The rules are actually only concerned with tracking cookies. Session cookies and user preference cookies aren't within their scope. They are still perfectly acceptable to use without explicit consent from the user.
The law talks about information that can be used to identify a person.
So a cookie such as "gdpr_response=ok" has ZERO effect on GDPR compliance.
I wouldn't be so certain about that. Before now, most people were pretty certain that an accept/decline warning was enough and that they had the right to refuse service to people who did not click OK on the warning.
This comes up in _every_ discussion about GDPR.
I honestly worry - are we as developers just extra stupid, or are other occupations (electricians, ship captains, architects) equally lax when it comes to reading and following regulations?
1. You ARE allowed to use any cookies you like without popup warnings, as long as the cookie can't be used to bind the session to personally identifiable information (PII) about the user. Session cookies are perfectly fine when used to manage webapp state, such as what page a user is on, what feature has been enabled and so on. The same goes for other identification methods used for this sort of purpose.
2. Any technical means used to make a connection to a user's PII does fall under GDPR.
Seeing the underlying intent?
GDPR is about avoiding invisible tracking (connection to a European citizen). The regulation is written to bring that sort of behavior to an end. Your fingerprinting example, as well as any other "clever" technical ways of achieving the identification objective, when the purpose is that of invisible tracking (tracking where the user isn't in control of the profile information generated), is explicitly what the regulation aims to nail.
Do read the regulation document. It's actually a very well-written document that even a non-lawyer can understand: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
GDPR is about users gaining control of the lifecycle of information pertaining to their identity, so if you or your proxies (Google/FB or other ad companies, for example) have PII about a user, then the GDPR stipulates processing constraints on that information, which includes any information that can be associated with the user. E.g. building a profile about a user that can be tied to a user's PII becomes part of the user's PII, and thus subject to the intended end-user lifecycle control. What that control means is stated clearly in the document linked above.
When the web plays its normal Chinese whispers game on any kind of fact, it's always best to go directly to the source to see what was actually said or written. In this particular case with GDPR, this is definitely the case. Not a single one of my US colleagues or friends had even an inkling of what GDPR actually is about, and it seems most of this community is in the same boat.
I guarantee that reading the actual doc will dispel a lot of unfounded fears.
If you happen to have even the slightest layman's interest in law, or appreciate games / brain teasers, then you might actually be a bit impressed by the cleverness of the wording in parts of the document, and how it all comes together. Myself, having been in the dev field for 20 years, I've read my fair share of EULAs, licenses and contracts, and to me I saw some true genius shine through halfway through the document, like watching a good chess player set up a board and guard against obvious attacks by the opponent. I felt I could almost see into the minds of the authors; what they sought to accomplish, loopholes they tried to close, and an attempt at creating a defensive shield that would be as "future proof" as they could make it, against new unknowns introduced by rapid technical innovation.
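The two points above (cookies are fine when they carry nothing that binds the session to PII, and the webapp state lives server-side) and the earlier "gdpr_response=ok" preference cookie can be made concrete in code. The following is an added example written for this thread, not code from any of the commenters: an opaque random session id whose server-side state is restricted to plain app state, a guard that refuses PII keys in that store, and a persistent preference cookie whose value is a shared constant. The in-memory store, the allowed state keys and the PII key list are constructed assumptions for the example.

```python
import secrets
from http import cookies

# Constructed in-memory session store for this example: opaque token -> app state.
# A real deployment would back this with a cache or database; the principle is the
# same: the cookie carries only the token, and all state stays on the server.
SESSION_STORE = {}

# Webapp state a session may hold without consent (what page the user is on,
# which features are enabled, UI locale). Assumed key set for the example.
ALLOWED_STATE_KEYS = {"page", "features", "locale"}

# Keys that would turn the session into a link to a person. Assumed, illustrative list.
PII_KEYS = {"email", "name", "user_id", "ip_address", "phone"}


def new_session() -> str:
    """Create a session keyed by a 256-bit random token that encodes nothing about the user."""
    token = secrets.token_urlsafe(32)  # 43 URL-safe characters, no cookie quoting needed
    SESSION_STORE[token] = {}
    return token


def set_state(token: str, key: str, value) -> None:
    """Store app state server-side; refuse anything that is not plain webapp state."""
    if key in PII_KEYS:
        raise ValueError(f"{key!r} would bind the session to PII; it does not belong in this store")
    if key not in ALLOWED_STATE_KEYS:
        raise ValueError(f"unknown state key {key!r}")
    SESSION_STORE[token][key] = value


def session_is_pii_free(token: str) -> bool:
    """True when the server-side state for this token holds none of the PII keys."""
    return not (PII_KEYS & SESSION_STORE[token].keys())


def session_cookie(token: str) -> str:
    """Set-Cookie value for the session id.

    No Expires/Max-Age, so the browser discards it at the end of the session;
    HttpOnly, Secure and SameSite limit theft and cross-site reuse of the token.
    """
    c = cookies.SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def preference_cookie(name: str, value: str, days: int = 180) -> str:
    """A user-preference cookie such as gdpr_response=ok.

    It is persistent (Max-Age), but its value is the same constant for every
    visitor who made that choice, so it identifies nobody on its own.
    """
    c = cookies.SimpleCookie()
    c[name] = value
    c[name]["max-age"] = days * 24 * 3600
    c[name]["secure"] = True
    c[name]["samesite"] = "Lax"
    c[name]["path"] = "/"
    return c.output(header="").strip()


def demo_headers():
    """Build the two Set-Cookie values a consent-free page would emit."""
    token = new_session()
    set_state(token, "page", "/checkout")
    set_state(token, "features", ["dark_mode"])
    return session_cookie(token), preference_cookie("gdpr_response", "ok")


if __name__ == "__main__":
    for header in demo_headers():
        print("Set-Cookie:", header)
```

The distinction the thread draws is about purpose, not cookie syntax: the same `sid` cookie becomes a tracking identifier the moment the server-side record it points to is joined with an email address or a cross-site profile, which is exactly what the `PII_KEYS` guard in `set_state` refuses to do silently.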
I should mention that I essentially browse this way due to a few privacy add-ons I use and it is absolutely infuriating having to deal with these pop-ups even on sites that I've already visited.