The rules are actually very simple, you have to obtain a clear, explicit consent given out of a user's own free will to track him, or you're breaking the law. Don't like it? Tough luck.
If I do a blocking banner that said, we track users on this site to pay for it with ads, click OK or leave - under GDPR there are lots of gotcha's that make this potentially insufficient. I think folks claiming GDPR is "simple" do not understand it - and how complicated it is.
We have this for age restricted sites already - if you are under 18 leave, if over 18 continue, content is NSFW.
Reddit does the same thing for adult subreddits, you get a popup, this content may be NSFW, if you are at work and will be fire, leave, if not click through if you want - you've been warned.
This model however may NOT be permitted under GDPR which has a TON more requirements on tracking consent, recordkeeping for consent, versioning of disclosures, tracking versioned disclosures to consent identifiers tied to other identifiers etc. If you violate any of this you are breaking the law, are committing crimes, and may need to pay $20M or a % of turnover whichever is GREATER!
There are multiple ways to satisfy the requirements, but that's hardly Kafkaesque. It's simply convenient for the ad business to pretend the rules are incomprehensible, because they'd really rather not understand them.
I'm sure there are real problems with the GDPR (e.g. perhaps how and particularly where it's enforced, and how it favors large business over small, and that there aren't enough practical exemptions for small-scale data collection), but the fact that there's no reasonable and clearly legal loophole for the ads/tracker-business isn't one of them. That's not Kafkaesque, that's by design.
"They often do not allow a single click deny, you have to go through sometimes dozens of vendors and deny them one-by-one. This is so obviously illegal it isn't even funny."
The site sets two cookies on landing regardless of any clicks anywhere.
Edited because I can't reply:
There are lots of lies being told on this discussion. The EU websites track you even if you don't hit accept. It's a 13 month cookie.
"
When opening a page where Europa Analytics is enabled, the browsing experience is registered by the service.
If you refuse cookies, you will also stop the Europa Analytics service. If you choose, though, to contribute your browsing experience on our websites as part of the anonymous statistics, you will enable us to significantly improve the performance of our communication, its outreach and its cost-efficiency."
Before accepting any cookies I got a _pk_id cookie expiring in 13 months.
They are clear this is what will happen.
Just check it for yourself before you listen to the lies / blather you read here.
The EU's own websites track you on first landing.
Note - I have been following this. They used to do a blocking cookie pop-up. This actually had nothing set on pop-up, but blocked you from using their websites until you gave consent or denied it.
The problem was, these required cookie popups are so annoying that many folks have (perhaps illegally) moved to the EU's new model, where they stick it at the bottom, they set the cookies, and if you just use the website you get them.
"Consent must be freely given, specific, informed and unambiguous."
So a question remains, if you give someone the option to decline to be tracked, is that enough? Or do you need actual consent?
The EU website is doing the tracking with option not to be. Other experts say you really should have consent first before doing any tracking.
Anyways, not giving my opinion on which is right, just that there are different views, and even EU does it in ways I think that folks here do not understand.
The one thing, the EU sites are extremely CLEAR about things, I do like that.
