
Did you know that allows sites not to announce the use of "essential" cookies? Meaning those your site uses for itself, to keep the user logged in for example.

So when Internet commerce started to slap those stupid "we use cookies" banners on every site they used the more generic word "cookies" to avoid saying outright that their sites use *ad trackers*.

Long story short, if you don't sell your user data, you don't have to present stupid disclaimers.

@isagalaev At least now they tend to say that they value($$$) privacy. 😄

@isagalaev Do you have a source, please? A GDPR article, for example.

@isagalaev didn't know that! As @whilelm says, can you provide a source for that?

@isagalaev Does the GDPR roll back the previous EU directive on cookies?

@kline @isagalaev even the "EU cookie directive" was about all tracking technology, not cookies. The amount of misinformation was and is appalling.

@michiel @isagalaev That's not what the law says at all:

3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

@michiel @isagalaev which is absolutely interpretable as requiring consent for 1st party cookies if they are not strictly needed, for example, for an optional comments section on a news website.

@kline @michiel "This shall not prevent any technical storage [..] as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

This basically describes a user explicitly logging in and the site using "technical storage" to maintain that state. As long as it is explicit, you're fine.

(That's my reading anyway.)

@isagalaev @michiel there's a mile wide streak of grey zone that's mostly never going to get explored in the courts, but I wouldn't blame any site for being safe and declaring up front.

There is no interpretation that suggests Amazon needs consent to use cookies for your shopping basket.

Whether a news site needs consent for cookies used in the comment sections, or your "recently viewed stories" list (even if not used for further tracking) is far more debatable, and I wouldn't want to be the one being made an example of.

@kline @isagalaev Well, yes, until and when a user wants to comment, don't let your commenting system set cookies. That's common sense.

I can imagine a justification for transitional consent banners (i.e. your old framework is a mess and sets cookies on all connections), but we've cargo-culted them into a privacy best practice.

@michiel @isagalaev
It still doesn't cover passive cases like "recently viewed" lists, but in any case:
I think "cargo culted into a best practice", i.e. "put it in and you can't go wrong", is a far different situation to it being actively abused to mislead users.

I think most people are just uncertain and unqualified and want to play it safe. If nothing else, in the times around both the EU cookie directive and the GDPR, there was a lot of naming and shaming in the industry that was equally ill-informed.

@isagalaev Do you have a quote or specific pointer to share on this?

(Besides referring to the whole of GDPR?)

@isagalaev
>If you don't sell user data

or use Google Analytics.
Or JS-based socnet buttons.
Or other third-party malware.

@isagalaev In all honesty, on my website, I just announce it for the sake of transparency...
Then again, analytics n shit are separate...

@isagalaev I know this is pedantic, but that is almost, but not quite right:

You need users' active consent if you collect personally identifiable data, regardless of what you use it for. Most of those banners don't fulfill GDPR requirements anyway, since active consent requires the possibility of saying no.

@jaranta
Art. 6.1 GDPR states consent as one, but not the only, reason for lawful data processing! In many cases active consent is not needed. Anyway, you need to inform persons that data processing is applied and what rights the person has.
@isagalaev

@gom @isagalaev True! I was thinking that was likely to be the only relevant reason, but that might not be true. Thanks for the clarification!

@isagalaev the stupid disclaimers are also not compliant as they don't present a way to opt out. So one wonders why they even bother.

@loke @isagalaev There's also the pattern that opting out is made more difficult than opting in, and it's hard to not think that's intentional. There's no "nope, put them cookies where your mouth is" button. It's at least behind one another click, and often many checkboxes and a reject all sometimes hidden somewhere in a corner.

@isagalaev You don't need to sell data or do something otherwise harmful to privacy to require a banner. Even doing responsible, anonymous, first-party tracking to plainly figure out whether you sell more stuff to people coming to you via Twitter or people coming to you via Mastodon makes the cookie non-essential and requires the banner.

@rami @isagalaev
As always, "it depends". Art. 6 GDPR allows data processing if "pseudonymisation" is applied, and Art. 4 defines the word.
Therefore, statistical processing may be possible if done correctly and depending on the national implementation of GDPR. For me, the nationalization is by far the biggest fuck up of GDPR :/

@rami
Also, to track specific data like "user comes from example.com", you should not need a static cookie at all.

Also, nice read: gdpr.eu/cookies/

@gom you don't if you just wanna know how many visitors from Twitter you have. You do if you wanna know how many of them e.g. made a purchase after browsing around

@rami That is quite possible. One can use the session ID as a pseudonymous identifier. Add the referer, date and value of the purchase and store this data separately, without any connection to customer_/purchase_ID.
The session ID is a pseudonym and, following GDPR, is not personal data. I would recommend classing all data (date, value of purchase, ...) in a way which prevents identifying customers by the combination of "value, date, time".

@rami The granularity of classes should be sufficient to allow meaningful statistical analysis and also prevent depseudonymization.

Legally tracking users between multiple sessions without consent would be complicated or even impossible.

@gom which raises the question of what a "session" or "session ID" is and if you're even allowed to have such an ID (stored in a cookie or something equivalent) without consent if you're using it for functionality that isn't "essential" to the site's general functionality. I guess we'll have to sit this out until courts or the ePrivacy regulation add more clarity.

@rami SessionID -> Temporary, random ID, which is invalidated if the visited website is left and/or the web browser is terminated.
Such a number (/en.wikipedia.org/wiki/Session_).
Such data would not classify as "personal data", because it would not allow identification/tracking of a natural person (see: Art. 4 (1) GDPR gdpr-info.eu/art-4-gdpr/ ).
Therefore GDPR does not apply to session IDs as such.

If this ID is processed/stored in relation with other data, a certain fuzziness should be applied, so the data cannot be used for identification of any natural person.

And "essential cookies" are not the wording of the GDPR. What is related to that is Art 6.1.b GDPR and following (gdpr-info.eu/art-6-gdpr/).

Cookies which are used for these purposes are allowed without consent. Consent as in Art 6.1.a is needed for any other purpose.

Also, Art 6.1.f is relevant (albeit one of the fuzziest parts of the GDPR). The legislator allows a certain interest in data processing for "legitimate" reasons. Such a reason should be measuring the success of advertisements. Which is also the "spirit" of the whole GDPR: allow business, introduce transparency and stop misuse.
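The purchase-attribution scheme @gom sketches in the two posts above (a random per-session pseudonym, referer and purchase data stored apart from customer/order IDs, date and value coarsened into classes so that their combination cannot single out a buyer), as an added example that is not code from this thread. The value classes, the week granularity, the field names and the internal order event are assumptions.

```python
import secrets
from datetime import datetime
from urllib.parse import urlsplit

# Constructed example: upper bounds of the purchase-value classes (assumed units).
VALUE_CLASSES = (10, 50, 200, 1000)
# Fields that must never reach the statistics table.
LINKING_FIELDS = {"customer_id", "order_id", "email", "ip"}

def new_session_id() -> str:
    """Temporary random pseudonym, issued per visit and never reused."""
    return secrets.token_urlsafe(16)

def referrer_host(referrer: str) -> str:
    """Reduce the Referer header to its host; path and query are dropped."""
    return urlsplit(referrer).hostname or "direct"

def value_class(amount: float) -> str:
    """Coarsen a purchase value into a range label."""
    lower = 0
    for upper in VALUE_CLASSES:
        if amount < upper:
            return f"{lower}-{upper}"
        lower = upper
    return f"{lower}+"

def week_class(ts: datetime) -> str:
    """Coarsen a timestamp to its ISO week; day, hour and minute are lost."""
    year, week, _ = ts.isocalendar()
    return f"{year}-W{week:02d}"

def attribution_row(event: dict) -> dict:
    """Statistics row from an internal order event: pseudonym, referrer host
    and coarsened date/value only; linking fields are discarded on purpose."""
    row = {
        "session": event["session_id"],
        "source": referrer_host(event.get("referrer", "")),
        "week": week_class(event["timestamp"]),
        "value": value_class(event["amount"]),
    }
    assert not (LINKING_FIELDS & row.keys())
    return row

def conversions_by_source(rows: list) -> dict:
    """Count rows per referrer host: the 'Twitter vs Mastodon' comparison."""
    counts = {}
    for row in rows:
        counts[row["source"]] = counts.get(row["source"], 0) + 1
    return counts
```

The statistics table built from these rows answers "how many buyers came via Twitter" without holding anything that joins back to the order database.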

@gom @isagalaev The cookie banner and GDPR are only indirectly related

@rami Most cookie banners are just garbage, and the behaviour of the site and all the 3rd party content is a GDPR violation.

That's another story :)

@isagalaev isn't it a separate law that requires websites to disclose cookie use? it predates the GDPR.

@icedquinn hm… It's the first time I hear about such. Do you have any pointers?

@isagalaev just searching for “european law cookie banner”

On 1 October 2019 the Court of Justice of the European Union decided that a pre-ticked checkbox does not constitute valid consent for cookies – irrespective of whether the information stored in the cookie contains personal data or not. The CJEU further ruled that the information on cookies must include information on the storage period of the cookie and, whether third parties have access to cookies. https://globalcompliancenews.com/eu-court-justice-european-union-rules-cookie-consent-20191011/

@isagalaev

What is the Cookie Law? First codified as part of an EU directive in 2009, and then more greatly enforced in 2011-2012, the notorious "Cookie Law" is only now going into full effect across EU member states. In Directive 2002/58/EC, Article 5(c), the European Parliament and Council: "Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user." https://www.comparitech.com/blog/vpn-privacy/how-to-comply-with-cookie-legislation/

@isagalaev the earlier law does imply that ex. a login token might count as just being something needed for information services. but the later ruling is quite specific that they no longer care if that's all you are doing.