Why have we accepted the cookie pop-up situation across the web?

Well, it's basically malicious compliance. They're supposed to be super annoying because the people which need them do things which have been deemed unacceptable from the legislature. Instead of complying, they choose this obnoxious practice so they could continue with what they've been doing for years, which is monitoring every action a visitor does.

You don't need a cookie banner to be allowed to create Cookies. You only need them if you're using them for something like tracking.

A session cookie, selected theme etc is all fine without that banner

There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.

Trying to regulate the option for cookie preferences at the individual site level was always a stupid idea. The average person visits thousands of websites every year. Of course nobody is going to take the time to do that.

If the lawmakers in the EU were intelligent, they would have created a law that forced all web browsers to provide "X" privacy setting features for EU-domiciled users (where X is what they were aiming to achieve).

In addition to not burdening the entire world with time wasting popups all day, this option would have also had the bonus of not burdening millions of small businesses around the globe with complex regulation and legal liability.

Not to mention the total lack of enforceability of the current law when it comes to websites operated outside of the EU.

If done at the browser-level you really only have to police <10 companies.

Laws that require software companies to implement a user choice should really contain some wording against dark patterns. EU lawmakers could have been warned: A similar thing happened back when Microsoft was forced to give users in the EU a choice of browsers, when they created the most confusing dialog possible and hoped that users would just click OK to Internet Explorer out of desperation.

For me personally, when those data protection laws where implemented, seeing the extent of the market for user tracking was a shock to me. The respect that I lost for actually quite a lot of companies as a consequence has informed some purchasing decisions. And I don’t think anybody would mind those banners if the opt-out option you want to click is reachable with a single, easily visible button.

Edit: Responses suggest that the GDPR already contains something to that effect. Glad to know. If that’s true, then I guess it’s time for court cases to sort this out.

I haven't accepted it. Out of all the websites i've designed over the years, exactly 0 have cookies for visitors. When there is login for members, then there is a cookie which is not used for tracking (but rather for providing the service the member asked for) and therefore legally does not require a consent banner.

I use the "I don't care about cookies" browser extension with "Cookie AutoDelete". Cookies are managed client-side, those banners are redundant. The purpose of open standards is that you can have a user-agent that does whatever you want it to do, so take advantage of that.

Cookie banners are the dictionary definition of a meme. They give the site makers a piece of mind, helping them sleep better at night, even if they may have no other practical purpose. Other site makers see them and reproduce them because it gives them the same piece of mind, exposing the banners to more site makers. Obviously, there are better ways to get a piece of mind as webmaster, but you'd need first to explain the problem to a lot of people before anything changes.

I like them. They are a sure signal which websites to avoid. Same as 'allow notification' banners.

Although, to be honest, some (smaller) sites do it just because 'everybody does that' and they think they have to to comply to the law.

The worst part is, after all this time, most users are desensitized by all the banners and ads that pop up so they click whatever button they can to get rid of it. I’m guilty of it myself.

This isn’t the privacy solution we needed. It hasn’t changed the way users are tracked — it’s only annoyed people. The law needs to be reshaped to punish abusive companies, not users.

There's a great Safari extension for this called Hush[1].

After installing this, I rarely see any cookie popups.

[1] https://oblador.github.io/hush/

There is too much to gain from tracking website visitors. Most companies that run websites would rather subject visitors to the pop-up in order to satisfy the law, than to remove tracking.

I love the banners! Sites don't need them for basic functionality, so when you see one you know that you're at a site out to sell your data and violate your privacy.

I feel like I can immediately tell how shady a site is by how annoying and passive aggressive their cookie banners are.

Here's how it works:

1. Privacy advocates are worked up about cookies.

2. Lawmakers decide to do something, it'll look good.

3. Web depends on ads, so they find workarounds.

4. Everyone suffers.

5. Return to step 1. <-- You are here.

Being pedantic here, but please stop calling them cookie popups. You are only helping the industry which uses this terms to disguise their intentions. They were never about cookies, they are only about tracking. You don't need consent to use cookies, you just need consent for using them for tracking. If you were not using any cookies at all, but would rather use Etag/Canvas/AdId etc., you would still need the consent popup.

So please everyone, lets call them what they actually are, they are tracking popups.

"We" in the EU haven't, really. Lawsuits are taking place regarding how the dialogs are designed but they take forever to go anywhere.

I agree, if anything we should have one accept banner when you open a web browser.

I'd prefer to have a single prompt for all websites read something like: "You are about to browser the internet. The internet can track you, just like a native application but transparently such that you can inspect and see who and how it is done easily using built in tools to the web browser. Click accept to keep it this way? Otherwise, expect vendors find harder to understand and detect methods." [Proceed to the Internet, Stay home Instead]

Why don't we make browser plugins that automagically click through the popups and reject as many cookies as possible? It seems like this could be crowdsourced such that when the plugin doesn't already know the site, it asks the user to manually go through the process of rejecting as many cookies as possible, and then submits those actions to a database such that future visitors don't need to go through all the clicks.

What's much worse: These popups have basically trained the average user to simply click the biggest, most colorful button with "OK" | "Accept All" on it, whenever something suddenly pops up on a website.

This is what happens when politicians, completely divorced from technical realities design "solutions" to something...

I have not accepted the situation and there is zero cookies popups on any of my sites / apps (some of them are huge businesses in EU). Guess what, no legal issues at all :)

The call for help for "isn't there a better solution" and "this is a tech board" make me want to say what follows, hoping it doesn't sound too nasty:

Vote, that's the best solution when it comes to stuff that affects everyone around you.

>Why have we all accepted this ridiculous situation?

Because we use blockers? I hope yall do.

>Isn't there a better solution?

You decide what cookies you want to store. No one needs to aks you and you dont need to comply with any nonsense someone puts up and "forces" you to read.

Theoretically, you should have UX advantage by not showing annoying cookie pop-ups. The catch is, you are not allowed to share their data with 3rd parties, therefore if you like to have no cookie pop-up's you should respect your visitors privacy.

These cookie warnings are not compulsory or anything like that, what is compulsory is to inform the user and let them choose what information you are going to share with others about them.

My only guess is, those who operate the websites value the returns from data sharing more than the returns of a good user experience. They even engineer those pop-ups to be as annoying as possible to opt-out so that the users compel to share their data.

There is a solution which balances site owners' need to track with a respectful consent UX (e.g. no immediate consent prompt): https://transcend.io/blog/defeating-cookie-banners

Many sites prompt right away because they want to begin tracking right away. Transcend Consent transparently converts all unconsented web tracker emissions into local tracking, which can be replayed later with consent.

Instead of prompting for consent on first visit, these prompts could be integrated into the sign up or checkout flow in a website.

> Why have we accepted the cookie pop-up situation across the web?

I've never accepted that. When I stumble upon a website harassing me with obnoxious cookie (or whatever) pop-ups right away, I just feel overwhelmed and oppressed, and then I hit the 'Back' button in a second without even thinking about it because it seems so natural to react like that. (Just imagine the same situation IRL: you enter in a shop and suddenly someone rushes at you to get you to sign some papers: naturally, you'd leave the place without thinking about it.)

The solution is to click "deny" and stop visiting those websites.

Another solution is to attempt to reform governments to pass laws much faster and amend them quickly when workarounds like this come up. It took 4-5 years for this law to go from being first proposed to passed, and about 1 week for every website to throw up the banner.

Another is to directly pay for the services that these websites currently use ads to fund.

All solutions require significant effort or sacrifice on our part, so they probably won't happen.

I have just given up and disabled JavaScript on mobile. It has made browsing the mobile web much less awful even if I occasionally run into a site that doesn't work with js. It's reasonably trivial to enable on a per site basis if you need it.

Most sites are semi broken, but at least you can read them.

Most search engines are hilariously broken though which is sort of a bonus. Bing can't search from the input in the page. Google infinite redirects.

It's important to understand that while people might think that the pop-ups are required by the law, this is not true and most pop-ups today have no legal effect regardless of what you click. The GDPR requires express consent. If the pop-up uses a dark pattern to make "refusing consent" difficult, then clicking on whatever it takes to make the pop-up go away isn't consent.

And just setting a cookie doesn't necessarily need consent either, if it's used directly to provide the service (eg. a cookie to track your login session or your shopping basket).

A change requires the authorities to actually start enforcing this. https://noyb.eu is campaigning for this.

Well non-profits like NOYB are starting to create automatic systems to send GDPR complaints to non-compliant websites.

"Blame it on the GDPR? Many internet users mistake this annoying situation as a direct outcome of the GDPR, when in fact companies misuse designs in violation of the law. The GDPR demands a simple “yes” or “no”, as reasonable people would expect, but companies often have the power over the design and narrative when implementing the GDPR."

See: https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...

It's a combination of a certain group of people who will fight to the death for their "right" to maintain complete ignorance of all things "computer" (beyond the absolute requirement of locating the power button to get started, and knowing that "(e)" icon for "Explorer"/"Edge" means "Internet"), and an out of control advertising industry who will fight to the death for their "right" to abuse such people's lack of understanding of everything "computer" in order to monetize and spy upon every little detail of everyone's every single move upon the Internet that the advertising industry has inexplicably and arbitrarily decided that they alone own and control all the rules and operations thereof.

people like to think they are "doing something" even if it clearly does nothing. Kind of a collective guilt complex

The solution is to use they "i don't care about cookies" chrome extension

What do you mean by “we” have “accepted” any such situation?

Most of the people working on sites with those banners aren’t here on this board. Even if they were, what do you want them to do? Refuse to work? Quit on principle? It’s not like we’re talking about unsafe bridges that are going to kill people.

Users? Plenty of users are annoyed by these things but obviously not enough to dent traffic numbers or encourage the rise of alternatives. Plenty of technical hacks throughout the comments here if you’re looking for a solution for yourself, but nothing scalable is really possible.

Regulatory agencies? They take a very long time to work and can only go after so many websites at a time. As others have mentioned, lawsuits are happening but it will take time for it to work through the courts and agencies and even more time beyond that to propagate through industry as “doing this will can get your company sued” for those companies that even care about such things.

The funny thing is, the tracking cookies aren't even necessary. There is plenty of data in things like canvas, fonts, GPU capabilities, IP address etc which are perfectly capable of de-anonymising anybody on the web, and the storage for the tracking could be done entirely server side. Cookies are just used for this because devs are lazy.

Have we accepted the popups? The tracking agencies have clearly set the goal to make the user experience as bad as possible if you want to deny the prompts.

As far as I'm concerned, we should just blanket ban these trackers all together. The industry has been given the chance to play nicely and to care about the people they're collecting data from, and they chose war on consent.

Fuck it, make the DNT header a legally binding way to deny consent.

I consider every company with these invasive popups to be antisocial. Not enough people care enough for the practice to disappear, but I definitely don't just accept it. I accept the simple prompts that go yes/no/specify, with the yes and no equally easy to use, but that's the best you'll get from me.

Any website claiming that trackers have "legitimate interest" is made by absolute assholes.

I have not accepted it: I immediately close the tab almost every time I see the first pop-up on a website.

For example, I no longer use Stackoverflow since they started showing these pop-ups, ostensibly to force me to accept what I regard as an invasion of privacy. When reading a web page, I would like to be able to concentrate on the content without any distractions, and my feeling is that a site that shows pop-ups does not respect this sufficiently.

As to solutions: Wherever I can, I support all measures that let a website get rid of any existing pop-ups, for example by advocating for less tracking and more respect for users' privacy and ability to quickly obtain the information they want.

This question really bothers me as well. I remember the time when designers came in and taught developers not to use pop ups, because pop up annoy and scare users.

I prefer browsing the web using uBlock Origin just to get rid of all the bloat. However there are several sites that are not compatible. And I’m pretty much directly closing the browser tab.

I wonder, whether it’s just me staying away from sites that annoy me to hell, because all the sites still use such pop ups. Following I wonder, whether site maintainers use all the analytics crap tools anyway. I mean, all the pop ups must have some sort of impact? Honest question: are there any site maintainers analyzing there logs and might answer my questions?

This should be temporary. The popups are basically just dark patterns. Once there has been a few fines for sites using dark patterns, it will hopefully be better. These fines though have to be making a proper example, using all the available opportunity to impose penalties.

We need to see a few proper company-ending fines dealt before it gets better. If a couple of massive sites are wiped off the face of the internet for using a generic pre-packaged cookie wall, that should (hopefully!) scare everyone into compliance.

Cookie questions should be unobtrusive and single click to be without tracking, never limit the service provided (no “we need to show tracking ads to pay the bills”).

Because some people at some point just didn’t have balls to put stupid people (it’s not a world of geeks anymore) in place, while others didn’t care.

Same pattern is happening everywhere and has been happening since the beginning of times.

Yes, changing the colours so green means no, dark patterns within dark patterns.

Perhaps a plug-in to go via archive.is, but that’s a slippery slope and really people would need to contribute to archive.is to keep it alive.

In Norway it's super strict. We have a very non-intrusive popup on our site https://tvangssalgbolig.com/

I actually like a lot of them, and they've improved a ton since the start in general.

I'm fine with measuring performance, and sometimes tailoring content, but prefer to opt-out of ad targeting and offline matching.

Most all of them are missing proper opt-outs that really should be there, however it's a good start.

Thinking about it, the one I have the most disdain for is The Guardian's; it has a quick UI but the accept-all button is labelled "Yes I'm Happy".

The solution is to build cookie confirmation dialog into browser. Exactly the way we're dealing with camera/microphone/geolocation/notification permissions.

This will provide a stnadardized way and then you can have a big red "no cookies unless absolutely necessary" button

that or https://www.i-dont-care-about-cookies.eu/

Is there really any enforcement taking place? What happens if sites just refuse to implement the cookie banner/question and go on with business as usual?

I’m more interested in the 99% of websites that are relatively low volume. It just simply wouldn’t be a regulatory priority for me if I was launching a new site, yet I see newly launched sites/MVPs/etc that already have the banners implemented.

It's just like clicking "Accept" when installing something, a fact of life we're all stuck with.

We all realize that this is the law in Europe, and the pop-ups are consistent enough that its safe to just accept the cookies.

If enough people (not in the EU) break this pattern in a bad way, the shit will fly. You could do something like that, but reputation points will be lost in the process.

https://www.i-dont-care-about-cookies.eu/

Usually I don't accept cookies. Sometimes it's not that hard, but sometimes you would need to click through like hundreds(!) of checkboxes, so you don't want the cookie from them, which is ridiculous.

I would accept only one cookie, that I don't want to accept any other cookie, but surprisingly usually they don't store this information. :(

uBlock Origin blocks cookie pop-up modals, and also prevents most tracking so even if you accept something you shouldn't, it won't have any effect (or so I believe -- I have not actually tested this myself).

Anyway it's not perfect, but it's good enough for my needs.

Do we need cookies at all in a modern web browsers with LocalStorage and SessionStorage? I beleive it is time to selectively turn on cookies on relevant websites, like we do with camera, geolocation and notification access in browser. Whitelist, problem solved.

It should have been mandatory to obey the do not track flag.. Then that flag would have made actual sense and the cookie popups could have been done away with. Just one setting in the browser itself.

I think it's legislators that messed this one up.

Are there any good browser extensions for dealing with these banners? (auto clicking or blocking?)

On a side note, recently I built a website and did not need cookies at all (even though you can buy stuff, but there's not shopping cart)

My company has these banners even though we don't share information with 3rd parties. We are too scared of lawsuits based on the vague language of the law. Seems silly to me, but it's above my pay grade.

There must be a better solution. Basically the legislative body needs to be more nimble and adjust a law based on its real world effects.

If you think these pop ups "solve" user privacy in any way, let me suggest you another wonderful measure to "solve" climate change: all light switches will need to have a tiny touchscreen display next to them and if their energy source is not 100% renewable then you'll need to tap through a bunch of warning popups to agree to the terms. Each light switch manufacturer can also design this however they see fit.

That will totally solve climate change, right? Based on some comments here I'm sure some would love it and would wear headlamps to places and won't turn on the lights that have those tiny touch screens.

I also don't know why we have accepted them. I would have wished that browser vendors made these dialogues a part of the web specification so that the UX/UI is at least streamlined.

Of course not. But the popup situation is a mere aftereffect from the base cause - abuse of user's private data. It is there that all anger and frustration should be directed at.

I think the cookies acceptance should be done by browser settings.

That's what happens when we glorify the legal system and let lawyers inflict the nonsense upon people.

This absolutely has no useful utility and causes moderate harm on everyone.

Has to be a browser preference and not a site preference.

I guess this is because most people never clear their cookies and visit mostly the same sites, so they see these popups infrequently enough.

I agree, I always thought that simply using a web browser should be considered consent to accept cookies since it’s part of how they work.

Not really related to the question but I find it amusing that we have cookie popup blockers similar to ad blockers now.

Ha! I think the real question is whether LightG is on advertiser's payroll, or just really ignorant.

I am betting on evil

> Why have we all accepted this ridiculous situation?

Because we have JavaScript turned on by default?

Wait why doesn't logged-out YouTube have a cookie consent popup?

Accepted? Do you have a choice to opt-out?

Isn't this the fault of EU regulators? GDPR says that a website cannot degrade the service for users who decline to be tracked, yet almost all these popups make it harder to reject cookies than to accept.

see: GDPR, law of unintended consequences.

The solution is to stop voting corrupt idiots into the EU parliament.