This is about cookies, which are stored on the client.

Ok. So we drop the cookies and invent/use something else that works like the cookies(e.g an iframe that pings to Google's server) What's that good for? Are you considering including the CORS, iframes and whatever feature may leak information about the visitor in the law as well?

An iframe that pings Google is pointless if it doesn't send cookies.

How is that? Itcan send whatever it wants as query strings(e.g timestamp, current window etc)

Browser fingerprinting is a thing. In fact I suspect most of the supposedly GDPR compliant (so no cookies or local storage) still use fingerprinting in the background because you can't prove it's happening from the client (and the law is not being enforced anyway).

Most fingerprinting relies on Javascript (or maybe some CSS shenanigans) which you could prove from the client.

Using fingerprinting for tracking is not GDPR compliant.

The cookie law is the ePrivacy Directive 2002,[1] not GDPR. And as a user, I would much rather control my privacy preferences regarding cookies from my own browser, instead of within hundreds of different implementations across websites.

We already have P3P to allow websites to declare how they want to use your information. European legislation should have focused on leveraging these existing tools and protocols to give control to the user, instead of annoying them with endless pop-ups.

1. https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

Interesting, I did not know that. Where is that covered? I want to read more.

GDPR is all about user data AFAIK. If I understand it correctly it avoided the trap that is to single out specific implementations.

Also it seems either I or someone else misread the context. I'm in the broader GDPR context while someone else seems to be in the older cookie law context.