Case and point, the EU Data Protection Board has a cookie consent banner and only uses a first-party cookie for analytics.

https://www.edpb.europa.eu/concernant-le-cepd/mentions-legal...

Exactly. Analytics is one of the types of data for which permission is explicitly required.

Session auth cookies are the only ones the EU considers strictly necessary.

Anyone that says the quote is the case doesn't know what they're talking about. For the love of god, just read the law text :(((

Considering that for most banners the "consent" is the easy option I assume a lot. People want to get rid of the banners.

However I claim the point of the bad UX is to make users angry and then have them complain about EU etc. "demanding" those. In order to weaken the regulation of tracking. If they are successful (and they are making progress) "no more cookie banners" is a lot better headlines than "more tracking"

I have been on a call with a CMP where they got mad at me for not resetting our user's preferences and because our 'do not accept' was high due to the fact i refused to de-promote it via a dark pattern. I kid you not.

fwiw; looking at our stats for the past year: No consent: 40.8% Full Consent: 31% Just closed the damn window: 28.1% Went through the nightmare selector: 0.07%

~1.5M impressions from GDPR areas

Most of the sites use dark patterns in the banners, from not presenting decline option to hiding and renaming it to be unrecognizable. For example I make an effort in always picking Decline All option if available and the practice shows that I click on Allow All in about 20-30% of all banners, because it was impossible to avoid. So I safely assume that general population clicks Allow All even more.

It's always those awful websites with a million popups, adverts, sites that reflow after 10 seconds, etc. They would be horrible to use even without the cookie banners.

GA is free while Fathom and Plausible are not. I think that's the main reason why GA is so popular and therefore why most sites need cookie consent banners.

That’s the argument made by the article.

I often wonder what value it actually is.

Sure, you might understand your demographics better.. if you presume that the analytics are faultless at telling you this- which they're really not.

If you care about how your site is used, you don't need to set any cookies.

For some sites and businesses that's the right approach.

For some.

But if you're including ads you're already past the point of caring about annoying your visitors.

> Disclaimer: I work on a consent product.

Forgive me for immediately untrusting you on the matter because the reality distortion field must be strong. Cookie banners are an absolute crystal clear evil and there is absolutely no leeway for a different opinion here.

(Tracking is also an undisputed evil)

> Consent banners don't have to be awful, I promise.

False.

They absolutely have to be awful because that's the whole premise of the law. You have to get user's consent. In order to force the user to make a choice you have to make it more annoying than it is annoying to read your content while ignoring the popup. The only way to conform to the law is to make users' experience on your website miserable.

> true at a certain (small) scale, when you have hundreds of millions [...] this is impractical.

True.

However it is also impractical to actually use the consent dialog. Because all the trackers and tools that different teams are adding to the site - they have to communicate with the cookie popup somehow and no living programmer would be bothered to even think about it. Nothing good for the world comes out of presenting and respecting the cookie popup ().

Thus I see fake cookie consent popups that are actually ignoring users' choices.

() On my site I do my best to respect the user's choice and do NOT track them once they hopefully reject.

> the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.

The page describing the law has more examples of cases where you do not need consent than the ones you do.

https://commission.europa.eu/resources/europa-web-guide/desi...

> proper consent banner

It is also quite complex to integrate a third-party consent management platform in a compliant way; the tool itself is a script, but it somehow needs to preempt loading of any other scripts until the right consent is given (there's also an argument whether the CMP being third-party is itself a breach of "data minimization" when such functionality can trivially be done in-house, or at least self-hosting the script).

The majority of sites fail at this, which already breaches the GDPR since merely loading a third-party script discloses your IP address and browser fingerprint to them.

It's not a big deal in their case because their CMP is itself configured to be non-compliant, but if you want to be compliant with a third-party CMP it's likely the effort to integrate it properly would be just as much as just doing it in-house.

> Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law

You're mixing GDPR up with the ePrivacy Directive (henceforth "ePrivacy", not to be confused with the proposed ePrivacy Regulation). GDPR Recital 30 describes how cookies should be understood in relation to the GDPR (to the extent that GDPR Article 4(1) didn't already make it clear), and GDPR Recital 15 affirms that "the act of writing any cookie" doesn't have any special treatment under GDPR. Whereas ePrivacy Article 5 ¶3 discusses "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", and is the real source of nearly all "cookie consent" obligations in the EU. I hope you don't work on the legal side of the consent product!

Less pithily: I've noticed a lot of "consent" providers getting this basic stuff wrong, both in their marketing copy and in their actual products. I (along with most internet users) have a vested interest in any improvements in this area. I'm available to discuss this further, if that would be helpful – keeping in mind that while I know a lot more about this than many working professionals apparently do, I'm still very much an amateur with no formal legal training.

ePrivacy Directive as amended in 2009: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

GDPR as amended in 2016 (without recitals): https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

I appreciate the list of reasons to cookies are useful. Despite having worked in technology for 25 years, I couldn't have articulated that list off the top of my head. I have never worked for a website that made money that way.

I think that means not ALL websites need invasive tracking.

you don't need a banner for shopping carts, or personalisation

the heuristic for whether you need the banner is essentially: is the user deriving the benefit, or just the operator?

if it's the latter you definitely need the banner

There's no _need_ to use cookies for tracking purposes though, it's usually just easier/cheaper/quicker (or requested by the marketing department) to use off the shelf software than actually spend the time to implement these things.

But if you have a cart, you need a cookie banner regardless of any tracking you are doing.

You can track conversions exactly without using analytics or cookies, by using promotion codes.

It's a shame this is downvoted. It doesn't make it right, but it is true.

Until the regulation actually gets enforced so that everyone is on a level playing field and does not do such things, you will be at a disadvantage if you're the only one to comply, so the winning strategy is to not comply and engage in such practices just like your competitors do.

Why would pissing off users be illegal? Websites can do whatever they want, I don't like those popups and just leave the page when they show up.

[dead]