yup, this

IANAL, but user consent is actually only one of the six legal bases of data processing under the GDPR. it is the most “universal” one, and the only one that enables most of the tracking and advertising bs that a lot of web services love to do, but it is possible to collect and process data without ever having to rely on user consent. if you provide a service without abusing your user’s data you likely won’t need a cookie consent dialog at all.

of course, there are a lot of companies that do love abusing their users’ data, so they benefit a lot from normalizing those dialogs. but that’s not actually the piece of the gpdr that might bite lemmy – it’s federation, or more specifically, sending personally identifiable data to non-gdpr compliant federated instances. the eu is actually aware of the fediverse and is discussing it, so we’ll likely see something on that front in the future.

there actually is a second, older style of cookie dialog which i’m not yet sure is still a requirement, which merely needs to inform the user of the presence of cookies if there are any on the site. of course this is entirely useless because everything with a login uses cookies by necessity – which is why the gdpr refocused on the collection and processing of user data instead. (which is another common misconception btw: it’s okay to have user data that you could use for nefarious purposes if you have another non-nefarious purpose you need it for, such as providing a service, but using the data for said nefarious purpose would be a violation of the gdpr. it’s less about what you collect and more about what you do with it, although if you have nothing legal to do with it you shouldn’t have it either.)