
Right, and now you get sued by a group claiming that you don't need carts for non-logged in customers. Do you need to provide carts for non-logged in customers? No, says the lawyer, you selfishly used cookies to track people without consent in order to improve your sales. Or you can just throw up a cookie disclaimer to cover your ass.

Sure, the cart is perhaps a trivial case. But persistent tracking is also used to prevent abusive behavior, and other things that aren't strictly necessary. The risk that someone might try to claim that these are unnecessary far outweighs the cost of throwing up a cookie disclaimer. Thus, cookie disclaimers become pointless through their ubiquity.

Reply to your comment, since HN is rate limiting my work VPN:

> That's not how it works. Someone complains to the Information Commissioner's Office (ICO). ICO determine if the complaint is valid and will get in touch with the site owner to help them come into compliance.

And then they get sued if they don't come into compliance. This is just elaborating extra steps.

> There is no such thing.

> You have to make unnecessary data collection and tracking opt in. You can't have a notice that says "we might do x unnecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.

Right, and websites don't display content unless this supposedly unnecessary data collection is opted into. Because nobody wants to risk being on the wrong side of ambiguous restrictions on necessary and unnecessary tracking. You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.

Again, carts aren't actually necessary. They make it easier for users to buy multiple items, but you can make cart-less checkouts by having customers select all items on a single page. Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.



> Right, and now you get sued by a group claiming that you don't need carts for non-logged in customers.

That's not how it works. Someone complains to the Information Commissioner's Office (ICO). ICO determine if the complaint is valid and will get in touch with the site owner to help them come into compliance.

> Or you can just throw up a cookie disclaimer to cover your ass.

There is no such thing.

You have to make unnecessary data collection and tracking opt in. You can't have a notice that says "we might do x unnecessary data collection and/or tracking" and make the user click it or go away. You need to be compliant, or you need to not serve the European market.


> That's not how it works.

In some countries your competitors or some other third parties can just directly send you a cease-and-desist letter if they believe you're violating some law.

Even if that letter turns out to be unfounded because it turns out that implementing a shopping cart using cookies without an explicit consent is a legitimate use case, they're quite a bit more of a hassle to handle than your supposed friendly ICO just "get[ting] in touch with the site owner to help them come into compliance".

So one more reason to err on the side of over-caution and just put up a popup for any kind of cookie...


This is a reasonable grounds to discriminate. No one is required to provide non-logged-in users a bulk product purchase interface. They could choose to buy each product separately, or sign in. Bulk purchase cart is not essential, it is a convenience.


> And then they get sued if they don't come into compliance. This is just elaborating extra steps.

If you don't come into compliance with data privacy laws after being helped to do so by the ICO, then yes, you deserve to end up in court.

> Right, and websites don't display content unless this supposedly unnecessary data collection is opted into.

That's literally not allowed under GDPR. You can't avoid the GDPR by doing something that is in violation of the GDPR. It's like trying to avoid getting a speeding ticket by going faster.

> You insist that websites have to display content regardless. Reality demonstrates otherwise - this is a practice sites do all the time.

Yes, and they're not compliant with the GDPR. Not all sites will get the tap of the ICO's hammer though. Some are going to be too hard to enforce (non-EU only entities for instance) and some just won't get complaints.

> Again, carts aren't actually necessary.

Nope, they are very much allowed.

> Thus, by adding cookies to implement a cart without consent you have violated user privacy for reasons unnecessary to provide your service.

Nope, totally incorrect.


> You can't avoid the GDPR by doing something that is in violation of the GDPR. It's like trying to avoid getting a speeding ticket by going faster.

Well, it worked for the Dukes of Hazzard, and it seems to be working well for Facebook et al so far...



