[dspillett]

> And now it’s illegal to not have a popup.

It absolutely isn't. You, along with many others, are falling for the advertising industries attempts to turn you against privacy regulations by claiming the regulations force them to inconvenience you.

In fact a great many of the pop-us (the vast majority) are actually in breach, deliberately so, because they make it far more work to opt out than to opt in.

If all you track by default is tokens required for correct functioning of the site (session tokens and such) then you do not need a pop-up at all.

[fwlr]

I’m not “falling for the advertising industries attempts”. You’re missing my point, which is that the law specifies you must use a particularly atrocious UX pattern.

[dspillett]

I am not missing your point. I am asserting that your point is incorrect. Show me where in a law/regulation where anything like that is stipulated.

IIRC all that is stipulated in the EU regs, for instance, WRT cookies and other tracking tech is the ability to opt-out should be as easy as the ability to opt in, it should not be auto-opt-in, you can opt-out later if you do opt-in, and you should be properly informed about what you are opting into.

The bad UX patterns making it time-consuming, confusing, or otherwise unpleasant, to opt-out are actually against the spirit of the law (perhaps even the letter of the law) but unfortunately it is not proving really practical to enforce.