Please stop putting cookie pop-ups on your website (2022)
What the laws actually require
- Thread repeatedly distinguishes GDPR (general data protection) from the ePrivacy “cookie law.”
- GDPR focuses on lawful bases and explicit opt‑in consent for processing personal data and sharing it with third parties.
- ePrivacy requires consent for non‑essential cookies; technical/functional cookies (e.g., session, login, basic preferences) generally do not need banners.
- Several comments stress that “tracking” (cookies, fingerprinting, third‑party requests) without consent is not allowed, regardless of technique.
- There is disagreement over whether sites may deny service if tracking is refused; some assert cookie walls are illegal, others claim blocking access is permitted. Linked national regulators in the EU say cookie walls are not allowed, but enforcement varies.
Why cookie popups exist and who is to blame
- One camp blames regulators for vague or naive rules that pushed consent UX onto every site, creating friction with limited privacy gains.
- Another camp argues the laws never mandated popups; sites chose “malicious compliance” and dark patterns instead of collecting less data.
- Cookie banners are described as an industry tactic to:
  - Nudge fatigued users into consenting.
  - Generate political backlash against privacy regulation.
Effectiveness, failures, and side effects
- Many see the current regime as a failure: users click “OK” by habit, banners are confusing, slow, often unusable when zoomed, and break sites when blocked.
- Do Not Track is cited as a prior header‑based solution that sites mostly ignored and sometimes repurposed for fingerprinting.
- Enforcement is viewed as weak and slow, though some note real impacts: large reductions in third‑party trackers on some platforms and more cautious data‑sharing cultures.
- Banners did raise public awareness of data sales to hundreds or thousands of “partners.”
Technical and UX alternatives
- Suggested fixes:
  - Standardized browser‑level privacy preferences (headers or APIs) that sites must honor.
  - A global, legally binding “do not track” / Global Privacy Control signal.
  - Per‑site but browser‑managed consent UX, not site‑by‑site banners.
- Existing mitigations: ad‑blocking and anti‑tracking tools (uBlock Origin, Brave, AdNauseam), Safari’s “hide distracting items,” and cookie‑banner blockers.
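
What honoring a browser-level signal could look like on the server side, as an added example that is not code from the thread: the site reads the `Sec-GPC` and `DNT` request headers and sets only cookies that need no consent when either is present. The cookie names, the category map, and the rule that the browser signal overrides stored per-site consent are assumptions made for illustration.

```javascript
// Hypothetical cookie inventory for one site (constructed for this example).
const COOKIE_CATEGORIES = {
  session_id: "essential",
  csrf_token: "essential",
  ui_lang: "functional",
  analytics_id: "analytics",
  ad_partner_sync: "advertising",
};

// Categories treated here as non-essential, i.e. requiring prior opt-in.
const NEEDS_CONSENT = new Set(["analytics", "advertising"]);

// True when the request carries an opt-out signal (Sec-GPC: 1 or DNT: 1).
// Header names are case-insensitive, so normalise before comparing.
function hasOptOutSignal(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).trim();
  }
  return h["sec-gpc"] === "1" || h["dnt"] === "1";
}

// Filter `proposed` ({name: value}) down to the cookies that may be set.
// `consent` holds the categories the user explicitly opted into on this site.
// Assumption: a browser opt-out signal takes precedence over stored consent.
function allowedCookies(headers, proposed, consent = new Set()) {
  const optOut = hasOptOutSignal(headers);
  const result = {};
  for (const [name, value] of Object.entries(proposed)) {
    const category = COOKIE_CATEGORIES[name];
    if (category === undefined) continue; // unclassified cookie: fail closed
    if (!NEEDS_CONSENT.has(category)) {
      result[name] = value; // essential/functional: no banner needed
    } else if (!optOut && consent.has(category)) {
      result[name] = value; // non-essential: only with opt-in and no signal
    }
  }
  return result;
}
```

Dropping unclassified cookies keeps a newly added third-party script from setting a tracker before anyone has categorised it.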
Business models and future directions
- Debate over whether targeted ads are vital, especially for small/medium businesses, versus claims that contextual ads and limited analytics suffice.
- Some argue businesses that rely on pervasive tracking “shouldn’t exist”; others warn of economic fallout if ad‑tech collapsed.
- Proposals include stricter bans on tracking, heavier fines for unnecessary banners or dark patterns, public registries rating companies’ privacy/EULA practices, and potentially outlawing certain ad‑tech (e.g., Google Analytics) in some jurisdictions.