undefined | Better HN

0 pointslegitster1y ago0 comments

If you actually work through the privacy directives with a legal team, which is something I have done for nearly a decade, the law itself has several self-contradictions and unresolved problems. How do you retain someone's choice for privacy without remembering who they are? How do you serve data in a TCP network without revealing an IP address? What constitutes clear opt-in language? If we don't sell to Europeans, do we still have to comply?

The European Commission very proudly does not work with lobbyists, and in this case it shows that they did not consult anyone technical. I think they were just not aware of a browser-level solution and put all of the compliance on individual companies.

While the banners seem a given now, in 2017 when we first started planning for GDPR nobody had a clue how to resolve all of the questions. And at the time the European Commission was also telegraphing very hard that they were going to be resolving most of these questions with case law - none of us wanted to deal with a lawsuit from the EU, so the most obvious thing became do what everyone else does, don't stand out, and wait for some future resolution.

I don't know if there's a fix. This is simply how EU regulators like to work - in the US we like laws that are black and white and apply equally to everyone (or at least have traditionally). And in the EU they like a bit more squishiness - let member countries interpret things a bit differently and build individual cases on only the bad actors. And you see this attitude when working with lawyers from the respective regions.

0 comments

3 comments · 1 top-level

zak-mandhro1y ago· 2 in thread

This is incredible perspective — seriously, thank you for sharing it.

It’s fascinating (and honestly a little tragic) that a lot of the cookie chaos comes down to basic unsolved problems like "how do you remember privacy without remembering identity?" — fundamental contradictions nobody could easily patch.

It really hits home what you said about the EU approach: case-by-case "squishy" regulation vs hard-coded universal rules.

Makes me wonder if any browser-led technical solution would just end up becoming de facto case law too — basically "Chrome/Firefox/Brave do it this way, so it becomes the norm," even if regulators never mandate it formally.

If you had a magic wand: would you push for a formal browser-level privacy protocol now, or is the better play just to keep tightening enforcement against the worst actors and let good practices spread organically?

skydhash1y ago

> It’s fascinating (and honestly a little tragic) that a lot of the cookie chaos comes down to basic unsolved problems like "how do you remember privacy without remembering identity?"

That's an easy answer: Do not store anything that will infringe on people's privacy for anything that's not the intended feature people use. If I' visiting an ecommerce site, there's nothing that warrants Google being aware of which product I'm clicking on.

zak-mandhro1y ago

100% agreed on the core principle — "only collect what you actually need for the feature the user is engaging with."

The frustrating part is that so much of modern web infrastructure (ad networks, analytics, personalization layers) depends on quietly hoovering up far more than the feature strictly requires.

I sometimes wonder: if browsers enforced "functional data collection only" as a technical baseline — like enforcing CORS or CSP today — how much of the tracking economy would collapse overnight?

Curious if you think real technical enforcement (browser-level) is the way forward, or if we’re stuck waiting for another round of slow, partial regulation.

j / k navigate · click thread line to collapse