
Again, only because of incompetent and/or immoral developers.


How, exactly, is a developer supposed to change state in a stateless protocol to denote that you've dismissed the cookie dialog if the user has disabled the feature that allows the developer to add state to the stateless protocol?


The law does not forbid you from storing any cookie, even if the user declined. The user can decline cookies that are not needed to provide what the user asked for. Even after the user declines, you are allowed to use cookies to keep track of what's in the user cart, whether the user has logged in or whether the user rejected cookies.


I believe his point is that if the user disabled cookies, there's no point in showing the banner. If you don't show the banner you can't track the user, of course.

It's not hard. It's just a matter of checking for navigator.cookieEnabled.


cookieEnabled is not reliable for handling third-party cookies, unless you also load a third-party frame running JS. (And even then it doesn't work like you'd want in many browsers.)


Sorry if I missed something, but AFAIK grandparent wasn't talking about third party cookies, only about having cookies disabled and being unable to store the consent flag, so I don't see how this applies to this specific discussion.


It does. Most people concerned about the GDPR are concerned about third-party cookie tracking.

It also highlights how, in general, this is a hard problem. Compliance with this law without creating a dead-static page has subtle complications.


I never dismiss those dialogs anyway. Just make sure your site works with the browser’s reader mode and I’m fine.

But off the top of my head: only display the dialog if the browser cache is cold. Could embed a timestamp in some cacheable resource. (Edit: Perhaps this counts as a “cookie“ in the legal sense)


How else can you even store a consent for cookies/localStorage? You can go around calling people immoral and incompetent, but what is the actual way to ask for permission to store data?

If your contention is that it is immoral or incompetent to store any data except through some specific user interaction related to those data, sure that's an opinion.

But if your job is literally "tell me which other pages users go to after this one", it's not really that crazy of an ask.

The law seems to call upon you to make it conspicuous, but when you make it conspicuous it is annoying, the law then calls upon you to make it not annoying.

The better solution, in my mind, is just making cookie control features more visible in browsers. They work great, and it's the right place for this form of consent.

Malicious actors abuse the current circumstance, because it relies on there being a responsible party with collateral to complain against. This is one of those times where the engineered solution is better than the social one.


> How else can you even store a consent for cookies/localStorage?

You said "the cookie thing just means that if I want to use these websites, I have to enable cookies so that I can dismiss the cookie dialog".

But if cookies are disabled, then there's no point in asking for consent. There should be no cookie banner in this case.


> But if cookies are disabled, then there's no point in asking for consent.

But the only way to determine if cookies are actually disabled in the browser is to attempt to store cookies, which is the thing you're asking consent for.


A cookie storing simply whether the person has accepted, declined or not yet responded to your consent dialog does not require consent.


Not really, there's also navigator.cookiesEnabled now.

And even if there wasn't, attempting to store a cookie with a dummy value just to check if cookies are enabled does not break the GDPR for three reasons: first, if it's a dummy value it's not really personally identifiable information. Second, it's a functional cookie required for the site to work. And third, the site can just delete it after the checking. No consent required in this case.
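
The two checks described in the comment above (the `navigator.cookieEnabled` flag, then a dummy-cookie write, read-back and delete), as an added example that is not code from any commenter. The `nav`/`doc` parameters, the `cookie_probe` and `consent` cookie names, and the `mockDocument` stand-in are assumptions made so the logic runs outside a browser; it covers first-party cookies only.

```javascript
// Hypothetical cookie names: a dummy, non-identifying probe and the consent flag.
const PROBE = "cookie_probe";
const CONSENT = "consent"; // value: "accepted" | "declined"

// True only if a first-party cookie can really be written and read back.
function cookiesUsable(nav, doc) {
  if (nav && nav.cookieEnabled === false) return false; // browser says cookies are off
  try {
    doc.cookie = `${PROBE}=1; path=/; SameSite=Lax`;
    const stored = doc.cookie.split("; ").includes(`${PROBE}=1`);
    doc.cookie = `${PROBE}=; path=/; Max-Age=0`; // delete the probe right away
    return stored;
  } catch (e) {
    return false; // e.g. a sandboxed frame throws SecurityError on document.cookie
  }
}

// "accepted", "declined", or "unanswered" when no consent cookie exists.
function consentState(doc) {
  const hit = doc.cookie.split("; ").find(c => c.startsWith(`${CONSENT}=`));
  return hit ? hit.slice(CONSENT.length + 1) : "unanswered";
}

// No banner when nothing can be stored or when the user already answered.
function shouldShowBanner(nav, doc) {
  if (!cookiesUsable(nav, doc)) return false;
  return consentState(doc) === "unanswered";
}

// Constructed stand-in for `document`: understands name=value and Max-Age=0 only.
function mockDocument(enabled, initial = {}) {
  const jar = { ...initial };
  return {
    get cookie() {
      return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; ");
    },
    set cookie(s) {
      if (!enabled) return; // cookies blocked: the write is silently dropped
      const [pair, ...attrs] = s.split(";").map(p => p.trim());
      const name = pair.slice(0, pair.indexOf("="));
      if (attrs.some(a => /^max-age=0$/i.test(a))) delete jar[name];
      else jar[name] = pair.slice(pair.indexOf("=") + 1);
    },
  };
}
```

In a page, the call would be `shouldShowBanner(navigator, document)`.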


What are you referring to? I fear I am one of these incompetent devs since I don’t understand the implied transgression.



