This is the kind of nonconsensual surreptitious user tracking that the EU privacy directive 2002/58/EC concerns itself with, not those redundant, stupid cookie consent overlays.
No, from my understanding cookies are allowed by default only if they are essential to the function of the site. If you only use the cookie to handle logins and sessions then you don't need the warning. If you use the cookie for tracking or analytics then you need the warning.
Note that you can use your webserver logs for analytics and that doesn't require the cookie banner.
Something that is best left to the browser to handle... by allowing the user to enable/disable 3rd party cookies. Which we already have. But no, the EU has stupid notifications on basically every single website as a result since everyone uses third party analytics. Why? If you want your analytics to be believed by anyone who wants to advertise with you, invest in you, partner with you, or buy you, they'd damn well better be third party analytics.
That's true. The implementation differs by country, for example in the UK it is enough to just show the annoying banner. Here in Spain you cannot set any tracking cookie (i.e. Analytics) without explicit consent. Of course, governmental websites totally break this law: http://cfenollosa.com/blog/the-ignorant-eu-cookie-law.html
However, OP is right, governments spy on our webcams and analyze our traffic, and that's ok, but we need a stupid banner that overrides browser preferences to avoid all but session cookies. Duh.
If you can set cookies, the user has already expressed their consent by enabling the cookies in the browser. As long as cookies' existence is common knowledge (it is by now), there is no need to duplicate browser UI within every website.
This is the official stance of the ICO[1], the UK national authority: there was a need to educate users what cookies were when the directive was passed. No such need exists now. ICO itself briefly used consent overlays, but does not anymore (EDIT: Aaaaand they apparently use them again; I'll try to find the policy release where they say this is not necessary.). Cookies not used for tracking of persons never needed any consent, as they have no privacy implications.
People who make their living creating cargo-cult UI designs have predictably added cargo-cult law-compliance to their toolset. It is beyond stupid.
> If you can set cookies, the user has already expressed their consent by enabling the cookies in the browser. As long as cookies' existence is common knowledge (it is by now), there is no need to duplicate browser UI within every website.
Wrong. If I disable cookies in my browser, I can't log in to websites anymore, so they need to be allowed. A whitelist would be very inconvenient. On top of that, it's not explicit allowance, it'd be implicit (i.e. opt-out instead of opt-in).
I don't know if British legislation is different, but this is illegal at least in the Netherlands.
You can enable session cookies only, even in the current UIs. Ditto for third-party cookies. Duplicating UI in a website is a solution looking for a problem. The web devs can nag the 0.01% who don't have cookies enabled, and leave the 99.99% who have them enabled alone.
It has never been enforced that way to my knowledge, anywhere in the EU. Which law or court decision says that it is actually illegal?
How does my browser know that one PHPSESSID is used for tracking, and another is a session? You probably mean until I close the browser, which would be never -- at least, I would never want to, but I do every few months for browser updates. (My laptop always goes in suspend/sleep mode.)
> Ditto for third-party cookies
I don't know what third-party cookies are anyway, and I bet my peers could not give me an accurate description either. We're all in the software business, be it game development or general software development or something.
Two gave a rough description but couldn't answer a question about whether embedded Like buttons would work if the user is logged into Facebook. Another just said "I don't know".
I'm not sure "the public is informed about all their options by now". The ones who really care generally use uBlock, ABP, Self-Destructing Cookies, Ghostery, etc., the rest just click "ok" because the sites do not inform them about these aforementioned possibilities: that wouldn't be in their interest.
> Duplicating UI in a website is a solution looking for a problem
Oh I agree it's an issue, I hate this cookie wall as much as anyone. I would love for there to be no need to ever see this wall.
> It has never been enforced that way to my knowledge, anywhere in the EU. Which law or court decision says that it is actually illegal?
I am not sure fines have been dealt, but the Dutch ACM ("authority for consumer and markets", literally translated) did give out warnings to non-compliant sites and they subsequently placed cookie walls.
The law simply says no such cookies may be placed, it doesn't say "for a few months while users are unaware, and after that, oh well, have some fun picking your own privacy laws as you wish."
And yes, I know functional cookies and simple tracking are allowed if you don't invade a person's privacy. This means practically every major website knowingly tries to invade your privacy, because they have these walls in place. What do people say? "Fucking government does not understand the internet, look at all these walls." What should we be saying? "Wait why are they trying to create detailed profiles of me in the first place?"