I understand the frustration and would probably have said similar till recently. I'm now starting to think these companies can't be trusted to keep pushing things beyond the spirit of the law and that we should simply outlaw certain forms of data collection so that even asking for consent isn't required.
I have no problem with a Web site owner monitoring my progress around their site, timing my interactions, recording what things I was interested in, and then using that data to "optimize" my experience. But do I think having Facebook track me around hundreds of non-Facebook sites is OK? Or an ad network doing the same? Not really. I would be quite happy if they fully legalised first party data collection and outlawed third party collection entirely (including proxying first party data to a third party automatically - to close that loophole), to be honest, and then we wouldn't need consent buttons or banners, perhaps.
The industry should really get together and set up something like P3P but good. These settings should be set in the browser, not in the client.
Of course the ad and web stalking people don't want that, because that means users can easily opt out. With Google's misguided attempt to force FLoC down everyone's throats, we may see them join forces with Apple, Microsoft and Mozilla at some point to develop a consent protocol that can be configured easily without the stupid popups.
For example, the browser could hide all the requested consent in a little button in the top right that opens into a menu to let the user pick what they do or do not consent to for what parties (with UI to show the necessary reasons for processing), with defaults configurable in the settings. The defaults would differ per browser of course (probably opt-in on Firefox and Safari, opt-out in Chrome and Edge) but it'd still work out for users because they could change the defaults.
Hell, with the rate HTTP is evolving (bodies in GET requests, QUERY, etc.) I can see an HTTP CONSENT verb coming to HTTP/4 eventually.
There are definitely other concerns with such a protocol, like the ability for malicious actors to use it for fingerprinting, but I think it's the only way forward for browsers. Big tech has ignored legislation for a while now, but if they don't show initiative the law will only get worse for them.
I bet the EU would happily list such a protocol as a requirement for most websites. People like you could just blanket allow everything, people like me could blanket block everything, and we'd all get rid of these stupid popups forever.
How would the browser be able to enforce what the actual server does with the data? This would work only for those binary track everything/don't track anything scenarios. Those are rare cases. What the majority of us want, and the whole purpose of the GDPR, is the "informed consent" part. A detailed list of what information is gathered and how it is going to be used. A browser can not really enforce "I give you consent to use my data for 'use case' on this site but don't use it for advertising or sell it". And since the potential uses are thousands, a generic form can not be used as a real consent form. The only way is the planned way. Every site/app declares what/how they are using the collected data and takes legal responsibility in case of infraction.
It wouldn't be able to control anything on the backend, but neither can it control the tracker behaviour in the cookie popups. That's where the border between technical and legal issues is crossed.
My idea for consent would be a sort of challenge/response protocol, where the sending party sends a request for consent with all the details they need and the browser approves or denies it. Preferably, this would be done automatically based on the user's settings. It could even be part of the CORS system, leveraging the browser's "firewall" to ensure no data gets leaked to misconfigured trackers and forcing companies to comply.
The thing about consent is that it must be freely given. Therefore, it should always be opt-in. The user can opt into certain stuff from some kind of simple control after reviewing the requests the other party sends, but that stuff should be hidden and denied by default.
A general declarative method would probably lack some finesse. For example, when your user account has a certain country set, a server might load in payment providers on the fly, and the manifest should reflect that. The manifests we have today would get cached way too quickly, I think.
https://globalprivacycontrol.org/ goes kind of in that direction. It's a rebranded Do Not Track header, but referencing specific privacy rights under GDPR/CCPA. That hopefully makes it enforceable, whereas advertisers could just ignore Do Not Track.
I like the idea, but that protocol is too simple. For example, I don't have too much of a problem with Matomo tracking cookies, but I don't want Google Analytics to follow me around the web.
This header doesn't specify any of that, and I'd still need to give some kind of consent through a cookie pop-up to websites that want me to use that stuff.
I see your point, but one of the main problems of P3P was its complexity. There's more than two decades of privacy-enhancing technology research showing that privacy controls need to be fundamentally simple.
I think DNT/GPC can be more fine-grained than you make it out to be. The spec is simple, but there's nothing in there that stops you from developing a browser extension that only sends DNT/GPC signals to a curated list of known bad trackers. That would give you as an advanced user some configurability while it's a simple checkbox for most folks.
I agree that P3P was way too complex, but so are the cookie popups that plague us today. P3P was built around legalese and privacy statements rather than simple consent; I think a modern take can do much better.
The extension you propose would be my vision of a modern P3P, but with categories you can set up with defaults. You don't want to force a NoScript/uMatrix style screen onto users, so the browser should simplify a bit, but a header that says "yes for necessary services, yes for analytics, no for tracking, no for advertising" (or something like that) would fit my requirements.
I think websites should also have a way to show _why_ and _how_ they process data, because that's part of the informed consent users give. A simple text field with a maximum size to force short descriptions, maybe with a "more details" button next to the selected purpose could be enough.
I don't think just sending a header would suffice because you'd still get consent popups if there's no other way to get consent. A boolean "sell my data" just doesn't encompass the consent you're giving websites when you allow/deny.
It's a challenge to keep simple, for sure, but the UI and server-side API can be simpler than the underlying protocol. Consider the browser language list that nobody uses: to the user it's just an ordered list of languages, but in the user agent headers each language gets a numeric weight added to it. Or Firefox's "block trackers" button that substitutes JavaScript when you enable it and applies all kinds of weird rules and detections to work.
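The two ideas in the comments above (a browser extension that only sends a DNT/GPC signal to a curated list of known trackers, and a per-category header like "yes for necessary, yes for analytics, no for tracking, no for advertising") can be sketched as a small decision protocol. The code below is an added example written for this page, not code from the thread or from any browser or standards body. `Sec-GPC` with the value `1` is the real Global Privacy Control request header; the `Consent-Prefs` header, its `category=yes|no` format, the category names, the host names and the user policy are all hypothetical, constructed for the illustration.

```javascript
// Added example: categorised consent signals, client decision + server parse.
// Hypothetical design; only `Sec-GPC: 1` is a real, specified header.

const CATEGORIES = ["necessary", "analytics", "tracking", "advertising"];

// Constructed sample user policy (hypothetical hosts):
//  - defaults apply to any host not listed, and are opt-in (everything off
//    except "necessary", which needs no consent at all),
//  - perHost overrides let the user trust a specific first party,
//  - curatedTrackers get a hard Sec-GPC opt-out no matter what the categories say.
const userPolicy = {
  defaults: { necessary: true, analytics: false, tracking: false, advertising: false },
  perHost: {
    "example-shop.test": { analytics: true }, // first party the user trusts with analytics
  },
  curatedTrackers: new Set(["tracker.example-ads.test", "analytics.example-big.test"]),
};

// Client side (what an extension's request hook would compute): the headers to
// attach to a request for `url`. Returns a plain object so it can be tested
// without a browser host.
function consentHeadersFor(url, policy) {
  const host = new URL(url).hostname;
  const prefs = { ...policy.defaults, ...(policy.perHost[host] || {}) };
  const headers = {};
  if (policy.curatedTrackers.has(host)) {
    headers["Sec-GPC"] = "1"; // real GPC signal; the spec's only defined value is "1"
    for (const c of CATEGORIES) if (c !== "necessary") prefs[c] = false; // opt-out wins
  }
  // Hypothetical header: comma-separated "<category>=<yes|no>" pairs.
  headers["Consent-Prefs"] = CATEGORIES
    .map((c) => `${c}=${prefs[c] ? "yes" : "no"}`)
    .join(", ");
  return headers;
}

// Server side: turn request headers into a per-purpose decision.
// Rules: header names are case-insensitive; anything not explicitly granted is
// denied (opt-in); "necessary" is always allowed and cannot be toggled by the
// header; unknown or malformed pairs are ignored rather than trusted; and
// Sec-GPC: 1 switches every non-necessary purpose off even if Consent-Prefs
// says "yes", so a stale or forged category list cannot override the opt-out.
function parseConsent(headers) {
  const norm = {};
  for (const [k, v] of Object.entries(headers)) norm[k.toLowerCase()] = v;

  const decision = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  const raw = norm["consent-prefs"];
  if (typeof raw === "string") {
    for (const part of raw.split(",")) {
      const m = part.trim().match(/^([a-z]+)=(yes|no)$/);
      if (!m || !CATEGORIES.includes(m[1]) || m[1] === "necessary") continue;
      decision[m[1]] = m[2] === "yes";
    }
  }
  if (norm["sec-gpc"] === "1") {
    for (const c of CATEGORIES) if (c !== "necessary") decision[c] = false;
  }
  return decision;
}

// What the page template would actually emit for a given decision.
// The script catalogue is constructed sample data.
function scriptsToLoad(decision) {
  const catalogue = [
    { src: "/static/app.js", purpose: "necessary" },
    { src: "/static/matomo.js", purpose: "analytics" },
    { src: "https://analytics.example-big.test/tag.js", purpose: "tracking" },
    { src: "https://tracker.example-ads.test/ads.js", purpose: "advertising" },
  ];
  return catalogue.filter((s) => decision[s.purpose]).map((s) => s.src);
}

// Stand-alone demo: one trusted first party, one curated tracker.
for (const url of ["https://example-shop.test/cart", "https://tracker.example-ads.test/pixel"]) {
  const sent = consentHeadersFor(url, userPolicy);
  console.log(url, sent, scriptsToLoad(parseConsent(sent)));
}
```

The point of splitting the logic this way is the one made in the comment above: the user sees an ordered set of category checkboxes, the wire format is a slightly richer header, and the server's job reduces to a strict parser that defaults to "no". A real deployment would still need the legal side (the site declaring its purposes and being liable for them); the header only removes the need for a popup to collect the answer.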
> I wish there was an HTTP header that meant "I don't give a shit about what you do with my data, just let me get the information I want from this website".
I'm OK with that as long as there is an equivalent HTTP header which means "NO! Do not track anything, do not profile, do not collect any information besides the bare minimum PROVEN to be essential for the site to function at all. Either something's truly essential or it isn't, there is NO Legitimate Interest category".
Unlike the failed Do Not Track header, this one should actually have legal teeth (well, at least in EU) and sites which refuse any service to visitors carrying this header should be fined (after a grace period to implement any needed changes). And why not, add provisions to pierce the corporate veil so they can't set up a hollow company to take the fall for noncompliance.
Remember, you can still show ads and profit from them, you can't just violate my privacy and vacuum all my data to Feed The Beast.
> I'm OK with that as long as there is an equivalent HTTP header which means "NO! Do not track anything".
Why is there a condition attached to this? If I communicate clearly to Google that they should track me as much as they want and hide all popups from me, say by sending them a notarized letter, what legitimate interest do you have at this point to interfere?
Given how much of my time and wellbeing has been wasted the last couple of years with those popups, my instinctive reaction to this phrasing is honestly that the GDPR-fanboy faction would be well punished if they had to continue to deal with them for the rest of their earthly lives.
Because the law explicitly wants to avoid companies being able to annoy people into doing this, and thus requires making the opposite action equally possible and easy.