I know GDPR might be enforced in EU, but what about your local variations? (And what about US?)
Most commonly seen are cookies. I believe it should not be only Accept or Decline, but detailed with fine tuning. (But how fine-tuned should it be?)
Another thought is, personalizations (and recommendations) should be able to be turned off, including search engines.
Oldest comments (1)
Actually, the question is: what mustn't be done. You may not compromise the privacy of the user or make him identifyable to yourself or a third party, either by name or a unique property except if he explicitly gives his consent.
How far you allow the user to give a detailed consent is your own choice (the best way to handle this IMO is
[No consent*] [Fine-tuned consent] [Full consent]), but at least you must provide sufficient data on whom the information is shared with if third parties are involved, otherwise a conscious consent to share the information cannot be given.
* if your page or web app requires a log in, you should obviously exclude that from the no consent rule, but make it obvious that the choice for the user is either to allow for the login our leave your service.