european-union (germany, spain, uk)
The cookie consent law is the ePrivacy directive, which was implemented as national laws by all EU member states (including, at the time, the UK). Later, GDPR changed the applicable definition of consent so that implicit consent is no longer allowed. A notice in fine print as in the given example is not sufficient to meet this definition of consent, so any non-necessary cookies set in that context would be a violation.
But it would be the national ePrivacy implementation that would be violated, not the GDPR. Thus, the GDPR's famous 4%/EUR 20M fines are not relevant here. Instead, each country can set its own fines. In Germany, this would probably be up to EUR 50k (§16 TMG) though German law doesn't implement this aspect of ePrivacy correctly. In the UK, PECR penalties are determined by more general data protection penalty legislation.
Notable instances of cookie consent enforcement include the Planet 49 (ECJ judgement, German BGH verdict) case which basically affirmed that yes, the GDPR's definition of consent applies. Thus, any case law regarding GDPR consent is also applicable to the issue of cookies. Furthermore, the Spanish AEPD has issued an interesting fine due to insufficient cookie consent, but due to much more subtle violations than the outright disregard in the given example. E.g. in the Vueling action (decision (Spanish, PDF), summary, listing on enforcementtracker), the Vueling airline's website had a consent banner but ultimately told the user to reject cookies via their browser settings. This violates the requirement that consent must be specific/granular, since the browser settings are all-or-nothing if they're available at all. The airline was fined EUR 30k, the maximum possible under applicable Spanish data protection law.
But what kind of risks would some blog run into that just sets cookies without appropriate consent?
- If the service is outside of the EU, enforcement is difficult. I am not aware of cookie consent enforcement against non-EU services.
- National data protection authorities can investigate the violation and issue fines, subject to their respective national data protection laws. They generally only do this when there are lots of complaints. Some authorities like the UK ICO have indicated that cookie consent enforcement isn't a priority for them.
- Independently, individuals can generally sue the service for damages. Some lawyers might send out cease and desist letters to non-compliant websites in the hopes of collecting fees.
So aside from the last point, the risk is likely somewhat low, especially for a smaller site.
At this point, it is worth remembering that ePrivacy/GDPR doesn't require consent for all cookies, and is not just limited to cookies. It is more generally about access to and storage of information on a user's device, unless that access is strictly necessary to provide the service explicitly requested by the user. Thus, functional cookies can be set without consent. However, consent does become necessary when cookies or similar mechanisms are used for analytics, tracking, or ads. Even though GDPR is involved, the cookie consent requirements apply regardless of whether the cookies involve any personal data.