To argue that this legislation would've had a good effect in some hypothetical alternative world where businesses had different incentives is beside the point!
(Side note, if it were not for govt investment in the decentralized, open internet, we'd probably all be using some ungodly-advanced version of America Online. So I'm certainly not advocating govt has no place in tech!)
Websites don't have to put a cookie banner for every kind of cookie. They have to show it whenever they collect identifying data about you. If they choose not to collect info on their visitors, then they don't have to put a banner.
- Customer: We must still implement that cookie popup before launch!
- Me: No. You don't have to. If we just disable SomePerformanceMetrics and GoogleAnalytics, we're done: we don't need a popup.
- Me: Who is using the performance metrics ATM? And who is acting on GA? How do you use them? Would this (shows three really neat Log-analyzers as alternative) suffice?
- Customer: We don't use them yet. But we might want to in future. And then we might need all that data. So we want to start collecting it now.
Point is: you don't need Google Analytics, you don't need any of those 20+ tracking cookies if you actually look at it. But there's a lot of FOMO, combined with "but this is how we have always done it, so shut up".
There are some rare cases where GA, new-relic, tagmanager etc are really necessary and none of the privacy-friendly (ie no-cookie-popup required) alternatives cut it. But those are rare. I daresay that a vast majority of tracking cookies is just there because the developers/business is too lazy to take a serious look at the problem.
Which is why I truly welcome more legislation that turns "collecting vast amounts of data" from "free" into a real and looming liability.
And yeah, doesn't work for all sorts of things, but as a site operator I would be careful in giving away that information out of self interest already ...
You mean... no opt-in popup is required for logfiles? Isn't it also PII? IP + browser + timestamp + referrer? It's almost enough to identify unique visitors.
GDPR could have added a law against misrepresenting the profiling under the umbrella of a "cookie consent", but that would just be Whac-A-Mole legislation. Companies would just wrap the consent banner under some other pretense.
A govt legislation that would actually work in practice would be to ban the practice of collecting and selling personal data. No consent, no popup, just a law making it illegal. That would have the desired practical effect and no annoying banners would ever be written. It would also be much harder politically to get accepted and people would complain that EU are draconian for not allowing consenting adults to go into an agreement where they trade personal data for service.
Personally however I would prefer if EU did just that. Ban it. Make databases of personal data toxic to have and the liability if anything leaks be high enough that in practice a company like a newspaper will do something else in order to earn profits.
The reality is even worse. The site operators would have to say "we want to give your data to google and others so they can create a profile of everything you do online."
If an individual site would track how one navigates their site and see click paths that might be tolerable to some degree. (Till they use that to increase dark patterns like booking.com's "only 2 rooms left and 5 people looking at this") But giving it away, into central databanks is baaaad