Ask HN: Why does EU institutions and member gov. websites have cookie banners?
I am too stupid to understand law and especially GDPR and cookie law; I am just a lousy backend developer.
I don't understand why do EU institution and most of member states government websites have annoying cookie pop-up banners.
I thought they are only about third party tracking cookies used in ad tech. But why would EU or governmental websites have ad tech enabled? Or does any cookie trigger the need to have the annoying pop-ups?
It's not about first vs third party, or tracking or non-tracking cookies, or adverts.
Any data storage on the end user's device (cookies, local storage etc.) that is not strictly necessary to provide the service requires consent. So even basic and (relatively) privacy-friendly analytics cookies are covered by this.
When the new ePrivacy regulation is finally adopted[0] the rules will be relaxed a little to allow things like analytics cookies to be used without consent.
This is the full text of the law:
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC,[1] inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
[0] it was originally going to be adopted in 2017/8 and come in to force a year or two later but that whole process has been a mess
[1] That's the Data Protection Directive, which has been repealed and replaced by the GDPR.
Because the average webdev and website operator want Google Analytics, Youtube embeds, ... and not think about how to do it differently, and the applies to most government agencies the same it applies to companies.
This is just an educated guess, anyone who does know the law feel free to jump in and correct me, but IIRC the GDPR doesn't apply to "ad tech" per se. It applies to collection and retention of personal data. Even an organization that's not trying to sell ad space might collect the usual kind of user analytics.
People in websites like HN are very biased towards the EU. They will tell you that you only need cookie banners if you are doing something sleazy. But that’s not true as you can see. It’s simply a bad law.
Everyone else has one, so you better have one too.
Same reason US sites for US audiences sometimes have a GDPR cookie banner.
Because the cults are cargo.