Blog / December 11, 2024

You Probably Don't Need That Cookie Banner

privacy, ux

Complaining about the madness of the EU mandating cookie banners has become one of web developers’ favorite internet pastimes. But here’s the thing: the EU didn’t mandate this for most websites. We did it to ourselves.

The Misconception

The ePrivacy Directive requires consent for cookies that track users across sites or collect personal data for advertising. That’s it.

What doesn’t require consent:

  • Session cookies (keeping you logged in)
  • Shopping cart cookies
  • Language and preference cookies
  • Security cookies (CSRF tokens, etc.)

These are all “strictly necessary” cookies. No banner needed.

The Real Problem

Every site has a cookie banner because every site installed Google Analytics, Facebook Pixel, and a dozen other tracking scripts. Then, when GDPR and the ePrivacy Directive came along, those sites needed consent for all of it.

The law didn’t create the problem. The surveillance did.

The Fix

If you’re building a new product, you have a choice, and one option gives you a competitive advantage and makes life better for your users:

  1. Don’t track anonymous users. They’re browsing, not buying. Maybe you need this data. Maybe you’re doing something useful with it. Then you have no choice. But most sites learn nothing from anonymous visitors.
  2. Move tracking consent to the signup flow. Users are already agreeing to terms of service. That’s the natural place to mention analytics. Not a popup on their first page view.

Your logged-in users are the ones whose behavior actually matters. And they’ve already opted in.
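
One way to check both steps before removing a banner, as an added example that is not from the original post: the audit flags any cookie or script an anonymous visitor receives that falls outside the strictly necessary categories, and trackingAllowed gates analytics on consent stored at signup. The cookie names, session fields and the example.test base URL are assumptions.

```javascript
// Cookies the post lists as strictly necessary (names are hypothetical).
const STRICTLY_NECESSARY = new Map([
  ['session_id', 'session'],
  ['cart', 'shopping cart'],
  ['lang', 'language/preference'],
  ['csrf_token', 'security'],
]);

// Script hosts for the trackers the post names (Google Analytics, Facebook Pixel).
const TRACKER_HOSTS = new Set([
  'www.googletagmanager.com',
  'www.google-analytics.com',
  'connect.facebook.net',
]);

// Cookie name from a Set-Cookie header value: everything before the first "=".
function cookieName(setCookie) {
  return setCookie.split(';')[0].split('=')[0].trim();
}

// Audit what an anonymous visitor receives. An empty result means every cookie
// is on the strictly necessary allowlist and no known tracker script is loaded.
function auditAnonymousResponse(setCookieHeaders, scriptSrcs) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const name = cookieName(header);
    if (!STRICTLY_NECESSARY.has(name)) findings.push(`cookie:${name}`);
  }
  for (const src of scriptSrcs) {
    let host;
    try { host = new URL(src, 'https://example.test').hostname; } catch { continue; }
    if (TRACKER_HOSTS.has(host)) findings.push(`script:${host}`);
  }
  return findings;
}

// Tracking loads only for a logged-in user whose consent was stored at signup.
function trackingAllowed(session) {
  return Boolean(session && session.userId && session.analyticsConsent === true);
}

// Constructed sample responses for an anonymous page view.
const clean = auditAnonymousResponse(
  ['session_id=abc; HttpOnly; Secure; SameSite=Lax', 'csrf_token=xyz; Secure'],
  ['/static/app.js']);
const tracked = auditAnonymousResponse(
  ['session_id=abc; HttpOnly', '_ga=GA1.2.1.1; Max-Age=63072000'],
  ['https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER']);
console.log(clean, tracked);
```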

The Takeaway

Skip the tracking, skip the banner. Your first impression gets cleaner, your bounce rate goes down, and you keep the analytics that actually matter.