Disclaimer: I work on a consent product.
If you're in any way something beyond a hobbyist, you should probably get legal advice about whether you need to get affirmative or implicit consent, whether you need to handle universal opt-out signals (in California, Global Privacy Control signals are now legally required to be respected), etc.
Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
And a proper consent banner will immediately handle your GPC signal, and generally not show you anything (California now requires a visual notification that your preference has been respected).
I understand what the author is actually saying: you can design sites that don't require the tracking tools requiring consent. And yes, while true at a certain (small) scale, when you have hundreds of millions or billions of page loads per month, and several development teams, a partnership group, and a lot of moving parts, you'll forgive me for thinking this is impractical.
Consent banners don't have to be awful, I promise.
> the act of writing any cookie is actually covered under the law (because you're storing something on the user's computer). You're required to disclose that these cookies are in use.
The page describing the law has more examples of cases where you do not need consent than the ones you do.
https://commission.europa.eu/resources/europa-web-guide/desi...
> proper consent banner
It is also quite complex to integrate a third-party consent management platform in a compliant way; the tool itself is a script, but it somehow needs to preempt loading of any other scripts until the right consent is given (there's also an argument whether the CMP being third-party is itself a breach of "data minimization" when such functionality can trivially be done in-house, or at least self-hosting the script).
The majority of sites fail at this, which already breaches the GDPR since merely loading a third-party script discloses your IP address and browser fingerprint to them.
It's not a big deal in their case because their CMP is itself configured to be non-compliant, but if you want to be compliant with a third-party CMP it's likely the effort to integrate it properly would be just as much as just doing it in-house.
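Added example, not part of the comment above or of any CMP product: one way to stop other scripts loading before consent is to decide server-side which script tags are emitted at all, so a blocked third party is never contacted. The script inventory, the `consent` cookie and its format are hypothetical, and letting a `Sec-GPC: 1` request header override a stored opt-in is an assumption of this sketch.

```javascript
// Added example. Script inventory, cookie name and cookie format are
// hypothetical; only the Sec-GPC request header comes from the GPC spec.
const SCRIPTS = [
  { src: "/static/app.js", purpose: "necessary" },
  { src: "https://analytics.example/a.js", purpose: "analytics" },
  { src: "https://ads.example/tag.js", purpose: "advertising" },
];
const KNOWN_PURPOSES = new Set(SCRIPTS.map((s) => s.purpose));

// Parse "consent=analytics.advertising" out of a Cookie header.
// Unknown purpose names are dropped instead of trusted.
function parseConsentCookie(cookieHeader = "") {
  const granted = new Set();
  for (const part of cookieHeader.split(";")) {
    const [name, value = ""] = part.trim().split("=");
    if (name !== "consent") continue;
    for (const p of value.split(".")) {
      if (KNOWN_PURPOSES.has(p)) granted.add(p);
    }
  }
  return granted;
}

// Decide which purposes may load for this request. Header names are
// expected in lower case, as Node's http module delivers them.
// Assumption: a GPC signal overrides any stored opt-in.
function allowedPurposes(headers) {
  const allowed = new Set(["necessary"]);
  if (headers["sec-gpc"] === "1") return allowed;
  for (const p of parseConsentCookie(headers["cookie"])) allowed.add(p);
  return allowed;
}

// Emit <script> tags only for allowed purposes. A script that is never
// written into the page never causes a request to its host.
function renderScriptTags(headers) {
  const allowed = allowedPurposes(headers);
  return SCRIPTS.filter((s) => allowed.has(s.purpose))
    .map((s) => `<script src="${s.src}" defer></script>`)
    .join("\n");
}
```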
> Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law
You're mixing GDPR up with the ePrivacy Directive (henceforth "ePrivacy", not to be confused with the proposed ePrivacy Regulation). GDPR Recital 30 describes how cookies should be understood in relation to the GDPR (to the extent that GDPR Article 4(1) didn't already make it clear), and GDPR Recital 15 affirms that "the act of writing any cookie" doesn't have any special treatment under GDPR. Whereas ePrivacy Article 5 ¶3 discusses "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", and is the real source of nearly all "cookie consent" obligations in the EU. I hope you don't work on the legal side of the consent product!
Less pithily: I've noticed a lot of "consent" providers getting this basic stuff wrong, both in their marketing copy and in their actual products. I (along with most internet users) have a vested interest in any improvements in this area. I'm available to discuss this further, if that would be helpful – keeping in mind that while I know a lot more about this than many working professionals apparently do, I'm still very much an amateur with no formal legal training.
ePrivacy Directive as amended in 2009: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
GDPR as amended in 2016 (without recitals): https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
> Disclaimer: I work on a consent product.
Forgive me for immediately untrusting you on the matter because the reality distortion field must be strong. Cookie banners are an absolute crystal clear evil and there is absolutely no leeway for a different opinion here.
(Tracking is also an undisputed evil)
> Consent banners don't have to be awful, I promise.
False.
They absolutely have to be awful because that's the whole premise of the law. You have to get the user's consent. In order to force the user to make a choice you have to make it more annoying than it is annoying to read your content while ignoring the popup. The only way to conform to the law is to make users' experience on your website miserable.
> true at a certain (small) scale, when you have hundreds of millions [...] this is impractical.
True.
However it is also impractical to actually use the consent dialog. Because all the trackers and tools that different teams are adding to the site - they have to communicate with the cookie popup somehow and no living programmer would be bothered to even think about it. Nothing good for the world comes out of presenting and respecting the cookie popup (*).
Thus I see fake cookie consent popups that are actually ignoring users' choices.
(*) On my site I do my best to respect the user's choice and do NOT track them once they hopefully reject.