This should be handled at the browser level. There's no reason for most users to ever be burdened with even a fantastically designed cookie consent window.
First, every shady website that despite the UX detriments decide that they want to sell their users must publicly state that. That is a feature. I want to know that, I want to see how far in dark patterns they are willing to go to absolutely ruin any trust they imagine they could exploit.
Second, while (most of) these popups are illegal it is so abundantly clear what and how they are trying to get away with it. If the "browser" did this for me I wouldn't know what absolute illegal nonsense they would try to sneak in via "legitimate interest".
Third, normal decently behaved sites/operators obviously don't have cookie-banners at all. That is also a feature, it is an edge. If you see two sites for X one with a cookie-banner and one without it is clear as day which one you'd close and forget.
The times I've backed out of sites because of cookie banners is uncountable. And it is liberating.
I believe by "handling at the browser level" people generally mean the option in the Settings that allow autoaccept "necessary" or "all" cookies. If you care, just leave it unchecked.
No you don't. What site operators try to push as legitimate interest isn't by any definition legitimate interest.
To have it set in the browser is quite detrimental to online privacy. Legitimate interest is an attempt to circumvent the law. It is not like your browser is sentient and could recognize that.
Oh double negations... When you decline legitimate interest, you declare to your browser: "no website has a legitimate interest." And the browser passes this information on.
Also I said this in the context of GPs statement in that legitimate interest couldn't be handled. So it without saying it goes alongside a general advertisement cookie rejection.
This all assumes websites won't just ignore your choices or deceive you either way, which is a real risk whether you do it via browser or not. The only real difference is UX. Users want a "no and never ask me again" button, and that's not possible if every website has to ask you separately.
> If the "browser" did this for me I wouldn't know what absolute illegal nonsense they would try to sneak in via "legitimate interest".
Of course you would, if it's done properly. The browser would be able to list the cookies too, but in this case in one consistent UI that wasn't built with malicious intent.
Sure, that is true. But given the wide-spread use of banners it is at least obvious that they care enough to ruin their own UX.
Which is also a huge cost. As you say, users want a "no and never ask me again". Well, you can have that today. Just don't do anything that requires anyone to say no.
And again, if a site chooses that path then the banner is a feature. It is disrespectful and although it is a royal pain it is very good for users to know up front what kind of entity they are dealing with. Remove that and people will become apathetic to it.
>Third, normal decently behaved sites/operators obviously don't have cookie-banners at all. That is also a feature, it is an edge. If you see two sites for X one with a cookie-banner and one without it is clear as day which one you'd close and forget.
The fact that almost all websites use cookie banners kinda disproves your theory.
Website operators need analytics and advertising to do their job and generate revenue. Most media runs at razor thin profits, so building those tools in-house or not using interest-based advertising would make those websites economically not viable.
I understand that your argument will be "so close down those websites". But how about you do not visit them instead?
> Building those tools in-house or not using interest-based advertising would make those websites economically not viable.
Interest-based advertising is a huge con, and in my opinion an egregious waste of energy doing all the data processing, an affront to people’s privacy, and has spent decades now distracting people who could be working on things with actual value.
Sure, you can track my every move on the internet and burn vast amounts of energy analysing that data to say “this is someone with disposable income who likes technology”, or you could just… advertise directly on the sites I frequent, and on YouTube channels I watch. The “targeted” ads I’m exposed to are invariably utterly irrelevant to me anyway. I had a recent spate of adverts for head of department teaching jobs in Dubai… I’ve never taught in my life, and I’ve got no idea what got interpreted as wanting to move to the Middle East.
I doubt it will happen, but I’d love nothing more than advertisers to stop drinking the kool-aid on targeted ads.
> an egregious waste of energy doing all the data processing, an affront to people’s privacy, and has spent decades now distracting people who could be working on things with actual value
> The fact that almost all websites use cookie banners kinda disproves your theory.
Really not true. And it gets better for every year.
Analytics and advertising does not need tracking.
> I understand that your argument will be "so close down those websites". But how about you do not visit them instead?
I try to avoid. I'm not perfect, sometimes I can't be bothered. Cookie-banners helps me decide which sites not to visit and is a constant reminder of what crappy companies still rely on them.
It is a feature. And it is pretty damning to see which developers ruins their UX for this.
Here is the thing, this has run unchecked for far too long and it takes time to change. Just look in this thread (or any other cookie-related thread on this site or on any site on the internet). People that are supposed to know still are confused and have absolute no idea that cookie-banners is an active choice for site operators. They have/had no incentive to care. Now they do, but they are so deep in denial that it will take years and years for them to even realize that the "cookie-law" was never about cookies or that these banners are an active choice.
The default is tracking, for no real reason. Sites that earn on the order of cents absolutely wreak havoc on the internet just because developers are clueless.
But the best part is that it gets better for every year. Really, it is so slow so you barely notice but if you you'd take a snapshot today and one from a year ago the difference is stark.
Only last month google of all places (because of fines, obviously) changed the youtube banner so that rejecting is the same number of clicks as acceptance. Previously rejecting took five clicks (or was it six?) and some scrolling to be able to perform all those clicks.
I want to know if people who consumed X bit of the website also consumed Y. If those are correlated, it's a good idea to give Y-like content to people who like X-like content. If they aren't correlated, it's a huge waste of everyone's time and money.
You're taking this as if every business is a huge faceless corporation.
If my employer pushed out garbage there's gonna be a real hit to our reputation (we work in a deeply technical sector - the backlash would really hurt the long term profitability).
The website itself is well organized. There's good reason to believe that people who want some X info will also be interested into Y info (due to legislation or standards set by the industry or simply because there are domain specific trends).
There really is a mutual interest in knowing these correlations. That way some segments won't be pushed useless stuff that they aren't likely to be interested in.
They said we wouldn't need tracking. How would we get those info without tracking?
No, we are not selling that data to anyone and it could be anonymous for all we care (IMO this is more an issue with the http protocol than anything else, but good luck changing that)
>I understand that your argument will be "so close down those websites". But how about you do not visit them instead?
Ah yes, "the leave my money printer alone" defense. Nevermind the exploitive underpinnings and utility through which surveillance capitalism is made possible! Just go over in your corner, and let me exploit the rest of the ignorant rubes.
No. Sorry. Absolutely not. Sometimes a foot has to be put down in the name of common decency, and clearing out a behavior that creates even greater problems. This is one of those times.
> That is a feature. I want to know that, I want to see how far in dark patterns
I get the idea, but is this really what you want, all the time? Maybe you do, but if I'd ask myself the same question - I think I'd disagree.
If I want to satisfy my interest in how scummy some website is, I sure can do my research. But typically I just don't care, it's an one-click stay. Some random article or some random website happens to pique my interest, I check it out, and all those banners and stuff are misfeatures because I don't care who runs this website and what they're willing to do to earn some money - not for a split second. All I want is to have what I came for, with the best possible signal-to-noise ratio. So read (or maybe I click the "reader view" if the site is too bad), see if the content that I came for is what I wanted, and close the tab. Maybe the content suggests that the site is really good (happens if I notice I've already seen that site more than once or twice) so I'm enticed to stay - then I'd do my research whenever it's worth to bookmark it or subscribe to something, etc.. But that's rare.
This is why I have an ad-blocker - because life is too short to be constantly distracted with all those ads. Even though some can argue they're an indicator of website scumminess. Let me judge that from the actual content, not the paraphernalia around it.
And this is the logic why I want to see that utopic world where browsers are back to being user agents, acting on my behalf and my instructions for my personal benefit. Sadly, I doubt this is ever going to be the case.
But I do want my browser to automatically act based on the decisions I've informed it about. And I don't particularly mind if it would explicitly ask me to pick "yes or no" on a few questions the very first time I start it, if that's what's needed for the consensus. I think all the noise about DNT from the ad industry was about it having some default setting - okay, if it would ask me "do you want to be tracked? yes/no" (or even "yes/no/it's complicated, show me some advanced settings...") one single time I start the browser - I guess I can live with that, if this would get those banners out and my choice will be properly respected everywhere.
> Third, normal decently behaved sites/operators obviously don't have cookie-banners at all. That is also a feature, it is an edge. If you see two sites for X one with a cookie-banner and one without it is clear as day which one you'd close and forget.
This is nonsense, there are plenty of legitimate reasons why a site operator may want to use digital analytics, advertising, etc.
There are plenty of scenarios where tracking is useful though. For example a product team may want to know how a particular segment of customers use their product vs a different segment.
Unless I am misunderstanding things rather deeply, I do not believe you need consent to track individuals' activity in your own app, with server-side logging.
You need consent to set cookies that are not relevant to the (user-side) functioning of your app/website—and since that's the only way for you to track users outside your own site (an oversimplification, but close enough), naturally you need it to track them beyond there.
> Unless I am misunderstanding things rather deeply, I do not believe you need consent to track individuals' activity in your own app, with server-side logging.
You would require consent for this as far as I understand.
I cannot name a website which has no cookie banner. This is not to say that I have not j such websites, it's just that there is no easy way for me to tell the difference between "I have visited the website long time ago and accepted a banner" vs "I was never presented a banner there".
Something browser-based that would show icon in address bar similar to http:// protocl would be far more effective in letting me prefer banner-less websites.
Yes, the regulators screwed this up. It's the browser that decides to store a cookie or not. And if the browser UI sucks people can switch and go on with their lives.
This is not about storing cookies or not alone, it is about consent to do so. And to give this consent the site has to tell me what it does and for which purposes it does that.
Good, there could have been a standardized way to ask for that consent — but to me the way a site tries to trick you into consenting is yet another data point whether I want to be on this site.
It was complicated and never caught on. I'd say the basic problem (visible also in the DNT fiasco) is that if you ask a user in a global and easy to understand way if he wants to accept tracking cookies, he'll say "no" once and for all, and that's it: you just disabled all tracking cookies everywhere. The only way it can work from the point of view of the tracking companies is to use these obnoxious dialogs everywhere: that way, at least some people will accept the cookies from lazyness.
Dubbing this “cookie consent” is almost conspiracy level misguiding of the public by advertisers. It’s not about cookies at all, they’re fine, it’s about using those cookies to track people around the internet and sell their data.
Frustratingly it seems to have worked. Recently I had to explain cookies vs tracking to a data protection analyst at work.
If you are not using incognito then you are getting tracked. These consent popups are close to useless because only good actors will obey the law, and as we’ve seen the vast majority of websites are somewhere between grey hat (asking but in a way that breaks the law) and black hat (not asking at all).
What we need is better isolation at the browser and web protocol level. This is a technical problem, not a regulatory problem. You cannot regulate actors who don’t obey the law in the first place.
Those who disobey the law can be sued. People just need to start doing it.
The goal of the law is partly to make people who run websites aware of what they do with the data of their visitors. And that means for one part that they need to know what happens with things they embed in thwir site like google analytics and google fonts (for which someone has been sued already). But it also means that once website owners are informed they can decide wheter they want to ask people for their consent or whether they just remove those third party options.
In reality many don't inform themselves at all and just slap a cookie thing onto their page, because that's what all the others are doing — just like they did with google analytics et al.
Not knowing the law is not an excuse which will help you once someone sues you tho.
There are not enough lawyers or court capacity to take the entire www to court, and even if there were, there's no way to enforce injunctions or collect on judgments when websites are operated in different countries.
This is evidenced by the fact that the GDPR already made these actions illegal with huge penalties and it has had scarcely any effect. Most websites just ignore it completely as a "strange foreign law", including this one.
> Good, there could have been a standardized way to ask for that consent — but to me the way a site tries to trick you into consenting is yet another data point whether I want to be on this site.
I get really annoyed at having to care. The economics for content sites are so poor I feel bad for a lot of them.
> This is not about storing cookies or not alone, it is about consent to do so.
Yes, and regulators misjudged the incentives. Relying on each website to create the consent UI leads to a bad outcome for users.
Login. That should be the time at which cookies are authorized. If you have an account you also presumably agreed to the use of cookies or anything else to store the session data.
While I agree on it from a logical Engineering point of view, the problem is that IMHO it'd follow the way of Do Not Track; browsers will by default set it to "1" (meaning do not track the user), so then with the power of defaults the vast majority of browsers signal do not track, and so websites ignore it and track it anyway.
If it's gonna happen at all, there will be a law enforcing that, because it's not in the interest of website owners (which also leads to the dark patterns in the dialogues).
If there is law, people can sue, which usually is enough for companies to (usually) follow it
You'd create a web standard for categorizing cookies (required, performance, login/session, metrics, etc). Meta tags? Naming scheme? .well-known? Lots of ways to do it.
If the website conforms to the standard, then the browser could use its own UI to ask the user for their preference. Importantly, the user would be able to state global preferences like: "only required and login cookies, don't ask about others", and then they wouldn't need to be prompted by every new site. If the website doesn't conform, then they'd need custom UI to comply with existing cookie laws, same a today.
So, the website could lie and say that their tracking cookies are in the required category, but they can do that already by not using a cookie banner, or miscategorizing the cookie in the banner.
I think the users who hate cookie banners and the sites that don't want custom cookie banner UI would like this approach. Sites desperate to trick users into allowing tracking cookies: they'll still find a dark pattern and we'll hate them for it.
Then people will converge on implementation patterns that couple the tracking cookie to a necessary cookie. You cannot keep one without opening the door to the other.
An easy compromise is for the default behavior to be to drop cookies when the session ends and to disallow third-party cookies. That gets you most of the privacy benefits while breaking a low percentage of sites.
A browser never creates a cookie or of thin air. A browser stores a cookie only when it's sent by the server, or set by JavaScript code sent by the server.
Right, but the browser is code you control on a machine you control. If the serve says "please store a cookie" and the browser is configured to drop all cookies when the session ends then the cookies are going to be dropped, and there's nothing short of a CVE that's going to allow the webmaster to change that behavior.
That's a moved goalpost though. We started by saying that cookies are fundamentally different from "do not track" because in the case of the latter the browser doesn't have the technical means to enforce anything and in the former it does. Your point is something rather different -- as best as I can tell you're arguing that any attempt to do something browser-side will break too many things to be useful.
I think the original point still stands (that this is fundamentally different from "do not track"), and moreover I disagree with the contents of that moved goalpost:
As a compromise solution, the vast majority of sites work fine if you delete their cookies when you're done with a session. If the browser did that by default we'd have a significant improvement in privacy and a negligible amount of breakage.
The most obvious counterpoint is login flows. That's not antithetical to the idea for a couple reasons. First, we'd all be a bit more secure if we logged out more frequently. Second, if you do want persistent sessions you've already given up exactly the same amount of privacy as if all cookies were blindly allowed since you're manually tying your visits together with that login information. With that in mind, there's no harm in having a setting somewhere for allowing cookies from the few sites you actually login to frequently. For convenience that could be tied to the existing password box detection, and otherwise it'd be something you have to dive into a menu and fiddle with to keep it from turning into the same kind of annoyance as browsers asking for notification privileges.
That would break a few things, but browsers have had a trend lately of breaking a few things for privacy gains. I don't think it's obvious that we couldn't meaningfully reduce cookie setting.
It was. That was the original design, to ask the user for each site. Then people downloaded browsers that did not ask them ... and browser developers switched it off by default.
Not for each site, for each HTTP request. So if you loaded a page with ten inline images Netscape would ask you eleven times if you wanted to accept cookies, unless you said "yes" at some point, and then it would stop asking you for that site.
The main motivator there is actually Google Chrome's abysmal tab management and navigation, as it is all but impossible to clear out tabs in a reasonable manner.
On Firefox, with Tree-Style Tabs, the problem still exists, though it is less severe.
There's still ample opportunity for tracking, unfortunately. I consider both Chrome and Android to be actively user-hostile and privacy-hostile, for what I hope are evident and well-founded reasons. Google's advertising motiviation is powerful.
Totally agree. This is as simply as discarding non-identity (even all) cookies on closing the browser by default. But the thing is that all mainstream browsers are controlled by giants and unfortunately all of which have huge interests in advertisement industry. So unless we can create a browser ourselves or we are going to have such scratching the boot solutions again and again.
Discarding cookies wouldn't work. Browsers have many ways to store data locally - cookies is the simplest, but there's localstorage, IndexDB, and webdb too. It's trivial to put a tracking ID in any of them, and send it to a third party when a user loads a page. It's one line of JS code.
To solve this problem in the browser you'd need to discard all locally stored information when the user closes it.
Thia comes with two prpblems
- first, users rarely close their browsers. They may close a tab, or a window, but the app is still running. I'm pretty sure Chrome has been running on my Macbook for months.
- second, this mechanism would break every app that actually respects user privacy. Apps that don't upload data or track people need the users content and prefs to be held locally between sessions. By wiping it you'd force app developers to implement mechanisms to put that data in the cloud, which is the opposite of your intent.
I feel like we should probably have the concept of an "intent" for any bit of data that we'd like to store in a browser and partition the storage by that:
Intents:
- REQUIRED_FOR_SITE_FUNCTIONALITY (translation "Required For Site Functionality")
- FIRST_PARTY_ANALYTICS (translation "First Party Analytics")
- THIRD_PARTY_ANALYTICS (translation "Third Party Analytics")
- FIRST_PARTY_MARKETING (translation "First Party Marketing")
- THIRD_PARTY_MARKETING (translation "Third Party Marketing")
Let the browsers themselves provide UI for accepting or denying these (maybe the users should be able to choose their own defaults per intent):
Message:
https://some.site would like to use your browser to store data for these intents:
Required For Site Functionality [X] Yes [ ] No
First Party Analytics [X] Yes [ ] No
Third Party Analytics [ ] Yes [X] No
Unspecified [ ] Yes [X] No
[ Submit ]
Which could then correspond to how everything is stored in the browser:
And extend the JavaScript API for cookies (and also all other mechanisms for storage, this is an example):
document.cookie = "user_id=1234"; // this would go under Unspecified
document.cookie = "intent=REQUIRED_FOR_SITE_FUNCTIONALITY; user_id=1234"; // this would go in the proper group
document.cookie = "intent=THIRD_PARTY_MARKETING; uid=1234"; // this would throw something like an IntentViolationError
And ideally something for checking these intents as well:
let canUseRequired = document.intents["REQUIRED_FOR_SITE_FUNCTIONALITY"].accepted; // true
let canUseTPAnalytics = document.intents["THIRD_PARTY_ANALYTICS"].accepted; // false
Who would define these types? Well, i think that there are two ways:
- have some international body decide on these types
- allow custom types per site, maybe with different UI for that
And then just prosecute those who don't follow the convention and abuse the mechanisms.
Do you want another useless feature in your browser? Because they tried that with Do Not Track, and it is absolutely useless, because a website can ignore it.
You infer that the browser makers, and the content suppliers are not aligned.
But this is not the case. The biggest browser maker is also the biggest cookie tracker.
In theory this would be a point of differentiation for say Firefox, but then again the biggest funder of Firefox is also.... Da dum.... That's right, the biggest beneficiary of cookie tracking...
I imagine there are browsers out there that offer what you want, but you'd have to go looking for them.
Google gets no money from people using Chrome, what they get is the ability to track you directly. They turn that tracking into adverts, which is ultimately their revenue stream. They absolutely _could_ do a good job to prevent you being tracked - they absolutely have no incentive to do so.
Likewise Firefox. They _could_ implement tracking protection. But they (so far) clearly choose not to. You say they'd do a good job, and I agree, but it's not like they haven't thought of it, or they're waiting for approval from the HN forums before implementing it. Given they have chosen not to do it, it makes you think maybe there's a reason for that. And maybe that has to do with the wishes of their biggest benefactor...
Of course I might be wrong. Perhaps they're just thinking that tracking everyone is good for the end user, and so they want to provide a browser which offers users the best possible experience. That's obviously a possibility as well.
Google avoids losing money by having a large Chrome user base. It's the same as making money. They have to write checks to Firefox and Apple to maintain access to those users, but not with Chrome.
> Likewise Firefox. They _could_ implement tracking protection.
I stand corrected, that looks like a jolly good start.
Reading Firefox, Google gets money from chrome by a second order effect - from users using Google as their search engine. They also get money when you browse the web from adverts. The value of those adverts goes up the note they can track you.
Google avoids losing money by keeping tracking in the browser high.
This should be handled at the browser level. There's no reason for most users to ever be burdened with even a fantastically designed cookie consent window.