Cookie banners

In the EU, there's a requirement that users are warned about the cookies that a site uses. It's a bizarre quirk that resulted from well-meaning legislation that appeared before GDPR. However, it assumes that users know what a cookie is and what it might be used for, which they absolutely do not. And it's oddly specific: I can register a service worker or use localStorage to store data and run code on the device, but for cookies I need a warning banner.
https://www.cookiebot.com/en/cookie-law/

Every website implements this banner differently, leading to a mix of different ways to pop up a banner over the content of whichever site you're currently viewing. There's no prescribed way to handle this, so each site owner must solve it for themselves. This leads to a lot of superstition about what the requirements actually are, especially for teams without formal legal advice, and especially for teams with formal legal teams (because legal teams tend to hedge against the possibility of legal action rather than acting in the interests of the user).

What would be a better solution here?

I notice that some sites ask me if they can send me push notifications, or whether they're able to read my current location. These prompts don't need to be provided by the site owner - they're built into the permission model of the browser. Why is it different for cookies?

Indeed, at a basic level, it is the browser that stores cookies for websites. It is the browser that attaches them to requests, reads them off the responses and manages cross-domain security. The browser is the only actor that can prevent a cookie in an HTTP response header from being saved, based on approval given in a prompt.

As I browse the internet in the EU, the vast majority of sites I see give me cookie notices. However, some do not. I would be interested to know if the browser vendor could be held legally responsible for not warning the users of these websites about the cookies that are issued. That might prompt swift action from the browser vendors to implement a native prompt.

A native prompt could have other benefits: one might be able to set a setting to say "always accept" or "always reject", or to artificially limit the lifetime of cookies across all sites.
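
The "always accept", "always reject" and lifetime-cap settings described above, sketched as an added example (not code from any browser or from this post). The setting names, the applyPolicy function and the sample headers are hypothetical; only the Set-Cookie attributes Max-Age and Expires are real.

```javascript
// Added illustration: a hypothetical browser-side cookie policy, not a real browser API.
const POLICY = { ACCEPT: "always-accept", REJECT: "always-reject", CAP: "cap-lifetime" };

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the header
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Lifetime in seconds that the site asked for; null means a session cookie.
function requestedLifetime(attrs, nowMs) {
  if (attrs["max-age"] !== undefined && /^-?\d+$/.test(attrs["max-age"])) {
    return Number(attrs["max-age"]); // Max-Age takes precedence over Expires
  }
  if (typeof attrs.expires === "string") {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return Math.floor((t - nowMs) / 1000);
  }
  return null;
}

// Decide what gets stored for one response header under the user's global setting.
function applyPolicy(header, setting, nowMs = Date.now()) {
  const cookie = parseSetCookie(header);
  if (!cookie || setting.mode === POLICY.REJECT) return { store: false };
  const asked = requestedLifetime(cookie.attrs, nowMs);
  if (asked !== null && asked <= 0) return { store: false }; // site is expiring the cookie
  let lifetime = asked;
  if (setting.mode === POLICY.CAP && asked !== null) {
    lifetime = Math.min(asked, setting.maxSeconds); // shorten, never extend
  }
  return { store: true, name: cookie.name, value: cookie.value, lifetimeSeconds: lifetime };
}
```

A session cookie (no Max-Age or Expires) passes through the cap unchanged, since it already ends with the browsing session.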

I imagine that we could agree on a means to provide the browser with a link to our cookie policy, and that the browser could display it without using cookies, before cookies are accepted by the user. Perhaps this would be at a well-known URL per site.

Cookies are essential for complex and useful websites. Let's ask the browsers to help us out.
