by AdriaanvRossum 2048 days ago
Founder of Simple Analytics [1] here. There is a lot of information around cookie banners that is just not true. For example, cookies are not limited to the technology of cookies; it covers any piece of information that you can use to track a user. An IP address, localStorage, sessionStorage, ... You are allowed to add a functional cookie with a dark mode setting, for example, without a cookie banner. You can't use an analytics cookie without a cookie banner.

What you are sharing is simply not true and I will clarify. A cookie banner is required when you store PII data. This is personally identifiable information. This includes, but is not limited to, an IP address, a cookie with a user identifier, ... You are free to collect data that is not part of this without a cookie banner. You are also referring to a URL as being device information; this is not device information but basically a page view. You are allowed to collect page views and URLs that are linked to these page views with a cookie banner.

You are describing retention for your business. That's only possible with a cookie banner. It makes perfect sense because you need to calculate retention somehow. If you can calculate retention and conversions you are tracking a user. So you need a cookie banner.

Cookie banners are also a thing that is implemented on the web in many wrong ways. You should always have a way to disable cookies. Just an "accept all cookies" is legally invalid under the GDPR. The e-Privacy was already in place before the GDPR, and the GDPR is somewhat a clarification of it.

Simple Analytics does not use cookies and does not require a cookie banner. We don't track your visitors and don't calculate retention or conversions. If your service does this, they are tracking your users and you might need a cookie banner.

[1] https://simpleanalytics.com


Hey. Founder of Volument[1] here. We consulted EU law specialists on this particular matter. You are right: you definitely need a cookie banner when you store or process PII data. But GDPR is just an extension to ePrivacy, which says that you also need the cookie banner when any of the device information is accessed (such as the browser URL) for non-essential purposes.

The ePrivacy is just a _directive_ and doesn't oblige anyone to anything. It's the local laws of Europe that do. We have compiled a detailed list of all the European countries and the respective laws that require an opt-in or opt-out style banner for an analytics service. [2]

Retention is not possible without cookies or localStorage, but you can measure retention without storing or processing any PII information.

[1] https://volument.com

[2] https://volument.com/learn/data-privacy

I would argue that, at least for the Czech Republic, the notice is not required if the processed data is crucial to providing the service the user requested. You cite Article 89(3) of the Electronic Communications Act, where it's stated that "... nor does it apply to the cases where such technical storage or access activities are needed for the provision of an information society service explicitly requested by the subscriber or user." This part was also modified several times, most recently in 2018 in 20/2018 s. 687.
The list is only for non-essential services such as website analytics. Is there a better citation for the Czech Republic? Happy to edit.
Nope, you're spot on with the citation! I got confused and thought the discussion here is around essential cookies/data :)
> non-essential purposes

How is that defined? For many businesses it is essential to know conversion rates and which users buy, especially if they invest in ads so they can calculate their ROI and know if their campaigns bring in profit or loss, which I think it's pretty "essential".

It means essential for the usage of the website, as in technically essential, like login or shopping cart.

The law doesn't say anything about it, though: this is just the interpretation and how courts have been treating it, so I wouldn't try to find loopholes around the word "essential" if you intend to follow it.

A court has ruled that tracking cookies used by ad networks, analytics and retargeting require consent [1].

Nothing is stopping you from analysing your logged-in user data, though (as long as you disclose it to your customers and comply with the rest of the GDPR), so it's possible to have those kinds of measurements even without those stupid cookie banners.

[1] https://techcrunch.com/2019/10/01/europes-top-court-says-act...

I am confused. What do you mean by “browser URL”? Do you mean the URL of the page that the user accessed? How is that not essential? How is it specific to the user’s device?
Yes: the location information on the browser. You cannot access it for non-essential purposes without user consent. See Article 5 / Statement 3 in the ePrivacy directive [1].

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

The browser sends the URL to the server to download the page so you can’t avoid receiving the URL before receiving consent from the user. You get to see the URL without accessing the user’s device.

Your citation does not mention URLs or clarify why they might be non-essential.

ePrivacy talks about "information stored in the terminal equipment", which includes any information you can get from the device. For example the user agent, location, and operating system. It's not about the information itself being essential or not, but what you do with it: is it for essential purposes (consent not needed) or non-essential purposes (consent needed).
An example:

If you're using it to display a page (say: React Router), then it's essential functionality.

If you're using the URL to propagate a unique hash between pages that is used to identify the user for marketing purposes, then it requires consent.

Ah, this would make sense. They mean if I put data in the URL and retrieve it from there. www.example.com/search?q=abcd would be fine in that interpretation.
The GDPR is not a clarification of the ePrivacy directive, on the contrary. The ePrivacy directive "particularises" certain aspects of the GDPR. National implementations of the ePrivacy directive (which, unlike the GDPR, needed to be put in laws within each EU country) that e.g. regulate certain aspects of electronic communication have priority over the GDPR as a "lex specialis". Wherever such provisions do not exist, the GDPR takes precedence as a "fallback legislation".

If you don't trust my word on this you might want to check out the official stance of the European Data Protection Board on this (from 2019): https://edpb.europa.eu/sites/edpb/files/files/file1/201905_e...

The EU is working on an ePrivacy regulation, by the way, which will indeed replace the ePrivacy directive, but it's not likely that it will be passed before 2021 or 2022.

> You can't use an analytics cookie without a cookie banner.

In what country? There is certainly no US law, to my knowledge, that says that.

Everyone's talking about EU law.

That depends solely on what an "analytics cookie" is. If it's a permanent identifier, then it's considered PII and requires GDPR consent. Otherwise the GDPR doesn't care. You can freely store foo=bar in a cookie.