That is still not clear. Not everyone needs to sign in so it could not be essential. It should ask when you want to log in if you want to store a cookie or not.
An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential. They could claim that being able to recommend food based on your past searches is part of their core functionality, and that requires saving searches in cookies, or saving them on the server side with a fingerprint on your side.
You could argue that Yelp is only a yellow pages of restaurants and therefore no cookies are essential. Someone else could argue that they are much more than a yellow pages, that if they were only a yellow pages they would not be profitable and cease to exist, and that their core reason of existence is their recommendation engine. To that person, essential functionality would require more things to be stored.
Then there is a regulatory aspect. Some governments may require their companies to install trackers of sorts. Some governments just don't give a damn and let their companies do as they please. GDPR is not a universal law. It's an EU law. Nobody else has to follow it, and there is no way you'll convince every country in especially Asia, Africa, and South America to follow GDPR. A technological solution on the other hand can deal with the entire problem with a single software update, much more effectively than any legal route.
On a side note I was once able to get a very precise location even with permissions turned off, simply by virtue of 2 devices being on the same Wi-Fi network, the other device having given permissions.
For one they both appear to the outside as the same IPv4 address, and Wi-Fi doesn't travel that far so you can usually presume they are at the same location. There are other ways like having one device hog bandwidth in a slowly modulated fashion, and have the other device pick up on that modulation in streamed data.
This isn't related to the parent comments and I highly doubt any major apps actually implement this but just pointing out that such a side channel attack is possible.
> An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential.
They could claim that but it would not be relevant in law. The GDPR provides an exception for "strictly necessary" cookies only, as follows:
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
If I didn't explicitly request for Yelp to show me restaurants physically close to me, or to recommend food based on my past searches, then neither of these things is "strictly necessary" as defined by the GDPR and they can't store personal information about me regardless of what they claim.
Yeah, that's why it depends on the function of the website or app. If you need to sign in to access an app, and the session token is saved using a cookie, then it can be considered an essential cookie. But on a marketing website that doesn't have a login component then yes, you're right, logging in isn't required and so it's arguably a nonessential cookie.