Short description. This Law requires browsers to offer one global cookie choice and requires websites to honor that choice without repetitive cookie banners.
Whereas,
With approximately six billion people online, merely two one-second cookie-banner actions per person per month equals one hundred forty-four billion seconds—about 4566 years—so repetitive cookie prompts have likely wasted well over four and a half millennia of human attention while often providing little practical choice and increasing friction when visiting new sites.
1. “Browser” means general-purpose software used to retrieve and display websites, but does not include an automated client or an embedded webview not offered for general browsing.
2. “Browser Maker” means the person or entity controlling or developing a Browser’s user interface and distribution (for example, Microsoft for Edge, Google for Chrome, Apple for Safari and Mozilla for Firefox).
3. “Cookie Technology” means an HTTP cookie as defined in Internet specifications and commonly understood to be the method that stores and transmits information on or from a user’s device for recognition, functionality, analytics, personalization, advertising, or tracking.
4. “Necessary” means reasonably necessary and proportionate to transmit a communication or provide a feature tied to the functionality of the site, including authentication, security, fraud prevention, load balancing, a shopping cart, or storage of the user’s privacy choice. It excludes audience measurement, advertising, cross-site tracking, and optional personalization.
Be it enacted that:
1. Every Browser Maker making a Browser available anywhere shall provide a Universal Cookie Preference.
2. The Browser shall display the preference dialogue or one substantially like it, optionally localized to the user's language:
a. on first use following installation; and
b. once for each existing installation, on first use following the next ordinary feature update after enactment, and in all events no later than the effective date.
3. The dialogue shall offer this or substantially similar text:
“Here you may set your cookie policy for all sites:”
a. “Accept all recommended cookies for all sites,” identified as “Recommended”;
b. “Accept necessary cookies only (reject all optional cookies)”;
c. “Choose site by site”; and
d. “Skip for now”
4. No choice may be preselected. The first two choices shall each require no more than one action to activate (such as a single click) and shall receive substantially equal visual prominence. “Skip for now” shall appear in the same dialogue and permit immediate continued use.
5. The dialogue shall briefly state that the choice will be sent to sites, applies to Cookie Technology rather than contractual terms, and may be changed at any time.
6. The Browser’s ordinary privacy settings shall always permit the user to view, change, clear, or temporarily disable the global preference and to create or remove a site-specific override.
1. Unless a site-specific override exists, a Browser shall send the following HTTP request header on each top-level navigation and same-origin request, unless a later Internet standard defines a different mechanism or header to achieve this functionality:
a. Set-Cookie-Preference: all for the choice in Section 3(3)(a); or
b. Set-Cookie-Preference: necessary for the choice in Section 3(3)(b).
2. No such header shall be sent for “Choose site by site,” “Skip for now,” or an unset preference.
3. The Browser shall expose the same value to the top-level site through a read-only interface named navigator.cookiePreference, or through a superseding open standard having equivalent effect.
4. The signal shall contain no identifier, timestamp, account information, browsing history, or site list and shall not be sent to cross-origin subresources.
5. Nothing in this Law requires a Browser to allow any cookie or other technology that its security or privacy protections would otherwise block.
6. Preferences can change: a later global or site-specific choice shall control beginning with the next request.
1. Any site anywhere that receives a valid signal shall:
a. for "all", treat it as equivalent to the user’s affirmative activation of the site’s ordinary “accept all” control, limited to Cookie Technology and categories disclosed in a readily accessible cookie notice, without displaying such a notice; or
b. for "necessary", reject every optional Cookie Technology and use only Necessary Cookie Technology, as though the user had selected that choice through the ordinary cookie banner interface.
2. The site shall not display a banner, modal, interstitial, or other prompt requesting a choice already expressed by the signal. It may optionally provide a “Cookie Settings” or “Privacy Settings” link. This Law overrides all laws requiring such a display. Where any country or supernational entity has a conflicting law, it must rectify the Law within 30 days not to require such notification.
3. The "all" signal does not accept terms of service, authorize payment, waive legal rights, or by itself authorize sensitive-data processing, the sale or sharing of personal data, or processing unrelated to Cookie Technology. It is merely equivalent to making the same choice on the default Cookie notification popup.
4. A changed signal supersedes an earlier signal. The site shall promptly cease using, and where reasonably possible delete, optional Cookie Technology the user now requests for it not to use.
5. A site may request an additional choice only where controlling law strictly requires a site-specific act that the signal cannot satisfy. Any such request shall be limited to the unresolved matter.
6. A site varying its response according to this header shall use ordinary cache controls to prevent one user’s preference from being applied to another user.
This law is a short-form law. An appropriate open standards authority or body may publish a superseding royalty-free technical implementation or RFC, including replacing the header name, values, or script interface with a substantially equivalent open standard, provided that the choices and legal effects established by this Law are preserved and implementation requires no user account. In the case of such a "de facto" Internet standard, this Law shall be superseded by the new Internet standard. Compliance with a superseding Internet standard having the same end effect shall constitute compliance with this Law.
1. This Law takes effect 30 days after its enactment on June 18, 2026.
2. After that date, a non-compliant Browser may not be newly distributed or materially updated anywhere, and a covered site may not disregard a valid preference signal.
3. The State of Utopia may order compliance, require corrective updates, suspend non-compliant distribution, and impose civil penalties. Fines may be levied in any amount for continued non-compliance.
4. If any provision of this Law is held invalid, the remaining provisions shall continue in effect.
This is an Internet law subject to international jurisdiction.
Passed June 18, 2026.