It is still very strict. For example, here is what the document you link has to say about cookie lifetimes for shopping carts:
"A cookie that is exempted from consent should have a lifespan that is in direct relation to the
purpose it is used for, and must be set to expire once it is not needed, taking into account the
reasonable expectations of the average user or subscriber. This suggests that cookies that
match CRITERION A and B will likely be cookies that are set to expire when the browser
session ends or even earlier. However, this is not always the case. For example, in the
shopping basket scenario presented in the following section, a merchant could set the cookie
either to persist past the end of the browser session or for a couple of hours in the future to
take into account the fact that the user may accidentally close his browser and could have a
reasonable expectation to recover the contents of his shopping basket when he returns to the
merchant’s website in the following minutes."
So? That's totally what I'd expect from a shopping cart cookie. I don't expect something I put in a cart to be there the next day (I will have bought it somewhere else).
I was using the website for a Dutch big box hardware store (Gamma) today, and it had a door stopper I was looking to purchase half a year ago in my shopping cart. I never finished that transaction. That kind of retention is just pointless.
> I don't expect something I put in a cart to be there the next day
I do. I use the shopping cart as a staging area sometimes when deciding what to buy. In fact, I don't really see a good reason for a shopping cart ever lose items I put in it until I explicitly remove them or they stop being available, since the whole point of a cart is to express intent to buy.
The whole point of a shopping cart is for items that you are going to buy--not for things you may (or may not) buy tomorrow. It's a shopping cart. Not a bookmarking service. You don't go into a physical grocery store, put things in your shopping basket, leave, and expect them to be there when you walk in the next day.
That is your interpretation of shopping carts in web stores. Other people add things to their cart as they need to replace eg: items in the stationery cupboard, then checkout once a week. Some people use the cart as a form of Wishlist, or a picking list while evaluating similar products.
At the very least if a site doesn’t offer Wishlist, shipping list or other bookmarking facilities I would expect the shipping cart to give me a cookie that lasts at least three days to cover the weekend or the option to create an account to save that shopping list/cart to come back to later.
The metaphor is imperfect. It is a staging area for orders in practice, and people like to be able to use it that way. I often build up a shopping cart on several sites while trying to figure out where is the best place to buy from (especially in cases with a shipping is a large proportion of the overall price) and sometimes this takes me several days.
While I do agree keeping items in the cart for a year is not what users expect, if someone puts something in their cart, closes the browser, and then comes back the next day, I think most e-commerce sites would still list the item. And I think that's generally something users want.
It’s worth noting that you do not need cookies to store shopping cart details if you have a user account system. You can store their cart in a database and associate it with a user account.
A session based cookie can then be used to store your identity in a short term session, and the server can easily gather long-term storage on its own.
I think it’s a fair compromise to say “if you want to save this cart, please log in”, which satisfies opt-in data tracking in a user friendly way. You aren’t mandating a user account, but if you opt in you get something potentially useful.
My principle complaint about most of the discourse on this topic is that it is superficial. There are reasonable workarounds for most user-friendly tracking that allow for tacit opt-in via responsible and clear UX. The “hard parts” seem to generally concern the type of tracking that isn’t so clearly user-friendly, such as behavior tracking and PII collection, which is a conversation we should be having anyways without obfuscating the issue by pretending it’s about the easy stuff.
I think just about the only "essential" cookies to ensure functionality would be session cookies. But I would be surprised to learn that the point is to eliminate useful cookies. Shopping cart cookies, when designed so they are not shared with 3rd parties, are benign and should not require an opt-in. That's my opinion on most cookie-based functionality, really. Client-side state is useful for a lot of user-friendly functionality.
For example, remembering things like Dark Mode, pop-up re-sizing, slider locations (volume for example) are all legitimate use cases that I would prefer as a user to be isolated per client.
I think that works if the site clearly says that your preference will be stored. On the other hand, if it's just a "dark mode" checkbox or something, my reading of the directive is that isn't enough?
I don't want to have to make accounts on websites just for them to remember what is in my cart for my next visit. I don't like having more accounts, especially if I'm not yet sure if I'm going to buy from them.
Since the site does not know you are leaving, it doesn't have any opportunity to prompt you and ask whether you would like to save your cart (and if it did I would find it pretty annoying)
If I go to an e-commerce website and I am not signed in to, add a bunch of stuff to my cart and leave, I have absolutely no expectation the cart will persist until the next day, and I really don’t think you should either. Not only is it in an unreasonable expectation as an end user, but also it sounds like an absolute nightmare for businesses (Do you hold physical inventory for things in the cart? What about price changes or products are discontinued? Etc).
In practice, sellers do deal with this. The most common approach is that putting something in the cart does not reserve it or maintain a fixed price. Then if availability or pricing changes, they flag that to the user when viewing the cart.
Also, you initially asserted that the regulations were strict for any and all cookie usage. The person replying to you provided plenty of evidence to the contrary, and now you’re bringing up incredibly niche edge cases, to what end I’m not sure. I think it would be more productive to just concede that the regulations aren’t as strict as you stated.
Most companies will not be compliant unless they do one of (a) get consent from users or (b) hire a lawyer to review each of the things they do in the context of ePrivacy, and make corresponding changes to keep everything within the bounds of "strictly necessary". I'm bringing up these 'edge cases' as part of showing that most sites would have changes they would need to make if they wanted to stop asking for consent from users, and that these changes are not obvious and go beyond removing tracking.
Often you need only the session cookie. Everything else can go into the database indexed by that cookie. This is especially safe if the user has an account and won't lose the data if the cookie is lost.
"A cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average user or subscriber. This suggests that cookies that match CRITERION A and B will likely be cookies that are set to expire when the browser session ends or even earlier. However, this is not always the case. For example, in the shopping basket scenario presented in the following section, a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant’s website in the following minutes."