
It's a site where they log in and we store a cookie.



"Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user."

https://gdpr.eu/cookies/


Right, and then the legal teams tell me they don't care, and we should put up the cookie banner anyway. I feel like you didn't read my original comment.

That just means your legal team is lazy or incompetent. I work for a massive company that handles extremely sensitive PII and we don't have a cookie banner, because we don't need to have a cookie banner. GitHub doesn't have one, GitLab doesn't have one.

I've built software used by EU governments, and we don't use a cookie banner for our login cookies either.

If your legal team genuinely suggests that, it's likely your company uses the login cookies for some additional purposes.


The problem is that I spend hours explaining the actual technical nature of what we're doing to the legal team and I feel that there's often some kind of breakdown in communication because they don't understand the underlying technologies as well as the engineers do. And I haven't had this experience at one company, I've had it at multiple companies, several of which folks in this thread will have heard of.

To put a finer point on some of this, in one instance, I was writing an application that would allow our customers to deploy their own website with content that they had created through the tool that my company had provided. My company wasn't adding any tracking whatsoever to these pages. We were simply taking their content, rendering it properly, and hosting it for them. We ended up enforcing a cookie banner on these pages because the lawyers couldn't guarantee that there wouldn't be tracking content on that page that was added by the customers. But the end result is that every page, the vast majority of which don't have any tracking, still has a cookie banner.

In essence, the law created a new legal hazard, and people aren't sure when they're going to run into it, so they end up putting up fences all over the place. Between this and malicious compliance, the end user experience has suffered greatly.


That's super interesting, because the lawyers should know that under GDPR, consent needs to be specific.

So a generic cookie banner is actually going to make the legal case worse than not having one at all (because you've now demonstrated that you knew you should have explicitly declared usages, partners, and used opt-in consent, but you didn't).


I know that everyone wants to give me legal advice. Lawyers don't care about legal advice from engineers. That's the crux of the point I'm trying to make.


