I find it staggering how misunderstood GDPR seems to be at large.
First and foremost, it's not about cookies. EU laws required you to inform visitors about "cookies" and have them acknowledge them long before GDPR passed into law.
Second, it's not about third parties or required cookies vs. marketing cookies.
What the law actually states is that you may not, in any form, make individuals using your service identifiable or track them without prior informed and active consent by the visitor, and you also may not make such consent mandatory for accessing your publication's content. Plain and simple.
All the "cookie banners" out there are ONE form of solving this problem but are in no way mandated by law. If you find another way of solving this issue, all the better.
But the way these banners are designed and implemented at large is geared towards soliciting consent by means of obfuscating actual selection (think: bright "accept all" buttons with tiny "save settings" links) and by making it hard and tedious to actually select and submit your preferences (think: giant lists of all trackers with opt-out for legitimate interest and opt-in for consent side by side). These are in clear violation of what the law states imho and are largely in use because there is still no juridical precedent that clarifies what goes and what doesn't.
What we are experiencing is a clash of ethical mandate and economical interest. GDPR is aimed at protecting you, the user, from being identified and tracked along your web history, be it by cookies or fingerprint or whatever.
Dropping functional cookies for logged-in users is perfectly fine though, as registration itself is likely a process where users can be informed of such personal identification and is an active decision by the user.
Saying "the site needs it to function" and tracking users first party only is NOT a way around GDPR, as much as this narrative gets retold.
In short: it's not about cookies and third parties. The law is purposefully formulated in a way that isn't scoped on technicalities and seeks to prevent such "workarounds".
I would love to see more details disclosed by GitHub about HOW exactly they implemented this, as I am certain they have enough professional legal counsel to have dug deep into this question.