There was the DNT header, that was a bit too simplistic, but was never implemented https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
The thing people need to understand here is that the annoyance is not due to lack of technical solutions, or regulations forcing something. It is explicitly wanted by the industry so they can maximize the consent rate. The browser solution is probably the best technical/user friendly one, but ad tech/data gathering industry won't have any consent. As they control most of the web, they will never do that
Turn "Do Not Track" on or off
When you browse the web on computers or Android devices, you can send a request to websites not to collect or track your browsing data. It's turned off by default.
However, what happens to your data depends on how a website responds to the request. Many websites will still collect and use your browsing data to improve security, provide content, services, ads and recommendations on their websites, and generate reporting statistics.
Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. Chrome doesn't provide details of which websites and web services respect Do Not Track requests and how websites interpret them.[1]
About the best we have browser side is a mode where all cookies are cleared at browser exit.
No. The best we have are adblockers and scripts like consent-o-matic.
Clearing cookies does mostly clear cookies, tracking goes far beyond that. Clearing cookies has always been a red herring enabling adtech submarines like "I don’t care about cookies".
chrome://settings/content/siteData
Here's an extension to block at a per-site granularity (despite it saying cookies, it blocks it all including local storage):
https://chromewebstore.google.com/detail/disable-cookies/lkm...
It's what you would do if you had the crazy idea that a browser should be a client for the user, and only a client for the user. It should do nothing that a user wouldn't want done. The measure of a client's functionality is indistinguishable from the ability of the user to make it conform to their desires.
None of those cookie popups, though. That's all malicious compliance.
> Explicit consent: Under the GDPR and similar laws, consent must be specific, informed, and an unambiguous, affirmative action from the user. Consent cannot be assumed by a user's continued browsing or inaction, which is what DNT would require.
GDPR already mandates that the "Refuse non essential" button should be the same size and prominence as the "Accept all" button; every website around the globe does not care (apart from major players like Google, Apple or Amazon) and national data protection authorities absolutely do not care.
We already had one attempt with "Do not track" header, nobody was willing to commit to it because it impaired business. Same would go with OP proposal.
Websites are forcing this banner on us because they are greedy morons that would rather drain our data for money than incite us to pay for their work.
If the data is being sold, it should be legally required to word it in that way. If there's even the slightest possibility of your data being leaked to spammers, it should be worded to reflect that.
"Do you consent to us selling your data to any party that wishes to buy your data? Do you consent to the possibility that your data will be used to spam you or steal your identity in the future? Yes/No"
It may even be the case that the website pays X company to perform the tracking for their own analytics purposes. Or that it's X company's own freemium model where if you add their tracker they grant you a bunch of cross-site information for free.
Nah. Personal data sharing needs to be banned. It's the right way forward.
If I go to an ER in a different area (read different medical system) I want my doctor to share personal data. I don't want my doctor to share my personal data with a random doctor in the same medical system unless that other doctor is an expert being consulted on something about me. (that is just being a doctor doesn't give you access to my private information, it needs to be on a need to know).
The above is the obvious case. There are likely other cases that are not obvious where after looking closely private information should be shared. Advertisement is never one of those reasons though, and analytics is only a reason if they anonymize the data with prison terms for mistakes.
Indiscriminate sharing of personal data IS banned under the GDPR.
If you collect personal data, you must only collect it for the stated purpose and can't sell or share it for any other reason.
I continue to be astounded at the ignorance some people have of the GDPR; a vital privacy law and one that is fundamental to modern data use and respect for the customer.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
People don't want this, so there is a quick reversion to "pay with your data".
Which, since 2018, is illegal in EU.
> Hey, please send the shipment to my customer. No, I can't tell you the address, it's personal data.
Some data sharing will always be necessary. What needs to be banned is the unnecessary sharing, but it's hard to 100% define what counts as necessary
They are under the GDPR.
If you ask for my data, you must do so fairly and tell me what you are using it for.
In the examples you cite, if you read the small print "sharing with partners" will go on to say advertising 'letting you know about products and services' and other such shite.
If my 'data' is a no logs vpn address with a privacy hardened browser running in a VM on an isolated VLAN with encrypted DNS then why wouldn't I just laugh and click accept cookies in a sandboxed tab (so said cookies only exist for that tab and are cleared when it is closed).
What, you're saying most users don't have this level of privacy by default? Why not?
GDPR article 7, section 4: When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
basically: A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service
anyone who does that is in violation of GDPR
No one wants to be advertised to, but powerful lobbies argue that ending ads will lower consumption and thus harm the economy; and no politician wants to lower GDP.
No one wants to be spied on, but powerful lobbies argue tracking people allow better security; and no politician wants to be soft on crime and terrorism.
I doubt that. People tend to spend their money regardless. Advertising just determines what they spend it on.
Advertising is only used heavily when all products are similar, otherwise the best would naturally rise to the top.
For example, washing powder/liquid is advertised heavily on TV, yet do you really believe one brand of powder/liquid gets your clothes cleaner than any other?
You're assuming people would still have the same amount of money, but for most money is not a given, and people strive to earn money precisely because they want to buy the things they were advertised.
Without the social pressure to acquire things one doesn't need, it's very possible people might simply work less and use that time for other things.
Even when you give them the option to pay, with no ads or tracking, the conversion rate is still around 0.5-1%.
We should however make it easier to pay for content online; let's implement HTTP 402 and integrate it into the users' browser and internet bill to reduce friction. Who wants to create an account and enter their credit card details to read a single article or watch a single video?
No, they overwhelmingly are not. When given the opportunity to not pay, and do so anonymously (no social shame), the actual pay rates drop to the 1-5% range.
This is a clear trend from thousands of creators who give simple payment options to those who wish to support them directly. The conversion rates from "ad-supported (but blocked)" to "paying member" are usually around 5% of the active audience.
The numbers are atrocious despite the deafening virtue signalling of comment sections ("I always pay creators to support them!")
My need for websites is much less predominant and really I could live without. So of course I bounce when mildly interesting websites ask to host cookies on my browser or want me to create an account and enter my card details.
If one considers maximizing utility the goal of economic science, then this is in fact good, as it redirects me to more useful venues like doing chores I'd been putting off instead of mindlessly scrolling online. Some metrics such as GDP however might suffer.
It is banned.
Unless I give my explicit permission otherwise (though as you say, why anybody would is beyond me, but then "there's nowt as queer as folk")
Any website that uses a cookie banner is going above and beyond what they need to do to run a functional website in order to track you.
I understand why companies don’t do it that way. Tracking is worth money and they like money. What I don’t understand is why ordinary people make excuses for them.
To avoid paying actual money, even the smallest sum of it.
But companies generally do whatever is in their best interest. I don't know why anyone would expect them to do otherwise with regards to tracking.
So either the EU Commission is including trackers on their websites, and they should stop, OR they acknowledge that it's almost impossible to build a website without some form of tracking that falls under the law, and they should look into the law itself.
So they have work on their plate.
Why would it be almost impossible to "build a website" without tracking?
But I can't imagine companies would want that. They benefit from cookie dialog fatigue, and for some reason people blame GDPR of all things for surveillance tech being annoying in how they ask for permission.
technical solutions are chosen by companies to have as much dark patterns as possible to force you to consent
companies that want to sell user data are bad guys trying to make GDPR look bad
But actually honoring DNT properly would immediately mean no consent banner, but the consent banner is there to fool you into giving up your rights while providing (flimsy) legal cover for the company.
It's still early days for the GDPR (relatively speaking), but I can see the EU enforcing a particular privacy-related mechanism eventually.
It also doesn't help that DNT is just a boolean signal, it doesn't give you the control over your data that the GDPR demands.
What changed the most with GDPR is that enforcement now has teeth. Not as big teeth as say, NIS2, which actually has executives more concerned than middle level about being compliant, but still big.
[1] https://globalprivacycontrol.org/
[2] https://support.mozilla.org/en-US/kb/global-privacy-control
No. When I see a cookie banner that doesn't have a "Reject all" or at least "Reject non-necessary", I leave the website. When you look into the "Reject..." section, it often contains 1000+ of adtech shit you have to untick individually. Aren't these actually non-compliant with regulations? Makes you think twice about website owners if they choose to sell your data to adtech - seems like law does exactly what it was supposed to do. The problem is adtech which encourages to collect data websites have no business at collecting. If anything, non-compliant sites should be fined into ground and adtech outlawed.
If I could, I'd downvote the article.
People like the author are part of the problem. Blindly clicking consent is allowing site owners to bully you into consent. It works, so they keep doing it.
If you're going to blindly click anything it should be decline all.
The purpose of the laws (GDPR et al) is to give me control over who does what with my data, data about me. The operator of the website is who the law binds. It's not even about the website - if I phoned or emailed, the same laws would apply. You need my explicit consent to process my data in a number of ways that you'd like to, it makes you money, but I don't want you to.
The processors of this data can't make as much money off selling access to data about me, if I have these rights. So they petulantly get in my face as much as possible, via banners on websites, to annoy me and confuse me as to why these banners are even there, and try and trick me into letting them make more money.
The banners, which a browser could block or autofill, are just the surface. And they're an attack surface, so even if we agreed a way for the browser to pass on your preferences (we already did this, it's called the Do-Not-Track or DNT header, and it was a complete failure because website-owners just ignored it), website-owners would add a second layer of "ah, I see you said no automatically, but are you REALLY sure you don't want to let me make more money from your data?"
NOYB is very good for chasing after such charlatans, and forcing companies to obey data protection laws. Here is some of their guidance, and listing of the dark patterns used by non-compliant companies: https://noyb.eu/sites/default/files/2024-07/noyb_Cookie_Repo...
Cookie banners are called cookie banners because they're most frequently associated with the opt in for tracking cookies, but this kind of opt in is required for any kind of third party involvement that goes beyond technical necessity.
Your browser has no way to tell which third party present on the site is a technical necessity and which one isn't. So you'd have to tell it, making it part of the site provider's problem as well. But this time it's worse, because responsibilities are mixed between the site operator and the third party.
There's no value you can give DNT that says "you can do your own on-site tracking and telemetry and I accept sharing my data with Sendgrid for your newsletter, but I do not want third-party trackers".
As a practical example: there are news sites that will not play videos if you hit "deny all" because their video host does some viewership analytics. I'm fine with that, but not the 750 other advertisers the news site tries to have me track.
Of course, "deny all" should be an option, "accept all or deny all" isn't control.
For the longest time we had https://en.wikipedia.org/wiki/P3P as a basis to build on, but that officially died the day Edge became Chromium-based.
I'm sorry, but does a user who would want this actually exist? This seems like a hypothetical dreamed up by the marketing team to avoid having to accept that a large group of users hate all their tracking shit.
Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.
While enforcement is effectively nil, they already need to do that according to the actual EU "cookie law" (ePrivacy Directive rather than GDPR). If you set cookies, you have to explain to the user what they're there for.
Hilariously, many websites have no idea what the cookies their trackers set are for, and I've caught a bunch of them using language like "seemingly" and "apparently" when describing what purposes cookies actually serve.
If only browsers gave P3P[1] the attention it deserved. The protocol isn't exactly perfect and the unmistakable footprint of early 2000s XML obsession is there, but it could've prevented cookie banners from ever being accepted if only browsers had designed proper UI around an updated version of the protocol.
A web browser is technically incapable, by design, of knowing whether any piece of a website (1) is there for the purpose of having the website actually work, or for the purpose of tagging and tracking the end user. Only the website owner chooses those purposes, and only the website owner is in a position to determine (or maliciously hide) which technologies are being used for which tracking or technical purposes.
(1) Cookie laws apply to: cookies, gif pixels, JS fingerprints, and any other technical means that can be technically exploited to track an individual
Denying would, in many cases, go up to hundreds of yes/no options, with no 'deny all'. Makes getting coerced permission easy, and active denial almost impossible.
Of course, by not tracking, they don't need any of this crap. But surveillance capitalism must continue. Sigh.
The GDPR doesn't really care about implementations like that.
Nothing in the GDPR stops websites from honoring "Do not track" and then _not asking_ if it's present. They don't have to ask if they don't track you! They don't have to ask for a technically necessary session cookie that appears after you actively log in!
Websites ask because they want to track you! A 'law targeting browsers' would not help because people would say no to cookies, and then websites would ask about some other way to track you. Because they want to track you.
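As an added illustration of the point above (example code, not from anyone in this thread): a server-side decision routine that honours the one-bit DNT / Sec-GPC request headers by dropping every non-essential cookie and skipping the consent prompt entirely, while still setting technically necessary cookies that need no consent. The cookie catalogue and header values are constructed sample data.

```python
"""Honouring "do not track" server-side: if the user has already said no,
there is nothing left to ask about, so no banner is shown.

Constructed example. The cookie catalogue below is a hypothetical site's,
not any real operator's.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Mapping, Optional


class Purpose(Enum):
    NECESSARY = "necessary"      # session, CSRF, load balancing: no consent needed
    ANALYTICS = "analytics"      # non-essential: consent required before setting
    ADVERTISING = "advertising"  # non-essential: consent required before setting


@dataclass(frozen=True)
class CookieSpec:
    name: str
    purpose: Purpose
    third_party: bool


# Constructed catalogue of cookies the hypothetical site might set.
CATALOGUE: List[CookieSpec] = [
    CookieSpec("sessionid", Purpose.NECESSARY, third_party=False),
    CookieSpec("csrftoken", Purpose.NECESSARY, third_party=False),
    CookieSpec("_site_stats", Purpose.ANALYTICS, third_party=False),
    CookieSpec("_adnet_uid", Purpose.ADVERTISING, third_party=True),
]


def opt_out_signalled(headers: Mapping[str, str]) -> bool:
    """True if the request carries DNT: 1 or Sec-GPC: 1.

    Both are single-bit signals: the user can say "do not track" but cannot
    express "first-party analytics is fine, third-party advertising is not".
    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("dnt") == "1" or lowered.get("sec-gpc") == "1"


@dataclass(frozen=True)
class Decision:
    cookies_to_set: List[str]
    show_consent_banner: bool


def decide(headers: Mapping[str, str],
           stored_consent: Optional[Dict[Purpose, bool]] = None) -> Decision:
    """Choose which cookies to set and whether a consent prompt is needed.

    * NECESSARY cookies are always set; they need no consent.
    * If the user signalled opt-out, all non-essential cookies are dropped
      and nothing is asked: there is no processing left to consent to.
    * Otherwise non-essential cookies are set only for purposes the user has
      already affirmatively granted; any purpose not yet decided means the
      site must ask, and must not set those cookies until it has an answer.
    """
    stored_consent = stored_consent or {}
    if opt_out_signalled(headers):
        return Decision(
            [c.name for c in CATALOGUE if c.purpose is Purpose.NECESSARY],
            show_consent_banner=False,
        )
    to_set: List[str] = []
    undecided = False
    for c in CATALOGUE:
        if c.purpose is Purpose.NECESSARY or stored_consent.get(c.purpose) is True:
            to_set.append(c.name)
        elif c.purpose not in stored_consent:
            undecided = True  # neither granted nor refused yet: must ask
    return Decision(to_set, show_consent_banner=undecided)


if __name__ == "__main__":
    print(decide({"Sec-GPC": "1"}))   # necessary cookies only, no banner
    print(decide({}))                 # necessary cookies only, banner shown
    print(decide({}, {Purpose.ANALYTICS: True, Purpose.ADVERTISING: False}))
```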
It's about consent.
Hard disagree.
Legitimate companies will obey the law; be that the GDPR, anti-corruption or anti-pollution laws to pick a few examples.
There's also a basic imbalance of power -- for instance, if you don't fill out the paperwork to get medical care that says (1) everybody who could possibly have a reason to access your data can, and (2) we're going to do that at a cost 1000x more than just leaving all the paperwork out on the curb you don't get medical care.
People don't really read all those clickwrap licenses, I mean, Sony makes you scroll to the bottom of a 50 page contract just to play a video game.
Here's an even more radical idea: the browser doesn't even ask you this, and by default it just respects the user's privacy and blocks all third party tracking.
Can you imagine an internet where the user is put first?
DNT is legally void in several US states because it was enabled by default.
If we do set up a browser-oriented solution, browsers like Firefox and Brave would default to the most privacy-friendly options practical, of course, but they already mostly do that anyway.
"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...
Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.
There’s probably also a version for the adtech browser somewhere.
Edit: their FF-page says,
Set your preferences once, and let the technology do the rest!
This add-on is built and maintained by workers at Aarhus University in Denmark. We are privacy researchers that got tired of seeing how companies violate the EU's General Data Protection Regulation (GDPR). Because the organisations that enforce the GDPR do not have enough resources, we built this add-on to help them out.
We looked at 680 pop-ups and combined their data processing purposes into 5 categories that you can toggle on or off. Sometimes our categories don't perfectly match those on the website, so then we will choose the more privacy preserving option.
no, that's "I don't care about Cookies"
NoScript too.
And AdGuard.
I do this more and more, and I think it's the right and best thing to do.
I'm so cynical now that I can't read articles like this without my first reaction being to look at how it benefits companies that profit from ads.
My two theories here?
1. An attempt to shift liability from companies having to comply with GDPR to browsers having to comply.
2. An attempt to consolidate all cookie consent into the three (?) browser engines we have... so efforts to thwart it can be focused on just those places.
Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.
The sites are just trying to maximize profit, as anyone could predict. So write better laws.
Otherwise how can we explain “please see our privacy policy and send us a sneaker email to opt out” kind of tracking options.
It's impossible to write things correctly the first or final time and especially with the interpretation of words changing over time it doesn't matter if you could.
Example: In cycling, they banned narrow handlebars. There's an aero advantage, but it was seen as a safety problem. So cyclists canted their brake hoods way inside, rested their hands on the brake hoods, and got an aero advantage.
And now there's a rule about brake hoods. Laws are meant only to be living things that change as society changes, and also change to patch what we might call "exploits." You are perfectly correct: It's never one and done, it's an ongoing process.
That way, a misplaced comma or a wonky sentence doesn't allow for easy loopholes that need tighter laws to fix issues.
No law text will work forever, but this format makes for a very solid foundation.
Imagine you write a program to do something and it doesn't work at all as expected and at the same time it causes endless annoyance to users.
A law is very similar to a program. It's software for the society. It didn't work and the authors are blaming everybody except themselves.
We’re also seeing tracking despite the lack of user consent as well. This could be a fluke but when I make an anonymous search on a website and switch to another, I’m seeing the product I have just searched for in the ads. With all the tracking disabled, mind you.
What is the unintended consequence of GDPR?
So maybe “malicious compliance” is a misnomer. We should just call it "illegal dark pattern".
It took just a pair of rulings that made it clear this illegal pattern was going to actually be cracked down upon, and now these popups are just a small annoyance rather than the absolutely enraging trap that they were at first.
Of course I still wish they were unnecessary, but they serve as a reminder that these websites are still trying to prey upon their visitors.
Disagree. The popup is the enraging problem. It's not a small annoyance. I click them multiple times every single day and it's ludicrous.
I don't need a "reminder". The last thing I want is some "reminder" day after day after day. I want a law that protects consumers in the first place.
Then don't visit webpages that do illegal things and are hostile to their users.
> I want a law that protects consumers in the first place.
This is that law.
How about you just enforce consumer protections for everyone? Because that is clearly not the law.
The vast majority of laws are never enforced, so in practice this isn't as absurd as it sounds. It would make people consider what laws they spend time writing.
> […] the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website.
https://www.politico.eu/article/europe-cookie-law-messed-up-...
“Hey what do you think? I dunno, what do you think? How about more tea?!”
Pondering how to tweak, unbelievable.
Now the EU just needs to turn it into an actual liability for corporations. Otherwise it will remain as an additional bit of entropy for tracking.
The story that advertisers don't know what users selected and that somehow allows them to track the user is disingenuous.
Services should be denied the capacity to track and fingerprint, not just told about a preference against it.
DNT will always be an "evil bit", regardless of any law behind it.
https://www.heise.de/en/news/Administrative-court-Cookie-ban...
But we see how some companies cough cough Apple cough throw massive hissy fits and try to find the most minuscule opening in the law
People always say this, but as far as I can tell it's not true.
Burwell v. Hobby Lobby Stores, Inc. - https://www.law.cornell.edu/supremecourt/text/13-354
> While it is certainly true that a central objective of for-profit corporations is to make money, modern corporate law does not require for-profit corporations to pursue profit at the expense of everything else, and many do not do so. For-profit corporations, with ownership approval, support a wide variety of charitable causes, and it is not at all uncommon for such corporations to further humanitarian and other altruistic objectives. Many examples come readily to mind. So long as its owners agree, a for-profit corporation may take costly pollution-control and energy-conservation measures that go beyond what the law requires. A for-profit corporation that operates facilities in other countries may exceed the requirements of local law regarding working conditions and benefits.
——
The best I understand it, what this ultimately means is that, yes; if the shareholders hold a vote to say "you need to focus on profits over X thing you're doing now/planning to do", you have to do that, but absent a specific shareholder mandate, you are not in any way obligated to seek profit over all else.
Ford lost this case because he overtly admitted that he wasn't pursuing profit and because he was deliberately trying to prevent minority shareholders from getting money to start up a rival car company.
If he had just made some vague claim that what he was doing was in the long-term interest of shareholders, he probably would have gotten away with it.
If it wasn't, the ghoulish masquerade of Corporate Social Responsibility wouldn't be a thing - it is in itself a response to Milton Friedman's 1970 article “The Social Responsibility of Business Is to Increase Its Profits” which argued that corporate executives are agents of shareholders and should focus solely on maximizing returns, not social responsibility.
Also, please remember that in Europe there is no such thing as "the spirit of the law versus the letter of the law." The intent of the law IS the law.
I think lots of courts claim this, and none actually do.
In any case, there is always a difference between the “intent” of a large and diverse body of politicians, and the actual text of a law. Any practical legal system must take it into consideration.
If people care about privacy, then over time they will migrate to companies and services that respect their privacy. Government laws are broad based policies that always lack nuance. This is why it is better to let markets drive better outcomes organically.
It isn't that this can't be enforced, it just lagged because of the size and changes that this law brought.
> Also, this is a problem that naturally solves itself over time, so no law was ever needed.
How does it solve itself?
> The UX of the web degraded for everyone after GDPR was passed and that I think everyone can agree on.
Due to website operators doing illegal things.
> If people care about privacy, then over time they will migrate to companies and services that respect their privacy.
Why would people care about something they don't know about?
First order of blame goes to the national DPAs for not carrying out their duties.
Second order of blame goes to whichever EU authority is responsible for penalizing EU member states for non-compliance. There should be serious consequences for non-enforcement like frozen funding. (I don't know what the actual legal process is)
> If people care about privacy, then over time they will migrate to companies and services that respect their privacy.
This is just a libertarian fairy-tale that is designed to sound sensible and rational while being malicious in practice. It exploits information asymmetry, human ignorance, network effects, and our general inability to accurately assess long-term consequences, in order to funnel profits into the hands of the most unscrupulous businesses.
In other words, there's a reason why we have to have regulations that protect people from themselves (and protect well-being of society as a whole).
Or, alternatively, you _could_ enforce the law but the resources to do so (people) are no longer available. This happens a lot in the US when the current admin doesn't feel it's important, so doesn't fund the enforcement agencies. And is particularly true more of codes/regulations (I get them confused) than of laws.
To quote Article 4(11) – Definition of Consent
> ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Meaning if you force users into pressing a button or let them scroll through 1000 no options, with one easy yes option, you have not collected their free consent. Congrats you broke the law.
Meaning if you just have them click yes, but have not informed them about the harmful data collection, you did not collect free consent.
The law is pretty clear on that.
--------
[1] Here “legitimate interest” essentially means “we see your preference not to be stalked, but we want to so we are going to make it that bit more faff to opt out, because fuck you and the privacy we lie about caring about”.
Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it? To my eyes, both 'freely' and 'informed' are plausibly upheld.
It would be very straightforward to specify that consent and withholding must be equally accessible in the interface, instead of splitting hairs about definitions of "freely given". This is what people refer to when they say the law is poorly written
> Art 7(3) It shall be as easy to withdraw as to give consent. [0]
But legal interpretation of GP I believe is reaching the consensus that that phrasing too is broken by that implementation:
> Free and informed consent (Art. 7 GDPR): Consent is valid only if it is freely given. When the option to decline is hidden or unnecessarily cumbersome, the user's choice is affected and consent is no longer "free." [1]
[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...
[1] https://www.ictrechtswijzer.be/en/complaint-about-cookies-wi...
It's the same issue as with most EU-wide issues, where there's always countries competing with each other at the benefit of others.
Also GDPR is not exclusive to browsers or internet, it's applicable universally, for both online and offline businesses and processes, which is why it can't and doesn't prescribe exact technical implementation details.
What are you referring to here? Where in the law is this allowed?
There is no malicious compliance here, just breaking the law. So if it is the problem of laws that they are broken then according to you all laws are 100% the problem. That stance, IMO, is beyond stupid.
- The law allows things it shouldn't, or
- The law disallows things it should
And the later gets swept under the rug as "we won't enforce it that way"... and then it winds up getting enforced exactly that way because someone has an agenda, and this is a hammer.
It's like saying having a secure OS/browser would deprive malware authors of revenue, and thus vulnerabilities should be preserved unless the user explicitly opts into patching them.
This combined with governments ignoring it, and actively enforcing GPC... it's questionable whether compliance is necessary (I still suggest treating it the same as a GPC signal).
But future work and effort should be put towards the GPC signal.
An approach like this seems ideal to me, the problem is that it's only natively supported in Firefox. Our instructions for Chrome and Edge are basically "install Privacy Badger."
And Safari is the WORST, which as an Apple customer it pains me to say. Not only does the browser not support it, there are ZERO Safari browser extensions, NONE, on ANY platform (mac/iphone/ipad), that you can install that will send a simple GPC signal with the HTTP headers. There is a paid Safari extension on iOS called ChangeTheHeaders that you can configure to send a GPC signal, but come on, you can't ask normal people to buy an app and manually enter a specific HTTP header. (ChangeTheHeaders is made by Jeff Johnson, the same dev as StopTheMadness. I asked him whether he'd consider adding user-friendly GPC signals to that (or any other) plugin and he said it would just be "duplicating functionality" :-/ )
Browser-level permissions are about what the browser is sharing with the website, which is a different thing. For one, the browser sharing information with the website isn’t a blanket permission legally for the website to do anything with that information it likes.
Don’t track me means don’t track me, period.
Asking if you could track me etc. regardless is against the spirit of it and simply user hostile.
Users often want some level of tracking, like not having to log in to services they use across sites each time.
Digital stalking under the disguise of essential functions or calling it just tracking doesn’t do any good.
Some websites even purposely break their functionality when 3rd party cookies are disabled.
So, no, do-not-track is an order, do not stalk me, period.
That's functional, and doesn't need additional consent. The consent for that is given by pressing the login button.
The level of tracking is insane and would never happen in real life, and companies would be fined to oblivion had they tried, if not forced to close by an angry mob of people.
We really need to crack down on stalking-but-automated.
Which is why this is also illegal in the same jurisdiction.
If I buy baby food at Price Chopper, they might send me an email offering me discounts on diapers, but at least I (probably!) won't also get shown such ads literally everywhere I go on the web.
So many things are like that now. Like Roku sticks and TVs are subsidized by selling user data. You want to make a Roku competitor that doesn’t spy? Your product will struggle to get on shelves and to stay there, in part because the price for your product will be higher even if you get just as good a price on your components as they do, because you’d have to price them at-cost to match Roku’s pricing. Meanwhile 99% of people looking at the products don’t realize that one’s cheaper than the other because it’s going to spy on them and sell the data.
But hey, when the regulators are lawyers who have no idea what cookies and browser are, we get consent forms on every domain visit.
That websites track you and then sell that data has nothing to do with how long your browser stores cookies. Cookies are just one of many, many ways that websites do tracking.
> when the regulators are lawyers who have no idea what cookies and browser are, we get consent forms on every domain visit.
In this case the regulators have considered the problem and implemented the law independent of the used technology. The software developers/companies were the clueless/malicious ones here.
Should have been written in the law that it’s a one toggle in browser settings.
If government is going to impose on the internet the least they could do is be competent in what they impose. Not writing laws that waste lifetimes in collective hours a day as every person in Europe deals with multiple of these dialogs a day and thousands a year.
It did not. These practices are illegal under the GDPR, the problem is a chronic lack of enforcement by most national enforcement agencies in all but the most severe cases.
Some are just ineffective but others have gone completely rogue. Swedish Data Protection Authority (DPA) for example takes the position that commercial data brokers like Mrkoll are allowed to publish and sell people's personal information (including your current home address, hello stalkers!) [1] and that this is somehow protected under the pretense of "journalism" [2].
[1] https://mrkoll.se/resultat?n=Otto&c=&min=16&max=120&sex=a&c_...
[2] https://noyb.eu/en/swedish-data-brokers-claim-journalists-le...
No!
For crying out loud..... The law says if you want to track me (advertisers take a bow) then in each case, you must have my explicit opt-in permission to do so. And so you should!
Having a browser toggle setting isn't explicit opt-in consent.
And way before that (before spyware became common on the web) there was P3P: https://en.wikipedia.org/wiki/P3P
Now there is Global Privacy Control: https://en.wikipedia.org/wiki/Global_Privacy_Control
The problem isn't technical - the problem is that ultimately spyware operators want to track people so it isn't in their interest to support these solutions and won't do so unless they are forced to. Since enforcement is significantly lacking, operators adopt the pragmatic strategy of non-compliance or pseudo-compliance with the current banners.
Would love something better than GPC, but in the interim, the EU should start considering it as a proper signal of (lack of) consent, obviating the need for a banner altogether.
If I had more time I probably could have figured it out. But unfortunately I’m just running a hobby project and do not have weeks to spend on this. The revenue from the ads is what pays for hosting. I imagine lots of websites are in a similar boat.
I would love if there was a simpler option that could respect people’s privacy more, be less annoying, and that would still allow websites like mine to survive by running ads. Targeting browsers instead of websites could have been that option.
Not bad.
(which is also why framing GDPR discussions around cookies misses the point - the point is to determine the user's consent to being tracked regardless of technical ability, whether cookies, IP address, fingerprinting, or even some magic crystal ball)
Nobody wants this crap.
The problem is that there's a chronic lack of enforcement, so the winning strategy is to breach the regulation. Worst case scenario, you will merely be forced to clean house at some point (but can enjoy the rewards of tracking until then).
Best way to get rid of the cookie banner is to just forbid tracking completely. Given a free choice, how many people actually want to be tracked?
Good question. But there isn't enough information to answer the question. Are these people properly informed about what "tracking" means, or do they think this means companies are passing around their full names and addresses on post-it notes?
None of any technical ANYTHING matters until we (meaning law and government) inflict truly meaningful consequences. Fines, breaking up companies, perhaps even jail time, etc.
We just refuse to use them, because our politicians either believe that companies should have more rights than we do, or are terrified that if they actually try to enforce the law on them they'll lose out on massive amounts of campaign contributions (whether direct or indirect).
If that was the case, then why does the site from the EU first off track... and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?
If there was a solution to having cookies and some other way of informing visitors of it, shouldn't that be demonstrated on the official EU government explaining GDPR?
https://europa.eu/youreurope/business/dealing-with-customers...
Can a company go wrong implementing the same approach as https://european-union.europa.eu/index_en uses? Why is that considered malicious compliance with the law?
If you are asking why there isn't a "reject all" button on their webpage then the answer is simple. There is one. The "Accept only essential cookies".
> and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?
GDPR (general data protection regulation) is about general data protection, not about technology. It applies the same no matter if you are using cookies or something else.
> Can a company go wrong implementing the same approach as https://european-union.europa.eu/index_en uses? Why is that considered malicious compliance with the law?
The example you've given is an example of compliance since there is a button to reject all tracking cookies. Whenever you read the words malicious compliance within the context of this discussion you can just swap it with the word illegal which is the correct word for the behavior that is being bemoaned here.
If a company is deciding how to comply with the GDPR on its website, can it go wrong with copying how that site does it? Alternatively, if it tries something that is new, do they risk getting sued by the EU for not following the GDPR?
My claim is that it isn't malicious compliance to use cookie consent banners, but rather the least risky approach since that is exactly how europa.eu complies with their own laws.
Cookie banners are a perfectly valid solution to the problem. GP originally said that the ideal solution is to avoid cookie banners by not tracking users. Not that if you want to track users there is a better solution than presenting them with a cookie banner.
> If a company is deciding how to comply with the GDPR on its website, can it go wrong with copying how that site does it?
No, because that is how it is spelled out in the law. Rejecting tracking must be as simple as accepting it. On the EU website both those options are presented in a clear way.
> My claim that it isn't malicious compliance to use cookie consent banners, but rather the least risky approach since that is exactly how europa.eu complies with their own laws.
There is no malicious compliance. If it is done as it is done on the EU site then it is compliant. If it isn't then it is illegal. Malicious compliance means that the letter of the law is strictly followed so to cause/do something not intended by the law. In case of hiding the reject button, that is illegal.
I don't think that's the case. A number of people downthread are quite explicit that they find being asked at all annoying and don't think websites should be allowed to throw up cookie banners all the time.
You HOPED that websites' top priority is to provide the best possible experience. The REALITY is that not getting sued is way more important than removing all possible user inconveniences.
Of course. The law is clear, the intent is clear and the guidelines are clear.
I think the biggest challenge (and the reason why it feels this is everywhere) is because of the handful of "big corporations" controlling the browsers. Neither Apple nor Google have any interest in making tracking opt-in or working to make this into a standard.
In my view, the situation will be greatly improved with policy like the DMA being amplified even further to prevent cartel-like reactions from the FAANGs (whatever the acronym is today). We have a deep "culture difference" with the US, where everyone expects everything to be spelled out for them in the law so they can sue each other into oblivion, but the reality is this doesn't work. We need to reduce the influence of bigger players and install guardrails so it will never be possible again for a single company to have such dramatic influence over the world.
Imagine how many of these consent prompts can be removed if it wasn't for the fact that even loading a Google Font exposes one to a few hundred "partners"?
Apple has taken steps to make it harder to track, both in iOS apps and in the browser.
It's Google whose revenue depends entirely on surveillance advertising.
The problem is that the technical methods surveillance ad networks use within the browser to track us are features that are useful for many other things.
Trying to redefine this as a technical problem, that can be solved purely by getting the browser makers to change how browsers work, rather than a sociopolitical problem, will fail. Sure, there are more things that Google—and probably Apple—could be doing to protect us, but they can't completely stop the tracking.
The way to stop the tracking is to make laws banning targeted advertising.
Strictly speaking, that's how civil law works, spelling out explicitly the statutes.
By contrast, common law statutes can be (but are not always) more concise but more vague, putting greater emphasis on the courts to interpret them.
That is one reason USA is more litigious, but it probably isn't the only reason. After all, Germany has the infamous legal bounty hunters (one of the words may be "Abmahnanwälte" but I think there's a different one), and Germany is a civil law country, so USA being common law can't fully explain it.
It isn't even compliance, they are just breaking the rules by as much as they think they can get away with and so far, for the most part, they are getting away with it.
Knives can be used to chop vegetables or stab someone. Don't ban their sale, ban their usage.
By-and-large you only need to allow people to opt out of cookies if you're tracking _their_ activity and/or selling details of _their_ activity to your "partners".
The other thing is that it benefits those who wish the law would just go away to have it misunderstood this way.
There is no requirement for 'cookie banners'. You are free to use whatever cookies you want to run your site. HOWEVER, if you are using those cookies to track me (advertisers take a bow) then you need my clear, opt-in informed consent to do so. And so you should!
I continue to be astounded at the ignorance some people have of the GDPR; such a vital privacy law and one that is fundamental to modern data use and respect for the customer.
If we are going to go down the path of mandating legal liability on software makers of a neutral communication medium, then the EU should just break the commercial web.
The only ones ignoring it completely are either dodgy companies, or the clueless. The companies exercising malicious compliance are now (quite rightly) increasingly seen as dodgy and need to up their game if they want to become respectable.
The days of not protecting user data are over.
For example, my insurance company can no longer get away with selling my details to financing companies behind my back. Such shenanigans are no more in the UK and EU thanks to the GDPR.
I am convinced these laws have just made my life and the Internet marginally worse, with no measurable positive impact.
Still too few just show a simple „Reject All“ button.
And they ignored things like DNT in the browser on purpose.
So if someone made the Internet worse it’s them, and they successfully shifted the blame.
Do sites stop tracking you if you reject the cookies?
Some do, some don’t.
Is the goal still valid?
Yes.
Browsers are something the end-user installs. Inserting the government into that doesn't make sense.
This sounds like the idea is for the site to add extra metadata that's not there now, about what each cookie does. Which would still involve mandating site owners to do things.
Also, both private mode and https://addons.mozilla.org/en-US/firefox/addon/multi-account... are a thing already, without government meddling.
On what basis? What difference is there between regulating website code and browser code? How a website functions and how a browser functions?
I should not need to follow a ridiculous law to give away some software.
You seem to be anti-regulation period.
Whatever applies to cookies also applies to browser fingerprinting.
We use websites for "free" paying with data. A cynical take on that is "if you are not a customer, you are a product".
If there were no adverts, quite a few things would change:
* much less incentive to track users
* way less distractions
* higher quality content (since it is less about clickbait and sheer volume of visitors)
Yes, it means paying for stuff. Would love to pay per visit or time spent, provided it is easy.
Tracking should be considered equivalent to putting an electronic tracking into every customer’s pocket when they visit your brick and mortar store. Then the question of privacy becomes more obvious. It is simply not acceptable to track people this deeply and invade their privacy so much.
But there is a dark difference if it is de facto the main source of revenue, or some scammy addition.
In the latter case, it can be regulated - the same way as we have safety regulation for food or equipment. In some sense, the analogy is not that far off - the current web is made to be addictive. A lot of distractions have a well known, negative impact on mental health.
* advertising is profitable for advertisers — they buy ad slots because it brings revenue
* advertising is profitable for publishers — some of the biggest companies in the world (Google, Meta) make most of their revenue from ads
* most people are reluctant to spend money, but they're ok to "spend" their attention and their data
There were multiple attempts with micro-payments and nothing has worked so far. Monthly subscription is preferred by customers and companies, but there are only so many outlets that anyone will subscribe to.
Of course, tastes matter. The US is littered with (in real world) advertising banners, my native Poland - even more. But there are quite a few places in the Europe in which people would consider it off putting to use a glowing sign on a historical or otherwise clean design.
So it is about both tastes and regulations.
> most people are reluctant to spend money, but they're ok to "spend" their attention and their data
This is a tricky part. Kind of miss times when we were buying paper newspapers.
But let's take an example - devs were reluctant to pay $ for services. Not everyone and their dog pays for tokens.
If a user sets "allow performance telemetry, deny fingerprinting, ads, tracking" or "decline everything non-vital" once in the browser settings, he should never see a cookie banner ever again - with all of that communicated to the websites by the browser for him, and the websites being obligated to respect the user preferences.
The cookie banner vomit should be reserved only for browsers that don't support that. The fact that this obnoxious behavior somehow became the Internet's default is an atrocity.
It's the dark patterns and lack of consistency that makes it worse. Some websites even refuse to allow you to reject data collection unless you pay to use their service (i.e. news websites)!
As others have echoed, we just need to make this large data collection illegal.
It *IS* illegal under the GDPR.
Article 5(1) requires that personal data shall be (b) collected for specified, explicit and legitimate purposes ... (c) adequate, relevant and limited to what is necessary ...
In plain English, you can't go trawling for personal data.
the solution is simple, shift the cost of compliance, onto regulators!
it would work like this:
1/ Somewhat competent but disconnected from reality politicians vote for adding yet another rule.
2/ Incompetent, disconnected from reality, so called Experts articulate how to implement the rule.
3/ Estimate costs and report back to clouded brains up there.
4/ Clouded brains but budget wise acute, look at the numbers, and say no way
I bet we would get regulations that would always be welcomed by industries.
We could start by rolling everything back, the "economy", you bet, would finally "recover".
Without incentive to make it right, it can't be a surprise you get what you seeded for.
My instinct is to find the other option is either easy or obfuscated a little bit. But the EU regulation requires that it not take more than 2 clicks to do the other thing.
I thought cookies were kind of evil back in the 1990's and I still think they need to go away entirely.
*Copy URL, close window, open private browsing session, paste*
As an aside, is anyone else getting LLM-writing-style vibes from the linked page, or is that just me?
Which doesn't respect the GDPR.
> As an aside, is anyone else getting LLM-writing-style vibes from the linked page, or is that just me?
The multiple 3-item lists with the item's first sentence in bold, the logic not perfectly following from one sentence to another, the numerous comparisons/metaphors, the em dashes, and the general, distinctive tone are certainly clues.
For example, right now any company can ask for your consent ten times a day until you give up, and once you click “yes” even once, your data begins an eternal journey.
A few months ago, my Samsung TV (which I bought four years ago) suddenly blocked everything and displayed a new agreement on the screen with only two options: Read and Agree. There was no way to use the TV without accepting the agreement.
Tell me about these browsers that are in breach of the GDPR and use my data without explicit opt-in permission?
Firefox is no better, with their telemetry being opt-out and I believe even if you opt-out some telemetry is sent to let them know you've opted out.
Yes, consent fatigue is real and nobody likes these cookie banners. Which is also the exact reason why I think they are important. Making tracking visible to the user is the point. It creates an actual "cost" for tracking by forcing websites to actively ask the user to consent. The moment you hide it in a one-time set-and-forget browser setting is the moment when informed consent dies, tracking becomes invisible, and accountability disappears.
We are also looking at very perverse incentives here: Who controls the biggest browsers? Google's Chromium is basically the engine behind 80% of the browser market right now. Apple and Microsoft aren't exactly neutral parties either. Google is an advertising company, and Apple and Microsoft still have a huge interest in data. The idea that you should trust these parties to implement a "simple" consent system that runs counter to their business model is... optimistic, to put it mildly.
You would also have to trust websites to accurately categorize their cookies. If your cookie preferences are a set-and-forget setting in your browser, are you sure that random website you just visited didn't declare Google Analytics as "essential" for their website to work? Are you going to check?
The blog post also assumes cookie preferences are universal, but perhaps I'm okay with analytics on a random tech blog but absolutely not on a website about medical issues.
The funniest part: The "Do Not Track" signal already exists, and it failed spectacularly. The post even mentions it. DNT was supposed to be exactly this simple, browser-level signal. And websites just ignore it.
Sidenote:
> Imagine if every time you got into your car, you had to manually approve the engine's use of oil, the tires' use of air, and the radio's use of electricity. It’s absurd, right? You’d set your preferences once, and the car would just work.
Yes, absurd. Except that's more or less happening with different features. Every time I start my car, I need to manually disable the speed limit warning because it's annoying, and the lane keep assist because I feel like it is overly aggressive and sometimes genuinely dangerous. Also, the analogy is exceptionally weak. The author compares mechanical necessities (oil, air) with optional data extraction. That's hardly the same thing. Cookies required for basic functionality of websites are usually enabled by default. A more appropriate equivalent would be a popup by the car's dealership asking you to track everywhere you drive, and how fast, and if you looked at some billboards along the way.
> ‘3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’;
Of course this also applies to flash cookies, local storage, and other browser data stores, not just cookies. The legal requirements for data storage that doesn't violate anyone's privacy are a lot looser, though.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
It doesn't mention banners or cookies or that every website needs it.
ChatGPT writing aside, how does the author expect browsers to do this exactly? It's not as if website developers are declaring the purpose of each individual cookie. Browser developers already added a Do Not Track header option and to the surprise of no one, it was a massive failure because websites have every incentive to skirt this stuff.
And today the GDPR law extends much more than cookies, it requires explicit consent for processing personal data in general. Your browser has absolutely no bearing on whether a website's backend will save the pages you visited, the text you entered, your IP address, and whether it shares it with 500 partners or not. This problem fundamentally requires cooperation from website developers and that's why we have the law targeting websites as it is today.
The best we have is the heuristics content blockers currently use. But heuristics are not good enough for complying with such laws because there's no guarantee they work in 100% of the cases.
It follows that such laws can't target browsers and not websites.
OP has a nice idea but he's short on technical details, which in this case is where the devil resides.
I think we need strong privacy laws, removing the incentive to track, or both, I don't see a technical way around.
Actually, you don't even need parameters to track, you could just use the IP of the requester and for instance do some IP geolocation.
side note: ublock origin has optional filter lists for blocking these banners
Thing is you’re probably right. The modern web is made of middlemen inserting themselves into user experiences to divert and extract revenue from the primary stream between consumer and producer. There’s always room for another layer.
Otherwise, you might end up with some unscrollable page because for instance there's a CSS rule that blocks scrolling when the modal is there and restores it when the modal closes and this handling is unfortunately done in JS.
edit: documentation:
https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#...
https://github.com/gorhill/uBlock/wiki/Resources-Library#tru...
It's actually given as an example:
> example.com##+js(trusted-click-element, button.reject-all)
Of course now we also have browsers to worry about as well, being products of the same ad companies that were clogging up the web sites in the first place.
But if cookie laws pushed data collecting web sites to malicious compliance, surely similar laws would do the same to (also data collecting!) browser providers. I’d prefer to avoid inviting browsers to add another layer of bullshit. And there’s no reason it would make web sites behave differently… if I’m a web site bound to comply with laws, I’m probably going to cover my own ass and keep doing what I’m doing without assuming the browser will handle it. Rendering the browser controls redundant and ineffective.
If we want to look for core flaws, look at allowing a handful of giant companies to control the market for personal data — or to traffic in personal data at all.
Ad companies have convinced the whole economic system of the Internet that they are inevitable and essential. They are neither. But we won’t fix that either.
The solution is to get off the damn internet, but short of doing that, I’ll prefer to keep my options open to disable telemetry on my own terms.
Here’s something I would like, though: total sandboxing per web site. Let every domain be alone in its own room of cookies and telemetry. Let it think I only ever visit that site, and optionally always for the first time. I shouldn’t have to blow away all my cookies all the time just to keep Facebook from following me all over the web.
Legitimate Interest per the law is intended for use cases like, having a list of people who owe you money, or keeping IP address access metrics long enough to use them for anti bot or paywall measures.
A funny comparison to me. Actually, I have to manually disable some EU regulated features every time I get into my car. The alerts every time I go 1kmph over the speed limit aren't very relevant for me, and the lane keep alert buzzes as soon as I'm slightly over halfway to the left, but lets me drive along fine if I'm even over the line on the right.
I'd actually like to use both of these, but only if I could calibrate them to my needs.
...
Just like cookie banners.
Happy to answer questions and clear up misconceptions, especially the one about "giving DNT force of law": we already have Global Privacy Control (GPC), and it's already required in (significant parts of) the US, and it's being enforced.
I can say we've tried really hard to prevent a lot of the malicious user interface issues, and to respect the GPC and DNT signal (no banner pop). We've tried to balance the company's need to keep compliant (because frankly, many of the complaints here about "legalese" aren't just deceptive UI (dark patterns), but done on the advice of counsel), and still operating (marketing needs analytics/ad tracking). And we're concerned about the user experience for what is admittedly an intrusive tool, but required.
(1) I'm not a spokesperson for the company, experiences and opinions are mine.
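The comments above describe treating the GPC and DNT signals as "do the right thing" by default (no banner, no tracking) and the difficulty of trusting a site's own cookie categories. This is an added example, not code from any commenter or from DataGrail: a server-side consent decision that honours `Sec-GPC: 1` (Global Privacy Control) and the legacy `DNT: 1` header as a standing opt-out. The header names come from the GPC spec and the old DNT draft; the policy object, the script catalogue, the precedence of a signal over a stored "accept", and the audit line format are assumptions for illustration.

```javascript
// Added example (not from the thread or from DataGrail): honour GPC/DNT server-side.
// Assumptions: the policy shape, the script catalogue, the audit line format, and the
// choice that a live browser signal overrides an earlier stored "accept".

// Header names are case-insensitive; frameworks such as Express lower-case them.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// storedChoice is the user's earlier banner answer, if any: 'accept', 'reject' or null.
// Sec-GPC: 1 is the GPC opt-out signal; DNT: 1 is the older Do Not Track header.
// Assumption: either signal wins over a stored 'accept', since the signal is the
// user's current expressed preference (the conservative reading).
function consentPolicy(headers, storedChoice = null) {
  const h = normalizeHeaders(headers);
  if (h['sec-gpc'] === '1') {
    return { allowTracking: false, showBanner: false, source: 'gpc' };
  }
  if (h['dnt'] === '1') {
    return { allowTracking: false, showBanner: false, source: 'dnt' };
  }
  if (storedChoice === 'accept' || storedChoice === 'reject') {
    return { allowTracking: storedChoice === 'accept', showBanner: false, source: 'stored' };
  }
  // No signal and no stored answer: ask, and load nothing non-essential until answered.
  return { allowTracking: false, showBanner: true, source: 'none' };
}

// Constructed script catalogue. Only the site operator can classify its own scripts,
// and a misfiled 'essential' entry is exactly the categorisation problem raised in the
// thread, so keep this list small and reviewable rather than inferred at runtime.
const SCRIPT_CATALOGUE = [
  { src: '/static/app.js', category: 'essential' },
  { src: 'https://analytics.example/collect.js', category: 'analytics' },
  { src: 'https://ads.example/tag.js', category: 'advertising' },
];

// Essential scripts always load; everything else only when tracking is allowed.
function scriptsToLoad(policy, catalogue = SCRIPT_CATALOGUE) {
  return catalogue
    .filter((s) => s.category === 'essential' || policy.allowTracking)
    .map((s) => s.src);
}

// The GPC spec defines an optional support resource at /.well-known/gpc.json so that
// clients and auditors can see the site claims to honour the signal.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Audit line (constructed format) so honoured signals can be verified from server logs.
function auditLine(policy, requestId) {
  return `consent request=${requestId} source=${policy.source}` +
    ` tracking=${policy.allowTracking} banner=${policy.showBanner}`;
}

// Stand-alone demonstration with a constructed request: a browser sending GPC
// even though the user once clicked "accept" on the banner.
const demoHeaders = { 'Sec-GPC': '1', 'User-Agent': 'constructed-browser/1.0' };
const demoPolicy = consentPolicy(demoHeaders, 'accept');
console.log(auditLine(demoPolicy, 'req-0001'));
console.log(scriptsToLoad(demoPolicy)); // only /static/app.js
```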
A lot of people in the thread are speculating that this approach is illegal, but it seems to have widespread use across the web. Why doesn't DataGrail do this? Was it something requested by advertisers/management that your team pushed back on?
Our primary job is to make our customers compliant, so we try to "push them into the valley of success". That means GPC and DNT "do the right thing" by default, no deceptive design (dark patterns), etc.
Although, I too had enough of the cookie popups. Let's just ban (and enforce banning) cookie tracking, and be done with this nonsense.
Remove any notion of age blocks that kids just lie about, and let parents determine what is suitable for their kids.
You want to share it? Get my express consent.
That's literally the GDPR? But the problem is that enforcement is severely lacking, so it is more profitable to breach the GDPR than to comply with it.
How is the browser supposed to determine a cookie's purpose?
I default to Deny All, but click on Accept Required when I see it (trusting that it does do what it says it does)
Except that the noble cause has not been achieved but it has made the web worse.
And we don't need a law for that, it is already working. We may need a law to protect that freedom, and for the most part, it is on that side as we already have rulings saying that ad blocking is not illegal, and enforcement of browser choice, some of them having built-in blockers.
As the name says, it's a General Data Protection Regulation. It covers all types of processing from all types of entities, everything from big tech websites to your local yoga instructor who doesn't have any online presence.
It is also kind of ironic that the article suggests a technical solution to a legal problem, arguing that a legal solution doesn't work (consent fatigue, DNT, ...) and then suggests legislating on it.
I wasn't implying that ad blockers are a substitute for GDPR, which goes way beyond cookies and things that can be done at the browser level.
And media companies like Axel Springer SE already try to make ad blockers illegal.
Sorry for all the companies that like to track personal information, but this is how it has to be (not sorry).
Maybe it will one day lead to elimination of (most) cookies and lead to cleaner browsing experience.
Let’s face it, users don’t want to be tracked, websites want to track. The cookie banners are the middle ground and the law already tries to prevent all those dark patterns to enforce „accept all“.
I remember the early days when the cookie banner on Tumblr forced the user to deselect every single tracker of the hundreds of trackers they listed.
But here's an interesting wrinkle that may illustrate further complexity:
> Essential Only: "Only allow data necessary for websites to function (e.g., keeping me logged in, remembering my shopping cart)."
I would never have called either of those examples "necessary for websites to function". They are both just convenience things, not essential things. So there may be a lot of discussion needed about category definitions here.
Making them part of the "essential" set in cookie banners is a category error. This is an important point, in my opinion, because if we allow websites to get away with saying nonessential cookies are essential, then the more obnoxious cookies people widely object to will just be counted as "essential" to evade people's preferences. Websites seem strongly predisposed to pulling the wool over user's eyes whenever they think they can get away with it, so this category problem is not without meaning.
I absolutely hate unnecessary cookie popups, e.g. when you're already signed in and have accepted privacy policy. Or, when accessing a parcel tracking service or similar.
It's always annoying, but there are clear cases when you don't need to track users and it probably just drives them away or makes them angry.
[1] https://legiscan.com/CA/text/AB566/2025.
[2] https://portal.ct.gov/ag/press-releases/2025-press-releases/....
[3] https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-....
The main reason I don’t turn off cookies everywhere is so many sites put my login token in a cookie. Hopefully as a random nonce but even so, it’s using cookies for security.
We are all so used to it that it is a massive blind spot.
We should move to Fido/webauthn - everywhere. Most all the population has a really impressive Secure Enclave in their pockets
AFAIK there is no need for a cookie banner for a login token. It is necessary for the functioning of the website.
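The login-token cookie discussed in the two comments above (a random nonce that is "necessary for the functioning of the website") can be shown concretely. The following is an added example, not code from any commenter or from any site mentioned in the thread: it issues a session cookie whose value is a random token with the hardening attributes a defender would expect, and audits an arbitrary Set-Cookie value to report which of those attributes are missing. The cookie name `session`, the one-hour lifetime and the `REQUIRED_ATTRS` list are assumptions chosen for the example.

```python
"""Issue and audit a login-session cookie (added example with constructed inputs)."""
import secrets
from http.cookies import SimpleCookie

# Attributes a login cookie should carry (assumed policy for this example).
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def issue_session_cookie(name: str = "session", max_age: int = 3600) -> tuple[str, str]:
    """Return (token, Set-Cookie header value) for a fresh session.

    The token is 256 bits of CSPRNG output and carries no user data, so the
    cookie identifies a server-side session without disclosing anything about
    the user to anyone who observes it.
    """
    token = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["secure"] = True      # sent only over HTTPS
    jar[name]["httponly"] = True    # not readable by page scripts
    jar[name]["samesite"] = "Lax"   # not attached to cross-site POSTs
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age  # bounded lifetime, rather than a browser-session cookie
    # output() prefixes the header name; we want only the value part.
    return token, jar.output(header="").strip()


def audit_set_cookie(header_value: str) -> dict:
    """Parse a Set-Cookie value and report missing hardening attributes per cookie.

    Returns {cookie_name: {"missing": [...], "persistent": bool}} where
    "persistent" is True when Max-Age or Expires makes the cookie outlive the
    browser session.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        # Flag attributes parse to True when present; valued ones to a string.
        missing = [attr for attr in REQUIRED_ATTRS if not morsel[attr]]
        persistent = bool(morsel["max-age"] or morsel["expires"])
        report[name] = {"missing": missing, "persistent": persistent}
    return report


if __name__ == "__main__":
    token, header = issue_session_cookie()
    print("Set-Cookie:", header)
    print("hardened:", audit_set_cookie(header))
    # Constructed weak header: a login cookie with no hardening at all.
    print("weak:", audit_set_cookie("session=abc123; Path=/"))
```

The audit function is the useful half for a reviewer: pointing it at the Set-Cookie headers a site actually emits shows whether its "strictly necessary" login cookie is at least scoped to HTTPS, hidden from scripts and protected from cross-site requests. A cookie that fails those checks is still "necessary" in the banner sense, but it is doing the security job badly.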
Good riddance to bad rubbish. I'll take an Internet 1/10th (or 1/100th (or 1/1000th)) the size as long as it's not ad-supported.
So we write a law to say "hey you gotta at least ask before you slap a sticker on, most of the time".
We all know why we didn't just make a sticker proof car. As long as the largest ad company in the world is also the defacto king of the internet we will have these issues.
One of the first things people would do if they really had control over their browsers is start blocking Google Ads. Google realized this early on, it's a huge potential threat to their main source of revenue, so they launched Chrome to influence, and eventually dominate, the browser market.
Google doesn't want users to have more control when it threatens their bottom line. It's part of why they've been trying to block ad-blockers.
Yeah ... I just don't do it. I'm not based in the UK or EU and I don't care if they try to "punish" me.
Metaphor is incorrect. Tracking you is not essential to the function of the website. A more appropriate one would be:
> Imagine if every time you got into your car, you had to approve or reject GM tracking your trip, the number of people in the car, recording your conversations, and sharing all of that with 500 indiscriminate partners including your insurance, law enforcement, supermarkets in the area, and why not your spouse or partner.
Or better even
> imagine if every time you entered a physical store they asked for your id and made you sign a contract that allows them to track you and sell that information
The proposal in that article sets a default tracking preference, it's trying to fix a UX issue with more UX. What it's missing is that there's no EU mandated UX. You don't have to show a banner if your cookies are not used to track random people on your website. The reason why it's bad UX is that it's bad on purpose, skimming the line of legality by deploying as many dark patterns as possible to trick you into consenting to your soul and your children's, in a desperate attempt to make that god awful banner go away and finally access your shot of endorphins.
Websites could very well decide to use only non tracking storage by default, and not show you a banner. Or have everything checked off with a single click to make the banner go away. Sending you to a separate page full of checkboxes and legalese is a choice, and a nefarious one, because most people don't want to be tracked.
If anything I think the law should be strengthened: make tracking default-off, and allow users to consent to more if they so wish. Not consenting should be a single, obvious click (or no click at all), rather than a sub menu. Your information should not be shared or sold by default, or even better, not sellable at all.
I've found a high correlation between cookie consent notices and low-signal content, so this strategy has actually saved me a lot of time I would've spent reading/watching something that doesn't help me.
But to the flights example, I was just looking for flights starting at Google Flights, which doesn't have cookie banners, and the two sites I went to for booking also did not have cookie banners.
I do not use a popular browser to make HTTP requests or to read HTML. I never see these annoyances. I don't store cookies except for HN and a few other exceptions. Nor do I run Javascript. The annoyances cited in the OP appear to be targeted at people who use certain web browsers that enable these "features" by default
This demonstrates to me that the annoyances are in part contingent on the browser, e.g., browser "features" such as Javascript
Perhaps convincing all www users to use the same small set of Silicon Valley-controlled browsers is prudent according to some Silicon Valley logic. But when these browsers are all provided by commercial entities that profit from "advertising services" and each has "business" interests^1 that run counter to the interests of some www users,^2 then it makes sense for www users to consider alternatives.
1. For example, data collection, surveillance and targeted advertising
2. Thereby prompting government regulation
For example, it is possible to retrieve information from websites, e.g. "check a product price or read an article", using software that does not serve an internet advertising objective. No cookies or Javascript required.
You can't have laws that dictate the desired outcome in broad terms and trust companies to implement in good faith. Not when they have a direct financial incentive to implement it as obtusely as possible.
It's really unfortunate that in the public's eye the legislative attempt to steer towards a positive outcome is seen as the cause of the pain.
To be real though I'm sure that many sites would not want this because they rely on GDPR fatigue and users to just accept instead of taking a few seconds to opt-out.
varispeed•4h ago
That's why the more logical and simpler ideas were never on the table.