I think the real problem here is that the technical feature of cookies providing browser state is a poor proxy for what EU/DPA _really_ wants to regulate, which is privacy-related tracking.
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
Of course, no website will ever tell you "Hey, we're using cookies to track you"; it's in most companies' (both legal consulting companies' and website owners') best interest to keep people ignorant. Consulting companies want website owners to be scared and buy legal consulting services, and website owners want people to think that the pop-ups are a result of stupid EU legislation and not because they are actually being tracked.
If I need to get explicit opt-in for "So, remembering your shopping cart when you come back requires cookies, that okay with you?" I'm not sure how much better that would be. It's still gonna be information overload "false positives".
But I think that is what the regulations actually intend. "We need cookies to give you: Shopping cart; search history; login to your account; whatever -- opt in or out to each one, you can still use the site just without those features if you go out."
A) That is actually fairly expensive to implement.
C) But you are exactly right that no company is ever going to tell you what you _really_ care about. Unless regulations make them maybe. These regulations were trying. Not there yet.
I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects which includes being able to create an account to save their shopping cart and view their order history, while using cookies to show tailored product suggestions wouldn't be. However, IANAL and I haven't even read through the text of the directive.
You can 100% support a logged-in account experience without cookies. Java, for example, supports jsessionid in the URL for people with cookies disabled. This id belongs to a session that is managed by the app server, which you can use to store information such as the cart, logged-in account id, etc. If Java can do it, other languages and web frameworks that currently only support cookies can do it too.
I think the better angle to look at it is: session cookies expire when someone closes their browser. They aren't that good at tracking people.
In that light I tend to agree with GP. If you're just using cookies to run sessions for your site, I just can't see regulators coming down on you.
There's some potent mix of legal and technical pedantry combining with the profit motive of consultants everywhere that has led to a huge wave of overblown FUD around GDPR.
The fact is, ad-tech has been running amok for years and I don't think it's that hard to draw a line if we're intellectually honest. Of course it will take years for case law to catch up, but it's not as hand-wringingly difficult as some would have us believe.
You don't, provided you have a reasonably short retention period, are not storing personal information that is not directly needed for remembering the shopping cart, and are only using it for that and not simply using that as a justification for something else.
Nor do the regulations. You have to meet exactly the same requirements to store personal information using some other mechanism as you do using cookies.
The biggest lie in most cookie warning popups is that you need to accept them for the site to function. It is often not true. Those are session cookies and you don't need to warn users about them; they're just allowed.
I didn't know this, and neither do any of the cookie warnings mention this. So like many people I thought the cookie law was the stupidest thing ever because like you say, you gotta have state. But the session cookies used to make a site hold state, those aren't considered tracking. When I learned about this little fact, it changed my opinion about the cookie law considerably.
As far as I understand it, the GDPR does everything and more than the cookie law was supposed to, so IMO it's about time we put that disaster behind us.
On the web, your approximate unique ID is your browser fingerprint. That can be used to join your activity to other activity.
Your session cookie is your activity for your browsing session (or for users who never quit their browser, your entire computer uptime).
Think about it -- a cookie is information the web server gives to you; it's essentially a bookmark to your current position in the app. The server already knows where you were -- it saw you there! It just doesn't know that you want to go back there on your next HTTP request.
Tracking data is data you give to the web server. Cookies are only one primitive to enable tracking. Cookies can be replicated by URL query parameters, subject to size constraints.
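The point made above (and in the earlier comment about jsessionid) is that a session id can ride in a cookie or in the URL, and that what makes it a session rather than a tracker is the short retention. This is an added illustration, not code from any commenter: a minimal server-side session store that resolves the id from the Cookie header or, for clients with cookies disabled, from a `sid` query parameter (both the parameter name and the TTL are assumptions), and forgets expired sessions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumed retention: 30 minutes of inactivity-free lifetime, then the state is dropped.
SESSION_TTL = 1800

# In-memory store, session id -> {"data": {...}, "expires": unix_time}.
sessions = {}


def new_session(now=None):
    """Create a session keyed by an unguessable random id and return that id."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"data": {}, "expires": now + SESSION_TTL}
    return sid


def session_id_from_request(headers, url):
    """Resolve the session id from the request.

    The Cookie header wins; the URL query parameter is the fallback for
    cookie-less clients (the jsessionid-style approach). A URL-carried id ends
    up in Referer headers, browser history and server logs, so it should be
    treated as short-lived and never reused as a long-term identifier.
    """
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            return value
    params = parse_qs(urlparse(url).query)
    return params.get("sid", [None])[0]


def load_session(sid, now=None):
    """Return the session's data dict, or None if the id is unknown or expired."""
    now = time.time() if now is None else now
    entry = sessions.get(sid)
    if entry is None:
        return None
    if entry["expires"] < now:
        del sessions[sid]  # expired: discard the state instead of retaining it
        return None
    return entry["data"]
```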
There’s only a handful that need them for logging in.
Most sites I visit I don’t want to interact with, I just want to read.
Silent cookies aren't completely banned by the GDPR/cookie laws, only cookies that aren't necessary to provide the service requested by the user. That's sort of vague, but I think mostly obvious what is intended there. It's pretty easy to operate within the spirit and letter of the law: Shopping baskets, load balancer cookies and login tokens are fine (provided you only use them for those purposes!), third party advertising tracking cookies are absolutely not (without consent). More info here: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...
Lawyers have told me that you do not even need consent for Google Analytics, unless you enable the data collection for advertising features.
It appears to me that there's intentional bad faith misunderstanding from some, regarding both the cookie law and GDPR, in order to try and paint it as unworkable.
So, yeah, it's a mess. These "extra" warnings are contributing to user fatigue; I agree with Troy Hunt that users are just gonna ignore them all. I also understand why a small organization can say "Well, I don't really understand if we need it or not, the lowest risk thing to do is just to supply it." And there's no law _preventing_ you from supplying an unnecessary pointless cookie warning banner...
It's 88 pages of legalese consisting of 99 articles distributed over 13 chapters. It also has dozens of footnotes which incorporate thousands of pages of other laws by reference.
> and if execs/managers aren’t smart enough
Clearly I am too stupid to operate a business and have reading comprehension problems. Thanks for letting me know.
Google Analytics feeds tracking data to Google for advertising purposes and tracks you across sites; it's exactly the sort of crap the cookie warning was meant to stop.
> These "extra" warnings are contributing to user fatigue
Your need for analytics is contributing to user fatigue.
> I agree with troy hunt that users are just gonna ignore them all
So do websites putting up these silly warnings. Do you actually wait for people to accept before they get their tracking cookie?
That is why GP said "(no advertising features)." That is the name of the feature in GA that does that, and it can be disabled.
Very much this. None of the cookie warning dialogs (I've seen) mention this, and a lot of them use the dialog to complain about the law.
Something seems to have changed when GDPR came around though. The cookie warning dialogs before just had angry or condescending warnings with only a big "I accept" button, and otherwise too bad. But recently I've begun to see more and more warning dialogs that both have more honest wording about what they're about, as well as providing a "Decline" button.
IIRC there is something in the GDPR about explaining the privacy choices in clear language to the user, as well as having to provide an alternative if possible. If that's the case then it really does smell like intentional bad faith.
Although to be fair, in addition to bad faith, I think it's also a lot of web developers just not researching what exactly is required and just parroting the scary story off each other.
But there's certainly a large part that just want to scare their users into accepting Google Analytics tracking. I'm curious about what those lawyers told you, though. Analytics data flowing through a third party widget that is doing the same on almost every site anywhere, sure feels like tracking to me. But maybe if you disable the data collection for advertising option, Google really won't cross-correlate that data for their own purposes. Even then, doesn't Analytics track the path users take on a single site too? For measuring "conversions" and such, as well as just detect whether people get "lost" on the site, or something.
Now certainly that's useful information, but it is tracking. Also you can get a lot of that information (and more) by just doing basic usability testing on real users. No tracking required and if you ask 10 people to try your site, you get 90% of the usability issues, with diminishing returns (based on some usability research I once read somewhere). But the information is much higher quality because you can ask them questions, ask them to perform tasks, actually look over their shoulder, etc. Tracking website users through analytics is just numbers and doesn't tell the whole story in very many cases, anyway.
Is there any legitimate and reasonably necessary purpose for third party cookies? And similarly is there any undesirably exploitative use of first party cookies? As I am not a web developer, these are not rhetorical questions.
Oh wait https://en.m.wikipedia.org/wiki/Do_Not_Track
--- quote ---
Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable.
--- end quote ---