idk if it's a failure of the legislation itself (I haven't read it) but it's kinda fucked up how "cookie consent" dialogues put so much focus on the cookies themselves, and not the actual tracking and selling of user data, etc.
I think they finally started getting it right with the "Do not sell my personal data" buttons but like, those are rare and not I'm not super clear on what kinds of actions they consider to be "sale of personal data".
That's to comply with California law (CCPA), not the e-Privacy Directive in the EU. It has been interpreted to include disclosure of data to another entity that will use it for their own purposes. Prop 24 added the opt-out for "sharing" which is explicitly for cross-context behavioral advertising.
The EU laws about it are pretty clear. Data harvesters are just so brain poisoned at this point they can't help themselves from fabricating consent, and lying about why the notice exists.
Doesn't help that most online info about it with good SEO is from jackasses trying to sell defeat-devices.
ISTR seeing something that the rise of "cookie consent" dialogues isn't actually due to GDPR like everyone assumes, but rather due to industry self-regulation? Like, some internet advertising council got together and decided that they'd be the way to increase trust from users or something...
More that advertisers realized putting more shrinkwrap up gives a legal fig leaf. Things that weren't collected before now routinely are because they can say "well the user hit 'I consent'"
There’s a dozen state laws that all work slightly differently and the Internet Advertising Bureau has been trying to establish a national industry standard that makes everyone’s lawyers happy
That’s like saying the auto industry come together to make seatbelts ubiquitous nationwide out of their thoughtfulness for the safety of their occupants.
The actual legal standard is "store or access data in the user's terminal equipment" for any purpose not "strictly necessary" to provide the "information society service."
I don't think it's fair to call it a failure of legislation. That implies there's legislation. It is absolutely a lack of legislation with attempts at self regulation by groups like the Digital Advertising Alliance. Relying on ad and marketing trade associations to fix the problem is the problem.
And the reason it isn't better is because it can't be left to just GDPR and the EU. As long as the US avoids the problem there will still be problems. I'm not knocking GDPR. I'm just saying it's not enough by itself.
My default way of handling this is to disallow all cookies, and if they then try to force to enable them to keep being on the website (looking at you online news media) i simply avoid that website until the end of time