    582 points SweetSoftPillow | 16 comments
    1. moooo99 ◴[] No.45668075[source]
    I disagree that this should be in the scope of a browser.

    Cookie banners are called cookie banners because they're most frequently associated with the opt in for tracking cookies, but this kind of opt in is required for any kind of third party involvement that goes beyond technical necessity.

    Your browser has no way to tell what third party present on the site is a technical necessity and which one isn't. So you'd have to tell it - making it part of the site provider's problem as well. But this time it's worse, because responsibilities are mixed between the site operator and the third party.

    replies(3): >>45668142 #>>45668223 #>>45670402 #
    2. ryukoposting ◴[] No.45668142[source]
    Legally compel websites to respect the DNT header. Bam, done. This is a simple problem, and should be solved in a simple way.
    replies(4): >>45668225 #>>45668425 #>>45668564 #>>45668604 #
    3. gwd ◴[] No.45668223[source]
    Right, then it would be legally required to have "third-party" vs "strictly necessary" tags on the cookie itself, which someone could challenge if they were inaccurate (in the same way that the GDPR can in theory be enforced now). Then the browser could simply do what the user wanted with the tags. This could even be a status item in the URL bar, similar to the HTTP / HTTPS icon, that would allow you to enable or disable tracking on a per-site basis (if you didn't want a global policy).

    Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.

    replies(1): >>45668484 #
    4. PlotCitizen ◴[] No.45668225[source]
    This is the best suggestion here with the least friction in my opinion
    5. jeroenhd ◴[] No.45668425[source]
    DNT doesn't solve all problems, though. Not only is DNT being deprecated, it also lacks the proper customisability the law actually prescribes for data processing.

    There's no value you can give DNT that says "you can do your own on-site tracking and telemetry and I accept sharing my data with Sendgrid for your newsletter, but I do not want third-party trackers".

    As a practical example: there are news sites that will not play videos if you hit "deny all" because their video host does some viewership analytics. I'm fine with that, but not the 750 other advertisers the news site tries to have me track.

    Of course, "deny all" should be an option, "accept all or deny all" isn't control.

    For the longest time we had https://en.wikipedia.org/wiki/P3P as a basis to build on, but that officially died the day Edge became Chromium-based.

    replies(1): >>45670662 #
    6. jeroenhd ◴[] No.45668484[source]
    > Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged

    While enforcement is effectively nil, they already need to do that according to the actual EU "cookie law" (ePrivacy Directive rather than GDPR). If you set cookies, you have to explain to the user what they're there for.

    Hilariously, many websites have no idea what the cookies their trackers set are for, and I've caught a bunch of them use language like "seemingly" and "apparently" when describing what purposes cookies actually serve.

    If only browsers gave P3P[1] the attention it deserved. The protocol isn't exactly perfect and the unmistakable footprint of early 2000s XML obsession is there, but it could've prevented cookie banners from ever being accepted if only browsers had designed proper UI around an updated version of the protocol.

    [1] https://www.w3.org/TR/P3P11

    7. bradleyy ◴[] No.45668564[source]
    Companies ARE legally compelled to comply with the GPC header.
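The gap between a one-bit DNT/GPC signal and per-purpose consent raised in the comments above, as an added example that is not any commenter's code: a server-side filter that decides which purpose-tagged cookies may be set. The cookie names, purpose tags, consent object and the veto policy are assumptions made for illustration; `DNT` and `Sec-GPC` are the request headers sent by browsers for Do Not Track and Global Privacy Control.

```javascript
// Added example. Cookie names, purpose tags and the consent object are constructed.
const ALWAYS_ALLOWED = "strictly-necessary";

// Header names are case-insensitive; normalise before lookup.
function headerValue(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) return String(v).trim();
  }
  return undefined;
}

// DNT and Sec-GPC each carry a single bit: "1" means the user opts out.
// Neither can say "first-party analytics yes, third-party trackers no".
function hasOptOutSignal(headers) {
  return headerValue(headers, "dnt") === "1" ||
         headerValue(headers, "sec-gpc") === "1";
}

// Assumed policy: untagged or unknown purposes are denied, consent is opt-in
// per purpose, and an opt-out signal vetoes third-party tracking outright,
// even if a banner click stored consent for it earlier.
function isAllowed(purpose, headers, consent) {
  if (purpose === ALWAYS_ALLOWED) return true;
  if (purpose === "third-party-tracking" && hasOptOutSignal(headers)) return false;
  return consent[purpose] === true;
}

// Returns the Set-Cookie header values the response is permitted to carry.
function cookiesToSet(cookies, headers, consent = {}) {
  return cookies
    .filter((c) => isAllowed(c.purpose, headers, consent))
    .map((c) => `${c.name}=${c.value}; Path=/; Secure; SameSite=Lax`);
}

// Constructed sample data.
const SAMPLE_COOKIES = [
  { name: "session", value: "abc", purpose: "strictly-necessary" },
  { name: "site_stats", value: "1", purpose: "first-party-analytics" },
  { name: "adnet_id", value: "xyz", purpose: "third-party-tracking" },
  { name: "mystery", value: "0" }, // no purpose tag: denied by default
];
```

The granular choice lives in the stored `consent` object, which is exactly the part a header alone cannot carry.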
    8. noirscape ◴[] No.45668604[source]
    It's already seen as a valid opt-out signal against this sort of thing in Germany. LinkedIn got in trouble and lost a court case for not respecting the DNT header if memory serves me right.
    9. Rygian ◴[] No.45670402[source]
    You are exactly correct.

    A web browser is technically incapable, by design, of knowing whether any piece of a website (1) is there for the purpose of having the website actually work, or for the purpose of tagging and tracking the end user. Only the website owner chooses those purposes, and only the website owner is in a position to determine (or maliciously hide) which technologies are being used for which tracking or technical purposes.

    (1) Cookie laws apply to: Cookies, gif pixels, JS fingerprints, and any other technical means that can be technically exploited to track an individual

    replies(1): >>45678117 #
    10. AlexandrB ◴[] No.45670662{3}[source]
    > you can do your own on-site tracking and telemetry and I accept sharing my data with Sendgrid for your newsletter, but I do not want third-party trackers

    I'm sorry, but does a user who would want this actually exist? This seems like a hypothetical dreamed up by the marketing team to avoid having to accept that a large group of users hate all their tracking shit.

    replies(3): >>45670818 #>>45671348 #>>45675919 #
    11. jabroni_salad ◴[] No.45670818{4}[source]
    At my first job I took phone calls for an insurance carrier and agents definitely didn't like finding out that all the unhandled exception screens the rater had simply disappeared into the abyss.
    replies(1): >>45673863 #
    12. SpicyLemonZest ◴[] No.45671348{4}[source]
    Yes, it's quite common for users to want this. I think a lot of people don't realize functionality like "remember I want dark mode every time I visit" or "keep me logged in when I reopen my browser tomorrow" constitutes first-party tracking and requires consent under EU law.
    replies(1): >>45678262 #
    13. mrguyorama ◴[] No.45673863{5}[source]
    Microsoft solved this decades ago.

    You download a specific tool which only has the purpose of collecting your local error reports and sending them to Microsoft. Later on that tool became just a button in your control panel that submitted all your local errors and told you if those errors had an already developed solution.

    That's how they did all their error telemetry until like late XP era, and it worked just fine.

    All the people insisting that they *need* this telemetry is also horse shit. Companies are demonstrably not producing better and more bug fixed software, and demonstrably are not using that data to make serious improvements, but demonstrably ARE using that data to choose where to focus dark pattern and other sales funnel based efforts.

    If Unity and Unreal and GPU drivers can ask me "Do you want to send this error report" with a default no, nobody else has any excuse.

    Even now, a significant amount of companies use the system of "Please upload your error log and the output of this command to this forum" as their bug report solution and it works just fine if that company actually intends to fix bugs.

    The solution is not to turn your software into spyware. Stop being entitled. You don't have a right for me to QA your software for you, that's your job. Even with all this telemetry, companies only fix the most common and most obvious bugs anyway, so the perfect telemetry is utterly useless. Those bugs would have surfaced anyway.

    Developers in the 80s did not need telemetry to get bug reports and fix things and release patches. Learn some history of your profession people.

    Has throwing a hundred thousand bugs onto your sprint backlog actually helped anyone develop better software? No. Meanwhile it has exposed all your customers and users to predatory bullshit from your marketing and sales departments, and enabled your worst product managers to optimize hostility and extraction.

    14. freehorse ◴[] No.45675919{4}[source]
    I do not want my data sent to data brokers or used for advertising. I have less of an issue if my data is used to improve a service I use and only for this, as long as I value/trust the service. The problem is that many websites really want to sell your data to third parties and/or use it for advertising, that often it feels safer to just refuse any consent.
    15. janalsncm ◴[] No.45678117[source]
    No one is expecting browsers to identify the purposes of cookies. Websites would still need to register cookies as either technically necessary or not. That part stays the same.

    As far as malicious/non-compliant websites go, cookie banners don’t make that issue better or worse. They can lie just as easily with a banner. In fact this implementation makes it easier as no one needs to build those ugly banners anymore. (Devastating for the pop up industry though.)

    16. Zerot ◴[] No.45678262{5}[source]
    Sorry, but no. Those functionalities fall under "functional cookies" and as such do not require consent. Also, there is no tracking needed for the dark mode at all. And "logging in" does not mean "tracking"