80 comments

[ 4.4 ms ] story [ 143 ms ] thread
Hi, I'm Eli, the lead engineer behind this project. We're on a mission to put an end to cookie banners so we built a new kind of consent manager at Transcend to achieve this goal. In this post, you can read about the process that went into building a secure firewall for our consent manager.

This product is currently in closed beta, so I am sure you may have many questions. I will try to answer any questions you have in the comments.

With Transcend Consent Manager, site owners can:

• Block, quarantine, & replay tracking events cross-session or in-place (e.g. a same-session DOM mutation is replayed or a fetch() promise is resolved).

• Override requests to use alternative domains or enforce privacy rules on parameters, skipping the SDK. (e.g. we can automatically enforce Facebook's LDU parameters, Google Consent Mode, Google Ads RDP, YouTube Privacy Enhanced Mode, etc. with no site changes)

• Privately sync consent & quarantine data across a first-party set of hosts without data ever leaving the browser.

Most importantly, this enables sites to ask for consent later in the user journey, eliminating cookie banners.

The problem that I see with your approach is that you are heavily biasing the collected samples towards "successful" flows.

If you have two funnels A and B and users using path A convert slightly more than users using path B, but path A is way more hidden. If you end up only showing the collect prompt after the conversion, you will get a lot of data about path B, and some about path A. It's really hard to tell the efficiency of each path, you now that. more people come from path B, but you don't one which one is best.

I hate cookie banner, but from a data collector perspective, since they are the first thing people interact with, you are argue that they minimize sampling bias. You approach adds a significant one, which makes all the number you can get from it hard to trust.

This consent flow solves one specific problem very well, which is Return on Ad Spend. This addresses the data needs of one stakeholder, which is the marketer in charge of the ad and marketing budget. Of the dollars they're spending, which ones result in sales? That's the one question they want to ask from their data, and this tool lets them answer that.

Every other stakeholder I can think of will want to know details about a failure or drop-off. Some stakeholders, like User Experience, will only want to know about failures. This tool does not meet their needs.

My experience is that the user base of Google Analytics skews heavily towards marketers, and there is a decent-size market of current GA users that only use GA for the subset of data provided by this tool.

It doesn't necessarily solve RoAS tracking either. If you only have information on some % of your purchasers* and you optimize against that small, self-selecting sample, you may entirely miss other groups of higher spenders who just don't want to be tracked.

It might help answer the question "which campaigns are performing better relative to each other" as long as we assume that no campaigns are more likely to affect opt-in rates than others. It may even be an improvement over up-front consent seeking, if the theory is that a better checkout UX with less upfront annoyances results in better opt-in rates later on. But it doesn't really answer the bigger question of "is this the best place to spend my marketing dollars" vs, say, investing in campaigns/platforms that may have greater reach but less transparent funnels (comparing a Google Ad to a Superbowl TV ad, for example).

If you use this in a vacuum without any statistical modeling thought, you end up optimizing against algorithmic limitations rather than real customers. At the end of the day you're drastically reducing your sample size, and not in a representative, random manner. Your opt-in users are behaviorally different from the majority of people, and it wouldn't be a good idea to make big decisions based on their actions alone. They are essentially a cheaper focus group, with all the pros and cons of such.

(*Probably a very low percentage, if the recent iOS tracking opt-in is any indication. One analysis says <15% of users opt-in: https://www.flurry.com/blog/ios-14-5-opt-in-rate-att-restric...)

Is there any option for folks to do an "I accept all cookies but reserve right to manage them myself" setting - and then skip all the popups? In other words, the site can set what it wants, and I can delete what I want?

I really don't need more setting options tweaks etc. How many people do this carefully on each site? How many are annoyed by this STUPID pop up game that means almost nothing.

I carefully turn them all off. I'd much rather have a setting that says "I don't want to participate in your bullshit". We tried such a thing as "Do Not Track", but companies weren't playing along. So now we have to have this regulation, and you should be upset at the companies who necessitated that regulation, not at the people who are doing their best to keep it being a choice.
The GDPR is explicit about that: non-functional stuff should be turned off by default. No, marketing isn't functional. If companies follow the law, the default is set at "I don't want to participate in your bullshit".

It's just that a lot of companies are employing dark patterns or getting it wrong on purpose, and it's working because people are now annoyed at GDPR instead of the companies doing this.

Yes, and it's ultimately sad to me, although not terribly surprising, that people are getting annoyed at the legislation instead of the perpetrators.
There is only an option to reject all cookies via GPC https://globalprivacycontrol.org/. Some sites have started to respect it.
Note that our consent manager integrates with and respects GPC signals.
Is there an accept all cookies version of this?

Reject all is pointless. You can do it in browser already. You need cookies to hold a login session - folks who try to get websites to block cookies - it doesn't make sense and isn't what most folks want (I need login, shopping cart etc).

> Reject all is pointless. You can do it in browser already.

No, you can’t. You can block cookies. GPC enables the ”I reject” signal, so websites that honor GPC don’t have to ask you (i.e., no cookie banner)..

"Do Not Track" header was used to track users, and removed. GPC will be used to do the same.
Any HTTP header can be used to build a fingerprint. Should we remove HTTP headers because of that? No.
There is a crucial difference between login session cookies and personal tracking cookies for ads.

You don't even need consent for login session cookies, provided that is all they are used for. Because the user is already asking the site to remember who they are. Similarly for a shopping cart, as the user is asking the site to remember selected items.

"Reject all for privacy" is about rejecting personal tracking cookies for ads, usually while keeping essential login and shopping cart cookies.

Please note that some (many) people don't care - they don't want these browser pop-ups, they understand that cookies aren't the only way profiles are built etc etc.

The problem is the zealots here are souring generations on actual user control of data by endlessly requiring more and more notices and popups. Don't annoy 95% of users so some random subgroup can feel smug about themselves.

It seems every CA company now sends me - via PAPER MAIL - a privacy notice of privacy practices. I DON'T CARE. There are no teeth in any of this. Even if there were people don't care.

The people who want more privacy - including zealots - also don't want the notices, popups, options, etc.

It's a mistake to think privacy zealots are requiring all those things. They are not; they don't want them. And so they are not to blame for them.

They do want to be able to find out what commitments a company is binding itself to, to be able to hold the company accountable under the law, which acts to curtail some abuses, but even that would be much preferred in the form of statutury commitments that could be assumed by default everywhere, the same way consumer protection law works.

Those endless annoyances are the result of companies that are actively hostile to users who value privacy and to statutory privacy policies in general. So companies make the popups, in particular, intrusive and often difficult to reject properly. Sometimes they outright lie about the GDPR requiring some heavy duty options lists.

I say companies. Usually the worst popups on a site are not from a site's own company, they are from third party surveillance-based advertising services or similar used by the company. Naturally, those third parties are the ones most actively hostile to a privacy oriented society, and on an individual level, most interested in persuading or tricking someone into accepting the tracking.

With regards to CA privacy notices: Imagine how refreshing it would be if it was like consumer protection law protecting you when buying things mail order and against false advertising and faulty products. You wouldn't need to receive a privacy policy at all, because there would be a statutory privacy policy you could always assume and all companies adhered to it. Perhaps you would be able to opt out of privacy explicitly, but you always had the option to take the service without opting out of the statutory privacy policy if you wanted.

I really want a browser flag like "I DO NOT CARE ABOUT TRACKING" that auto-accepts.
Exactly. I just blow away all cookies but a few selected sites periodically.

There are people carefully going through the deep menus that supposedly turn something off. Why not just control yourself, blow them away if you care.

But key is - I want to ACCEPT all cookies in return for not being asked at all. If I care about tracking many other solutions I can use.

Cookies, OK. But there are other forms of tracking that you can’t undo on your end.
But you can already delete specific cookies from the browser, or you are referring to deleting some other data?
Has any company been fined specifically for dropping cookies without consent? This enforcement tracker shows lots of fines but it isn't clear which are for cookie banner related issues https://www.enforcementtracker.com/
I don't think fines for cookie violations show up in that tracker. It seems to only include GDPR violations; cookies are regulated by the ePrivacy Directive, a separate (but intermingled) set of laws.
Interesting, this is the first time I've seen a webpage that can crash firefox's tab with 100% probability in 10 seconds.
Despite all my addons, I can't reproduce that behaviour here. Firefox 89.0.2, Ubuntu 20.04, amd64.
This is an interesting idea, asking the user to share data at the end of the conversion flow, as long as it remains opt-in. It can possibly use some more customization though, and perhaps an option for a preview of the data being transmitted for full clarity.

It's vulnerable to implementation changes in the browser network traffic API, though, because the "firewall" isn't a real firewall (just something intercepting fetches and such).

I think it could further be improved by sending a no-op script when the user sends a do-not-track header, which clearly indicates their preference already, saving the power it takes to parse the 30KB of JS and the additional network requests associated with it.

> perhaps an option for a preview of the data being transmitted for full clarity

That's on our roadmap.

> It's vulnerable to implementation changes in the browser network traffic API, though, because the "firewall" isn't a real firewall (just something intercepting fetches and such).

With CSP, we can ensure a certain level of network compliance. It's not perfect but it provides useful browser-enforced protections against non-consented data sharing and exfiltration. CSP isn't a panacea but it's getting better over time. For example, navigation (e.g. clicking on a link to navigate to it) rules could be enforced through CSP's new `navigate-to` directive. Our consent manager's patchers don't yet regulate automated navigation but that is also on our roadnap as well.

We do regulate automated form submissions (e.g. used by the Snapchat ads SDK) to comply with user consent though.

Wouldn't less annoying Cookie Banners lead to significantly less data?

Or maybe asked differently: Is people giving actual informed consent to tracking actually a thing? I mean for most people I know, the reaction to such banners is one of:

  - opting out
  - trying to opt out but being tricked by misleading design to press a "opt in" button
  - trying to out out but failing and then "opting in" out of desperation
  - people who encountered the previous situations before and "opt in" since they don't have the time/patience to work through the opt out dialogues and decide that tracking is "the lesser evil"
  - Not understanding what this is about and just clicking anything to make it disappear
I can't remember anyone who ever really wanted to agree to such stuff. Of course I haven't done any reliable research on this and it might just be my sampling bias, but I would expect any system which really gives people a choice to get very little positive responses. (On the other hand people are also trained to accept things like ToS without thinking at the end of the user journey, so maybe it works out fine...)

Don't get me wrong, I really like the idea and hope that it will be successful. I just don't see users agreeing to this.

I completely get where you're coming from. I'd personally never consent to tracking either without adequate incentives.

This new consent manager makes it easier for site owners to offer incentives to consent (e.g. share your user journey for 5% off at checkout).

Note: 'Selling your privacy' (and likely incentivizing consent) may not be legal under some regimes, so nuance should be applied to any novel implementations using our consent manager. We have a privacy legal regime detection API which helps enable varying UI & behavior based on user-applicable legal regimes.

How do you check what the applicable legal regime is?

(Please don't say IP geolocation.)

Currently we use your browser's language and time zone settings to derive applicable legal regimes such as GDPR, CPRA, and LGPD.

This method even supports the nuance of detecting a EU-likely user vacationing in California, affording them both CPRA and GDPR protections. You can try out this API by typing `await airgap.getRegimes()` in your browser console on this blog post.

This method won't scale forever as more states and countries enact new privacy laws so we do plan on eventually falling back to IP geolocation as well.

For those of us less fluent in modern JS, the console command should be:

  await airgap.getRegimes()
to unwrap the promise and display the regime set directly in the output :).

Also, I can confirm it correctly identifies the regime applicable to me (GDPR).

EDIT: I played a bit more with your blog post, after disabling my Adblock and tracking protection features in Firefox. It seems you're dogfooding your system here and now; I don't see any analytics calls happening beyond the scripts being loaded, and I also see a bunch of requests being trapped by airgap (I found it by doing airgap.export("foo") in the console). Nice work!

(So, what kind of analytics are you getting from this blogpost without asking? ;))

I press the button most likely to get rid of the thing in my way as fast as possible
So basically, you're rewarding dark patterns. I get where you're coming from, but I'd rather people-in-the-know use CSS rules or other hacks to work around this.

Basically, anything but enabling treacherous design.

well, I have ubo enabled too, so I remove overlays and blurs sometimes, my point is I don't care, I'm visiting the site once ever most likely, I just want to read the page and leave
We should go back to a world where users are paid to test a product, rather than expecting everybody to accept being tracked and to participate to experiments.
This honestly sounds like a major inconvenience to both developers and users, by adding a virtual DOM, 30kb of unnecessary JS, and unnecessary consent check boxes that I wouldn't agree anyway.

How is the impact of slower and heavier web page experience measured? I'm sure it has more negative impact than whatever improvement this traced information can help improve.

We've benchmarked this framework on very heavy interactive video and content creation webapps with minimal overhead.

When a user is opted out of tracking, we can actually observe negative overhead due to performance gains from blocking certain requests.

Performance (and security) is something that we always keep in mind with our consent manager.

> We've benchmarked this framework on very heavy interactive video and content creation webapps with minimal overhead.

On the dev machine? Or also on a smartphone, a several years old pc, etc etc?

Using simulated slow machines via browser DevTools and Lighthouse.
Ah, fair enough.
As a reader, I deal with cookie banners with user javascript that deletes them. As a creator, I don’t need to annoy my users with them because I don’t track them.
Better solution:

1. Force (by law) all cookie banners to have specific class, e.g. "eu_cookie_consent_banner"

2. I'll write user css rule that hides this class.

The law already makes the absolute vast majority of these banners illegal.

Do companies care?

If you live in the EU, you can report websites with cookie issues to your country's Data Protection Authority. If the website owner gets fined, and the fine is significant enough in some cases they would start to care.

You can contact your DPA for guidance on the exact process – you may first need to contact the website owner and try to resolve the issue between them, before filing a formal complaint to the DPA.

The list of DPAs: https://edpb.europa.eu/about-edpb/about-edpb/members_en

I reported some egregious behavior to Swedish DPA. I think I didn't even get an automated reply acknowledging the request :(
Better solution

1. Force (by law) all tracking companies to shut down

2. Enjoy a better internet

People say this without thinking about the consequences. Unfortunately the biggest loser of non-trackable Internet would be small businesses and startups that are trying to find their audiences.

The recent changes in iOS for example have led to a situation that none of the startups I'm involved in can buy cheap ads anymore. Revenues are down, investors are unhappy, companies are struggling to find new channels.

As a user myself, I avoid places that seem to track me aggressively but at the same time I occasionally click on ads (Facebook is especially good at it) that are well targeted and on point. Maybe the world needs a different way of delivering well-targeted sponsored content, but nobody has invented one so far.

So before saying "fuck tracking" think of the small guy, the entrepreneur who is trying to reach out to the audiences with their limited funds.

If your biz doesn't work without tracking and you cant to context based advertisement to find audiences then your biz needs to fail. I don't want your sh!tty startup to succeed if it involves tracking children (and adults) to deliver ads. If you can only make money by using highly targeted ads on Facebook, then your biz model is just bad.
(comment deleted)
> Maybe the world needs a different way of delivering well-targeted sponsored content, but nobody has invented one so far.

But they did! Many times over!

The current solution isn't the only way to deliver ads to the right audience - it's just the cheapest one. It outcompetes all other approaches. The solution is thus simple: just ban it. Everyone will then go back to whatever is the next cheapest option. Rinse, repeat, until the cheapest option is one that doesn't compromise privacy and isn't destructive to the communications medium.

So what are the different, older ways of delivering well-targeted sponsored content? For starters, opt-in approaches. Mail catalogues, e-mail catalogues, yellow pages, catalog websites, trade shows, etc. - all kinds of services where it's the user who seeks out advertisements. People want to spend money on things, want to find solutions to their problems, want to save money by finding cheaper alternatives. You don't have to shout at them to get them on the market.

> the biggest loser of non-trackable Internet would be small businesses and startups that are trying to find their audiences

I'm somewhat skeptical about this, but even if, I also think that the amount of advertising deployed is keeping the market in an artificially oversaturated state. There's more companies selling commodity products, competing on advertising alone, surviving only because they manage to trick people into buying things. Without so much unsolicited advertising, some of those would have to fold, but I think this would be extremely good for everyone - less spam, less resources wasted on unnecessary production, and less resources wasted on the zero-sum game that is advertising in a highly competitive market segment.

I have similar thoughts and am very divided over this, despite that businesses I'm involved in are suffering losses right now. What am I doing wrong? Is my product bad, mediocre, useless? After all, I'm thinking, if my product could generate profit when I could run cheap ads and have a pretty decent retention rates, then fundamentally, what's wrong with it?

> ... opt-in approaches. Mail catalogues, e-mail catalogues, yellow pages, catalog websites, trade shows, etc. - all kinds of services where it's the user who seeks out advertisements

There's a big problem with this. I don't know what I don't know. Even though I wouldn't voluntarily opt in for ads on my Facebook feed if I had the chance, but some ads are so good that I am sometimes even thankful when I see an interesting promoted product. That's only possible because Facebook knows too much about my interests already. But again, I'm not among those who'd voluntarily subscribe to yellow pages in any shape or form. My IDFA has been disabled since my first iPhone, I have the best paid ad blocker in my browser etc.

All in all, I doubt the industry can make a U-turn and go back to the opt-in model. More realistically we'll have a bipolar world with Apple on one end of the spectrum and the rest on the other.

I think “web directory” is the old answer, which was killed by targeted ads.

Even though I wouldn't voluntarily opt in for ads on my Facebook feed if I had the chance, but some ads are so good that I am sometimes even thankful when I see an interesting promoted product

Idk, when things were different, I actually read ads on paper, because it was interesting what companies can offer, and it was versatile. It was like going to a monstrous store with shelfs full of different goods and descriptions. You’re asking how to target a specific interest? A directory. I’d go to a tech section (and many more) weekly just to keep up with the world. I’d share good findings with my friends and relatives, buy interesting things which I know much better than FB ever would. Today directories are dead and I have NO, completely NO way to do that, except by the chance of seeing something on HN or few other sites. Github awesome-something lists are a proof for that: you just can’t reach good stuff with how it all works now.

Better solution: do away with cookie banners. Optionally, make the DNT header legally binding.
in addition to the cookie banner vandalism committed by the EU, another problem that needs solving is legal agreements: it is not acceptable to run a society in a way that involves frequently requiring the public to sign documents they obviously haven’t read. I don’t know what the solution is, but I suspect it involves a massive devolution of power away from lawyers, so that they are no longer allowed to simply create agreement documents as long and complex as they want. The new documents must literally be such that it is probable that all users who sign, have read. That probably means just one or two short sentences.

In other words an “agreement” would not be legally valid unless it was short and simple enough for it to be empirically likely that the user has read it, unless we are in a situation in which a user has explicitly selected a service that they are told involves high legal complexity.

> in addition to the cookie banner vandalism committed by the EU

You mean cookie banner vandalism committed by companies who couldn't care about laws and privacy and trick people into consenting through barely legal and illegal popups.

Not sure what you mean. What alternative action to putting up a banner do you propose for the huge numbers of companies that are apparently using cookies in a way that requires a banner?

All the companies putting up banners today are clearly using cookies in a manner that would require a banner under EU rules. The EU knew this, and knew the effect their rules would have on the aesthetics and UX of the internet. Hence “vandalism”.

An alternative may be to stop tracking users and sharing cookie data with third parties by default.
Well the obvious solution is to stop using these cookies, since they're not necessary for the site's function. I know the site wants to scrape your data to optimize against and sell, but maybe they could just not?
If its an eCommerce site then tracking and logging users is a necessary function in the same way as any brick and mortar tracks and logs its customers. A brick and mortar doesn't need your consent to track you on cctv because accessing the store is the consent why should a website require your consent for the same thing?

The law is just a bad idea poorly executed, like the obsession with cookies? I assume the law is for normies that don't understand that websites are using cookies to track them, but normies don't know that cookies are used to track them so informing them that the site uses cookies means nothing to them, they will agree cookies not knowing they are actually agreeing to being tracked.

From the point of view of a developer the cookie obsession also causes problems, like what if I use cookies to store the fact that people don't want to be tracked so I don't pester them with the notice? do I need a notice for that? What if I don't use cookies but an e-tag for the same purpose. If I uniquely fingerprint your browser can I then just track anyone anywhere without consent? Im not using cookies.

If the EU wanted to ban tracking users they could easily have just wrote that into law instead of this legal, technical and practical mess.

> What alternative action to putting up a banner do you propose for the huge numbers of companies that are apparently using cookies in a way that requires a banner?

1. If you use cookies that are strictly necessary for your site to function, you don't need the banner, at all.

2. For anything else you need a banner.

So, the question is: is it EU that "vandalised the web with cookie banners" or "huge number of companies" that indiscriminately collect and sell your data?

This approach only seems to target the GDPR. It needs to also satisfy the laws created by the ePrivacy directive in the EU member states, and UK (PECR). Storing data in a cookie ("or similar technology") requires informed consent.

Airgap.js does not shield you from this requirement.

If you want your users to not have to step through the Cookie Inquisition, consider the actual business loss of not using cookies [for everybody] any more. Yes, a ton of marketing tools require them, but do you require the tracking aspects of those marketing tools? Food for thought.

For anybody unfamiliar with EU ePrivacy Directive derrived laws, here's the UK's implementation (PECR): https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

Private local storage is likely not a 'similar technology' in the legal sense that the legislatures were referring to. IANAL & TINLA

Cookies are shared over the network by default. Local storage is not shared over the network by default.

Regardless, we support configuring our consent manager into the bog-standard norm for customers that share your legal interpretation. Even in that case, nuance can be applied specifically to individual privacy legal regimes (e.g. GDPR), allowing you to use most of our features in other legal regimes (CPRA, etc).

(comment deleted)
I always open the web inspector and remove or hide them. There's nothing to be gained by answering these if the site is following the law.
My approach is to not engage with them, and treat them as an unchangable part of the design.

If I can read the content around it, then I do that. If not, I probably am not missing much.

Nice, I like it!

Of course, you won't be able to get away with just a simple checkbox there - to give informed consent, I need to be able to review what data is being sent, to whom, and for what purpose. Some kind of popup or summary page will still be needed. However, this has a much different feel to it - as a user, I'd feel respected by you, and I might actually be inclined to opt-in as a favor to you.

RE details screen: given the data is already collected, a smart enough screen could let the user inspect actual data, not just promises. That's probably too much work and isn't going to happen unless someone like you implements this as plug-and-play components, but I imagine a details screen giving me summary like:

  - Google Analytics
    - Your mouse movements (24213 data points)
    - Which links you clicked, and when
      - 12 internal
      - 2 leading to external sites
  - EvilNoGoodCorp Ltd
    - Input events in text boxes (234 characters)
      [click here] to show recording
In a hypothetical, perfect world, most users wouldn't even look at any of this. But some might skim it, expand it here end there, and the few privacy-conscious users would read through them, ready to raise alarm if something is off. This would be a very meaningful step for the industry to regain trust of the users, making people more comfortable with some level of telemetry.

As I see it, there is a place for analytics on websites and in software, but it has to be respectful, opt-in, in a culture of mutual help. A nice company asks me to do them a favor and let them watch me as I use their services? Sure, why not. If it helps them make the service better, or stay afloat for longer, I might benefit too. That's a polar opposite of the current culture, where companies feel entitled to as much data as they can possibly get.

On the technical side, I appreciate the detailed writeup. I didn't know you could inject CSP entries at runtime! And then:

> We detect JavaScript network API events by patching and overriding all of the global interfaces used to create network requests, such as XMLHttpRequest(), fetch(), and navigator.sendBeacon().

Holy shit you can do that?! That's impressive, in a positive way, both in terms of the browsers allowing this, and you finding a good use for it.

This is entirely missing the point of the regulation if it defaults to tracking without consent.

You need consent (as defined by the GDPR) to store tracking related data on a client device.

This is a creative approach, and on some level I like it. However, it does seem to be kicking the can down the road. If a website is storing significant details in my browser I'd still want to know why, necessitating.... some sort of... banner? I'm only half-joking.

What's to stop airgap.js leaking my data, either deliberately or accidentally? How do I disable it before it starts collecting?

It would be nice to see this post describe whether and how they audited what information is collected and why. The slippery-slope towards ever-more pervasive and clever means of collecting ever-more detailed data about users is truly Orwellian. In fact, it's worse, since Orwell thought it would only be governments doing it when in fact it's apparently everyone. It's no longer normal to defend why so much data should be collected; instead it's so normalised that it's not questioned at all, as here.

We really do need to hold up more examples of organisations who successfully achieve their aims without resorting to surveillance capitalism.

(comment deleted)
The right solution would be for me to define my consent preferences in my browser and have that transmitted in a HTTP header.

Since obviously the "industry" will ignore that, it should be mandated by law. Everything would suddenly become way simpler: for example, the dark patterns involving hoops we have to jump through to deny consent would suddenly disappear. Policing is easy and could even be automated: if a website shows a "consent form" after a header has been sent, issue a fine.

They don’t want, so what. GDPR failed to prevent tricking in on the first iteration, but it may succeed on the next one. All these tricks are technical tricks* not backed by “no con” enforcement. Slap the first creep with a fine and others will comply. “Citizens don’t want” is the only important thing we should think of here.

* https://mastercard.com/blog/2019/why-tracking-tricks-are-not... (please mentally agree before opting in)

This proposal is from the company that sues non-compliant companies for a living (consider donating): https://noyb.eu/en/new-browser-signal-could-make-cookie-bann.... So I am expecting this proposal to be offered to legislators if the industry pretends not to notice (but legislators in Europe usually only make ISO standards enforced, and the usual road is to prepare a spec, standardize it at a "smaller" venue, e.g. OASIS or W3C and then submit a complete document to ISO for a fast-track approval as an ISO standard). Just a few weeks ago they filed around 500 complaints with the regulators: https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is.... Specific excerpt with respect to your sentiment:

"Blame it on the GDPR? Many internet users mistake this annoying situation as a direct outcome of the GDPR, when in fact companies misuse designs in violation of the law. The GDPR demands a simple “yes” or “no”, as reasonable people would expect, but companies often have the power over the design and narrative when implementing the GDPR."

Same guy who sued Facebook and won: https://en.wikipedia.org/wiki/Max_Schrems

Your link leads to https://mastercard.com/api/v4/card-actions/send-money?confir... ?! Edit: I guess this was by design, nice trick.

In uBlock Origin it is in Filter Lists under Annoyances category