3

There are requests in my web application that contain "personal data" (name, postal code, phone number, date of birth etc). I would like to know what caching controls are advisable. I am using HTTPS.

This question, "Best practice for caching sensitive data", has been asked before.

It looks like I should be using Cache-Control: private if I'm not very paranoid...

Indicates that all or part of the response message is intended for a single user and MUST NOT be cached by a shared cache, such as a proxy server.

...and Cache-Control: no-store if I am very paranoid.

And by "paranoid" I mean: "thinking keeping personal data in the user-agent's single user cache is a bad idea".

I think keeping personal data in a user-agent's single-user cache is basically fine. It looks like opinion is divided on this, and my opinion is from about 10 minutes of googling. Also, I don't think the linked question really provides a way of making an informed decision here. So I'd like to hear if people disagree.

Do I need to change my approach here because of GDPR?

If I had asked the same question for "Sensitive Personal Data" does anything change?

Benoit Esnard

1 Answer

5

The law is about what you are allowed to store and targets your infrastructure. And the law is intended to give the user control over his data.

The client cache belongs to the client's infrastructure in any reasonable definition and already is under control of the user.

This may be interpreted differently when you try things like supercookies which stay even when history is deleted or other sneaky tricks, but as long as you're just speaking about the usual client cache this is nothing you're actively storing and nothing you have direct access to.

But be aware of other caches. Maybe your load balancer caches responses with a cache header which allows caching. Then people can argue that you still have data about them stored. It may not be too easy to access, but it is there, could be accessed or may leak when you're hacked.

Disclaimer: I am not a lawyer and you might want to find one. Currently nobody knows for sure what will actually get you sued and what not.

allo
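The following is an added example, not code from the question or the answer above. It illustrates the distinction both posts turn on: `private` keeps a response out of shared caches (proxy, CDN, load balancer) while still letting the user's own browser keep it, whereas `no-store` forbids both. The parser and the two cacheability predicates follow the storage rules of RFC 7234 section 3; the `POLICY` table, the `audit` helper and the sample responses are constructed for this example and are not from the page.

```python
"""Added example: parse Cache-Control and check what a shared cache versus a
browser (private) cache is allowed to store, per RFC 7234 section 3."""
from typing import Dict, List, Optional, Tuple

# Policy mirroring the question: ordinary personal data -> private (browser may
# cache it, shared caches must not); "very paranoid" data -> no-store.
# This mapping is constructed for the example, not taken from the page.
POLICY = {
    "public": "public, max-age=300",
    "personal": "private",
    "sensitive": "no-store",
}


def cache_control_for(classification: str) -> str:
    """Return the Cache-Control value to emit for a response classification."""
    return POLICY[classification]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument-or-None}.
    Directive names are case-insensitive; quoted arguments are unquoted."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return ""


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """May a shared cache (proxy, CDN, load balancer) store this response?
    RFC 7234 section 3 forbids it when no-store or private is present.
    A response with no Cache-Control at all may still be stored under
    heuristic freshness, so an absent header offers no protection."""
    cc = parse_cache_control(_header(headers, "Cache-Control"))
    return "no-store" not in cc and "private" not in cc


def private_cache_may_store(headers: Dict[str, str]) -> bool:
    """May the user's own browser cache store it? Only no-store forbids that;
    private explicitly permits it."""
    cc = parse_cache_control(_header(headers, "Cache-Control"))
    return "no-store" not in cc


def audit(responses: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Return the paths whose responses a shared cache could retain, i.e. the
    ones the answer warns may end up sitting in your load balancer."""
    return [path for path, headers in responses if shared_cache_may_store(headers)]


# Constructed sample responses, as a load balancer in front of the app would see them.
SAMPLE_RESPONSES = [
    ("/logo.png", {"Cache-Control": "public, max-age=86400"}),
    ("/account/profile", {"Cache-Control": "private"}),
    ("/account/medical", {"Cache-Control": "no-store"}),
    ("/account/address", {"Content-Type": "application/json"}),  # header forgotten
]

if __name__ == "__main__":
    for path in audit(SAMPLE_RESPONSES):
        print(f"shared cache may store: {path}")
```

Running the audit over the constructed responses flags `/logo.png` (intended) and `/account/address`, the endpoint that set no Cache-Control at all; that second case is the one worth hunting for, since a load balancer or CDN may cache it heuristically even though the application never decided it should.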