Man it's 2025 and we still WANT to opt out of cookies visually? Why don't we just have browsers that just do that.

Springtime 5 days ago | parent | next [-]

If one wants full control cookies could just be disabled by default at the browser level (which also blocks local storage). I do this and just whitelist sites that actually need it (very few).

The issue is some sites won't display any content without cookies, even if it's unnecessary. The amount of React-using sites that will load the entire page only to a second later to fully blank out since the JS couldn't set local storage does get annoying (and can regularly be worked around by disabling Javascript if not used for anything substantial). A handful like this have appeared just this past week on the HN front page.

	▲	boomlinde 4 days ago \| parent [-]
		A further problem is that some if not most sites (that employ any kind of tracking in the first place) do so through a variety of means in no way limited to cookies. Addressing the core problem without legislation that captures intent is not feasible without a new protocol and document data type.

▲

joquarky 5 days ago | parent | prev | next [-]

Seems like it should be a browser setting that controls a request header.

▲

benjiweber 5 days ago | parent | next [-]

Something like https://en.wikipedia.org/wiki/Do_Not_Track ? Which failed in part because Microsoft turned it on by default which even further disincentivised publishers from respecting it.

▲

beeflet 5 days ago | parent | next [-]

The fix here would be to legally force them to comply with Do Not Track instead of forcing them to post compliant banners

▲

Cthulhu_ 5 days ago | parent [-]

They are not forced to use banners, they are forced to get explicit opt-in permission before tracking users, which can be done in non-obtrusive ways.

▲

beeflet 5 days ago | parent [-]

Okay, so regard the Do_Not_Track header as explicit opt-out permission

▲

charcircuit 4 days ago | parent | next [-]

No browser implements it as an explicit one where you have to explicitly specify which businesses you do not which to track you.

▲

const_cast 4 days ago | parent | prev [-]

They would never do this willingly, because they don't want you to automatically opt out of tracking.

The annoyance of the cookie banners is the entire draw for companies. Its not a downside. They're user-hostile. You are their enemy. Their goal is to wear you down and trick you into opting-in, so they can both track with impunity and follow the law.

	▲	beeflet 4 days ago \| parent [-]
		>They would never do this willingly I know, that is why I am saying you would force them to respect Do_Not_Track by law.

▲

catlifeonmars 5 days ago | parent | prev [-]

No your browser can just… choose not to send cookies. The website publisher has no say in that.

▲

9rx 5 days ago | parent [-]

Cookies are the easiest way to keep track of a user, but if browsers regularly stop sending cookies then website operators will just find another method to fingerprint users and then we're back to square one with the law still requiring publishers to receive opt-in approval, but with no requirements on how.

▲

quectophoton 5 days ago | parent [-]

> then website operators will just find another method to fingerprint users

Example: The identifier you get when you pass anti-bot challenges (Cloudflare, Anubis, etc).

▲

Thorrez 4 days ago | parent [-]

That's not a cookie?

	▲	quectophoton 4 days ago \| parent [-]
		It probably is, currently. But even if cookies are not used, the identifier for this type of functionality would still need to be stored somewhere and passed to the server in some way to avoid showing another CAPTCHA to the user. Whatever mechanism they choose to uniquely identify you, they will insist it's necessary for another purpose and they totally are not piggybacking on it for tracking (e.g. for the CAPTCHA example, they would insist it's absolutely necessary to protect themselves from DDoS). As another example, they can always respond with HTML where all links themselves are an opaque hash that internally contain "route + your id" when decrypted. Then emphasizing that all links are always different even for same routes to "show they are randomly generated", and saying that they do this because... idk, detecting scraping or something random but plausible-sounding. Or whatever sneaky variation of the `?PHPSESSID=` query param from old times. (Yeah I know the last example doesn't a lot make sense, I didn't think too hard about it, the point is that they will probably find a way somehow.)

▲

popcorncowboy 5 days ago | parent | prev [-]

There's a reason the largest advertising company in the world hasn't sanctioned this move.

▲

troupo 5 days ago | parent | prev [-]

Ask your favorite advertising company: https://news.ycombinator.com/item?id=45217269