
The cookie policy is a stupid value-signalling stunt with only negative real-life effects. The correct way of handling the problem would have been through request headers and browser settings, or simply, use the existing option of either allowing or disallowing cookies, and put this option on a per-site basis and a bit more into the user's face.


> only negative real-life effects

Almost. It hardly worked as intended, but at least it increased awareness. The fact that some sites tried to comply and actually provided a full list of all sites that they sell your private data to is somewhat of a win. It got to a lot of the wider public, who realized "they sell it to 97 companies?!".

I personally think local governments or EU wide institutions should have a registry of companies and their sites with ratings, so we could integrate that directly in our browsers, company registries, phone dialer apps. iFixIt style.

- Clarity of EULA: 1/10, impossible to understand without lawyer's interpretation.

- Length of EULA: 1/10, pops up every week with no diff or summary of changes.

- Legality: 4/10, historical track record of rules that are not compliant with local laws of xxx

- History: 1/10, no way to track what were the previous versions of the document or when they changed

- ...

EDIT: to give some context and prove it's possible to provide metrics to legal documents, in Poland we have a formal "Registry of Forbidden Clauses" with references to lost court cases:

https://www.rejestr.uokik.gov.pl/


Request headers aren't going to do anything. Browser settings, maybe. If browsers were not owned by advertising companies, they'd just disallow this tracking and that would be the end of it.


This also solves nothing. It's up to the ethics of the company how they choose to group "none", "essential" and "all", and what kind of server-side tracking they do anyway. It's no harder to do the wrong thing with the current system, but at least the headers would be invisible to the user.

Alternatively: only allow the website to set cookies if it presents headers with the different options, in a standardized way, so the user can choose to pre-set a preference and not be bothered with the cookie nag modal.
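A sketch of the header negotiation proposed in this comment, as an added example that is not part of the thread. The header names, cookie categories and cookie values are all hypothetical assumptions; no browser or specification uses them.

```python
# Added example (not from the thread): a server-side sketch of the proposed
# consent negotiation. Header names and categories are hypothetical.
from http.cookies import SimpleCookie
from typing import Optional

# Hypothetical header names; assumed for this example only.
OFFER_HEADER = "X-Cookie-Categories"   # server -> client: categories it wants to set
PREF_HEADER = "X-Cookie-Preference"    # client -> server: categories the user allows

# Constructed sample of what a site wants to set, grouped by category.
SITE_COOKIES = {
    "essential": {"session": "abc123"},
    "analytics": {"_ga_like": "tracker-id"},
    "ads": {"ad_profile": "segment-42"},
}


def parse_pref(value: Optional[str]) -> set:
    """Parse the client's comma-separated allow-list. A missing or empty
    header means nothing beyond essential cookies has been consented to."""
    allowed = {c.strip().lower() for c in (value or "").split(",") if c.strip()}
    allowed.add("essential")  # essential cookies need no consent in this model
    return allowed


def response_headers(request_headers: dict) -> list:
    """Always advertise the offered categories; emit Set-Cookie only for
    categories the client pre-approved, so no consent modal is needed."""
    allowed = parse_pref(request_headers.get(PREF_HEADER))
    headers = [(OFFER_HEADER, ",".join(sorted(SITE_COOKIES)))]
    for category, cookies in SITE_COOKIES.items():
        if category not in allowed:
            continue  # no consent for this category: the cookie is never set
        for name, val in cookies.items():
            c = SimpleCookie()
            c[name] = val
            c[name]["httponly"] = True
            c[name]["secure"] = True
            c[name]["samesite"] = "Lax"
            headers.append(("Set-Cookie", c.output(header="").strip()))
    return headers


def set_cookie_names(request_headers: dict) -> set:
    """Names of cookies that would actually be set for a given request."""
    return {v.split("=", 1)[0] for k, v in response_headers(request_headers) if k == "Set-Cookie"}
```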


Besides cookies, there are tracking methods based on fingerprinting, IP and so on. None of them are permitted without explicit consent. This means that a site may not load resources from a third-party server without consent, since the request itself reveals enough information for fingerprinting and tracking.

Tracking is plainly not permitted without consent.


> Tracking is plainly not permitted without consent.

According to some poorly thought out law in certain territories, sure.

In practice, however, there is no technical mechanism by which users, or anyone else for that matter, can detect whether they're being tracked or consent to it. There are browser extensions conscious users can install to block certain browser features, but these are not infallible, and they're constantly playing a cat and mouse game with trackers.

The cookie policy only applies for cookies, not for general tracking. And even with it, companies loophole their way by claiming "legitimate interest". Many popular websites show cookie consent forms with upwards of a thousand of these companies, and deliberately use dark patterns to make it impossible to deny all of them. It's absolute insanity.

But in general, cookies are a red herring. They're used as a sacrificial offering aimed at governments and the public to show that a company really cares about user privacy by not using them, when in reality they've been relying on far more sophisticated tracking methods for many years which are technically impossible for the public to even comprehend.

And let's not forget about the shady data broker market, where our data is perpetually transacted against our will or knowledge, let alone benefit.

We need far more technical experts in governments to pass strict regulation against this nonsense, in a way that it actually benefits the public. But I'm not holding my breath that this will ever happen, considering the corporatocracy we're living in.


If by "cookie policy" you mean GDPR, then it absolutely applies to general tracking, not just cookies. The actual technical means used for tracking has absolutely no bearing on legality.


> there is no technical mechanism....

*sigh* There is the law.

The law that legitimate companies obey.

Such data protection law means I can trust my bank will not track me and provide my personal data (all the booze and fags I've spent money on) to my insurance company, and my insurance company cannot accept such data gathered 'unfairly'.

The only people who object to such data protection laws are scummy tech companies who haven't yet understood unnecessary personal data is now a liability, not an asset.


The request headers are already there. It's the DoNotTrack header.


> The cookie policy

No. It isn't a "cookie policy".

The GDPR states I must give a specific opt-in approval to provide my personal data and allow it to be passed on.

You can use as many cookies as you like, but if you want to track me personally (advertisers take a bow) then you need my specific consent to do so. And so you should.

I'm amazed I have to keep explaining this to American web designers who should know better. This has been law in the UK and EU for quite some time now and is a prerequisite to doing business here.

The GDPR is a bloody good law. It makes the gathering of unnecessary personal data a liability, as it should be. See here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...


? You now have a one-click button to refuse most tracking on compliant websites, and this includes Google.

Fail to see how it’s value-signalling ...


When I'm on my phone and a website shows the ads popup, I open it in Brave, which just blocks everything. That's the current implementation of "do not track" settings.


The Do Not Track header was immediately used by the industry to fingerprint and track users.

GDPR isn't about cookies, or browsers.


GDPR compliance can be implemented many ways, starting with not collecting data in the first place. Even if data is collected and sold, it is still both possible and arguably even easier to implement GDPR compliance without cookie pop-ups.

However, we have codecamp graduates gluing left-pad modules together until something works instead of engineers building websites and it shows.


Neither "graduates" nor "engineers" are responsible for any website functionality. They simply do the work that the management requested them to do.


The request from management to engineering was "make us gdpr compatible, show that cookie banner we see on other sites or some shit", implementation details were designed by IT.


At the same time if you suggest "maybe we shouldn't use X, Y and Z analytics then" then you get laughed out of the room. So is there really a choice?


> then you get laughed out of the room

If this is the case, you need to re-assess both your work culture and 'belief' in what Google is telling you.



