Seriously one of the stupidest regulations I've ever seen. It would have been nice if they would have at least had the forethought to enforce regulation on a do not track header.
Neither ePrivacy nor GDPR require cookie consent popups, instead they basically say that tracking requires consent. GDPR only mentions cookies once, in its recitals. It's the adtech industry that decided to ignore DNT.
> Neither ePrivacy nor GDPR require cookie consent popups
Except that it does. The law specifically prohibits any form of consent that is not informed and specific. As a consequence, a user cannot just consent - or disallow - cookies globally. He has to tick a box for every single domain on earth; and can only do so after reading the specific information box associated to said domain.
As a user, saying "I am OK with analytics cookies but not with marketing ones" is not something I am allowed to express or setup. I have to do it for every domain because the law explicitly forbids a global solution to be implemented.
I'm afraid you are wrong for the global disallow button, as informed and specific consent is necessary to allow the processing of personal information, not to forbid it. See the definition in article 4(11), and the definition of the basis in article 6(1)a.
Correct. Cookie banners were required before GDPR. GDPR is the one that makes dealing with EU citizens online a risky enterprise, so the large entrenched players have the advantage.
I know that cookie banners exist since ePrivacy. That's why I mentioned it. But ePrivacy does _not_ mandate them. The adtech industry could have respected the DNT header.