[M2Ys4U]

The GDPR doesn't even mention cookies.

It's the ePrivacy Directive that regulates them (or, more precisely, "information stored in the terminal equipment of a subscriber").

And the ePrivacy Directive does, in fact, define what's allowed without notifying the user:

"any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

[nickpp]

This kind of vague, high-level language is exactly why, if you reject cookies, you'll receive the same damn popup next time you visit the website until you relent and click Yes.

They never tried applying their abstract concepts to the real world until we had to and the result is "The Web of Cookie Popups".

[jka]

You have a point, but at the other end of the spectrum, writing precise legal terms can cause problems as well.

If the terms refer specifically to "cookies" and "browsers", it'd be entirely possible that the advertising industry and other players would simply change their own wording to evade the law.

An effective legal claim might be able to find out about and catch up with those kind of tricks; but it'd be partly a game of time, and simply by delaying legal challenges while their operations continue, the ad industry would have achieved their goals.