Most active commenters
  • rcxdude(4)
  • crazygringo(3)
  • immibis(3)

←back to thread

Internet's biggest annoyance: Cookie laws should target browsers, not websites

(nednex.com)
583 points SweetSoftPillow | 51 comments | 22 Oct 25 12:12 UTC | HN request time: 0.693s | source | bottom
Show context
michaelmauderer ◴[22 Oct 25 12:36 UTC] No.45668112[source]
The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.

"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...

Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.

replies(27): >>45668188 #>>45668227 #>>45668253 #>>45668318 #>>45668333 #>>45668375 #>>45668478 #>>45668528 #>>45668587 #>>45668695 #>>45668802 #>>45668844 #>>45669149 #>>45669369 #>>45669513 #>>45669674 #>>45670524 #>>45670593 #>>45670822 #>>45670839 #>>45671739 #>>45671750 #>>45673134 #>>45673283 #>>45674480 #>>45675431 #>>45678865 #
crazygringo ◴[22 Oct 25 12:52 UTC] No.45668318[source]
No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.

Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.

The sites are just trying to maximize profit, as anyone could predict. So write better laws.

replies(20): >>45668365 #>>45668389 #>>45668443 #>>45668540 #>>45668630 #>>45668809 #>>45668823 #>>45668886 #>>45669084 #>>45669675 #>>45670704 #>>45671579 #>>45672352 #>>45672518 #>>45672991 #>>45673713 #>>45674575 #>>45675918 #>>45676040 #>>45676756 #
1. michaelmauderer ◴[22 Oct 25 13:02 UTC] No.45668443[source]
But the courts are saying: the law does NOT allow this.

So maybe “malicious compliance” is a misnomer. We should just call it "illegal dark pattern".

replies(4): >>45668518 #>>45668736 #>>45668841 #>>45671429 #
2. narag ◴[22 Oct 25 13:07 UTC] No.45668518[source]
Lawmakers must consider enforcement. What are the practical consequences of those rulings?
replies(3): >>45668828 #>>45668951 #>>45670393 #
3. mikae1 ◴[22 Oct 25 13:22 UTC] No.45668736[source]
Not a radical idea. The EU is already working on it.

> […] the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website.

https://www.politico.eu/article/europe-cookie-law-messed-up-...

replies(3): >>45668806 #>>45670117 #>>45680526 #
4. dgfitz ◴[22 Oct 25 13:25 UTC] No.45668806[source]
[flagged]
replies(1): >>45668875 #
5. seszett ◴[22 Oct 25 13:27 UTC] No.45668828[source]
Well almost all websites in France do the legal thing now with an obvious "decline all" button, which was not the case at first.

It took just a pair of ruling that made it clear this illegal pattern was going to actually be cracked down upon, and now these popups are just a small annoyance rather than the absolutely enraging trap that they were at first.

Of course I still wish they were unnecessary, but they serve as a reminder that these websites are still trying to prey upon their visitors.

replies(1): >>45668896 #
6. ferongr ◴[22 Oct 25 13:28 UTC] No.45668841[source]
Please post some judicial decisions regarding your claim.
replies(3): >>45669096 #>>45669144 #>>45669887 #
7. yetihehe ◴[22 Oct 25 13:30 UTC] No.45668875{3}[source]
The alternative is that they tweak the laws without much thought...
replies(2): >>45670136 #>>45671448 #
8. crazygringo ◴[22 Oct 25 13:32 UTC] No.45668896{3}[source]
> now these popups are just a small annoyance rather than the absolutely enraging trap

Disagree. The popup is the enraging problem. It's not a small annoyance. I click them multiple times every single day and it's ludicrous.

I don't need a "reminder". The last thing I want is some "reminder" day after day after day. I want a law that protects consumers in the first place.

replies(2): >>45669035 #>>45676164 #
9. schmidtleonard ◴[22 Oct 25 13:36 UTC] No.45668951[source]
Laws should be enforceable, but at some point "it's a bad law if it can be bypassed with corruption" just completely surrenders any hope of holding powerful people / companies accountable to anything at all.
replies(1): >>45672823 #
10. Kbelicius ◴[22 Oct 25 13:42 UTC] No.45669035{4}[source]
> Disagree. The popup is the enraging problem. It's not a small annoyance. I click them multiple times every single day and it's ludicrous.

Then don't visit webpages that do illegal things and are hostile to their users.

> I want a law that protects consumers in the first place.

This is that law.

replies(1): >>45670836 #
11. ruszki ◴[22 Oct 25 13:47 UTC] No.45669096[source]
Sometimes I understand these kind of comments, sometimes I don’t. In this case, it’s quicker to find such decisions than writing your comment.

https://www.heise.de/en/news/Administrative-court-Cookie-ban...

replies(1): >>45671884 #
12. ◴[22 Oct 25 13:50 UTC] No.45669144[source]
13. pas ◴[22 Oct 25 14:44 UTC] No.45669887[source]
https://noyb.eu/en has a nice tracker!

883 total cases

468 pending cases

€ 2B billion fines imposed

14. matheusmoreira ◴[22 Oct 25 14:57 UTC] No.45670117[source]
DNT header already does this. Explicit denial of consent. Reaches their servers before everything else so they have no excuse and zero room for maneuvering.

Now the EU just needs to turn it into an actual liability for corporations. Otherwise it will remain as an additional bit of entropy for tracking.

replies(4): >>45670706 #>>45670933 #>>45670958 #>>45674770 #
15. dgfitz ◴[22 Oct 25 14:58 UTC] No.45670136{4}[source]
Isn’t that the current status quo?
replies(1): >>45670455 #
16. SoftTalker ◴[22 Oct 25 15:12 UTC] No.45670393[source]
Lawmakers should have a limit on the number of laws they can write. Say it's 100. They can regulate 100 things, so they need to consider importance. If they want to regulate something new, they have to give up something else. Which one is more important?

The vast majority of laws are never enforced, so in practice this isn't as absurd as it sounds. It would make people consider what laws they spend time writing.

17. lukeschlather ◴[22 Oct 25 15:17 UTC] No.45670455{5}[source]
The GDPR has over 100k words, and those words are certainly less than 0.01% of the thought that has gone into this problem.
18. rcxdude ◴[22 Oct 25 15:34 UTC] No.45670706{3}[source]
The fact that it was turned on by default in edge really hurt it as an argument under these laws, because it then turned into a 'well we don't know the user actually selected this' thing. Making it explicitly have the force of law regardless would still be a good thing, though.
replies(1): >>45670972 #
19. crazygringo ◴[22 Oct 25 15:42 UTC] No.45670836{5}[source]
That's like saying "don't visit places where people get murdered if you don't want to get murdered."

How about you just enforce consumer protections for everyone? Because that is clearly not the law.

replies(1): >>45673540 #
20. pwdisswordfishy ◴[22 Oct 25 15:47 UTC] No.45670933{3}[source]
They can't. The website may very well do the opposite of the preference DNT signals. Meanwhile, proving in a court of law that the tracking still happens will be hard.

Services should be denied the capacity to track and fingerprint, not just told about a preference against it.

DNT will always be an "evil bit", regardless of any law behind it.

replies(2): >>45675739 #>>45677641 #
21. techjamie ◴[22 Oct 25 15:49 UTC] No.45670958{3}[source]
DNT is considered deprecated in favor of GPC, which has legal backing in places with internet privacy laws. Funnily, Chrome still supports DNT but you need an extension to send a GPC header. Almost like the advertisement company wouldn't want people enabling legal privacy protections.
replies(4): >>45671270 #>>45672135 #>>45675096 #>>45681088 #
22. throw_a_grenade ◴[22 Oct 25 15:49 UTC] No.45670972{4}[source]
No, this wrong. The law says that by default you can't process personal data, unless the user gave consent. That setting matched both the expectation of users and the default as specified by the law.

The story that advertisers don't know what users selected and that somehow allows them to track the user is disingenous.

replies(1): >>45672670 #
23. fmajid ◴[22 Oct 25 16:08 UTC] No.45671270{4}[source]
GPC compliance is already the law in California. I don’t know why the EU has been so slow at making it legally binding. That said, existing cookie popups that don’t have “Reject All” as prominently placed as “Accept All” are already illegal but widespread, in no small part due to deliberate sabotage by the Irish DPA, so don’t expect GPC compliance to fare any better until consumer rights associations like NOYB.eu are allowed to initiate direct enforcement actions.
24. immibis ◴[22 Oct 25 16:18 UTC] No.45671429[source]
But the laws do allow this. It's illegal to make the user experience worse if you decline tracking, or to make it harder to decline tracking than to accept it, but it's not illegal to annoy the user on every page load.
replies(1): >>45673521 #
25. immibis ◴[22 Oct 25 16:19 UTC] No.45671448{4}[source]
Agile laws might not be so terrible.
replies(1): >>45671519 #
26. JadeNB ◴[22 Oct 25 16:23 UTC] No.45671519{5}[source]
Counteropinion: agile laws would be absolutely terrible. Either people wouldn't take them seriously because they're going to change in a few minutes anyway, or people would take them seriously and be bound by law by the equivalent of late-night untested code that seemed like it should work.
replies(1): >>45676681 #
27. anonymous908213 ◴[22 Oct 25 16:51 UTC] No.45671884{3}[source]
I do love the irony of reading a headline "Administrative court: Cookie banner must contain "Reject all" button" on a website that does a completely blocking cookie banner with no such option. I suppose if I lived in Germany I would be pleased with the results of reporting that to the authorities.

More generally, I actually did organically notice the massive increase in "Reject all" buttons and found out about these court decisions myself some time ago. Certainly a small win for the internet, although it should not have taken 9 years(!) from the implementation of GDPR for these violations of it to be cracked down on.

28. kuschku ◴[22 Oct 25 17:10 UTC] No.45672135{4}[source]
In Germany, DNT is legally binding, but GPC is not.
29. rcxdude ◴[22 Oct 25 17:49 UTC] No.45672670{5}[source]
It doesn't allow them to track, but it does allow them to more convincingly argue that they can nag them about it (I think some regulators in some EU countries have rejected this, but I don't think this is universal). i.e. it makes it ineffective as a means of stopping the annoying pop-ups. Because the companies are basically belligerent about it there needs to be a clear declaration of 'if this header is set you may not track _and_ you may not bug the user about it'
replies(1): >>45676213 #
30. narag ◴[22 Oct 25 17:59 UTC] No.45672823{3}[source]
That's a very absolute outlook. The fact is that they were very naive and, althoug they seem to be adjusting, it's been painfully slow and the harm has been done and the public is suffering meanwhile.

Law making is a way of predicting the future and setting up incentives to achieve a goal. You need to foresee what can go wrong, talk to incumbents and anticipate the response. It's a technical matter and this has been a debacle.

It's useless to put the blame in the advertisers. Even if they're evil, that doesn't make the situation any better for the public.

replies(1): >>45679198 #
31. fsflover ◴[22 Oct 25 18:52 UTC] No.45673521[source]
> illegal to make the user experience worse

> not illegal to annoy the user on every page load

This looks like a contradiction to me.

replies(2): >>45673608 #>>45673700 #
32. Kbelicius ◴[22 Oct 25 18:53 UTC] No.45673540{6}[source]
> That's like saying "don't visit places where people get murdered if you don't want to get murdered."

Nope. Murder is an action after which the victim can not make any more actions. It would be like saying "don't go to the bakery where they spit in your food and slap you in the face every time you order something". You are enraged by the behavior of the websites you visit and you still keep going there every day. Either you are a masochist or "voting with your wallet" or, in this instance with you attention, doesn't really work. Why do you give your attention to those that treat you like shit?

> How about you just enforce consumer protections for everyone?

They are. What gave you the idea they aren't? Because some pages still behave illegally? You understand that murder still happens?

> Because that is clearly not the law.

Do you know anything about GDPR? Because it seems that you do not. Could you point to the text of the regulation that you object to? I'll wait but I'm sure I'll be waiting for godot here.

33. ranger_danger ◴[22 Oct 25 18:59 UTC] No.45673608{3}[source]
OP loves to claim how almost everything is illegal and then not give any useful sources when asked.
34. immibis ◴[22 Oct 25 19:07 UTC] No.45673700{3}[source]
> if you decline tracking

please read the second half of the clause, kthx

replies(1): >>45676182 #
35. briandear ◴[22 Oct 25 20:31 UTC] No.45674770{3}[source]
It’s not just corporations. Look how much tracking nonsense goes into a recipe blog.
36. juancroldan ◴[22 Oct 25 21:01 UTC] No.45675096{4}[source]
Plus, all GPC extensions advertised by the offical GPC pack other unsolicited privacy features and freemium models. I ended up building an extension https://chromewebstore.google.com/detail/gpc-enabler/ilknagn...
37. arbol ◴[22 Oct 25 22:05 UTC] No.45675739{4}[source]
How do you deny the capacity to fingerprint? That's basically disabling JavaScript.
replies(2): >>45676082 #>>45676216 #
38. artyom ◴[22 Oct 25 22:41 UTC] No.45676082{5}[source]
Essentially the same way uBlock Origin worked. A global list of offenders to block so that Javascript won't be loaded at all.

Asking browsers to implement uBlock Origin natively tho...

39. mort96 ◴[22 Oct 25 22:52 UTC] No.45676164{4}[source]
I agree. These websites should just not spy on me and therefore not have a pop-up.

But in the absence of that? I appreciate at least being asked for my consent so that I can press the "I do not consent to being tracked" button. It shouldn't exist in the first place, but since these websites are unwilling to just not spy on people, this seems like the next best thing.

40. mort96 ◴[22 Oct 25 22:54 UTC] No.45676182{4}[source]
Wait you're saying that the websites in question ask for your consent on every page load even if you give it to them? I was under the impression that they typically pester you for consent until you give it to them, then remember your choice once you "consent"
41. charcircuit ◴[22 Oct 25 22:58 UTC] No.45676213{6}[source]
How are they supposed to ask for consent then?
replies(1): >>45676385 #
42. avmich ◴[22 Oct 25 22:58 UTC] No.45676216{5}[source]
Adding a different web page-resident language?
43. rcxdude ◴[22 Oct 25 23:19 UTC] No.45676385{7}[source]
If the user has already indicated that they don't consent by setting the header, you don't ask. If they want to change, make it available as a setting.

(and frankly, the number of users that actively want to consent to this is essentially zero)

replies(1): >>45676479 #
44. charcircuit ◴[22 Oct 25 23:31 UTC] No.45676479{8}[source]
What if the user doesn't know they have that setting enabled. Or they enabled it to block some other company than your own.

I always constent to cookie popups so the number can not be 0.

replies(1): >>45676519 #
45. rcxdude ◴[22 Oct 25 23:36 UTC] No.45676519{9}[source]
Hence why I think the default hurt the initiative. And the header could be set on a per-domain basis, if you wanted that for some reason. I'm curious, why do you consent on such pop-ups?
replies(1): >>45680223 #
46. _carbyau_ ◴[23 Oct 25 00:03 UTC] No.45676681{6}[source]
Charitable interpretation of their comment: Law is implemented and then rapidly improved upon.

But yes, I think your take is more realistic as any measure that allows rapid changes also allows willful politics to rapidly make a mess.

47. Jensson ◴[23 Oct 25 02:45 UTC] No.45677641{4}[source]
> They can't. The website may very well do the opposite of the preference DNT signals. Meanwhile, proving in a court of law that the tracking still happens will be hard.

Its not hard when it comes to any website of note, large companies can't easily hide what their computers are doing really, if they have code that tracks people it is gonna be found.

48. dns_snek ◴[23 Oct 25 07:31 UTC] No.45679198{4}[source]
> The fact is that they were very naive and, althoug they seem to be adjusting

Who are "they"? The law hasn't changed, it's enforcement that is changing, albeit very slowly.

There are so many institutions that can be rightfully blamed - chiefly the DPAs and the national governments, but your continued insistence on blaming the lawmakers makes no sense. The law is clear, it's just not being enforced.

Of course advertisers deserve all this blame too, but their blame is irrelevant when discussing enforcement. I don't expect them to stop any more than I expect a serial killer to turn themselves in. This is still a failure of the institutions.

49. speleding ◴[23 Oct 25 10:13 UTC] No.45680223{10}[source]
I always consent as well. They can show much more relevant ads when you consent to cookies. If I block cookies I get generic ads about stuff I don't care about.
50. WeZzyNL ◴[23 Oct 25 11:12 UTC] No.45680526[source]
The EU is already working on it? You have a strange definition of "already" ;)
51. extraduder_ire ◴[23 Oct 25 12:32 UTC] No.45681088{4}[source]
EU law typically has a lead time of at least two years.