If they're doing fingerprinting then they're clearly collecting too much data. If they need javascript to collect their metrics, they're clearly collecting too much data.
I use JS to record the amount of visitors (technically pageviews) that reached the end of an article on my blog to get a sense for completion rate. Surely that is not too much?
You can collect anything without limits as long as you don’t associate this data with identification data / profiles.
An amount of visitors isn’t creating any privacy concern. That would be another situation if you stored individual completion rates associated with, say, an IP or worse, a user account. You would still technically be able to do it but not without clear consent from the user.
MartijnHols is talking about using javascript, not cookies (or similar mechanisms). It is possible to use JS without cookies. If they're not using cookies, nor fingerprinting, nor storing PII, or anything else that breaks the spirit of the laws then it doesn't need a cookie banner, but under some jurisdictions you need disclosure about the potential data aggregation (even if it's just "increment a counter") to be in your privacy policy.
Collecting non-personalized aggregate data without any tracking mechanisms (cookies, fingerprinting, PII storage) is mostly fine in jurisdictions that implement GDPR and ePrivacy, as long as the usage also aligns with that (example: you also can't cheat and use AI or whatever to break privacy post-facto).
"Everything needs cookie banners" is a take as bad as "Nothing needs cookie banners".
> You can collect anything without limits as long as you don’t associate this data with identification data / profiles.
That's completely wrong; the whole article is about the issue of reading data from the visitor's device and needing a cookie banner for that. So you can't "collect anything without limits"; in fact you can't collect any data from the visitor device. Which leaves a very narrow option of counting without using things from the device.
> in fact you can't collect any data from the visitor device
But this is not true.
You can definitely collect and store all sorts of data (including PII) for legitimate purposes, and without a cookie banner. For example: collecting and storing data required to provide the service itself requested by customers, login data, collecting address for delivering a package, shopping cart persistence, language selection, some preferences, fraud detection, rate limiting, DDOS protection, JS polyfill application, logging, resolution optimization.
By the way, ePrivacy is not really about the data collection itself (this is more in the GDPR's wheelhouse), but rather about storage in the user's device, among other things.
For the legitimate purposes regulated by the ePrivacy Directive, the Matomo link in the article also mentions it, in the "When Consent Is Not Required" section. You posted a link to it yourself, here: https://news.ycombinator.com/item?id=42820474
Here's a demonstration of how cookie banners are redundant if you only have legitimate purpose: you can click "deny" and the website still works and performs collection and storage. "To still work" is legally required by the GDPR. For those cases, all you need is a Privacy Policy.
In fact it would be impossible to comply with both ePrivacy and GDPR at the same time if consent was required for legitimate purpose actions!
And of course: as long as you reuse any of this legitimately collected data for advertising or analytics, you need extra consent, but I assume this is clear.
The pendulum is swinging back but for 5+ years and arguably today still most people think collecting any data is too much, i.e. they want total anonymity.
Personally I want a middle ground for Page View, returned visitors within ~30 days, but this isn't a popular view on HN.
Technically you need one, because you're using session storage for something that is not strictly necessary to make the page work. It's in the article.
Author seems to have buried the lede, because the real meat of the problem is described only in the last third of post. It's not about technology, it's about the scope and intent. Or if we had to distill the opening premise of the post into a single word response:
> All web analytics need to somehow track individual users.
Wrong.
Suitably anonymised, unintrusive first-party statistical analytics are fine. Stalking users is not.
ObDisclosure: I used to wear the DPO hat in my previous job, and assist in the practicalities in my current one.
The article picks Fathom fingerprinting but there are differences. Other services like Plausible also include a time element. So to Plausible every day you are someone else. Unlike Fathom, Plausible cannot track unique visitors per month. Fathom is pretty sneaky here and it's not surprising because they have been pretty sketchy in the past.
EU law is very much based on interpretation and “spirit” of the law and Plausible lawyers just think it's enough to not be able to track individuals but track overall flows of masses.
Most of these "cookie free" analytics vendors keep talking about how cleverly they have anonymised the data, but this article finally gets it right: That does not matter for cookie popups. Anonymisation is only relevant to GDPR, but you still need cookie banners under the ePrivacy directive.
1. It is trivial to have a metric about how many requests were made for a link on a site, say a/
2. It is legally very much non-trivial to have a metric about how many requests were made to a/ followed by requests to b/
One way to solve 2. would be to change links based on earlier interaction server-side. So instead of [a/, b/], the requests would be [a/, a.b/] IMO, this should be legal, but might not under strict interpretation of the law.
Sounds like the early days of the web, when cookies weren’t widely used.
User sessions were created with a URL query parameter, like `?sessionid=`, and every page would pick up the sessionid and include it in every link on the page.
You can turn on the referrer header for same site, however I suspect the author would argue that this would be contrary to GDPR. There is also the ping attribute on links, but again, if we accept the author's premise...
There's a distinction between first-party data and third-party data. You can view your own server logs - but sending over user data to a service like Google Analytics is what is regulated.
It's not explicit in the directive, but it is right there in the working docs so it's pretty clearly a principle:
> the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards.
You left out the context of your quote[0], where the Working Party explicitly states that first party analytics are not exempt from Article 5.3. Your quote leads up to their opinion that they _wish_ it was exempt, since it represents little privacy risk, but that it would require the article to be re-visited.
This is a world I am very familiar with in my day job.
IP address is pretty definitively regulated as PII under GDPR rules. Our lawyers consider that any sort of hash or other derivative would still be PII, and thus require consent.
(While it's theoretically possible to do analytics on someone without an IP address, browser fingerprinting alone has a half life of ~24 hours. It's not a reliable enough indicator for any business purposes.)
But it's all kind of moot anyway. It hasn't been extensively tested by case law, so no corporate lawyer is going to tell you to go with the innovative black box solution.
In our industry, we all await the completion of the ePrivacy directive. But I suspect regulators have put themselves into a bit of a corner. At the end of the day, TCP/IP is inherently a non-anonymous protocol. Your identifiers are baked into the architecture of the internet as fundamentally as your home address is known to the mail system and your license plate is to the transit system.
> At the end of the day, TCP/IP is inherently a non-anonymous protocol, as fundamentally as your home address is known to the mail system
Yes. And the irony is that the German "privacy purists" use the non-private system of having your actual name on post boxes instead of apartment numbers.
It would be so funny if they shot themselves in the foot with it, but it's not going to happen unfortunately.
An address is already PII, whether you pseudonymize it with apartment numbers or not.
Also I think in practice the bigger concern with IPs is that the IP itself is PII at the time you collect it, so you're always processing PII even if the hash or other such "anonymized" data you store may end up not technically being PII if there's no way to correlate it to an actual person after the fact (which wouldn't be the case for a simple hash which can be deanonymized with rainbow tables).
> An address is already PII, whether you pseudonymize it with apartment numbers or not.
The full address is PII. But a street level address isn't necessarily, if it points to an appt block.
The problem with the mail boxes is that you're leaking that a "Mr. Smith" is living at that address. Now with Mr. Smith this is not such a big problem but if you're looking for "Mr. LessUnique" then it is
If you're arguing that landlords should have to get written consent to post a tenant's name on the mail boxes and door bell, then I agree. If we're talking about tenants doing it themselves, then there's no privacy issue unless someone else collects that information and uses it for other purposes.
Curious to know why browser fingerprinting has a “half life” of 24h? I always assumed it would be more static compared to an IP address and therefore a more powerful tracking mechanism (albeit more shady / less legally understood compared to using IPs).
Most of the non-IP components of fingerprinting are pretty goofy things like browser version, device, screen size, etc. If you are dealing with web traffic in any meaningful number, you have to dip into really minute details to tell apart visitor 10,001 from 10,002.
More often than not, the details that make your device unique on one day will not stay unique by day two. Your browser might change versions, you might resize your viewport, install a font, etc.
I believe phone apps can get more conclusive device IDs via the SDK, but for web traffic cookies and IP addresses are still the only reliable identifiers. I would take any study or hypothetical about fingerprinting with a massive grain of salt if they don't keep a stable match for 30 days.
It routes you to a chat room based on your browser fingerprint. You can check back every so often and see that your room has changed. If your hardware/fingerprint is generic enough, you’ll see other people’s messages in “your” room.
> IP address is pretty definitively regulated as PII under GDPR rules. Our lawyers consider that any sort of hash or other derivative would still be PII, and thus require consent.
Probably more helpful to phrase this as Personal Data instead of “PII” as the latter does not appear in the GDPR once and the former is much broader in scope than pii data.
Personal data (while being what GDPR uses) is not as precise. Key is "identifiable".
For example "likes french fries" is "personal data" in the general sense but not under GDPR, since it is not identifiable: you can't figure out who it is talking about. Your name, address, etc. is identifiable because it can be tied to a physical person.
GDPR is not concerned with whether or not the data is identifiable. If it is linked to an individual, it is personal data.
In the context of an analytics package, a pageview would be considered personal data because it is associated with an individual user.
Article 4 is pretty clear.
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This whole cookie banner situation is a disaster. Companies know that you will not accept their cookies and have decided to use the "legitimate interest" loophole. So if you select reject all cookies, the legitimate interest ones are not rejected unless you go and uncheck them manually.
Here is an example of what I am talking about. I think some companies are catching on and hiding it better but those soulless marketers will find any way to track you.
I regret to inform you that solutions like AdNauseam are snake oil.
Bot-clicks and LLM networks are already pretty pervasive clickers of ads. Most ad networks already have ways of filtering out noisy clicks. And anyone dumping real money into ads will be smart enough to tie their ROI to conversion events, not clicks.
Yeah everyone who isn’t purposefully burning money has people whose sole job is just to spend less money on stuff that doesn’t work and more money on stuff that does. Pretty much every platform (DSP) has some fancy deep learning that bids up or down based on the quality of the individual bid (taking into account the user, host, banner size, likelihood of fraud, etc.).
Well the specific profile that they build on me will be a mess. I don’t see many ads and when I receive one it is not very targeted at all as if they don’t know what I actually like and what my real interests are…
I'm not sure this is a good thing. Wouldn't this make advertisers think their ads are doing better than they are? Which would then encourage them to advertise even more?
Ads are doing worse, not better. The purpose of an ad isn't to be clicked but to increase revenue. In the end of the year data will show clicks have gone up but other more important metrics haven't.
Who is guilty for tracking users? The site relying on income from ads with user-tracking, or the company buying the ads based on tracking instead of some less invasive method of distribution?
No, it will add noise to their data and make their profile of me a mess and very inaccurate. If they make models from this data it will be fundamentally flawed (Garbage in = Garbage out).
It’s still gonna cost them that click, if every site I go to will cost advertisers money I’m good.
Also if it doesn’t work why did Google go out of their way to make it hard to install? If it was truly harmless to advertisers Google would not have done anything.
It's not a loophole. Strict necessity is well defined, and per the opinion quoted in the fine article:
> While [cookie-based analytics] are often considered as a ‘strictly necessary’ tool for website operators, they are not strictly necessary to provide a functionality explicitly requested by the user […]. As a consequence, these cookies do not fall under the [exemption].
Companies can still do it illegally of course, and many do, but there is no law that can stop people from doing illegal things.
Just stop tracking people across sites and you’re good. Cookies, localstorage or fingerprinting makes no difference. The distinction is whether you track users or not.
You are allowed to use cookies to your heart’s content, as long as the cookie is necessary for the functionality of your site, like a session id, or a shopping cart id.
> [You must] Receive users’ consent before you use any cookies except strictly necessary cookies.
What is worse, ALMOST ALL POPUPS ARE STILL ILLEGAL.
Having the decline option hidden behind an extra click on "Manage Cookies" makes it easier to accept than to decline. You should also be able to withdraw the given consent at any time, but I have never noticed a site with that functionality.
> Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
For my mom's small business, I actually tried to craft something compliant by hand (because I can). It’s surprisingly hard to get it right! Like, don’t load external scripts unless consent has been given, reflect that in the interface, and allow to withdraw consent. For example, there’s a maps embed showing the store address. But that can only be displayed if you actually consent to the prompt! So that means you’ll need to hold a list of script sources to add to the document head if the respective category has been accepted, but not earlier.
Most implementations get this wrong, loading third-party scripts and snippets in normal script tags, assuming the users will consent anyway.
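An added example, not part of the original comment and not the commenter's code, of the approach described above: a per-category list of script sources that are only added to the document head once that category has been accepted, with withdrawal supported. The category names, URLs, storage key, class name and the Node stand-ins for `document` and `localStorage` are all assumptions made for illustration.

```javascript
// Hypothetical registry: consent category -> third-party script URLs.
const REGISTRY = {
  maps: ["https://maps.example.com/embed.js"],
  analytics: ["https://stats.example.com/collect.js"],
};
const STORAGE_KEY = "consent.categories"; // hypothetical key name
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

class ConsentGate {
  constructor(doc, storage, registry = REGISTRY) {
    this.doc = doc;
    this.storage = storage;
    this.registry = registry;
  }

  // Categories the visitor has accepted. No stored choice means nothing is granted.
  granted() {
    try {
      const raw = this.storage.getItem(STORAGE_KEY);
      const list = raw ? JSON.parse(raw) : [];
      return Array.isArray(list) ? list.filter((c) => has(this.registry, c)) : [];
    } catch {
      return []; // corrupt or unreadable value: fail closed, load nothing
    }
  }

  grant(category) {
    if (!has(this.registry, category)) throw new Error(`unknown category: ${category}`);
    const next = new Set(this.granted());
    next.add(category);
    this.storage.setItem(STORAGE_KEY, JSON.stringify([...next]));
    return this.apply();
  }

  withdraw(category) {
    const next = this.granted().filter((c) => c !== category);
    this.storage.setItem(STORAGE_KEY, JSON.stringify(next));
    return this.apply();
  }

  // Reconcile <head> with the current consent state; returns the URLs now present.
  // Removing a <script> element does not undo code that already ran, so a real
  // page should also reload (or tear the embed down) after a withdrawal.
  apply() {
    const allowed = new Set(this.granted());
    const present = new Map();
    for (const el of [...this.doc.head.children]) {
      const cat = el.dataset && el.dataset.consentCategory;
      if (!cat) continue; // first-party markup, not managed here
      if (allowed.has(cat)) present.set(el.dataset.consentSrc, el);
      else this.doc.head.removeChild(el);
    }
    for (const cat of allowed) {
      for (const url of this.registry[cat]) {
        if (present.has(url)) continue; // already injected, avoid duplicates
        const el = this.doc.createElement("script");
        el.src = url;
        el.async = true;
        el.dataset.consentCategory = cat;
        el.dataset.consentSrc = url;
        this.doc.head.appendChild(el);
        present.set(url, el);
      }
    }
    return [...present.keys()].sort();
  }
}

// Constructed stand-ins for document and localStorage so the block runs under Node.
function fakeBrowser() {
  const head = {
    children: [],
    appendChild(el) { this.children.push(el); },
    removeChild(el) { this.children = this.children.filter((c) => c !== el); },
  };
  const doc = { head, createElement: (tag) => ({ tag, dataset: {} }) };
  const data = new Map();
  const storage = {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
  return { doc, storage };
}
```

In a browser, construct it as `new ConsentGate(document, localStorage)` and call `apply()` on page load, so nothing third-party is requested before a choice exists.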
By the way: this also aligns with the implementations of the ePrivacy directive done by individual countries.
Just go and read individual laws of each country, but the myth that "even login and shopping cart cookies need consent" is just a myth. It would be impossible to comply with both ePrivacy and GDPR if this was the case.
As much as the cookie banner industry is trying to tell you, you don't need TrustArc, OneTrust or other shady products on every website. Just don't do shady shit. First because you don't need it, second because, as you said, these products are almost always doing some illegal shit.
As with all legal questions (IANAL): it depends. Can you demonstrate legitimate interest for "using" those parts of the IPv4 address? If yes, then no.
The IPv4 address combined with a timestamp identifies the typical person almost uniquely. Tracking this data over time allows narrowing it down further. This makes it PII for all intents and purposes.
Anonymizing an IP address by truncating it is a form of processing. So technically you are "processing PII" which makes this subject to the GDPR. If the result is sufficiently anonymous, any data that is attached to further is probably not considered PII unless that additional data helps de-anonymizing the truncated IP. I guess you could have situations where the first two parts of the IPv4 are sufficiently unique in your data set for it still to be sufficient to uniquely identify a person (e.g. when you know that only one IP had these first two parts in the given context) but that's a freaky edge case.
PII or not, the more important question is what legal basis you have for storing and processing it. Consent is one mechanism and it's what requires "banners" - or really: consent forms, as the legally required default action is "reject all non-essential" even if most implementations blatantly ignore this and pretend otherwise - and note that "essential" here means "not requiring consent".
So if you have a different mechanism, you're golden, although truncating still makes sense given that it complies with the requirement for "data minimization" (i.e. being frugal in what you collect). "Legitimate interest" could for example be security-based. You should also make sure to only store this data as long as actually necessary and err on the side of that duration being shorter than longer.
Thanks. It's a bit unfortunate. I essentially only want to keep a visitor count. So I have to show the same banner (at least to be on the cautious side) as the guy who is sharing my data with their 732 "partners"? :-/
Somewhere in the original article it was mentioned that even hashing is not enough to make data non-PII. I assume then that's also out of the question?
Think about it the other way around. Is that visitor counter essential for your site? No. It’s cool. It’s interesting to know how many have visited, but that’s it. Now all you need to do is asking visitors if it’s okay to record their visit for the purpose of cool statistics. There is no requirement in the law to have a banner, or legalese speak. The only thing that actually matters is that you ask for consent in a way that actually shows why you want to track them.
Poof. What if I don't keep the IP at all and just the timestamp? Essentially "Someone visited at 23:12 January 20th", nothing else stored. Still banner needed?
Unlike many so-called privacy analytics providers, we actually hired (and continue to do so) a professional DPO (former CNIL employees) and we advise our clients to seek counsel and provide them with necessary disclosures for them to make necessary decisions.
At the end of the day, it is our clients that need to make that assessment. Yes, it is our opinion, backed by professional assessment, that in our default set-up you don’t need a "cookie banner", but we are also clear that you should seek the counsel of a privacy professional.
- There is no way the browser can be instructed to not send the browser agent. Moreso it could be argued that this is needed for making the site work (legitimate interest). Though yes, if it's an extra call to an external URL I would say this is problematic
- As mentioned by the Plausible opinion, it is not being stored. It is also not a unique identifier
As an addendum, when legal discussions happen here it seems they focus a lot more on the fine print than on the big picture. And while the fine print does have its importance, the bigger picture is what has the most impact
(though yeah I agree with the 2012 Working Party opinion there)
> Moreso it could be argued that this is needed for making the site work (legitimate interest).
If you process the UA to "make the site work" then yes. One example for that would be a site that has the purpose of showing the visitor their user agent string (like "what is my IP?" sites do for your IP). Another might be to provide a different view for mobile devices though that has largely been solved with responsive design.
If you process the UA to fingerprint visitors to "improve the experience" by showing them ads or performing usage analytics over time to see what works and what doesn't, that's different. Arguably analytics can have a legal basis other than consent but that doesn't give you a carte blanche for what data you can use and how.
> it is not being stored
That doesn't really matter as long as it is PII as processing PII still requires a legal basis even if you don't store it. Collecting, processing, storing and sharing all require a legal basis even if that basis might be trivial.
> We’ll be focusing our efforts on the ePrivacy Directive,
The author doesn't seem to know that an EU Directive is not binding law. They're mostly irrelevant. It only matters how member states implement Directives. Some states like Germany didn't change any laws at all regarding the EPD.
The author clearly states they are aware of this and links to an analysis of the implemented laws:
“Note that this is a directive, not a regulation, meaning it is up to the individual EU countries to implement the directive into law. We’ll arbitrarily ignore this distinction, and I will only be considering the wording of the directive itself in this article.
If you’re interested, the guys over at Matomo have done the hard work of looking at the implemented laws. Worth a read!”
The ePD is intended to be replaced by the ePR but the ePD has already been implemented in several countries so it's a good abstraction of those implementations if you don't want to look at the specifics of each one individually.
> Some states like Germany didn't change any laws at all regarding the EPD.
This is false. Germany implemented the ePD[0] by replacing the TKG with the TDDDG in 2021. You may have missed this as it wasn't a big news story and German law still awkwardly refers to "telecommunications" when also talking about the Internet.
> EU Regulations like the GDPR are different.
Yes, that's why the ePR will largely replace the implementations of the ePD by acting as directly binding law for all EU member countries rather than requiring individual implementations.
> After the German legislature most recently transposed the European requirements of the ePrivacy Directive into German law, with an amendment to the Telekommunikationsgesetz (TKG) and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz), effective 1 December 2021, the future ePrivacy Regulation will apply directly in the member states.
Emphasis added. Highlighted part approximately translates to "the ePrivacy guideline was implemented in German law".
The original ePD was issued in 2002 and implemented by Germany in an update to the TKG in 2004 (and in an update to the UWG if you want to be pedantic). This precedes the GDPR by 12 years.
The GDPR is not a superset of the ePD. The GDPR did however lead to the recasting of the ePD in directive 2018/1972/EU (to clarify some ambiguities/conflicts created by the GDPR), which is what in turn led to the creation of the TTDSG which implemented the recast ePD and replaced parts of the TKG and TMG. The TTDSG in turn was renamed to the TDDDG when the DDG replaced the TMG due to the EU Digital Services Act.
So my statement that the TDDDG implemented the ePD was not entirely correct as the full story is a bit more complicated: the ePD was implemented in the TKG in 2004, the TTDSG implemented the recast ePD in 2021, the TTDSG was renamed to TDDDG in 2024. Also the TKG itself still exists, however parts of it were moved into the TTDSG/TDDDG.
But saying that the ePD did not lead to any changes in German law is wrong for both the original ePD and the recast ePD. Saying that the GDPR is a superset of the ePD is also wrong because if this were true, the ePD could have simply been replaced instead of having to be recast. And saying that the TDDDG didn't lead to substantial changes is only technically correct when referring to the renaming of the TTDSG to the TDDDG (which, again, was due to the EU DSA, not the EU GDPR nor ePD) but is, again, wrong when referring to the underlying TTDSG.
Here's a fairly comprehensible German language article about some of the changes in the TTDSG:
Of course "substantial changes" is subjective but that's different from what you originally claimed about Germany "not changing laws at all", which I've hopefully demonstrated isn't true by any means.
Aren't these details mostly irrelevant? Can you name one additional requirement introduced with TTDSG or TDDDG which wasn't covered by the GDPR already?
The user agent string by itself is not PII. The user agent string in context can be PII.
Here's an example you might be familiar with from a business setting: sometimes you can't disclose the identity of certain customers but you really want to talk about them as a reference when selling your product. So instead of "Microsoft" you might say "a big company from Redmond". You're not identifying which company you are talking about but you're providing enough context clues to narrow it down to the point where the most likely company you might be referring to is Microsoft. If you then go on to say something about "the big company from Redmond", that information will clearly be tied to Microsoft (or a very small group of companies where Microsoft is the most likely one) and you might be violating the non-disclosure agreement without ever having explicitly named the customer.
Back in the day, a user agent string would only tell you the OS and browser, with version numbers often only narrowing it down to maybe a year or so. But with browser and OS releases becoming so frequent, the exact version numbers alone will already often vary even between users using "the same" browser and OS and additionally it may sometimes contain information about plugins and other installed software. Alone this is unlikely to narrow it down enough to qualify as "personally identifiable" but that depends entirely on what else you store alongside it (and things like timestamps are definitely additional important context clues).
Yeah, people seem to ignore the ePrivacy directive. I frankly don't know why it needs to be revised or replaced by something new, it seems like the GDPR handles it all and more.
Some sites need them, or they would not exist. A page with ads, where the advertisers want to know, at least, how many times their ad was displayed. They have an approximation of this number for printed press, for TV, for the radio.
I have a lot of sites that are also banner free, but they are paid with other means (usually grants). But when the money ends, the sites go down.
The sad thing with analytics is that the dreadful banner makes it look like my site that only sets a cookie to know what is a unique visitor looks the same as another site that collects hundreds of data variables and then sells the data to hundreds of third parties, making the data sharing a business in itself.
If you're collecting the data for fraud prevention, that would be covered by "legitimate interest" which does not require consent.
The problem with ads is that they don't want to only do fraud prevention, they also want to do deep behavioral analytics and targeting. You can't do that with data you collected for the purpose of fraud prevention because it's a different purpose altogether.
> The sad thing with analytics is that the dreadful banner makes it look like my site that only sets a cookie to know what is a unique visitor looks the same as another site that collects hundreds of data variables and then sells the data to hundreds of third parties, making the data sharing a business in itself.
If your cookie only exists to identify visitors across requests for purposes that meet the definition of legitimate interest or any other legal basis for a mechanism than consent, you do not need a "banner" (really: consent form). You don't even need a notice, just a privacy policy explaining it. An example for this are session cookies for logins - cookies for things like dark mode are slightly different but you don't have to frontload the consent request for that.
We don't shove a consent form in people's faces when we first talk to them just because of all the things we might need their consent for later in the day. I'm not sure why so many of us think we need to do this for websites that don't immediately require that consent to do something with it. Especially when consent can be withdrawn (or given) at any time.
Totally unrelated to cookies, but: Looks like a nice product! Have you figured out a way to integrate with ECS / Fargate? That's where our high volume ALBs are pointed at.
If you want to get in touch, click Join the beta and drop us an email, old school, no strings attached. We’re currently testing Marketplace integration, the rest has already been battle tested.
But seriously no, it’s not, it’s never going to be as the topic is very niche, and it’s only ever consulted by people who have an interest in the product, that received the link by me or the marketplace.
I think the benefits of the “insights” I would get from tracking viewers are outweighed by the inconvenience I would cause to my customers.
If they're doing fingerprinting then they're clearly collecting too much data. If they need javascript to collect their metrics, they're clearly collecting too much data.
I use JS to record the amount of visitors (technically pageviews) that reached the end of an article on my blog to get a sense for completion rate. Surely that is not too much?
You can collect anything without limits as long as you don’t associate this data with identification data / profiles.
An amount of visitors isn’t creating any privacy concern. That would be another situation if you stored individual completion rates associated with, say, an IP or worse, a user account. You would still technically be able to do it but not without clear consent from the user.
This is wrong, read the article.
Your answer aligns with GDPR, but cookie banners come from the ePrivacy directive. The author is one of the few to describe it well.
MartijnHols is talking about using javascript, not cookies (or similar mechanisms). It is possible to use JS without cookies. If they're not using cookies, nor fingerprinting, nor storing PII, or anything else that breaks the spirit of the laws then it doesn't need a cookie banner, but under some jurisdictions you need disclosure about the potential data aggregation (even if it's just "increment a counter") to be in your privacy policy.
Collecting non-personalized aggregate data without any tracking mechanisms (cookies, fingerprinting, PII storage) is mostly fine in jurisdictions that implement GDPR and ePrivacy, as long as the usage also aligns with that (example: you also can't cheat and use AI or whatever to break privacy post-facto).
"Everything needs cookie banners" is a take as bad as "Nothing needs cookie banners".
I was responding to this:
> You can collect anything without limits as long as you don’t associate this data with identification data / profiles.
That's completely wrong, the whole article is about the issue of reading data from the visitor's device and needing a cookie banner for that. So you can't "collect anything without limits"; in fact you can't collect any data from the visitor device. Which leaves a very narrow option of counting without using things from the device.
> in fact you can't collect any data from the visitor device
But this is not true.
You can definitely collect and store all sorts of data (including PII) for legitimate purposes, and without a cookie banner. For example: collecting and storing data required to provide the service itself requested by customers, login data, collecting address for delivering a package, shopping cart persistence, language selection, some preferences, fraud detection, rate limiting, DDOS protection, JS polyfill application, logging, resolution optimization.
By the way, ePrivacy is not really about the data collection itself (this is more in the GDPR's wheelhouse), but rather about storage in the user's device, among other things.
For the legitimate purposes regulated by the ePrivacy Directive, the Matomo link in the article also mentions it, in the "When Consent Is Not Required" section. You posted a link to it yourself, here: https://news.ycombinator.com/item?id=42820474
Here's a demonstration of how cookie banners are redundant if you only have legitimate purpose: you can click "deny" and the website still works and performs collection and storage. "To still work" is legally required by the GDPR. For those cases, all you need is a Privacy Policy.
In fact it would be impossible to comply with both ePrivacy and GDPR at the same time if consent was required for legitimate purpose actions!
And of course: as long as you reuse any of this legitimately collected data for advertising or analytics, you need extra consent, but I assume this is clear.
>Surely that is not too much?
The pendulum is swinging back but for 5+ years and arguably today still most people think collecting any data is too much, i.e. they want total anonymity.
Personally I want a middle ground for Page View, returned visitors within ~30 days, but this isn't a popular view on HN.
I do that, plus a little more (page being closed), with an identifier in session storage. If doNotTrack is turned on, the session storage is skipped.
I do not have a consent banner, and I do not believe that I need one.
Technically you need one, because you're using session storage for something that is not strictly necessary to make the page work. It's in the article.
According to GDPR: you're fine if you're just calling an endpoint and not storing any PII anywhere.
According to ePrivacy: it is fine as your backend is storing this data, and not the user's computer.
Author seems to have buried the lede, because the real meat of the problem is described only in the last third of post. It's not about technology, it's about the scope and intent. Or if we had to distill the opening premise of the post into a single word response:
> All web analytics need to somehow track individual users.
Wrong.
Suitably anonymised, unintrusive first-party statistical analytics are fine. Stalking users is not.
ObDisclosure: I used to wear the DPO hat in my previous job, and assist in the practicalities in my current one.
Anyone who fooled themselves into believing that “cookie banners” were just about cookies is due a good wake up call like this.
It was always about tracking but they hid it behind the euphemism cookie.
The article picks Fathom fingerprinting but there are differences. Other services like Plausible also include a time element. So to Plausible every day you are someone else. Unlike Fathom, Plausible cannot track unique visitors per month. Fathom is pretty sneaky here and it's not surprising because they have been pretty sketchy in the past.
EU law is very much based on interpretation and “spirit” of the law and Plausible lawyers just think it's enough to not be able to track individuals but track overall flows of masses.
Most of these "cookie free" analytics vendors keep talking about how cleverly they have anonymised the data, but this article finally gets it right: That does not matter for cookie popups. Anonymisation is only relevant to GDPR, but you still need cookie banners under the ePrivacy directive.
> you still need cookie banners under the ePrivacy directive
Only if you store data in the browser (using cookies, localStorage, or any other technical means), no?
The article claims that loading JavaScript that sends back information comes under the ePD's definition of accessing stored data:
> So sending out JavaScript code that instructs the terminal equipment to send back information is… accessing the information.
In the end, it all boils down to this:
1. It is trivial to have a metric about how many requests were made for a link on a site, say a/
2. It is legally very much non-trivial to have a metric about how many requests were made to a/ followed by requests to b/
One way to solve 2. would be to change links based on earlier interaction server-side. So instead of [a/, b/], the requests would be [a/, a.b/] IMO, this should be legal, but might not under strict interpretation of the law.
Sounds like the early days of the web, when cookies weren’t widely used.
User sessions were created with a URL query parameter, like `?sessionid=`, and every page would pick up the sessionid and include it in every link on the page.
That is just cookies. What GP was suggesting was a history trail, not a session id.
You can turn on the referrer header for same site, however I suspect the author would argue that this would be contrary to GDPR. There is also the ping attribute on links, but again, if we accept the author's premise...
There's a distinction between first-party data and third-party data. You can view your own server logs - but sending over user data to a service like Google Analytics is what is regulated.
No it's not. Nowhere in the ePrivacy Directive do they specify anything about first- vs third-party data.
It's not explicit in the directive, but it is right there in the working docs so it's pretty clearly a principle:
> the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards.
You left out the context of your quote[0], where the Working Party explicitly states that first party analytics are not exempt from Article 5.3. Your quote leads up to their opinion that they _wish_ it was exempt, since it represents little privacy risk, but that it would require the article to be re-visited.
[0] Section 4.3 of https://ec.europa.eu/justice/article-29/documentation/opinio...
This is a world I am very familiar with in my day job.
IP address is pretty definitively regulated as PII under GDPR rules. Our lawyers consider that any sort of hash or other derivative would still be PII, and thus require consent.
(While it's theoretically possible to do analytics on someone without an IP address, browser fingerprinting alone has a half life of ~24 hours. It's not a reliable enough indicator for any business purposes.)
But it's all kind of moot anyway. It hasn't been extensively tested by case law, so no corporate lawyer is going to tell you to go with the innovative black box solution.
In our industry, we all await the completion of the ePrivacy directive. But I suspect regulators have put themselves into a bit of a corner. At the end of the day, TCP/IP is inherently a non-anonymous protocol. Your identifiers are baked into the architecture of the internet as fundamentally as your home address is known to the mail system and your license plate is to the transit system.
> At the end of the day, TCP/IP is inherently a non-anonymous protocol, as fundamentally as your home address is known to the mail system
Yes. And the irony is that the German "privacy purists" use the non-private system of having your actual name in post boxes instead of apartment numbers
It would be so funny if they shot themselves in the foot with it, but it's not going to happen unfortunately
An address is already PII, whether you pseudonymize it with apartment numbers or not.
Also I think in practice the bigger concern with IPs is that the IP itself is PII at the time you collect it, so you're always processing PII even if the hash or other such "anonymized" data you store may end up not technically being PII if there's no way to correlate it to an actual person after the fact (which wouldn't be the case for a simple hash which can be deanonymized with rainbow tables).
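The two technical claims in this sub-thread, as an added Node.js example that is not code from Plausible, Fathom or any commenter: an unsalted hash of an IPv4 address can be reversed by enumeration, while an identifier keyed with a salt that is regenerated and discarded each day cannot be linked across days. The daily random salt is an assumed way to implement the "time element" mentioned above; the addresses are documentation-range samples constructed for the example.

```javascript
const { createHash, createHmac, randomBytes } = require("node:crypto");

// What "just hash the IP" usually means: no salt, no key.
function unsaltedHash(ip) {
  return createHash("sha256").update(ip).digest("hex");
}

// Recover the address behind an unsalted hash by trying every candidate.
// Here the first two octets are assumed known, leaving 65,536 candidates;
// the whole IPv4 space is only 2^32 values, so a precomputed table is
// a convenience rather than a requirement.
function recoverIPv4(targetHash, firstTwoOctets) {
  for (let c = 0; c < 256; c++) {
    for (let d = 0; d < 256; d++) {
      const candidate = `${firstTwoOctets}.${c}.${d}`;
      if (unsaltedHash(candidate) === targetHash) return candidate;
    }
  }
  return null;
}

// Unique-visitor counter whose identifiers only make sense within one day.
// The salt is random, held in memory only, and replaced when the UTC day
// changes, so yesterday's identifiers cannot be recomputed or matched.
// Note: the raw IP is still processed when the request arrives.
class DailyVisitorCounter {
  constructor() {
    this.day = null;
    this.salt = null;
    this.seen = new Set();
    this.totals = new Map(); // day -> number of distinct identifiers
  }

  record(ip, userAgent, date) {
    const day = date.toISOString().slice(0, 10); // UTC calendar day
    if (day !== this.day) {
      this.day = day;
      this.salt = randomBytes(32); // previous salt is dropped here
      this.seen = new Set();
    }
    const id = createHmac("sha256", this.salt)
      .update(`${ip}\n${userAgent}`)
      .digest("hex");
    this.seen.add(id);
    this.totals.set(day, this.seen.size);
    return id;
  }

  uniquesFor(day) {
    return this.totals.get(day) || 0;
  }
}
```

Only the per-day totals need to be persisted; the identifiers and the salt can stay in memory and disappear at rotation.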
> An address is already PII, whether you pseudonymize it with apartment numbers or not.
The full address is PII. But a street level address isn't necessarily, if it points to an appt block.
The problem with the mail boxes is that you're leaking that a "Mr. Smith" is living at that address. Now with Mr. Smith this is not such a big problem but if you're looking for "Mr. LessUnique" then it is
If you're arguing that landlords should have to get written consent to post a tenant's name on the mail boxes and door bell, then I agree. If we're talking about tenants doing it themselves, then there's no privacy issue unless someone else collects that information and uses it for other purposes.
Curious to know why browser fingerprinting has a “half life” of 24h? I always assumed it would be more static compared to an IP address and therefore a more powerful tracking mechanism (albeit more shady / less legally understood compared to using IPs).
Most of the non-IP components of fingerprinting are pretty goofy things like browser version, device, screen size, etc. If you are dealing with web traffic in any meaningful number, you have to dip into really minute details to tell apart visitor 10,001 from 10,002.
More often than not, the details that make your device unique on one day will not stay unique by day two. Your browser might change versions, you might resize your viewport, install a font, etc.
I believe phone apps can get more conclusive device IDs via the SDK, but for web traffic cookies and IP addresses are still the only reliable identifiers. I would take any study or hypothetical about fingerprinting with a massive grain of salt if they don't keep a stable match for 30 days.
There’s actually a site to test this… https://fingrprintr.pages.dev (I made it)
It routes you to a chat room based on your browser fingerprint. You can check back every so often and see that your room has changed. If your hardware/fingerprint is generic enough, you’ll see other people’s messages in “your” room.
> IP address is pretty definitively regulated as PII under GDPR rules. Our lawyers consider that any sort of hash or other derivative would still be PII, and thus require consent.
Probably more helpful to phrase this as Personal Data instead of “PII” as the latter does not appear in the GDPR once and the former is much broader in scope than PII data.
Personal data (while being what GDPR uses) is not as precise. Key is "identifiable".
For example "likes french fries" is "personal data" in the general sense but not GDPR since it is not identifiable since you can't figure out who it is talking about. Your name, address, etc. is identifiable because it can be tied to a physical person.
GDPR is not concerned with whether or not the data is identifiable. If it is linked to an individual, it is personal data.
In the context of an analytics package, a pageview would be considered personal data because it is associated with an individual user.
Article 4 is pretty clear.
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
https://gdpr-info.eu/art-4-gdpr/
Sorry! PII is still the industry shorthand.
This whole cookie banner situation is a disaster. Companies know that you will not accept their cookies and have decided to use the "legitimate interest" loophole. So if you select reject all cookies, the legitimate interest ones are not rejected unless you go and uncheck them manually.
https://old.reddit.com/r/mildlyinfuriating/comments/1cn306c/...
Here is an example of what I am talking about, I think some companies are catching on and hiding it better but those soulless marketers will find any way to track you.
What can you do about it? Poison their data.
https://adnauseam.io/
This is not a loophole. Claiming that something is legitimate interest while it isn't is just good old breaking the law.
Just because a computer is able to do something, doesn't make it legal.
Also: just because me or a lawyer says it's legal or illegal, doesn't automatically make it. This sort of thing needs to go to court.
I regret to inform you that solutions like AdNauseam are snake oil.
Bot-clicks and LLM networks are already pretty pervasive clickers of ads. Most ad networks already have ways of filtering out noisy clicks. And anyone dumping real money into ads will be smart enough to tie their ROI to conversion events, not clicks.
Perhaps, but bot clicks and LLM networks are not domestic users with off-the-shelf browsers doing other legitimate activities in a website.
Also: the ad networks don't care about your ROI, they'll still charge if they don't catch the fraud.
Ad networks can't charge you if you stop buying ads because you're not getting a good ROI.
Yeah everyone who isn’t purposefully burning money has people whose sole job is just to spend less money on stuff that doesn’t work and more money on stuff that does. Pretty much every platform (DSP) has some fancy deep learning that bids up or down based on the quality of the individual bid (taking into account the user, host, banner size, likelihood of fraud, etc.)
Well the specific profile that they build on me will be a mess. I don’t see many ads and when I receive one it is not very targeted at all as if they don’t know what I actually like and what my real interests are…
> https://adnauseam.io/
I'm not sure this is a good thing. Wouldn't this make advertisers think their ads are doing better than they are? Which would then encourage them to advertise even more?
Ads are doing worse, not better. The purpose of an ad isn't to be clicked but to increase revenue. In the end of the year data will show clicks have gone up but other more important metrics haven't.
Who is guilty for tracking users? The site relying on income from ads with user-tracking, or the company buying the ads based on tracking instead of some less invasive method of distribution?
No, it will add noise to their data and make their profile of me a mess and very inaccurate. If they make models from this data it will be fundamentally flawed (Garbage in = Garbage out)
As the other poster told you, they filter it out.
It’s still gonna cost them that click, if every site I go to will cost advertisers money I’m good.
Also if it doesn’t work why did Google go out of their way to make it hard to install? If it was truly harmless to advertisers Google would not have done anything.
The "definitely not heavily lobbied" loophole that lets EU claim good press for most of the law while leaving the backdoor wide open
It's not a loophole. Strict necessity is well defined, and per the opinion quoted in the fine article:
> While [cookie-based analytics] are often considered as a ‘strictly necessary’ tool for website operators, they are not strictly necessary to provide a functionality explicitly requested by the user […]. As a consequence, these cookies do not fall under the [exemption].
Companies can still do it illegally of course, and many do, but there is no law that can stop people from doing illegal things.
Does that mean it's illegal to log the user's IP address and user-agent without getting their consent? Am I getting this right?
I’m so tired of the popups.
YOU DON’T NEED A POPUP TO USE COOKIES!
Just stop tracking people across sites and you’re good. Cookies, localstorage or fingerprinting makes no difference. The distinction is whether you track users or not.
You are allowed to use cookies to your heart’s content, as long as the cookie is necessary for the functionality of your site, like a session id, or a shopping cart id.
> [You must] Receive users’ consent before you use any cookies except strictly necessary cookies.
What is worse, ALMOST ALL POPUPS ARE STILL ILLEGAL.
Having the decline option hidden behind an extra click on “Manage Cookies” makes it easier to accept than to decline. You should also be able to withdraw the given consent at any time, but I have never noticed a site with that functionality.
> Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
https://gdpr.eu/cookies/
For my mom’s small business, I actually tried to craft something compliant by hand (because I can). It’s surprisingly hard to get it right! Like, don’t load external scripts unless consent has been given, reflect that in the interface, and allow to withdraw consent. For example, there’s a maps embed showing the store address. But that can only be displayed if you actually consent to the prompt! So that means you’ll need to hold a list of script sources to add to the document head if the respective category has been accepted, but not earlier. Most implementations get this wrong, loading third-party scripts and snippets in normal script tags, assuming the users will consent anyway.
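One way to structure the approach described in the comment above, as an added example that is not the commenter's code: third-party script sources are kept in a per-category list and only added to the document head once that category has been consented to, and withdrawal removes them again. Category names, URLs and the storage key format are made up; the fake document and in-memory storage exist only so the example runs outside a browser.

```javascript
// Hypothetical registry: consent category -> third-party script sources.
// Nothing listed here may appear as a plain <script> tag in the HTML.
const SCRIPT_REGISTRY = {
  maps: ["https://maps.example/embed.js"],
  analytics: ["https://stats.example/collect.js"],
};

class ConsentGate {
  // doc: a Document (or the fake below); storage: getItem/setItem/removeItem
  constructor(doc, storage, registry = SCRIPT_REGISTRY) {
    this.doc = doc;
    this.storage = storage;
    this.registry = registry;
    this.injected = new Map(); // category -> script elements we added
  }

  hasConsent(category) {
    return this.storage.getItem(`consent:${category}`) === "granted";
  }

  // Called from the "accept" control for one category.
  grant(category) {
    if (!Object.prototype.hasOwnProperty.call(this.registry, category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    this.storage.setItem(`consent:${category}`, "granted");
    this.load(category);
  }

  // Called from an always-reachable "withdraw" control. Removing the tags
  // does not unload code that already ran, so the return value tells the
  // caller to reload the page afterwards.
  withdraw(category) {
    this.storage.removeItem(`consent:${category}`);
    for (const el of this.injected.get(category) || []) el.remove();
    this.injected.delete(category);
    return { reloadRecommended: true };
  }

  // Called once per page load: default is to inject nothing.
  restore() {
    for (const category of Object.keys(this.registry)) {
      if (this.hasConsent(category)) this.load(category);
    }
  }

  load(category) {
    if (this.injected.has(category)) return; // already injected, stay idempotent
    const elements = this.registry[category].map((src) => {
      const el = this.doc.createElement("script");
      el.src = src;
      el.async = true;
      this.doc.head.appendChild(el);
      return el;
    });
    this.injected.set(category, elements);
  }
}

// Constructed stand-ins so the example runs under Node; in a browser pass
// `document` and a storage object of your choice instead.
function makeFakeDocument() {
  const head = {
    children: [],
    appendChild(el) { head.children.push(el); return el; },
  };
  return {
    head,
    createElement(tag) {
      return {
        tagName: tag.toUpperCase(),
        src: "",
        remove() {
          const i = head.children.indexOf(this);
          if (i >= 0) head.children.splice(i, 1);
        },
      };
    },
  };
}

function makeMemoryStorage() {
  const data = new Map();
  return {
    getItem: (key) => (data.has(key) ? data.get(key) : null),
    setItem: (key, value) => { data.set(key, String(value)); },
    removeItem: (key) => { data.delete(key); },
  };
}
```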
The easy solution is to just not load external scripts. Done.
Yes, yes, yes.
By the way: this also aligns with the implementations of the ePrivacy directive done by individual countries.
Just go and read individual laws of each country, but the myth that "even login and shopping cart cookies need consent" is just a myth. It would be impossible to comply with both ePrivacy and GDPR if this was the case.
As much as the cookie banner industry is trying to tell you, you don't need TrustArc, OneTrust or other shady products on every website. Just don't do shady shit. First because you don't need it, second because, as you said, these products are almost always doing some illegal shit.
What if I only use the first two parts of the IPv4 address and nothing else. Does that still require banners?
As with all legal questions (IANAL): it depends. Can you demonstrate legitimate interest for "using" those parts of the IPv4 address? If yes, then no.
The IPv4 address combined with a timestamp identifies the typical person almost uniquely. Tracking this data over time allows narrowing it down further. This makes it PII for all intents and purposes.
Anonymizing an IP address by truncating it is a form of processing. So technically you are "processing PII" which makes this subject to the GDPR. If the result is sufficiently anonymous, any data that is attached to further is probably not considered PII unless that additional data helps de-anonymizing the truncated IP. I guess you could have situations where the first two parts of the IPv4 are sufficiently unique in your data set for it still to be sufficient to uniquely identify a person (e.g. when you know that only one IP had these first two parts in the given context) but that's a freaky edge case.
PII or not, the more important question is what legal basis you have for storing and processing it. Consent is one mechanism and it's what requires "banners" - or really: consent forms, as the legally required default action is "reject all non-essential" even if most implementations blatantly ignore this and pretend otherwise - and note that "essential" here means "not requiring consent".
So if you have a different mechanism, you're golden, although truncating still makes sense given that it complies with the requirement for "data minimization" (i.e. being frugal in what you collect). "Legitimate interest" could for example be security-based. You should also make sure to only store this data as long as actually necessary and err on the side of that duration being shorter than longer.
Thanks. It's a bit unfortunate. I essentially only want to keep a visitor count. So I have to show the same banner (at least to be on the cautious side) as the guy who is sharing my data with their 732 "partners"? :-/
Somewhere in the original article it was mentioned that even hashing is not enough to make data non-PII. I assume then that's also out of the question?
Think about it the other way around. Is that visitor counter essential for your site? No. It’s cool. It’s interesting to know how many have visited, but that’s it. Now all you need to do is ask visitors if it’s okay to record their visit for the purpose of cool statistics. There is no requirement in the law to have a banner, or legalese speak. The only thing that actually matters is that you ask for consent in a way that actually shows why you want to track them.
Poof. What if I don't keep the IP at all and just the timestamp? Essentially "Someone visited at 23:12 January 20th", nothing else stored. Still banner needed?
No. But then someone could ruin your stats by sitting there and refreshing all day long.
The price to pay if I don't want to be in the same bucket with data dealers...
As always: it depends.
Most cases: no.
Some cases: yes.
You have to assess: Intent, International Data Transfer, Terminal Device Access (beyond cookies), etc.
https://wideangle.co/blog/what-is-consent-under-gdpr
Unlike many so-called privacy analytics providers, we actually hired (and continue to do so) a professional DPO (former CNIL employees) and we advise our clients to seek counsel and provide them with necessary disclosures for them to make necessary decisions.
At the end of the day, it is our clients that need to make that assessment. Yes, it is our opinion, backed by professional assessment, that in our default set-up you don’t need "cookie banner”, but we are also clear that you should seek counsel of privacy professional.
I disagree with the author's assessment:
- There is no way the browser can be instructed to not send the browser agent. Moreso it could be argued that this is needed for making the site work (legitimate interest). Though yes, if it's an extra call to an external URL I would say this is problematic
- As mentioned by the Plausible opinion, it is not being stored. It is also not a unique identifier
As an addendum, when legal discussions happen here it seems they focus a lot more on the fine print than on the big picture. And while the fine print does have its importance, the bigger picture is what has the most impact
(though yeah I agree with the 2012 Working Party opinion there)
> Moreso it could be argued that this is needed for making the site work (legitimate interest).
If you process the UA to "make the site work" then yes. One example for that would be a site that has the purpose of showing the visitor their user agent string (like "what is my IP?" sites do for your IP). Another might be to provide a different view for mobile devices though that has largely been solved with responsive design.
If you process the UA to fingerprint visitors to "improve the experience" by showing them ads or performing usage analytics over time to see what works and what doesn't, that's different. Arguably analytics can have a legal basis other than consent but that doesn't give you a carte blanche for what data you can use and how.
> it is not being stored
That doesn't really matter as long as it is PII as processing PII still requires a legal basis even if you don't store it. Collecting, processing, storing and sharing all require a legal basis even if that basis might be trivial.
> Note: I am not a lawyer.
> We’ll be focusing our efforts on the ePrivacy Directive,
The author doesn't seem to know that an EU Directive is not binding law. They're mostly irrelevant. It only matters how member states implement Directives. Some states like Germany didn't change any laws at all regarding the EPD.
EU Regulations like the GDPR are different.
The author clearly states they are aware of this and links to an analysis of the implemented laws:
“Note that this is a directive, not a regulation, meaning it is up to the individual EU countries to implement the directive into law. We’ll arbitrarily ignore this distinction, and I will only be considering the wording of the directive itself in this article.
If you’re interested, the guys over at Matomo have done the hard work of looking at the implemented laws. Worth a read!”
He links to an overview of national implementations: https://matomo.org/faq/general/eprivacy-directive-national-i...
The ePD is intended to be replaced by the ePR but the ePD has already been implemented in several countries so it's a good abstraction of those implementations if you don't want to look at the specifics of each one individually.
> Some states like Germany didn't change any laws at all regarding the EPD.
This is false. Germany implemented the ePD[0] by replacing the TKG with the TDDDG in 2021. You may have missed this as it wasn't a big news story and German law still awkwardly refers to "telecommunications" when also talking about the Internet.
> EU Regulations like the GDPR are different.
Yes, that's why the ePR will largely replace the implementations of the ePD by acting as directly binding law for all EU member countries rather than requiring individual implementations.
[0]: https://www.bfdi.bund.de/DE/Fachthemen/Inhalte/Telemedien/eP...
> After the German legislature most recently still transposed the European requirements of the ePrivacy Directive into German law as of 1 December 2021, by way of an amendment to the Telekommunikationsgesetz (TKG) and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz), the future ePrivacy Regulation will apply directly in the member states.
Emphasis added. Highlighted part approximately translates to "the ePrivacy guideline was implemented in German law".
> Germany implemented the ePD[0] by replacing the TKG with the TDDDG in 2021.
At that point, the GDPR was already in force. The GDPR is mostly a superset of the ePD, so I don't think the TDDDG led to substantial changes.
That's again false. It is also nonsense.
The original ePD was issued in 2002 and implemented by Germany in an update to the TKG in 2004 (and in an update to the UWG if you want to be pedantic). This precedes the GDPR by 12 years.
The GDPR is not a superset of the ePD. The GDPR did however lead to the recasting of the ePD in directive 2018/1972/EU (to clarify some ambiguities/conflicts created by the GDPR), which is what in turn led to the creation of the TTDSG which implemented the recast ePD and replaced parts of the TKG and TMG. The TTDSG in turn was renamed to the TDDDG when the DDG replaced the TMG due to the EU Digital Services Act.
So my statement that the TDDDG implemented the ePD was not entirely correct as the full story is a bit more complicated: the ePD was implemented in the TKG in 2004, the TTDSG implemented the recast ePD in 2021, the TTDSG was renamed to TDDDG in 2024. Also the TKG itself still exists, however parts of it were moved into the TTDSG/TDDDG.
But saying that the ePD did not lead to any changes in German law is wrong for both the original ePD and the recast ePD. Saying that the GDPR is a superset of the ePD is also wrong because if this were true, the ePD could have simply been replaced instead of having to be recast. And saying that the TDDDG didn't lead to substantial changes is only technically correct when referring to the renaming of the TTDSG to the TDDDG (which, again, was due to the EU DSA, not the EU GDPR nor ePD) but is, again, wrong when referring to the underlying TTDSG.
Here's a fairly comprehensible German language article about some of the changes in the TTDSG:
https://cms.law/de/deu/publication/das-neue-ttdsg-ist-in-kra...
Of course "substantial changes" is subjective but that's different from what you originally claimed about Germany "not changing laws at all", which I've hopefully demonstrated isn't true by any means.
Aren't these details mostly irrelevant? Can you name one additional requirement introduced with TTDSG or TDDDG which wasn't covered by the GDPR already?
I'm sorry, what? Is this actually arguing that consent is needed to log the user agent string?
Has this person studied law?
The user agent string by itself is not PII. The user agent string in context can be PII.
Here's an example you might be familiar with from a business setting: sometimes you can't disclose the identity of certain customers but you really want to talk about them as a reference when selling your product. So instead of "Microsoft" you might say "a big company from Redmond". You're not identifying which company you are talking about but you're providing enough context clues to narrow it down to the point where the most likely company you might be referring to is Microsoft. If you then go on to say something about "the big company from Redmond", that information will clearly be tied to Microsoft (or a very small group of companies where Microsoft is the most likely one) and you might be violating the non-disclosure agreement without ever having explicitly named the customer.
Back in the day, a user agent string would only tell you the OS and browser, with version numbers often only narrowing it down to maybe a year or so. But with browser and OS releases becoming so frequent, the exact version numbers alone will already often vary even between users using "the same" browser and OS and additionally it may sometimes contain information about plugins and other installed software. Alone this is unlikely to narrow it down enough to qualify as "personally identifiable" but that depends entirely on what else you store alongside it (and things like timestamps are definitely additional important context clues).
Yeah, people seem to ignore the ePrivacy directive. I frankly don't know why it needs to be revised or replaced by something new, it seems like the GDPR handles it all and more.
Do you really need analytics that much?
Enjoy my cookie and analytics free website: https://www.ZoneHero.io
I had to resist a lot of temptations, but hey, no banners!
Some sites need them, or they would not exist. A page with ads, where the advertisers what to know, at mleast, how many times their ad was displayed. They have an aproximation of this number for printed press, for TV, for the radio.
I have a lot of sites that are also banner free, but they are paid with other means (usually grants). But when the money ends, the sites go down.
The sad thing with analytics is that the dreadful banner makes it look like my site that only sets a cookie to know what is a unique visitor looks the same as another site that collects hundreds of data variables and then sells the data to hundreds of third parties, making the data sharing a business in itself.
If you're collecting the data for fraud prevention, that would be covered by "legitimate interest" which does not require consent.
The problem with ads is that they don't want to only do fraud prevention, they also want to do deep behavioral analytics and targeting. You can't do that with data you collected for the purpose of fraud prevention because it's a different purpose altogether.
> The sad thing with analytics is that the dreadful banner makes it look like my site that only sets a cookie to know what is a unique visitor looks the same as another site that collects hundreds of data variables and then sells the data to hundreds of third parties, making the data sharing a business in itself.
If your cookie only exists to identify visitors across requests for purposes that meet the definition of legitimate interest or any other legal basis for a mechanism than consent, you do not need a "banner" (really: consent form). You don't even need a notice, just a privacy policy explaining it. An example of this is session cookies for logins - cookies for things like dark mode are slightly different but you don't have to frontload the consent request for that.
We don't shove a consent form in people's faces when we first talk to them just because of all the things we might need their consent for later in the day. I'm not sure why so many of us think we need to do this for websites that don't immediately require that consent to do something with it. Especially when consent can be withdrawn (or given) at any time.
Totally unrelated to cookies, but: Looks like a nice product! Have you figured out a way to integrate with ECS / Fargate? That's where our high volume ALBs are pointed at.
If you want to get in touch, click Join the beta and drop us an email, old school, no strings attached. We’re currently testing Marketplace integration, the rest has already been battle tested.
Yes, at the moment we can handle everything that fits in a Target Group. Adding other constructs is not a big deal either.
Is it popular?
I don’t know, I can’t know.
But seriously, no, it’s not, and it’s never going to be, as the topic is very niche, and it’s only ever consulted by people who have an interest in the product, who received the link from me or the marketplace.
I think the benefits of the “insights” I would get from tracking viewers are outweighed by the inconvenience I would cause to my customers.