Proposal: Cookie Consent Should Be Browser-Native, Not Website-Native

5•zak-mandhro•3h ago

TL;DR: Cookie consent shouldn’t be a popup war on every website. Browsers should handle it natively — just like location or notifications — based on user-set privacy preferences. We can fix the web with one header, a little browser enforcement, and a lot less nonsense.

The current system for cookie consent is a mess. Every website throws a popup in your face, asking you to accept tracking you neither want nor need. The irony? It’s not technically necessary. We can solve it at the browser level — cleanly, universally, and in a user-respecting way.

Here’s how:

1. Browser-Level Privacy Preferences Browsers should allow users to set global consent preferences, just like setting a default language or search engine.

Example:

* Essential cookies: Always allow

* Analytics cookies: Ask or Block

* Marketing cookies: Ask or Block

* Third-party cookies: Ask or Block

Set once. Apply everywhere. No more popups.

2. New HTTP Header: Set-Cookie-Category Websites would categorize cookies when setting them, like:

Set-Cookie: sessionId=abc123; Category=Essential Set-Cookie: trackUser=true; Category=Marketing

Standardized categories: Essential, Analytics, Marketing, Personalization, Other. No trickery. No ambiguity.

3. Browser Enforcement When a site tries to set a cookie:

* Browser checks the declared category.

* Browser checks the user's privacy preferences.

* If no consent: cookie is silently blocked.

If consent is "Ask," the browser shows a small permission prompt (similar to location or notifications). No more hijacking the page UI.

1. Optional Website Messaging Websites could optionally trigger a browser-native dialog to explain their cookie use — but no walls of legalese blocking access.

2. Bonus: Easier Compliance Audits Browsers could expose APIs for compliance tools to automatically verify if a site respects consent preferences.

Why hasn’t this happened yet?

* Ad-tech companies make too much money off friction and dark patterns.

* Browser vendors (especially Chrome) profit from the status quo.

* Regulators targeted websites, not browsers, in GDPR/CCPA drafts.

But it’s not too late. Safari, Firefox, Brave, Arc — even Chrome (if enough pressure builds) — could easily implement this.

Users deserve better. The web deserves better.

If you think this should be built, upvotes help visibility.

Comments

zak-mandhro•3h ago

One thing I’d love to hear from the HN crowd:

Are there real technical blockers to browser-native consent management?

* HTTP already has Set-Cookie, so tagging with a Category param seems straightforward.

* Browsers already manage permissions like location, camera, and notifications.

* GDPR/CCPA compliance should be stronger if browsers enforced consent upstream.

Is the real obstacle purely political (ad-tech resistance), or is there something deeper I'm missing on the protocol or standards side?

Also curious: if browsers did offer this, would major sites still try to layer their own consent dialogs on top (to push opt-ins harder)? How would we stop that?

legitster•2h ago

> Why hasn’t this happened yet?

I've worked on three different corporate privacy teams. Nearly unanimously everyone would have preferred an extension of "do-not-track" that's legally enforceable.

The reality though is that the laws governing cookies were an afterthought by the European Commission when writing GDPR. GDPR has been an overwhelming success (at least according to the EU lawyers who legislate such things), so there has not been a rush to amend the rules around cookies.

The reality is it's not going to change until the laws change. No major company is going to stick their neck out and risk punishment.

zak-mandhro•2h ago

It makes sense that corporate teams would have preferred a "real" do-not-track standard, but had no incentive (or legal cover) to push it further.

It's wild how much of today’s cookie UX mess was an accidental regulatory artifact, not deliberate design.

Curious from your perspective: what do you think the EU's real motivation was behind mandating consent banners instead of pushing for proper browser-level control?

And second: what kind of pressure (technical, political, economic) would it actually take for the EU to update the rules to allow something cleaner now?

Would love to hear your take, since it sounds like you've seen how these decisions happen from inside.

legitster•1h ago

If you actually work through the privacy directives with a legal team, which is something I have done for nearly a decade, the law itself has several self-contradictions and unresolved problems. How do you retain someone's choice for privacy without remembering who they are? How do you serve data in a TCP network without revealing an IP address? What constitutes clear opt-in language? If we don't sell to Europeans, do we still have to comply?

The European Commission very proudly does not work with lobbyists, and in this case it shows that they did not consult anyone technical. I think they were just not aware of a browser-level solution and put all of the compliance on individual companies.

While the banners seem a given now, in 2017 when we first started planning for GDPR nobody had a clue how to resolve all of the questions. And at the time the European Commission was also telegraphing very hard that they were going to be resolving most of these questions with case law - none of us wanted to deal with a lawsuit from the EU, so the most obvious thing became do what everyone else does, don't stand out, and wait for some future resolution.

I don't know if there's a fix. This is simply how EU regulators like to work - in the US we like laws that are black and white and apply equally to everyone (or at least have traditionally). And in the EU they like a bit more squishiness - let member countries interpret things a bit differently and build individual cases on only the bad actors. And you see this attitude when working with lawyers from the respective regions.

zak-mandhro•1h ago

This is incredible perspective — seriously, thank you for sharing it.

It’s fascinating (and honestly a little tragic) that a lot of the cookie chaos comes down to basic unsolved problems like "how do you remember privacy without remembering identity?" — fundamental contradictions nobody could easily patch.

It really hits home what you said about the EU approach: case-by-case "squishy" regulation vs hard-coded universal rules.

Makes me wonder if any browser-led technical solution would just end up becoming de facto case law too — basically "Chrome/Firefox/Brave do it this way, so it becomes the norm," even if regulators never mandate it formally.

If you had a magic wand: would you push for a formal browser-level privacy protocol now, or is the better play just to keep tightening enforcement against the worst actors and let good practices spread organically?

Flundstrom2•1h ago

There is already one important implementation that is basically ignored nowadays. But if EU would enforce the use of Do-Not-Track and your proposal there would be quite a movement.

However, "cookie" should be interpreted pretty liberal, to cover state storage and tracking in general.

zak-mandhro•1h ago

Totally agree — "Do-Not-Track" was a great idea, but without real enforcement it became a polite suggestion nobody listened to.

I also completely agree that "cookie" should be interpreted broadly — not just literal HTTP cookies, but any client-side tracking (localStorage, IndexedDB, fingerprinting, etc).

If enforcement actually happened at the storage and tracking level, and browsers had native consent handling, the entire dynamic between users and websites would shift dramatically.

Curious — in your view, would it be better for the EU (or regulators) to issue a technical specification for how consent enforcement should work? Or just mandate the outcome and leave it to browser vendors to figure out? (Feels like that choice matters a lot for real adoption.)

Hubproxy: The GitHub webhooks you deserve

Is 1 Prime, and Does It Matter?

The '5 things' emails are going by the wayside as Musk readies his exit

EU says it will enforce digital rules irrespective of CEO and location

Internal tech emails: Mark Zuckerberg and Snapchat

Introducing Incrementalist, An Incremental .NET Build Tool for Large Solutions

A man behind Fukushima town's 'Strawberry Sheep'

Data Structure for Dynamic Discrete Probability Distributions

China sends back new Boeing jet made more expensive by tariffs

Show HN: ArTok is TikTok for research papers

Inside a neuroscientist’s quest to cure coma

Show HN: Chessophone – Generate music from chess games

Hexer by LJ (winner of the 4kb PC intro competition at Revision 2025) [video]

An Update to Our Pricing

PlayAI's new Voice to Voice changer

UAE Cabinet approves first-of-its-kind AI regulatory ecosystem

Whistleblower statement on anomalies at time of DOGE work at NLRB [pdf]

A M.2 HDMI capture card

How to Build a Team of 5 Agents Using Google ADK and Nebius (Llama and Nemotron)

GitZip – A browser extension that lets you quickly download from GitHub

Ask HN: What to do if stuck without a technical cofounder?

The reactionary turn against nuclear power

Show HN: I made a backdoor for web freelancers to avoid unpaid bills

The Wait Is the Price: Quiet Rationing Plagues Canadian Health Care

Show HN: I Made Cursor.ai for the Browser

Propositional Parlor Puzzle

Psychedelics Make You Mentally Ill (Temporarily)

Commons Currency Monetary System

U.S. Asks Judge to Break Up Google

Ask HN: Qt style "Signals and Slots" based JavaScript UI library?