by iEchoic 818 days ago
Our lawyers told us otherwise.

Regardless of the answer here, the fact that there's still a debate about what basic functionality requires a cookie banner is really a testament to how bad this legislation is. How long has this been around, 20 years? And there's still widespread debate and lack of understanding as to what specific functionality requires a cookie banner?

8 comments

Here is an authoritative source[0]:

> consent is not required [for] cookies that are strictly necessary to provide an online service that the person explicitly requested. e.g. […] when your customers use a shopping basket

So shopping carts (user clicked to add to cart) and notification preferences (user clicked to indicate preference) don’t require consent. Same for authentication cookies.

The page is quite clear; the confusion likely arises from how companies implement it.

[0]: https://europa.eu/youreurope/business/dealing-with-customers...

I am amused that your official EU link, which contains only static documentation, asks me to choose between “all cookies” and “essential cookies”.

I think it's worth noting that those cookies keep track of whether you have filled out their feedback form and count the number of unique visitors to the page, or are cookies from third parties the website may present embeds from: https://european-union.europa.eu/cookies_en

Yep. In other words, things that almost every website in the past 10 years does, making consent banners ubiquitous.

> Our lawyers told us otherwise.

Probably because they're not particularly technical people, and also because of the asymmetric incentives for them personally.

Tell someone to put a cookie banner up when they didn't need to: no consequences.

Tell someone not to put a cookie banner up when they did need to: potentially big consequences for them and their career.

Your lawyers are playing it safe. Their job is to make sure your company is not getting into lawsuits, and having a cookie banner that is not needed won't get you into a lawsuit, so that's what they suggest. They don't care about annoying your users.

If you really care about not annoying your users and don't intend to track them more than what's absolutely required for the service to work, then talk with your lawyers more. Of course, it is not free as it requires extra work, and it may carry some risk (which your lawyers should minimize), but it may be worth it: many people press the "back" button as soon as they see a cookie banner and try their luck elsewhere.

Yes, and if you ask the CFO about the best way to increase profits, the answer is always to fire all your staff. That doesn't mean that that answer is the most optimal solution.

You can find a lot of guidelines around GDPR or ePrivacy made by the EDPB or a DPA. For instance:

https://ec.europa.eu/justice/article-29/documentation/opinio...

This says that cookies for a shopping cart or user preferences are exempted from consent. The ICO and the CNIL say the same, as expected.

Maybe your shopping cart is served through a third party domain, like a Shopify iframe or something?

Fair, I can't argue with that. It's definitely a shame.

> How long has this been around, 20 years?

No. It took effect in 2018.

Cookie banners are a response to the ePrivacy directive from 2002.

They weren't widely implemented until post GDPR, and in fact post https://curia.europa.eu/juris/document/document.jsf;jsession...