Maintaining a shopping cart across days isn’t “strictly necessary”
This seems like an extremely draconian interpretation of the law. I’d say that maintaining a shopping cart across days is a legitimate part of a service the user requested, and while multi-day shopping carts are not “strictly necessary” for the service as a whole, cookies are strictly necessary for that part.
To find out what interpretation is correct I’d like to see some actual court case where it’s discussed. From my cursory search online, the violations (e.g.) seem to be a lot more flagrant than this.
In any case the question of why the cookie banners are so common has a simpler explanation, I think. Websites don’t really know much more of the law than we do, and they don’t have the time or skill to evaluate their entire web tech stack for potential issues. In the end they err on the side of caution by copying what others do, in what’s partially carefulness and partially cargo-cult.
Notably, the website of the Court of Justice of the European Union itself stores cookies for “display preferences, such as language, contrast colour settings or font size” automatically without the user being able to opt out. This is pretty strong circumstantial evidence to me that doing so is actually okay.
When I go to that site and click on the language dropdown I get a cookie pop-up telling me how they will use cookies on the site.
I read the opinion now. You’re right in that their analysis too is actually rather harsh! E.g, no long-term shopping carts are allowed, only for the current session plus “a few hours” which presumably would stretch to tomorrow but not more. Still, I’d say that it’s really strict compared to the actual court cases, and probably in any case wouldn’t prevent a website from delivering an optimal experience for the user without needing a cookie banner at all. if I was designing a shopping website I wouldn’t lose sleep over having a shopping cart expire after a week, assuming I could actually justify that the users would benefit from it.
For the curia.europa.eu cookie banner they present it doesn’t give you the opportunity to reject “technical” cookies, just the analytics and YouTube stuff. That implies that the cookies for language and such is exempt, and the reason for the banner is those other ones. They also set the “clicked the cookie banner”-cookie expiry time to a year, also implying it’s okay to store it for that length of time.
it doesn’t give you the opportunity to reject “technical” cookies, just the analytics and YouTube stuff
I think that’s because then the weaker “legitimate purpose” standard applies? (“Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.”)
This seems like an extremely draconian interpretation of the law. I’d say that maintaining a shopping cart across days is a legitimate part of a service the user requested, and while multi-day shopping carts are not “strictly necessary” for the service as a whole, cookies are strictly necessary for that part.
Notably, the website of the Court of Justice of the European Union itself stores cookies for “display preferences, such as language, contrast colour settings or font size” automatically without the user being able to opt out. This is pretty strong circumstantial evidence to me that doing so is actually okay.
To find out what interpretation is correct I’d like to see some actual court case where it’s discussed. From my cursory search online, the violations (e.g.) seem to be a lot more flagrant than this.
In any case the question of why the cookie banners are so common has a simpler explanation, I think. Websites don’t really know much more of the law than we do, and they don’t have the time or skill to evaluate their entire web tech stack for potential issues. In the end they err on the side of caution by copying what others do, in what’s partially carefulness and partially cargo-cult.
This “draconian interpretation” is straight from the guidelines I linked: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf
When I go to that site and click on the language dropdown I get a cookie pop-up telling me how they will use cookies on the site.
I read the opinion now. You’re right in that their analysis too is actually rather harsh! E.g, no long-term shopping carts are allowed, only for the current session plus “a few hours” which presumably would stretch to tomorrow but not more. Still, I’d say that it’s really strict compared to the actual court cases, and probably in any case wouldn’t prevent a website from delivering an optimal experience for the user without needing a cookie banner at all. if I was designing a shopping website I wouldn’t lose sleep over having a shopping cart expire after a week, assuming I could actually justify that the users would benefit from it.
For the curia.europa.eu cookie banner they present it doesn’t give you the opportunity to reject “technical” cookies, just the analytics and YouTube stuff. That implies that the cookies for language and such is exempt, and the reason for the banner is those other ones. They also set the “clicked the cookie banner”-cookie expiry time to a year, also implying it’s okay to store it for that length of time.
I think that’s because then the weaker “legitimate purpose” standard applies? (“Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.”)