Hacker News
by stephankoelle 2234 days ago
It's not allowed to keep state of the user without asking (under GDPR). No technical hack changes that, no, not even an SPA or running a webpage in an iframe. If you have state for one purpose, you are not allowed to share state for another purpose.

I know that's bad. I don't know how many things we are used to should work in such an environment, where users are trained to NOT consent to anything, because consent is only needed for bad things they do NOT want.

You are even not allowed to tell a user: this will not work without consent.

I'm perplexed how any complex thing should work.

4 comments

> It's not allowed to keep state of the user without asking (under GDPR).

Why would that be? The GDPR only covers personally identifiable data, a todo list that stores everything in local storage can keep state without any problems. You can store things like language settings, dark mode theme, etc. perfectly fine.

You can also use state for multiple purposes as long as you clearly list and identify those beforehand. You can't gather personal data and then suddenly sell or analyze it if you didn't tell your customers you'd be doing that with data. However, saying "we use this email address for (a) sending you newsletters (b) letting you recover your password" is perfectly fine.

From my reading of the GDPR, you can even gather personal data without explicit informed consent if the data is absolutely necessary for your system to work. You do need to provide ways to update, delete or obtain all information in human-readable form, but explicit consent for something that anyone can understand is absolutely required for the thing to work can be collected. You can keep track of the contents of a shopping cart on a web shop, for example, but you can't submit the contents of that cart to your analytics backend without consent. You can, however, track the cart contents in your backend and link it to the users' account; only when you start processing the data in a way not strictly necessary will you need the user to provide informed consent.

The problem with GDPR is that most people encounter it in the form of tracking cookies and advertising, both of which are not absolutely necessary for any application to work, which is why they need informed consent. People think all cookies are now banned until further notice and that the mere existence of a database is now punishable by law, which is not the case. GDPR sucks, but only if you're in the business of collecting a lot of extraneous information about your customers and/or selling it (through analytics or ads, for example). Which, in my opinion, is a good thing.

> The GDPR only covers personally identifiable data

Some data protection officers think any two linked clicks are personally identifiable.

I have read the full cookie ruling, in some passages it's about "saving" (in all senses) any data without consent - yes it sometimes talks about personally identifiable but the "saving" part doesn't care.

To be clear, I don't think that, but it's hard to make our service comply if the customers' (think webshop) data protection officers follow that semi-official guideline.

GDPR is about personal data. A user name (not an email) and a password are not personal data so they're not in the domain of GDPR. A cart full of products is not personal data. It becomes personal data when we add a street address for delivery, an email or phone number for sending alerts, a credit card number for payment. However if delivery is to a PO Box (or an Amazon locker) and the credit card and customer name never touch the ecommerce site (a third party authorizes the transaction), then a fully anonymous ecommerce becomes possible. No GDPR and yet it keeps state and tracks orders.

> It's not allowed to keep state of the user without asking

I don't think this claim is correct. GDPR requires complete transparency with how personal data is used and stored. Asking for permission just happens to be the safest/laziest way to be compliant.

What's a way to get consent without asking?

There's no way to get consent without asking (informed, freely given, opt-in affirmative action) but consent is just one of the paragraphs that give a legal basis for processing private data - it's legitimate to use data that's needed to fulfil the contract (e.g. the address to deliver goods), comply with legal obligations (e.g. KYC in banking), for legitimate interests that don't conflict with freedoms of the user, for public interest (e.g. news reporting), etc. (see Article 6 https://gdpr-info.eu/art-6-gdpr/), and all these use cases can be carried out without the user's consent. However, in some cases where the data processor could assert some other basis for processing, it may be simpler to just ask for consent.

But for the particular case of sharing data with thousands of third parties so that they can use it to target ads, consent seems to be the only one that applies. Direct marketing is one of the very few use cases explicitly listed in the GDPR, e.g. in the 21.2 'the right to object' - "Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing."

You realize that's an un-question, right? It doesn't even parse out.

You can't have consent without the assumption that there is a choice to be made, and that the choice is not yours to make, and that the one giving consent is aware of the choice. Anything with the characteristic of producing an implied voluntary choice without the chooser being aware the choice is being made is very specifically not consent.

Sure, possibly with a contract signed before using the web service. Example: I sign a contract with a utility, maybe on paper in a shop in a mall, then I use their website to check my bills. If that's included in the contract I don't have to give consent again in the website.

> It's not allowed to keep state of the user without asking (under GDPR).

False. You're not allowed to store data about the user for any amount of time longer than is required to provide the session/service.

Session cookies are explicitly allowed without consent. Even though many cookie consent popups imply that they are not ("cookies are required for this site to function"), that is a lie by the adtech industry (and ignorant web developers).

Remember: They are NOT asking for permission to store session cookies--they don't need it. Every cookie consent popup is literally asking for permission to share tracking data with third parties. Even if they word it obscurely.