[sgjohnson]

No. Technically it's illegal to provide such service, not receive it.

Fun fact, this very website is not GDPR compliant. I've never ever seen a cookie notice on HN, which is legally required.

Of course, none of this is relevant, because AFAIK HN has no physical presence in the EU, but still, this site is not GDPR compliant, which just outlines how stupid GDPR actually is.

[dgb23]

Cookie notices are required if you for example use them to pass data to third parties.

A login cookie that is just for auth is not that. It is specifically requested by the user and implies that the user's data is managed on that site and can be evicted.

Same with analytics. The problem is not that you're doing analytics. It's that the user doesn't know that your doing it and that you're passing on that data to a third party.

[Semaphor]

It’s not just about third parties. I still need to consent to any PII you gather for your analytics, even if it’s completely first-party.

[dgb23]

Would have assumed that anonymous logging is fine? Generating usage data? Error logs? As long as it’s not sold, private data or used to identify the user?

Highly doubt that kind of gathering is a problem. If it were you could close 95% of the web.

[Semaphor]

As I said, PII. So if your only PII is storing the IP one-way hashed and salted, keeping the salt only for a day as like (I think) Plausible does, it’s probably/possibly okay.

Besides that, intent also matters. For example, we had to start logging IPs for every newsletter change, or you can log IPs in your access log for security reasons without consent. Logging the same IP into your analytics tool becomes an issue.

[berkes]

> I've never ever seen a cookie notice on HN, which is legally required.

For clarity: it isn't always required. Only if you have third party (tracking) cookies.

I don't know about HN. But its perfectly possible to have analytics, ads and other functional cookies, without pestering your users with cookie popups.

Again: cookie popups and concent-banners aren't required. They are only required if you have "invasive" tracking in place.

e.g. I've worked on web-apps that were tracked by a selfhosted matomo, by plausible or some other tracking, that did not have any GTM or other tag-managers, that had no ads or only ads which were served from their own domain and without any 3rd party trackers, lacked all the GAFAM-pixels, had their fonts and other assets self-hosted (or on a simple, non-tracking CDN) and so on. Non of these needed any form of banner, popup or wizard.

[enedil]

I don't think you are right. Right now, the only cookie present is my session cookie. This should fall under obvious reason to have a cookie (it's not a tracking cookie). The sets of required and of all cookies are identical. Therefore, a dialog like this changes nothing.

[Semaphor]

> I've never ever seen a cookie notice on HN, which is legally required.

What for? The GDPR does not require consent for purely functional cookies, and the only data I see stored is my account cookie. So the existing privacy policy should cover them.

[that_guy_iain]

It's illegal for you to provide a service that isn't compliant. So if you use Stripe, therefore transfer data to a non-compliant country, you would be illegally providing a service that isn't complaint.

Also, the cookie notice is not GDPR it's a separate law. And if you only use functional cookies such as login cookies no notice is required.