Maybe stop doing stupid shit that will legally require you to inform users that you're about to sell/share everything you know about them to 3rd parties?

I fail to understand companies that display page after page of cookies and tracking stuff for you to approve don't see the issue with their actions or the insanity of "allow us to share data with our 1500 partners". Does no one in these business look at this and go: "Hey, why do we need 50 different tracking tools" or "Why do we share customer data with over a thousand other businesses?".

When you actually read what these pop-ups says, then you understand why they are there, and why the problem with the laws isn't that it's annoying, but that it is not much more restrictive.

Stop using Google Analytics and your need to place cookies and thus need for cookie popups vanishes.

Goatcounter or Plausible will do fine. Some decent frontend log parsing will also be a viable strategy.

Stop feeding Google your customers data for free.

Hey, just some background from someone who took part in a couple of privacy compliance projects at large platforms in the past:

For companies doing this the right way, the banner was just the tip of the iceberg, loads of work went into ensuring compliance behind the scenes, so customer and employee data was not shared with 3rd parties unknowingly. In one case the list of 3rd parties went from +400 to about 70, this is in my opinion a win for privacy, the culture around sharing your data went from casual to cautious.

Secondly, the culture around trusting meta and google blindly with behaviour data changed drastically. Businesses became aware of how much valuable data they share with these platforms, which actually puts them at great risk, should you really give these platforms detailed data on what customers browse and buy on your site, so they can use the data to sell targeting for competitors, or direct users towards their own shopping platforms?

So, yes the law is not perfect, we all hate the banners, but at least what happened in those early implementation days when the banner became law, was a change in culture around how data was shared and a better understanding of the risk for the business of using 3rd parties.

The cookie policy is a stupid value-signalling stunt with only negative real-life effects. The correct way of handling the problem would have been through request headers and browser settings, or simply, use the existing option of either allowing or disallowing cookies, and put this option on a per-site basis and a bit more into the users face..

Please stop - selling our data to advertisers.

> it is not legally required to provide the service if a user declines tracking cookies. The site can simply not provide functionality. So in many cases, its not really a choice – the choice is either not to use the site, or consent to tracking.

to be fair that is the choice. And ideally, the invisible hand would show that this is a horrible idea and cause a huge spike in traffic, but alas.

I think "stop putting popups cookies" on websites is an extreme stance, but I agree we could use fine tuning on the little things to help keep the spirit of the law. It should indeed be opt-in and not "ask for forgiveness". And it should adhere to current compliances.

Cookie banners are a great reason for expirations dates on new policies. If it works: Great, renew it! If it does not work, is not required anymore or was just plain stupid: Never talk about it again and it will run out. But who will actively admit that regulation failed and work to undo it?

> Enact a law that requires a service to respect the do not track signal from a browser (currently entirely voluntary), and not store any tracking cookies, clear gifs or other trackers – and require that a site not “discriminate” against users who elect no tracking – basically – provide all functions to users whether they consent or do not consent.

This is indeed the obvious solution. I don't understand why the EU didn't mandate the do not track flag to be obeyed. I know some browsers already removed it but that was because nobody bothered to obey it. As soon as it can be mandated it will be useful and come back quickly.

Also, there was criticism from the advertising industry that the do not track was on by default but that's how tracking should work in the EU anyway: opt in.

By not doing this the EU keeps getting flak for the many cookie walls.

Also, for those of us with vision issues (or just want to zoom in a lot on a webpage), these popups look horrible at 150%-200%, and often get misrendered in strange ways, sometimes hiding the button. Then if you actually try to reject it, if you can, the rejecting or customizing page is nearly always broken when zoomed in.

uBlock Origin has cookie notice filters. I don't think this is enabled by default; you can enable it in the Filter Lists section, along with "annoyances".

By far, my favorite feature in iOS 18 is Safari’s “hide distracting items” feature. It lets you permanently hide the cookie popups on a per site basis. And the annoying google sign in popups, and the annoying scroll down popups.

The future 2 years down is cookieless anyway.¹

I'm afraid that these banners, because these are called "cookie banners" and not "consent to us using your data and giving it freely to other companies banners", will just go away, people (& companies) will be happy, and the consumer stays a fool.

¹ https://en.wikipedia.org/wiki/Third-party_cookies

The larger lesson here is this is what happens when governments try to regulate things they don't understand. Cookie popups just add friction, and it's not clear consumers see any real privacy benefit. What's even worse is people seem to not care that the policy isn't working, but they aren't telling lawmakers to fix it.

Interesting article. This policy has felt like a complete failure, but I didn't know the depths of how badly it has failed.

I would really like to see these die. Regulators should just work with browser vendors to make an API that I can set at the browser level, and websites just read that to know my preferences and leave me alone.

Why would they stop?

Most users are now giving explicit consent to be tracked! What a dream! Before, they had to worry about legal grey areas!

Now the legislation says it's fine, as long as they click "OK". Which almost every user does because they are tired and annoyed by the pop ups.

Thank you legislators!

I've come across a few websites that have cookie controls that don't do what they say they do when I manually examined them. E.g. still using analytics

Are there any tools to check websites to see that they do what they say they will do? Or is it a manual thing?

I think its ironic for these pop-ups to frequently only offer "accept necessary" or "accept all"...

Please stop using full justify text layout on your website.

I love the “long press to preview” feature in mobile web browsers. But now all I get to preview is the cookie pop up! EU, pls fix.

Malicious compliance gets the website two benefits: 1) Annoying the customer enough with the popups might net a permission to track from an user who originally did not want the cookies 2) Making the cookie banners as frustrating as possible increases the political pressure against the EU, hopefully leading to them repelling the anti-tracking legislation

There's no upsides for a website from providing an easy "Never track me" button, or just not using analytics cookies - you don't have to put up cookie consent banners for technical cookies used to save e.g. light/dark mode preference

> If a site does comply with the notice and consent requirements, it is not legally required to provide the service if a user declines tracking cookies.

That's simply not true. In order for consent to be valid under GDPR, the service should operate normally if you decline tracing cookies. Otherwise it's considered a "forced consent" and is not valid.

So... Abolish all the EULAs?

If you do not collect my data outside for what is strictly needed, then all is good. Remove analytics, recaptcha, embedded youtube, google cdn and any other things you do not actually need to run your product. And collect only the info you need (and nope, you really do not need my address or phone number unless you ship physical goods, so why are you getting it?). You probably do not need my email address besides for spam (forgot password is not a thing; either use one of the oauth providers, or hash the email and let the user enter it; if it matches you can send the email).

Then you don't need cookie banners or gdpr consent popups. It is not that hard. But you want to screw your clients for profit, I know, in that case, you need them or get fined. Which you should be for misusing my information/behaviour and privacy. Nothing good did come of ad tracking, user fingerprinting and data selling, so I wish you many fines.

This doesn't read quite right to me. Maybe I missed something.

Under the GDPR sites are emphatically NOT allowed to deny service over rejecting cookies.

Iirc the only valid options are providing a paid alternative or blocking service to the entire class of GDPR covered citizens.

So, suppose I run websites. Actually I do and I have cookie banners on all of them - but only for users with EU IP Addresses.

Here's the twist: Good news is (for me), I can[1] track and do whatever I want with any other IP address. You visit my site? Well, thanks to nobody else I care about having GDPR-like regulations in place, I can make sure I'll not only track you down and display ads across all advertiser networks, feed them your visit in all imaginable and unimaginable ways, but I can do it in such a targeted way that it's borderline scary. I can literally use any information you gave me on my websites, like your name, your location, proximity to anything. And if I can't then the advertiser can. And in the case of that particular lawsuit mentioned in the article, collecting all user consents, their IP addresses, and basically which websites they visited, its like a gold mine for advertisiers. If it isn't one yet, it can be turned into one with the click of a button.

It's like that one case a few years back, where a health insurance company bought a bank and started closing bank accounts from people they knew were risk patients.

Simply connect the dots...

GDPRs promise was to make it harder to do so. It wasn't the plan to annoy the hell out of everyone with banners. The whole idea was to not allow tracking unless you opted in, because quite frankly, its scary.

And no, I'm not a fan of GDPR or overregulation. But in reality, there hasn't been any tech I've come across that really protects the non-technical internet users at large. There's uBlock and plugins, but not installed by default or built into standard mobile browsers. Apple might be close for regular consumers to stop the excessive tracking and companies like FB really hates them for it (for good reason, it costs them big $$). Google will never shoot their own foot by integrating non-tracking tech into any of their products.

So, no, my opinion is don't stop that darn annoying cookie pop-ups unless you also stop the tracking. If you stop the tracking, remove the cookie pop-up. As easy as that.

[1] I don't do it, but I could. I'm not a reckless psycho-marketer.

The way to reduce cookie banners only depends on a small tweak by google. If you give people the choice between SEO and legibility, they will choose SEO.

me and my 486 partners agree

>"Almost every major website you visit today pops up a banner to warn you that it uses “cookies.” This is not legally required in the U.S. or in most places, and where it is, the vast majority of sites do not comply with legal requirements."

So, the problem with this is: the law. If you use session management: GOOD NEWS GDPR AND CPPA UNDER PENALTY OF THE COURTS DEMAND YOU INFORM USERS and if you know a better way than an intrusive "accept this before you can continue" by all means pipe up but the problem is overbearing laws, not "people following them". The law requires that you disallow access until people tell you their position on your handling of their personally identifiable information and welcome to modern web dev hell. If you don't like it, hell has done its job.

Both Europe and California consider IP addresses PII and this is the result.

[dead]