←back to thread

Internet's biggest annoyance: Cookie laws should target browsers, not websites

(nednex.com)
599 points SweetSoftPillow | 1 comments | 22 Oct 25 12:12 UTC | HN request time: 0.235s | source
Show context
michaelmauderer ◴[22 Oct 25 12:36 UTC] No.45668112[source]
The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.

"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...

Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.

replies(27): >>45668188 #>>45668227 #>>45668253 #>>45668318 #>>45668333 #>>45668375 #>>45668478 #>>45668528 #>>45668587 #>>45668695 #>>45668802 #>>45668844 #>>45669149 #>>45669369 #>>45669513 #>>45669674 #>>45670524 #>>45670593 #>>45670822 #>>45670839 #>>45671739 #>>45671750 #>>45673134 #>>45673283 #>>45674480 #>>45675431 #>>45678865 #
crazygringo ◴[22 Oct 25 12:52 UTC] No.45668318[source]
No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.

Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.

The sites are just trying to maximize profit, as anyone could predict. So write better laws.

replies(20): >>45668365 #>>45668389 #>>45668443 #>>45668540 #>>45668630 #>>45668809 #>>45668823 #>>45668886 #>>45669084 #>>45669675 #>>45670704 #>>45671579 #>>45672352 #>>45672518 #>>45672991 #>>45673713 #>>45674575 #>>45675918 #>>45676040 #>>45676756 #
atoav ◴[22 Oct 25 13:26 UTC] No.45668809[source]
No. The law does not allow it.

To quote Article 4(11) – Definition of Consent

> ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Meaning if you force users into pressing a button or let them scroll through 1000 no options, with one easy yes option, you have not collected their free consent. Congrats you broke the law.

Meaning if you just have them click yes, but not informed them about the harmful data collection you did not collect free consent.

The law is pretty clear on that.

replies(2): >>45669263 #>>45669399 #
wutbrodo ◴[22 Oct 25 14:07 UTC] No.45669399[source]
I may be missing something, but I don't see how this clearly precludes that behavior.

Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it? To my eyes, both 'freely' and 'informed' are plausibly upheld.

It would be very straightforward to specify that consent and withholding must be equally accessible in the interface, instead of splitting hairs about definitions of "freely given". This is what people refer to when they say the law is poorly written

replies(1): >>45669806 #
croon ◴[22 Oct 25 14:38 UTC] No.45669806[source]
> Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it?

> Art 7(3) It shall be as easy to withdraw as to give consent. [0]

But legal interpretation of GP I believe is reaching the consensus that that phrasing too is broken by that implementation:

> Free and informed consent (Art. 7 GDPR): Consent is valid only if it is freely given. When the option to decline is hidden or unnecessarily cumbersome, the user's choice is affected and consent is no longer "free." [1]

[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...

[1] https://www.ictrechtswijzer.be/en/complaint-about-cookies-wi...

replies(1): >>45678726 #
wutbrodo ◴[23 Oct 25 06:13 UTC] No.45678726[source]
Ah appreciated, that is indeed exactly what I was asking about!

Now I'm left wondering why enforcement was supposedly so hard. Seems like shooting fish in a barrel, especially given that some very large websites were in clear violation of this article

replies(1): >>45680437 #
1. croon ◴[23 Oct 25 10:58 UTC] No.45680437[source]
Subjective take: Huge amount of small actors, and the big actors have a financial interest in shifting the conversation to blaming the EU for their annoying dark patterns over protecting customers from privacy violations and tracking to the detriment of their financials.