Don’t blame the EU. Respect
DNT: 1

en.wikipedia.org/wiki/Do_Not_T…

"Encrypting everything just to protect that one lousy cookie header seems like a whole lot of overkill to me.

I’m not holding my breath for that to happen any time soon, though. "

Looks like you were wrong about both this and the GDPR cookies.

hey, EU doesn't force cookie banners on websites. Just... don't track your users with third party scripts and no consent mechanism is necessary then.

For context: I work as a website GDPR compliance auditor

yup totally, another text of la made to let shittyfiers run business as usual.

how about do not track feature that is widely ignored but already implemented ? and yeah, if people making websites did not think it would be a good idea to give every people's privacy to analytics there would be no need for such cookie popups as it is already stated.

If it only it was possible for websites to exist without tracking the shit out of every user.

But no, these evil popups which the EU definitely said every site must have stand in the way of the newsletter sign-up popup, the three overlaid autoplaying videos, the half screen ads, and the push notifications popup that we're all just dying to see.

Wait no you can just not treat visitors like a commodity to be shopped around. Because that's gross.

Yes it should be a browser feature. But no, this blame is not with the EU. They just require consent if you do overt user tracking. Even if you would want advertising, this form is toxic as fuck and enough sites do the invasive tracking without advertising.

There is a related browser feature that helps here: the do not track header. If you honor that, you do not need to show a cookie banner when set.

nah. The EU didn't "force the cookie notice" on anyone. It just requires that if you track people, you need their consent. If data brokers choose to make the most hideous dark patterned interfaces for that, then that's on them.

Tracking people without their consent is called stalking. You sure you want to defend that?

wait a sec... is this the right link?

A blog post from 2010 on how it's a bad idea to demand that every website uses https, but considering that a better authentication protocol won't come, demanding https is our best bet?

How's that relevant to cookie popups?

And how has noone in this thread noticed this before? Did they not read the blogpost?

Sorry, but this is bullshit US propaganda. There is no obligation to have a cookie banner (my blog does not have one, for instance), even if you use cookies (a lot of important uses, such as logging in and out are excluded).

#factChecking

See mastodon.ar.al/@aral/115122589… Aral is correct, gdpr does not mandate cookie notices.

Aral Balkan

2025-08-31 09:08:32

Look, Jeff Atwood, it is difficult to take you seriously when you write authoritatively on a subject you clearly don’t understand.

GDPR doesn’t mandate cookie notices.

Cookie notices are *malicious compliance* by the surveillance-driven adtech industry.

If you’re not tracking people, you do not need a cookie notice, period.

If you’re only using first-party cookies for functional reasons, you do not need a cookie notice, period.

If you’re using third-party cookies to track people – i.e., if you’re sharing their data with others – then *you must have their consent to do so*. Because, otherwise, you are violating their privacy. Even then, the law doesn’t mandate a cookie notice.

How would you conform to EU law without a cookie notice if your aim wasn’t malicious compliance?

You would not track people by default and you would make it so they have to go your site’s settings to turn on third-party tracking if, for some inexplicable reason, they wanted that “feature”.

Boom!

No cookie notice necessary.

What’s that?

But that would destroy your business because your business is founded on the fundamental mechanic of violating people’s privacy?

Good.

Your business doesn’t deserve to exist.

Because the real bullshit here isn’t EU legislation that protects the human right to privacy, it’s the toxic Silicon Valley/Big Tech business model of farming people for data that violates everyone’s privacy and opens the door to technofascism.

infosec.exchange/@codinghorror…

GDPR never mandated cookie banners. GDPR mandated user consent. There was a browser feature for that: the DNT HTTP header. That header was deprecated because nobody respected it. It was just easier to enforce user consent through cookie banners and dark patterns.

Nothing here is EU's fault. You want a better option? Campaign for a legislation to enforce the website to respect DNT.

Or… Just don't track?

It was a missed opportunity indeed. Instead of allowing non-essential tracking cookies if the user naïvely agrees to them, they should just have been banned outright. No banners needed.

As for technically required cookies like session ids no banner is necessary.

The EU didn't "force anything".

"If you want to track (or share information), you must seek consent"
Websites had various alternatives.

1. Don't do it. No consent needed.
2. Need? Then Ask.

Nowhere in the docs is mentioned that it should be borderline impossible to say no (or to use a banner)

This is on companies, not the EU. The alternative is they do it behind the scenes without your consent.

Of course bureaucracy made it possible to abuse loopholes. And here we are.

I feel it difficult to believe that the EU meant for those cookie banners to be the response to their requirements. It is nothing else than malicious compliance.

After doing some digging it seems that functional cookies do not require consent, but the tracking that is shared with third-parties does (that would be advertisers and social ).

I published my business’ site this Friday. No cookie consent necessary.

It’s all a matter of what cookies you (don’t) use.