
I'm fairly sure I agree with you that the law wouldn't achieve its purpose even if it was implemented "correctly", and it certainly doesn't achieve its purpose with how it's implemented by websites today. I considered adding a short sentence about that, but ended up not doing it. I'm just tired of the vast amount of misinformation out there, and people discussing as if the directive applies to all cookies and only to cookies.

I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects which includes being able to create an account to save their shopping cart and view their order history, while using cookies to show tailored product suggestions wouldn't be. However, IANAL and I haven't even read through the text of the directive.

In any case, the vast majority of the times I see the cookie notice are times where there are exactly zero reasons to use cookies (or other methods of persistent storage) other than tracking, such as blog posts and news articles. Every single one of those websites would be able to get rid of their annoying pop-ups if they just spied on their users a bit less.



> I'm not entirely sure if a user account at an online store would require consent; in my view, cookies would be "strictly necessary" to provide the user experience a user expects

You can 100% support a logged in account experience without cookies. Java, for example, supports jsessionid in the URL for people with cookies disabled. This id belongs to a session that is managed by the app server, which you can use to store information such as the cart, logged in account id, etc. If Java can do it, other languages and web frameworks that currently only support cookies can do it too.

I think the better angle to look at it is: session cookies expire when someone closes their browser. They aren't that good at tracking people.
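As an added illustration (not code from this thread or from any servlet container) of the URL-rewriting fallback described in this comment, and of the link-sharing caveat raised in the next reply: the model below is written in Python rather than Java, keeps all session state server-side, and lets the opaque session id arrive either in a `Cookie:` header or as a Java-style `;jsessionid=...` path parameter. The cookie name `sid`, the `SessionStore` class and the `shop.example` URLs are assumptions made for the example; only the `jsessionid` parameter name mirrors Java's convention. `strip_session_from_url` is the defensive counterpart: a URL-carried id travels with any copied link, log line or cache key, so it must be stripped before a URL leaves the session it belongs to.

```python
import secrets
from urllib.parse import urlparse, urlunparse

COOKIE_NAME = "sid"        # assumed cookie name for this example
URL_PARAM = "jsessionid"   # Java's path-parameter name for URL rewriting


class SessionStore:
    """Server-side session storage: the client only ever holds an opaque id."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # 256-bit random id; unguessable, so the id alone is the credential
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def session_id_from_cookie_header(cookie_header):
    """Extract the session id from a raw 'Cookie:' header value, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def session_id_from_url(url):
    """Extract a Java-style ';jsessionid=...' path parameter, or None."""
    parts = urlparse(url)
    for param in parts.params.split(";"):
        name, _, value = param.partition("=")
        if name == URL_PARAM and value:
            return value
    return None


def encode_url(url, sid):
    """URL rewriting: append the session id as a path parameter, the way a
    servlet container rewrites links when cookies are unavailable."""
    parts = urlparse(url)
    params = f"{URL_PARAM}={sid}" if not parts.params else f"{parts.params};{URL_PARAM}={sid}"
    return urlunparse(parts._replace(params=params))


def strip_session_from_url(url):
    """Defensive counterpart: remove the session id before a URL is shared,
    logged or used as a cache key, so the link does not carry the session."""
    parts = urlparse(url)
    kept = [p for p in parts.params.split(";") if p and not p.startswith(URL_PARAM + "=")]
    return urlunparse(parts._replace(params=";".join(kept)))


def resolve_session(store, cookie_header, url):
    """Prefer the cookie; fall back to the URL only when no cookie is present."""
    sid = session_id_from_cookie_header(cookie_header) if cookie_header else None
    if sid is None:
        sid = session_id_from_url(url)
    return store.get(sid) if sid else None


if __name__ == "__main__":
    # Constructed walk-through: one session, reached by cookie and by URL.
    store = SessionStore()
    sid = store.create()
    store.get(sid)["cart"] = ["book"]
    print(resolve_session(store, f"{COOKIE_NAME}={sid}", "https://shop.example/cart"))
    rewritten = encode_url("https://shop.example/cart?item=42", sid)
    print(rewritten)                                # link now carries the session
    print(resolve_session(store, None, rewritten))  # same cart, no cookie needed
    print(strip_session_from_url(rewritten))        # safe to share, log or cache
```

The same opaque id works over either transport, which is the point the comment makes; the difference is only where the id lives on the client, and a path parameter ends up everywhere a URL does.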


I'll quibble with the 100% thing. Yes, you can shove session ids into the URL but it's generally pretty terrible from a security and UX perspective, you can't share links, and caching becomes much more difficult.

In that light I tend to agree with GP. If you're just using cookies to run sessions for your site, I just can't see regulators coming down on you.

There's some potent mix of legal and technical pedantry combining with the profit motive of consultants everywhere that has led to a huge wave of overblown FUD around GDPR.

The fact is, ad-tech has been running amok for years and I don't think it's that hard to draw a line if we're intellectually honest. Of course it will take years for case law to catch up, but it's not as hand-wringingly difficult as some would have us believe.



