
You’re confusing the GDPR and the ePrivacy directive. (And maybe getting that wrong too. I’ve read the GDPR but not the ePrivacy directive. Oh, and IANAL.)

The GDPR doesn’t require consent for cookies. What it requires is a lawful basis for tracking people’s personal information. Most of those lawful bases don’t require consent either.

The only time the GDPR requires consent is when somebody wants to collect your personal information and they don’t have a good reason to do so. Then they have to ask, they have to make it easy for you to decline, and they have to make it easy for you to withdraw your consent later. They also can’t withhold anything from you if you decline. They can’t charge more for their services, block it from your access, etc.

That’s what the GDPR has to say about consent. Nothing to do with those cookie banners, which are the result of scummy companies doing scummy things.




GP are wrong about which law applies, but they are applying that law correctly.

The ePrivacy Directive requires consent to read or write from the user's terminal device, except when strictly required for the functionality the user requested. Unlike GDPR, it does not allow a different Legal Basis. It must be consent, or strictly functionally necessary. Nothing else.

The passage of GDPR did impact the ePrivacy Directive in that it updated the definition of "consent." The ePD doesn't have one; it referenced the definition in the DPD, which was replaced by GDPR. This is why people blame the GDPR for cookie banners, although really it's incidental.


Great clarification, thank you.



