Most people miss that the Cookie Law was essentially the training phase for GDPR. It conditioned users to reflexively click “Agree” just to make popups disappear. Once that behaviour was normalised, GDPR arrived - now those same clicks legally authorise data collection and trade that used to exist in a grey area.
That's why the more logical and simpler ideas were never on the table.
The thing people need to understand here is that the annoyance is not due to lack of technical solutions, or regulations forcing something. It is explicitly wanted by the industry so they can maximize the consent rate. The browser solution is probably the best technical/user friendly one, but ad tech/data gathering industry won't have any consent. As they control most of the web, they will never do that
The cookie laws make it so that web sites have to ask permission to track you, surveil you, sell your data, etc. And surprise, almost every website wants to track you, surveil you, and sell you data. The EU should have just banned the unethical behaviour, the middle ground of every single website asking for unethical tracking is a travesty.
GDPR already mandates that "Refuse non essential" button should be the same size and prominence than the "Accept all" button, every website around the globe does not care (apart from major players like Google, Apple or Amazon) and national data protection authorities absolutely do not care.
We already had one attempt with "Do not track" header, nobody was willing to commit to it because it impaired business. Same would go with OP proposal.
Websites are forcing this banner on us because they are greedy morons that would rather drain our data for money than incite us to pay for their work.
Or just ban this kind of data collection. Is there any reason anyone would willingly click "Accept" when a website asks to share your data with 500+ partner sites?
Targeted ads generally bring in 3x the revenue of generic ads. Personally speaking, I'd rather have 1/3rd the ads on a page and allow my data to be tracked. I don't mind my data being tracked, and I'd rather see ads for keyboards / mens clothes (what I buy) than diapers / ladies shoes (who knows what tomorrow holds, but this is not what I'm buying at the moment).
I agree, the context of the website/topic/whatever should be more than enough to derive enough to load an add. On a hackerspace page? put up some rpi or DMM add. On rock music site? Thow up some vinyl adds or guitar tabs. Etc.
So why didn't GDPR require Do Not Track to be honored? It was already there, to be expanded on if needed.
But I can't imagine copmanies would want that. They benefit from cookie dialogs fatigue, and for some reason people blame GDPR of all things for surveillance tech being annoying in how they ask for permission.
I believe this is already starting to be solved via Global Privacy Control (GPC) [1], and has already been implemented in Firefox to replace Do Not Track [2]. All that remains is to see if lawmakers will catch up and make it a legal requirement to follow...
>We all do the same thing. We sigh, our eyes glaze over, and we click "Accept All" with the muscle memory of a weary soldier.
No. When I see a cookie banner that doesn't have a "Reject all" or at least "Reject non-necessary", I leave the website. When you look into the "Reject..." section, it often contains 1000+ of adtech shit you have to untick individually. Aren't these actually non-compliant with regulations? Makes you think twice about website owners if they choose to sell your data to adtech - seems like law does exactly what it was supposed to do. The problem is adtech which encourages to collect data websites have no business at collecting. If anything, non-compliant sites should be fined into ground and adtech outlawed.
Amen to that, and to Age verification mentioned by @vmaurin. I get cookie rage sometimes from those banners. Most definitely I suffer from consent fatigue.
The purpose of the laws (GDPR et al) is to give me control over who does what with my data, data about me. The operator of the website is who the law binds. It's not even about the website - if I phoned or emailed, the same laws would apply. You need my explicit consent to process my data in a number of ways that you'd like to, it makes you money, but I don't want you to.
The processors of this data can't make as much money off selling access to data about me, if I have these rights. So they petulantly get in my face as much as possible, via banners on websites, to annoy me and confuse me as to why these banners are even there, and try and trick me into letting them make more money.
The banners, which a browser could block or autofill, are just the surface. And they're an attack surface, so even if we agreed a way for the browser to pass on your preferences (we already did this, it's called the Do-Not-Track or DNT header, and it was a complete failure because website-owners just ignored it), website-owners would add a second layer of "ah, I see you said no automatically, but are you REALLY sure you don't want to let me make more money from your data?"
NOYB is very good for chasing after such charlatans, and forcing companies to obey data protection laws. Here is some of their guidance, and listing of the dark patterns used by non-compliant companies: https://noyb.eu/sites/default/files/2024-07/noyb_Cookie_Repo...
I disagree that this should be in the scope of a browser.
Cookie banner are called cookie banners because they‘re most frequently associated with the opt in for tracking cookies, but this kind of opt in is required for any kind of third party involvement that goes beyond technical necessity.
Your browser has no way to tell what third party present on the site is a technical necessity and which one isn‘t. So you‘d have to tell it - making it part of the site providers problem as well. But this time its worse, because responsibilities are mixed between the site operator and the third party.
The point of the 'annoy with consent banners' was to get people to 'allow (to be tracked) '.
Denying would, in many cases, go up to hundreds of yes/no options, with no 'deny all'. Makes getting coerced permission easy, and active denial almost impossible.
Of course, by not tracking, they dont need any of this crap. But surveillance capitalism must continue. Sigh.
For Knuth's sake: The GDPR is NOT about cookies! The older 'cookie directive' is also NOT about cookies! They're about a third party storing their data on your computer, or storing your personal data on their computers - no matter what technology is used.
Nothing in the GDPR stops websites from honoring "Do not track" and then _not asking_ if it's present. They don't have to ask if they don't track you! They don't have to ask for a technically necessary session cookie that appears after you actively log in!
Websites ask because they want to track you! A 'law targeting browsers' would not help because people would say no to cookies, and then websites would ask about some other way to track you. Because they want to track you.
Instead of forcing those cookie banners Europe should have had an Airbus moment and fully funded a privacy first web browser, then Europe would be a player in the web and not looking in from the outside.
The author's idea is "A Simple, Radical Idea: Put Consent in the Browser". So when you set up your browser, you get a single choice of whether you want websites to track you and sell your data.
Here's an even more radical idea: the browser doesn't even ask you this, and by default it just respects the user's privacy and blocks all third party tracking.
Can you imagine an internet where the user is put first?
The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.
"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be.
https://www.techspot.com/news/108043-german-court-takes-stan...
Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.
Or we could stop the charade of that cookie laws prevents tracking and get rid of all the stupid banners. All the beacons are firing in the back(server to server) now and all session data is passed on the inbound URL and stored. Browsers banning third party beacons, cookies laws, etc don't do anything. You can't even tell your being tracked.
> but malicious compliance by websites that don't want to give up tracking
It isn't even compliance, they are just breaking the rules by as much as they think they can get away with and so far, for the most part, they are getting away with it.
That law has "discovered" that these rules for these sites suck because nobody wants to sit and decide what they want on a site by site basis and thus the "just get out of my face" kinda clicking and annoyance works.
The idea that just visiting any given site I visit means I have to make some legal agreement makes no sense.
Counterpoint - making every website you visit ask you about cookies still absolutely sucks. Even when they are fully in compliance it's a bad experience that makes using the internet worse.
And it's all because the law was written by lawyers who care less about user experience or privacy than the companies that have to enforce it.
"The problem is not the law but with the people who don't follow it."
I mean... uh.
If the world would only consist of people who want to cooperate and don't have malicious intentions, then WE WOULDN'T NEED THE LAW AT ALL.
The law exists BECASUE OF the people who don't want to comply. So if the law doesn't control those people who don't want to comply, then the problem is with the law.
Because if we're saying that the problem is with the people, then the discussion is pointless like a black hole.
But I don't want to deal with "Accept All" and "Decline All" either.
First, I, the user, am requesting to open the website. It's not the website imposing on me. My browser, which supposedly is under my control, is what forwards all the data.
Second, there is absolutely no way to know whether the website actually does what it says based on the cookie pop up. If it's a website based outside the EU then there's no way to enforce this cookie pop up.
But if the browser handles this, then there is a way to enforce it. Of course, the downside there is that the website will then use other means to potentially collect the data, meaning that you still need the law to limit such data collection.
Policing the tools instead of policing what is being done with them is the problem for me.
Third party cookies have a valid reason to be used in federated authentication for instance, or a bunch of other valid purposes. Just ban shitty data collection practices.
Knives can be used to chop vegetables or stab someone. Don't ban their sale, ban their usage.
What about by default web browsers are required to have Javascript disabled and uBlock installed and running? They could do a reverse Google, and make it so its impossible to uninstall uBlock.
If we are going to go down the path of mandating legal liability on software makers of a neutral communication medium, then the EU should just break the commercial web.
Why would this need to be law? My browser already does this, because I, the "user" in "user agent", wanted it that way. Some sites don't work, but that's their choice, not mine, as it should be.
110 comments
[ 3.8 ms ] story [ 88.9 ms ] threadThat's why the more logical and simpler ideas were never on the table.
There was the DNT header, that was a bit to simplistic, but was never implemented https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
The thing people need to understand here is that the annoyance is not due to lack of technical solutions, or regulations forcing something. It is explicitly wanted by the industry so they can maximize the consent rate. The browser solution is probably the best technical/user friendly one, but ad tech/data gathering industry won't have any consent. As they control most of the web, they will never do that
GDPR already mandates that "Refuse non essential" button should be the same size and prominence than the "Accept all" button, every website around the globe does not care (apart from major players like Google, Apple or Amazon) and national data protection authorities absolutely do not care.
We already had one attempt with "Do not track" header, nobody was willing to commit to it because it impaired business. Same would go with OP proposal.
Websites are forcing this banner on us because they are greedy morons that would rather drain our data for money than incite us to pay for their work.
Targeted ads generally bring in 3x the revenue of generic ads. Personally speaking, I'd rather have 1/3rd the ads on a page and allow my data to be tracked. I don't mind my data being tracked, and I'd rather see ads for keyboards / mens clothes (what I buy) than diapers / ladies shoes (who knows what tomorrow holds, but this is not what I'm buying at the moment).
But I can't imagine copmanies would want that. They benefit from cookie dialogs fatigue, and for some reason people blame GDPR of all things for surveillance tech being annoying in how they ask for permission.
[1] https://globalprivacycontrol.org/
[2] https://support.mozilla.org/en-US/kb/global-privacy-control
No. When I see a cookie banner that doesn't have a "Reject all" or at least "Reject non-necessary", I leave the website. When you look into the "Reject..." section, it often contains 1000+ of adtech shit you have to untick individually. Aren't these actually non-compliant with regulations? Makes you think twice about website owners if they choose to sell your data to adtech - seems like law does exactly what it was supposed to do. The problem is adtech which encourages to collect data websites have no business at collecting. If anything, non-compliant sites should be fined into ground and adtech outlawed.
If I could, I'd downvote the article.
The purpose of the laws (GDPR et al) is to give me control over who does what with my data, data about me. The operator of the website is who the law binds. It's not even about the website - if I phoned or emailed, the same laws would apply. You need my explicit consent to process my data in a number of ways that you'd like to, it makes you money, but I don't want you to.
The processors of this data can't make as much money off selling access to data about me, if I have these rights. So they petulantly get in my face as much as possible, via banners on websites, to annoy me and confuse me as to why these banners are even there, and try and trick me into letting them make more money.
The banners, which a browser could block or autofill, are just the surface. And they're an attack surface, so even if we agreed a way for the browser to pass on your preferences (we already did this, it's called the Do-Not-Track or DNT header, and it was a complete failure because website-owners just ignored it), website-owners would add a second layer of "ah, I see you said no automatically, but are you REALLY sure you don't want to let me make more money from your data?"
NOYB is very good for chasing after such charlatans, and forcing companies to obey data protection laws. Here is some of their guidance, and listing of the dark patterns used by non-compliant companies: https://noyb.eu/sites/default/files/2024-07/noyb_Cookie_Repo...
Cookie banner are called cookie banners because they‘re most frequently associated with the opt in for tracking cookies, but this kind of opt in is required for any kind of third party involvement that goes beyond technical necessity.
Your browser has no way to tell what third party present on the site is a technical necessity and which one isn‘t. So you‘d have to tell it - making it part of the site providers problem as well. But this time its worse, because responsibilities are mixed between the site operator and the third party.
Denying would, in many cases, go up to hundreds of yes/no options, with no 'deny all'. Makes getting coerced permission easy, and active denial almost impossible.
Of course, by not tracking, they dont need any of this crap. But surveillance capitalism must continue. Sigh.
Nothing in the GDPR stops websites from honoring "Do not track" and then _not asking_ if it's present. They don't have to ask if they don't track you! They don't have to ask for a technically necessary session cookie that appears after you actively log in!
Websites ask because they want to track you! A 'law targeting browsers' would not help because people would say no to cookies, and then websites would ask about some other way to track you. Because they want to track you.
Here's an even more radical idea: the browser doesn't even ask you this, and by default it just respects the user's privacy and blocks all third party tracking.
Can you imagine an internet where the user is put first?
"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...
Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.
It isn't even compliance, they are just breaking the rules by as much as they think they can get away with and so far, for the most part, they are getting away with it.
That law has "discovered" that these rules for these sites suck because nobody wants to sit and decide what they want on a site by site basis and thus the "just get out of my face" kinda clicking and annoyance works.
The idea that just visiting any given site I visit means I have to make some legal agreement makes no sense.
And it's all because the law was written by lawyers who care less about user experience or privacy than the companies that have to enforce it.
I mean... uh.
If the world would only consist of people who want to cooperate and don't have malicious intentions, then WE WOULDN'T NEED THE LAW AT ALL.
The law exists BECASUE OF the people who don't want to comply. So if the law doesn't control those people who don't want to comply, then the problem is with the law.
Because if we're saying that the problem is with the people, then the discussion is pointless like a black hole.
Do any browsers support running a minified LLM on device through an extension?
Training an LLM to reject optional cookies (or better yet, fuck with the telemetry) would seem highly doable nowadays.
It could easily say “browsers have to” and 8 billion people would be spared the perpetual annoyance of cookie poop up warnings.
First, I, the user, am requesting to open the website. It's not the website imposing on me. My browser, which supposedly is under my control, is what forwards all the data.
Second, there is absolutely no way to know whether the website actually does what it says based on the cookie pop up. If it's a website based outside the EU then there's no way to enforce this cookie pop up.
But if the browser handles this, then there is a way to enforce it. Of course, the downside there is that the website will then use other means to potentially collect the data, meaning that you still need the law to limit such data collection.
Knives can be used to chop vegetables or stab someone. Don't ban their sale, ban their usage.
If we are going to go down the path of mandating legal liability on software makers of a neutral communication medium, then the EU should just break the commercial web.