No, the law does the opposite. It effectively requires the use of pop-ups to "gain consent", it doesn't ban them. At least, that's how it's been interpreted in practice.
> "And also. GDPR isn't just about browsers or cookies. It's about data in general. Which includes all other situations, including offline interactions, gaming, and communication with governments."
Absolutely. In general the GDPR is a good thing. But it needs a rework to fix the cookie consent situation.
> It effectively requires the use of pop-ups to "gain consent", it doesn't ban them.
Once again: the law isn't about cookie banners. The law is about user data.
That is: if you want to collect more data than is strictly required for the functioning of your business, then you must ask the user for consent. Note: the law doesn't care if your business is online, or offline, or a combination thereof. If you set up a corner shop selling bread, and start asking customers for their name and address, you will be subject to the same GDPR provisions as a website.
How difficult is that?
Literally nothing in the law requires cookie banners. The only reason these obnoxious cookie banners exist is because the greedy leeches in our industry cannot live without siphoning your data en masse and selling it to the highest bidder, consequences be damned.
Now. Here's what you said: "Either GDPR should be updated to ban consent pop-ups and simply make “REJECT” the default everywhere"
The law already clearly states: REJECT has to be as simple as giving consent. And the entire industry said: yes, of course, here's a default "accept" with hundreds of pre-checked boxes, and you have to go through every single one of them one by one to reject.
How is that the law's fault?
They cannot ban people from asking users for consent to collect data. However, the law is rather explicit: any person has the right to reject this, the rejection has to be as easy and clear as accepting, and people cannot be denied service just because they rejected collection of non-necessary data.
As the article above states: once the law started to be enforced, sites started obeying the law, and not flouting it. Well, they still flout it with their "legitimate uses" bullshit, but the tide is ever so slowly turning.
Too bad, even developers are so gullible as to have been tricked into parroting the "law is bad" and "law requires obnoxious cookie banners" nonsense. No, it isn't. No, it doesn't.
> "They cannot ban people from asking users for consent to collect data."
Why not? This is exactly what needs to happen. Either that, or allow cookie consent to be granted/declined globally in the browser settings, not with a bespoke, intrusive UI on every. single. damn. website.
No, it's not. Because there are actual legitimate reasons for organisations and businesses to ask for user's consent.
> Either that, or allow cookie consent
You keep missing the simple fact that GDPR is not about cookie consents. How many times do I have to repeat this?
> not with a bespoke, intrusive UI on every. single. damn. website.
Again. In as simple terms as I possibly can:
- GDPR is about user data everywhere, not just in the browsers
- GDPR does not mandate cookie pop ups. This is entirely the work of a greedy industry
- GDPR cannot ban asking for user consent. Because that is a) over-reaching, and b) makes legitimate cases for asking for user consent illegal
- And again. GDPR is not about browsers. GDPR is not about websites. GDPR is not about cookies. GDPR is not about cookie popups
Note: if websites actually respected the law and user privacy, you wouldn't even see those popups. But sure. Tell me how it's the law that is responsible for them.
> "You keep missing the simple fact that GDPR is not about cookie consents. How many times do I have to repeat this?"
Fine. That's great: if GDPR is not about cookie consents then let's get rid of the damned pop-ups! If that means no more tracking cookies, then so be it. That's a good thing!
This is no different to the behaviour when a user clicks "reject non essential cookies" and also no different to what Apple already did with apps that accessed advertising tracking IDs on iOS. Facebook complained and lost a little money, but the world didn't end and the sky didn't fall. (iOS users can still choose to let apps track, but that UI is provided by the OS, not the app, and can be set globally).
> "makes legitimate cases for asking for user consent illegal"
I'm not at all suggesting that consent shouldn't still be asked for in situations where it's legitimate, like storing actual user personal data that they provide when signing up for an account, for example.
But simply visiting a website should not be considered a legitimate reason to obtain or store a user's data. Therefore there is no reason to ask for consent, and the practice should be banned.
> I'm not suggesting that consent shouldn't still be asked for in cases where it's legitimate, like storing actual user personal data that they provide when signing up for an account, for example.
Guess what. In this case you don't have to ask for user consent. Because this data is strictly essential to site functionality.
> But simply visiting a website should not be considered a legitimate reason to obtain or store a user's data.
But that is not how it is being interpreted in practice.
Clearly we just need to go one step further and explicitly say "it is not permitted for consent for tracking cookies to be obtained by the use of a pop-up UI that appears when a user visits a website". Problem solved.
> But that is not how it is being interpreted in practice.
No. In practice it's actually being interpreted correctly. What is being willfully misinterpreted is how easily a user can opt out. Because the industry wants to remain exactly the same: it wants to siphon user data and sell it en masse.
The existing pop ups that use dark patterns to make the user click "accept" are already illegal.
> it is not permitted for consent for tracking cookies to be obtained by the use of a pop-up UI that appears when a user visits a website
So it won't be a pop-up. It will be an interstitial page. You keep focusing on the entirely wrong issue and blaming the law for it.
So, we've banned pop ups. Now what? Now every time you visit a web site, you get a full page asking for your consent.
Then you'll blame the law and ask to ban interstitials.
Ok. We'll ban interstitials. Now it will be banners. Or every second paragraph in text. Videos. Images.
Where the law just says: do not collect user data without user's consent, and the user isn't obliged to give you that consent.
And the industry replies: screw this, we demand this data and make users' life hell for it.
Somehow gullible devs are now fully convinced that the law requires all this.
I’m not necessarily blaming the law, but saying that a new law (or change to the existing one) is needed to ban cookie pop-ups.
It’s clear at this point that the problem is not going to go away without intervention. The industry isn’t going to fix itself.
Also, it’s unfair to blame developers here. Devs don’t have some perverse desire to create annoying pop-ups. They’re being told to do it by management and legal teams, because that’s how the GDPR has been interpreted.
> "So it won't be a pop-up. It will be an interstitial page."
Ok, so you phrase it more generally: “it is not permitted for consent for tracking cookies to be obtained when a user visits a website”
This would be specifically for tracking cookies (“cookie pop-ups”).
Consent for legitimate reasons is given, for example, when you sign up for an account on a website or conduct some sort of transaction with a business. Just not the act of anonymously visiting a web page.
> This would be specifically for tracking cookies (“cookie pop-ups”).
Those pop-ups are not "specific for tracking cookies". Because the issue, and the law, isn't about "tracking cookies". The issue, and the law, is about user data.
So, they will replace the question about cookies with a question about localStorage. Then about IndexedDB. Then about storing data in service workers.
Why do you keep focusing on the one issue that is 100% the result of the industry's actions and pretending it's about the law?
> Consent for legitimate reasons is given, for example, when you sign up for an account on a website or conduct some sort of transaction with a business.
Again. Even when you sign up for something, for some of the data consent isn't required. And for other data consent is required.
I give up. I cannot put it in simpler terms than I already have.
> "So, they will replace the question about cookies with a question about localStorage. Then about IndexedDB. Then about storing data in service workers."
It doesn't matter how they're technically implemented, pop-ups seeking consent for tracking cookies (or their functional equivalent) should be banned.
> "Again. Even when you sign up for something, for some of the data consent isn't required. And for other data consent is required."
We seem to be agreeing on this, not disagreeing! The ban I'm proposing would apply to user tracking data, and would not affect whether or not consent is required for other data.
The fundamental point is that the simple act of visiting a website should not require consent.
That is literally in the law. Article 7.3 https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...
--- start quote, emphasis mine ---
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
--- end quote ---
Also, Recital 32: https://gdpr.eu/Recital-32-Conditions-for-consent
And also. GDPR isn't just about browsers or cookies. It's about data in general. Which includes all other situations, including offline interactions, gaming, and communication with governments.