by 7952 1837 days ago
I have been building some sites where I have explicitly tried to remove or avoid cookies completely. It is really tricky as any third-party script or embed can set cookies, which may be retained depending on browser version. We end up using generic cookie prompts just in case to appease corporate compliance even when nothing is usually set on the page. And the HTTP nature of cookies makes automating things much more difficult. You can't just drop in some JavaScript that overrides document.cookie, and even if you could it would not be supported by all browsers.

What I would like is to be able to whitelist domains in content security policy and reject everything else by default.


Why avoid cookies entirely? You don't need a cookie banner for cookies essential to the functioning of your site.

You want to avoid cookies entirely so that you don't need a cookie policy and that you don't need a cookie banner.

It's also significantly easier to convince a lawyer that you don't need these things if you can prove that there are no cookies whatsoever. And even then they'll be suspicious.

It's harder than it looks, just embedding a YouTube video for example already sets third-party cookies. Same with embedding a Twitter feed or Google Analytics. There are solutions for all of these things, but the standard/easy way of doing these things means your user gets a third-party cookie, which means you need the banner.
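The two practical problems raised above, the original poster's wish to allow only an explicit list of third-party origins and the point that embeds quietly set third-party cookies you then have to prove are absent, can both be worked offline. The following is an added example (not code from this thread or any project mentioned in it): it classifies the Set-Cookie headers captured while a page loads as first- or third-party, and builds a Content-Security-Policy that defaults to `'self'` and lists the permitted third-party origins per directive. The hosts, cookie names and header values are constructed for the example; the eTLD+1 logic is a deliberate simplification (last two labels) and a real audit should use the Public Suffix List. Note the caveat the policy header implies: CSP does not govern cookies directly, it only stops resources from loading from origins not on the list, which is what prevents those origins from setting cookies in the first place.

```python
"""Offline cookie audit plus an allowlist-only CSP builder (constructed example)."""
from urllib.parse import urlsplit

SITE_HOST = "www.example.org"  # assumed first-party host (constructed for this example)

# Constructed capture: (request URL, Set-Cookie header values received), as a
# browser would see them when a page embeds a video player and an analytics
# script. None of these hosts or cookie names come from the thread.
CAPTURED = [
    ("https://www.example.org/",
     ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]),
    ("https://static.example.org/app.js", []),
    ("https://player.example.net/embed/xyz",
     ["VISITOR=qwerty; Domain=.example.net; Path=/; Secure"]),
    ("https://analytics.example.com/collect",
     ["_ga=GA1.2.111; Domain=example.com; Path=/"]),
]


def registrable_domain(host):
    """Rough eTLD+1: the last two labels. A real audit should use the Public
    Suffix List so that hosts like 'example.co.uk' are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Flag attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def audit_cookies(site_host, captured):
    """Classify every cookie set while loading the page as first- or
    third-party and record whether Secure/HttpOnly were present."""
    site_domain = registrable_domain(site_host)
    findings = []
    for url, headers in captured:
        request_host = urlsplit(url).hostname
        for h in headers:
            name, _, attrs = parse_set_cookie(h)
            # The Domain attribute widens the cookie's scope; without it the
            # cookie is scoped to the responding host.
            cookie_host = attrs.get("domain", request_host).lstrip(".")
            party = "first" if registrable_domain(cookie_host) == site_domain else "third"
            findings.append({
                "name": name,
                "set_by": request_host,
                "domain": cookie_host,
                "party": party,
                "secure": "secure" in attrs,
                "httponly": "httponly" in attrs,
            })
    return findings


def third_party_cookies(findings):
    """The cookies that would trigger the banner discussion in the thread."""
    return [f for f in findings if f["party"] == "third"]


def build_csp(allowlist):
    """Build a CSP that defaults to 'self' and lets only the listed origins
    serve the given directives. Anything outside the allowlist never loads,
    so it never gets the chance to set a cookie. allowlist: {directive: [origin]}"""
    directives = ["default-src 'self'"]
    for directive, origins in allowlist.items():
        directives.append(" ".join([directive, "'self'", *origins]))
    return "; ".join(directives)


if __name__ == "__main__":
    for f in audit_cookies(SITE_HOST, CAPTURED):
        print(f"{f['party']:5} {f['name']:<8} set by {f['set_by']} for {f['domain']}")
    print("Content-Security-Policy:", build_csp({
        "script-src": ["https://static.example.org"],
        "frame-src": ["https://player.example.net"],
    }))
```

Run against a real capture, the findings list is what you hand to the compliance side: an empty `third_party_cookies()` result is the concrete evidence that no third-party cookie was set, and the generated header is the policy that keeps it that way when someone later adds an embed that is not on the list.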

> You want to avoid cookies entirely so that you don't need a cookie policy and that you don't need a cookie banner.

Wrong. Functional cookies are exempt.

Of course I know that, but did you ever talk to someone who is not in technology but does have a say in determining what "we" need to do to cover "our" asses?

Say, a lawyer with the responsibility that all of our websites implement all of the relevant regulations?

You would think that they are up to date on what regulations you need to follow, but you'd be surprised. Many take a blanket "no risks under any circumstances" approach. These types can only be placated with the "we don't have any cookies at all" argument. And even then only barely.

The statement isn't "Wrong.", it's just overly strict.

What are "functional cookies"? Are analytics/telemetry cookies functional? Are cookies identifying Google users so they can receive targeted content but also ads "functional"?

GDPR never bothered to specify. This is why GDPR is broken and sadly it broke the web.

Have you tried finding the answer to your question online? There are clear examples of what "functional cookies" mean, even straight from the EU.

There are many opinions online, but there is no authoritative, definitive answer. GDPR was made vague by design "to prevent future exploits". Even lawyers are arguing the details, three years after its introduction.

This made GDPR in effect one of the most expensive regulations we had to implement as IT companies. It is also so incredibly punitive that everybody chose to implement it in the most conservative way possible, at the expense of the UX. Thus the cookie popups and banners.

Still, the boss said: "add a banner anyway." Better safe than sorry, and everyone expects it by now.

These particular sites didn't need essential cookies and discussion about privacy/cookies was taking lots of time for no real benefit.

Also, I believe philosophically in trying to reduce things like analytics and tracking.