Hey. Founder of Volument[1] here. We consulted EU law specialists on this particular matter. You are right: you definitely need a cookie banner when you store or process PII data. But GDPR is just an extension to ePrivacy, which says that you also need the cookie banner when any of the device information is accessed (such as the browser URL) for non-essential purposes.
The ePrivacy is just a _directive_ and doesn't oblige anyone to anything. It's the local laws of Europe that do. We have compiled a detailed list of all the European countries and the respective laws that require an analytics service to show an opt-in or opt-out style banner. [2]
Retention is not possible without cookies or localStorage, but you can measure retention without storing or processing any PII information.
I would argue that at least for the Czech Republic, the notice is not required if the processed data is crucial to providing the service the user requested.
You cite Article 89(3) of the Electronic Communications Act, where it's stated that "... nor does it apply to the cases where such technical storage or access activities are needed for the provision of an information society service explicitly requested by the subscriber or user."
This part was also modified several times, most recently in 2018 (20/2018 s. 687).
How is that defined? For many businesses it is essential to know conversion rates and which users buy, especially if they invest in ads so they can calculate their ROI and know if their campaigns bring in profit or loss, which I think is pretty "essential".
It means essential for the usage of the website, as in technically essential, like login or shopping cart.
The law doesn't say anything about it, though: this is just the interpretation and how courts have been treating it, so I wouldn't try to find loopholes around the word "essential" if you intend to follow it.
A court has ruled that tracking cookies used by ad networks, analytics and retargeting require consent [1].
Nothing stopping you from analysing your logged-user data, though (as long as you disclose it to your customers and comply with the rest of GDPR), so it's possible to have those kinds of measurements even without those stupid cookie banners.
I am confused. What do you mean by “browser URL”? Do you mean the URL of the page that the user accessed? How is that not essential? How is it specific to the user’s device?
Yes: the location information on the browser. You cannot access it for non-essential purposes without user consent. See Article 5 / Statement 3 in the ePrivacy directive[1]
The browser sends the URL to the server to download the page so you can’t avoid receiving the URL before receiving consent from the user. You get to see the URL without accessing the user’s device.
Your citation does not mention URLs or clarify why they might be non-essential.
ePrivacy talks about "information stored in the terminal equipment", which includes any information you can get from the device. For example the user agent, location, and operating system. It's not about the information itself being essential or not, but what you do with it: is it for essential purposes (consent not needed) or non-essential purposes (consent needed).
Ah, this would make sense. They mean if I put data in the url and retrieve it from there. www.example.com/search?q=abcd would be fine in that interpretation.
[1] https://volument.com [2] https://volument.com/learn/data-privacy