
There are a lot of items in the GDPR that I am a fan of. Mandatory unsubscribe links are the best thing to happen to my inbox since I started using email.

But there is one thing in particular I've loathed the policy for:

Cookie consent dialogues.

As I understand them, cookies are sent regardless of the user's response - they are built into the web![1] The only way to turn them off is at the browser level - the website can't do anything about it even if the user clicks "no". They're yet another thing I have to click on to see whatever I'm there to see, and usually they're invasive. In short, they offer no benefit and are a UX disaster.

  • Are there legal implications for a publicly available website which uses cookies for authentication?
  • Are there any sane alternatives to cookies when it comes to authentication so that I don't need to use them?

[1] By this I mean once you've set a cookie, it's there. You can't control that it's going to be sent back to you. So if you were implementing these protections after the site has been live, then it doesn't matter whether or not you ask for this consent because by the time you see the dialogue, they've already been sent. The other scenario I was considering was shared subdomains.

Shadow
    I'm voting to close this question as off-topic because it is a mostly legal question. Try [law.se] for such questions. As for the technical part: browsers only send cookies back if the web site sent a cookie to the browser in the first place. Apart from that, GDPR is not about cookies - it is about keeping the users informed when PII is processed. If you don't process PII (i.e. do not track users or similar) you don't need to deal with all this. – Steffen Ullrich Sep 19 '18 at 05:54
    *".. alternatives to cookies when it comes to authentication so that I don't need to use them?"* - if you process PII you need to inform the user about this, no matter if you do it using cookies or in a different way. So, no need to look for alternatives. – Steffen Ullrich Sep 19 '18 at 06:03
  • @SteffenUllrich is authentication enough to be considered "tracking users"? Surely it would be, right? How else would you know it's their session? – Shadow Sep 19 '18 at 06:17
  • You don't need the users consent when using functional cookies, like authentication – Nick Sep 19 '18 at 07:10
  • @Shadow: again, the main point of GDPR is handling PII. If you authenticate users you likely have user-specific data, i.e. PII. But again - these are legal questions and off-topic here. – Steffen Ullrich Sep 19 '18 at 07:48
    This is off-topic, and if you search for GDPR on law.stackexchange you'll find a lot of info. To briefly answer some of your questions: consent is not always required; if you only use cookies for authentication, no consent is required; if you use cookies for other purposes like tracking users for example, then consent is required; when consent is required, the cookies cannot be installed by default before the user gives their consent; the user should not have to tweak browser settings at all, it's the website that decides whether and when to send cookies; cookies are not "built into" the web. – reed Sep 19 '18 at 13:25

2 Answers


they are built into the web!

No they are not.

The WWW defines functionality - but its use is optional. It is a convenient and well understood mechanism for supporting sessions over a stateless protocol, but it is also a cornerstone of monetization.

Are there legal implications [arising from the GDPR] for a publicly available website

For a website run by EU based operators - yes.

For a website trading within the EU - yes.

For everything else - ask a lawyer.

Are there any sane alternatives to cookies when it comes to authentication

Cookies are not used for authorization - they are used for session maintenance - i.e. associating subsequent requests with a previous authentication.

But leaving that aside for now, yes - there's HTTP authentication, client certificates, many roll-your-own-cookie implementations using other client persistence mechanisms and JavaScript, device fingerprinting, various flavours of evercookies... But as a user of a service you don't get to choose.

Further, if you read the original articles and the guidance relating to EU Data Privacy - even the legislation prior to GDPR - you will be aware that the references to "Cookies" are a translation to terminology people will be more familiar with. The law applies to any persistent data placed on the client. If a website wants to use the window name to store a session id, then it needs informed, opt-in consent from the user to do so.

symcbean
  • Even though you are technically right, I disagree from a practical standpoint. They certainly are built into the web. If you try to navigate popular pages (as well as most that require authentication) with cookies disabled, you're not going to get far. I am also aware that "using cookies for authentication" was a gross simplification for brevity. The rest of the information in this answer is very helpful, thanks. – Shadow Sep 19 '18 at 23:15

If you're providing services to European citizens, you need to obey the corresponding European laws. That's why some big news sites build GDPR-walls (because they did not start early enough to prepare for data protection).

But please read about what GDPR really says about technologies like cookies: there are two types of cookies (and related technologies; the law is not specifically about cookies):

  • You may store required ones (like login cookies or the cart in your online shop) without further consent.
  • You may store tracking cookies and similar only after informed consent (the cookie banner you see from time to time is not sufficient; most sites just do not care about real consent before the first court case). In particular, you may not deny site functionality which could work without the cookies (see e.g. GDPR paragraph 7).

This means you will need to employ more data protection for your ads, but the functional cookies are no problem at all.

(Disclaimer: I am not a lawyer)

One thing I do not understand in your post (you may want to edit it):

As I understand them, cookies are sent regardless of the user's response - they are built into the web!

When it is your site, then you are setting the cookies. Why can't you control this?

allo
  • Small side note: Cookies are only mentioned once in the GDPR (Recital 30). Most of what you said about cookies is very true but because of a different European law. GDPR covers only tracking cookies and states that when a cookie can identify an individual via their device, it is considered personal data. This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data. – Kevin Jan 06 '19 at 04:05
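Both answers make the same technical point from different angles: the server, not the browser, decides which cookies are sent (symcbean: cookies are session maintenance, not authorization; allo: functional cookies need no consent, tracking cookies need recorded opt-in). The following is an added example, not code from the question or from either answer, that shows a framework-free request handler applying that split. The cookie names (`sid`, `consent`, `analytics`), lifetimes and the `consent_choice` parameter are constructed for illustration and do not come from any real site or library.

```python
"""Who decides which cookies are sent: the server, per request.

Added example, not code from the question or either answer.  A small,
framework-free handler that emits Set-Cookie headers the way the answers
describe: the session cookie (session maintenance, not authorization)
is always set for a logged-in user, the consent choice itself is stored
so the dialogue need not be shown again, and a non-essential analytics
cookie is set only when opt-in consent is recorded and expired when it
is withdrawn.  Cookie names and lifetimes are constructed for the example.
"""
from http.cookies import SimpleCookie
import secrets

# Constructed names; no real site or framework uses exactly these.
SESSION_COOKIE = "sid"          # essential: ties requests to an earlier login
CONSENT_COOKIE = "consent"      # essential: remembers the user's choice
ANALYTICS_COOKIE = "analytics"  # non-essential: only after opt-in consent

SESSION_MAX_AGE = 3600                 # one hour
CONSENT_MAX_AGE = 180 * 24 * 3600      # remember the choice for 180 days
ANALYTICS_MAX_AGE = 365 * 24 * 3600    # one year, only with consent


def parse_cookies(cookie_header):
    """Return the cookies the browser sent as a plain dict (empty if none)."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def set_cookie(name, value, max_age=None, http_only=True):
    """Build one Set-Cookie header value with hardening attributes.

    Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sends,
    HttpOnly hides it from page scripts (off for the analytics cookie,
    which client-side script is expected to read).
    """
    parts = [f"{name}={value}", "Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        parts.append("HttpOnly")
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)


def expire_cookie(name):
    """Ask the browser to delete a cookie: empty value with Max-Age=0."""
    return set_cookie(name, "", max_age=0)


def handle_request(cookie_header, consent_choice=None, logged_in=False,
                   token_factory=secrets.token_urlsafe):
    """Decide the Set-Cookie headers for one request.

    cookie_header:  the request's Cookie header (or None).
    consent_choice: None (no change), "yes" or "no" when the user has just
                    answered the consent dialogue.
    logged_in:      whether this request belongs to an authenticated user.
    token_factory:  random-id generator (injectable so tests are deterministic).
    Returns the list of Set-Cookie header values to add to the response.
    """
    cookies = parse_cookies(cookie_header)
    headers = []

    # Essential: session maintenance needs no consent, but only a logged-in
    # user gets a session id, and only if the browser does not have one yet.
    if logged_in and SESSION_COOKIE not in cookies:
        headers.append(set_cookie(SESSION_COOKIE, token_factory(32),
                                  max_age=SESSION_MAX_AGE))

    # Essential: record a fresh consent decision so the dialogue is not
    # shown again; treat it as the current state for the rest of this request.
    if consent_choice in ("yes", "no"):
        headers.append(set_cookie(CONSENT_COOKIE, consent_choice,
                                  max_age=CONSENT_MAX_AGE))
        cookies[CONSENT_COOKIE] = consent_choice

    # Non-essential: set only on recorded opt-in, remove on anything else.
    if cookies.get(CONSENT_COOKIE) == "yes":
        if ANALYTICS_COOKIE not in cookies:
            headers.append(set_cookie(ANALYTICS_COOKIE, token_factory(16),
                                      max_age=ANALYTICS_MAX_AGE, http_only=False))
    elif ANALYTICS_COOKIE in cookies:
        headers.append(expire_cookie(ANALYTICS_COOKIE))

    return headers


if __name__ == "__main__":
    # First visit, logged in, no consent answered yet: only the session cookie.
    print(handle_request(None, logged_in=True))
    # Consent withdrawn while an analytics cookie is present: it is expired.
    print(handle_request("sid=abc; analytics=zzz", consent_choice="no"))
```

The point the asker doubted is visible in the last branch: a cookie the browser already holds is not "there forever"; the server can expire it on the very next response once consent is absent or withdrawn, so a consent dialogue added after launch still has an effect.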