
I think a lot of companies comply with cookie banners the way that they do just to annoy users, as a protest against regulation. If they can irritate users as much as possible while complying, they think they can turn users against the regulation itself rather than the way that they comply. I don't know if this applies in this particular case, but I know at least some companies do that so it's worth considering. Other than that, maybe the answer is that they were just trying not to be obvious, or that it was totally different divisions responsible for each?


But almost no company complies with the law anyways. They need to have a "reject all" button; a "more options" button is not enough. So any company that has a cookie banner without a "reject all" option might as well not have a banner at all.


A lot of European companies do have a reject all button thank god :) But yeah more need that.


American companies are the worst: "Accept" and "More info". :)


We do. At least for the part of the product I was responsible for I made sure that the tracking script is really only loaded if the user explicitly clicks yes.

It's sometimes hard to make marketing understand why this is an issue in the first place but then we are B2B in a mostly offline industry so it doesn't matter as much.


>I think a lot of companies comply with cookie banners the way that they do just to annoy users,

In my experience they don't actually understand what they are required to do, they then think the easiest way to handle it is to pay for some outside expertise with of course the understanding that they would still like to get some ad money.


This is exactly it. We have web properties that only have one cookie at all - the cookie to store the result of the cookie pop up!


There are benefits to being a US based company that doesn't target EU users, even if it doesn't reject EU users, I guess.

I can't think of a way to actually use any kind of tracking cookies, even non-ad/sales/data-harvesting related that wouldn't be annoying in EU.

Of course, if you manage your own load balancing, could definitely combine a load-balancer pinning cookie (uuid) for "all" uses as a single "essential" cookie.


Load balancing would fall under "essential" cookies that don't require permission. No banner necessary.

See GitHub.

You can't use the data for other purposes though.

Tracking without cookies requires consent no matter how you implement it. Claiming it to be essential won't fly if, say, your Marketing or sales team has access.


Why cannot load balancing be implemented without cookies?


Using a cookie that is essential for non-essential purposes is not allowed. So using a load-balancer cookie is fine, as long as it's only used for load balancing.

Once it's used for other (technically non-essential) needs as well, one needs to find another basis for processing or ask permission for that second purpose (consent basis).

Also, if the LB cookie can be non-identifying, while fulfilling the stated technical purpose, it must not allow identifying users. So for LB cookies, one must not use a unique ID per user, but an LB ID instead. Something like "node1", "node2" etc...
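
The node-level pinning cookie described in the comment above, as an added JavaScript sketch that is not part of the thread or any poster's code. The cookie name `lb`, the `route` function and the backend list are assumptions made for illustration; the cookie carries only a node name, so every user pinned to a node holds the same value.

```javascript
// Constructed backend pool; names follow the "node1", "node2" style from the thread.
const BACKENDS = ["node1", "node2", "node3"];
const COOKIE_NAME = "lb"; // hypothetical cookie name

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return out;
}

// Choose a backend for one request. `healthy` is the set of nodes currently up;
// `counter` is the balancer's round-robin position.
function route(cookieHeader, healthy, counter) {
  const pinned = parseCookies(cookieHeader).get(COOKIE_NAME);
  // The value is client-controlled: honour it only if it names a known,
  // healthy node, and ignore anything else instead of trusting it.
  if (BACKENDS.includes(pinned) && healthy.has(pinned)) {
    return { backend: pinned, setCookie: null };
  }
  const pool = BACKENDS.filter((b) => healthy.has(b));
  if (pool.length === 0) throw new Error("no healthy backend");
  const backend = pool[counter % pool.length];
  // Session cookie (no Expires/Max-Age) holding a node name, never a per-user ID.
  return {
    backend,
    setCookie: `${COOKIE_NAME}=${backend}; Path=/; HttpOnly; Secure; SameSite=Lax`,
  };
}
```
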



