There is a misunderstanding about GDPR and cookie consent that many people have.
Using cookies to track state on a website that is only used for that website is fine. You don't need to ask for consent. That is how a site tracks things like whether you are logged in.
Also, inversely, there are non-cookie things which do need consent, like server-side fingerprinting, which is why the "just turn off cookies in your browser" suggestion here and from some noncompliant sites doesn't cut it.
Even different usages of the same data can require consent.
Logging & storing IP addresses in logs for a reasonable period of time for debugging or abuse prevention is fine and doesn't require consent (falls under legitimate interest).
Querying those same logs for marketing, analytics or market research purposes would not be fine as this would require consent.
That's not correct: the ePrivacy directive doesn't distinguish between first and third party cookies, but rather on whether the cookies are "strictly necessary for the delivery of a service requested by the user".
Yes. And login state or preferences are perfectly valid "functional uses" that don't require consent (but need to be spelled out in the privacy policy by most interpretations of the law).
The difference between first and third party cookies/embeds is only relevant when the third party may be collecting data (e.g. keeping access logs). This covers things like Google Fonts, Google Maps and social media embeds all of which should be opt-in and have fallback options (like an external link to the otherwise embedded post or map).
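As an added illustration of the opt-in-with-fallback pattern described above (example code, not from anyone in the thread): the embed is rendered as a plain external link until the user explicitly agrees, so no request reaches the third party beforehand. Provider names, hosts and URLs are constructed, and the consent store stands in for a first-party cookie or localStorage entry.

```javascript
// Added example (not from the thread): gate a third-party embed behind an
// explicit opt-in and fall back to a plain external link. Assumptions: the
// provider names, hosts and URLs are constructed; the user's choice is kept
// in a first-party preference store (cookie or localStorage), which the
// thread treats as a strictly necessary use that needs no consent itself.

// Hypothetical allowlist of hosts each provider may be embedded from.
const EMBED_PROVIDERS = {
  maps: { hosts: new Set(["maps.example"]) },
  social: { hosts: new Set(["social.example"]) },
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// True only for an https URL on a host the provider is allowed to use.
function isAllowedSrc(provider, src) {
  const p = EMBED_PROVIDERS[provider];
  if (!p) return false;
  let u;
  try { u = new URL(src); } catch (e) { return false; }
  return u.protocol === "https:" && p.hosts.has(u.hostname);
}

// Record the user's choice for one provider in the first-party store.
function recordChoice(consent, provider, allowed) {
  return { ...consent, [provider]: allowed === true };
}

// Returns { mode, html }: "iframe" only after opt-in, "fallback" (link plus
// an opt-in button) before any choice or after refusal, "blocked" for a src
// that fails the allowlist regardless of consent.
function renderEmbed(embed, consent) {
  const { provider, src, label } = embed;
  if (!isAllowedSrc(provider, src)) {
    return { mode: "blocked", html: `<p>Embedded content unavailable: ${escapeHtml(label)}</p>` };
  }
  const href = escapeHtml(src);
  const text = escapeHtml(label);
  if (consent[provider] === true) {
    return { mode: "iframe",
      html: `<iframe src="${href}" title="${text}" loading="lazy" referrerpolicy="no-referrer"></iframe>` };
  }
  return { mode: "fallback",
    html: `<div class="embed-placeholder" data-provider="${escapeHtml(provider)}">` +
      `<a href="${href}" rel="noopener noreferrer" target="_blank">Open ${text} on ${escapeHtml(provider)}</a> ` +
      `<button type="button" data-action="load-embed">Load embed here</button></div>` };
}
```

Wire the button's click handler to `recordChoice(consent, provider, true)` and re-render; the same store also lets a user withdraw consent later, after which the placeholder link is shown again.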
No, the in-proposal ePrivacy Regulation supersedes the in-effect ePrivacy Directive.
GDPR overlaps (or rather, mandates a specific implementation of) only a small portion of the ePD. Most of the ePD is still open for implementation and most of the GDPR does not overlap with it.
That's not correct. Both are in effect simultaneously, and they each restrict different behaviors. Very roughly: ePrivacy restricts sites' use of client-side storage, the GDPR restricts their use of personal information.
>Using cookies to track state on a website, that is only used for that website, is fine. You don't need to ask for consent. That is how a site tracks things like whether you are logged in.
They are called 1st party cookies and, like you said, they are required in order for a website to work, but 3rd party cookies are intrusive and invasive.
The 1st vs. 3rd party distinction is not legally relevant; what matters is what any personal data is used for, regardless of its technical implementation. A first-party tracking cookie is not allowed without consent; a third-party OAuth cookie may be (if most common OAuth providers weren't also massive trackers...).
They were speaking about login session cookies; that is what I was referring to. I don't know what the legal status of session cookies is, but they are required in order for a website to track whether you are logged in or not; otherwise you would need to log in constantly.
But I get your point: the purpose of a cookie is important.
I think two things get mixed up (not by you)... a lot of sites, especially American ones, only started showing any kind of notice/request for consent once GDPR came in. But there was another wave before that, which everyone called the "cookie law" but which is apparently the ePrivacy Directive.
"On the other hand, providing your customers with a customized user experience or tailored product suggestions is not a requirement for an online store, and cookies that enable these features do not fall under the "strictly necessary" category. You'll need to get consent before you use them."
"Depending on your country's interpretation of the law, you may only need to get a user's "implied consent." Rather than forcing every user to click "accept" ... you can instead display a short message informing them that cookies are being used, typically through a header bar or some other non-obstructive method. After a predefined period of time ... the announcement can disappear."
I think what happened is that a lot of sites went for non-compliance or implied consent until the GDPR came in requiring proper consent for most cookies and harsher penalties (?) and everyone went from 0 to 100. But people were complaining about & blocking even the implied consent banners when they first came in. Now everyone thinks the GDPR is about cookies but it's really about tracking.
> typically through a header bar or some other non-obstructive method.
Those are obstructive too. Just respect my DNT header; if you don't want to serve me the page after seeing what my preference is, don't show me the page, and I won't read it. I know when I'm not wanted. There are plenty more sites on the web.
Additionally, the ePrivacy law was revised to e.g. mandate that if an "accept all" button is present it cannot be given more visual weight than a "deny all and continue" button. Most (especially American) sites are currently in violation of this requirement as they try to get away with making it annoying to not opt in to everything.
What about a web RUM system or a JavaScript error logger that tracks groups by sessions? Or let's say you're testing a new feature with an A/B test platform and the cookies are used to store bucket information?
Increased discontent with cookies is a direct result of annoying people with these banners. Do it long enough and radically enough and the backlash will grow severe.