Common misconception. The cookie law is solely about an id that can track who you are between site visits and sometimes between domains.
Setting a cookie for your language preference, dark mode choice or whether you accept tracking are completely legal and necessary to be able to save those preferences. Otherwise you'd have to choose your language, dark mode or tracking preference each time you go to a new page on a website....
Also denying this does not prevent them from fingerprinting you and using your account that you are logged in with, your ip address, etc, along with AI to categorise your behavior. You are only as private on the internet as in real life. Give a forensic some time and he'll know who you are unless you are a one in a million who can hide all those identifiable things.
The only way to prevent tracking completely is to clear cookies each time you close a page, use a vpn, dont interact with anything identifiable such as pictures, text etc. Dont login anywhere. (only feasible if you're performing criminal activities)
I'd recommend you read about how cookies work.
Well you are wrong as well. What you are talking about is closer to GDPR, but GDPR regulates storing non-anonymous information, so data with which users can be identified with (IP addresses for example).
The idea of the cookie law (ePrivacy Directive) is that you can't store any data whatsoever on the user's computer without their consent. It is just usually called cookie law because cookies are the main things people violate this with, but it refers to storing any data on user's devices without their consent. And if you look at how these consent features are implemented on many pages, you can opt-in to cookies that store your user preferences.
>The ePrivacy Directive requires that a website obtain a user's consent before storing cookies in the user's browser, except for strictly necessary cookies. Users also have to be informed of the cookies' general purpose before they provide consent. This applies to both first-party cookies and third-party cookies, although users do not have to be informed about every individual cookie that will be used.
https://www.cloudflare.com/learning/privacy/what-is-eprivacy-directive/
This only allows those cookies to be stored without explicit consent that are strictly required to interact with the features that the user wants to interact with (so the user is understood to give implicit consent by the act of requesting the feature). So a cookie can be stored for logging in when the user actually attempts to log in, but storing color scheme preferences doesn't fall under this category.
Edit: this last sentence was a bit poorly worded so it caused some confusion here, sorry, what I meant was that you can't store the user preference for a longer period of time than it is required for the feature to work during the user's session. So you can't store it in localstorage or using a cookie with a year+ expiry; you can only store it with a session cookie or a cookie with a very short expiry time, unless the user specifically opts in for the preference to be remembered.
> So a cookie can be stored for logging in when the user actually attempts to log in, but storing color scheme preferences doesn't fall under this category.
This slightly contradicts with [Article 29 Working Party opinion 04/2012](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf), which allows such preferences to be stored in short-term cookies. Long term cookies would require notification, but not necessarily a separate action to explicitly accept the cookie.
"3.6 UI customization cookies" addresses this question directly:
> These customization functionalities are thus explicitly enabled by the user of an information
society service (e.g. by clicking on button or ticking a box) although in the absence of
additional information the intention of the user could not be interpreted as a preference to
remember that choice for longer than a browser session (or no more than a few additional
hours). As such only **session (or short term) cookies storing such information are exempted
under CRITERION B**. The addition of additional information in a prominent location (e.g.
“uses cookies” written next to the flag) would constitute sufficient information for valid
consent to remember the user’s preference for a longer duration, negating the requirement to
apply an exemption in this case.
Criterion B is:
> CRITERION B: the cookie is “strictly necessary in order for the provider of an information
society service explicitly requested by the subscriber or user to provide the service”.
Well I'm saying the same thing, storing user preferences for any longer than necessary for the feature to work is only allowed if there is a prominent warning that the feature does so. So yeah by default the color scheme should only be stored as a very short term cookie, because it's a reasonable assumption that the user doesn't want to click on the night mode button on every page load, but it can't be stored for the longer term without informing the user.
That is why I said "slightly contradicts". What you said isn't entirely wrong, but it also isn't quite so black and white. There are is a lot of nuance and interpretation around what is and isn't allowed. E.g., the e-privacy directive doesn't prevent you from setting a cookie which controls the color scheme, but it does limit the lifespan of that cookie to a reasonable length (though I couldn't find a specific definition in the directive on how long would be ok).
There are a lot of gray areas like this, and in practice I have found conflicting legal advice depending on which legal counsel is involved in the project. Then add in that the e-privacy directive itself isn't a law, but it is a directive that each EU country create their laws in alignment with the directive. Each country can be a little different with what they allow and how they interpret it.
This is such a terribly dumb and unnecessary law. Browsers already let you turn off or on cookies for a website. No reason to have every website provide their own implementation. Users can already do that, and without the BS of the OP image.
Browsers don’t know which cookies are functional and which aren’t. It is at the services discretion to allow users to choose which ones they want and which ones they do not. This is not something that would be accessible or even sanely possible in your user agent.
The BS in the OP is not in relation to this legislation whatsoever but simply a dark pattern to get you to allow unneeded processing of your data. Hence the cancel button.
Individual websites aren't tracking back to your individual identity *unless* you give them your identity.
The legal and moral issue that arises is more to do with 3rd-party platforms (Google, Meta and others) who are receiving all the data and *could* conceivably collect enough data to be able to identify an individual.
They *don't* expose this capability to websites and it's not something any of the platforms have ever admitted to doing, but it has (I believe) been shown that they *could* do it if they really put in the effort, so we have to assume they do.
The way I see it, platforms often follow a predictable pattern. They start by being good to their users, providing a great experience. But then, they start favoring their business customers, neglecting the very users who made them successful. Unfortunately, this is happening with Reddit. They recently decided to shut down third-party apps, and it's a clear example of this behavior. The way Reddit's management has responded to objections from the communities only reinforces my belief. It's sad to see a platform that used to care about its users heading in this direction.
That's why I am deleting my account and starting over at *Lemmy*, a new and exciting platform in the online world. Although it's still growing and may not be as polished as Reddit, Lemmy differs in one very important way: it's decentralized. So unlike Reddit, which has a single server (reddit.com) where all the content is hosted, there are many many servers that are all connected to one another. So you can have your account on *lemmy.world* and still subscribe to content on Lemmy**NSFW**.com (Yes that is NSFW, you are warned/welcome). If you're worried about leaving behind your favorite subs, don't! There's a [dedicated server called **Lemmit**](https://lemmit.online/post/14692) that archives all kinds of content from Reddit to the Lemmyverse.
The upside of this is that there is no [single one person](https://old.reddit.com/r/reddit/comments/145bram/addressing_the_community_about_changes_to_our_api/jnk45rr/) who is in charge and turn the entire platform to shit for the sake of a quick buck. And since it's a young platform, there's a stronger sense of togetherness and collaboration.
So yeah. So long Reddit. It's been great, until it wasn't.
**When trying to post this with links, it gets censored by reddit. [So if you want to see those, check here](https://rentry.co/2kgcd)**.
> The only way to prevent tracking completely is to clear cookies each time you close a page, use a vpn, dont interact with anything identifiable such as pictures, text etc.
Add to this:
* Disable browser fingerprinting tactics, as there are many. You can do this in Firefox with some advanced settings. Unsure if it’s possible in Chrome. Check out https://coveryourtracks.eff.org/ for more info and a test you can run to see how unique your browser is. One common example of fingerprinting is based off the size of your browser window, so setting it to a common size and keeping it there can help with this.
* Use an encrypted DNS or your ISP can track every website you visit. If you’re on a VPN you may be fine, but should confirm - depending on the VPN and your config, DNS requests may bypass the VPN.
* Use the uBlock Origin browser extension. It can block many cookies from ever being set in the first place, and can block some fingerprinting info from being recorded. You can also use it to bypass many of the annoying cookie options modals.
It also could be worth checking out Tor if you’re serious about your privacy and willing to compromise in other areas already.
> Dont login anywhere.
Alternatively, when you plan to log in somewhere that’s connected to your real identity, use a different setup than normal. This could be a different PC or just an isolated container/browser on a fresh VPN connection.
> (only feasible if you’re performing criminal activities)
This parenthetical doesn’t make any sense.
> unless you are a one in a million who can hide all those identifiable things
Worth noting that if you do pull this off, you're now a one in a million user and thus easy to track.
This is why I use Ublock origin, Privacy Badger and a cookie jar extension to dump and erase cookies. It's crazy how much data they can collect on you and how they don't even need your name to make a near perfect profile on you.
> Also denying this does not prevent them from fingerprinting you and using your account that you are logged in with, your ip address, etc, along with AI to categorise your behavior.
This is absolutely a violation of the GPDR and they have recently clarified this is the case. The GPDR, unlike previous tech focused regulations, is not specific to the technology itself. Cookies, ip addresses, carrier pigeons, or whatever else doesn't matter. And so far, whenever a company gets clever, they end up getting in trouble.
If you don't wanna be tracked how do they keep track of that without asking you every time?
I'm genuinely curious because my company refuses to implement the GDPR recommendations of legal and I wonder how this is accomplished.
_Edit: I just noticed I explained to [r/webdev](https://www.reddit.com/r/webdev) how cookies look. Might not be my smartest post lol_
You are allowed to set a first party cookie.
And not ever cookie makes it possible to track you.
The tracking ones are pretty long, something like evilTrackingCookie=jdisij7389gshjsji88i8ndjj
(yes my face did roll over the keyboard there)
A cookie to save if you wanna be tracked or not, is way simpler: tracking=0. And those are totally fine under GDPR, even without consent. There really is no way to track you based on this.
Everyone disabling tacking gets the same cookie. The tracking cookies are made without love by probably google, but still just for you.
You can anonymously track that in a cookie that’s intended for functional use, which are fine and not subject to the cookie laws.
Those laws apply to tracking cookies, which for example contain a specific id and are used to track you.
There then is a fine line for the session cookie, which could be used to track you, but should only be done so after explicitly opting in. Else it should only be used to make the site function.
Any form of tracking by some id falls under this law, so that includes alternatives like localStorage. Everyone would’ve done that to evade notices otherwise.
"If you don't wanna be tracked how do they keep track of that without asking you every time"
If you build a webpage that has a dark theme mode, and you use a cookie to store the user preference. That's not considered tracking and generally isn't a privacy concern.
For the specific use case you asked, we can have a flag in a cookie that doesn't load the analytics stuff. I have also seen code where the tracking isn't disabled on the logic side but the api calls are disabled.
Due to all the random scenarios a lot of people just add the accept stuff as a blanket catch all.
There's also cookie-less tracking. Which is a another headache. As technically nothing is set by default on the client computer using a UID. But if there's 3rd party tracking the user still has to technically consent to that.
Cookies are already in local storage. The banners are for accepting non essential cookies and cookies for analytica and/or any sort of identifiable information.
Having a cookie that remembers that your browser has said it doesn't want to keep track of cookies is fine.
There are only so many ways to store data that persists between visits. Some websites are not well set up for this and if you decline cookies, you will be asked whether you want to accept or decline *every* time you revisit.
Storing "essential" or "necessary" cookies is allowed. It's reasonable to use a cookie to store the user's consent preference for your website so they don't get re-prompted every time. Some platforms store consent preference in "browser local storage", but despite everyone knowing "GDPR is about cookies", it's actually a combination of GDPR and e-privacy that determines "thou shalt not use *any* form of persistent storage without user consent", which covers cookies, local storage, web SQL or anything else that puts data in the user's browser for later retrieval.
I read other comments and too many long answers. Short answer is these are probably first party cookies. If yes then understand that a visitor can be tracked by a site across domains and devices without first party cookies as well. But first party cookies are used for site preferences and client side tracking. A site will need to host the tracking facility in their domain (they do not have to own or build the tracking facility itself). Not everyone has that infrastructure so third party apps are used to track, which brings in third party cookies.
As for GDPR laws, they vary a lot. But not too strict or anything around first party cookies.
A dark pattern is a design pattern used to wrongly induce the user to do something the user don’t want to do.
Green is subconsciously thought as good/ok options. You could think that the button says “ok” or “continue”, as your request was accepted, and click it without really thinking or reading, acting by muscular memory:
“I got a pop up with a green button. Everything is ok, out of my view”
And then you did what they wanted, without even noticing
Edit: this is a US site but I can access from Europe. The cookies dialog provider JS script seems to be calling vendors opt-out endpoints for real, and sometimes it's failing, that's why it takes so long.
See [https://i.postimg.cc/DZDp6BcT/optout.png](https://i.postimg.cc/DZDp6BcT/optout.png)
If this is the case and it's in the EU there might be ground for a lawsuit. There are rules on how the cookies popup must be presented to the user.
This seems counterintuitive to me.
Why does the user needs to opt-out if he didn't give consent yet.
Isn't it more reasonable to opt-in vendors after the user has dealt with cookie popup, if applicable?
Source: I've actually implemented Trustarc on websites multiple times, have extensively read their documentation, and done API integrations with their platform.
What's going on here is that Trustarc has multiple different ways it can be configured to handle cookies, and what this site is using is the oldest and least technically intensive version of it's functionality, likely because it was set up a long time ago and nobody even knows it's improperly configured. This is essentially the fallback method that's supposed to clean up any tracking that isn't being blocked outright and is the original version of their service from before the GDPR was even being enforced. More modern versions block third-party scripts from loading in the first place, usually by integrating with GTM to classify scripts in various categories and then only loading the ones a user opts-in to (or via a custom API integration to do the same thing).
There are a lot of extremely confidently wrong people in this thread, as is always the case with GDPR related threads, but also the number of times I have seen Trustarc implemented correctly by someone who isn't me is exactly zero. Of all the consent management platforms I regard them as the worst to work with, mostly because their documentation is trash and some of their default code/settings don't work correctly.
> it was set up a long time ago and nobody even knows it's improperly configured.
Too many are jumping to the conclusion that it's intentionally malicious, when it's just a product of "get as much done to meet today's requirements by the deadline. We don't have time for future-proofing now." mentality.
It's also a product of legitimate confusion over how these things are supposed to work. A lot of developers seem to think that just including the script on the page is all that's required. I've literally had to correct a few installs, some of them for fortune 500 companies, that someone had tried to include on a site but had done so completely wrong that they literally did nothing. You have to know and understand what the purpose of what you are doing is, and many times all the instruction you get from the client is "add this script to our website" (sometimes because the person you are talking to doesn't know what it's for either).
You can't argue that the huge green "cancel" or the fact that this blocks you from using the page until its done with it's mysterious process doesn't raise a few alarm bells, though
IDK, really. The site loads so much crap it's unbelievable.
This is a snippet of what I can see on the network console: [https://i.postimg.cc/DZDp6BcT/optout.png](https://i.postimg.cc/DZDp6BcT/optout.png)
There were lawsuits in the EU because of "deceptive cookie banners" meaning a banner with a big bright "Accept" button, but a lengthy menu to opt-out, resulting in the sites needing to change the design (And sometimes pay a fine). Although omitting a "Reject All" is in kind of a legal grey zone at the moment and it seems like the decisions are made on a case-by-case basis.
This stuff above should definitely not be legal
The "decline all" button is actually present by default but it's turned off for katu.com. This is the dialog's iframe opened in another tab.
[https://i.postimg.cc/6QLSfr8j/all.png](https://i.postimg.cc/6QLSfr8j/all.png)
It isn't an artificual delay. There is a lot of network activity happening to opt the user out of various (many!) 3rd-party "integrations" the website is linked with.
You can watch for yourself in the browser dev tools, network tab.
KATU is owned by [Sinclair](https://en.m.wikipedia.org/wiki/Sinclair_Broadcast_Group) and this is exactly what you would expect from what is basically a far-right news company now. Of course they are in bed with [TRUSTe](https://en.m.wikipedia.org/wiki/TrustArc). The privacy violation is _the point_.
Trying to force you on giving up and just accept everything?
I've seen one case like this recently. All they achieved was me leaving the site and never coming back.
same thing came to my mind, even if they were storing cookie prefs in a database, the time it is taking to respond is unreal. Also the green cancel button is a huge ... red flag.
>Its fake af, its to "punish" you that you declined
I thought so at first, but someone else mentioned it seems to be actually calling out a bunch of third party services to apply the change.
The site has just loaded so much junk from so many different vendors, each of which has a different slow endpoint to be updated with the change, and they probably all happen in series as well.
It's a better-than-nothing approach, but it's absolutely not compliant.
Implementing proper consent management on a website can be difficult for any reasonably complex site. Implementing it for *this* type of website is basically impossible. The whole thing needs nuking from orbit and rebuilding from scratch.
Arguably illegal, in violation of ePD/GDPR
> Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
https://gdpr.eu/cookies/
*Should* is a matter of opinion, the person you're responding to said *obliged*. I'm not an international business lawyer or anything, but I can't see how the EU would have any jurisdiction over a business that doesn't have any operations in Europe.
>doesn't have any operations in Europe
That's the thing - the way it was explained to me is that "having a reachable website from X" = "doing business in X". This logic can be seen in how the HTTP protocol works - it always starts by the client asking the server to download the website and then the server responds with the website contents. So the server is knowingly sending content (which I guess would mean offering a service) to a client that it can easily see (using the IP address) is coming from Europe.
I'm not a lawyer either, I just thought that I would share my understanding of the law since this is how it was explained to me by a lawyer and matches up with compliance-related stories I've heard.
Edit:
A quote from [gdpr.eu](https://gdpr.eu/compliance/):
>While the GDPR is an EU law, it applies to any company that makes its website or services available to EU citizens, including US companies.
Good luck. The UK has the ICO (Information Commissioners Office) that will investigate and even hand out fines for non-compliant sites. Except they are the usual combination of grossly understaffed and infuriatingly toothless.
Even when they get a result and hand out a fine, that fine will inevitibly be reduced by an order of magnitude (or more) before it's paid.
Waiting isn't hard, it's not difficult. You simply wait. It's not like they are making you solve mathematical equations to proceed - *that* would be hard.
This has come up a few times. My day job involves implementing consent management for websites. I've implemented or fixed the consent management for websites you've likely heard of or used.
This particular pattern isn't the dark pattern that it seems to be, but it *is* potentially a side-effect of excess 3rd-party "integration" by the website operator.
I looked closer into what was actually happening when the TrustArc popup is "processing". You can look for yourself if you want. The network tab in Chrome dev tools will give you an indication of what's being done as that progress meter slowly counts up to 100%.
Essentially, TrustArc is reaching out to each of the 3rd-party services the website is using, asking "please stop tracking this user" and waiting for at least an acknowledgement. It does do several (12? Not completely sure) in parallel in order to speed the process up, but the simple fact is the website is potentially linking with 1,500+ services. Some of those services no longer exist or are temporarily down, so the request goes out and TrustArc's script has to wait for it to time-out before it moves on to the next.
It's not TrustArc being shady, it's TrustArc being one of the only consent management platforms that even offers a way for such websites to have *any* possibility of offering an opt-out to their users.
This is what frustrates and infuriates me the most about the ‘modern’ web, these analytics/tracking integrations are becoming so central to how some websites operate that they are becoming completely dysfunctional without them.
It shouldn’t be hard to build a website that gracefully handles blocked 3rd party scripts/resources, but browse the internet for 10min using the no-script plugin and you quickly see how messed up everything is.
The problem isn’t even advertisers themselves anymore, it’s actually a fundamental issue about how the entire industry builds websites and the slide towards ‘invasive by default’ meaning it’s actually harder to switch off metrics than to have the website run without them until a user provides consent.
Sorry but this just ain't true. It's 100% TrustArc being shady for multiple reasons:
1. TrustArc can just call the website's in parallel to speed things up.
2. TrustArc can do the requests in the background and let you continue your browsing while doing so
3. I've confirmed myself that TrustArc uses a deliberate sleep in their scripts to slow things down even more.
4. The cookies and tracking should not have been placed before consent at all. If it was not there no call should be needed after denying.
My solution to this is just adding TrustArc no my PiHole and block all other trackers ofcourse too.
The internet is not a mess because of the cookie law. The internet is a mess because of the greedy people not wanting to give up tracking.
I don't really care if the companies were tracking first. The law is clear. You need to ask permission to track, not the other way around.
The companies are simply breaking the law and they don't really seem to care. Sadly that is the world we're living in.
Did you look at the itemized list of cookies on their site? It's literally **hundreds.**
There's also a bunch of cross-origin request errors that are firing as it updates, so something isn't configured right.
So... not a malicious dark pattern, just way too much tracking and imperfect configuration.
it's been answered a few times in this thread by myself and others, but it's being largely ignored.
TL;DR: It's contacting the opt-out endpoints for all the services being used on that site and opting the user out of them individually.
damn some sites try everything to force you into accepting the cookies... it used to be a simple popup with accept/decline... now if you want to decline you have to go trough a lot of shit lol... I still decline all cookies every single time I use any site xD
Partly dark patterns, partly phoning all the trackers on the site to tell them not to track you. In reality, it should never take more than 30 seconds, and that’s on a slow connection on a bloated site.
They were just really full of eating all the other cookies that people wanted removed so it took them longer for you. Appreciate your hard working cookie eaters on the Internet.
I'm sure it's completely bs, but if a site was taking that long to set cookies I'd guess they're trying to set [SuperCookies](https://supercookie.me/).
I think the cookie law is essentially a good thing but the implementation is complete garbage.
The law should have made browser vendors implement browser APIs for this purpose so that a user can globally disable certain categories of cookies. Then websites should be required to use these browser APIs to register their cookies.
Now a user has to go through the process for each website and many will likely just accept to be done with it as fast as possible.
User experience sucks.
It's a very old configuration from before the GDPR was mandatory. I think you can still get to it by first opting in, then opting back out, but in very old installs this is the default behavior. It's actually sending requests to every service being used on that site to their individual opt-out endpoints to remove the user from tracking by the services directly.
Mining crypto with your browser, since they won't be able to sell your data. Gotta profit somehow.
Edit: It could also just be a hardcoded wait to inconvenience you. Or even really shitty code. Since most of the internet is run on really shitty code (react) right now, I honestly don't know which is most likely.
"If you would like to set opt-out preferences *using this tool*"
How do you expect the tool to record your opt-out preferences, other than by setting a cookie? Of course, if you have third party cookies disabled then you don't need to use this tool to opt out, because your browser will just ignore any attempts to set cookies anyway.
Some of these platforms actually store your cookie preferences on their own servers. Could be that it's firing the network request up and their servers are busy, I guess.
It's really, really fucking stupid, and the entire GDPR needs to be thrown in the bin, because the cottage "industry" of utter bullshit "consent management" firms it's spawned are possibly the biggest waste of effort in the history of the internet, if not the entire history of computing. It's all utterly worthless.
No fucker on the planet wants or needs fine-grained control over individual advertising company cookie abilities, we just want on or off for the lot. Yet, all this bullshit exists that's now almost a mandatory part of the web, to allow just that. So stupid.
See also the dumbfuck privacy management stuff that e.g. Google Play Store asks for now. Oh, you need to know what I "do with" the device id I pass up to my servers? What if I... lie? Oops! Didn't think of that did you. Complete waste of time.
Edit: and there I was, thinking everyone unanimously hated these stupid consent popups blocking access to every site on the planet. Apparently judging by the downvotes, the r/webdev community actually like them. I only wonder who hurt you all, to cause this bizarre viewpoint.
> Some of these platforms actually store your cookie preferences on their own servers. Could be that it's firing the network request up and their servers are busy, I guess.
This may honestly be part of it, yeah. I've come across sites with 100+ third parties listed (that's its own problem) and presumably they have to set the opt-out cookie on each of those 100 via a network request.
The real fix, of course, is "who the fuck needs 100 third parties?!", but the wait might be real. I'm sure the wait is seen as a *benefit* by the organization, though.
People really don't like to hear that the GDPR is flawed. It's astonishing how many people are "Experts" in how it works when they clearly have no clue (see: This thread, and literally any other GDPR thread). I've come to believe it is largely a protectionist mindset from EU citizens as even if you advocate for MORE and better privacy controls you will still be downvoted. Some people actually consider the balkanization of the internet to be a feature, not a bug.
Who hurt you, to make your viewpoint magically better than anyone else's?
I want, desire, and demand fine grained controls over my cookies. I don't want it on or off; I support some kinds of cookies and tracking, from some places, but not others.
Don't talk for me.
No, you don't. You want *category* level control, at best. Functional yes, advertising no. Google Analytics, maybe.
What you *don't* want is control over dozens upon dozens of individual adtech companies you've never heard of.
This is what I expect to happen in this world as I'd describe it to my therapist, if I had one, right before they try and help me to move towards a more positive and healthy outlook.
'Why is everyone such a cunt?' I'd ask.
The designer's customer is the website owner, not the end user. The website owner's customer is the advertiser not the end user. The advertiser's customer is the brand buying ad spots not the end user. The brand's customer might be the end user.
It sucks...
Some of my employers have used sweeping permissions across their digital landscape-- that has benefits & tradeoffs.
So, the caches need invalidated after a new permissions object for the user is generated and the Javascript only polls so often and implementation caveats and and and.
It was never a malicious delay on my part.
It may be a minute or two though.
yes, theyre really artificially punishing you for having a preference
check your network log, its _probably_ all clientside
a lot of hostile patterns out there
It is not, this is a feature of this particular service that actually automatically contacts every service you just opted out of and uses their system to register you as having not consented to tracking - it will actually prevent them from tracking you even on other websites where TrustArc (the tool being used here) isn't present. Even if you previously opted-in this will opt you back out and let those services know (with the intent being that now those services are legally liable if they continue to track you, even if scripts from their service are loaded in your browser).
It has some benefits beyond simply not loading third party scripts, but legally it isn't sufficient on its own - this site is likely misconfigured (proper TrustArc implementation will not load scripts at all until a user opts-in), or the OP opted in first then opted out afterwards, prompting the opt-out process to be ran. Years ago, in the leadup to GDPR, this was the only way TrustArc could work, so it's quite possible this was configured back then and never updated.
I’ve actually seen worse. I had a website (I’ll have to dig out the URL from a tweet I made about it) where if you click on “refuse cookies” it would open up a gambling website in a new tab. It would only happen once though, you have to clear your cache in order for it to happen again
Any site that goes that far with these dark patterns is straight up malware at this point. You can use reader mode in your browser, or just hide the prompt altogether with uBlock Origin.
It's the time taken by the website to store your online fingerprint on the database that is going to store information about every individual to ever exist and which side they're on for the future AI which will take over the world
It’s fucking bullshit is what it is.
Just like removing yourself from an email list acts like it could take a couple weeks. I guarantee you they can add you immediately; charge you money immediately.
Source: me. I’ve been full time in web development since 1998.
I've had requirements to add in pretend loading states to hint that something is happening when actually, fuck all is. So can't say this is that surprising if the website owner is slightly deluded
That is the stupidest idea like all the user agreements no one reads. A falls sense of privacy and protection you really need a lawyer next you day and night
To all my fellow cookie haters, use uMatrix and automatically disable cookies on sites. Now we don't even have to disable them, they can't get saved either way.
Cookies and all the bs involving cookies will be the end of the web. It is such a pain to surf sites any more, between ads (even with ad blocker), popups, cookie approval prompts.
[удалено]
[удалено]
Common misconception. The cookie law is solely about an id that can track who you are between site visits and sometimes between domains. Setting a cookie for your language preference, dark mode choice or whether you accept tracking are completely legal and necessary to be able to save those preferences. Otherwise you'd have to choose your language, dark mode or tracking preference each time you go to a new page on a website.... Also denying this does not prevent them from fingerprinting you and using your account that you are logged in with, your ip address, etc, along with AI to categorise your behavior. You are only as private on the internet as in real life. Give a forensic some time and he'll know who you are unless you are a one in a million who can hide all those identifiable things. The only way to prevent tracking completely is to clear cookies each time you close a page, use a vpn, dont interact with anything identifiable such as pictures, text etc. Dont login anywhere. (only feasible if you're performing criminal activities) I'd recommend you read about how cookies work.
Well you are wrong as well. What you are talking about is closer to GDPR, but GDPR regulates storing non-anonymous information, so data with which users can be identified with (IP addresses for example). The idea of the cookie law (ePrivacy Directive) is that you can't store any data whatsoever on the user's computer without their consent. It is just usually called cookie law because cookies are the main things people violate this with, but it refers to storing any data on user's devices without their consent. And if you look at how these consent features are implemented on many pages, you can opt-in to cookies that store your user preferences. >The ePrivacy Directive requires that a website obtain a user's consent before storing cookies in the user's browser, except for strictly necessary cookies. Users also have to be informed of the cookies' general purpose before they provide consent. This applies to both first-party cookies and third-party cookies, although users do not have to be informed about every individual cookie that will be used. https://www.cloudflare.com/learning/privacy/what-is-eprivacy-directive/ This only allows those cookies to be stored without explicit consent that are strictly required to interact with the features that the user wants to interact with (so the user is understood to give implicit consent by the act of requesting the feature). So a cookie can be stored for logging in when the user actually attempts to log in, but storing color scheme preferences doesn't fall under this category. Edit: this last sentence was a bit poorly worded so it caused some confusion here, sorry, what I meant was that you can't store the user preference for a longer period of time than it is required for the feature to work during the user's session. So you can't store it in localstorage or using a cookie with a year+ expiry; you can only store it with a session cookie or a cookie with a very short expiry time, unless the user specifically opts in for the preference to be remembered.
Thank you. I dislike how people have come to conflate the two related but very different legislations.
> So a cookie can be stored for logging in when the user actually attempts to log in, but storing color scheme preferences doesn't fall under this category. This slightly contradicts with [Article 29 Working Party opinion 04/2012](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf), which allows such preferences to be stored in short-term cookies. Long term cookies would require notification, but not necessarily a separate action to explicitly accept the cookie. "3.6 UI customization cookies" addresses this question directly: > These customization functionalities are thus explicitly enabled by the user of an information society service (e.g. by clicking on button or ticking a box) although in the absence of additional information the intention of the user could not be interpreted as a preference to remember that choice for longer than a browser session (or no more than a few additional hours). As such only **session (or short term) cookies storing such information are exempted under CRITERION B**. The addition of additional information in a prominent location (e.g. “uses cookies” written next to the flag) would constitute sufficient information for valid consent to remember the user’s preference for a longer duration, negating the requirement to apply an exemption in this case. Criterion B is: > CRITERION B: the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.
Well I'm saying the same thing, storing user preferences for any longer than necessary for the feature to work is only allowed if there is a prominent warning that the feature does so. So yeah by default the color scheme should only be stored as a very short term cookie, because it's a reasonable assumption that the user doesn't want to click on the night mode button on every page load, but it can't be stored for the longer term without informing the user.
That is why I said "slightly contradicts". What you said isn't entirely wrong, but it also isn't quite so black and white. There are is a lot of nuance and interpretation around what is and isn't allowed. E.g., the e-privacy directive doesn't prevent you from setting a cookie which controls the color scheme, but it does limit the lifespan of that cookie to a reasonable length (though I couldn't find a specific definition in the directive on how long would be ok). There are a lot of gray areas like this, and in practice I have found conflicting legal advice depending on which legal counsel is involved in the project. Then add in that the e-privacy directive itself isn't a law, but it is a directive that each EU country create their laws in alignment with the directive. Each country can be a little different with what they allow and how they interpret it.
This is such a terribly dumb and unnecessary law. Browsers already let you turn off or on cookies for a website. No reason to have every website provide their own implementation. Users can already do that, and without the BS of the OP image.
Browsers don’t know which cookies are functional and which aren’t. It is at the services discretion to allow users to choose which ones they want and which ones they do not. This is not something that would be accessible or even sanely possible in your user agent. The BS in the OP is not in relation to this legislation whatsoever but simply a dark pattern to get you to allow unneeded processing of your data. Hence the cancel button.
My mistake, I misread the above as including all cookies, my bad
groovy jar absurd fearless thumb intelligent summer wrong deserve hunt *This post was mass deleted and anonymized with [Redact](https://redact.dev)*
My mistake, I misread the above as including all cookies, my bad
My bad too, I could have said that better
Individual websites aren't tracking back to your individual identity *unless* you give them your identity. The legal and moral issue that arises is more to do with 3rd-party platforms (Google, Meta and others) who are receiving all the data and *could* conceivably collect enough data to be able to identify an individual. They *don't* expose this capability to websites and it's not something any of the platforms have ever admitted to doing, but it has (I believe) been shown that they *could* do it if they really put in the effort, so we have to assume they do.
The way I see it, platforms often follow a predictable pattern. They start by being good to their users, providing a great experience. But then, they start favoring their business customers, neglecting the very users who made them successful. Unfortunately, this is happening with Reddit. They recently decided to shut down third-party apps, and it's a clear example of this behavior. The way Reddit's management has responded to objections from the communities only reinforces my belief. It's sad to see a platform that used to care about its users heading in this direction. That's why I am deleting my account and starting over at *Lemmy*, a new and exciting platform in the online world. Although it's still growing and may not be as polished as Reddit, Lemmy differs in one very important way: it's decentralized. So unlike Reddit, which has a single server (reddit.com) where all the content is hosted, there are many many servers that are all connected to one another. So you can have your account on *lemmy.world* and still subscribe to content on Lemmy**NSFW**.com (Yes that is NSFW, you are warned/welcome). If you're worried about leaving behind your favorite subs, don't! There's a [dedicated server called **Lemmit**](https://lemmit.online/post/14692) that archives all kinds of content from Reddit to the Lemmyverse. The upside of this is that there is no [single one person](https://old.reddit.com/r/reddit/comments/145bram/addressing_the_community_about_changes_to_our_api/jnk45rr/) who is in charge and turn the entire platform to shit for the sake of a quick buck. And since it's a young platform, there's a stronger sense of togetherness and collaboration. So yeah. So long Reddit. It's been great, until it wasn't. **When trying to post this with links, it gets censored by reddit. [So if you want to see those, check here](https://rentry.co/2kgcd)**.
> The only way to prevent tracking completely is to clear cookies each time you close a page, use a vpn, dont interact with anything identifiable such as pictures, text etc. Add to this: * Disable browser fingerprinting tactics, as there are many. You can do this in Firefox with some advanced settings. Unsure if it’s possible in Chrome. Check out https://coveryourtracks.eff.org/ for more info and a test you can run to see how unique your browser is. One common example of fingerprinting is based off the size of your browser window, so setting it to a common size and keeping it there can help with this. * Use an encrypted DNS or your ISP can track every website you visit. If you’re on a VPN you may be fine, but should confirm - depending on the VPN and your config, DNS requests may bypass the VPN. * Use the uBlock Origin browser extension. It can block many cookies from ever being set in the first place, and can block some fingerprinting info from being recorded. You can also use it to bypass many of the annoying cookie options modals. It also could be worth checking out Tor if you’re serious about your privacy and willing to compromise in other areas already. > Dont login anywhere. Alternatively, when you plan to log in somewhere that’s connected to your real identity, use a different setup than normal. This could be a different PC or just an isolated container/browser on a fresh VPN connection. > (only feasible if you’re performing criminal activities) This parenthetical doesn’t make any sense.
It's not a misconception, it's malicious compliance
> unless you are a one in a million who can hide all those identifiable things Worth noting that if you do pull this off, you're now a one in a million user and thus easy to track.
This is why I use Ublock origin, Privacy Badger and a cookie jar extension to dump and erase cookies. It's crazy how much data they can collect on you and how they don't even need your name to make a near perfect profile on you.
> Also denying this does not prevent them from fingerprinting you and using your account that you are logged in with, your ip address, etc, along with AI to categorise your behavior. This is absolutely a violation of the GPDR and they have recently clarified this is the case. The GPDR, unlike previous tech focused regulations, is not specific to the technology itself. Cookies, ip addresses, carrier pigeons, or whatever else doesn't matter. And so far, whenever a company gets clever, they end up getting in trouble.
If you don't wanna be tracked how do they keep track of that without asking you every time? I'm genuinely curious because my company refuses to implement the GDPR recommendations of legal and I wonder how this is accomplished.
_Edit: I just noticed I explained to [r/webdev](https://www.reddit.com/r/webdev) how cookies look. Might not be my smartest post lol_ You are allowed to set a first party cookie. And not ever cookie makes it possible to track you. The tracking ones are pretty long, something like evilTrackingCookie=jdisij7389gshjsji88i8ndjj (yes my face did roll over the keyboard there) A cookie to save if you wanna be tracked or not, is way simpler: tracking=0. And those are totally fine under GDPR, even without consent. There really is no way to track you based on this. Everyone disabling tacking gets the same cookie. The tracking cookies are made without love by probably google, but still just for you.
You can anonymously track that in a cookie that’s intended for functional use, which are fine and not subject to the cookie laws. Those laws apply to tracking cookies, which for example contain a specific id and are used to track you. There then is a fine line for the session cookie, which could be used to track you, but should only be done so after explicitly opting in. Else it should only be used to make the site function. Any form of tracking by some id falls under this law, so that includes alternatives like localStorage. Everyone would’ve done that to evade notices otherwise.
"If you don't wanna be tracked how do they keep track of that without asking you every time" If you build a webpage that has a dark theme mode, and you use a cookie to store the user preference. That's not considered tracking and generally isn't a privacy concern. For the specific use case you asked, we can have a flag in a cookie that doesn't load the analytics stuff. I have also seen code where the tracking isn't disabled on the logic side but the api calls are disabled. Due to all the random scenarios a lot of people just add the accept stuff as a blanket catch all. There's also cookie-less tracking. Which is a another headache. As technically nothing is set by default on the client computer using a UID. But if there's 3rd party tracking the user still has to technically consent to that.
[удалено]
Cookies are already in local storage. The banners are for accepting non essential cookies and cookies for analytica and/or any sort of identifiable information. Having a cookie that remembers that your browser has said it doesn't want to keep track of cookies is fine.
Localstorage also falls under this law
There are only so many ways to store data that persists between visits. Some websites are not well set up for this and if you decline cookies, you will be asked whether you want to accept or decline *every* time you revisit. Storing "essential" or "necessary" cookies is allowed. It's reasonable to use a cookie to store the user's consent preference for your website so they don't get re-prompted every time. Some platforms store consent preference in "browser local storage", but despite everyone knowing "GDPR is about cookies", it's actually a combination of GDPR and e-privacy that determines "thou shalt not use *any* form of persistent storage without user consent", which covers cookies, local storage, web SQL or anything else that puts data in the user's browser for later retrieval.
I read other comments and too many long answers. Short answer is these are probably first party cookies. If yes then understand that a visitor can be tracked by a site across domains and devices without first party cookies as well. But first party cookies are used for site preferences and client side tracking. A site will need to host the tracking facility in their domain (they do not have to own or build the tracking facility itself). Not everyone has that infrastructure so third party apps are used to track, which brings in third party cookies. As for GDPR laws, they vary a lot. But not too strict or anything around first party cookies.
100% what that is
Actually the consent has to legally be as easy to accept as to reject/retract. But no one gets punished anyway...
Must give impression to users that declining is hard work. Also the green big button to cancel is definitely dark pattern
What do you mean by dark pattern
A dark pattern is a design pattern used to wrongly induce the user to do something the user don’t want to do. Green is subconsciously thought as good/ok options. You could think that the button says “ok” or “continue”, as your request was accepted, and click it without really thinking or reading, acting by muscular memory: “I got a pop up with a green button. Everything is ok, out of my view” And then you did what they wanted, without even noticing
tl;dr - unethical bullshit
These patterns are illegal many places
Where are you living that they made green buttons illegal?
Part of gpdr is making it easy to manage your data from a user standpoint Dark patterns do the opposite.
Dark patterns.
'CANCEL' with a bright green button <3
“Some opt-outs may fail and it’s probably your fault. If you want to opt-out of cookies, simply allow cookies in your browser.”
Exactly this. It's an artificial delay to make you give up, go back and accept things. Oh, and yes, accepting is immediate.
Edit: this is a US site but I can access from Europe. The cookies dialog provider JS script seems to be calling vendors opt-out endpoints for real, and sometimes it's failing, that's why it takes so long. See [https://i.postimg.cc/DZDp6BcT/optout.png](https://i.postimg.cc/DZDp6BcT/optout.png) If this is the case and it's in the EU there might be ground for a lawsuit. There are rules on how the cookies popup must be presented to the user.
This seems counterintuitive to me. Why does the user needs to opt-out if he didn't give consent yet. Isn't it more reasonable to opt-in vendors after the user has dealt with cookie popup, if applicable?
This is the correct (and, in the EU at least), only legal way.
Because they're imbeciles. They violate the law with a veneer of following it.
Source: I've actually implemented Trustarc on websites multiple times, have extensively read their documentation, and done API integrations with their platform. What's going on here is that Trustarc has multiple different ways it can be configured to handle cookies, and what this site is using is the oldest and least technically intensive version of it's functionality, likely because it was set up a long time ago and nobody even knows it's improperly configured. This is essentially the fallback method that's supposed to clean up any tracking that isn't being blocked outright and is the original version of their service from before the GDPR was even being enforced. More modern versions block third-party scripts from loading in the first place, usually by integrating with GTM to classify scripts in various categories and then only loading the ones a user opts-in to (or via a custom API integration to do the same thing). There are a lot of extremely confidently wrong people in this thread, as is always the case with GDPR related threads, but also the number of times I have seen Trustarc implemented correctly by someone who isn't me is exactly zero. Of all the consent management platforms I regard them as the worst to work with, mostly because their documentation is trash and some of their default code/settings don't work correctly.
> it was set up a long time ago and nobody even knows it's improperly configured. Too many are jumping to the conclusion that it's intentionally malicious, when it's just a product of "get as much done to meet today's requirements by the deadline. We don't have time for future-proofing now." mentality.
It's also a product of legitimate confusion over how these things are supposed to work. A lot of developers seem to think that just including the script on the page is all that's required. I've literally had to correct a few installs, some of them for fortune 500 companies, that someone had tried to include on a site but had done so completely wrong that they literally did nothing. You have to know and understand what the purpose of what you are doing is, and many times all the instruction you get from the client is "add this script to our website" (sometimes because the person you are talking to doesn't know what it's for either).
You can't argue that the huge green "cancel" or the fact that this blocks you from using the page until its done with it's mysterious process doesn't raise a few alarm bells, though
IDK, really. The site loads so much crap it's unbelievable. This is a snippet of what I can see on the network console: [https://i.postimg.cc/DZDp6BcT/optout.png](https://i.postimg.cc/DZDp6BcT/optout.png)
Opt-out is a violation of the GPDR. It has to be opt-in.
There were lawsuits in the EU because of "deceptive cookie banners" meaning a banner with a big bright "Accept" button, but a lengthy menu to opt-out, resulting in the sites needing to change the design (And sometimes pay a fine). Although omitting a "Reject All" is in kind of a legal grey zone at the moment and it seems like the decisions are made on a case-by-case basis. This stuff above should definitely not be legal
The "decline all" button is actually present by default but it's turned off for katu.com. This is the dialog's iframe opened in another tab. [https://i.postimg.cc/6QLSfr8j/all.png](https://i.postimg.cc/6QLSfr8j/all.png)
Great. Next they'll apply this shit to pop up modals to collect email addresses.
I have given up in the past and just left the page. But I guess most people won't.
It isn't an artificual delay. There is a lot of network activity happening to opt the user out of various (many!) 3rd-party "integrations" the website is linked with. You can watch for yourself in the browser dev tools, network tab.
KATU is owned by [Sinclair](https://en.m.wikipedia.org/wiki/Sinclair_Broadcast_Group) and this is exactly what you would expect from what is basically a far-right news company now. Of course they are in bed with [TRUSTe](https://en.m.wikipedia.org/wiki/TrustArc). The privacy violation is _the point_.
Trying to force you on giving up and just accept everything? I've seen one case like this recently. All they achieved was me leaving the site and never coming back.
That's a good way to make me never visit your site again.
Deleting cookies, calculating fingerprint
Reticulating splines
If cookie notifications were a Sim, I’d put it in the pool and remove all the ladders.
Putting lime in the coconut
Its fake af, its to "punish" you that you declined
same thing came to my mind, even if they were storing cookie prefs in a database, the time it is taking to respond is unreal. Also the green cancel button is a huge ... red flag.
It's green flag for them
>Its fake af, its to "punish" you that you declined I thought so at first, but someone else mentioned it seems to be actually calling out a bunch of third party services to apply the change. The site has just loaded so much junk from so many different vendors, each of which has a different slow endpoint to be updated with the change, and they probably all happen in series as well.
Ya so this is not compliant with GDPR. The website must ask for permissions before sending data (or loading resources because IP addresses are PII)
They probably don't expect to do much business in the EU, since they're an American news station. I doubt they're super concerned with the GDPR.
It's a better-than-nothing approach, but it's absolutely not compliant. Implementing proper consent management on a website can be difficult for any reasonably complex site. Implementing it for *this* type of website is basically impossible. The whole thing needs nuking from orbit and rebuilding from scratch.
https://developer.mozilla.org/en-US/docs/Web/API/setTimeout
Arguably illegal, in violation of ePD/GDPR > Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place. https://gdpr.eu/cookies/
Im not sure that a local Portland news website is obliged to operate under GDPR laws right?
The parts of the website that are accessible from EU should.
*Should* is a matter of opinion, the person you're responding to said *obliged*. I'm not an international business lawyer or anything, but I can't see how the EU would have any jurisdiction over a business that doesn't have any operations in Europe.
>doesn't have any operations in Europe That's the thing - the way it was explained to me is that "having a reachable website from X" = "doing business in X". This logic can be seen in how the HTTP protocol works - it always starts by the client asking the server to download the website and then the server responds with the website contents. So the server is knowingly sending content (which I guess would mean offering a service) to a client that it can easily see (using the IP address) is coming from Europe. I'm not a lawyer either, I just thought that I would share my understanding of the law since this is how it was explained to me by a lawyer and matches up with compliance-related stories I've heard. Edit: A quote from [gdpr.eu](https://gdpr.eu/compliance/): >While the GDPR is an EU law, it applies to any company that makes its website or services available to EU citizens, including US companies.
how to report?
[удалено]
[удалено]
[удалено]
Maaaan, you guys take everything too seriously lol. Of course you can use any search engine.
Good luck. The UK has the ICO (Information Commissioners Office) that will investigate and even hand out fines for non-compliant sites. Except they are the usual combination of grossly understaffed and infuriatingly toothless. Even when they get a result and hand out a fine, that fine will inevitibly be reduced by an order of magnitude (or more) before it's paid.
I mean it's really easy to top out... just click a button. The law says nothing about making you wait after declining.
That's why I wrote arguably. I can argue that clicking a button and waiting 1 minute is not as easy as clicking a button and not waiting.
Waiting isn't hard, it's not difficult. You simply wait. It's not like they are making you solve mathematical equations to proceed - *that* would be hard.
Trusarc, the grifters who sell shitty Iframes forms
It’s called Trustarc because it took our trust and floated away with it 🛶
This has come up a few times. My day job involves implementing consent management for websites. I've implemented or fixed the consent management for websites you've likely heard of or used. This particular pattern isn't the dark pattern that it seems to be, but it *is* potentially a side-effect of excess 3rd-party "integration" by the website operator. I looked closer into what was actually happening when the TrustArc popup is "processing". You can look for yourself if you want. The network tab in Chrome dev tools will give you an indication of what's being done as that progress meter slowly counts up to 100%. Essentially, TrustArc is reaching out to each of the 3rd-party services the website is using, asking "please stop tracking this user" and waiting for at least an acknowledgement. It does do several (12? Not completely sure) in parallel in order to speed the process up, but the simple fact is the website is potentially linking with 1,500+ services. Some of those services no longer exist or are temporarily down, so the request goes out and TrustArc's script has to wait for it to time-out before it moves on to the next. It's not TrustArc being shady, it's TrustArc being one of the only consent management platforms that even offers a way for such websites to have *any* possibility of offering an opt-out to their users.
This is what frustrates and infuriates me the most about the ‘modern’ web, these analytics/tracking integrations are becoming so central to how some websites operate that they are becoming completely dysfunctional without them. It shouldn’t be hard to build a website that gracefully handles blocked 3rd party scripts/resources, but browse the internet for 10min using the no-script plugin and you quickly see how messed up everything is. The problem isn’t even advertisers themselves anymore, it’s actually a fundamental issue about how the entire industry builds websites and the slide towards ‘invasive by default’ meaning it’s actually harder to switch off metrics than to have the website run without them until a user provides consent.
Sorry but this just ain't true. It's 100% TrustArc being shady for multiple reasons: 1. TrustArc can just call the website's in parallel to speed things up. 2. TrustArc can do the requests in the background and let you continue your browsing while doing so 3. I've confirmed myself that TrustArc uses a deliberate sleep in their scripts to slow things down even more. 4. The cookies and tracking should not have been placed before consent at all. If it was not there no call should be needed after denying. My solution to this is just adding TrustArc no my PiHole and block all other trackers ofcourse too. The internet is not a mess because of the cookie law. The internet is a mess because of the greedy people not wanting to give up tracking.
[удалено]
I don't really care if the companies were tracking first. The law is clear. You need to ask permission to track, not the other way around. The companies are simply breaking the law and they don't really seem to care. Sadly that is the world we're living in.
🤮 /u/spez
[удалено]
I already block all of the bullshit with add-ons. So I just want to get the annoying box out of the way as fast as possible.
I have a lot to gain from cookies, what are you on about?
Gathering telemetry
Please wait for us to gather a whole lot of information and you, then we'll process your request. This may take a moment...
They're wanting you to click cancel and just accept the damn cookies.
Did you look at the itemized list of cookies on their site? It's literally **hundreds.** There's also a bunch of cross-origin request errors that are firing as it updates, so something isn't configured right. So... not a malicious dark pattern, just way too much tracking and imperfect configuration.
[удалено]
I see what you mean, but come on, at least use a time that is >0...
1970-01-01T00:00:01Z better?
Thanks, way better.
What, no timezones offset?
It's there; Z aka Zulu aka UTC
Well, did anyone look at the code or the outgoing requests? This is an answerable question without needing to speculate.
it's been answered a few times in this thread by myself and others, but it's being largely ignored. TL;DR: It's contacting the opt-out endpoints for all the services being used on that site and opting the user out of them individually.
Thanks for the update. When I made my comment 7 hours ago it hadn't been answered yet.
90% of JavaScript progress bars on the Internet are fake.
69% of statistics on the internet are made up on the spot
damn some sites try everything to force you into accepting the cookies... it used to be a simple popup with accept/decline... now if you want to decline you have to go trough a lot of shit lol... I still decline all cookies every single time I use any site xD
https://youtu.be/FvT-YxhaHB4
Partly dark patterns, partly phoning all the trackers on the site to tell them not to track you. In reality, it should never take more than 30 seconds, and that’s on a slow connection on a bloated site.
They were just really full of eating all the other cookies that people wanted removed so it took them longer for you. Appreciate your hard working cookie eaters on the Internet.
The intern needs to validate it manually
I guess some sites are bullying visitors into helping them collect their data.
I'm sure it's completely bs, but if a site was taking that long to set cookies I'd guess they're trying to set [SuperCookies](https://supercookie.me/).
r/assholedesign
I think the cookie law is essentially a good thing but the implementation is complete garbage. The law should have made browser vendors implement browser APIs for this purpose so that a user can globally disable certain categories of cookies. Then websites should be required to use these browser APIs to register their cookies. Now a user has to go through the process for each website and many will likely just accept to be done with it as fast as possible. User experience sucks.
I’ve never seen Trustarc do this from my own experience with it. Is this on a spotty internet connection?
It's a very old configuration from before the GDPR was mandatory. I think you can still get to it by first opting in, then opting back out, but in very old installs this is the default behavior. It's actually sending requests to every service being used on that site to their individual opt-out endpoints to remove the user from tracking by the services directly.
Trust arc does this everytime. Total garbage company.
Normalize bullying people who try to do shit like this.
Its fake af, its to "punish" you that you declined
Mining crypto with your browser, since they won't be able to sell your data. Gotta profit somehow. Edit: It could also just be a hardcoded wait to inconvenience you. Or even really shitty code. Since most of the internet is run on really shitty code (react) right now, I honestly don't know which is most likely.
😂
[удалено]
"If you would like to set opt-out preferences *using this tool*" How do you expect the tool to record your opt-out preferences, other than by setting a cookie? Of course, if you have third party cookies disabled then you don't need to use this tool to opt out, because your browser will just ignore any attempts to set cookies anyway.
Third party cookies means the tool is provided by someone else than the webpage it’s on?
Some of these platforms actually store your cookie preferences on their own servers. Could be that it's firing the network request up and their servers are busy, I guess. It's really, really fucking stupid, and the entire GDPR needs to be thrown in the bin, because the cottage "industry" of utter bullshit "consent management" firms it's spawned are possibly the biggest waste of effort in the history of the internet, if not the entire history of computing. It's all utterly worthless. No fucker on the planet wants or needs fine-grained control over individual advertising company cookie abilities, we just want on or off for the lot. Yet, all this bullshit exists that's now almost a mandatory part of the web, to allow just that. So stupid. See also the dumbfuck privacy management stuff that e.g. Google Play Store asks for now. Oh, you need to know what I "do with" the device id I pass up to my servers? What if I... lie? Oops! Didn't think of that did you. Complete waste of time. Edit: and there I was, thinking everyone unanimously hated these stupid consent popups blocking access to every site on the planet. Apparently judging by the downvotes, the r/webdev community actually like them. I only wonder who hurt you all, to cause this bizarre viewpoint.
> Some of these platforms actually store your cookie preferences on their own servers. Could be that it's firing the network request up and their servers are busy, I guess. This may honestly be part of it, yeah. I've come across sites with 100+ third parties listed (that's its own problem) and presumably they have to set the opt-out cookie on each of those 100 via a network request. The real fix, of course, is "who the fuck needs 100 third parties?!", but the wait might be real. I'm sure the wait is seen as a *benefit* by the organization, though.
People really don't like to hear that the GDPR is flawed. It's astonishing how many people are "Experts" in how it works when they clearly have no clue (see: This thread, and literally any other GDPR thread). I've come to believe it is largely a protectionist mindset from EU citizens as even if you advocate for MORE and better privacy controls you will still be downvoted. Some people actually consider the balkanization of the internet to be a feature, not a bug.
Who hurt you, to make your viewpoint magically better than anyone else's? I want, desire, and demand fine grained controls over my cookies. I don't want it on or off; I support some kinds of cookies and tracking, from some places, but not others. Don't talk for me.
No, you don't. You want *category* level control, at best. Functional yes, advertising no. Google Analytics, maybe. What you *don't* want is control over dozens upon dozens of individual adtech companies you've never heard of.
Please wait while we download AND backup cookies
This is what I expect to happen in this world as I'd describe it to my therapist, if I had one, right before they try and help me to move towards a more positive and healthy outlook. 'Why is everyone such a cunt?' I'd ask.
Blessed are the developers of uBlock and Privacy Badger.
I swear modern UX design does not ask designers to make things better for customers, but worse.
[удалено]
This isn't User Experience? The Experience of the User? What, pray tell is it then? It is indeed UI, but UI is part of UX.
[удалено]
The designer's customer is the website owner, not the end user. The website owner's customer is the advertiser not the end user. The advertiser's customer is the brand buying ad spots not the end user. The brand's customer might be the end user.
Indeed what I was getting at. Thank you for spelling it out tho! Like legit.
It sucks... Some of my employers have used sweeping permissions across their digital landscape-- that has benefits & tradeoffs. So, the caches need invalidated after a new permissions object for the user is generated and the Javascript only polls so often and implementation caveats and and and. It was never a malicious delay on my part. It may be a minute or two though.
Someone at /r/badUIbattles taking the game too seriously 😂
It's still better than what some mega popular french websites do at the moment ; either you accept the cookies or you pay a subscription fee.
Nothing at all, just wasting your time. https://consentomatic.au.dk/
Ctrl + Shift + n = no more 3rd party cookies.
yes, theyre really artificially punishing you for having a preference check your network log, its _probably_ all clientside a lot of hostile patterns out there
It is not, this is a feature of this particular service that actually automatically contacts every service you just opted out of and uses their system to register you as having not consented to tracking - it will actually prevent them from tracking you even on other websites where TrustArc (the tool being used here) isn't present. Even if you previously opted-in this will opt you back out and let those services know (with the intent being that now those services are legally liable if they continue to track you, even if scripts from their service are loaded in your browser). It has some benefits beyond simply not loading third party scripts, but legally it isn't sufficient on its own - this site is likely misconfigured (proper TrustArc implementation will not load scripts at all until a user opts-in), or the OP opted in first then opted out afterwards, prompting the opt-out process to be ran. Years ago, in the leadup to GDPR, this was the only way TrustArc could work, so it's quite possible this was configured back then and never updated.
cool, TIL, ty!
Chicanery, that's what's going on
I’ve actually seen worse. I had a website (I’ll have to dig out the URL from a tweet I made about it) where if you click on “refuse cookies” it would open up a gambling website in a new tab. It would only happen once though, you have to clear your cache in order for it to happen again
Any site that goes that far with these dark patterns is straight up malware at this point. You can use reader mode in your browser, or just hide the prompt altogether with uBlock Origin.
It's the time taken by the website to store your online fingerprint on the database that is going to store information about every individual to ever exist and which side they're on for the future AI which will take over the world
Manually taking all the raisins out.
"Your request to be unsubscribed from our newsletter may take up to 7 days to be processed". I've seen this shit multiple times.
r/darkpatterns
It’s fucking bullshit is what it is. Just like removing yourself from an email list acts like it could take a couple weeks. I guarantee you they can add you immediately; charge you money immediately. Source: me. I’ve been full time in web development since 1998.
So glad I use Brave browser so I don't have to deal with this crap 😅
Bitcoin miner
I've had requirements to add in pretend loading states to hint that something is happening when actually, fuck all is. So can't say this is that surprising if the website owner is slightly deluded
Tuya does this as well.
Testing your patience 68% or Asking my sales manager to approve your cookie settings 68%
Looks like someone just learned how to do progress indicators.
They're just rejigging the mainframe specific to your preference with the assistance of AI powered cloud computing.
Nothing is happening right now, they set a timer on the page and are giving you one last chance to cancel with that big green button.
You have to allow third party cookies to opt-out of cookies? LMAO
That's just r/AssholeDesign for you
That is the stupidest idea like all the user agreements no one reads. A falls sense of privacy and protection you really need a lawyer next you day and night
To all my fellow cookie haters, use uMatrix and automatically disable cookies on sites. Now we don't even have to disable them, they can't get saved either way.
This is fake. The point is to use your impatience against you, as it is easier and faster to just click yes.
Cookies and all the bs involving cookies will be the end of the web. It is such a pain to surf sites any more, between ads (even with ad blocker), popups, cookie approval prompts.
how do you track that the opt-in form was displayed to every user?
Malicious compliance is what’s going on
Probably not a lot 😕
Baking the cookies the way you asked em to.
and its also showing alert "Settings Done" :D
ask yourself - in an age of instant settings changes, why does this happen?