The ePrivacy directive has:
“Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.”
My understanding is “legitimate purpose” is far weaker than “strictly necessary”.
Now, you’re right that the DSGVO/GDPR is often interpreted as banning cookie walls (guidelines):
“39. In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)”
But my understanding is this only applies to gathering consent to do something otherwise prohibited under the GDPR.
The introduction says:
“The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon the Article 29 Working Party Opinion 15/2011 on consent.”
Then later:
“Therefore, in this document, the EDPB expands upon and completes earlier Article 29 Working Party Opinions on specific topics that include reference to consent under Directive 95/46/EC, rather than replacing them.”
Later in the text, it specifies:
“Ad. (ii): Consent mechanisms must not only be granular to meet the requirement of ‘free’, but also to meet the element of ‘specific’. This means, a controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.”
I’m no lawyer but to me, that sounds like “completing the Data Protection Directive” means adding new requirements to it.
Also not a lawyer, but if they were trying to modify something so specific as the ePrivacy directive line I quoted I think they would have said so?
Generally, all the cookie banners started popping up after GDPR was published.
One part of the guideline on consent says:
“With regard to the existing e-Privacy Directive, the EDPB notes that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR.”
It’s unfortunate how complex those guidelines happen to be, but I do think what’s meant is that the GDPR norms on consent apply more widely.
Really? I remember them going back decades
My experience was seeing them all appear after GDPR
Not literally “all”—they’ve existed for a long time, but until GDPR it was pretty rare except on heavily-regulated EU sites. It’s only recently that the EU has appeared more willing to enforce this on non-EU sites for companies who do business with EU citizens and might someday have part of their business based in the EU. Though I don’t know of many actual enforcement actions, it may be just follow-the-crowd threshold effects: if your competitors are annoying their users this way, you probably should too.
Edit: I wish I’d used this opportunity to introduce the term “cargo-cult regulatory compliance”. I think it’s worth a deeper exploration of the complexity of the modern regulatory world and the sheer quantity of “follow the crowd, rather than understanding the written and unwritten requirements” that exists.
I remember that GDPR changed behaviors a lot but I don’t have a good way to check.
I agree it’s hard to tell. Looking at archive.org most pages don’t show cookie banners even for recent things. I did find that the “I don’t care about cookies” Firefox extension goes back to at least 2014 [1] and says “EU regulations require that any website using cookies must ask the user’s permission before installing them. These warnings appear on most high traffic websites until the visitor agrees with the website’s terms and conditions. Imagine how irritating that becomes when you surf anonymously or if you delete cookies automatically when closing your browser.”
[1] https://web.archive.org/web/20140326174218/https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/