- From: Greg Wilkins <gregw@webtide.com>
- Date: Mon, 26 Aug 2024 10:02:51 +1000
- To: joao@penteado.me
- Cc: ietf-http-wg@w3.org
- Message-ID: <CAAPGdfGS2nEkjoz7w1rduv7Vm33vU0-x0oX869cX=Z2JWD3BFg@mail.gmail.com>

On Sun, 25 Aug 2024 at 04:08, João Penteado <joao@penteado.me> wrote:

> ... Of course, this proposal hinges on the assumption that servers would be willing
> to adopt this standard and honestly disclose a cookie's purpose. I believe this
> is a reasonable expectation for the following reasons:
>
> 1. Websites that implement cookie consent pop-ups are already disclosing the
> purpose of cookies, albeit with a suboptimal user experience. Misrepresentation
> could expose them to legal risks. The UX issues are not present in websites not
> implementing the pop-ups, so it wouldn't affect them anyway.

There are indeed many websites that in good faith try to optimise the cookie purpose conversation. However, there are also many other sites that do not and deliberately adopt UX that makes accepting all easy and any other form of consent difficult. Thus, I do not think that any proposal can dismiss the existence of bad actors.

So if a purpose is established to allow cookies to be set without an intrusive UX, then what is to stop bad actors from abusing that? I.e. having a cookie that is used for some minimal type of auth, but whose primary purpose is tracking and/or marketing?

Surely such a scheme will only work if there is real legal sanction for misrepresenting the purpose of a cookie, so can this be solved purely with technology/specification?

regards

--
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com

Received on Monday, 26 August 2024 00:03:08 UTC