What Does It Take to Skip GDPR Cookie Consent

This post is not about getting tired of clicking buttons to steer clear of the blocking toasts. On the contrary, it is about respecting users' right to the extreme, to give the power back to the individual. So how far can we go without requesting consent for user while complying GDPR?

Strictly Necessary Cookies?

Since putting cookies on a web page does not necessarily require the website to ask for consent from user, we need to know what kinds of cookies are allowed.

From https://gdpr.eu/cookies/ it reads

Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

The same page also states:

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
- Receive users’ consent before you use any cookies except strictly necessary cookies.
...

Well the authorities have good intentions and being also pragmatic. But for people who know how to open their browsers and check if a website uses cookies, they cannot be sure whether the cookies, if present, are strictly necessary and will not be used to track the user by the websites. Actually, it is not about cookies. As long as a website can identify the user, whether using cookies, web sockets, or any kind of password/passkey/password-less mechanisms, it can and need to track the user, because that's fundamental to any business that needs to manage their current customers.

Anonymity?

So for goodwill companies which also do not want to sacrifice the UX of their websites, operating solely on strictly necessary cookies, or even without using any cookies, is still not enough. They can probably declare their policies in their websites or other media, but people can always challenge as lone as they sign in to their websites.

So the actual question of this post is: how far can it go if people only browse the web without ever sign in into any websites?

To be continued...