Analysis of economic and productivity losses caused by cookie banners in Europe

Why should websites even be trusted with implementing these banners in the first place? Browser vendors should be responsible for implementing these controls per-origin. Give a little banner pop-up built into Chrome, Firefox, Safari, and the rest. Have it display every time a new site sets a cookie for the first time. Or have it reject every cookie by default, unless I whitelist a site. This would result in a consistent user-experience across the board, and I'd actually be able to trust that I'm not being tracked.

Instead, we are trusting the very websites we are blaming on tracking us in the most decietful, malicious ways possible to self-regulate and implement these controls. So now every website gets a shitty banner - on top of all the other annoying in-page banners and popups which are a staple of 2020s web design - that asks us if we want cookies. All these banners look different, are positioned differently on the page, appear at different times after the page is loaded, and function differently. So there's no consistency. And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies." How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?

So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industury does, except its worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.

So again, why isn't this the responsibility of browser vendors? Am I taking crazy pills? Am I going insane or is the world going insane?

/rant

> So again, why isn't this the responsibility of browser vendors?

It should be, but then legislators don't get to brag about having Done Something and enforcers don't get to brag about punishing Bad People.

>Am I going insane or is the world going insane?

You haven't been reading the news lately, have you?

> You haven't been reading the news lately, have you?

If you're referring to the US elections, then you might be interested in the fact that not everyone on HN is from US, and not everyone cares.

Essentially because the people drafting the laws are ignorant about technology, and have a kind of weird snobbery towards it. They like the shiny, but don't try and engage them in a conversation about what actually makes it tick.

Knowing and caring how the plumbing actually works marks you out as a plumber, and sophisticated people don't concern themselves with those kind of details.

(Also various corruptions in the drafting process itself, of the sort which tend to arise when you have a mega-nation with competing interests and power blocs, but in this case it's mostly just ignorance.)

You think the wars in Ukraine or the middle east only affect Americans?

You think the change of administration in the US isn't going to affect the global economy?

> Why should websites even be trusted with implementing these banners in the first place?

Because these "banners" are not just about cookies but about data processing and storage. Cookies are just the most obvious and immediate aspect because they're browser-facing and thus consent needs to be obtained early on. But there's nothing special about cookies when it comes to the need to obtain consent (even the ePrivacy directive which singles them out only does so to explain what information needs to be disclosed in order for consent to be possible).

> Instead, we are trusting the very websites we are blaming on tracking us in the most decietful, malicious ways possible to self-regulate and implement these controls.

Yes. Because they break the law if they don't comply or try to trick you to "opt in".

> So there's no consistency.

Yes. Most consent dialogs are breaking the law by being intentionally non-compliant to mislead visitors into opting in. The ePrivacy directive makes it pretty clear what a compliant dialog would look like. For example if you have a big "accept all" CTA you need to have an equally prominent "reject all and proceed" CTA.

> And 90% of the time you can't disable all the cookies anyway, because there's that little grayed out toggle control for "strictly necessary cookies."

If they're strictly necessary, they are required for the site to function. Disabling them would make the site not work.

> How do I know one of those cookies you consider "strictly-necessary" or "crucial for site functionality" doesn't connect back to some evil tracking algorithm, the blocking of which was the whole point of this banner debacle in the first place?

Because that would break the law.

> So we have essentially asked websites to self-regulate the way the US's vitamin/supplement industury does, except its worse because I don't have to click a fucking banner before I take a capsule of what may or may not be vitamin C.

No, we have created a law they have to follow and which they can be fined for violating. We have also established privacy and the right to your personal data as a universal right because everything else in the GDPR and ePrivacy directive follows downhill from that.

They're not self-regulating, they're regulated. This is literally how regulation works: they have to follow the law or they risk a fine. The problem right now is some DPAs dragging their heels, most being underfunded and foreign companies getting special "One Stop Shop" deals where a ridiculously corrupt DPA (hello Ireland) gets to be the single DPA in charge of handling complaints about them.

The law isn't about cookies - it's about obtaining consent to process personal data.

You need to ask permission to track people and to do other things with their personal data.

Cookies are one method to do that, but any other method (like local storage or storing session state in a URL parameter) also counts.

Hence, it is not possible to have a system where a browser can tell a site what kinds of processing the user thinks are OK, as it would be too complicated.

Couldn't agree more. A browser used to be known as a User Agent [1], but most browsers no longer act in the user's best interest, but rather pander to adtech enablers. It is a sad state of affairs.

[1] Shameless plug to my rant on the subject https://blog.melnib.one/2024/05/19/death-of-the-user-agent/

You Americans are the last people who will be affected by whatever will happen to Ukraine. Even if Putin will punch through the whole EU up to Spain, you are still safe behind the great ocean, don't worry. Well, maybe he'll take Alaska. ;P

Doesn't the Global Privacy Control header/property solve for this?

There is plenty going on in global news apart from US elections to be concerned about. Even apart from the wars, I think we've been acting insane for a few decades at least w.r.t. emissions and pollution. One person has intelligence, many, not so much.

I realize there are indeed strictly necessary cookies for site functionality. Sites need to store state information, login data, information about what's in your cart, etc. I should be able to make that choice on a site by site basis - to decide if my relationship with a website is deep enough to be worthy of allowing it to store data on my computer beyond the contents of the page itself. I know whether I'm going to be logging into a site or not. I know whether I feel like making yet another user account or not. I know whether I want to actually consider buying something or not. And if I don't know for sure, I should have the option to allow cookies, and then to quickly revert that decision. And user interfaces can be built within the browser to make this level of control more accessible and understandable to the average person without being obtrusive or overly complex.

In my opinion, the web needs to be less reliant on cookies and state data, and websites should be adaptable to situations where they cannot store or access it. Websites can easily provide UI feedback for this issue. For instance, a store website unable to save a cookie can place a banner at the top saying something like "please enable cookies for this website in order to use the shopping cart." And then it's up to browser vendors to provide a simple, consistent, intuitive user interface for enabling cookies - such a UI should minimize the amount of instructional info a site's banner will need to contain in the first place.

The web really needs to be built around opting into site functionality on a site by site basis. It's been the opposite of this for a long time now and we've ended up where we are today... There are many reasons site operators will hate this, from legitimate concerns about usability or accessiblity, to business concerns about users not wanting to take the minimum amount of time to change a setting to add items to a cart resulting in reduced sales, or even malicious concerns about not being able to track users under a magnifying glass. As pissed off as these site owners will be, it's a change browser vendors can make without needing their permission the same way Apple added app-tracking-transparency controls much to the chagrin of companies like Facebook.

And yes, users will find one reason or another to complain about this, despite the fact that it will be optional. "It's like Vista's UAC prompts all over again!" "I shouldn't have to do extra work to add stuff to my cart!" etc. That's great that they don't care about being tracked and if they want to be the cattle of data mining companies that's fine. But there are plenty of people who, given the choice, will prefer the alternative, and over time sites will adapt. If sites purposefully punish people for not enabling cookies, and websites are interested in pissing off thier users, well there's always the option to close that site and use another... in any case I'd rather deal with that kind of fight then the situation we have now.