An organisation as large as the NHS/UK GOV is not going to have their own in-house analytics solutions. And I believe even that would require a cookie policy to be displayed under the (current) legislation.
I imagine they’re using analytics to improve the website, not to sell you more medicine. Imagine running a hospital without knowing where you had queues, people getting lost, broken doorways, etc. Analytics is just that.
I guess you’re worried about it being used more nefariously, especially by the third-party trackers themselves. If so, I’m also a little concerned about that, but I think the good probably outweighs the bad.
I mean they literally have Google and Microsoft analytics cookies in there.
I am aware that they are doing this to improve their website, but I don't get why so many are saying that it is because of the EU law or that it is a bad law.
Yes, they have to show this dialog because of the law, but they decided that it is worth it for their analytics. That was their decision. They could also have said that they would be fine with less analytics and less tracking and gotten rid of the dialog. I can also not see why it is a bad law since it is exactly doing what it is supposed to do: Prevent or inform about tracking by the Tech giants. M$ and Google don't really have a huge amount of trust from the general public that their tracking is the good kind.
You can't do any form of user testing or heatmaps with server logs. And whilst real user testing is undertaken, sometimes the passive collection of heatmap data etc. is best done in an unbiased environment (i.e. you don't know you are being tested).
There are plenty of open-source analytics tools that you can self-host, like Open Web Analytics. You can gather all the information you need for usability testing without handing it over to a third party and compromising the privacy of your users.
Of course they can, but there is always a cost of hosting your own infra. There is a strong argument for the gov to be doing this in house, but I suspect it's not 100% the case and individual departments have the freedom to put their own tracking codes on their own site.
Because they collide. GDPR regulates how to work with private information and makes it absolutely clear that a cookie popup informing the user that a cookie was already set is not sufficient. But if the cookie is not used for privacy-relevant user tracking, then a popup is not necessary under either regulation.
Those cookie popups have been a misinterpretation in the first place, the general recommendation for them having already been redacted by the one data protection agency that first formulated that consequence as a requirement based on the regulation from way back then. They are completely out of date now. Note also how the site you link does not require them - it instead completely blocks the site when cookies are not allowed by the user, which is a different beast.