Internet's Biggest Annoyance: Cookie Laws Should Target Browsers, Not Websites
Source: nednex.com (tech story; snapshot of a Hacker News discussion)
Key topics: Cookie Laws, GDPR, Data Privacy, Web Tracking
The article argues that cookie laws should target browsers instead of websites, sparking a heated discussion on the effectiveness of current data privacy regulations and the role of browsers in enforcing user consent.
Snapshot generated from the HN discussion
Key moments
- Story posted: Oct 22, 2025 at 8:12 AM EDT
- First comment: Oct 22, 2025 at 8:26 AM EDT (14m after posting)
- Peak activity: 152 comments in Day 1
- Latest activity: Nov 6, 2025 at 4:31 PM EST
Hacker News item ID: 45667866 (story). Last synced: 11/22/2025, 11:47:55 PM
There was the DNT header, that was a bit too simplistic, but was never implemented https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
The thing people need to understand here is that the annoyance is not due to lack of technical solutions, or regulations forcing something. It is explicitly wanted by the industry so they can maximize the consent rate. The browser solution is probably the best technical/user friendly one, but ad tech/data gathering industry won't have any consent. As they control most of the web, they will never do that
> Turn "Do Not Track" on or off
> When you browse the web on computers or Android devices, you can send a request to websites not to collect or track your browsing data. It's turned off by default.
> However, what happens to your data depends on how a website responds to the request. Many websites will still collect and use your browsing data to improve security, provide content, services, ads and recommendations on their websites, and generate reporting statistics.
> Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. Chrome doesn't provide details of which websites and web services respect Do Not Track requests and how websites interpret them.[1]
About the best we have browser side is a mode where all cookies are cleared at browser exit.
[1] https://support.google.com/chrome/answer/2790761
No. The best we have are adblockers and scripts like consent-o-matic.
Clearing cookies does mostly clear cookies, tracking goes far beyond that. Clearing cookies has always been a red herring enabling adtech submarines like "I don’t care about cookies".
It's what you would do if you had the crazy idea that a browser should be a client for the user, and only a client for the user. It should do nothing that a user wouldn't want done. The measure of a client's functionality is indistinguishable from the ability of the user to make it conform to their desires.
chrome://settings/content/siteData
Here's an extension to block at a per-site granularity (despite it saying cookies, it blocks it all including local storage):
https://chromewebstore.google.com/detail/disable-cookies/lkm...
So for the vast majority of people in the world government ownership of their browser would mean American political control. The current administration has expressed both in theory and practice a willingness to directly exert influence over organizations even when they are supposed to be independent of government control. That would be a concern for much of the world even outside the US.
> Explicit consent: Under the GDPR and similar laws, consent must be specific, informed, and an unambiguous, affirmative action from the user. Consent cannot be assumed by a user's continued browsing or inaction, which is what DNT would require.
None of those cookie popups, though. That's all malicious compliance.
If the data is being sold, it should be legally required to word it in that way. If there's even the slightest possibility of your data being leaked to spammers, it should be worded to reflect that.
"Do you consent to us selling your data to any party that wishes to buy your data? Do you consent to the possibility that your data will be used to spam you or steal your identity in the future? Yes/No"
It may even be the case that the website pays X company to perform the tracking for their own analytics purposes. Or that it's X company's own freemium model where if you add their tracker they grant you a bunch of cross-site information for free.
Nah. Personal data sharing needs to be banned. It's the right way forward.
People don't want this, so there is a quick reversion to "pay with your data".
Which, since 2018, is illegal in EU.
> Hey, please send the shipment to my customer. No, I can't tell you the address, it's personal data.
Some data sharing will always be necessary. What needs to be banned is the unnecessary sharing, but it's hard to 100% define what counts as necessary
Indiscriminate sharing of personal data IS banned under the GDPR.
If you collect personal data, you must only collect it for the stated purpose and can't sell or share it for any other reason.
I continue to be astounded at the ignorance some people have of the GDPR; a vital privacy law and one that is fundamental to modern data use and respect for the customer.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
If I go to an ER in a different area (read different medical system) I want my doctor to share personal data. I don't want my doctor to share my personal data with a random doctor in the same medical system unless that other doctor is an expert being consulted on something about me. (that is just being a doctor doesn't give you access to my private information, it needs to be on a need to know).
The above is the obvious case. There are likely other cases that are not obvious where after looking closely private information should be shared. Advertisement is never one of those reasons though, and analytics is only a reason if they anonymize the data with prison terms for mistakes.
They are under the GDPR.
If you ask for my data, you must do so fairly and tell me what you are using it for.
In the examples you cite, if you read the small print "sharing with partners" will go on to say advertising 'letting you know about products and services' and other such shite.
If my 'data' is a no logs vpn address with a privacy hardened browser running in a VM on an isolated VLAN with encrypted DNS then why wouldn't I just laugh and click accept cookies in a sandboxed tab (so said cookies only exist for that tab and are cleared when it is closed).
What, you're saying most users don't have this level of privacy by default? Why not?
GDPR article 7, section 4: When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
basically: A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service
anyone who does that is in violation of GDPR
Iirc it boils down to the fact the user still has a choice.
Either way your interpretation of GDPR and several major news outlets clearly differ, and I would bet my house on them having access to better legal advice than you.
And it *gave* freedom to society not to have their personal data exploited and privacy invaded for corporate profit.
No one wants to be advertised to, but powerful lobbies argue that ending ads will lower consumption and thus harm the economy; and no politician wants to lower GDP.
No one wants to be spied on, but powerful lobbies argue tracking people allows better security; and no politician wants to be soft on crime and terrorism.
I doubt that. People tend to spend their money regardless. Advertising just determines what they spend it on.
You're assuming people would still have the same amount of money, but for most money is not a given, and people strive to earn money precisely because they want to buy the things they were advertised.
Without the social pressure to acquire things one doesn't need, it's very possible people might simply work less and use that time for other things.
Advertising is only used heavily when all products are similar, otherwise the best would naturally rise to the top.
For example, washing powder/liquid is advertised heavily on TV, yet do you really believe one brand of powder/liquid gets your clothes cleaner than any other?
Even when you give them the option to pay, with no ads or tracking, the conversion rate is still around 0.5-1%.
We should however make it easier to pay for content online; let's implement HTTP 402 and integrate it into the users' browser and internet bill to reduce friction. Who wants to create an account and enter their credit card details to read a single article or watch a single video?
No, they overwhelmingly are not. When given the opportunity to not pay, and do so anonymously (no social shame), the actual pay rates drop to the 1-5% range.
This is a clear trend from thousands of creators who give simple payment options to those who wish to support them directly. The conversion rates from "ad-supported (but blocked)" to "paying member" are usually around 5% of the active audience.
The numbers are atrocious despite the deafening virtue signalling of comment sections ("I always pay creators to support them!")
If people actually didn't value the content, they wouldn't devote their time to it. I don't know anyone who regularly devotes hours a day to something they get zero value from...
All the paywalled news agencies want a monthly subscription. But I, as someone who doesn't like getting all their news from a single source, am not interested in signing up for news subscriptions because the cost would pile up fast, and to be honest I don't read that many news articles in a given month.
I think we need some kind of usage based billing system where participating outlets can set a price per article, and users can agree to be billed for that article when they go to view it.
My need for websites is much less predominant and really I could live without. So of course I bounce when mildly interesting websites ask to host cookies on my browser or want me to create an account and enter my card details.
If one considers maximizing utility the goal of economic science, then this is in fact good, as it redirects me to more useful venues like doing chores I'd been putting off instead of mindlessly scrolling online. Some metrics such as GDP however might suffer.
Targeted ads generally bring in 3x the revenue of generic ads. Personally speaking, I'd rather have 1/3rd the ads on a page and allow my data to be tracked. I don't mind my data being tracked, and I'd rather see ads for keyboards / mens clothes (what I buy) than diapers / ladies shoes (who knows what tomorrow holds, but this is not what I'm buying at the moment).
2. Contextual ads are not targeted and would not be showing you adverts for diapers or ladies' shoes, unless you are reading about diapers or ladies' shoes.
Any website that uses a cookie banner is going above and beyond what they need to do to run a functional website in order to track you.
It is banned.
Unless I give my explicit permission otherwise (though as you say, why anybody would is beyond me, but then "there's nowt as queer as folk")
I understand why companies don’t do it that way. Tracking is worth money and they like money. What I don’t understand is why ordinary people make excuses for them.
To avoid paying actual money, even the smallest sum of it.
So either: The EU commission is including trackers on their websites. And they should stop OR they acknowledge that it's almost impossible to build a website without some form of tracking that falls under the law, and they should look into the law itself.
So they have work on their plate.
Why would it be almost impossible to "build a website" without tracking?
But companies generally do whatever is in their best interest. I don't know why anyone would expect them to do otherwise with regards to tracking.
But I can't imagine companies would want that. They benefit from cookie dialog fatigue, and for some reason people blame GDPR of all things for surveillance tech being annoying in how they ask for permission.
technical solutions are chosen by companies to have as much dark patterns as possible to force you to consent
companies that want to sell user data are bad guys trying to make gdpr look bad
But actually honoring DNT properly would immediately mean no consent banner, but the consent banner is there to fool you into giving up your rights while providing (flimsy) legal cover for the company.
It's still early days for the GDPR (relatively speaking), but I can see the EU enforcing a particular privacy-related mechanism eventually.
It also doesn't help that DNT is just a boolean signal, it doesn't give you the control over your data that the GDPR demands.
What changed the most with GDPR is that enforcement now has teeth. Not as big teeth as say, NIS2, which actually has executives more concerned than middle level about being compliant, but still big.
[1] https://globalprivacycontrol.org/
[2] https://support.mozilla.org/en-US/kb/global-privacy-control
No. When I see a cookie banner that doesn't have a "Reject all" or at least "Reject non-necessary", I leave the website. When you look into the "Reject..." section, it often contains 1000+ of adtech shit you have to untick individually. Aren't these actually non-compliant with regulations? Makes you think twice about website owners if they choose to sell your data to adtech - seems like law does exactly what it was supposed to do. The problem is adtech which encourages to collect data websites have no business at collecting. If anything, non-compliant sites should be fined into ground and adtech outlawed.
If I could, I'd downvote the article.
People like the author are part of the problem. Blindly clicking consent is allowing site owners to bully you into consent. It works, so they keep doing it.
If you're going to blindly click anything it should be decline all.
Cookie banners are called cookie banners because they're most frequently associated with the opt in for tracking cookies, but this kind of opt in is required for any kind of third party involvement that goes beyond technical necessity.
Your browser has no way to tell which third party present on the site is a technical necessity and which one isn't. So you'd have to tell it - making it part of the site provider's problem as well. But this time it's worse, because responsibilities are mixed between the site operator and the third party.
There's no value you can give DNT that says "you can do your own on-site tracking and telemetry and I accept sharing my data with Sendgrid for your newsletter, but I do not want third-party trackers".
As a practical example: there are news sites that will not play videos if you hit "deny all" because their video host does some viewership analytics. I'm fine with that, but not the 750 other advertisers the news site tries to have me track.
Of course, "deny all" should be an option, "accept all or deny all" isn't control.
For the longest time we had https://en.wikipedia.org/wiki/P3P as a basis to build on, but that officially died the day Edge became Chromium-based.
I'm sorry, but does a user who would want this actually exist? This seems like a hypothetical dreamed up by the marketing team to avoid having to accept that a large group of users hate all their tracking shit.
You download a specific tool which only has the purpose of collecting your local error reports and sending them to Microsoft". Later on that tool became just a button in your control panel that submitted all your local errors and told you if those errors had an already developed solution.
That's how they did all their error telemetry until like late XP era, and it worked just fine.
All the people insisting that they *need* this telemetry is also horse shit. Companies are demonstrably not producing better and more bug fixed software, and demonstrably are not using that data to make serious improvements, but demonstrably ARE using that data to choose where to focus dark pattern and other sales funnel based efforts.
If Unity and Unreal and GPU drivers can ask me "Do you want to send this error report" with a default no, nobody else has any excuse.
Even now, a significant amount of companies use the system of "Please upload your error log and the output of this command to this forum" as their bug report solution and it works just fine if that company actually intends to fix bugs.
The solution is not to turn your software into spyware. Stop being entitled. You don't have a right for me to QA your software for you, that's your job. Even with all this telemetry, companies only fix the most common and most obvious bugs anyway, so the perfect telemetry is utterly useless. Those bugs would have surfaced anyway.
Developers in the 80s did not need telemetry to get bug reports and fix things and release patches. Learn some history of your profession people.
Has throwing a hundred thousand bugs onto your sprint backlog actually helped anyone develop better software? No. Meanwhile it has exposed all your customers and users to predatory bullshit from your marketing and sales departments, and enabled your worst product managers to optimize hostility and extraction.
If you deprecate a feature nobody ever implemented in the first place...
Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.
While enforcement is effectively nil, they already need to do that according to the actual EU "cookie law" (ePrivacy Directive rather than GDPR). If you set cookies, you have to explain to the user what they're there for.
Hilariously, many websites have no idea what the cookies their trackers set are for, and I've caught a bunch of them use language like "seemingly" and "apparently" when describing what purposes cookies actually serve.
If only browsers gave P3P[1] the attention it deserved. The protocol isn't exactly perfect and the unmistakable footprint of early 2000s XML obsession are there, but it could've prevented cookie banners from ever being accepted if only browsers had designed proper UI around an updated version of the protocol.
[1] https://www.w3.org/TR/P3P11
A web browser is technically incapable, by design, of knowing whether any piece of a website (1) is there for the purpose of having the website actually work, or for the purpose of tagging and tracking the end user. Only the website owner chooses those purposes, and only the website owner is in a position to determine (or maliciously hide) which technologies are being used for which tracking or technical purposes.
(1) Cookie laws apply to: Cookies, gif pixels, JS fingerprints, and any other technical means that can be technically exploited to track an individual
As far as malicious/non-compliant websites go, cookie banners don’t make that issue better or worse. They can lie just as easily with a banner. In fact this implementation makes it easier as no one needs to build those ugly banners anymore. (Devastating for the pop up industry though.)
The point is: It Is Not About Cookies.
The website owner can track you in a couple dozen ways, and all of them require your consent to be lawful.
What you are saying is that websites would need to "register" transparent pixels as technically necessary or not, Javascript fingerprinting as technically necessary or not, URL query strings/fragments as technically necessary or not, etc, and then the web browser would need to detect those "registrations" and enable/disable those technical uses one by one.
Cookie banners are malicious compliance almost all the time, but really, the web browser can't do anything about it.
Denying would, in many cases, go up to hundreds of yes/no options, with no 'deny all'. Makes getting coerced permission easy, and active denial almost impossible.
Of course, by not tracking, they don't need any of this crap. But surveillance capitalism must continue. Sigh.
The GDPR doesn't really care about implementations like that.
It's about consent.
Hard disagree.
Legitimate companies will obey the law; be that the GDPR, anti-corruption or anti-pollution laws to pick a few examples.
There's also a basic imbalance of power -- for instance, if you don't fill out the paperwork to get medical care that says (1) everybody who could possibly have a reason to access your data can, and (2) we're going to do that at a cost 1000x more than just leaving all the paperwork out on the curb you don't get medical care.
People don't really read all those clickwrap licenses, I mean, Sony makes you scroll to the bottom of a 50 page contract just to play a video game.
Here's an even more radical idea: the browser doesn't even ask you this, and by default it just respects the user's privacy and blocks all third party tracking.
Can you imagine an internet where the user is put first?
DNT is legally void in several US states because it was enabled by default.
If we do set up a browser-oriented solution, browsers like Firefox and Brave would default to the most privacy-friendly options practical, of course, but they already mostly do that anyway.
"Spend Five Minutes in a Menu of Legalese" is not the intended alternative to "Accept All". "Decline All" is! And this is starting to be enforced through the courts, so you're increasingly seeing the "Decline All" option right away. As it should be. https://www.techspot.com/news/108043-german-court-takes-stan...
Of course, also respecting a Do-Not-Track header and avoiding the cookie banner entirely while not tracking the user, would be even better.
Edit: their FF-page says,
> Set your preferences once, and let the technology do the rest!
> This add-on is built and maintained by workers at Aarhus University in Denmark. We are privacy researchers that got tired of seeing how companies violate the EU's General Data Protection Regulation (GDPR). Because the organisations that enforce the GDPR do not have enough resources, we built this add-on to help them out.
> We looked at 680 pop-ups and combined their data processing purposes into 5 categories that you can toggle on or off. Sometimes our categories don't perfectly match those on the website, so then we will choose the more privacy preserving option.
no, that's "I don't care about Cookies"
There’s probably also a version for the adtech browser somewhere.
NoScript too.
And AdGuard.
I do this more and more, and I think it's the right and best thing to do.
If they are showing you a toggle and calling it for "legitimate interest", they are most likely lying.
They love to put cookies under "performance and enhancements" as if that isn't bullshit as well.
All legitimate interest cookies are in the greyed out toggle for "required cookies".
By law, you can decline all and the site should still work fine, which again means they won't allow you to turn off actually needed cookies.
Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.
The sites are just trying to maximize profit, as anyone could predict. So write better laws.
Otherwise how can we explain “please see our privacy policy and send us a sneaker email to opt out” kind of tracking options.
It's impossible to write things correctly the first or final time and especially with the interpretation of words changing over time it doesn't matter if you could.
Example: In cycling, they banned narrow handlebars. There's an aero advantage, but it was seen as a safety problem. So cyclists canted their brake hoods way inside, rested their hands on the brake hoods, and got an aero advantage.
And now there's a rule about brake hoods. Laws are meant only to be living things that change as society changes, and also change to patch what we might call "exploits." You are perfectly correct: It's never one and done, it's an ongoing process.
That way, a misplaced comma or a wonky sentence doesn't allow for easy loopholes that need tighter laws to fix issues.
No law text will work forever, but this format makes for a very solid foundation.
Imagine you write a program to do something and it doesn't work at all as expected and at the same time it causes endless annoyance to users.
A law is very similar to a program. It's software for the society. It didn't work and the authors are blaming everybody except themselves.
We put a lot of safeguards, exception handling and all kind of measures to control errors.
I'm so cynical now that I can't read articles like this without my first reaction being to look at how it benefits companies that profit from ads.
My two theories here?
1. An attempt to shift liability from companies having to comply with GDPR to browsers having to comply.
2. An attempt to consolidate all cookie consent into the three (?) browser engines we have... so efforts to thwart it can be focused on just those places.
That's why the more logical and simpler ideas were never on the table.
The purpose of the laws (GDPR et al) is to give me control over who does what with my data, data about me. The operator of the website is who the law binds. It's not even about the website - if I phoned or emailed, the same laws would apply. You need my explicit consent to process my data in a number of ways that you'd like to, it makes you money, but I don't want you to.
The processors of this data can't make as much money off selling access to data about me, if I have these rights. So they petulantly get in my face as much as possible, via banners on websites, to annoy me and confuse me as to why these banners are even there, and try and trick me into letting them make more money.
The banners, which a browser could block or autofill, are just the surface. And they're an attack surface, so even if we agreed a way for the browser to pass on your preferences (we already did this, it's called the Do-Not-Track or DNT header, and it was a complete failure because website-owners just ignored it), website-owners would add a second layer of "ah, I see you said no automatically, but are you REALLY sure you don't want to let me make more money from your data?"
NOYB is very good for chasing after such charlatans, and forcing companies to obey data protection laws. Here is some of their guidance, and listing of the dark patterns used by non-compliant companies: https://noyb.eu/sites/default/files/2024-07/noyb_Cookie_Repo...
GDPR already mandates that the "Refuse non essential" button should be the same size and prominence as the "Accept all" button; every website around the globe does not care (apart from major players like Google, Apple or Amazon) and national data protection authorities absolutely do not care.
We already had one attempt with "Do not track" header, nobody was willing to commit to it because it impaired business. Same would go with OP proposal.
Websites are forcing this banner on us because they are greedy morons that would rather drain our data for money than incite us to pay for their work.
Nothing in the GDPR stops websites from honoring "Do not track" and then _not asking_ if it's present. They don't have to ask if they don't track you! They don't have to ask for a technically necessary session cookie that appears after you actively log in!
Websites ask because they want to track you! A 'law targeting browsers' would not help because people would say no to cookies, and then websites would ask about some other way to track you. Because they want to track you.
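The point made in this last comment (honour "Do not track" and then don't ask) and in the earlier DNT thread near the top can be shown concretely. The following is an added example written for this page; it is not code from any commenter, from the article, or from any real site. It reads the two real browser opt-out signals, the legacy `DNT: 1` header and the Global Privacy Control `Sec-GPC: 1` header, and decides server-side what to load and whether a banner is warranted at all. The cookie name `consent`, the category labels `session`, `analytics` and `advertising`, and the `lastUpdate` date in the GPC support resource are assumptions made for the example.

```python
"""Server-side handling of browser opt-out signals (DNT and Global Privacy
Control).  Added example for this discussion page, not any site's real code.
Assumed names: the 'consent' cookie and the category labels below."""
from http.cookies import CookieError, SimpleCookie

# Category labels are assumptions for this example, not from any standard.
STRICTLY_NECESSARY = ["session"]          # needed for the site to work; no consent needed
TRACKING = ["analytics", "advertising"]   # third-party/tracking; consent required
CONSENT_COOKIE = "consent"                # assumed cookie recording an earlier choice


def _normalise(headers):
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value for name, value in headers.items()}


def opt_out_signalled(headers):
    """True when the request carries 'DNT: 1' or 'Sec-GPC: 1'.

    Only the exact value '1' is an opt-out; 'DNT: 0', an empty value or an
    absent header is not a signal either way."""
    h = _normalise(headers)
    return h.get("dnt", "").strip() == "1" or h.get("sec-gpc", "").strip() == "1"


def stored_consent(headers):
    """Return 'accepted', 'rejected' or None from the assumed consent cookie."""
    jar = SimpleCookie()
    try:
        jar.load(_normalise(headers).get("cookie", ""))
    except CookieError:      # malformed Cookie header: treat as no recorded choice
        return None
    value = jar[CONSENT_COOKIE].value if CONSENT_COOKIE in jar else None
    return value if value in ("accepted", "rejected") else None


def decide(headers):
    """Decide which script categories to load and whether to show a banner.

    A browser-level opt-out is an unambiguous 'no': nothing tracking is loaded
    and the user is not asked.  Design choice in this example: the signal also
    overrides an older stored 'accepted', treating it as a withdrawal of
    consent, which the user must be able to do as easily as giving it."""
    if opt_out_signalled(headers):
        return {"load": list(STRICTLY_NECESSARY), "show_banner": False,
                "reason": "browser opt-out signal (DNT or Sec-GPC)"}
    prior = stored_consent(headers)
    if prior == "rejected":
        return {"load": list(STRICTLY_NECESSARY), "show_banner": False,
                "reason": "user rejected earlier"}
    if prior == "accepted":
        return {"load": STRICTLY_NECESSARY + TRACKING, "show_banner": False,
                "reason": "user accepted earlier"}
    # No signal and no earlier choice: load only what is strictly necessary and
    # ask once, with Reject and Accept presented with equal prominence.
    return {"load": list(STRICTLY_NECESSARY), "show_banner": True,
            "reason": "no decision recorded yet"}


def consent_set_cookie(choice, max_age=180 * 24 * 3600):
    """Set-Cookie value recording an explicit choice (accepted or rejected)."""
    if choice not in ("accepted", "rejected"):
        raise ValueError("choice must be 'accepted' or 'rejected'")
    return f"{CONSENT_COOKIE}={choice}; Path=/; Max-Age={max_age}; SameSite=Lax; Secure"


def gpc_support_resource():
    """Body for /.well-known/gpc.json, by which a site states it honours GPC.
    The lastUpdate date is a placeholder for the example."""
    return {"gpc": True, "lastUpdate": "2025-01-01"}


if __name__ == "__main__":
    # Constructed request headers, not captured traffic.
    samples = {
        "browser sending Sec-GPC": {"Sec-GPC": "1"},
        "DNT on, accepted earlier": {"DNT": "1", "Cookie": "consent=accepted"},
        "no signal, no earlier choice": {},
        "rejected earlier": {"Cookie": "consent=rejected"},
    }
    for label, request_headers in samples.items():
        print(f"{label}: {decide(request_headers)}")
```

Running the script shows that every request with an opt-out signal or a recorded rejection gets only the strictly necessary category and no banner; the banner appears only when there is genuinely no decision to act on. Nothing here depends on the browser understanding the site's categories: the server knows which of its own scripts are tracking, so the split the comments above describe as impossible for the browser is trivial for the operator.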
450 more comments available on Hacker News