GDPR cookie consent banners that make it more difficult to opt out than opt in are illegal, and only continue to exist because the GDPR is poorly and inconsistently enforced.
Correct. The vast majority of such cookie banners you see are illegal according to the GDPR, i.e. whenever you see one that doesn't have equally prominent "Accept"/"Reject" options next to each other.
The only reason these illegal banners still get used is a lack of enforcement. Right now, the enforcement process is rather slow, which is in part due to all this stuff being "new" (the cookie ePrivacy is technically from 2009 already, but regulatory bodies with a clear focused mandate to enforce infractions only really came into existence with the GDPR) and thus regulatory bodies and sometimes courts are still trying to figure out the legal details, and acting slowly and (overly) cautiously in order not to embarrass themselves by issuing fines that are later thrown out in a high court. (And then there is Ireland...). And more generally, the law is rather slow regardless; the time it takes to conclude any "important" case is measured in years, and sometimes decades.
There are civil organizations such as noyb[1] trying to get things going and "nudge" regulators into action, but even with that it will be a few more years at least until the legal questions around "what is an acceptable cookie banner" are settled.
Cookie consent banners have nothing to do with GDPR, but with the ePrivacy directive. GDPR clarifies what is "consent", but this is not what led to the proliferation of cookie banners.
Please note if you have strictly necessary cookies, you don't need to have cookie banners, and if your cookies are anonymous, you don't need them either!
The proliferation of cookie banners just means that people running such websites are usually terrible with regards to consent, personally identifiable information, and so on.
Finally, at least one person in this thread who understands that GDPR is not cookie banners. I mean WTF, we're on hacker news. Oh wait, yeah, we're on hacker news.
That's the point. GDPR without good enforcement is useless and meaningless. I'd even argue that all this time since GDPR and until something is done about enforcement, if ever (that is not just a random fine, which is considered cost of doing business), all that GDPR is doing is allowing these companies to come up with more elaborate ways to scam (I'm looking at whoever the assholes are who work, run, or are remotely involved with trustarc.com).