1. 13
  1.  

  2. 16

    Please correct me if I’m wrong, but AFAIK you don’t need to ask for cookie consent for core site functionality, such as remembering user settings.

    The “cookie law” isn’t about using cookies per se, but about using cookies (or any other identifier) for tracking people.

    1. 7

      That’s true. You’re not required to get cookie consent for the necessary functionality such as session cookies that for instance hold the items in the shopping cart etc.

      1. 4

        remembering user settings.

        Presumably, it depends whether your user settings cookie contains data like “dark mode on” or whether it contains a user id which allows you to load the user’s settings from your database. While they both achieve the same functionality, the latter case tracks the user, while the former does not. I don’t know whether you could try to justify the latter as “necessary”, given that the former is possible.

        1. 4

          From my reading here https://gdpr.eu/cookies/ it says:

          “Receive users’ consent before you use any cookies except strictly necessary cookies.

          Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies.

          Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.”

          So you would have to ask for consent for “preferences” but you don’t need to ask for those as soon as someone enters a site like you need to ask for marketing/tracking cookies. You can for instance have a “remember me” box and let users check it in case they want to save settings such as dark mode or they try to login.

          1. 3

            If you keep the dark mode setting client-side, you can just store it in local storage and never send it to the server. You don’t need opt-in for that.

            1. 4

              GDPR is technology-agnostic. Don’t assume that if you use some other mechanism that you’re in the clear. Local storage can still hold persistent identifiers that your website can access.

              1. 3

                I agree, but I said “never send it to the server”. I don’t think anything done purely client-side is subject to consent in GDPR.

                1. 1

                  I wouldn’t bet on a technicality convincing any lawyers.

                  • If you embed third-party scripts on your page, you’re sharing localStorage with them, and you have the responsibility to ensure they won’t grab it. XSS on your site may need to be treated the same way as server-side data breaches, because it only matters what data leaked, not how.

                  • If you make use of the data, you’re still processing it. Even if you don’t send the data as-is to the server, it may still have privacy implications, e.g. if you choose which ads user gets served based on localStorage data.

                  1. 1

                    Both of those points are interesting, but I wonder about the implications on native, desktop applications then…

                    I’ve never had a video game ask me for consent to autosave, for instance.

                    1. 1

                      Games come with heavy EULAs, especially if any account or on-line component is involved (e.g. DRM and anti-cheat rootkits have access to lots of private information, so they must have made you “agree” to this).

              2. 2

                That only works if the user runs your JS

                1. 2

                  Yes. It doesn’t really matter if the dark mode setting isn’t saved (or even cannot be used) for users who disable JS…

                  1. 3

                    you’re right. and it also doesn’t matter if that wheelchair ramp actually works.

                    1. 1

                      I don’t know an accessibility issue that would be solved by a native dark mode and where the user cannot interpret JavaScript…

                      Honestly, accessibility matters, but this really sounds like a straw man argument.

                      1. 2

                        Correct me if I’m wrong, but what I interpret your comment to say is:

                        I don’t think it is important for users without JS to be able to save their site preferences.

                        1. 1

                          Yes, but today disabling JS is a choice so it’s not really fair to compare it to disability.

                          How many users can still afford to disable JS entirely anyway, in a time when so many popular websites are single page applications?

                          It’s 2020, and CLI browsers, screen readers, crawlers… can all run JS. (And they don’t care about a dark mode anyway.)

                          For what it’s worth I’ve always thought that styling was a client-side issue. 20 years ago we had alternate stylesheets, and Mozilla never fixed this issue so people already replied on cookies + client-side JS to solve that. The only difference in using localStorage is that the information is never sent to the server, where it isn’t used anyway.

                          1. 2

                            Yes, but today disabling JS is a choice so it’s not really fair to compare it to disability.

                            Go get yourself an Obamaphone, or a $25 phone from Best Buy, and use it as your primary device for a week. Then come back here and say that again.

                            How many users can still afford to disable JS entirely anyway, in a time when so many popular websites are single page applications?

                            That’s what I’m saying here. You could be a “popular website” which makes itself inaccessible, or you could go the extra mile and build that ramp.

                            JS can also break due to incomplete transfers, broken cached JS files, errors in the JS itself, unfinished loading due to slow connections. Do you really want to eliminate all these users, when they may depending on your service the most?

                2. 2

                  I think it’s okay to send the individual preferences to the server, but not an ID to look up preferences server-side, because that is something you can individually track the user with.

                  For example, if both me and catwell prefer the dark site with language Swahili, you can’t distinguish us if these settings are set directly in the cookies; same settings, same cookies. But if you store them in a database with user ID, suddenly I’m user 42 and catwell is user 1337, and you can distinguish between us.

                  1. 1

                    I think it’s okay to send the individual preferences to the server, but not an ID to look up preferences server-side, because that is something you can individually track the user with.

                    Is there really a difference?

                    1. 1

                      Is there really a difference?

                      Yes. Definitely. darkmode=1 vs darkmode=0 has one bit of entropy, so you can’t track me with it. SID=94898743637843438653262 is many bytes of entropy, and I don’t know what you use it for. Is that identifier only matched to a darkmode setting or is it a giant GDPR violation server side?

              3. 2

                or just use css media queries and let the person configure it on their browser instead of having to figure out where every website’s special toggle mode button it.

                @media (prefers-color-scheme: dark) and @media (prefers-color-scheme: light)

            2. 4

              Can websites you visit share your usage, behavioral data and personal data with third-party companies for purposes such as to be able to target you with commercial messages as you browse the web and visit other websites? Choose yes or no.

              We tried that with Do Not Track. The little problem was that everyone knew no one would choose yes and Google/Facebook/Big Adtech undermined all efforts to explicitly define handling of the DNT header.

              Google owns the browser market now and it will never do something that makes it easier for people to reduce its ad revenue.

              1. 0

                I sort of hate GDPR for this cookie consent thing. Pre-GDPR, only EU business had this invasive, (most of the time) ‘whatever you say, we will set cookie unless you disable the cookies from the browser’ type shoutings. Now, lots of website does this.

                As a non-EU citizen, I am not interested in being forced to see an EU-law-specific notice, when I don’t really have a choice. (In my jurisdiction, cookie notices are required in the Privacy Policy, but that doesn’t require you a banner.)

                1. 9

                  The thing is GDPR is not invasive. It is the illegal implementation from sites that want to force you to say “yes” to them selling your data to third-parties for non-essential purposes (such as the targeted advertising purposes) that makes it invasive.

                  1. 1

                    You really should read the article linked at the very top of this page..