The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.
"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be.
https://www.techspot.com/news/108043-german-court-takes-stan...
Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.
Viewing corporations as amoral bots that are justified in squeezing every bit of profit out of humans is exactly what is wrong with our society. Someone in a big tech was the inventor of this dark pattern and they think they're awesome for finding a loophole in the well-meaning regulation, at the cost of the costumer they supposedly should serve. That person is the problem, and so are the people that followed them
> ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Meaning if you force users into pressing a button or let them scroll through 1000 no options, with one easy yes option, you have not collected their free consent. Congrats you broke the law.
Meaning if you just have them click yes, but not informed them about the harmful data collection you did not collect free consent.
> No, the problem is 100% the law, because it was written in a way that allows this type of malicious compliance.
There is no malicious compliance here, just breaking the law. So if it is the problem of laws that they are broken then according to you all laws are 100% the problem. That stance, IMO, is beyond stupid.
You think websites like having this crap? You think they haven't considered alternatives? What greedy corporate executive is thinking "yes, let's make our product considerably worse just to prove a point"
They obviously looked at the alternatives and decided that the benefits of cookies or the cost of compliance is bad enough to allow for this crappy experience. And they all pretty much decided across the board.
So what problem is this cookie crap trying to solve? No one asked for it, no one wants to comply and now we're just making the web worse off as a result.
> Laws need to be written well to achieve good outcomes.
This is a critical failure point which should get more attention. Laws (and regulations) are like computer code in some key ways. Early computer code was written assuming it would be run by experts in trusted, benign environments that were relatively fixed in size and complexity. Our legislative law-making structures were created with similar assumptions. As the world changed, code changed but law-making structures didn't.
At a minimum, while being drafted laws should be subject to independent red-teaming and penetration testing to A) Assess their ability to actually accomplish their stated intent over time in the real world, and B) Surface likely unintended perverse consequences. Of course, that still wouldn't solve the issue of intentional weakening of laws with vague terminology, incomplete scoping, inserting loopholes, exceptions, etc by special-interest-driven legislators.
Sadly, these days I think intentional nerfing of laws during drafting is the biggest cause of 'bad laws'. But at least the red-teaming concept might prevent some unintended bugs on top of lobbyist-driven nerfing.
I agree. The law was lobbied to death before it was passed. Thus, the lawmakers are the problem.
The intent was nice, but the ask from the article is essentially asking browsers to implement uBlock Origin built-in and expect Google to just comply without pushback.
Unlike to happen because the ones that got us the current law, the ones that make the browsers, and the ones that make money from the ads (cookies == ads) are all the same companies.
Well written laws are difficult to create. You usually wind up with one of
- The law allows things it shouldn't, or
- The law disallows things it should
And the later gets swept under the rug as "we won't enforce it that way"... and then it winds up getting enforced exactly that way because someone has an agenda, and this is a hammer.
Like mentioned by sibling comments, GDPR explicitly does not allow this. It's just the fact that enforcement is spotty and complicated by the fact that the responsibility is shared across all EU member states with limitations what each country can do by itself, with some countries' data protection authorities intentionally dragging their feet to protect multinationals.
It's the same issue as with most EU-wide issues, where there's always countries competing with each other at the benefit of others.
Also GDPR is not exclusive to browsers or internet, it's applicable universally, for both online and offline businesses and processes, which is why it can't and doesn't prescribe exact technical implementation details.
Although I agree the law isn’t as good as it could be. It’s also impossible to create perfect law when websites are looking to avoid the spirit of the law to begin with.
Otherwise how can we explain “please see our privacy policy and send us a sneaker email to opt out” kind of tracking options.
browsers should be developed so they do not provide the web server any more information than any other visitor.
web browsers should curl the website and process it locally without telling the server anything else.
It seems like web browsers were developed in a pre-surveillance capitalism world
And you write 100% bug free and secure software right? There is no way a law can account for every malicious tech bro trying to subvert it on first pass, or even after that. It is always a constant battle with bad actors.
Of course. The law is clear, the intent is clear and the guidelines are clear.
I think the biggest challenge (and the reason why it feels this is everywhere) is because of the handful of "big corporations" controlling the browsers. Neither Apple nor Google have any interest in making tracking opt-in or working to make this into a standard.
In my view, the situation will be greatly improved with policy like the DMA being amplified even further to prevent cartel-like reactions from the FAANGs (whatever the acronym is today). We have a deep "culture difference" with the US, where everyone expects everything to be spelled out for them in the law so they can sue each other into oblivion, but the reality is this doesn't work. We need to reduce the influence of bigger players and install guardrails so it will never be possible again for a single company to have such dramatic influence over the world.
Imagine how many of these consent prompts can be removed if it wasn't for the fact that even loading a Google Font exposes one to a few hundred "partners"?
> Neither Apple nor Google have any interest in making tracking opt-in or working to make this into a standard.
Apple has taken steps to make it harder to track, both in iOS apps and in the browser.
It's Google whose revenue depends entirely on surveillance advertising.
The problem is that the technical methods surveillance ad networks use within the browser to track us are features that are useful for many other things.
Trying to redefine this as a technical problem, that can be solved purely by getting the browser makers to change how browsers work, rather than a sociopolitical problem, will fail. Sure, there are more things that Google—and probably Apple—could be doing to protect us, but they can't completely stop the tracking.
The way to stop the tracking is to make laws banning targeted advertising.
> everyone expects everything to be spelled out for them
Strictly speaking, that's how civil law works, spelling out explicitly the statutes.
By contrast, common law statutes can be (but are not always), more concise but more vague, putting greater emphasis on the courts to interpret them.
That is one reason USA is more litigious, but it probably isn't the only reason. After all, Germany has the infamous legal bounty hunters (one of the words may be "Abmahnanwälte" but I think there's a different one), and Germany is a civil law country, so USA being common law can't fully explain it.
The biggest challenge is that websites wouldn't be able to pay the bills if they didn't track you (show you ads). The price we would pay for that is an open and freely accessible internet. Websites like YouTube, Twitter, and Reddit would likely never have been as successful if there wasn't the ad market (even if those websites don't use that, the existence of such a possible pivot still adds to the value of such a site for investors).
People respond to this with "but you don't have to track people to show them ads!" But that's naive and shows that you really haven't thought it through. What's the value of an ad to you in Chinese? Russian? Japanese? Latvian?
The answer is zero. You would constantly get ads that are completely irrelevant to you and the company that bought advertising. Even with today's tracking this still happens a lot. I still ads every week that are in a language I do not understand.
Take your Google Fonts example - would that even exist if it wasn't for the "exposed to 100 partners" part? Quite possibly not.
But I don't want to deal with "Accept All" and "Decline All" either.
First, I, the user, am requesting to open the website. It's not the website imposing on me. My browser, which supposedly is under my control, is what forwards all the data.
Second, there is absolutely no way to know whether the website actually does what it says based on the cookie pop up. If it's a website based outside the EU then there's no way to enforce this cookie pop up.
But if the browser handles this, then there is a way to enforce it. Of course, the downside there is that the website will then use other means to potentially collect the data, meaning that you still need the law to limit such data collection.
Counterpoint - making every website you visit ask you about cookies still absolutely sucks. Even when they are fully in compliance it's a bad experience that makes using the internet worse.
And it's all because the law was written by lawyers who care less about user experience or privacy than the companies that have to enforce it.
Tracking by default is not an acceptable solution, so I would say respecting the Do-Not-Track header must be mandatory and enforced by laws and percentage of global revenue fines.
That wouldn’t help much in terms of annoyance, because you need the option of per-site or per-service opting-in to tracking cookies (like “remember me” checkboxes and similar functionality), and then you can’t really prevent web pages showing a banner offering that opt-in option. It wouldn’t be exactly the same as today’s cookie banners, but websites would made it similarly annoying.
GPC (Global Privacy Control) is the header that's actually being enforced in (parts of) the US. DNT is considered deprecated by many, due to the nonconsensual way that Microsoft rolled it out.
The Global Privacy Control (GPC) is the header that actually has enforcement behind it in the US, and there are already companies getting fined. California has partnered with several other states to broaden enforcement.
Would love something better than GPC, but in the interim, the EU should start considering it as a proper signal of (lack of) consent, obviating the need for a banner altogether.
I would blame ad providers more than individual website owners. From my experience, ad providers have made it very difficult to serve their ads unless you use an ad-supported cookie consent manager. I tried to write my own simple cookie consent form and gave up after realising how obscenely complicated TCF is. And since most ad-compatible cookie consent banners are provided by the ad companies themselves, you kinda just get stuck with bad options. I even tried to pay for a commercial cookie consent manager but it wasn’t supported by my ad provider.
If I had more time I probably could have figured it out. But unfortunately I’m just running a hobby project and do not have weeks to spend on this. The revenue from the ads is what pays for hosting. I imagine lots of websites are in a similar boat.
I would love if there was a simpler option that could respect people’s privacy more, be less annoying, and that would still allow websites like mine to survive by running ads. Targeting browsers instead of websites could have been that option.
The problem here is the problem everywhere; we still as a world have no remotely effective way to actually punish companies-as-bad-actors on the internet or in tech generally.
None of any technical ANYTHING matters until we (meaning law and government) inflict truly meaningful consequences. Fines, breaking up companies, perhaps even jail time, etc.
Yes. The problem isn't the letter of the law, it's that governing bodies like the EU need something like an enforcement czar who tells companies in no uncertain terms that if they're going to try to be clever they're going to get the ol' Jack Ma treatment. Stop letting the tail wag the dog.
And before someone says that it will hamper innovation, I used to live in China and talk to investors often, they would always stress that for every guy with a billion who can't play by the rules there's a thousand guys with a million who have no problem taking the market share, that's hardly an issue
We just refuse to use them, because our politicians either believe that companies should have more rights than we do, or are terrified that if they actually try to enforce the law on them they'll lose out on massive amounts of campaign contributions (whether direct or indirect).
My default firefox settings rejected content tracker and in the end no cookies were created at all, plus there was just one failed CDN request outside original domain.
Everyone states this. At the same time, any official site I have ever visited for the EU government/regulators _has cookie banners_. Why would the EU malicious compliance itself?
Or we could stop the charade of that cookie laws prevents tracking and get rid of all the stupid banners. All the beacons are firing in the back(server to server) now and all session data is passed on the inbound URL and stored. Browsers banning third party beacons, cookies laws, etc don't do anything. You can't even tell your being tracked.
GDPR is not about Cookies, it's about all tracking, including the examples you mention. As far as I understand the GDPR, the things you mention would also require the user to opt-in to be legal
That law has "discovered" that these rules for these sites suck because nobody wants to sit and decide what they want on a site by site basis and thus the "just get out of my face" kinda clicking and annoyance works.
The idea that just visiting any given site I visit means I have to make some legal agreement makes no sense.
> Given a free choice, how many people actually want to be tracked?
Good question. But there isn't enough information to answer the question. Are these people properly informed about what "tracking" means, or do they think this means companies are passing around their full names and addresses on post-it notes?
This is the problem, the law clearly recognizes tracking as something people don't want. The fact that they let every website beg you to allow tracking instead of banning all but functional cookies is the problem. They capitulated to advertisers and this is the result.
> but malicious compliance by websites that don't want to give up tracking
It isn't even compliance, they are just breaking the rules by as much as they think they can get away with and so far, for the most part, they are getting away with it.
Important not to confuse the actual result vs. the hoped-for result.
You HOPED that websites' top priority is to provide the best possible experience. The REALITY is that not getting sued is way more important than removing all possible user inconveniences.
I wonder why people don't build a collection of scripts into a browser plugin, like Adblock that auto rejects all tracking info to the greatest extent possible?
"The problem is not the law but with the people who don't follow it."
I mean... uh.
If the world would only consist of people who want to cooperate and don't have malicious intentions, then WE WOULDN'T NEED THE LAW AT ALL.
The law exists BECASUE OF the people who don't want to comply. So if the law doesn't control those people who don't want to comply, then the problem is with the law.
Because if we're saying that the problem is with the people, then the discussion is pointless like a black hole.
> The problem here is not the law, but malicious compliance by websites that don't want to give up tracking.
If that was the case, then why does the site from the EU first off track... and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?
If there was a solution to having cookies and some other way of informing visitors of it, shouldn't that be demonstrated on the official EU government explaining GDPR?
> If that was the case, then why does the site from the EU first off track
If you are asking why there isn't a "reject all" button on their webpage then the answer is simple. There is one. The "Accept only essential cookies".
> and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?
GDPR (general data protection regulation) is about general data protection, not about technology. It applies the same no matter if you are using cookies or something else.
> Can a company go wrong implementing the same approach as https://european-union.europa.eu/index_en uses? Why is that considered malicious compliance with the law?
The example you've given is an example of compliance since there is a button to reject all tracking cookies. Whenever you read the words malicious compliance within the context of this discussion you can just swap it with the word illegal which is the correct word for the behavior that is being bemoaned here.
One thousand percent yes. And I'll repeat because people need to see it called out as often as possible: this is due to malicious compliance by websites. Period.
I'm so cynical now that I can't read articles like this without my first reaction being to look at how it benefits companies that profit from ads.
My two theories here?
1. An attempt to shift liability from companies having to comply with GDPR to browsers having to comply.
2. An attempt to consolidate all cookie consent into the three (?) browser engines we have... so efforts to thwart it can be focused on just those places.
The problem is exactly the law then because it was written so incompetently that it left the loopholes to allow websites to try and trick accepting.
Should have been written in the law that it’s a one toggle in browser settings.
If government is going to impose on the internet the least they could do is be competent in what they impose. Not writing laws that waste lifetimes in collective hours a day as every person in Europe deals with multiple of these dialogs a day and thousands a year.
> it left the loopholes to allow websites to try and trick accepting.
It did not. These practices are illegal under the GDPR, the problem is a chronic lack of enforcement by most national enforcement agencies in all but the most severe cases.
Some are just ineffective but others have gone completely rogue. Swedish Data Protection Authority (DPA) for example takes the position that commercial data brokers like Mrkoll are allowed to publish and sell people's personal information (including your current home address, hello stalkers!) [1] and that this is somehow protected under the pretense of "journalism" [2].
> Should have been written in the law that it’s a one toggle in browser settings.
No!
For crying out loud..... The law says if you want to track me (advertisers take a bow) then in each case, you must have my explicit opt-in permission to do so. And so you should!
Having a browser toggle setting isn't explicit opt-in consent.
Or just ban this kind of data collection. Is there any reason anyone would willingly click "Accept" when a website asks to share your data with 500+ partner sites?
For that matter, companies should be banned from referring to selling off your data to random spam companies as "sharing with partners." Partners comes with an implication of being somewhat equal or at least on trusting terms. The companies selling our data don't trust these companies. They probably don't even know their names.
If the data is being sold, it should be legally required to word it in that way. If there's even the slightest possibility of your data being leaked to spammers, it should be worded to reflect that.
"Do you consent to us selling your data to any party that wishes to buy your data? Do you consent to the possibility that your data will be used to spam you or steal your identity in the future? Yes/No"
The word "partner" lost its meaning completely. Each business relation is a "partner" these days. Guess it sounds nicer than "company that pays me to do stuff and bug you about"
> companies should be banned from referring to selling off your data to random spam companies as "sharing with partners."
They are under the GDPR.
If you ask for my data, you must do so fairly and tell me what you are using it for.
In the examples you site, if you read the small print "sharing with partners" will go on to say advertising 'letting you know about products and services' and other such shite.
Targeted ads generally bring in 3x the revenue of generic ads. Personally speaking, I'd rather have 1/3rd the ads on a page and allow my data to be tracked. I don't mind my data being tracked, and I'd rather see ads for keyboards / mens clothes (what I buy) than diapers / ladies shoes (who knows what tomorrow holds, but this is not what I'm buying at the moment).
1. Targeted ads being more profitable has no relevance to the number of ads on the page. Advertisers will always try to maximize the number of ads and potential profits regardless of profitability.
2. Contextual ads are not targeted and would not be showing you adverts for diapers or ladies shoes- unless you are reading about diapers or ladies shoes.
The same could be said with all advertising and surveillance.
No one wants to be advertised to, but powerful lobbies argue that ending ads will lower consumption and thus harm the economy; and no politician wants to lower GDP.
No one wants to be spied on, but powerful lobbies argue tracking people allow better security; and no politician wants to be soft on crime and terrorism.
The single most powerful lobby, by far, to the point that it is essentially the only lobby, is the enormous mass of people who refuse to pay money for content. Absolutely refuse.
Even when you give them the option to pay, with no ads or tracking, the conversion rate is still around 0.5-1%.
>> No one wants to be advertised to, but powerful lobbies argue that ending ads will lower consumption and thus harm the economy; and no politician wants to lower GDP.
I doubt that. People tend to spend their money regardless. Advertising just determines what they spend it on.
In some sense, "no one wants to be advertised to" is similar to "no one wants to pay for stuff". Like yeah it'd be nice if my groceries were free, but that's not very realistic, the grocery store would just close if they had to give everything away. Advertising is similar - a cost we pay so that websites can make some money in exchange for their services. Most ad supported websites would just disappear without them.
I agree, the context of the website/topic/whatever should be more than enough to derive enough to load an add. On a hackerspace page? put up some rpi or DMM add. On rock music site? Thow up some vinyl adds or guitar tabs. Etc.
Guess what, those banners are still up because it's pretty hard to actually bring the banhammer. At best you have too small team working with huge backlog
On this note, this is a good reminder that if you don’t collect information in this way, your website is under no obligation to provide a cookie banner.
Any website that uses a cookie banner is going above and beyond what they need to do to run a functional website in order to track you.
Some websites, mostly news outlets, can legally withhold access completely, and do, unless you accept all cookies or pay for membership.
If my 'data' is a no logs vpn address with a privacy hardened browser running in a VM on an isolated VLAN with encrypted DNS then why wouldn't I just laugh and click accept cookies in a sandboxed tab (so said cookies only exist for that tab and are cleared when it is closed.
What youre saying most users dont have this level of privacy by default? Why not?
>Some websites, mostly news outlets, can legally withhold access completely, and do, unless you accept all cookies or pay for membership.
GDPR article 7, section 4: When assessing whether consent is freely given, utmost account
shall be taken of whether, inter alia, the performance of a contract,
including the provision of a service, is conditional on consent to the
processing of personal data that is not necessary for the performance of
that contract.
basically: A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service
The thing people need to understand here is that the annoyance is not due to lack of technical solutions, or regulations forcing something. It is explicitly wanted by the industry so they can maximize the consent rate. The browser solution is probably the best technical/user friendly one, but ad tech/data gathering industry won't have any consent. As they control most of the web, they will never do that
It was implemented in browsers and ignored by sites. Chrome help says:
Turn "Do Not Track" on or off
When you browse the web on computers or Android devices, you can send a request to websites not to collect or track your browsing data. It's turned off by default.
However, what happens to your data depends on how a website responds to the request. Many websites will still collect and use your browsing data to improve security, provide content, services, ads and recommendations on their websites, and generate reporting statistics.
Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. Chrome doesn't provide details of which websites and web services respect Do Not Track requests and how websites interpret them.[1]
About the best we have browser side is a mode where all cookies are cleared at browser exit.
That's not an implementation. That's a request to sites that you visit to comply willingly. An implementation would be defensive.
It's what you would do if you had the crazy idea that a browser should be a client for the user, and only a client for the user. It should do nothing that a user wouldn't want done. The measure of a client's functionality is indistinguishable from the ability of the user to make it conform to the their desires.
> About the best we have browser side is a mode where all cookies are cleared at browser exit.
No. The best we have are adblockers and scripts like consent-o-matic.
Clearing cookies does mostly clear cookies, tracking goes far beyond that. Clearing cookies has always been a red herring enabling adtech submarines like "I don’t care about cookies".
Correct. Age verification and privacy consents belong on the browser. The issue is that on the browser, things work a bit too well (remember https://en.wikipedia.org/wiki/P3P ?), so the big players are incentivized to ignore completely the browser-based mechanisms and say/do nothing whenever they see lawmakers going on a dumb direction (risking fines is a reasonable price to pay in order to kill adoption of an actual browser/OS based control that would cause a dent to their tracking operations) that puts the onus on individual website operators.
I believe Medium's DNT implementation showed a little confirmation button on embedded Youtube players. That's the kind of consent screen you may still need with proper DNT handling.
None of those cookie popups, though. That's all malicious compliance.
I don't think this is true. DNT being absent or set to consenting is not enough to infer the user has given specific and informed consent under the GDPR.
> Explicit consent: Under the GDPR and similar laws, consent must be specific, informed, and an unambiguous, affirmative action from the user. Consent cannot be assumed by a user's continued browsing or inaction, which is what DNT would require.
I disagree that this should be in the scope of a browser.
Cookie banner are called cookie banners because they‘re most frequently associated with the opt in for tracking cookies, but this kind of opt in is required for any kind of third party involvement that goes beyond technical necessity.
Your browser has no way to tell what third party present on the site is a technical necessity and which one isn‘t. So you‘d have to tell it - making it part of the site providers problem as well. But this time its worse, because responsibilities are mixed between the site operator and the third party.
DNT doesn't solve all problems, though. Not only is DNT being deprecated, it also lacks the proper customisability the law actually prescribes for data processing.
There's no value you can give DNT that says "you can do your own on-site tracking and telemetry and I accept sharing my data with Sendgrid for your newsletter, but I do not want third-party trackers".
As a practical example: there are news sites that will not play videos if you hit "deny all" because their video host does some viewership analytics. I'm fine with that, but not the 750 other advertisers the news site tries to have me track.
Of course, "deny all" should be an option, "accept all or deny all" isn't control.
For the longest time we had https://en.wikipedia.org/wiki/P3P as a basis to build on, but that officially died the day Edge became Chromium-based.
It's already seen as a valid opt-out signal against this sort of thing in Germany. LinkedIn got in trouble and lost a court case for not respecting the DNT header if memory serves me right.
A web browser is technically incapable, by design, of knowing whether any piece of a website (1) is there for the purpose of having the website actually work, or for the purpose of tagging and tracking the end user. Only the website owner chooses those purposes, and only the website owner is in a position to determine (or maliciously hide) which technologies are being used for which tracking or technical purposes.
(1) Cookie laws apply to: Cookies, gif pixels, JS fingerprints, and any other tehcnical means that can be technically exploited to track an individual
No one is expecting browsers to identify the purposes of cookies. Websites would still need to register cookies as either technically necessary or not. That part stays the same.
As far as malicious/non-compliant websites go, cookie banners don’t make that issue better or worse. They can lie just as easily with a banner. In fact this implementation makes it easier as no one needs to build those ugly banners anymore. (Devastating for the pop up industry though.)
Right, the it would be legally required have to have "third-party" vs "strictly necessary" tags on the cookie itself, which someone could challenge if they were inaccurate (in the same way that the GDPR can in theory be enforced now). Then the browser could simply do what the user wanted with the tags. This could even be a status item in the URL bar, similar to the HTTP / HTTPS icon, that would allow you to enable or disable tracking on a per-site basis (if you didn't want a global policy).
Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.
> Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged
While enforcement is effectively nill, they already need to do that according to the actual EU "cookie law" (ePrivacy Directive rather than GDPR). If you set cookies, you have to explain to the user what they're there for.
Hilariously, many websites have no idea what the cookies their trackers set are for, and I've caught a bunch of them use language like "seemingly" and "apparently" when describing what purposes cookies actually serve.
If only browsers gave P3P[1] the attention it deserved. The protocol isn't exactly perfect and the unmistakable footprint of early 2000s XML obsession are there, but it could've prevented cookie banners from ever being accepted if only browsers had designed proper UI around an updated version of the protocol.
> Your browser becomes your personal privacy enforcer, and the law would require it to act on your behalf. Based on your one-time choice, it would be responsible for allowing or declining cookies from every site you visit. If a website tries to use a cookie with an unclear or undeclared purpose?
Browsers are something the end-user installs. Inserting the government into that doesn't make sense.
This sounds like the idea is for the site to add extra metadata that's not there now, about what each cookie does. Which would still involve mandating site owners to do things.
I've come up with an easy solution, which works almost all the time. When a cookie consent dialog interferes with me using the website, I close the tab and move on.
I've found a high correlation between cookie consent notices and low-signal content, so this strategy has actually saved me a lot of time I would've spent reading/watching something that doesn't help me.
But to the flights example, I was just looking for flights starting at Google Flights, which doesn't have cookie banners, and the two sites I went to for booking also did not have cookie banners.
I believe this is already starting to be solved via Global Privacy Control (GPC) [1], and has already been implemented in Firefox to replace Do Not Track [2]. All that remains is to see if lawmakers will catch up and make it a legal requirement to follow...
DNT already had legal weight in the EU. I don't see what problem is being solved by sending a slightly-renamed version of DNT instead, other than the weird privacy law a few American states have implemented that says "if the browser sends the signal by default it's not a legal signal and you should therefore ignore it" (which will probably be updated to neuter GPC if that ever gets any serious attention, the las were clearly written to give trackers the advantage).
California now has a law that requires browsers to have an opt-out setting (effective in 2027) [1]. So far, websites are required to respect opt outs via browser settings or extensions in California, Connecticut, and Colorado [2]. That is also the case for New Jersey [3].
Readit News
"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...
Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.
Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.
The sites are just trying to maximize profit, as anyone could predict. So write better laws.
So maybe “malicious compliance” is a misnomer. We should just call it "illegal dark pattern".
Also, please remember that in Europe there is no such thing as "the spirit of the law versus the letter of the law." The intent of the law IS the law.
To quote Article 4(11) – Definition of Consent
> ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Meaning if you force users into pressing a button or let them scroll through 1000 no options, with one easy yes option, you have not collected their free consent. Congrats you broke the law.
Meaning if you just have them click yes, but not informed them about the harmful data collection you did not collect free consent.
The law is pretty clear on that.
What are you referring to here? Where in the law is this allowed?
There is no malicious compliance here, just breaking the law. So if it is the problem of laws that they are broken then according to you all laws are 100% the problem. That stance, IMO, is beyond stupid.
They obviously looked at the alternatives and decided that the benefits of cookies or the cost of compliance is bad enough to allow for this crappy experience. And they all pretty much decided across the board.
So what problem is this cookie crap trying to solve? No one asked for it, no one wants to comply and now we're just making the web worse off as a result.
This is a critical failure point which should get more attention. Laws (and regulations) are like computer code in some key ways. Early computer code was written assuming it would be run by experts in trusted, benign environments that were relatively fixed in size and complexity. Our legislative law-making structures were created with similar assumptions. As the world changed, code changed but law-making structures didn't.
At a minimum, while being drafted laws should be subject to independent red-teaming and penetration testing to A) Assess their ability to actually accomplish their stated intent over time in the real world, and B) Surface likely unintended perverse consequences. Of course, that still wouldn't solve the issue of intentional weakening of laws with vague terminology, incomplete scoping, inserting loopholes, exceptions, etc by special-interest-driven legislators.
Sadly, these days I think intentional nerfing of laws during drafting is the biggest cause of 'bad laws'. But at least the red-teaming concept might prevent some unintended bugs on top of lobbyist-driven nerfing.
The intent was nice, but the ask from the article is essentially asking browsers to implement uBlock Origin built-in and expect Google to just comply without pushback.
Unlike to happen because the ones that got us the current law, the ones that make the browsers, and the ones that make money from the ads (cookies == ads) are all the same companies.
- The law allows things it shouldn't, or
- The law disallows things it should
And the later gets swept under the rug as "we won't enforce it that way"... and then it winds up getting enforced exactly that way because someone has an agenda, and this is a hammer.
It's the same issue as with most EU-wide issues, where there's always countries competing with each other at the benefit of others.
Also GDPR is not exclusive to browsers or internet, it's applicable universally, for both online and offline businesses and processes, which is why it can't and doesn't prescribe exact technical implementation details.
But we see how some companies cough cough Apple cough throw massive hissy fits and tries to find the most minuscule opening on the law
Deleted Comment
Otherwise how can we explain “please see our privacy policy and send us a sneaker email to opt out” kind of tracking options.
It seems like web browsers were developed in a pre-surveillance capitalism world
Of course. The law is clear, the intent is clear and the guidelines are clear.
I think the biggest challenge (and the reason why it feels this is everywhere) is because of the handful of "big corporations" controlling the browsers. Neither Apple nor Google have any interest in making tracking opt-in or working to make this into a standard.
In my view, the situation will be greatly improved with policy like the DMA being amplified even further to prevent cartel-like reactions from the FAANGs (whatever the acronym is today). We have a deep "culture difference" with the US, where everyone expects everything to be spelled out for them in the law so they can sue each other into oblivion, but the reality is this doesn't work. We need to reduce the influence of bigger players and install guardrails so it will never be possible again for a single company to have such dramatic influence over the world.
Imagine how many of these consent prompts can be removed if it wasn't for the fact that even loading a Google Font exposes one to a few hundred "partners"?
Apple has taken steps to make it harder to track, both in iOS apps and in the browser.
It's Google whose revenue depends entirely on surveillance advertising.
The problem is that the technical methods surveillance ad networks use within the browser to track us are features that are useful for many other things.
Trying to redefine this as a technical problem, that can be solved purely by getting the browser makers to change how browsers work, rather than a sociopolitical problem, will fail. Sure, there are more things that Google—and probably Apple—could be doing to protect us, but they can't completely stop the tracking.
The way to stop the tracking is to make laws banning targeted advertising.
Strictly speaking, that's how civil law works, spelling out explicitly the statutes.
By contrast, common law statutes can be (but are not always), more concise but more vague, putting greater emphasis on the courts to interpret them.
That is one reason USA is more litigious, but it probably isn't the only reason. After all, Germany has the infamous legal bounty hunters (one of the words may be "Abmahnanwälte" but I think there's a different one), and Germany is a civil law country, so USA being common law can't fully explain it.
People respond to this with "but you don't have to track people to show them ads!" But that's naive and shows that you really haven't thought it through. What's the value of an ad to you in Chinese? Russian? Japanese? Latvian?
The answer is zero. You would constantly get ads that are completely irrelevant to you and the company that bought advertising. Even with today's tracking this still happens a lot. I still ads every week that are in a language I do not understand.
Take your Google Fonts example - would that even exist if it wasn't for the "exposed to 100 partners" part? Quite possibly not.
First, I, the user, am requesting to open the website. It's not the website imposing on me. My browser, which supposedly is under my control, is what forwards all the data.
Second, there is absolutely no way to know whether the website actually does what it says based on the cookie pop up. If it's a website based outside the EU then there's no way to enforce this cookie pop up.
But if the browser handles this, then there is a way to enforce it. Of course, the downside there is that the website will then use other means to potentially collect the data, meaning that you still need the law to limit such data collection.
And it's all because the law was written by lawyers who care less about user experience or privacy than the companies that have to enforce it.
Would love something better than GPC, but in the interim, the EU should start considering it as a proper signal of (lack of) consent, obviating the need for a banner altogether.
If I had more time I probably could have figured it out. But unfortunately I’m just running a hobby project and do not have weeks to spend on this. The revenue from the ads is what pays for hosting. I imagine lots of websites are in a similar boat.
I would love if there was a simpler option that could respect people’s privacy more, be less annoying, and that would still allow websites like mine to survive by running ads. Targeting browsers instead of websites could have been that option.
None of any technical ANYTHING matters until we (meaning law and government) inflict truly meaningful consequences. Fines, breaking up companies, perhaps even jail time, etc.
And before someone says that it will hamper innovation, I used to live in China and talk to investors often, they would always stress that for every guy with a billion who can't play by the rules there's a thousand guys with a million who have no problem taking the market share, that's hardly an issue
We just refuse to use them, because our politicians either believe that companies should have more rights than we do, or are terrified that if they actually try to enforce the law on them they'll lose out on massive amounts of campaign contributions (whether direct or indirect).
Not bad.
That law has "discovered" that these rules for these sites suck because nobody wants to sit and decide what they want on a site by site basis and thus the "just get out of my face" kinda clicking and annoyance works.
The idea that just visiting any given site I visit means I have to make some legal agreement makes no sense.
Do any browsers support running a minified LLM on device through an extension?
Training an LLM to reject optional cookies (or better yet, fuck with the telemetry) would seem highly doable nowadays.
Best way to get rid of the cookie banner is to just forbid tracking completely. Given a free choice, how many people actually want to be tracked?
Good question. But there isn't enough information to answer the question. Are these people properly informed about what "tracking" means, or do they think this means companies are passing around their full names and addresses on post-it notes?
Nobody wants this crap.
It isn't even compliance, they are just breaking the rules by as much as they think they can get away with and so far, for the most part, they are getting away with it.
You HOPED that websites' top priority is to provide the best possible experience. The REALITY is that not getting sued is way more important than removing all possible user inconveniences.
Deleted Comment
NoScript too.
And AdGuard.
I do this more and more, and I think it's the right and best thing to do.
If they are showing you a toggle and calling it for "legitimate interest", they are most likely lying.
They love to put cookies under "performance and enhancements" as if that isn't bullshit as well.
All legitimate interest cookies are in the greyed out toggle for "required cookies".
By law, you can decline all and the site should still work fine, which again means they won't allow you to turn off actually needed cookies.
I mean... uh.
If the world would only consist of people who want to cooperate and don't have malicious intentions, then WE WOULDN'T NEED THE LAW AT ALL.
The law exists BECASUE OF the people who don't want to comply. So if the law doesn't control those people who don't want to comply, then the problem is with the law.
Because if we're saying that the problem is with the people, then the discussion is pointless like a black hole.
If that was the case, then why does the site from the EU first off track... and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?
If there was a solution to having cookies and some other way of informing visitors of it, shouldn't that be demonstrated on the official EU government explaining GDPR?
https://europa.eu/youreurope/business/dealing-with-customers...
Can a company go wrong implementing the same approach as https://european-union.europa.eu/index_en uses? Why is that considered malicious compliance with the law?
If you are asking why there isn't a "reject all" button on their webpage then the answer is simple. There is one. The "Accept only essential cookies".
> and secondly why does it use a cookie banner rather than some other solution that would not be malicious compliance with the law?
GDPR (general data protection regulation) is about general data protection, not about technology. It applies the same no matter if you are using cookies or something else.
> Can a company go wrong implementing the same approach as https://european-union.europa.eu/index_en uses? Why is that considered malicious compliance with the law?
The example you've given is an example of compliance since there is a button to reject all tracking cookies. Whenever you read the words malicious compliance within the context of this discussion you can just swap it with the word illegal which is the correct word for the behavior that is being bemoaned here.
It could easily say “browsers have to” and 8 billion people would be spared the perpetual annoyance of cookie poop up warnings.
I'm so cynical now that I can't read articles like this without my first reaction being to look at how it benefits companies that profit from ads.
My two theories here?
1. An attempt to shift liability from companies having to comply with GDPR to browsers having to comply.
2. An attempt to consolidate all cookie consent into the three (?) browser engines we have... so efforts to thwart it can be focused on just those places.
Should have been written in the law that it’s a one toggle in browser settings.
If government is going to impose on the internet the least they could do is be competent in what they impose. Not writing laws that waste lifetimes in collective hours a day as every person in Europe deals with multiple of these dialogs a day and thousands a year.
It did not. These practices are illegal under the GDPR, the problem is a chronic lack of enforcement by most national enforcement agencies in all but the most severe cases.
Some are just ineffective but others have gone completely rogue. Swedish Data Protection Authority (DPA) for example takes the position that commercial data brokers like Mrkoll are allowed to publish and sell people's personal information (including your current home address, hello stalkers!) [1] and that this is somehow protected under the pretense of "journalism" [2].
[1] https://mrkoll.se/resultat?n=Otto&c=&min=16&max=120&sex=a&c_...
[2] https://noyb.eu/en/swedish-data-brokers-claim-journalists-le...
No!
For crying out loud..... The law says if you want to track me (advertisers take a bow) then in each case, you must have my explicit opt-in permission to do so. And so you should!
Having a browser toggle setting isn't explicit opt-in consent.
If the data is being sold, it should be legally required to word it in that way. If there's even the slightest possibility of your data being leaked to spammers, it should be worded to reflect that.
"Do you consent to us selling your data to any party that wishes to buy your data? Do you consent to the possibility that your data will be used to spam you or steal your identity in the future? Yes/No"
Nah. Personal data sharing needs to be banned. It's the right way forward.
They are under the GDPR.
If you ask for my data, you must do so fairly and tell me what you are using it for.
In the examples you site, if you read the small print "sharing with partners" will go on to say advertising 'letting you know about products and services' and other such shite.
Dead Comment
Targeted ads generally bring in 3x the revenue of generic ads. Personally speaking, I'd rather have 1/3rd the ads on a page and allow my data to be tracked. I don't mind my data being tracked, and I'd rather see ads for keyboards / mens clothes (what I buy) than diapers / ladies shoes (who knows what tomorrow holds, but this is not what I'm buying at the moment).
2. Contextual ads are not targeted and would not be showing you adverts for diapers or ladies shoes- unless you are reading about diapers or ladies shoes.
No one wants to be advertised to, but powerful lobbies argue that ending ads will lower consumption and thus harm the economy; and no politician wants to lower GDP.
No one wants to be spied on, but powerful lobbies argue tracking people allow better security; and no politician wants to be soft on crime and terrorism.
Even when you give them the option to pay, with no ads or tracking, the conversion rate is still around 0.5-1%.
I doubt that. People tend to spend their money regardless. Advertising just determines what they spend it on.
It is banned.
Unless I give me explicit permission otherwise (though as you say, why anybody would is beyond me, but then "there's nowt as queer as folk")
Any website that uses a cookie banner is going above and beyond what they need to do to run a functional website in order to track you.
If my 'data' is a no logs vpn address with a privacy hardened browser running in a VM on an isolated VLAN with encrypted DNS then why wouldn't I just laugh and click accept cookies in a sandboxed tab (so said cookies only exist for that tab and are cleared when it is closed.
What youre saying most users dont have this level of privacy by default? Why not?
GDPR article 7, section 4: When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
basically: A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service
anyone who does that is in violation of GDPR
There was the DNT header, that was a bit to simplistic, but was never implemented https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
The thing people need to understand here is that the annoyance is not due to lack of technical solutions, or regulations forcing something. It is explicitly wanted by the industry so they can maximize the consent rate. The browser solution is probably the best technical/user friendly one, but ad tech/data gathering industry won't have any consent. As they control most of the web, they will never do that
Turn "Do Not Track" on or off
When you browse the web on computers or Android devices, you can send a request to websites not to collect or track your browsing data. It's turned off by default.
However, what happens to your data depends on how a website responds to the request. Many websites will still collect and use your browsing data to improve security, provide content, services, ads and recommendations on their websites, and generate reporting statistics.
Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. Chrome doesn't provide details of which websites and web services respect Do Not Track requests and how websites interpret them.[1]
About the best we have browser side is a mode where all cookies are cleared at browser exit.
[1] https://support.google.com/chrome/answer/2790761
chrome://settings/content/siteData
Here's an extension to block at a per-site granularity (despite it saying cookies, it blocks it all including local storage):
https://chromewebstore.google.com/detail/disable-cookies/lkm...
It's what you would do if you had the crazy idea that a browser should be a client for the user, and only a client for the user. It should do nothing that a user wouldn't want done. The measure of a client's functionality is indistinguishable from the ability of the user to make it conform to the their desires.
No. The best we have are adblockers and scripts like consent-o-matic.
Clearing cookies does mostly clear cookies, tracking goes far beyond that. Clearing cookies has always been a red herring enabling adtech submarines like "I don’t care about cookies".
None of those cookie popups, though. That's all malicious compliance.
> Explicit consent: Under the GDPR and similar laws, consent must be specific, informed, and an unambiguous, affirmative action from the user. Consent cannot be assumed by a user's continued browsing or inaction, which is what DNT would require.
Cookie banner are called cookie banners because they‘re most frequently associated with the opt in for tracking cookies, but this kind of opt in is required for any kind of third party involvement that goes beyond technical necessity.
Your browser has no way to tell what third party present on the site is a technical necessity and which one isn‘t. So you‘d have to tell it - making it part of the site providers problem as well. But this time its worse, because responsibilities are mixed between the site operator and the third party.
There's no value you can give DNT that says "you can do your own on-site tracking and telemetry and I accept sharing my data with Sendgrid for your newsletter, but I do not want third-party trackers".
As a practical example: there are news sites that will not play videos if you hit "deny all" because their video host does some viewership analytics. I'm fine with that, but not the 750 other advertisers the news site tries to have me track.
Of course, "deny all" should be an option, "accept all or deny all" isn't control.
For the longest time we had https://en.wikipedia.org/wiki/P3P as a basis to build on, but that officially died the day Edge became Chromium-based.
A web browser is technically incapable, by design, of knowing whether any piece of a website (1) is there for the purpose of having the website actually work, or for the purpose of tagging and tracking the end user. Only the website owner chooses those purposes, and only the website owner is in a position to determine (or maliciously hide) which technologies are being used for which tracking or technical purposes.
(1) Cookie laws apply to: Cookies, gif pixels, JS fingerprints, and any other tehcnical means that can be technically exploited to track an individual
As far as malicious/non-compliant websites go, cookie banners don’t make that issue better or worse. They can lie just as easily with a banner. In fact this implementation makes it easier as no one needs to build those ugly banners anymore. (Devastating for the pop up industry though.)
Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.
While enforcement is effectively nill, they already need to do that according to the actual EU "cookie law" (ePrivacy Directive rather than GDPR). If you set cookies, you have to explain to the user what they're there for.
Hilariously, many websites have no idea what the cookies their trackers set are for, and I've caught a bunch of them use language like "seemingly" and "apparently" when describing what purposes cookies actually serve.
If only browsers gave P3P[1] the attention it deserved. The protocol isn't exactly perfect and the unmistakable footprint of early 2000s XML obsession are there, but it could've prevented cookie banners from ever being accepted if only browsers had designed proper UI around an updated version of the protocol.
[1] https://www.w3.org/TR/P3P11
Browsers are something the end-user installs. Inserting the government into that doesn't make sense.
This sounds like the idea is for the site to add extra metadata that's not there now, about what each cookie does. Which would still involve mandating site owners to do things.
.
Also, both private mode and https://addons.mozilla.org/en-US/firefox/addon/multi-account... are a thing already, without government meddling.
On what basis? What difference is there between regulating website code and browser code? How a website functions and how a browser functions?
I should not need to follow a ridiculous law to give away some software.
I've found a high correlation between cookie consent notices and low-signal content, so this strategy has actually saved me a lot of time I would've spent reading/watching something that doesn't help me.
But to the flights example, I was just looking for flights starting at Google Flights, which doesn't have cookie banners, and the two sites I went to for booking also did not have cookie banners.
[1] https://globalprivacycontrol.org/
[2] https://support.mozilla.org/en-US/kb/global-privacy-control
Deleted Comment
[1] https://legiscan.com/CA/text/AB566/2025.
[2] https://portal.ct.gov/ag/press-releases/2025-press-releases/....
[3] https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-....