The part I find hard to understand is how you decide whether it is a necessity to load external content.
For example, say I want to embed an instagram post on my website. You could argue that I should talk to the person who took the picture and get a license for the image so that I can host it on my own domain rather than loading the content from instagram. In practice this is obviously much, much more cumbersome than embedding the IG post and so would result in huge changes to how websites work (by vastly reducing any externally loaded content).
In a similar vein, you could argue that serving cached content from another host is not strictly necessary. Why not just run your own caching servers? It's probably worse in most ways (my cache server << cloudflare's cache server), but if minimising the amount of content loaded from external hosts is your aim then it is feasible.
> For example, say I want to embed an instagram post on my website.
In that case, you could:
a) get a license (your suggestion),
b) link but not embed Instagram pages, or
c) embed in such a way that it shows a user-controlled notification that opening the embed will connect to Instagram and as a consequence sends data to Meta.
And indeed, some websites use c) without any problem, they even integrate it into the cookie popup. BBC even steps it up: all of their Twitter citations are screencapped and linked instead of other websites just embedding Twitter (in their defense, they can say that this is to preserve the context in case the user subsequently deletes the post).
> c) embed in such a way that it shows a user-controlled notification that opening the embed will connect to Instagram and as a consequence sends data to Meta.
This is how we arrive at cookie popups and annoying "you're leaving our website" notifications. I posit that perhaps both of these could be a feature of the HTTP protocol and the browsers - i.e. a browser could just display a small standard icon in its UI notifying the user that he's consenting to cookies, and another one notifying him that he's being redirected outside of the domain he's in. The user could then configure the browser to auto-accept or auto-deny such attempts, review all the consents he's given earlier etc. - all in all, it would result in much better UX.
Google has probably not proposed and implemented something like this in Chrome already only because it would actually improve privacy and that's obviously not in their interest. Which proves that de facto giving up Web standards to the commercial entity was never a good idea. If the EU was better at execution, they would mandate something like this as the law, instead of the current requirements which can be met by just spamming users with popups no one reads.
The "annoying" popups are also how you end up with businesses like plausible analytics that provide analytics, but don't require the popup, because they don't store the information that causes the popup to be required.
We were not better off 15 years ago. We were just blissfully unaware of the problem of large-scale PII collection that was already metastasizing in the shadows.
Imagine a kind of decision square. Rows are "consciously" and "unconsciously", columns are PII collection and privacy (no PII collection).
This gives us a list of 4 possible scenarios (from least to most desirable).
1. unconscious privacy, 2. unconscious PII collection, 3. conscious PII collection, 4. conscious privacy
In detail (least to most desirable situation)
Box 1: Early internet everyone had unconscious privacy. No one was collecting PII, and no one was aware of it.
Box 2: Early 21st century, people started collecting PII at an ever increasing (and frankly alarming) rate. You may have encountered tall tales where people got sent baby advertisements before they themselves even knew they were pregnant.
Box 3: The goal of the GDPR, shine a light on the situation and make everyone conscious that there is a problem; and unveil the extent.
Box 4 (future): fix the underlying problem.
GDPR already addresses box 4 a little bit. Just by shining a light on these practices, some of the slightly shady bits at the edges are already solved.
Now that the situation is visible and known, we can take further political steps at mitigation.
> Early 21st century, people started collecting PII at an ever increasing (and frankly alarming) rate. You may have encountered tall tales where people got sent baby advertisements before they themselves even knew they were pregnant.
What's disheartening is that in physical stores, this already started happening in the '90s, mainly for analysis of loyalty programs' data.
> i.e. a browser could just display a small standard icon in its UI notifying user that he's consenting to cookies
If you need to notify the user that he is "giving consent" then there is no consent.
> and another one notifying him that he's being redirected outside of the domain he's in
There is rarely a reason to redirect to other domains. The most common case is making outbound links go through a redirect for tracking purposes - and that I won't miss.
>> and another one notifying him that he's being redirected outside of the domain he's in
> There is rarely a reason to redirect to other domains. The most common case is making outbound links go through a redirect for tracking purposes - and that I won't miss.
You misunderstand this part, which is forgivable if you're outside Germany. This is about the mandatory "You're leaving X, we do not have control on their data collection or endorse this site's contents. Do you want to continue?" you'll see on German-language websites because a court in Hamburg says that they're implicitly liable if they didn't state that.
c) is very popular among various German websites I frequent. Instead of the embedded content there is a blank area and you can consent with one click to send your data to $service which will then load the embedded content. Sometimes it also includes a direct link so you can open the embedded content in whichever way you like. I don't find this too intrusive or annoying, especially since the website can save your choice for later and can choose to never ask you again.
Or in Instagram’s case for me, you read the article and see a strange mess with empty holes today, because your IP address hasn’t logged into any Meta properties in the past year and so Instagram won’t serve you embeds anymore.
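The click-to-consent embed described above (option c), as an added example that is not code from any commenter or from Instagram: nothing is requested from the third party until the reader agrees, the decision can be remembered per service, and a plain link is offered as an alternative. The functions return markup strings so the logic runs without a DOM; the `embed/` URL suffix and the service table are assumptions for this example.

```javascript
// Added example: consent-gated ("click-to-load") embed. Constructed names and values.
const SERVICES = {
  instagram: { name: "Instagram", operator: "Meta", host: "www.instagram.com" },
};

// Minimal HTML escaping so a post URL or service name cannot inject markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Only https URLs whose host is the expected service host may be embedded,
// so a content author cannot point the iframe at an arbitrary origin.
function isAllowedEmbedUrl(service, url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return u.protocol === "https:" && u.hostname === SERVICES[service].host;
}

// In-memory stand-in for localStorage: the reader's decision per service,
// so the site can "save your choice for later" and not ask again.
const consentStore = new Map();
function grantConsent(service) { consentStore.set(service, true); }
function revokeConsent(service) { consentStore.delete(service); }
function hasConsent(service) { return consentStore.get(service) === true; }

// Without consent: a placeholder whose only reference to the third party is a
// plain link (no fetch happens at render time). With consent: the real iframe.
function renderEmbed(service, postUrl) {
  const svc = SERVICES[service];
  if (!svc || !isAllowedEmbedUrl(service, postUrl)) {
    return '<p class="embed-error">Unsupported embed.</p>';
  }
  const safeUrl = escapeHtml(postUrl);
  if (hasConsent(service)) {
    // Consent given: only now emit markup that causes a request to the service.
    return `<iframe src="${safeUrl}embed/" sandbox="allow-scripts allow-same-origin" ` +
      `referrerpolicy="no-referrer" loading="lazy"></iframe>`;
  }
  return `<div class="embed-placeholder" data-service="${service}">` +
    `<p>Loading this ${svc.name} post connects to ${svc.operator} and sends them your IP address.</p>` +
    `<button data-action="consent">Load ${svc.name} content</button>` +
    `<a href="${safeUrl}" rel="noopener noreferrer" target="_blank">Open on ${svc.name}</a>` +
    `</div>`;
}
```

A click handler on the `data-action="consent"` button would call `grantConsent("instagram")` and re-render the element with `renderEmbed`.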
I agree that this is a big danger. When this thinking is taken too far you have an easy weapon in hand to destroy websites of your competition, the result would be having no websites in Germany anymore. But so far I've only seen clear-cut cases as this - that Google Fonts is not a valid option has been obvious since the DSGVO, maybe longer. So I refuse to be concerned and trust in an honest best effort approach (I host websites in Germany, there is always risk in that).
The website tried to rely on legitimate interest as the legal basis for processing the data, and that precisely requires a balancing test between the interests of the website host and the interests of the data subject.
If you want to make sure that you're not getting the balancing test wrong, you can always go for the legal basis of last resort: consent. Just ask the user whether you can load content from Instagram and only do it if they agree. In fact, since in parallel to the question of your legal basis under GDPR, you also have to comply with the cookie provision from the e-Privacy Directive, where there is no "legitimate interest" exception to the requirement to ask for consent, you will have to ask for consent anyway (as Instagram embeds place cookies).
> In fact, since in parallel to the question of your legal basis under GDPR, you also have to comply with the cookie provision from the e-Privacy Directive, where there is no "legitimate interest" exception to the requirement to ask for consent, you will have to ask for consent anyway (as Instagram embeds place cookies).
I don't think that's true. The cookie provision is misunderstood when you think you have to ask for consent for functional cookies. It follows from the GDPR, and there is no specific cookie law actually implemented in European countries. See also https://gdpr.eu/cookies/. Ah, but maybe I misunderstood and you are only talking about the cookie set by the embed?
It is not true that "functional" cookies are generally exempt from the consent requirement. What is concretely exempt are necessary cookies for a service that the user explicitly requested. This is not the case for cookies placed by Instagram embeds.
Sorry, but an opinion from 2012 has no chance to be relevant if it disagrees with the current GDPR interpretation I linked to. Note how it explains that the ePrivacy Regulation is not in effect. I do not see how there could be any basis to legislate cookie usage if it is not linked to private data/analytics, if this happens it will not survive the courts I think. I do understand that this cookie consent interpretation is common - one just has to look at those stupid cookie consent forms on private blogs - but it does not follow from real legislation.
However:
> This is not the case for cookies placed by Instagram embeds.
Yeah, I can see how this is complicated and how it fits the topic. It's not a third party cookie for the embed, but for the website it might be, and is it even a functional cookie? I doubt it. I'm not sure how those would be judged and what is a reasonable way to work with embeds. It's only certain that there is not a solution as easy as it was in this case, where self-hosting the fonts was possible.
You're making the mistake of thinking that the cookie consent requirements are somehow a consequence of GDPR. The cookie consent requirements exist separately from and additionally to GDPR as a consequence of the e-Privacy Directive. What GDPR changed in regard to cookie consent is what exactly constitutes "consent", as it updated the Data Protection Directive in that regard, but it did not change when consent for cookies is required.
Other than court judgments, the Article 29 Working Party opinion is the most authoritative opinion you will get on the interpretation of the e-Privacy Directive, which is the "real legislation" that you need to look at.
edit: Nobody claims that the e-Privacy Regulation is in effect, by the way -- of course it isn't, it hasn't even been passed. The cookie consent clause of the e-Privacy Directive is however in effect, and has been since 2009.
Also the e-Privacy Directive does exempt strictly necessary cookies from any consent requirements, or am I completely confused now?
Edit: No, I'm not. The GDPR page I linked states the situation that follows both from the GDPR and the e-Privacy Directive. It also fits to what is written in the directive itself.
Strictly necessary cookies for a service the user explicitly requested. And, importantly, this is true even if no personal data is involved and the process is therefore not covered by GDPR at all -- the cookie clause of e-Privacy Directive applies regardless.
Careful. That is a 100% unofficial site. It is not chartered or funded by the EU. The linked article is from “Richie Koch”, an editor working on human rights stories who wrote the article on behalf of Proton VPN, which runs the GDPR.eu site as a content marketing scheme. The linked article is not the law and not official guidance, though it provides a reasonably good summary.
Everything sqrt2 says in the comments is entirely correct, as far as I can tell.
Fair point. And thanks. I think now that my position - while how it should be, consistent with the GDPR and repeated at multiple places - is possibly not in line with a court decision from 2019 or so, that interpreted the e-Privacy Directive in a wrong way imho, and at the very least might depend on local practice of how EU "law" is applied. So you two are probably right.
Ridiculous to govern non-privacy relevant tech usage like this. I still think that's illegal where I live. Regardless, let's hope the e-Privacy Regulation or future court decisions solve this.