Hacker News
by dheera 2053 days ago
I think it goes deeper than this.

An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential. They could claim that being able to recommend food based on your past searches is part of their core functionality, and that requires saving searches in cookies, or saving them on the server side with a fingerprint on your side.

You could argue that Yelp is only a yellow pages of restaurants and therefore no cookies are essential. Someone else could argue that they are much more than a yellow pages, that if they were only a yellow pages they would not be profitable and cease to exist, and that their core reason of existence is their recommendation engine. To that person, essential functionality would require more things to be stored.

Then there is a regulatory aspect. Some governments may require their companies to install trackers of sorts. Some governments just don't give a damn and let their companies do as they please. GDPR is not a universal law. It's an EU law. Nobody else has to follow it, and there is no way you'll convince every country, especially in Asia, Africa, and South America, to follow GDPR. A technological solution, on the other hand, can deal with the entire problem with a single software update, much more effectively than any legal route.

2 comments

Note that 'share my location' (or not) is already being handled perfectly fine by the browser.
On a side note I was once able to get a very precise location even with permissions turned off, simply by virtue of 2 devices being on the same Wi-Fi network, the other device having given permissions.

For one they both appear to the outside as the same IPv4 address, and Wi-Fi doesn't travel that far so you can usually presume they are at the same location. There are other ways like having one device hog bandwidth in a slowly modulated fashion, and have the other device pick up on that modulation in streamed data.

This isn't related to the parent comments and I highly doubt any major apps actually implement this, but just pointing out that such a side-channel attack is possible.

The law isn't as fuzzy as you think.

> An app like Yelp could claim that one of their essential features is to show you restaurants physically close to you, so location information is essential.

They could claim that but it would not be relevant in law. The GDPR provides an exception for "strictly necessary" cookies only, as follows:

"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

If I didn't explicitly request for Yelp to show me restaurants physically close to me, or to recommend food based on my past searches, then neither of these things is "strictly necessary" as defined by the GDPR and they can't store personal information about me regardless of what they claim.