The only reason you need consent is when you're tracking people or storing data that isn't required for the functionality of the site.
Shopping carts, subscription services etc. will still work, you don't need to consent to that, as long as you're not tracking people or handling their data unnecessarily.
When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.
> When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.
Or the owner of the website has failed to understand the nature of the law. Given the amount of confusion in this comment section this also seems likely.
The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting maliciously.
As with most law, you're not excused from following it if you fail to understand it.
If the admin of a site thinks they need a cookie banner when they don't, it's really because they haven't really bothered to give much thought to reducing the amount of data collection they do on their users.
But I bet it's not really that common, website admins who think they need a cookie banner when they really do not. What is WAY more common: the website admins that do need a cookie banner, but ONLY because they use Google Analytics, and don't realise this is a choice they get to make.
Or people (right here in this thread) saying "I can't make a useful website otherwise" -- it's not that the law is hard to understand, it's not. It's that they refuse to give the problem any thought. The ones "failing to understand the nature of the law", actually just don't give a crap. It's like a butcher complaining "Why do I have to label my meat with 'made from tortured animals', I have to kill them right? I can't possibly produce any meat without using this rusty spoon that I've used for decades".
> The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting maliciously.
You can easily not act maliciously, and still be a crucial part of the problem. That's also what laws are for, even if you cross them non-maliciously, you get punished. That's because people "not understanding the nature of the law", when it directly applies to their business, is undesirable, and really a responsibility they should carry.
> Or the owner of the website has failed to understand the nature of the law.
Oh, sure, but if they don't understand it then they probably shouldn't be gathering people's data either.
GDPR is pretty complex, but website operators have proved for years and years that they can't be trusted to do the right thing themselves, so here we are.
An exaggeration, but in aggregate, the time wasted on this by users having to close yet another pop-up (and being more reluctant to browse new websites), and providers implementing the functionality on their websites is not negligible.
I hate the consent popups, but to me they signal something different than I think perhaps they do to you or the parent commenter.
Bear in mind:
- Extra data collection or processing must be opt in.
- Not opting in must be as easy as opting in.
- The content must be available if the user chooses not to opt in.
Then:
For instance, you go to a site, tumblr.com for example. Why is not important. You get a consent popup. Opting in to extra data collection is easy but you don't want to. Navigating this consent popup is almost impossible. Within a few clicks you are lost, you find a list of several hundred "partners" tumblr wants to share your data with. All are checked and need to be individually unchecked. You still can't work out how to opt out.
To me it's like someone's trying to scam you out of your data. They are so desperate to get your information that they are jumping through all sorts of hoops to try to trick you into giving it.
Do I really want to give my data to an entity that is acting so creepily? Nope. I close the window.
Both these time wasters are on website providers. If they stuck to collecting only what they need to provide the service, they wouldn't need to ask for consent. Alas, they're greedy, but then they don't get to complain.
How much time and effort have gone into compliance, it's insane. That's measurable. The real cost is the delay to new projects, uncertainty, increased costs - it's what we won't have...
But the flip side is we get back control of our data. Having to treat users' data and privacy with respect seems like a completely reasonable thing to ask, and if it takes you longer to create something because you're now having to do that, then that's good, right?
It being inconvenient to you to treat people's data and privacy with respect seems like something it's hard to feel sorry for.
It's not about treating it correctly, it's about worrying about vagaries in the law and complying with them.
Of course information should be protected, but there are all sorts of compliance procedures and processes that significantly increase complexity and cost.
Asking for consent doesn't significantly increase complexity and cost. The required level of audits to support a world without asking for consent - now that would increase complexity and cost.
And no, not asking for consent and collecting data without supervision is not an option, neither legally nor ethically.
The cost of compliance is directly proportional to the amount of personal data you're processing.
GDPR compliance is usually expensive because people ignore Art. 5.1.(c):
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
If you choose to collect personal data, you're responsible for handling it with due care. If you don't want that responsibility, don't collect the data. If your business model is predicated on doing shady things with personal data, find a different business model.
I know some people in adtech, and the time they spend on "compliance" isn't really a very big chunk of the total time spent on why they need compliance in the first place.
But I'm eagerly awaiting your measurements ...
Truly. Even if it shows the really big numbers you seem to imply. Because that shows something about their choice. How much trouble they're willing to go through to track you regardless.
Tracking has a giant cost to society, the sole reason it exists is so we can be manipulated by advertisers into spending more than we otherwise would have.
GDPR isn't very hard to understand, it's just that website owners want to have their cake and eat it too. Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting, and all this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".
It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.
> Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting...
Totally agree, and this shouldn't be done.
> ...this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".
This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.
Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?
> it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints
The only different "constraints" relevant here would be "we get to play fast and loose with the data we collect or allow to be collected about users, without repercussions".
If that wasn't the "constraints" they were operating under, they have no problem now either.
> Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.
> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?
This is indeed where we disagree, except the law also disagrees with you:
It's. Not. About. Cookies.
It's simply about collecting and storing more data on your users than you strictly need to run your business.
There's really nothing technological about it, if you did it with pen and paper, you'd be subject to the same GDPR. Talking about HTTP response headers or "waging a war against cookies" is just misleading.
> It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.
As a developer, I agree. As an end user, I am OK with this.
If organisations have to think hard about what data they collect, because it means they have to think hard about how to safely store and destroy it, then that's a good thing.
It has been easy to collect, store and disseminate user data without thought for a long time, and website operators have proved they can't (in general) act responsibly.
> This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive
My honest opinion about most of the consent popups I see is that they are at best trying to weasel out of having to comply with the regulations, or at worst applying dark patterns to trick the user into "consenting".
I am sure there are some honest people with consent popups out there, but I'm not generally generous enough to attribute anything other than malice or incompetence.
> this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution.
For sure, but it works both ways. There is a (potential) financial penalty for not taking care of user data, but at the same time, there's a pretty large cost to a user if their data is spaffed all over databases on the Internet when they didn't want that.
Also, I'm pretty sure if you are actually trying to be GDPR compliant then your first interaction with the information commissioners office will be them trying to help you comply, and you do always have the option of just deleting the data if you can't treat it safely.
> Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.
I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was specifically discussed, and not allowed, but I could be wrong.
> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?
It would be a mistake to think that Cookies are the focus of the GDPR. See https://gdpr.eu/cookies/:
"However, throughout its’ 88 pages, it only mentions cookies directly once, in Recital 30."
The GDPR is about user privacy, cookies are one of the primary tools for violating it, and the most prominent artefact seen on the web, so it's the focus of a lot of discussion, but the main thrust of the regulations aren't around cookies themselves.
It is significantly unlikely that there will be opt in banners for JS, HTTP, TCP, phone calls, cameras at the beach, or just looking at people with your eyes any time soon.
> I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was specifically discussed, and not allowed, but I could be wrong.
Consent must be informed and specific, so simply asking users to set their browser to accept or reject all cookies (regardless of purpose) is not compliant.
On the other hand, if browsers get their act together and standardize a consent API with the necessary features, then browser-based consent management would surely be compliant. GDPR and ePrivacy don't address this explicitly, though GDPR Recital 32 considers consent by “choosing technical settings for information society services”.
Centralising consent in browsers is a key consideration in the proposal for an updated ePrivacy Regulation, but the EU is not going to mandate specific technologies. Everyone is well aware of the mess that is the Do-Not-Track header.
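The three rules listed earlier in the thread (opt-in by default, rejecting as easy as accepting, content served either way) and the point above that consent must be specific per purpose, as an added example that is not from any commenter: a hypothetical server-side consent gate that only emits non-essential Set-Cookie headers for purposes the visitor has actually opted into. Cookie names, purposes and the ConsentRecord store are constructed for illustration.

```python
from dataclasses import dataclass, field

ESSENTIAL = "essential"                       # strictly necessary: needs no consent
NON_ESSENTIAL_PURPOSES = ("analytics", "advertising")  # each needs its own opt-in

@dataclass
class Cookie:
    name: str
    value: str
    purpose: str  # "essential", "analytics" or "advertising"

@dataclass
class ConsentRecord:
    """Hypothetical per-purpose consent store. A purpose absent from `granted`
    has NOT been consented to: the default is opt-out, never opt-in."""
    granted: dict = field(default_factory=dict)

    def allows(self, purpose: str) -> bool:
        if purpose == ESSENTIAL:
            return True
        return self.granted.get(purpose) is True

def record_choice(record: ConsentRecord, choice) -> ConsentRecord:
    """Store the visitor's choice. 'reject_all' and 'accept_all' are each a single
    call, so declining is exactly as easy as accepting; a dict gives per-purpose
    (specific) consent and unknown purposes are rejected rather than guessed."""
    if choice == "accept_all":
        record.granted = {p: True for p in NON_ESSENTIAL_PURPOSES}
    elif choice == "reject_all":
        record.granted = {p: False for p in NON_ESSENTIAL_PURPOSES}
    elif isinstance(choice, dict):
        unknown = set(choice) - set(NON_ESSENTIAL_PURPOSES)
        if unknown:
            raise ValueError(f"unknown consent purposes: {sorted(unknown)}")
        record.granted = {p: bool(choice.get(p, False)) for p in NON_ESSENTIAL_PURPOSES}
    else:
        raise ValueError("choice must be 'accept_all', 'reject_all' or a purpose dict")
    return record

def build_response(body: str, cookies: list, consent: ConsentRecord) -> tuple:
    """Return (body, headers). The body is always served, whatever the consent
    state; only cookies whose purpose was opted into make it into the headers."""
    headers = [
        f"Set-Cookie: {c.name}={c.value}; Path=/; Secure; HttpOnly; SameSite=Lax"
        for c in cookies if consent.allows(c.purpose)
    ]
    return body, headers

# Constructed sample cookies a site might try to set on a page view.
SAMPLE_COOKIES = [
    Cookie("session", "s1", ESSENTIAL),          # shopping cart / login: always allowed
    Cookie("analytics_id", "a1", "analytics"),   # only with analytics consent
    Cookie("ad_profile", "p1", "advertising"),   # only with advertising consent
]
```

With a fresh ConsentRecord only the session cookie is emitted; the page body is identical in every case.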
These are good points. It definitely cuts both ways.
I'm not against GDPR, and I'm glad these issues are getting attention. I just want to make sure we recognize there is a lot of nuance here, and there are real costs and second- and third-order consequences to consider.
> The only reason you need consent is when you're tracking people or storing data that isn't required for the functionality of the site.
You forgot one more... you're a citizen of an EU member state. I live in a sovereign nation and EU law doesn't apply to me.
It's been quite funny seeing Americans fall over themselves to comply with GDPR requirements. It won't be funny when they also fall in line behind Chinese law.