Most active commenters
  • rcxdude(4)

←back to thread

Internet's biggest annoyance: Cookie laws should target browsers, not websites

(nednex.com)
582 points SweetSoftPillow | 29 comments | 22 Oct 25 12:12 UTC | HN request time: 0.001s | source | bottom
Show context
michaelmauderer ◴[22 Oct 25 12:36 UTC] No.45668112[source]
The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.

"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...

Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.

replies(27): >>45668188 #>>45668227 #>>45668253 #>>45668318 #>>45668333 #>>45668375 #>>45668478 #>>45668528 #>>45668587 #>>45668695 #>>45668802 #>>45668844 #>>45669149 #>>45669369 #>>45669513 #>>45669674 #>>45670524 #>>45670593 #>>45670822 #>>45670839 #>>45671739 #>>45671750 #>>45673134 #>>45673283 #>>45674480 #>>45675431 #>>45678865 #
crazygringo ◴[22 Oct 25 12:52 UTC] No.45668318[source]
No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.

Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.

The sites are just trying to maximize profit, as anyone could predict. So write better laws.

replies(20): >>45668365 #>>45668389 #>>45668443 #>>45668540 #>>45668630 #>>45668809 #>>45668823 #>>45668886 #>>45669084 #>>45669675 #>>45670704 #>>45671579 #>>45672352 #>>45672518 #>>45672991 #>>45673713 #>>45674575 #>>45675918 #>>45676040 #>>45676756 #
michaelmauderer ◴[22 Oct 25 13:02 UTC] No.45668443[source]
But the courts are saying: the law does NOT allow this.

So maybe “malicious compliance” is a misnomer. We should just call it "illegal dark pattern".

replies(4): >>45668518 #>>45668736 #>>45668841 #>>45671429 #
1. mikae1 ◴[22 Oct 25 13:22 UTC] No.45668736[source]
Not a radical idea. The EU is already working on it.

> […] the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website.

https://www.politico.eu/article/europe-cookie-law-messed-up-...

replies(3): >>45668806 #>>45670117 #>>45680526 #
2. dgfitz ◴[22 Oct 25 13:25 UTC] No.45668806[source]
[flagged]
replies(1): >>45668875 #
3. yetihehe ◴[22 Oct 25 13:30 UTC] No.45668875[source]
The alternative is that they tweak the laws without much thought...
replies(2): >>45670136 #>>45671448 #
4. matheusmoreira ◴[22 Oct 25 14:57 UTC] No.45670117[source]
DNT header already does this. Explicit denial of consent. Reaches their servers before everything else so they have no excuse and zero room for maneuvering.

Now the EU just needs to turn it into an actual liability for corporations. Otherwise it will remain as an additional bit of entropy for tracking.

replies(4): >>45670706 #>>45670933 #>>45670958 #>>45674770 #
5. dgfitz ◴[22 Oct 25 14:58 UTC] No.45670136{3}[source]
Isn’t that the current status quo?
replies(1): >>45670455 #
6. lukeschlather ◴[22 Oct 25 15:17 UTC] No.45670455{4}[source]
The GDPR has over 100k words, and those words are certainly less than 0.01% of the thought that has gone into this problem.
7. rcxdude ◴[22 Oct 25 15:34 UTC] No.45670706[source]
The fact that it was turned on by default in edge really hurt it as an argument under these laws, because it then turned into a 'well we don't know the user actually selected this' thing. Making it explicitly have the force of law regardless would still be a good thing, though.
replies(1): >>45670972 #
8. pwdisswordfishy ◴[22 Oct 25 15:47 UTC] No.45670933[source]
They can't. The website may very well do the opposite of the preference DNT signals. Meanwhile, proving in a court of law that the tracking still happens will be hard.

Services should be denied the capacity to track and fingerprint, not just told about a preference against it.

DNT will always be an "evil bit", regardless of any law behind it.

replies(2): >>45675739 #>>45677641 #
9. techjamie ◴[22 Oct 25 15:49 UTC] No.45670958[source]
DNT is considered deprecated in favor of GPC, which has legal backing in places with internet privacy laws. Funnily, Chrome still supports DNT but you need an extension to send a GPC header. Almost like the advertisement company wouldn't want people enabling legal privacy protections.
replies(4): >>45671270 #>>45672135 #>>45675096 #>>45681088 #
10. throw_a_grenade ◴[22 Oct 25 15:49 UTC] No.45670972{3}[source]
No, this wrong. The law says that by default you can't process personal data, unless the user gave consent. That setting matched both the expectation of users and the default as specified by the law.

The story that advertisers don't know what users selected and that somehow allows them to track the user is disingenous.

replies(1): >>45672670 #
11. fmajid ◴[22 Oct 25 16:08 UTC] No.45671270{3}[source]
GPC compliance is already the law in California. I don’t know why the EU has been so slow at making it legally binding. That said, existing cookie popups that don’t have “Reject All” as prominently placed as “Accept All” are already illegal but widespread, in no small part due to deliberate sabotage by the Irish DPA, so don’t expect GPC compliance to fare any better until consumer rights associations like NOYB.eu are allowed to initiate direct enforcement actions.
12. immibis ◴[22 Oct 25 16:19 UTC] No.45671448{3}[source]
Agile laws might not be so terrible.
replies(1): >>45671519 #
13. JadeNB ◴[22 Oct 25 16:23 UTC] No.45671519{4}[source]
Counteropinion: agile laws would be absolutely terrible. Either people wouldn't take them seriously because they're going to change in a few minutes anyway, or people would take them seriously and be bound by law by the equivalent of late-night untested code that seemed like it should work.
replies(1): >>45676681 #
14. kuschku ◴[22 Oct 25 17:10 UTC] No.45672135{3}[source]
In Germany, DNT is legally binding, but GPC is not.
15. rcxdude ◴[22 Oct 25 17:49 UTC] No.45672670{4}[source]
It doesn't allow them to track, but it does allow them to more convincingly argue that they can nag them about it (I think some regulators in some EU countries have rejected this, but I don't think this is universal). i.e. it makes it ineffective as a means of stopping the annoying pop-ups. Because the companies are basically belligerent about it there needs to be a clear declaration of 'if this header is set you may not track _and_ you may not bug the user about it'
replies(1): >>45676213 #
16. briandear ◴[22 Oct 25 20:31 UTC] No.45674770[source]
It’s not just corporations. Look how much tracking nonsense goes into a recipe blog.
17. juancroldan ◴[22 Oct 25 21:01 UTC] No.45675096{3}[source]
Plus, all GPC extensions advertised by the offical GPC pack other unsolicited privacy features and freemium models. I ended up building an extension https://chromewebstore.google.com/detail/gpc-enabler/ilknagn...
18. arbol ◴[22 Oct 25 22:05 UTC] No.45675739{3}[source]
How do you deny the capacity to fingerprint? That's basically disabling JavaScript.
replies(2): >>45676082 #>>45676216 #
19. artyom ◴[22 Oct 25 22:41 UTC] No.45676082{4}[source]
Essentially the same way uBlock Origin worked. A global list of offenders to block so that Javascript won't be loaded at all.

Asking browsers to implement uBlock Origin natively tho...

20. charcircuit ◴[22 Oct 25 22:58 UTC] No.45676213{5}[source]
How are they supposed to ask for consent then?
replies(1): >>45676385 #
21. avmich ◴[22 Oct 25 22:58 UTC] No.45676216{4}[source]
Adding a different web page-resident language?
22. rcxdude ◴[22 Oct 25 23:19 UTC] No.45676385{6}[source]
If the user has already indicated that they don't consent by setting the header, you don't ask. If they want to change, make it available as a setting.

(and frankly, the number of users that actively want to consent to this is essentially zero)

replies(1): >>45676479 #
23. charcircuit ◴[22 Oct 25 23:31 UTC] No.45676479{7}[source]
What if the user doesn't know they have that setting enabled. Or they enabled it to block some other company than your own.

I always constent to cookie popups so the number can not be 0.

replies(1): >>45676519 #
24. rcxdude ◴[22 Oct 25 23:36 UTC] No.45676519{8}[source]
Hence why I think the default hurt the initiative. And the header could be set on a per-domain basis, if you wanted that for some reason. I'm curious, why do you consent on such pop-ups?
replies(1): >>45680223 #
25. _carbyau_ ◴[23 Oct 25 00:03 UTC] No.45676681{5}[source]
Charitable interpretation of their comment: Law is implemented and then rapidly improved upon.

But yes, I think your take is more realistic as any measure that allows rapid changes also allows willful politics to rapidly make a mess.

26. Jensson ◴[23 Oct 25 02:45 UTC] No.45677641{3}[source]
> They can't. The website may very well do the opposite of the preference DNT signals. Meanwhile, proving in a court of law that the tracking still happens will be hard.

Its not hard when it comes to any website of note, large companies can't easily hide what their computers are doing really, if they have code that tracks people it is gonna be found.

27. speleding ◴[23 Oct 25 10:13 UTC] No.45680223{9}[source]
I always consent as well. They can show much more relevant ads when you consent to cookies. If I block cookies I get generic ads about stuff I don't care about.
28. WeZzyNL ◴[23 Oct 25 11:12 UTC] No.45680526[source]
The EU is already working on it? You have a strange definition of "already" ;)
29. extraduder_ire ◴[23 Oct 25 12:32 UTC] No.45681088{3}[source]
EU law typically has a lead time of at least two years.