[yeahforsureman]

Are you sure?

The ePrivacy Directive requires a (GDPR-level) consent for just placing the cookie, unless it's strictly necessary for the provision of the “service”. The way EU regulators interpret this, even web analytics falls outside the necessity exception and therefore requires consent.

So as long as the user doesn't and/or is not able to automatically signal consent (or non-consent) eg via general browser-level settings, how can you obtain it without trying to get it from the user on a per-site basis somehow? (And no, DNT doesn't help since it's an opt-out, not an opt-in mechanism.)

[exyi]

Everyone I know of will try to click "reject all unnecessary cookies", and you don't need the dialog for the necessary ones. You can therefore simply remove the dialog and the tracking, simplifying your code and improving your users' experience. Can tracking the fraction which misclicks even give some useful data?

[yeahforsureman]

My point was that according to the current interpretation, if they rely on cookies, user analytics (even simple visitor stats where no personal data is actually processed) are not considered "necessary" and are therefore not exempt from the cookie consent obligation under the ePrivacy Directive. The reason why personal data processing is irrelevant is that the cookie consent requirement itself is based on the pre-GDPR ePrivacy Directive which requires, as a rule, consent merely for saving cookies on the client device (subject to some exceptions, including the one discussed).

So you need a consent for all but the most crucial cookies without which the site/service wouldn't be able to function, like session cookies for managing signed-in state etc.

(The reason why you started to see consent banners really only after GDPR came to force is at least in part due to the fact that the ePrivacy Directive refers to the Data Protection Directive (DPD) for the standard of consent, and after DPD was replaced by GDPR, the arguably more stringent GDPR consent standard was applied, making it unfeasible to rely on some concept of implied consent or the like.)

[mhitza]

User analytics that require cookies, sounds like tracking to me.

> like session cookies for managing signed-in state etc.

Maybe I'm reading it wrong, but are you saying that consent is required for session cookies? Because that is not the case, at all.

> (25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

https://eur-lex.europa.eu/eli/dir/2002/58/oj/eng

You should inform users about any private data you would be storing in a cookie. But this can be a small infobox on your page with no button.

When storing other type of information, the "cookie" problem needs to be seen from the perspective of shared devices. You know, the times before, when you might forget to log out at an internet cafe or clear your cookies containing password and other things they shouldn't. This is a dated approach at looking at the problem (most people have their own computing devices today, their phone), but still applicable (classrooms, and family shared devices).

[micromacrofoot]

there are analytics providers that don't require third party cookies, it's not hard to switch

[yeahforsureman]

The cookie consent provision under the ePrivacy Directive doesn't care whether they're first- or third-party. Actually, the way it's been worded, you'd arguably need a consent for (strictly non-"necessary") use of eg local storage, too — afaik this hasn't really come up in regulatory practice or case law, but may be more due to regulators' modest technical expertise or priorities.

A conceptually different matter altogether is consent (possibly) needed under GDPR for various kinds of personal data processing involving the use of cookies (ie not just the placement of cookies as such) and other technologies for tracking, targeting and the like. That's why you see cookie banners with detailed purposes and eg massive lists of vendors (since they can be considered "recipients" of the user's personal data under GDPR). In this context, a valid consent (and the information you have to provide to obtain it) is required (at least) when consent is the only feasible legal basis of the ones available under Art 6 GDPR for the personal data processing activities in question. This is where the national regulators have taken strict stances especially regarding ad targeting and other activities usually involving cross-site tracking, for example, deeming that the only feasible basis for those activities would be consent (ie "opt-in") — instead of, in particular, "legitimate interests" which would enable opt-out-like mechanisms instead. This is the legal context of looking critically at 3rd-party cookies, but unfortunately, for the reasons mentioned above, getting rid of such cookies might still not be enough to avoid the minimal base cookie consent requirement when you use eg analytics... :(

It's pretty ridiculous, I know, and it's a bummer they scrapped the long-planned and -negotiated ePrivacy Regulation which was meant to replace the old ePrivacy Directive and, among other things, update the weird old cookie consent provision.

[saubeidl]

As you said yourself, analytics are not necessary.

It's corpos trying to invade our privacy.