(no title)

Law isn't like software code. It doesn't have to be put to an exhaustive set of unit tests to 100% pass rate and then worry about anything it might not have covered. The law just needs to signal intent and scope clear enough the judicial system can work with interpreting it to new applications in a way most people can consider consistent.

In the case of cookies, they simply apply to computers and not people. Why? It's not about whether the two are operationally similar it's about whether the two are practically similar. Until every shopkeep meticulously tracks every detail of every customer interaction and starts efficiently sharing them with others, all manually, often enough and at a large enough scale that it becomes a similar privacy concern it's not really worth fretting the law be generic enough to cover the use cases. In such a case it probably even makes sense to just write a separate law which meets the domain's needs more succinctly.

A website run by a large corporation is very different from a store run by Jane. Jane does not have thousands or millions of people coming into her store, and she also is not selling CCTV footage from her store to advertising companies. We would be rightly outraged if she was. She also probably isn't sharing customer details or security footage with government authorities unless her store has been robbed or something.

Yes. In fact, you already do this most of the time. The right to be forgotten is so fundamental to humanity that humans have to expend extra effort to violate it and remember stuff. Machines with perfect memory violate the right to be forgotten by default and we have to tell them to forget things. Hence the regulation.

Jane is tracking you from store to store, remembering everything you saw, everything you interacted with, everything you did, and selling that to the highest bidder

The law says that you need consent for any cookies which aren't strictly necessary for the functioning of the site.

In your instance, I would have put a backordered hammer in my cart. I come back the next day to check and see if the hammer is in stock. The cookie that enables cart behavior is necessary to the functioning of an online store. No consent needed.

In the real world, this basically means that tracking and marketing cookies are what you are being asked about. They don't need to ask about much else.

The EU has a very good write-up: https://gdpr.eu/cookies/

Not a lawyer. My impression is that you’re in any case allowed to record things in order to fulfil explicit requests (preferences, ongoing orders—like in your example), legal requirements (limited-time order history—ugh), or functional necessities (free trial used up), no explicit consent needed. Notably the bar is “required to work at all”, not “required to be profitable” or “required to use common out-of-the-box solutions”. Cloudflare or reCAPTCHA 3 would probably make interesting test cases here (my burning hate for them from the several years I needed to use a self-hosted always-on VPN aside).

The way to do this (both in ePrivacy and in GDPR, despite the different legal mechanisms they use) looks to be to write a phrase like “legitimate interest” into the main text, give illustrative examples of what that’s supposed to mean in the recitals before that, and let the courts figure out the details.

> am I required to forget that you came into my store?

No. Your head is not covered by the GDPR. It requires you to not keep a record of all your clients' personal info without a legitimate interest.

There's a Seinfeld episode where Elaine goes to buy a fancy pen at a stationery store which isn't available atm. The clerk asks for her full name and number to notify her (that's a legitimate interest) but then uses it to hit on/stalk her (that would be a GDPR violation). Presumably he also doesn't get rid of the number after their business transaction.

> what is the limit here.

Common sense and consent. Laws are not theorems or malicious genies.

First: just look into your session store, which lists all people which are in your store (hah!).

Second: You can have analytics AND be GDPR compliant without a cookie banner. There are even companies built around this: https://plausible.io/

EU in 2035:

  All store owners and employees should get whacked in the head every day.

Don't give them ideas