by privacylawthrow 1554 days ago
You're wrong. The ePrivacy Directive does require that a website get consent before storing information on the end-user's device. Prior to GDPR, the local country implementations of the ePD allowed for implicit consent in some EU countries, and opt-out consent in other EU countries. GDPR redefined what constitutes legitimate consent to process personal data. Consent that was previously valid under the ePD was no longer valid under GDPR, which is why GDPR is about cookies, and every other processing of personal data.

You don’t need consent to use cookies. You need consent to use cookies to track.
No. You need consent to store data on an end user's machine, regardless of whether you later track that data or not, unless such storage is strictly necessary for the operation of a service explicitly requested by the user.
By that logic the GDPR is "about" fridge magnets because any business storing personal data using letter magnets arranged on a fridge is subject to GDPR. Sure, often cookies constitute/contain personal data, but when they don't they are not regulated by GDPR.
I mean, if you're storing user information that isn't pertinent to the business with fridge magnets on a slab of metal, and the user asks you to take them down, it's a GDPR violation if you don't remove/scramble said magnets after 30 days.

Method of data storage isn't really specified, but that's why it's General Data Protection Compliance.

Yes of course it would cover that hypothetical situation, as I said in my comment, but it would still be ridiculous in general conversation to say "GDPR does require that businesses get consent before using fridge magnets" without specifying "if personal data is involved".
Yes, that is correct. GDPR as written and as being interpreted by the courts covers every aspect of commerce, any interaction with another entity no matter how far removed, and any observable side effects of said interactions even if neither party knows of the third parties.
Before GDPR, the legal consensus among lawyers I asked was that consent could be a 30-page-long legal document hidden behind a 6-pixel text link at the bottom of a page that can only be accessed by trawling the website. It wasn't really what the politicians that wrote the ePrivacy Directive intended, which is why the term "informed consent" was added.

Now if a hidden 30 page long legal document that no one can read is consent then I have this bridge I want to sell. It is totally legit.

I doubt you actually asked any lawyers who know this stuff.

While GDPR did raise the threshold of valid consent, the interpretation before the GDPR was nowhere near what you describe here.

There are authority guidelines and sanctions predating the GDPR on this.

I asked some lawyers during a conference that discussed privacy and law. I initially asked if a 50-page document was fine, which they said was not, but then lowered it to 30 and they said "sometimes" without any irony in sight. After an additional discussion they said that even if people did not read the document or have the ability to understand it, it would still count as consent.

I have also talked personally with politicians who were involved with the work of writing GDPR, and the people who wrote the ePrivacy Directive have reportedly said that the lawyers' interpretation of consent was beyond the imagination of the original intent of the directive, which is why GDPR now requires freely given informed consent in contrast to the old consent.

You asked the wrong lawyers, at least for the US. The FTC's case against Sears in 2009 made it clear that consent to a privacy notice isn't valid if the privacy notice is buried deep in a licensing agreement, even if the notice is correct.
They are referring to GDPR. I do not see how any US ruling applies to that.