There’s a lot of wrong or at the very least uninformed answers in here.

## Most sites that use popups don’t understand why they do

The first thing to know is that this cookie popup is overused for reasons that the people who run these sites don’t care to understand. Nearly every site uses cookies or something like them, but *only those that use such tech to track your actions outside of the requirements of the site must have a popup.*

For example, if you have a website that lets you login to see private stuff, or update your profile etc. *you don’t need a popup*. Have a site with a shopping cart? *No popup needed*.

The directive only applies when type using cookies in a way that’s not a basic functionality of the site. Say for example if you’re using cookies to track people’s movements on the site for your own records, or if you’re traking people across different sites *(coughfacebookcough)*.

## It’s not a cookie law

The ePrivacy Directive does not refer to cookies directly. The directive was written to intentionally avoid tying the spirit of the law to the technology of the time. It applies to things like LocalStorage, Flash cookies, etc. as well. You need to acquire consent to track user behaviour if that tracking isn’t an obvious requirement for using the site (like a shopping cart).

## Not GDPR

I know that for non-Europeans, you’re only going to hear about the occasional Big Thing that comes out of the EU, but you should resist the temptation to bundle everything under one headline just because it’s what you’ve heard… especially when it’s pretty obvious that these cookie popups started appearing *years* before GDPR was even mentioned.

These popups are the (misinformed) reaction to the [ePrivacy Directive](https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communications_Directive_2002), a move by the EU to try to force websites that are collecting data on people to disclose that fact. [The General Data Protection Regulation](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) is a separate set of rules that apply to your rights as an EU citizen in dealing with tech companies. Among other things, it:

* Requires that a company can’t store stuff about you that it doesn’t need to perform the services you asked them to do for you (via informed consent).
* Prohibits the sharing of any personally identifying information with third parties without informed consent.
* Requires that the company make available to you everything they have on you, and delete all of it from their system at your request.

They’re totally different things.

## So what are you agreeing to?

Well, *did you read it?* ‘Cause of you didn’t read it, you could be agreeing too anything. More often than not though, it’s some legal boilerplate acknowledging that the site uses cookies and that they’ll use that data for whatever they want. The CEO probably heard this was what her friend was doing on their site, so she ordered her web nerd to do the same and stopped thinking about it.