Jan Wildeboer 😷
Tech bros love to whine about "The EU cookie policy" that simply doesn't exist the way they imagine it. All these popups are the most radical way to interpret the explicit consent demanded by regulations when sending data to a 3rd party or collecting personal data by the site itself. An ongoing provocation by the ad/tracker industry to blame their ruthless data hoarding on the EU.
Every time you see such a cookie consent pop-up, you know you are on a website that has accepted to share your data with some data collecting entity. That they are willing to hand over parts of the page content to be filled by a 3rd party. And allow that 3rd party to aggregate and sell their visitors data to the highest bidder. So stop blaming "the EU" and ask yourself if this is the internet we want.
The ad/tracker "industry" used the same tactics to ruin the DNT (Do Not Track) flag that we had years ago. Because they simply don't WANT to give users an option to just say no. And they have convinced their customers that "enhancing" the web with these popups is the only acceptable way to work. And these customers just accept that.
To make this very clear: user/visitor consent is only needed for data typically going to 3rd parties. All cookie laws, including GDPR and CCPA, allow essential first-party cookies to be exempt from collecting user consent before performing their actions. So the simple, non-persistent session cookie on your site DOES NOT need a consent popup AT ALL. Regardless of what the ad/tracker "industry" tries to insinuate.
Steve Hill 🏴🇪🇺@jwildeboer This is not true. The exemptions in PECR (UK) are given in 6(4):
"(a)for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
(b)where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user."
There is nothing in the legislation to differentiate 1st / 3rd party cookies.
Graham IX@steve @jwildeboer also, someone else mentioned "PII". European law is concerned with "personal data" not "personally identifiable information" - nice explainer here (inc anonymous vs pseudonymous identifiers) https://blog.pangeanic.com/the-difference-between-pii-and-gdprs-personal-data
@grahamix @jwildeboer That article mentions that "general email addresses not containing personal data ([email protected])" are not personal data, which I think is risky. e.g. A small company with a single sales person may have [email protected] routed directly to that single person. Arguably, if there it a 1:1 relationship between an email address and a natural person, that could be considered personal data (no different to an individual having [email protected], where "blah" isn't their name).