←back to thread

Internet's biggest annoyance: Cookie laws should target browsers, not websites

(nednex.com)
583 points SweetSoftPillow | 3 comments | 22 Oct 25 12:12 UTC | HN request time: 0.09s | source
Show context
michaelmauderer ◴[22 Oct 25 12:36 UTC] No.45668112[source]
The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.

"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...

Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.

replies(27): >>45668188 #>>45668227 #>>45668253 #>>45668318 #>>45668333 #>>45668375 #>>45668478 #>>45668528 #>>45668587 #>>45668695 #>>45668802 #>>45668844 #>>45669149 #>>45669369 #>>45669513 #>>45669674 #>>45670524 #>>45670593 #>>45670822 #>>45670839 #>>45671739 #>>45671750 #>>45673134 #>>45673283 #>>45674480 #>>45675431 #>>45678865 #
crazygringo ◴[22 Oct 25 12:52 UTC] No.45668318[source]
No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.

Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.

The sites are just trying to maximize profit, as anyone could predict. So write better laws.

replies(20): >>45668365 #>>45668389 #>>45668443 #>>45668540 #>>45668630 #>>45668809 #>>45668823 #>>45668886 #>>45669084 #>>45669675 #>>45670704 #>>45671579 #>>45672352 #>>45672518 #>>45672991 #>>45673713 #>>45674575 #>>45675918 #>>45676040 #>>45676756 #
michaelmauderer ◴[22 Oct 25 13:02 UTC] No.45668443[source]
But the courts are saying: the law does NOT allow this.

So maybe “malicious compliance” is a misnomer. We should just call it "illegal dark pattern".

replies(4): >>45668518 #>>45668736 #>>45668841 #>>45671429 #
mikae1 ◴[22 Oct 25 13:22 UTC] No.45668736[source]
Not a radical idea. The EU is already working on it.

> […] the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website.

https://www.politico.eu/article/europe-cookie-law-messed-up-...

replies(3): >>45668806 #>>45670117 #>>45680526 #
matheusmoreira ◴[22 Oct 25 14:57 UTC] No.45670117[source]
DNT header already does this. Explicit denial of consent. Reaches their servers before everything else so they have no excuse and zero room for maneuvering.

Now the EU just needs to turn it into an actual liability for corporations. Otherwise it will remain as an additional bit of entropy for tracking.

replies(4): >>45670706 #>>45670933 #>>45670958 #>>45674770 #
rcxdude ◴[22 Oct 25 15:34 UTC] No.45670706[source]
The fact that it was turned on by default in edge really hurt it as an argument under these laws, because it then turned into a 'well we don't know the user actually selected this' thing. Making it explicitly have the force of law regardless would still be a good thing, though.
replies(1): >>45670972 #
throw_a_grenade ◴[22 Oct 25 15:49 UTC] No.45670972[source]
No, this wrong. The law says that by default you can't process personal data, unless the user gave consent. That setting matched both the expectation of users and the default as specified by the law.

The story that advertisers don't know what users selected and that somehow allows them to track the user is disingenous.

replies(1): >>45672670 #
rcxdude ◴[22 Oct 25 17:49 UTC] No.45672670[source]
It doesn't allow them to track, but it does allow them to more convincingly argue that they can nag them about it (I think some regulators in some EU countries have rejected this, but I don't think this is universal). i.e. it makes it ineffective as a means of stopping the annoying pop-ups. Because the companies are basically belligerent about it there needs to be a clear declaration of 'if this header is set you may not track _and_ you may not bug the user about it'
replies(1): >>45676213 #
charcircuit ◴[22 Oct 25 22:58 UTC] No.45676213[source]
How are they supposed to ask for consent then?
replies(1): >>45676385 #
rcxdude ◴[22 Oct 25 23:19 UTC] No.45676385[source]
If the user has already indicated that they don't consent by setting the header, you don't ask. If they want to change, make it available as a setting.

(and frankly, the number of users that actively want to consent to this is essentially zero)

replies(1): >>45676479 #
1. charcircuit ◴[22 Oct 25 23:31 UTC] No.45676479[source]
What if the user doesn't know they have that setting enabled. Or they enabled it to block some other company than your own.

I always constent to cookie popups so the number can not be 0.

replies(1): >>45676519 #
2. rcxdude ◴[22 Oct 25 23:36 UTC] No.45676519[source]
Hence why I think the default hurt the initiative. And the header could be set on a per-domain basis, if you wanted that for some reason. I'm curious, why do you consent on such pop-ups?
replies(1): >>45680223 #
3. speleding ◴[23 Oct 25 10:13 UTC] No.45680223[source]
I always consent as well. They can show much more relevant ads when you consent to cookies. If I block cookies I get generic ads about stuff I don't care about.