If one wants full control cookies could just be disabled by default at the browser level (which also blocks local storage). I do this and just whitelist sites that actually need it (very few).

The issue is some sites won't display any content without cookies, even if it's unnecessary. The amount of React-using sites that will load the entire page only to a second later to fully blank out since the JS couldn't set local storage does get annoying (and can regularly be worked around by disabling Javascript if not used for anything substantial). A handful like this have appeared just this past week on the HN front page.

A further problem is that some if not most sites (that employ any kind of tracking in the first place) do so through a variety of means in no way limited to cookies. Addressing the core problem without legislation that captures intent is not feasible without a new protocol and document data type.

Seems like it should be a browser setting that controls a request header.

Something like https://en.wikipedia.org/wiki/Do_Not_Track ? Which failed in part because Microsoft turned it on by default which even further disincentivised publishers from respecting it.

The fix here would be to legally force them to comply with Do Not Track instead of forcing them to post compliant banners

They are not forced to use banners, they are forced to get explicit opt-in permission before tracking users, which can be done in non-obtrusive ways.

Okay, so regard the Do_Not_Track header as explicit opt-out permission

No browser implements it as an explicit one where you have to explicitly specify which businesses you do not which to track you.

They would never do this willingly, because they don't want you to automatically opt out of tracking.

The annoyance of the cookie banners is the entire draw for companies. Its not a downside. They're user-hostile. You are their enemy. Their goal is to wear you down and trick you into opting-in, so they can both track with impunity and follow the law.

>They would never do this willingly

I know, that is why I am saying you would force them to respect Do_Not_Track by law.

No your browser can just… choose not to send cookies. The website publisher has no say in that.

Cookies are the easiest way to keep track of a user, but if browsers regularly stop sending cookies then website operators will just find another method to fingerprint users and then we're back to square one with the law still requiring publishers to receive opt-in approval, but with no requirements on how.

> then website operators will just find another method to fingerprint users

Example: The identifier you get when you pass anti-bot challenges (Cloudflare, Anubis, etc).

That's not a cookie?

It probably is, currently. But even if cookies are not used, the identifier for this type of functionality would still need to be stored somewhere and passed to the server in some way to avoid showing another CAPTCHA to the user.

Whatever mechanism they choose to uniquely identify you, they will insist it's necessary for another purpose and they totally are not piggybacking on it for tracking (e.g. for the CAPTCHA example, they would insist it's absolutely necessary to protect themselves from DDoS).

As another example, they can always respond with HTML where all links themselves are an opaque hash that internally contain "route + your id" when decrypted. Then emphasizing that all links are always different even for same routes to "show they are randomly generated", and saying that they do this because... idk, detecting scraping or something random but plausible-sounding. Or whatever sneaky variation of the `?PHPSESSID=` query param from old times.

(Yeah I know the last example doesn't a lot make sense, I didn't think too hard about it, the point is that they will probably find a way somehow.)

There's a reason the largest advertising company in the world hasn't sanctioned this move.

Ask your favorite advertising company: https://news.ycombinator.com/item?id=45217269