[jakelazaroff]

GDPR differentiates between cookies and localStorage? I'm skeptical, but if so that's… a really surprising loophole.

[tipiirai]

It doesn't differentiate. GDPR is about identities and using them for non-essential purposes. It doesn't take a stance on the technologies in use. According to our lawyer GDPR law texts doesn't contain the word "cookie" anywhere.

Storing a user identifying random id to any permanent storage (cookie, localStorage, etag, Flash, you name it...) goes against GDPR.

[jakelazaroff]

Got it — the difference between Volument’s localStorage and GA’s cookie is the “identifying” aspect of the latter.

[tipiirai]

Exactly. GA uses identifying cookie so a consent is needed outside Europe too as per CCPA and others. Moreover you must explicitly ask for permission to identify the visitor and explain why you do it.