by lucb1e 2026 days ago
Correct. You only need a banner for invasive tracking.

Normal visitor counting, login handling, preference setting, etc. is all allowed by default. Only when you don't have a valid reason to process the user's data do you need to ask them for consent, and that's the only time you need a cookie wall. Everything else is opt-out.

It would be a crazy world if I ask the pizza store to deliver my pizza but I need to consent to them using my address to deliver it. It's obviously essential. Many people see it as such, though, and they resort to including weird clauses like "by hitting submit I consent to the processing of the data in the contact form for the purpose of fulfilling my request". That is like the definition of one of the legal bases you can use (aside from consent) and definitely does not require consent.

The law is quite readable and not overly elaborate, see Article 6(1) of the GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

For example, 6(1)(a) says: "in order to take steps at the request of the data subject", so you don't need to have any GDPR checkboxes or banners when you have a contact form.


> Normal visitor counting

To my knowledge that might need consent, depending on what you mean / how it's performed.

Trying to track "return visits" often requires installing identifying tokens (cookies, localStorage, etc.). Even if no human ever looks at an individual person's data, you are processing it, so GDPR applies.

But that's where the last legal basis comes in:

> processing is necessary [for] the legitimate interests pursued by the [website], except where such interests are overridden by the interests [of] the data subject

So:

(1) on the one hand, the site owner has a legitimate interest in making the website better. This really can even solely benefit the user, e.g. if you're a non-profit like Wikipedia, but it might also just benefit you and that's okay.

(2) on the other, everyone has the right to privacy. Is privacy violated if you analyse this in an automated fashion? Is there any potential negative consequence for "private and family life, his home and his correspondence"[1]?

If the answer to (2) is a very clear "no" then here's your legal basis for data processing. Since it is not consent-based, you can do it without consent and without 'cookie wall'.

I'm no lawyer, I don't know if this is a clear "no" or if it's a "maybe somehow" or how a judge would rule that or what judges previously ruled on that. I don't have all the answers, but it should be clear not all tracking has to be consent-based, especially when you have the user's privacy at heart. Hence my phrasing of 'invasive tracking' earlier in the thread.

Also, if you're a small company or startup that really tries to do good but misinterpreted the law, the data protection agency is not going to give you a large fine. If there is neither an intention of violating privacy (in an ethical way, not a letter-of-the-law way) nor clear negligence, then the DPA will probably send you a warning. It's also a fundamental right to get a reasonable punishment, so they can't give you a fine that creates major issues if you didn't do anything majorly wrong (people often look at GDPR's vague clauses and €20 million fines and think "how could your mom and pop store ever pay that for small violations" while in practice that's not how this works).

[1] Article 8 "Privacy" from the European Convention on Human Rights: https://en.wikipedia.org/wiki/European_Convention_on_Human_R...

I believe you are correct, but I believe you also need to have a cookie/privacy policy page, where you explain what data you are storing and processing. I forget off the top of my head if that's a requirement of GDPR or ePrivacy, but you need to comply with both.

Correct, you need a page but not a wall/banner unless you need to seek consent for something.

Again, the law is not all lawyerspeak and it's fairly easy to find if you click my link to the law above. Article 14(3):

> The [website] shall provide the information referred to in paragraphs 1 and 2:

> (a) within a reasonable period after obtaining the personal data [...]

> (b) [...] at the time of the first communication to [the user] [...]

Where "the information referred to in paragraphs 1 and 2" is the basics: who you are, what you collect, for what purpose (marketing or so), retention period, what the user's rights are, and other things that may apply from the lists in those paragraphs.

The easiest way to fulfill this is, of course, a nice little link at the bottom with this info laid out for everyone.

This is also perfect if you're Google and your products, taken together, process basically every piece of data about a human going about their daily life. Then you basically say "we collect basically every piece of data that you supply or that we can otherwise get our hands on" and the user is not only none the wiser when they use only reCAPTCHA, but they have now also agreed to the rest because that's all in one policy.

By and large I'm still happy that it has improvements over the previous law (most notably enforcement and uniformity between member states) even if there are things to be improved, but I digress. Point is: policy available to read when desired: yes; annoying pop-up banner: NEIN :)