Tell HN: Common Misconceptions About Cookies and Consent

49 points

4 years ago

After participating in a few past discussions in HN, I have noticed many comments whose main argument is developed upon one or several of the following misconceptions. Disclaimer: I am an EU citizen.

Misconception: "The browser decides to send cookies." Wrong: A browser, or user-agent in general, will never invent a cookie out of thin air, and therefore it never sends a cookie unless it has been set by the webserver beforehand (either with an HTTP header 'Cookie' or with JavaScript code). [1]

Misconception: "Consent forms are mandatory for all cookies." Wrong: Cookies that are essential for the proper functioning of the website (e.g. supporting a login session) do not need any consent form, and can be set silently. [2]

Misconception: "Consent forms are mandatory _just_ for cookies." Wrong: User consent must be obtained for any kind of processing of the user's personal information (where no other lawful basis exists for the processing), no matter what technical solution achieves that processing. Example: A tracking pixel needs the same consent form as a tracking cookie. [3]

Misconception: "By browsing this site, you implicitly accept tracking cookies." Wrong: Consent must be opt-in, informed, freely given. If it's not freely given, it is not consent. Also, the user must be able to revoke consent just as easily as consent was given. [3]

Misconception: "If a user doesn't like cookies, they can just disable them in their browser." Wrong: Some cookies may be essential for proper functioning of websites. Browsers cannot technically propose any means to disable only non-essential cookies, that's outright impossible. The only entity capable of deciding if a cookie is essential or not is the website that sets the cookie. [2]

Misconception: "Marketing or tracking cookies can be disabled: just disallow third-party cookies." Wrong: marketing or tracking cookies can also be set by the first-party, ie. the website being visited. Example: Google Analytics. [4]

Misconception: "Cookies are morally justified because the webmaster has to cover the cost of running the website." I disagree: that reasoning is only valid for not-for-profit websites. If the webmaster struggles to cover the cost of running the website and cannot find a legitimate source of income, they are welcome to shut it down. No website is entitled to make money off of non-consenting visitors. "Staying afloat" is not a right of the webmaster, it is a privilege.

Cheers!

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

[2] https://www.cookieyes.com/blog/cookie-consent-exemption-for-strictly-necessary-cookies/

[3] https://blog.chino.io/gdpr-compliant-consent-tracking/

[4] https://www.optimizesmart.com/google-analytics-cookies-ultimate-guide/

21 comments