Is your contention that all of these websites and providers all simultaneously decided, incorrectly, to use these popups and that there is no legal requirement for them?
GDPR does not require any website/webapp by default to show a popup.
What GDPR requires is consent for tracking PII.
If you or anyone run a website and dont track/store/process any PII tracking information without user consent you dont need the popup.
Here is an example:
Do not put any GA or tracking analytics that tracks PII on your web app and you can still have signups and login if you gave a good terms of use and you require consent for the user when they signup. You can even use cookies in the login/signup flow but use them only for making the auth work and not for tracking.
PS: If you do signups please read the GDPR and offer to the user the option to manage their consent for accepting to provide data when they created their account: for example (IANAL) the user should be able to delete their account, download their data, retract the consent and have their account with all the info provided destroyed. You can keep data for legal reason for the minimum required period.
It's not my "contention". You could read the text of the law and point out the exact places where it talks about cookies, popups, or browsers: https://gdpr.eu/tag/gdpr/ (Hint: there are no such places)
> all of these websites and providers all simultaneously decided, incorrectly, to use these popups and that there is no legal requirement for them
Yes. Yes they did.
The bigger players decided that they have god-given right to your data. Facebook has literally spent the past several years arguing that in courts.
The smaller players rely on a handful of literal ad-industry-owned leeches like IAB[1] or OneTrust to get their popup banners from because people are stupid and/or lazy and don't want to deal with details.
So they, like you, were sold a lie of "to be compliant use our services".
Well, EU law requires you to use cookie banners if your website contains cookies that are not required for it to work. Common examples of such cookies are those used by third-party analytics, tracking, and advertising services. These services collect information about people’s behavior across the web, store it in their databases, and can use it to serve personalized ads.
At GitHub, we want to protect developer privacy, and we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really.
--- end quote ---
[1] Literally Interactive Advertisement Bureau. Fined 250 000 euros in 2022 for non-compliance.
The point of the popups started out as smokescreen for continuing behaviours illegal under GDPR
The way most of them are designed is in fact illegal.
For reference, every time a popup claims consent for "legitimate purposes" for some 3rd party? That's flat out illegal - actual legitimate purposes need no consent... and also can't be shared with third parties like this.
IANAL:
GDPR does not require any website/webapp by default to show a popup. What GDPR requires is consent for tracking PII.
If you or anyone run a website and dont track/store/process any PII tracking information without user consent you dont need the popup.
Here is an example: Do not put any GA or tracking analytics that tracks PII on your web app and you can still have signups and login if you gave a good terms of use and you require consent for the user when they signup. You can even use cookies in the login/signup flow but use them only for making the auth work and not for tracking.
PS: If you do signups please read the GDPR and offer to the user the option to manage their consent for accepting to provide data when they created their account: for example (IANAL) the user should be able to delete their account, download their data, retract the consent and have their account with all the info provided destroyed. You can keep data for legal reason for the minimum required period.