> all external content providers that are embedded on their page
All the embedding is being done by the people building the websites, so yes, they do have full control and therefore full responsibility.
Just because I don't perform a crime or violation myself, it doesn't automatically absolve me when I pay or ask someone to commit it.
> forcing millions of website providers
Millions? There are billions of website visitors, and most of those don't have any control or deep knowledge over their tools. There are only 3 significant browser technology suppliers at the moment, and none of them provides the hypothetical tools to users, only third parties, and those tools often break websites.
Website builders, however are significantly more technical and able to control their tech stack. If anything just hire another company. The burden should definitely be on them.
How many of these billions want or are even capable of understanding what they do when they click the "i accept" button? Legal complexities seem even further removed from public understanding than technical ones. This approach seems equally ineffective for achieving what this regulation is intended to achieve, to not just to have the users sign away their rights with a click, but give them an understanding of what they give away. But I'm not sure whether that will ever be possible.
I agree that its a big problem that the big browsers do not act in the interest of their users, and that their vendors are in fact disincentivized to do so. That would be a good reason for antitrust action and public funding, since they should be public goods.
> How many of these billions want or are even capable of understanding what they do when they click the "i accept" button?
I don't see how this is relevant, but:
Again, whether those consent forms are understandable or not depends solely on how websites implement them. The fact they are confusing is purely because website operators want them to be.
These confusing forms are not a requirement of the GDPR. How they look and feel is up to the website hosting them. They go against the spirit and some go against the letter of the law.
The goal of GDPR is letting people answer to the question such as "Can I give your data to company X?". The fact that the internet became a cesspool of privacy violations doesn't change the original intent of the law.
> This approach seems equally ineffective for achieving what this regulation is intended to achieve, to not just to have the users sign away their rights with a click, but give them an understanding of what they give away.
The law already states that rejecting should be as easy as allowing. The fact websites don't make it means they're breaking the law, and I hope they get punished by it.
> I agree that its a big problem that the big browsers do not act in the interest of their users, and that their vendors are in fact disincentivized to do so
We already have a Do-Not-Track header, but websites refused to obey it for more than 10 years, to the point they were removed from browsers.
Solutions were always there. It is websites that chose not to comply.
All the embedding is being done by the people building the websites, so yes, they do have full control and therefore full responsibility.
Just because I don't perform a crime or violation myself, it doesn't automatically absolve me when I pay or ask someone to commit it.
> forcing millions of website providers
Millions? There are billions of website visitors, and most of those don't have any control or deep knowledge over their tools. There are only 3 significant browser technology suppliers at the moment, and none of them provides the hypothetical tools to users, only third parties, and those tools often break websites.
Website builders, however are significantly more technical and able to control their tech stack. If anything just hire another company. The burden should definitely be on them.