Standard API to inform client of cookie policies (alternative to “accept these cookies” prompt)

Due to semi-recent laws, every website you go to has a giant “Please allow us to store cookies in your browser” banner. I understand the importance and usefulness of these laws, but for most people, those banners are just annoying popups on websites that you might only ever visit once, and many people instinctively dismiss them without a second thought.

What if, there was a standard way for a website to inform the browser of its cookie policies. The end-user could then set some browser-level options to decide how they want to handle these cookie policies. Some example possible configurations:

• Always present the cookie policies to me, and let me manually decide if I accept/decline them (how the web works today)
• Auto-accept cookie policies that only store cookies for essential, non-advertising functionality, otherwise present the policy to me.
• Auto-decline all cookie policies
• Auto-accept all cookie policies (Like it was in the good old days)
• When my configuration says that a cookie policy should be presented to me, do so by showing an unintrusive cookie icon in the URL bar, letting me know that there’s a policy I can look at and agree to if I so choose. I can then click on this icon to ask the website to show me the policy.
• When my configuration says that a cookie policy should be presented to me, immediately ask the website to present it to me. (How it works today)
• etc

Giving this kind of power to the end users would not only make the web much nicer to use, it’ll do a better job of letting people know when the cookie policy actually contains information they care about, like, “We store cookies to follow you around for advertising purposes”. If that’s the only type of policy you care about, you can simply auto-accept all other types, and have advertisement-related policies be presented, or auto-declined.

That would have to allow for complicated trees of permissions. Also websites actually try to make refusing cookies as much a hassle as possible cause it’s cutting their money if you refuse so I don’t think most sites will use it anyway if some legislations won’t force them to use this api

I know the law already describes two categories. “essential” and “non-essential”, so it should be possible to at least subdivide it that far. Though, honestly, if we don’t have the categorization part of this idea, it would still be a very useful feature to allow people to control how/when the cookie policies are shown to them. If you’re honestly ok with websites tracking you around the internet, then you shouldn’t need to push “accept” on every cookie banner.

Many websites use cookies for other purposes besides advertising, and making a less intrusive cookie banner would be beneficial for them, to improve the overall UX of their website.

For everyone else, I wouldn’t be surprised if the value of users auto-accepting their cookies outweight those who are auto-rejecting. For example, when I visit a search-result page, I might not bother dismissing the cookie-banner, because I’m only going to be on that page for a short time. But, when presented with a browser-level option of auto-accepting all cookie policies, I would likely choose it, thus granting these websites that I briefly visit permission to store advertisement-related cookies on my computer. Without doing any studies, I wouldn’t know how many people behave more like me, and how many would choose an “auto-reject” option, but it’s very possible these kinds of websites would actually see more people accepting their cookies with a system like this in place. Or not. Or maybe it depends on the type of people visiting their website.

Note that this API is simply informing the website of the user’s preferences, it’s up to the website to honor those wishes. It’s very possible that some more-annoying websites would simply ignore a user’s wishes to auto-reject their cookie policy and present them with a difficult-to-reject cookie banner anyways. But they’ll happily receive the “auto-accept” signals and never show those users a cookie banner. Thus even the annoying websites would still be able to provide a minor UX improvement to the people who don’t care about the cookies while still being able to greedily push everyone else in front of the banner.

This or something similar would be super helpful. Related: Getting rid of cookie warnings, [Proposal] Use permissions API to request third-party cookie permissions, [Proposal] Show GDPR popup

It’s worth noting that browsers may guide users differently here as well, as they each have differing incentives:

• Edge and (especially) Chrome would likely want to guide users to accept cookies.
• Firefox and Opera would likely remain neutral.
• Brave and Safari would likely want to guide users to deny non-functional cookies.
• Tor Browser Bundle would likely reconfigure the underlying Firefox application to deny all optional cookies by default and leave it awkward but possible for users to opt in by choice later (as more or less an escape hatch).
• In all cases, browsers would have a very strong customer demand to expose this as a configurable option for extensions like NoScript and uBlock Origin.

Good point. Even within a browser, it’s possible that an incognito mode would use different cookie-tracking defaults over the normal browsing experience.

Regardless of whether or not this proposal is realistic or not, I think it’s a very important topic and I do support the proposal. Cookie banners are not just annoying in the sense that they break the flow of using a site, they’re also often intentionally designed to mislead or burden a user with e.g. buttons with an unintuitive primary option or an otherwise ugly or confusing UI.

On top of that, it’s very hard for a user to actually understand what these cookies are for and why they are necessary. Most cookie banners have some explanation with each cookie to indicate what it’s for, but ultimately I personally am not satisfied with some (if not most) of them. On top of this, it is very hard to find the source of a cookie with some details about what service it is used in exactly. Let me demonstrate this using an example.

I currently have 31 cookies stored on this site at the time of writing this answer. One of them, picked at random, is called “LSOLH” and it is from accounts.google.com. This site does not seem to have a cookie banner (which is questionable, but let’s disregard that) so if I want to find out what this cookie is for, what do I do? When trying to search for this through Google, I merely find sites that list this cookie as one of the many cookies they use, but none of the sites seem to be from Google themselves (the origin of the cookie). Luckily, Google provides us with the ability to search terms on only a specific domain, so the search term LSOLH site:google.com ought to do the trick! Well, sadly, no - as of writing this, that only comes up with 2 results, neither of which explain or even talk about this cookie.

This makes cookie banners somewhat pointless for me personally. Any site can say they use a cookie for a specific reason, but if there is no documentation from the actual source of the cookie, I cannot confirm that what they say is true. I need to have faith in the service’s integrity regardless of whether or not they show me a cookie banner.

The original proposal is definitely nice to have, would save a lot of hassle when browsing the internet, and would definitely prevent people from agreeing to things they do not actually want to agree to (whether that’s by mistake due to a confusing UI or just out of frustration). However, I think we actually need to go further than that. We need developers to explicitly write extensive documentation on what the cookies in their product(s) do, why they are necessary and what it means for a user when denying that cookie (in the case that it is not a cookie necessary for the service). Currently, many services and products do not even acknowledge they use certain cookies (e.g. the aforementioned “LSOLH” cookie). Perhaps this should even be a central database storing this information about cookies, so that cookie banners can use that info to inform their users properly using the documentation given by the original developer rather than by someone on their own team that more-or-less had to guess what the cookies are for.

Are you arguing that developers should document what each and every cookie does? How does this improve the trustworthiness of the banner (or whatever we present to the end user) - if they can lie about the collection of cookies, can’t they also lie about each individual cookie?

It increases the trustworthiness because people (i.e. developers implementing cookie banners) don’t have to guess at what certain cookies do. They can simply take the documentation written by the original developer(s) and make sure their information is accurate. Even better, if we let browsers handle this and have that central database, then browsers could just download all cookie information they need so that users can be sure the information they get about cookies is correct.

Maybe my reply was a bit confusing, but essentially what I was getting at is that cookie banners should not have to describe another product’s cookies because it is just harder to do than for the developers of the product the cookies are coming from. I want to shift the responsibility of an accurate cookie banner somewhat away from the site using the cookies. From an architectural standpoint, it doesn’t make much sense for this to happen either; what if a service removes or adds a cookie? Then everyone has to update their cookie banner. Does that always happen? Most likely, no. If this information is coming from a central database, sites do not have to worry about GDPR compliance because all they need is to list the products or services they use and the cookie banner can essentially build itself with accurate (and always up-to-date) data.

Going back to the original proposal, I think letting browsers handle cookies is definitely valuable for a multitude of reasons. Not just for removing the annoyance of the banners and popups, but also actually blocking cookies the user did not agree to. I mean that not just on a big scale of blocking “non-essential cookies” but also each cookie separately if the browser has in some way access to the list of cookies a site asks consent for. We have these GDPR laws in place, but the technology allows developers to basically ignore and break that law, and as far as I know there are rarely ever consequences for that. With implementing cookie banners on a browser level we could actually ensure full GDPR compliance because the browser can just block whatever you didn’t consent to (on top of that, browsers can more accurately handle country-specific laws because they can probably more reliably detect what country someone is in).

Either way, that’s just my two (perhaps a bit dreamy) cents - I’m not a lawyer by any means, so I’m not even sure if any of this is legally feasible, but I think progress on this topic is very important.