I’m probably in the minority on this, but I’ve never ever built one of those “This site uses cookies, here’s some kind of explanation of why, and please click this OK button to accept that” bars that feel like they are on half of the internet.
Most of us just tediously click “yes” and move on. If you reject the cookie tracking, sometimes, the website won’t work. But most of the time, you can just keep browsing. They’re not too different from the annoying pop-up ads we all ignore when we’re online.
I’m extra-ignorant in that I don’t even really get why they exist, despite being a professional web site builder.
Emily does a good job of rounding up the answer. It’s probably about what you think it is: a better safe than sorry play. Better annoy some users than get sued out of existence.
It’s also interesting that it’s not just one particular regulation that has people doing this. GDPR is a big one (despite being fairly light on mentions of cookies at all), but it’s really a couple of different regulations, including likely-upcoming ones, that have people implementing these obnoxious pop-ups.
I’m probably the weirdo that would rather get sued than show a fricking cookie banner.
Speaking of cookies though, and things that I’m ignorant about, I asked this question not long ago:
What does your brain assume a “Remember me?” checkbox is doing?
— Chris Coyier (@chriscoyier) September 12, 2019
My brain didn’t have an answer at the time. If I was pressed on it, I’d probably answer that it’s just snake oil, and that those checkboxes don’t actually do anything.
From the thread, the answer seems to be that most sites use cookies to store your logged-in user session. Cookies have expiration dates. The “Remember me?” option makes the cookie have a longer expiration date than if you didn’t check it.
The whole thread there is pretty fun. Lots of useful things and lots more jokes. I’m on board with the idea that anytime you check that box, some server, somewhere, plays this.
Update
There is some fair pushback on my take above.
I’m probably the weirdo that would rather get sued than show a fricking cookie banner.
Huge thanks to Laura Kalbag for having a conversation with me about this. Here’s the situation:
As I write, this website is illegal in Europe. And maybe everywhere? I’m not quite clear on that yet.
It’s because this site sets some cookies that are “non-essential” (unlike, say, a login cookie, which is “essential”). For example, I’ve written code myself (at the request of advertisers) to include an <img src="pixel.gif"> with their display advertisement. The purpose of that image is to track impressions, but it also can and does set a cookie, and probably can and does do other things besides track impressions, like attempt to show “targeted” ads. As I write, both MailChimp and Wufoo use these “tracking pixels” in ads that are running on this site. (I’ve actually reached out to see if removing them would be a deal-breaker or not, let’s see!)
So, because of those non-essential cookies, I’m required to show UI that asks for the user’s consent. And here’s an important aspect as well: before they’ve answered, or if they don’t consent, I shouldn’t be including those tracking pixels at all (because I can’t control whether or not they set a cookie). That’s some fancy coding stuff that I just haven’t done. To do it without JavaScript is even fancier dancing.
So theoretically, legal action could be taken against me for this. There is some irony to the fact that a lot of sites with cookie-consent UI don’t even implement the opt-in nature of them, making them useless. And some extra irony in that to really do this correctly, it probably also requires cookies, which you’d be required to tell them about. It’s not the existence of the UI that counts, it’s actually not setting the cookies unless you have consent. I’m not particularly worried about being sued. Apparently so far it’s not governments taking actions but individual lawyers taking out cases on behalf of people. I would guess these will gain steam in coming years.
I am more compelled by the right thing to do argument, in that if you’re going to put a cookie on someone’s computer, you should tell them what it’s for and ask them if it’s OK first.
So I’m in a predicament. I don’t want to build a cookie consent UI. It will be difficult to program, technical debt to maintain, and worse, be annoying to users. I’d rather see if we can just ditch anything setting a third-party cookie, so I’m going down that road first.
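The gate described in the update (no third-party pixel in the markup until consent is granted, the choice itself kept in a first-party cookie) and the longer-lived “Remember me?” cookie from earlier, worked through as an added Node.js example that is not CSS-Tricks code; the function names, the `cookie_consent` cookie name and the pixel URL are assumptions made for the example.

```javascript
// Added example (not from CSS-Tricks): a server-side cookie consent gate.
// Names such as parseCookies, consentFrom, renderAd and cookie_consent are assumed.

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Consent state for this request: "granted", "denied", or "unknown" (not yet answered).
function consentFrom(cookieHeader) {
  const c = parseCookies(cookieHeader).cookie_consent;
  return (c === "granted" || c === "denied") ? c : "unknown";
}

// The advertiser's <img src="pixel.gif"> is emitted only once consent is granted.
// Before the user answers, or after a "no", the ad is served without the pixel,
// so the third party never gets a chance to set a cookie.
function renderAd(cookieHeader, pixelUrl) {
  const ad = '<a href="/sponsor">Sponsored</a>';
  if (consentFrom(cookieHeader) !== "granted") return ad;
  return ad + '<img src="' + pixelUrl + '" alt="" width="1" height="1">';
}

// Build a Set-Cookie value. Without maxAgeSeconds it is a session cookie
// (dropped when the browser closes); with it, the cookie persists.
function buildCookie(name, value, maxAgeSeconds) {
  let s = name + "=" + encodeURIComponent(value) + "; Path=/; SameSite=Lax; Secure; HttpOnly";
  if (maxAgeSeconds !== undefined) s += "; Max-Age=" + maxAgeSeconds;
  return s;
}

// The consent choice is stored in a first-party cookie so it can be honoured on later
// requests; that is what makes it a "strictly necessary" cookie.
function consentCookie(choice) {
  if (choice !== "granted" && choice !== "denied") throw new Error("bad consent choice");
  return buildCookie("cookie_consent", choice, 180 * 24 * 3600); // keep for ~6 months
}

// "Remember me?": the same login cookie, just with a longer lifetime when the box is checked.
function sessionCookie(token, rememberMe) {
  return buildCookie("session", token, rememberMe ? 30 * 24 * 3600 : undefined);
}
```

A real deployment would also re-check `consentFrom` on every page that carries ads, since the decision has to be made per request, not once per banner.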
The cookie law in Europe is the reason, not GDPR. The cookie law is not just about cookies, but about local storage or any technique that can be used to track a user. The main reason almost everyone needs a cookie warning message is because of Google Analytics.
The cookie law is part of GDPR https://gdpr.eu/cookies/
“I’m probably the weirdo that would rather get sued than show a fricking cookie banner.” Well… you live in the US. The chances of being sued over a cookie banner are slim. In the EU the government fines non-compliant website owners with fines up to 4 million euros. Not lawsuits, but these fines are the reason you see these banners. Bankruptcy in a letter on your doorstep… imagine that…
Visiting your website (CSS-Tricks) is a business deal: you provide valuable content in exchange for personal data. You are selling this personal data to Doubleclick, Carbonads and Google Analytics in exchange for money and analytics. However, you are being sneaky about it (with your ‘tough talk’ about not wanting a cookie banner). That is not very nice. I would reconsider that. Be honest. Tell your visitors you want to sell their data and why… and ask permission for it. That is what these cookie banners are for.
Honestly, I absolutely hate browsing on my mobile phone right now. Especially when those banners take up the whole screen space before I can have a meaningful interaction with the web site.
At least there are ways to block the cookies and the banners in desktop browsers.
I don’t build them at all, on any type of site I do. For some sites (my personal ones) I don’t even collect cookies or enable any type of tracking, but even on commercial sites for clients my advice has been to not implement the cookie warnings, for UX reasons.
For those that are afraid of being sued if not having the warnings, I haven’t seen one single case, or heard of an instance, where someone has been sued for not showing a cookie warning.
If people contemplate how to move forward, just build it for your next project, but don’t implement it. For the event that someone threatens to sue you can always say it was all a mistake in implementation, that you have indeed built it, and enable that line of code. But it will never happen and after having done that for a couple of projects you will reach the stage where I am now, and simply just not build it.
Just my $0.02
In EU, your website is simply illegal. Just ask a lawyer…
Chris, a cookie set to remember a user’s preference to opt in or out of cookies would be considered a “Strictly necessary cookie”. Such cookies are not subject to GDPR. Now it is recommended that necessary cookies still be explained on the website’s cookie list. https://gdpr.eu/cookies/
Also, GDPR is much larger than a cookie consent button. The overarching purpose is to give users control over their data and privacy by informing the user of what and how their data is being used/stored, giving them the ability to opt out of tracking, providing the option to request a copy of data that is tied to their name, and the option to request that their data be deleted. So a company also needs to demonstrate that they have documented the user’s consent, they are ready to provide the information requested by a user and they are prepared to honor a user’s request to be forgotten!
When GDPR went into effect, I had to build a cookie consent gate for a company based in the US but owned by a company in the UK. Their products are also available worldwide. And it is tricky. The consent should be confirmed before any analytics, pixels, cookies, etc. are loaded. I managed to use a mashup of GTM and the Hubspot cookie consent to implement a gate. No one really likes the consent banner, but it is legally necessary and we did not have to remove third party code/pixels.
Also worth noting that cookie consent can include “continuing” after notification – so scrolling or clicking on a link can confirm consent. Good info here on both how and what is required. https://www.iubenda.com/en/help/5525-cookies-gdpr-requirements.
The cookie consent law. I wonder what BS Brussels will dream up next to waste everyone’s money.
The warning is idiotic but it’s due to legal reasons. Be glad for how it works. The first draft suggested that the user must be asked at every roundtrip to the server. They realized that it’s sufficient to reuse the previous consent, though.
The checkbox usually determines whether to save the security token in local storage or session storage, which affects its lifespan.
You might also know that in some circumstances, it’s actually illegal to publish certain designs and you might face criminal charges, beside a law suit.
Chances of that are slim, so don’t break a sweat. Also, I agree with you that the consent thing is as useful as a pocket on the back of one’s jacket.
The new law will require browsers to incorporate better cookies management and hopefully make web developers care less about this.
Instead of fining website owners, the eager bureaucracy should inform Europeans what a cookie is, how to delete them all, how to disable them all in browser settings, and how doing so will cripple their browsing experience.
They could also include instructions on how to disable JavaScript.
European politicians will cause the extinction of cookies, and they don’t even know why that may or may not be a good idea.
As a web developer I have implemented these banners with consent thanks to a combination of both JavaScript and ASP.Net and it didn’t take too long.
From a legal and ethical stand point you should 100% be doing this, but I understand how they can be obnoxious and annoying. However, would you rather a small cookie banner or a monetary fine? You’re practically asking for somebody to report you in this article. In my opinion, not a smart move.
So European law can be enforced in the US? I doubt it.
Cookie options should be more visible and built in at the browser level. Educating users about what cookies are on every site, it’s just daft, this can’t be the final solution to the problem.
As a Joe Schmo web designer, recently making sites for some non-profit organizations, we now have the problem of hiring a lawyer to figure out how to apply the sites to GDPR. And there are not even tracking cookies or analytics involved (yet). That lawyer will earn more money for his short and sweet expertise than I earn for making a site. Also, who is going to pay the lawyer? The client or I? They expect me to be the expert and tell them how their stuff applies to the law, which I am not. So I have to tell the client that they are about to enter GDPR hell and cover their a**** if they consider having a website. Not the best start for such a business relationship.
This whole GDPR thing is no good for anybody except for the careers of the politicians that brought it up. They can now pretend to have done a good deed for the public, whereas they only have put the responsibility of regulating the exploitation of people as a resource for corporations to make big money on the internet in the hands of the weakest part in that chain, and that is the content creators with good intention and good will. It lets people still click that “Join now for free” button without thinking about the consequences.
Facebook and Google etc. can still outperform the EU and their stupid law just as they wish. They have the technical and legal resources to do whatever they want. And they have the ruthlessness to do so.
If you want to stop data misuse, then make it unsellable. Just like people’s vote. People can’t sell their vote for money. Why then can people give their private data in exchange for some service like Facebook? Privacy should just not be a product or a currency. And selling that data and thus making the world a 1984-like dystopia should just not be a legal business model.
Why not let money be the only currency?
I imagine something like Coil could be a solution for that. Need good search result? Pay with money over something like Coil. Not privacy data.
This whole cookie consent should be made part of the browser itself. FireFox is getting this right with the “Enhanced Tracking Protection” and Mozilla, and actually Google too, are trying to educate Joe & Jane Smith about why privacy matters. If websites could read out these settings through a browser API then there wouldn’t be a need for those “cookie consent” banners.
Unfortunately Joe & Jane probably do not ever care a bit about their “online privacy” when they’re checking their email or procrastinating on Facebook. So everything should be set deliberately to “opt in” instead of “opt out”. Browser vendors and the big tracking companies, like Google, should get together and come up with a single standard of how to allow browser users to accept or reject the various types of cookies and then those awful banners are no longer needed. Then people stuck on legacy browsers like IE would get an additional incentive to finally drop their ancient browser and move to a more secure, faster and more private modern browser.
If the public fully understood the far-reaching privacy implications of cookie abuse and cross-site data sharing, most people would probably say that the cookie law was a good idea, it was just not implemented properly:
On many web sites that comply with the cookie law, we see a button to ACCEPT all cookies, but don’t see a button to DECLINE them. If you want to decline, you are presented with a more or less complicated dialog window that includes various toggles and sub-menus. In some cases, this could also appear every time you visit another page on the site. This added complexity causes most viewers to simply give up and click on ALLOW, and that is by design:
The method of presentation is intended to annoy or confuse the user (the technical term is “dark patterns.”) The correct way is to place a DECLINE ALL non-essential cookies button next to the ACCEPT ALL non-essential cookies button. If the law mandated this kind of presentation, users would simply reject the non-essential cookies, and the mass rejection of non-essential cookies would eventually cause web sites to abandon their use, and soon you would be enjoying better security across the web, without all of these pop-ups. This was the intent of the law, but the authors did not realize how evil web designers would manage to subvert the law’s purpose while remaining technically compliant.
(example)
https://stackoverflow.com/questions/11756121/eu-cookie-law-third-party-session-cookie
With regards to an unrelated matter, a notoriously-corrupt member of the U.S. senate infamously stated that “we have to pass the bill to find out what’s in it.” That same legislative body has allowed ISPs and financial institutions to sell or trade their customers’ transaction data. So in defense of the European parliament — at least they had some intent of protecting the public, but they still had to pass the bill to find out how well it works, and some revision may be warranted here. I think the key point of the linked article is:
“the Dutch data protection agency said these disclosures do not actually comply with GDPR because they’re basically a price of entry to a website: Until there’s an enforcement action or a regulator puts out an actual guidance document and says, ‘Here’s what we want and what we think people will read,’ you’ll have this gross user experience.”
While the cookie law is impractical to broadly enforce, large corporations that represent worthwhile targets to lawyers can be expected to comply… but if a site was required to function the same from the user’s perspective when non-essential cookies are rejected by the browser, that would eliminate the need for an alert dialog. Yet many web designers don’t even bother to test the functionality of their site with popular browsers when cookies or JavaScript are disabled or restricted. At the very least, the server should inform the user when some client-side functionality is missing, instead of behaving erratically. For example, when you see duplicate posts coming from a web feedback form, it’s often because the writer had cookies disabled and the page simply refreshed when he submitted the form, without displaying the ordinary confirmation message. When choosing a web server platform or plug-in, the buyer should carefully consider the product’s error handling capabilities.
If websites want to store a cookie, let them store it in their files, not mine. After all they have your IP address to match it up with. I think it’s a scam to pass info to third parties without your consent.