In the absence of any explicit consent, no-consent is always assumed by the GDPR. The absence of a DNT header definitely doesn't count as consent, so that header is kind of useless, since the GDPR basically requires every request to be handled as if it has a DNT header.
A pre-existing statement of non-consent doesn't stop anyone from asking whether the user might want to consent now. So it is not legally required to not show a cookie dialog when the DNT header is set, which would be the only real purpose of the DNT header, but legislating such a thing would be incompatible with the other laws. It would basically forbid anyone from asking for any consent; that's kind of stupid.
The GDPR requires the consent to be given fully informed and without any repercussions on non-consent. So you can't restrict any functionality for non-consenting users, and you also can't say "consent or pay a fee". Also, non-consenting must be as easy as consenting and must be revocable at any time. So a lot of "cookie-dialogs" are simply non-compliant with the GDPR.
What would be useful is a "Track me" header, but the consent must be given with an understanding of the exact details of what data is stored, so this header would need to tell what exactly it consents to. But no one would turn it on, so why would anyone waste the effort to implement such a thing in the browser and web applications?
> GDPR that would seem to be dead in the water
I agree, and I don't like that.