[cdrx]

To be legal you need to get the user's consent, upfront, for that tracking. Technical challenges are not a defence.

GDPR is not the only regulation at play here. The PECR also applies. You need consent for the session cookie in the public areas of your site. It doesn't become essential until the user logs in, registers, adds an item to the cart, etc.

[that_guy_iain]

Honestly, considering the state of play at the moment the law is pretty much unenforcable. They literally can't fine everyone who is breaching it, they don't have the manpower.

And considering the ICO, the UK org that enforces these laws and where you have to go to find out the UK laws on it, literally just tell you that they use cookies to make their website work and don't ask for consent makes me think this is so much more complicate than any of us truly understand.

If they're setting cookies without consent with a user tracking id, I am going to guess that my session cookie falls under the same thing theirs does.

https://ico.org.uk/for-organisations/guide-to-pecr/what-are-...'. - Check developer tools and cookies.

[matthewheath]

> To be legal you need to get the user's consent, upfront, for that tracking.

No, that's just one basis for processing data. Another basis for server-side tracking like this could be legitimate interest. The site will need to provide evidence that they've weighed up the user's interest in this and be able to demonstrate a convincing case in favour of the site.

For example, it could be a legitimate interest to track A/B testing in order to increase shopping cart checkout rates - the legitimate interest is arguably that the site wants to increase its revenues and if it can demonstrate a convincing case for this, it will be allowed by the regulator.

[cdrx]

Storing a cookie which is not strictly necessary to provide the service, requires explicit consent. This is a PECR requirement, not a GDPR one. Tracking the source and campaign of a user between pages is not required to deliver the page.

So you may rely on legitimate interest to process the data, but you need the consent to store the session cookie to collect the data in the first place.

[that_guy_iain]

If you have A/B testing in place it is strictly necessary to have a session cookie. Otherwise a user could end up in a case where they where in the A group on their first request but their second has them in the B group but the page they visited isn't enabled or displays different content than what they expected to see.

If you have special offers based on the URl they came from then it is strictly necessary to be able to remember where they came from so they get the special offer and don't fall victim to false adverstising.

Strictly necessary means if the website will break in anyway without it.

[cdrx]

Your understanding of strictly necessary is incorrect. You do not need to a/b test a website for it to function. It is optional. It doesn’t become legal just because your tech stack makes it difficult, or because you engineer the site not to work without a non-essential cookie.

You could a/b test based on even or odd numbered IP address and not require consent to store a cookie. You can pass the referrer around via query string and not require consent to store a cookie.

However, as you said, there is no enforcement of the regulation so the risk of non-compliance is basically zero :)

[that_guy_iain]

>Your understanding of strictly necessary is incorrect. You do not need to a/b test a website for it to function. It is optional. It doesn’t become legal just because your tech stack makes it difficult, or because you engineer the site not to work without a non-essential cookie.

No if a user clicks a button to see the prices at 10 euros but see the prices at 20 euros then that is an issue. That is a rather serious issue, if I show you a price and then when it goes the payment processor on the second request that is illegal.

There are many ways of doing things but considering the ICO's list of strictly necessary this falls into it.

Also, I use the session id in my logs so I can debug issues such as the user saw x on page then did y so z happened. This is falls under it as well due to it being required for the operation of the website.

The fact there are other ways of doing things doesn't remove the fact for my way the cookie is strictly necessary. The system will fail. And yes, the tech stack and the way I built it does affect this. Look at the laws and you'll see a number of times where they say something along the lines of "if feasible". The recommendation from ICO is that you don't need to ask for permission for everything and they kinda make a point of saying that as it's annoying as hell for everyone.

[cdrx]

> No if a user clicks a button to see the prices at 10 euros but see the prices at 20 euros then that is an issue.

I agree with you, that is a serious issue. But that issue is caused by your use of a/b testing, and if you solve that issue with a cookie then you need consent.

The ICO PECR guidance explicitly states that you can not rely on the strictly necessary exemption for analytics cookies.