[HN Gopher] We made our SaaS home page cookie-free
       ___________________________________________________________________
        
       We made our SaaS home page cookie-free
        
       Author : jivings
       Score  : 317 points
       Date   : 2020-11-03 12:53 UTC (10 hours ago)
        
 (HTM) web link (blog.leavemealone.app)
 (TXT) w3m dump (blog.leavemealone.app)
        
       | jlelse wrote:
       | BunnyCDN is nice! Switched from Cloudflare one or two years ago
       | and not looking back, it's a "real" CDN and doesn't require
       | cookies.
        
         | pier25 wrote:
         | I tried to use their push CDN service but I could never upload
         | a file through their API. I went back and forth with support
         | but nothing got solved.
         | 
         | Also, the API for their dashboard was super slow for me. I mean
         | waiting up to 10 seconds for every click on the dashboard or
         | API interaction.
        
           | axelthegerman wrote:
           | Can't find it right now but I definitely uploaded some files
           | via their API - weird you couldn't figure it out together
           | with support.
           | 
           | Also their pages load as fast as anything these days, no
           | problem there either.
           | 
           | Super happy with BunnyCDN - even the pricing!
        
           | gkbrk wrote:
           | I have a script [1] that uploads my website to BunnyCDN.
           | 
           | [1]: https://github.com/gkbrk/scripts/blob/master/bunnycdn-sync.p...
        
             | pier25 wrote:
             | Thanks, I don't know Python but it looks pretty standard.
             | It's similar to what I did in Node.
        
       | aratob wrote:
       | It's interesting to see the visitor stats [0] on the blog itself,
       | provided by Simple Analytics:
       | 
       | 12K hits for the blogpost, HN is the top traffic source with 7,5K
       | referrals.
       | 
       | [0]: https://simpleanalytics.com/blog.leavemealone.app
        
       | ThePhysicist wrote:
       | Well, cookies are not per se evil and you can use them in a
       | privacy-friendly way. You should ask for consent for non-
       | functional cookies (for the Cloudflare cookie you probably
       | wouldn't need to ask for consent, for example) and make sure your
       | consent workflow is compliant with the GDPR. The European Data
       | Protection Board just published guidelines on this btw (in May):
       | https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...
       | 
       | We e.g. offer an open-source consent management solution that is
       | compliant with GDPR (as much as you can say that with confidence)
       | and which you can self host: https://github.com/kiprotect/klaro
       | 
       | Building sites without cookies is possible but it's a bit extreme
       | IMHO. Properly scoped and limited first-party cookies do not pose
       | a large privacy risk to individuals and can make certain legitimate
       | use cases like analytics much easier (or even possible, in some
       | cases).
        
       | stevage wrote:
       | Urgh, the irony - can't open this page, because there is some
       | problem to do with too many redirects. Which you can maybe fix by
       | clearing cookies.
        
         | jivings wrote:
         | Ghost instance crashed, I assume HN hug of death! It's back
         | now.
        
       | donbrae wrote:
       | Getting redirects too. The page on the Wayback Machine:
       | http://web.archive.org/web/20201103140506/https://blog.leave...
        
       | flibble wrote:
       | Can anyone recommend any good articles on how to track paid
       | advertising without being reliant on cookies?
        
       | the_gastropod wrote:
       | A little bit off topic, but this thing looks suspiciously a _lot_
       | like https://lunchmoney.app/ and as far as I can tell is totally
       | unrelated. Even the Lunch Money logo is used under the pricing
       | section... Is this just a coincidence / did Lunch Money also use
       | some stock illustrations that're used here? Or is it just good
       | old-fashioned copying?
        
       | danieleguia wrote:
       | nice write-up with good suggestions on how to accomplish the no
       | cookie page
        
       | danieleguia wrote:
       | Nice write-up on how to make a cookie-free page. Thanks
        
       | eli wrote:
       | _> But it's possible to hit this button again and re-enable
       | Cloudflare forwarding temporarily if we find ourselves under
       | attack, so I figure this is a good option._
       | 
       | Plan to redeploy your production server to a new IP address too
       | since the attacker will still be able to hit it directly.
        
         | Waterluvian wrote:
         | Can you not just reject or ignore all connections not coming
         | from Cloudflare? Or does that still do damage during a DDoS?
        
           | jgrahamc wrote:
           | That doesn't help if your pipe to the Internet is full (think
           | Gbps) or if the router/switch can't process packets fast
           | enough (think Mpps).
        
       | nwsm wrote:
       | I was recently tasked with making an "Accept our use of cookies"
       | banner for our public site. Before that banner we did not store
       | any cookies at all; now we have one to store their consent.
        
         | alangibson wrote:
         | At least 90% of the banners I get hit with around the web are
         | automatically not GDPR compliant because they require you to
         | opt out. It's amazing to think of the effort that's been
         | expended implementing them while still failing to follow the
         | law.
         | 
         | I'd call it a legal fig leaf, but it doesn't cover up anything
         | at all.
        
           | cuu508 wrote:
           | It's a legal face mask with the nose sticking out
        
         | swyx wrote:
         | i could see an excellent webcomic being made out of this
        
         | unfunco wrote:
         | If you don't store cookies at all then you don't need the
         | banner, you don't need consent to be doing nothing.
        
           | TonyTrapp wrote:
           | Try explaining that to the non-technical people the
           | requirement came from.
        
             | chrisweekly wrote:
             | Respectfully, educating stakeholders is part of your job.
             | Until you accept and embrace that, you're likely to remain
             | stuck in roles doing useless things.
        
               | outworlder wrote:
               | How do you know so much about his job role?
        
               | Klinky wrote:
               | If they heard from legal they need it and legal hourly
               | rate is greater than engineering hourly rate, they will
               | rather waste engineering time than spend legal time to
               | save engineering time.
        
               | Griffinsauce wrote:
               | Legal won't be maintaining this feature ad infinitum will
               | it?
               | 
               | Also: it might be interesting to try and find some
               | metrics on conversion impact for those stakeholders.
               | You're making the product worse.
        
               | libria wrote:
               | _Attempting_ to educate stakeholders is part of your job.
               | Forcing them to accept your reasoning may not be possible
               | and they may have other reasons for their decisions that
               | you may not know about or they may not wish to reveal
               | (legal, marketing, internal politics, etc).
               | 
               | And at some point in pushing back, disagree-and-commit is
               | the right thing to do.
        
             | encom wrote:
             | That shouldn't be very difficult. It's not a complex
             | situation.
             | 
             | I don't have a sign in front of my house saying "Beware of
             | the dog", because I don't have a dog.
        
               | TonyTrapp wrote:
               | Since the topic touches law, it's more complex to some
               | people than you might think. To us it's obvious, but
               | someone else might think that they better be safe than
               | sorry and not get sued for accidentally setting a (non-
               | essential) cookie somewhere without letting the user
               | know. I definitely know some people who'd rather
               | implement such "unnecessary" things than exposing
               | themselves to a potential legal trap.
        
               | bavila wrote:
               | I would recommend thinking like a lawyer and writing a
               | memo like one. Legal writing and analysis follows a very
               | common pattern known as IRAC (Issue, Rule, Analysis,
               | Conclusion):
               | 
               | (1) Identify the issue; (2) Quote all relevant rules; (3)
               | Analyze the rules in light of your specific factual
               | circumstances; and (4) Reach a reasonable conclusion
               | based on your analysis of the rules.
               | 
               | This is how your company's legal team is making
               | recommendations to management. You have to fight fire
               | with fire. The only advantage your legal department may
               | have over you is access to more comprehensive legal
               | research services like Westlaw and LexisNexis. But at the
               | end of the day, all they're doing is researching what the
               | law is and how the courts are interpreting the law.
               | Search for the right terms on Google, and you can do a
               | pretty damn good job at crafting credible arguments. We
               | don't need the lawyers always acting like they're at the
               | top of the food chain.
        
               | virtue3 wrote:
               | Lawyers would argue that it might be a good idea to put
               | up a sign if your neighbors have a dog that could attack
               | them.
               | 
               | (weak argument but somewhat funny).
               | 
               | Lawyers are ultra cautious. If you can -guarantee- that
               | no one is going to magically add tracking/google
               | analytics or some such to your site then sure, tell them
               | you don't need the banner.
        
               | mewpmewp2 wrote:
               | I would say big picture wise it is wiser to add the
               | banner unless it hurts your conversions.
        
               | rootusrootus wrote:
               | OTOH, if you got asked often enough if you had a scary
               | dog, you may consider putting up a sign saying "There is
               | no dog here."
        
               | JoshTriplett wrote:
               | At which point the more common question will become
               | "what's with the sign?", and the sign may become the
               | bigger source of concern.
               | 
               | (See also
               | https://knowyourmeme.com/memes/a-lot-of-questions-already-an... .)
               | 
               | You might instead consider asking people why they're
               | asking, and figuring out ways to promote more widespread
               | understanding.
               | 
               | Concretely: you might actively promote adblockers and
               | tell people why they should use them. And rather than
               | saying "we don't use tracking cookies", you could explain
               | "here's why so many sites have cookie banners, here's why
               | we don't".
        
               | mewpmewp2 wrote:
               | Or you could focus on your business goals... And just be
               | safe legally.
        
               | JoshTriplett wrote:
               | I'm not suggesting doing it proactively; I'm suggesting
               | doing it in response to the question, if people
               | repeatedly ask the question. "No, and here are other ways
               | to protect yourself" is stronger and more definitive than
               | just "no".
        
               | mewpmewp2 wrote:
               | What if you might consider adding some analytics later
               | down the road, but are afraid someone will forget about
               | the cookie banner at that point?
        
             | hobby-coder-guy wrote:
             | Get better at explaining. It isn't difficult.
        
             | samoa42 wrote:
             | also perfect excuse to introduce some other usage of
             | cookies
             | 
             | https://news.ycombinator.com/item?id=24979895
        
           | mewpmewp2 wrote:
           | What if you might consider adding some analytics later down
           | the road, but are afraid someone will forget about the cookie
           | banner at that point?
           | 
           | Maybe the customer wants to not worry if some new developer
           | is tasked with analytics and maybe this developer forgets
           | about the cookie banner.
        
           | reaperducer wrote:
           | _If you don't store cookies at all then you don't need the
           | banner, you don't need consent to be doing nothing._
           | 
           | That was his point. He was illustrating the absurdity he has
           | to deal with.
        
         | rustybolt wrote:
         | I'll bite: So why did you need it in the first place?
        
           | nwsm wrote:
           | Eventually we'll add an analytics plugin and need the banner.
           | But at the time it was one of those "every site has one"
           | decisions from non-technical folks. Similar frustration with
           | arbitrary password requirements on the same site.
        
             | DarkWiiPlayer wrote:
             | > password requirements
             | 
             | Tell your higher-ups I hate them. I decide what my password
             | is and if it's secure enough considering how much I value a
             | given service.
        
               | airstrike wrote:
               | Sometimes I really want my password to be 123123!
        
               | reaperducer wrote:
               | _Sometimes I really want my password to be 123123!_
               | 
               | Yes, I do.
               | 
               | For example, I have a laptop that is airgapped from the
               | internet. But macOS still requires a password to
               | differentiate between users.
               | 
               | Fortunately, Apple permits four-digit numbers to be used
               | for logins, and doesn't impose its own views on the
               | situation.
        
             | Alupis wrote:
             | Probably an unpopular opinion - but if you do not have a
             | physical presence in the EU, and you're not the size of
             | some Unicorn corp, you can completely ignore these silly
             | cookie banners for now and instead focus on things that
             | actually matter for your startup.
        
             | dvtrn wrote:
             | What are we as technical operators even good for if our
             | counsel, judgment and recommendations (things I thought we
             | were even hired for as valuable key contribution points)
             | are frequently overridden by non-technical people who in
             | the best cases don't understand the evidence shown, in the
             | worst don't even care to?
        
             | wdb wrote:
             | Well, if you use Cloud Armour and you try to change the
             | password it apparently doesn't like the password to start
             | with $ and then this blocks the whole request.
             | 
             | Two options to solve: disable the specific rule or change
             | the password requirements. Sometimes the latter is the
             | easiest in some companies.
        
             | alangibson wrote:
             | My "dysfunctional product design process" alarm is going
             | off.
             | 
             | The idea of implementing an annoying popup to support
             | something you _might_ do in the future for any reason is
             | madness.
             | 
             | And do they not realize that user credentials are a huge
             | liability? Why would you want to support anything related
             | to user identity if you don't need to.
        
               | mewpmewp2 wrote:
               | I don't think it is irrational or madness at all. Imagine
               | having to switch developers and then you ask for
               | analytics from your new developer. Very easy to happen
               | that they could forget about the cookie banner.
               | 
               | I would go as far as to say it is wise to deal with it
               | once and for all.
               | 
               | Especially since implementing the banner takes such a short
               | amount of time. Worrying about it will waste many times
               | more brain cycles and once again there is always a chance
               | someone forgets about it in the future and legal worries
               | will be infinitely more costly.
        
               | reaperducer wrote:
               | _My "dysfunctional product design process" alarm is going
               | off._
               | 
               | Very few companies are large enough to have a "product
               | design process."
               | 
               | In situations like this, it's usually some paper-pusher
               | saw it on his favorite web site and thinks it should be
               | on the company's, too.
               | 
               | Middle managers gotta middle manage.
        
               | kubanczyk wrote:
               | > Middle managers gotta middle manage
               | 
               | Hilarious, stealing it!
               | 
               | Originally at
               | https://news.ycombinator.com/item?id=23797037
        
             | Angostura wrote:
             | "We've used advanced technology design to ensure we are
             | compliant without the need for the ugly banners other sites
             | are forced to use"
        
         | reaperducer wrote:
         | _Before that banner we did not store any cookies at all; now we
         | have one to store their consent._
         | 
         | Some of the web sites I manage have sections in their Terms of
         | Service outlining how we handle cookies, and store user login
         | information.
         | 
         | These are web sites that store no cookies, and do not have user
         | logins.
         | 
         | But whatever the legal department wants, the legal department
         | gets.
         | 
         | When I feel generous, I chalk it up to Legal future-proofing
         | the situation. When I'm not, I call it trendchasing.
        
           | TeMPOraL wrote:
           | > _When I feel generous, I chalk it up to Legal future-
           | proofing the situation. When I'm not, I call it
           | trendchasing._
           | 
           | In my even less charitable mood, I'd call it copy-pasting ToS
           | templates to avoid doing work.
        
             | mewpmewp2 wrote:
             | I am guilty of doing that for my MVPs. I just go extra safe
             | everything, because I would rather get to market sooner.
        
               | TeMPOraL wrote:
               | Yeah, and I don't hold it against very early stage
               | startups or Show HNs. But if your company has lawyers in-
               | house preparing these texts, that's more surprising then.
        
         | ATsch wrote:
         | It's extra fun because there's really two options:
         | 
         | a) the cookies are necessary for technical reasons. This means
         | you don't need to ask for permission
         | 
         | b) the cookies are for marketing, which means you must be able
         | to decline without consequences
         | 
         | Half of the banners do neither of these things and are thus
         | either unnecessary or insufficient.
        
           | eli wrote:
           | For GDPR or CCPA?
        
             | stefgodjibayo wrote:
             | GDPR and PECR (CCPA is primarily aimed at preventing
             | selling of data)
        
             | vmception wrote:
             | sidenote: I wish California would pass a Right to be
             | Forgotten like the EU has. That would be epic.
             | 
             | Maybe I make that ballot measure myself, given so many
             | "digital measures" having so much interest here already.
        
               | withinboredom wrote:
               | Filed bankruptcy? No problem. Just make the credit
               | companies forget about it!
               | 
               | After moving from the US to the EU, I've thought about
               | trying to use that right on my credit history in the US.
               | I don't think it would work, but it would be entertaining
               | if they even responded.
        
               | vmception wrote:
               | The right is about search engines and data brokers
        
           | Angostura wrote:
           | b) the cookies are for marketing, which means you must be
           | able to decline without consequences
           | 
           | Nope - 'decline' has to be the default assumption for GDPR
           | compliance. You only need the banner if you want people to
           | opt in.
        
             | ATsch wrote:
             | That's true, but in the context of a popup this means you
             | must be able to deny or dismiss it without consequences.
        
             | imiric wrote:
             | That doesn't prevent dark UI patterns to highlight "Accept"
             | and hide "Reject" as much as possible, or not having a
             | "Reject all" button. Some sites deliberately make you
             | manually click on "Reject" for each "ad partner", at which
             | point I bail out or disable JS or scrape the text if I'm
             | really interested in the content.
             | 
             | The web of 2020 has become a hostile and ad infested place.
             | I miss the simplicity of the 90s, but it might be nostalgia
             | bias.
        
               | mattrick wrote:
               | To be fair the web of the early 2000s was full of ads
               | too. I remember a time when people still used Yahoo as
               | their homepage which was basically just a giant ad
               | delivery platform with even more invasive ads than we
               | have today. That's not to say that today is much better.
               | It seems like most sites today try to walk the line
               | between ad revenue and user retention.
        
               | marcosdumay wrote:
               | Yes, it was full of ads, but not tracking. Some ads were
               | targeted to the sites they were displayed, and not to the
               | person reading it.
        
               | enriquto wrote:
               | > That doesn't prevent dark UI patterns to highlight
               | "Accept" and hide "Reject" as much as possible
               | 
               | I giggle every time I find this dark pattern thinking it
               | is the modern equivalent of the ballots for the Austrian
               | Merging referendum of 1938 [1]
               | 
               | [1] https://en.wikipedia.org/wiki/1938_Austrian_Anschluss_refere...
        
               | MaxBarraclough wrote:
               | These dark patterns are very widespread, and are even
               | seen on generally reputable websites like TomsHardware,
               | but are they actually GDPR compliant?
               | 
               | GDPR enforcement is approximately zero, to my knowledge,
               | so I don't know if there's even really an answer to the
               | question.
               | 
               | For what it's worth, Wikipedia gives the impression
               | no-one really knows.
               | https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
        
               | mattmanser wrote:
               | The new dark pattern is to default everything off, but
               | then have a separate switch labelled "legitimate
               | reasons", which are all turned on by default.
               | 
               | For example https://www.telegraph.co.uk/ (right wing UK
               | newspaper). In the pop-up it says "You can also review
               | where our partners claim a legitimate interest to use
               | your data and, should you wish, object to them doing
               | so.".
               | 
               | If you click manage it opens with "user consent"
               | selected, where everything is turned off. Click save
               | means they're not going to start tracking you, right?
               | 
               | Wrong, if you switch to "legitimate purpose", you'll see
               | that everything is turned on. All those ad companies
               | claim they have a legitimate purpose to be tracking you,
               | even though you have zero business relationship with
               | them.
               | 
               | Unless the ICO hands out some very heavy fines to those
               | companies, the whole thing's become a farce, just like
               | the cookie law was.
        
       | GordonS wrote:
       | > This means we are now just using Cloudflare for DNS. But it's
       | possible to hit this button again and re-enable Cloudflare
       | forwarding temporarily if we find ourselves under attack, so I
       | figure this is a good option.
       | 
       | Without this enabled, attackers know what your backend IP address
       | is, so even if you enabled it later, they could continue to DDOS
       | your IP directly, without doing a DNS lookup.
       | 
       | You'd only get what you want if you both re-enabled this _and_
       | switched to different IP addresses.
        
         | mattrick wrote:
         | You could firewall off non-Cloudflare requests:
         | https://support.cloudflare.com/hc/en-us/articles/201897700-A...
        
           | Okx wrote:
           | A software firewall is useless against a DDoS attack. It will
           | only serve to help your IP not get discovered in the first
           | place.
        
         | eloff wrote:
         | Also the Cloudflare cookie is clearly for technical purposes,
         | not marketing. So no consent is needed under GDPR, in my
         | understanding. Getting rid of it didn't accomplish anything
         | useful.
        
           | calcifer wrote:
           | > Also the Cloudflare cookie is clearly for technical
           | purposes, not marketing.
           | 
           | How do you know that? Because they say so?
        
             | edoceo wrote:
             | Here's what they say for anyone who's looking
             | 
             | https://www.cloudflare.com/en-gb/gdpr/introduction/
        
       | varispeed wrote:
       | Isn't the problem about actual tracking and not the cookies? If
       | you track someone without using any cookie you still need to ask
       | for consent. I kind of don't understand this post. Can
       | someone explain why is it okay to track someone without cookie?
        
       | tarjei wrote:
       | I've been thinking of trying to combine self-hosted analytics and
       | adding ad info in the urls of ads so I can track if a user
       | arrived at my site via an ad without divulging that to any third
       | parties.
       | 
       | Has anyone tried something like that? Did it work? Obviously what
       | you give up is retargeting but that may have to go anyhow.
        
         | hapidjus wrote:
         | Isn't this basically UTM Tracking?
        
         | wongarsu wrote:
         | Tracking ads via URL parameters is pretty standard (utm
         | parameters), and self-hosted matomo can be set to run without
         | cookies. This means that some metrics can't be tracked [1]. The
         | most impactful of those is attributing people to a campaign if
         | they come via an ad, view your website, but only convert after
         | leaving and coming back some time later.
         | 
         | If you leave cookies enabled everything just works just as
         | you would expect, with full conversion tracking etc. Some ad
         | services try to optimize ads according to tracking data you
         | send them, which obviously doesn't work if you don't run their
         | tracking code.
         | 
         | 1: https://matomo.org/faq/general/faq_156/
        
         | marban wrote:
         | I store the url param in a DB and rewrite the Url to a cleaned
         | one via JS in case the user bookmarks the page.
        
         | patja wrote:
         | I always thought this was a fairly common practice so you can
         | verify you are getting the ad traffic you paid for.
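
Added example (not from the thread or from any commenter's code): the cookie-free ad attribution discussed in this sub-thread, reading utm parameters from the landing URL, reporting them to a first-party endpoint, then rewriting the address bar to the cleaned URL. The `/collect` endpoint, the key list and the value filter are assumptions made for illustration.

```javascript
// Campaign keys to look for. Anything else in the query string is left alone.
const CAMPAIGN_KEYS = [
  'utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content',
];

// The query string is attacker-controlled: anyone can craft a link to the
// site. Accept only short, plain tokens so that values stored in the
// analytics DB cannot carry markup or control characters into a dashboard
// or a log line later on.
const SAFE_VALUE = /^[A-Za-z0-9_.-]{1,64}$/;

// Pure function: takes the landing URL, returns the accepted campaign
// values and the same URL with every campaign key removed.
function extractCampaign(href) {
  const url = new URL(href);
  const campaign = {};
  for (const key of CAMPAIGN_KEYS) {
    const value = url.searchParams.get(key);
    if (value !== null && SAFE_VALUE.test(value)) {
      campaign[key] = value;
    }
    // Strip the key even when its value was rejected, so a bookmarked or
    // shared URL never carries campaign data.
    url.searchParams.delete(key);
  }
  return {
    campaign,
    hasCampaign: Object.keys(campaign).length > 0,
    cleanedUrl: url.toString(),
  };
}

// Browser-only part: report once, then clean the address bar.
// No cookie, localStorage entry or visitor identifier is written.
function recordAndClean(endpoint) {
  const result = extractCampaign(window.location.href);
  if (result.hasCampaign) {
    const body = JSON.stringify({
      campaign: result.campaign,
      path: window.location.pathname, // landing page only, no visitor id
    });
    // sendBeacon queues the POST without blocking navigation.
    navigator.sendBeacon(endpoint, new Blob([body], { type: 'application/json' }));
  }
  if (result.cleanedUrl !== window.location.href) {
    // replaceState swaps the URL without a reload or a new history entry.
    window.history.replaceState(null, '', result.cleanedUrl);
  }
  return result;
}

if (typeof window !== 'undefined' && typeof window.history !== 'undefined') {
  recordAndClean('/collect'); // hypothetical first-party endpoint
}
```

The server behind the endpoint should apply the same allowlist again, since a client can post to it directly.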
        
       | jivings wrote:
       | TL;DR: We set out to have a no-cookie homepage. Replaced Google
       | Analytics, Crisp Chat and Cloudflare with privacy friendly
       | alternatives!
        
         | criddell wrote:
         | Just out of curiosity, how important is live chat? I don't
         | think I've ever had a good experience using a site's chat
         | function.
        
           | stjohnswarts wrote:
           | Back when I was doing web stuff for clients I got a lot of
           | help through hostgator chat function and it was great. It all
           | depends on how knowledgeable the person on the other side is.
           | The medium is fine in and of itself.
        
             | criddell wrote:
             | I've had two types of experience.
             | 
             | One - the person on the other end works for a different
             | company and they can answer a few common questions, but
             | everything else is "call this 800 number." Cell phone
             | companies do this.
             | 
             | Two - the person immediately says "give me your phone
             | number and let's talk on the phone" (car dealers are
             | terrible for this).
             | 
             | I guess there is a third type - companies using a laughably
             | terrible bot. I encountered this with Sony after I bought a
             | game online and it wouldn't start. I eventually called in
             | and they instantly refunded my money because I think it was
             | a common problem.
        
           | jivings wrote:
           | We have a rather difficult onboarding process and users often
           | message via the chat for help.
           | 
           | For the homepage I'd say visitors message _rarely_ so it is
           | less useful. That said, the ones that do are usually the same
           | who convert as they are already fairly qualified leads and
           | just want a little extra info before they sign up.
        
         | gcatalfamo wrote:
         | How do you retarget on potentially interested customers?
        
           | mrweasel wrote:
           | How effective is retargeting? I understand that it varies
           | from business to business, but from what I saw 5 years ago in
           | consumer electronics, gaming and toys, it's not really going
           | to be a significant revenue source.
           | 
           | The retargeting most of us see is the failed kind where
           | you're trying to sell a fridge to the person who already
           | ordered one two days ago, and you're the person who sold it,
           | but your retargeting partner does actually support
           | registering a purchase.
        
             | shostack wrote:
             | It varies by advertiser. Smart ones do incrementality
             | testing to prove its added value and optimize accordingly.
        
             | jsjohnst wrote:
             | > The retargeting most of us see is the failed kind
             | where you're trying to sell a fridge to the person who
             | already ordered one two days ago
             | 
             | I've paid close attention over the past few years and have
             | found >80% of the retargeted ads are for something _I just
             | purchased_ (and they are usually the "single purchase" type
             | product, similar to the fridge analogy you used)
        
             | konha wrote:
             | Very effective.
             | 
             | Even if a big share of your ad impressions falsely target
             | someone who already bought (see sibling comment) the
             | remaining impressions lead to an increase in conversions at
             | a comparatively low cost per conversion.
             | 
             | As you said, this will vary from business to business, but
             | I have seen very successful retargeting campaigns in b2c
             | e-commerce as well as b2b lead generation.
        
           | bochoh wrote:
           | I think the whole point of being privacy focused is that you
           | don't retarget and your product sells by its own merits.
        
             | ponderingfish wrote:
             | That's hard and I hope they can achieve this strategy!
        
             | jamiequint wrote:
             | > your product sells by its own merits
             | 
             | This is a common yet naive thing to say that is rarely ever
             | true in practice.
        
       | Geee wrote:
       | There's no cookie banner on apple.com, but they use cookies.
       | 
       | There's a cookie banner on google.com, but no way to decline.
        
         | maxton wrote:
         | Assuming Apple is only using cookies for technical purposes,
         | like providing a way to log in or use a shopping cart, then
         | there is no need to use a banner. Google needs the banner
         | because they are using cookies for advertising and tracking
         | purposes, and you can probably guess why there's no way to
         | decline
        
       | m1aw wrote:
       | Is it necessary to get consent from the user about _cfduid?
       | 
       | From what I understand functional cookies are excluded from the
       | consent banner.
        
         | stjohnswarts wrote:
         | They wanted to get rid of cookies as much as possible as that's
         | part of their business plan (privacy). So they found a better
         | CDN that didn't use cookies at all, so I'd say they made out
         | like a bandit.
        
         | achairapart wrote:
         | The problem with _cfduid is that it is essentially a third-
         | party cookie (even if it's set on your own domain).
         | 
         | So I think you are still required to inform users of the cookie
         | usage, the purpose of the cookies and link to the relevant
         | Cloudflare privacy/cookie policies.
        
           | jivings wrote:
           | This is what I assumed too.
        
       | distantsounds wrote:
       | how to make a website sans cookies:
       | 
       | don't use cookies.
       | 
       | saved you all a click.
        
         | raxxorrax wrote:
         | You could use localStorage and a script for setting/getting the
         | info via xmlhttp. Technically not a cookie and there is nothing
         | automatically sent.
         | 
         | I think cookies are great if they weren't abused as much.
         | 
         | (not saying the site is using any alternative approaches, I
         | think their ambition is laudable)
        
           | cseleborg wrote:
           | I believe localStorage is equivalent to cookies as far as the
           | European cookie banner directive is concerned.
        
             | volument wrote:
             | The eDirective states that the browser and device
             | information (like the URL) is private data and you need a
             | permission to access it for non-essential purposes such as
             | analytics. This is why Simple Analytics also needs a cookie
             | banner, in contrast to what their marketing says.
        
               | Vespasian wrote:
               | I'm not quite up to date, was it passed since 2018? I
               | remember it being delayed quite a bit.
               | 
               | My Google-Fu has proved insufficient.
        
               | volument wrote:
               | EU is still working on a new version of the directive. I
               | heard they have been doing it for three years now.
        
         | cseleborg wrote:
         | Well... turns out, it's not that easy. I, too, removed the
         | cookies from my website [1] and was thrilled to finally get rid
         | of the cookie banner, but had to jump through some hoops:
         | 
         | - It's a WooCommerce store. WooCommerce stores one persistent
         | cookie to keep track of your cart. I had to hack up a little
         | snippet of PHP code to turn that into a session cookie. It's
         | not quite documented behavior, but the hack feels robust enough
         | that I can live with it. (Session cookies are allowed, as per
         | GDPR.)
         | 
         | - YouTube embeds had to go, as even their youtube-nocookie
         | domain sets cookies (thanks, YT). Vimeo has a "dnt" option that
         | seems close to what I want, but it still sets some ID in
         | localStorage, which the GDPR views as equivalent to cookies in
         | this regard. So my current workaround is to just have the video
         | thumbnail and link to the proper video on YT, but that sucks
         | because now my visitors leave the website.
         | 
         | - Replaced Google Analytics with self-hosted Matomo, carefully
         | configured to not set cookies (it's not trivial), which now
         | regularly brings my cheap hosted server to the limit ;-)
         | 
         | So even a relatively simple website that does little fancy is
         | not easy to get free of cookies.
         | 
         | [1] https://dascask.com
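
Whether a cart cookie really became a session cookie, as cseleborg describes above, can be read off the `Set-Cookie` response headers: a cookie with neither `Expires` nor `Max-Age` is discarded when the browser session ends. The following is an added example, not part of the thread or of any project mentioned in it; the function names and the sample headers (cookie names other than `__cfduid`, and all values) are constructed for illustration.

```python
"""Classify Set-Cookie headers as session, persistent or deletion."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    kind: str                # "session", "persistent" or "deletion"
    lifetime: Optional[int]  # seconds until expiry; None for session cookies
    domain: Optional[str]    # Domain attribute without leading dot, if set


def parse_set_cookie(header: str, now: datetime) -> Cookie:
    """Classify one Set-Cookie header value relative to the time `now`."""
    first, *attrs = header.split(";")
    name = first.split("=", 1)[0].strip()
    max_age = expires = domain = None
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            # A malformed Max-Age is ignored, as a browser would ignore it.
            if re.fullmatch(r"-?[0-9]+", val):
                max_age = int(val)
        elif key == "expires":
            try:
                when = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # unparseable date: attribute is ignored
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            expires = when
        elif key == "domain":
            domain = val.lstrip(".").lower() or None
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    if max_age is not None:
        lifetime = max_age
    elif expires is not None:
        lifetime = int((expires - now).total_seconds())
    else:
        return Cookie(name, "session", None, domain)
    # A lifetime of zero or less tells the browser to drop the cookie.
    kind = "persistent" if lifetime > 0 else "deletion"
    return Cookie(name, kind, lifetime, domain)


def persistent_cookies(headers: List[str], now: datetime) -> List[Cookie]:
    """Return only the cookies that outlive the browser session."""
    return [c for c in (parse_set_cookie(h, now) for h in headers)
            if c.kind == "persistent"]


# Constructed sample headers and a fixed clock so the result is reproducible.
NOW = datetime(2020, 11, 3, 12, 53, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "cart=abc123; Path=/; Secure; HttpOnly",
    "cart_hash=9f2c; Expires=Thu, 05 Nov 2020 12:53:00 GMT; Path=/",
    "__cfduid=d0123; Expires=Thu, 03 Dec 2020 12:53:00 GMT; "
    "Domain=.example.com; HttpOnly; SameSite=Lax",
    "pref=dark; Max-Age=3600; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "old_id=; Max-Age=0; Path=/",
    "broken=1; Expires=not-a-date",
]

if __name__ == "__main__":
    for cookie in (parse_set_cookie(h, NOW) for h in SAMPLE_HEADERS):
        print(f"{cookie.name:10} {cookie.kind:10} "
              f"lifetime={cookie.lifetime} domain={cookie.domain}")
```

The headers to feed in are the ones a first, cookie-less request to the page receives; cookies set later by scripts, and identifiers written to localStorage, do not appear in response headers and need a browser-side check.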
        
           | tleb_ wrote:
           | > Session cookies are allowed, as per GDPR.
           | 
           | Would you have a source? Reading through this page[0] I don't
           | get the impression this is right. Session cookies are cookies
           | nonetheless that can be used to identify users and if they
           | are used that way, consent should be asked and given before
           | usage.
           | 
           | [0]: https://gdpr.eu/cookies/
        
       | ss3000 wrote:
       | I enjoyed the post and appreciate that more people are looking
       | for privacy focused alternatives to traditional vendors.
       | 
       | Though I'm disappointed to hear that one of the conclusions seems to
       | be there's no privacy-focused chat vendor that does something as
       | simple as not collecting identifying information on users until
       | they interact with the chat app, with integrated consent
       | collection (which is essentially what they've implemented with
       | their fork).
       | 
       | Maybe the wider HN community might know of such a service?
        
         | mickael-kerjean wrote:
         | There's a ton of open source ones, I use intergram
         | (https://github.com/idoco/intergram) but there's more:
         | 
         | - https://github.com/LiveHelperChat/livehelperchat
         | 
         | - https://github.com/chatwoot/chatwoot
         | 
         | - https://github.com/papercups-io/papercups
        
         | jivings wrote:
         | I think there's a gap in the market here!
        
       | Aldipower wrote:
       | This is a really good write up! I wish more companies and SaaS
       | put this cookie-less directive on top of their priorities. We
       | do the same, except we have a jwt-cookie, but which is
       | strictly bound to our domain. Additionally we avoid third-party
       | scripts and apps, fonts or things like the facebook commenting
       | system. Basically all stuff sending user traces to foreign
       | parties. We did a write-up about this here, if you are
       | interested, how we did it:
       | https://www.tredict.com/blog/we_do_not_track_you/
        
       | Hnrobert42 wrote:
       | In case leavemealone.app is reading these messages, I will leave
       | this here. I failed to sign up. After clicking the sign up
       | button, the button began pulsing but did nothing more. When I
       | tried reporting the failure via chat, nothing happened when I
       | clicked send. After clicking send, I noticed that my initial chat
       | message had been truncated halfway. I don't know if these two
       | failures are related.
       | 
       | I am using Firefox Focus on an iPhone 7 running iOS 14.1.
        
         | jivings wrote:
         | We're getting a bit smashed by HN traffic right now and server
         | is running a little more slow than usual! I hope you check back
         | in a little while.
        
       | volument wrote:
       | Cookies are not an issue for GDPR, it's all about respecting
       | users' privacy. In fact you can freely store anonymous data to
       | cookies, localStorage, and sessionStorage without issues. The
       | problem comes when you are dealing with personally identifiable
       | information such as permanent identifiers.
       | 
       | You definitely need a "cookie banner" when using Simple
       | Analytics, Fathom, or Plausible. Any service that accesses the
       | device information such as the URL needs a permission from the
       | user according to the ePrivacy directive.
       | 
       | We have consulted EU law specialists when building our upcoming
       | analytics service that is as privacy-friendly as Simple
       | Analytics, while still measuring important things like retention
       | and conversions. More information:
       | 
       | https://volument.com/learn/data-privacy
        
         | AdriaanvRossum wrote:
         | Founder of Simple Analytics [1] here. There is a lot of
         | information around cookie banners that is just not true. For
         | example cookies are not limited to the technology of cookies,
         | it contains any piece of information that you can use to track
         | a user. An IP address, localStorage, sessionStorage, ... You
         | are allowed to add a functional cookie with a dark mode setting
         | for example without a cookie banner. You can't use an analytics
         | cookie without a cookie banner.
         | 
         | What you are sharing is simply not true and I will clarify. A
         | cookie banner is required when you store PII data. This is
         | personally identifiable information. This includes, but is not
         | limited to an IP address, a cookie with a user identifier, ...
         | You are free to collect data that is not part of this without a
         | cookie banner. You are also referring to a URL as being device
         | information, this is not device information but basically a
         | page view. You are allowed to collect page views and URLs that
         | are linked to these page views with a cookie banner.
         | 
         | You are describing retention for your business. That's only
         | possible with a cookie banner. It makes perfect sense because
         | you need to calculate retention somehow. If you can calculate
         | retention and conversions you are tracking a user. So you need
         | a cookie banner.
         | 
         | Cookie banners are also a thing that are implemented on the web
         | in many wrong ways. You should always have a way to disable
         | cookies. Just an "accept all cookies" is legally invalid under
         | the GDPR. The e-Privacy was already in place before the GDPR
         | and the GDPR is somewhat a clarification of it.
         | 
         | Simple Analytics does not use cookies and does not require a
         | cookie banner. We don't track your visitors and don't calculate
         | retention or conversions. If your service does this, they are
         | tracking your user and you might need a cookie banner.
         | 
         | [1] https://simpleanalytics.com
        
           | briandear wrote:
           | > You can't use an analytics cookie without a cookie banner.
           | 
           | In what country? There is certainly no US law to my
           | knowledge, that says that.
        
             | shawabawa3 wrote:
             | Everyone's talking about EU law
        
             | volument wrote:
             | That depends solely on what is an "analytics cookie". If
             | it's a permanent identifier, then it's considered PII and
             | requires a GDPR consent. Otherwise GDPR doesn't care. You
             | can freely store foo=bar to a cookie.
        
           | tipiirai wrote:
           | Hey. Founder of Volument[1] here. We consulted EU law
           | specialists on this particular matter. You are right: you
           | definitely need a cookie banner when you store or process PII
           | data. But GDPR is just an extension to ePrivacy, which says
           | that you also need the cookie banner when any of the device
           | information is accessed (such as the browser URL) for non-
           | essential purposes.
           | 
           | The ePrivacy is just a _directive_ and doesn't oblige to
           | anything. It's the local laws of Europe that do. We have
           | compiled a detailed list of all the European countries and
           | the respective laws that require an analytics service for
           | opt-in or opt-out style banner. [2]
           | 
           | Retention is not possible without cookies or localStorage,
           | but you can measure retention without storing or processing
           | any PII information.
           | 
           | [1] https://volument.com
           | [2] https://volument.com/learn/data-privacy
        
             | XCSme wrote:
             | > non-essential purposes
             | 
             | How is that defined? For many businesses it is essential to
             | know conversion rates and which users buy, especially if
             | they invest in ads so they can calculate their ROI and know
             | if their campaigns bring in profit or loss, which I think
             | it's pretty "essential".
        
               | ratww wrote:
               | It means essential for the usage of the website, as in
               | technically essential, like login or shopping cart.
               | 
               | The law doesn't say anything about it, though: this is
               | just the interpretation and how courts have been treating
               | it, so I wouldn't try to find loopholes around the word
               | "essential" if you intend to follow it.
               | 
               | A court has ruled that tracking cookies used by ad
               | networks, analytics and retargeting require consent [1].
               | 
               | Nothing stopping you from analysing your logged-user
               | data, though (as long as you disclose it to your
               | customers and comply with the rest of GDPR), so it's
               | possible to have those kinds of measurements even without
               | those stupid cookie banners.
               | 
               | [1] https://techcrunch.com/2019/10/01/europes-top-court-
               | says-act...
        
             | fanf2 wrote:
             | I am confused. What do you mean by "browser URL"? Do you
             | mean the URL of the page that the user accessed? How is
             | that not essential? How is it specific to the user's
             | device?
        
               | volument wrote:
               | Yes: the location information on the browser. You cannot
               | access it for non-essential _purposes_ without user
               | consent. See Article 5  / Statement 3 in the ePrivacy
               | directive[1]
               | 
               | [1] https://eur-lex.europa.eu/legal-
               | content/EN/TXT/HTML/?uri=CEL...
        
               | fanf2 wrote:
               | The browser sends the URL to the server to download the
               | page so you can't avoid receiving the URL before
               | receiving consent from the user. You get to see the URL
               | without accessing the user's device.
               | 
               | Your citation does not mention URLs or clarify why they
               | might be non-essential.
        
               | ratww wrote:
               | An example:
               | 
               | If you're using it to display a page (say: React Router),
               | then it's essential functionality.
               | 
               | If you're using the URL to propagate a unique hash
               | between pages that is used to identify the user for
               | marketing purposes, then it requires consent.
        
               | ephimetheus wrote:
               | Ah, this would make sense. They mean if I put data in the
               | url and retrieve it from there.
               | www.example.com/search?q=abcd would be fine in that
               | interpretation.
        
             | klohto wrote:
             | I would argue that at least for Czech Republic, the notice
             | is not required if the processed data is crucial to
             | providing the service the user requested. You cite Article
             | 89(3) of the Electronic Communications Act, where it's
             | stated that "... nor does it apply to the cases where such
             | technical storage or access activities are needed for the
             | provision of an information society service explicitly
             | requested by the subscriber or user.". This part was also
             | modified several times, most recently at 2018 in 20/2018 s.
             | 687
        
               | volument wrote:
               | The list is only for non-essential services such as
               | website analytics. Is there a better cite for Czech
               | Republic? Happy to edit.
        
               | klohto wrote:
               | Nope, you're spot on with the citation! I got confused
               | and thought the discussion here is around essential
               | cookies/data :)
        
           | ThePhysicist wrote:
           | The GDPR is not a clarification of the ePrivacy directive, on
           | the contrary. The ePrivacy directive "particularises" certain
           | aspects of the GDPR. National implementations of the ePrivacy
           | directive (which, unlike the GDPR, needed to be put in laws
           | within each EU country) that e.g. regulate certain aspects of
           | electronic communication have priority over the GDPR as a
           | "lex specialis". Wherever such provisions do not exist, the
           | GDPR takes precedence as a "fallback legislation".
           | 
           | If you don't trust my word on this you might want to check
           | out the official stance of the European Data Protection Board
           | on this (from 2019): https://edpb.europa.eu/sites/edpb/files/
           | files/file1/201905_e...
           | 
           | The EU is working on an ePrivacy regulation btw, which will
           | indeed replace the ePrivacy directive, but it's not likely
           | that it will be passed before 2021 or 2022.
        
       | villgax wrote:
       | The cloudflare cookie still persists.
        
         | speedgoose wrote:
         | I wish Cloudflare could allow removing this cookie. I'm willing
         | to pay for that feature.
        
           | dkyc wrote:
           | That cookie can be disabled on Cloudflare's Enterprise plan
           | [0] (which, to be fair, starts at like $60k a year).
           | 
           | [0] https://support.cloudflare.com/hc/en-
           | us/articles/200170156-U...
        
             | judge2020 wrote:
             | The enterprise plan is a very custom plan - if you only
             | need access to one or two features and/or only have a few
             | million requests a month, the price can be pretty cheap
             | (much less than the 5k/mo price advertised on the CF
             | dashboard), but if you want mission-critical features like
             | bot management[0], access to China datacenters[1], etc. it
             | definitely can get into the 6-figure range - and they do
             | have over 550 customers paying 6 figures or more [2].
             | 
             | But just getting one to remove the cookie is probably not
             | worth it since it will end up costing more than a business
             | plan (200/mo) regardless.
             | 
             | 0: https://www.cloudflare.com/products/bot-management/
             | 
             | 1: https://www.cloudflare.com/network/china/
             | 
             | 2: http://d18rn0p25nwr6d.cloudfront.net/CIK-0001477333/0976
             | 9260... (page 63)
        
               | eli wrote:
               | I think you can negotiate with them if you only need some
               | enterprise features.
        
             | speedgoose wrote:
             | Alright. I can budget 100EUR per year so I will keep the
             | cookie.
        
             | achairapart wrote:
             | It's funny that you have to pay more in order to have less.
             | 
             | Cloudflare, if you are listening: Just give us an option to
             | disable this cookie. Thanks!
        
           | 3pt14159 wrote:
           | How would they know that you're you without the cookie?
        
             | speedgoose wrote:
             | I wasn't thinking as a visitor, but as a website owner who
             | uses Cloudflare.
        
           | [deleted]
        
         | jivings wrote:
         | It's currently still there on the blog site because I was
         | worried that HN would smash my server and haven't moved it over
         | to BunnyCDN yet ^^
        
           | kaszanka wrote:
           | I wish you luck on your move -- I love to see people dropping
           | Cloudflare's MITM service that mistreats Tor users (among
           | others).
        
             | input_sh wrote:
             | FYI a site owner can whitelist Tor as a "country" to stop
             | mistreatment of Tor users. Of course, hardly anyone that
             | uses Cloudflare does that.
        
       | Saar1991 wrote:
       | I like the idea of having a public analytics tracking page. How
       | early in your journey did you introduce that?
        
         | jivings wrote:
         | From the start!
        
       | Jsharm wrote:
       | Naively did not realise using cloudflare as a cdn meant
       | subjecting users to cookies. I don't have a consent banner...
       | Does Netlify?
        
         | [deleted]
        
         | donbrae wrote:
         | Netlify doesn't seem to have a consent banner but sites hosted
         | on it don't set cookies, despite using Cloudflare (at least
         | that's my experience hosting a blog on it).
        
           | iruoy wrote:
           | Netlify doesn't use cloudflare. Their DNS[1] is managed by
           | NS1 and they host their websites on the edge[2] instead of
           | using a cdn.
           | 
           | [1]: https://ns1.com/blog/netlify-leverages-ns1-to-improve-
           | perfor...
           | 
           | [2]: https://www.netlify.com/products/edge/
        
             | donbrae wrote:
             | Ah, thanks. Didn't realise that.
        
         | wongarsu wrote:
         | At least under EU cookie laws and GDPR you shouldn't need a
         | consent banner for Cloudflare cookies, as they provide
         | essential functions (for availability and security) and don't
         | track users. You might have to mention them and their purpose
         | in your privacy policy though.
         | 
         | https://support.cloudflare.com/hc/en-us/articles/200170156-U...
         | goes into some detail on what the cookies do and (more importantly
         | here) what they don't do.
        
           | ancymon wrote:
           | You might be kind of wrong. I think you don't need consent.
           | But the cookie law still requires notification banner (which
           | is basically the same thing). That's because cookie usage by
           | itself (no matter the purpose) requires notification.
        
             | ATsch wrote:
             | https://ico.org.uk/for-organisations/guide-to-
             | pecr/cookies-a...
             | 
             | Here's what the UK Regulator says.
             | 
             | It's a bit unfortunate, there was a follow-up to this law
             | that much improved the cookie nagging, but unfortunately it
             | seems to have been stopped in its tracks by lobbyists
             | because of its restrictions on ad tracking.
        
               | [deleted]
        
               | wongarsu wrote:
               | Following the link from there to https://ico.org.uk/for-
               | organisations/guide-to-pecr/guidance-... you find this
               | paragraph:
               | 
               | """ Are we required to provide information and obtain
               | consent for all cookies?
               | 
               | No - PECR has two exemptions to the cookie rules.
               | Regulation 6(4) states that:
               | 
               | (4) Paragraph (1) shall not apply to the technical storage
               | of, or access to, information -
               | 
               | (a) for the sole purpose of carrying out the transmission
               | of a communication over an electronic communications
               | network; or
               | 
               | (b) where such storage or access is strictly necessary for
               | the provision of an information society service requested
               | by the subscriber or user.
               | 
               | """
               | 
               | Strictly necessary includes "Cookies that help ensure
               | that the content of a page loads quickly and effectively
               | by distributing the workload across numerous computers
               | (this is often referred to as 'load balancing' or
               | 'reverse proxying')". That covers at least one of the
               | Cloudflare cookies directly, and gives good indication
               | that the other two also qualify.
        
               | ancymon wrote:
               | But the regulator guide is about GDPR. And it's
               | consistent with what I wrote - GDPR law does not require
               | consent for such cookies. So the regulator is ok with no
               | consent.
               | 
               | Apart from GDPR law, there's also separate EU Cookie
               | Legislation which was passed before GDPR. This regulation
               | requires clear user notification (not consent) that
               | cookies are used. As far as I know (but I might be wrong,
               | I don't follow it) this law is still in place and GDPR
               | did not replace it. So that means you still need cookie
               | notification banner (but not with "I accept" button but
               | with "I understand").
        
               | ThePhysicist wrote:
               | No that's not true, look at article 5(3) of the
               | directive, it exempts strictly necessary cookies as well
               | (it doesn't reference cookies in particular but applies
               | to all kinds of storage technologies instead):
               | https://eur-
               | lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...
        
               | ancymon wrote:
               | I am not sure what exactly do you mean is not true. But
               | in fact the article you linked says about pre-gdpr cookie
               | consent. So it kind of contradicts what I said. But in
               | practice to gather such consent it was allowed to say "if
               | you don't consent, please disable cookies in your
               | browser" and that's what I meant about "I understand"
               | button. Regarding the exemption for this notification, I am
               | not sure if CF cookies should be considered as strictly
               | necessary.
        
             | sergiosgc wrote:
             | The cookie law is no more. GDPR superseded it. It requires
             | user consent, but only in some cases. Under GDPR, cookies
             | that are not "personal information" (those that do not
             | track users) do not require consent.
        
               | speleding wrote:
               | This is a common misconception. The GDPR is about
               | protecting users' information, it's not really about
               | cookies (the entire 88 page law mentions cookies only
               | once).
               | 
               | The ePrivacy Regulation is intended to replace the cookie
               | law (ePrivacy Directive) eventually, but it hasn't yet.
        
       | tarasmatsyk wrote:
       | This is an awesome idea, I really love the writing and products
       | presented (TLDR; SimpleAnalytics, BunnyCDN, Intergram). Good luck
       | with LMA, this is an awesome product
       | 
       | IMO, the "cookies banner" does not help to make internet safer,
       | only worsening UI, add a few more banners and there is no content
       | left. How many people who don't know how internet works hit
       | "Disagree" if we still refuse to pay for e-services
        
       | romanovcode wrote:
       | ERR_TOO_MANY_REDIRECTS
        
       | perlpimp wrote:
       | Safari cannot open the page because too many redirects occurred.
        
         | jivings wrote:
         | I assume HN hug of death! It's back now.
        
       ___________________________________________________________________
       (page generated 2020-11-03 23:00 UTC)