Comment by AnthonyMouse

2 days ago

> Do you feel like people are now aware that cookies are being installed, more so than before the banner? Do people understand that they are consenting to this?

> That is the law at work.

The problem is that's not what anybody, including the users, wants. Nobody cares that browsers have cookies as an implementation detail. It's a ridiculous thing to use as the basis of a privacy rule. Does the user care that the site uses cookies to implement a shopping cart feature? Does the user not care that the site is tracking them without cookies using device fingerprinting? Cookies were never the problem.

On top of that, they were the thing the users already had control over. Browsers allow you to delete or reject cookies, provide private browsing modes that don't submit them, etc.

Meanwhile the things that would actually be useful, like prohibiting services from requiring the user to provide a phone number (a de facto cross-service cross-device tracking ID) in order to use the service, or requiring device attestation (which uniquely identifies the device), are left unaddressed.

I am eagerly awaiting your grassroots campaign to define legislation that would tackle such uses, and also eagerly awaiting it backfiring because of malicious compliance.

  • Malicious compliance is a result of incompetent drafting. It's common because incompetent drafting is common, case in point GDPR. It's definitely possible to screw it up less than that -- there are many laws that nobody complains about.

    You pass a law prohibiting any entity from conditioning the use of their service on the user providing them with a phone number. Even services that actually use SMS or voice calls are required to provide an alternative like email or the web with no reduction in functionality and for no additional cost.

    You pass a law stating that any device which is sold or leased to anyone who takes physical possession of it cannot contain a private key the customer is unable to both read and extricate at no cost.

    What does malicious compliance look like there? Anyone can give them an email instead of a phone number and if that doesn't work they're in violation. Remote attestation is the only reason for devices to come from the factory containing an inaccessible private key, which is thereby prohibited and unable to be used as a tracking ID.

Cookies are not the basis of the law, which is about tracking in general, abstracted from the exact means and implementation details.

  • The law contains some ridiculous language about storing data on the user's device, which applies to cookies in particular even though that category in general makes no coherent sense, because the thing that should matter is if you can identify the user/device, not whether you used something in the shape of a cookie to do it.