by Grollicus 2042 days ago
Assuming you're living in the EU.

The cookie:

So on the one hand there's the GDPR which deals with personal data (PII). As what they're storing there does not seem to be PII and is not used for tracking you, it does not care.

On the other hand there's the EU cookie directive. It is responsible for all the "this website uses cookies" banners from before the GDPR consent popups. I'm not sure if it forbids storing any cookies without consent, but that's a direction you might want to look at in more detail. https://www.privacypolicies.com/blog/eu-cookie-law/

Can't say much about the consent form itself, as I think the Google consent form is especially weird: it's not possible to deny them tracking and still use their site. I suspect there will be fines for that some time down the road, but there are probably a lot of smarter people than me looking at this, so what do I know...


So I tried clicking around a little and found that there are more cookies being stored even though I never agreed. Not sure if they are third party cookies or not, but either I just found a way to not accept their third party cookie thingy and still use the website, or else they just don't care if I agree or not and they just store third party cookies no matter what...
The EU cookie directive concerns only third-party cookies. No notice needs to be present for first-party cookies.
That's not true. Any cookie that is not strictly necessary needs explicit consent. There is simply no distinction whatsoever made between first-party or third-party cookies in the "cookie directive" (ePrivacy directive), or in the GDPR.

The directive itself speaks of cookies "intended for a legitimate purpose" "on condition that users are provided with clear and precise information". Read the rest of paragraph 25 to see how users "should have the opportunity to refuse".

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...

"Legitimate purposes" are then more narrowly defined in the GDPR.

https://gdpr.eu/article-6-how-to-process-personal-data-legal...

I strongly suggest anyone serving European users to just read the GDPR and the ePrivacy directive directly, rather than rely on third parties to give you an interpretation. These directives can be read "as is", and are really straightforward. Lots of companies of course try to work their way around the really obvious requirements and definitions laid out here.

In summary:

Unless you really need the cookie for the service to function, you cannot have it unless the user opted in. You cannot simply invent a reason why you would "need" the cookie. Anything that you can make work without cookies has to be provided without them, and you cannot "require consent" and somehow tie your service offering to it for anything that could be made optional.

So summary of the summary: Google is doing something illegal here?