by bad_user 1005 days ago
Cookies for functionality that's necessary, i.e. expected by the user, are completely legal without any consent or notification.

Fact of the matter is, when you see a cookie banner, that's always for spyware shit that the service doesn't really need to serve the user (e.g., analytics, tracking).


> Cookies for functionality that's necessary, i.e. expected by the user, are completely legal without any consent or notification.

No that is not the case, though it's easy (and common) to mistakenly think that - in part due to the confusing nature of the various regulations and in part due to how frequently companies and websites purposefully misinterpret them for their benefit.

Firstly, there are legitimate reasons to ask for consent to store user data that relate to providing a service (eg if the service is storing a user's personal medical records, or many many possible functions within many services).

Secondly, even without personal information being used or stored, and therefore no GDPR to worry about nor consent needing to be sought, cookies are a separate matter. A different EU law (the 2009 update of the "ePrivacy Directive") requires EU users be notified of any cookie use - even something as obviously reasonable as providing the functionality of a "keep me logged in" checkbox, if you're doing it with a cookie (edit: or even something equivalent like using fingerprinting on the server side to remember people) you need to notify the user.

See, for example, the UK ICO's (the relevant department for dealing with UK's implementation of GDPR, ePrivacy Directive, etc) guidance on it:

> This means that if you use cookies you must:

> - say what cookies will be set;

> - explain what the cookies will do; and

> - obtain consent to store cookies on devices.

> PECR also applies to ‘similar technologies’ like fingerprinting techniques. Therefore, unless an exemption applies, any use of device fingerprinting requires the provision of clear and comprehensive information as well as the consent of the user or subscriber.

https://ico.org.uk/for-organisations/direct-marketing-and-pr...

A cookie being necessary for actual core functionality does allow skipping over requiring consent, but not skipping the notification part. Which is why 14 years ago, years before GDPR arrived, EU sites all started putting "cookie banners" up, most of which didn't ask for consent and just appeared on the first site visit for each user even if they didn't actively dismiss it, since showing it once was widely considered to count as having notified.

Sorry for such a long comment, but the fact that these topics are so widely misunderstood means I think it's important not to make things worse by accidentally spreading misinformation like that in your comment.

I'm going to repeat … cookie banners are not necessary for functionality that the user expects to receive as part of the service provided. And yes, this is part of the ePrivacy Directive. And indeed, the cookie banners that only “notify” users, without requiring an acknowledgement to proceed, are not even legal.

Go to any Mastodon website right now. Why aren't they providing a cookie banner for notifying that session cookies are used?

Go to GitHub for that matter. Why aren't they providing a cookie banner? We know why: https://github.blog/2020-12-17-no-cookie-for-you/

GDPR isn't concerned with cookies. What the GDPR cares about is personal data and having a legal basis for processing. And “consent” is only one of those legal bases.

You don't need consent, for example, for using a home address for delivering pizza, since pizza delivery can't work without that home address. That's what's called a “legitimate” interest. You also don't need consent for keeping logs for security purposes, if the retention rate is reasonable (e.g., 3 months). You also don't need consent if the law demands that you keep certain records for fraud detection by law enforcement (e.g., banking).


A vast majority of websites needing cookie banners or GDPR consent dialogs are doing spyware shit, which includes Google Analytics (85% of all websites), or behavioral advertising via RTB platforms. And the few websites that don't probably haven't spoken with lawyers yet.

If you're so convinced you're right about this point (which is not the view of lawyers I've seen spend tens of thousands worth of billable hours around GDPR and ePrivacy Directive... though I'm not in the legal profession myself, just somebody who has seen the legal advice about this at multiple tech companies, and it's a confusing enough area of law with little precedent set in courts yet, so it's absolutely not impossible that they and therefore I am wrong, though I don't think it's the case) maybe you could provide a source for the claim that's from an actual authority - like the source I provided from an actual government department responsible for implementation of enforcement of these laws, which disagrees with the view of GitHub, a company that may or may not have interpreted the law correctly?

Also, saying "I'm going to repeat..." to someone who had (rightly or wrongly) corrected something you said, is not really helpful, it's not adding to the argument and is more likely to push people away than to get them to reconsider your belief (almost made me just ignore your whole reply, to be honest). I'd suggest saving that phrase for when somebody had forgotten something you said, not when they think that what you said is wrong.

Well his username is bad_user :)