> Those were never necessary for operational purposes. If you were selling your users to get Google's analytics, that's a different matter.
What about simple session cookies? You need to give end-users the information on how your service uses cookies, if I understand it correctly.
> Don't collect users' data, then you don't need privacy statements nor EULAs about that.
That would be optimal, of course – and I'm not even sure if it saves you from having a privacy statement – but if you have something like a login form, you'll need to collect email addresses (or something else users can use to reset their lost passwords). This is personal information, which is subject to GDPR.
> Are you Microsoft or Homebrew team that you steal users' data unless opted out?
GDPR mandates opt-in to almost everything. And you need to be explicit about what you are doing with the data, in order to be able to provide opt-in.
> Open source that doesn't steal users' data is already GDPR-compatible.
>> Those were never necessary for operational purposes. If you were selling your users to get Google's analytics, that's a different matter.
> What about simple session cookies? You need to give end-users the information on how your service uses cookies, if I understand it correctly.
No, from what the bigger half of the internets says, you don't need consent for session cookies (the ones that are necessary for a login form).
> if you have something like a login form, you'll need to collect email addresses (or something else users can use to reset their lost passwords). This is personal information, which is subject to GDPR.
Nope. For keeping login (especially if you don't require logging in) you don't need separate explicit consent.
>> Open source that doesn't steal users' data is already GDPR-compatible.
Those were never necessary for operational purposes. If you were selling your users to get Google's analytics, that's a different matter.
> privacy statements or EULAs in your product, so it's easier for your users to deploy the software legally to their audience?
Don't collect users' data, then you don't need privacy statements nor EULAs about that.
> Do you leave it to your users to collect and provide the information about your product?
Are you Microsoft or Homebrew team that you steal users' data unless opted out?
> And also: How do operators handle the issue if the Open Source product they are hosting did not prepare for GDPR?
Open source that doesn't steal users' data is already GDPR-compatible.