Internet's biggest annoyance: Cookie laws should target browsers, not websites

No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.

Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.

The sites are just trying to maximize profit, as anyone could predict. So write better laws.

> The problem here is not the law

Of course. The law is clear, the intent is clear and the guidelines are clear.

I think the biggest challenge (and the reason why it feels this is everywhere) is because of the handful of "big corporations" controlling the browsers. Neither Apple nor Google have any interest in making tracking opt-in or working to make this into a standard.

In my view, the situation will be greatly improved with policy like the DMA being amplified even further to prevent cartel-like reactions from the FAANGs (whatever the acronym is today). We have a deep "culture difference" with the US, where everyone expects everything to be spelled out for them in the law so they can sue each other into oblivion, but the reality is this doesn't work. We need to reduce the influence of bigger players and install guardrails so it will never be possible again for a single company to have such dramatic influence over the world.

Imagine how many of these consent prompts can be removed if it wasn't for the fact that even loading a Google Font exposes one to a few hundred "partners"?

Tracking by default is not an acceptable solution, so I would say respecting the Do-Not-Track header must be mandatory and enforced by laws and percentage of global revenue fines.

The problem here is the problem everywhere; we still as a world have no remotely effective way to actually punish companies-as-bad-actors on the internet or in tech generally.

None of any technical ANYTHING matters until we (meaning law and government) inflict truly meaningful consequences. Fines, breaking up companies, perhaps even jail time, etc.

I would blame ad providers more than individual website owners. From my experience, ad providers have made it very difficult to serve their ads unless you use an ad-supported cookie consent manager. I tried to write my own simple cookie consent form and gave up after realising how obscenely complicated TCF is. And since most ad-compatible cookie consent banners are provided by the ad companies themselves, you kinda just get stuck with bad options. I even tried to pay for a commercial cookie consent manager but it wasn’t supported by my ad provider.

If I had more time I probably could have figured it out. But unfortunately I’m just running a hobby project and do not have weeks to spend on this. The revenue from the ads is what pays for hosting. I imagine lots of websites are in a similar boat.

I would love if there was a simpler option that could respect people’s privacy more, be less annoying, and that would still allow websites like mine to survive by running ads. Targeting browsers instead of websites could have been that option.

The Global Privacy Control (GPC) is the header that actually has enforcement behind it in the US, and there are already companies getting fined. California has partnered with several other states to broaden enforcement.

Would love something better than GPC, but in the interim, the EU should start considering it as a proper signal of (lack of) consent, obviating the need for a banner altogether.

Important not to confuse the actual result vs. the hoped-for result.

You HOPED that websites' top priority is to provide the best possible experience. The REALITY is that not getting sued is way more important than removing all possible user inconveniences.

For that matter, companies should be banned from referring to selling off your data to random spam companies as "sharing with partners." Partners comes with an implication of being somewhat equal or at least on trusting terms. The companies selling our data don't trust these companies. They probably don't even know their names.

If the data is being sold, it should be legally required to word it in that way. If there's even the slightest possibility of your data being leaked to spammers, it should be worded to reflect that.

"Do you consent to us selling your data to any party that wishes to buy your data? Do you consent to the possibility that your data will be used to spam you or steal your identity in the future? Yes/No"

The same could be said with all advertising and surveillance.

No one wants to be advertised to, but powerful lobbies argue that ending ads will lower consumption and thus harm the economy; and no politician wants to lower GDP.

No one wants to be spied on, but powerful lobbies argue tracking people allow better security; and no politician wants to be soft on crime and terrorism.

This law was supposed to give me control of my data. If I have control of my data, why can't I use it to pay the owner of the website?

> Or just ban this kind of data collection

It is banned.

Unless I give me explicit permission otherwise (though as you say, why anybody would is beyond me, but then "there's nowt as queer as folk")

Yes, of course, the reason is pretty simple - someone would willingly accept that to access ad-surveilance-financed content!

Guess what, those banners are still up because it's pretty hard to actually bring the banhammer. At best you have too small team working with huge backlog

Some websites, mostly news outlets, can legally withhold access completely, and do, unless you accept all cookies or pay for membership.

If my 'data' is a no logs vpn address with a privacy hardened browser running in a VM on an isolated VLAN with encrypted DNS then why wouldn't I just laugh and click accept cookies in a sandboxed tab (so said cookies only exist for that tab and are cleared when it is closed.

What youre saying most users dont have this level of privacy by default? Why not?

On this note, this is a good reminder that if you don’t collect information in this way, your website is under no obligation to provide a cookie banner.

Any website that uses a cookie banner is going above and beyond what they need to do to run a functional website in order to track you.

It was implemented in browsers and ignored by sites. Chrome help says:

Turn "Do Not Track" on or off

When you browse the web on computers or Android devices, you can send a request to websites not to collect or track your browsing data. It's turned off by default.

However, what happens to your data depends on how a website responds to the request. Many websites will still collect and use your browsing data to improve security, provide content, services, ads and recommendations on their websites, and generate reporting statistics.

Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. Chrome doesn't provide details of which websites and web services respect Do Not Track requests and how websites interpret them.[1]

About the best we have browser side is a mode where all cookies are cleared at browser exit.

[1] https://support.google.com/chrome/answer/2790761

Correct. Age verification and privacy consents belong on the browser. The issue is that on the browser, things work a bit too well (remember https://en.wikipedia.org/wiki/P3P ?), so the big players are incentivized to ignore completely the browser-based mechanisms and say/do nothing whenever they see lawmakers going on a dumb direction (risking fines is a reasonable price to pay in order to kill adoption of an actual browser/OS based control that would cause a dent to their tracking operations) that puts the onus on individual website operators.

Fun fact - if you handle DNT properly, you don't need to show the consent screen... because you're not doing anything requiring said consent.

At this point browsers should become publicly owned. Theres zero benefit in private ownership. Its a utility and nows the time to accept that.

> Inserting the government into that doesn't make sense.

On what basis? What difference is there between regulating website code and browser code? How a website functions and how a browser functions?

Except that the provider of the most popular browser is also an advertising agency. A conflict there, surely?

Legally compel websites to respect the DNT header. Bam, done. This is a simple problem, and should be solved in a simple way.

Right, the it would be legally required have to have "third-party" vs "strictly necessary" tags on the cookie itself, which someone could challenge if they were inaccurate (in the same way that the GDPR can in theory be enforced now). Then the browser could simply do what the user wanted with the tags. This could even be a status item in the URL bar, similar to the HTTP / HTTPS icon, that would allow you to enable or disable tracking on a per-site basis (if you didn't want a global policy).

Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.

DNT already had legal weight in the EU. I don't see what problem is being solved by sending a slightly-renamed version of DNT instead, other than the weird privacy law a few American states have implemented that says "if the browser sends the signal by default it's not a legal signal and you should therefore ignore it" (which will probably be updated to neuter GPC if that ever gets any serious attention, the las were clearly written to give trackers the advantage).

+1 to this, Firefox has been pushing this for a while but my understanding is really the legal side

But unfortunately they won't. This will not happen. They ultimately shift to fingerprinting our browsers instead of using Cookies but they will keep on tracking...

Another weird idea: make this kind of tracking illegal. Why would anyone willingly agree to be tracked?

And companies could just -- each give me $10,000. Then I wouldn't need to work.

But companies generally do whatever is in their best interest. I don't know why anyone would expect them to do otherwise with regards to tracking.

Please ask the EU to lead by example then. The official EU commission website has a cookie banner (https://commission.europa.eu/index_fr)

So either: The EU commission is including trackers on their websites. And they should stop OR they acknowledge that it's almost impossible to build a website without some form of tracking that falls under the law, and they should look into the law itself.

So they have work on their plate.

The problem with making it a law is tracking is in the eye of the beholder, so site owners are heavily incentivized to err on the side of caution and put up the box just in case.

Wasnt this a benefit of the semantic web we were pushing for? Standardized tags exactly for stuff like this? Just another example of the mess that web dev is - trying to coerce a markup language into a fully fledged programming language.

OP has a nice idea but hes short on technical details, which in this case is where the devil resides.

I wanted to ask something like this, but I think you framed it better.

I am convinced these laws have just made my life and the Internet marginally worse, with no measurable positive impact.

What do you mean by achieve?

Do sites stop tracking you if you reject the cookies?

Some do, some don’t.

Is the goal still valid.

Yes.

If your asking if the GDPR is effective, yes, it is.

The only ones ignoring it completely are either dodgy companies, or the clueless. The companies exercising malicious compliance are now (quite rightly) increasingly seen as dodgy and need to up their game if they want to become respectable.

The days of not protecting user data are over.