
Except that if the sites don't do annoying things there is no need for annoying popups.

The EU law:

- doesn't require opt-in permission for essential cookies and similar. So basic non-personalized website usage statistics (analytics) do not need an opt-in; only if it's tracking people in any way are such opt-ins needed

- if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either

- is not limited to cookies btw.

All in all this means that for any site not based on ad-revenue they fully can get away without needing any annoying popups, if they don't do some sneaky questionable things.

Even for ads there are ways to do them without annoying popups: you just need to not track people. Tracking the number of times a website was loaded doesn't require annoying popups, just tracking who opened it does.

Similarly, if you track people only after they clicked on the ad, you don't need annoying popups on the site the ad is on but only on the site the app navigates to (though only start tracking after opt-in). Which, given that many ads try to sell you stuff and buying things only requires an account, isn't as big of a problem as it might seem.

In the end you can say the only reason there are so many annoying popups is because most companies have no intention to respect the privacy of their users. Actually, if you look into it and realize that many popups are not legally compliant or borderline illegal, it becomes clear that they do not only not respect the users' privacy but the users themselves.

Though I have to note that while many (most?) companies can switch to respectable advertisement, some companies can't as easily do so.



The thing is, tracking cookies don't annoy me, because I block all cookies anyway (unless it's one of the few sites I need to actually log into), so they can't track me with them.

It's the popups that actually annoy me, especially because they keep on popping up -- ironically they need to store a cookie to remember that the user has accepted/denied, and my cookie-blocking blocks that cookie as well.

I think browsers blocking cookies by default and asking for permission before storing cookies is a better solution to this issue than GDPR popups all over the web, and leaves far less room for malicious websites to track you in spite of the user denying.


But the EU law is not just about cookies. It's also about e.g. fingerprinting your browser which is very hard to effectively block in practice.

It's a common misconception that it's about cookies. It's about data processing, i.e. tracking. There is a different law than GDPR which is about storing data on users' PCs, but that is also not about cookies but about any browser storage, and it more or less got superseded(1) by GDPR.

(1): Ok, that is quite an oversimplification, but most popups are now about GDPR and having them also covers the other law.


> if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either

Apologies if I've misunderstood your claim here but it seems to me that you are saying you can bury consent to processing inside your legalese.

That doesn't comply with the GDPR as I understand it; the consent must be informed and freely given. Informed in that case is debatable since you are lumping a lot of terms together. You certainly can't claim it's freely given if accepting the terms of service is not optional.


You consent to processing related to keeping you signed in. You don't consent to selling all your data away.


Hm, true, a ToS checkmark is not enough, you need to make the opt-in part clear. But it should be enough to do so when creating an account and for every change. At least if you put in a reasonably findable settings page which allows you to review/change such settings.

But I still believe you can do it once on account creation and then never again if people are logged in and nothing changed.


Might not some websites need to store connection logs with IP addresses for anti-DDoS protection?


As far as I know, if you only use the logs for DDoS protection and not for e.g. statistics, and only store them as long as you need them for it and then delete them, it _I_ think should be legal without a popup banner, though maybe only if you don't give it to 3rd parties for DDoS protection? I have to look into this again.

The problem is the "only" part(s) ;=)

Oh, and you must reasonably convey that DDoS protection is essential for your service etc. Which, if you ever had any (non super small) DDoS attack, should be reasonably easy.

But I'm no lawyer and a bit of time has passed since I last looked into it, so if I now needed to make a corporate decision I would look it up again.



