>> Those were never necessary for operational purposes. If you were selling your users to get Google's analytics, that's a different matter.
> What about simple session cookies? You need to give end-users the information on how your service uses cookies, if I understand it correctly.
No, from what bigger half of the internets says, you don't need consent for
session cookies (the ones that are necessary for login form).
> if you have something like a login form, you'll need to collect email addresses (or something else users can use to reset their lost passwords). This is personal information, which is subject to GDPR.
Nope. For keeping login (especially if you don't require logging in) you
don't need separate explicit consent.
>> Open source that doesn't steal users' data is already GDPR-compatible.
> What about simple session cookies? You need to give end-users the information on how your service uses cookies, if I understand it correctly.
No, from what bigger half of the internets says, you don't need consent for session cookies (the ones that are necessary for login form).
> if you have something like a login form, you'll need to collect email addresses (or something else users can use to reset their lost passwords). This is personal information, which is subject to GDPR.
Nope. For keeping login (especially if you don't require logging in) you don't need separate explicit consent.
>> Open source that doesn't steal users' data is already GDPR-compatible.
> I don't think it's that simple.
I think it is.