
Europe should have just mandated Do-not-Track, what they did was a billion dollar mistake.



The EU is planning to do just that. The new ePrivacy Regulation is currently in trilogue negotiations, and should go into force between later this year and 2025.

> the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies that improve internet experience, such as cookies to remember shopping-cart history or to count the number of website visitors.

https://digital-strategy.ec.europa.eu/en/policies/eprivacy-r...


Super, so we can get rid of all banners then. Because ad tracking cookies absolutely improve the user experience. It's unarguably better for users to see a small number of high quality targeted ads than to see a large number of low quality animated flashy barrel-scraping casino ads, which is what you get when there's no ability to track preferences or interests. And nobody's privacy is being invaded because they aren't linkable to any individual identity anyway.

Given that the EU has now conceded that point, we can finally get rid of this noise and move on. Hurrah!

Now, some of you may disagree with the above analysis, but your analysis is no more valid than anyone else's. EU privacy law is deliberately vague and open to interpretation so you can't complain when someone interprets it the way given above.


If you want to try and nitpick something, try actually reading the proposal for the directive instead of the summary they give for the layperson.


Why should we expect the EU to correctly describe its own laws on its own website? How unreasonable!

The laws themselves are not any more precise. I spent way too long puzzling over the wording in the GDPR.


It is already not required to ask consent for cookies that, for example, back login, shopping cart, etc.


Yes, but websites want us all to believe that they just want to put these cookies on our machines to help us with required features but the regulations require this annoying pop-up just so we can use it. A LOT of people still believe this is true and do not understand they are consenting only to being tracked. So re-stating it is only helpful.


Yes, I’m sure the EU’s answer to an overcomplicated 99-section, 11-chapter law - passing yet another law - will work out really well this time.


Uhm, yes it will? At least that's how laws work, no? You make a law, spot problems and adapt it. While(true). I'm really happy GDPR exists, it just needs more polishing to be user-friendly.


Or they could have mandated cookie consent but require it to be handled by the browser, not the site (page and server). Define some standardized cookie description format, get it to the browser, and let it handle prompting the user for consent. Any cookie the user doesn't consent to is dropped instead of being stored.

Benefits:

(1) Don't have to trust the site to honor your consent.

(2) Sites won't try dark UI patterns (because they're not building the UI).

(3) More standardized UI because instead of each site inventing their own, they all use the browser's UI.

(4) Less tedium for the user. Browser can let the user choose defaults for the cookie consent dialog. Or define rules to handle certain choices automatically. And, if you can standardize categories (performance cookies, advertising cookies, etc.), then you can apply defaults and rules to those too.

(5) Web developers' jobs are easier. Just maintain and serve a cookie description data file. And of course be prepared to live without certain cookies.

Yes, this is extra work for the developers of browsers themselves. But it would be worth it. And apparently they're already spending engineering resources on cookie consent anyway.
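The browser-side gate proposed in the comment above, sketched as an added example that is not part of the original thread: the manifest format, category names, rule values and function names are all hypothetical, since no such standard exists on the page. It shows the two properties the proposal depends on: undeclared cookies are dropped, and categories without a user rule fall back to a prompt rather than to storage.

```javascript
// Added illustration: manifest format, categories and function names are hypothetical.
// Constructed sample of a site-served cookie description file.
const manifest = {
  cookies: [
    { name: "session", category: "essential", purpose: "login state" },
    { name: "_visits", category: "performance", purpose: "visitor counting" },
    { name: "adid", category: "advertising", purpose: "ad targeting" },
    { name: "exp", category: "experiments", purpose: "A/B tests" },
  ],
};

// User defaults per standardized category, chosen once in browser settings.
const userRules = new Map([
  ["essential", "allow"],
  ["performance", "ask"],
  ["advertising", "deny"],
]);

// Extract the cookie name from a Set-Cookie header value.
function cookieName(setCookie) {
  const pair = setCookie.split(";")[0];
  const eq = pair.indexOf("=");
  return eq > 0 ? pair.slice(0, eq).trim() : null;
}

// Decide for one Set-Cookie header: store, drop, or prompt in browser UI.
function decide(setCookie, manifest, rules) {
  const name = cookieName(setCookie);
  if (name === null) return { name, action: "drop", reason: "malformed" };
  const entry = manifest.cookies.find((c) => c.name === name);
  // A cookie the site never described cannot be consented to, so it is dropped.
  if (!entry) return { name, action: "drop", reason: "undeclared" };
  // Categories without a user rule fall back to prompting, never to storing.
  const rule = rules.get(entry.category) || "ask";
  const action = { allow: "store", deny: "drop", ask: "prompt" }[rule];
  return { name, action, reason: entry.category };
}

// Apply the decision to every Set-Cookie header of a response.
function filterResponse(setCookieHeaders, manifest, rules) {
  return setCookieHeaders.map((h) => decide(h, manifest, rules));
}
// Constructed response headers, including one cookie absent from the manifest.
const sampleHeaders = [
  "session=abc123; HttpOnly; Secure",
  "adid=u-991; Max-Age=31536000",
  "_visits=7",
  "fp=deadbeef; Path=/",
  "exp=B",
];
```

Calling `filterResponse(sampleHeaders, manifest, userRules)` yields one decision per header; only `session` is stored without user interaction.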


Not honoring "do-not-track" isn't as visible. Sure a site could just do the bare minimum to look like it upholds the law while breaking it, but instead we got tons of user-hostile, dark-pattern-filled dialogs that outright screamed "look at us, we are violating the law".


Legal requirements are probably the only way to handle server side tracking, data brokers, etc.

Though they might be hard to enforce.


I like do-not-track, but it's not for everyone. Informed consent is a good start anyway.


If only there were an agreed upon best practice for communicating a site's handling of user data... a... "Privacy Policy", of sorts... Humm......


Privacy Policy pages aren't really a solution to this, in my opinion. I don't think they reasonably count towards satisfying "informed consent".

First, because they don't actually inform you of much.

Second, because they're tricky to understand if you're not a lawyer. Most of them mean "you have no privacy", but worded in a way that leads you to think you do.

Third, because it's a bit ridiculous to expect everyone to read them. You'd spend more of your time reading those damned things than the page you want to read -- and you'd have to read them on every visit because they can change at any time without notice.

Better is if sites would just give basic, truthful warnings at the moments where you are making a privacy-impacting decision.


There is no solution to what you want really, which is informed users. Users don't always care to be informed, and shoving a consent dialog in their faces has been a grand experiment that proves this.

I suppose we could require users to take a test to prove that they read the privacy policy. That would be interesting.


I'm not on board with shoving consent dialogs in people's faces. But a nice little warning line next to relevant controls seems like it would be a good idea.

> I suppose we could require users to take a test to prove that they read the privacy policy

That wouldn't really address the main issue with them, which is that they're written in a deceptive manner. I can tell you right now what 90% of them mean: "you have none". But that's not how they read. How they read is things like "we may share your data with trusted partners in order to deliver you a great experience".


So they should say "you have none"? What should they say? Would you be satisfied by such a change?


They should be written clearly, without obfuscation. If you have none, then that's exactly what they should say.

But none of the ones I've read qualify as "informed consent" because even if they're clearly understandable, they don't fully inform you. They always mention sharing data with partners, for instance, but never say who those partners are, what data is being shared with them, and what those partners are doing with that data.

Unless you know that, informed consent is impossible.


Every privacy policy I've read seemed very sensible to me. Remember that privacy policies are legal documents and they quickly become cluttered with "legal-isms" and verbosity. Sometimes companies will move heaven and earth to make their privacy policy readable at a 3rd-grade level. And you know what? That costs them money and they pass those costs on to consumers, who overwhelmingly don't care about what's actually in the agreement (because they have a fairly good understanding of what kinds of things it says anyway).

Complaining about them seems to miss the bigger picture.


I do not like another bit of entropy.


That was the reasoning for DNT being enabled in Internet Explorer 11 by default. (Unfortunately, it coincided with the ad-tracking companies – Microsoft included – only agreeing to honour DNT if it were off by default.)


That seems like it would be a huge win for the public. Is there any good reason this couldn't happen besides the obvious troublesome process of passing laws?


DNT barely existed when ePrivacy was last amended, back in 2009.



