GDPR explained – how EU legislators tried to shut down third-party tracker cookies

First, a disclaimer. What you're about to read is an extremely simplified explanation of how web browsers interact with websites, with an introduction to EU-level policy making thrown in for good measure. This is a daunting array of topics that I smashed into one article but I have faith in you, kiddo; on average, kids in each new generation are smarter than adults from the previous one, so I expect this text to become more easily understood as time goes on. In short, when you visit any website you're served a mish-mash of content that at best slows down your machine and hogs your bandwidth; at worst, it's designed to track you, creating a profile of your online habits that is exposed to seedy entities. The EU tried to put an end to it with GDPR, considered effective since May 25, 2018.

Cookies gone rogue

When you visit a website using a web browser, you're served a cookie, a small text file that contains some data, alongside any content from the website. Cookies are fairly safe and quite useful on their own, as they can hold your username and password on websites that require you to log in, so you can log in once and return tomorrow without having to type in the password again, that sort of thing. Websites can only read their own cookies. Cookies identify a user, which is the first party, to the website, which is the second party. Three's a crowd indeed, because other entities can make a deal with the website owner and arrange to inject third-party content into the website, which now means the user gets the website's cookie and the third-party cookie. Still with me?

So, what's this third-party content? It can be anything from images, fonts, code, embedded messages, videos, buttons, banners, ads to even just 1x1-pixel invisible images called "beacons" that are simply there to alert the third party that a visitor has arrived. Through this devious scheme, over which you have little control by the way, you receive cookies you never wanted or needed, ultimately revealing your internet activity to a completely random party or set of parties.

Profit out of ignorance

The website owner typically gets paid for this but can also host third-party content out of ignorance or sheer laziness. Typically, the website owner sees this as a quick way to make easy cash, but the more third parties cram their content into any given website, the slower and less responsive it becomes. Now, try to visit any website you typically do and press F12, which should open the developer console. You want to look at the "Network" tab and set the filter to "All", as shown in the Pale Moon 28 image below.

Traffic analysis

This is a partial snapshot of the network activity for one YouTube video. Now, there's a lot going on in this one image so take your time and just absorb the details (notice the "beacon"). The key takeaway is that websites aren't meant to be this complex. An internet filled with YouTube videos is not transparent and besides, you have no idea what third parties gain access to your data because you have to enter the website to see what it contains, leaving you with an all-or-nothing proposition. You can try blocking some or all cookies or elements on the page but that is liable to break the page in unusual ways.
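To turn what the Network tab shows into something you can read at a glance, the sketch below (an added example, not part of the original article) takes a HAR export of the captured traffic and reports, for every site other than the one you visited, how many requests went there, whether it set a cookie and how many tiny-image "beacons" it served. The sample data, the placeholder host names, the helper names and the two-label rule for deciding what counts as the same site are assumptions made for the illustration.

```javascript
// Summarize third-party traffic found in a HAR export of the Network tab.
// Simplification (assumption): a "site" is the last two labels of the hostname;
// real tools use the Public Suffix List (example.co.uk would be misjudged here).
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function summarizeThirdParties(har, pageUrl) {
  const visitedSite = siteOf(new URL(pageUrl).hostname);
  const bySite = new Map();
  for (const entry of har.log.entries) {
    const site = siteOf(new URL(entry.request.url).hostname);
    if (site === visitedSite) continue; // the website's own content
    const row = bySite.get(site) || { site, requests: 0, setsCookie: false, beacons: 0 };
    row.requests += 1;
    const headers = entry.response.headers || [];
    if (headers.some(h => h.name.toLowerCase() === 'set-cookie')) row.setsCookie = true;
    const content = entry.response.content || {};
    // Heuristic for a beacon: an image response of at most 100 bytes.
    const tinyImage = (content.mimeType || '').startsWith('image/') && (content.size || 0) <= 100;
    if (tinyImage) row.beacons += 1;
    bySite.set(site, row);
  }
  return [...bySite.values()].sort((a, b) => b.requests - a.requests);
}

// Hypothetical helper that builds one HAR-shaped entry for the sample below.
function mkEntry(url, mimeType, size, headerNames) {
  const headers = headerNames.map(name => ({ name, value: 'id=constructed' }));
  return { request: { url }, response: { headers, content: { mimeType, size } } };
}

// Constructed sample shaped like a HAR 1.2 export; every host is a placeholder.
const sampleHar = { log: { entries: [
  mkEntry('https://video.example/watch?v=1', 'text/html', 48213, ['Set-Cookie']),
  mkEntry('https://static.video.example/player.js', 'application/javascript', 91002, []),
  mkEntry('https://ads.tracker.test/pixel.gif?u=abc', 'image/gif', 43, ['Set-Cookie']),
  mkEntry('https://ads.tracker.test/sync', 'text/plain', 0, ['set-cookie']),
  mkEntry('https://fonts.cdn.test/a.woff2', 'font/woff2', 20480, []),
] } };

console.table(summarizeThirdParties(sampleHar, 'https://video.example/watch?v=1'));
```

With a real export, load the saved file with `JSON.parse` and pass it in place of `sampleHar`, along with the address of the page you visited.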

Care to share?

Wherever you see social share buttons or embedded content, you get the respective third-party cookie; after a certain point, the user has a stockpile of cookies that serves as a partial fingerprint, which websites can share behind the scenes to create an online identity against the user's will. Imagine 1,000 third-party companies having their own network. They can each access only their own cookies but by sharing data on which user has what cookies, it's possible to create a unique identifier. This is called a "shadow profile" if you'd like to research it, and it implies some harrowing consequences. If a hacker decides to breach this third-party network, all of a sudden your shadow profile is exposed to another layer of seedy guys; it's seedy guys all the way down.

Websites are promised greater traffic volume through shares, tweets and video embeds; third parties get to enjoy setting their cookies and profiling users but what do users get? ADHD from all the attention-seeking tidbits of content. Instead of having clear-cut websites with genuinely interesting content that loads instantly and doesn't endanger privacy, we've got this writhing, maddening mass of hacked-together code that causes all sorts of trouble.

Bringing the hammer down

The EU finally decided to put an end to this with GDPR – General Data Protection Regulation, an umbrella directive trying to make websites transparent about what they're doing with third-party cookies and user data. That's it, there's no censorship or shutting down websites or anything destructive like that, simply the idea that a visitor should be informed about what the website is doing and a suggestion that website owners should work with trustworthy third parties. Websites introduced GDPR banners, intrusive "we use cookies" warnings that tell the visitor nothing and are likely not even compliant with GDPR, while causing even more clutter on the screen and mandating an additional click on the "X".

The problem is, all tech giants are in total violation of GDPR and, to the best of my knowledge, they'd have to tear down their websites and services completely in order to become GDPR-compliant. Putting up a warning or a bunch of toggles for individual cookies won't cut it; the issue is tracking users as soon as they arrive without their informed consent or any benefit to the user. How was this legal even before GDPR? The internet is simply unregulated to the point that any company can stake out a piece of online real estate and start setting its own, usually dictatorial, rules.

You can actually go and read any mainstream website's privacy policy to realize – it's all there in plain sight. Tracking is explained away as "sharing data with our partners" and in other terms meant to lull you into complacency. Dictatorship is presented as "community guidelines", as if there's a council of wise men deciding on what's kosher rather than just some 3rd world knave in a sweatshop working for pennies who has to process 10,000 bans a day. The very fact that you're being tracked, that there's data of your presence and that it's being shared with unknown third parties, with you having absolutely no oversight or control over any of it, is worrisome.

Hiding in plain sight

To sum up what I presented so far, websites are needlessly complex to obscure the process of serving webpages while identifying users without their consent. GDPR is meant to suppress these obnoxious sprawling web platforms that are constantly sending out their feelers all across the internet and allow for smaller websites to flourish. My website, the one you're currently using, is fully GDPR compliant in all aspects as it uses cookies only as necessary; you may block any cookies here and it won't affect the functionality save that links you visited won't change color. It is my premonition that the EU will eventually bring down the hammer on all websites that use third-party tracking, which means my website is futureproof in that regard. EU regulators have a constant boner about "the internal market", which they consider the solution to all problems – just let separate EU countries work it out together. GDPR is meant to strengthen the digital internal market, allowing things like a Czech alternative to YouTube, a Polish alternative to Facebook and so on.

I mentioned profiling, so how is that done through cookies? Here's where having an account comes into play because you're essentially given a profile form to fill out, willingly handing over data advertisers would otherwise have to painstakingly gather. Make the profile public and let users reward each other with drips of social validation based on who has entered more data; soon enough, users will be losing sleep over it. In a sense, the second party becomes the third party. Once you create such an infrastructure where millions or billions of users track themselves in this way, their habits and attributes are revealed. This tracking of users is how US tech giants can realize what people are chatting about and where they're spending their time, and swoop in to buy out the competition in time, just like Facebook did with WhatsApp and Instagram. There's no leaving Facebook's paddock.

Conclusion – EU vs Goliaths

In summary, GDPR is the EU's declaration of cyber-war against US tech giants, who have inflated stock market values anyway and are bleeding money trying to expand globally. Try to find non-US alternatives to all services and try starting your own self-funded online service, whatever it is. We need more grassroots service providers or the internet will stagnate once US tech giants wane. Until then, use adblocking browser plugins and stay off social media websites.