582 points SweetSoftPillow | 1 comments
moooo99 ◴[] No.45668075[source]
I disagree that this should be in the scope of a browser.

Cookie banners are called cookie banners because they're most frequently associated with the opt-in for tracking cookies, but this kind of opt-in is required for any kind of third-party involvement that goes beyond technical necessity.

Your browser has no way to tell which third party present on the site is a technical necessity and which one isn't. So you'd have to tell it, making it part of the site provider's problem as well. But this time it's worse, because responsibilities are mixed between the site operator and the third party.

replies(3): >>45668142 #>>45668223 #>>45670402 #
gwd ◴[] No.45668223[source]
Right, then it would be legally required to have "third-party" vs "strictly necessary" tags on the cookie itself, which someone could challenge if they were inaccurate (in the same way that the GDPR can in theory be enforced now). Then the browser could simply do what the user wanted with the tags. This could even be a status item in the URL bar, similar to the HTTP / HTTPS icon, that would allow you to enable or disable tracking on a per-site basis (if you didn't want a global policy).

Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.

replies(1): >>45668484 #
1. jeroenhd ◴[] No.45668484[source]
> Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged

While enforcement is effectively nil, they already need to do that according to the actual EU "cookie law" (ePrivacy Directive rather than GDPR). If you set cookies, you have to explain to the user what they're there for.

Hilariously, many websites have no idea what the cookies their trackers set are for, and I've caught a bunch of them using language like "seemingly" and "apparently" when describing what purposes cookies actually serve.

If only browsers gave P3P[1] the attention it deserved. The protocol isn't exactly perfect and the unmistakable footprint of early 2000s XML obsession is there, but it could've prevented cookie banners from ever being accepted if only browsers had designed proper UI around an updated version of the protocol.

[1] https://www.w3.org/TR/P3P11