← Back to context

Comment by aenis

19 hours ago

This is a bit more nuanced than that.

Under the GDPR provisions, strictly necessary cookies are exempt from the consent screen. But the way the exemptions read prompts all the lawyers to "well, maybe it's sort of necessary for you to have a session_id, but its so, so much safer to have the damn consent screen, so please...".

I worked in technical roles at large companies that had completely honest-to-god private, strictly necessary cookies - where compliance people forced the cookie consent screens, there was no space for a discusion. At my latest company, despite being a CTO, I could not convince our legal team that going without the consent screen as we are really only using "strictly necessary" cookies was fine. Its "mate, you may even be right, but really, nobody is skipping the consent screen, and we won't risk a compliance issue on your say-so.".

Sure, lots of companies - maybe even most - do shit things, and of course the real tagging of people and fingerprinting happens in sophisticated ways that actually defy GDPR, require no cookies whatsoever and so on - and thats another problem. Those moronic consent screens server exactly no real benefit for a while now.

The law doesn’t mention Cookies even once.

If your company is overcompliant, seems to be a company issue. This is a general trend I observed: way too many companies and even government entities don’t do certain things for "privacy reasons", while they’re just lazy and privacy is an excuse.

It’s not like not having a consent banner for necessary cookies will result in a fine right away. Most fines are for serious stuff.

  • I am not arguing with that. Its a fact that companies are staffed with salaried people incentivised with externalising costs and avoiding personal responsibility. People legislating stuff should know this well and design taking this reality into account. But they themselves are incentivised largely the same way, and some of them are also reaping material benefits from establishing regulatory regimes like this one. So here we are. For the 0.0001% of the population actually concerned about privacy billions of people have to click on the stupid banners 20 times a day. I hope hell exists, and that its where the people behind it will end up.

    That ignores the main issue, though. Companies moved on, cookies are no longer needed to associate your behaviour on various websites. I'd argue that because cookies were regulated like this, we now have state of the art tech that profiles people across vpn's, not to mention incognito browsing. Just ask anyone working with big data aggregators or having access to telco data and other logins. Its not just browsing behavior, some companies can get your extremely intimate, offline-only facts by combining those data sources. But hey, a bunch of technically illiterate people in Brussels feel like they did us all a favor.