by Garvi 1072 days ago
> Ideally this would be opt-in rather than opt-out for privacy reasons

As long as it's about cookies, the law is nonsense. Asking laypeople to "opt-in to tracking" so they can log into a website would render most websites inoperable.

> They’re separate laws but with the same practical enforcement / incentive problems.

I disagree with this. The cookie law popups pretend to ask users whether they consent to being tracked or not, which is entirely misleading. With GDPR the pressure is on the companies to disclose what data they are collecting on you and give you the option of deleting it.

> Both have more user-friendly requirements than people expect, both are widely violated in user-hostile ways, both are rarely enforced by regulators, and what rare enforcement does exist is slow, often reluctant, and with inadequate fines to change industry behavior.

If I understand you correctly, you're saying the main downside to GDPR is it's not properly enforced. I agree with that.

1 comments

Neither the GDPR nor the ePrivacy Directive (cookie law) requires consent for cookies that are technically necessary to operate a website, including those to reflect a user-initiated login action. This is separate from consent to tracking for advertising, marketing, and analytics purposes.

The cookie law doesn’t pretend to require consent for non-essential cookies placed on end user devices - it does require that consent. But, yeah, many of the popups handle this in misleading ways where the verb “pretend” is quite accurate. This is exactly the same problem of under-enforcement and misaligned incentives that limits the effectiveness of the GDPR, even though the two laws have different scopes and requirements.

Yes, you correctly understood the GDPR downside I was describing.