Did you know that #GDPR allows sites not to announce the use of "essential" cookies? Meaning those your site uses for itself, to keep the user logged in for example.
Long story short, if you don't sell your user data, you don't have to present stupid disclaimers.
@lanodan hahaha good one
@isagalaev Do you have a source please? GDPR article for example.
@isagalaev Does the GDPR roll back the previous EU directive on cookies?
3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
This basically describes a user explicitly logging in and the site using "technical storage" to maintain that state. As long as it is explicit, you're fine.
(That's my reading anyway.)
Whether a news site needs consent for cookies used in the comment sections, or your "recently viewed stories" list (even if not used for further tracking) is far more debatable, and I wouldn't want to be the one being made an example of.
I can imagine a justification for transitional consent banners (i.e. your old framework is a mess and sets cookies on all connections), but we've cargo-culted them into a privacy best practice.
It still doesn't cover passive cases like "recently viewed" lists, but in any case:
I think "cargo culted into a best practice", i.e., "put it in and you can't go wrong", is a far different situation to it being actively abused to mislead users.
I think most people are just uncertain and unqualified and want to play it safe. If nothing else, in the times around both the EU cookie directive and the GDPR, there was a lot of naming and shaming in the industry that was equally ill-informed.
@isagalaev Do you have a quote or specific pointer to share on this?
(Besides referring to the whole of GDPR?)
>If you don't sell user data
or use Google Analytics.
Or JS-based socnet buttons.
Or other third-party malware.
@isagalaev In all honesty, on my website, I just announce it for the sake of transparency...
Then again, analytics n shit are separate...
@isagalaev I know this is pedantic, but that is almost, but not quite right:
You need users' active consent if you collect personally identifiable data, regardless of what you use it for. Most of those banners don't fulfill GDPR requirements anyway, since active consent requires the possibility of saying no.
@isagalaev the stupid disclaimers are also not compliant as they don't present a way to opt out. So one wonders why they even bother.
@loke @isagalaev There's also the pattern that opting out is made more difficult than opting in, and it's hard not to think that's intentional. There's no "nope, put them cookies where your mouth is" button. It's behind at least one more click, and often many checkboxes, and a "reject all" sometimes hidden somewhere in a corner.
@isagalaev oh good. Too bad the GDPR didn't say that though
@isagalaev You don't need to sell data or do something otherwise harmful to privacy to require a banner. Even if you're doing responsible, anonymous, first-party tracking to plainly figure out whether you sell more stuff to people coming to you via Twitter or people coming to you via Mastodon, that makes the cookie non-essential and requires the banner.
As always, "it depends". Art. 6 GDPR allows data processing if "pseudonymisation" is applied, and Art. 4 defines the word.
Therefore, statistical processing may be possible if done correctly and depending on the national implementation of GDPR. For me, the nationalization is by far the biggest fuck up of GDPR :/
@gom you don't if you just wanna know how many visitors from Twitter you have. You do if you wanna know how many of them e.g. made a purchase after browsing around
@rami That is quite possible. One can use the session ID as a pseudonymous identifier. Add the referrer, date and value of the purchase and store this data separately, without any connection between customer_/purchase_ID.
The session ID is a pseudonym and, following GDPR, is not personal data. I would recommend classing all data (date, value of purchase, ...) in a way which prevents identifying customers by the combination of "value, date, time".
@rami The granularity of classes should be sufficient to allow meaningful statistical analysis and also prevent depseudonymization.
Legally tracking users between multiple sessions without consent would be complicated or even impossible.
@gom which raises the question of what a "session" or "session ID" is and if you're even allowed to have such an ID (stored in a cookie or something equivalent) without consent if you're using it for functionality that isn't "essential" to the site's general functionality. I guess we'll have to sit this out until courts or the ePrivacy regulation add more clarity.
@rami SessionID -> Temporary, random ID, which is invalidated if the visited web site is left and/or the web browser is terminated.
Such a number (https://en.wikipedia.org/wiki/Session_ID).
Such data would not classify as "personal data", because it would not allow identification/tracking of a natural person (see: Art. 4 (1) GDPR https://gdpr-info.eu/art-4-gdpr/ ).
Therefore GDPR does not apply to session IDs as such.
If this ID is processed/stored in relation with other data, a certain fuzziness should be applied, so the data cannot be used for identification of any natural person.
And "essential cookies" are not the wording of the GDPR. What is related to that is Art 6.1.b GDPR and following (https://gdpr-info.eu/art-6-gdpr/).
Cookies which are used for these purposes are allowed without consent. Consent as in Art 6.1.a is needed for any other purpose.
Also, Art 6.1.f is relevant (albeit one of the fuzziest parts of the GDPR). The legislator allows a certain interest in data processing for "legitimate" reasons. Such a reason should be measuring the success of advertisements. Which is also the "spirit" of the whole GDPR: allow business, introduce transparency and stop misuse.
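The separation gom sketches in the two posts above (a per-visit random session ID as the only key in the statistics store, purchase data kept apart from customer and purchase IDs, and dates and amounts coarsened into classes so that "value, date, time" cannot single anyone out) is concrete enough to write down. The following is an added illustration, not gom's or anyone else's code from the thread; the class boundaries, the ISO-week bucketing, the minimum class size `k` and all visit data are constructed assumptions chosen for the example.

```python
"""Pseudonymised first-party conversion statistics, kept apart from order data.

Added example (not from the thread). Assumptions: value classes of 0-25, 25-100,
100-500 and 500+; dates coarsened to ISO week; a class must hold at least k
sessions to count as fuzzy enough. All visits below are constructed sample data.
"""
import secrets
from collections import Counter
from datetime import date

VALUE_CLASSES = ((0, 25), (25, 100), (100, 500), (500, None))  # assumed boundaries


def new_session_id() -> str:
    """Random per-visit token: not derived from the customer, not reused across visits."""
    return secrets.token_hex(16)


def value_class(amount: float) -> str:
    """Map an exact purchase amount onto a coarse class label."""
    if amount < 0:
        raise ValueError("negative amount")
    for lo, hi in VALUE_CLASSES:
        if hi is None:
            return f"{lo}+"
        if amount < hi:
            return f"{lo}-{hi}"
    raise AssertionError("unreachable")


def date_class(day: date) -> str:
    """ISO year-week: coarse enough that one day's purchase cannot be matched back."""
    year, week, _ = day.isocalendar()
    return f"{year}-W{week:02d}"


def stats_record(session_id: str, referrer_host: str, visited: date, purchase_amount=None) -> dict:
    """The only shape the statistics store may hold: no customer or purchase ID,
    no exact timestamp, no exact amount, just the session pseudonym and classes."""
    return {
        "session": session_id,
        "referrer": referrer_host,
        "week": date_class(visited),
        "value": None if purchase_amount is None else value_class(purchase_amount),
    }


def small_classes(records, k=5) -> dict:
    """Return (referrer, week, value) combinations with fewer than k purchasing sessions.
    These are the classes whose granularity is still fine enough to pin a person down
    and should be merged or widened before the data is kept or reported."""
    counts = Counter(
        (r["referrer"], r["week"], r["value"]) for r in records if r["value"] is not None
    )
    return {combo: n for combo, n in counts.items() if n < k}


def conversion_by_referrer(records) -> dict:
    """Sessions and purchasing sessions per referrer: the 'did Twitter visitors buy
    more than Mastodon visitors' question, answered without any customer identity."""
    sessions = Counter(r["referrer"] for r in records)
    buyers = Counter(r["referrer"] for r in records if r["value"] is not None)
    return {ref: (sessions[ref], buyers[ref]) for ref in sessions}


def build_sample():
    """Constructed visits. The order store keeps customer_id/purchase_id and exact
    values; the stats store keeps only pseudonymised records. No field joins them."""
    visits = [
        ("twitter.com", date(2019, 10, 7), 12.0),
        ("twitter.com", date(2019, 10, 8), None),
        ("twitter.com", date(2019, 10, 9), 40.0),
        ("twitter.com", date(2019, 10, 10), 45.0),
        ("twitter.com", date(2019, 10, 11), None),
        ("mastodon.social", date(2019, 10, 7), None),
        ("mastodon.social", date(2019, 10, 8), 15.0),
        ("mastodon.social", date(2019, 10, 9), None),
        ("mastodon.social", date(2019, 10, 12), None),
        ("direct", date(2019, 10, 7), None),
        ("direct", date(2019, 10, 8), None),
        ("direct", date(2019, 10, 10), None),
    ]
    orders, stats = [], []
    for i, (ref, day, amount) in enumerate(visits):
        sid = new_session_id()
        stats.append(stats_record(sid, ref, day, amount))
        if amount is not None:  # exact data lives only here, keyed by customer, not session
            orders.append({"customer_id": f"c{i}", "purchase_id": f"p{i}",
                           "amount": amount, "date": day.isoformat()})
    return orders, stats


if __name__ == "__main__":
    orders, stats = build_sample()
    print("conversion:", conversion_by_referrer(stats))
    print("classes too small (k=2):", small_classes(stats, k=2))
```

Running it shows the referrer comparison working purely on the pseudonymised store, while `small_classes` flags the (referrer, week, value) combinations that hold a single purchasing session; those are exactly the cells where a known purchase date and amount would still identify the buyer, so the class boundaries would need widening before such a table is kept.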
@rami Most cookie banners are just garbage and the behaviour of the site and all the 3rd party content a GDPR violation.
That's another story :)
@icedquinn hm… It's the first time I hear about such. Do you have any pointers?
@isagalaev just searching for “european law cookie banner”
On 1 October 2019 the Court of Justice of the European Union decided that a pre-ticked checkbox does not constitute valid consent for cookies – irrespective of whether the information stored in the cookie contains personal data or not. The CJEU further ruled that the information on cookies must include information on the storage period of the cookie and, whether third parties have access to cookies. https://globalcompliancenews.com/eu-court-justice-european-union-rules-cookie-consent-20191011/
What is the Cookie Law? First codified as part of an EU directive in 2009, and then more greatly enforced in 2011-2012, the notorious “Cookie Law” is only now going into full effect across EU member states. In Directive 2002/58/EC, Article 5(c), the European Parliament and Council: “Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.” https://www.comparitech.com/blog/vpn-privacy/how-to-comply-with-cookie-legislation/