> The websites presenting cookie banners either don't know the law, or are engaged in spyware shit. You don't need a cookie banner if you need it to provide a service that the user expects (e.g., saving settings, login).
There's quite a lot between "engaged in spyware shit" and "service that the user expects".
For example if I want to add first party analytics to my site, the data from which I will use solely internally to try to figure out what pages people like and which they do not like, it is not "spyware shit" if I explain what I'll be using the data for and get permission from the user--and getting that permission needs a cookie banner.
Yes. For example, if you want to track unique users (for the most rudimentary analytics), you'll need to put a uuid in a cookie on their browser, and you'll need to damage your UX with a stupid cookie consent popup, thanks to EU Directives.
This is not nefarious data collection, and it shouldn't need user consent - but it does, because EU lawmakers were overzealous and careless when designing their regulation.
No, you don't! Only if you use third-party services to do that or collect data that's not essential to your business. It's just colloquially called a "Cookie Banner", but the laws DON'T require you to put up one as soon as you set one cookie!
It does if the cookie contains any uuid that might be linkable to a user's identity (which is obviously necessary if you want to perform rudimentary self-hosted analytics on unique user visits).
In the UK (and broadly under the UK GDPR and PECR – the Privacy and Electronic Communications Regulations), yes, you generally do need to get consent before setting non-essential cookies, even if it's just for rudimentary analytics like a unique visitor count.
Here's the key distinction:
Strictly necessary cookies: No consent needed. These are required for the site to function properly (e.g., shopping cart cookies, login sessions).
Analytics cookies (including the case with a unique ID for tracking visitors): Not strictly necessary, so consent is required.
Even if the data is anonymous or pseudonymous (like a randomly generated unique ID), if the purpose is analytics and it involves storing or accessing data on the user’s device (like setting a cookie), you must ask for consent.
> if I want to add first party analytics to my site, the data from which I will use solely internally to try to figure out what pages people like and which they do not like,
This is doable entirely on the server side, provided there is no caching or CDNs that get in the way.
What you lose with that method, however, is all the spyware-like shit that analytics tends to gravitate towards.
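The server-side approach mentioned in the comment above, as an added example that is not part of the thread: it counts successful page views per path from web server access log lines, storing nothing on the visitor's device. The log lines are constructed samples in combined log format, and the function name, the static-asset filter and the bot filter are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:10:00:01 +0000] "GET /blog/post-a HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:02 +0000] "GET /static/site.css HTTP/1.1" 200 900 "https://example.test/blog/post-a" "Mozilla/5.0"
198.51.100.7 - - [10/May/2025:10:01:10 +0000] "GET /blog/post-a?utm_source=x HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2025:10:02:00 +0000] "GET /blog/post-b HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2025:10:03:00 +0000] "GET /blog/post-b HTTP/1.1" 200 4000 "-" "ExampleBot/1.0 (+crawler)"
192.0.2.44 - - [10/May/2025:10:04:00 +0000] "GET /missing HTTP/1.1" 404 150 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2025:10:05:00 +0000] "POST /login HTTP/1.1" 200 20 "-" "Mozilla/5.0"
garbage line
"""

# The client address field is matched but deliberately not captured.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
ASSET_RE = re.compile(r'\.(css|js|png|jpe?g|gif|svg|ico|woff2?)$', re.I)  # assumed asset types
BOT_RE = re.compile(r'bot|crawler|spider', re.I)  # assumed, coarse crawler filter


def page_views(log_text):
    """Count successful page GETs per path; no per-visitor identifier is kept."""
    views = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        if m["method"] != "GET" or m["status"] != "200":
            continue  # only successful page fetches count as views
        if BOT_RE.search(m["agent"]):
            continue  # drop self-identified crawlers
        path = m["target"].split("?", 1)[0]  # fold query strings into the page
        if ASSET_RE.search(path):
            continue  # stylesheets, scripts and images are not pages
        views[path] += 1
    return views


if __name__ == "__main__":
    for path, count in page_views(SAMPLE_LOG).most_common():
        print(count, path)
```

Requests answered by a cache or CDN never reach this log, which is the caveat the comment raises.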