Why can't we use a HTTP request header to get rid of all cookie consent popups?

6 points by Roark66 ↗ HN
I suspect I'm not the only person annoyed by all the GDPR cookie and tracking consent popups every single site now has. Many sites even go as far as to not give a "No" answer option. You only have "Agree to all tracking" and "Configure" and when you click Configure it sends you down a rabbit hole of wasted time so most users simply click "Agree" to get rid of the damn annoyance.

It would be hugely better to simply set some setting in your browser that would send a request header to every web site you visit that contains your GDPR preferences. Then every site would have to comply with this by default.

This could be a general purpose header that could send various user preferences, for example it could also tell the website the end user is a child under 13 years of age so the site wouldn't collect certain stats automatically to comply with US Coppa law.

To me this is an obvious solution that would be a lot easier to implement than all those GDPR popups and it would result in a much better usage. What do people think? Should HTTP standard be updated with such header? Or are there any disadvantages of this approach I'm not thinking about?

6 comments

[ 2.8 ms ] story [ 36.0 ms ] thread
I entirely agree but the laws get in the way of such a "blanket" approval as it's about notification as much as approval.

The laws require that sites notify you specifically about how they each use cookies which varies hugely from site to site.. accepting a universal approval wouldn't allow such specialized notification on a site by site basis.

Hmm, good point. However, I imagine one of the header's features could be enabling/disabling those notifications based on user preferences.

Also, many people (including me) would probably set their browsers to equivalent of answering "no" to current tracking questions so the notifications wouldn't be required if I understand the law correctly.

The laws require that sites ask you for consent before they track you. Merely notifying them is not compliant and just annoying (if you're not going to comply anyway at least don't annoy your users).
https://en.wikipedia.org/wiki/Do_Not_Track was a first attempt at this, somehow.
I think it would be much better if the name and purpose of the header was something like: "tracking preferences" or even "user preferences". This way it wouldn't be just binary track/do not track, but could allow more customisation. For example user classification as a child for US Coppa law purpose.
These popups are not actually GDPR compliant.

The GDPR mandates that consent should be opt-in (tracking can only begin when the user says yes) and consent should be given freely so the user should not be inconvenienced if they refuse.

However regarding your idea, it's already been tried with the Do Not Track header - the ad-tech scum ended up using it as an extra data point for browser fingerprinting, which meant that opting out of tracking actually made tracking you even easier.