by xdennis 1206 days ago
It's not the EU's fault that you have to click cookie banners. Those banners are only required if a website plans to do malicious things with the cookies. If they're used to track who's logged in, they are not required.

They are more akin to the "Do not eat" warnings on silica packs... except on the internet everyone swallows.


> It's not the EU's fault that you have to click cookie banners. Those banners are only required if a website plans to do malicious things with the cookies.

I just checked some web pages from different organs of the EU:

https://commission.europa.eu/select-language?destination=/no...

https://www.consilium.europa.eu/de/european-council/

https://european-union.europa.eu/institutions-law-budget/ins...

They all have cookie banners, some of them are super prominent and annoying. So maybe they are also doing malicious things, maybe they don't understand their own regulation, or it is just impossible to have a non-trivial web page without a cookie banner in 2023. In either case, the regulation is totally detached from reality and has become just some ritual.

> regulation is totally detached from reality and has become just some ritual

not completely wrong.

ime in the case of the cookie law, most ppl didn't actually bother to go into details and just took the word on the street and some existing 'solution' and called it a day since everybody was doing it this way and sales/executives were pleased.

fact remains: cookie banner is _not_ necessary for logins and most existing banners are outright illegal since 'no' is not an easily accessible option

So the EU should ban the malicious thing, instead of putting that fatigue onto all users everywhere.
That’s exactly what the EU has done. They only require that people consent to be tracked for non-essential reasons.

Don’t track people for non-essential reasons, then you don’t need to ask for consent, which means you don’t need a cookie banner.

It's not malicious if the user wants it to happen, that's why it's asking.
They are needed if they do anything with cookies and don’t block EU IP addresses: the laws are quite vague, and interpretation has been quite broad.
They have no jurisdiction outside the EU, you can let EU IPs in all you want. I'm sick of people acting like they're some world police. Treat them like the children they are, ignore them.
> If they're used to track who's logged in, they are not required.

https://gdpr.eu/cookies/

    To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

    Receive users’ consent before you use any cookies except strictly necessary cookies.
    Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
    Document and store consent received from users.
    Allow users to access your service even if they refuse to allow the use of certain cookies
    Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
If you want to save a person's login to make it easier for them to log in when they come back? That's not strictly necessary - consent is needed. If you save settings to a cookie - that's not strictly necessary - consent is needed. And then there's the "using a cookie to track a session to determine page bounce rate - even if it's not Google Analytics" - consent is needed.

And of course, consent is needed if you are using cookies for marketing.

For persistent logins, a simple “Remember me” checkbox is sufficient, see https://law.stackexchange.com/a/32157.

Analytics and marketing tracking cookies require separate consent, that’s correct. I would prefer websites to refrain from attempting such tracking completely.

Great link, thanks. Minor note: it appears that you have to use "Remember me - uses cookies". You have to make it clear you are using cookies for these operations.
I don’t think it’s necessary to inform the user about the exact technical means. The law doesn’t care about cookies as a technical mechanism. “Remember me in this browser” may be more adequate to indicate the scope of what is stored.
> If you want to save a person's login to make it easier for them to log in when they come back? That's not strictly necessary - consent is needed.

The consent is implied in login functionality. Literal example from same article you cited but apparently didn't bother to read in full:

> These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookie

Essentially, if a cookie is the effect of a user action that directly indicates it needs to store state (cart, login, things like switching themes on a page), it is "essential" to that feature and doesn't need consent.

Which then continues...

> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.

Remembering username and password is different from remembering a session. You can implement "remember me" functionality just with a checkbox (which implies consent) and by extending the lifetime of the session cookie.
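As an added illustration of the approach this comment describes (example code written for this page, not code from any commenter or from gdpr.eu), the snippet below issues an opaque session token and only turns it into a persistent cookie when the "remember me" checkbox was ticked; the cookie never carries the username or password, and the 30-day lifetime is an assumed policy value.

```python
import secrets

# Assumed policy: how long an opted-in "remember me" session may live.
REMEMBER_ME_MAX_AGE = 30 * 24 * 3600  # 30 days, in seconds


def new_session_token() -> str:
    # Opaque random identifier; the server maps it to the account.
    # The credentials themselves never go into the cookie.
    return secrets.token_urlsafe(32)


def session_cookie_header(token: str, remember_me: bool) -> str:
    """Build the Set-Cookie value for the login session.

    Without "remember me" the cookie has no Max-Age, so the browser
    discards it when the session ends. With "remember me" the same
    cookie simply gets a bounded lifetime; nothing else changes.
    """
    parts = [f"session={token}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if remember_me:
        parts.append(f"Max-Age={REMEMBER_ME_MAX_AGE}")
    return "; ".join(parts)


def handle_login_form(form: dict) -> str:
    """Simulated login handler: the checkbox (HTML default value "on")
    is the user's explicit choice, so it decides the cookie lifetime."""
    remember = form.get("remember") == "on"
    return session_cookie_header(new_session_token(), remember)


def cookie_attributes(header: str) -> dict:
    """Parse a Set-Cookie value into {name-or-attribute: value}
    (flag attributes map to True) so the result can be inspected."""
    attrs = {}
    for part in header.split("; "):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.lower()] = value
        else:
            attrs[part.lower()] = True
    return attrs
```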
and then continues...

> When people complain about the privacy risks presented by cookies, they are generally speaking about third-party, persistent, marketing cookies.

Nothing is helped or solved by insisting first party "site preferences" cookies need consent. There's obviously room for interpretation in regards to what is a "strictly necessary cookie" when it comes to site preferences, account tokens etc.

I agree, most problems with privacy across the web are cross-site tracking and the ability to track a user across their entire browsing activity, not the fact that each website individually knows what the user did on its own website.
Malicious and lazy compliance are known problems with regulations that should be accounted for in advance. California's prop 65 passed in 1986, so by the time the EU was working on the GDPR they had more than 30 years of precedent for useless warning labels stamped on everything until they lose all meaning.

Theoretically websites could choose to do better, but the EU should absolutely have predicted this outcome.

You know that prop 65 warnings don’t exist on products outside the US right? I’ve personally never seen one in the EU.
Duh. I also know that governments can and do pay attention to what other governments are doing and observe the effects. It's much better to learn from someone else's mistakes!
It’d be nice if the same were true for all the stupid cookie banners I don’t care about.
>It's not the EU's fault that you have to click cookie banners.

Yes it is.

No it's not.
This is not the interpretation I've been told. All stored things i.e. cookies, local storage, tracking jpegs etc must be described to the user and have an opt out.
> tracking jpegs

tracking pixel? Are you sure you know what you're talking about?

Apologies for misremembering the term. My site does not use them, but it was in a list of things that we had to report if we did use them
No, it's always required.
I've never seen one on this site, and yet I'm logged in writing this comment. Is HN breaking the law?
Last time I checked, HN doesn't use tracking cookies and other such nonsense. All I see are session cookies to track my login. That doesn't require any form of popup.

HN being an American company probably violates some section of the GDPR (not having someone labeled as the privacy officer or some other technicality) but I doubt anyone cares. If you feel your privacy is getting violated, you can try contacting your local DPA.

In terms of cookies and data processing, I don't think HN is breaking the law anywhere, unless the privacy policy is full of lies and dang is secretly selling our personal info on the site (he isn't).

It is in violation because it uses cookies for persistent login functionality without making that clear.

It's okay, though. No DPA will go after HN.