by growse
2213 days ago
Plenty don't. Hyperbole isn't helpful. Lots of websites seemingly actually break the law, with full page "can't see the page unless you click accept" etc. The problem seems to be under-enforcement, and then we're right back at the point of TFA.

The problem starts when legislators write vague or ill-posed laws because they don't understand the underlying technical issues. If your understanding of the problem is that "cookies are some sort of tracking token and tracking is bad," you will not be able to write effective legislation. You need to have a basic understanding of HTTP, you need to know how cookies fit into HTTP, and you need to be aware of some basic cookie usage patterns. You need to be able to identify that some things that certain companies build using cookies are problematic, and other things are totally benign and are required for basic functionality. You need to be capable of understanding that a user's "allow/deny cookies" preference usually can't even be saved without a cookie.
When the law actually comes out, it's so vague and seemingly self-contradictory that lawyers at these companies are going to say "We have no clue WTF they meant here, or how they intend to enforce this law, or if they even intend to enforce it at all, but just to be safe, let's just do it this way that's obviously stupid, but appears to be what everyone else thinks will pass the sniff test."
Then the law isn't actually enforced, because the enforcers don't understand the law either, so the lawyers are like, "Well, no guidance based on patterns of enforcement, in fact, they don't seem to be enforcing this thing at all, so let's just do whatever we want," which is how you get your laundry list of obviously non-compliant websites.
Legislation needs to be clear, enforcement needs to actually happen, and needs to happen consistently in order to reinforce the clarity of the original law. If you don't have these things, your legislation is going to fail. Cookie law used in this example, but the same thing applies to GDPR. So far, very little enforcement, and enforcement has been extremely inconsistent. It's a really bad start.