Comment by hnbad

The law is fine. The industry has just decided that dragging its heels and risking fines is better than actual compliance.

Most of the "cookie management" scripts that people use aren't compliant.

EU law requires "Accept All" and "Reject All Non-Essential" be both equally easy to access and given equal weight (or rather: the latter can't be given less weight and made more difficult to access, which almost all of these scripts blatantly ignore).

Browser vendors can't solve this because the question isn't technical but legal. It's not about first-party vs third-party cookies (let alone same-origin vs cross-origin) but about the purposes of those cookies - and not just cookies but all transferred data (including all HTTP requests).

You don't need to (and in fact can't) opt into technically necessary cookies like session cookies for a login and such. It's plausible that these might even be cross-origin (as long as the other domain is controlled by the same legal entity). If they're provided by a third party, that would indeed be data sharing that warrants a disclosure and opt in (or rather: this can only happen once the user acknowledges this but they have no option to refuse and still use the service if it can't plausibly be provided without this).

The GDPR and ePrivacy laws (and the DMA and DSA) have done a lot for privacy but most of what they have done has happened behind the scenes (as intended) by changing how companies operate. The "cookie management" is just the user-facing part of those companies' hostile and dishonest reactions to these laws as well as a cottage industry of grifters providing "compliance" solutions for companies that can't afford the technical and legal expertise to understand what they actually need to do and think they can just tick a box by buying the right product/service.

Heck, most companies don't even provide legally compliant privacy policies and refuse to properly handly data access requests. The GDPR requires companies to disclose all third parties (or their categories if they can't disclose identities) your (specifically your) data has been shared with and the specific types of data, purposes of that sharing and legal basis for sharing it (i.e. if it required consent, how and when that consent was given) - and yet most will only link you to their generic privacy policy that answers none of those questions or only provides vague general answers or irrelevant details ("We and our 11708 partners deeply care about your privacy").