by geon 516 days ago
I’m so tired of the popups.

YOU DON’T NEED A POPUP TO USE COOKIES!

Just stop tracking people across sites and you’re good. Cookies, localstorage or fingerprinting makes no difference. The distinction is whether you track users or not.

You are allowed to use cookies to your heart’s content, as long as the cookie is necessary for the functionality of your site, like a session id, or a shopping cart id.

> [You must] Receive users’ consent before you use any cookies except strictly necessary cookies.

What is worse, ALMOST ALL POPUPS ARE STILL ILLEGAL.

Having the decline option hidden behind an extra click on “Manage Cookies” makes it easier to accept than to decline. You should also be able to withdraw the given consent at any time, but I have never noticed a site with that functionality.

> Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

https://gdpr.eu/cookies/

2 comments

For my mom’s small business, I actually tried to craft something compliant by hand (because I can). It’s surprisingly hard to get it right! Like, don’t load external scripts unless consent has been given, reflect that in the interface, and allow withdrawing consent. For example, there’s a maps embed showing the store address. But that can only be displayed if you actually consent to the prompt! So that means you’ll need to hold a list of script sources to add to the document head if the respective category has been accepted, but not earlier. Most implementations get this wrong, loading third-party scripts and snippets in normal script tags, assuming the users will consent anyway.
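The consent-gated loading described in the comment above, as an added example that is not part of the original thread: a per-category list of script sources that are injected into the document head only after that category is accepted, and removed again on withdrawal. The category names, URLs, storage key and function names are constructed for illustration; `doc` and `storage` are assumed to behave like `document` and `localStorage`.

```javascript
// Added example. Categories and URLs below are constructed placeholders.
const REGISTRY = {
  maps: ["https://maps.example.com/embed.js"],
  analytics: ["https://stats.example.com/collect.js"],
};
const STORAGE_KEY = "consent.categories"; // hypothetical key name

function createConsentManager(doc, storage, registry = REGISTRY) {
  const injected = new Map(); // src -> <script> element this manager added

  // Unknown categories and corrupt stored values count as "no consent".
  function granted() {
    try {
      const saved = JSON.parse(storage.getItem(STORAGE_KEY) || "[]");
      const list = Array.isArray(saved) ? saved : [];
      return new Set(list.filter((c) => Object.hasOwn(registry, c)));
    } catch {
      return new Set();
    }
  }

  // Bring <head> in line with the stored choice; call on every page load.
  function sync() {
    const allowed = granted();
    for (const [category, sources] of Object.entries(registry)) {
      for (const src of sources) {
        if (allowed.has(category) && !injected.has(src)) {
          const el = doc.createElement("script");
          el.src = src;
          el.async = true;
          doc.head.appendChild(el);
          injected.set(src, el);
        } else if (!allowed.has(category) && injected.has(src)) {
          // Removing the tag does not undo code that already ran,
          // so the caller should reload the page after a withdrawal.
          injected.get(src).remove();
          injected.delete(src);
        }
      }
    }
    return [...injected.keys()];
  }

  // Same call grants and withdraws, so both are equally easy to wire up.
  function setConsent(category, on) {
    const next = granted();
    if (on && Object.hasOwn(registry, category)) next.add(category);
    if (!on) next.delete(category);
    storage.setItem(STORAGE_KEY, JSON.stringify([...next]));
    return sync();
  }

  return { sync, setConsent, granted: () => [...granted()] };
}
```

In a browser this would be created once with `createConsentManager(document, localStorage)` and `sync()` called on load, with no third-party `<script>` tags left in the static HTML.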
The easy solution is to just not load external scripts. Done.
Yes, yes, yes.

By the way: this also aligns with the implementations of the ePrivacy directive done by individual countries.

Just go and read individual laws of each country, but the myth that "even login and shopping cart cookies need consent" is just a myth. It would be impossible to comply with both ePrivacy and GDPR if this was the case.

As much as the cookie banner industry is trying to tell you, you don't need TrustArc, OneTrust or other shady products on every website. Just don't do shady shit. First because you don't need it, second because, as you said, these products are almost always doing some illegal shit.