by zak-mandhro on 4/21/25, 4:21 PM with 12 comments
The current system for cookie consent is a mess. Every website throws a popup in your face, asking you to accept tracking you neither want nor need. The irony? It’s not technically necessary. We can solve it at the browser level — cleanly, universally, and in a user-respecting way.
Here’s how:
1. Browser-Level Privacy Preferences
Browsers should allow users to set global consent preferences, just like setting a default language or search engine.
Example:
* Essential cookies: Always allow
* Analytics cookies: Ask or Block
* Marketing cookies: Ask or Block
* Third-party cookies: Ask or Block
Set once. Apply everywhere. No more popups.
2. New HTTP Header: Set-Cookie-Category
Websites would categorize cookies when setting them, like:
Set-Cookie: sessionId=abc123; Category=Essential
Set-Cookie: trackUser=true; Category=Marketing
Standardized categories: Essential, Analytics, Marketing, Personalization, Other. No trickery. No ambiguity.
3. Browser Enforcement
When a site tries to set a cookie:
* Browser checks the declared category.
* Browser checks the user's privacy preferences.
* If no consent: cookie is silently blocked.
If consent is "Ask," the browser shows a small permission prompt (similar to location or notifications). No more hijacking the page UI.
4. Optional Website Messaging
Websites could optionally trigger a browser-native dialog to explain their cookie use — but no walls of legalese blocking access.
5. Bonus: Easier Compliance Audits
Browsers could expose APIs for compliance tools to automatically verify if a site respects consent preferences.
Why hasn’t this happened yet?
* Ad-tech companies make too much money off friction and dark patterns.
* Browser vendors (especially Chrome) profit from the status quo.
* Regulators targeted websites, not browsers, in GDPR/CCPA drafts.
But it’s not too late. Safari, Firefox, Brave, Arc — even Chrome (if enough pressure builds) — could easily implement this.
Users deserve better. The web deserves better.
If you think this should be built, upvotes help visibility.
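The enforcement flow proposed in the post above, as an added sketch that is not part of the original post or any browser's code. The `Category` attribute is the post's proposal; the preference object, function names, the fallback of undeclared categories to `Other`, the simplified third-party test and the hostnames in use are assumptions made for this example.

```javascript
// Added example: the post's proposed "Category" cookie attribute and browser-side check.
// "Category" is the post's proposal; no shipped browser parses it.
const CATEGORIES = ["Essential", "Analytics", "Marketing", "Personalization", "Other"];
const STRICTNESS = { allow: 0, ask: 1, block: 2 };

// Constructed preferences (key names are assumptions made for this sketch).
const SAMPLE_PREFS = {
  Essential: "allow", Analytics: "block", Marketing: "ask",
  Personalization: "ask", Other: "block", thirdParty: "block",
};

// Parse a Set-Cookie value into { name, value, category }, or null if malformed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  let declared = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i > 0 && attr.slice(0, i).trim().toLowerCase() === "category") {
      declared = attr.slice(i + 1).trim().toLowerCase();
    }
  }
  // Assumption: a missing or unrecognized category falls back to "Other",
  // so omitting the attribute cannot skip the preference check.
  const category = CATEGORIES.find((c) => c.toLowerCase() === declared) || "Other";
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), category };
}

// Simplified third-party test: a real browser would compare registrable domains.
function isThirdParty(requestHost, topLevelHost) {
  return requestHost !== topLevelHost && !requestHost.endsWith("." + topLevelHost);
}

// Returns "allow", "ask" or "block": the stricter of the category preference
// and, for third-party responses, the third-party preference.
function decide(header, requestHost, topLevelHost, prefs = SAMPLE_PREFS) {
  const cookie = parseSetCookie(header);
  if (!cookie) return "block";
  let action = prefs[cookie.category] || "block";
  if (isThirdParty(requestHost, topLevelHost)) {
    const tp = prefs.thirdParty || "block";
    if (STRICTNESS[tp] > STRICTNESS[action]) action = tp;
  }
  return action;
}
```

The sketch takes the declared category at face value, as the proposal does; "ask" is where the browser-native prompt from step 3 would be shown.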
by solardev on 4/21/25, 10:27 PM
Websites generally aren't made with the user in mind. More often than not, users aren't customers to be served, just eyeballs to be monetized. Safari and Firefox can't do anything without Chrome; it'll just be another stillborn effort like DNT.
The other browsers you mentioned are just Chrome derivatives. They still depend on Google.
Nothing will change unless Google is forced to divest Chrome and some non-advertising company buys it.
by Flundstrom2 on 4/21/25, 6:23 PM
However, "cookie" should be interpreted pretty liberally, to cover state storage and tracking in general.
by zak-mandhro on 4/21/25, 4:23 PM
Are there real technical blockers to browser-native consent management?
* HTTP already has Set-Cookie, so tagging with a Category param seems straightforward.
* Browsers already manage permissions like location, camera, and notifications.
* GDPR/CCPA compliance should be stronger if browsers enforced consent upstream.
Is the real obstacle purely political (ad-tech resistance), or is there something deeper I'm missing on the protocol or standards side?
Also curious: if browsers did offer this, would major sites still try to layer their own consent dialogs on top (to push opt-ins harder)? How would we stop that?
by endore8_ on 4/23/25, 6:19 PM
by legitster on 4/21/25, 5:04 PM
I've worked on three different corporate privacy teams. Nearly unanimously everyone would have preferred an extension of "do-not-track" that's legally enforceable.
The reality though is that the laws governing cookies were an afterthought by the European Commission when writing GDPR. GDPR has been an overwhelming success (at least according to the EU lawyers who legislate such things), so there has not been a rush to amend the rules around cookies.
The reality is it's not going to change until the laws change. No major company is going to stick their neck out and risk punishment.