> Cookies for functionality that's necessary, i.e. expected by the user, are completely legal without any consent or notification.

No, that is not the case, though it's easy (and common) to mistakenly think that, in part due to the confusing nature of the various regulations and in part due to how frequently companies and websites purposefully misinterpret them for their benefit.

Firstly, there are legitimate reasons to ask for consent to store user data that relate to providing a service (e.g. if the service is storing a user's personal medical records, or many, many possible functions within many services).

Secondly, even without personal information being used or stored, and therefore no GDPR to worry about nor consent needing to be sought, cookies are a separate matter. A different EU law (the 2009 update of the "ePrivacy Directive") requires that EU users be notified of any cookie use. Even something as obviously reasonable as providing the functionality of a "keep me logged in" checkbox, if you're doing it with a cookie (edit: or even something equivalent like using fingerprinting on the server side to remember people), requires you to notify the user. See, for example, the UK ICO's (the relevant department for dealing with the UK's implementation of GDPR, the ePrivacy Directive, etc.) guidance on it:

> This means that if you use cookies you must:
> - say what cookies will be set;
> - explain what the cookies will do; and
> - obtain consent to store cookies on devices.
>
> PECR also applies to ‘similar technologies’ like fingerprinting techniques. Therefore, unless an exemption applies, any use of device fingerprinting requires the provision of clear and comprehensive information as well as the consent of the user or subscriber.

https://ico.org.uk/for-organisations/direct-marketing-and-pr...

A cookie being necessary for actual core functionality does allow skipping over requiring consent, but not skipping the notification part. Which is why 14 years ago, years before GDPR arrived, EU sites all started putting "cookie banners" up, most of which didn't ask for consent and just appeared on the first site visit for each user even if they didn't actively dismiss it, since showing it once was widely considered to count as having notified.

Sorry for such a long comment, but the fact that these topics are so widely misunderstood means I think it's important not to make things worse by accidentally spreading misinformation like that in your comment.
Go to any Mastodon website right now. Why aren't they providing a cookie banner for notifying that session cookies are used?
Go to GitHub for that matter. Why aren't they providing a cookie banner? We know why: https://github.blog/2020-12-17-no-cookie-for-you/
GDPR isn't concerned with cookies. What the GDPR cares about is personal data and having a legal basis for processing. And “consent” is only one of those legal bases.
You don't need consent, for example, for using a home address for delivering pizza, since pizza delivery can't work without that home address. That's what's called a “legitimate” interest. You also don't need consent for keeping logs for security purposes, if the retention rate is reasonable (e.g., 3 months). You also don't need consent if the law demands that you keep certain records for fraud detection by law enforcement (e.g., banking).
--->
A vast majority of websites needing cookie banners or GDPR consent dialogs are doing spyware shit, which includes Google Analytics (85% of all websites), or behavioral advertising via RTB platforms. And the few websites that don't probably haven't spoken with lawyers yet.