Proposal: Cookie Consent Should Be Browser-Native, Not Website-Native

15 points by zak-mandhro 2 days ago

11 comments

View on Hacker News

TL;DR: Cookie consent shouldn’t be a popup war on every website. Browsers should handle it natively — just like location or notifications — based on user-set privacy preferences. We can fix the web with one header, a little browser enforcement, and a lot less nonsense.

The current system for cookie consent is a mess. Every website throws a popup in your face, asking you to accept tracking you neither want nor need. The irony? It’s not technically necessary. We can solve it at the browser level — cleanly, universally, and in a user-respecting way.

Here’s how:

1. Browser-Level Privacy Preferences Browsers should allow users to set global consent preferences, just like setting a default language or search engine.

Example:

* Essential cookies: Always allow

* Analytics cookies: Ask or Block

* Marketing cookies: Ask or Block

* Third-party cookies: Ask or Block

Set once. Apply everywhere. No more popups.

2. New HTTP Header: Set-Cookie-Category Websites would categorize cookies when setting them, like:

Set-Cookie: sessionId=abc123; Category=Essential Set-Cookie: trackUser=true; Category=Marketing

Standardized categories: Essential, Analytics, Marketing, Personalization, Other. No trickery. No ambiguity.

3. Browser Enforcement When a site tries to set a cookie:

* Browser checks the declared category.

* Browser checks the user's privacy preferences.

* If no consent: cookie is silently blocked.

If consent is "Ask," the browser shows a small permission prompt (similar to location or notifications). No more hijacking the page UI.

1. Optional Website Messaging Websites could optionally trigger a browser-native dialog to explain their cookie use — but no walls of legalese blocking access.

2. Bonus: Easier Compliance Audits Browsers could expose APIs for compliance tools to automatically verify if a site respects consent preferences.

Why hasn’t this happened yet?

* Ad-tech companies make too much money off friction and dark patterns.

* Browser vendors (especially Chrome) profit from the status quo.

* Regulators targeted websites, not browsers, in GDPR/CCPA drafts.

But it’s not too late. Safari, Firefox, Brave, Arc — even Chrome (if enough pressure builds) — could easily implement this.

Users deserve better. The web deserves better.

If you think this should be built, upvotes help visibility.

solardev 2 days ago

You're trying to apply a technological solution to a financial problem. It won't work because the web, and especially Google, depends on advertising and tracking to survive. They'll never agree to anything that kills their business.

Websites generally aren't made with the user in mind. More often than not, users aren't customers to be served, just eyeballs to be monetized. Safari and Firefox can't do anything without Chrome; it'll just be another stillborn effort like DNT.

The other browsers you mentioned are just Chrome derivatives. They still depend on Google.

Nothing will change unless Google is forced to divest Chrome and some non advertising company buys it.

Reply View 1 reply
  • zak-mandhro 2 days ago

    Just to clarify a bit on browser engines: - Safari runs on WebKit, an independent rendering engine maintained by Apple. - Firefox runs on Gecko (specifically the newer Quantum version), which is fully independent and maintained by Mozilla. - Chrome, Brave, Edge, Opera, and most others run on Blink, which is Google’s fork of WebKit.

    So while it’s true that many browsers today are Chromium derivatives, Safari and Firefox are not — they operate their own engines and could, in theory, push independent privacy standards without Google’s blessing.

    Also important to note: Because Apple requires all iOS browsers to use WebKit under the hood (even "Chrome" and "Firefox" on iPhone), any browser-native privacy feature Apple implements through WebKit would effectively apply to all browsers on iPhones and iPads by default.

    That’s a much bigger user base impact than just Safari desktop users.

    That said, you’re absolutely right about the broader market power problem: - Chrome controls ~65% of browser usage worldwide. - Many web developers treat Chrome as the de facto standard when building sites. - Anything Safari or Firefox introduce has a harder uphill climb unless it becomes incredibly popular with users and gets picked up by regulators.

    The fight here isn’t just technical — it’s economic and cultural too.

    Still, I think it’s worth trying. Even small pressure can move norms over time, especially with user frustration around tracking being so high right now.

    Appreciate you raising it — it’s a critical part of the puzzle.

    Reply View 0 replies
Flundstrom2 2 days ago

There is already one important implementation that is basically ignored nowadays. But if EU would enforce the use of Do-Not-Track and your proposal there would be quite a movement.

However, "cookie" should be interpreted pretty liberal, to cover state storage and tracking in general.

Reply View 1 reply
  • zak-mandhro 2 days ago

    Totally agree — "Do-Not-Track" was a great idea, but without real enforcement it became a polite suggestion nobody listened to.

    I also completely agree that "cookie" should be interpreted broadly — not just literal HTTP cookies, but any client-side tracking (localStorage, IndexedDB, fingerprinting, etc).

    If enforcement actually happened at the storage and tracking level, and browsers had native consent handling, the entire dynamic between users and websites would shift dramatically.

    Curious — in your view, would it be better for the EU (or regulators) to issue a technical specification for how consent enforcement should work? Or just mandate the outcome and leave it to browser vendors to figure out? (Feels like that choice matters a lot for real adoption.)

    Reply View 0 replies
zak-mandhro 2 days ago

One thing I’d love to hear from the HN crowd:

Are there real technical blockers to browser-native consent management?

* HTTP already has Set-Cookie, so tagging with a Category param seems straightforward.

* Browsers already manage permissions like location, camera, and notifications.

* GDPR/CCPA compliance should be stronger if browsers enforced consent upstream.

Is the real obstacle purely political (ad-tech resistance), or is there something deeper I'm missing on the protocol or standards side?

Also curious: if browsers did offer this, would major sites still try to layer their own consent dialogs on top (to push opt-ins harder)? How would we stop that?

Reply View 0 replies
legitster 2 days ago

> Why hasn’t this happened yet?

I've worked on three different corporate privacy teams. Nearly unanimously everyone would have preferred an extension of "do-not-track" that's legally enforceable.

The reality though is that the laws governing cookies were an afterthought by the European Commission when writing GDPR. GDPR has been an overwhelming success (at least according to the EU lawyers who legislate such things), so there has not been a rush to amend the rules around cookies.

The reality is it's not going to change until the laws change. No major company is going to stick their neck out and risk punishment.

Reply View 5 replies
  • zak-mandhro 2 days ago

    It makes sense that corporate teams would have preferred a "real" do-not-track standard, but had no incentive (or legal cover) to push it further.

    It's wild how much of today’s cookie UX mess was an accidental regulatory artifact, not deliberate design.

    Curious from your perspective: what do you think the EU's real motivation was behind mandating consent banners instead of pushing for proper browser-level control?

    And second: what kind of pressure (technical, political, economic) would it actually take for the EU to update the rules to allow something cleaner now?

    Would love to hear your take, since it sounds like you've seen how these decisions happen from inside.

    Reply View 4 replies
    • legitster 2 days ago

      If you actually work through the privacy directives with a legal team, which is something I have done for nearly a decade, the law itself has several self-contradictions and unresolved problems. How do you retain someone's choice for privacy without remembering who they are? How do you serve data in a TCP network without revealing an IP address? What constitutes clear opt-in language? If we don't sell to Europeans, do we still have to comply?

      The European Commission very proudly does not work with lobbyists, and in this case it shows that they did not consult anyone technical. I think they were just not aware of a browser-level solution and put all of the compliance on individual companies.

      While the banners seem a given now, in 2017 when we first started planning for GDPR nobody had a clue how to resolve all of the questions. And at the time the European Commission was also telegraphing very hard that they were going to be resolving most of these questions with case law - none of us wanted to deal with a lawsuit from the EU, so the most obvious thing became do what everyone else does, don't stand out, and wait for some future resolution.

      I don't know if there's a fix. This is simply how EU regulators like to work - in the US we like laws that are black and white and apply equally to everyone (or at least have traditionally). And in the EU they like a bit more squishiness - let member countries interpret things a bit differently and build individual cases on only the bad actors. And you see this attitude when working with lawyers from the respective regions.

      Reply View 3 replies
      • zak-mandhro 2 days ago

        This is incredible perspective — seriously, thank you for sharing it.

        It’s fascinating (and honestly a little tragic) that a lot of the cookie chaos comes down to basic unsolved problems like "how do you remember privacy without remembering identity?" — fundamental contradictions nobody could easily patch.

        It really hits home what you said about the EU approach: case-by-case "squishy" regulation vs hard-coded universal rules.

        Makes me wonder if any browser-led technical solution would just end up becoming de facto case law too — basically "Chrome/Firefox/Brave do it this way, so it becomes the norm," even if regulators never mandate it formally.

        If you had a magic wand: would you push for a formal browser-level privacy protocol now, or is the better play just to keep tightening enforcement against the worst actors and let good practices spread organically?

        Reply View 2 replies