back to article Is this the way the cookie wall crumbles? Dutch data watchdog says nee to take-it-or-leave-it consent

Take-it-or-leave-it cookie walls don't comply with the General Data Protection Regulation, the Dutch data protection authority has said. Cookie walls - meaning you can't come in unless you eat them - also known as tracking walls, are some of the most severe strategies used by companies to slurp folks' data and stalk them …

  1. Mage Silver badge
    Flame

    Good

    Even before GDPR most sites abusing intent of Cookie directive. Many newspapers (UK), Google, Tumblr etc are abusive in the giant page of options.

    Unless the site has a login you are using there is NO good reason for a cookie.

    1. big_D Silver badge

      Re: Good

      Yes, I visited a local paper site and had to manually disable over 70 cookies in the preferences pane. There was no option to disable all. A lot of other sites do it properly, but such site as the paper or ones that refuse access altogether should have their knuckles proverbially rapped.

      1. Doctor Syntax Silver badge

        Re: Good

        "Yes, I visited a local paper site and had to manually disable over 70 cookies in the preferences pane. There was no option to disable all."

        You're missing the real issue here. You should have been offered the option to enable them individually.

        1. big_D Silver badge

          Re: Good

          Correct, it is opt-in, not opt out, but nevertheless something like that is designed in the hope people will just accept it - and won't report it.

    2. Kubla Cant Silver badge

      Re: Good

      Unless the site has a login you are using there is NO good reason for a cookie.

      You need to distinguish between persistent and temporary cookies. One of the most common uses of cookies is to preserve state between requests. Even without any login, any site that isn't just brochureware probably needs session state. It's possible to preserve state without cookies using request and response data, but this is really just a diy cookie.

      When properly implemented, session cookies are harmless. Their lifetime and accessibility should both be limited to the current session.

      1. Charlie Clark Silver badge

        Re: Good

        Indeed, a shopping cart is the example par excellence of why you need something like cookies. You could pass session ids around as part of the URL if only they couldn't be subverted so easily…

        I wonder how http/2 fits into this, because it does explicitly allow for persistent connections.

        1. Keith Langmead

          Re: Good

          "Indeed, a shopping cart is the example par excellence of why you need something like cookies. You could pass session ids around as part of the URL if only they couldn't be subverted so easily…"

          Except of course in the case of the shopping cart, those cookies may be required in order for the website to provide the service that the visitor is actively choosing to use, as such the website operator may not even require consent (no expert but I think contract / legitimate interest would cover it).

          1. Mage Silver badge

            Re: shopping cart is the example par excellence

            You'd have to log in. You are a customer. They will be gathering your name, address, payment etc. A cookie isn't a problem then.

            1. big_D Silver badge

              Re: shopping cart is the example par excellence

              A lot of sites you can browse and shop and only after you have everything in your basket do you go to the checkout and either sign in or give your payment details.

      2. Mage Silver badge

        Re: Good

        Explain, why a news site, or anything where you didn't need to log in, needs a session cookie? It doesn't.

        Any site to do with purchases, tax etc needs a login.

        Commenting should never be without a login.

        I struggle to remember using a site that needs a session state, that you didn't have to log into first.

      3. John Brown (no body) Silver badge

        Re: Good

        "Even without any login, any site that isn't just brochureware probably needs session state."

        That would be the ones "essential to the operation of the site" which are allowed under both GDPR and the previous incarnations. That's the problem. Most of the "cookie banners" simply say "we use cookies, deal with it or piss off" because the site operators either don't understand the law or are deliberately abusing it.

  2. Pascal Monett Silver badge
    Thumb Up

    God bless the Dutch

    And blessed be the GDPR, which is really starting to look like the thing that is going to give us back our Internet experience.

    1. A Non e-mouse Silver badge

      Re: God bless the Dutch

      GDPR (Like any law or regulation) will only work if the authorities actually enforce it and there are meaningful consequences for non-compliance.

      1. BebopWeBop Silver badge

        Re: God bless the Dutch

        Well they seem to be starting to issue enforcement n the major players at least - thank goodness we are part of a major trading block - ohhhh whoops

        1. John Brown (no body) Silver badge

          Re: God bless the Dutch

          "Well they seem to be starting to issue enforcement n the major players at least - thank goodness we are part of a major trading block - ohhhh whoops"

          If the UK want's to be able to trade/transfer data with the EU then we'll need to retain GDPR or something so close to it as makes no difference. And we'll have to show we enforce it to at least a similar level as the EU, or we lose a lot of our connections. On the other hand, we could just keep applying imported US fig leaves and pretend everything is ok until the next legal challenge. Rinse and repeat.

    2. Anonymous Coward
      Anonymous Coward

      Re: God bless the Dutch

      A internet full of popup messages asking you to make decisions about something that ultimately could be much better handled in a browser that just denies cookies until you enable them on a per site basis?

      Sites are just horrible to use now. It's a absolute mess.

      The internet now sucks more than ever!

  3. Tezfair
    Thumb Up

    I just surf privately now

    I got fed up of being hit with cookie messages so I have an addin in Firefox - temporary containers which opens links in a private session then when i leave the cookies etc are deleted. Seems to work well, especially when opening youtube links as I can now watch a clip without it knowing and saving what I watched.

    1. big_D Silver badge

      Re: I just surf privately now

      I've put around 30,000 tracking addresses (and the complete Facebook domain name space - around 1,500 tracking addresses) in my hosts file and set them to 0.0.0.0 (unroutable).

      1. Doctor Syntax Silver badge

        Re: I just surf privately now

        I doubt they're worried. They'll have more domains tomorrow.

      2. A.P. Veening

        Re: I just surf privately now

        "I've put around 30,000 tracking addresses (and the complete Facebook domain name space - around 1,500 tracking addresses) in my hosts file"

        That works nicely for one computer, but what else is sharing your internet connection at home? Get yourself a Pi-Hole and be done with it for your whole home. As a nice fringe benefit, your hosts file will get a lot smaller as well.

        1. eldakka Silver badge

          Re: I just surf privately now

          Get yourself a Pi-Hole and be done with it for your whole home.

          A Pi-Hole might protect your devices while using your home network, but it won't help when those mobile devices (phones, tablets, laptops) are used on other networks - friends, work, random hotspot, etc.

          For laptops at least you could create a virtual machine running the PiHole software, but that could be more difficult with Android/iOS devices.

          If you were really keen, could probably make a battery-operated PiHole and use that in between your device and the network being accessed.

        2. Anonymous Coward
          Anonymous Coward

          Re: I just surf privately now

          if the Apps etc behave and use DNS. however, this wont work with DoH - which everyone seems to be moving to - HTTP used for DNS over secure channels. goodbye nice DNS control :(

      3. John Brown (no body) Silver badge

        Re: I just surf privately now

        "in my hosts file"

        And you are absolutely sure that all your internet enabled apps are honouring the hosts file?

      4. Anonymous Coward
        Anonymous Coward

        Re: I just surf privately now

        "set them to 0.0.0.0 (unroutable)."

        You should really be using 127.0.0.1 (or explicitly blackholing if your OS supports it).

        0.0.0.0 wasn't really intended for the purpose you're using it for.

  4. Maelstorm Bronze badge

    Dump cookies after browser closes.

    Just about every browser out there (so far I haven't seen one that doesn't) have settings that allow the user to delete cookies when the browser closes. So hit the big red X periodically to dump the cookies.

    1. brym

      Re: Dump cookies after browser closes.

      The only problem with this approach is the next time you visit the site, it'll detect there's no cookies and nag you again - if it doesn't already nag you every single time you visit regardless, like alot of the local rag (i.e. Newsquest) websites do.

  5. nematoad Silver badge
    Mushroom

    Good.

    "The next stage will be to see whether European data protection agencies take enforcement action."

    I hope they do.

    I am currently in a dispute with the hosting company of a SIG that I am a member of. They have recently been bombarding all members with warnings to move to one of their accounts stating "The sooner you connect your forum account with a XXXXX account, the better, since it will happen anyway." Charming.

    On looking at their "privacy policy" it basically states that they will scrape every bit of your personal data and flog it to the highest bidder. I am not happy with this "take it or leave it attitude" so if push comes to shove I will leave but in the meantime I have sent them a letter based on a template provided by the ICO. Oh, and I have let NOYB know what is going on. The hosting company now have 28 calendar days to respond. This, I presume, starts on the day they receive my letter because if not, they have 20 calendar days due to the slowness of the postal system in the US. It took 8 days to get delivered. What were they using, a tortoise?

  6. lsces

    Dutch take is right ...

    I keep hitting these sort of 'walls' and when you look under the cover there are hundreds of third party sites listed and all selected by default, and no way to unselect except one at a time. I just go elsewhere so the choice is obvious - they lose any chance of my accessing their site :) This mainly seems to be media services and news sites often linked to from my main news feed the BBC so perhaps we should be flagging this back to them so they can provide better third party sources?

    1. eionmac

      Re: Dutch take is right ...

      BBC do not vet or take any responsibility for third party sources. They are just quoted for your information.

      The (usually local) Paper newspapers / websites with lots of individual "no-consent forms" have caused me to stop buying their published newspapers and stopped trying to access them. Double penalty, as a pre read on web usually caused me to buy paper.

  7. chivo243 Silver badge
    Mushroom

    On a related note

    I've just recently come up against sites that don't allow access when an adblocker or content filter is detected. Screw them, block me? I won't be visiting their site again, and they're going on Nixon's list...

  8. DropBear Silver badge
    Facepalm

    Bastard, the lot of them...

    Unfortunately, a vast proportion of sites deals with this in a "we are hereby notifying you that you will be tracked - there's nothing you can do about it" fashion, linking to nothing more than a privacy statement or a list a entities they use to track you, without any options attached; at most, they vaguely handwave in the direction of those, saying "how you may or may not deal with those is not our problem". Do you know what GOG's (who are allegedly the good guys see DRM and all that - well at least the less bad buys...) banner looks like...? Well, prepare to be amazed:

    "Not like it changes anything but we are obligated to inform you that we are using cookies - well, we just did. More info on cookies."

    Yes, really. Literally. And guess what, there's a comprehensive list of all types of cookies in existence on that page, and not a single checkbox. There is this instead:

    "HOW DO I CONTROL COOKIES?

    Although most web browsers automatically accept cookies, you may adjust settings on your browser or device to prevent the reception of cookies, or to provide notification whenever a cookie is sent to you. Further information about the procedure to follow in order to disable cookies can be found on your Internet browser provider’s website via your help screen. Also, some of our partners are members of the Networking Advertising Initiative (“NAI”) and/or the Digital Advertising Alliance (“DAA”) – organizations who offer a single location to opt out of receiving tailored ads. If you wish not to have your information used for the purpose of serving you targeted ads, you may opt-out by visiting the DAA's Consumer Choice page and/or the NAI’s Consumer Opt-Out page. Please note this does not opt you out of being served advertising. You will continue to receive generic, or non-targeted, ads."

    How in the blazes is this possibly legal?!?

    1. A.P. Veening

      Re: Bastard, the lot of them...

      "How in the blazes is this possibly legal?!?"

      It shouldn't be, but you can start by blaming D. Trump, the fake president of the USA.

    2. hoola

      Re: Bastard, the lot of them...

      Quite, and it is getting worse. The other day I ended up on the website of our local paper to read something. The cookie blah came up and I had a look as previously I had rejected them. I now could not access the site and the option was to "Agree", nothing else. The only way to get rid of the window that covered the page was to use the browser back button. I investigated more closely to discover something in the region or 600 to 800 cookies (I stopped counting at 100" for "Our partners", all of which had to be individually deselected. A quick check on who own the paper and there other titles showed a random selection to be the same. This includes national titles. Reach PLC,

      What also needs stopping is the growing prevalence of cookies that cannot be turned off as you need to go to a third party site, and usually create an account an login to "opt out"

      As you say, total bastards the lot of them.,

  9. naive

    There is no free lunch

    Be careful what one wishes for. Operating a website costs a ton of money.

    By restricting the operator of a website to make a few pennies by slinging a few customized ads, the "free" internet as we know it will slowly die out.

    We end up with an internet controlled by big tech, and governments, because all the smaller initiatives are strangled by complex legislation and the limitation to earn some money.

    Even when a website asks for permission to place a cookie, compare what a big privacy win a website offers compared to going to a shop:

    - The shopkeeper can see ones car

    - The visitor of a shop often gets registered by several security camera's

    - The shopkeeper knows which bank one uses when paying with cards..

    etc...

    No idea why they are complaining, these people are probably lefties, once again now trying to kill of free internet with rules and limitations.

    1. cantankerous swineherd Silver badge

      Re: There is no free lunch

      operating my website costs next to nothing. perhaps it's just broucherware :-(

    2. Anonymous Coward
      Anonymous Coward

      Re: There is no free lunch

      I don't agree with the invasive overuse of security cameras or with ANPR either. I mostly pay by cash, so for now card profiling isn't a big issue.

      What's your point?

    3. Jamie Jones Silver badge

      Re: There is no free lunch

      How on earth do/did tv stations manage to survive with trackerless adverts, huh?

      As I read your post, I struggled to understand how someone could come up with such a silly argument, but then:

      "these people are probably lefties"

      Ahhh, that explains it. You are one of those who likes the abuses of facebook et al. and scoff at any clampdown, because... .SOCIALISM!

      As for "internet with rules and limitations", you know it's your lot that got rid of net neutrality right?

      But of course, laws to stop ISPs censoring your internet are in themselves censorship, according to FOX logic. (except FOX presenters don't believe that, they just now the stupid replublican voters will)

  10. cosmogoblin

    I know it's not a proper solution - these operators were in a morally dubious area before GDPR, and are now explicitly breaking the law, and this should be dealt with properly.

    But whenever I come across any of these, unless I actually want to use legitimate cookie functionality (i.e. log in), I reopen in a TOR private tab.

    Private because cookies are automatically deleted on exit; TOR to prevent them linking my private session to my non-private through my IP.

    1. Mage Silver badge

      Cookie blocking

      Why is block 3rd party off by default? I enable that on the browser straight after install. It's never broken ANY functionality. How are they even legal even before GDPR?

      Also I block all or most cookies on most sites I don't login to. That also blocks Google's nasty multipage consent popup on search. Which has no "don't agree" or cancel. Blocking google cookies is the only way.

      I use uMatrix

      Also reduces my exposure to tracking and malware.

      1. Jamie Jones Silver badge

        Re: Cookie blocking

        I have a cron job that uses sql to set all third party cookies to temporary, and also limit the lifetime of persistent cookies from non-whitelisted. It's the only way to do it on some android browsers...

        But yes, the whole third-party cookie thing is to deliberately get around the mechanism for cookies not being able to traverse their domain - a mechanism from a spec. from back before large global ad companies using common domains existed. Third-party cookies should have been permanently voided in the spec. and all browsers at that point.

  11. Missing Semicolon Silver badge
    Holmes

    All that is necessary is honesty

    The cookie dialog should say:

    "Access to badgerbotherers.com is not free.

    Click >here< to select a subscription option,

    or >here< to continue, and pay for access by sharing tracking information.

    Click >here< for information on what information we capture, and who we share it with"

    There is no actual reason why a web site should be free. Since the dialog is now just about payment options, the issue of GDPR does not arise, as the information<>access trade is now explicit.

    1. Mage Silver badge

      Re: All that is necessary is honesty

      No, many sites do not want to charge. They are either free (no scraping or adverts), basically the owner is paying for it. Or advert funded (need not have evil tracking & javascript, an image/text & link is all that's needed). Or funded some other way (Government, Support for stuff you bought, crowdfunded such as Wikipedia). Some are funded by adverts sold by the illegal snake oil of stealing your activity on the site and across as much of the Internet as possible (Facebook/Instagram/Whatsapp, Google/Alphabet). Others are selling stuff, so the site is free (Amazon, eBay).

      Only a minority of sites suit a pure subscription model.

    2. John Brown (no body) Silver badge

      Re: All that is necessary is honesty

      "There is no actual reason why a web site should be free. Since the dialog is now just about payment options, the issue of GDPR does not arise, as the information<>access trade is now explicit."

      Wrong. GDPR explicitly says that access to the site must not be restricted by forcing tracking on the user with the only alternative to be to pay. And anyway, people choosing not to be tracked are far less likely to be the people who click on adverts, so the site is losing nothing whether they show targetted or "random" ads. Or are they still getting revenue per eyeball rather than per click?

  12. mark l 2 Silver badge

    I personally don't see a problem with a commercial website offering the option to accept the cookies or leave the website. If that is the only choice they don't get my business. I see it as no different than when a physical store might have a sign that says 'No shirt, No shoes, No service" it is your choice to go in the store or shop somewhere else that has a less restricted policy.

    Obviously if it were a service providers website or a government run one that you have to access then that is a different matter and you should not then be required to accept cookies to access it.

  13. Garymrrsn

    Ultimate Gotcha

    The worst offenders I've found are the ones where you have to accept their cookie and privacy policy in order to view their cookie and privacy policy.

  14. Sebastian A

    Since Firefox and Palemoon have recently removed the option to allow or block cookies on a per-site basis, I've had to switch to cookie-handling addons, and most of my browsing these days is done in private windows, with only my core trusted sites allowed in a normal window. Close the window, and the cookies are gone.

    Don't sites realise the more draconian their policies get, the greater the inevitable backlash will be?

  15. novice2

    Surprised that no-one has mentioned that The Register has a non compliant cookie policy...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019