[HN Gopher] We made our SaaS home page cookie-free
___________________________________________________________________
We made our SaaS home page cookie-free
Author : jivings
Score : 317 points
Date : 2020-11-03 12:53 UTC (10 hours ago)
(HTM) web link (blog.leavemealone.app)
(TXT) w3m dump (blog.leavemealone.app)
| jlelse wrote:
| BunnyCDN is nice! Switched from Cloudflare one or two years ago and not looking back, it's a "real" CDN and doesn't require cookies.
| pier25 wrote:
| I tried to use their push CDN service but I could never upload a file through their API. I went back and forth with support but nothing got solved.
|
| Also, the API for their dashboard was super slow for me. I mean waiting up to 10 seconds for every click on the dashboard or API interaction.
| axelthegerman wrote:
| Can't find it right now but I definitely uploaded some files via their API - weird you couldn't figure it out together with support.
|
| Also their pages load as fast as anything these days, no problem there either.
|
| Super happy with BunnyCDN - even the pricing!
| gkbrk wrote:
| I have a script [1] that uploads my website to BunnyCDN.
|
| [1]: https://github.com/gkbrk/scripts/blob/master/bunnycdn-sync.p...
| pier25 wrote:
| Thanks, I don't know Python but it looks pretty standard. It's similar to what I did in Node.
| aratob wrote:
| It's interesting to see the visitor stats [0] on the blog itself, provided by Simple Analytics:
|
| 12K hits for the blogpost, HN is the top traffic source with 7,5K referrals.
|
| [0]: https://simpleanalytics.com/blog.leavemealone.app
| [deleted]
| [deleted]
| ThePhysicist wrote:
| Well, cookies are not per se evil and you can use them in a privacy-friendly way. You should ask for consent for non-functional cookies (for the Cloudflare cookie you probably wouldn't need to ask for consent, for example) and make sure your consent workflow is compliant with the GDPR.
| The European Data Protection Board just published guidelines on this btw (in May): https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...
|
| We e.g. offer an open-source consent management solution that is compliant with GDPR (as much as you can say that with confidence) and which you can self host: https://github.com/kiprotect/klaro
|
| Building sites without cookies is possible but it's a bit extreme IMHO. Properly scoped and limited first-party cookies do not pose a large privacy risk to individuals and can make certain legitimate use cases like analytics much easier (or even possible, in some cases).
| stevage wrote:
| Urgh, the irony - can't open this page, because there is some problem to do with too many redirects. Which you can maybe fix by clearing cookies.
| jivings wrote:
| Ghost instance crashed, I assume HN hug of death! It's back now.
| donbrae wrote:
| Getting redirects too. The page on the Wayback Machine: http://web.archive.org/web/20201103140506/https://blog.leave...
| flibble wrote:
| Can anyone recommend any good articles on how to track paid advertising without being reliant on cookies?
| the_gastropod wrote:
| A little bit off topic, but this thing looks suspiciously a _lot_ like https://lunchmoney.app/ and as far as I can tell is totally unrelated. Even the Lunch Money logo is used under the pricing section... Is this just a coincidence / did Lunch Money also use some stock illustrations that're used here? Or is it just good old fashioned copying?
| danieleguia wrote:
| nice write-up with good suggestions on how to accomplish the no cookie page
| danieleguia wrote:
| Nice write-up on how to make a cookie-free page.
| Thanks
| eli wrote:
| _> But it's possible to hit this button again and re-enable Cloudflare forwarding temporarily if we find ourselves under attack, so I figure this is a good option._
|
| Plan to redeploy your production server to a new IP address too since the attacker will still be able to hit it directly.
| Waterluvian wrote:
| Can you not just reject or ignore all connections not coming from Cloudflare? Or does that still do damage during a DDoS?
| jgrahamc wrote:
| That doesn't help if your pipe to the Internet is full (think Gbps) or if the router/switch can't process packets fast enough (think Mpps).
| nwsm wrote:
| I was recently tasked with making an "Accept our use of cookies" banner for our public site. Before that banner we did not store any cookies at all; now we have one to store their consent.
| alangibson wrote:
| At least 90% of the banners I get hit with around the web are automatically not GDPR compliant because they require you to opt out. It's amazing to think of the effort that's been expended implementing them while still failing to follow the law.
|
| I'd call it a legal fig leaf, but it doesn't cover up anything at all.
| cuu508 wrote:
| It's a legal face mask with the nose sticking out
| swyx wrote:
| i could see an excellent webcomic being made out of this
| unfunco wrote:
| If you don't store cookies at all then you don't need the banner, you don't need consent to be doing nothing.
| TonyTrapp wrote:
| Try explaining that to the non-technical people the requirement came from.
| chrisweekly wrote:
| Respectfully, educating stakeholders is part of your job. Until you accept and embrace that, you're likely to remain stuck in roles doing useless things.
| outworlder wrote:
| How do you know so much about his job role?
| Klinky wrote:
| If they heard from legal they need it and legal hourly rate is greater than engineering hourly rate, they will rather waste engineering time than spend legal time to save engineering time.
| Griffinsauce wrote:
| Legal won't be maintaining this feature ad infinitum will it?
|
| Also: it might be interesting to try and find some metrics on conversion impact for those stakeholders. You're making the product worse.
| libria wrote:
| _Attempting_ to educate stakeholders is part of your job. Forcing them to accept your reasoning may not be possible and they may have other reasons for their decisions that you may not know about or they may not wish to reveal (legal, marketing, internal politics, etc).
|
| And at some point in pushing back, disagree-and-commit is the right thing to do.
| encom wrote:
| That shouldn't be very difficult. It's not a complex situation.
|
| I don't have a sign in front of my house saying "Beware of the dog", because I don't have a dog.
| TonyTrapp wrote:
| Since the topic touches law, it's more complex to some people than you might think. To us it's obvious, but someone else might think that they better be safe than sorry and not get sued for accidentally setting a (non-essential) cookie somewhere without letting the user know. I definitely know some people who'd rather implement such "unnecessary" things than exposing themselves to a potential legal trap.
| bavila wrote:
| I would recommend thinking like a lawyer and writing a memo like one. Legal writing and analysis follows a very common pattern known as IRAC (Issue, Rule, Analysis, Conclusion):
|
| (1) Identify the issue; (2) Quote all relevant rules; (3) Analyze the rules in light of your specific factual circumstances; and (4) Reach a reasonable conclusion based on your analysis of the rules.
|
| This is how your company's legal team is making recommendations to management. You have to fight fire with fire.
| The only advantage your legal department may have over you is access to more comprehensive legal research services like Westlaw and LexisNexis. But at the end of the day, all they're doing is researching what the law is and how the courts are interpreting the law. Search for the right terms on Google, and you can do a pretty damn good job at crafting credible arguments. We don't need the lawyers always acting like they're at the top of the food chain.
| virtue3 wrote:
| Lawyers would argue that it might be a good idea to put up a sign if your neighbors have a dog that could attack them.
|
| (weak argument but somewhat funny).
|
| Lawyers are ultra cautious. If you can -guarantee- that no one is going to magically add tracking/google analytics or some such to your site then sure, tell them you don't need the banner.
| mewpmewp2 wrote:
| I would say big picture wise it is wiser to add the banner unless it hurts your conversions.
| rootusrootus wrote:
| OTOH, if you got asked often enough if you had a scary dog, you may consider putting up a sign saying "There is no dog here."
| JoshTriplett wrote:
| At which point the more common question will become "what's with the sign?", and the sign may become the bigger source of concern.
|
| (See also https://knowyourmeme.com/memes/a-lot-of-questions-already-an... .)
|
| You might instead consider asking people why they're asking, and figuring out ways to promote more widespread understanding.
|
| Concretely: you might actively promote adblockers and tell people why they should use them. And rather than saying "we don't use tracking cookies", you could explain "here's why so many sites have cookie banners, here's why we don't".
| mewpmewp2 wrote:
| Or you could focus on your business goals... And just be safe legally.
| JoshTriplett wrote:
| I'm not suggesting doing it proactively; I'm suggesting doing it in response to the question, if people repeatedly ask the question. "No, and here are other ways to protect yourself" is stronger and more definitive than just "no".
| mewpmewp2 wrote:
| What if you might consider adding some analytics later down the road, but are afraid someone will forget about the cookie banner at that point?
| hobby-coder-guy wrote:
| Get better at explaining. It isn't difficult.
| samoa42 wrote:
| also perfect excuse to introduce some other usage of cookies
|
| https://news.ycombinator.com/item?id=24979895
| [deleted]
| mewpmewp2 wrote:
| What if you might consider adding some analytics later down the road, but are afraid someone will forget about the cookie banner at that point?
|
| Maybe the customer wants to not worry if some new developer is tasked with analytics and maybe this developer forgets about the cookie banner.
| reaperducer wrote:
| _If you don't store cookies at all then you don't need the banner, you don't need consent to be doing nothing._
|
| That was his point. He was illustrating the absurdity he has to deal with.
| rustybolt wrote:
| I'll bite: So why did you need it in the first place?
| nwsm wrote:
| Eventually we'll add an analytics plugin and need the banner. But at the time it was one of those "every site has one" decisions from non-technical folks. Similar frustration with arbitrary password requirements on the same site.
| DarkWiiPlayer wrote:
| > password requirements
|
| Tell your higher-ups I hate them. I decide what my password is and if it's secure enough considering how much I value a given service.
| airstrike wrote:
| Sometimes I really want my password to be 123123!
| reaperducer wrote:
| _Sometimes I really want my password to be 123123!_
|
| Yes, I do.
|
| For example, I have a laptop that is airgapped from the internet.
| But macOS still requires a password to differentiate between users.
|
| Fortunately, Apple permits four-digit numbers to be used for logins, and doesn't impose its own views on the situation.
| Alupis wrote:
| Probably an unpopular opinion - but if you do not have a physical presence in the EU, and you're not the size of some Unicorn corp, you can completely ignore these silly cookie banners for now and instead focus on things that actually matter for your startup.
| dvtrn wrote:
| What are we as technical operators even good for if our counsel, judgment and recommendations (things I thought we were even hired for as valuable key contribution points) are frequently overridden by non-technical people who in the best cases don't understand the evidence shown, in the worst don't even care to?
| wdb wrote:
| Well, if you use Cloud Armour and you try to change the password it apparently doesn't like the password to start with $ and then this blocks the whole request.
|
| Two options to solve: disable the specific rule or change the password requirements. Sometimes the latter is the easiest in some companies.
| alangibson wrote:
| My "dysfunctional product design process" alarm is going off.
|
| The idea of implementing an annoying popup to support something you _might_ do in the future for any reason is madness.
|
| And do they not realize that user credentials are a huge liability? Why would you want to support anything related to user identity if you don't need to.
| mewpmewp2 wrote:
| I don't think it is irrational or madness at all. Imagine having to switch developers and then you ask for analytics from your new developer. Very easy to happen that they could forget about the cookie banner.
|
| I would go as far as to say it is wise to deal with it once and for all.
|
| Especially since implementing the banner takes such a short amount of time.
| Worrying about it will waste many times more brain cycles and once again there is always a chance someone forgets about it in the future and legal worries will be infinitely more costly.
| reaperducer wrote:
| _My "dysfunctional product design process" alarm is going off._
|
| Very few companies are large enough to have a "product design process."
|
| In situations like this, it's usually some paper-pusher saw it on his favorite web site and thinks it should be on the company's, too.
|
| Middle managers gotta middle manage.
| kubanczyk wrote:
| > Middle managers gotta middle manage
|
| Hilarious, stealing it!
|
| Originally at https://news.ycombinator.com/item?id=23797037
| Angostura wrote:
| "We've used advanced technology design to ensure we are compliant without the need for the ugly banners other sites are forced to use"
| reaperducer wrote:
| _Before that banner we did not store any cookies at all; now we have one to store their consent._
|
| Some of the web sites I manage have sections in their Terms of Service outlining how we handle cookies, and store user login information.
|
| These are web sites that store no cookies, and do not have user logins.
|
| But whatever the legal department wants, the legal department gets.
|
| When I feel generous, I chalk it up to Legal future-proofing the situation. When I'm not, I call it trendchasing.
| TeMPOraL wrote:
| > _When I feel generous, I chalk it up to Legal future-proofing the situation. When I'm not, I call it trendchasing._
|
| In my even less charitable mood, I'd call it copy-pasting ToS templates to avoid doing work.
| mewpmewp2 wrote:
| I am guilty of doing that for my MVPs. I just go extra safe everything, because I would rather get to market sooner.
| TeMPOraL wrote:
| Yeah, and I don't hold it against very early stage startups or Show HNs. But if your company has lawyers in-house preparing these texts, that's more surprising then.
| ATsch wrote:
| It's extra fun because there's really two options:
|
| a) the cookies are necessary for technical reasons. This means you don't need to ask for permission
|
| b) the cookies are for marketing, which means you must be able to decline without consequences
|
| Half of the banners do neither of these things and are thus either unnecessary or insufficient.
| eli wrote:
| For GDPR or CCPA?
| stefgodjibayo wrote:
| GDPR and PECR (CCPA is primarily aimed at preventing selling of data)
| vmception wrote:
| sidenote: I wish California would pass a Right to be Forgotten like the EU has. That would be epic.
|
| Maybe I make that ballot measure myself, given so many "digital measures" having so much interest here already.
| withinboredom wrote:
| Filed bankruptcy? No problem. Just make the credit companies forget about it!
|
| After moving from the US to the EU, I've thought about trying to use that right on my credit history in the US. I don't think it would work, but it would be entertaining if they even responded.
| vmception wrote:
| The right is about search engines and data brokers
| Angostura wrote:
| b) the cookies are for marketing, which means you must be able to decline without consequences
|
| Nope - 'decline' has to be the default assumption for GDPR compliance. You only need the banner if you want people to opt in.
| ATsch wrote:
| That's true, but in the context of a popup this means you must be able to deny or dismiss it without consequences.
| imiric wrote:
| That doesn't prevent dark UI patterns to highlight "Accept" and hide "Reject" as much as possible, or not having a "Reject all" button. Some sites deliberately make you manually click on "Reject" for each "ad partner", at which point I bail out or disable JS or scrape the text if I'm really interested in the content.
|
| The web of 2020 has become a hostile and ad infested place. I miss the simplicity of the 90s, but it might be nostalgia bias.
| mattrick wrote:
| To be fair the web of the early 2000s was full of ads too. I remember a time when people still used Yahoo as their homepage which was basically just a giant ad delivery platform with even more invasive ads than we have today. That's not to say that today is much better. It seems like most sites today try to walk the line between ad revenue and user retention.
| marcosdumay wrote:
| Yes, it was full of ads, but not tracking. Some ads were targeted to the sites they were displayed on, and not to the person reading it.
| enriquto wrote:
| > That doesn't prevent dark UI patterns to highlight "Accept" and hide "Reject" as much as possible
|
| I giggle every time I find this dark pattern thinking it is the modern equivalent of the ballots for the Austrian Merging referendum of 1938 [1]
|
| [1] https://en.wikipedia.org/wiki/1938_Austrian_Anschluss_refere...
| MaxBarraclough wrote:
| These dark patterns are very widespread, and are even seen on generally reputable websites like TomsHardware, but are they actually GDPR compliant?
|
| GDPR enforcement is approximately zero, to my knowledge, so I don't know if there's even really an answer to the question.
|
| For what it's worth, Wikipedia gives the impression no-one really knows. https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
| mattmanser wrote:
| The new dark pattern is to default everything off, but then have a separate switch labelled "legitimate reasons", which are all turned on by default.
|
| For example https://www.telegraph.co.uk/ (right wing UK newspaper). In the pop-up it says "You can also review where our partners claim a legitimate interest to use your data and, should you wish, object to them doing so.".
|
| If you click manage it opens with "user consent" selected, where everything is turned off. Click save means they're not going to start tracking you, right?
|
| Wrong, if you switch to "legitimate purpose", you'll see that everything is turned on. All those ad companies claim they have a legitimate purpose to be tracking you, even though you have zero business relationship with them.
|
| Unless the ICO hands out some very heavy fines to those companies, the whole thing's become a farce, just like the cookie law was.
| GordonS wrote:
| > This means we are now just using Cloudflare for DNS. But it's possible to hit this button again and re-enable Cloudflare forwarding temporarily if we find ourselves under attack, so I figure this is a good option.
|
| Without this enabled, attackers know what your backend IP address is, so even if you enabled it later, they could continue to DDoS your IP directly, without doing a DNS lookup.
|
| You'd only get what you want if you both re-enabled this _and_ switched to different IP addresses.
| mattrick wrote:
| You could firewall off non-Cloudflare requests: https://support.cloudflare.com/hc/en-us/articles/201897700-A...
| Okx wrote:
| A software firewall is useless against a DDoS attack. It will only serve to help your IP not get discovered in the first place.
| eloff wrote:
| Also the Cloudflare cookie is clearly for technical purposes, not marketing. So no consent is needed under GDPR, in my understanding. Getting rid of it didn't accomplish anything useful.
| calcifer wrote:
| > Also the Cloudflare cookie is clearly for technical purposes, not marketing.
|
| How do you know that? Because they say so?
| edoceo wrote:
| Here's what they say for anyone who's looking
|
| https://www.cloudflare.com/en-gb/gdpr/introduction/
| varispeed wrote:
| Isn't the problem about actual tracking and not the cookies? If you track someone without using any cookie you still need to ask for consent. I kind of don't understand this post. Can someone explain why it is okay to track someone without a cookie?
| tarjei wrote:
| I've been thinking of trying to combine self-hosted analytics and adding ad info in the urls of ads so I can track if a user arrived at my site via an ad without divulging that to any third parties.
|
| Has anyone tried something like that? Did it work? Obviously what you give up is retargeting but that may have to go anyhow.
| hapidjus wrote:
| Isn't this basically UTM Tracking?
| wongarsu wrote:
| Tracking ads via URL parameters is pretty standard (utm parameters), and self-hosted matomo can be set to run without cookies. This means that some metrics can't be tracked [1]. The most impactful of those is attributing people to a campaign if they come via an ad, view your website, but only convert after leaving and coming back some time later.
|
| If you leave cookies enabled everything just works as you would expect, with full conversion tracking etc. Some ad services try to optimize ads according to tracking data you send them, which obviously doesn't work if you don't run their tracking code.
|
| 1: https://matomo.org/faq/general/faq_156/
| marban wrote:
| I store the url param in a DB and rewrite the Url to a cleaned one via JS in case the user bookmarks the page.
| patja wrote:
| I always thought this was a fairly common practice so you can verify you are getting the ad traffic you paid for.
| jivings wrote:
| TL;DR: We set out to have a no-cookie homepage. Replaced Google Analytics, Crisp Chat and Cloudflare with privacy friendly alternatives!
| criddell wrote:
| Just out of curiosity, how important is live chat? I don't think I've ever had a good experience using a site's chat function.
| stjohnswarts wrote:
| Back when I was doing web stuff for clients I got a lot of help through hostgator chat function and it was great. It all depends on how knowledgeable the person on the other side is. The medium is fine in and of itself.
| criddell wrote:
| I've had two types of experience.
|
| One - the person on the other end works for a different company and they can answer a few common questions, but everything else is "call this 800 number." Cell phone companies do this.
|
| Two - the person immediately says "give me your phone number and let's talk on the phone" (car dealers are terrible for this).
|
| I guess there is a third type - companies using a laughably terrible bot. I encountered this with Sony after I bought a game online and it wouldn't start. I eventually called in and they instantly refunded my money because I think it was a common problem.
| jivings wrote:
| We have a rather difficult onboarding process and users often message via the chat for help.
|
| For the homepage I'd say visitors message _rarely_ so it is less useful. That said, the ones that do are usually the same who convert as they are already fairly qualified leads and just want a little extra info before they sign up.
| gcatalfamo wrote:
| How do you retarget on potentially interested customers?
| mrweasel wrote:
| How effective is retargeting? I understand that it varies from business to business, but from what I saw 5 years ago in consumer electronics, gaming and toys, it's not really going to be a significant revenue source.
|
| The retargeting most of us see is the failed kind where you're trying to sell a fridge to the person who already ordered one two days ago, and you're the person who sold it, but your retargeting partner does actually support registering purchases.
| shostack wrote:
| It varies by advertiser. Smart ones do incrementality testing to prove its added value and optimize accordingly.
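The first-party campaign tracking that tarjei, wongarsu and marban describe a little further up (utm parameters on the ad URL, recorded server-side, then scrubbed from the address bar so bookmarks do not carry them), as an added example in browser JavaScript that is not code from any of those posters. The collection endpoint `/collect/campaign` and the function names are hypothetical; `URL`, `navigator.sendBeacon` and `history.replaceState` are standard browser APIs, and the pure part runs under Node as well. No visitor identifier is attached to the record, so it describes the click that brought this page view, not the person; wongarsu's caveat applies: without some stored identifier, a visitor who leaves and converts later cannot be tied back to the campaign.

```javascript
// Added example: capture utm_* parameters once, send them to our own
// endpoint, and rewrite the address bar to the cleaned URL.
const CAMPAIGN_KEYS = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content'];

// Split a landing URL into the attribution record and the cleaned URL.
// Non-campaign query parameters (e.g. ?plan=pro) and the fragment survive.
function captureCampaign(href) {
  const url = new URL(href);
  const attribution = {};
  for (const key of CAMPAIGN_KEYS) {
    const value = url.searchParams.get(key);
    if (value !== null && value !== '') {
      attribution[key] = value.slice(0, 100); // cap what goes into our own DB
      url.searchParams.delete(key);
    }
  }
  return { attribution, landingPath: url.pathname, cleanHref: url.href };
}

// Host part of the referrer only; the full referrer URL can itself carry
// query strings we have no reason to keep.
function safeHost(referrer) {
  try { return new URL(referrer).host; } catch { return ''; }
}

// Body for the first-party endpoint (hypothetical path /collect/campaign).
function campaignPayload(record, referrer) {
  return JSON.stringify({
    ...record.attribution,
    path: record.landingPath,
    referrer_host: safeHost(referrer),
  });
}

// Browser wiring, guarded so the module also loads under Node.
function recordAndCleanLocation() {
  if (typeof window === 'undefined') return null;
  const record = captureCampaign(window.location.href);
  if (Object.keys(record.attribution).length === 0) return record;
  const body = campaignPayload(record, document.referrer);
  if (navigator.sendBeacon) {
    navigator.sendBeacon('/collect/campaign', new Blob([body], { type: 'application/json' }));
  }
  // Replace the entry in place: no reload, no extra history entry, and the
  // bookmarkable URL no longer carries the campaign tag.
  window.history.replaceState(window.history.state, '', record.cleanHref);
  return record;
}
```

Calling `recordAndCleanLocation()` early in page load keeps the window small during which the tagged URL can be copied or bookmarked. The server side should treat the utm values as untrusted input (they come straight from the address bar) and store them with the same care as any other form field.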
| jsjohnst wrote:
| > The retargeting most of us see is the failed kind where you're trying to sell a fridge to the person who already ordered one two days ago
|
| I've paid close attention over the past few years and have found >80% of the retargeted ads are for something _I just purchased_ (and they are usually the "single purchase" type product, similar to the fridge analogy you used)
| konha wrote:
| Very effective.
|
| Even if a big share of your ad impressions falsely target someone who already bought (see sibling comment) the remaining impressions lead to an increase in conversions at a comparatively low cost per conversion.
|
| As you said, this will vary from business to business, but I have seen very successful retargeting campaigns in b2c e-commerce as well as b2b lead generation.
| bochoh wrote:
| I think the whole point of being privacy focused is that you don't retarget and your product sells by its own merits.
| ponderingfish wrote:
| That's hard and I hope they can achieve this strategy!
| jamiequint wrote:
| > your product sells by its own merits
|
| This is a common yet naive thing to say that is rarely ever true in practice.
| Geee wrote:
| There's no cookie banner on apple.com, but they use cookies.
|
| There's a cookie banner on google.com, but no way to decline.
| maxton wrote:
| Assuming Apple is only using cookies for technical purposes, like providing a way to log in or use a shopping cart, then there is no need to use a banner. Google needs the banner because they are using cookies for advertising and tracking purposes, and you can probably guess why there's no way to decline
| m1aw wrote:
| Is it necessary to get consent from the user about _cfduid?
|
| From what I understand functional cookies are excluded from the consent banner.
| stjohnswarts wrote:
| They wanted to get rid of cookies as much as possible as that's part of their business plan (privacy).
| So they found a better CDN that didn't use cookies at all, so I'd say they made out like a bandit.
| achairapart wrote:
| The problem with _cfduid is that it is essentially a third-party cookie (even if it's set on your own domain).
|
| So I think you are still required to inform users of the cookie usage, the purpose of the cookies and link to the relevant Cloudflare privacy/cookie policies.
| jivings wrote:
| This is what I assumed too.
| distantsounds wrote:
| how to make a website sans cookies:
|
| don't use cookies.
|
| saved you all a click.
| raxxorrax wrote:
| You could use localStorage and a script for setting/getting the info via xmlhttp. Technically not a cookie and there is nothing automatically sent.
|
| I think cookies are great if they weren't abused as much.
|
| (not saying the site is using any alternative approaches, I think their ambition is laudable)
| cseleborg wrote:
| I believe localStorage is equivalent to cookies as far as the European cookie banner directive is concerned.
| volument wrote:
| The eDirective states that the browser and device information (like the URL) is private data and you need a permission to access it for non-essential purposes such as analytics. This is why Simple Analytics also needs a cookie banner, contrary to what their marketing says.
| Vespasian wrote:
| I'm not quite up to date, was it passed since 2018? I remember it being delayed quite a bit.
|
| My Google-Fu has proved insufficient.
| volument wrote:
| EU is still working on a new version of the directive. I heard they have been doing it for three years now.
| cseleborg wrote:
| Well... turns out, it's not that easy. I, too, removed the cookies from my website [1] and was thrilled to finally get rid of the cookie banner, but had to jump through some hoops:
|
| - It's a WooCommerce store. WooCommerce stores one persistent cookie to keep track of your cart.
| I had to hack up a little snippet of PHP code to turn that into a session cookie. It's not quite documented behavior, but the hack feels robust enough that I can live with it. (Session cookies are allowed, as per GDPR.)
|
| - YouTube embeds had to go, as even their youtube-nocookie domain sets cookies (thanks, YT). Vimeo has a "dnt" option that seems close to what I want, but it still sets some ID in localStorage, which the GDPR views as equivalent to cookies in this regard. So my current workaround is to just have the video thumbnail and link to the proper video on YT, but that sucks because now my visitors leave the website.
|
| - Replaced Google Analytics with self-hosted Matomo, carefully configured to not set cookies (it's not trivial), which now regularly brings my cheap hosted server to the limit ;-)
|
| So even a relatively simple website that does little fancy is not easy to get free of cookies.
|
| [1] https://dascask.com
| tleb_ wrote:
| > Session cookies are allowed, as per GDPR.
|
| Would you have a source? Reading through this page[0] I don't get the impression this is right. Session cookies are cookies nonetheless that can be used to identify users and if they are used that way, consent should be asked and given before usage.
|
| [0]: https://gdpr.eu/cookies/
| ss3000 wrote:
| I enjoyed the post and appreciate that more people are looking for privacy focused alternatives to traditional vendors.
|
| Though I'm disappointed to hear that one of the conclusions seems to be there's no privacy-focused chat vendor that does something as simple as not collecting identifying information on users until they interact with the chat app, with integrated consent collection (which is essentially what they've implemented with their fork).
|
| Maybe the wider HN community might know of such a service?
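cseleborg describes turning the shop's persistent cart cookie into a session cookie with a PHP snippet. As an added example, the same rewrite done in Node at a reverse proxy or middleware layer, which works for any upstream application whose cookie lifetime you cannot configure; this is not cseleborg's snippet and not WooCommerce code, and the cookie names in the sample headers are constructed. What makes a cookie "persistent" is only its `Expires` or `Max-Age` attribute; removing both makes the browser discard it at the end of the session, and the same pass is a convenient place to make sure `Secure` and `SameSite` are set. Whether a session cookie needs consent is exactly what cseleborg and tleb_ disagree about below; the code changes the lifetime, nothing more.

```javascript
// Added example: rewrite Set-Cookie headers so selected cookies lose their
// Expires / Max-Age (becoming session cookies) and gain baseline attributes.

// Parse one Set-Cookie value into { name, value, attrs }; attrs are keyed
// lower-case and flag attributes (Secure, HttpOnly) carry the value true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq);
  const value = eq < 0 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Serialize back in a fixed attribute order with canonical capitalisation.
function serializeSetCookie({ name, value, attrs }) {
  const canonical = [
    ['path', 'Path'], ['domain', 'Domain'], ['expires', 'Expires'],
    ['max-age', 'Max-Age'], ['secure', 'Secure'], ['httponly', 'HttpOnly'],
    ['samesite', 'SameSite'],
  ];
  const out = [`${name}=${value}`];
  for (const [key, label] of canonical) {
    if (!(key in attrs)) continue;
    out.push(attrs[key] === true ? label : `${label}=${attrs[key]}`);
  }
  return out.join('; ');
}

// Drop Expires and Max-Age for cookies whose name the selector accepts, so the
// browser forgets them when the session ends. Other cookies pass through.
function toSessionCookie(header, selector = () => true) {
  const cookie = parseSetCookie(header);
  if (!selector(cookie.name)) return header;
  delete cookie.attrs.expires;
  delete cookie.attrs['max-age'];
  return serializeSetCookie(cookie);
}

// Force Secure and default SameSite=Lax when absent. HttpOnly is deliberately
// not added here: a cart cookie that page scripts read would break.
function withBaselineAttributes(header) {
  const cookie = parseSetCookie(header);
  cookie.attrs.secure = true;
  if (!('samesite' in cookie.attrs)) cookie.attrs.samesite = 'Lax';
  return serializeSetCookie(cookie);
}

// Apply both rewrites to every Set-Cookie header of an upstream response,
// e.g. from a proxyRes 'set-cookie' array.
function rewriteSetCookieHeaders(headers, selector) {
  return headers.map((h) => withBaselineAttributes(toSessionCookie(h, selector)));
}

// CONSTRUCTED sample: a cart cookie the shop software sets for one year,
// plus a harmless preference cookie we want left alone.
const SAMPLE_HEADERS = [
  'cart=abc123; Expires=Wed, 03 Nov 2021 12:53:00 GMT; Max-Age=31536000; Path=/',
  'theme=dark; Path=/; Max-Age=2592000',
];
```

One caveat worth stating in the same breath as "session cookie": browsers that restore the previous session on start-up may keep session cookies across restarts, so "gone when the browser closes" is a goal of the attribute, not a guarantee. Note also that the date inside `Expires` contains a comma, which is why the parser splits only on semicolons.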
| mickael-kerjean wrote:
| There's a ton of open source ones, I use intergram (https://github.com/idoco/intergram) but there's more:
|
| - https://github.com/LiveHelperChat/livehelperchat
|
| - https://github.com/chatwoot/chatwoot
|
| - https://github.com/papercups-io/papercups
| jivings wrote:
| I think there's a gap in the market here!
| Aldipower wrote:
| This is a really good write up! I wish more companies and SaaS put this cookie-less directive on top of their priorities. We do the same, except we have a jwt-cookie, but which is strictly bound to our domain. Additionally we avoid third-party scripts and apps, fonts or things like the facebook commenting system. Basically all stuff sending user traces to foreign parties. We did a write-up about this here, if you are interested, how we did it: https://www.tredict.com/blog/we_do_not_track_you/
| Hnrobert42 wrote:
| In case leavemealone.app is reading these messages, I will leave this here. I failed to sign up. After clicking the sign up button, the button began pulsing but did nothing more. When I tried reporting the failure via chat, nothing happened when I clicked send. After clicking send, I noticed that my initial chat message had been truncated halfway. I don't know if these two failures are related.
|
| I am using Firefox Focus on an iPhone 7 running iOS 14.1.
| jivings wrote:
| We're getting a bit smashed by HN traffic right now and the server is running a little slower than usual! I hope you check back in a little while.
| volument wrote:
| Cookies are not an issue for GDPR, it's all about respecting users' privacy. In fact you can freely store anonymous data to cookies, localStorage, and sessionStorage without issues. The problem comes when you are dealing with personally identifiable information such as permanent identifiers.
|
| You definitely need a "cookie banner" when using Simple Analytics, Fathom, or Plausible.
| Any service that accesses device information such as the URL needs permission from the user according to the ePrivacy directive.
|
| We have consulted EU law specialists when building our upcoming analytics service that is as privacy-friendly as Simple Analytics, while still measuring important things like retention and conversions. More information:
|
| https://volument.com/learn/data-privacy
| AdriaanvRossum wrote:
| Founder of Simple Analytics [1] here. There is a lot of information around cookie banners that is just not true. For example cookies are not limited to the technology of cookies, it contains any piece of information that you can use to track a user. An IP address, localStorage, sessionStorage, ... You are allowed to add a functional cookie with a dark mode setting for example without a cookie banner. You can't use an analytics cookie without a cookie banner.
|
| What you are sharing is simply not true and I will clarify. A cookie banner is required when you store PII data. This is personally identifiable information. This includes, but is not limited to an IP address, a cookie with a user identifier, ... You are free to collect data that is not part of this without a cookie banner. You are also referring to a URL as being device information, this is not device information but basically a page view. You are allowed to collect page views and URLs that are linked to these page views with a cookie banner.
|
| You are describing retention for your business. That's only possible with a cookie banner. It makes perfect sense because you need to calculate retention somehow. If you can calculate retention and conversions you are tracking a user. So you need a cookie banner.
|
| Cookie banners are also a thing that is implemented on the web in many wrong ways. You should always have a way to disable cookies. Just an "accept all cookies" is legally invalid under the GDPR.
| The e-Privacy was already in place before the GDPR and the GDPR is somewhat a clarification of it.
|
| Simple Analytics does not use cookies and does not require a cookie banner. We don't track your visitors and don't calculate retention or conversions. If your service does this, they are tracking your user and you might need a cookie banner.
|
| [1] https://simpleanalytics.com
| briandear wrote:
| > You can't use an analytics cookie without a cookie banner.
|
| In what country? There is certainly no US law, to my knowledge, that says that.
| shawabawa3 wrote:
| Everyone's talking about EU law
| volument wrote:
| That depends solely on what is an "analytics cookie". If it's a permanent identifier, then it's considered PII and requires a GDPR consent. Otherwise GDPR doesn't care. You can freely store foo=bar to a cookie.
| tipiirai wrote:
| Hey. Founder of Volument[1] here. We consulted EU law specialists on this particular matter. You are right: you definitely need a cookie banner when you store or process PII data. But GDPR is just an extension to ePrivacy, which says that you also need the cookie banner when any of the device information is accessed (such as the browser URL) for non-essential purposes.
|
| The ePrivacy is just a _directive_ and doesn't oblige anyone to anything. It's the local laws of Europe that do. We have compiled a detailed list of all the European countries and the respective laws that require an opt-in or opt-out style banner for an analytics service. [2]
|
| Retention is not possible without cookies or localStorage, but you can measure retention without storing or processing any PII information.
|
| [1] https://volument.com [2] https://volument.com/learn/data-privacy
| XCSme wrote:
| > non-essential purposes
|
| How is that defined?
| For many businesses it is essential to know conversion rates and which users buy, especially if they invest in ads so they can calculate their ROI and know if their campaigns bring in profit or loss, which I think is pretty "essential".
| ratww wrote:
| It means essential for the usage of the website, as in technically essential, like login or shopping cart.
|
| The law doesn't say anything about it, though: this is just the interpretation and how courts have been treating it, so I wouldn't try to find loopholes around the word "essential" if you intend to follow it.
|
| A court has ruled that tracking cookies used by ad networks, analytics and retargeting require consent [1].
|
| Nothing stopping you from analysing your logged-in user data, though (as long as you disclose it to your customers and comply with the rest of GDPR), so it's possible to have those kinds of measurements even without those stupid cookie banners.
|
| [1] https://techcrunch.com/2019/10/01/europes-top-court-says-act...
| fanf2 wrote:
| I am confused. What do you mean by "browser URL"? Do you mean the URL of the page that the user accessed? How is that not essential? How is it specific to the user's device?
| volument wrote:
| Yes: the location information on the browser. You cannot access it for non-essential _purposes_ without user consent. See Article 5 / Statement 3 in the ePrivacy directive[1]
|
| [1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
| fanf2 wrote:
| The browser sends the URL to the server to download the page so you can't avoid receiving the URL before receiving consent from the user. You get to see the URL without accessing the user's device.
|
| Your citation does not mention URLs or clarify why they might be non-essential.
| ratww wrote:
| An example:
|
| If you're using it to display a page (say: React Router), then it's essential functionality.
|
| If you're using the URL to propagate a unique hash between pages that is used to identify the user for marketing purposes, then it requires consent.
| ephimetheus wrote:
| Ah, this would make sense. They mean if I put data in the url and retrieve it from there. www.example.com/search?q=abcd would be fine in that interpretation.
| klohto wrote:
| I would argue that at least for Czech Republic, the notice is not required if the processed data is crucial to providing the service the user requested. You cite Article 89(3) of the Electronic Communications Act, where it's stated that "... nor does it apply to the cases where such technical storage or access activities are needed for the provision of an information society service explicitly requested by the subscriber or user.". This part was also modified several times, most recently in 2018 in 20/2018 s. 687
| volument wrote:
| The list is only for non-essential services such as website analytics. Is there a better cite for Czech Republic? Happy to edit.
| klohto wrote:
| Nope, you're spot on with the citation! I got confused and thought the discussion here is around essential cookies/data :)
| ThePhysicist wrote:
| The GDPR is not a clarification of the ePrivacy directive, on the contrary. The ePrivacy directive "particularises" certain aspects of the GDPR. National implementations of the ePrivacy directive (which, unlike the GDPR, needed to be put in laws within each EU country) that e.g. regulate certain aspects of electronic communication have priority over the GDPR as a "lex specialis". Wherever such provisions do not exist, the GDPR takes precedence as a "fallback legislation".
|
| If you don't trust my word on this you might want to check out the official stance of the European Data Protection Board on this (from 2019): https://edpb.europa.eu/sites/edpb/files/files/file1/201905_e...
|
| The EU is working on an ePrivacy regulation btw, which will indeed replace the ePrivacy directive, but it's not likely that it will be passed before 2021 or 2022.
| villgax wrote:
| The Cloudflare cookie still persists.
| speedgoose wrote:
| I wish Cloudflare could allow removing this cookie. I'm willing to pay for that feature.
| dkyc wrote:
| That cookie can be disabled on Cloudflare's Enterprise plan [0] (which, to be fair, starts at like $60k a year).
|
| [0] https://support.cloudflare.com/hc/en-us/articles/200170156-U...
| judge2020 wrote:
| The enterprise plan is a very custom plan - if you only need access to one or two features and/or only have a few million requests a month, the price can be pretty cheap (much less than the 5k/mo price advertised on the CF dashboard), but if you want mission-critical features like bot management[0], access to China datacenters[1], etc. it definitely can get into the 6-figure range - and they do have over 550 customers paying 6 figures or more [2].
|
| But just getting one to remove the cookie is probably not worth it since it will end up costing more than a business plan (200/mo) regardless.
|
| 0: https://www.cloudflare.com/products/bot-management/
|
| 1: https://www.cloudflare.com/network/china/
|
| 2: http://d18rn0p25nwr6d.cloudfront.net/CIK-0001477333/09769260... (page 63)
| eli wrote:
| I think you can negotiate with them if you only need some enterprise features.
| speedgoose wrote:
| Alright. I can budget 100EUR per year so I will keep the cookie.
| achairapart wrote:
| It's funny that you have to pay more in order to have less.
|
| Cloudflare, if you are listening: Just give us an option to disable this cookie. Thanks!
| 3pt14159 wrote:
| How would they know that you're you without the cookie?
| speedgoose wrote:
| I wasn't thinking as a visitor, but as a website owner who uses Cloudflare.
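Both the "session cookies are allowed" exchange earlier in this thread and the Cloudflare-cookie discussion just above come down to one measurable question: what does the page actually leave in the visitor's browser, and for how long? The following is an added example, not code from the thread, from leavemealone.app or from any product named in it. It parses the Set-Cookie headers of an HTTP response and reports, per cookie, whether it is a session cookie (no Expires/Max-Age), a persistent cookie, or a deletion, plus the Secure/HttpOnly/SameSite flags. The sample headers are constructed for the example; the cookie names and values are illustrative and not those any real site sets.

```javascript
// Added example (not from the thread or any product mentioned in it):
// audit the Set-Cookie headers a page sends and report what each cookie
// would leave behind in the browser. Runs offline on constructed headers.

// Constructed sample headers; names and values are illustrative only.
const SAMPLE_SET_COOKIE = [
  'PHPSESSID=abc123; Path=/; HttpOnly; SameSite=Lax',                       // session cookie: no lifetime
  '_visitor=u-42; Expires=Fri, 31 Dec 2038 23:59:59 GMT; Path=/; Secure',  // persistent identifier
  'theme=dark; Max-Age=31536000; Path=/; SameSite=Strict',                  // persistent preference
  'old_tracker=; Max-Age=0; Path=/',                                        // deletion of an existing cookie
];

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
// Only the first "=" splits name from value, so values containing "=" survive.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Lifetime classification per RFC 6265: Max-Age wins over Expires; a
// non-positive Max-Age or a past Expires deletes the cookie; no lifetime
// attribute at all makes it a session cookie that dies with the browser session.
function classifyLifetime(cookie, now = Date.now()) {
  const a = cookie.attributes;
  if ('max-age' in a) {
    const seconds = Number(a['max-age']);
    return Number.isFinite(seconds) && seconds > 0 ? 'persistent' : 'deleted';
  }
  if ('expires' in a) {
    const t = Date.parse(a.expires);
    if (Number.isNaN(t)) return 'session'; // browsers ignore an unparseable Expires
    return t > now ? 'persistent' : 'deleted';
  }
  return 'session';
}

// Summarise every Set-Cookie header of a response.
function auditSetCookieHeaders(headers, now = Date.now()) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return {
      name: c.name,
      lifetime: classifyLifetime(c, now),
      secure: 'secure' in c.attributes,
      httpOnly: 'httponly' in c.attributes,
      sameSite: typeof c.attributes.samesite === 'string' ? c.attributes.samesite : null,
    };
  });
}

// True when the response leaves nothing behind: no Set-Cookie at all, or only deletions.
function leavesNoCookies(headers, now = Date.now()) {
  return auditSetCookieHeaders(headers, now).every((c) => c.lifetime === 'deleted');
}

// Stand-alone run. For a live check in Node 20+, replace SAMPLE_SET_COOKIE with
// (await fetch(url)).headers.getSetCookie() against your own site.
if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditSetCookieHeaders(SAMPLE_SET_COOKIE));
  console.log('cookie-free:', leavesNoCookies(SAMPLE_SET_COOKIE));
}
```

Run it server-side (a browser script cannot read Set-Cookie from a response), and run it against every page, not just the home page, since a CDN or app framework may set a cookie only on some routes. The report answers the technical half of the question only: "session" does not by itself mean exempt and "persistent" does not by itself mean consent is needed, which is exactly the point tleb_ makes above; what the lifetime report gives you is the factual input to that legal judgement.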
|
| [deleted]
| jivings wrote:
| It's currently still there on the blog site because I was worried that HN would smash my server and haven't moved it over to BunnyCDN yet ^^
| kaszanka wrote:
| I wish you luck on your move -- I love to see people dropping Cloudflare's MITM service that mistreats Tor users (among others).
| input_sh wrote:
| FYI a site owner can whitelist Tor as a "country" to stop mistreatment of Tor users. Of course, hardly anyone that uses Cloudflare does that.
| Saar1991 wrote:
| I like the idea of having a public analytics tracking page. How early in your journey did you introduce that?
| jivings wrote:
| From the start!
| Jsharm wrote:
| Naively did not realise using Cloudflare as a CDN meant subjecting users to cookies. I don't have a consent banner... Does Netlify?
| [deleted]
| donbrae wrote:
| Netlify doesn't seem to have a consent banner but sites hosted on it don't set cookies, despite using Cloudflare (at least that's my experience hosting a blog on it).
| iruoy wrote:
| Netlify doesn't use Cloudflare. Their DNS[1] is managed by NS1 and they host their websites on the edge[2] instead of using a CDN.
|
| [1]: https://ns1.com/blog/netlify-leverages-ns1-to-improve-perfor...
|
| [2]: https://www.netlify.com/products/edge/
| donbrae wrote:
| Ah, thanks. Didn't realise that.
| wongarsu wrote:
| At least under EU cookie laws and GDPR you shouldn't need a consent banner for Cloudflare cookies, as they provide essential functions (for availability and security) and don't track users. You might have to mention them and their purpose in your privacy policy though.
|
| https://support.cloudflare.com/hc/en-us/articles/200170156-U... goes into some detail about what the cookies do and (more importantly here) what they don't do.
| ancymon wrote:
| You might be kind of wrong. I think you don't need consent. But the cookie law still requires a notification banner (which is basically the same thing).
| That's because cookie usage by itself (no matter the purpose) requires notification.
| ATsch wrote:
| https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...
|
| Here's what the UK Regulator says.
|
| It's a bit unfortunate, there was a follow-up to this law that much improved the cookie nagging, but unfortunately it seems to have been stopped in its tracks by lobbyists because of its restrictions on ad tracking.
| [deleted]
| wongarsu wrote:
| Following the link from there to https://ico.org.uk/for-organisations/guide-to-pecr/guidance-... you find this paragraph:
|
| """ Are we required to provide information and obtain consent for all cookies?
|
| No - PECR has two exemptions to the cookie rules. Regulation 6(4) states that:
|
| (4) Paragraph (1) shall not apply to the technical storage of, or access to, information -
|
| (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
|
| (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
|
| """
|
| Strictly necessary includes "Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as 'load balancing' or 'reverse proxying')". That covers at least one of the Cloudflare cookies directly, and gives good indication that the other two also qualify.
| ancymon wrote:
| But the regulator guide is about GDPR. And it's consistent with what I wrote - GDPR law does not require consent for such cookies. So the regulator is ok with no consent.
|
| Apart from GDPR law, there's also separate EU Cookie Legislation which was passed before GDPR. This regulation requires clear user notification (not consent) that cookies are used.
| As far as I know (but I might be wrong, I don't follow it) this law is still in place and GDPR did not replace it. So that means you still need a cookie notification banner (but not with an "I accept" button but with "I understand").
| ThePhysicist wrote:
| No that's not true, look at article 5(3) of the directive, it exempts strictly necessary cookies as well (it doesn't reference cookies in particular but applies to all kinds of storage technologies instead): https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...
| ancymon wrote:
| I am not sure what exactly you mean is not true. But in fact the article you linked talks about pre-GDPR cookie consent. So it kind of contradicts what I said. But in practice to gather such consent it was allowed to say "if you don't consent, please disable cookies in your browser" and that's what I meant about the "I understand" button. Regarding the exemption for this notification, I am not sure if CF cookies should be considered as strictly necessary.
| sergiosgc wrote:
| The cookie law is no more. GDPR superseded it. It requires user consent, but only in some cases. Under GDPR, cookies that are not "personal information" (those that do not track users) do not require consent.
| speleding wrote:
| This is a common misconception. The GDPR is about protecting users' information, it's not really about cookies (the entire 88 page law mentions cookies only once).
|
| The ePrivacy Regulation is intended to replace the cookie law (ePrivacy Directive) eventually, but it hasn't yet.
| tarasmatsyk wrote:
| This is an awesome idea, I really love the writing and products presented (TLDR; SimpleAnalytics, BunnyCDN, Intergram). Good luck with LMA, this is an awesome product
|
| IMO, the "cookies banner" does not help to make the internet safer, it only worsens the UI; add a few more banners and there is no content left.
| How many people who don't know how the internet works hit "Disagree" if we still refuse to pay for e-services
| romanovcode wrote:
| ERR_TOO_MANY_REDIRECTS
| perlpimp wrote:
| Safari cannot open the page because too many redirects occurred.
| jivings wrote:
| I assume HN hug of death! It's back now.
___________________________________________________________________
(page generated 2020-11-03 23:00 UTC)