Honest question: why is cookie management done by the sites instead of the browser? There's something wrong with the way this is all designed if we're relying on the websites, which have an obvious conflict of interest, to manage which cookies are necessary and which are frivolous.
Because this is malicious compliance by websites. They are attempting to annoy people into clicking the easiest button, which is always the "store all my data, spam me at will" button.
And then the second is: browsers don't really know the purpose of any particular cookie, or how much the user actually wants it or not. Due to how cookies work, they really have no way to know. Cookies are not standardized enough.
Cookies could be standardized/semantic - by name or by another cookie's name (of course, there could still be violations if any part of a cookie's value is opaque).
If you had that you could (and I think this is GGP's point) have settings in the browser similar to phone privacy settings: allow cookies for (login || place || shopping cart || etc)
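
The idea in the two comments above, sketched as an added example that is not part of the original thread: a browser-side filter that stores or drops each `Set-Cookie` by a purpose declared in the cookie name. The `__Purpose-<category>-` prefix and the function names are hypothetical (the real name prefixes are `__Host-` and `__Secure-`), and the sample headers are constructed.

```javascript
// Hypothetical convention for this sketch: "__Purpose-<category>-<name>".
const PURPOSE_RE = /^__Purpose-([a-z]+)-(.+)$/;

// Parse one Set-Cookie header value into name, value and an attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null; // no cookie name: ignore the header
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Store a cookie only if its declared purpose is in the user's allowed set.
// A cookie that declares no purpose is treated as "undeclared" and dropped.
function applyPolicy(headers, allowed) {
  const result = { stored: [], dropped: [] };
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c) continue;
    const m = PURPOSE_RE.exec(c.name);
    const purpose = m ? m[1] : 'undeclared';
    (allowed.has(purpose) ? result.stored : result.dropped).push({ name: c.name, purpose });
  }
  return result;
}

// Constructed sample response headers.
const SAMPLE = [
  '__Purpose-login-sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  '__Purpose-cart-items=3; Path=/',
  '__Purpose-ads-uid=9f8e7d; Max-Age=31536000',
  '_legacy_tracker=xyz; Domain=example.test',
  // Labelled "login", but the opaque value matches the ads ID above:
  // the browser cannot tell, which is the caveat raised in the comment.
  '__Purpose-login-pref=9f8e7d',
];

const decision = applyPolicy(SAMPLE, new Set(['login', 'cart']));
console.log(decision);
```

The last sample cookie passes the filter because the label is self-asserted by the site, so a scheme like this only narrows what the browser has to trust and does not verify it.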
I mean, you can turn cookies off in your browser settings, but the browser doesn't have a good way to differentiate between a cookie that keeps you logged into something and a cookie that tracks you to show ads.
Sure, but the vast majority of websites where I see these cookie prompts aren't even websites I'm logging in to in the first place... often they are websites I am not sure you can even log into at all. I get that if I want some kind of fine-grained cookie handling for websites that are legitimately using cookies for something I need to rely on them, but that initial "do I want this site to get cookies at all?" is almost always "no" and I should not have to rely on them for it.
This is pretty "easy" in Chrome, at least for a definition of "easy" that I'm comfortable with.
For more than ten years I've had all cookies turned off by default in Chrome's site settings, and I click two buttons when visiting a site if I want to allow it to store data on my machine. That allowlist is persistent so I don't have to think about it again.
> Sure, but the vast majority of websites where I see these cookie prompts aren't even websites I'm logging in to in the first place... often they are websites I am not sure you can even log into at all.
Cookies for managing logins are explicitly allowed by the GDPR. If you get a cookie choice prompt when visiting a website, it is an indication that the site is placing "advertising/tracking" cookies, for which the GDPR does require consent.
I would assume because either the appropriate solution (to have the settings in the browser) wasn't proposed due to a dearth of technological competence in politics or the ad lobby pushed for each site to present its own in some poor attempt to pretend to provide "consumer choice".
Aside from the other things people have mentioned, GDPR prompts (unlike typical ePrivacy Directive prompts before that) don’t only apply to client-side stuff.
Without obtaining consent or having a legitimate (i.e. functional, not economic) reason, the website operator cannot collect server-side logs or fingerprints either. Or they might not need consent to collect data (e.g. remember your purchases for refunds) but do need it to disclose that data to third parties (e.g. to feed the purchases into a recommendation engine... or, let’s be real, an advertisement profile).
None of this nuance is enforceable browser-side. It could in theory be communicated in machine-readable form by the browser, such as with a DNT header, but before somebody sues over that I doubt it’s going to be honoured.
(I remember that the SameSite cookie proposal had a follow-up, even more web-breaking same-origin-policy cookie proposal. That’s probably the most meaningful thing you can do client-side. But it had seemingly died when FLoC did, and I can’t find it now.)
While browser cookie UI has been historically bad even for developers, I don't see how a browser's cookie UI could do what these menus do.
For example, load StackOverflow in Chrome incognito. It has buttons for "Accept all cookies", "Necessary cookies only" and a "Customize" menu that gives you checkboxes for "strictly necessary", "performance", "functionality", and "targeting cookies" all with a lot of links and explanations.
It isn't just a matter of turning off third party cookies.
The main reason is the web is run via ads which are fueled by cookies. Browsers have no interest in limiting their functionality in any way. It's a deal with the devil kind of thing. Spyware v free web.