You're right, I said third party, but I actually meant tracking. I actually went and checked, and our only cookie is the cookie for if you've seen the cookie banner or not...
> Consent may be required even if there are no cookies at all.
> Our US legal team said that we need the banner if we have visitors from the EU, not if we're tracking them.
This actually makes sense - because if you didn't have the cookie banner then some fucking weirdo would come to Hacker News and make a self-righteous post about how you're "tracking residents of the EU without their consent and abusing them" (even though you're not). Instant karma. Next thing you know these weirdos and their mob are reporting you to their government and you're dealing with government inquiries and more legal expenses trying to prove your cookie-less web 1.0 site doesn't "abuse people."
Do you have any basis at all for such an absurd claim? The law actually works in the opposite direction (kinda):
You may use "legitimate interest" cookies/tracking without saying so, but as soon as you show a privacy dialog you actually have to disclose everything you're doing including legitimate interest.
Basically by having a list of what you're doing with your user's data you're giving up your right to do anything not listed.
GDPR actually doesn't specifically mention cookies at all. Tracking is what's illegal, not cookies.
Let's say you keep website logs with IPs on them, and you do analytics for non-essential purposes. You can do this under GDPR, but you must gain consent from the user before logging this PII.
It actually is completely and totally orthogonal to cookies. Some cookies are fine without consent. Some things that are not cookies are illegal without consent.