I’m not a lawyer, so take this with a grain of salt. But I have implemented GDPR for several companies. First, you do not need consent for anything deemed essential to your site. Furthermore, you kind of get to say what is essential and what isn’t, as long as you can reasonably defend it. For example, a shopping cart is certainly essential. Previous purchases, page views, etc. are all essential. “Page views per session” is most likely not essential (though you can make the argument that it is), but if you’re not installing an identifier on the user to track them (for example, they’re signed in and you’re aggregating as such), then you don’t need to ask for consent. If this sounds like there are loopholes, that’s because there are loopholes. Concretely, tracking consent dialogs are one of the looser parts of GDPR. So what I usually tell clients is: you do not need a consent dialog unless you use a first- or third-party analytics library. If you add a third-party analytics library (Google Analytics, Facebook Pixel, Piwik, Plausible, …) [edit: or third-party ads, they come with their own tracking], do not load it until you’ve asked for consent. Ask for consent once per account or per logged-out device. Give accounts the option to revoke consent.
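The pattern the comment above recommends (don't inject the analytics tag until consent is given, remember the decision so the visitor is asked once per device or account, and let them revoke it) can be implemented as a small consent gate. The code below is an added example written for this page; it is not the commenter's code and not any vendor's SDK. The names `ConsentGate`, `CONSENT_KEY` and `demoFlow` are hypothetical. The gate takes the storage and the script loader as parameters so the same logic works with `localStorage` for logged-out devices or with a per-account server-side store, and so it can be exercised here without a DOM:

```javascript
// Added example, not code from the thread. Hypothetical names throughout.
const CONSENT_KEY = "analytics-consent"; // assumed storage key

class ConsentGate {
  // storage: any object with getItem/setItem (browser localStorage, or an
  // adapter over a per-account store on the server).
  // loadAnalytics: the function that injects the third-party tag. It is
  // only ever called from load(), so the script cannot run pre-consent.
  constructor(storage, loadAnalytics) {
    this.storage = storage;
    this.loadAnalytics = loadAnalytics;
    this.loaded = false;
  }

  hasConsent() {
    return this.storage.getItem(CONSENT_KEY) === "granted";
  }

  // True only when no decision has been stored yet: this is what makes the
  // dialog appear once per device/account rather than on every page view.
  needsPrompt() {
    return this.storage.getItem(CONSENT_KEY) === null;
  }

  // Call on every page load: replay a stored "granted" decision, but never
  // load anything when the answer is missing or "denied".
  init() {
    if (this.hasConsent()) this.load();
    return this.hasConsent();
  }

  grant() {
    this.storage.setItem(CONSENT_KEY, "granted");
    this.load();
  }

  revoke() {
    // A script already injected in this session cannot be unloaded; the
    // caller should also clear the vendor's cookies and reload the page.
    this.storage.setItem(CONSENT_KEY, "denied");
  }

  load() {
    if (this.loaded) return; // idempotent: grant() after init() loads once
    this.loaded = true;
    this.loadAnalytics();
  }
}

// In a browser the loader would be something like:
//   () => { const s = document.createElement("script");
//           s.src = "https://analytics.example/tag.js"; s.async = true;
//           document.head.appendChild(s); }
// Below, a constructed in-memory storage and a counting loader stand in for
// localStorage and the real tag so the flow runs under Node.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walks one device through: first visit, consent, a later visit, revocation.
function demoFlow() {
  const storage = makeMemoryStorage();
  let loads = 0;
  const loader = () => { loads += 1; };

  const first = new ConsentGate(storage, loader);
  const loadedAtInit = first.init();        // false: nothing stored yet
  const promptedFirst = first.needsPrompt(); // true: show the dialog
  first.grant();                             // user accepts -> tag loads

  const second = new ConsentGate(storage, loader); // next page view
  second.init();                                   // replays consent
  const promptedSecond = second.needsPrompt();     // false: asked once
  second.revoke();

  const third = new ConsentGate(storage, loader);  // after revocation
  third.init();                                    // must not load
  return {
    loadedAtInit, promptedFirst, promptedSecond,
    loads, consentAfterRevoke: third.hasConsent(),
    promptedAfterRevoke: third.needsPrompt(),
  };
}
```

The important property is that `loadAnalytics` is reachable only through `load()`, so there is no code path that injects the tag before a stored "granted" decision exists. Revocation stores "denied" rather than deleting the key, so the visitor is not prompted again on the next visit.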
GDPR might allow for this, but other data protection laws might not. In the UK, if you want to use an authentication cookie for any other purpose, you're required to request permission[0]. Weirdly, the guidance also states that consent is also required for persistent login cookies.
[0] https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...