Cookie opt out

Anything about use of this forum : NOT about cycling
admin
Site Admin
Posts: 1514
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex

Re: Cookie opt out

Post by admin »

mjr wrote: 7 Jun 2021, 10:54pm It does not have to be a pop-up or annoying to comply with the law.
I'm afraid it does have to be annoying. The law says we're not allowed to store any non-essential cookies on your computer until you have explicitly opted to allow us to. Any website that assumes first, and asks second, is technically illegal.

Perversely, to record the fact that you don't want us to store non-essential cookies we have to store... ...a cookie! Then, if you delete all cookies to avoid being tracked, we have to ask you again for your consent!
mjr wrote: The GDPR cookie opt-in law is not good law because it has not achieved the desired effect of reducing data-sharing and naughty programmers have subverted it by complying in annoying ways with pop-ups, hard-to-find "decline" buttons and dancing bears.
Correct, the law does not stop data sharing in any way. In fact it encourages people to click "Allow All Cookies" just to get rid of the popup!

Developers would much rather not have to annoy their website visitors!
mjr wrote: Having a consent request which doesn't display on non-JavaScript browsers is not complying with the law, is it? Of course, there are thousands of websites ahead of you in the firing line for that mistake. The ICO should never be short of work as long as this law exists!
I really don't know. I don't think the ICO know either. It's a horrible, annoying, unenforceable, pointless mess. Meanwhile, advertisers like Google are working on clever ways to track you via other means (such as browser "fingerprints").
admin
Site Admin
Posts: 1514
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex

Re: Cookie opt out

Post by admin »

mjr wrote: 7 Jun 2021, 10:54pm Unless something changed, PHPBB doesn't have to use cookies for sessions. It can use a PHPSESSID in the URL instead: plus side is you don't have to accept any cookies, but the drawback is you cannot share links to the forum as easily.
You don't need GDPR opt-in for cookies that are necessary for the website to work. The session cookies are fine, legally.

[The term "cookie" in the law applies to anything used to track visitors, so an ID in a URL would also come under the GDPR legislation, as would keys in hidden image URLs, client-side data, and the like. Putting session-specific things in URLs is horrible, as request URLs are very commonly logged.]
drossall
Posts: 6115
Joined: 5 Jan 2007, 10:01pm
Location: North Hertfordshire

Re: Cookie opt out

Post by drossall »

mjr wrote: 7 Jun 2021, 10:54pm The GDPR cookie opt-in law is not good law because it has not achieved the desired effect of reducing data-sharing and naughty programmers have subverted it by complying in annoying ways with pop-ups, hard-to-find "decline" buttons and dancing bears.
Fundamentally, all cookies do is allow sites to remember data between page requests. This is useful if, for example, you want them to remember that you are signed in, what's in your basket, or what search you were doing and you now want to see page 2 for. The problem is that remembering you can also be used for less obvious purposes, such as tracking your behaviour. I've never completely understood how we came to be restricting cookies, as opposed to restricting tracking.
Unless something changed, PHPBB doesn't have to use cookies for sessions. It can use a PHPSESSID in the URL instead: plus side is you don't have to accept any cookies, but the drawback is you cannot share links to the forum as easily.
Or, to put it another way, there are other ways of remembering you between page requests. These could in principle be used to achieve many of the same things as cookies, good or bad. The down-side is that they are often less secure than cookies; for example, when you share a link in the way that mjr describes, you risk embedding your unique session ID, which is supposed to be different from everyone else's.
Having a consent request which doesn't display on non-JavaScript browsers is not complying with the law, is it? Of course, there are thousands of websites ahead of you in the firing line for that mistake. The ICO should never be short of work as long as this law exists!
The disadvantage of not doing it in Javascript is that it's likely to be embedded in the page and/or even more intrusive and annoying. And you can only do that if you have a site system that can vary pages (to include the warning or not). And many cookies are set in Javascript anyway; therefore, if the warning doesn't appear, neither will many of the cookies!
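
An added illustration, not part of any post in this thread: the two risks raised above for URL-based sessions (request URLs being logged, and a shared link carrying the sharer's session ID) can be checked for in a web server access log. The parameter name `sid`, the combined log format, the sample lines and the function names are assumptions made for this example; `PHPSESSID` is the name used in the thread.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# PHPSESSID comes from the thread; "sid" is an assumed extra name for illustration.
SESSION_PARAMS = ("PHPSESSID", "sid")

# Matches "?name=value" or "&name=value" for any session parameter.
SESSION_VALUE_RE = re.compile(
    r"([?&](?:" + "|".join(SESSION_PARAMS) + r')=)([^&\s"#]+)', re.IGNORECASE
)

# Constructed sample lines (documentation-range addresses, made-up session IDs).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2021:10:00:01 +0000] "GET /viewtopic.php?t=42&PHPSESSID=aaaa1111bbbb2222 HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"',
    '198.51.100.7 - - [08/Jun/2021:10:05:09 +0000] "GET /viewtopic.php?t=42&PHPSESSID=aaaa1111bbbb2222 HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"',
    '203.0.113.5 - - [08/Jun/2021:10:06:30 +0000] "GET /index.php?sid=cccc3333dddd4444 HTTP/1.1" 200 2048 "-" "ExampleBrowser/1.0"',
    '203.0.113.5 - - [08/Jun/2021:10:06:41 +0000] "GET /viewforum.php?f=3 HTTP/1.1" 200 4096 "-" "ExampleBrowser/1.0"',
]


def strip_session_params(url):
    """Return the URL with session parameters removed, safe to paste into a post."""
    parts = urlsplit(url)
    names = {p.lower() for p in SESSION_PARAMS}
    kept = [
        pair for pair in parts.query.split("&")
        if pair and pair.split("=", 1)[0].lower() not in names
    ]
    return urlunsplit(parts._replace(query="&".join(kept)))


def _fingerprint(session_id):
    # Short one-way digest: lets us correlate lines without keeping the raw ID.
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]


def audit_access_log(lines):
    """Redact session IDs and report IDs presented by more than one client.

    Returns (redacted_lines, shared); shared maps an ID fingerprint to the
    sorted client addresses that sent it, a sign that a link was passed on.
    """
    clients = defaultdict(set)
    redacted = []
    for line in lines:
        client = line.split(" ", 1)[0]  # first field of the combined log format

        def _redact(match, client=client):
            fp = _fingerprint(match.group(2))
            clients[fp].add(client)
            return match.group(1) + "REDACTED-" + fp

        redacted.append(SESSION_VALUE_RE.sub(_redact, line))
    shared = {fp: sorted(ips) for fp, ips in clients.items() if len(ips) > 1}
    return redacted, shared


if __name__ == "__main__":
    cleaned, shared_ids = audit_access_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("session IDs seen from several clients:", shared_ids)
```
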
drossall
Posts: 6115
Joined: 5 Jan 2007, 10:01pm
Location: North Hertfordshire

Re: Cookie opt out

Post by drossall »

admin wrote: 7 Jun 2021, 11:03pm
mjr wrote: Having a consent request which doesn't display on non-JavaScript browsers is not complying with the law, is it? Of course, there are thousands of websites ahead of you in the firing line for that mistake. The ICO should never be short of work as long as this law exists!
I really don't know. I don't think the ICO know either. It's a horrible, annoying, unenforceable, pointless mess. Meanwhile, advertisers like Google are working on clever ways to track you via other means (such as browser "fingerprints").
Well the ICO uses the Cookie Consent tool that I mentioned earlier. That's Javascript. It works using Javascript to delete the cookies that you don't want (so, strictly, they still get set, but they have lives slightly longer than those of some fundamental particles before Cookie Consent deletes them again). Thus the ICO's banner, and some of its cookies, and its way of complying, all depend on Javascript. So I don't think they'll be coming after CUK any time soon.
mjr
Posts: 20308
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: Cookie opt out

Post by mjr »

admin wrote: 7 Jun 2021, 11:03pm
mjr wrote: 7 Jun 2021, 10:54pm It does not have to be a pop-up or annoying to comply with the law.
I'm afraid it does have to be annoying. The law says we're not allowed to store any non-essential cookies on your computer until you have explicitly opted to allow us to. Any website that assumes first, and asks second, is technically illegal.
It doesn't have to be annoying. For example, a site could simply not store non-essential cookies until someone has logged in and make the consent request part of the login. (I realise this is difficult for people using site software made by unwilling others.)
Correct, the law does not stop data sharing in any way. In fact it encourages people to click "Allow All Cookies" just to get rid of the popup!

Developers would much rather not have to annoy their website visitors!
I think it is dodgy implementations of consent requests (popups, emphasising the "exploit my browser" button) which encourage that, not the law. You say developers don't want to annoy, but the widespread crap letter-of-the-law implementations suggest otherwise. I do wonder if some of the worst popups are partly protests against the law, trying to persuade users like Mick F to campaign for repeal of measures intended to protect them, so that advertisers and their fellow travellers can once again poo in the cookie jar.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.
mjr
Posts: 20308
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: Cookie opt out

Post by mjr »

drossall wrote: 7 Jun 2021, 11:18pm Thus the ICO's banner, and some of its cookies, and its way of complying, all depend on Javascript. So I don't think they'll be coming after CUK any time soon.
As mentioned, the ICO itself has a history of crap noncompliant website. It is disappointing to have a flagship and regulator like that.
Mick F
Spambuster
Posts: 56359
Joined: 7 Jan 2007, 11:24am
Location: Tamar Valley, Cornwall

Re: Cookie opt out

Post by Mick F »

admin wrote: 7 Jun 2021, 10:54pm
Mick F wrote: 7 Jun 2021, 6:46pm I have Adblock etc, but when I click on the link, I get this .................

Screen Shot 2021-06-07 at 18.45.51.png
Your AdBlock Plus is mangling the URL for some reason (hence the "abp" in the error message).

Copy and paste this into your browser address bar:

https://www.i-dont-care-about-cookies.eu/
That isn't the issue. The website works fine, it's just that Safari isn't on the list, and when I click on Adblock I get the "unable to connect" message.

I have Adblock installed on my computer.
Mick F. Cornwall
Psamathe
Posts: 17650
Joined: 10 Jan 2014, 8:56pm

Re: Cookie opt out

Post by Psamathe »

My understanding is that these cookie notices are only needed when the web site wants to start doing things like tracking you - which to my mind makes it quite reasonable to ask and not annoying in the slightest. If sites don't want to annoy their visitors with such pop-ups then they should stop trying to track them.

It is possible to have a perfectly good, useful and functional web site without getting Google Analytics involved.

Ian
admin
Site Admin
Posts: 1514
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex

Re: Cookie opt out

Post by admin »

mjr wrote: 8 Jun 2021, 8:44am It doesn't have to be annoying. For example, a site could simply not store non-essential cookies until someone has logged in and make the consent request part of the login. (I realise this is difficult for people using site software made by unwilling others.)
Ah, but then you miss the vast majority of visitors who never log in. If you have any sort of website visitor analytics you still need to ask them for permission before they access the website.
mjr wrote: I think it is dodgy implementations of consent requests (popups, emphasising the "exploit my browser" button) which encourage that, not the law. You say developers don't want to annoy, but the widespread crap letter-of-the-law implementations suggest otherwise.
Send me a link to a site that implements a GDPR-compliant cookie opt-in, in a non-intrusive way, and I'll copy what they've done!

Almost all sites go for a compromise, which isn't strictly GDPR-compliant (e.g. saving cookies without prior permission), but which is not too annoying or restrictive either (so you can visit the website easily).
mjr wrote: I do wonder if some of the worst popups are partly protests against the law, trying to persuade users like Mick F to campaign for repeal of measures intended to protect them, so that advertisers and their fellow travellers can once again poo in the cookie jar.
A few of them, yes, certainly. But the Big Sites like Cycling UK only add the popups to avoid being in breach of the law.

Remember that the legal opt-in requirement fails to prevent dodgy websites storing cookies and tracking people to sell their private data. It even fails to prevent sites setting cookies without consent: you have to look to see, and few people bother doing that on every website they visit.

Browser settings do protect your privacy, whatever the website wants to do. That is where the emphasis should be to protect privacy: where you have control, not where the control belongs to someone unknown.
admin
Site Admin
Posts: 1514
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex

Re: Cookie opt out

Post by admin »

Psamathe wrote: 8 Jun 2021, 10:31am My understanding is that these cookie notices are only needed when the web site wants to start doing things like tracking you - which to my mind makes it quite reasonable to ask and not annoying in the slightest. If sites don't want to annoy their visitors with such pop-ups then they should stop trying to track them.
Sort-of, yes. But just using Google Analytics to tell you how many visitors you have, or how visitor numbers increased following an advertising campaign, probably also requires a cookie notice. That's not tracking anyone. Although it's a very grey area and the subject of much discussion. Is aggregated data which cannot contain any personal data exempt, or is the fact that you've allowed personal data to be sent to Google for their counting something that needs to be approved?
It is possible to have a perfectly good, useful and functional web site without getting Google Analytics involved.
True, but Google Analytics can provide extremely useful information about how your website pages, and your advertising campaigns, are performing.

Which is why you see Cookie pop-ups on so many websites these days. A big annoyance and only marginally useful for privacy.
admin
Site Admin
Posts: 1514
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex

Re: Cookie opt out

Post by admin »

Mick F wrote: 7 Jun 2021, 6:46pm I have Adblock etc, but when I click on the link, I get this .................
The error message says "Safari can't open... ...because macOS doesn't recognize Internet addresses starting with "abp:".

So something, perhaps with the initials "ABP" has mangled the URL in a way that means Safari can't understand it. My best guess is that the "something" is Adblock Plus.

If you disable Adblock Plus temporarily, the link should then work fine.
chris_suffolk
Posts: 738
Joined: 18 Oct 2012, 10:01pm

Re: Cookie opt out

Post by chris_suffolk »

admin wrote: 7 Jun 2021, 10:46pm Phew, that opened a hornets' nest!

OK, the current state of play is:
  1. The Forum uses cookies for sessions (necessary for the Forum to work) and Google Analytics (visitor statistics). We do not give or sell your data to any third parties.
  2. Legally, we are required to have a GDPR cookie opt-in system for the Google Analytics cookies. Like many sites we've avoided doing so, because it's technically difficult and annoying for visitors. Those who wish to block Google tracking can do so with browser plugins or settings.
  3. The cookie warning provided by phpBB is not GDPR compliant, and is merely a nuisance. It was tried, briefly, this afternoon, and then switched off again.
  4. There are no cookie warnings on this forum, currently, but we will be adding a pop-up soon to ensure that Cycling UK is complying with the law.
The GDPR cookie opt-in law is not good law, it creates annoyance on compliant sites and fails to protect privacy on sites that might be sharing your data without you knowing. But it is the law.

To minimise annoyance, I can recommend setting tight cookie preferences in your browser (which will work on all sites you visit) and installing something like "I don't care about cookies" plugin to block the annoying popups on many sites you might visit.

Note: not all devices or browsers will show cookie warning pop-ups. Some will fail to execute some required JavaScript, or might already be blocking the pop-ups due to other privacy-related settings.
So, firstly you agree that you legally have to have an opt-out facility, button or whatever. And, yes, that might be hard to do, and no, you don't want to do it - but it's the law - so JUST GET ON WITH IT.

Secondly, yes I can opt out through browser settings, but that places the onus upon me, and you're not allowed (nor should you expect) to request me to do that to avoid your legal obligations. After all, you've had in excess of 4 years to get this sorted from the point it was first discussed in the EU and elsewhere up until now.

So, these two points combine, into stating that you need to get this done. Telling me that you are LOOKING INTO IT is NOT good enough. You need to give me a definitive timescale, and I suggest we are talking days or a couple of weeks at most, else I will send this to the ICO, as I have done with other non-compliant sites that refuse to change. In your own words

"we've avoided doing so, because it's technically difficult and annoying for visitors.",

so let's see if the enforcing body takes the same view.
Psamathe
Posts: 17650
Joined: 10 Jan 2014, 8:56pm

Re: Cookie opt out

Post by Psamathe »

admin wrote: 8 Jun 2021, 10:59am
Psamathe wrote: 8 Jun 2021, 10:31am My understanding is that these cookie notices are only needed when the web site wants to start doing things like tracking you - which to my mind makes it quite reasonable to ask and not annoying in the slightest. If sites don't want to annoy their visitors with such pop-ups then they should stop trying to track them.
Sort-of, yes. But just using Google Analytics to tell you how many visitors you have, or how visitor numbers increased following an advertising campaign, probably also requires a cookie notice. That's not tracking anyone. Although it's a very grey area and the subject of much discussion. Is aggregated data which cannot contain any personal data exempt, or is the fact that you've allowed personal data to be sent to Google for their counting something that needs to be approved?
It is possible to have a perfectly good, useful and functional web site without getting Google Analytics involved.
True, but Google Analytics can provide extremely useful information about how your website pages, and your advertising campaigns, are performing.

Which is why you see Cookie pop-ups on so many websites these days. A big annoyance and only marginally useful for privacy.
But then you are tracking people who visit your site so it is quite right that you ask your site visitor for permission. If you want to track them it is perfectly reasonable to ask them first.

That said I do disagree with aspects of the GDPR rules e.g. I don't regard IP address as "personal data" as we have no way to tie that (normally temporary) identifier to an individual. But when I do occasionally use my ISP's assigned IP address it does not seem to change often - though most of my internet activity is done through shared IP addresses which apart from providing privacy, also makes the practice of tracking less reliable (as anybody tracking combines my activity with a 13-year-old fanatic gamer's activity with somebody in a retirement home reading their grandchildren's Facebook posts ...).

And there seem several aspects to GDPR that become academic e.g. my hosting provider's web server maintains logs but because they configured that collection it is their responsibility, nothing to do with me and I don't have to declare that data collection to visitors nor provide e.g. means to selectively provide or delete collected data. But if I take those logs into some analysis package (e.g. awstats) then it does become a GDPR issue (for me). But then that is moving outside the scope of discussing cookie approval.

Ian
admin
Site Admin
Posts: 1514
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex

Re: Cookie opt out

Post by admin »

chris_suffolk wrote: 8 Jun 2021, 11:16am So, firstly you agree that you legally have to have an opt-out facility, button or whatever. And, yes, that might be hard to do, and no, you don't want to do it - but it's the law - so JUST GET ON WITH IT.
I agree that we might need to have an opt-in cookie facility, and that to provide one is difficult and unpopular with many users. But we might not: it's complicated.
chris_suffolk wrote: Secondly, yes I can opt out through browser settings, but that places the onus upon me, and you're not allowed (nor should you expect) to request me to do that to avoid your legal obligations. After all, you've had in excess of 4 years to get this sorted from the point it was first discussed in the EU and elsewhere up until now.
I was only advising that if you want control over your privacy, browser settings are the best way. Trusting websites to do the right thing is not always a Good Idea, even if they have something that looks like a cookie opt-in system.
chris_suffolk wrote: So, these two points combine, into stating that you need to get this done. Telling me that you are LOOKING INTO IT is NOT good enough. You need to give me a definitive timescale, and I suggest we are talking days or a couple of weeks at most,
We might need to add a GDPR pop-up to the Forum, yes. We're looking into it, and have no idea of timescale to give you.
chris_suffolk wrote: else I will send this to the ICO, as I have done with other non-compliant sites that refuse to change. In your own words

"we've avoided doing so, because it's technically difficult and annoying for visitors.",

so let's see if the enforcing body takes the same view.
Please do consider reporting the Forum to the ICO. It would help to clear up our legal requirements if we could get their attention.
admin
Site Admin
Posts: 1514
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex

Re: Cookie opt out

Post by admin »

Psamathe wrote: 8 Jun 2021, 11:39am But then you are tracking people who visit your site so it is quite right that you ask your site visitor for permission. If you want to track them it is perfectly reasonable to ask them first.
What is "tracking"?

I take it to mean "We can see what this visitor looked at, where they came from, and where they went. We can serve them targeted adverts because we know their preferences. If they're on Facebook, we also know the network of their family and friends, their political views, and more."

I don't think "We counted another visit to that web page" as necessarily being "tracking". But it is, in a way.
Psamathe wrote: That said I do disagree with aspects of the GDPR rules e.g. I don't regard IP address as "personal data" as we have no way to tie that (normally temporary) identifier to an individual.
I would say that IP addresses are highly personal data: it is often relatively easy to tie IP addresses to people, to track them or find out their personal information. The law-makers tend to agree, but it's a grey area again.