Comment by noirscape
2 days ago
> My gut says that practice (or at least its breadth) stems from a misunderstanding of the legislated requirements.
Sorta yes. The "cookie law" is the EU ePrivacy Directive (not the same as the GDPR; it predates the GDPR by around a decade) and doesn't directly talk about cookies. Rather, it talks about any means by which a remote server can store data on your PC (which includes cookies, but also things like LocalStorage - the law is resilient to innovation).
Basically, if you want to store data for things that aren't obviously necessary to provide the service, you need to ask for consent to store this information (getting consent for using and sharing information obtained by using these cookies is a separate matter; that's what the GDPR is for). So a shopping cart or a session cookie doesn't need a consent banner, since those get filled out in accordance with things users expect (if you log in, it's expected that the site knows who you are in future requests; if you add an item to a shopping cart, it's expected to be kept somewhere and to be cross-referenced. Rejecting a cookie consent banner can also place a cookie for this same reason; users expect to not be shown that popup again if they said no.)
Cookie banners are effectively an attempt to maliciously comply with this directive, combined with legal paranoia. The second one is easier to explain: if you need consent to store some cookies, then legal is just gonna tell you that you need consent to store any cookies, no matter how trivial. This is standard legal paranoia, which leads to sites that don't place tracking cookies getting consent banners.
The first is more malicious: browsers can send indicators to servers that they don't want to be tracked at all. That's the DNT header or the GPC header. They are basically the same thing, except the GPC header allegedly has more legal backing - to my knowledge there's no evidence that DNT doesn't work for this purpose and, in fact, GPC is worse at protecting against tracking. GPC only opts out of selling data; DNT opts out of tracking for any purpose whatsoever.
Advertisers habitually ignore these headers or use them for fingerprinting, but a German court has decided that the DNT header has full legal backing as an "I don't want to be tracked" indicator in a case against LinkedIn, and that spamming users with consent popups if these headers are present is essentially pestering them to relinquish consent that isn't going to be given. The GPC header has no such protections, but might be more amenable to the (worse) Californian privacy laws. Advertisers and other companies like to pretend that the DNT header has no legal backing, but it does. Cookie banners could entirely be handled on the browser side, but browsers and advertisers refuse to take this idea seriously because it'd lead to mass rejection of tracking. (Due to perverse incentives at this point; both Mozilla and Google own/are ad companies, respectively. This is why Mozilla quietly killed the DNT header at the start of the year, in favor of the GPC header.)
These are the EDPB Guidelines for all tracking technologies: https://www.edpb.europa.eu/system/files/2024-10/edpb_guideli...
The main point is that access to the terminal equipment of the consumer has to be explicit; there is no relation to DNT etc.
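The thread above argues that a server can honour the browser's `DNT: 1` / `Sec-GPC: 1` signals instead of re-asking via a banner, and that strictly necessary cookies (session, cart, the stored consent choice itself) need no consent at all. The following is an added example written for this page, not code from any commenter or from the EDPB guidelines: a small server-side decision function that treats an opt-out header as a standing refusal, sets only essential cookies in that case, and suppresses the banner. The cookie names, the `consent_choice` cookie and its `accept`/`reject` values, and the rule that an opt-out header overrides a previously stored `accept` are all assumptions chosen for illustration, not anything mandated by the directive or the thread.

```python
"""Honouring browser tracking opt-out signals on the server side.

Added illustration for the discussion above; the header names DNT and
Sec-GPC are real, the cookie names and consent policy below are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Both signals are sent as the literal value "1"; header names are matched
# case-insensitively as HTTP requires.
OPT_OUT_HEADERS = ("dnt", "sec-gpc")

# Cookies the service cannot function without. Constructed names; the
# "strictly necessary" exemption means these need no consent.
ESSENTIAL_COOKIES = frozenset({"session_id", "cart", "consent_choice"})


@dataclass(frozen=True)
class CookieDecision:
    opted_out: bool              # browser sent DNT: 1 or Sec-GPC: 1
    consent: Optional[str]       # "accept", "reject" or None (never asked)
    allowed: Tuple[str, ...]     # cookies the response may set
    dropped: Tuple[str, ...]     # cookies withheld for lack of consent
    show_banner: bool            # whether to render the consent prompt


def normalise_headers(headers):
    """Lower-case header names and strip values so lookups are uniform."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def parse_cookie_header(value):
    """Parse a Cookie request header into a name -> value dict."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def tracking_opt_out(headers):
    """True when the browser asked not to be tracked via DNT or Sec-GPC."""
    h = normalise_headers(headers)
    return any(h.get(name) == "1" for name in OPT_OUT_HEADERS)


def decide_cookies(headers, requested):
    """Decide which of the requested cookies a response may set.

    Policy (an assumption for this example): an opt-out header counts as a
    refusal that needs no banner and overrides a stored "accept"; without
    any signal, non-essential cookies require an explicit stored "accept".
    """
    h = normalise_headers(headers)
    opted_out = tracking_opt_out(headers)
    consent = parse_cookie_header(h.get("cookie", "")).get("consent_choice")
    if consent not in ("accept", "reject"):
        consent = None  # tampered or absent value: treat as never asked
    may_track = consent == "accept" and not opted_out

    allowed, dropped = [], []
    for name in requested:
        if name in ESSENTIAL_COOKIES or may_track:
            allowed.append(name)
        else:
            dropped.append(name)

    # Don't re-prompt someone who already answered or who signalled opt-out.
    show_banner = consent is None and not opted_out
    return CookieDecision(opted_out, consent, tuple(allowed), tuple(dropped), show_banner)


if __name__ == "__main__":
    # Constructed request: Firefox-style DNT header, no prior consent cookie.
    print(decide_cookies({"DNT": "1"}, ["session_id", "analytics_id"]))
```

The `dropped` tuple is worth logging in production: a steady stream of withheld third-party cookies is the quickest way to spot a new script or SDK that tries to set trackers before consent exists.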