Just make it a law that the Do-Not-Track header implies a no to the cookie banner and makes it illegal to show it.
The dumb part is that most Cookie Banners do not actually adhere to the law. While I do see room for improvement in the law itself, those improvements will go unseen, too, if the law is not enforced.
Which is why we need a one click solution to deny all of the cookies.
This is already the law. Declining must not be more tedious than accepting.
Unfortunately it’s poorly enforced.
We have the Do-Not-Track standard; enforcing its functionality by law would’ve been so useful. Most cookie consent software has an option to respect DNT, but people/agencies just don’t configure it, because they don’t have to.
Cookie banners would not be necessary if companies weren’t trying to do shit with data, specifically personally-identifying data and personal-behavior data. If they were just running simple analytics over everyone, there would be no need for “cookie” banners, even as they used cookies. Instead, mainstream sites try to figure out my personal click paths and then associate that with a mail address I typed into their newsletter form accidentally but didn’t click Submit on and then combine their data with data from millions of other websites associated with the same email. The EU never said that all websites have to use blatantly non-compliant services from Google, Adobe, and tons of others.
Even the term “cookie banner” is a total misnomer here. “Extraneous and third-party data collection banner” would be much more honest, as cookies are a symptom but not an issue on their own.
This is not a failing of the GDPR. This is a failing of web designers, corporate marketing structures, and the legal system (specifically that of Ireland).
Fully agree, those nagging “consent” pop-ups are just fig leaf technology to coax users into “consenting” to something no sane user would consent to out of their free will.
Eh, uBlock Origin blocks those banners anyways I think.
But why did this take so long? We have been enduring this crap for years.
The cookie consent rules appeared in 2009, and consent was made more strict in 2018 with the GDPR.
EU bodies such as the WP29 data protection board had been writing since at least 2014 on the need for reform because the cookie consent rules are onerous in practice. Everyone wants reform.
So there was (is?) an effort to replace the ePrivacy Directive with a shining new ePrivacy Regulation that would also harmonize it with the GDPR. At the time, it was hoped it could come into force together with the GDPR in 2018. This regulation would have allowed the use of some cookies without consent, even when not strictly necessary.
But the proposed regulation is disliked by both the data protection side and the industry side, because it changes the existing balance. It was heavily lobbied against by Google and others, and never got ready enough for a vote (report from 2017, and in 2021 the NYT reported on internal documents where Google boasted that it successfully slowed down any progress). Every year someone in the EU tries to pick it up again, but always there’s something more important and it gets dropped again. I guess the effort this article reports on will falter as well.
Some silver linings though:
- Because responsibility for enforcement for cookie consent currently differs from GDPR stuff, clever data protection authorities like Belgium and France have been able to issue fines against big tech companies without having to involve their extremely industry-friendly Irish colleagues.
- Subsequent lobbying has not been able to prevent improvements on other aspects, e.g. Digital Markets Act and Digital Services Act, the latter of which also forbids Dark Patterns. However, these Acts primarily affect very large companies, not the average website.
Because the EU is extremely slow by design. Any decision needs unanimity between 27 countries, and that takes time.