
> Receive users’ consent before you use any cookies except strictly necessary cookies.

Yup.

> login cookies

Put an unchecked "Remember me" checkbox on your login page and link to your cookie/privacy policy. This is a good idea anyway as the user might be on a shared computer.

> Preferences cookies

Allowed to be persistent as long as they don't contain user identifiable information.

> A cookie that remembers your shopping cart if you leave the site and return to it later.

I couldn't find any specific guidance on this, so it seems reasonable to use a cookie that might last a few hours or so, then have a talk with your local Information Commissioner's Office if someone complains.
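The advice above (session cookie unless "Remember me" is ticked, short-lived cart cookie, preferences persisted only with consent) as an added example; this is not code from the thread, and the purpose names, lifetimes and the `CookieContext` flags are assumptions for illustration, not any framework's API:

```python
# Added example: emit Set-Cookie headers whose persistence depends on the
# cookie's purpose and on what the user has actually agreed to.
# Purpose names, lifetimes and the flag names below are assumptions.
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600


@dataclass
class CookieContext:
    remember_me: bool = False            # state of the unchecked-by-default box
    consented_preferences: bool = False  # user accepted preference cookies


def cookie_max_age(purpose: str, ctx: CookieContext) -> Optional[int]:
    """Return Max-Age in seconds, or None for a browser-session cookie.

    session  : strictly necessary login session; session cookie, no consent needed.
    cart     : strictly necessary; kept short-lived (a few hours), as suggested above.
    prefs    : persisted only after consent; otherwise session-scoped (conservative choice).
    remember : persistent login token, only meaningful if "Remember me" was ticked.
    """
    if purpose == "session":
        return None
    if purpose == "cart":
        return 4 * 3600
    if purpose == "prefs":
        return 30 * DAY if ctx.consented_preferences else None
    if purpose == "remember":
        return 30 * DAY
    raise ValueError(f"unknown cookie purpose: {purpose}")


def set_cookie_header(name: str, value: str, purpose: str,
                      ctx: CookieContext) -> Optional[str]:
    """Build a Set-Cookie header value, or None if the cookie must not be set.

    A "remember" token is not issued at all unless the box was ticked; login
    cookies are HttpOnly, preference cookies stay readable by page scripts.
    """
    if purpose == "remember" and not ctx.remember_me:
        return None
    attrs = [f"{name}={value}", "Path=/", "Secure", "SameSite=Lax"]
    if purpose in ("session", "remember"):
        attrs.append("HttpOnly")
    max_age = cookie_max_age(purpose, ctx)
    if max_age is not None:
        attrs.append(f"Max-Age={max_age}")
    return "; ".join(attrs)
```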



The actual law can be found here: https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19

Emphasis mine:

However, such devices, for instance so-called ‘cookies’, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

Where are you getting that some cookies don't require consent?


https://gdpr.eu/cookies/ says (emphasis mine):

> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

See the "Cookies and the GDPR" section for discussion.


Why are you so unwilling to read anything on that page except that specific paragraph? The next paragraph says:

> Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.

and further down the page a little bit:

> Receive users’ consent before you use any cookies except strictly necessary cookies.

I sincerely hope that nobody reading this thread follows any of your terribly incorrect advice.


Preference cookies are not allowed to persist without consent. Not only is your interpretation of the regulations very highly opinionated, but it’s just outright wrong on some points. Your assertion that anybody who deviates from your opinions on the regulation, or doesn’t share your misunderstandings must be abusing data by asking for a cookie consent is frankly ridiculous. The guidelines also state that even for Strictly Necessary cookies, the site must explain why they are necessary, something your canonical example of a good site fails to do.


> Preference cookies are not allowed to persist without consent.

OK, I am willing to be educated, point me at the place in the regulations this is discussed.

> Not only is your interpretation of the regulations very highly opinionated, but it’s just outright wrong on some points.

s/opinion/interpretation/

> The guidelines also state that even for Strictly Necessary cookies, the site must explain why they are necessary, something your canonical example of a good site fails to do.

You don't need to do this in a cookie popup consent dialog. You are welcome to carry on thinking this if you want to though obviously.


> Preference cookies are not allowed to persist without consent.

> OK, I am willing to be educated, point me at the place in the regulations this is discussed.

It is not discussed, it is stated very explicitly:

> (66) Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:...

If you want to persist any preference information, you must get explicit consent. Whether you use that information for tracking or not, or whether it is combined with PII or not, has absolutely no bearing on your obligation. The act of persisting that information in the user's browser requires consent. As this is a directive, it will be implemented independently by every member state, so if you want specific guidance for a specific state, you'll have to look it up. I linked the UK's guidance on this to you above, which you ignored. The facts are:

> If you want to persist any preference information, you must gain explicit consent

> The existence of cookie consent dialog is not a sign of malfeasance

> Lack of a cookie consent dialog is not a sign of lack of malfeasance

> Your stated interpretation of the regulations is very highly opinionated, and not supported by any jurisprudence

> Some of your stated interpretations are just demonstrably wrong

> The actual regulation is almost never followed

Based on those facts I would argue that the regulation has provided no benefit to the public at all, and has simply created a global nuisance that we all have to put up with now.



