Having worked at multiple companies and talked to multiple legal teams about this, they tend to be very conservative. So the guidance I've gotten is that if we store any information at all on the person's computer, even to know whether they've visited the site before, we still need a cookie banner.
Basically, the law created enough fear among the lawyers that software developers are being advised to include the cookie banner in cases where it isn't strictly needed.
Agreed! Many sites don't actually comply with the GDPR because they don't provide simple tools to control the cookies and instead force you through a flow. Part of my gripe with the law is the way those violations are not being systematically cited.
You'd have much better retention rates if you don't cover up the content the viewer is trying to view.
How would you like it if I shoved a banner in your face the moment you walked into a store and forced you to punch a hole in it in order to view items on the shelves?
> even to know whether they've visited the site before
So uh, don't do that.
You don't need to notify if you use cookies for required functionality like login sessions or remembering a functional setting.
If you're tracking whether they're returning or not, your activity is exactly the kind of behaviour the rule is covering because, in legal terms, it's skeezy as fuck.
> You don't need to notify if you use cookies for required functionality like login sessions or remembering a functional setting
Nobody wants to be the EU test case on precisely how "required functionality" is defined. Regardless of what the plaintext of the law says, it should be self-evident that companies will be more conservative than that, especially when the cost is as low as adding one cookie banner and tracking one preference.
"Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user."
Right, and then the legal teams tell me they don't care, and we should put up the cookie banner anyway. I feel like you didn't read my original comment.
That just means your legal team is lazy or incompetent. I work for a massive company that handles extremely sensitive PII and we don't have a cookie banner, because we don't need to have a cookie banner. GitHub doesn't have one, Gitlab doesn't have one.
The problem is that I spend hours explaining the actual technical nature of what we're doing to the legal team and I feel that there's often some kind of breakdown in communication because they don't understand the underlying technologies as well as the engineers do. And I haven't had this experience at one company, I've had it at multiple companies, several of which folks in this thread will have heard of.
To put a finer point on some of this, in one instance, I was writing an application that would allow our customers to deploy their own website with content that they had created through the tool that my company had provided. My company wasn't adding any tracking whatsoever to these pages. We were simply taking their content, rendering it properly, and hosting it for them. We ended up enforcing a cookie banner on these pages because the lawyers couldn't guarantee that there wouldn't be tracking content on that page that was added by the customers. But the end result is that every page, the vast majority of which don't have any tracking, still has a cookie banner.
In essence, the law created a new legal hazard, and people aren't sure when they're going to run into it, so they end up putting up fences all over the place. Between this and malicious compliance, the end user experience has suffered greatly.
That's super interesting, because the lawyers should know that under GDPR, consent needs to be specific.
So a generic cookie banner is actually going to make the legal case worse than not having one at all (because you've now demonstrated that you knew you should have explicitly declared usages, partners, and used opt-in consent, but you didn't).
I know that everyone wants to give me legal advice. Lawyers don't care about legal advice from engineers. That's the crux of the point I'm trying to make.
Laws should be evaluated on the effect they actually have on society, rather than the effect that we wish they had on society. I am very critical of laws that fail this test, and I think they should be updated to improve their performance. We want the right outcome, not the right rules.
I'm willing to argue that, sure (though it's purely a hypothetical point as I'm not a citizen of the EU and thus I don't and shouldn't have a voice in the laws there). I don't judge a law by a deontological measure of worth, but rather by whether it seems to be making things better or worse. The GDPR has overwhelmingly made my experience browsing the web worse, not better. Whether it should have resulted in that is beside the point: it has resulted in that, so that is what I judge it by. Therefore, I think it makes sense to get rid of the law as it seems that it is making things worse for people, not better.
> The GDPR has overwhelmingly made my experience browsing the web worse, not better.
From where I sit that's hard to evaluate since you cannot actually see most data abuses and privacy concerns, and you also don't know how it would have been without it. You also see the effects of various laws and regulations in combination, so the ones related to GDPR are not easy to single out. Are you thinking only of the cookie banners? Maybe sites would be plastered with even worse bullshit. Did you consider that GDPR also resulted in privacy policies that (if actually somewhat legal) are fairly easy to read and not just copy pasta but specific to the service(s), have proper contact information, you get some transparency about which data partners the sites work with, sites need to have full data export, right to be forgotten (removal of your data/contributions), and so on? I am certain you benefit from it often, potentially without realizing, and you wouldn't know what the world would be like without them today, so it's not so straightforward to reason about.
>At GitHub, we want to protect developer privacy, and we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really.
Go to that link; these are the cookies it writes (at least for me):
Some are from github.blog, some are from the cloudflare.com hosting. Not sure how the laws apply to that. But obviously there are several analytics cookies.
All the legal uncertainty problems the cookie law produces aside, the core problem with the law is that it's fundamentally stupid. Cookies are a client side feature: You store the cookie, not the server. If you don't want to store the cookie, complain to your browser, that's the software responsible here. But instead of fixing the issue in the one place actually responsible, we make laws that force millions of websites to adopt.
You only start to need the popups if you specifically put cookies on a visitor's browser to build a personal profile of them.
This can be for e.g. sales acquisition or marketing engagement, but also includes cookies to simplify login, so not everything is "stupid stuff." A cookie that stores "was here, skip the splash page" may already fall afoul, if you put any session metadata in it.
It is just bad UI. It could have been better implemented, such as with a browser-side opt out setting, for instance. Similar to what we have for permissions, for instance.
I happened to work with people who elaborated the GDPR rules and they knew very well that it would end with cookie banners everywhere, or mandatory logins.
If you don't track users, you don't need GDPR consent dialogs.
I think in the past you still needed some info box in the corner with a link to the data policy. But I think that isn't needed anymore (to be clear, not a consent dialog, an informational-only thing). Also you can, without additional consent, store a same-site/domain cookie remembering you dismissing or clicking on it and not showing it again (btw. same for opting out of being tracked).
But there are some old pre-GDPR laws in some countries (not EU-wide AFAIK) which do require actual cookie banners (in contrast to GDPR consent dialogs or informational things). The EU wants them removed, but politics moves slow AF, so not sure what the state of this is.
So yes, without checking if all the older misguided laws have been dismissed, you probably should have a small banner at the bottom telling people "we don't track you but for ... reasons .. [link] [ok]" even if you don't track people :(. But also, if they haven't gotten dismissed, they should be dismissed very soon.
Still, such a banner is non-obnoxious, a little annoying (on PC/tablet, a bit more annoying on phone). And it isn't that harass-people-into-allowing-you-to-spy-on-them nonsense we have everywhere.
Disclaimer: IANAL and this is not legal advice.