There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.
Trying to regulate the option for cookie preferences at the individual site level was always a stupid idea. The average person visits thousands of websites every year. Of course nobody is going to take the time to do that.
If the lawmakers in the EU were intelligent, they would have created a law that forced all web browsers to provide "X" privacy setting features for EU-domiciled users (where X is what they were aiming to achieve).
In addition to not burdening the entire world with time wasting popups all day, this option would have also had the bonus of not burdening millions of small businesses around the globe with complex regulation and legal liability.
Not to mention the total lack of enforceability of the current law when it comes to websites operated outside of the EU.
If done at the browser-level you really only have to police <10 companies.
I totally agree that this should be a browser setting.
However it’s not only about cookies: What we abusively call the cookie law and cookie popups are about tracking, and there are many ways to track you without cookies, some of which are not easily blocked by browsers.
Ideally the browsers would indicate the user’s preference via a header (e.g. the DNT header) and websites would be constrained by law to obey that.
Sites could provide a cookies-manifest.json with the entities they provide data to. Then the browser could show a standardized cookie banner, if needed. The user could also disable the cookie banner completely, if they so desire.
> There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.
This. I've always had 3rd party cookies disabled at the browser level, and never noticed any website breaking. The "solution" by the EU has been terrible, and everyone just clicks "accept all".
If bureaucrats helping create these laws were less out of touch. I think they are reasonably intelligent, they just don't know anything about technology. The criteria for selecting them is outdated.
I've worked as a consultant for the EU Parliament and they are a lot more knowledgeable than you think, and for things they are not, they hire consultants (like me).
There are a number of people directly elected in EU Parliament that have a background in technology. I personally know a couple of computer scientists, with lots of publications in their curricula.
Problem is the law cannot be written the way you are arguing about, that could be in the form of a directive not as a regulation[1], the regulation must be general enough and cannot address issues that have different legal bindings in the 24 EU countries.
[1] A "Regulation" is defined as a binding legislative act. It is immediately applicable in its entirety in all Member States and it overrules national laws. A "Directive" is a legislative act setting objectives that all EU countries must reach and translate into their national legislation within a defined time frame.
So if the law couldn't be written in a rational way without creating bizarre outcomes, then why create it at all?
When you create legislation, you're implicitly saying: "these rules we're writing down are important enough to enforce with the full monopoly on violence given the powers of government." The cookie popups seem extremely silly in that context.
I don't doubt you've run across some well-intentioned people. But as the saying goes, the road to hell is paved with good intentions.
Seeing a structurally dysfunctional system from the inside, and being able to empathize with the individuals in it, does not make the design of the system any less dysfunctional.
Cookie popups are bad, but they're pretty similar to a no smoking or no parking sign. In this case, it's the reverse. The whole internet bans cookies, but it informs you that you're entering a cookie zone.
These companies may think they're protesting the cookie law with popups but it's achieved what I expected it to achieve. It's given me fair warning that the site intends to track and monetize me, so I can walk away if I don't think it's worth it. And it adds a higher cost to it too.
> So if the law couldn't be written in a rational way without creating bizarre outcomes, then why create it at all?
Nobody said that, I don't know why you're saying it, because it also makes no sense.
Do you also believe that we shouldn't have made murder illegal because murderers still exist?
There are always gonna be bizarre outcomes, pop-ups only speak about how lousy advertisers and tracking freaks are, but there have been certainly more bizarre outcomes, think about people refusing vaccines...
Compared to that pop-ups are just an annoyance that we can avoid by punishing the perpetrators directly not visiting their websites.
> But as the saying goes, the road to hell is paved with good intentions
It's all simple, until you have to convince hundreds of politicians to agree on a law that's gonna be enforced on 450 million people from 27 different countries, with 27 different legal systems.
Especially because many people that consider themselves tech savvy are more out of touch, e.g., thinking the privacy aspects could be solved through local cookie policies only, or that it would be a suitable solution to solve even just the cookie aspect in a nuanced, non-techie friendly manner.
Cookie consent should be the responsibility of user-agent cookie policy. And virtually all of the consent banners I've seen are about cookies. And I certainly think it has a better shot of being comprehensible by users in general than having a separate UI for consent for every site. Especially when it's in those sites' interest to confuse or annoy users into allowing the cookies.
In this thread I had the impression that the discussion widened to more than just cookie-banners, more general privacy on the web.
One of the problems I have with the pure-local approach is that I want certain cookies (or certain cookie functionality) of sites but not others. Some functionality I want and some I don't want can be implemented with the same cookie.
I think I would need tagged cookies (so I can disallow those that are used for things I don't want) as well as an assurance to not use the other cookies in the "wrong" ways.
That's why I think purely local cookie management is severely lacking and not suitable to tackle the problem in a user-friendly and nuanced manner - beyond an all-or-nothing approach.
I personally do not think a browser level approach can enforce the privacy goals without cooperation of (and therefore enforcement against the companies providing) the serverside implementation.
That, of course, does not mean that a browser level setting that has to be honored by the server side and can be transferred between sites would not be preferable to clicklists and banners.
> There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it
GDPR is not only about browsers, it applies outside our web dev bubble.
Then if the law was only about cookies some "smart" webdev would use localStorage, if then we add localStorage then some other dev (probably working on Google Chrome) would create something new... so maybe those EU politicians and consultants are a bit smarter than you (no offense, maybe you are a smart person but either you are having the wrong perspective or you did not really think more than 5 seconds about the problem).
I know that, my point is still relevant because it was related to:
> There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.
This is really not a solution, browsers already had a black and white option to allow cookies or not, or allow JS or not. The proposed idea is to give only 1 place where you can accept or not accept tracking, then you want to really read a website or your work/bank forces you to read a page and you have no choice but to allow cookies for everything and accept all possible tracking because some HN web dev thinks they are much smarter than a group of consultants, lawyers and privacy advocates.
If tracking is legal then Allow/Disallow tracking should be per website and there should always be 100% transparency on what is tracked and who it is shared with. Tech people could create browser APIs, for example, you could have an in-browser cookie popup where web devs could populate the text message about "We care about privacy", and an array that web devs can populate with the names, links and terms of use for the 100+ partners. Then all websites will share the same native popup, and implement it correctly with no dark patterns, and there could be a 3-line extension to click allow or not allow for people that really want to accept or not accept. But these browser APIs won't happen because Google controls the web, Mozilla is on its last breath and Safari is still screwing around with missing JS and WebGL features and other bullshit.
Edit:
Also a simple law as proposed with "make cookies a setting for all websites per browser" is not good since you can use localStorage, fingerprinting or other tricks to go around the law, so the proposed idea is bad.
The question is how would you regulate browsers? I would personally hate any regulation that government would try to do for software, because we know that the next thing they would do is ban encryption. No browser/IETF member would voluntarily do this for sure, not even Firefox.
Firefox, Safari, etc. already have pretty advanced anti-tracking and privacy features in place.
If you care about that sort of thing, you use those browsers and automatically make all cookie popups irrelevant. After that they simply turn into pure annoyances.
And no regulation was needed at all, since the free market has already satisfied those customer wants and found the optimal solution for all parties.
Legislation should be the absolute last resort to a problem that has proved otherwise unsolvable. This was not one of those problems.
I agree with what you said, but I was wondering about a little detail you mentioned:
> The average person visits thousands of websites every year.
Is this true? Is there any data that would back this? A commonly used argument comes to my mind, that for most internet users the internet is about a handful of sites...
In Finland, the law implementing the GDPR used to be interpreted so that browser settings were enough to opt out of cookies and you just had to inform the user about what cookies you were setting. This interpretation was suggested by Traficom (the government office in charge of traffic and telecommunications). Some individual complained to the Helsinki Administrative Court, which issued rulings (H1515/2021 and H1516/2021) stating that this interpretation is incorrect - as far as I understand, this is because browser settings cannot differentiate between necessary and optional cookies. The new Traficom advice requires the same annoying pop-ups as everywhere else in the EU.
But I agree it shouldn't technically be too hard to standardize the settings so that your browser could communicate to each site what the user consents to. The hard part is enforcing compliance - we already had Do Not Track, which had very little effect.