> get around anything GDPR

Nitpick: none of those dark patterns "get around" the GDPR - they merely get away with it due to a (hopefully temporary) lack of enforcement. GDPR explicitly disallows annoying the user into accepting and tricks such as hiding the decline button, etc.

> So the banner is pretty much irrelevant technologically

That's why the GDPR doesn't explicitly target cookies or a specific means of tracking but rather the collection and processing of personal data, regardless of technical means (a hypothetical crystal ball that actually worked would also fall in scope).

> Between things like VPN and all the privacy tweaking you can do in Firefox, if someone wants privacy they can have it.

Even if let's assume there was a way to truly be anonymous and defeat all fingerprinting, how are you going to do business on the internet? At some point you will need to enter personal data, whether it's to buy something, sign up for real-world thing, etc. No amount of VPNs or plugins will save you if you enter your delivery address because you bought something.

GDPR or similar legislation is the only way around it - you should be able to enter your delivery address without consenting to it being used for malicious purposes such as advertising.

The point is to allow someone the option to defeat all fingerprinting if they want to. The consequences of that are up to the companies - if they don't want to sell you something because you are anonymous, they have the right to reject your browser requests. Thats an important cornerstone of capitalism.

Even with limits on collection/processing of personal data, because the legislation was made by non technical people, there are always ways around it. For example, lets say company has an advertising ml model that they use that essentially identifies visitors by fingerprint and maps them to some advertising targeting. They can train that model and throw away the training data, and then hand that model off to any regulator that is going to have no idea what to do with a bunch of floats in matrices, and claim that there is no user data stored in there, and nobody could prove otherwise.

> if they don't want to sell you something because you are anonymous, they have the right to reject your browser requests. Thats an important cornerstone of capitalism.

Maybe in a perfect world where healthy competition is a thing. But (potentially due to under-regulation elsewhere) that's not what we have in practice - for a lot of services, you only really have a choice between a handful of providers, and you're out of luck if they all decide to stalk and spam you.

Competition is not currently an effective solution to data protection, so something else was needed. The GDPR's approach to it is to outlaw personal data and spam as a payment method - you can't make non-functionally-required data processing mandatory for using a given service or product. I think it's a good approach - less spam, tracking and incentives for hoarding personal data is always a good thing.

> They can train that model and throw away the training data, and then hand that model off to any regulator that is going to have no idea what to do with a bunch of floats in matrices, and claim that there is no user data stored in there, and nobody could prove otherwise.

At least in theory, the regulator should be able to see through that scheme. But even if let's assume they actually did train an ML model and got away with it, the GDPR mandates that users should be able to decide how their personal data is processed, so they can just not opt into targeted advertising, and their personal data must not be processed using that model. The model can be there, it'll just sit unused.

Article 21 of the GDPR allows an individual to object to processing personal information for marketing or non-service related purposes.[24] This means the data controller must allow an individual the right to stop or prevent controller from processing their personal data.

There are some instances where this objection does not apply. For example, if:

1. Legal or official authority is being carried out 2. "Legitimate interest", where the organisation needs to process data in order to provide the data subject with a service they signed up for 3. A task being carried out for public interest.

2 is the key here. Make an entire ML model that generates a website layout based on the request, claim its core business logic, oh and btw, it just happens to load advertisements from companies based on this contextual data, but that contextual data has nothing to do with the user. Look, we don't store any advertising cookies or session data, don't request any either, and here is our model. Investigate it as much as you want, and we don't have the training data anymore because we delete that.

Meh, they will never be able to punish sites that arguably hide disallowing.

Slowing users down with irrelevant prompts is bad.

So what is the difference between “all cookies” and “essential cookies”?

> "my house, my rules"

A website is in no way "your house".

Why not?

Essentially, if I build and host a hobby site, it's my digital property. You have the right to see what are the conditions to visit (essentially: fetch) it and if you don't agree, you are free to go.

That's in no way comparable with walking into somebody's home. Publishing a website is a form of communication.

Regardless of the silent downvotes, it's still true.