I am kind of frustrated by the widespread misunderstandings in this thread.
Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities. The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.
There is no doubt that the goals set by the law are sensible. It is also not evident that losing time over privacy is so horrible. In fact, when designing a law that enhances consumer rights through informed consent, it is inevitable that this imposes additional time spent on thinking, considering and acting.
It's the whole point, folks! You cannot have an informed case-by-case decision without spending time.
Why should websites even be trusted with implementing these banners in the first place? Browser vendors should be responsible for implementing these controls per-origin. Give a little banner pop-up built into Chrome, Firefox, Safari, and the rest. Have it display every time a new site sets a cookie for the first time. Or have it reject every cookie by default, unless I whitelist a site. This would result in a consistent user-experience across the board, and I'd actually be able to trust that I'm not being tracked.
Instead, we are trusting the very websites we are blaming on tracking us in the most decietful, malicious ways possible to self-regulate and implement these controls. So now every website gets a shitty banner - on top of all the other annoying in-page banners and popups which are a staple of 2020s web design - that asks us if we want cookies. All these banners look different, are positioned differently on the page, appear at different times after the page is loaded, and function differently. So there's no consistency. And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies." How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?
So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industury does, except its worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.
So again, why isn't this the responsibility of browser vendors? Am I taking crazy pills? Am I going insane or is the world going insane?
If websites respected Do Not Track then things would be a lot easier. I think we need a right to be listened to. Right now it's enough online to insist on only accepting information in one particular way, like having a noreply email and making people login and submit since shitty web form to respond. Putting your hands over your ears and tape over your mail slot doesn't work in real life, it shouldn't work on the web either.
The whole law should have been forcing sites to not ignore DoNotTrack bworser settings. It's a prime example of the EU being utterly useless because they don't understand the underlying issue and then choose a "solution" that's as much in your face as possible but doesn't change anything about the original problem. It's the whole plastic straw thing in digital form.
This calculation somehow assumes that clicking banners on your free time equals lost money in terms of production.
If the average time for toilet visits per day is 12 minutes, we are losing 89.8 million hours a day collectively across Europe, and continuing the same logic in as in the article, with 25€/h this sums to 5% of EU GDP being spent down the drain.
Maybe we should focus efforts on a productivity programme to ban bathroom visits?
People blame the cookie banners themselves or the legislation that "made them necessary" but somehow never seem to blame the web companies for doing the naughty things on their websites that make them subject to the law.
The "cookie banner problem" exists because it's primarily end users that are shouldering the burden of them, and not the companies. For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner. For everyone else, it's thousands of wasted seconds per year. Make the law hit companies where it hurts: their balance sheets.
The whole thing is a colossal waste too, it was a law written by people who don't understand tech for special interest groups who don't want to actually make things better.
If you don't want a website doing something on your computer, you start with the browser, not the website.
I would like to present my opinion that this amount of time is spent dealing with website malicious compliance with EU rules. And it is in general asking people to get tracked and present them with personalized track or share/sell the data to their partners. All of these does not happen and you don't have to do that if you don't track and collect information about your users. Well there are some genuine websites that needs that but I am talking about the general case.
I am about as far from Europe as you can get, and I think my fellow kiwis also spent an inordinate about of time clicking EU mandated cookie banners.
Cookies should be enforced in the browser. I think all the major browsers block third party cookies now. Bad actors can use other fingerprints to do tracking.
The internet is broken and I don't think it's only in the EU. In the last years I found myself just avoiding using websites I'm not familiar with or confident they're not filled with ads and trackers, I've set-up some aggregators and custom readers to find and get the information I'm interested in. If I open a page that has the cookie banner that blocks me from reading the content or forces me to agree I just close it, it wouldn't have been that important anyway.
The numbers are much lower I think, at least nowadays.
> On average, a user visits about 100 websites per month, totaling 1,200 websites per year.
The number of 100 websites per month is pulled out of thin air. Following the links it seems to be based on the number of web PAGES visited DAILY by Americans in 2007.
In my anecdata most people are online a lot but mostly in just a few apps and websites.
So I guess all numbers in the article should be much much lower.
Around the time this started, Google was going to penalize sites in its search ranking if they greeted users with an obtrusive popup. I thought that would strongly discourage cookie banners but then suddenly there was an explosion of stupid popups everywhere - newsletter signups, cookie banners, "special offers", overlaid ads, etc. I guess Google never did that thing?
Think about this: Cookie banners are only a small part of how bad UI wastes people's time. Computers could be so much more useful if more care was put into UI for widely used applications and OSes.
I'm not sure I can accept their calculations. For example, I use "I do not care about cookies" + "Cookie AutoDelete". The first one claims it accepts only necessary cookies, closing or hiding all banners, while the second deletes all cookies when I leave the site.
I spend ~0sec on these banners. How many are there people like me? The authors say nothing about this solution and it seems to me that they are not aware of the possibility of the automation. They just assume that each banner costs 5 seconds.
Why 5 seconds? It is an eternity, to pick "reject" and click on it would take 0.5 seconds or so, wouldn't it? Yeah, I know, there are sites that do not allow just reject all and force you to uncheck a several dozen of checkboxes one by one, but these sites eat much more time than 5 seconds, it is more like 50 seconds. Maybe 5 seconds is an average value across all sites? But how it was calculated?
But I agree, that the situation is stupid. It would be better to have a standard API common for all sites, that will allow addons to accept and reject cookies based on the user settings.
> This situation calls for an urgent revision of the ePrivacy Directive
Shame companies cannot live without tracking cookies, and shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss".
You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.
the angle of wasted productivity on the end-user's side seems ridiculous. If anything, count wasted resources in implementation for little gain for the end-user.
"Assuming it takes an average of 5 seconds per interaction with a cookie banner".
People don't spend 5 seconds clicking accept. They start reading their website, notice the banner in their periphery shortly after, and click it to go away.
There's a more insidious effect of cookie banners, which is that they make it annoying to follow external links, especially to websites that you haven't visited before. This disadvantages websites built for external links, like HN.
The title originally claimed 575M hours spent every year by Europeans on cookie banners. That's 12 seconds on average a day per person. Hardly anything to complain about.
Am I literally the only person who this doesn't bother? When I go to a site I click all the xs and buttons until I can see content, without any conscious engagement at all really.
Sometimes when you go for a walk in the country there are stiles or gates to climb over and that is also fine.
I feel like there's some kind of implied belief here that all interactions with the world should be perfectly frictionless which I think may be more of a niche view than is realised?
Because I use fresh incognito mode for each browsing session, I have to click through those consent popups on every website I visit. Quite frustrating to say the least.
And how much time is wasted clicking away mailing list banners, popup ads, trying to parse the real download button on a page, watching through unskippable video ads, trying to decipher which part of a website is the article vs an ad etc?
Exemptions from cookie banners for small and medium-sized businesses (SMBs) using analytics, tracking user interactions on their websites, and managing basic advertising are imperative to mitigate unnecessary economic and productivity losses.
Yeah, right. You don't have to use cookie banners if you don't use cookies.
Unless you are running ads or profiling users, you can get equivalent data from server logs.
It is literally that meme where the guy pushes a stick into the spokes of his own bicycle only to blame others.
You don't need to ask people for their consent if you do not store personal data client side to track them. There are clear definitions what is personal and what isn't, you can store cookies for legitimate reasons which are also clearly outlined.
So if you don't want to ask for consent, you can avoid that by not doing things that require it.
> actively tracking a user beyond their visit to a website is difficult or borderline impossible for website owners, as it would require a court order.
I am skeptical of this claim. Partially due to the existence of trackers, beacons, 3rd party cookies and fingerprinting methods.
> Identifying users typically requires a court order to process IP addresses
Lots of people here saying the banners are simply unnecessary, but with untargeted advertising paying over 90% less, it simply is necessary for any website with ads.
If you got told tomorrow you had to start every conversation with "are you okay if I remember this" or you lose 90% of your salary, guess what you'd do.
Now count how much money and time is wasted loading all the spyware of typical commercial websites to generate a tiny value from selling ads and personally identifying information (the mobile data costs alone ...)
These calculations read like an episode of Silicon Valley.
Sure the banners are a stupid idea and a little annoying, but these figures have no merit. There's no way 500m hours of productivity are going to materialize from removing the banners. Removing 'please subscribe' popups, and other ads, now that's altogether different...
“Analysis of economic and productivity losses caused by companies implementing dark patterns in order to extort used consent”
FTFY
And you could add an analysis of the productivity cost of those “Subscribe to out newsletter” and “The experience is better on the app” pop-ups please?
"All" the EU needs to do is to mandate adherence to the Do Not Track setting in browsers, but then vast swathes of businesses based on unwanted and unethical tracking would go bust, so we have this really shitty stalemate.
All websites we build adhere to the Do Not Track setting and don't even show a cookie banner if it's set. The only question is whether we should show a message to say that we're not tracking people because we see they've asked us not to! It's possibly a bit easier for us because we work primarily in the non-profit sector where ethics are perhaps a little higher up the agenda.
My opinion is that cookie banners are so bad because of GDPR and not getting rid of the cookie law when GDPR was enacted.
Then everybody kept their cookie banners around and folded GDPR requirements into it, making it more complex, and more necessary all over the place, and less likely for people to think do we need these cookies or not and do we need to show this banner because of fear of GDPR (potential fines are big!!)
Analysis of economic and productivity losses caused by Youtube ads in <world>.
<S>OMFG!!! YOUTUBE IS COSTING THE WORLD *750B EUR* PER YEAR. </S>
How many hours of productivity are lost to Youtube ads?
2.49 billion active users, average seems to be 29 hours per month, reddit reports 4 ads/10 minutes lately - so 24 ads/hour, 5 seconds each (even though that went up!), so 2mins of ads/hour or 1 hour of ads per month, 12 hours of ads per year!
12 hours * 25 Eur/hour * 2.5B = 750B Eur
(probably made some mistakes)
Also, this article is ridiculous - like assuming all 400M European internet users are "productive" at 25Eur/h (30% are probably < 15 or > 65), people clicking 1200 banners per year because they visit 100 sites/month (12*100, right?!) and so on.
I don't even have the words to express how little I care if companies serve me targeted ads with cookies. On the other hand I absolutely despise what the average visit to website with a cookie banner has become.
I can't believe any of this made a difference in privacy. There is ZERO chance that the law can be enforced here. I've worked in few startups in Europe, no one understand their obligation, let alone the consequences from third party services.
This whole cookie banners, and GDPR in general, is as good as literature.
This destroyed the world wide web, which was the major driver of the internet as a consumer application. I'm referring to the experience of intelligent & creative publishers sharing content openly on the web. This did far more to destroy the world wide web than ads or tracking
This is an example of the potential double-edged sword of passing legislation without input from lobbyists. On one hand, without an industry voice, they passed an amazingly ambitious set of protections. On the other hand, it doesn't seem like there was a technical industry expert who warned them of the implications.
(I say that, but the EU bureaucrats that passed this law may actually see the immense numbers of popups as a win still - who knows).
A revision is patently obvious to seemingly everyone - revise the law to instead mandate that websites respect the Do Not Track header, or at least have designed a more granular replacement. There's no reason you shouldn't just be able to set it once and your browser tracks it for you.
I know that I'm in the minority, especially here, but I generally welcome paying with my data. it seems to me that companies need to generate revenue and they do this by extracting something of value from the user and that this thing by definition almost would be something the user isn't happy to just hand over: money, watching ads, electricity for mining crypto, personal data etc. It's some form of payment.
for me personally out of all these options giving my data is my least painful payment option for one off services.
Analysis of economic and productivity losses caused by cookie banners in Europe
(legiscope.com)332 points by vegasbrianc 14 November 2024 | 381 comments
Comments
Laws are best when they are abstract, so that there is no need for frequent updates and they adapt to changing realities. The European "cookie law" does not mandate cookie banners, it mandates informed consent. Companies choose to implement that as a banner.
There is no doubt that the goals set by the law are sensible. It is also not evident that losing time over privacy is so horrible. In fact, when designing a law that enhances consumer rights through informed consent, it is inevitable that this imposes additional time spent on thinking, considering and acting.
It's the whole point, folks! You cannot have an informed case-by-case decision without spending time.
If you're on iOS, the Kill Sticky bookmarklet does a decent job of cleaning these up without breaking most sites: https://www.smokingonabike.com/2024/01/20/take-back-your-web...
Instead, we are trusting the very websites we are blaming on tracking us in the most decietful, malicious ways possible to self-regulate and implement these controls. So now every website gets a shitty banner - on top of all the other annoying in-page banners and popups which are a staple of 2020s web design - that asks us if we want cookies. All these banners look different, are positioned differently on the page, appear at different times after the page is loaded, and function differently. So there's no consistency. And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies." How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?
So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industury does, except its worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.
So again, why isn't this the responsibility of browser vendors? Am I taking crazy pills? Am I going insane or is the world going insane?
/rant
The EU does not mandate banners, it's the businesses choosing to bully their customers into accepting all tracking and profiling.
So modest proposal: Make these websites pay 575€ million/year for wasting citizens' time or have them accept that "no" means "no".
If the average time for toilet visits per day is 12 minutes, we are losing 89.8 million hours a day collectively across Europe, and continuing the same logic in as in the article, with 25€/h this sums to 5% of EU GDP being spent down the drain.
Maybe we should focus efforts on a productivity programme to ban bathroom visits?
The "cookie banner problem" exists because it's primarily end users that are shouldering the burden of them, and not the companies. For the company, it's a one time JIRA ticket for a junior software engineer to code up a banner. For everyone else, it's thousands of wasted seconds per year. Make the law hit companies where it hurts: their balance sheets.
If you don't want a website doing something on your computer, you start with the browser, not the website.
Cookies should be enforced in the browser. I think all the major browsers block third party cookies now. Bad actors can use other fingerprints to do tracking.
> On average, a user visits about 100 websites per month, totaling 1,200 websites per year.
The number of 100 websites per month is pulled out of thin air. Following the links it seems to be based on the number of web PAGES visited DAILY by Americans in 2007.
In my anecdata most people are online a lot but mostly in just a few apps and websites.
So I guess all numbers in the article should be much much lower.
I spend ~0sec on these banners. How many are there people like me? The authors say nothing about this solution and it seems to me that they are not aware of the possibility of the automation. They just assume that each banner costs 5 seconds.
Why 5 seconds? It is an eternity, to pick "reject" and click on it would take 0.5 seconds or so, wouldn't it? Yeah, I know, there are sites that do not allow just reject all and force you to uncheck a several dozen of checkboxes one by one, but these sites eat much more time than 5 seconds, it is more like 50 seconds. Maybe 5 seconds is an average value across all sites? But how it was calculated?
But I agree, that the situation is stupid. It would be better to have a standard API common for all sites, that will allow addons to accept and reject cookies based on the user settings.
https://chromewebstore.google.com/detail/consent-o-matic/mdj...
> This situation calls for an urgent revision of the ePrivacy Directive
Shame companies cannot live without tracking cookies, and shame that the blame somehow end up on the regulation, rather than the companies who are the ones who introduce this cookie banner and "massive productivity loss".
You know the best way of not having to put up cookie banners on your website? Don't store PII in cookies. You know the best way of not having to care about GDPR? Don't store PII.
"Assuming it takes an average of 5 seconds per interaction with a cookie banner".
People don't spend 5 seconds clicking accept. They start reading their website, notice the banner in their periphery shortly after, and click it to go away.
What would I have contributed to my GDP in the 5 seconds it took to ‘Reject all’ on Reddit?
Sometimes when you go for a walk in the country there are stiles or gates to climb over and that is also fine.
I feel like there's some kind of implied belief here that all interactions with the world should be perfectly frictionless which I think may be more of a niche view than is realised?
Yeah, right. You don't have to use cookie banners if you don't use cookies. Unless you are running ads or profiling users, you can get equivalent data from server logs.
You don't need to ask people for their consent if you do not store personal data client side to track them. There are clear definitions what is personal and what isn't, you can store cookies for legitimate reasons which are also clearly outlined.
So if you don't want to ask for consent, you can avoid that by not doing things that require it.
I am skeptical of this claim. Partially due to the existence of trackers, beacons, 3rd party cookies and fingerprinting methods.
> Identifying users typically requires a court order to process IP addresses
And this one as well.
If you got told tomorrow you had to start every conversation with "are you okay if I remember this" or you lose 90% of your salary, guess what you'd do.
Oh and 5 seconds is unrealistically high.
Sure the banners are a stupid idea and a little annoying, but these figures have no merit. There's no way 500m hours of productivity are going to materialize from removing the banners. Removing 'please subscribe' popups, and other ads, now that's altogether different...
FTFY
And you could add an analysis of the productivity cost of those “Subscribe to out newsletter” and “The experience is better on the app” pop-ups please?
All websites we build adhere to the Do Not Track setting and don't even show a cookie banner if it's set. The only question is whether we should show a message to say that we're not tracking people because we see they've asked us not to! It's possibly a bit easier for us because we work primarily in the non-profit sector where ethics are perhaps a little higher up the agenda.
https://legiscope.com/blog/hidden-productivity-drain-cookie-...
Then everybody kept their cookie banners around and folded GDPR requirements into it, making it more complex, and more necessary all over the place, and less likely for people to think do we need these cookies or not and do we need to show this banner because of fear of GDPR (potential fines are big!!)
>404 Not Found
<S>OMFG!!! YOUTUBE IS COSTING THE WORLD *750B EUR* PER YEAR. </S>
How many hours of productivity are lost to Youtube ads?
2.49 billion active users, average seems to be 29 hours per month, reddit reports 4 ads/10 minutes lately - so 24 ads/hour, 5 seconds each (even though that went up!), so 2mins of ads/hour or 1 hour of ads per month, 12 hours of ads per year!
12 hours * 25 Eur/hour * 2.5B = 750B Eur
(probably made some mistakes)
Also, this article is ridiculous - like assuming all 400M European internet users are "productive" at 25Eur/h (30% are probably < 15 or > 65), people clicking 1200 banners per year because they visit 100 sites/month (12*100, right?!) and so on.
GDPR is basically exactly what Bill Gurley talks about here ; https://www.youtube.com/watch?v=F9cO3-MLHOM
Regulatory capture.
This whole cookie banners, and GDPR in general, is as good as literature.
>if you collect users data
>you must ask first
>add a yes or no button on a banner so they can pick
but instead the eu citizens were let down by the legislators
(I say that, but the EU bureaucrats that passed this law may actually see the immense numbers of popups as a win still - who knows).
A revision is patently obvious to seemingly everyone - revise the law to instead mandate that websites respect the Do Not Track header, or at least have designed a more granular replacement. There's no reason you shouldn't just be able to set it once and your browser tracks it for you.
for me personally out of all these options giving my data is my least painful payment option for one off services.