Parent is right, banners are not required by GDPR. These websites do not reflect the people in the organisations they represent, they are made by developers like the rest of us who are following the crowd like sheep.
3. Analytics cookies
We use these purely for internal research on how we can improve the service we provide for all our users.
The cookies simply assess how you interact with our website – as an anonymous user (they data gathered does not identify you personally).
Also, this data is not shared with any third parties or used for any other purpose. The anonymised statistics could be shared with contractors working on communication projects under contractual agreement with the European Commission.
However, you are free to refuse these types of cookies – either via the cookie banner you will see on the first page you visit or at Europa Analytics.
That appears to be things covered by the GDPR and that they need some way to inform you that you can reject them ... and that's done with a banner that allows you to reject those cookies.
Given that analytics is used, and that has cookies that track information, they're required to have that notification somehow. That page doesn't appear to be a "developers following the crowd like sheep" but rather "the requirements of the law are followed to the spirit and letter and the easiest and most accessible way to provide that functionality is with a banner."
The banner works for its requirements with GDPR and meets the requirements for accessibility.
Surely, one cannot expect that companies trying to save costs will go through great lengths to implement something that they don't know if it will work or not or if they'll get sued in the EU if they implement a different solution when the EU themselves implement it this way.
If there is a better way of doing it that doesn't lead to lawsuits, the EU's website should be the first ones to implement and demonstrate an easier and more accessible way to comply with the GPDR.
As it is, the websites of europa.eu are setting the standard for companies to follow when they want to make sure that they don't get sued for failure to comply with the GPDR for website notifications and accessibility within the EU.
This is an issue I regulary face, people not being educated on what the damn thing actually is. A general catchall banner on intial website load is the laziest and most intrusive way to get compliance, but its the easiest for developers so they generally take that way out.
As a company, if I were to implement something that is unknown to be in compliance with the spirit or letter of the GDPR, it is possible that the company would get sued within the EU.
The way to ensure that you don't get sued is to copy the structure of the one website that you know is in compliance with the GPDR and follow their lead.
When reading the GPDR text from https://eur-lex.europa.eu/homepage.html I see a cookie banner. If it works there and that is the example of how to be in compliance with the obligations of a website for cookies? Would some other implementation that isn't done that way be risky in that the courts in Europe could decide that it wasn't done correctly?
Until the websites of europa.eu change to show an alternative way to be in compliance with cookie notification for the GDPR, banners remain the least risky (and yes, easiest and laziest) way to try to remain in compliance.
Nothing in the GPDR says "thou shalt have a banner" - but that's not the issue at hand. What is the least risky way for a company to implement the requirements of GDPR given that's the way europa.eu does it?
Given that analytics is used, and that has cookies that track information, they're required to have that notification somehow. That page doesn't appear to be a "developers following the crowd like sheep" but rather "the requirements of the law are followed to the spirit and letter and the easiest and most accessible way to provide that functionality is with a banner."