Ask HN: Why doesn't GDPR go after web browsers?

4 points by Guest9812398 ↗ HN
As expected, as of today more websites are displaying complex options for accepting or declining cookies, analytics, and personalized advertising. Wouldn't it make more sense if this was asked once by the web browser, and not separately on every website?

When you install a web browser it would ask...

1. Do you want to allow websites to use third party cookies for analytics? This may share information about your browsing activities with third parties, but help websites better understand how their users are engaging with their service. Yes, I would like to use cookies for this reason. No, I would not like to use cookies for this reason.

2. Do you want to allow websites to display personalized advertising to you? This will help to display more relevant advertising by sharing information about the websites you visit online. Yes, I would like the advertising I see to be personalized. No, I would like the advertising I see to not be personalized.

And, that's it. The regulation could focus on the wording that should be displayed, ensuring it's clear, unbiased, and fair. The browser could also allow you to toggle those options individually for websites if you decide not to use the defaults you specified.

Wouldn't this make sense? We wouldn't need to see a popup on every website, and configure these options a hundred times a day as we're browsing the internet. If I just want to quickly search for a recipe on Google, I don't want to spend 30 seconds going through the cookie settings on the website before I can spend 30 seconds reading the recipe. It's also annoying when every website is setup differently, so it's hard to navigate these settings and avoid the tactics they're using to opt me in.

4 comments

[ 17.0 ms ] story [ 717 ms ] thread
The decision is made with regard to organisation, not medium. You may make one decision for one website, and another for another. Also different sites have different options to choose from: some ask you for permission, some have many variants to offer. Many websites have apps, once you agreed to something via app, browser settings are irrelevant. What exactly to decide on or agree to vary by site as well: its not just about tracking and ads. One size does not fit all.
It's not just about cookies, tracking and advertising; it's about informing the user about what will be done with their data, its retention periods and reasons for holding/collecting/processing the data. This will be site dependant, so can't really be generalised in the way you suggest. eg a manufactures website may say they hold your data for 6 years in case of a product recall but an online shop might only hold your data for 12 months for the purpose of returns, so it'll be different permission in each case.
1. is pretty much the basic idea behind Do not track headers. Acceptance of it among websites is... low, and given the history around it its probably not legally viable to treat DNT: 0 as "I consent to tracking", since there's no clear standard what exactly it'd be consent for, and no clear way to be sure that the user has seen enough details about it. (DNT: 1 as "I do not consent" wouldn't be a problem, but why respect that if you can annoy the user with a popup and try to get consent anyways?)

But your 2 examples only cover a tiny sliver of what GDPR covers, so no, it wouldn't make sense for the regulation to be replaced by proposals like this.

Nothing stopping the tech industry to develop standardized mechanisms to communicate privacy rules though, and use them where appropriate. I haven't seen much in the way of proposals for this though, I suspect because a fair implementation of that would have the same issue the advertising industry had with DNT: don't make it to easy for users to not consent, that's bad for profits.

Why not force publishers to respect the do not track headers, and clarify what it means to not be tracked? I'm not asking for GDPR to be replaced, and I understand it covers a much wider range of issues. However, I want to say that analytics, advertising and cookies are the ones that most affect users, and are the ones that will be causing the popups everywhere online. I feel this process should be simplified, users shouldn't need to update these settings with every website they visit, and we shouldn't trust publishers to be the ones asking for consent, since they have a high interest in misleading users and finding creative ways to obtain consent, which we can already see happening.

As for your last point, there are standards being implemented related to obtaining and communicating consent (http://advertisingconsent.eu). However, these standards are being set by the ad networks, and as you would expect, they are looking out for their best interest and bottom line.