Leave it to the browser to opt out of cookies

31 points by m348e912 ↗ HN
Any website following GDPR guidelines presents annoying preference options regarding which cookies the user wishes to accept. Some sites categorize the cookies from "cookies needed for functionality" all the way to "third party advertiser cookies" I'd like to be able to pre-define what kind of cookies to accept in my browser. Since most content providers won't like the approach I think it might have to be legislated, since most users would probably opt for "cookies required for functionality"

16 comments

[ 1.7 ms ] story [ 35.8 ms ] thread
That would not respect the GDPR law. The point is to require consent. And as an user you should be annoyed and seek websites that respect you better.

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

> That would not respect the GDPR law. The point is to require consent.

This is something that sounds good in theory, but in practice may be counterintuitively a bad solution that makes people less safe when you take into account how UX and human nature works.

Most people don't read these forms. You're training people to instinctively click on any clickable buttons they see on page load to make the annoying banners go away as fast as possible. It's much easier for shady characters to get people to give up some permission that actually matters in this environment or agree to something awful that might actually harm them.

This is doubly a problem on mobile, where the limited screen size means that you can't see anything unless you click on the shiny banner button.

> And as an user you should be annoyed and seek websites that respect you better.

To me, real respect means not wasting my time doing busy performative theater.

However people choose to deal with cookies is a problem that should be handled on the browser level, not with every website trying to write their own explanation and have some cookie management consent form.

The law is not about cookie management but privacy and data protection.

Also, what you describe sounds a bit like the “do not track” failure.

That was a failure because it was unenforced. The cookie consent banners are a failure of lawmakers to enforce a protocol solution.

It is really weird seeing people apologize for this clunky piece of legislation. "That's how it is supposed to be: a qualitative step down all across the internet."

You know what people do to get around this trashfire? They install adblockers.

It was a failure also because of Microsoft and their choice to enable do not track by default in internet explorer.

The legislation could be improved of course, but personally I think these consent forms are fine. And it tells me immediately which website “value my data“.

A small correction:

> Any website following GDPR guidelines presents annoying preference options regarding which cookies the user wishes to accept.

That's not true. If a website wants to spy on you, it needs your consent. GDPR doesn't require websites to spy on you, that's 100% on the owners of the website.

That’s the most important thing to understand. My website doesn’t present a cookie banner because I don’t spy on my readers. Neither do any of the websites that I’ve made for other people. If you see a cookie banner, either just close the tab or, if you really need to use the page, execute a bookmarklet like

    javascript:let i, elements = 
    document.querySelectorAll('body *'); for (i = 0; i < 
    elements.length; i++) { 
    if(getComputedStyle(elements[i]).position === 'fixed' 
    || getComputedStyle(elements[i]).position === 'sticky'){ elements[i].parentNode.removeChild(elements[i]); } }
uBlock already has blocklists for this.
I saw sites that have "reject all cookies" button right on the cookie banner. Maybe you should ask why other sites do not want to do the same?

Also, GDPR is not only about cookies, it is about tracking in general. For example, collecting IP address and device fingerprint is also considered tracking, although it doens't use cookies.

(comment deleted)
You are incorrect.

The GDPR does not require consent for cookies.

HOWEVER, if you are using those cookies to track or spy on me (advertisers take a bow) then you need to ask my explicit permission to do so. And so you should.

(Take away your scummy business model, and you remove the need for cookie banners).

I agree, a preference set at the browser level would be far more effective. The current implementations inconvenience the user to the point that they don’t want to go through the hassle of entering their preferences.
> current implementations inconvenience the user

The scummy business model used by advertisers is to deliberately make it inconvenient to opt out of their tracking.

All that is needed by GDPR is a simple 'tick yes' to opt in to tracking if you wish to be tracked or personally identified. (No need to ask permission for 'ordinary' cookies).

You should ask yourself why you are doing business with companies with such as shady business model.

I know it’s deliberate, but let’s be honest why would we expect them to make it simple when it isn’t in their interests. I’m saying take it out of their hands now and give users the control they need.
The problem is that there's a literally a 3-trillion-dollar business depending on the difficulty of rejecting tracking.

The inability to easily reject tracking cookies is not a technical problem. It's a problem of lobbying and malicious compliance by megacorporations living off web surveillance. They will subvert (P3P), ignore (DNT), or replace (FLoC) every technology that makes it easy to reject tracking cookies. They will fight every law and smear every institution that tries to mandate use of any easy tracking-rejecting technology.