Law isn't like software code. It doesn't have to be put to an exhaustive set of unit tests to 100% pass rate and then worry about anything it might not have covered. The law just needs to signal intent and scope clear enough the judicial system can work with interpreting it to new applications in a way most people can consider consistent.

In the case of cookies, they simply apply to computers and not people. Why? It's not about whether the two are operationally similar it's about whether the two are practically similar. Until every shopkeep meticulously tracks every detail of every customer interaction and starts efficiently sharing them with others, all manually, often enough and at a large enough scale that it becomes a similar privacy concern it's not really worth fretting the law be generic enough to cover the use cases. In such a case it probably even makes sense to just write a separate law which meets the domain's needs more succinctly.

Excellent post.

To hammer your point home even further, there's also the key point that in the digital world you also have entities like Meta that track you everywhere you go because they have their little tracker scripts running on almost every website.

To bring this back to the previous hypothetical, it's more like a single person following you around with a camera everywhere you go, which is already covered by existing laws.

A website run by a large corporation is very different from a store run by Jane. Jane does not have thousands or millions of people coming into her store, and she also is not selling CCTV footage from her store to advertising companies. We would be rightly outraged if she was. She also probably isn't sharing customer details or security footage with government authorities unless her store has been robbed or something.

This is a thing that these comparisons always miss.

These rules aren’t for your dream small business. It’s for a mega corp that would literally not care if you lived or died or if that hammer hit you on the head.

Probably?

* Using Quickbooks Online? they market/sell that data.

* using ADT for payroll? They market/sell employee salary information.

* Using Ring for security? they freely share video with LEO

* etc, etc. All these services that SMB's use already have their fingers in the pie.

Those big multinationals are abusing their position I agree. I’d like to see those practices banned, HN wouldn’t because half of HN relies of predatory activities to pay their rent

Yes. In fact, you already do this most of the time. The right to be forgotten is so fundamental to humanity that humans have to expend extra effort to violate it and remember stuff. Machines with perfect memory violate the right to be forgotten by default and we have to tell them to forget things. Hence the regulation.

I don't do this most of the time. It keep a diary. I keep records of all kinds of stuff.

I would be uncomfortable if I had found out your diary contained as much about my daily travel and grocery errands as I know can be bought by marketing firms, or anyone with the right relationships in the industry. For that matter, the friendly greengrocer doesn't know what I bought at the shoe store.

Do you... write down the name of every person that walks into your store, then cross-correlate so you have nice little lists of every time each person came in and what they bought and how they looked that day? Because doing the same thing online companies get away with is generally seen as stalking in the real world.

Jane is tracking you from store to store, remembering everything you saw, everything you interacted with, everything you did, and selling that to the highest bidder

The law says that you need consent for any cookies which aren't strictly necessary for the functioning of the site.

In your instance, I would have put a backordered hammer in my cart. I come back the next day to check and see if the hammer is in stock. The cookie that enables cart behavior is necessary to the functioning of an online store. No consent needed.

In the real world, this basically means that tracking and marketing cookies are what you are being asked about. They don't need to ask about much else.

The EU has a very good write-up: https://gdpr.eu/cookies/

Even tracking what items you had looked at purely for the purpose of showing you things you had previously considered is trivially justifiable if its used for that feature rather to sell info to advertisers.

Showing you your viewing history would be an "unnecessary to the core functionality of an online store" feature and require explicit consent to track.

I think it would actually be very difficult to demonstrate that this tracker is absolutely required for the online store to function.

Most stores suggest products to buyers

And yet it's still not a vital part of running a store.

> These cookies are essential for you to browse the website and use its features

It doesn't seem to directly require comporting with someone's limited view of how a particular app is supposed to work

Not a lawyer. My impression is that you’re in any case allowed to record things in order to fulfil explicit requests (preferences, ongoing orders—like in your example), legal requirements (limited-time order history—ugh), or functional necessities (free trial used up), no explicit consent needed. Notably the bar is “required to work at all”, not “required to be profitable” or “required to use common out-of-the-box solutions”. Cloudflare or reCAPTCHA 3 would probably make interesting test cases here (my burning hate for them from the several years I needed to use a self-hosted always-on VPN aside).

The way to do this (both in ePrivacy and in GDPR, despite the different legal mechanisms they use) looks to be to write a phrase like “legitimate interest” into the main text, give illustrative examples of what that’s supposed to mean in the recitals before that, and let the courts figure out the details.

> am I required to forget that you came into my store?

No. Your head is not covered by the GDPR. It requires you to not keep a record of all your clients' personal info without a legitimate interest.

There's a Seinfeld episode where Elaine goes to buy a fancy pen at a stationery store which isn't available atm. The clerk asks for her full name and number to notify her (that's a legitimate interest) but then uses it to hit on/stalk her (that would be a GDPR violation). Presumably he also doesn't get rid of the number after their business transaction.

> what is the limit here.

Common sense and consent. Laws are not theorems or malicious genies.

First: just look into your session store, which lists all people which are in your store (hah!).

Second: You can have analytics AND be GDPR compliant without a cookie banner. There are even companies built around this: https://plausible.io/