Comment by xp84
1 month ago
Yeah, this is an insane proposal. I know GP may be imagining a smart populace walking away from Big Evil Facebook and X with heads held high, but the other 99% of sites are also doing the same cookie banner stupidity because it is roughly mandatory due to useless EU law (unless you’re not engaging at all in advertising even as an advertiser). So, no more accessing your bank, power utility, doctor, college, etc. That’ll show those pesky cookie banner people!
“The Internet” to someone boycotting cookie banners would basically just be a few self-hosted blogs.
You do not need to show a banner and ask for consent if every cookie is to make the website work (e.g. for authentication and settings). GDPR didn't create this banner; websites that use useless cookies and phone home to Big Tech did.
- Nearly all commercial websites advertise their site in some way
- Nearly all websites people use day-to-day are commercial
- To run ads in a post-1997 world, you must have a conversion pixel because ads aren't sold by impression, they're sold by clicks and they need to know someone made it to your site
- Therefore, some form of tracking cookies (oooh evil) are required
- Big Tech (Google/Meta/X) controls 99% of the real estate where ads can be run, so... they will know about visitors
Unless browsers simply had a setting by default to only save cookies past one session when users allow it. That would be a wildly more effective and efficient solution than forcing every single random website to implement some byzantine JavaScript monstrosity which attempts to somehow inhibit other JS it doesn't actually control from dropping cookies -- something that the JS API in a browser doesn't even support.
I work on a product that doesn't even have any ad traffic land on it or want to do any tracking, and setting up a cookie management platform was insane. You have to dive into the docs of every SDK to try to figure out how this particular SDK can be signaled to do the GDPR compliance things.
I’m not a web developer, but it seems to me that the referrer that you get after a click on a link should be sufficient to count clicks vs impressions.
I am happy to learn what I may have been imagining: thanks for that!
The law has turned out to be useless, agreed — or at least, it has driven hard-to-navigate UX that we live through today. The intent could have taken us in a different direction with some care (i.e. mandating a clear, no-dark-pattern opt-out/opt-in ahead-of-time option a la DoNotTrack header that similarly failed): if web clients (browsers) were required to pass visitors' preferences and if the list of shared-with was mandated to be machine readable with an exact format (so browsers would create nice UIs), maybe we'd get somewhere.
That's precisely what https://en.wikipedia.org/wiki/EPrivacy_Regulation was supposed to be! As you can imagine, there are strong incentives to lobby against it, so it's almost a decade late already.
Whoever came up with the idea to attach a CSAM scanning provision to it is an evil genius, what an incredible way to make sure it's not going to pass any time soon.
'Do not track' was stupid. 'Cannot Be Tracked' would have worked fine. The difference is that the browser is literally the user's agent, so it should work for the user. It is the thing which identifies you today, and could easily NOT identify you without your permission if that was what was mandated -- and "big bad ad tech" could do nothing about it.
Simply select the sites whose first party cookies you want preserved, triggered only by the user actively toggling it on, or prompted for on a user-triggered POST that occurs on a page with a user-filled password field (similar to how popups were killed off, no prompting on a POST done without user interaction). "Do you want to let this site 'ycombinator.com' remember you (stay logged in, etc.)?" [YES] [NO]
Otherwise delete the cookies in X minutes/hours/etc.
Or another way, keep the cookies while a tab is on the site, then once no tabs are visiting it, put them in an 'archive.' Upon visiting the site again, show a prompt "Allow ycombinator.com to recognize you from your previous visit(s)?" <Yes> <No, be anonymous> If yes, restore them, otherwise, delete them.
It is so simple to have browsers be responsible for the user's safety, yet since we left it to politicians to decide, we got all this silliness putting it on the users -- and where the technical implementations are by necessity INSIDE the JS sandbox where it's difficult for users to verify that it's being done correctly.
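
The archive-and-prompt cookie handling proposed in the comment above, modelled as an added example (not part of the thread and not any browser's real API). The class and method names, the TTL parameter and the `.example` hostname are assumptions for illustration; timestamps are passed in so the behaviour is deterministic.

```javascript
// Hypothetical model of a browser-enforced, per-site cookie policy.
class SiteCookieJar {
  constructor(archiveTtlMs) {
    this.ttl = archiveTtlMs;      // the "X minutes/hours" before archived cookies are deleted
    this.live = new Map();        // site -> Map(name -> value), visible to the site
    this.archive = new Map();     // site -> { cookies, at }, never sent to the site
    this.tabs = new Map();        // site -> number of open tabs
    this.remembered = new Set();  // sites the user explicitly chose to keep
  }
  remember(site) { this.remembered.add(site); }  // only ever called from a user action
  set(site, name, value) {
    if (!this.live.has(site)) this.live.set(site, new Map());
    this.live.get(site).set(name, value);
  }
  get(site, name) { return this.live.get(site)?.get(name); }
  // Returns "prompt" when an unexpired archive exists, so the browser UI can ask the user.
  openTab(site, now) {
    this.tabs.set(site, (this.tabs.get(site) || 0) + 1);
    const a = this.archive.get(site);
    if (!a) return "ok";
    if (now - a.at > this.ttl) { this.archive.delete(site); return "ok"; }
    return "prompt";
  }
  // When the last tab on a non-remembered site closes, its cookies move to the archive.
  closeTab(site, now) {
    const n = (this.tabs.get(site) || 1) - 1;
    this.tabs.set(site, n);
    if (n > 0 || this.remembered.has(site) || !this.live.has(site)) return;
    this.archive.set(site, { cookies: this.live.get(site), at: now });
    this.live.delete(site);
  }
  // allow=true restores the archived cookies; allow=false deletes them (anonymous visit).
  answerPrompt(site, allow) {
    const a = this.archive.get(site);
    this.archive.delete(site);
    if (allow && a) {
      this.live.set(site, new Map([...a.cookies, ...(this.live.get(site) || [])]));
    }
  }
}

// Constructed walk-through: visit, leave, return, and decline to be recognised.
const jar = new SiteCookieJar(60_000);
jar.openTab("shop.example", 0);
jar.set("shop.example", "sid", "constructed-session-id");
jar.closeTab("shop.example", 1_000);
console.log(jar.openTab("shop.example", 2_000)); // the UI would now ask the user
jar.answerPrompt("shop.example", false);
console.log(jar.get("shop.example", "sid"));
```

Because the archive lives outside anything page script can reach, enforcement does not depend on third-party JS cooperating.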