by swores 1173 days ago
No that's not true, though it does get spouted very often in online comments.

It's true that a cookie banner (notification only) does not equal "the site can now do whatever it wants and is GDPR compliant thanks to the banner".

However, cookie notification banners are nothing to do with GDPR! They are to comply with an earlier (but still active after GDPR) bit of legislation, the 2002 'ePrivacy Directive' (sometimes known as the "cookies law").

If you don't go near personal data, but still want to use cookies for website functionality, then GDPR doesn't apply but you need to notify users of your use of cookies. If you are doing stuff that's covered under GDPR, then you obviously need to do more than just a cookie notification, and in most cases doing that 'more' will cover the non-personal cookies too so no need for a separate cookie notification on top.

https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

edit to be more specific: section (25) includes "Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using." and "Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose." (meaning that unlike with GDPR, it's easier to say "these cookies are necessary, accept them or don't use this website")

Full text of that 2002 directive: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

And the usual disclaimer: this is not legal advice. If you're doing anything affected by either the ePrivacy Directive or GDPR, you'd do well to get specific advice from a lawyer with specific expertise in this area, and, if it's a personal site (or a company without the money for legal advice), to be better safe than sorry and give users more power than required (in terms of requiring their consent to use even cookies that might not need explicit opt-in to be legal, etc.) rather than less. Better both in terms of liability and in terms of ethics!

1 comments

> However, cookie notification banners are nothing to do with GDPR! They are to comply with an earlier (but still active after GDPR) bit of legislation, the 2002 'ePrivacy Directive' (sometimes known as the "cookies law").

The cookie banners people are now complaining about are literally companies skirting or otherwise breaking GDPR. Because they now have to ask for your consent before they siphon your data and sell it wholesale to the highest bidder.

Sorry if I wasn't clear, there's confusion between banners put up because of GDPR and actual 'cookie banners'.

There are certainly plenty of examples of poorly implemented banners attempting to comply with GDPR while not actually being compliant, where consent is required, but I wouldn't call those 'cookie banners' since they generally talk about privacy and personal data, not just about cookies/local storage.

My point was that there are plenty of websites that don't need to comply with GDPR (because nothing they do falls under its scope), but they still need to comply with the ePrivacy Directive, and therefore there are plenty of cookie banners used for that purpose that are a perfectly acceptable way of complying with that law - though because people are more familiar with GDPR than with the ePrivacy Directive, they see those banners and think it's a non-compliant attempt at dealing with GDPR.

I wish they'd update the ePrivacy Directive :)

---

I think, but don't quote me on that, that with ePrivacy you don't really need a banner, but an explanation that you use cookies. But that is a minor issue.

I think there is an update being discussed? Away from my desk but will look in a bit.

I saw this discussed in my Twitter feed today, so the second- or third-hand account is that the update has been in the works for almost a decade, being fought tooth and nail by the same companies that fight any other privacy initiative.

Hearsay and rumours, so don't take this seriously.

Ah yeah, this is what I came across earlier when looking for the full 2002 text: "Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)"

But it's from 2017... https://eur-lex.europa.eu/legal-content/EN/TXT/?darkschemeov...

(If the twitter discussion was interesting, any suggested accounts to follow for this sort of topic?)