Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If you are advocating for European products, I would expect you to use Plausible or similar products instead of Google Analytics. This would allow you to avoid displaying the cookie banner.



> This would allow you to avoid displaying the cookie banner.

That isn't actually true (or at least is only allowed in the "it's a small enough violation of the law that the enforcers have bigger fish to fry" sense).

Cookie banners are required to gather informed consent, which is relevant for two EU legislations: the ePD, which requires it to access or store _any_ data from terminal equipment, and the GDPR which requires it for personally identifiable data. Most people only consider the latter, but the former is a much bigger hurdle to pass.

Despite Plausible's claim of not requiring cookie banners, their processing still accesses data from the terminal equipment. That was made very explicitly clear in a 2023 guideline from the EDPB[1].

The one saving grace for Plausible is that the ePD is a Directive, so the actual implementation into law differs by Member country. The claim might be true for some EU countries, but certainly isn't for all.

I've written a longer analysis of this in the context of Plausible for anyone interested[2] (although it might be worth skipping the first section, to get to the meat of the issue).

[1] https://www.edpb.europa.eu/our-work-tools/our-documents/guid... [2] https://jfagerberg.me/blog/2022-06-09-analytics-cookie-compl...


> Despite Plausible's claim of not requiring cookie banners, their processing still accesses data from the terminal equipment.

Since Plausible is selling a product that clearly claims this, who is on the hook in case a user of Plausible gets a fine?


The user can always sue Plausible for lying about their product to get their damages back. In the end, the user of these services is responsible for maintaining the privacy of their customers/visitors.


I'm not a lawyer but Company using Plausible gets fined, but then they can sue Plausible. most likely.

But GDPR enforcement is more like 'you need to fix this, if you don't you get the fine' - if you are actually helpful and do your duty to improve the process the fine is usually reduced.


I would like to turn this comment into a gold plaque and point to it any time an HN commenter repeats the “EU privacy regs and GDPR are actually super simple!” narrative.

As someone living in Europe who watches the EUs best and brightest mostly go to work in consulting firms because the only growth industry in the EU is “companies spending money on regulatory compliance,” it pains my soul.


I think you're posting a strawman here. ePD is known to be bad (though for different reasons depending on who you ask), GDPR on the other hand _is_ easy to understand and follow.


Understanding the GDPR is quite easy, but following it can be quite hard if you're intending to violate people's privacy. If you read the GDPR because you want to enable the full Google Analytics suite without users even knowing, the GDPR will read like an absolute nightmare.


Except it isn't. I too thought this was the case. Please talk to a lawyer sometime for a more nuanced take (I begrudgingly have).

The funniest part about GDPR is that currently any organization that uses pretty much any US tech is in violation of the latest rulings, including much of the EU government itself running on Microsoft tech.

If you've just been consuming journalist or internet comment narratives on this topic you have no idea.


oh I know. And considering the CLOUD act that's how it should be. Maybe I shouldn't have written "easy to follow" since stuff like backups can get tricky and DSARs can be a pain on the receiving side, but it is certainly easy to understand. I do hope that GDPR does add a wedge for getting less dependent on US companies that obviously do not care about privacy at all.

But please also share the more nuanced take on the GDPR of your lawyer. You can't go around making claims like that without substantiating them ;).


They are used for different things. If you are doing paid marketing or other more or less complex marketing Plausible doesn’t cut it.


Could you be more specific? As far as I know, they have bunch of features like funnels, goals, revenue attributions etc.: https://plausible.io/docs/top-referrers


When doing paid marketing you need to track users as hard as you can otherwise you have no clue which ads work and which don’t, what are profit margins etc.

With GA, google uses cookies, fingerprinting and all other possible options to track correct attribution from various channels.

So even with ad blockers you can get a pretty accurate picture. It is also tightly integrated with google ads.

Plausible can tell you what users do inside your app. But honestly this is so basic you can pretty much build same functionality with a few sql queries.


folks mess "cookie banner" with "consent banner". many people do conflate them, but in some jurisdictions (e.g., the EU under GDPR), a "cookie banner" typically includes a consent mechanism.

if you're tracking users for analytics using cookies, fingerprinting, or any other method that identifies them (even probabilistically), you generally need explicit consent under GDPR and similar privacy laws. The key point is that it's not just about cookies; any persistent tracking requires consent.


> The key point is that it's not just about cookies; any persistent tracking requires consent.

The law mandates that you inform the user if you are setting any type of cookies. So its necessary to have a banner even if you don't need to get consent. You could inform the user in other ways, but cookie banners are easier.


It was an interesting day when EU legislators made our Apache access logs questionably-legal.


Only if you’re not using cookies for anything else.


Wrong. Functionally necessary cookies like login or shopping cart cookies need no banners.


Right, yes, I was thinking about advertising cookies and additional functionality but you are of course correct for those examples.


$ wget -qO - https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE... | pdftotext - - | grep -i banner | wc -l

0


   Article 6
   Lawfulness of processing
   1. Processing shall be lawful only if and to the extent that at least one of the following applies:
   (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
   (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Point (a) covers purposes that require cookie-banner. Point (b) covers login or shopping cart cookies, as these are necessary for the performance of a contract to which the data subject is party.


Also relevant to cookies, ePrivacy directive Article 5 (3):

Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...


It doesn't mention "banner" because it doesn't prescribe the exact user interface. But people seeking to comply often choose the banner as a solution.


That says nothing useful. The legislation refuses to be specific and you have to know what all the relevant ICO decisions are, which is why compliance is so frustratingly vague.


you can just not track the users, that might be easier.


You really think law would be such a highly sought-after and highly-compensated field if it was that easy?


That’s cynical and edgy, but misses the mark. There are several reasons why rules tend to be more specific about the outcomes than the ways to get there.

This decreases the attack surface for loopholes. What is desirable is the end result, not the technical details.

The law is actually clearer because the intent is clearly spelt out. The point of the law is to protect privacy, not cover every screen with cookies banners.

This leaves room for different implementations and flexibility (yay, competition).

It makes the law more resilient, because it does not need to be re-engineered every time anything happens. 10 years from now, even if cookies and banners have completely vanished, the core of the law will still be relevant.

This is why debates about the spirit and the letter of laws translate poorly across the Atlantic. Different places have different approaches.


I completely agree with your points. However, my admittedly snarky comment was regarding the idea that simply searching for a term across a document is how one decides legal validity, with no regard to alternate jargon, definitions, and of course, as you point out outcomes.


My snark detector my need re-calibration :)

These are trying times.


So covering every screen with cookie banners is a form of malicious compliance?


Indeed.


It should be easy.


The law is written to prevent loopholes and exploits -- an extremely hard task, given the number of people willing to break it for even the slightest profits. The sheer number of these "false exits", that, then need to be covered, makes making reading and interpreting the law a hard endeavor. And a very precise one. It could be easier by some fraction, but never anywhere near easy.


There are competing incentives. Governments/politicians want to make it easy for companies to comply in order to encourage economic investment, and also to gain goodwill among their voters. Legal institutions want to make things appear as complicated and uncertain as possible so that they make more money selling lawyers.

The end result is that you get mixed messages, depending on where the information ultimately came from.

I personally don't know how hard it actually is to comply with GDPR, but I know that it has to be easier than it's made out to be.


absence of evidence != evidence of absence




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: