by hnarn 1837 days ago
The most frustrating thing about these cookie banners (more like cookie lightboxes) is that almost none of them are compliant with the rules. Unfortunately I don't have time to find the source right now, but I'm pretty sure I've read official EU guidance docs clearly stating that many "dark patterns" are simply illegal. For example making the "Accept all cookies" button require less effort than only accepting necessary cookies, which almost every page does.

I feel like the current state of cookie consent is completely broken, partly due to the complete lack of enforcement, and having a browser-specific setting that propagates to all pages would be great -- but again you have to think about incentives. If pages are not required to accept these settings, their incentive is to ignore them and to claim that since it's unfortunately not supported "yet" (read "ever"), you still have to wade through the cookie form.


At least in France, there's CNIL (Commission Nationale de l'Informatique et des Libertés) that started going after the top non-compliant websites and sending love letters like "you have N days to become compliant".

[1] https://www.cnil.fr/en/home

And then Europeans complain when the rest of the world geoblocks them.
Where are these fictional Europeans who want strong enforcement of privacy laws and complain about geoblocking?

The whole point is that either you follow our laws or you lose access to Europe. Geoblocking is just self-regulation.

Here's one. I hate it how I can no longer access 90% of local US news websites.
Every single time I've had this problem I've just used the Google cache or archive.org
No one's complaining about not being able to access shitty websites that can't be arsed to make clear which companies are tracking you.
No, we politely inform you that geoblocking is not actually required. But thanks for protecting us from your privacy-violating website anyway.
I have been building some sites where I have explicitly tried to remove or avoid cookies completely. It is really tricky as any third party script or embed can set cookies, which may be retained depending on browser version. We end up using generic cookie prompts just in case to appease corporate compliance even when nothing is usually set on the page. And the HTTP nature of cookies makes automating things much more difficult. You can't just drop in some JavaScript that overrides document.cookie, and even if you could it would not be supported by all browsers.

What I would like is to be able to whitelist domains in content security policy and reject everything else by default.

Why avoid cookies entirely? You don't need a cookie banner for cookies essential to the functioning of your site.
You want to avoid cookies entirely so that you don't need a cookie policy and that you don't need a cookie banner.

It's also significantly easier to convince a lawyer that you don't need these things if you can prove that there are no cookies whatsoever. And even then they'll be suspicious.

It's harder than it looks, just embedding a YouTube video for example already sets third-party cookies. Same with embedding a Twitter feed or Google Analytics. There are solutions for all of these things, but the standard/easy way of doing these things means your user gets a third-party cookie, which means you need the banner.
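As an added example (not code from anyone in the thread), here is a small audit that does the two things the comments above ask for: it lists the third-party hosts that a page's embeds (YouTube iframes, analytics scripts, widget loaders) would contact, and it builds a CSP allowlist that refuses everything else by default. The first-party hosts and the sample HTML are constructed; note that CSP only stops non-allowlisted hosts from loading at all, it does not stop an allowlisted host from setting cookies.

```javascript
// Constructed first-party hosts for the sample site (assumption, not a real site).
const FIRST_PARTY = new Set(['example.org', 'static.example.org']);

// Scan HTML for iframe/script/img/link tags and collect every host that is not
// first-party. Returns a Map: host -> Set of tag names that reference it.
function thirdPartyHosts(html, firstParty = FIRST_PARTY) {
  const re = /<(iframe|script|img|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const found = new Map();
  let m;
  while ((m = re.exec(html)) !== null) {
    let url;
    try { url = new URL(m[2], 'https://example.org/'); } catch { continue; } // relative URLs are first-party
    if (!['http:', 'https:'].includes(url.protocol)) continue;             // skip data:, blob:, etc.
    const host = url.hostname.toLowerCase();
    if (firstParty.has(host)) continue;
    if (!found.has(host)) found.set(host, new Set());
    found.get(host).add(m[1].toLowerCase());
  }
  return found;
}

// Build a deny-by-default CSP whose allowlist is exactly the first-party hosts.
// frame-src 'none' blocks every third-party embed outright.
function cspHeader(firstParty = FIRST_PARTY) {
  const origins = ["'self'", ...[...firstParty].map((h) => `https://${h}`)].join(' ');
  return [
    "default-src 'none'",
    `script-src ${origins}`,
    `style-src ${origins}`,
    `img-src ${origins}`,
    `connect-src ${origins}`,
    "frame-src 'none'",
  ].join('; ');
}

// Constructed sample page: one first-party image, one YouTube embed, one analytics script.
const SAMPLE_HTML = `
<img src="/img/logo.png">
<link rel="stylesheet" href="https://static.example.org/site.css">
<iframe width="560" src="https://www.youtube.com/embed/VIDEO_ID" allowfullscreen></iframe>
<script async src="https://www.google-analytics.com/analytics.js"></script>`;

function auditSample() {
  const hosts = thirdPartyHosts(SAMPLE_HTML);
  return { hosts: [...hosts.keys()].sort(), csp: cspHeader() };
}
```

Running `auditSample()` reports the two embed hosts as third parties while the first-party image and stylesheet pass, which is the list a lawyer would want to see empty before agreeing the site needs no banner.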

> You want to avoid cookies entirely so that you don't need a cookie policy and that you don't need a cookie banner.

Wrong. Functional cookies are exempt.

Of course I know that, but did you ever talk to someone who is not in technology but does have a say in determining what "we" need to do to cover "our" asses?

Say, a lawyer with the responsibility that all of our websites implement all of the relevant regulations?

You would think that they are up to date on what regulations you need to follow, but you'd be surprised. Many take a blanket "no risks under any circumstances" approach. These types can only be placated with the "we don't have any cookies at all" argument. And even then only barely.

The statement isn't "Wrong.", it's just overly strict.
What are "functional cookies"? Are analytics/telemetry cookies functional? Are cookies identifying Google users so they can receive targeted content but also ads "functional"?

GDPR never bothered to specify. This is why GDPR is broken and sadly it broke the web.

Have you tried finding the answer to your question online? There are clear examples of what "functional cookies" mean, even straight from the EU.
Still, the boss said: "add a banner anyway." Better safe than sorry, and everyone expects it by now.
These particular sites didn't need essential cookies and discussion about privacy/cookies was taking lots of time for no real benefit.

Also, I believe philosophically in trying to reduce things like analytics and tracking.

> For example making the "Accept all cookies" button require less effort than only accepting necessary cookies, which almost every page does.

Like those that make you uncheck 10 or 20 entries one by one.

The best ones are the ones that provide a list to 100 partners and ask you to visit them to opt out. Usually just close the tab when I hit one of those.
Those are the worst. And calling them “legitimate interest” only adds insult to injury.
Also the providers that appear to offer an even choice of accept all/reject all, except you realise that they've classified a second "legitimate interest" option for everything which the reject all doesn't cover (because that would be objecting, not rejecting).
Or like those that make the "Accept all cookies" button green and the "accept necessary" white/colorless/default.
I recently came across a website that makes the "Accept all cookies" button secondary and the "accept necessary" primary. It's such an effort to actually press the primary button — I have been so trained by the completely disdainful behavior of the majority of websites.
I saw the exact same thing and was surprised too! I wonder if it was a site that was on HN...

I pressed "accept all" by accident and thought "wow".

Well I needed to visit the website due to an unfortunate event in meatspace - in no way hacker news related. So it seems there's definitely at least two sites which do it!
Max Schrems now has a foundation you can donate to: https://noyb.eu/en
But they pretend to be legal. They at least make an attempt to seem kind of legal. And that's what matters.

If you only accept a spec like this there is no way to pretend to be legal other than to accept it anymore. Make custom cookie banners totally illegal. Force the use of this. No dark patterns, no semi-legal trickery. Either you use it and accept it, or you don't. Take out the grey area.

That's my point: that if you create a standard like this but don't enforce it (which is not the same thing as its legality) it won't matter. What is the consequence going to be of ignoring it? Will it be enough to actually create an incentive more attractive than breaking the law?
Instead of permitting sites to request consent of the user directly, they should be required to request consent via an official EU site. It could work like an authorisation redirect flow. This would standardise the consent UI, and prevent sites from implementing dark patterns.
Then the EU tracks everything everyone does. Nice.
The site could provide an opaque ID for the user. Also, anti-tracking on the part of the EU could be enforced by law.
Ignoring the many obvious privacy issues with this proposal, have you considered how this would result in a legally mandated single point of failure for (nearly..) all web sites?
Better yet, a standard browser interface.
This is an awful idea.
Yup, this is absolutely the case. Consent in order to count as consent has to be clearly affirmative, freely given, specific, informed, unambiguous and can be withdrawn.

https://gdpr-info.eu/art-7-gdpr/

It's the EU, it varies by country. Each country takes the European GDPR law/guidelines and implements it on the national level. There may be slight differences. Your specific example where opting out must not cost more effort than opting in is specific to the UK GDPR implementation for instance.
The point is that it's not being enforced, so if we assume what you say is true for the sake of argument, then the only way that would be OK was if a different cookie banner was shown for visitors from the UK, which I highly doubt happens in any meaningful percent of cases.
No. The GDPR is an EU Regulation which is, by definition, a binding legislative act. It applies in its entirety across the EU - no exceptions, no opt-outs. EU Member States are allowed to interpret (to a greater or lesser degree) EU Directives when they translate them into national law[1]

The EU GDPR no longer applies in the UK because the UK is no longer a member of the EU. The EU GDPR has been incorporated into UK law (as the UK GDPR) but there's nothing preventing the UK Government varying it at any point in the future[2]

[1] - https://europa.eu/european-union/law/legal-acts_en

[2] - https://ico.org.uk/for-organisations/dp-at-the-end-of-the-tr...

'A "directive" is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.'
> A "directive" is a legislative act that sets out ...

Maybe my wording was a bit vague. How about: "The GDPR is an EU Regulation which is, by definition, a binding legislative act which applies in its entirety across the EU without the need for Member States to pass any further national legislation. This is different to EU Directives, which EU Member States will implement by translating them into their own national law - which in turn does give Member States room to 'interpret' the Directive's requirements - subject to legal challenge in the Court of Justice of the European Union"

And the GDPR is not a directive.
But cookie banners must also adhere to the ePrivacy Directive, which is a directive (as the name implies).