[dgroshev]

I'm a bit confused. You're claiming what I'm saying is false, but you're just referring to someone advising something as a precaution? Do you have a primary source for a legislation mandating cookie banners? (Also, is there a cookie banner on apple.com?)

There is no "disproportionate punishment" under GDPR in practice, unless you're doing something egregious, and even then (see Facebook). I'm very familiar with the UK regulator, they publish their enforcement actions [1]. I'm not aware of a single case of a cautionary letter, much less "disproportionate punishment", that they sent over a cookie banner on its own. Are you?

Besides, you correctly hinted at the incentive structure. Your lawyer might advise you to slap a cookie banner just because because they have zero incentive not to, they don't care about your users' experience. You might care though. Personally I consulted multiple external DPOs and lawyers, as well as primary sources, before forming my opinion.

[1]: https://ico.org.uk/action-weve-taken/enforcement/

[nickpp]

I take my legal advice from lawyers, not the internet. They are the ones defending us in court if need come.

Their position was simple: my team uses 3rd party analytics tools (no ads or anything) so IPs will be passed and cookies will be stored. We don’t control them, we don’t know what kind, if they can be considered personal info or not (GDPR is intentionally vague - classic bad law). So we need to be extra careful since our regulator is not a sane one like the UK’s. Thus: follow the common practice - cookie banner. End of story.

[dgroshev]

> We don’t control them, we don’t know what kind, if they can be considered personal info or not

If I were you, I'd consider changing my lawyers. This is explicitly forbidden by GDPR (art 28), you have to know what your contracted data processors are doing, and you have to have processes in place to assure data subjects rights (eg remove their data from your contracted third parties on request). Cookie banners have nothing to do with this, and you're in breach of GDPR cookie banner or not. If your lawyers didn't stop you from breaching art 28 but recommended slapping a cookie banner "to be extra careful", that's a major red flag.

[nickpp]

That “we” was the lawyer’s “we”. But their point stands: tools change and even if we understand and trust their specs and descriptions now, those change too inevitably in the future.

A bad law, an ambiguous law compels you to be defensive and take precautions. Cookie banners are one of many such defenses and everybody seems to be doing it, validating our strategy.

Thanks for your advice, but unless you are willing to defend me in court and put your money where your mouth is, with all due respect, I will consider its value to be exactly how much I paid for it.

[dgroshev]

GDPR is not in any way ambiguous there, take a look for yourself [1]. Keeping an eye on those changes is a part of your responsibilities as a data controller, it's your vendors' responsibility to inform you of any changes, and it's your responsibility to vet vendors for GDPR compliance. Again, if your lawyers didn't explain this to you (and you haven't read the law yourself), I'd be very cautious of those lawyers.

On the other hand they probably realise there's zero chance for substantial review of your GDPR practices by the regulator (much less seeing them in court), so they can recommend sticking a useless plaster (opt-in has to be specific, and how can it be specific if you collect it for unknown future changes) and keep you in the dark about more substantial requirements.

GDPR is a very good and clearly stated law, you can read through it yourself in about half an hour to an hour, a negligible time investment for such an important piece of legislation. The purported ambiguity is a psyop by people who don't want to comply.

[1]: https://gdpr-info.eu/art-28-gdpr/

[nickpp]

The only way GDPR is unambiguous is if you interpret it in the strictest sense. Which we actually did - you truly have to, in a business-hostile place like the EU.

For example, consider IP addresses as PII. (This is of course not clearly specified by the GDPR). Then analytics processing them needs consent. Thus cookie popup.

Anything else is interpretation unproven in court.