[Mulpze15]

Is this true?

1- If I count page views on my site, no consent necessary.

2- If I count sessions on my site, no consent necessary.

3- If I count page views per sessions on my site, is consent necessary?

4- If I count return visits on my site, consent necessary?

5- if I remember what people bought on my site, consent necessary?

Related to 3 and 4, how long is a reasonable cookie expiration?

6- Am I looking at this issue the right way?

Thx.

[scrollaway]

I’m not a lawyer, so take this with a grain of salt. But I have implemented gdpr for several companies.

First, you do not need consent for anything deemed essential to your site. Furthermore, you kind of get to say what is essential and what isn’t, as long as you can reasonably defend it.

For example a shopping cart is certainly essential. Previous purchases, page views, etc all essential.

“Page views per session”, most likely not essential (though you can make the argument they are), but if you’re not installing an identifier on the user to track them (for example, they’re signed in and you’re aggregating as such), then you don’t need to ask for consent.

If this sounds like there are loopholes that’s because there are loopholes. Concretely, tracking consent dialog are one of the looser parts of gdpr.

So what I usually tell clients is: You do not need a consent dialog, unless you use a first or third party analytics library.

If you add a third party analytics library (google analytics, Facebook pixel, piwik, plausible, …), [edit: or third party ads, they come with their own tracking], do not load it until you’ve asked for consent.

Ask for consent once per account or per logged out device.

Give the option to accounts to revoke consent.

[Jochim]

> “Page views per session”, most likely not essential (though you can make the argument they are), but if you’re not installing an identifier on the user to track them (for example, they’re signed in and you’re aggregating as such), then you don’t need to ask for consent.

GDPR might allow for this but other data protection laws might not. In the UK if you want to use an authentication cookie for any other purpose you're required to request permission[0]. Weirdly the guidance also states that consent is also required for persistent login cookies.

[0] https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...

[scrollaway]

Yes, you're quite right; I'm talking about GDPR, but other data protection laws may apply and may be stricter.

Also, these are general guidelines and may not be compliant to 100%. But the clients I deal with do not usually need to worry about absolute compliance, otherwise they'd be hiring teams of actual lawyers, not me.

[Fradow]

6. No, you are not really looking at this issue the right way.

While it has been nicknamed the "Cookie Law", the ePrivacy Directive is about trackers that contains PII (Personally Identifiable Information) and the reason some cookie exist.

On a high-level, the spirit of the law is:

- if the cookie is essential to the site, consent is not needed

- if the cookie doesn't contain PII / isn't used for tracking, it is not impacted by the law, and thus consent is not needed

Now several examples you detailed could be done server-side, without any tracking cookie, or with a cookie if the user is logged (which implies accepting the website conditions and could be deemed essential). In those cases, no consent is needed. If on the other hand you use a tracking cookie, like a Google Analytics tracking cookie, yes consent is needed.

[Cthulhu_]

The answer is no, unless you use a 3rd party like Google Analytics, then you need to look closely at legislation and their settings about whether you need to ask your end user for consent.

But generally speaking, you do not need a tracking consent banner unless you use tracking, directly or via 3rd parties.

[jeroenhd]

As long as you don't connect the statistics you collect to individual user data, you should be fine. A server-side hit counter that just increments a row per page visit in the database doesn't need consent, as long as that row isn't directly connected to any user accounts.

If return counts are nothing more than "this user has visited the site before" and there is some benefit to the user (say, remembering their address or username) then I don't see why you'd need consent. This is in the legitimate interest of you and your user. This "legitimate interest" exception doesn't go as far as many of the nasty tracking companies pretend it does, though.

A history of purchases for an account is an obvious feature, but you need consent before you can use that data to generate a marketing strategy for example. So a cart history is perfectly fine, but training your recommendation algorithm in that needs consent.

You can use whatever you like to achieve the technical requirements for your site to operate from the user's perspective. Theoretically you could even use advanced device fingerprinting techniques without consent as long as the purpose isn't to gather data, but to serve an end goal.

As soon as you start aggregating data for your own benefit, you need explicit, optional consent from the user to use their data to your benefit.

Anonimised data can be used without consent, but good anonimisation is very very difficult to achieve. Data is considered PII if the data can be linked back to the individual user if you have a theoretical second database. Pseudonymisation, which is what most frameworks actually seem to do instead of anonimisation, is not enough to not need consent, because the data can easily be linked back to actual user data using a backup of your site database afterwards.

Tl;dr: as long as you use cookies and other features only to directly benefit the user, you need no consent. If the data you collect cannot possibly be connected to a user, you don't need consent. Based on my reading of the GDPR (not a lawyer but it was covered in an IT law class), that means 1: yes, 2: yes, 3: no, 4: possibly, 5: probably, 6: you've got the right idea.

You can find more details here: https://gdpr.eu/cookies/ You can also try reading the GDPR text itself, it's quite readable as far as legal documents go in my opinion.