by sdflhasjd 993 days ago
I think the effort would be best spent avoiding cookies and trackers in the first place.

What do you plan on using cookies for? There might be some ways of doing similar things without cookies or trackers (server-side analytics for example) that are more respectful of users and also eliminate the need for any banners at all.

I know my company's website has a pointless cookie modal - the necessary cookies are just for session affinity on a gateway (which I don't believe you'd need a modal for anyway), and the unnecessary cookies are from one analytics integration that's been used just once since it was set up, and another that is used for the most basic reports that you could get from just the access logs.

2 comments

> What do you plan on using cookies for? There might be some ways of doing similar things without cookies or trackers (server-side analytics for example) that are more respectful of users and also eliminate the need for any banners at all.

For EU things you must make sure what you're doing with this aligns with consent from the user / other justifications. Whether it's server side or cookies doesn't matter for GDPR, it's the collection & use of the data.

To OP, try not to collect data at all, and if you need to then make the consent banner not block the use of the website. Also don't animate it in, just have it there.

The ICO guidance in the UK is pretty good https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...

Note that consent is not always the best justification for lawful processing.

Can you explain how server side analytics works without cookies?
You log the IP address, referrer, user agent and the requested page URL but you don't set a unique cookie to identify the user.

This still gets you plenty of actionable analytics information: where geographically people are located (via GeoIP), what pages are most popular, what platforms (including desktop vs mobile) people are using.

I've been using https://plausible.io for analytics on a bunch of my sites for a couple of years now and I honestly don't miss the extra level of detail I got from cookie-based analytics I've used in the past.
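An added example, not part of the thread or of any commenter's code: the cookieless aggregation described in the comment above, computed from access-log lines alone. It assumes Combined Log Format and uses constructed sample lines; the GeoIP lookup is left out because it needs an external database.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format (assumed). The client IP is matched but deliberately
# not captured, so it cannot end up in the output or be used as a key.
LINE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2023:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://news.ycombinator.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
192.0.2.10 - - [01/Mar/2023:10:00:09 +0000] "GET /checkout?ref=abc HTTP/1.1" 200 2048 "https://example.test/pricing" "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
198.51.100.7 - - [01/Mar/2023:10:01:30 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) Mobile/15E148 Safari/604.1"
203.0.113.5 - - [01/Mar/2023:10:02:00 +0000] "GET /missing HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Linux; Android 13) Mobile Safari/537.36"
this line is malformed and is skipped
"""

def platform(ua):
    """Coarse device class only; the full user agent string is not kept."""
    return "mobile" if re.search(r"Mobile|Android|iPhone", ua) else "desktop"

def summarize(log_text):
    """Return aggregate counters; nothing per-visitor is stored."""
    pages, platforms, referrers = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue  # skip malformed lines, non-GET requests and errors
        pages[urlsplit(m["path"]).path] += 1  # query string dropped
        platforms[platform(m["ua"])] += 1
        host = urlsplit(m["referrer"]).hostname  # None for "-"
        referrers[host or "(direct)"] += 1
    return {"pages": pages, "platforms": platforms, "referrers": referrers}

if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_LOG).items():
        print(name, counts.most_common())
```

The output holds page, platform and referrer totals only, so it cannot link the `/pricing` view to the `/checkout` view made from the same address.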

Let’s say I want to know the conversion rate of my payment page. I need to know how many unique visitors viewed a page, and how many of them went on to complete a payment. I’m pretty sure this is not possible without a unique identifier. And if you are using (ip address, user agent) as a proxy for such an identifier, is that any better or legal than using a cookie in the first place?
You need to make sure you're happy with how you're using people's data and that it falls within the legitimate interest justification (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...). IP addresses can be considered personal data.

edit - make sure you've actively made this decision and documented the assessment.

You can use IP based tracking or something like a query parameter to track within that session.
You're describing a session cookie. Changing the technique slightly doesn't allow you to bypass the law.