
I don't agree, but I can't quote GDPR because it's much older than GDPR.

It's from a 2002 ePrivacy Directive, which is still in force, but on its way out and therefore less heavily enforced. ePrivacy Regulation is supposed to eventually deprecate it. The initial idea was for both GDPR and ePR to be enforced from the same date, but that obviously hasn't happened.




> Even that law (which got updated along to align with GDPR IIRC) doesn't require the cookie banners that the industry has barfed up.

Yeah it does[0], and no it didn't get updated. ePrivacy Regulation, which was supposed to make it deprecated, was never voted on.

[0] "Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose."


> Yeah it does[0]

Not the ones that the industry has barfed up, and I specifically chose this wording.

ePrivacy: "their use should be allowed on condition that users are provided with clear and precise information"

GDPR (among other things): "the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language... It shall be as easy to withdraw as to give consent."

Nothing in any law requires the "accept by default, go through hundreds of checkboxes to opt-out". If anything, those are actually illegal.



