alt Hacker NewsIt would be nice if you could argue, “well, just be a good site and don’t use marketing cookies”, but the ePrivacy Directive requires consent for performance and preference cookies too. Perhaps a liberal reading arguably allows classification of certain statistics and preferences functions to be strictly necessary, like “I wouldn’t provide this service without crash reporting because I’d go insane so it’s strictly necessary”, but most lawyers would be ill before advising as much.
Replies
There’s still the question of what law mandates that they are annoying pop-ups? They could be preferences in a menu, for example.
What happened is website operators started to feel entitled to doing whatever they want with cookies on users’ machines and eventually decided to act like petulant children when the rules changed.
Yes that's the point. You don't need those things. The idea that a news article or blog post or e-commerce page could "crash" is ridiculous, and the law shouldn't humor that excuse. There's been standard ways to declaratively define such pages since before scripting frameworks gained popularity. Use those standard ways. If you're really building an app and need to performance test, buy some hardware in your target range. Privacy aware users block things like Sentry.
The GDPR standard of "consent" (as I suspect you know, but as context for my opinion) is applied to the ePrivacy Directive and relates to any cookies that are not strictly necessary.
I do not like using the legal basis of "consent" for processing personal data, and I would much prefer not to need to use consent for placing cookies. As it is, in my personal capacity I can get away without placing cookies at all .
If we had access to other lawful bases for placing cookies, I'd like to think we could work out way towards phasing out any blanket consent. I'm sure "legitimate interests" would be abused and over-relied-on. But it already is, and if we're not arguing with people about whether the "consent" they rely on is legitimate then maybe we'll have more time to worry about whether companies are using other bases appropriately.
If cookies are only used for preferences functions, then I should expect that it should only require to mention the cookies in the preferences menu (I hope)? If they have a document to explain each cookie by name, then it would also be helpful, that you can enable/disable them individiaully (or make them read-only) by the browser settings. However, for some things such as languages there are other ways to do without using cookies, such as Accept-Language header for languages, although cookies could be used to override the Accept-Language header in case both are present in the request.