Would you rather take a 50% pay cut, or slightly annoy somebody else? Because that's essentially the choices they're giving companies. They should have 100% seen through this, and made the do-not-track header enforceable. Legislators actively chose not to though.
Browsers could have implemented something that was compatible and sent the header accordingly, but they didn't. It's not the government's fault this is the way the industry implemented the law.
They didn't implement it, otherwise I would see a browser-level popup instead of a nasty dark-patterns modal on websites. The do-not-track header (at least at places I worked) were generally respected, going so far as to completely disable analytics for those users. However, this is not active consent ... so, no browsers did not implement this.
They literally did. It was shipped in all major browsers. It was even shipped in IE 9.
It's still being shipped in most browsers. Though it's now deprecated and Safari removed it because it was, guess what, used as a fingerprinting variable.
> I would see a browser-level popup instead of a nasty dark-patterns modal on websites.
No, no you wouldn't. If industry at large cared about user privacy, they would actually come together and agreed on such a popup. And in the absence of such a popup they wouldn't come up with the plethora of dark patterns they now blame on the EU.
As is, they used DNT for fingerprinting, and employed dark patterns when asked (quite nicely, but in no uncertain terms) not to track users and not to sell their data without users' consent.
> The do-not-track header (at least at places I worked) were generally respected, going so far as to completely disable analytics for those users.
There are places where you didn't work. And they couldn't care less about user privacy, or user preferences.
It's very likely that the same very places you worked at now offer a "we care about your privacy, here's 1922 partners that build a profile on you, accept".
No. I said browsers could have implemented the GDPR pop-up. Someone else asserted that they did via do not track headers and I’m giving up trying to convince people that do not track headers are not GDPR compliant.
- Browsers could have implemented something that was compatible and sent the header accordingly
- Browsers literally implemented a header, called Do Not Track. You provided "active consent" by setting that header in the settings
The great amazing industry that does no wrong immediately used it for tracking.
Fast forward a few years. The industry is told in no uncertain terms: do not track without user consent. How did the industry respond? Did it implement this at browser level? No. Did it come up with a standardized pop-up? No. The industry immediately responded with malicious compliance and dark patterns.
Setting it in your browser settings is not compatible at all. It isn't active consent by any definition of the word. It isn't per-site but set globally (hence how it could be used to fingerprint browsers in the first place!). The header failed every possible test for actually providing any actual signal.
All browsers had to do was create active consent (like they do for pop-ups, remember those?), send the appropriate header, and that is it. It would only require a few changes but the industry decided not to do that ... for whatever reason.
Would you rather take a 50% pay cut, or slightly annoy somebody else? Because that's essentially the choices they're giving companies. They should have 100% seen through this, and made the do-not-track header enforceable. Legislators actively chose not to though.