Cookie popups are a net positive because users are given a choice. Besides, in the US we often still get the popups but they're just useless, with the only option being "accept"
Unpopular opinion: the proper place to controll cookies is from the browser, not from the website. Browsers should show a prominent way to disable or otherwise restrict persistent storage to websites to inhibit tracking.
GDPR does not specify what technology to use to acquire consent [1], as long as the user consent. Trackers could honor the DNT header if they wanted to, and show the banner as a fallback for browsers not sending the header.
> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
While DNT could potentially be used for opt-out, it wouldn't comply for opt-in because it is not specific or informed as the user does not know what specific data processing activities will be done, can't opt-in or out of specific data processing activities, doesn't know the identity of those doing them or that they can withdraw consent at any time.
DNT specification does not allow for giving valid consent under GDPR because it is not granular and it is not informed. There's no browser dialogue that details the requested consent for which and what processing.
And as for why DNT did not took off, it's because MSFT sabotaged it by making DNT set by default in Internet Explorer. The social contract in that time between adtech, publishers and users was that the signal would strictly be opt-in. The adtech industry used IE making DNT the default as justification for not honoring any of the signals being sent by browsers. It doesn't take a lot of reasoning to realize MSFT did this on purpose, knowing it itself earns income from ads.
But it was deprecated precisely because websites either ignored it or used it as yet another signal to identify users (thus making it have the opposite effect to what was intended).
Neither GDPR nor ePrivacy directive demands cookie walls. ePrivacy directive demands consent. That consent can be given programmatically by browser APIs. There's even acknowledgement of such possibillity in the legal text (see point 7 in the directive). GDPR itself does not demand cookie banners, either. It merely demands there to be a legal basis for processing of data that constitutes personal data. One of those bases is consent. It's not the only basis. Other notable basis includes contractual necessity (includes all the cookies that are necessary for user experience, i.e sth like PHP placed session cookie).
Browsers do not have automated means to give consent/not give consent under ePrivacy because the largest browser is ran by an ad company. Monetarily speaking, the ad company earns more if it coerces its users with dark patterns into giving consent under ePrivacy than it does offering pro-user choice technologies to give a blanket not consent.
And ePrivacy itself is not just about cookies. EDPB recently released binding recommendations that severely expanded the perceived scope of ePrivacy (the true scope was always as it is, the adtech industry just ignored it). ePrivacy includes JavaScript side tracking, fingerprinting with various APIs and so on. It's not just cookies.
I mean there are extensions like "consent-o-matic" that auto answer for you, but the law doesn't require any functions like that in a browser. I suppose it was a compromise between business interests and consumer advocates when they worked out the law for the EU?
I don't know. The web is pretty unbearable here in the EU due to the cookies consent.
Even more, many times I find myself wondering why a site is not responsive to my clicks just to find out there's some hidden cookie consent that didn't fire up properly and now I have to inspect the DOM to remove it manually.
