
Wow... Do you know the org's name?


I am just going to leave this here: https://www.enforcementtracker.com/

Yeah, you better comply. And it is also pretty simple — if you don't do anything that requires that you get informed consent from your users you don't need to ask them.

Each combination of personal datum and purpose requires such consent if it isn't a strictly needed purpose (legitimate interest). Example: If you have an online shop you can e.g. collect someone's address for the purpose of shipping — if they order and enter their address the user implicitly gave you their informed consent that they agree to you using that address to ship the product to them. Logical: when they order and pay money it can be assumed they want to give their address for that purpose.

They did not give you consent to sell that same address off to the highest bidder. If that is what you need to do, you would have to explicitly ask them to whom you want to sell that data and what they plan to do with it — same data, but different purpose. Not legitimate interest since you don't strictly need to do that to sell a product. And you better have a clear wording describing that purpose, otherwise you collected uninformed consent and that is worth zilch. If you feel like you need to trick users into agreeing, that is what the law aims to prevent.

IP addresses and such have also been ruled personal data. Server side logging for technical purposes is legitimate interest, but storing the same data anywhere (not only cookies!) for the purpose of ad tracking requires you to get the user's informed consent before collecting the data. You can assume that if it can be used to personally identify a user in a sea of users, it is personal data, even if it needs to be used in conjunction with other data to reach that identifiability.

Also: if there are a million "No" switches with two menu layers and one green "Accept" button: you created a nice toy there, but it didn't gather informed consent from your user and is therefore utterly useless. Informed consent must be given freely. If you make one easier than the other it hasn't been given freely. If you visually code one as the good/default and the other as the bad/meaningless/complicated choice, the choice was not made freely. Play stupid games, win stupid prizes.

The law is pretty clear on all that, lived reality hasn't caught up yet and people pay real money for that. I recommend that you just read the law, it is probably worth reading instead of copying what everybody else (including the big ones) is doing.


But isn't the cookie banner for asking permission to use third party cookies? I don't think I have ever seen a cookie banner asking if I agree to my data being sold.


Why do you think website operators want to place those third party cookies on your PC?

There's only one legitimate use for them, which is for ancient corporate login workflows that shouldn't exist anymore. Every other use of them generally is just for targeted advertising, and with it sale of data, or using them for internal analytics.

Usually they don't really mention the selling data part upfront; it's hidden somewhere in the giant modals that they make you click through. There's also the related problem that Google is an information guzzler, and anything that enters its ecosystem has a chance to get used by them for advertising, meaning that these giant modals also get shown for webpages that use Analytics. That last one is how you often see sites without ads get those giant modals.

Arguably they should've been blocked by the user agent years ago, and Mozilla has already done so. Google however cannot do so with Chrome because of their conflict of interest in the ad market; the UK has determined that if Chrome kills third party cookies, all their replacements would just punt Google into unfair competition. It's probably the strongest argument I can think of as to why Chrome should be split off from Google - a browser that cannot meaningfully protect a user against bad actors because of the operator being a monopolist bad actor shouldn't be used at all.

Mere (same site) login cookies require no modals or confirmation since the user implicitly consents to them when they authenticate (most users expect their login to be preserved when they change pages and/or reload the site.) That said, it's still considered a courtesy/good practice to inform users before placing them regardless.


I would imagine 95% of cookies are not selling data but giving your data away in exchange for the other services.

1. Because they are using GA4 feeding info to Google.

2. Because they have some advertising pixel / api set up feeding info to Meta.

I would guess sites like Hubspot, Salesforce, or Github might actually be selling data.


Yeah but the law didn't invent cookie banners, people who (intentionally mis-)interpret the law did. Then in the public eye it got reduced to "You need a cookie banner" and people jumped on the bandwagon, because other sites had them so apparently you need to have them too. Many of those cookie banners are factually at odds with current EU law. But hey, everything is a cargo cult these days.

Legally the law is just: You have to ask for informed consent that has to be given freely for each purpose. How you ask and how you inform is not defined precisely, except for negative examples of what isn't considered informed consent or freely given consent etc.

If someone just clicks "Accept All" that person wasn't informed. So cool that you made them click, but you could also just have left it away, since it didn't give you the thing the law required you to get.

That means real datahogs would probably need to inform people in a many slides long presentation or a feature length film before they could actually get even close to receiving something resembling informed consent. That is ofc totally unpractical and would hurt their business of data-hogging.

Now the EU came at this with the base assumption that privacy is a right that needs to be protected in a way that it cannot be simply given away without informed free consent. So if it hurts datahogs, that is one of the intended side effects.

If my friend's pizza place wants to put ads onto my website that is entirely possible without any tracking: he can give me a JPEG or a video and I put it onto my website as static content. Just the current way of advertisements with 300+ third parties would become harder.


If it’s factually at odds with current EU law why does the official EU website use them https://european-union.europa.eu/index_en


https://commission.europa.eu/cookies-policy_en#:~:text=Every....

‘Every time you visit the Commission’s websites, you will be prompted to accept or refuse cookies.

The purpose is to enable the site to remember your preferences (such as user name, language, etc.) for a certain period of time.’


Because it’s a poorly designed regulation and there is a group of people who can’t accept that the EU over-regulates and is bad at writing any regulation remotely related to technology.

If a government has trouble complying with the “spirit” (as many people use in argument) of their own regulation then the regulation is poorly designed and not useful.


Check out the recent paywalls by EU Newspapers like Der Spiegel where it's a 'pay or consent' cookie popup.


Those are most likely illegal too, although local DPAs have been mucking with allowing them.

The CJEU however doesn't seem to like the practice, considering Meta/Facebook wants to do the same scheme, and as a general rule, when a major company does it, it'll eventually get a decision from the CJEU.


By the letter of the law these cookie paywalls are actually illegal. I assume the news sites are intentionally taking the risk till there is legal clarification/precedent.

I wish them that the EU comes crashing down with a hammer and demands all ad revenue of that time back.
