Dear Paul Graham, there is no cookie banner law

What the law actually requires

  • Thread distinguishes between:
    • ePrivacy Directive (“cookie law”): prior informed consent to store/read non‑essential data on user devices, with exemptions for “strictly necessary” storage (e.g. auth, carts, basic prefs).
    • GDPR: processing of personal data needs a lawful basis; consent is only one of several.
  • Several participants stress: there is no law mandating banners; the law mandates consent for tracking, not a specific UI.
  • Others argue that, in practice, with tracking, cookie banners are effectively required, so calling it a “cookie banner law” is a reasonable shorthand.

Why cookie banners proliferated

  • Many companies want third‑party tracking and adtech; banners are used to keep that model alive under consent rules.
  • Lawyers often advise “play it safe” and add a banner even for minimal or purely functional cookies.
  • Some see this as malicious compliance and dark‑pattern design: making “accept all” easy and “reject all” buried or impossible, despite that being illegal.

Responsibility: companies vs regulators

  • One camp blames regulators for a vague, hard‑to‑enforce law that predictably led to UX spam and cargo‑cult compliance.
  • Another camp blames companies: they could just not track, or track only what’s strictly necessary, and avoid banners entirely.
  • Several note that many cookie popups themselves violate GDPR (no easy reject, bundled purposes), and enforcement has been slow and selective.

User attitudes and experience

  • Some claim “most people don’t care about tracking and just want content,” seeing banners as pure annoyance.
  • Others say users do care when asked neutrally (citing Apple ATT, etc.) but are confused, exhausted, or feel they have no real choice.
  • “Power users” often rely on blockers (uBlock, “I still don’t care about cookies”, Consent‑O‑Matic, Firefox features) and barely see banners, which raises equity concerns for less technical users.

Proposed alternatives and fixes

  • Strong suggestions to:
    • Make browser‑level controls (e.g., an enforceable DNT‑style signal or richer consent profile) legally binding.
    • Ban or heavily restrict cross‑site tracking and microtargeting outright instead of managing it via consent UI.
    • Clarify and enforce that refusal must be as easy as acceptance; issue more fines for non‑compliant dark patterns.

Broader privacy and business impacts

  • Many argue pervasive tracking is ethically “sketchy,” enabling profiling, data brokerage, and political microtargeting; they see the law as a necessary counterweight.
  • Others worry that weaker ad revenue and compliance complexity hurt small publishers and “free content,” and see the regulation as poorly calibrated despite good intentions.