Generally, all the cookie banners started popping up after GDPR was published.
One part of the guideline on consent says:
With regard to the existing e-Privacy Directive, the EDPB notes that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR.
It’s unfortunate how complex those guidelines happen to be, but I do think what’s meant is that the GDPR norms on consent apply more widely.
Also not a lawyer, but if they were trying to modify something so specific as the ePrivacy directive line I quoted I think they would have said so?
Really? I remember them going back decades
My experience was seeing them all appear after GDPR
Not literally “all”—they’ve existed for a long time, but until GDPR it was pretty rare except on heavily-regulated EU sites. It’s only recently that the EU has appeared more willing to enforce this on non-EU sites for companies who do business with EU citizens and might someday have part of their business based in the EU. Though I don’t know of many actual enforcement actions, it may be just follow-the-crowd threshold effects: if your competitors are annoying their users this way, you probably should too.
Edit: I wish I’d used this opportunity to introduce the term “cargo-cult regulatory compliance”. I think it’s worth a deeper exploration of the complexity of the modern regulatory world and the sheer quantity of “follow the crowd, rather than understanding the written and unwritten requirements” that exists.
I remember that GDPR changed behaviors a lot but I don’t have a good way to check.
I agree it’s hard to tell. Looking at archive.org most pages don’t show cookie banners even for recent things. I did find that the “I don’t care about cookies” Firefox extension goes back to at least 2014 [1] and says “EU regulations require that any website using cookies must ask the user’s permission before installing them. These warnings appear on most high traffic websites until the visitor agrees with the website’s terms and conditions. Imagine how irritating that becomes when you surf anonymously or if you delete cookies automatically when closing your browser.”
[1] https://web.archive.org/web/20140326174218/https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/