As in what happens to my cookies? Is the website pop-up of accepting or rejecting them just a formality, and do my cookies get collected regardless?
I find myself visiting websites and often don’t reject or accept cookies. I just look at what I need to and close the tab.
I tried to look this up on this sub but couldn’t find any related explanations.
Comments
Good question, wondered about that too. Gosh I wish I could just pre-set my choice and never had to go and select my preferences every f*cking time.
In theory, if correctly implemented: The site won’t set any cookies (except ones that are not in violation of handwave-handwave-I am not a GDPR law guy) if you don’t make either choice on the banner. So if you just visit, read some stuff, and navigate away, you shouldn’t get more cookies for that site (than maybe a few they need for network diagnostic purposes handwave-handwave).
A bit of cookie background: cookies are bits of information a site asks your browser to hold onto for it, then when your browser makes a request to that site, it attaches the cookies the site gave it to the request. This is how websites distinguish one requester from another. Not all cookies are bad (in fact, some are essential; one of the cookies your browser receives when you login to a site is the “session cookie,” and it’s now the browser connects your requests to the fact you are you).
The cookies people don’t like are generally “advertising cookies,” which are cookies a site could (technically speaking) put on your browser even if you didn’t log in. These would let the site know “Hey, I don’t know who this person is, but they looked at cow stories yesterday and now they’re looking at corn prices. I bet they’re a farmer. I’m gonna send ’em farm ads!” This makes some people sad (for reasons), so Europe passed some laws heavily constraining what sites are allowed to do in that space without explicitly telling you.
A note on collection: cookies are something the web server hands your browser. The browser doesn’t “collect” cookies on you. I think you mean “Does the site collect information about who I am if I don’t click yes or no on the cookie banner?” The technical answer is “Yes definitely; if their servers can’t know your IP address they can’t send you a response.” The more correct answer is “The GDPR also constrains what information sites are allowed to retain about individual visitors, how long they can retain it, and why… A GDPR-compliant site only retains your IP address as long as it needs to to make sure the site operates correctly and generally won’t try to blend that information with other information (your browser tells the site what kind of browser it is when it makes a request, for example) to uniquely identify you.”
… The more more correct answer is “The European Union doesn’t have universal reach to force compliance on every website, and the only thing stopping sites from just logging everything they see about your browser activity to their servers forever is how they configured their server software.” I think it’s fair to say most sites that show the cookie banner at all are trying to do things correctly as per the GDPR, but the banner is no guarantee sites are behaving correctly behind-the-scenes.
Technically if you don’t click anything, they don’t give you any cookies, as it’s similar to the “save as” dialogue box for accepting files. The unfortunate reality though is that a lot of websites either don’t implement that regulation at all, or as you somewhat elude to, have them set to remove them based on decline, rather than accept them based on.. accept.
Companies quite quickly swapped over to more broad forms of tracking though, based entirely on the data you have to send to access their website. So for example making a Google search, or reading the news, without any cookies at all, they will still track who made the requests/they sent the data to, and create a record of that identity from there, and try to put two and two together if they can then connect it to a more exact profile that uses cookies.
Alternatively they just become “grey” web sites, where you need to have an account in order to view them, which in itself requires you have a cookie to be logged in. So while you may still be able to opt out of advertising cookies while getting the required ones for logging in, they can create a profile out of that and use it for very slightly less perfect ad targeting, but still pretty highly accurate compared to cookieless.
The real difference with advertiser cookies, is that they can track you between websites, where necessary cookies should ideally be limited to say Twitter/X’s website.
> Is the website pop-up of accepting or rejecting them just a formality
It’s mostly a formality. It’s up to the operator of the website to decide what constitutes an “essential” or a “non-essential” cookie, or whether to even honor your request or not. Additionally, they can store cookies without asking you. In theory there are laws around this but I’ve been operating websites since before those laws existed and no one has ever done any sort of verification for any of my clients.
If you wish you can view the sites that have stored cookies in your browser. In Firefox for example the way to do this is Menu >> Settings >> Privacy & Security >> Manage Data. From there you can also delete individual cookies (sometimes helpful for troubleshooting purposes if a poorly-coded website does not perform properly), or delete all your cookies.
You can also configure your browser to delete all cookies whenever it is closed. However, this may have unintended side effects, such as “remember me” functions will likely not work. So I only do this when I’m setting up a public computer.
Usually the pop-ups only do a thing if you select to not allow some or any off the cookies. Dismissing or ignoring the pop-up will generally be the same as accepting all the cookies.
When you select which cookies to accept or decline them all, the idea is that those cookies shouldn’t be allowed to persist beyond the session. There will still be cookies shared between the server and browser, but once you leave, they should go away, too. When you return to the site, without cookies, you’re a brand new session, and other things need to be done to reconnect to any knowledge of who you are or what you’ve done (like logging in again).
Note that compliance is only required if you’re working with people in certain locations, like the EU and California. Some interpretations of that extend to people who are citizens of those areas regardless of where they are when visiting those sites.
If you’re not a person covered by one of those laws, and the site you visit doesn’t do the cookie things correctly, there is no penalty for them or recourse for you.
Depends on the laws being followed.
Under GDPR, essential cookies (those that are required for the basic operation of the site) don’t need your consent, and are likely being set immediately when you visit the site, regardless of what you do.
For non-essential cookies, they should only be set if and when you actively consent to them. If the site is complying correctly. Which, given there are many millions of websites, and many bad developers or uncaring businesses, is not necessarily true.
Many other regional cookie regulations follow this same basic model, to various degrees of enforcement.