[Proposal] Show GDPR popup

Proposal for an API similar to the location API to show a popup to be compliant with the GDPR legislation in Europe.

Problem

Currently every website implements their own popup to be GDPR compliant. This results in a poor user experience where the user has to dismiss multiple popups to be able to read the actual content of the webpage.

Examples: https://www.google.com/search?q=gdpr+popup&tbm=isch

Example library that generates these popups for you. (useful to see what options we could include in this API) https://cookie-script.com/

Solution

To improve this we could create an API in the browser that allows website developers to request a popup to be shown to the user. Similar to the location API popup.

In pseudo code this API would look something like this:

navigator.privacy.getCookieConcent({cookie: true, tracking: true}, allowHandler, denyHandler);

This would then show a dialog to the user:

This might make it possible to circumvent the GDPR popups for users that check the “use these settings for all sites” (not sure if this is legal though; lawyer assistance needed)

This would also allow the browser to give more info about the website privacy settings: [image]

Discussion points:

  • Is this repo the correct location to propose this API?
  • Do you think this is a viable API?
  • Would browsers implement this even though it is only for the European market?
  • Is the “use for all sites” setting enough consent from the user to not show this dialog on other websites?
  • Should we provide options for privacy tracking, so the user can consent to some tracking, e.g. tracking for analytics, but not for marketing?
  • Should this work with callbacks or promises or both?
  • Should we include a “read more” link in the API, so users can read more about why privacy tracking consent is required for that particular website?
3 Likes
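
A sketch of the semantics the proposal and its discussion points raise (per-purpose consent, the “use these settings for all sites” choice, callbacks versus promises), added here as an example; it is not part of the original post and not a real browser API. `createConsentBroker`, `requestConsent`, `requestConsentAsync` and `askUser` are hypothetical names, and the rules that a stored answer covers only purposes the user was actually asked about and that a failed dialog counts as a denial are assumptions of this sketch.

```javascript
// Hypothetical model of the browser side of the proposed API (not a real API).
// askUser(origin, purposes) stands in for the dialog and returns
// { granted: [purpose, ...], allSites: boolean }.
function createConsentBroker(askUser) {
  const perOrigin = new Map();         // origin -> Map(purpose -> boolean)
  const allSitesDecisions = new Map(); // answers given with "use for all sites"

  function lookup(origin, purpose) {
    const site = perOrigin.get(origin);
    if (site && site.has(purpose)) return site.get(purpose); // site answer wins
    return allSitesDecisions.has(purpose) ? allSitesDecisions.get(purpose) : undefined;
  }

  // Callback form, shaped like the pseudo code in the post.
  function requestConsent(origin, request, allowHandler, denyHandler) {
    const purposes = Object.keys(request).filter((p) => request[p] === true);
    const undecided = purposes.filter((p) => lookup(origin, p) === undefined);
    if (undecided.length > 0) {
      let answer;
      try {
        answer = askUser(origin, undecided);
      } catch (_) {
        answer = null; // dialog failed or dismissed: nothing stored, treated as denied
      }
      if (answer) {
        const store = answer.allSites ? allSitesDecisions : perOrigin.get(origin) || new Map();
        if (!answer.allSites) perOrigin.set(origin, store);
        // Record only the purposes that were actually shown to the user.
        for (const p of undecided) store.set(p, answer.granted.includes(p));
      }
    }
    const granted = purposes.filter((p) => lookup(origin, p) === true);
    if (granted.length > 0) allowHandler(granted);
    else denyHandler();
    return granted;
  }

  // Promise form: resolves with the granted purposes, rejects on full denial.
  const requestConsentAsync = (origin, request) =>
    new Promise((resolve, reject) =>
      requestConsent(origin, request, resolve, () => reject(new Error("denied"))));

  return { requestConsent, requestConsentAsync };
}
```

A purpose that was never put in front of the user (a new `analytics` key, say) triggers a fresh prompt even when an all-sites answer exists for other purposes.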

Frankly, no it isn’t.

  1. Users are already overloaded with these permission notifications. We should be investigating ways (as some are) of trimming them back. Not adding more to get in the way.
  2. This puts browsers in the direct path of legislation in any given country’s demands. Features in browsers should be based only on user needs. Only when a law absolutely targets browsers should they do anything regarding legislation.

The web is a global market. Just because a few make poor decisions based on a fundamental misunderstanding of what is going on and possible doesn’t mean browsers need to bear the burden. Especially when it fundamentally has nothing to do with them or their tech, but how sites decide to take advantage of it. This is clearly a site problem, not a browser problem.

Going forward, promises only.

Include anything you’d like. Most users never read anything so it’ll be the same effectiveness whether we have words or it’s empty space.

I am empathetic both to developers and users having to deal with this madness, and to what GDPR is trying to achieve. But I don’t think browsers should have any burden to react here. It’s bad legislation which requires an implementation like this to be seen by users. Or just lazy developers/businesses who don’t care about their customer experience. Or big business that can’t move rapidly enough to address the problems so they’re doing their best with the time they have.

3 Likes

Users are overloaded with cookie notices. This would make it much easier to globally accept or reject “non-essential” cookies, removing the annoyance.

ONLY if that is a legally accepted GDPR practice (which I somehow doubt as strict as the EU is being about things.) But that’s up to lawyers. The moment we need to get lawyers directly involved in specifying new functionality, we’ve crossed a clear line. Let’s leave it be and move on. Encouraging the EU to fix the broken areas of the law (including their cookie law mania) would be the best path forward. Get protections that are enforceable without annoying users. Win-Win.

3 Likes

This more or less seems to propose the same thing as: [Proposal] Use permissions API to request third-party cookie permissions.