The accept button is a one time deal. You click it and never hear about it again. Deny on the other hand causes the same question to come up again and again. They want you either to get fed up and accept it or accidentally accept it.
> Deny on the other hand causes the same question to come up again and again.
Not in my experience. I click deny almost everywhere, even if it takes more clicks, but rarely do I see the banners come up again in a second visit. Tracking my choice is a functional cookie after all.
I do, however, simply close the tab when the banner occupies half the window (or I use reader mode to bypass it altogether). That's just obnoxious.
So they only pop up every time if you force them to respect your decision by not letting them store persistent cookies in the first place? To avoid the recurring interruptions all you have to do is trust the organisation that's employing this user-hostile pattern in the first place to respect your wishes and not be user-hostile more discreetly instead?
I'll tell you what is a one time deal: the explicit do not track preference that my browser automatically sends to every site I visit. They already know they don't need to bother asking me about these things every time. They just choose to overlook it.
It is my understanding that GDPR and CCPA both specify that consent is only needed for non-essential cookies (or some nebulous term they use) and you can make the argument that storing user preferences is essential. The laws in question don’t, however, have as strong language for the reverse case, i.e. you can ask for consent for cookies that may be considered essential and thus forbid yourself from storing the preference to deny, resulting in harassment.
Oh that I fully agree; sorry, I was only thinking cookies. I too have got Android devices with built-in crapware that ask for permissions and ad tracking again and again because I keep tapping "no". Chinese brands are the worst at this, even the damned built-in file manager has ads.
If the dialog comes up repeatedly after deny, that's illegal in the EU actually.
Also, I don't know what the posters above are talking about, but more and more dialogs these days have a working Reject All button. Including that of Meta or Google. Bad actors are still left, but still.
Cookies for functionality that's necessary, i.e. expected by the user, are completely legal without any consent or notification.
Fact of the matter is, when you see a cookie banner, that's always for spyware shit that the service doesn't really need to serve the user (e.g., analytics, tracking).
> Cookies for functionality that's necessary, i.e. expected by the user, are completely legal without any consent or notification.
No that is not the case, though it's easy (and common) to mistakenly think that - in part due to the confusing nature of the various regulations and in part due to how frequently companies and websites purposefully misinterpret them for their benefit.
Firstly, there are legitimate reasons to ask for consent to store user data that relate to providing a service (eg if the service is storing a user's personal medical records, or many many possible functions within many services).
Secondly, even without personal information being used or stored, and therefore no GDPR to worry about nor consent needing to be sought, cookies are a separate matter. A different EU law (the 2009 update of the "ePrivacy Directive") requires EU users be notified of any cookie use - even something as obviously reasonable as providing the functionality of a "keep me logged in" checkbox, if you're doing it with a cookie (edit: or even something equivalent like using fingerprinting on the server side to remember people) you need to notify the user.
See, for example, the UK ICO's (the relevant department for dealing with UK's implementation of GDPR, ePrivacy Directive, etc) guidance on it:
> This means that if you use cookies you must:
> - say what cookies will be set;
> - explain what the cookies will do; and
> - obtain consent to store cookies on devices.
> PECR also applies to ‘similar technologies’ like fingerprinting techniques. Therefore, unless an exemption applies, any use of device fingerprinting requires the provision of clear and comprehensive information as well as the consent of the user or subscriber.
A cookie being necessary for actual core functionality does allow skipping over requiring consent, but not skipping the notification part. Which is why 14 years ago, years before GDPR arrived, EU sites all started putting "cookie banners" up, most of which didn't ask for consent and just appeared on the first site visit for each user even if they didn't actively dismiss it, since showing it once was widely considered to count as having notified.
Sorry for such a long comment, but the fact that these topics are so widely misunderstood means I think it's important not to make things worse by accidentally spreading misinformation like that in your comment.
I'm going to repeat … cookie banners are not necessary for functionality that the user expects to receive as part of the service provided. And yes, this is part of the ePrivacy Directive. And indeed, the cookie banners that only “notify” users, without requiring an acknowledgement to proceed, are not even legal.
Go to any Mastodon website right now. Why aren't they providing a cookie banner for notifying that session cookies are used?
GDPR isn't concerned with cookies. What the GDPR cares about is personal data and having a legal basis for processing. And “consent” is only one of those legal bases.
You don't need consent, for example, for using a home address for delivering pizza, since pizza delivery can't work without that home address. That's what's called a “legitimate” interest. You also don't need consent for keeping logs for security purposes, if the retention rate is reasonable (e.g., 3 months). You also don't need consent if the law demands that you keep certain records for fraud detection by law enforcement (e.g., banking).
A vast majority of websites needing cookie banners or GDPR consent dialogs are doing spyware shit, which includes Google Analytics (85% of all websites), or behavioral advertising via RTB platforms. And the few websites that don't probably haven't spoken with lawyers yet.
If you're so convinced you're right about this point (which is not the view of lawyers I've seen spend tens of thousands worth of billable hours around GDPR and ePrivacy Directive... though I'm not in the legal profession myself, just somebody who has seen the legal advice about this at multiple tech companies, and it's a confusing enough area of law with little precedent set in courts yet, so it's absolutely not impossible that they and therefore I am wrong, though I don't think it's the case) maybe you could provide a source for the claim that's from an actual authority - like the source I provided from an actual government department responsible for implementation of enforcement of these laws, which disagrees with the view of GitHub, a company that may or may not have interpreted the law correctly?
Also, saying "I'm going to repeat..." to someone who had (rightly or wrongly) corrected something you said, is not really helpful, it's not adding to the argument and is more likely to push people away than to get them to reconsider your belief (almost made me just ignore your whole reply, to be honest). I'd suggest saving that phrase for when somebody had forgotten something you said, not when they think that what you said is wrong.
The IAB consent dialog is the worst, as it makes you consent to the entire advertising industry.
Those legitimate interests, however, are bullshit. Just because they claim it, doesn't mean it's true.
For instance, a DPA just claimed that Facebook can't claim a legitimate interest for behavioral advertising, so they'll have to ask for consent. Which will be interesting, because they won't be able to refuse service to those that decline.
The "legitimate interest" part of GDPR is just horrifically abused by so many companies, who act like it's a magic two words which allow them to collect personal information without consent because they said "ooooh we really do have a legitimate reason for this data" which is against both the spirit and the wording of the GDPR.
I really hope to see a few big cases where the EU fines companies for that, so that everyone else gets the picture and stops hiding behind legitimate fucking interest. But I don't know why that hasn't happened yet, hopefully it's just slow moving rather than a case of the laws implementing GDPR being fuzzy enough that countries are worried they wouldn't win the case in courts. (But if that were the case, hurry up and update the law!)
/side note: apologies on behalf of my profession, since it's largely marketing people who've led to these shitty practises. We're not all assholes, some of us do respect people's data, rights, and (lack of-)consent.
Meta also broke the record for the biggest fine this year (1.2 billion). The fines are coming, and if they go after the biggest players first (e.g., Meta, Google), it will send shockwaves through the entire industry.
When GDPR came into effect, being close to the advertising business then, I know some companies that closed shop in the EU. But enforcement has been very moderate, at least in the beginning. There's also the issue that some DPAs are more active than others. On the other hand, it doesn't take a lot to set precedents, and EU countries may find that these fines are a nice way to add to the public budget.
A cookie like that doesn't need to contain any personal information and therefore does not need a user's consent to store under GDPR. As a cookie it does need the user to be notified (ePrivacy Directive aka its 2009 "cookies law" update), but that is/can be covered as part of the original request that the user clicks to reject optional cookies.
The only reason to forget that a user said no is because it's a hostile interface designed to get users to give in and give their "consent".