They are the most adversarial implementation of the law. There is no requirement for them. The Do Not Track HTTP header would've been perfectly compliant but of course the ad companies -- and let's not forget Google is one -- did not want it. They want you to be pissed off by the cookie banners so eventually they might go away.
I get pissed off at the website for asking to track me, not pissed off at the law that requires my consent to track me. I hope many people feel the same way I do.
Unfortunately not enough people care, or are even aware of what they don't care about, and that is a large part of what the dark patterns hope to take advantage of.
I'd accept a straight opt-in/opt-out choice if, as per the law, opting out was just as easy as opting in and opting in was not any sort of default. But the stalky side of the industry (most of it) doesn't want informed consent, they don't want to have to acknowledge the idea of consent at all.
I just remove cookie popups with ublock origin. Nobody annoyed me enough yet to see if they're compliant afterwards - pretty much all pages work properly after that, and they'd need to handle that case as selecting the refusal button.
There are an excellent way to see which sites I really can't trust. Which is unfortunately many of them. If they are willing to use that many dark patterns to try engineer accidentally acceptance of stalking, then I have no doubt that they'd carry drive-by downloaded rootkits if that were still as easy as it once was, there was a fraction of a sniff of profit in it, and they thought they'd get away with it (or could convincingly blame someone else).
The majority of the cookie banners that you see aren't even compliant with the regulations that the site owners claim that they are caused by, some aren't even close to compliant. At that point it isn't “malicious compliance” but instead “overstepping as far as they feel safe”. Almost none of the cookie pop-overs would be needed at all if allowing advertisers to follow you around your life was opt-in. You don't need to ask permission for anything that is strictly necessary, like non-permanent session tracking & auth tokens, presenting that part at all is part of the theatre to try convince users that the regulations are the problem not the sites themselves doing things that need to be regulated.
One of the most annoying bits of many is “legitimate interest” which basically means “we see your opt-out preference, but fuck you and your preferences we want to stalk you and we will”. Note that these are usually implemented in such a way that if you don't explicitly object they'll be allowed, even if you click the “reject all” button without opening the concertina UI element that hides them from default view.
The phrase “cookie banner” itself is misleading, though we are guilty of that as well as them. You are opting in/out of the ability for them to do things, cookies are just part of the options they have for implementing those doings.
And while I'm having a little rant… “We value your privacy!” — no you don't, you lying sack of shit. You value the opportunity to sell the possibility of invading my privacy to the highest bidder.
They are annoying but not needed if people would respect privacy. How about don’t use tracking or collecting too much info? Then you don’t have to put them.
I use Consentomatic, which automatically rejects cookies and can also reject dark pattern banners. Of course this should be better solved, but at least this way I have some control over my privacy without being disturbed.
That they're a form of malicious compliance to do anything except for comply with very reasonable laws.
Cookie banners predate the GDPR by like, a decade anyway. They were the soft attempt to get tracking companies to back off; instead, tracking companies just attempted (and mostly succeeded) at tiring out the user.
I highly recommend the Consent-O-Matic extension to fully reject all that crap automatically[0] in lieu of corporations properly complying with the law and accepting the general rejection signals like DNT and GPC.
Consent-o-matic takes care of all honest cookie banners out there and opts out for me before I even realize it.
When I run into a website that it doesn't work with, I sometimes use the report function and set it myself.
However, most websites with a cookie banner that's too obstrusive for Consent-o-matic turn out to be useless clickbait LLM spam that's not worth the effort. So most of the time I just go somewhere better and leave the obnoxious cookie wall to itself.
I think it all turned out fine (for the time being) thanks to cookie walls :)
A lot of websites and people misunderstand and think that you need popups for essential cookies like login cookies -- you don't. Every time you see a cookie popup it's because they want to track your actions beyond the basics needed for their site to work.
The vast majority of the sites don't misunderstand, I wouldn't give them that much benefit of doubt. They present things in a way to encourage people to misunderstand, in the hope that people will think the regulations are the problem and support getting rid of them.
I wish the rules for consent banners were actually enforced. What bothers me most is when some site clearly doesn't care and puts up a "you consent by viewing this site" banner.
It's understandable, they can do whatever they want without any consequences right now, but that needs to change.
They are easier to click now, first sites with cookie wall setups were often bad pattern, hard to disagree with non essential cookies and so on, they basically forced you or tried to trick you into accepting all cookies, essential, marketing, social and what not. Now you see more sites that have default setting to only allow essential.
But regulator obviously didn't know how cookies work, what they are good for, what they are bad for and whatever they try to outlaw now gets correlated via different means. User-agent, ip and some other browser fingerprinting.
So bottomline, we have to click once more (or every time, when private/incognito mode) when you visit a site.
> But regulator obviously didn't know how cookies work, what they are good for, what they are bad for and whatever they try to outlaw now gets correlated via different means. User-agent, ip and some other browser fingerprinting.
The regulators are very aware of it, that's why the law doesn't say anything about cookies. You'd know that if you cared to read it. It's only been 6 years, and the law can be read in it's entirety in an afternoon or less. So I see why the task of actually learning anything about GDPR beyond what the industry tells you to seems insurmountable to most IT people.
So there's the old e-privacy directive which I agree was poorly thought out, but cookie banners in their current form were implemented by companies as a reaction to GDPR which has no thoughts on cookies - fingerprinting is equivalent to cookies under the GDPR.
This should be done with API, not banners. As someone who prefers using Incognito mode in order to regularly clean cookies from third-parties, the choice of place of storing my GDPR preferences for each web-site is nuts.
BTW I do not use much websites with that banners because they are for idiots. Good forums and torrent trackers don't have that because there will be always an anark spirit on the Internets, no matter how severe the censorship is going to be. And this part of the Internets is really better part than the opposite one.
Checking if user has "Do Not Track" or its newer equivalent set and just triggering the same flow as if the user refused all tracking (outside of what falls under "legitimate interest" according to GDPR and not IAB) would be perfectly fine implementation.
"Do Not Track" has some problems with reputation, probably "Do Not Track Even The System Cookies" might solve all the problem such as repeating to see GDPR banners and Mozilla certainly will not make the "Do Not Track Even The System Cookies" as a default choice.
They are a very minor part of GDPR. It's kind of a shame that it is most people's only experience of it, because the other changes are all very positive for EU citizens.
As a non-EU citizen that is affected by this, I find the entire idea stupid and they're annoying as heck. Every website I go to has a stupid cookie banner. It's beyond ridiculous. This should be a simple setting in the browser that I can override per site and never see a cookie banner again. This is a perfect example of government overreach done wrong.
Don’t track people solves the entire issue. Complain to companies who want to fingerprint and track you; those are the evil ones and the ones with overreach. Without that you don’t have to put banners.
> This should be a simple setting in the browser that I can override per site and never see a cookie banner again.
There was the Do Not Track header. That the industry you're defending immediately used to fingerprint and track people
> This is a perfect example of government overreach done wrong.
The law doesn't say anything about cookie banners. The blame for them lies squarely with the great amazing privacy-preserving and customer-loving industry of ours.
Cookies should be a client thing, browsers should forget them once the tab/window is closed by default, and there should be a button by the url bar to remember cookies for that domain. EU should mandate the default settings in preinstalled browsers on all devices sold in eu, and that would solve 99% of the problem.
They remind me of how we as humans often end up with ineffective solutions to problems we try to solve. It's like it goes off the rails halfway and ends up stuck there.
IMHO one of the worst things about the current state of the web, especially if you're browsing on a device like an iPhone which doesn't have uBlock Origin.
It used to be, you open a website, you can view the content. Now it's more like you open a website, get an overlay popup, take 30 seconds to solve the dark pattern logic puzzle of disabling tracking, then you view the content. Every. Single. Time.