Sometimes you'll see people saying things like:

Using cookies to track state on a website, that is only used for that website, is fine. You don't need to ask for consent.—rrwo

Or:

You don't need a cookie banner to be allowed to create cookies. You only need them if you're using them for something like tracking.—y4mi

Something like, "as long as you design your site properly and don't abuse storage you don't need to ask your European visitors for permission." While I'm not working in this area anymore, am not a lawyer, and am not attempting to give you legal advice, if you read the regulation this interpretation is completely off.

Cookie banners are a response to the 2002 ePrivacy Directive (full text, guidance). While the ePrivacy Directive may be superseded soon by the (pretty similar) ePrivacy Regulation, it's still the current rule. It requires you to get consent from visitors before you store information on their computer (cookies, localStorage, etc.) unless this behavior is "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user" [1]. This isn't "in order to" or even "necessary in order to", it's "strictly necessary in order to". Which is quite firm!

This excludes, for example, using a cookie for basic single-site analytics (4.3), where you want to figure out where users are getting stuck on your site or to populate a "users who viewed this product ended up buying this other product" box. Even though this information helps you improve your site for future visitors, including potentially this one, it isn't 'strictly necessary' for serving this user right now.

If the user puts an item in their shopping cart you can set a cookie, because that's how you honor their request, but it's still quite restrictive (2.3):

a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant's website in the following minutes.

Maintaining a shopping cart across days isn't "strictly necessary" and so requires explicit consent. Despite it being a useful thing users may be expecting: if I put things in my cart, don't check out, and come back the next day, I'm going to be frustrated if the site has forgotten my selections!

Similarly, say you have a "language" dropdown or a "dark mode" checkbox. Unless you have explicitly marked the UI control with text like "uses cookies" (3.6) you can't persist this setting for future visits.
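To make the distinction concrete, here is a small server-side helper, added as an illustration and not code from the original post, that applies the "strictly necessary" test before emitting a Set-Cookie header. The purpose table, its durations (the cart lifetime follows the "a couple of hours" wording quoted above; the others are placeholders) and the consent model are assumptions for the example; the only thing it demonstrates is that exempt storage is the exception and everything else is gated on the visitor's recorded consent.

```javascript
// Added example (not from the post): decide whether a piece of client-side
// storage may be set without consent, following the "strictly necessary" test.
// Purpose names, durations and the consent representation are assumptions.

const HOUR = 60 * 60;
const DAY = 24 * HOUR;

// Each purpose records whether it is exempt from consent and how long the
// data may live. Only the cart duration is taken from the guidance quoted in
// the post (current session plus a couple of hours); the rest are placeholders.
const PURPOSES = {
  // Honours the user's explicit request (the item they just added).
  cart:       { exempt: true,  maxAge: 2 * HOUR },
  // Keeps a logged-in user logged in for the current browser session.
  session:    { exempt: true,  maxAge: null },     // null: no Max-Age, session cookie
  // Remembering "language" / "dark mode" across visits is a convenience,
  // not strictly necessary, unless the control itself is labelled (3.6).
  preference: { exempt: false, maxAge: 365 * DAY },
  // First-party analytics is explicitly not exempt (4.3 in the guidance).
  analytics:  { exempt: false, maxAge: 30 * DAY },
};

// `consent` is the Set of purposes this visitor has opted in to.
// Returns true when storage for `purpose` may be set for this visitor.
function mayStore(purpose, consent = new Set()) {
  const p = PURPOSES[purpose];
  if (!p) throw new Error(`unknown storage purpose: ${purpose}`);
  return p.exempt || consent.has(purpose);
}

// Build a Set-Cookie header value, or return null when consent is missing,
// so the caller cannot accidentally emit a non-exempt cookie.
function buildSetCookie(name, value, purpose, consent = new Set()) {
  if (!mayStore(purpose, consent)) return null;
  const { maxAge } = PURPOSES[purpose];
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (maxAge !== null) attrs.push(`Max-Age=${maxAge}`);
  return attrs.join('; ');
}

// Read Max-Age back out of a header value; null for a session cookie.
function maxAgeOf(setCookie) {
  const m = /(?:^|; )Max-Age=(\d+)/.exec(setCookie);
  return m ? Number(m[1]) : null;
}

// Usage: a cart cookie goes out unconditionally, a theme preference only
// once the visitor has opted in to the "preference" purpose.
const cartHeader = buildSetCookie('cart', 'sku-123', 'cart');
const themeNoConsent = buildSetCookie('theme', 'dark', 'preference');
const themeWithConsent = buildSetCookie('theme', 'dark', 'preference', new Set(['preference']));
console.log(cartHeader, themeNoConsent, themeWithConsent);
```

The point of returning `null` rather than a weaker cookie is that the decision is made once, in the table, instead of at every call site, which is exactly the per-feature review the post says most sites would otherwise need a lawyer for.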

The overall effect of this is that most sites will not be ePrivacy-compliant unless they either (a) get cookie consent from users or (b) hire a lawyer to review each of the things they do in the context of ePrivacy, and make careful changes to keep everything within the tight bounds of "strictly necessary". It's not surprising we see so many cookie banners!


[1] Technically it's also allowed if it's "for the sole purpose of carrying out the transmission in the electronic communications network and provided that the information is not stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed". But the "strictly necessary" criterion covers almost everything in practice.


Maintaining a shopping cart across days isn't "strictly necessary"


This seems like an extremely draconian interpretation of the law. I'd say that maintaining a shopping cart across days is a legitimate part of a service the user requested, and while multi-day shopping carts are not "strictly necessary" for the service as a whole, cookies are strictly necessary for that part.

Notably, the website of the Court of Justice of the European Union itself stores cookies for "display preferences, such as language, contrast colour settings or font size" automatically without the user being able to opt out. This is pretty strong circumstantial evidence to me that doing so is actually okay.

To find out what interpretation is correct I'd like to see some actual court case where it's discussed. From my cursory search online, the violations (e.g.) seem to be a lot more flagrant than this.


In any case the question of why the cookie banners are so common has a simpler explanation, I think. Websites don't really know much more of the law than we do, and they don't have the time or skill to evaluate their entire web tech stack for potential issues. In the end they err on the side of caution by copying what others do, in what's partially carefulness and partially cargo-cult.

This "draconian interpretation" is straight from the guidelines I linked: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

Notably, the website of the Court of Justice of the European Union itself stores cookies for "display preferences, such as language, contrast colour settings or font size" automatically without the user being able to opt out. This is pretty strong circumstantial evidence to me that doing so is actually okay.

When I go to that site and click on the language dropdown I get a cookie pop-up telling me how they will use cookies on the site.

I read the opinion now. You're right in that their analysis too is actually rather harsh! E.g., no long-term shopping carts are allowed, only for the current session plus "a few hours" which presumably would stretch to tomorrow but not more. Still, I'd say that it's really strict compared to the actual court cases, and probably in any case wouldn't prevent a website from delivering an optimal experience for the user without needing a cookie banner at all. If I was designing a shopping website I wouldn't lose sleep over having a shopping cart expire after a week, assuming I could actually justify that the users would benefit from it.

For the curia.europa.eu cookie banner they present, it doesn't give you the opportunity to reject "technical" cookies, just the analytics and YouTube stuff. That implies that the cookies for language and such are exempt, and the reason for the banner is those other ones. They also set the "clicked the cookie banner"-cookie expiry time to a year, also implying it's okay to store it for that length of time.

it doesn't give you the opportunity to reject "technical" cookies, just the analytics and YouTube stuff

I think that's because then the weaker "legitimate purpose" standard applies? ("Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.")

How about the possibility of malicious compliance? Companies have obnoxious cookie banners to 1) make the path of least resistance accepting all the cookies and 2) as a bonus, serve as propaganda against the cookie directive.

And among the companies who aren't doing it for malicious compliance, many of them may be copying ideas from companies who do without realizing why they do it.

I think #1 is definitely the case: if you have to put up a banner even to do normal things that few people object to, might as well also include profitable things that are less popular. On the other hand, there are also a bunch of things that are important for the proper functioning of websites in the long term but are pretty hard to convey clearly in a banner. This is things like, as a way to verify that changes haven't broken your site you typically want to roll them out gradually as an A/B test, which requires collecting enough metrics that you can tell whether and how A and B are performing differently. This is good for users in aggregate in that the site gets improvements faster and is less likely to have broken functionality, but is just kind of complicated.

I'm slightly privacy-obsessed and my browser is configured to always throw away all cookies every time I close the session. For me (and presumably for those who wrote the EU regulation), seeing lots of annoying banners is way more acceptable than having my navigation data stored away by unknown actors without my consent.

The spirit of the norm is quite clear: you can use a cookie without consent if the service would not function at all without that cookie. This basically means that session cookies for recognizing logged users are okay, and everything else is probably not. No matter what the SEO guy says, a tracker cookie for site analytics is not strictly necessary for the service to be provided. I hold the view that single-page sites without authentication features should not require cookies at all (I've personally designed sites without cookies for small conferences, it's not a mortal sin to use pure HTML).

The overall effect of this is that most sites will not be ePrivacy-compliant unless they either (a) get cookie consent from users or (b) hire a lawyer to review each of the things they do in the context of ePrivacy, and make careful changes to keep everything within the tight bounds of "strictly necessary".

Asking for consent does not allow you to escape having to decide which cookies are necessary and which aren't. After the DSGVO, it's not enough to ask "is it okay that we store cookies on your computer". The user has to be informed about the purposes of the cookies and be able to say "I don't want unnecessary cookies". 

The ePrivacy directive has:

"Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose."

My understanding is "legitimate purpose" is far weaker than "strictly necessary".

Now, you're right that the DSGVO/GDPR is often interpreted as banning cookie walls (guidelines):

"39. In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)"

But my understanding is this only applies to gathering consent to do something otherwise prohibited under the GDPR.

The introduction says:

The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon the Article 29 Working Party Opinion 15/2011 on consent.

Then later:

Therefore, in this document, the EDPB expands upon and completes earlier Article 29 Working Party Opinions on specific topics that include reference to consent under Directive 95/46/EC, rather than replacing them.

Later in a text, it specifies:

Ad. (ii): Consent mechanisms must not only be granular to meet the requirement of 'free', but also to meet the element of 'specific'. This means, a controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.

I'm no lawyer but to me, that sounds like "completing the Data Protection Directive" means adding new requirements to it.

Also not a lawyer, but if they were trying to modify something so specific as the ePrivacy directive line I quoted I think they would have said so?

Generally, all the cookie banners started popping up after GDPR was published. 

One part of the guideline on consent says:

With regard to the existing e-Privacy Directive, the EDPB notes that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR.

It's unfortunate how complex those guidelines happen to be, but I do think what's meant is that the GDPR norms on consent apply more widely.

all the cookie banners started popping up after GDPR was published

Really? I remember them going back decades.

My experience was seeing them all appear after GDPR

Not literally "all" - they've existed for a long time, but until GDPR it was pretty rare except on heavily-regulated EU sites. It's only recently that the EU has appeared more willing to enforce this on non-EU sites for companies who do business with EU citizens and might someday have part of their business based in the EU. Though I don't know of many actual enforcement actions, it may be just follow-the-crowd threshold effects: if your competitors are annoying their users this way, you probably should too.

Edit: I wish I'd used this opportunity to introduce the term "cargo-cult regulatory compliance". I think it's worth a deeper exploration of the complexity of the modern regulatory world and the sheer quantity of "follow the crowd, rather than understanding the written and unwritten requirements" that exists.

I remember that GDPR changed behaviors a lot but I don't have a good way to check.

I agree it's hard to tell. Looking at archive.org most pages don't show cookie banners even for recent things. I did find that the "I don't care about cookies" Firefox extension goes back to at least 2014 [1] and says "EU regulations require that any website using cookies must ask the user's permission before installing them. These warnings appear on most high traffic websites until the visitor agrees with the website's terms and conditions. Imagine how irritating that becomes when you surf anonymously or if you delete cookies automatically when closing your browser."

[1] https://web.archive.org/web/20140326174218/https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/

if I put things in my cart, don't check out, and come back the next day, I'm going to be frustrated if the site has forgotten my selections!

Ironically, I get frustrated by the inverse of this. If I put something in my shopping cart, I definitely don’t still want it tomorrow. I keep on accidentally having items that I don’t want in my order when I check out, and then I have to go back through all the order steps to remove the item (since there’s hardly ever a removal button from the credit card screen). It’s so frustrating! I don’t want you to remember things about me from previous days, just get rid of it all.

I see that for longer periods, but even overnight?

Why do non-EU-based companies/websites bother to comply with this directive? For that matter, why do even big firms with an EU presence comply? I can see why a firm with an EU office or employees might worry about some legal risk, but (a) is it really true that the EU would devote significant enforcement resources to prosecuting/fining "victimless" violations of this directive? (b) for sufficiently popular websites (Amazon, FB, ...) surely the companies have more leverage than the EU, since I'd think that one of these firms even threatening to stop serving European customers (or employing EU programmers for that matter) would cause vastly more political backlash compared to the amount of genuine political support for the (policy motivation behind the) annoying cookie banners.

If amazon or facebook were breaking the rules, the EU would probably love to go after them and hit them with giant fines. They are multinational corporations, they are big tech, they are even American! Fining them for continuing to operate in the EU would be very popular across a lot of the political spectrum.

OK, maybe I'm wrong about the politics as regards large multinationals. (Although I'm not sure I'm wrong.)

But that argument says nothing about why a website like JSTOR (non-profit, US-based) complies. I'm skeptical that anyone would try to enforce against them, and also that any such enforcement would have actual legal consequences. EU tries to fine JSTOR, JSTOR says "we are in the US" and doesn't pay, then...? Does anyone actually think the EU is going to force all European ISPs to block JSTOR? I suppose if JSTOR uses EU-based datacenters to serve some content to European users, those could be shut down. I do not think that would be a popular move with European academics.

If a firm has a policy of "we will follow the law except when we can get away with breaking it", they may miscalculate what they can get away with and be hit with fines. Having an ethical injunction to try to follow the law in all cases, even when you think you might get away with not following it, is the safest policy.

Of course, in practice big companies do skirt the law and try to get away with it, but for that to be rational there needs to be a sufficient payoff for it. In practical terms, it doesn't cost FB/Amazon anything to comply with cookie banner laws, nor would they get any real benefit from breaking them. So even if the risk was small, why take it?

Decisions on whether or not to enforce laws are not made in the EU by directly elected politicians driven by the desire to be popular with the population. 

Practically we do see Facebook and Amazon getting fined: https://www.wsj.com/articles/facebooks-whatsapp-fined-around-270-million-for-eu-privacy-violations-11630576800

AFAICT those fines have not been for missing cookie banners. And if I were Mark Zuckerberg, I might think to myself, "the EU is going to shake us down for 'privacy violations' no matter what we do, so why should I bother making our user experience worse with annoying cookie banners?" 

(Also, to some extent, FAANG-scale companies may get fined but serve as a shield for all smaller companies. If you were a Brussels bureaucrat with a focus on fining websites for privacy issues, and you could get hundreds of millions for targeting a FAANG [not that you get to keep any of that money or plausibly tell yourself that your work improved the world in any meaningful way, but hey whatever floats your boat], would you bother fining Joe Startup $100k for imperfect privacy practices in the app they're running from their garage in San Bruno?)

The size of the fine depends on the number of privacy violations. 

Brussels bureaucrats are not the only people who can bring lawsuits for GDPR violations. A startup that makes money through an app likely has European customers and thus there are assets that could be targeted. 

In practice, both the Google Play Store and the Apple store have rules that enforce privacy. Especially, Apple is quite willing to tell Joe Startup that his app needs to follow the rules if it wants to be in their store. 

Small players could be fined to set precedents that can be used against larger players.

I guess simple text based browsers and websites that just show the minimal information you want in a way the user can control are not cool enough, and so we have all those EU regulations that "solve" a problem by making it worse.