Most active commenters
  • JohnFen(3)
  • Dylan16807(3)

←back to thread

Internet's biggest annoyance: Cookie laws should target browsers, not websites

(nednex.com)
583 points SweetSoftPillow | 11 comments | 22 Oct 25 12:12 UTC | HN request time: 0.815s | source | bottom
Show context
JohnFen ◴[22 Oct 25 13:33 UTC] No.45668907[source]
As others have said, we already tried this with DNT. Unless websites are legally compelled to honor the signal, the signal is worthless.

But here's an interesting wrinkle that may illustrate further complexity:

> Essential Only: "Only allow data necessary for websites to function (e.g., keeping me logged in, remembering my shopping cart)."

I would never have called either of those examples "necessary for websites to function". They are both just convenience things, not essential things. So there may be a lot of discussion needed about category definitions here.

replies(1): >>45669151 #
1. padjo ◴[22 Oct 25 13:50 UTC] No.45669151[source]
If your website is a shop then being able to put things in a cart is pretty necessary no?
replies(1): >>45669365 #
2. croes ◴[22 Oct 25 14:05 UTC] No.45669365[source]
You don’t need cookies for that.
replies(1): >>45670794 #
3. padjo ◴[22 Oct 25 15:40 UTC] No.45670794[source]
The point is that you need to track the person. The technology used is irrelevant.
replies(2): >>45671028 #>>45672830 #
4. JohnFen ◴[22 Oct 25 15:53 UTC] No.45671028{3}[source]
The point is whether or not "shopping cart" cookies are "essential". I argue that there is nothing about them that qualifies as essential. The contents of your cart can be kept server-side, which means that using cookies to do it is not essential at all.

Making them part of the "essential" set in cookie banners is a category error. This is an important point, in my opinion, because if we allow websites to get away with saying nonessential cookies are essential, then the more obnoxious cookies people widely object to will just be counted as "essential" to evade people's preferences. Websites seem strongly predisposed to pulling the wool over user's eyes whenever they think they can get away with it, so this category problem is not without meaning.

replies(2): >>45672115 #>>45674873 #
5. TheCoelacanth ◴[22 Oct 25 17:08 UTC] No.45672115{4}[source]
"Cookies" is just a colloquial way of talking about this tracking. What actually matters legally is what you are tracking, not how you implement it. It is completely irrelevant whether your shopping cart uses cookies or not.
replies(1): >>45673596 #
6. croes ◴[22 Oct 25 17:59 UTC] No.45672830{3}[source]
For a shopping cart you need link the visitor to their cart in your database. The cart doesn’t need a cookie and these identification is not what is meant by tracking
replies(1): >>45674900 #
7. JohnFen ◴[22 Oct 25 18:59 UTC] No.45673596{5}[source]
Except that the topic at hand is the cookie permission banners, which are about cookies specifically, not tracking generally.
replies(2): >>45674830 #>>45675008 #
8. Dylan16807 ◴[22 Oct 25 20:36 UTC] No.45674830{6}[source]
The banners are about tracking. They can't just sneak in localstorage instead and claim they're following the rules.
9. Dylan16807 ◴[22 Oct 25 20:40 UTC] No.45674873{4}[source]
> The contents of your cart can be kept server-side, which means that using cookies to do it is not essential at all.

The sane way to keep the cart contents server-side still involves a cookie on the client.

It's possible to do it in a glitchy way server-side-only, but if that makes a cookie stop being essential then by that definition there's no such thing as an essential cookie.

Such a definition is a bad definition.

10. Dylan16807 ◴[22 Oct 25 20:43 UTC] No.45674900{4}[source]
If there is an identification cookie that is used to find the cart in the database, that is the cart needing a cookie.
11. TheCoelacanth ◴[22 Oct 25 20:53 UTC] No.45675008{6}[source]
That is completely false unless you are talking about the pre-GDPR e-privacy directive.

GDPR only uses the word cookies once and it comes immediately after the phrase "such as", i.e. it's a non-exhaustive list of examples of ways that you could track someone.