←back to thread

Internet's biggest annoyance: Cookie laws should target browsers, not websites

(nednex.com)
583 points SweetSoftPillow | 7 comments | 22 Oct 25 12:12 UTC | HN request time: 0.002s | source | bottom
Show context
michaelmauderer ◴[22 Oct 25 12:36 UTC] No.45668112[source]
The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.

"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...

Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.

replies(27): >>45668188 #>>45668227 #>>45668253 #>>45668318 #>>45668333 #>>45668375 #>>45668478 #>>45668528 #>>45668587 #>>45668695 #>>45668802 #>>45668844 #>>45669149 #>>45669369 #>>45669513 #>>45669674 #>>45670524 #>>45670593 #>>45670822 #>>45670839 #>>45671739 #>>45671750 #>>45673134 #>>45673283 #>>45674480 #>>45675431 #>>45678865 #
1. whywhywhywhy ◴[22 Oct 25 12:58 UTC] No.45668375[source]
The problem is exactly the law then because it was written so incompetently that it left the loopholes to allow websites to try and trick accepting.

Should have been written in the law that it’s a one toggle in browser settings.

If government is going to impose on the internet the least they could do is be competent in what they impose. Not writing laws that waste lifetimes in collective hours a day as every person in Europe deals with multiple of these dialogs a day and thousands a year.

replies(2): >>45668441 #>>45668445 #
2. dns_snek ◴[22 Oct 25 13:02 UTC] No.45668441[source]
> it left the loopholes to allow websites to try and trick accepting.

It did not. These practices are illegal under the GDPR, the problem is a chronic lack of enforcement by most national enforcement agencies in all but the most severe cases.

Some are just ineffective but others have gone completely rogue. Swedish Data Protection Authority (DPA) for example takes the position that commercial data brokers like Mrkoll are allowed to publish and sell people's personal information (including your current home address, hello stalkers!) [1] and that this is somehow protected under the pretense of "journalism" [2].

[1] https://mrkoll.se/resultat?n=Otto&c=&min=16&max=120&sex=a&c_...

[2] https://noyb.eu/en/swedish-data-brokers-claim-journalists-le...

replies(1): >>45672625 #
3. GJim ◴[22 Oct 25 13:02 UTC] No.45668445[source]
> Should have been written in the law that it’s a one toggle in browser settings.

No!

For crying out loud..... The law says if you want to track me (advertisers take a bow) then in each case, you must have my explicit opt-in permission to do so. And so you should!

Having a browser toggle setting isn't explicit opt-in consent.

replies(2): >>45668692 #>>45668781 #
4. pverheggen ◴[22 Oct 25 13:19 UTC] No.45668692[source]
Maybe not a single browser toggle, but it really should be handled at the browser level. There are browser APIs for opt-ins like your current location, using the camera and microphone - why not one for tracking consent?
replies(1): >>45668963 #
5. wtetzner ◴[22 Oct 25 13:24 UTC] No.45668781[source]
Ideally opt-in would be explicit, but a browser toggle could bypass even showing the opt-in button if the Do-Not-Track header is sent.
6. Nextgrid ◴[22 Oct 25 13:37 UTC] No.45668963{3}[source]
There was Do-Not-Track which is a header that could be set at the browser level: https://en.wikipedia.org/wiki/Do_not_track

And way before that (before spyware became common on the web) there was P3P: https://en.wikipedia.org/wiki/P3P

Now there is Global Privacy Control: https://en.wikipedia.org/wiki/Global_Privacy_Control

The problem isn't technical - the problem is that ultimately spyware operators want to track people so it isn't in their interest to support these solutions and won't do so unless they are forced to. Since enforcement is significantly lacking, operators adopt the pragmatic strategy of non-compliance or pseudo-compliance with the current banners.

7. dns_snek ◴[22 Oct 25 17:46 UTC] No.45672625[source]
[2] Doesn't fully capture the negligence of the Swedish DPA ("IMY"), here's a better source:

> IMY’s practice of simply “forwarding” complaints.

> The IMY’s way of dealing with complaints since the Supreme Administrative Court ruling is to attach an “appeal form” to their (non-)decisions. But it still doesn’t investigate the complaints. Instead, the authority simply forwards the complaint to the entity that illegally processes personal data and then immediately closes the case. This also happened in the case preceding noyb’s current legal action against the IMY. After a data subject filed a complaint regarding a recorded phone call, the authority forwarded it to the respondent without investigating.

[3] https://noyb.eu/en/noyb-takes-swedish-dpa-court-refusing-pro...