by dmitriid 2026 days ago
https://gdpr.eu/cookies/

Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

...

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

- Receive users’ consent before you use any cookies except strictly necessary cookies.

1 comments

Should is not the same as 'must'.

If the cookie is purely functional, and is not used for any other purposes, you are neither required to request consent nor inform, provided it is for a service the user explicitly requests.

For example, authentication, preference setting, form submission, etc. are all explicit requests.

If your cookies do not require consent, you are not required to explain them to the user (although personally I'd say it's a good practice).

EDIT: the above is not true, please check the comments below for further discussion.

> you are not required to explain them to the user (although personally I'd say it's a good practice).

Nitpick: you are actually required to explain it, but not by shoving a banner in their face. You can explain it in the privacy policy, to be retrieved on demand by the user themselves.

See also GordonS' comment elsewhere in this thread, who is correct about the need for a privacy policy (and I posted a more elaborate comment with more info below it): https://news.ycombinator.com/item?id=25305722

Thank you, that was an interesting read. I'll bear this in mind going forwards.