by pjc50 211 days ago
This was the correct decision and could have been made a decade ago. An .. institutional deficiency was trying to make the GDPR as completely general as possible rather than doing a technology mandate. But this had two consequences: bad actors could circumvent it, and good actors just trying to comply ended up horribly confused (e.g. is logging an IP address in an Apache log "personal data"?).

DNT header. Legally binding. Out of the way of the end user. Unambiguous for enforcement purposes. Probably the end of targeted advertising, but that was always the logical conclusion of GDPR.

5 comments

I agree cookie banners were the wrong solution, and sometimes made things worse (it made a cookie whitelist extension I used to use unusable, because you have to allow the cookie that stores your cookie preferences).

However, this bit concerns me:

> This key change is part of a new Digital Package of proposals to simplify the EU’s digital rules, and will initially see cookie prompts change to be a simplified yes or no single-click prompt ahead of the “technological solutions” eventually coming to browsers. Websites will be required to respect cookie choices for at least six months, and the EU also wants website owners to not use cookie banners for “harmless uses” like counting website visits, to lessen the amount of pop-ups.

That implies there will be "harmless tracking" allowed, and it removes choices. The latter might restrict dark patterns, but it might also encourage "allow all cookies or you cannot read the site at all" approaches.

Fine I can vote with my feet and avoid sites that say "no cookies, no lookie" and use archive if I am really eager to read something.
Cookie consent banners and such come from the ePrivacy Directive, not the GDPR. The banners themselves were never mandated, but lacking any other standardized opt-in signal, that's what everyone converged on anyway.
To be clear, the other option was to respect privacy by default and comply with the GDPR without any banner.
A lot of sites put up the banner even when they're not serving anything but "essential cookies", just as a CYA mechanism mandated by legal. And to some degree, I can see legal's point: the site might be just fine now, but you just know somewhere in the sausage-making process, someone's eventually going to toss in a dependency that brings in a tracker without clearing it first, and boom, exposure.

Having a clear non-interactive signal that's legally recognized should go a long way toward clearing out those annoying banners.

DNT is dead by the way; Global Privacy Control (GPC) is the new privacy signal mechanism. It already has actual legal weight in some jurisdictions, like California and its CCPA law, for example.
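What honouring a non-interactive signal looks like on the server, as an added example that is not from this thread or from any of the commenters: a small Node.js consent gate that checks the GPC header (sent by browsers as `Sec-GPC: 1`) and the older `DNT: 1` header before any non-essential cookie category is enabled, and otherwise falls back to the site's own stored choice. Assumptions: request headers are a plain object with lower-cased names as Node's `http` module provides; the site's preference cookie is named `cookie_prefs` and holds a JSON object (a hypothetical format chosen for the example); DNT is treated as an opt-out alongside GPC as a site policy choice; and the six-month lifetime for a stored choice is an illustration of the "at least six months" figure quoted above, after which the site asks again rather than assuming consent.

```javascript
// Added example (not from the thread). Decide which cookie categories a
// response may set, honouring the browser's opt-out signals first.

// GPC is transmitted as "Sec-GPC: 1"; DNT as "DNT: 1". Any other value, or
// the header's absence, means "no signal", which is NOT the same as consent.
function hasOptOutSignal(headers) {
  const gpc = String(headers['sec-gpc'] ?? '').trim();
  const dnt = String(headers['dnt'] ?? '').trim();
  return gpc === '1' || dnt === '1';
}

// Assumed lifetime for a stored choice (roughly six months, mirroring the
// figure quoted in the thread). Older choices are treated as absent.
const CHOICE_TTL_MS = 183 * 24 * 60 * 60 * 1000;

// storedChoice models the site's own consent cookie: null when the visitor
// was never asked, otherwise { analytics, advertising, ts } with ts in ms.
function allowedCategories(headers, storedChoice, now = Date.now()) {
  const result = { essential: true, analytics: false, advertising: false };
  if (hasOptOutSignal(headers)) return result;              // signal wins over any banner click
  if (!storedChoice) return result;                          // never asked: privacy by default
  if (now - storedChoice.ts > CHOICE_TTL_MS) return result;  // stale choice: ask again, don't assume
  result.analytics = storedChoice.analytics === true;
  result.advertising = storedChoice.advertising === true;
  return result;
}

// Parse the hypothetical "cookie_prefs" cookie from a raw Cookie header.
// Malformed or missing values yield null so the safe default applies.
function readStoredChoice(cookieHeader) {
  const m = /(?:^|;\s*)cookie_prefs=([^;]+)/.exec(cookieHeader ?? '');
  if (!m) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(m[1]));
    return parsed && typeof parsed.ts === 'number' ? parsed : null;
  } catch {
    return null;
  }
}

// Express-style middleware: exposes the decision as res.locals.consent so
// templates and tag loaders can consult it instead of hard-coding trackers.
function consentMiddleware(req, res, next) {
  const choice = readStoredChoice(req.headers.cookie);
  res.locals = res.locals ?? {};
  res.locals.consent = allowedCategories(req.headers, choice);
  next();
}
```

Note the ordering: the signal is checked before the stored preference, so a visitor whose browser sends `Sec-GPC: 1` is opted out even if a banner click was recorded earlier, and a missing header is never treated as permission.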
Would there have been cookie banners if DNT was respected?
> An .. institutional deficiency was trying to make the GDPR as completely general as possible rather than doing a technology mandate.

Making it a technological mandate would have made it trivial to circumvent.