by growse 2206 days ago
Nothing about the EU law requires sites to put up cookie warnings and degrade the ux. They choose to do that.

But they all choose to do that, so that's the actual outcome of the legislation.

I don't understand why I keep seeing this argument. We all have to deal with cookie dickbars regardless of whether or not your armchair lawyer argument is technically correct. If this is what the law does in practice, and the behavior is generally seen as compliant, then it's a dumb law.

Plenty don't. Hyperbole isn't helpful.

Lots of websites seemingly actually break the law, with full page "can't see the page unless you click accept" etc. The problem seems to be under-enforcement, and then we're right back at the point of TFA.

I agree that (under) enforcement is part of the equation, but I don't think it's the primary issue.

The problem starts when legislators write vague or ill-posed laws because they don't understand the underlying technical issues. If your understanding of the problem is that "cookies are some sort of tracking token and tracking is bad," you will not be able to write effective legislation. You need to have a basic understanding of HTTP, you need to know how cookies fit into HTTP, and you need to be aware of some basic cookie usage patterns. You need to be able to identify that some things that certain companies build using cookies are problematic, and other things are totally benign and are required for basic functionality. You need to be capable of understanding that a user's "allow/deny cookies" preference usually can't even be saved without a cookie.

When the law actually comes out, it's so vague and seemingly self-contradictory that lawyers at these companies are going to say "We have no clue WTF they meant here, or how they intend to enforce this law, or if they even intend to enforce it at all, but just to be safe, let's just do it this way that's obviously stupid, but appears to be what everyone else thinks will pass the sniff test."

Then the law isn't actually enforced, because the enforcers don't understand the law either, so the lawyers are like, "Well, no guidance based on patterns of enforcement, in fact, they don't seem to be enforcing this thing at all, so let's just do whatever we want," which is how you get your laundry list of obviously non-compliant websites.

Legislation needs to be clear, enforcement needs to actually happen, and it needs to happen consistently in order to reinforce the clarity of the original law. If you don't have these things, your legislation is going to fail. Cookie law is used in this example, but the same thing applies to GDPR. So far, very little enforcement, and enforcement has been extremely inconsistent. It's a really bad start.

> You need to be able to identify that some things that certain companies build using cookies are problematic, and other things are totally benign and are required for basic functionality. You need to be capable of understanding that a user's "allow/deny cookies" preference usually can't even be saved without a cookie.

But they did all that. Functional cookies (shopping carts, preferences, etc.) all need no consent. This is not some kind of complicated thing. It only gets complicated if you want to try to trick users into allowing other cookies and/or hope that whenever those things get enforced, they'll start with bigger fish than you.

The worst part is that all alternatives to cookies are worse privacy-wise... Or at least they would have been if every single browser didn't tacitly accept and keep all cookies. It's getting better, but making cookies permanent should really count as an additional privilege (I mean it does for browser extensions, so why on earth not arbitrary webpages?), also session cookies should really just go away when the tab closes, and first party isolation should probably be the default.