[sqrt2]

It is not true that "functional" cookies are generally exempt from the consent requirement. What is concretely exempt are necessary cookies for a service that the user explicitly requested. This is not the case for cookies placed by Instagram embeds.

These are the guidelines on consent exemption by the Article 29 Working Party (the European Data Protection Board's predecessor) that explain it: https://ec.europa.eu/justice/article-29/documentation/opinio...

[onli]

Sorry, but an opinion from 2012 has no chance to be relevant if it disagrees with the current GDPR interpretation I linked to. Note how it explains that the ePrivacy Regulation is not in effect. I do not see how there could be any basis to legislate cookie usage if it is not linked to private data/analytics, if this happens it will not survive the courts I think. I do understand that this cookie consent interpretation is common - one just has to look at those stupid cookie consent forms on private blogs - but it does not follow from real legislation.

However:

> This is not the case for cookies placed by Instagram embeds.

Yeah, I can see how this is complicated and how it fits the topic. It's not a third party cookie for the embed, but for the website it might be, and is it even a functional cookie? I doubt it. I'm not sure how those would be judged and what is a reasonable way to work with embeds. It's only certain that there is not a solution as easy as it was in this case, where self-hosting the fonts was possible.

[sqrt2]

You're making the mistake of thinking that the cookie consent requirements are somehow a consequence of GDPR. The cookie consent requirements exist separately from and additionally to GDPR as a consequence of the e-Privacy Directive. What GDPR changed in regard to cookie consent is what exactly constitutes "consent", as it updated the Data Protection Directive in that regard, but it did not change when consent for cookies is required.

Other than court judgments, the Article 29 Working Party opinion is the most authoritative opinion you will get on the interpretation of the e-Privacy Directive, which is the "real legislation" that you need to look at.

edit: Nobody claims that the e-Privacy Regulation is in effect, by the way -- of course it isn't, it hasn't even been passed. The cookie consent clause of the e-Privacy Directive is however in effect, and has been since 2009.

[onli]

Also the e-Privacy Directive does exempt strictly necessary cookies from any consent requirements, or am I completely confused now?

Edit: No, I'm not. The GDPR page I linked states the situation that follows both from the GDPR and the e-Privacy Directive. It also fits to what is written in the directive itself.

[sqrt2]

Strictly necessary cookies for a service the user explicitly requested. And, importantly, this is true even if no personal data is involved and the process is therefore not covered by GDPR at all -- the cookie clause of e-Privacy Directive applies regardless.