
I feel like the cookie banners could be fixed with an iteration of the law that requires adherence to an HTTP request header like do not track.



I think DNT could be rescued if it could be turned into a browser-wide consent UI. Currently, with its history of being set to 1 by default in some browsers, it doesn't really distinguish between "I don't consent" and "I haven't expressed an opinion", giving sites an excuse to ask you anyway.

Myself, I wish another GDPR iteration would instead mandate the shape and form of the initial consent popup, requiring it to fit to the following template (or something similar/equivalent):

  +------------------------------------------------+
  |     Allow additional data collection?      [X] |
  |                                                |
  | This site would like to use technical means    |
  | such as cookies and local storage to collect   |
  | data about you and your computer. This data is |
  | not necessary for the correct functioning of   |
  | this site, and does not impact the service     |
  | it provides.                                   |
  |                                                |
  | Do you consent to this opt-in data collection? |
  |                                                |
  | GDPR requires this message to be shown because |
  | the data collection requested is not necessary |
  | and may carry data privacy risks. Necessary    |
  | data collection does not require consent form. |
  |                                                |
  | [Learn purposes and]      [>I do not consent<] |
  | [configure consent ]                           |
  +------------------------------------------------+

With an explicit [>I do not consent<] button, pre-selected, in the "call to action" color, doing the same thing as [X] does, which is declining the data collection described. Displayed in the same language the website content is, and with specific regulations guarding against the common "dark pattern" bullshit. I'm sure Brussels has some webdevs that would be happy to provide standard templates and React components and whatnot, so that site authors could just plug in a stylesheet and a JSON blob to configure the [Learn purposes...] section.

The ultimate solution would be for member states' DPAs to get off their collective butts and start issuing fines for the current crop of blatantly illegal consent popups, but in the interim, it would be helpful to regulate the popups, so that they clearly communicate that a) they're requesting strictly unnecessary tracking that can be safely ignored, b) showing an annoying popup is a choice by the website owners, who decided to request consent for additional tracking.


>I think DNT could be rescued if it could be turned into a browser-wide consent UI.

This is kind of what I was getting at.

I think there would be subtleties to the user interactions though - I might say yes to marketing cookies if I knew not accepting it would lead to a degradation of service on some sites, but not for every site.

Driving a standard that can manage that kind of thing might be something regulators simply aren't up to.


Some people might reasonably prefer ads that are more tailored to them and would consider it a negative impact on the service.

Other sites might, for example, use your current location to display the local weather, which isn't required (you can type in your city in the search bar) but would be preferred by many.

A better solution would be to have the browser ask once, globally, on first install and then send the DNT after that. Any attempt to circumvent anything would be an instant fine.


You are not wrong. Browsers could standardize the information exchange and approval that happens for cookies and then implement a sane UI for that similar to how e.g. browser location tracking requires opting in. That should be a perfectly valid alternative for home grown UX that website developers add themselves and offer a better UX.

To do this you would need to provide the legalese for that in some standardized way so the browser can pop up some UI that allows users to review that and approve/reject that. It should simply refuse any kind of cookie until the user has approved. That approval should be removable as well. Part of that should also cover having a sane API around that so sites can decide if they need to fall back to displaying their popups for this. Browsers that support this could even start defaulting to block all forms of cookies until explicit permission is in place for a website, regardless of existing UI. Many users have extensions that do this.

Wouldn't be the worst idea. Of course the flip side is that it also makes it easier for users to say "no" a lot (I would). And there is the notion that this may be a grey area under the current legal text. And of course some browser vendors have vested interest in the whole cookie & tracking business (Google).



