No, the real problem was that it worked too well from the perspective of ad-tech and data-gatherers.¹
It relied on the goodwill of those who run these services to i) invest some effort and money to detect the DNT headers and then ii) not collect/store the data of these requests.
Back when only a tiny portion of web users would send these headers along, the industry was fine to implement it, if only for marketing purposes.
But, as soon as they saw that it actually worked, the industry saw a threat to their revenues and stopped.
I believe a DNT2.0 that's more granular could've been a basis for GDPR, but the GDPR refrained -rightfully so, IMO- from any implementation details. For one, the GDPR never once requires some "popup", it merely states that if you are an a*hole and collect data that you shouldn't and/or send that to other parties, you should at least ask consent to do so - the idea being that web-owners would then massively ditch these services so that they don't have to nag their users.
And because the GDPR refrained from implementation details, the Ad- and surveillance industry adopted a "dark pattern" that annoys people to no end (the popups) so as to paint the GDPR in a bad light. This industry could've easily said "If we see a DNT header with level:x and domainmask:*, we'll assume NO to every tracking cookie and won't collect them". And the browser makers then could add some UI to allow users per-domain or global, or wildcard or whatever settings "set-and-forget". But alas, this industry is malicious at best and will annoy users to no end for their own agenda.
It's not a dark pattern, but actually is similar to terms and conditions and privacy policies that sites show. Requiring users to go through legal agreements sucks, but companies can't just ignore the law in order to make a better user experience.
My website has no tracker nor any third-party cookies, so it doesn't need a cookie dialog. And even if I had some analytics that stays on prem, doesn't store or gather PII, I wouldn't need one.
The first dark pattern is that websites want to send all your PII and other data to other companies, and act as if this is normal.
The second dark pattern is how they do this. They could just not track and share this data, but allow you to flip some setting if you really want them to gather and sell or share this data. No popup needed. Or one that has some big button "proceed" that denies all tracking and a tiny link "advanced settings" that allows opt in to tracking. Instead, their UX is the exact opposite. Sometimes with deliberate JavaScript to make the "nope" button not work, slow or clumsy.
the GDPR refrained -rightfully so, IMO- from any implementation details
I would disagree with this. If you're going to force bad actors to take actions that they don't want to, and you give them wide latitude to decide how to comply, then of course they're going to try to find ways to satisfy the letter of the law while avoiding the law's underlying goal.
surveillance industry adopted a "dark pattern" that annoys people to no end (the popups) so as to paint the GDPR in a bad light
We should in fact blame lawmakers when they fail to anticipate the obvious consequences of their laws.
This industry could've easily said "If we see a DNT header with level:x and domainmask:*, we'll assume NO to every tracking cookie and won't collect them".
If they were the type of people to do that, then they wouldn't have been doing the invasive tracking in the first place.
The GDPR would be far better if it simply banned individualized tracking. It would be somewhat better if it explicitly specified that sites must honor browser headers and specified the exact UI to use when requesting permissions.
I agree that much clearer constraints and less wiggle room would be better.
But imposing technical solutions in laws has hardly ever worked. Because these are almost always much easier to circumvent.
E.g. your suggestion to "honor browser headers" would be easy to circumvent by not having a browser - native apps, alt clients, etc. Google would easily track almost everything they do now through Android, Play Services, email, docs, etc. And such implementation details inevitably get outdated.
E.g. in The Netherlands we have a law that forbids, with severe punishment, that you read people's paper post. If only lawmakers hundreds of years ago had abstracted this to "correspondence" rather than paper mail in envelopes, it would've applied to email and probably all network traffic.
¹ edit: source: https://pc-tablet.com/firefox-ditches-do-not-track-the-end-o...