10 August, 2024

A second take on cookie consent banners

In July 2022, I was a confused software developer trying to navigate European e-privacy laws. I was working on projects both for clients and for myself and wanted to take a closer look at the "no cookie-consent banner" claims made by Plausible and other privacy-friendly alternatives to Google Analytics. My motivation was not only to adhere to the best privacy practices but also to get rid of the intrusive cookie consent banners. I wrote about my findings in a blog post. However, after coming across discussions like this and looking more carefully into the subject, I have since changed my opinion. Specifically, until a European DPA provides more clarity or an authoritative voice provides a solid alternative interpretation, it seems that, in the context of most European countries, it's best to keep the cookie consent banner, regardless of the claims made by the service providers.

My starting point at the time was a discussion on Hacker News about browser fingerprinting and whether it was GDPR compliant. Additionally, under a certain interpretation of the e-privacy directive, consent was necessary. The service relied on browser fingerprinting and, even if no cookies were stored in the traditional sense, information about the user's device was still being retrieved. Regardless of whether personal data was anonymized through hashing and a daily salt, the fact remained that this data collection by a third party went beyond what was necessary to provide the service; therefore, consent was required, whether or not cookies were set.

Furthermore, what seemed apparent to me at the time (an opinion which I expressed in an exasperated GitHub comment) was that service providers having good privacy practices should be a good reason for users to give consent for tracking. Instead, those best practices were being presented as reasons for consent to be assumed, and that was a different discussion.

On the other hand, I also felt that this interpretation was surely too strict. Other privacy-friendly alternatives were emerging in the market (and many continue to operate to this day), which at the very least suggested that European DPAs were not overly concerned**. Moreover, there was also the French DPA, CNIL, which still maintains a list of Google Analytics alternatives that do not require consent banners.

It seemed as though everyone was reaching one logical conclusion from interpreting legal documents, but in practice, things seemed to be going a different way. At the time, I concluded that it should be "fine," and there was no need to read too much into it—an opinion I no longer hold, mainly for the reasons explained above.

This is an unfortunate state of affairs because it implies that the cookie banner is here to stay. The legislators, in an effort to protect European citizens, have written legislation in such a way that it is impossible to avoid annoying your users with banners, and worse still, they are pushing businesses to adopt less transparent (i.e., browser fingerprinting) methods of tracking audiences.

** At least no negative press was emerging on sites like noyb.eu.