[shagie]

> If they're used to track who's logged in, they are not required.

https://gdpr.eu/cookies/

    To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

    Receive users’ consent before you use any cookies except strictly necessary cookies.
    Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
    Document and store consent received from users.
    Allow users to access your service even if they refuse to allow the use of certain cookies
    Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

If you want to save a person's login to make it easier for them to log in when they come back? That's not strictly necessary - consent is needed. If you save settings to a cookie - that's not strictly necessary - consent is needed. And then there's the "using a cookie to track a session to determine page bounce rate - even if it's not Google Analytics" - consent is needed.

And of course, consent is needed if you are using cookies for marketing.

[layer8]

For persistent logins, a simple “Remember me” checkbox is sufficient, see https://law.stackexchange.com/a/32157.

Analytics and marketing tracking cookies require separate consent, that’s correct. I would prefer websites to refrain from attempting such tracking completely.

[renewiltord]

Great link, thanks. Minor note: appears that you have to use "Remember me - uses cookies". You have to make it clear you are using cookies for these operations.

[layer8]

I don’t think it’s necessary to inform the user about the exact technical means. The law doesn’t care about cookies as a technical mechanism. “Remember me in this browser” may be more adequate to indicate the scope of what is stored.

[ilyt]

> If you want to save a person's login to make it easier for them to log in when they come back? That's not strictly necessary - consent is needed.

The consent is implied in login functionality. Literal example from same article you cited but apparently didn't bother to read in full:

> These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookie

Essentially if cookie is effect of user action that would directly indicate it needs storing state (cart, login, stuff like switching themes on page) it is "essential" to that feature and doesn't need consent.

[shagie]

Which then continues...

> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.

[bonzini]

Remembering username and password is different from remembering a session. You can implement "remember me" functionality just with a checkbox (which implies consent) and by extending the lifetime of the session cookie.

[exodust]

and then continues...

> When people complain about the privacy risks presented by cookies, they are generally speaking about third-party, persistent, marketing cookies.

Nothing is helped or solved by insisting first party "site preferences" cookies need consent. There's obviously room for interpretation in regards to what is a "strictly necessary cookie" when it comes to site preferences, account tokens etc.

[XCSme]

I agree, most problem with privacy across the web is the cross-site tracking, and the ability to track a user across their entire browsing activity, not the fact that each website individually knows what the user did on their own website.