[nickpp]

There are many opinions online, but there is no authoritative, definitive answer. GDPR was made vague by design "to prevent future exploits". Even lawyers are arguing the details, three years after its introduction.

This made GDPR in effect one of the most expensive regulations we had to implement as IT companies. It is also so incredibly punitive that everybody choose to implement it in the most conservative way possible, at the expense of the UX. Thus the cookie popups and banners.

[hnarn]

Instead of ranting and providing nothing but conjecture about how "expensive" GDPR is (whatever that means), or insinuating that lawyers "arguing" about something proves that legislation is ineffective (that's literally their job), refer to first hand sources and ask constructive questions in good faith about what you don't understand. Here's one example: https://gdpr.eu/cookies/

Both first party session cookies and "shopping cart" cookies are mentioned as explicit examples of cookies that do not require prior consent and are unlikely to cause any concern.

[lmkg]

Please do not use that website. It presents itself as an authoritative resource, but it is not actually an authoritative resource. Nor, frankly, even a very good one.

Actual first party resource: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...

ICO is literally the agency that issues fines for GDPR violations in the UK. They have a lot of explicit guidance about what's OK and what's not.

More detailed guidance on the "strictly necessary" exemption: https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...

[nickpp]

Then why does the very gdpr.eu website have a cookie banner at the bottom of the page?! There is clearly no session or shopping cart going on.

[SiempreViernes]

Uh, are you asking why a site with that doesn't use cookies in a purely functional manner has a cookie banner?

In any case, it's the usual reason: they have google tracking, and it seems like they embed content from other sides the easy way. You too can learn the answer to the mystery of why there is a consent banner by clicking the "Privacy policy" button, this one actually explains it clearly, like it was supposed to be a model example or something.

[nickpp]

Actually the unobtrusive cookie banner as implemented on that site is illegal under GDPR. Check out https://ico.org.uk/ for a correctly implemented popup with its dismal UX.

[M2Ys4U]

The GDPR doesn't even mention cookies.

It's the ePrivacy Directive that regulates them (or, more precisely, "information stored in the terminal equipment of a subscriber").

And the ePrivacy Directive does, in fact, define what's allowed without notifying the user:

"any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

[nickpp]

This kind of vague, high-level language is exactly why, if you reject cookies, you'll receive the same damn popup next time you visit the website until you relent and click Yes.

They never tried applying their abstract concepts to the real world until we had to and the result is "The Web of Cookie Popups".

[jka]

You have a point, but at the other end of the spectrum, writing precise legal terms can cause problems as well.

If the terms refer specifically to "cookies" and "browsers", it'd be entirely possible that the advertising industry and other players would simply change their own wording to evade the law.

An effective legal claim might be able to find out about and catch up with those kind of tricks; but it'd be partly a game of time, and simply by delaying legal challenges while their operations continue, the ad industry would have achieved their goals.