by zeorin 1863 days ago
That's not accurate, at least as far as GDPR is concerned.

Only necessary ones don't need consent, but the bar for "necessary" is high: the software wouldn't be able to function without it and there's no way to implement the software without it. Think: "address" is necessary for "delivery".

Even then you still need consent to store the cookie under most versions of the "Cookie law", which is a complementary but different thing to GDPR.

4 comments

> Even then you still need consent to store the cookie under most versions of the "Cookie law"

I don't think the cookie law is different from GDPR in that respect. IANAL, but from the EU directive itself [1]:

> Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information [...] and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

I read that as having the equivalent "no consent required for strictly necessary data" get-out clause to the GDPR. Yes, strictly necessary is a high bar, but for cookies that clear that bar I think both GDPR & the cookie law let you off the hook.

[1]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

> Only necessary ones don't need consent, but the bar for "necessary" is high: the software wouldn't be able to function without it and there's no way to implement the software without it. Think: "address" is necessary for "delivery".

Yup. That's literally the point. Phrased in an equivalent form: cookies that require consent are ones you don't actually need.

It's thus not GDPR's fault that a site opts to spam their users with a consent popup - it's their choice to include cookies that aren't required to provide the service.

You're assuming everyone agrees on "need". People disagree with governments all the time, so it's not surprising here that a website operator might consider a cookie to be necessary for the operation of their service, but the government views their needs differently?

If I can delete the cookie and nothing goes visibly wrong, it's obviously not needed.

Same with blocking a script that sets such a cookie. Most cookies are not needed for providing a service.

edit: see the article 29 data protection working party guidelines here: https://ec.europa.eu/justice/article-29/documentation/opinio...

I think they literally mean "technically need". This is objectively deducible.

I am a privacy lawyer that has spent far too many hours on cookie issues. It is disappointing that your correct answer was downvoted. It goes to show just how much misinformation is out there about GDPR.

The top comment in this thread demonstrates that as well as the Data Protection Directive of 1995 had a functionally identical requirement allowing users to opt out of completely automated decisions for credit purposes.

Sure? https://www.iubenda.com/en/help/23672-gdpr-cookie-consent-ch...

I would claim the only way to make a webapp with login securely function in a usable manner is to use a session cookie with secure transport policy. Do you really need more than that?
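As an added illustration of the "session cookie with secure transport policy" the comment above describes (this is example code written for this page, not something posted in the thread), the block below builds a login session cookie that carries only an opaque random token, and audits an arbitrary Set-Cookie header for the transport and scope attributes a defender would expect on such a cookie. The cookie name `__Host-session` and the token values are constructed for the example.

```python
# Added example: a minimal "secure transport" session cookie and an auditor
# that reports which protective attributes a Set-Cookie header lacks.
import secrets
from typing import Dict, List, Optional


def build_session_cookie(name: str = "__Host-session",
                         token: Optional[str] = None) -> str:
    """Return a Set-Cookie header value for a login session cookie.

    The token is random and opaque (no user data inside it), the cookie is
    only sent over TLS (Secure), is invisible to page scripts (HttpOnly),
    is not attached to cross-site requests (SameSite=Lax), and the __Host-
    prefix makes browsers insist on Secure, Path=/ and no Domain attribute.
    The default name is an assumption for this example.
    """
    token = token or secrets.token_urlsafe(32)
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse a Set-Cookie header into {attribute: value}.

    Attribute names are lower-cased; flag attributes such as Secure map to ''.
    The cookie name and value are stored under '__name__' and '__value__'.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return findings for a session cookie header; an empty list means OK."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie attached to cross-site requests")
    if attrs["__name__"].startswith("__Host-"):
        if attrs.get("path") != "/" or "domain" in attrs or "secure" not in attrs:
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


if __name__ == "__main__":
    good = build_session_cookie()
    print(good, audit_session_cookie(good))
    # Constructed weak header for comparison: no Secure, HttpOnly or SameSite.
    print(audit_session_cookie("session=abc123; Path=/"))
```

The auditor only checks transport and scope attributes; it says nothing about whether a given cookie is "strictly necessary" in the legal sense the thread is debating, which is a question about what the cookie is used for rather than how it is sent.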

Not sure if you want to say that such a session cookie would require consent or not, but just to make it clear, it definitely doesn't.

See 3.2 in data protection working party recommendations: https://ec.europa.eu/justice/article-29/documentation/opinio...