by lmkg
1890 days ago
The ePrivacy Directive makes a bit of a distinction between data stored on the client, vs network information. Cookies are the former, IP addresses are the latter. From reading the paper, the TLS session ID is stored on the client, and sent to the server. So for the ePD, this is in the same category as cookies, not IP addresses. The complicating factor is that the TLS session ID has a legitimate purpose, and this tracking is a secondary use of that data. I know what GDPR says about that topic, but I'm less familiar with the ePD. I'm trying to read the law, but it's less approachable than GDPR. I think secondary uses still require strict consent, but I'm not sure.

One ground is necessity to deliver the packets to you (the IP address can be used to route a reply back to you in TCP/IP), and the other ground is to deliver a feature you explicitly request that can't be done otherwise (adding an item to your shopping basket, for example).
Neither lets you go beyond functionality, so use of a TLS session identifier would to me be a straightforward breach if the purpose was anything beyond basic connection setup. At that point, informed, explicit, specific, opt-in consent is required. And contrary to all the illegal cookie walls, you can't require or presume this consent - that isn't consent!