The spirit, and the letter too. (It's quite a well-written law.) Article 7, "Conditions for consent":
> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
> It shall be as easy to withdraw as to give consent.
Being as easy to withdraw as to give consent is technically a different thing from being as easy to refuse as to give consent, since consent that is refused was never given in the first place but consent that is withdrawn was previously given. But yeah, courts have been clear that both of these actions must be as easy as giving consent, and both requirements are too often not complied with.
The law says that it should be easier to refuse consent than give it. That's thoroughly implied (and then there's Recital 43, if the text of the law isn't clear enough for you).
Separate from my other reply to this comment: withdrawing consent and refusing consent are two different things. If it's difficult for someone who previously granted consent to subsequently find the screen where they need to click the reject button, that's not legally compliant.
Nope, including EU big business sites as well. There are also EU big business sites which illegally claim the legitimate interest basis for advertising and tracking purposes of data processing which have already been ruled by the courts as not acceptable justifications for the legitimate interest basis.
> The non EU sites are due to the EU trying to claim global jurisdiction.
The EU is trying to protect the data of the people in the EU. There's no way to do that while allowing companies outside the EU to freely violate the privacy of people in the EU. Otherwise these rules become laughably easy to circumvent for all but the smallest EU companies which are also the least dangerous from a privacy and tracking perspective.
> The EU are very much to blame for the popups, because even the non dark-patterns one are annoying.
Disagree. They're not supposed to be annoying enough to impair site usability. The truly compliant ones aren't.
Maybe some, but generally businesses are not breaking the law willy nilly like that.
> There are also EU big business sites which illegally claim the legitimate interest basis for advertising and tracking purposes of data processing which have already been ruled by the courts as not acceptable justifications for the legitimate interest basis.
And did the EU follow up?
> The EU is trying to protect the data of the people in the EU.
The problem is it's unenforceable nonsense and has led to this foolish cookie popup situation.
If they had limited it to entities with a presence in the EU, it would have worked better. At the moment it applies to some malicious Chinese teenager who blatantly wants to collect and sell the data of Europeans who visit his self-hosted low-traffic blog.
> The truly compliant ones aren't.
Yeah, they really are. It's still something you have to interact with to make it go away.
If your response says something if companies don't track they won't need a popup, then you have missed the point.
> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.