[jopsen]

> I'd like to point out that GDPR compliant sites don't need to ask permission for strictly necessary cookies.

That's also my interpretation. If you use cookies for session state, authorization, then it's no problem.

The problem is that every website decided that they needed to track users. Or that asking for permission would minimize liability.

[ChrisSD]

Even with tracking you merely need a privacy policy in a place users can find. It's considered implied consent to continue using a site if the site makes a reasonable effort to make you aware that such a policy exists.

However, what counts as reasonable hasn't been explicitly defined. The UK government considers it fine to use a header that automatically disappears after awhile (i.e. no need to click "ok"). But other governments may view it differently so I can understand some large organisations being cautious.

[simpss]

no such thing as implied consent in GDPR.

Here are the conditions for consent: https://gdpr-info.eu/art-7-gdpr/

Most sites don't adhere to that at all as there's pretty much no way to "not agree", which means they can not rely on consent as a legal basis for processing PII.

[kd5bjo]

I feel it's important to note that, although implied consent doesn't mean anything in a GDPR context, consent isn't necessarily required at all. It's only one of 6 different justifications a business can use to show their activities are legitimate: https://gdpr-info.eu/art-6-gdpr/

[Macha]

And they all have their own stipulations. Contract requires that the data is needed to perform your part of the contract, legitimate interests requires documentation proving you do need the data and weighed the risks to users