Having worked at multiple companies and talked to multiple legal teams about this, they tend to be very conservative. So the guidance I've gotten is that if we store any information at all on the person's computer, even to know whether they've visited the site before, we still need a cookie banner.
Basically, the law created enough fear among the lawyers that software developers are being advised to include the cookie banner in cases where it isn't strictly needed.
All the legal uncertainty problems the cookie law produces aside, the core problem with the law is that it's fundamentally stupid. Cookies are a client-side feature: you store the cookie, not the server. If you don't want to store the cookie, complain to your browser, that's the software responsible here. But instead of fixing the issue in the one place actually responsible, we make laws that force millions of websites to adopt.
You only start to need the popups if you specifically put cookies on a visitor's browser to build a personal profile of them.
This can be for e.g. sales acquisition or marketing engagement, but also includes cookies to simplify login, so not everything is "stupid stuff." A cookie that stores "was here, skip the splash page" may already fall afoul, if you put any session metadata in it.
It is just bad UI. It could have been better implemented, such as with a browser-side opt-out setting, for instance. Similar to what we have for permissions, for instance.
If you don't track users, you don't need GDPR consent dialogs.
I think in the past you still needed some info box in the corner with a link to the data policy. But I think that isn't needed anymore (to be clear, not a consent dialog, an informational-only thing). Also, you can, without additional consent, store a same-site/domain cookie remembering you dismissing or clicking on it and not showing it again (btw. same for opting out of being tracked).
But there are some old pre-GDPR laws in some countries (not EU-wide AFAIK) which do require actual cookie banners (in difference to GDPR consent dialogs or informational things). The EU wants them removed, but politics moves slow AF, so not sure what the state of this is.
So yes, without checking if all the older misguided laws have been dismissed, you probably should have a small banner at the bottom telling people "we don't track you but for ... reasons .. [link] [ok]" even if you don't track people :(. But also, if they haven't gotten dismissed, they should be dismissed very soon.
Still, such a banner is non-obnoxious, a little annoying (on PC, tablet; a bit more annoying on phone). And it isn't that "harass people to allow you to spy on them" nonsense we have everywhere.
The regulatory body could clarify that a DO NOT TRACK header should be interpreted as a "functional/necessary cookies only" request, so sites may not interrupt visitors with a popup modal/banner if it's set.
But that would require directing the anger at specific companies (and their 2137 ad partners) rather than at an easy target of the banana-regulating evil authority.
Sadly whenever this kind of discussion pops up it's usually a very unpopular take.
1. GDPR consent dialogs are not cookie popups, most things you see are GDPR consent dialogs
2. GDPR consent dialogs are only required if you share data, i.e. spy on the user
3. GDPR had from the get-go a bunch of exceptions, e.g. you don't need permission to store a same-site cookie indicating that you opted out of tracking _iff_ you don't use it for tracking. Same for a lot of other things where the data is needed for operation, as long as the data is only used with that thing and not given away. (E.g. DDoS protection, bot detection, etc.)
4. You still had to inform the user, but this doesn't need any user interaction or accepting anything, nor does it need to be a popup blocking the view. A small piece of information in the corner of the screen with a link to the data policy is good enough. But only if all that you do falls under 3. or non-personal information. Furthermore, I think they have recently updated it to not even require that; just having a privacy policy in a well-known place is good enough, but I have to double-check. (And to be clear, this is for data you don't need permission to collect, but like any data you collect it's strictly use-case bound and you still have to list how it's used, how long it's stored etc., even if you don't need permissions.) Also, to be clear, if you accept the base premise of GDPR it's pretty intuitive to judge if it's an exception or not.
5. In some countries, there are highly misguided "cookie popup" laws predating GDPR (they are actually about cookies, not data collection in general). These are national laws, and as such the EU would prefer to have them removed. Work on it is in process but takes way too long. I'm also not fully sure about the state of that. So in that context, yes, they should and want to kill "cookie popups". That just doesn't mean what most people think it does (as it has nothing to do with GDPR).
mcny|16 days ago
Disclaimer: IANAL and this is not legal advice.
rpdillon|16 days ago
tikkabhuna|16 days ago
https://github.blog/news-insights/company-news/no-cookie-for...
nozzlegear|16 days ago
grumbel|15 days ago
mattlutze|15 days ago
Saline9515|15 days ago
dathinab|16 days ago
vasco|15 days ago
[deleted]
prmoustache|16 days ago
idle_zealot|16 days ago
unknown|16 days ago
[deleted]
warmedcookie|16 days ago
seydor|15 days ago
ben_w|16 days ago
bubblewand|16 days ago
Saline9515|15 days ago
mattlutze|15 days ago
gib444|16 days ago
kuerbel|16 days ago
saithir|16 days ago
dathinab|16 days ago
gunapologist99|15 days ago
OAuth, for example.
DarkUranium|16 days ago
Most sites didn't need a banner. Even post-GDPR, many use-cases don't need one.
r33b33|16 days ago
peterisza|16 days ago
seydor|15 days ago