[Closed] Educate me about cookies!

Some sites have the ‘Reject’ button easily accessible, whereas others force you to manually deselect 10+ checkboxes. I thought that was illegal to make rejecting cookies more difficult than approving them? If that’s the case, to whom can I report offending sites?

It contravenes GDPR yes. But that's an EU law; a lot of sites are US based and don't really care. You can report things to the Information Commissioners Office - https://ico.org.uk/make-a-complaint/cookies/ - but as far as I know it's pretty toothless to go up against the likes of Facebook and Google. And doesn't have the manpower to chase down every small offender.

I’ve come across some sites that simply say “If you don’t want cookies, disable them completely in your browser” and there’s no way to disable the cookies except by blocking all cookies in Safari. I always back out of those sites, but aren’t they also illegal?

Yes, they also contravene GDPR.

3) What is ‘legitimate interest’ and why are those cookies different? I’m sure it doesn’t mean that the other cookies are illegitimate, but it’s confusing wording.

'Legitimate Interest' is an alternative to 'Consent'. Whereas 'Consent' should mean you have to opt-in first, Legitimate Interest means 'we're just going to do it anyway' and you can opt-out later. It does have legitimate purposes (i use it in some of my work) but IMO cookies - for the most part - aren't really one of them.

Not sure on the Safari questions! The whole thing is a pain in the arse.

Like a lot of things cookies started out trying to solve a problem, in this case the problem was that HTTP is a stateless protocol, each time you send a request to a web site it knew nothing about your previous requests and this made for a bad user experience.

So Netscape invented the cookie, a small file placed on the client that could store some state information that persisted between each request. For a while everything was lovely but then people started seeing ways to abuse the cookies to do things like tracking and then we ended up here.

On my Windows PC I use Privacy Badger to help control tracking cookies:

Privacy Badger (privacybadger.org) is a browser extension that automatically learns to block invisible trackers. Privacy Badger is made by the Electronic Frontier Foundation, a nonprofit that fights for your rights online.

It doesn't work on Safari but there are alternatives

1) It’s supposed to be easy to opt-out. Some sites have the ‘Reject’ button easily accessible, whereas others force you to manually deselect 10+ checkboxes. I thought that was illegal to make rejecting cookies more difficult than approving them? If that’s the case, to whom can I report offending sites?

Depends where you are. Chances are you are referring to GDPR- which is a European regulation, so report them to the EU (via your relevant government). Since we left the EU, the UK is still following "equivalence" regulation (for the time being), so you can report them to the ICO https://ico.org.uk/for-organisations/report-a-breach/ . The reality is though, there are so many offenders, it would be impossible to police. The ICO are taking steps against serious offenders (eg. Facebook), but aren't bothered by most.

2) I’ve come across some sites that simply say “If you don’t want cookies, disable them completely in your browser” and there’s no way to disable the cookies except by blocking all cookies in Safari. I always back out of those sites, but aren’t they also illegal?

Yes that's illegal, but see above- what are you going to do? The UK government have already said they would like to 'review' the cookie banners. Chances are what they mean is remove the need for them, rather than improve the enforcement.

3) What is ‘legitimate interest’ and why are those cookies different? I’m sure it doesn’t mean that the other cookies are illegitimate, but it’s confusing wording.

This is where GDPR is a bit too vague. There are lots of real reasons you need to use cookies: the legislators quoted things like online banking when writing it, another legitimate interest may well be this site (to track that you've logged in).
In reality, a lot of companies have used the legitimate interest to argue their business model wouldn't work without them- this wasn't the point and is being tested in court at the moment.

4) Safari supposedly blocks 3rd party tracking cookies. Should I therefore just accept all cookies, safe in the knowledge that Safari will be blocking them behind the scenes?

I think this is correct, but others may know more about Apple than me.

5) Is there a way to selectively delete all cookies except those for sites I whitelist? E.g. a few sites where I want to stay logged in. I’m on Mac/Safari. Or a script that deletes all the offending cookies on a daily basis?

Yes- look for "manage website data"

6) I quite like Safari, and the way tabs are synced across all my devices etc. Do I have better cookie-blocking options if I switch to another browser?

Firefox has similar cookie blocking, and Brave is probably a more private browser.

7) Am I over-thinking? Should I stop worrying and learn to love the cookies?

Not really- it is a serious problem. I would add though, some sites do helpful things with cookies: the right level of targeting and measurement would mean sites can make money better and you would see more relevant adverts- although it is used in intrusive ways, it could also be used in manageable ways.
It's also worth pointing out the alternatives to cookies right now are far more concerning.
Google tried to create an alternative which they thought would be more private (FLOC)- it ended up being a horror show- you could track far more than cookies can and it is illegal to use in the EU.
Apple talk about being private, but they are still tracking you just as much (just not sharing this with anyone else). The outcome is that they are closing down competitors and the hovering up the advertising market. Privacy is good, but it is being used as a cover to create alarming monopolies.

Part of the problem is cookies do some stuff you probably want (like allowing a site to know you've previously chosen cookie settings).

A few sites have nice user friendly interfaces making it clear what you're opting in our out of and why, most of them are trying to frustrate users into clicking accept all.

What I do is have my browser delete/forget everything when I close it (firefox).

It is slightly annoying as I have to re-log into things every time, for example, if I want to go onto facebook use a private/ingonito window, or I just shut my browsser down, open it again, log into facebook, then close the browser again when Im done and reopen it again to continue going about my day.

" What I do is have my browser delete/forget everything when I close it (firefox)."

Theres more than just the standard cookie storage, there is a 2nd folder/file thingy that has thousands in it and remains even when you seemingly delete the firefox ones.

I can't remember where it is exactly off hand, you go through Control Panel settings and its in one of those.

I was interested how the Guardian seemed to remember how many articles I'd read, despite me using the standard 'delete cookies' option, so considered those must be being stored elsewhere. A bit of rummaging in the system and I found them, and deleted the lot and it was literally thousands.

After which the Guardian didnt seem to remember how many free articles I'd read, so I guess i deleted the right thing.

You mean here?

C:\Users\me\AppData\Local\Microsoft\Windows\INetCache

I don’t understand why people think it’s OK to let megacorporations follow your every move online?

Most people really don’t care and aren’t bothered, they just happily continue posting rubbish on every social media format going and leave it at that.

In iOS, I use a variety of browsers, Safari, Firefox, Brave, DuckDuckGo and Ghostery Dawn, and all of them have DuckDuckGo set as default search. If you go into settings, you can find various buttons that allow you to control tracking. Yes, you’ll still get popups, but usually, if you tap the additional/more info, it shows what’s been blocked, which is the majority of the really devious tracking that goes on.

There's so much other tracking etc. going on when you visit a web-site I wouldn't get too concerned about cookies. Also Inprivate type browsing is pretty much just removing the local footprint of your browsing activity - it's not stopping tracking. Then you've got stuff like "do not track" requests - which are actually completely voluntary on the web-site side as to whether they adhere to that request. Oh then there's all the data you're sending MS and Google etc. when you're typing URLs in (Safe Browsing and Smartscreen protection etc.).

I've just spent a few months implementing browser security controls for a client (and it's still by no means secure).

Technically it is not GDPR, or for the UK, the Data Protection Act 2018.
The "Cookie law" is the ePrivacy Directive, which as a directive was enacted into local law in each member state. The UK law is the Privacy and Electronic Communicates Regulations PECR, which was first enacted in 2003 so is very old.

Basically it says you cannot read or write non-essential data a users device without consent. So Amazon can place a cookie for he shopping basket or session when you log in to their site without consent as it is essential to the existence of the website. But any other performance, ad, tracking or personalisation is optional.

There is a big drive across Europe to update guidance to make it as easy to reject all as it is to accept all, but that is on a country by country basis as it is done under their local law. France and Spain have been very active in prosecuting cookie infringement.

There is cross over into the data protection laws where the data gathered is personal data. As an example there is a big case going on at the moment about the Ad industry and it is expected that the current method of tracking will be found to be in breach of GDPR. The outcome of that would seem to be more context based ads, rather than fully personal targeted ads.

The EU is trying to update the ePrivacy directive to a regulation, and was supposed to do this alongside the GDPR, but there has been a lot of difficulty in getting this across the line, with no end in sight.
Brexit has caused chaos in this space, as now there is divergence in the law as the EU moves forward with their agenda, and the UK doing their own thing. The UK wanting to ease the burden on businesses. They are not looking to reduce the protections under the law from my understanding, but the hoops that companies are having to just through which was caused a huge headache, and is driving a lot of companies to be non-compliant with crazy rules. The problem is that this is causing more red tape and headaches as there is now 2 differing requirements to be met by companies.

The rules aren’t “crazy”, it’s just that everyone wants to break them.

It’s simple, cookies for tracking/following people around the internet require consent, let the user opt out.

All that sharing of data with Google, Facebook and others is great for companies to use to improve their marketing and working practices, but real consent is required. Let the user opt out.

No.

Let the user opt in.

Thanks, some good info here so far.

Presumably the issue is that no user in their right mind would ever opt in to tracking unless it was mandatory?

Apparently, at the moment around 90% of people just 'accept all' cookies. Presumably if enough people get interested in blocking them, then loads of websites will starting denying service to people who don't accept cookies (an extra source of revenue for some sites).

It seems I'm justified in being a bit concerned. The legal side sounds completely toothless, and I suspect our current government will want to move to less regulation, if anything.

I've installed Brave, something I've been meaning to do for a while. It seems quite nice and already I'm getting a quieter user experience than Safari. Though, there's a major issue that it can't access keychain for all those 20 random character algorithmically-generated passwords I'm using on different websites, which is more than a bit annoying.

It would help if sites all had a cookie that recorded you cookie choice, so that you don't have to go through the useless process of confirming your choice every time. Or is the need to re-consent every time something in the regulations?

Let the user opt in.

Most sites have a “click one big obvious button to opt in” action… it’s the opting out option that can be deliberately difficult to find and activate. Or even missing completely.