I love the way companies simply refuse to not track us. You guys seen those cookie popups that are like “accept and continue” or “reject and pay” where you have to actually pay to reject cookies? I cannot believe that’s legal at all. Total scumbags.
I hate the websites that have “Accept all” or “Accept necessary only”, but if you use a privacy browser that refuses all cookies the site works anyway.
Their “necessary” cookies aren’t actually necessary, you just can’t reject them.
I wonder if there’s even a difference between “all” and “necessary”.
As a web developer, I can confirm that there are sometimes necessary cookies that aren’t just for the wankstains in marketing!
What would happen if a browser never saved those cookies? Would the website fail to load, some elements not run, or something else?
I’m always curious about edge cases and failure modes.
Yes, you’re spot on; it’s mostly about elements and functionality not working. Just as a heads up, I work in the WordPress ecosystem so the following brief descriptions will be focused on PHP based sites. I’m sure there are ways round using cookies, such as using localStorage in JavaScript etc. Anyway!
The biggest thing you’ll run into is anything to do with login systems. Any website that offers a login/account typically makes use of cookies, in order to let the website “remember” that you’re logged in, between page navigation.
One of our clients offers a comparison calculator for investments. This calculator relies on cookies when you want to “save” your results, and also makes use of them when you’re not logged in, in order to allow you to access your previous runs of the calculator without having to create an account.
Another of our clients, also in the financial space, produces documents containing financial info about funds, and marketing materials. These docs are subject to strict compliance rules determining what can be shown to users based on what “type” of investor is viewing the site, and where in the world they’re viewing from.
Anybody visiting the site self-identifies by manually selecting an investor “type” and a location. This info gets set into a cookie, and the site serves content based on the values in that cookie. If the site can’t identify the cookie or it has an invalid value, it’ll basically be unusable, in order to protect the company themselves.
Another example might be shopping carts or session storage. Anything that persists from page to page. Does the site have an option for dark mode display? Probably stored in a cookie. Option to change the display language? Yeah, also likely a cookie.
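The fail-closed handling of a self-identification cookie described in the comment above, sketched in PHP as an added example (not the commenter's or their client's code). The cookie name, the "type|location" value format and the allowed values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical cookie name and allowlists, constructed for this example.
const PROFILE_COOKIE = 'investor_profile';
const ALLOWED_TYPES = ['retail', 'professional', 'institutional'];
const ALLOWED_LOCATIONS = ['GB', 'DE', 'FR', 'US'];

/**
 * Return a validated profile from a "type|location" cookie value, or null.
 * The cookie is client-controlled, so each field is checked against an allowlist.
 */
function parse_investor_profile(?string $raw): ?array
{
    if ($raw === null || strlen($raw) > 64) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 2) {
        return null;
    }
    [$type, $location] = $parts;
    if (!in_array($type, ALLOWED_TYPES, true) || !in_array($location, ALLOWED_LOCATIONS, true)) {
        return null;
    }
    return ['type' => $type, 'location' => $location];
}

/** Store the visitor's self-selected profile as a first-party cookie. */
function remember_investor_profile(string $type, string $location): void
{
    setcookie(PROFILE_COOKIE, $type . '|' . $location, [
        'expires'  => time() + 30 * 24 * 3600,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Constructed sample values, as they might arrive in $_COOKIE[PROFILE_COOKIE].
foreach (['professional|GB', 'professional|XX', 'admin|GB', '', null] as $raw) {
    $profile = parse_investor_profile($raw);
    // Fail closed: without a valid profile, show the selection gate, never documents.
    $action = $profile ? "serve {$profile['type']}/{$profile['location']} content" : 'show selection gate';
    echo var_export($raw, true), ' => ', $action, PHP_EOL;
}
```

A browser that refuses the cookie lands in the `null` branch on every request, which is why such a site stays stuck on the selection screen.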
Yeah, 100%! And the languages one generally opens up to a third-party system like WeGlot, whether the cookie is first-party or not. It’s sort of amazing to me how collaborative the modern web is, but also just how insecure it can be.
It can be really locked down but I would say at least half of the WordPress sites online (and WordPress powers something like 20%+ of the whole open internet, iirc) pull in all sorts of third-party scripts and code that isn’t vetted by the people including them (including me! Only so many hours in a workday, after all).
It’s not.
I usually go into zapper mode on ublock to remove the pop up without agreeing, but they probably treat that as “accept and continue”.
Much better: when this happens, I block frames and scripts from loading through ublock.
I personally have never seen a pay to reject. What types of websites have you come across that do that? I’m genuinely curious.
A lot of news sites! Let me see if I can find one.
I’m pretty sure I saw it on Autosport earlier today. Just opened it in Chrome (ew) – see screenshot!
Edit: reading the popup, I assume the legal loophole is that you technically CAN revoke consent after accepting, without paying, by visiting a whole separate page and doing it there. Ultra scummy!
Oh! Ok. I was under the impression the verbiage had the word Reject in it somewhere; that’s on me. It makes much more sense now, and I get what you’re saying. Thanks for the clarification!
I actually do think I’ve seen variations in this wording over the course of a few months. I’m going to go digging around sites I think are probably less scrupulous to see if I can find examples.
Boom, gotcha. First absolute rag that came to mind. Check it! Screenshot:
Edit: also it’s totally on me that you thought the word Reject was in there - I put it in quotes and then provided an example that didn’t contain it, sorry! 😂
They’re doing that because of the GDPR.
That’s sort of what I’m saying, though; I would have thought this would have been a violation of some of the guidelines around consent in the GDPR.
For GDPR it has to be available for a “reasonable price” from what I remember. Facebook has gotten in trouble for this due to the high price they’re charging.