It’s also not what EU law requires. All the many websites that make it easier for people in the EU to accept the tracking than to decline it, as common as that pattern is, are non-compliant. Under-enforcement of these rules is sadly the norm. Compliant websites, such as that of the European Commission, don’t make it any harder to dismiss the dialog by accepting only essential cookies than by accepting all of them.
I agree with you that the non-compliant approach teaches a bad security practice to the general population. The fix is better enforcement of existing law, without a new law actually being needed except possibly a better procedure for more effective enforcement.
Unfortunately, achieving that is hard for political reasons. The EU’s politicians, and therefore the data protection authorities whom they oversee, care mostly about seeming to protect privacy, whatever the reality, and don’t want to deal with the economic + lobbying + PR + political donation + therefore electoral consequences of routinely taking proper and timely action. This is especially true for some of the most regulatorily captured data protection authorities in the EU, such as Ireland’s.
I agree with you that the non-compliant approach teaches a bad security practice to the general population. The fix is better enforcement of existing law, without a new law actually being needed except possibly a better procedure for more effective enforcement.
Unfortunately, achieving that is hard for political reasons. The EU’s politicians, and therefore the data protection authorities whom they oversee, care mostly about seeming to protect privacy, whatever the reality, and don’t want to deal with the economic + lobbying + PR + political donation + therefore electoral consequences of routinely taking proper and timely action. This is especially true for some of the most regulatorily captured data protection authorities in the EU, such as Ireland’s.