Yes, and it's why European privacy-conscious people get mad when people complain about the EU making the user experience on the internet worse: the EU isn't mandating cookie banners at all, it just requires user consent before doing fishy things with their private data. But if you don't do anything fishy with that data (like selling it with 678 “partners”), there's no consent to get.
"To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
Receive users’ consent before you use any cookies except strictly necessary cookies."
There are no exceptions for not "nefarious" or "fishy" - only if there is no way your site can function without every cookie.
Legitimate reasons to use cookies that are not strictly necessary include analytics, optimization, user experience, social media sharing, sign in with (third-party IDP), incorporating content or code that is hosted on other sites, and more.
I recognize and agree with the dislike for this, but if it's inaccurate, I'd love a correction.
"Analytics and optimization" is where all the nefariousness goes down IMO, even if it's "for the user". When a site predicts things for a user, some users are delighted by the UX while others are put off by being spied on. So even in the "to improve our UX" case, it's up to the tracked to decide if it's nefarious or not - if they consent or not. It makes more sense to always prompt when using them.
Also, I'm seeing headlines like "Are Internet Cookies About To Crumble?" (not really, but you know how tech media is!) but I wonder how much longer cookies are even going to be relevant.
For most modern developers, the answer is never! They're not really used in modern development by us. Apparently about 40% of websites use cookies, and it's almost always for ad re-targeting - the only reason they make you auth again after clearing is really to auth you with the cookie; your auth with the site is usually just HTTP requests and doesn't require cookies.
TLDR I think they're going away anyway, they're passé and it makes too much sense for Google to obsolete competitors by suddenly dropping them. GDPR calling out cookies is like the American law that bans "magic mushrooms" - they should have been more specific in identifying a specific unlawful behavior.
Upvoted for the good info btw (it just didn't do anything lol) thanks for sharing
I mean, you can write a website that doesn't require any of that.
Social media links for authentication (if the website requires authentication) are strictly necessary.
Analytics and optimization are things the EU is trying to prevent, so of course you get a popup.
It is possible, yes. It just hampers much of what people expect modern websites to do (though it hinders abuse, as well, which is good!).
But even GitHub, who proudly declared they had removed all non-essential cookies https://github.blog/2020-12-17-no-cookie-for-you/ added them back https://github.com/github/site-policy/pull/582/files and now if you click either "Manage cookies" or "Do not share my personal information" at the bottom of the page, you'll see they have the common "Required", "Analytics", "Social Media", "Advertising" categories.
GitHub is owned by Microsoft, the company that's putting ads on your start menu, I'm not sure why people are expecting anything less. Whatever they had in terms of culture before acquisition is not the same afterward, even if it changed gradually.