Conversation

Notices

1. Embed this notice
   Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 18:10:47 JST Aral Balkan

   Look, Jeff Atwood, it’s difficult to take you seriously when you write authoritatively on a subject you clearly don’t understand.

   GDPR doesn’t mandate cookie notices.

   Cookie notices are *malicious compliance* by the surveillance-driven adtech industry.

   If you’re not tracking people, you do not need a cookie notice, period. If you’re only using first-party cookies for functional reasons, you do not need a cookie notice, period.

   If you’re using third-party cookies to track people – i.e., if you’re sharing their data with others – then *you must have their consent to do so*. Because, otherwise, you are violating their privacy. Even then, the law doesn’t mandate a cookie notice.

   How would you conform to EU law without a cookie notice if your aim wasn’t malicious compliance?

   You would not track people by default and you would make it so they have to go your site’s settings to turn on third-party tracking if, for some inexplicable reason, they wanted that “feature”.

   Boom!

   No cookie notice necessary.

   What’s that?

   But that would destroy your business because your business is founded on the fundamental mechanic of violating people’s privacy?

   Good.

   Your business doesn’t deserve to exist.

   Because the real bullshit here isn’t EU legislation that protects the human right to privacy, it’s the toxic Silicon Valley/Big Tech business model of farming people for data that violates everyone’s privacy and opens the door to technofascism. https://infosec.exchange/@codinghorror/115120175033311443

   • Haelwenn /элвэн/ :triskell: likes this.
   • Peter Krefting repeated this.
   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 18:21:29 JST Aral Balkan

     in reply to

     • Writing Slowly

     @writingslowly There’s an easy solution to that. We pass a GDMR and effectively outlaw their business model (don’t hold your breath).

     https://ar.al/2018/11/29/gdmr-this-one-simple-regulation-could-end-surveillance-capitalism-in-the-eu/

   • Embed this notice
     Writing Slowly (writingslowly@aus.social)'s status on Sunday, 31-Aug-2025 18:21:30 JST Writing Slowly

     in reply to

     @aral whether or not this is technically correct it totally nails how I feel about cookie notices. They're obviously compliance theatre. I hate them all, especially when you have to accept 'necessary cookies' or else you get them all (you probably get them all anyway). Plus which data privacy gaslighter even needs cookies now? They've probably moved on to even more invasive methods. Oh, did I mention I hate cookies and their stupid fake notices?

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 19:11:54 JST Aral Balkan

     in reply to

     • Jeff Atwood
     • Fabien

     @fabienmarry @codinghorror Yes. I’d be completely fine with legislating that every browser reinstate that feature, have it on by default, and compel sites to obey it without asking again. That would also solve the problem.

   • Embed this notice
     Fabien (fabienmarry@mastodon.social)'s status on Sunday, 31-Aug-2025 19:11:55 JST Fabien

     in reply to

     • Jeff Atwood

     @aral @codinghorror and wasnt his second suggestion already tried, as the do not track feature feature built into browsers then promptly ignored by ad tech?

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 19:11:59 JST Aral Balkan

     in reply to

     • Matthias Bach
     • yahe

     @yahe @marix That’s why I used “EU law” and “EU legislation” everywhere else but without the lex generalis, we wouldn’t have the lex specialis.

   • Embed this notice
     yahe (yahe@chaos.social)'s status on Sunday, 31-Aug-2025 19:12:01 JST yahe

     in reply to

     • Matthias Bach

     @aral @marix You‘re correct on a wholly different level.

     GDPR doesn’t mandate cookie notices.

     Actually, the GDPR isn’t relevant regarding cookies at all. But Directive 2002/58/EC as lex specialis to the GDPR is.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 19:17:11 JST Aral Balkan

     in reply to

     • Vassil Nikolov | Васил Николов

     @vnikolov I think Upton Sinclair said it best… :)

   • Embed this notice
     Vassil Nikolov | Васил Николов (vnikolov@ieji.de)'s status on Sunday, 31-Aug-2025 19:17:12 JST Vassil Nikolov | Васил Николов

     in reply to

     Indeed.

     Now, how to make Jeff Atwood and those who listen to him take heed?
     Regrettably, I don't know...
     🙁

     @aral

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 19:18:21 JST Aral Balkan

     in reply to

     • Charlie Stross
     • Coral (bleached era)

     @coral @cstross 🤷♂️

   • Embed this notice
     Coral (bleached era) (coral@empty.cafe)'s status on Sunday, 31-Aug-2025 19:18:22 JST Coral (bleached era)

     in reply to

     • Charlie Stross

     @aral @cstross why is Jeff anchoring this around a 15 year old vuln anyway?

   • Embed this notice
     Robert Kingett (weirdwriter@caneandable.social)'s status on Sunday, 31-Aug-2025 21:46:04 JST Robert Kingett

     in reply to

     • Piggo :verified_horse:

     @piggo @aral I was amazed at all of the replies. I was like, you mean this many people actually read him? I have no idea who he is. Then again, I did have someone in tech tell me that my blog is in violation of GDPR because I don’t have a cookie banner. I tried to explain that I don’t need one, but they insisted. my website is https://sightlessscribbles.com/

   • Embed this notice
     Piggo :verified_horse: (piggo@piggo.space)'s status on Sunday, 31-Aug-2025 21:46:06 JST Piggo :verified_horse:

     in reply to
     @aral not the first time he's completely wrong
     Rich Felker repeated this.
   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Sunday, 31-Aug-2025 21:51:06 JST Rich Felker

     in reply to

     • conejo :bun_lurk:🐰:tinyGo:

     @conejo @aral You left out 30 of their partners.

   • Embed this notice
     conejo :bun_lurk:🐰:tinyGo: (conejo@social.tinygo.org)'s status on Sunday, 31-Aug-2025 21:51:08 JST conejo :bun_lurk:🐰:tinyGo:

     in reply to

     @aral "We respect your privacy so much, pinky promise, please accept the cookies we share with our 1458 partners" 🤦♀️🤦♀️

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 22:52:02 JST Aral Balkan

     in reply to

     • Simon Eilting

     @eseilt Couldn’t agree more.

     https://ar.al/2018/11/29/gdmr-this-one-simple-regulation-could-end-surveillance-capitalism-in-the-eu/

   • Embed this notice
     Simon Eilting (eseilt@mastodon.scot)'s status on Sunday, 31-Aug-2025 22:52:03 JST Simon Eilting

     in reply to

     @aral all correct.

     My own criticism of that EU law is that they didn't bother to check if there were ever any reason to let yourself be voluntarily tracked - there isn't. The whole thing should've been a law that makes it illegal.

   • Embed this notice
     Leeloo (leeloo@chaosfem.tw)'s status on Sunday, 31-Aug-2025 22:54:26 JST Leeloo

     in reply to

     @aral
     Even simpler: Look at the DNT http header.

     Only fall back to cookie notices when the browser doesn't send it.

     It was interesting how quickly Mozilla deprecated the DNT header after an EU court ruled that yes, it is a valid answer.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 22:59:17 JST Aral Balkan

     in reply to

     • Leeloo

     @leeloo This.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 23:00:12 JST Aral Balkan

     in reply to

     • Pino Carafa

     @rozeboosje That would work. https://ar.al/2018/11/29/gdmr-this-one-simple-regulation-could-end-surveillance-capitalism-in-the-eu/

   • Embed this notice
     Pino Carafa (rozeboosje@masto.ai)'s status on Sunday, 31-Aug-2025 23:00:13 JST Pino Carafa

     in reply to

     @aral exactly. The EU needs to mandate that

     1. Every browser needs to, by default, be set to allow "strictly necessary cookies" only.
     2. Every site that wants to serve EU users must honour this setting.
     3. Impose massive fines on sites that don't do this or that choose to interpret "strictly necessary only" in "creative" ways.

     So that anybody who does not want other cookies has to do exactly nothing to achieve that.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 23:06:27 JST Aral Balkan

     in reply to

     • Bleep

     @bleepbloop 💕

   • Embed this notice
     Bleep (bleepbloop@ravenation.club)'s status on Sunday, 31-Aug-2025 23:06:28 JST Bleep

     in reply to

     @aral beautifully put.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 23:08:10 JST Aral Balkan

     in reply to

     • Rune

     @praerien 1. You don’t need third-party cookies for analytics. Services exist that provide analytics without third-party tracking.

     2. The “UX” (design) of cookie consent banners is anti-pattern implemented by the adtech industry exactly to invoke this reaction and misdirect your ire from the tracking itself to the law meant to protect your rights.

     3. Your suggested solution would, indeed, nip this in the bud. This is why the surveillance industry made sure to remove Do Not Track the moment they realised it could be used for this purpose. (After all, it has served Mozilla/Silicon Valley’s purpose of delaying regulation for a decade and now had become a liability.)

   • Embed this notice
     Rune (praerien@mastodon.nu)'s status on Sunday, 31-Aug-2025 23:08:11 JST Rune

     in reply to

     @aral I didn't read the 🦷 from Jeff. I fully understand the no tracking and I'm glad I live in the eu and privacy is taken seriously. But I also understand the need for cookies , at least for analytics and I think the cookie consent ux is awful. I get cookie consent blind and click allow all ... Usually the default.. to get to the content. It could be super nice if the cookie-banners could steered by request accept headers as standard. In that way I would only need to set the browser settings

   • Embed this notice
     NKT (dss@infosec.exchange)'s status on Sunday, 31-Aug-2025 23:34:51 JST NKT

     in reply to

     @aral So in your world, how do you sell a customer a thing, without having to have a salesman call them? Oh wait, phone numbers can't be collected either, without permission...
     Yes, many sites are using it for adverts, but lots are also trying to sell a product that isn't the browser.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 23:34:51 JST Aral Balkan

     in reply to

     • NKT

     @Dss In my world, which the same world you live in, if a person provides their phone number to have a sales person call them, they are consenting to have the sales person call them and you can use their phone number for the purpose of having a sales person call them which is what the person has given you permission to do.

     Do you need a cookie notice for that?

     No.

     (That said, it’s not my job to fix toxic business models.)

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 23:37:47 JST Aral Balkan

     in reply to

     • webhat
     • child of baphomet

     @shram86 I’d reconsider. There are good folks there too, like @webhat.

   • Embed this notice
     child of baphomet (shram86@mastodon.gamedev.place)'s status on Sunday, 31-Aug-2025 23:37:48 JST child of baphomet

     in reply to

     @aral infosec.exchange is proving to be an instance worth ignoring over misinformation and malpractice

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 23:38:57 JST Aral Balkan

     in reply to

     • Pino Carafa
     • Claudius

     @claudius @rozeboosje This.

   • Embed this notice
     Claudius (claudius@darmstadt.social)'s status on Sunday, 31-Aug-2025 23:38:58 JST Claudius

     in reply to

     • Pino Carafa

     @rozeboosje @aral 4. Actually enforce those laws.

   • Embed this notice
     NKT (dss@infosec.exchange)'s status on Sunday, 31-Aug-2025 23:39:00 JST NKT

     in reply to

     • webhat
     • Frank Zimper

     @webhat @fzimper @aral I'm blocking you for being an idiot. "snitch tooting"? The exactly two people already in the conversation?

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Sunday, 31-Aug-2025 23:39:00 JST Aral Balkan

     in reply to

     • webhat
     • Frank Zimper
     • NKT

     @Dss @fzimper And you’re (NKT) getting blocked for your comment to @webhat.

   • Embed this notice
     webhat (webhat@infosec.exchange)'s status on Sunday, 31-Aug-2025 23:39:01 JST webhat

     in reply to

     • Frank Zimper

     @fzimper @aral blocked for snitch tooting

   • Embed this notice
     Frank Zimper (fzimper@bildung.social)'s status on Sunday, 31-Aug-2025 23:39:02 JST Frank Zimper

     in reply to

     • Vassil Nikolov | Васил Николов

     @vnikolov

     post removed as my link was already in the original posting. I still think it would've been better to post this as a reply to Jeff's post.

     @aral

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Monday, 01-Sep-2025 02:46:47 JST Aral Balkan

     in reply to

     • Anton Gerasimov

     @Oytis You don’t need third-party cookies to implement analytics.

   • Embed this notice
     Anton Gerasimov (oytis@mastodon.social)'s status on Monday, 01-Sep-2025 02:46:48 JST Anton Gerasimov

     in reply to

     @aral It's not just adtech. Every business, including small ones, wants analytics. If you voluntary refuse to track your visitors, you are putting your business to a disadvantage - that's just a law of nature in a free market society that businesses will try to avoid it. So any legislation introduced should account to it, and either make malicious compliance impossible or not introduce restrictions that are contrary to common practice at all.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Monday, 01-Sep-2025 02:50:24 JST Aral Balkan

     in reply to

     • Szymon Nowicki

     @hey Yes, aggregate analytics – what you describe – does not constitute tracking.

     (That is different from anonymised data; anonymised data can be deanonymised using other data sets – a common practice within the people farming industry.)

   • Embed this notice
     Szymon Nowicki (hey@social.nowicki.io)'s status on Monday, 01-Sep-2025 02:50:25 JST Szymon Nowicki

     in reply to

     @aral small correction. You can still track people, just not share it with everyone and their dog.

     If you have data in your system you're free to use it for analytics. As long as it's anonymized, so, properly aggregated.

     No consent needed.

   • Embed this notice
     Ensō (ensoyote@furry.engineer)'s status on Monday, 01-Sep-2025 05:54:59 JST Ensō

     in reply to

     @aral I had a brief and regrettable stint at a German ad tech firm while GDPR came into force. The conversation in the room was literally "how do we make this as inconvenient as possible for people so that they just click accept?" Advertising should be illegal.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Monday, 01-Sep-2025 14:52:22 JST Aral Balkan

     in reply to

     • Peter Atwood

     @patwood 💕

   • Embed this notice
     Peter Atwood (patwood@mastodon.social)'s status on Monday, 01-Sep-2025 14:52:23 JST Peter Atwood

     in reply to

     @aral Thanks for this. Many believe a cookie notification is the only way to be GDPR compliant. None of my websites have them. The fact that I use very few frameworks and need only simple analytics helps. And I intend to keep it that way.

   • Embed this notice
     Elric (elricofmelnibone@mastodon.social)'s status on Monday, 01-Sep-2025 14:53:27 JST Elric

     in reply to

     @aral Jeff is a clever cookie. He knows this. I don't know why he's being obnoxious about this.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Monday, 01-Sep-2025 14:53:27 JST Aral Balkan

     in reply to

     • Elric

     @elricofmelnibone Upton Sinclair has entered the chat.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Monday, 01-Sep-2025 15:13:25 JST Aral Balkan

     in reply to

     • Calyo Delphi

     @dragonarchitect The easiest way is to keep aggregate stats collected on the server and you won’t need to ask for individual consent.

   • Embed this notice
     Calyo Delphi (dragonarchitect@rubber.social)'s status on Monday, 01-Sep-2025 15:13:27 JST Calyo Delphi

     in reply to

     @aral Genuine question:

     If I hosted my own private analytics tracker (something like Matomo (née Piwik), e.g.) just so I could have funny numbers to look at because I like to look at numbers but do nothing meaningful with them, would that require a cookie banner?

     I'd pondered about just having a static notice in the footer of my site that just says "This site uses some functional cookies and one (1) tracking cookie for a self-hosted analytics dashboard because I like to look at Numbers™."

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Monday, 01-Sep-2025 18:38:11 JST Aral Balkan

     in reply to

     • noyb.eu
     • Jonathan Schofield
     • David Chisnall (*Now with 50% more sarcasm!*)

     @david_chisnall @urlyman @noybeu Indeed. And yes they are but enforcement of GDPR should fall on the shoulders of more than one small law firm. Good thing they exist but it also shows how messed up the system is in general.

   • Embed this notice
     Jonathan Schofield (urlyman@mastodon.social)'s status on Monday, 01-Sep-2025 18:38:12 JST Jonathan Schofield

     in reply to

     @aral excellent ✊

   • Embed this notice
     David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Monday, 01-Sep-2025 18:38:12 JST David Chisnall (*Now with 50% more sarcasm!*)

     in reply to

     • noyb.eu
     • Jonathan Schofield

     @urlyman @aral

     It's often not even malicious compliance. Most of these banners don't even meet the requirements of the GDPR, specifically that you must be able to withdraw consent at any time and that you mist give informed consent (i.e. that you must know what you have consented to to be able to grant consent).

     @noybeu is doing a great job going after some of these people.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Tuesday, 02-Sep-2025 01:22:03 JST Aral Balkan

     in reply to

     • Matias N. Goldberg

     @matiasgoldberg Yes it is very much part of the equation.

     A first-party functional cookie (e.g., to store log-in state): no consent necessary.

     First-party *aggregate* statistics: no consent necessary.

   • Embed this notice
     Matias N. Goldberg (matiasgoldberg@mastodon.gamedev.place)'s status on Tuesday, 02-Sep-2025 01:22:04 JST Matias N. Goldberg

     in reply to

     @aral Misleading. If you implement first party cookies for your own analytics to improve your website (like... what content is more popular, what pages are broken from UX standpoint), you still have to show the cookie notice.

     Whether it's first or third party is not part of the equation.

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Tuesday, 02-Sep-2025 02:45:33 JST Aral Balkan

     in reply to

     • Matias N. Goldberg

     @matiasgoldberg I said aggregate not “anonymised”. The latter is bullshit.

   • Embed this notice
     Matias N. Goldberg (matiasgoldberg@mastodon.gamedev.place)'s status on Tuesday, 02-Sep-2025 02:45:35 JST Matias N. Goldberg

     in reply to

     @aral Start filtering by anything useful like first time visitors, Country and age bucket and it quickly stops being "aggregate".

   • Embed this notice
     Aral Balkan (aral@mastodon.ar.al)'s status on Tuesday, 02-Sep-2025 22:55:39 JST Aral Balkan

     in reply to

     • Andrew Kelley
     • Jeff Atwood

     @codinghorror @andrewrk I think what people are trying to tell you is that you’re part of the problem.

     You’re not just any “user of the internet”, you’re a developer. You have agency. Don’t like cookie banners? Great! Lead by example: remove them from the sites you own and control (i.e., stop tracking people on the sites you own and control. Find other ways to make money.)

   • Embed this notice
     Jeff Atwood (codinghorror@infosec.exchange)'s status on Tuesday, 02-Sep-2025 22:55:40 JST Jeff Atwood

     in reply to

     @aral see https://infosec.exchange/@codinghorror/115125536547866194 and https://infosec.exchange/@codinghorror/115125608059317211 and https://infosec.exchange/@codinghorror/115125640938926097 and https://mastodon.social/@JeffGrigg/115125709120669754

     Rich Felker repeated this.
   • Embed this notice
     Andrew Kelley (andrewrk@mastodon.social)'s status on Tuesday, 02-Sep-2025 22:55:40 JST Andrew Kelley

     in reply to

     • Jeff Atwood

     @codinghorror @aral

     you make money from ads on stack exchange so you are biased in the conversation.

     switch business models to be ad-free and then I want to hear your perspective after that.

   • Embed this notice
     Jeff Atwood (codinghorror@infosec.exchange)'s status on Tuesday, 02-Sep-2025 22:55:40 JST Jeff Atwood

     in reply to

     • Andrew Kelley

     @andrewrk @aral I'm biased as a user of the internet who is SO FUCKING TIRED OF CLICKING ON COOKIE BANNERS

     Rich Felker and Jesse 🇫🇷 repeated this.
   • Embed this notice
     Andrew Kelley (andrewrk@mastodon.social)'s status on Wednesday, 03-Sep-2025 02:10:54 JST Andrew Kelley

     in reply to

     • Jeff Atwood

     @codinghorror @aral my website does not have cookie banners but yours does