Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

For you EU citizens, how do you feel about cookie banners?


They are the most adversarial implementation of the law. There is no requirement for them. The Do Not Track HTTP header would've been perfectly compliant but of course the ad companies -- and let's not forget Google is one -- did not want it. They want you to be pissed off by the cookie banners so eventually they might go away.


I get pissed off at the website for asking to track me, not pissed off at the law that requires my consent to track me. I hope many people feel the same way I do.


Unfortunately not enough people care, or are even aware of what they don't care about, and that is a large part of what the dark patterns hope to take advantage of.

I'd accept a straight opt-in/opt-out choice if, as per the law, opting out was just as easy as opting in and opting in was not any sort of default. But the stalky side of the industry (most of it) doesn't want informed consent, they don't want to have to acknowledge the idea of consent at all.


I just remove cookie popups with ublock origin. Nobody annoyed me enough yet to see if they're compliant afterwards - pretty much all pages work properly after that, and they'd need to handle that case as selecting the refusal button.


That is expected to happen with every law.


To which, the solution would be to tell companies not to use intrusive banners, not allow tracking like it was before.


There were already updated requirements to avoid some dark patterns deployed in the wild, like mandating providing a "reject all" button.


Unfortunately, I still see tons of sites that don't provide one, or have opted-in-by-default settings for news, etc.

These definitely need to be enforced better.


Hopefully leeches like IAB who are behind many of these banners will get their dues: https://www.osborneclarke.com/insights/digital-ad-ruling-cje...


There are an excellent way to see which sites I really can't trust. Which is unfortunately many of them. If they are willing to use that many dark patterns to try engineer accidentally acceptance of stalking, then I have no doubt that they'd carry drive-by downloaded rootkits if that were still as easy as it once was, there was a fraction of a sniff of profit in it, and they thought they'd get away with it (or could convincingly blame someone else).

The majority of the cookie banners that you see aren't even compliant with the regulations that the site owners claim that they are caused by, some aren't even close to compliant. At that point it isn't “malicious compliance” but instead “overstepping as far as they feel safe”. Almost none of the cookie pop-overs would be needed at all if allowing advertisers to follow you around your life was opt-in. You don't need to ask permission for anything that is strictly necessary, like non-permanent session tracking & auth tokens, presenting that part at all is part of the theatre to try convince users that the regulations are the problem not the sites themselves doing things that need to be regulated.

One of the most annoying bits of many is “legitimate interest” which basically means “we see your opt-out preference, but fuck you and your preferences we want to stalk you and we will”. Note that these are usually implemented in such a way that if you don't explicitly object they'll be allowed, even if you click the “reject all” button without opening the concertina UI element that hides them from default view.

The phrase “cookie banner” itself is misleading, though we are guilty of that as well as them. You are opting in/out of the ability for them to do things, cookies are just part of the options they have for implementing those doings.

And while I'm having a little rant… “We value your privacy!” — no you don't, you lying sack of shit. You value the opportunity to sell the possibility of invading my privacy to the highest bidder.


They are annoying, but I quite like the option to choose. I definitely prefer not to have tracking cookies.


I find them very informative, to have a clear indicator if a site's answer to upholding my rights is genuine effort or malicious compliance.


They are annoying but not needed if people would respect privacy. How about don’t use tracking or collecting too much info? Then you don’t have to put them.


I use Consentomatic, which automatically rejects cookies and can also reject dark pattern banners. Of course this should be better solved, but at least this way I have some control over my privacy without being disturbed.


That they're a form of malicious compliance to do anything except for comply with very reasonable laws.

Cookie banners predate the GDPR by like, a decade anyway. They were the soft attempt to get tracking companies to back off; instead, tracking companies just attempted (and mostly succeeded) at tiring out the user.

I highly recommend the Consent-O-Matic extension to fully reject all that crap automatically[0] in lieu of corporations properly complying with the law and accepting the general rejection signals like DNT and GPC.

[0]: https://consentomatic.au.dk/


Consent-o-matic takes care of all honest cookie banners out there and opts out for me before I even realize it.

When I run into a website that it doesn't work with, I sometimes use the report function and set it myself.

However, most websites with a cookie banner that's too obstrusive for Consent-o-matic turn out to be useless clickbait LLM spam that's not worth the effort. So most of the time I just go somewhere better and leave the obnoxious cookie wall to itself.

I think it all turned out fine (for the time being) thanks to cookie walls :)


A lot of websites and people misunderstand and think that you need popups for essential cookies like login cookies -- you don't. Every time you see a cookie popup it's because they want to track your actions beyond the basics needed for their site to work.

Im all for them.


The vast majority of the sites don't misunderstand, I wouldn't give them that much benefit of doubt. They present things in a way to encourage people to misunderstand, in the hope that people will think the regulations are the problem and support getting rid of them.


It becomes very obvious when the "cookie banners" talks about "Company and our 1234 partners ..."


They are annoying, disrespectful, unwarranted and unasked for.

But with uBlock Origin and Firefox, we have solid tooling to almost never see them now.

GDPR is also not the issue. The issue is incentives to track people.


> They are annoying, disrespectful, unwarranted and unasked for.

The tracking itself is : if there is a banner, it shows you this company is indeed disrespectful.


It is nice to see which websites do not value their visitors' privacy. It is too bad that there are so many of them.


I hate all the illegal consent popups.


I like it. Gives you good idea who actualy cares about their users and who consider us to be the product.


They are pretty annoying, and I very much prefer for web sites not to need them.

But when they employ the practices that make them have them, I'm glad I can say no.


I wish the rules for consent banners were actually enforced. What bothers me most is when some site clearly doesn't care and puts up a "you consent by viewing this site" banner.

It's understandable, they can do whatever they want without any consequences right now, but that needs to change.


It's enforced, but not fast enough, and not hard enough.

Even the enforcers are just not mentally ready (or just have too many cases) to really, really slam the monopoly of force on offenders.


They are easier to click now, first sites with cookie wall setups were often bad pattern, hard to disagree with non essential cookies and so on, they basically forced you or tried to trick you into accepting all cookies, essential, marketing, social and what not. Now you see more sites that have default setting to only allow essential.

But regulator obviously didn't know how cookies work, what they are good for, what they are bad for and whatever they try to outlaw now gets correlated via different means. User-agent, ip and some other browser fingerprinting.

So bottomline, we have to click once more (or every time, when private/incognito mode) when you visit a site.


> But regulator obviously didn't know how cookies work, what they are good for, what they are bad for and whatever they try to outlaw now gets correlated via different means. User-agent, ip and some other browser fingerprinting.

The regulators are very aware of it, that's why the law doesn't say anything about cookies. You'd know that if you cared to read it. It's only been 6 years, and the law can be read in it's entirety in an afternoon or less. So I see why the task of actually learning anything about GDPR beyond what the industry tells you to seems insurmountable to most IT people.


So there's the old e-privacy directive which I agree was poorly thought out, but cookie banners in their current form were implemented by companies as a reaction to GDPR which has no thoughts on cookies - fingerprinting is equivalent to cookies under the GDPR.


It already was equivalent under ePrivacy.


This should be done with API, not banners. As someone who prefers using Incognito mode in order to regularly clean cookies from third-parties, the choice of place of storing my GDPR preferences for each web-site is nuts.

BTW I do not use much websites with that banners because they are for idiots. Good forums and torrent trackers don't have that because there will be always an anark spirit on the Internets, no matter how severe the censorship is going to be. And this part of the Internets is really better part than the opposite one.


Checking if user has "Do Not Track" or its newer equivalent set and just triggering the same flow as if the user refused all tracking (outside of what falls under "legitimate interest" according to GDPR and not IAB) would be perfectly fine implementation.


"Do Not Track" has some problems with reputation, probably "Do Not Track Even The System Cookies" might solve all the problem such as repeating to see GDPR banners and Mozilla certainly will not make the "Do Not Track Even The System Cookies" as a default choice.


They are a very minor part of GDPR. It's kind of a shame that it is most people's only experience of it, because the other changes are all very positive for EU citizens.


> They are a very minor part of GDPR.

Cookie banners are not a part of GDPR. Especially not the common dark-pattern-riddled "we sell your info to thousands of companies" ones


As a non-EU citizen that is affected by this, I find the entire idea stupid and they're annoying as heck. Every website I go to has a stupid cookie banner. It's beyond ridiculous. This should be a simple setting in the browser that I can override per site and never see a cookie banner again. This is a perfect example of government overreach done wrong.


Don’t track people solves the entire issue. Complain to companies who want to fingerprint and track you; those are the evil ones and the ones with overreach. Without that you don’t have to put banners.


> This should be a simple setting in the browser that I can override per site and never see a cookie banner again.

There was the Do Not Track header. That the industry you're defending immediately used to fingerprint and track people

> This is a perfect example of government overreach done wrong.

The law doesn't say anything about cookie banners. The blame for them lies squarely with the great amazing privacy-preserving and customer-loving industry of ours.


It's horrible.

Cookies should be a client thing, browsers should forget them once the tab/window is closed by default, and there should be a button by the url bar to remember cookies for that domain. EU should mandate the default settings in preinstalled browsers on all devices sold in eu, and that would solve 99% of the problem.


It's mostly malicious compliance.


They remind me of how we as humans often end up with ineffective solutions to problems we try to solve. It's like it goes off the rails halfway and ends up stuck there.


I have uMatrix installed and never see them. The greatest achievement for GDPR for me was that it significantly reduced the amount of spam I receive.


They are an annoyance, but it is great not to have websites track you if you select them not to.


The ones that disappear AS SOON as you click your choice are ok :-)


Its great to know which websites track you and which don't.


Cookie banners are just like ad banners: adblock fodder.


IMHO one of the worst things about the current state of the web, especially if you're browsing on a device like an iPhone which doesn't have uBlock Origin.

It used to be, you open a website, you can view the content. Now it's more like you open a website, get an overlay popup, take 30 seconds to solve the dark pattern logic puzzle of disabling tracking, then you view the content. Every. Single. Time.


I like them, it's a sign that the website is shit and helps me go away from it.


Extremely annoying.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: