Thank you, yes that’s pretty much it. Except instead of “consent modals must be legal” I’d say “consent modals must be *established practice*”.
There is in fact case law which interprets the legislation and says explicit consent is required[1] but of course it doesn’t mandate modals.
However it does note[2] that
> That decision is unaffected by whether or not the *information stored or accessed on the user’s equipment is personal data*. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.
This sets a fairly high bar for getting consent for any identifier-laden cookie. So I can understand why people choose to use modals as a risk-reduction approach, and why it has become accepted practice. If you do end up in court, it’s reasonable to expect courts to consider established practice while formulating their judgement.
However, I do fundamentally disagree with the notion that explicit consent at the time of first visit is a good model for ordinary internet users. It was a good first effort but regulators need to do better, and strengthen ways for users to effectively pre-set their consent preferences in advance, think ‘Do Not Track’ but with teeth.
[1] https://curia.europa.eu/juris/liste.jsf?num=C-673/17
[2] https://curia.europa.eu/jcms/upload/docs/application/pdf/201...