[gcbirzan]

But they're not mandatory. There is nothing stopping websites from not doing it, the previous poster was wrong. The GDPR requires consent, how you obtain that consent is irrelevant. Websites could not store cookies by default and you'd have to manually go and opt in. Maybe we even can have a per browser setting.

[account42]

Specifically, GDPR requires consent before you do (some) things the user might not want. You could simply not try to do those things and then you won't need to obtain consent at all.

It's absurd how used we have become to wantonly collecting user data that some people can't even imagine not doing that.

[gcbirzan]

Yeah. Or, you could make the opt-in something the user has to choose himself, like a link on the page.

[jeroenhd]

GDPR provides mechanisms for getting implicit consent for technically required cookies. For other types of data storage, explicit consent is required. And that's the problem, there are a lot of terrible websites out there that value their ability to stalk you and sell your information more than your ability to use the website.

For consent, the old "hide tracking terms in the terms of service" approach is not allowed anymore. That's where the popups come from, the user needs to know what they're consenting to if the data processing isn't actually required for the website to work.

I would like to see something like P3P (but better) to make a return. We have DNT and its followup, but they're not sufficiently scopable in my opinion.

[gcbirzan]

There's no implicit consent, technically required cookies have a different basis for processing. And, yes, I'm aware of that, my point is that people who create websites choose to force the consent box in front of you, there's nothing in the GDPR that mandates that. It could be a link at the bottom, some header...

[dotancohen]

  > Maybe we even can have a per browser setting.

DNT header?