Toot/thread author here. You are of course right. I couldn't pack all details in those toots. I had to break it down to the absolute basics that are often misunderstood: Not every cookie needs consent. The way this is presented nowadays in these popups is deliberately misleading and trying to move the blame to some anonymous political entity when in reality it simply isn't that way.
In theory, website owners could do as GitHub did and remove inessential cookies and get rid of annoying banners: https://github.blog/2020-12-17-no-cookie-for-you/ But in practice, website owners are worried about breaking laws and aren't experts and just follow what they see everyone else doing, and so put up banners. So in practice, the regulations are indeed the ultimate cause of annoying banners, even if in theory those are avoidable in some cases. The people who introduced the regulations were able to look at the ecosystem of website owners and predict that the consequences of the regulations would be the vandalism of the internet by banners that we've seen over the last few years.
It's not the EU that's causing the fear of breaking laws. It's the ad tech industry that is instilling that fear by fostering the "you need a cookie banner on your site now" FUD. If Joe Schmoe thinks he needs a cookie banner for doing nothing and puts one up, then from a user's perspective, all sites are equally bad.
Compare with "Ask App Not to Track" in iOS, which is enforced by the OS and actually means something. The tracking industry hates that one because it shows them for what they are (not all apps need to throw up that screen) and they don't get to blame the EU for it.
It's literally the EU that created a worthless regulation that hasn't meaningfully helped anyone.
I wish more browsers would just include extensions that automatically accept and hide these warnings. It's stupid we have to do this but this is the world we live in.
Yes, there's a cargo cult mentality (encouraged by the big players who would like everyone to believe they are just doing the same as the average wordpress blog), but one way of counteracting that is to educate website owners like the above posts aim to. It's important to realise this isn't just a consequence of the laws being passed but poor understanding of them, which is in part deliberately propagated by those who object to the law.
> But in practice, website owners are worried about breaking laws
That is a weird argument. If one genuinely cannot bother to read the law or does not feel capable of fully comprehending the law, why don't they simply consult a lawyer? Hiring professional accountants is somehow standard practice.
> And the alternative is to have to pay lawyers every time I want to start a business on the web?
I thought it was pretty commonplace to hire a lawyer to draft various application, bylaws, policies and stuff like that when founding a company, online or not.
> Yes because reading and interpreting an 11 chapter 99 section law is really simple…
GDPR really is very simple at the core: you are not allowed to collect personal information, unless. 99% of it is definitions of those exceptions.
> I thought it was pretty commonplace to hire a lawyer to draft various application, bylaws, policies and stuff like that when founding a company, online or not.
No, it’s not. You can go to nolo.com and pay less than $300 to get incorporated.
Even if you choose to hire a lawyer to do it, it’s a relatively simple process and it would cost a lot more to hire a lawyer who knows the technicalities of something like the GDPR and whether it’s applicable to your website.
Should I also include the lawyer in my product planning meeting?
> GDPR really is very simple at the core: you are not allowed to collect personal information, unless. 99% of it is definitions of those exceptions.
If it’s so simple, then why is it 99 sections and 11 chapters?
I would say yes, all businesses looking to make money need to invest money into all sorts of things to do this, including a lawyer. Even the smallest business should consult with counsel during the product design phase to ensure what they are building is legal. This doesn't seem to me to be unreasonable. Every company I have ever worked for, large and small, has had at least one lawyer weigh in on the product. You'd be careless not to.
No, all businesses that want to make money do not hire a lawyer to vet their businesses, and especially not their website design. Neither do they need to.
And you really don’t see why all of the ridiculous regulation in the EU might be part of the reason that no meaningful tech company comes out of the EU.
I'd have one very important addition, as you tend to use the word yourself even if you basically aim at pointing out this distinction:
The law itself does not even mention "cookies", afaik.
It aims at regulating ANY kind of detection or storage of PII, regardless of its technical nature.
"Cookies" is the preferred nomenclature partly because non-technical users kinda understand what it means, but it's VERY MUCH also part of the very tactics you are writing about: because "do you accept cookies?" is a really really cute obfuscation of "do you consent to us taking your fingerprints and tracking everything you do online?".
That also goes for calling the GDPR the "EU cookie law".
The EU already had a "cookie law" long before GDPR that already mandated informing users about the site's usage of cookies, but it was widely ignored or even unknown to publishers outside of the EU since it: didn't regulate consent & storage, referred to cookies specifically and had thus become easy to kite with modern tracking techniques even if anybody gave a damn, and also didn't impose any kind of substantial sanctions when breached.
The GDPR aimed to fix that and therefore explicitly avoids specifying any technology it should be applied to. It's applicable to cookies, server-side tracking, photos of you or paper forms just the same.
Now it sticks, and it'll probably be used forever. But Mastodon, the project, has long stopped calling it a toot, removed it from all UI and docs and explained why it changed.
This seems to conflict with the ePrivacy directive:
> Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.
Your quote is from the 2002/58/EC directive, which is amended by directive 2009/136/EC [1]. The latter says:
> (66) [...] Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. [...]
Hence, so long as the use of cookies or similar is strictly necessary for the specific service requested by the user, a website doesn't have the obligation to obtain their permission.