Disclaimer: I anal and this is not legal advice.
Basically, the law created enough fear among the lawyers that software developers are being advised to include the cookie banner in cases where it isn't strictly needed.
You'd have much better retention rates if you don't cover up the content the viewer is trying to view.
How would you like it if I shoved a banner in your face the moment you walked into a store and forced you to punch a hole in it in order to view items on the shelves?
So uh, don't do that.
You don't need to notify if you use cookies for required functionality like login sessions or remembering a functional setting.
If you're tracking whether they're returning or not your activity is exactly the kind of behaviour the rule is covering because, in legal terms, it's skeezy as fuck.
Nobody wants to be the EU test case on precisely how "required functionality" is defined. Regardless of what the plaintext of the law says, it should be self-evident that companies will be more conservative than that, especially when the cost is as low as adding one cooke banner and tracking one preference.
https://github.blog/news-insights/company-news/no-cookie-for...
Go to that link, these are the cookies it writes (at least for me):
* _ga
* _gcl_au
* octo
* ai_session
* cfz_adobe
* cfz_google-analytics_v4
* GHCC
* kndctr_
*_AdobeOrg_identity
* MicrosoftApplicationsTelemtryDeviceId
* OptanonConsent
* zaraz-consent
I think in the past you still needed some info box in the corner with a link to the data policy. But I think that isn't needed anymore (to be clear not a consent dialog, a informational only thing). Also you can without additional consent store a same site/domain cookie remembering you dismissing or clicking on it and not showing it again (btw. same for opting out of being tracked).
But there are some old pre-GDPR laws in some countries (not EU wide AFIK) which do require actual cookie banners (in difference to GDPR consent dialogs or informational things). EU want them removed, but politic moves slow AF so not sure what the sate of this is.
So yes without checking if all the older misguided laws have been dismissed, you probably should have a small banner at the bottom telling people "we don't track you but for ... reasons .. [link] [ok]" even if you don't track people :(. But also if they haven't gotten dismissed they should be dismissed very soon.
Still such a banner is non obnoxious, little annoying (on PC, Tablet, a bit more annoying on Phone). And isn't that harass people to allow you to spy on them nonsense we have everywhere.
Having the EU decide on a technical implementation is more of a last ditch effort, like what happened with more than a decade of the EU telling the industry to get its shit together and unify under a common charging port.
1. GDPR consent dialogs are not cookie popups, most things you see are GDPR consent dialogs
2. GDPR consent dialogs are only required if you share data, i.e. spy on the user
3. GDPR had from the get to go a bunch of exceptions, e.g. you don't need permission to store a same site cookie indicating that you opted out of tracking _iff_ you don't use it for tracking. Same for a lot of other things where the data is needed for operation as long as the data is only used with that thing and not given away. (E.g. DDOS protection, bot detection, etc.)
4. You still had to inform the user but this doesn't need any user interacting, accepting anything nor does it need to be a popup blocking the view. A small information in the corner of the screen with a link to the data policy is good enough. But only if all what you do falls under 3. or non personal information. Furthermore I think they recently have updated it to not even require that, just having a privacy policy in a well know place is good enough but I have to double check. (And to be clear this is for data you don't need permission to collect, but like any data you collect it's strictly use case bound and you still have to list how its used, how long stored etc. even if you don't need permissions). Also to be clear if you accept the base premise of GDPR it's pretty intuitive to judge if it's an exception or not.
5. in some countries, there are highly misguided "cookie popup" laws predating GDPR (they are actually about cookies, not data collection in general). This are national laws and such the EU would prefer to have removed. Work on it is in process but takes way to long. I'm also not fully sure about the sate of that. So in that context, yes they should and want to kill "cookie popups". That just doesn't mean what most people think it does (as it has nothing to do with GDPR).
Sadly whenever this kind of discussion pops up it's usually a very unpopular take.
Most sites didn't need a banner. Even post-GDPR, many use-cases don't need one.