Dear Paul Graham, there is no cookie banner law

On why you keep seeing these cookie banners

I’m not a lawyer and this is not legal advice. Ask your data protection specialist.

Paul Graham on Cookie Banners

Recently, Paul Graham came up with the thought that the EU forces companies to have cookie banners.

There is no law for cookie banners.

Indeed, if you are an American, there is no need to force them onto you. But perhaps because of bad IT departments or bad outsourcing, or “Look, why take a chance?” (Remo Gaggi), Americans see them too.

What the EU is saying is: you need my consent when you want to track me, profile me and sell my behavior off to ad companies.

Companies could easily avoid any cookie banner. Just don’t track.

  • Or they could avoid banners for people who don’t want to be tracked: just listen to “Do Not Track” headers (it’s deprecated because companies hated this).

  • Browsers could have a tracking icon, like the SSL icon years ago that showed the SSL information: you click it, information pops up, and you give consent.

  • Or cookie banners could be the small line at the top of a site that you sometimes see for notifications like coupons, which says “Give Cookie consent YES | NO” (and opens all details on YES). I would just ignore that small banner; no need to decline consent, I just don’t need to give it.

  • Or they could put a small button at the bottom of the page to the right, like those support buttons, which says “I want to be tracked to support you”, and you click there, and it pops up all the ways the company wants to track you and sell your data. And you give consent.

But of course, this is not what companies want. You don’t want to be tracked, but they want to track you.

So they force half-page-size banners on you, grey out the content and prevent you from reading their site, in the hope that you say yes. Or you are worn down and no longer care after twenty banners and say yes. Or you misclick and say yes. Or you are confused and accidentally say yes. Or they nudge you with Dark UI Patterns into saying yes.

“Companies are making your life hard by choice. They got told by the EU they could not be secret abusers anymore, so now they decided to be irritating on top.”

It’s like a child throwing a tantrum “But I want the toy!”.

This is why we have cookie banners.

The EU does not mandate cookie banners. Companies do.

PS: Having written this, I don’t think EU regulation is a good thing per se, especially if we don’t know about things to be regulated, like the current AI regulation. But I think data privacy is a good thing, I fought for PGP 30 years ago and will keep doing so.
