There are a lot of items in the GDPR that I am a fan of. Mandatory unsubscribe links are the best thing to happen to my inbox since I started using email.
But there is one thing in particular I've loathed the policy for: cookie consent dialogues.
As I understand them, cookies are sent regardless of the user's response - they are built into the web![1] The only way to turn them off is at the browser level - the website can't do anything about it even if the user clicks "no". They're yet another thing I have to click on to see whatever I'm there to see, and usually they're invasive. In short, they offer no benefit and are a UX disaster.
- Are there legal implications for a publicly available website which uses cookies for authentication?
- Are there any sane alternatives to cookies when it comes to authentication so that I don't need to use them?
[1] By this I mean once you've set a cookie, it's there. You can't control that it's going to be sent back to you. So if you were implementing these protections after the site had gone live, then it doesn't matter whether or not you ask for this consent, because by the time you see the dialogue, they've already been sent. The other scenario I was considering was shared subdomains.