by pieno 1767 days ago
I think a lot of sites are conflating cookie consent and GDPR consent. You only need GDPR consent when processing personal data, so you don’t need consent just for storing settings in a cookie (as long as those settings do not contain personal data or identifiers linked to personal data). But many sites will ask “GDPR consent” or claim “GDPR legitimate interest” for those settings cookies in any case (in my view that’s a dark pattern in itself because you’re actually making the site harder or impossible to use and thereby inducing visitors to just click the big green “accept all” button to get it over with already…)
1 comment

>I think a lot of sites are conflating cookie consent and GDPR consent.

They are doing that, however the legal standard of consent under the ePrivacy Directive is the same as the GDPR.

The ePD initially referenced the definition in the Data Protection Directive, but that was replaced by the GDPR.

As I understand, there's currently an update to the ePD working its way through which aims to clarify some of these points and unify it with the GDPR.

Here's what they say about analytics for example:

> Audience measurement shall be limited to non-intrusive practices that are not likely to create a privacy risk for users

> The Council’s position creates a new exception for audience measurement as suggested by the Article 29 Working Party. However, the derogation for audience measurement as proposed by the Council is worded too broadly and could lead to an overly broad interpretation of what could fall under the scope of the derogation and consequently lower the level of protection of end users’ terminals.

> Therefore, the EDPB stresses that the derogation for audience measurement should be limited to low level analytics necessary for the analysis of the performance of the service requested by the user and should be solely limited to providing statistics to the service operator, and must be put in place by the operator or their processors. Therefore, this processing operation cannot give rise, by itself or in combination with other tracking solutions, to any singling-out or any profiling of users by the provider or other data controllers. Moreover, the audience measurement service should not allow to collect navigation information related to users across distinct websites/applications and should include a user-friendly mechanism to opt-out from any data collection.

https://edpb.europa.eu/system/files/2021-03/edpb_statement_0...

Yeah, the ePrivacy Regulation has been in development for years now, being held up by the Council.

It was supposed to be adopted soon after the GDPR, but 5 years later and we're still waiting...