I do it for my user's privacy & safety and was doing most of it well before this whole GDPR discussion even started.

Yes, exactly, it's too bad that it requires "menaces" for publishers to be responsible.

Since most of the other threads are talking about Adsense, I thought this might be an appropriate thread to monitor compliance by certain bodies:
[ec.europa.eu...]
This is the European Commission website. No cookie consent banner. Sets cookies without information about specific cookies. Has a 'cookies' page with quite vague details on what they all are and how to decline them.

This is the European Commission website. No cookie consent banner. Sets cookies without information about specific cookies. Has a 'cookies' page with quite vague details on what they all are and how to decline them.

Just checked, the only cookie they set is one called "has_js" , which is certainly to detect if javascript is active. This kind of cookie doesn't require any consent or information.

Keep in mind that only cookies which are related to tracking and/or collecting personal information are concerned by the GDRP/ePrivacy. For all other cookies, there is no need to ask for consent, or even show and informational banner.

I can see another five things all starting with pk. in my Storage Inspector on Firefox....

Two ids, one ref and two ses. Note that I haven't personalised anything.

from some behind-the-scenes convos...

> What GDPR does that's frankly weird is mandate
> that websites allow the complete deletion of a user.

Yes, it is a mess.

a) If you delete a user name (with out blocking reuse) a user name can be recycled and thus someone can impersonate someone else (already happened on another forum yesterday)
b) Some forum software allows people to quote one another - there is no way to delete that sub-quoting really short of a huge team of monkey editors
c) Most forums are strictly anonymous. Anon signup - general anon email (gmail/hotmal/yahoo ...etal)
d) Most forums are spidered and cached by third parties including public caching systems, search engines, partner networks, isp caches, and even foreign governments.
e) Most of us in the US are required by law to retain data that may be used in legal actions. (say someone slanders someone else in a forum and then asks to have their data deleted - it could be illegal in the US to delete)
f) IP addresses are not personally identifiable. Tor networks... vpns... private vpns... proxy caches. etal - all mean that you don't know who is a user and who is not. How many Yahoo emails can you sign up?
g) Email Addresses are not personally identifiable. How many Yahoo emails can you signup in one hour? There are hundreds of free email providers - including some that expire in 10mins.


>GDPR strikes me as a "feel good" policy

I totally agree. However; getting websites and software makers to rethink privacy is a net plus for everyone. I do like that the focus is on the end user for a change.

The problem I see is that it is just another thing to drive small websites out of business by raising the bar again that only big corporate sites can match.

My final thought is that it is time to #BlockChainTheInternet

I tried with both Chrome and Firefox, cleared cache, but I have only one cookie set, called has_js, this is odd.

>>I tried with both Chrome and Firefox, cleared cache, but I have only one cookie set, called has_js, this is odd.

the site in question also sets three cookies starting _pk ... these are tracking cookies set by piwik analytics (now called matamo)
they are set using js - so perhaps QuaterPan you have js turned off?

although looking at their cookies policy they do say, they set a cookie ...

if you have agreed (or not) to our use of cookies on this site

however they didn't ask my permission! i just deleted all the cookies and refreshed and they didn't ask if i agreed or not, perhaps the rules don't apply to themselves!

... so typical EU ... quite amusing though, considering this is the official website of the EU

so perhaps QuaterPan you have js turned off?

No. I don't know why I have only this Cookie set (has_js) and not the others.

however they didn't ask my permission! i just deleted all the cookies and refreshed and they didn't ask if i agreed or not, perhaps the rules don't apply to themselves!

It depends if these cookies are carrying "personal information". There is tracking and tracking. For example, if this is to count number of visitors, there are no need of a cookie consent. If the statistic service they use are anonymizing IP, there is no need of a consent either.

Cookies which are concerned by consents are those which are used to identify a particular person for the purpose of identifying this person.

For example, the problem with Google Analytics, is/was, that Google is also collecting browsing information from your site, to feed its own system, including personalized ads. Even if you do not have adsense on your site, but use analytics, Google will take in consideration that such or such user visited your site, and use this to provided personalized ads, at others sites for this user. So, in that case, you can see the cookie is used to identify a particular person, and profile him. And THIS requires consent.

i agree with what you say and actually matamo can be set anonymise ip addresses ... my point about the eu website was that in their cookie policy they actually say they set a cookie specifically to record your preference for accepting cookies or not - yet in my case they never asked me.

preference for accepting cookies or not - yet in my case they never asked me.

I haven't been to the site lately, but IIRC they have a pre-checked box on their Cookie or Privacy page, which you can un-check if you want.

ETA
Here: [ec.europa.eu...]

Thank you Shaddows ... interesting that they opt you in unless you explicitly opt out - the opposite of what i thought (possibly wrongly) was the correct way of doing it.

Just for fun i opted out, however they have not set a cookie with my preference that i've opted out
and they continue to serve me the piwik cookies!

Yeah, the cookie-consent scaremongering (from the consultants now bringing you the GDPR debacle) meant the industry went OTT.

The key is that the old Directive does not say your need "explicit" consent. As long as it is clear and in your boilerplate text, you are good to go.
ePrivacy Directive: [eur-lex.europa.eu...]
ICO Guidance: [ico.org.uk...]

If you are minded to look, it is Art 6 of the ePrivacy Directive.

The key is that the old Directive does not say your need "explicit" consent.

Depends of interpretation, the French regulator said :

For cookie consent to be valid, it shall be freely expressed BEFORE the cookie is set, the user having been informed of the purpose of the cookies set.
[cnil.fr...]

But they mentioned that the consent can be expressed by scrolling down the web page the user is browsing (what we call continuing browsing). But it means that at least it requires an action from the user (accepting cookies, scrolling or changing page), BEFORE writing a cookie.

This is the pertinent clause:

3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his/her consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.

It is interesting that the supervising authorities have different interpretations, but as this is a Directive and not a Regulation, enforcement is up to Member States.