
What is the point in implementing a cookie banner if you are still breaking the law in an obvious way? Why not just break the law by not having a cookie banner? That way it would at least be less annoying for your users.


I think a lot of companies comply with cookie banners the way that they do just to annoy users, as a protest against regulation. If they can irritate users as much as possible while complying, they think they can turn users against the regulation itself rather than the way that they comply. I don't know if this applies in this particular case, but I know at least some companies do that so it's worth considering. Other than that, maybe the answer is that they were just trying not to be obvious, or that it was totally different divisions responsible for each?


But almost no company complies with the law anyways. They need to have a "reject all" button; a "more options" button is not enough. So any company that has a cookie banner without a "reject all" option might as well not have a banner at all.


A lot of European companies do have a reject all button thank god :) But yeah more need that.


American companies are the worst: "Accept" and "More info". :)


We do. At least for the part of the product I was responsible for I made sure that the tracking script is really only loaded if the user explicitly clicks yes.

It's sometimes hard to make marketing understand why this is an issue in the first place but then we are B2B in a mostly offline industry so it doesn't matter as much.
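As an added example of the gating this commenter describes (not the commenter's code): a small consent module that loads a third-party tracking script only after an explicit, current opt-in, records the choice in one cookie that carries no identifier, and offers "Reject all" with the same prominence as "Accept all". The cookie name, the version tag and the script URL are assumptions for illustration.

```javascript
// Added example, not the commenter's code: load a third-party tracking script
// only after an explicit, current opt-in, with "Reject all" as prominent as
// "Accept all". Cookie name, version tag and script URL are assumptions.
const CONSENT_COOKIE = "consent";                          // the only pre-opt-in cookie
const CONSENT_VERSION = "2024-01";                         // change it to re-ask
const TRACKING_SRC = "https://tracker.example/script.js";  // hypothetical

// Parse the recorded decision out of a cookie string (document.cookie or a
// Cookie header). Returns { version, analytics } or null if no usable decision
// is present: absent, stale version, malformed JSON or a non-boolean flag.
function parseConsent(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join("=")));
      if (rec && rec.version === CONSENT_VERSION && typeof rec.analytics === "boolean") {
        return rec;
      }
    } catch (e) {
      // malformed value: fall through and treat as "no decision"
    }
  }
  return null;
}

// Fail closed: only an explicit "yes" under the current version loads the tracker.
function shouldLoadTracker(cookieString) {
  const rec = parseConsent(cookieString);
  return rec !== null && rec.analytics === true;
}

// Cookie that records the choice itself, and nothing that identifies the user.
function consentCookieValue(analytics) {
  const rec = JSON.stringify({ version: CONSENT_VERSION, analytics: analytics });
  return CONSENT_COOKIE + "=" + encodeURIComponent(rec) +
         "; Max-Age=15552000; Path=/; SameSite=Lax";
}

// Browser part: inject the script only on a "yes", render the banner only when
// no current decision exists, and give both buttons the same treatment.
function injectTracker(doc) {
  const s = doc.createElement("script");
  s.src = TRACKING_SRC;
  s.async = true;
  doc.head.appendChild(s);
}

function installBanner(doc) {
  if (shouldLoadTracker(doc.cookie)) { injectTracker(doc); return; }
  if (parseConsent(doc.cookie) !== null) return;   // a recorded "no": nothing to ask
  const banner = doc.createElement("div");
  banner.setAttribute("role", "dialog");
  for (const [label, choice] of [["Reject all", false], ["Accept all", true]]) {
    const btn = doc.createElement("button");
    btn.textContent = label;
    btn.addEventListener("click", function () {
      doc.cookie = consentCookieValue(choice);
      banner.remove();
      if (choice) injectTracker(doc);
    });
    banner.appendChild(btn);
  }
  doc.body.appendChild(banner);
}

// Only runs in a browser; under Node the pure functions above are still usable.
if (typeof document !== "undefined") installBanner(document);
```

The decision logic is kept separate from the DOM code so it can be unit-tested: a missing cookie, a malformed value, a stale version and a recorded "no" all resolve to "do not load", and the version tag forces a fresh question when the purposes change.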


>I think a lot of companies comply with cookie banners the way that they do just to annoy users,

In my experience they don't actually understand what they are required to do; they then think the easiest way to handle it is to pay for some outside expertise, with of course the understanding that they would still like to get some ad money.


This is exactly it. We have web properties that only have one cookie at all - the cookie to store the result of the cookie pop up!


There are benefits to being a US based company that doesn't target EU users, even if it doesn't reject EU users, I guess.

I can't think of a way to actually use any kind of tracking cookies, even non-ad/sales/data-harvesting related that wouldn't be annoying in EU.

Of course, if you manage your own load balancing, you could definitely combine a load-balancer pinning cookie (uuid) for "all" uses as a single "essential" cookie.


Load balancing would fall under "essential" cookies that don't require permission. No banner necessary.

See GitHub.

You can't use the data for other purposes though.

Tracking without cookies requires consent no matter how you implement it. Claiming it to be essential won't fly if, say your Marketing or sales team has access.


Why cannot load balancing be implemented without cookies?


Using a cookie that is essential for non-essential purposes is not allowed. So using a load-balancer cookie is fine, as long as it's only used for load balancing.

Once it's used for other (technically non-essential) needs as well, one needs to find another basis for processing or ask permission for that second purpose (consent basis).

Also, if the LB cookie can be non-identifying while fulfilling the stated technical purpose, it must not allow identifying users. So for LB cookies, one must not use a unique ID per user, but an LB ID instead. Something like "node1", "node2" etc...


To be more inconspicuous?


I honestly don't know how people in Europe surf the web, it's so annoying now. When I was just in Germany, on every site I'd have a GDPR popup, then the ads would load, then some random ad would pop up with a close button the size of a pixel. This was on major sites. The modern web is so broken, and the GDPR popup made it worse. Why can't you just have a browser-wide setting to accept or deny GDPR in force? In the US it's bad enough; now with the GDPR popups, it has become almost unusable, especially on mobile.


I don’t understand why the blame is put on GDPR (which is NOT the reason for cookie banners btw, it’s the ePrivacy directive). Websites choose to have a cookie banner because they have abusive cookies, tracking, etc. Some websites such as GitHub famously made the choice to remove tracking cookies, and now do not need a cookie banner. Forcing websites to clearly display their crappy practices is a good thing. Forcing websites to ask for user consent before tracking them is good.


The GDPR just missed a step. They should have mandated an automated way for users to present their preference. Like the old DNT flag for instance. With the legal framework behind it that would have made that flag actually useful and browsers would have brought it back quickly.

I assume this didn't happen due to industry lobbying.


AFAIK there was a legislative initiative to do exactly that and the ad industry whined about it.

I think the result would have been similar to what happened when Apple did its Facebook nerf. Within the margin of error no one wants to be tracked and the ad industry knows this despite their fake "user-benefit" spiel.

In the end it didn't happen and I can't recall what it was called.


It was a mistake though. Because now the politicians get blamed for the cookie banner chaos.

I hope they will go back on this and mandate DNT after all.


> Why can't you just have a browser wide setting to accept or deny GDPR in force.

Because that's what was tried before GDPR, and it has proven to be a conclusive failure. https://en.wikipedia.org/wiki/Do_Not_Track


It’s not the same thing. I’d love something like <meta> tags where the websites declare their cookies, with a standardized set of metadata. We could have a browser-native permission system like we have for microphone, camera, geolocation, and the possibility to allow or disallow cookies in a unified way. Blocking the undeclared/disallowed cookies would then be done at the browser level, so there would be no need to trust that the websites actually respect the settings.


I'd like something like an <ad> tag to go along with it, where the contents are sandboxed by the browser separate from the rest of the page. Mainly as a cudgel against sites which are very anti-adblocker.


Yeah it was by Microsoft https://en.wikipedia.org/wiki/P3P


It was only a failure because it was not mandatory to obey it. GDPR missed a big chance to do that.


> some random ad would popup with a close button the size of a pixel.

Run an adblocker. The Web was a total mess even before GDPR came along and not limited to Europe. If the issue of denying sites a revenue stream bothers you then perhaps make yourself a promise that you'll turn it off when ad networks stop being a vector for malware and/or stop engaging in the un-permitted collection and sale/abuse of personal data.

Personally, I run NoScript (as well as ad blockers) and so cookie popups are relatively rare on my Mac, but I still get them on iOS. I don't like them, but I see them as a warning that the site is going to try to exploit my personal data in return for serving me content.

It's also worth pointing out that there is no actual need to have a cookie banner unless you're doing something with the data that actually needs permission. For instance basecamp.com was GDPR/ePrivacy directive compliant when I was there, but never needed a banner because they decided to stop collecting and processing personal data in a way that required permission.


I use Consent-O-Matic browser addon which automatically hides cookie banners and rejects them in the background.


I don't think they thought they were breaking the law: you can read their arguments summarized in the decision and they're plausible: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989. I also suspect that if they had been successful in keeping the jurisdiction to their home authority in Ireland (which has a reputation of being much less strict), they would not have been found to be out of compliance.


Lawyers are rarely hired by the defense to pen long arguments why they were intentionally breaking the law. They’re always going to argue that they didn’t do it, and if they did do it they didn’t intend to (because intentionally violating can have higher penalties).


> 46. In its defence, the company explains that the "MUID" cookie is a multi-purpose cookie, used for essential and non-essential purposes so as to avoid using several cookies, one per purpose, in order to reduce the number of read and write operations between the user's terminal and "bing.com". The company states that only the essential purposes are activated before the user gives consent. The company argues that it regards the following as purposes essential to the functioning of "bing.com": combating fraud, including advertising fraud, security such as preventing denial-of-service attacks, detecting malware, and combating disinformation. The company maintains that these inseparable purposes are strictly necessary for the provision of the "bing.com" services as requested by the user. The company specifies that, absent user consent, the only advertising purpose for which the "MUID" cookie is used is non-targeted advertising in the context of combating advertising fraud.

They tried to be clever by re-using the same cookie for multiple purposes, essential and non-essential (the “essential” purpose being related to ad fraud detection), so they claimed they did not need consent to set the cookie. And since they argued that they chose to use a single cookie “to reduce the number of reads and writes”, which is bullshit, they were clearly not acting in any kind of good faith here. The regulator did not condemn them for the bad faith argument though, but because “ad fraud detection doesn't qualify as essential”, so their “smart” move of mixing essential and non-essential purposes within the same cookie wasn't even properly done:

> Furthermore, the rapporteur specifies, in response to the company's argument that treats the purpose of combating fraud in the broad sense as an essential purpose exempt from consent, that only the purpose of combating denial-of-service attacks could be exempt from consent. The rapporteur notes that the other purposes cited do not fall within the scope of the exemptions provided for in Article 82 of the loi Informatique et Libertés, since they are not intended to facilitate electronic communication and are not strictly necessary for the provision of a service expressly requested by the user.

The regulator then remarked that mixing both kinds of purpose within the same cookie is explicitly forbidden anyway: (emphasis mine, on the relevant part)

> In the first place, regarding multi-purpose cookies and other trackers, the restricted committee (formation restreinte) recalls that Article 82 of the loi Informatique et Libertés requires consent for operations reading and writing information on a user's terminal, but provides for specific cases in which certain trackers benefit from an exemption from consent: either when the tracker's exclusive purpose is to enable or facilitate communication by electronic means, or when it is strictly necessary for the provision of an online communication service at the user's express request.


Before this decision I think using the same cookie for both inessential and essential purposes was something that many people still thought was okay, as long as (as Microsoft claimed they were doing) when you do not have permission to use the cookie for inessential purposes you only use it for essential purposes.

But yes, this all ended up being irrelevant since the court decided that they were using it for non-essential purposes before getting permission.



