Comment by legitster

Comment by legitster 3 months ago

5 replies

View on Hacker News

> Why hasn’t this happened yet?

I've worked on three different corporate privacy teams. Nearly unanimously everyone would have preferred an extension of "do-not-track" that's legally enforceable.

The reality though is that the laws governing cookies were an afterthought by the European Commission when writing GDPR. GDPR has been an overwhelming success (at least according to the EU lawyers who legislate such things), so there has not been a rush to amend the rules around cookies.

The reality is it's not going to change until the laws change. No major company is going to stick their neck out and risk punishment.

zak-mandhro 3 months ago

It makes sense that corporate teams would have preferred a "real" do-not-track standard, but had no incentive (or legal cover) to push it further.

It's wild how much of today’s cookie UX mess was an accidental regulatory artifact, not deliberate design.

Curious from your perspective: what do you think the EU's real motivation was behind mandating consent banners instead of pushing for proper browser-level control?

And second: what kind of pressure (technical, political, economic) would it actually take for the EU to update the rules to allow something cleaner now?

Would love to hear your take, since it sounds like you've seen how these decisions happen from inside.

Reply View 4 replies
  • legitster 3 months ago

    If you actually work through the privacy directives with a legal team, which is something I have done for nearly a decade, the law itself has several self-contradictions and unresolved problems. How do you retain someone's choice for privacy without remembering who they are? How do you serve data in a TCP network without revealing an IP address? What constitutes clear opt-in language? If we don't sell to Europeans, do we still have to comply?

    The European Commission very proudly does not work with lobbyists, and in this case it shows that they did not consult anyone technical. I think they were just not aware of a browser-level solution and put all of the compliance on individual companies.

    While the banners seem a given now, in 2017 when we first started planning for GDPR nobody had a clue how to resolve all of the questions. And at the time the European Commission was also telegraphing very hard that they were going to be resolving most of these questions with case law - none of us wanted to deal with a lawsuit from the EU, so the most obvious thing became do what everyone else does, don't stand out, and wait for some future resolution.

    I don't know if there's a fix. This is simply how EU regulators like to work - in the US we like laws that are black and white and apply equally to everyone (or at least have traditionally). And in the EU they like a bit more squishiness - let member countries interpret things a bit differently and build individual cases on only the bad actors. And you see this attitude when working with lawyers from the respective regions.

    Reply View 3 replies
    • zak-mandhro 3 months ago

      This is incredible perspective — seriously, thank you for sharing it.

      It’s fascinating (and honestly a little tragic) that a lot of the cookie chaos comes down to basic unsolved problems like "how do you remember privacy without remembering identity?" — fundamental contradictions nobody could easily patch.

      It really hits home what you said about the EU approach: case-by-case "squishy" regulation vs hard-coded universal rules.

      Makes me wonder if any browser-led technical solution would just end up becoming de facto case law too — basically "Chrome/Firefox/Brave do it this way, so it becomes the norm," even if regulators never mandate it formally.

      If you had a magic wand: would you push for a formal browser-level privacy protocol now, or is the better play just to keep tightening enforcement against the worst actors and let good practices spread organically?

      Reply View 2 replies
      • skydhash 3 months ago

        > It’s fascinating (and honestly a little tragic) that a lot of the cookie chaos comes down to basic unsolved problems like "how do you remember privacy without remembering identity?"

        That's an easy answer: Do not store anything that will infringe on people's privacy for anything that's not the intended feature people use. If I' visiting an ecommerce site, there's nothing that warrants Google being aware of which product I'm clicking on.

        Reply View 1 reply
        • zak-mandhro 3 months ago

          100% agreed on the core principle — "only collect what you actually need for the feature the user is engaging with."

          The frustrating part is that so much of modern web infrastructure (ad networks, analytics, personalization layers) depends on quietly hoovering up far more than the feature strictly requires.

          I sometimes wonder: if browsers enforced "functional data collection only" as a technical baseline — like enforcing CORS or CSP today — how much of the tracking economy would collapse overnight?

          Curious if you think real technical enforcement (browser-level) is the way forward, or if we’re stuck waiting for another round of slow, partial regulation.

          Reply View 0 replies