by rzwitserloot 2026 days ago
Quick question on cookies in general:

Let's say I write a site that doesn't set any cookies when you load it, but, it does have a login form on a few pages.

If you fill in the form and click submit, a cookie is set by that site (not by some auth server, SSO system, adserver, etc) which keeps you logged in for future visits. It contains a unique token. You know, the usual way to do basic web form -> server checks via bcrypt or some other password hashing scheme -> generates a long unique token and saves it in a DB -> sends it to the client via a cookie -> that cookie is looked up in the DB for a period of time which will then authenticate the incoming request.

This does not require a cookie banner whatsoever. Right?
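The login-cookie flow the question describes, written out as an added example (not code from the post or from anyone in this thread). Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, in-memory dicts stand in for the database, and the cookie is set with the HttpOnly, Secure and SameSite attributes a defender would add to a first-party session cookie.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory stores standing in for the site's own database.
USERS = {}     # username -> (salt, password_hash)
SESSIONS = {}  # token -> (username, expires_at)
SESSION_TTL = 7 * 24 * 3600  # how long a token stays valid, in seconds

def _password_hash(password, salt):
    # Stand-in for bcrypt: a slow, salted password hash from the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _password_hash(password, salt))

def login(username, password, now=None):
    """Check the form credentials; on success return a Set-Cookie value."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _password_hash(password, salt)):
        return None
    token = secrets.token_urlsafe(32)  # long, unpredictable, unique token
    SESSIONS[token] = (username, now + SESSION_TTL)  # "saved in a DB"
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True   # not readable from page scripts
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"  # not sent on cross-site POSTs
    cookie["session"]["max-age"] = SESSION_TTL
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()

def authenticate(cookie_header, now=None):
    """Look the token from the request's Cookie header up; return the user or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    if morsel is None or morsel.value not in SESSIONS:
        return None
    username, expires_at = SESSIONS[morsel.value]
    if now > expires_at:
        SESSIONS.pop(morsel.value, None)  # expired: forget it server-side too
        return None
    return username
```

The token itself carries no user data; only the server-side lookup links it to an account, which is what makes it a strictly necessary first-party session cookie rather than a tracking cookie.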

4 comments

Correct. You only need a banner for invasive tracking.

Normal visitor counting, login handling, preference setting, etc. is all allowed by default. Only when you don't have a valid reason to process the user's data, then you need to ask them for consent, and that's the only time you need a cookie wall. Everything else is opt-out.

Would be a crazy world if I ask the pizza store to deliver my pizza but I need to consent to them using my address to deliver it. It's obviously essential. Many people see it as such, though, and they resort to including weird clauses like "by hitting submit I consent to the processing of the data in the contact form for the purpose of fulfilling my request". That is like the definition of one of the legal bases you can use (aside from consent) and definitely does not require consent.

The law is quite readable and not overly elaborate, see Article 6(1) of the GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

Example, 6(1)(a) says: "in order to take steps at the request of the data subject", so you don't need to have any GDPR checkboxes or banners when you have a contact form.

> Normal visitor counting

To my knowledge that might need consent, depending on what you mean / how it's performed.

Trying to track "return visits" often requires installing identifying tokens (cookies, localStorage, etc.). Even if no human ever looks at an individual person's data, you are processing it, so GDPR applies.

But that's where the last legal basis comes in:

> processing is necessary [for] the legitimate interests pursued by the [website], except where such interests are overridden by the interests [of] the data subject

So:

(1) on the one hand, the site owner has a legitimate interest in making the website better. This really can even solely benefit the user, e.g. if you're a non-profit like Wikipedia, but it might also just benefit you and that's okay.

(2) on the other, everyone has the right to privacy. Is privacy violated if you analyse this in an automated fashion? Is there any potential negative consequence for "private and family life, his home and his correspondence"[1]?

If the answer to (2) is a very clear "no" then here's your legal basis for data processing. Since it is not consent-based, you can do it without consent and without 'cookie wall'.

I'm no lawyer, I don't know if this is a clear "no" or if it's a "maybe somehow" or how a judge would rule that or what judges previously ruled on that. I don't have all the answers, but it should be clear not all tracking has to be consent-based, especially when you have the user's privacy at heart. Hence my phrasing of 'invasive tracking' earlier in the thread.

Also, if you're a small company or startup that really tries to do good but misinterpreted the law, the data protection agency is not going to give you a large fine. If there is neither an intention of violating privacy (in an ethical way, not a letter-of-the-law way) nor clear negligence, then the DPA will probably send you a warning. It's also a fundamental right to get a reasonable punishment, so they can't give you a fine that creates major issues if you didn't do anything majorly wrong (people often look at GDPR's vague clauses and €20 million fines and think "how could your mom and pop store ever pay that for small violations" while in practice that's not how this works).

[1] Article 8 "Privacy" from the European Convention on Human Rights: https://en.wikipedia.org/wiki/European_Convention_on_Human_R...

I believe you are correct, but I believe you also need to have a cookie/privacy policy page, where you explain what data you are storing and processing. I forget off the top of my head if that's a requirement of GDPR or ePrivacy, but you need to comply with both.

Correct, you need a page but not a wall/banner unless you need to seek consent for something.

Again, the law is not all lawyerspeak and it's fairly easy to find if you click my link to the law above. Article 14(3):

> The [website] shall provide the information referred to in paragraphs 1 and 2:

> (a) within a reasonable period after obtaining the personal data [...]

> (b) [...] at the time of the first communication to [the user] [...]

Where "the information referred to in paragraphs 1 and 2" is the basics: who you are, what you collect, for what purpose (marketing or so), retention period, what the user's rights are, and other things that may apply from the lists in those paragraphs.

The easiest way to fulfill this is, of course, a nice little link at the bottom with this info laid out for everyone.

This is also perfect if you're Google and your products, taken together, process basically every piece of data about a human going about their daily life. Then you basically say "we collect basically every piece of data that you supply or that we can otherwise get our hands on" and the user is not only none the wiser when they use only reCAPTCHA, but they now also agreed to the rest because that's all in one policy.

By and large I'm still happy that it has improvements over the previous law (most notably enforcement and uniformity between member states) even if there are things to be improved, but I digress. Point is: policy available to read when desired: yes; annoying pop-up banner: NEIN :)

No, in the majority of cases, cookies required for the website to function do not require prior consent nor notification.

You should still have a notice somewhere that explains this though.

Exactly, this does not require a cookie notice. See here for explanations: https://europa.eu/youreurope/business/dealing-with-customers...

Consent is mainly required for cookies that are not technical requirements for providing the service.

https://gdpr.eu/cookies/

Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

...

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

- Receive users’ consent before you use any cookies except strictly necessary cookies.

Should is not the same as 'must'.

If the cookie is purely functional, and is not used for any other purposes, you are neither required to request consent nor inform, provided it is for a service the user explicitly requests.

For example, authentication, preference setting, form submission, etc. are all explicit requests.

If your cookies do not require consent, you are not required to explain them to the user (although personally I'd say it's a good practice).

EDIT: the above is not true, please check the comments below for further discussion.

> you are not required to explain them to the user (although personally I'd say it's a good practice).

Nitpick: you are actually required to explain it, but not by shoving a banner in their face. You can explain it in the privacy policy, to be retrieved on demand by the user themselves.

See also GordonS' comment elsewhere in this thread, who is correct about the need for a privacy policy (and I posted a more elaborate comment with more info below it): https://news.ycombinator.com/item?id=25305722

Thank you, that was an interesting read. I'll bear this in mind going forwards.