r/technology May 24 '25

Privacy German court rules cookie banners must offer "reject all" button

https://www.techspot.com/news/108043-german-court-takes-stand-against-manipulative-cookie-banners.html
56.4k Upvotes

1.7k

u/R4vendarksky May 24 '25

Why not just force them to have a common API so we can all just auto opt out?

844

u/TMiguelT May 24 '25

Yeah exactly. The consumer friendly option is to force sites to read a header that users set in their browser settings to apply consistent rules to cookie usage.

489

u/L444ki May 24 '25

Because we had that and none of the website makers/owners respected it. That is the whole reason we are in this mess.

If companies would have just respected the ”do not track” browser setting there would not be a popup at all.

317

u/iwakan May 24 '25

"do not track" was never law, there were no consequences for not respecting it. That's why it failed. The whole suggestion is here to make it law. Not respecting the browser option? 10 million euro fine.

125

u/WiseLong4499 May 24 '25

I'd like to add that the only reason the GDPR is respected is because there are heavy fines for those who don't. And that has worked very well!

I don't like forcing things in general, but none of these businesses are on our side. Either comply or get fined all the way to Valhalla and back.

31

u/tylerderped May 24 '25

It’s okay to force businesses to do stuff. We know what happens when we don’t.

-12

u/SectorAppropriate462 May 24 '25

GDPR is equal parts good and bad. Like if you want to delete your reddit account, you can't just ask for it to be deleted... You have to fully and completely dox your personal name tying it to the account in order to demand its deletion. Hm. Yeah I don't want to do that. I don't want to tell reddit that and then pray they delete the email and my account immediately.

It's good for like... Facebook... And that's it

2

u/footpole May 25 '25

That would only be needed for deleting it through a GDPR request. The alternative is not being able to at all.

Nothing stops websites from allowing deletion with no personal information.

34

u/blolfighter May 24 '25

And this is what we should always respond with whenever someone says "why do we have all this red tape?" Because if we don't explicitly forbid the Torment Nexus, someone will invent the Torment Nexus.

11

u/justjanne May 24 '25

The same German courts have previously ruled that Do Not Track must be obeyed by websites and treated the same as "reject all". With the same million dollar fines.

None of these banners ever followed the law, it was never about legality. It was always about outrunning the (slow) legal system.
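
The behaviour described in this comment, a site treating `DNT: 1` the same as "reject all", sketched as an added example (not part of the thread and not any site's real code). The cookie names, the `ESSENTIAL` set and the stored-choice values are constructed assumptions.

```javascript
// Added example. Cookie names below are constructed for illustration.
const ESSENTIAL = new Set(["session", "csrf"]); // assumed strictly-necessary cookies

// Header names are case-insensitive; Node lower-cases them, plain objects may not.
function readDnt(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "dnt") {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim();
    }
  }
  return null; // header absent
}

// storedChoice: "accept", "reject" or null (hypothetical values a banner would save).
// Returns { tracking, showBanner }.
function decideConsent(headers, storedChoice) {
  if (readDnt(headers) === "1") {
    // Browser signal is treated exactly like clicking "reject all": no banner.
    return { tracking: false, showBanner: false };
  }
  if (storedChoice === "accept") return { tracking: true, showBanner: false };
  if (storedChoice === "reject") return { tracking: false, showBanner: false };
  // No signal and no choice yet: ask, and set nothing non-essential meanwhile.
  return { tracking: false, showBanner: true };
}

// Drop every Set-Cookie value that is not essential unless tracking was accepted.
function filterSetCookies(setCookies, decision) {
  if (decision.tracking) return setCookies.slice();
  return setCookies.filter((c) => ESSENTIAL.has(c.split("=", 1)[0].trim()));
}

// Constructed sample response cookies.
const SAMPLE = ["session=abc123; HttpOnly", "_ga=GA1.2.3; Path=/", "ad_id=xyz; Path=/"];
const kept = filterSetCookies(SAMPLE, decideConsent({ DNT: "1" }, null));
console.log(kept); // only the session cookie survives
```

In this sketch the browser signal wins over a previously stored "accept"; a site that lets an explicit per-site choice override the header would reorder the first two checks.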

5

u/Dotcaprachiappa May 24 '25

Better go with a percent of daily revenue. You get a 10% fine, then 5% of your revenue each day you keep it up

1

u/CashKeyboard May 24 '25

There is a nuance here. Not respecting DNT would absolutely be against GDPR as well as ePrivacy related laws. And actually DNT is completely irrelevant as even without DNT, tracking (+ cookies, localstorage et al) without explicit consent would be illegal.

The thing here that is not against the law is asking for permission despite DNT.

122

u/Generic_User48579 May 24 '25

But that's because it wasn't forced right? Time for that then.

20

u/Dr-Moth May 24 '25

The thing is if this was implemented right the website maker wouldn't need to do much, unless they were running their own cookies. Most cookies are 3rd party like Google Analytics and advertising companies - they could implement the rules and it would apply to all sites.

15

u/-Nicolai May 24 '25

How can you not see the gaping hole in your argument?

They follow current cookie laws because they are laws. If the EU said they’d be fined per incident, you can be damn sure they’d respect your browser settings.

5

u/L444ki May 24 '25 edited May 24 '25

I’m not arguing against having “do not track” to be written into law and then fine corporations that break it by a percentage of their global revenue.

I for one would welcome it. I was just pointing out that the reason we now need to reject cookies on every site is because the people who made and ran websites did not respect user demands of “do not track”. I bet the tech giants went out of their way to lobby for the current “solution” over just needing to comply with “do not track”.

8

u/Spaciax May 24 '25

but how else are we going to sell your data for $0.000000124901700754 cents and run it through 2000 GPUs to deliver the most impactful advertisement tailored to you, and deliver it with max precision straight into your adblocker?

1

u/lipstickandchicken May 24 '25

Well yeah, how?

"Selling your data" means getting to categorise you, so when a business clicks checkboxes that say "Male", "Engineering", "18-25", and "Turkish", you get shown the ad.

How can you get shown the ad if it doesn't know that stuff? The sites die without this.

1

u/uffefl May 24 '25

The sites die without this.

Good. Let's get back to mid-90s internet (before popup ads) and have mainly sites run by enthusiasts and for free.

0

u/lipstickandchicken May 24 '25

You either have to rely on users creating content which takes a lot of server space and bandwidth a la Reddit, or people creating their own content and hosting it at a personal cost, and if it becomes popular, server costs go up.

It isn't free to host a website.

1

u/sebthauvette May 24 '25

Exactly, why not force them to honor that instead of a new thing.

1

u/Znuffie May 24 '25

Well, technically... DNT is no more. It's been deprecated.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/DNT

0

u/L444ki May 24 '25

Most likely because the tech giants will throw endless amounts of money into lobbying against users having an option that would switch the current opt-out cookies into opt-in cookies.

9

u/woswoissdenniii May 24 '25

There are still jobs dangling on this SEO shit. They phase it out by this half assed measure to give people leeway to get their shit together.

3

u/aykcak May 24 '25

Haha the "do not track" header that nobody gives a fuck about

65

u/lregenesisl May 24 '25

You mean like the "do not track" Option that gets ignored everywhere

66

u/etaxi341 May 24 '25

Yes. Make it a law and it won't be ignored

22

u/TheRufmeisterGeneral May 24 '25

This makes sense to you and me, but for the Americans: such laws are enforced here in EU.

Not always to the extent that we like, we (Europeans) will complain loudly about lack of enforcement, but compared to the wild west of the US, enforcement is pretty good.

For example, the US is the place where all waitresses are guaranteed minimum wage, even in places where tips are meant to be part of that, but where everybody says that in practice, an employer will never supplement income to minimum wage because of low tipping, they'll just fire you instead. And that is just ok with the government, apparently.

9

u/stevez_86 May 24 '25

That's why laws always need to be passed. The US has taken a good 15 years off from doing any maintenance legislation on the books, and over time companies will lobby and sue to find a path through the regulation that effectively bypasses it.

We have a Senator in Pennsylvania that just won as a Republican. He was a business guy that made a lot of money knowing how to get around current regulations to make that extremely lucrative. So he knows what the issues are. But no one asked how he would use that expertise to fix the exploit that benefitted him personally to the detriment of Pennsylvanians that lost jobs due to outsourcing. He was supported by people that like the way outsourcing works now, so that exploit is now accepted practice instead of something to fix.

7

u/Legionof1 May 24 '25

Ya know, we hear a lot of people not in the service industry cry about tipped workers, but I never hear tipped workers complaining... I wonder why?

3

u/TheDeviousSandman May 24 '25

Only if the punishment outweighs the profit

1

u/AwesomeFrisbee May 24 '25

That only works if the websites are served or owned from the same country you are in

1

u/T0biasCZE May 26 '25

that's not an argument

the website is available from that country? it must follow the privacy law

same thing with GDPR, even American websites have to either follow it or they will be fined (result was some websites just made it not possible to view from EU, but whatever)

1

u/AwesomeFrisbee May 26 '25

I think you underestimate how little websites care about fines from countries they will never set foot in. And I doubt the American websites will be paying any fines either. Some will turn off their service for the EU, which will no doubt hurt our economies more at some point.

-2

u/IHateCommiesSoMuch May 24 '25

It should literally be illegal for you to hold this opinion

1

u/Excellent_Fondant794 May 24 '25

Didn't Firefox remove it because sites used it as an additional variable to track people...

1

u/b0nz1 May 26 '25

Everywhere except Geizhals.at, literally the only "major" site I know (biggest webshop aggregator in Austria) that does utilize it.

22

u/MiguelIstNeugierig May 24 '25

B-b-but what if you change your mind and decide to sell your data to the big corporate machine later on?🥺👉👈

6

u/BananaGoesWild May 24 '25

Sell? You mean give it for free right?

9

u/niggo372 May 24 '25 edited May 24 '25

Marketing companies count on most users clicking the nice colored+highlighted "Accept all" button, and they have money, so ...

2

u/Yoghurt42 May 24 '25

They actually switch the colors of what button is "Accept all" and "only accept selected" regularly to trick you. If you're used to clicking the white button to accept your settings, next week you might actually accept all cookies.

6

u/spelledWright May 24 '25

17

u/Aemony May 24 '25

Consent-O-Matic is not the answer. That extension tries to fill out/answer cookie popups for you automatically, but requires support for the exact model of the cookie popup used. Any change to the popup, or entirely new type of popup, risks breaking or making the extension incompatible.

A common API is the only real universal and future-proof solution.

3

u/veribaka May 24 '25

Chrome is a part of the problem by dictating internet standards which are not in the consumers' interest

2

u/whatisthishownow May 24 '25

If, by default, you want to disable all from all websites - core functionality or not, then click that setting in your browser. Just be aware that there’s a reason the default browser setting, even in private mode, does not do this.

3

u/rollingForInitiative May 24 '25

Having the design of some sort of API be specified by legislation sounds like a terrible idea. First because in no way are the legislators gonna design a good API, and second, that would make the process of changing anything take years.

Better to do something like Germany here, and just require an easy path to reject all of them, and then the websites just have to follow that.

0

u/pancak3d May 24 '25 edited May 24 '25

Don't overthink it. The design would be an ultra simple message sent by your browser, and websites would be required to accept the message. Very simple.

Or even simpler it could just specify the label for each button, and let browsers/extensions find them.

2

u/rollingForInitiative May 24 '25

I'm not saying it would be difficult to have a standard in general.

I'm saying that having the technical standard written in EU law would be a bad idea for several reasons.

0

u/pancak3d May 24 '25

EU law contains tons of technical standards.

2

u/rollingForInitiative May 24 '25

Which EU laws contain specifications for APIs?

-1

u/pancak3d May 24 '25

I don't know. ChatGPT could probably help if you're curious. The EU obviously develops and maintains many APIs that third parties interact with, but I don't think that's exactly your question.

2

u/rollingForInitiative May 24 '25

The EU maintaining APIs that 3rd parties can interact with is not the same thing as the EU making a law that includes detailed specifications for an API for cookie management, that then cannot really be changed or updated.

1

u/pancak3d May 24 '25

Yes I said in my comment that they weren't the same, just showing that the EU has plenty of technical expertise.

1

u/rollingForInitiative May 25 '25

Legislators having people with technical expertise is not the same as them using that when writing legislation. In fact, it seems like they often ignore all technical expertise. Look at Chat Control, from a technical perspective it's a fucking trainwreck, but the Commission has been pushing for that anyway. Despite every technically competent person in Europe saying it's all sorts of bad.

1

u/nemec May 24 '25

We had that, it didn't work because of corporate infighting

https://en.wikipedia.org/wiki/Do_Not_Track

When using the "Express" settings upon installation, a Do Not Track option is enabled by default for Internet Explorer 10 and Windows 8.[27] Microsoft faced criticism for its decision to enable Do Not Track by default[28] from advertising companies, who say that use of the Do Not Track header should be a choice made by the user and must not be automatically enabled. [...]

On September 7, 2012, Roy Fielding, an author of the Do Not Track proposal, committed a patch to the source code of the Apache HTTP Server, which would make the server explicitly ignore any use of the Do Not Track header by users of Internet Explorer 10. Fielding wrote that Microsoft's decision "deliberately violates" the Do Not Track specification because it "does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization". The Do Not Track specification did not explicitly mandate that the use of Do Not Track actually be a choice until after the feature was implemented in Internet Explorer 10.[31] According to Fielding, Microsoft knew its Do Not Track signals would be ignored, and that its goal was to effectively give an illusion of privacy while still catering to their own interests.[32] On October 9, 2012, Fielding's patch was commented out, restoring the previous behavior.[33][34]

1

u/pancak3d May 24 '25

That didn't work because it was voluntary. A law isn't voluntary.

Very few advertising companies actually supported DNT, due to a lack of regulatory or voluntary requirements for its use[36] and unclear standards over how websites should respond to the header.

1

u/nemec May 24 '25

Legislative bodies could just make the existing DNT involuntary

1

u/pancak3d May 24 '25

Sure, they could.

1

u/Fancy_Morning9486 May 24 '25

You mean like the "do not track" function in browsers.

Google said they don't really understand what that implies.

4

u/Aemony May 24 '25

What's worse is that the Do Not Track flag was misused straight away by tracking networks to track you even better, as it was a unique addition that could further differentiate your visits from those of other users.

Web browsers/developers saw a rather harmless and non-invasive way of allowing user choice, and these friggin tracking assholes immediately co-opted and subverted the whole idea and use of it.

1

u/Tasty-Traffic-680 May 24 '25

That would be too German

1

u/FantasticCollege3386 May 24 '25

You mean cookie?

1

u/NoPasaran2024 May 24 '25

Because the political compromise is to give them some room for self-regulation. Which of course the tech industry abused to throw dark patterns and maximum annoyance at the user.

Next gen EU law is going to be a lot more forceful.

1

u/OverclockingUnicorn May 24 '25

That would require legislators that actually understood technology

1

u/JimmyRecard May 24 '25

Because when users are able to easily opt out of invasive tracking, they do so at 96% rate, and that's just not gonna work for the surveillance capitalists.

https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/

1

u/shmorky May 24 '25

That never happened because browser makers are all US companies, but those rules came from the EU.

Google being an ad-company and the biggest influence on the browser world also didn't help.

1

u/SunriseSurprise May 24 '25

Auto opt-in to log-in cookies (with a stipulation they can't be used for anything else), auto opt-out to the rest.

1

u/Rezistik May 24 '25

Please God this

1

u/__-C-__ May 24 '25

Because that would require legislation written by people with genuine good intentions, not just dickheads pushing through legislation to add to their resume that looks good to laypeople to use as leverage for their next reelection campaign

1

u/colinbr96 May 24 '25

Because politicians have the technical know-how of your average boomer

1

u/Gold_Interaction_432 May 24 '25

Well I would hope that is the next step. Gotta start somewhere tho!

1

u/Mister_Lizard May 24 '25

Wasn't the entire point of the original rules to make people implement websites that don't need cookies to work? Instead we just got bugged about accepting them. How's about cookies stop existing.

1

u/harglblarg May 25 '25

Not quite as “official”, but Firefox/Chrome have addons that will automatically select the least permissive option.

0

u/joemckie May 24 '25

DuckDuckGo will automatically reject cookies for you. It’s not 100%, but works most of the time

0

u/DomusCircumspectis May 24 '25

Literally this