Skip to content

One Cookie Popup? We demand Hundreds of them!

You can’t read any website anywhere in Europe without getting a completely useless “We too are using Cookies” overlay. This has been such a unmitigated success that there exists a separate “Kill all Cookie banners” category in every Adblocker available.

But, says the Article 29 group of European Privacy Commissioners, is by far not annoying enough, we can do worse. Consent cannot be given in general, you need to make this more specific.

That is, they demand hundreds of these overlays on each site (PDF).

Page 17 of that PDF:

The end-user must be able to give separate consent per  website or app for tracking for different purposes (such as social media sharing or advertising). […]

For both browsers and data controllers this means it would be invalid if they would only offer an option ‘to accept all cookies’, since this would not enable users to provide the required granular consent.

Right. How is this even practical.

Published inNeuland


  1. TH

    ||How is this even practical.


    By not using fucking hundreds of tracking bullshit.

  2. Essentially they want something like the Cookie Monster plugin, perhaps amended with a bit of semantics. Cookie Monster allows users to define a default policy (e.g., “No 3rd-party cookies”) and to modify it per site (e.g., ”but may set cookies.”). Take this, add a no-bullshit* semantics layer to give laypeople an idea about the consequences of blocking or not blocking certain cookies, make everything available for every major browser, and then shut up. If you want to make laws, find ways to punish gaming the system.

    *) Try to avoid the TRUSTe categories. We really just need two categories: (a) breaks the app or service (for the user, that is, not for the advertiser) and (b) does not break things for you.

  3. Simple: By limiting cookies to the minimal needed to fulfill your job.
    “Datensparsamkeit” was the motto here.

    The bigger issue is, if you decide that this is the law of the land, enforce it also against the big US companies. If you don’t, this is a clear unfair competition situation. So if they don’t plan to enforce this against Google&Co too, then limit the law of the land to similar conditions.

    • According to our politicians, data is the oil of the 21st century. If we accept this premise, then (1) Silicon Valley is the OPEC of the 21st century and (2) without much of an IT industry of your own we are in the same situation as a country without its own oil fields. As a consequence, we will enforce our ideas of data protection against GAFA* just as effectively as 20th-century developed countries enforced our ideas of universal human rights against OPEC states.

      *) Google, Amazon, Facebook, Apple

  4. Rainer Nagel

    The text demands the option for the user to give consent to single cookies. So it would be OK to show the user a banner with two options. One is to accept all cookies, the other is to give consent per cookie which directs the user to a separate web page.
    So only one banner :-)

  5. -thh

    Data protection is *never* practical. It doesn’t even try.

    • kris kris

      Yup. But I need my Internet to be practical.

    • Data protection is impractical on two levels. One is where data protection gets in the way of harm it aims to prevent, without itself causing collateral damage. This part almost everyone would accept and even welcome. The other is where outdated paradigms from the relational database era live on and clash with how the world works today. On this level, data protection is impractical for no reason _and_ fails to achieve its goals. We have written (in German) about this latter problem here:

Leave a Reply

Your email address will not be published. Required fields are marked *