DNT header. Legally binding. Out of the way of the end user. Unambiguous for enforcement purposes. Probably the end of targeted advertising, but that was always the logical conclusion of GDPR.
Having a clear non-interactive signal that's legally recognized should go a long way toward clearing out those annoying banners.
However, this bit concerns me:
> This key change is part of a new Digital Package of proposals to simplify the EU’s digital rules, and will initially see cookie prompts change to be a simplified yes or no single-click prompt ahead of the “technological solutions” eventually coming to browsers. Websites will be required to respect cookie choices for at least six months, and the EU also wants website owners to not use cookie banners for “harmless uses” like counting website visits, to lessen the amount of pop-ups.
That implies there will be "harmless tracking" allowed, and it removes choices. The latter might restrict dark patterns, but it might also encourage "allow all cookies or you cannot read the site at all" approaches.
Making it a technological mandate would have made it trivial to circumvent.
This is something which courts should consider more about other things, such as EULA and Terms and Conditions. Same reasons.
Corporations have enough money to tie you up in court with lawyers.
I'd expect a situation like Somerset v Stewart. Mansfield clearly didn't want to rule you can't have slavery because that's going to be extremely disruptive to powerful people - so he suggests they settle and then the case goes away and he isn't called to say anything. But Stewart refuses to settle, apparently nobody could convince him that it's in his best interest - so, OK says Mansfield: fiat justitia, ruat cælum (Justice be done though the heavens fall). Somerset walks free.
Are corporations relying on EULAs smart enough to take the L? I guess we'd see.
There is a very clear law that forbids any additional contract terms post the point of sale, so that if you go to a store, purchase a box with software in it and then go home to install it, when it pops up a dialog for you to "agree" on, you can just ignore it, nothing in that is enforceable at all. And no, small print text on the box that says you have to agree to terms in the software does not change anything. But that's not how software is sold anymore.
EULAs in general are not unenforceable, so long as they are presented before the sale. This is precisely why Steam (for example) now gives you the EULA before it lets you buy anything.
So for example, in Germany, an EULA would be considered an AGB, and subject to §303 BGB and following paragraphs, which e.g. means, "surprising" clauses which you cannot reasonably expect beforehand being part of the EULA would be unenforceable or §307 BGB would make certain kinds of one-sided/lop-sided clauses unenforceable.
Other EU countries might have other laws. I'm not really sure this is an area of unification, and a lot of the commonalities there are might be more due to the common heritage of Napoleon's Code Civil which underlies contract law in many European countries, instead of EU unification efforts.
Given that ~98% of Internet users couldn't even articulate what javascript does as part of their browsing experience, the exfiltration and reassembling of their PII via meta-data into sellable profiles for targeted auctions is completely beyond their capacity to comprehend or engage with. Thus consent is de facto ungrantable.
The real solution would be to make users pay for the content, but charging for something that users used to get for "free" is also essentially impossible.
Right now, why would you spend money on untargeted ads when you have better options?
Targeted ads are always dumb as they tend to push an item that you've looked into before purchasing, but never realize that item has been purchased and you are no longer interested. They never get that the person researched item but has not looked for some time for item. Let's now advertise accessories for that item. If it was a fridge, show stainless cleaning items, for dishwasher, show ads for different detergents or other kitchen related items. It's not hard. For whatever reasons, they can't do targeted well. Targeted doesn't work as advertised.
If targeted advertising, as a whole, is banned, you can be pretty damn sure the payout for untargeted will come up—not necessarily to match what targeted is now, but way more than that 10% figure.
Ad spend, in aggregate, doesn't change that much based on new "innovations" in advertising annoyance. If you've still got roughly the same amount of money being spent on untargeted ads, continent-wide, as you do now on targeted, they're going to pay out much closer to parity.
I'd like to see the source of that claim.
E.g. this particular study claims almost the exact opposite: "Targeted ads need to be 100% to 700% more efficient than regular ads to be as profitable": https://www.sciencedirect.com/science/article/pii/S016781162...
This could well be true. Unless targeted ads are just flat out banned, at which point the profitability of untargeted ones will rise, as the air (user attention, available space in web pages) is no longer being sucked out of the room by targeted ones.
Also - if by untargeted you mean completely randomly chosen ones, there absolutely is a happy medium - choose them based on the content of the page (I'm browsing for baby wipes and formula? Show me ads for strollers and child car seats, and maybe earplugs and some gift ideas for infants, not for motor oil or landscaping or circular saws). I don't buy the excuse that they are so much less effective - especially if the personally targeted ones are out of the picture.
As a huge bonus, they are comparatively trivial to implement and would provide a way out of the current monopoly where only Google, Facebook and a handful of others "know" what to show you and everyone must make these few greedy incumbents even richer by advertising through them. This would also help fragment what information exists about your habits, so even actors determined to break the law would get fewer advantages by doing so.
They literally did. With GDPR. The poor struggling advertisers came up with the cookie banners they blamed on the EU.
Oh no, cried the publishers. How can we ever live without storing all of user data for a decade or more? https://x.com/dmitriid/status/1817122117093056541
The internet made information a commodity, and how we collectively pay for that information is still an open question 3 decades in.
It's easy to say people want content "without ads," but there are also plenty who don't want to buy a membership to every single provider either.
The problem is a plugin like that would take out entire industries because it would basically end anonymous tracking cookies.
The GDPR is technologically agnostic about tracking. You don't accept, then no tracking either way.
Without consent, this is illegal, so if this is happening someone's gonna get sued and fined.
This is already happening. Now, could enforcement be better? Of course, but it's trending in the right direction.
wat.
Fingerprinting and cookieless tracking were a thing before GDPR. And GDPR literally talks about all forms of tracking, not just cookies. One would think you'd read at least something before having an opinion.
Locking up a few people who don't respect their users' privacy would be a much more effective way of achieving actual results. AFAIK no big adtech or data brokers have been punished in any way.
I'm a big fan of personal accountability in the corporate world.
No one went to jail: https://noyb.eu/en/where-did-all-reject-buttons-come
If not, then the 1st step to jailing people is to change the law.
The EU did find that IAB (behind one of the "industry standard banners") was liable for fines: https://www.euractiv.com/news/top-eu-court-finds-widely-empl... But unfortunately that was partly dismissed on procedural grounds and went nowhere: https://techgdpr.com/blog/data-protection-digest-19052025-di...
I mean, big tech has absolutely been punished under the GDPR, eg https://www.edpb.europa.eu/news/news/2023/12-billion-euro-fi...
They are proudly removing the annoyance they mandated 7 years ago.
Do we have to congratulate them?
Curious how no one blames the industry which just needs to store your precise geolocation data for 12 years: https://x.com/dmitriid/status/1817122117093056541
GDPR itself doesn't require consent for functional cookies. For example, Apple.com does not have a cookie consent box _at all_.
On tracking specifically, I feel there are at least two levels. One that happens in-browser by third party companies. These are your classic advertisements. The other is more first-party backend-heavy. These would be your local grocery store using your purchase history linked to your membership card and using that data to create analytics and targeted ads etc.
So creating a browser setting would likely not toggle all tracking away, just the ones that are "annoying" while browsing.
Things like "precise location information stored for 12 years": https://x.com/dmitriid/status/1817122117093056541
Europe literally said: we're not going to force specific tech decisions on you. All we ask is to let people opt-in if they want to be tracked. What we got is "we care about your privacy, we're sending all your data to 15000 partners" from the industry.
To people crying "but this should've been mandated as a browser setting": Which world's largest advertising company has dominating browser marketshare and subsumes all web standards committees? What exactly prevented that company from coming up with a browser setting that isn't "we sell your data by default and use dark patterns to trick you to agree"? https://x.com/dmitriid/status/1664682689591377923
Our industry is shit, and we blame governments for regulations that ... assume that industries shouldn't be shit. There's literally no need for EU to regulate browser settings. And yet here we are.
Sadly, this is mostly a matter of not enforcing the GDPR enough. Things such as "data minimization" and the erosion of "technically necessary" already should protect us. Instead the Business Community chose malicious compliance on a vast scale and the data protection agencies did nothing.
Market research is only "not just advertisement" by an artificial distinction. Walmart isn't preparing data for a non-profit research group's benefit.
Step 1: force websites to add an opt-out flow for privacy-minded users.
Step 2: websites don't complain too much because they can implement it in obnoxious and dark-pattern-laden ways, so that few users actually opt-out.
Step 3: now that websites have proven there's no technical barrier and the flows are already implemented, slowly retire unnecessary user tracking and data sharing.
I'd be surprised if this was planned ahead of time, but it's not a bad strategy.
So the devil is in the details. The best option I think isn't a secret setting in a browser, but a standardized consent dialog. Basically the sites communicate to the browser a standardized data format for consent. Then the browser shows that query in a popup that looks the same for every site. That means 1) the sites no longer have a chance to do dark patterns 2) it's less confusing for end users since the UX is always the same 3) it allows users to check an "Automatically reject for all sites". The site should not know whether the user has auto-rejected this, or manually rejected it. There should be no option to automatically consent for all sites (Can't have that). So the only ergonomic choice is to set it to auto reject.
Having this "use this choice (reject) for all sites" is the really important part here. Because it means that ALL users of ALL browsers will quickly see this choice, so in short order a huge chunk of users will have made this permanent rejection choice.
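A sketch of the browser-mediated consent flow proposed in the comment above, added here as an illustration and not part of the thread or of any real browser API. The request format, `validateRequest`, `decideConsent`, `settings.autoRejectAll` and `askUser` are all hypothetical names; the sample request is constructed.

```javascript
// Added illustration: the request format and every name here are hypothetical.
const ALLOWED_KEYS = new Set(["id", "description"]);

// Accept only a purpose id plus a plain-text description, so a site cannot
// smuggle pre-ticked boxes, styling or custom button labels into the dialog.
function validateRequest(request) {
  if (!request || !Array.isArray(request.purposes) || request.purposes.length === 0) {
    throw new Error("consent request must list at least one purpose");
  }
  const ids = new Set();
  for (const purpose of request.purposes) {
    for (const key of Object.keys(purpose)) {
      if (!ALLOWED_KEYS.has(key)) throw new Error(`unsupported field: ${key}`);
    }
    if (typeof purpose.id !== "string" || typeof purpose.description !== "string") {
      throw new Error("purpose id and description must be strings");
    }
    if (ids.has(purpose.id)) throw new Error(`duplicate purpose: ${purpose.id}`);
    ids.add(purpose.id);
  }
  return [...ids];
}

// settings.autoRejectAll is the only cross-site choice; there is no auto-accept.
// askUser(purposes) stands in for the uniform browser dialog and returns the
// ids the user granted. It is never called when auto-reject is on.
function decideConsent(request, settings, askUser) {
  const ids = validateRequest(request);
  const chosen = settings.autoRejectAll ? [] : askUser(request.purposes);
  // Keep only ids the site actually asked about.
  const granted = ids.filter((id) => chosen.includes(id));
  const denied = ids.filter((id) => !granted.includes(id));
  // Same shape for automatic and manual decisions: no flag, no timestamp.
  // Response timing would also have to be equalized; that is not modelled here.
  return { granted, denied };
}

// Constructed sample request.
const sampleRequest = {
  purposes: [
    { id: "analytics", description: "Count page visits" },
    { id: "ads", description: "Share data with advertising partners" },
  ],
};
```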
We know exactly how. Here's Google presenting "more private web". If you click "yes, I'm in", all the tracking options will be turned on: https://x.com/dmitriid/status/1664682689591377923
And of course HN (and the industry at large, and journalists) will blame it on "clueless bureaucrats writing regulations"
* Let websites do whatever they want with cookies/local storage.
* Let browsers delete them as often as they want.
* Make other kinds of fingerprinting illegal.
Speeding is illegal. Controlled substances are illegal. Murder is illegal. Embezzlement is illegal. Driving in a school zone while using a mobile device is illegal.
Has the legality stopped any of it?
I'd suggest that illegality has in fact stopped most of it. We'd surely have many times as many murders if it was legal to murder people.
(Yes.)
No... I like laws. They're nice, for the most part.
Don't fucking rush, you useless bureaucrats.
"A mix of European legislation has resulted in cookie notices that use dark patterns to nudge people into accepting online tracking. And regulators aren’t taking strong action"
Wired, 20/5/2020:
Europe is scaling back GDPR and relaxing AI laws - https://news.ycombinator.com/item?id=45980117 - Nov 2025 (60 comments)
Klaster_1•2mo ago
Personally, I find this a move in the wrong direction where hostile behavior by websites is normalized and hidden. Cookie banners show a website's true colors. When someone asks me to share data with a thousand "partners", I leave.
moritzwarhier•2mo ago
Fingerprints can be shared with third parties without cookies, and while I know that the so-called "cookie law" is not really just about cookies, this is where the deception begins.
For some reason, I think it's easier to force websites to list everyone they share data with, than to force them to comply with an invisible preference that says "don't share data".
It even sounds as if this could be a trojan horse to dismantle parts of the GDPR altogether (see the DNT references in this thread...), and I happen to think that by and large, GDPR is good.
plqbfbv•2mo ago
I kind of agree, but at the same time basically all websites are using some kind of tracking to know what kind of users visit, and I'm tired of clicking "allow all" just to read an article. Many websites don't even work if you refuse non-essential trackers, because their tag manager is configured incorrectly, or because by law if there's even a single textbox where users can put their email or name, they need to have the consent to show that and allow input on it.
Having a browser default of "nope" with the option to whitelist a broken website would save a ton of time for people and machines the same, and also reduce website latency a lot. There's a nice website that "tracks" this cost: https://cookiecost.eu/
pancsta•2mo ago
Server-side analytics exists; it's the ad optimization and feeding data brokers which is the reason. You can disable cookies for Google Analytics (storage none).