583 points SweetSoftPillow | 37 comments
michaelmauderer ◴[] No.45668112[source]
The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.

"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...

Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.

replies(27): >>45668188 #>>45668227 #>>45668253 #>>45668318 #>>45668333 #>>45668375 #>>45668478 #>>45668528 #>>45668587 #>>45668695 #>>45668802 #>>45668844 #>>45669149 #>>45669369 #>>45669513 #>>45669674 #>>45670524 #>>45670593 #>>45670822 #>>45670839 #>>45671739 #>>45671750 #>>45673134 #>>45673283 #>>45674480 #>>45675431 #>>45678865 #
1. itopaloglu83 ◴[] No.45668333[source]
Tracking by default is not an acceptable solution, so I would say respecting the Do-Not-Track header must be mandatory and enforced by laws and percentage of global revenue fines.
replies(2): >>45668525 #>>45668738 #
2. bradleyy ◴[] No.45668525[source]
GPC (Global Privacy Control) is the header that's actually being enforced in (parts of) the US. DNT is considered deprecated by many, due to the nonconsensual way that Microsoft rolled it out.
replies(2): >>45668986 #>>45669871 #
3. layer8 ◴[] No.45668738[source]
That wouldn’t help much in terms of annoyance, because you need the option of per-site or per-service opting-in to tracking cookies (like “remember me” checkboxes and similar functionality), and then you can’t really prevent web pages showing a banner offering that opt-in option. It wouldn’t be exactly the same as today’s cookie banners, but websites would make it similarly annoying.
replies(4): >>45668808 #>>45668888 #>>45669555 #>>45669756 #
4. wtetzner ◴[] No.45668808[source]
Unless it was a browser level permission, like asking to access the user's location.
replies(1): >>45668869 #
5. layer8 ◴[] No.45668869{3}[source]
The website has to be able to inform you about what exactly you are opting in to (like saving your shopping cart, and/or who they will be sharing the respective information with). This can’t be covered by a predefined set of options.

Browser-level permissions are about what the browser is sharing with the website, which is a different thing. For one, the browser sharing information with the website isn’t a blanket permission legally for the website to do anything with that information it likes.

replies(1): >>45668908 #
6. itopaloglu83 ◴[] No.45668888[source]
We cannot rule by law if the websites don’t want to abide by the rule of law.

The level of tracking is insane and would never happen in real life, and companies would be fined to oblivion had they tried, if not forced to close by an angry mob of people.

replies(1): >>45669093 #
7. itopaloglu83 ◴[] No.45668908{4}[source]
I’m sorry but no.

Don’t track me means don’t track me, period.

Asking if you could track me etc. regardless is against the spirit of it and simply user hostile.

replies(1): >>45668985 #
8. layer8 ◴[] No.45668985{5}[source]
So you want to make it illegal for websites to inform you about the services they offer that work with tracking cookies?

Users often want some level of tracking, like not having to log in to services they use across sites each time.

replies(3): >>45669512 #>>45669992 #>>45670273 #
9. Nextgrid ◴[] No.45668986[source]
Why is Microsoft's implementation a problem? Having the setting default to a safe value is the rational choice.

It's like saying having a secure OS/browser would deprive malware authors of revenue, and thus vulnerabilities should be preserved unless the user explicitly opts into patching them.

replies(2): >>45670649 #>>45671311 #
10. walkabout ◴[] No.45669093{3}[source]
Kinda… but between credit cards (and any cards serviced by them—debit cards aren’t safe) and widespread facial recognition with cameras everywhere in stores these days, and things like “loyalty cards” being required to just get what should be normal prices on things, we’re pretty heavily tracked in physical space now, too. People just don’t realize how much, and don’t see this stuff being sold and aggregated then re-sold.

We really need to crack down on stalking-but-automated.

replies(3): >>45669462 #>>45670240 #>>45670293 #
11. itopaloglu83 ◴[] No.45669462{4}[source]
You came up with a good term there. Maybe we should start calling it “digital stalking” instead of just “tracking”
12. itopaloglu83 ◴[] No.45669512{6}[source]
No, the essential cookies were never subject to such limitations. Even today you don’t need a banner for them.

Digital stalking under the disguise of essential functions or calling it just tracking doesn’t do any good.

Some websites even purposely break their functionality when 3rd party cookies are disabled.

So, no, do-not-track is an order, do not stalk me, period.

13. ajsnigrutin ◴[] No.45669555[source]
In my opinion, it would be best to regulate the browsers themselves... preinstalled browser on a device sold in EU? Cookies are silently stored to a temporary jar, deleted on tab/window close. One jar per domain. Then add a button by the address bar to enable the "I want this site to remember me", and it'll make the cookies from that domain 'permanent' (with an additional 'advanced' setting if you want to allow 3rd party cookies too or not).

But hey, when the regulators are lawyers who have no idea what cookies and browser are, we get consent forms on every domain visit.

replies(2): >>45670128 #>>45670322 #
14. carlosjobim ◴[] No.45669756[source]
If it's not a third party cookie, then it's not a tracking cookie. So logins and other site functionality will be perfectly fine. They're not subject to GDPR and similar laws.
replies(1): >>45670286 #
15. velcrovan ◴[] No.45669871[source]
For a new corporate website we just completed, we used GPC signals as the opt out mechanism. If your browser sends GPC, the site just opts you out of everything and loads zero tracking scripts. If it doesn't, you see a popup that explains how to turn it on if you want, or an "I understand" button.

An approach like this seems ideal to me, the problem is that it's only natively supported in Firefox. Our instructions for Chrome and Edge are basically "install Privacy Badger."

And Safari is the WORST, which as an Apple customer it pains me to say. Not only does the browser not support it, there are ZERO Safari browser extensions, NONE, on ANY platform (mac/iphone/ipad), that you can install that will send a simple GPC signal with the HTTP headers. There is a paid Safari extension on iOS called ChangeTheHeaders that you can configure to send a GPC signal, but come on, you can't ask normal people to buy an app and manually enter a specific HTTP header. (ChangeTheHeaders is made by Jeff Johnson, the same dev as StopTheMadness. I asked him whether he'd consider adding user-friendly GPC signals to that (or any other) plugin and he said it would just be "duplicating functionality" :-/ )

replies(1): >>45671204 #
16. xcf_seetan ◴[] No.45669992{6}[source]
I, as a user, don't want ANY kind of tracking. That is why I check the No Tracking options of the browser.
17. Thiez ◴[] No.45670128{3}[source]
That is a terrible proposal. The GDPR is not about cookies, it's about tracking. Websites can track you through cookies, through browser fingerprinting, through your IP address, through your login, through your local storage, and various other ways. They could probably find ways to track you by your mouse movements or how you type, if all other methods were somehow made unavailable.

That websites track you and then sell that data has nothing to do with how long your browser stores cookies. Cookies are just one of many, many ways that websites do tracking.

replies(1): >>45671192 #
18. 1718627440 ◴[] No.45670240{4}[source]
> widespread facial recognition with cameras everywhere in stores these days, and things like “loyalty cards” being required to just get what should be normal prices on things

Which is why this is also illegal in the same jurisdiction.

19. 1718627440 ◴[] No.45670273{6}[source]
> log in to services

That's functional, and doesn't need additional consent. The consent for that is given by pressing the login button.

replies(1): >>45672011 #
20. 1718627440 ◴[] No.45670286{3}[source]
The border is not first party/third party, but purpose. But yes site functionality is fine.
21. danaris ◴[] No.45670293{4}[source]
The big difference there is that unlike, say, Price Chopper, Google, Facebook, and Xitter can track not only what you do with them, but everything you do on thousands and thousands of sites across the internet, through analytics packages that send data back to them and/or the scripts loaded by their "social buttons".

If I buy baby food at Price Chopper, they might send me an email offering me discounts on diapers, but at least I (probably!) won't also get shown such ads literally everywhere I go on the web.

replies(1): >>45670575 #
22. 1718627440 ◴[] No.45670322{3}[source]
Tracking now happens with fingerprinting, focusing on cookies won't provide a benefit.

> when the regulators are lawyers who have no idea what cookies and browser are, we get consent forms on every domain visit.

In this case the regulators have considered the problem and implemented the law independent of the used technology. The software developers/companies were the clueless/malicious ones here.

23. walkabout ◴[] No.45670575{5}[source]
I’m pretty sure the loyalty-card thing has become so big because they’re selling the data.

So many things are like that now. Like Roku sticks and TVs are subsidized by selling user data. You want to make a Roku competitor that doesn’t spy? Your product will struggle to get on shelves and to stay there, in part because the price for your product will be higher even if you get just as good a price on your components as they do, because you’d have to price them at-cost to match Roku’s pricing. Meanwhile 99% of people looking at the products don’t realize that one’s cheaper than the other because it’s going to spy on them and sell the data.

replies(1): >>45674087 #
24. TheCoelacanth ◴[] No.45670649{3}[source]
Yeah, and according to most privacy laws, not tracking should be the default.
25. bschwindHN ◴[] No.45671192{4}[source]
That's true, but at least then we could rid the internet of all those shitty cookie consent banners plastered all over. Those are almost more annoying to me than some company making a fraction of a penny on selling my mouse movement history to some chump.
replies(1): >>45672033 #
26. bradleyy ◴[] No.45671204{3}[source]
It's sounding like California is going to require browser manufacturers to support the GPC signal. The privacy movement in California has a lot of political power and backing; it's pretty likely this will change in the next couple years.
replies(1): >>45671665 #
27. bradleyy ◴[] No.45671311{3}[source]
https://en.wikipedia.org/wiki/Do_Not_Track#Internet_Explorer...

This combined with governments ignoring it, and actively enforcing GPC... it's questionable whether compliance is necessary (I still suggest treating it the same as a GPC signal).

But future work and effort should be put towards the GPC signal.
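
As an added example (not part of any comment in this thread, and not velcrovan's site code): one way a server could implement the behaviour described in No.45669871, loading zero tracking scripts when the browser sends GPC, while treating DNT the same way as suggested in the comment above. `TRACKERS`, the function names and the tracker URLs are assumptions made for illustration; `Sec-GPC` and `DNT` are the real request headers.

```javascript
// Added example, constructed for illustration. All names below are hypothetical.
const TRACKERS = ['https://analytics.example/t.js', 'https://ads.example/pixel.js'];

// HTTP header names are case-insensitive, so normalize before lookup.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns 'gpc', 'dnt' or null. Only the exact value "1" counts as a signal.
function optOutSignal(headers) {
  const h = normalize(headers);
  if (h['sec-gpc'] === '1') return 'gpc';
  if (h['dnt'] === '1') return 'dnt'; // handled like GPC, per the suggestion in the thread
  return null;
}

// Build the response: no tracker tags at all when a signal is present,
// otherwise the trackers plus the notice explaining how to enable GPC.
function buildResponse(headers) {
  const signal = optOutSignal(headers);
  const optedOut = signal !== null;
  const scripts = optedOut ? [] : TRACKERS;
  const notice = '<div id="gpc-notice">How to turn on Global Privacy Control ' +
    '<button>I understand</button></div>';
  const body = [
    '<!doctype html><title>Home</title>',
    ...scripts.map((src) => `<script async src="${src}"></script>`),
    optedOut ? '' : notice,
    '<main>content</main>',
  ].filter(Boolean).join('\n');
  return {
    optedOut,
    signal,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // The page differs per signal, so shared caches must key on both headers;
      // otherwise an opted-out visitor can be served a cached page with trackers.
      'Vary': 'Sec-GPC, DNT',
      // Defence in depth: third-party scripts cannot load even if a tag slips in.
      ...(optedOut ? { 'Content-Security-Policy': "script-src 'self'" } : {}),
    },
    body,
  };
}
```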

28. velcrovan ◴[] No.45671665{4}[source]
From what I understand, their AG has said the GPC signal must be honored if sent and that it is an acceptable opt-out mechanism under the CCPA. I haven't heard anything concrete about requiring browsers to support it, but that would be a welcome development.

https://oag.ca.gov/privacy/ccpa/gpc

replies(1): >>45674818 #
29. pasc1878 ◴[] No.45672011{7}[source]
What about a grocery shop?

You can login and buy things. But how do you choose whether the shop can keep track of what you have bought to suggest rebuying or for you to keep a shopping list? Requesting those is more than login.

replies(1): >>45674775 #
30. pasc1878 ◴[] No.45672033{5}[source]
And that is a different view - I prefer the privacy and no tracking unless I give explicit permissions.
replies(1): >>45675489 #
31. danaris ◴[] No.45674087{6}[source]
> Meanwhile 99% of people looking at the products don’t realize that one’s cheaper than the other because it’s going to spy on them and sell the data.

And this, plus the fact that it's so abstract and opaque what the negative consequences of that spying are, is a huge part of the problem with all of it.

We need better regulations on this, but sadly, even before the recent fascist takeover, the regulators have been largely asleep at the wheel for decades.

32. 1718627440 ◴[] No.45674775{8}[source]
The shopping list to display the shopping list is fine, using the shopping list for analytics is not.

> track of what you have bought to suggest rebuying

You know what you sold, no need to track user behaviour.

33. bradleyy ◴[] No.45674818{5}[source]

    California's "Opt Me Out Act" (AB 566) requires that by January 1, 2027, internet browsers must provide a built-in, easy-to-use setting that allows users to send an opt-out preference signal, such as Global Privacy Control.
(copied from a search, but wanted to let you know)
34. icedchai ◴[] No.45675489{6}[source]
You should ask if true privacy is really possible. Cookies are just the tip of the iceberg. Between IP addresses, browser fingerprinting, unique URLs, and the existence of third parties that correlate information across web sites (mainly ad networks) I'm confident it isn't.
replies(2): >>45678665 #>>45680549 #
35. pasc1878 ◴[] No.45678665{7}[source]
Well then the tracker is breaking the GDPR keeping personal identifiable information.

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...

Yes, US sites will be doing that.

replies(1): >>45681341 #
36. Thiez ◴[] No.45680549{7}[source]
True privacy is not possible if websites truly want to track you. The point of the GDPR is ensuring that legitimate companies operating in the EU will refrain from doing so without consent, because it's against the law and the punishments can be pretty severe. Sadly enforcement has room for improvement.
37. icedchai ◴[] No.45681341{8}[source]
Some US sites may bother, many won't. At a small startup, whenever this was discussed, it was decided we had better things to focus on since we had no paying EU customers.