We've already encountered that with "Do Not Track"—as soon as you have anything that doesn't require user intervention, websites start arguing that it doesn't reflect the users' intention, and so they have to protect us from the nasty browsers by tracking us.
To be fair, the DNT launch was botched from the beginning, starting more as a hack than an industry-wide consensus [1]. While it eventually got implemented by browsers, it lacked adoption, and had risks with fingerprinting [2]. The nail in the coffin was when Internet Explorer 10 decided to enable it by default [3], completely disregarding user intent.
Certainly not at the near 100% level that the default setting suggests. Microsoft poisoned the well with DNT and worsened privacy on the web for everyone.
I can believe that there are some people who don't care if they're tracked, but do you believe that there's anyone who wants to be tracked?
Maybe someone out there somewhere does, but surely such people, who actively want to be tracked, are in the distinctly small minority. In that case, why should the onus be on everyone else to communicate their intent, rather than on the few users affected to communicate their intent?
>why should the onus be on everyone else to communicate their intent, rather than on the few users affected to communicate their intent?
Because this effectively bans any kind of tracking cookies which, while most are kind of awful, there are legitimate reasons for their existence. Shifting the conversation from a user choice to an effective ban is a completely different conversation with pros and cons that must be considered separately.
I still don't understand how this has anything to do with "user intent". What makes you think that the default user intent is to allow tracking? Would it have been better if the browser asked the user to choose? Do you think user intent would have been respected if it was presented as an opt-in setting? (i.e., 99% of users would just click OK without opting in)
The reason why this flag doesn't work has nothing to do with user intent. We wouldn't see all these GDPR banners that make it difficult to opt out if anyone actually cared about user intent.
“We make money by selling a snippet of code to websites that integrates with Super Agent.
Essentially, websites can have a JS snippet unique to them so that when a user with Super Agent visits, cookie preferences are applied automatically without having to ask anything.”
https://www.super-agent.com/faq
Cookies are just completely broken. The EU should never have got involved in the way that it did. No matter how positive the intentions, the web is a worse experience as a result, with marginal privacy gains.
The focus on cookies was always a bit off and more a result of too much technical detail resulting in laws missing their intent. The legislature moves slowly; over time, this will be fixed. However, the legislation regulating how web services have to handle data privacy was very necessary (and the people of the USA should really consider amending their constitution by also demanding a basic human right to data privacy). The key elements are "informed choice" and "consent to data gathering/processing", which have little to do with cookies. Let's say you buy a smartphone from China and it comes with a keyboard app that sends all your inputs to a Chinese company so they can make predictions and offer autocompletion. You kind of want that app to display a banner asking you if that is okay. And you kind of want a privacy policy attached that explains they will create user-specific profiles and sell them to advertisers and share them with the Chinese Ministry of State Security. I think you want that banner. Now Google Analytics isn't much different. It tracks you all over the web, creates profiles of your browsing habits, sells those to advertisers and shares them with the American National Security Agency. Sure, it also shows statistics to the website owners, the same way that keyboard app has an autocomplete function, but you kind of want to be informed about those other functions and have the option to say no, don't you? That is why 'consent management' is so important for data privacy.
I'm really hoping Do Not Track becomes legally binding. (Also, how is it not already treated like a piece of a contract negotiation? It is machine readable and sent on every request. Hidden website EULAs are already treated like contracts.)
I would rather use Lynx than any more creepy JavaScript.
When I want “experience” — a concept I loathe because it is a euphemism in all senses, and somehow arrogant and naive at the same time — that is the role of a desktop program. And it better ask me and inform me whenever it wants to perform a network request.