In this case, it is just showing that most companies are collecting more data than they need.
You don’t need a banner for the data that is necessary for the service to work at minimum level. There is no role for the consent since the site won’t work otherwise.
How does it show that? Most people I know are annoyed by this and click on "reject" (if they can find it), but for a lot of non-technical people these banners are just a given because they don't even understand the problem. Doesn't mean they don't care.
The close to a million users now on https://www.stilldontcareaboutcookies.com/ suggests that there's a pretty sizable amount of people that care less about the philosophy of European data laws and more about just getting on with their day.
> pretty sizable amount of people that care less about the philosophy
How does it show that?
It shows that they prefer to get on with their day over clicking cookie banners. It says nothing about whether they agree with the philosophy of the GDPR.
How many "normies" do you know that stopped visiting websites that track them? I don't know anybody who isn't in my tech bubble who cares, and very few normies who would rather pay money than give access to their data.
None. That doesn't mean they don't care. As I said, most people I know are annoyed by this but take these banners and tracking as a given because they don't understand enough about technology and see them everywhere. And let's be honest here, if you were to stop visiting sites that track you, you could just stop using more or less the whole internet. It's not about stopping using these sites, it's about stopping those sites from tracking you, which almost everyone I talk to is ok with. The only people I see that defend the amount of tracking happening on the web are commenters online (here, on Reddit, etc.). That leads me to believe it's mostly corporate accounts.
To the point: Not using a site is not the point of it. Insert "yet you participate in society" meme.
Apple's "do not track" alert resulted in many people saying they don't want it. And of course, it had an impact on Meta's business.
So if websites presented cookie banners in a neutral way without dark patterns to make Reject difficult, "normies" would reject these, I'm sure.
This is something a lot of people seem to misunderstand about GDPR. At its core it says you should only process people’s personal data within a lawful basis. There are 6, and consent is only one.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The thing is, if you have any of (b)-(f), why shouldn't you also get (a)?
The maximum fine is 20 million euros or 4% of revenue, whichever is higher. Sure, it probably won't be imposed on a first time violation, but why take the chance?
Could you imagine any lawyer advising a company against requiring consent, even if they have some cover because of a legal obligation? Isn't it much safer to deny service to those that refuse to consent?
Sure, it'll annoy the customer, but right now the customer is used to minor annoyances.
This is true, but the comment you replied to was about the cookie law, not about GDPR. They are separate issues, even if they are obviously related. The cookie law is about not using other people's storage for usage that is not needed; GDPR is about personal information. You can use cookies for saving information that is not personal but that still would need banners.
> You don’t need a banner for the data that is necessary for the service to work at minimum level.
We were advised by our lawyers (a top SV tech law firm) that we should include a cookie banner in the EU even if we're only using cookies for functions like login. After eventually switching legal counsel (for unrelated reasons), we were told the same thing by our new counsel.
Either EU law covers cookie banners that use cookies for routine functionality, or it's so (deliberately) vague that even top tech law firms would rather everyone add a cookie banner than risk running afoul of the law. Either case validates PG's argument here.
It is indeed quite complex. I would argue that just the login does not need one.
1. There are users who will come to your website with a specific purpose or expectation of your service.
2. Then there are users who came to the website by accident and might just try out things without understanding what is happening.
The banner recommendation from the lawyers is likely for the 2nd case. The users haven't subscribed to the service with a certain expectation or knowledge of what is expected from them for the service to provide what they want. Or they have zero expectations about the service providing something for their needs.
For example, in the login case, group 1 probably wants to stay logged in if they came to the service with the expectation of a personal service, which cannot be linked to the person without an account.
Or the lawyers just did not understand your service well enough and just said to put up the banner and be done with it.
For group 2, it is unlikely that someone did not expect or want to stay logged in all the time, but that is a minority and an arguable case whether it is fair to assume that.
If the lawyers don't recommend you add the banner, and you somehow run into trouble because of it, the lawyers will be blamed. However, if they do recommend that you add a banner and you follow their advice, then they can get some more billable hours by recommending some verbiage for the banner, checking your website to make sure the banner is displayed in a compliant way, etc. And even if you don't follow their advice - people rarely fire their lawyer for recommending caution.
So, how did you ever expect the lawyers not to recommend adding the banner? That's like going to a plumber and asking them whether or not you should DIY some installation. Of course they're going to recommend you get a professional...