by virmundi 2782 days ago
That’s my issue. If I have a cookie for a refresh token, I have to now have a banner saying the site uses a cookie. I have to have a page that explains why. All the while I have the site now looking shady because the banner is synonymous with stealing your data and selling it to ISIS.
1 comments

If the refresh token is only being used for authentication and expires in a reasonable time for the application, then you would not need prior consent, so you would not need a banner. You would still have to explicitly disclose what you are doing on some sort of easy-to-find cookie policy page.

Some good discussion here:

* http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm