Biscuits, GDPR and the state of the web

Hello!

Since GDPR, the experience of the web has degraded. Cookie pop-ups are everywhere, and websites are still using lots of tracking scripts that make them unusable on slower connections or older devices.

A few months ago we switched to a new website analytics service called Fathom which meant we could get rid of that awful pop-up. We’ve also updated our new Biscuit Policy* with the services we use and how we don’t track you.

Have a great weekend :blush:

Nick

*https://zevvle.com/cookies still redirects there.

3 Likes

You bring me great happiness. :smiling_face_with_three_hearts:

I was working for a web agency in 2018 and sold my soul by sticking cookie notices on hundreds of websites at the behest of clients. A lot of clients didn’t need one at all. Those that did were already breaking the regulations (which weren’t introduced by GDPR, it just got the publicity), and the solution they all insisted on (a simple notice with no option to opt in or out) didn’t make them any more compliant.

So a couple hundred websites were vandalised with annoying sticky footers to absolutely no legitimate end, and you’ve got me to blame. Sorry. :’(

2 Likes

I doubt it was intentional, but expecting every website maintainer to correctly implement some hard-to-navigate regulation wasn’t ideal. A ‘Quick Access’ section:

“Do we need a pop-up? Do we not? How do we handle it?” Unfortunately the lowest common denominator was a harder-to-use web. :confused:

Don’t get me wrong — I’m all for privacy regulation and GDPR seemed like a good move (after all cookies are only one aspect of it and the net-effect may still be positive), but it does highlight unintended consequences…

1 Like

I’d argue that that’s a little too kind on the people making these decisions. :wink: The default was to give no thought whatsoever to what they were collecting and how they used it, but to read a BBC headline and tell us to stick a cookie notice on their site. And it was hard to push back against that, because doing it properly required at least some thought that they didn’t want to do or pay us to do.

I don’t think that you need to know the ins and outs of data privacy legislation if you actually have respect for your users’ privacy. Because if you have that then you’ll probably find that you’re well within its boundaries just by designing something that you wouldn’t be uncomfortable with.

In my opinion, the GDPR is impressively ambitious and well thought out considering the number of stakeholders it had to get past. Cookies were directly regulated by PECR (which long preceded the GDPR) but for some reason most people paid no attention to the issue until the GDPR came in. But yes, when it comes to cookies PECR has led to a lot of terrible implementations that help nobody, and enforcement is nonexistent.

The proposed update to PECR is aiming to improve that though. ^^

3 Likes

Yes! This.

2 Likes

To be clear, the agency I worked at didn’t have respect for privacy either. There was plenty we could have done systematically on our end (without even bothering to tell the clients) that would’ve helped a lot. But while I was happy to sound like a broken record about it in work, it’s hard to convince as a lone voice.

1 Like

One of the problems with the GDPR is the complete lack of enforcement which means half-assed attempts at compliance (like cookie banners) are allowed to proliferate. If the GDPR was enforced, the annoying (and thus non-compliant) cookie banners would disappear overnight after a couple fines, especially considering enforcement can be automated (pick a popular and non-compliant “consent management” solution like TrustArc, run a web crawler looking for their JS and send automatic legal threats).

When it comes to respect for privacy, it isn’t all black and white either though. A lot of companies legitimately want to respect privacy but the person responsible lacks the technical skills to make the right decisions and/or is swayed by the lies of malicious companies that will falsely brand their services as GDPR-compliant. I’ve argued with several DPOs about how their supposedly compliant Facebook SDK (or similar advertising/marketing SDKs) was sending way more PII than just the advertising ID. There is no incentive for them to lie on that point (any additional data the SDK sends is for FB’s purposes only, so the company itself doesn’t gain anything) so it is just an issue of technical skills. After enough arguing they finally removed the SDK completely, but it was still an uphill battle that should be fought by regulators instead of the end-users.

3 Likes
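The "run a web crawler looking for their JS" idea from the post above, as an added example that is not code from the thread or from any regulator: a small detector that pulls every script tag out of a fetched page, classifies third-party script hosts against a reviewed list, and also catches inline loader snippets that have no src attribute. The host list, the inline markers and the sample HTML are constructed assumptions for illustration, not a verified list of non-compliant vendors; the classification labels say what kind of script a host serves, nothing about whether a given deployment is compliant.

```python
"""Detect third-party consent-management and tracking scripts in an HTML page.

Added illustration of the crawl-for-their-JS idea; not code from the original
thread. KNOWN_HOSTS, INLINE_MARKERS and SAMPLE_HTML are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed host -> category map. A real crawler would maintain a reviewed list.
KNOWN_HOSTS = {
    "consent.trustarc.com": "consent-management",
    "cdn.cookielaw.org": "consent-management",
    "www.google-analytics.com": "analytics",
    "www.googletagmanager.com": "tag-manager",
    "connect.facebook.net": "advertising",
}

# Loader functions that appear in inline snippets (no external src to match).
INLINE_MARKERS = {
    "fbq": "advertising",
    "gtag": "analytics",
    "ga": "analytics",
}


class ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True  # body arrives via handle_data

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def host_of(src, page_host):
    """Host a script src loads from; relative paths resolve to the page itself."""
    if src.startswith("//"):
        src = "https:" + src  # protocol-relative URLs have no scheme to parse
    return (urlparse(src).hostname or page_host).lower()


def find_trackers(html, page_host):
    """Return sorted (category, evidence) pairs for recognised scripts on a page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = set()
    for src in collector.external:
        host = host_of(src, page_host)
        if host == page_host:
            continue  # first-party script: nothing to classify here
        for known, kind in KNOWN_HOSTS.items():
            if host == known or host.endswith("." + known):
                findings.add((kind, host))
    for body in collector.inline:
        for name, kind in INLINE_MARKERS.items():
            # word boundary so "ga(" does not match inside e.g. "mega("
            if re.search(r"\b" + re.escape(name) + r"\(", body):
                findings.add((kind, "inline:" + name + "("))
    return sorted(findings)


# Constructed page: a CMP loader, a first-party script, and a gtag snippet.
SAMPLE_HTML = """
<html><head>
<script src="//consent.trustarc.com/notice?domain=example.com"></script>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-0"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for kind, evidence in find_trackers(SAMPLE_HTML, "example.com"):
        print(f"{kind:20s} {evidence}")
```

A crawler would feed each fetched page's body and hostname into find_trackers and keep the pages that report a consent-management host; everything after that (checking whether the banner actually offers a refusal, and what the page sets before consent) needs a real browser rather than static HTML.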

Firefox has an add-on / extension named “i don’t care about cookies” which makes using the web much better. It also has a paywall extension but of course I don’t recommend that.

2 Likes

On Firefox the gold standard is uBlock Origin with all the “annoyances” lists enabled. Blocks all the cookie/consent management garbage in addition to analytics, telemetry, Mark Zuckerberg, etc.

1 Like

Would also recommend uBlock Origin or uMatrix. Because I do care about cookies - just don’t want them. :stuck_out_tongue:

1 Like

I checked out Fathom when this post went up and really liked the look of it. Today I came across Plausible, who’re doing something very similar, with the big upside (to me) of their product being open source and self-hostable. They’re about 70% cheaper as well if you’re interested @nick. :wink:

Edit: Plausible is also owned and hosted in the EU (as opposed to North America), which is sometimes a consideration when it comes to data privacy.

1 Like

:eyes: dammit. Thank you for pointing them out, it looks excellent. When I get round to switching… ;p

1 Like

I’m wondering if it’s possible to migrate historic data to these newer systems? I’ve currently got a self hosted Piwik install that I use for a few sites but rarely look at. My other thought is just use the server logs for getting a basic idea of usage.

1 Like

My other thought is just use the server logs for getting a basic idea of usage.

This is what I do in practice, with Piwik’s log analytics.

1 Like
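The "just use the server logs" approach from the two posts above, as an added example that is not code from the thread, from Piwik/Matomo, Fathom or Plausible: parse Apache/nginx combined-format access logs, keep successful page views (not assets), and count unique visitors without any cookie by hashing a daily salt together with IP and User-Agent. The daily-salted hash is the general idea the cookieless analytics tools mentioned in this thread describe for uniques; the exact recipe, the log format regex and the sample log lines here are assumptions constructed for illustration.

```python
"""Cookie-free usage stats straight from web server access logs.

Added example; not code from the thread or from any analytics product.
LOG_RE assumes the Apache/nginx "combined" format; SAMPLE_LOG is constructed.
"""
import hashlib
import re
import secrets
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".svg", ".ico", ".woff2")


def new_daily_salt():
    """Fresh random salt; generate one per day and discard the old one so
    yesterday's visitor IDs cannot be linked to today's."""
    return secrets.token_hex(16)


def visitor_id(day, ip, ua, salt):
    """Pseudonymous visitor key: one-way hash, never stores IP or UA, and
    changes when the salt rotates, so it only counts uniques within a day."""
    return hashlib.sha256(f"{salt}|{day}|{ip}|{ua}".encode()).hexdigest()[:16]


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_page_view(rec):
    """Successful GET of something that is not a static asset."""
    path = rec["path"].split("?")[0]
    return (
        rec["method"] == "GET"
        and rec["status"].startswith("2")
        and not path.endswith(ASSET_SUFFIXES)
    )


def summarise(lines, salt):
    """Return {day: {"views": n, "uniques": n, "top": [(path, n), ...]}}."""
    views = Counter()
    uniques = defaultdict(set)
    paths = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_page_view(rec):
            continue
        day = rec["day"]
        views[day] += 1
        uniques[day].add(visitor_id(day, rec["ip"], rec["ua"], salt))
        paths[day][rec["path"].split("?")[0]] += 1
    return {
        day: {
            "views": views[day],
            "uniques": len(uniques[day]),
            "top": paths[day].most_common(3),
        }
        for day in views
    }


# Constructed log lines: two visitors, one asset fetch, one 404, one junk line.
FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/72.0"
IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) Safari/604.1"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jan/2020:09:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "{FF}"',
    f'203.0.113.7 - - [10/Jan/2020:09:01:13 +0000] "GET /static/app.js HTTP/1.1" 200 900 "https://example.com/" "{FF}"',
    f'203.0.113.7 - - [10/Jan/2020:09:02:40 +0000] "GET /pricing HTTP/1.1" 200 4100 "https://example.com/" "{FF}"',
    f'198.51.100.23 - - [10/Jan/2020:10:15:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "{IOS}"',
    f'198.51.100.23 - - [10/Jan/2020:10:15:30 +0000] "GET /missing HTTP/1.1" 404 150 "-" "{IOS}"',
    f'198.51.100.23 - - [11/Jan/2020:08:00:00 +0000] "GET /pricing HTTP/1.1" 200 4100 "-" "{IOS}"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for day, stats in summarise(SAMPLE_LOG, new_daily_salt()).items():
        print(day, stats)
```

Nothing here identifies a person across days, which is the point: the raw log line still holds the IP, so the log retention period, not the analytics step, is where the privacy exposure lives.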

Doesn’t look like it for Plausible, could ask in their issue tracker.

Good find. And good job zevvle on all of the above!

2 Likes

Well I’ve just signed up myself for Plausible for my company’s website(s), and it’s perfect. Exactly what I need out of an analytics tool. Well worth my $6 a month, imo.

2 Likes