[kstrauser]

You're right, for sure. It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes. I haven't put any time into nailing down the wording, but something that communicates "sites are allowed use 'authentication cookies' to validate a user's ability to make server requests" would be most welcome. Then you could actually have an incentive to remove the cookie banner on sites that only use cookies for session authentication. You don't also use them to integrate with your marketing analytics kraken? Sweet! You don't have to have a banner or other notice!

[latexr]

> It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes.

That’s exactly what it does.

https://commission.europa.eu/resources/europa-web-guide/desi...

They list more types of cookies which do not need consent than the ones which do.

[buzer]

It's important to note that this is what European Commission has determined to be acceptable for them. One very important distinction here is, as far as I understand, that EC is not bound by ePrivacy Directive as directives bound member states and require them to include them on their national law. They do still try to be consistent with how the directive is applied in the member states though but since it can be varied they have more leeway compared to most other controllers.

The text on that website does state that some DPAs have found some first-party analytics acceptable, but that's not something that is confirmed by CJEU. And ePD does not have single-stop shop so you need to follow every DPAs directions if you are offering services to that DPA's country.

[kstrauser]

Oh, nice! That page seems to have been written a year ago[0] and I wasn't aware of it. If that had existed from day one, we probably wouldn't be having this conversation.

0: https://web.archive.org/web/20250301000000*/https://commissi...

[latexr]

> That page seems to have been written a year ago

The page has existed for several years, it was just at a different URL before. Here’s a version from 2021:

https://web.archive.org/web/20210623122357/https://wikis.ec....

[kstrauser]

I'll concede that, but that's still several years after the law was deployed and people had to kind of guess for a while.

GDPR isn't unique in that. When HIPAA came out in the US, no one was sure what it actually meant. I personally talked to hospital administrators who were convinced that we'd have to put up a "take a number" device in waiting rooms and call out "#53? It's your turn #53!", which the owners of the practice I ran flat-out refused to do: "the waiting room is currently occupied by Mr. Smith and Mrs. Jones, who have known each other since kindergarten, and I'm not going to refer to them as numbers". It took several years to build consensus on how to comply with it.

[latexr]

> I'll concede that

In case it wasn’t clear, I wasn’t trying to “gotcha” you or anything. I took your message to be in good faith. I just knew the website used to exist on another page because I remember having it in my bookmarks and it breaking and having to search for the new one.

> but that's still several years after the law was deployed

Maybe, I do not know. I didn’t search for it before then, so for all I know it was available at some other domain too. Or maybe it wasn’t, that’s the earliest one I remember.

[kstrauser]

Understood, and appreciated in the manner in which you meant it! I do love talking about this stuff. I've discovered that I have a giant regulation nerd deep inside me.

[dathinab]

the site didn't exist from day one, the exceptions do

(but some informational requirements have been slightly relaxed recently I think)

[bruce511]

See Article 5(3). There is a specific carve-out for cookies that are used solely for essential site operation and security.

[dathinab]

> It'd be nice if the law included an explicit exception for local cookies for routine site operation purposes.

it does have such exception, always did (as long as the cookies are not used for tracking or other non essential things etc.). It might not be supper explicit but it's explicit enough to have you on the safe side.

you do have to inform people, but there are very non intrusive ways to do so (as it's informational only, i.e. no user interaction like confirm/accept is needed at all). (I think? they also have removed part of the explicit informational requirement for some things recently, i.e. it's good enough to list it on your site in the TOS/Dataprotection section/sub-site.)

there are other (I think not EU wide but nation specific) laws which get confused with it and handle things different, based on sites storing their data on your computer (and with that any cookie)

the reason most sides don't do anything like that isn't because they can't. It's because they try to harass user endlessly until they always click on confirm and can be tracked. Or because they don't know better due to a endless slew of systematic misinformation spread by advertisement agencies like Google Ads.

[mhitza]

If you use cookies only for authentication it can be a single note on the login form.

[latexr]

You don’t even need that.

https://commission.europa.eu/resources/europa-web-guide/desi...

> Cookies and similar technologies that generally do NOT need consent

> (…)

> Authentication cookies, for the duration of a session

[dathinab]

needing consent and informing the user are two distinct concepts

I think you did need to explicitly tell the user about it.

But I think (not fully sure) they did relax that recently so just listing it in you Privacy Policy or similar should be enough by now.

But also due to how enforcement is designed it's not that you really had to worry about anything if you only have non-censent requiring cookies and list them clearly in the privacy policy. Worst case a privacy agency tell you to "improve on it" without penalty.

It's just which site (or app) today doesn't use something like Google Ad Network, or Metas Ad Network, or Apples Ad network. All of which do not support ads without tracking (which still are very viable, e.g. select ads based on what the side/ad is about).

[latexr]

> It's just which site (or app) today doesn't use something like Google Ad Network, or Metas Ad Network, or Apples Ad network.

For websites, Hacker News doesn’t seem to use any of that. For apps, Alfred doesn’t do any tracking, nor does Wipr, or Inkscape, or mpv.