The problem is right now management is not only insisting on their team vibe-coding bespoke replacements, they’re avoiding paying for other SaaS because they can vibe-code their own replacements, often themselves, and they’ve lost sight of the fact that they probably don’t want to be responsible for it.
Arguably that’s the “operations” and “relationship” parts described here. But right now, many companies are choosing to not pay for software because they can build a solution themselves.
As far as cookie popups go (and recognizing you probably know this so it’s more a general comment), GDPR doesn’t encode cookie popups into law, but the entire industry follows the pattern of cookie popups in response to the underlying requirement of informed consent. Companies could choose to not collect as much info, or take other approaches, but cookie popups are the default.
You're right, for sure. It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes. I haven't put any time into nailing down the wording, but something that communicates "sites are allowed to use 'authentication cookies' to validate a user's ability to make server requests" would be most welcome. Then you could actually have an incentive to remove the cookie banner on sites that only use cookies for session authentication. You don't also use them to integrate with your marketing analytics kraken? Sweet! You don't have to have a banner or other notice!
It's important to note that this is what the European Commission has determined to be acceptable for them. One very important distinction here is, as far as I understand, that the EC is not bound by the ePrivacy Directive, as directives bind member states and require them to include them in their national law. They do still try to be consistent with how the directive is applied in the member states, though, but since it can be varied they have more leeway compared to most other controllers.
The text on that website does state that some DPAs have found some first-party analytics acceptable, but that's not something that is confirmed by the CJEU. And the ePD does not have a single-stop shop, so you need to follow every DPA's directions if you are offering services to that DPA's country.
Oh, nice! That page seems to have been written a year ago[0] and I wasn't aware of it. If that had existed from day one, we probably wouldn't be having this conversation.
I'll concede that, but that's still several years after the law was deployed and people had to kind of guess for a while.
GDPR isn't unique in that. When HIPAA came out in the US, no one was sure what it actually meant. I personally talked to hospital administrators who were convinced that we'd have to put up a "take a number" device in waiting rooms and call out "#53? It's your turn #53!", which the owners of the practice I ran flat-out refused to do: "the waiting room is currently occupied by Mr. Smith and Mrs. Jones, who have known each other since kindergarten, and I'm not going to refer to them as numbers". It took several years to build consensus on how to comply with it.
In case it wasn’t clear, I wasn’t trying to “gotcha” you or anything. I took your message to be in good faith. I just knew the website used to exist on another page because I remember having it in my bookmarks and it breaking and having to search for the new one.
> but that's still several years after the law was deployed
Maybe, I do not know. I didn’t search for it before then, so for all I know it was available at some other domain too. Or maybe it wasn’t, that’s the earliest one I remember.
Understood, and appreciated in the manner in which you meant it! I do love talking about this stuff. I've discovered that I have a giant regulation nerd deep inside me.
> It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes.
It does have such an exception, and always did (as long as the cookies are not used for tracking or other non-essential things etc.). It might not be super explicit, but it's explicit enough to keep you on the safe side.
You do have to inform people, but there are very non-intrusive ways to do so (as it's informational only, i.e. no user interaction like confirm/accept is needed at all). (I think they also have removed part of the explicit informational requirement for some things recently, i.e. it's good enough to list it on your site in the TOS/data protection section/sub-site.)
There are other (I think not EU-wide but nation-specific) laws which get confused with it and handle things differently, based on sites storing their data on your computer (and with that, any cookie).
The reason most sites don't do anything like that isn't because they can't. It's because they try to harass users endlessly until they always click on confirm and can be tracked. Or because they don't know better due to an endless slew of systematic misinformation spread by advertisement agencies like Google Ads.
Needing consent and informing the user are two distinct concepts.
I think you did need to explicitly tell the user about it.
But I think (not fully sure) they did relax that recently, so just listing it in your Privacy Policy or similar should be enough by now.
But also due to how enforcement is designed, it's not that you really had to worry about anything if you only have non-consent-requiring cookies and list them clearly in the privacy policy. Worst case, a privacy agency tells you to "improve on it" without penalty.
It's just, which site (or app) today doesn't use something like Google's Ad Network, or Meta's Ad Network, or Apple's Ad Network? All of which do not support ads without tracking (which still are very viable, e.g. select ads based on what the site/ad is about).
GDPR does not formally require cookie popups (and the cookie stuff predates GDPR as such anyway). But it's challenging to the point of impracticality to run a website with so few cookies that a popup is not required. The EU's official resources on data protection, for example, have a popup. (https://commission.europa.eu/law/law-topic/data-protection/r...)
Only if your site insists on using any of the widely used ad networks.
Though there are ad networks which base ads on what is on your site instead of who visits.
And the popup you link is _not_ a GDPR popup but is related to some other older and very misguided law(s). (Not EU-wide laws, but EU sites want to be compliant with every member country's laws.)
Having an EU decision which requires countries to remove these older misguided laws has been on the agenda for years. It's just, given that most sites will have popups anyway (e.g. for Google Ads), things move way, way, way too slow :(
>> But it's challenging to the point of impracticality to run a website with so few cookies that a popup is not required.
Nonsense. It's easy to create a site that doesn't need a cookie pop-up. Indeed the mere existence of a cookie pop-up screams "we are tracking you and selling your info".
Personally, been making a low-fidelity Excalidraw-like calendar app: https://letswalnut.com.
There’s a real-time collaborative workspace-oriented version, too.
Professionally, working on “Magic Draft,” a feature in Ditto to help designers and writers create the “draft and a half” directly in Figma, which uses a hierarchy of all your context (text, Ditto metadata, the design, your style guides, etc) to write really good starting point copy.
There’s a similar post that I can’t find that relates to ornamentation and detail in infrastructure as simple as a pole on a sidewalk – an ornate and designed pole replaced with a simple round post. Perhaps someone else remembers the source.
Also, here's an example of a collaborative public calendar from the "workspace" version! Anyone can pop in and make changes and see what others are doing.
Ditto | Product Designer | Remote (US/Canada) | $140-200K + early team member equity
Ditto helps teams manage their copy from design to production with a single source of truth. Over 3,600 teams (from Fortune 500 companies to startups!) currently use Ditto.
We're hiring our second product designer to help to define and design our core product, from strategy to execution. As the second designer on our team, you’ll have an outsized impact on defining not only what Ditto is and how it works, but what we do next.
Ditto is a design-driven company. Our design function has high ownership around identifying and shaping problem spaces, exploring solutions, and helping to drive implementation. We don’t have a product function—instead, both design and engineering own the product lens. We think this is critical for Ditto’s product, which is used by design and engineering teams in their day-to-day workflows.