
My company recently announced a game, and we launched a website for the game. There's no ̶t̶h̶i̶r̶d̶ ̶p̶a̶r̶t̶y̶ e:tracking cookies (I didn't make the site, but I do run it).

Our US based legal team told us we needed a cookie banner if we were going to have visitors in the EU. I pushed back, but I lost, and ultimately it's not my fight.




Sounds like your US legal team is covering their asses on topics they are not familiar with instead of acquiring the necessary competences.


Your legal team is holding the door open for the day they decide to start tracking.

They probably won't tell you that, tho.


Our legal team is following the checklist that they have that they know is pre-approved


OK? Does that contradict what I said?


Which was probably written (even if not by the legal team, but someone they consulted) with an eye towards keeping more data than legitimate interest allows under GDPR.


Thanks for this, it seems a lot of cookie popups are there just due to cargo culting


I don't quite think Cargo Culting is the right label for it. It's not just because everyone's doing it. My experience when legal meets code is that common sense, intent and what is actually allowed go out the window, and cover-your-ass wins. My experience with Legal has been that they default to no "just in case" for every question you come to them with.

It's a battle to get them onboard to not taking the safest possible approach, so you only want to fight that battle when it's a kingmaker of an opportunity.


Yeah, people often approach legal in the wrong way: people often want to ask "is this OK?" and have the lawyers say "yes", but basically no lawyer is going to say that for almost anything. Instead you need to ask them to explain what the risks of different courses of action are and take a view as to whether they are important or not.


That's been my experience, but unfortunately _that's_ where cargo culting comes in. As part of $NEW_WEBSITE_CHECKLIST we have to "check with legal" which inevitably involves a laundry list of stuff like this, and the default is to accept what legal says, unless we _really_ don't like the answer at which point we're going to do it anyway...


Legal counsel is there to advise, not to design product UX. Some companies have bonehead policies like “you must develop whatever Legal advises” but that’s a choice the company is making. Sensible companies treat their in house counsel as advisory, and weigh the risks like they would weigh any other risks.


The funny thing is that most of the CYA cookie banners... are in themselves GDPR violations


It is not about third party or not, but what it is used for. Consent may be required even if there are no cookies at all.


> It is not about third party or not

you're right, I said third party, but I actually meant tracking. I actually went and checked, and our only cookie is the cookie for if you've seen the cookie banner or not...

> Consent may be required even if there are no cookies at all.

For what?


It's not about cookies. Tracking without cookies also requires consent.


See my original post. Our US legal team said that we need the banner if we have visitors from the EU, not if we're tracking them.


>Our US legal team said that we need the banner if we have visitors from the EU, not if we're tracking them.

This actually makes sense - because if you didn't have the cookie banner then some fucking weirdo would come to Hacker News and make a self righteous post about how you're "tracking residents of the EU without their consent and abusing them" (even though you're not). Instant karma. Next thing you know these weirdos and their mob are reporting you to their government and you're dealing with government inquiries and more legal expenses trying to prove your cookie-less web 1.0 site doesn't "abuse people."

The banner placates them.


Do you have any basis at all for such an absurd claim? The law actually works in the opposite direction (kinda):

You may use "legitimate interest" cookies/tracking without saying so, but as soon as you show a privacy dialog you actually have to disclose everything you're doing including legitimate interest.

Basically, by having a list of what you're doing with your users' data, you're giving up your right to do anything not listed.


> For what?

GDPR actually doesn't specifically mention cookies at all. Tracking is what's illegal, not cookies.

Let's say you keep website logs with IPs on them, and you do analytics for non-essential purposes. You can do this under GDPR, but you must gain consent from the user before logging this PII.

It actually is completely and totally orthogonal to cookies. Some cookies are fine without consent. Some things that are not cookies are illegal without consent.



