logoalt Hacker News

vouwfietsmanyesterday at 8:07 PM1 replyview on HN

> So you like the law, but don't like how it didn't actually solve the problem it was trying to solve?

(Not the person you replied to)

I'm not sure where all of this is coming from, the law is actually extremely obvious and useful: you want to track people, they have to be informed, and have to consent. The law says nothing about how, and the way it was implemented was entirely up to the corporations discretion, which of course opted for the most malicious terrible way to do it, but they did it.

The purpose of the law was that people should be informed about cookies being installed and consent to that happening.

Do you feel like people are now aware that cookies are being installed, more so than before the banner? Do people understand that they are consenting to this?

That is the law at work.

Everything above and beyond that is nice to have, and I'm sure the world would be better for it, but without the EU, people probably wouldn't even know what cookies were, let alone understand (or have control over) how they are being tracked.

If that's not a net positive in a world where net-negatives happen every week, I don't know.

Replies

AnthonyMouseyesterday at 8:32 PM

> Do you feel like people are now aware that cookies are being installed, more so than before the banner? Do people understand that they are consenting to this?

> That is the law at work.

The problem is that's not what anybody, including the users, want. Nobody cares that browsers have cookies as an implementation detail. It's a ridiculous thing to use as the basis of a privacy rule. Does the user care that the site uses cookies to implement a shopping cart feature? Does the user not care that the site is tracking them without cookies using device fingerprinting? Cookies were never the problem.

On top of that, they were the thing the users already had control over. Browsers allow you to delete or reject cookies, provide private browsing modes that don't submit them, etc.

Meanwhile the things that would actually be useful, like prohibiting services from requiring the user to provide a phone number (a de facto cross-service cross-device tracking ID) in order use the service, or requiring device attestation (which uniquely identifies the device), are left unaddressed.