Where did all the “reject” buttons come from? (noyb.eu)
103 points by dotcoma on Oct 27, 2022 | 124 comments


The button is more prominent, yes. And it's still useless.

Most tracking now comes from the "legitimate interest" purposes that you need to actively object to, which is buried in a tertiary hidden panel or not available at all, or even forces you to object to several dozens of trackers one by one.


> Most tracking now comes from the "legitimate interest" purposes that you need to actively object to

This is briefly touched on in the article: in the first graph you can see that the "Legitimate interest claimed" violations they detected dropped by 57% after they filed their complaints.


I just expect that to be the next step in the long-ish road to improvements. The inaccessibility of the "Reject all" button was the most prominent issue, but as that gets addressed, the next step will probably be court battles to more clearly define what legitimate interest is and isn't, and if the advertisers win that, I'd expect the legislation to be updated to narrow that category down.


At least most websites still offer an object to all button.

Not fandom.com: there you need to click on 175 enabled-by-default switches:

    div[data-tracking-opt-in-overlay=true] input[type=checkbox][id^=switch]:checked


What are these 'legitimate interest' things, and is it even possible to object to them, legally speaking? I have never seen these I believe, unless you mean 'analytics cookies' and 'functional cookies', which I never saw hidden. I did presume that a 'reject all' included rejecting these cookies, if not it would be great to know.


There's some weird thing in the law. You can accept or reject data collection, but they can collect data for which a legitimate business interest exists unless you object - so if the law makes it default to no, you reject, but if it's default yes, you have to object. As far as I know, you have a right to object, so yes, legally speaking, it is possible to object to them. This means that there's frequently a second page of third-party/'legitimate interest' cookies, which might have an additional "Object all" button, or it might be that you have to click object one by one.

One example is https://www.bbc.com. Open it in a private window and you should see the invasion-of-privacy popup. You have a "Consent" and "Do not consent" button, but underneath there's also "Manage options". Click it and now you can see that there's a bunch of enabled toggles mixed in with the disabled ones, each of them headed "Legitimate interest", and the help text warns "Some vendors are not asking for your consent, but are using your personal data on the basis of their legitimate interest". So notice the text says that if you do not consent it is not relevant: they're going to use your data on the basis of their legitimate interest. You must object to these in order to counter their right.

This is because the BBC hates you and wants you to be unhappy.


Is it possible to 'object' to these legitimate interests?

Is it possible for a website to say, if you object to these, just don't use our website/service?


Some sites certainly do present the only options as "accept or go away", or, slightly more subtly, "by continuing..."¹.

IIRC this is against both the meaning and the letter of the law, but that is not practical to properly enforce so they get away with it.


The worst are accept or pay. I found it especially annoying to see that on a site like heise.de, who should really know better.


There is at least some honesty in pay one way or another. The ad industry is so very rarely even that honest, that it is almost refreshing.


IANAL and all that.

This is the most vague part of the law because the law couldn't just forbid everything and then run into issues.

For example, to run a business a merchant doesn't need anything more from you besides your name and address (and login info if they need to show you your order history). They don't need to ask you for your consent to collect this info because this info is required for their service to operate.

However, they also want to run fraud protection. So they need to collect more data (e.g. your birth date, your IP address, perhaps other data). They have a legitimate reason to collect this data even if this data is not strictly required.

As with any vague parts this "legitimate" part is now abused by the ad industry.


> What are these 'legitimate interest' things,

In most cases "legitimate interests" checkboxes, particularly those referring to 3rd parties, basically mean "we see your preference not to be stalked and, while we may claim to respect you and your privacy, fuck you and your silly desire for privacy".

> and is it even possible to object to them, legally speaking?

Legally, in theory, yes.

Practically, not really. You can go through and uncheck the hundreds of preselected consent options some sites present, but do you check that this actually results in tracking information not being dropped?


> What are these 'legitimate interest' things

While some comments are saying that legislation can narrow this down, I don't think it's anything that can be agreed up front any longer.

Web is heading toward a complete change of protocol. One that can operate between mutually hostile and untrustworthy principals. (that's what the web is now, let's face it)

What the service provider's and your "legitimate" requirements are, will have to be negotiated per transaction.

It's the end of the "uniform" web. But I think that already happened and we're long into "The Splinternet".

As I said in Digital Vegan, technology access will not be defined by the "have and the have-nots", but by the "will and the will-nots".


My layman's understanding of the GDPR was that it was the primary website (i.e. the website you are actually and intentionally visiting) that could store your data on the basis of a legitimate business interest -- for example because they need that information to deliver some stuff you ordered from them.

However someone seems to have found a legal loophole whereby third parties ostensibly are able to track you on the grounds that their business is tracking, and they therefore have a legitimate interest in tracking you.

Hopefully this loophole is eventually struck down in some French or German court, and the GDPR will one day be applied as intended. Tracking is not, and will never be, a legitimate business.


> Tracking is not, and will never be, a legitimate business.

The problem is, the way the Internet and its services are financed, it is pretty much a requirement.

A lot of services absolutely depend on advertising revenue because affordable micro-transactions still are not a thing, not to mention 20 years of cultural ingrainment that services on the Internet have to be free when they are aimed at the general public. The alternative is philanthropy aka rich billionaires footing the bill - we're seeing with the Washington Post (Bezos), Twitter (Musk) or Austrian newspapers just how problematic that is. The only relevant project surviving off of individual donations is Wikipedia and even that has issues (see e.g. the endowment debate that regularly pops up here), Mozilla depends on Google's money. Another alternative that regularly pops up, especially in Europe, is having the government fund services - but let's be real, who wants to use a messenger where the government has any sort of involvement? China shows why this is a very bad idea.

So basically, now that we have established that currently advertising is required, another can of worms opens up: ad fraud, which is incredibly widespread. Everyone but the advertiser clients has a massive financial interest in manipulations:

- ad networks want to claim "x millions of sites use our services to show ads", so they have an incentive to create fake sites that no one ever looks at

- ad agencies want to claim reachout capacity (to their clients) and maximize ad eyeballs because often they're paid as a percentage of ad spend

- content creators want to have as much income as they possibly can get. Click fraud and SEO spam fake sites/content mills come to mind here.

Advertisers, in turn, want to minimize their ad spend and maximize the ROI. That means they need a way to target ads to specific demographic groups, they need a way to weed out fraudulent spending and they need a way to weed out undesirable context (i.e. no popular brand wants to show a pre-roll ad to Alex Jones claiming crisis actors). And that is where tracking and other "middlemen" companies come in - they serve to protect advertisers from overspending and bullshit, and provide the actual data required for targeting.

The only groups that could get away without tracking and countless middlemen services are "household brands" that simply book ads at massive TV and radio stations and niche magazines and their advertising clients (say, a magazine about farming naturally yields itself to equipment manufacturers, pesticide and other farm suppliers) - but even there, media has an incentive to over-inflate their reader/viewer/listener counts to demand more money from advertisers, so they need third parties like Nielsen Ratings as independent "arbiters".


> The problem is, the way the Internet and its services are financed, it is pretty much a requirement.

A bad business model doesn't mean you get to ignore the law.


A key part is that, while the GDPR undoubtedly is a good piece of law, it got introduced without a public debate on how the Internet should actually work and be funded.

Basically, GDPR kneecapped the entire business model of everyone but Wikipedia, and almost no thought was spared on how to replace that and make the Internet a better place for everyone.


> Basically, GDPR kneecapped the entire business model of everyone but Wikipedia

GDPR did no such thing. There are thousands, if not millions, of businesses operating online that _actually sell goods and services for money_ and GDPR did nothing to stop those.

On top of all that, you can still show ads while being GDPR compliant. Just not slurp-every-piece-of-data type ads.


Personalized tracking is not a requirement for ads.

Ad agencies were making plenty of money for many years before the internet made this kind of tracking possible.

There's very little evidence that personalized tracking actually makes advertising more effective in terms of ROI.

Let ad companies sell ads, and websites sell their ad space, based on the content of what's posted there. The same way ads were sold in newspapers and magazines for decades.

And ad fraud on the part of any of the business parties involved in the ad transactions is not sufficient justification for tracking every person's entire life online. Let them deal with the fraudsters directly, in ways that don't involve incredibly invasive and privacy-eroding surveillance on a massive scale.

If they can't figure out how to do that, that's not my problem. It's their business model, not mine.


> The problem is, the way the Internet and its services are financed, it is pretty much a requirement.

It's not. Advertisement can and has worked very well without wholesale collection and trading of private user information.

The next time you feel like presenting the "we require tracking for financing services" bullshit as fact, please provide proof.


I wish cookie settings were part of the browser (e.g. I want to reject all marketing cookies but not essential ones), have a way in JS/HTTP to indicate the type of the cookie, and never see those cookie popups again.


It's not just cookies, it affects all client-side storage that can be used to track people. This means that this kind of API would also be needed for localStorage etc. This is where things will get complicated.

I don't know if it exists, but it would probably be a good thing to have aria labels for those common buttons on these popups. It would benefit a11y and pave the way for a better automatic approve/reject by the browser (or some plugins). I think it won't end up in a disaster like the DNT header.

There are (at least) two problems with this approach: it requires that the banners actually use these labels (which they might not want to) and if it requires some kind of browser support, the largest browser vendor is also in the tracking business.


It is not just client storage either, it could also be ephemeral computed fingerprinting with server side tracking.


No, it is just client storage. The law is explicitly only about client storage:

>Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

-- Article 5(3) of the Privacy and Electronic Communications Directive 2002

("Directive 95/46/EC" being the old Data Protection Directive, which has been replaced by the GDPR)


Sorry for the misunderstanding on my part. I didn't correctly parse the previous responses.

* Grandparent was talking about getting rid of cookie banners.

* Parent was talking about API to prevent tracking needing an extension for all local storage.

Of course to get rid of the original cookie banners, preventing tracking through other means is irrelevant. But nowadays most sites I visited got rid of the original cookie banners, so in my mind the complaints extend to those, even if it's not correct.


It is GDPR and not PECR that sites responded to with the cookie banners that we deal with today, and GDPR covers a much broader surface area ("processing of personal data")


Sort of, but it's still the ePD, really. The ePD was always there, but largely ignored by both companies and regulators.

What happened when the GDPR came in was twofold:

1. Everyone became acutely aware of data protection legislation, because the GDPR actually had teeth when it came to enforcement.

2. The ePD referenced the Data Protection Directive, and when the GDPR came in to force all references to the DPD became references to the GDPR.

The consequence of #2 is that the hand-wavy "implicit consent" that sites relied on to avoid cookie banners (why show a banner asking for consent if you can just assert you do have consent?) went away - the GDPR made it clear that consent must be explicit.


Many of these cookie settings can be 'unset' by browser settings. The HTTP server can set cookies all it wants, but if your browser throws them away between sessions, they can't be used to track you between sessions. (They still can aid tracking you within sessions; to what degree that is bad depends on the specific definition of 'sessions'.)

Firefox has a pretty decent system for this I believe. They also try to go against alternatives like 'local-storage' and a whole slew of other attempts at fingerprinting / creating super-cookies.


The most widely used browser is run by the company that serves most of the ads.

So that's pretty unlikely


Just being able to block the popups would be enough: block third parties, whitelist your auth provider (that's almost the only legitimate use of third party cookies) and call it a day.


It already exists. https://globalprivacycontrol.org/

But websites will never use it because they make it annoying on purpose.
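As an added illustration of what honouring that signal looks like on the server side (this is example code written for this thread, not code from globalprivacycontrol.org or from any site in the discussion): the Global Privacy Control spec sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl` in the browser, and a site advertises support at `/.well-known/gpc.json`. The function names (`gpcRequested`, `decideProcessing`, `gpcWellKnown`), the purpose list and the sample requests are this example's own constructions.

```javascript
// Added example: treating the Global Privacy Control header as an opt-out.
// Facts used: the request header is "Sec-GPC" and its only defined value is "1";
// the well-known document is /.well-known/gpc.json with {"gpc": true, "lastUpdate": ...}.
// Everything else (names, purposes, sample data) is constructed for this example.

// Optional processing purposes the site would otherwise gate on stored consent.
const TRACKING_PURPOSES = ["analytics", "ad_personalisation", "cross_site_sharing"];

// Node's http module lowercases header names; accept the mixed-case form too.
// Anything other than the literal "1" is treated as "signal not set".
function gpcRequested(headers) {
  const value = headers["sec-gpc"] !== undefined ? headers["sec-gpc"] : headers["Sec-GPC"];
  return value !== undefined && String(value).trim() === "1";
}

// Decide which optional processing is permitted for this request.
// `consent` is the site's own stored consent record (a plain object here);
// a GPC signal overrides a stored "accept" for every listed purpose.
function decideProcessing(headers, consent = {}) {
  const optOut = gpcRequested(headers);
  const decision = { gpc: optOut };
  for (const purpose of TRACKING_PURPOSES) {
    decision[purpose] = !optOut && consent[purpose] === true;
  }
  return decision;
}

// Response body for GET /.well-known/gpc.json, telling clients the site honours GPC.
function gpcWellKnown(lastUpdate = "2022-10-27") {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests (not real traffic): one with GPC set, one without,
// one with a value the spec does not define.
const SAMPLE_REQUESTS = [
  { headers: { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" }, consent: { analytics: true } },
  { headers: { "user-agent": "ExampleBrowser/1.0" }, consent: { analytics: true } },
  { headers: { "sec-gpc": "0" }, consent: { analytics: true, ad_personalisation: true } },
];

for (const r of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(decideProcessing(r.headers, r.consent)));
}
console.log(gpcWellKnown());
```

The design point is that the header is an opt-out, not an opt-in: a stored "accept" from an earlier banner click must lose to the signal, which is why `decideProcessing` checks GPC before it looks at the consent record.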


"Reject" now being an option is an improvement of sorts but honestly, the cookie laws in their current form are terrible long-term for privacy. Like recycling plastic, it's a red herring that benefits the big companies, and where everyone else loses.

The burden being on the user to manage everything reminds me more of the dysfunctional US healthcare pricing system, where the uninsured have no negotiating power and are hit with absurd prices.


The issue isn't the law. The issue is every single website tracking you in a privacy invading way. The annoying cookie banners are a side effect of these companies rightfully having to now inform us of when they're invading our privacy.


I think that's the wrong framing. Any one small site tracking me doesn't do anything. It's the shadow profiles that are built by correlating this data across the web that actually are the issue.

The fact that an information market exists is a legal issue at heart to me.


This cookie malarkey is about a breakdown of protocol. If two entities no longer intend to cooperate and honour each others signals, all bets are off for building reliable economies on that technology. What's holding "web" together right now is the monopoly of a few browsers that more or less force users to accept insecure settings against their interests in order to keep them talking to hostile services.


I've set my browser to delete cookies at close. You can accept all cookies without problem, and after lunch everything is forgotten.

A few websites that I go to often get special treatment (Hacker News!), because I'm too lazy to press ok each time.


That's not the same.

This forces you to close the browser regularly and they can still track you during your browsing session.

Your approach doesn't say no, it's a yes with expiration date.


In the case of server side fingerprinting (used by any vendor offering cross device linking), it's likely not even providing the time limit people using this strategy believe it does


This is not just about cookies. When you accept tracking, you accept all kinds of it, including those that are not deleted on browser closing.


Cookie Autodelete is the plugin for that :)


I close my browser regularly to delete cookies on close, but I also run ccleaner regularly. Nothing worse than being logged into gmail...open youtube...already logged in. Not cool if I want to check out a video anonymously (ie not linked to my login). I also change my spoofed user agent and change vpn exit, too. Regularly annoying, but I do enjoy the thought that somebody is not getting from me what they thought they might.


That would mean they get deleted every few months when an OS update forces me to reboot only. Why would I ever close my browser?


Because you'd restart to clear cookies. Why wouldn't you? You don't lose anything when windows reopen, and you recover some leaked memory.


I reboot my browser weekly to service browser security patches.


What browser has weekly security holes?


Firefox fixes security 1-2x per month [0]. Chrome's security page is more difficult to grep since it includes multiple software types, but I see 1-2x per month as well [1].

[0] - https://www.mozilla.org/en-US/security/advisories/

[1] - https://chromereleases.googleblog.com/search/label/Stable%20...


In addition to the problems mentioned by siblings, this also sends the wrong message: you're signaling to the website owners that you're OK with tracking (or that you don't care, which is the same).


They don't care what you think, they care how much exploitable data they get.


Just remove cookie banners unless you’re using an ad network (this includes keeping them if you’re using google products). Users want to use your website rather than look it through a porthole, understand that websites remember you, and cookie banners are killing the web in favour of closed app stores.


>Just remove cookie banners unless you’re using an ad network

You also need a cookie banner in EU in case your website uses any cookies that are not necessary to serve the content. This includes analytics, telemetry, and so on. It's not only ads.

You can remove the cookie banner if your website uses cookies only for required functionality like log-on.


> You also need a cookie banner in EU in case your website uses any cookies that are not necessary to serve the content.

Not quite, for two reasons:

- The law doesn't care about cookies, it cares about personal data, which includes any data which can individually identify someone (like a cookie associating them with a user account). If you're collecting or processing any personal data, that requires consent; even if you have no cookies.

- The law doesn't care about serving-as-in-content; it cares about providing a service, which could be showing content on a Web site, or could be dispatching orders from a warehouse, or whatever. If someone's personal data is required to provide a service for them, then their consent is implied.

The reason analytics, tracking, ad networks, etc. do not have implied consent, is because the people receiving the service (e.g. those buying ad space) are not the people who the personal data is about (i.e. ad companies cannot consent on my behalf!)


You're only talking about the GDPR. But the cookie banners aren't there because of the GDPR, they're there because of the ePrivacy Directive.

It's this directive (which pre-dates the GDPR) that makes it illegal to store or access data on the end user's devices without consent unless it is strictly necessary for the provision of the service.


> makes it illegal to store or access data on the end user's devices without consent unless it is strictly necessary for the provision of the service.

How is that different to what I said above? (Modulo "s/without consent/implicit consent/g")


You can have all those things without cookies.

And you will need consent, because it has nothing to do with cookies. You need a telemetry banner.


Or you just don't use telemetry?


That's the point, if you don't want to request consent, don't use telemetry.

It has nothing to do with cookies.


Analytics also require consent. There are some non-mainstream solutions that promise that no consent is required, but you had better make sure with a lawyer.

Sadly, every marketing person and their dog insists on having analytics. Even more sadly, every product person is not capable of putting their foot down against an obviously bad cookie banner UX.


Fathom Analytics is quite foolproof. No cookies (hence no consent) required, completely anonymized data that still identifies unique visitors and provides valuable analytics.


Not true. Consent has nothing to do with cookies. If you look at what the ePrivacy Directive article 5.3. says, it's pretty clear:

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, ... "

So even Fathom, and other analytics tools that use browser fingerprinting or similar methods require consent.

And also, the whole no cookie, no consent -mantra does not respect user privacy. In some ways, browser fingerprinting is even worse because that's much harder for an average user to block than cookies.


It might be true, if the stored data is truly anonymized, as they seem to not be storing any data on the browser.

There is a fuzzy line somewhere between access-logs and user-tracking.

Personally I think that at that point, one should just stop loading analytics scripts and stick to server-side access-log analytics tools like goaccess.io.


What about Plausible?


> completely anonymized data that still identifies unique visitors

That's an oxymoron. If your "completely anonymized data" is unique enough to reidentify unique visitors with reasonable probability then it isn't "completely anonymized" - it's pseudonymous.

That's the problem with all these supposedly GDPR-compliant analytics things - the GDPR outlaws analytics without consent (there's no case law whether it would fall under legitimate interest, but I doubt it), there's no way around it. It doesn't matter what technical means you use (whether cookies, fingerprinting, or a crystal ball) - if your analytics "work" in the sense that you can tell unique users apart, then you are in breach because you are effectively collecting/computing and storing some sort of identifier that can reidentify a user with reasonable accuracy.


The thing that really bothers me with these privacy discussions is that everybody talks about cookies. The "no cookies, no consent" -mantra is false and does not respect user privacy because there are other ways to track people, like browser fingerprinting, which is even harder to block for an average internet user.

The other thing, GDPR is not about cookies. The ePrivacy Directive regulates the use of cookies, but it's not about cookies either. Article 5.3. in the ePrivacy Directive says:

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, ..."

So whatever technology you use, you need consent to use web analytics tools. At least at the moment. A draft online suggests there might be a consent exception for audience measurement if the technology used complies with GDPR - again, this has nothing to do with cookies. The point is that the personal information collected, stored, and processed does not violate GDPR.

Another thing is that all the "GA is illegal" cases have nothing to do with cookies. It's about data transfers between the EU and the US and how Google handles the data. GDPR came into force in 2018, and we will see many more legal privacy cases in the future regarding the ePrivacy Directive. The bulletproof solution at the moment for any web analytics product is to ask for consent in the EU.

I've had talks with EU-based privacy gurus; some think everything is clear, and companies are just mean and reluctant to comply. But most of us agree that the messaging is done very poorly - what to do, how to comply etc.

And yes, giant consent banners break the UX. But at the same time, it's important to remember this data privacy regulation stuff is not about companies. It's about the users. And companies who build tracking tools shouldn't be motivated by the idea, "how can we ignore user consent?".


I read 90% of the comments on this and everyone seems unanimously onboard with these annoying banners.

The claim is they save the web. I can’t be the only one that feels these banners are destroying the web experience.

There has to be a better way to improve privacy without simultaneously nuking user experience.


I think you're actually running into and mixing up two opposing requirements:

1. Those who support the tracking and see the banners as an imposition of the law. They may come across as supporting the banners because they feel companies should be allowed to require customers to agree to this, though ultimately they'd rather have no banners and just track as was done in the wild west days.

2. Those who support the privacy legislation and feel users should be able to prevent tracking and see the banners as dark pattern coercion so companies can claim compliance. They may come across as supporting the banners because of their stance that companies shouldn't track by default, but ultimately they'd rather there are no banners and either:

(2a) companies just deal with the resulting non-viability of privacy invading business models

(2b) advertising returns to a less privacy invading model, as it's a zero sum game: if everyone is tracking then you feel you must, but if no one is then advertisers have proven their willingness to accept less invasive models in other fields where more intrusive models are already infeasible (broadcast TV ads aren't yet trying to determine who specifically is watching, the viewability rates of "the side of a bus" must be minuscule compared to web ads, etc.)


Improved privacy without bad UX is super simple: Have privacy by default, and don't use personal information for things which the user hasn't asked for.

But the metrics/tracking crowd - especially the ad vendors - hate that, and they are more important to most companies/websites than the users.

(It also limits what methods you can use for site improvement, so it's a bit inconvenient for you too.)


The issue is, you cannot improve privacy, while keeping the ad dollar flowing. And so, websites annoy you to hell with their banners. The way would be to make web advertisement unprofitable, or to outlaw them. As I don't see either happening, what will happen is clear: websites will annoy as long as people don't go away because of it - same with every other power struggle ever.


the banners hinder reading. Mostly i try to ignore the banners and if it is too obtrusive i'll just leave the site again. The banners are a dark pattern.


Cookie pop-ups are incredibly annoying and greatly harm the usability of the web.

Either GDPR should be updated to ban consent pop-ups and simply make “REJECT” the default everywhere, or the consent UI should be moved to the browser where defaults (accept/reject/ask) can be set for all websites.


Reject is the default! That's the point of the law in the first place. If you, for example, blocked every consent dialog from appearing, no website would have legal grounds to track you (except for legitimate purposes yada-yada).


> "Reject is the default!"

I wish that was true.

> "If you, for example, blocked every consent dialog from appearing, no website would have legal grounds to track you (except for legitimate purposes yada-yada)."

Sounds good to me!


> I wish that was true.

Is it? He just said it was and he's right.


If reject was the default (or it could be set globally, in the browser) then we wouldn't need pop-ups.


> Either GDPR should be updated [...] simply make “REJECT” the default

The point people are making in response to your post is that GDPR's default is reject. Not necessarily the default of the implementations used on a website.


> Either GDPR should be updated to ban consent pop-ups and simply make “REJECT” the default everywhere

That is literally in the law. Article 7.3 https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...

--- start quote, emphasis mine ---

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

--- end quote ---

Also, Recital 32: https://gdpr.eu/Recital-32-Conditions-for-consent

And also. GDPR isn't just about browsers or cookies. It's about data in general. Which includes all other situations, including offline interactions, gaming, and communication with governments.


> "That is literally in the law."

No, the law does the opposite. It effectively requires the use of pop-ups to "gain consent", it doesn't ban them. At least, that's how it's been interpreted in practice.

> "And also. GDPR isn't just about browsers or cookies. It's about data in general. Which includes all other situations, including offline interactions, gaming, and communication with governments."

Absolutely. In general the GDPR is a good thing. But it needs a rework to fix the cookie consent situation.


> It effectively requires the use of pop-ups to "gain consent", it doesn't ban them.

Once again: the law isn't about cookie banners. The law is about user data.

That is: if you want to collect more data than is strictly required for the functioning of your business, then you must ask the user for consent. Note: the law doesn't care if your business is online, or offline, or a combination thereof. If you set up a corner shop selling bread, and start asking customers for their name and address, you will be subject to the same GDPR provisions as a website.

How difficult is that?

Literally nothing in the law requires cookie banners. The only reason these obnoxious cookie banners exist is because the greedy leeches in our industry cannot live without siphoning your data en masse and selling it to the highest bidder, consequences be damned.

Now. Here's what you said: "Either GDPR should be updated to ban consent pop-ups and simply make “REJECT” the default everywhere"

The law already clearly states: REJECT has to be as simple as giving consent. And the entire industry said: yes, of course, here's a default "accept" with hundreds of pre-checked boxes, and you have to go through every single one of them one by one to reject.

How is that the law's fault?

They cannot ban people from asking users for consent to collect data. However, the law is rather explicit: any person has the right to reject this, the rejection has to be as easy and clear as accepting, and people cannot be denied service just because they rejected collection of non-necessary data.

As the article above states: once the law started to be enforced, sites started obeying the law, and not flaunting it. Well, they still flaunt it with their "legitimate uses" bullshit, but the tide is ever so slowly turning.

Too bad, even developers are so gullible as to have been tricked into parroting the "law is bad" and "law requires obnoxious cookie banners" nonsense. No, it isn't. No, it doesn't.


> ”They cannot ban people from asking users for consent to collect data.”

Why not? This is exactly what needs to happen. Either that, or allow cookie consent to be granted/declined globally in the browser settings, not with a bespoke, intrusive UI on every. single. damn. website.

Let’s ban cookie pop ups!


> Why not? This is exactly what needs to happen.

No, it's not. Because there are actual legitimate reasons for organisations and businesses to ask for user's consent.

> Either that, or allow cookie consent

You keep missing the simple fact that GDPR is not about cookie consents. How many times do I have to repeat this?

> not with a bespoke, intrusive UI on every. single. damn. website.

Again. In as simple terms as I possibly can:

- GDPR is about user data everywhere, not just in the browsers

- GDPR does not mandate cookie pop ups. This is entirely the work of a greedy industry

- GDPR cannot ban asking for user consent. Because that is a) over-reaching, and b) makes legitimate cases for asking for user consent illegal

- And again. GDPR is not about browsers. GDPR is not about websites. GDPR is not about cookies. GDPR is not about cookie popups

Note: if websites actually respected the law and user privacy, you wouldn't even see those popups. But sure. Tell me how it's the law that is responsible for them.


> "You keep missing the simple fact that GDPR is not about cookie consents. How many times do I have to repeat this?"

Fine. That's great: if GDPR is not about cookie consents then let's get rid of the damned pop-ups! If that means no more tracking cookies, then so be it. That's a good thing!

This is no different to the behaviour when a user clicks "reject non essential cookies" and also no different to what Apple already did with apps that accessed advertising tracking IDs on iOS. Facebook complained and lost a little money, but the world didn't end and the sky didn't fall. (iOS users can still choose to let apps track, but that UI is provided by the OS, not the app, and can be set globally).

> "makes legitimate cases for asking for user consent illegal"

I'm not at all suggesting that consent shouldn't still be asked for in situations where it's legitimate, like storing actual user personal data that they provide when signing up for an account, for example.

But simply visiting a website should not be considered a legitimate reason to obtain or store a user's data. Therefore there is no reason to ask for consent, and the practice should be banned.


> I'm not suggesting that consent shouldn't still be asked for in cases where it's legitimate, like storing actual user personal data that they provide when signing up for an account, for example.

Guess what. In this case you don't have to ask for user consent. Because this data is strictly essential to site functionality.

> But simply visiting a website should not be considered a legitimate reason to obtain or store a user's data.

Guess what. It's exactly what GDPR is saying.


> "Guess what. It's exactly what GDPR is saying."

But that is not how it is being interpreted in practice.

Clearly we just need to go one step further and explicitly say "it is not permitted for consent for tracking cookies to be obtained by the use of a pop-up UI that appears when a user visits a website". Problem solved.


> But that is not how it is being interpreted in practice.

No. In practice it's actually being interpreted correctly. What is being willfully misinterpreted is how easily a user can opt-out. Because the industry wants to remain exactly the same: it wants to siphon user data and sell it en masse.

The existing pop ups that use dark patterns to make the user click "accept" are already illegal.

> it is not permitted for consent for tracking cookies to be obtained by the use of a pop-up UI that appears when a user visits a website

So it won't be a pop-up. It will be an interstitial page. You keep focusing on the entirely wrong issue and blaming the law for it.

So, we've banned pop ups. Now what? Now every time you visit a web site, you get a full page asking for your consent.

Then you'll blame the law and ask to ban interstitials.

Ok. We'll ban interstitials. Now it will be banners. Or every second paragraph in text. Videos. Images.

Where the law just says: do not collect user data without user's consent, and the user isn't obliged to give you that consent.

And the industry replies: screw this, we demand this data and make users' life hell for it.

Somehow gullible devs are now fully convinced that the law requires all this.


I’m not necessarily blaming the law, but saying that a new law (or change to the existing one) is needed to ban cookie pop-ups.

It’s clear at this point that the problem is not going to go away without intervention. The industry isn’t going to fix itself.

Also, it’s unfair to blame developers here. Devs don’t have some perverse desire to create annoying pop-ups. They’re being told to do it by management and legal teams, because that’s how the GDPR has been interpreted.

> ”So it won't be a pop-up. It will be an interstitial page.”

Ok, so you phrase it more generally: “it is not permitted for consent for tracking cookies to be obtained when a user visits a website”


> It’s clear at this point that the problem is not going to go away without intervention. The industry isn’t going to fix itself.

Indeed. The main problem with GDPR is that enforcement has been slow. And that the industry has blamed its own behavior on the law.

As the article shows, the tide is ever so slowly turning.

> Ok, so you phrase it more generally: “it is not permitted for consent for tracking cookies to be obtained when a user visits a website”

And how, in this case, do you ask for consent for legitimate reasons?


This would be specifically for tracking cookies (“cookie pop-ups”).

Consent for legitimate reasons is given, for example, when you sign up for an account on a website or conduct some sort of transaction with a business. Just not the act of anonymously visiting a web page.


> This would be specifically for tracking cookies (“cookie pop-ups”).

Those pop-ups are not "specific for tracking cookies". Because the issue, and the law, isn't about "tracking cookies". The issue, and the law, is about user data.

So, they will replace the question about cookies with question about localStorage. Then about indexed db. Then about storing data in service workers.

Why do you keep focusing on the one issue that is 100% the result of industries actions and pretending it's about the law?

> Consent for legitimate reasons is given, for example, when you sign up for an account on a website or conduct some sort of transaction with a business.

Again. Even when you sign up for something, for some of the data consent isn't required. And for other data consent is required.

I give up. I cannot put it in simpler terms than I already have.


> "So, they will replace the question about cookies with question about localStorage. Then about indexed db. Then about storing data in service workers."

It doesn't matter how they're technically implemented, pop-ups seeking consent for tracking cookies (or their functional equivalent) should be banned.

> "Again. Even when you sign up for something, for some of the data consent isn't required. And for other data consent is required."

We seem to be agreeing on this, not disagreeing! The ban I'm proposing would apply to user tracking data, and would not affect whether or not consent is required for other data.

The fundamental point is that the simple act of visiting a website should not require consent.


The nightly build of Brave will automatically manage the banners for you.


Great! I hope all browsers get this feature.


> Either GDPR should be updated to ban consent pop-ups and simply make “REJECT” the default everywhere

If you ban asking for consent, "reject" is not the default, it is the only option left. If you specifically ban "pop-ups" (or modals), I believe websites will use a standalone page instead of a modal to ask for consent. Same but different.


noyb bragging about having forced sites to add a "reject all" button when it was partly their fault that cookie banners exist in the first place.


I’m extremely grateful to this person. The number of high profile organisations with blatantly and boldly anti-user cookie popups was disgraceful, but at this point I almost believe it’s my fault for expecting better.


I genuinely find it wonderful. Companies implementing malicious banners are scum.


The EU cookie legislation was a mistake made by tech-illiterate bureaucrats that ruined the Web to a large degree. It's something that could've been built in to the browser. I have a hard time understanding why one would dedicate their time to this.


You are confusing the law with the intentionally bad implementation.

And it was implemented in the browser as Do Not Track but websites ignored it

https://en.m.wikipedia.org/wiki/Do_Not_Track


And the bad (and actually non-compliant) implementations are getting cracked down on, but that just takes time. But the article mentions an example:

> the French CNIL introduced guidelines and required Google to introduce a "reject" button, which was also seen as a sign to many companies to adjust their banners and led to major measurable improvements in France.


The problem with DNT is that no one wants tracking, and trackers still want to track. So browsers and users have every reason to always have it set. And trackers have no incentive to acknowledge that and shut their business down.


>And it was implemented in the browser as Do Not Track but websites ignored it

Implemented in the browser AND mandated by law to be respected - in other words, similar enforcement as the current cookie notice, but with a uniform interface and central control.


No he isn't. The law is precisely what allows the intentionally bad implementations. Anyone could have foreseen this. Hell we already knew this would happen based on the earlier cookie laws.

The EU should have mandated an interaction-free solution like Do Not Track. They could have.


There is an interaction-free solution; it's called 'do not track' (as in, not tracking users). The EU don't mandate it, since that would probably be considered over-reach: if Web sites want to break their UI and annoy their users, they're free to do so.

Consent for personal data is implied when performing services for a user (e.g. logging in, shopping carts, remembering high-scores, etc.).

Interactions are only needed when consent is not implied; i.e. when the personal data is not performing a service for a user; i.e. when the user is the product, not the customer.


>There is an interaction-free solution; it's called 'do not track' (as in, not tracking users). The EU don't mandate it

If it's not mandated it's not a solution, it's more like a pacifist asking for peace in the middle of WWII

>The EU don't mandate it, since that would probably be considered over-reach

I don't think that's the reason, as it wouldn't be any more overreach than mandating the current cookie notice (or, in another domain, USB-C for mobile phones).


> than mandating the current cookie notice

That's not mandated. You need to notify the users about third parties getting their data and allow them to opt-out. The cookie notice is just a common, terrible implementation of that requirement.

> or, in another domain, USB-C for mobile phones

They didn't do that either. They forced the relevant companies to agree to a standard until next review and the agreement was USB-C. No specific solution was mandated.


> I don't think that's the reason, as it wouldn't be any more overeach than mandating the current cookie notice

As viraptor says, cookie banners are not mandated; they're a crappy UX invented by ad companies.

In any case, regardless of one's personal opinions on user tracking, I don't understand how 'cookie notices' are at all equivalent to a flat-out ban on all tracking by anyone ever.


1. GDPR isn't just about cookies. It's about your data in general. So it covers even offline interactions.

2. Governments shouldn't mandate solutions. Instead, EU stipulated a requirement. And industry as a whole decided that they will break the law for as long as possible until the governments chase after them. In the process the industry has convinced gullible developers that it is the law that it is bad, and not the greedy leeches who flaunt it.


>Governments shouldn't mandate solutions

Huh? That's what we have governments for.


There is a YouTube channel called Technology Connections which has a video about American car headlights: https://www.youtube.com/watch?v=c2J91UG6Fn8 which I think illustrated a good example of the difference between mandating a solution, and mandating requirements.

Considering car headlights. Obviously there are some requirements we should make - they need to be bright enough to safely light-up the road. They should not blind oncoming drivers. They need to be reasonably safe in the event of a collision.

Between the sixties and 1984, the government of the USA mandated a solution. Basically one model of headlights was permitted (with a few minor variations introduced over time). If you look at all car models from this time they have a similar appearance, and the same headlights are still in use in some commercial vehicles today.

In most European nations (and other parts of the world) instead a requirement, or series of requirements were made. If you met these standards for lighting level, glare, etc. your headlight was permitted.

This led to European and Japanese cars having very varied headlight models, while most American cars were forced to stick to the same old style. This meant that American drivers missed out on innovations in this space.

Mandates can very easily become out-dated. Whereas well written requirements are much more timeless.


> Governments shouldn't mandate solutions.

They do all the time. USB-C is probably the most recent example but there are a gazillion standards that are mandated by governments. Electrical sockets, traffic signalling, seat belt design, etc.

It's not some weird outlier for them to say "you have to do it like this".


There is no cookie legislation. There's data protection and privacy legislation. Cookies and banners are just how industry is dealing with it because they're dragged kicking and screaming towards what's actually slowly being enforced.

If you really believe it's a cookie legislation from tech-illiterate, I recommend reading the document. You're in for a surprise. (in a good way)


The part I find funny about people calling the bureaucrats tech illiterate, is so many users on tech forums are illiterate on the topic themselves, e.g., believing deleting cookies is a solution to tracking.


This is probably the second biggest win by the spyware industry, the first being making spyware effectively legal (by virtue of lack of enforcement - which persists even today with the GDPR) and socially-acceptable to begin with. They've now managed to convince a significant chunk of tech people that merely deleting cookies is totally enough to defeat tracking.


One of the most painful parts is sites that don't even seem to remember your choices. The number of times I've said 'ok' to the Canonical Ubuntu cookies is infuriating. If I've accepted cookies, please at least use a long held one to remember it!


The ePrivacy Directive originally included this, but was watered down after lobbying from ad vendors based on my understanding.


> It's something that could've been built in to the browser.

It was; nobody cared (due to lack of any legislation/enforcement); it died. https://en.wikipedia.org/wiki/P3P


My favourite part of P3P was when Google started returning a P3P header that just had the string "This is not a P3P policy", intentionally letting browsers consider its presence a declaration of P3P compliance while declaring non-compliance in English. Real, refined, stylish evil. I couldn't help but be impressed.
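
The trick described above works against any consumer that only checks whether a P3P header is present. As an added example, not code from the original thread or from any browser, here is a small validator that actually parses the compact-policy (CP) form of the header and rejects free text. The token table is an assumption reproduced from the P3P 1.0 compact policy vocabulary, and the sample header values are constructed for the example (the "not a policy" string is modelled on the anecdote, with a placeholder URL, not the real one).

```python
"""Distinguish a real P3P compact policy from a header that is merely present."""
import re

# Assumption: P3P 1.0 compact-policy base tokens (access, disputes/remedies,
# non-identifiable, purposes, recipients, retention, categories, test).
# Purpose/recipient/category tokens may carry an a/i/o suffix
# (always / opt-in / opt-out); this validator leniently allows the suffix
# on any token, which is still far stricter than a presence check.
_BASE_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",
    "DSP", "COR", "MON", "LAW", "NID",
    "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
    "CON", "HIS", "TEL", "OTP",
    "OUR", "DEL", "SAM", "UNR", "PUB", "OTR",
    "NOR", "STP", "LEG", "BUS", "IND",
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
    "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",
    "TST",
}

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')
_TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")

# Constructed sample header values (not captured from any real site).
REAL_POLICY = 'CP="NOI DSP COR NID CUR ADM DEV OUR IND"'
NOT_A_POLICY = 'CP="This is not a P3P policy! See https://example.invalid/p3p for more info."'
POLICYREF_ONLY = 'policyref="/w3c/p3p.xml"'


def naive_presence_check(headers):
    """The weak check the anecdote exploits: any P3P header at all counts."""
    return any(name.lower() == "p3p" for name in headers)


def parse_compact_policy(header_value):
    """Return the list of CP tokens, or None if the value is not a usable compact policy."""
    match = _CP_RE.search(header_value)
    if match is None:
        return None  # no CP="..." clause at all (e.g. only a policyref)
    tokens = match.group(1).split()
    if not tokens:
        return None  # empty CP="" carries no policy
    parsed = []
    for tok in tokens:
        token_match = _TOKEN_RE.match(tok)
        if token_match is None or token_match.group(1) not in _BASE_TOKENS:
            return None  # free text or unknown token: not a policy
        parsed.append(tok)
    return parsed


def header_is_real_policy(headers):
    """Strict check: a P3P header is only honoured if its CP clause parses."""
    for name, value in headers.items():
        if name.lower() == "p3p":
            return parse_compact_policy(value) is not None
    return False


if __name__ == "__main__":
    for label, value in [("real", REAL_POLICY), ("text", NOT_A_POLICY), ("ref", POLICYREF_ONLY)]:
        hdrs = {"P3P": value}
        print(label, naive_presence_check(hdrs), header_is_real_policy(hdrs))
```

The presence check accepts all three constructed headers; the parser accepts only the first. The lenient suffix handling is a deliberate simplification, so a consumer that needs to act on the tokens (rather than merely decide whether a policy exists) should apply the per-group suffix rules from the spec.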


The law was lacking in enforcement mostly. Sure, it could have been better. But if it had been as technically specific as enforcing a browser standard, then it might have been worse or less effective. After all, lawmakers are tech-illiterate.


Because otherwise a business would be violating a law if they serve European customers?


The post you’re replying to mentions many reasons why that law is ill considered.


I don't see any reasons in that post as to why the law is ill conceived.


It might be but it’s still the law?


100%

I think the underlying reason is that most people don’t consider trade-offs.

“Yes, great let’s do the cookie banner thing. But before, let’s also consider how this could be a bad idea?”

“Yes, great let’s ban plastic straws. But also let’s consider what we get instead and if that alternative is really better.”

These conversations rarely take place in my experience. You can still decide to do it, but at least you are aware of the consequences and are able to communicate them properly to the public, to your employees etc


In this case, the 'dystopian' situation is not bad, if you consider tracking a bad (let's say 'evil' for exaggerated effect) thing.

It means that companies that want to do 'evil' are forced to ask their customers. For now most customers find the question annoying, and some go for the easy option of 'fine do some evil to me' out of convenience. But in the meantime, people are slowly building an awareness of this evil happening to them.

For now the evil is profitable enough with the few people that click agree to evil out of convenience. But people are now being faced with these decisions and will slowly turn against this evil. As this awareness builds, people will start disliking the companies. And as the law gets enforced better, people will find it easier to say 'no' to evil. At some point, this will make the extra friction of cookie acceptance screens no longer worth it, and we will be in a better place.

(Dropping the 'evil' shtick here) All the law says is 'if you want to do this generally bad thing, you gotta ask people and you can't trick or coerce them'. This is slowly going to stop the generally bad thing from happening. The alternative "don't do this bad thing" would have a less annoying transition. But that would have been an over-reaching law that doesn't leave space for the few times where the thing is actually not bad.

A more interesting question is 'without surveillance supported ads, how will the internet actually work'. Especially given that the EU laws are aimed at effectively killing the surveillance supported ad industry. This is not something the EU laws have an answer to. I find this the most worrying question, though I see little room for a new way to finance the internet that is worse than surveillance supported ads.


"the cookie banner thing" was essentially created by the ad / tracking industry, so aim your annoyance in the right direction.


The EU did not mandate a cookie banner.

The law requires you to ask for consent before collecting data you do not strictly need. Websites decided that they'd rather bother their visitors with cookie banners than stop collecting their data.

Hacker News does not have a cookie banner - despite using cookies. It doesn't need to ask for consent, because it has no intention of abusing your data.

