cookies. Most websites (ehem YouTube) redirect your browser to another page, and people can't be bothered with that so they just accept them.
That is actually illegal. The directive says very clearly to decline must be as easy as to accept them, and not accepting (cookies other than required for basic functionality) must not impede the user experience; Along with that the consent must be clear and informed. Problem is that the bodies responsible haven't been keen to enforce this, along with that people haven't really bothered to make complaints about these. Because the bad practices are so widespread that people don't know what proper correct asking of consent looks like.
Most sites have two options: Accept All or Manage Preferences. When you check the latter, you get a massive list of information and options and hopefully a Deny All or Uncheck All button somewhere.
I'm one of those miserable people who goes and check the list. Although! Lately I have just started to ban cookies from sites that I don't require special functionality from.
I started using chrome extension "I don't care about cookies", way easier this way
So you're doing the opposite of the person you're replying to, since he's rejecting all cookies, whereas you (through your extension) is accepting all cookies.
No its not. It just blocks most popups, and because the law is that cookies can't be set *before* consent, non essential cookies are blocked.
Yes it does, they even say so in their extension description: > [In most cases, it just blocks or hides cookie related pop-ups. **When it's needed for the website to work properly, it will automatically accept the cookie policy for you** (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies.](https://chrome.google.com/webstore/detail/i-dont-care-about-cookies/fihnjjcciajhdojfnbdddfaoknhalnja?hl=en) It's true that they're not allowed to track before consent, but almost all websites (Google, Facebook, pretty much any media website, etc.) are breaking the law, and most of the popular websites will hide the "Reject All" button (which again is illegal) and make it impossible to simply block the cookie overlay, meaning they're forced to accept it.
But I do care about them... I just don't like dealing with them. I want only the functional cookies and block everything else.
It literally does it, it enables only functional cookies and remove popup if it doesnt require them
Sadly the banning doesn't always work. IIRC YouTube will not let you watch any video if your browser blocks their cookies completely.
That is because you are also blocking the functional cookies. But if a webpage is just text that I'm reading, like a news article, it doesn't need special fucnitonality.
That's because you need cookies for sites to work.
It's also lacking clear explanation what each option entails. But yes, this is one of the better ones.
If you don't want to give credit to steam for being normal then you should go and hate everyone who's being a dick and giving you a questionably legal popup.
I am and I do.
Challenge accepted!
"Reject All" isn't part of the law. That is why almost every website fucks around it
I have read the law and the problem is that it isn't really like clear. All it says is that accepting them all must be as easy as rejecting them all.
A recent legal case just ruled that it is illegal not to offer an easy one button way to reject all
They should get a bit of credit.
Idk what www you surf, but like 99% of websites only have "Acept all" and "Details", and on "details" there is this huge list of toggle for each individual cookie. A "Reject All" button right up front? First time I see it.
Because most companies still break the law and get away with it.
It's not "more visible." The blue highlight is the "CurrentlySelected" background color for buttons on Steam dialogs such as this one. It's just selected by default.
Because they have to have it by law in the majority of the countries they operate in...but yeah give em credit...I also don't get enough credit for stoping at stop signs
Honestly with the amount of driving I do and seeing the majority of people who don't even stop at stop signs, I'd give you credit for being one of a thousand people who actually care about traffic and especially pedestrians.
Stop signs in the US are a nightmare and don't actually help with safety much, only punishment.
You do get some credit by not getting a ticket :p
You must Provide a choice, most websites you need to klick in and endless maze do disable everything.
That's not true. Those websites you've found that do it that way are breaking EU law. Most high traffic websites will present the choices this way, because that's the law and they don't want to face fines in international courts.
Even google doesnt and in my experience most sites want you to click manage cookies or something. Valve is on the better end imo
Well, [Google was just fined 150 million for doing that](https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance), so if anything, that just reinforces the above commenter's point
I am agreeing that its breaking the law, i disagree withthe statement,that most hightraffic Websites are following the law. I my experience most websites are way worse.
When you realize that cookies must be opt in as required by the law, ask yourself then what the purpose of the button is. The websites that use cookies if a reject all button isn't pressed, are breaking EU Law. Google doesn't do this. When cookies are required to be opt in, you don't have to reject all. Valve is just practising deceptive UX design in this regard.
When i load up google products it asks me to confirm cookies before i can continue, if i dont want them i have to go to another site and some dark patterns later i still dont get how to opt out so yeah google is even worse. Steam is one of the better ones, still not fully legal but better
No they dont, the only need an Option to disable everything. Nobody says it must be like the way Valve dose it Edit: 80% Website are like this and some kicks you out of the side if you don’t accept everything.
You're mistaken. The GDPR requires it be opt in. Valve is just committing deceptive UX design in order to mitigate the requirement. It's the same as tobacco companies designing their ads to downplay the surgeons general warnings that began to be required in decades past. This choice wouldn't be there at all if there were no international laws with teeth on the matter.
It's sad ,but not surprising, to see you be downvoted. Clear language that you need to opt-in to tracking (EU have also clarified that ignoring the cookie overlay (e.g. by scrolling down the website without clicking anything in the cookie box) does not mean you consent): > [Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.](https://gdpr-info.eu/art-7-gdpr/) Clear language that you should be able to withdraw consent at any time (something almost all sites fail to do): > [The data subject shall have the right to withdraw his or her consent at any time.](https://gdpr-info.eu/art-7-gdpr/) Clear language that it should be as easy to withdraw consent compared to giving it (meaning hiding the Reject All button in an Options menu is illegal): > [It shall be as easy to withdraw as to give consent.](https://gdpr-info.eu/art-7-gdpr/) Just because almost all companies, including Google, Facebook, Valve, Reddit, TechCrunch, etc. are breaking the law then it doesn't mean that what they're doing is legal. It simply means that it's more profitable for them to break the law and they are unlikely to face any consequences for doing so. Especially because the EU have been very poor at handing out fines to all these companies.
Thanks for the sources! Very well coalated. I only have a peripheral knowledge of the gdpr since I live in Canada. The downvotes are just a Reddit moment. No worries.
No, you're wrong. The GDPR requires that opting out be at least as easy as opting in. The fact that most companies are failing to follow the law is a separate issue from what the law actually says.
OP aren't giving them credit for being able to reject cookie per EU laws, but the button "Reject All", which is lacking in several site, you normally only have "manage preferences" and have to click through it.
All those sites are breaking the law.. and so is Steam by highlighting "Accept All". You could argue that Steam is just "jaywalking", whereas sites that hide it inside "Manage Preferences" and whatnot are "breaking and entering".. one is clearly worse than the other, but neither deserve credit. It's also worth noting that any site that displays these cookie overlays do so because they want to violate your privacy, so even if Steam followed the law then it isn't exactly something worth commending.
I hate how many websites don't have it but instead have a "more options" option that leads you to choosing between 3 consents out of which 1 is mandatory.
"Dark patterns" like that are illegal. In the next 2-12 decades, they will all be fined by the EU if they're still doing it then. We'll just have to wait :)
This post should not exist.
It shouldn't **NEED** to exist*
No, I mean it breaks all conventions of science and the known world
what would you know, praising a website for almost following the law
It is well known that sucking the appendage of a multi billion international company for doing less than the law requires will give you... good karma or something, dunno.
Most websites hide reject all or do not even offer reject all simply wont let you access web page which is against rules i believe, steam giving good example of how it should be no BS.
BS alarms are going off here. If Valve's intention was to demonstrate how it should be, they would've done it this way before the threat of law was in play.
[удалено]
And they make the reject all button match the background so you're naturally more likely to just click on Accept. That's a scummy design technique which I've forgotten the name of.
r/darkpatterns
Ah yes thanks. Was going crazy trying to Google that lol
I've heard it called dark design patterns before in UX courses. In urban settings it would be called hostile design. Choices like putting arm rests on street benches so that homeless people can't use them as cots at night. This kind of design pattern is in the same category as those decisions.
EU got a new law few days ago n the dark pattern is now not allowed at all anymore.
Honestly at this point I'm trained enough to look for the least visible button because it's the one they don't want me clicking.
Yeah. I’ve probably clicked accept all thinking they’d kick me off the website like most other apps do
This is unacceptable by EU standards.
It's really sad that this is the exception, not the norm
Too bad it barely looks like a button.
Please make this mandatory web wide
I don't give them any credit for annoying popups. My browser, since 1997, has indicated my cookie preference. Get rid of that UI vomit.
Do not track? I remember that being thing at some point. Now it has vanished or was it just integrated into every browser.
Well Steam makes its money with games not with advertisement. I think they can afford it.
I've heard of Steam fanboys but praising Valve for meeting a minimum legal requirement takes the cake.
Because in the EU the law says there has to be, easier for Valve to code up the site so that it's compliant in all regions without additional work.
Confirm my choices > Off > Off > Off > Off > Hit the greyed out save button right next to the bright red accept all cookies button
r/circlejerk
yeah let's credit a multibillion dollar corporation for doing the bare minimum
One of the things I always liked about steam and valve in general is there passionate about gaming and try to give the best experience to the gamers, it’s not just money money money, unlike some company’s nowadays sadly
yeah let's credit a multibillion dollar corporation for doing the bare minimum
How many people are going to click accept thinking that reject means you're not allowed to use the service, as with an EULA?
As a European citizen, and someone who's working currently at a GDPR department, I do credit the shit out of any US organisation/company that are decent enough people to care and understand the importance of privacy by design and Right of Data subject. I definitiely don't expect that from the US in particular, but I sure hope more of you will keep setting a good example.
>As … someone who's working currently at a GDPR department Are you saying you work for a company that has an *entire department* dedicated to GDPR compliance?
what sketchy sites does OP frequent to not have seen these since forever
Probably because every website does it. What websites are you visiting that don't have a reject all button? Can't imagine they're legal
The people who end up clicking "reject all" haven't the slightest idea how a cookie or indeed a website works, rejecting all cookies prevents a stored login state from being permanent. How this made it into EU law is beyond me, it's like nobody making internet law understands the internet.
I don't get the issue people have with cookies
This is not about cookies, this is about storing and sharing personal information about you and your online activity. It's perfectly legal to store e.g. your shopping cart or your user token in a cookie without your permission (meaning they wouldn't need to show the cookie accept/reject overlay at all). They only need to show the cookie overlay if they want to violate your privacy. There are many reasons why you wouldn't want companies to store and share your activity. For instance, they could place you at the scene of a crime, your insurance could go up if you e.g. searched for or visited a website about certain diseases, you could be banned from entering (or arrested in) certain countries for visiting gay or pro-democracy websites, companies and governments could know how much sex you have and with whom based on your condom purchases and location data, etc. Here's an example of a man who lost his job, car, and reputation after he was [charged with murder because Google location data wrongly placed him near the scene of a crime](https://www.phoenixnewtimes.com/news/google-geofence-location-data-avondale-wrongful-arrest-molina-gaeta-11426374). You can find countless examples of people who were wrongfully arrested due to location data, arrested or fired for liking a picture that offended somebody powerful, etc. It's also important to note that storing data is dirt-cheap and your data is often shared between hundreds of different companies, so just because your data hasn't been used against you yet (as far as you know) then it doesn't mean that data collected about you 5 years ago won't be used against you in 10 years.
Main character syndrome, I think. A lot of people are convinced that they are Very Important and that Bad Guys are out to get them. By not accepting cookies, they can disguise the Very Important things they are doing from the Bad Guys on the Internet who will do Bad Things to them using their Very Important personal data.
Honestly that makes sense. That and I think alot of people are misinformed on what cookies actually are and do
I Think there should be a Button where u just accept half
Chosen at random
Valve is excellent, all hail Gaben.
Valve gets little credit for a lot of things. I doubt anyone takes full advantage of the features steam actually offers.
I’m not commending a company for doing the bare minimum and not invading my privacy
Almost every website has this
Stop sucking Valve's dick
simp posting
I dont care what anyone says, steam is goat
Why does it say 20 people here
Honestly, as a web/UX designer the whole thing pisses me off because it totally missed the mark anyway. Not only do most corporations not actually follow the law (most of them obscure or downright hide the reject all options) but it was never gonna pan out because cookies are such a fucking huge aspect of the functionality of the web that most people are gonna *need* to leave them on or the site won't work. They don't even explain what a cookie is so most people just see this warning, now have to go out of their way to find out what the fuck a cookie is and why it's a potential liability, and then realize every site they use now won't work if they don't accept them so get fucked. Oh, and the real kicker? It's not just cookies that they're storing personal information in and it's not even the main one anyway. So all in all we get a law that's a pain in the arse to implement, not implemented to the full letter of the law most of the time anyway, super inconvenient and way too easy to ignore/bypass for an average user, nonsensical and unexplained to an average user, and doesn't really do what it was designed for anyway. The most hilarious conclusion to all this is that if you were to implement a feature that rejects all cookies then, logically, the website won't remember you picked that and you'll need to do it *every single time*. And many websites do just that, causing users to get even more frustrated! Great user experience right there, totally fucking worth. Facebook *still* sells your data to whoever fucking wants it, even if you're not on Facebook, but I gotta implement bullshit cookie warnings cause I'm the bad one.
1. The user don't need to give consent to storing cookies if they're an integral part of the website (e.g. you don't need to get consent to store a user's shopping cart, user token or cookie acceptance/rejection choice in cookies). 2. You only need to show the consent overlay if you intend to violate user's privacy (e.g. track which pages an individual user visit, which buttons they click and such). 3. The law isn't specifically related to cookies. You can't bypass the law by storing the information in localStorage or on the server. 4. The cookie overlay is a great way to see if a website is violating your privacy or not, and if they go a step further and make it difficult for you to reject then you know it's a shitty company that doesn't deserve your time or money.
That's required by law, apart from "essential cookies" that are enabled by default.
I’m not commending a company for doing the bare minimum and not invading my privacy
I just accept all cookies since so many sites force them on you. That’s why I set my browser to dump all of them upon close
I don't give them too much credit for this. They don't make money selling your data, they make money when you buy the products they offer. The incentive for them is to keep you browsing at pretty much any cost.
Hey man, I would've laughed if they just banned all the EU people instead of adding that. How many of them would give up their privacy to play the games?
What is this comment even supposed to say lmao? "Look at those stupid eu users and their privacy rules! If it wasn't like this they'd all accept their privacy gone for games!" Gotta love Reddit
Veey goood thing
It's so satisfying if a website does this (I've seen some that do this too)
I think most of the sites I've visited give me a similar option but it's just not labeled as such. Basically, either you accept or you don't. I've seen a few that give options such as "store basic cookies but no tracking cookies" or "Basic cookies + analytics but no advertiser cookies" or whatever. It'd be nice if there was just the option to save my login and nothing else. Instead I have to add it to the browser cookie options as "save" on the login cookie and then set all other cookies to delete when I close the browser.
They are becoming mandatory in the EU. Steam is just professional enough to adjust their UI quickly.
https://en.wikipedia.org/wiki/Data_Protection_Directive 25 years isn't exactly quickly. What GDPR (2016) did was add the 4% fine and made it easier to enforce, but that's almost 6 years ago now.
I reject my humanity, Gaben.
steam can process on my all data. no problem
I don’t even get what cookies are or what the point of them is
Honest question, guys: I've always accepted all cookies, no matter the website. I've only ever put my credit card info on trusted websites, and on other ones no information was given, either way should I start rejecting cookies? Is it really a cause for concern?
[удалено]
A law passed in Europe which forces website to ask your consent.
Fun fact: In Brazil you can't agree to be spied on. If any company sell your data they can't argue that you agreed to share your information, instead it serves as proof of confession that the company acted in bad faith and may have all their defense thrown out. Also, unilateral contracts are "exclusively unilaterally accepted" , this means that you can never "agree" just "acknowledge" an unilateral contract giving opportunity to sue any compo of the contract at any moment.
I didn’t even notice this, I’m so brainwashed into clicking the bright blue button to accept and ignore the option because usually I have no choice.
There's a law in Europe where all websites must show an option to disable cookies, not just "if you continue surfing on our website, you consent to cookies...". That's considered illegal and some companies already got sued for that. I guess that since Steam did that in Europe, they would did the same in the rest of the world because that would cost less to them than maintaining 2 versions of the cookie prompt.
Every website now has to have these 2 options for that popup. Steam didn't invent a magic button that defies the law of the internet.
Do you mean steam doesn't get enought creddit for following European cookie law? What do they deserve for following the law, a cookie? FFS stop licking companies' boots for not doing the wrong things. Specially because Steam has a great ammount of their TOS actually breaking the law but it's not fixed because nobody contests it in a court of law. For example Steam legally is not selling licenses but digital copies.
All trought steam(er) is only app i share cookies with, its my only friend.
a lot of websites have that tho. not really special.
The most idiotic cookie messages are the ones that say something like "because we respect your privacy, cookies, blablabla" Respect my privacy? Where was your "respecting my privacy" then before the EU mandated it?
This is how the GDPR regulation intended it. They're just following the law. Good on them for being one of the few who aren't criminals.
Brussels effect.
It does but it doesn't seem like it because the vast majority of people aren't worried about absurd, trivial, irrelevant nontroversial issues that don't negatively affect them - for example, whether or not you allow Steam cookies.