The current system for cookie consent is a mess. Every website throws a popup in your face, asking you to accept tracking you neither want nor need. The irony? It’s not technically necessary. We can solve it at the browser level — cleanly, universally, and in a user-respecting way.
Here’s how:
1. Browser-Level Privacy Preferences
Browsers should allow users to set global consent preferences, just like setting a default language or search engine.
Example:
* Essential cookies: Always allow
* Analytics cookies: Ask or Block
* Marketing cookies: Ask or Block
* Third-party cookies: Ask or Block
Set once. Apply everywhere. No more popups.
2. New HTTP Header: Set-Cookie-Category
Websites would categorize cookies when setting them, like:
Set-Cookie: sessionId=abc123; Category=Essential
Set-Cookie: trackUser=true; Category=Marketing
Standardized categories: Essential, Analytics, Marketing, Personalization, Other. No trickery. No ambiguity.
3. Browser Enforcement
When a site tries to set a cookie:
* Browser checks the declared category.
* Browser checks the user's privacy preferences.
* If no consent: cookie is silently blocked.
If consent is "Ask," the browser shows a small permission prompt (similar to location or notifications). No more hijacking the page UI.
4. Optional Website Messaging
Websites could optionally trigger a browser-native dialog to explain their cookie use — but no walls of legalese blocking access.
5. Bonus: Easier Compliance Audits
Browsers could expose APIs for compliance tools to automatically verify if a site respects consent preferences.
Why hasn’t this happened yet?
* Ad-tech companies make too much money off friction and dark patterns.
* Browser vendors (especially Chrome) profit from the status quo.
* Regulators targeted websites, not browsers, in GDPR/CCPA drafts.
But it’s not too late. Safari, Firefox, Brave, Arc — even Chrome (if enough pressure builds) — could easily implement this.
Users deserve better. The web deserves better.
If you think this should be built, upvotes help visibility.
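To make the enforcement steps in the post concrete, here is an added example (not code from the post or from any browser project) that models the proposed browser-side policy engine: parse each Set-Cookie header, read the site-declared Category attribute, and compare it against the user's global preferences. The attribute name "Category" and the five category names come from the post; the preference words "allow" / "ask" / "block", the function names, and the sample headers are constructed assumptions. One defensive choice worth noting: the category is self-reported by the site, so the example treats a missing or unrecognised Category as "Other" rather than letting an undeclared cookie slip past policy.

```javascript
// Added example, not from the original thread. Toy model of the proposed
// browser-side consent enforcement. "Category" and the category names follow
// the post; the "allow"/"ask"/"block" vocabulary and function names are assumed.

const KNOWN_CATEGORIES = ["Essential", "Analytics", "Marketing", "Personalization", "Other"];

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are lowercased; valueless attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf("=");
  if (eq <= 0) return null; // a cookie needs a non-empty name
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    if (i === -1) attributes[attr.toLowerCase()] = true;
    else attributes[attr.slice(0, i).trim().toLowerCase()] = attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Normalise the site-declared category (case-insensitive). Anything missing or
// unrecognised is treated as "Other", so omitting or misspelling the attribute
// cannot be used to escape the user's policy (a defensive default, assumed here).
function categoryOf(cookie) {
  const declared = cookie.attributes.category;
  if (typeof declared !== "string") return "Other";
  const match = KNOWN_CATEGORIES.find((c) => c.toLowerCase() === declared.toLowerCase());
  return match || "Other";
}

// Apply the user's global preferences, e.g. { Essential: "allow", Analytics: "ask" }.
// Returns "allow", "ask" (browser would show a small prompt) or "block".
// A category with no preference set is blocked: deny by default.
function decide(cookie, prefs) {
  const category = categoryOf(cookie);
  const pref = String(prefs[category] || "block").toLowerCase();
  if (pref === "allow") return "allow";
  if (pref === "ask") return "ask";
  return "block";
}

// Process all Set-Cookie headers of one response. Malformed headers are ignored,
// as real browsers do; everything else is stored, queued for a prompt, or dropped.
function enforce(headers, prefs) {
  const result = { stored: [], prompt: [], blocked: [] };
  for (const h of headers) {
    const cookie = parseSetCookie(h);
    if (!cookie) continue;
    const verdict = decide(cookie, prefs);
    if (verdict === "allow") result.stored.push(cookie.name);
    else if (verdict === "ask") result.prompt.push(cookie.name);
    else result.blocked.push(cookie.name);
  }
  return result;
}

// Constructed sample input: preferences in the spirit of the post, plus a response
// carrying the post's two headers and a few edge cases (case variation, no category,
// an unknown category, and a malformed header with an empty name).
const SAMPLE_PREFS = {
  Essential: "allow",
  Analytics: "ask",
  Marketing: "block",
  Personalization: "ask",
  Other: "block",
};
const SAMPLE_HEADERS = [
  "sessionId=abc123; Category=Essential; Secure; HttpOnly",
  "trackUser=true; Category=Marketing",
  "stats=1; Category=analytics",
  "legacy=x",
  "sneaky=1; Category=Mandatory",
  "=bad",
];

function runSample() {
  return enforce(SAMPLE_HEADERS, SAMPLE_PREFS);
}

console.log(JSON.stringify(runSample()));
```

Running it on the constructed response stores only the Essential session cookie, queues the analytics cookie for a prompt, and silently blocks the marketing cookie together with the undeclared and unknown-category ones, which is the "deny unless consented" behaviour the post's step 3 describes.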
Websites generally aren't made with the user in mind. More often than not, users aren't customers to be served, just eyeballs to be monetized. Safari and Firefox can't do anything without Chrome; it'll just be another stillborn effort like DNT.
The other browsers you mentioned are just Chrome derivatives. They still depend on Google.
Nothing will change unless Google is forced to divest Chrome and some non-advertising company buys it.
So while it’s true that many browsers today are Chromium derivatives, Safari and Firefox are not — they operate their own engines and could, in theory, push independent privacy standards without Google’s blessing.
Also important to note: Because Apple requires all iOS browsers to use WebKit under the hood (even "Chrome" and "Firefox" on iPhone), any browser-native privacy feature Apple implements through WebKit would effectively apply to all browsers on iPhones and iPads by default.
That’s a much bigger user base impact than just Safari desktop users.
That said, you’re absolutely right about the broader market power problem:
- Chrome controls ~65% of browser usage worldwide.
- Many web developers treat Chrome as the de facto standard when building sites.
- Anything Safari or Firefox introduces has a harder uphill climb unless it becomes incredibly popular with users and gets picked up by regulators.
The fight here isn’t just technical — it’s economic and cultural too.
Still, I think it’s worth trying. Even small pressure can move norms over time, especially with user frustration around tracking being so high right now.
Appreciate you raising it — it’s a critical part of the puzzle.
However, "cookie" should be interpreted pretty liberally, to cover state storage and tracking in general.
I also completely agree that "cookie" should be interpreted broadly — not just literal HTTP cookies, but any client-side tracking (localStorage, IndexedDB, fingerprinting, etc).
If enforcement actually happened at the storage and tracking level, and browsers had native consent handling, the entire dynamic between users and websites would shift dramatically.
Curious — in your view, would it be better for the EU (or regulators) to issue a technical specification for how consent enforcement should work? Or just mandate the outcome and leave it to browser vendors to figure out? (Feels like that choice matters a lot for real adoption.)
I've worked on three different corporate privacy teams. Nearly unanimously everyone would have preferred an extension of "do-not-track" that's legally enforceable.
The reality though is that the laws governing cookies were an afterthought by the European Commission when writing GDPR. GDPR has been an overwhelming success (at least according to the EU lawyers who legislate such things), so there has not been a rush to amend the rules around cookies.
The reality is it's not going to change until the laws change. No major company is going to stick their neck out and risk punishment.
It's wild how much of today’s cookie UX mess was an accidental regulatory artifact, not deliberate design.
Curious from your perspective: what do you think the EU's real motivation was behind mandating consent banners instead of pushing for proper browser-level control?
And second: what kind of pressure (technical, political, economic) would it actually take for the EU to update the rules to allow something cleaner now?
Would love to hear your take, since it sounds like you've seen how these decisions happen from inside.
The European Commission very proudly does not work with lobbyists, and in this case it shows that they did not consult anyone technical. I think they were just not aware of a browser-level solution and put all of the compliance on individual companies.
While the banners seem a given now, in 2017 when we first started planning for GDPR nobody had a clue how to resolve all of the questions. And at the time the European Commission was also telegraphing very hard that they were going to be resolving most of these questions with case law - none of us wanted to deal with a lawsuit from the EU, so the most obvious thing became do what everyone else does, don't stand out, and wait for some future resolution.
I don't know if there's a fix. This is simply how EU regulators like to work - in the US we like laws that are black and white and apply equally to everyone (or at least have traditionally). And in the EU they like a bit more squishiness - let member countries interpret things a bit differently and build individual cases on only the bad actors. And you see this attitude when working with lawyers from the respective regions.
It’s fascinating (and honestly a little tragic) that a lot of the cookie chaos comes down to basic unsolved problems like "how do you remember privacy without remembering identity?" — fundamental contradictions nobody could easily patch.
It really hits home what you said about the EU approach: case-by-case "squishy" regulation vs hard-coded universal rules.
Makes me wonder if any browser-led technical solution would just end up becoming de facto case law too — basically "Chrome/Firefox/Brave do it this way, so it becomes the norm," even if regulators never mandate it formally.
If you had a magic wand: would you push for a formal browser-level privacy protocol now, or is the better play just to keep tightening enforcement against the worst actors and let good practices spread organically?
That's an easy answer: Do not store anything that will infringe on people's privacy for anything that's not the intended feature people use. If I'm visiting an ecommerce site, there's nothing that warrants Google being aware of which product I'm clicking on.
The frustrating part is that so much of modern web infrastructure (ad networks, analytics, personalization layers) depends on quietly hoovering up far more than the feature strictly requires.
I sometimes wonder: if browsers enforced "functional data collection only" as a technical baseline — like enforcing CORS or CSP today — how much of the tracking economy would collapse overnight?
Curious if you think real technical enforcement (browser-level) is the way forward, or if we’re stuck waiting for another round of slow, partial regulation.
Are there real technical blockers to browser-native consent management?
* HTTP already has Set-Cookie, so tagging with a Category param seems straightforward.
* Browsers already manage permissions like location, camera, and notifications.
* GDPR/CCPA compliance should be stronger if browsers enforced consent upstream.
Is the real obstacle purely political (ad-tech resistance), or is there something deeper I'm missing on the protocol or standards side?
Also curious: if browsers did offer this, would major sites still try to layer their own consent dialogs on top (to push opt-ins harder)? How would we stop that?