Right, the it would be legally required have to have "third-party" vs "strictly necessary" tags on the cookie itself, which someone could challenge if they were inaccurate (in the same way that the GDPR can in theory be enforced now). Then the browser could simply do what the user wanted with the tags. This could even be a status item in the URL bar, similar to the HTTP / HTTPS icon, that would allow you to enable or disable tracking on a per-site basis (if you didn't want a global policy).
Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.
> Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged
While enforcement is effectively nill, they already need to do that according to the actual EU "cookie law" (ePrivacy Directive rather than GDPR). If you set cookies, you have to explain to the user what they're there for.
Hilariously, many websites have no idea what the cookies their trackers set are for, and I've caught a bunch of them use language like "seemingly" and "apparently" when describing what purposes cookies actually serve.
If only browsers gave P3P[1] the attention it deserved. The protocol isn't exactly perfect and the unmistakable footprint of early 2000s XML obsession are there, but it could've prevented cookie banners from ever being accepted if only browsers had designed proper UI around an updated version of the protocol.
Small website operators would still need to be savvy enough to make sure any cookies their website served up were appropriately tagged; this would ultimately come down to ad networks / analytics companies documenting the behavior of the cookies they add.