by starbugs 995 days ago
I'd like to point out that I answered the question even if not using cookies is not an option.

But to elaborate a bit: At least in Germany (and I believe this applies more or less everywhere) if you install a 1st-party tracking method based on 1st-party cookies, that doesn't fall under the 3rd-party consent requirement and you don't need consent. That means you can track your valuable retention numbers and won't need a consent banner. It's a common misunderstanding that you need that consent for all cookies. You only need it for cookies that aren't required to do your business. And 3rd-party cookies aren't.

It's just that marketing typically don't want to spend any money on this, because these retention numbers turn out to not be enough value to justify the investment. I wonder if they are as valuable as you described at all.

Edit: I should have said 1st-party tracking that doesn't collect personally identifiable information (PII).

3 comments

This is completely false. You need permission for any data you store on a user device or retrieve from a user device if that is not strictly needed for the execution of the service the user requested. Nowhere in the law is the word "cookie" even used, so your suggestion that "1st party cookie" is different from "3rd party cookie" is wrong. And similarly, this whole thing also applies to all alternative tracking methods, so you cannot avoid it by using localStorage for example.

A 1st party tracking solution is in no way considered needed to deliver the service the user requested. Only things like remembering my shopping basket are necessary to deliver the services of a webshop. And you cannot use that cookie for other purposes (like counting visitors).

This is what is false. You can use first party tracking using cookies, local storage, IndexedDB, whatever you like without consent as long as it is not tied to any PII and it is essential for _operating_ your service. Diagnostics, page views, flows through the app, even with a unique identifier for that session is fine and 100% acceptable for both GDPR and CCPA unless it's shared with third-parties or tied directly to PII.

The easiest thing to do here is to simply not associate those sessions with a particular user. Even if your user accounts are tied to specific PII for essential purposes of your app. As long as the tracking data is not connected to that identifier, does not log any PII data on its own, and is not shared with third parties you do not need consent.

One quick edit: Be careful with collecting errors, it's easy for backtraces to include application specific data including any PII you might have which will tie that session back to a specific user and becomes a violation.

The language in the UK version of the law is "strictly necessary for the provision of an information society service requested by the subscriber or user", which the ICO interprets as meaning "it must be essential to fulfil their request". I don't think tracking page views counts, because it's technically possible to serve a page without using a cookie to track that it was viewed.
You might be referring to some other law than GDPR?

I was referring to the GDPR as pointed out in my comment.

There even is a GDPR recital that explicitly states:

"[...] The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

Source: https://gdpr-info.eu/recitals/no-47/

You're forgetting about the ePrivacy directive (or "cookielaw"). That has nothing to do with whether the information is identifying or not, you need permission for everything that isn't strictly necessary to deliver the service the user requested.

Analytics is not strictly necessary to deliver the service.

Thank you. I have done so many implementations of GDPR. The cookie consent pop-ups everywhere are only needed because of how aggressively these third parties collect information (and that they _are_ third parties).

Just don't collect PII beyond what is absolutely essential for your application, and don't share it with third parties. Bam, you don't have to get consent. Knowing what classifies as PII is still a hard problem because it's full of so many conditionals. Email is not PII unless you have some part of their name for example and it counts if your company receives an email from that person that includes their name in the From field.

All the cookie banners out there are designed to make people weary of them into just accepting the previous practices. It's malicious compliance.

Email is always PII under GDPR.

If you're doing 1st-party tracking, and you are collecting personal data for that purpose (which is almost by definition going to be true), and the user hasn't explicitly asked for that tracking to take place (for instance by creating an account and logging in, or by putting items in a shopping basket and expecting them to be retained) then yes you will need to ask for consent to do that tracking.

The test isn't whether collecting that data is required to do your business - it is whether collecting that data is required to do what the user is asking you to do. So if (for example) you are tracking your users to see where they click in your web site in order to improve your web site, then that is only required for your business - your user has no interest in that, didn't ask for it, and therefore must be asked for consent for you to do it.

I was referring to the grey area of legitimate interest in the law and how I was briefed to interpret it ca. 2021. Things may have moved on and I am not a lawyer. You might be right and what the lawyers told me back then isn't true or was true and is no longer considered true.

What I was basically saying is that 1st-party cookies are considered more likely to reflect a legitimate interest than 3rd-party cookies. And I think that is what the interpretation of the law was (or maybe still is).

You can do 1st-party tracking without collecting personally identifiable information if it's just about retention without a user ID, which I was referring to. And I in fact think that there is a case to be made that this could be part of the legitimate interests of improving the user experience on a web property of a given business, hence not requiring consent.

IANAL too.

I'll certainly agree that this is an area where different opinions abound, and also you are much less likely to be prosecuted for this, so it's likely that advice would be that it's probably alright and you'll get away with it. But a strict interpretation of the law says that you can't use information gathered for a purpose for which the user didn't consent (or deliberately ask for, etc), even if you have it lying around because you collected it for a separate reason that is valid.

Regarding arguing that improving the user experience is a legitimate interest - I'm not aware of that having been argued and decided in court, but my opinion is that it is a hopeful misinterpretation of the law, and a slippery slope towards quite egregious data collection.

Yes, you can collect web site metrics without identifying information, for instance how many times are the different links on a particular page clicked on, but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.

> [...] but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.

Just out of curiosity: That would be crossing a line, because it might be potentially possible to reconstruct an identity from the linked navigation pattern?

If so, I guess I would consider that beyond the realm of what any normal internet lawyer would include in their advice.

One of the problems is that it is hardly possible to differentiate connections without gathering PII.

Even an IP address is PII, you may be lucky with some fingerprinting, but this won't be unique.

A cookie used solely for counting anonymous visits without storing individual identifiers generally wouldn't be considered personally identifiable information under GDPR.

At least that's what I was told. Having said that, this is obviously a complicated and nuanced topic with a lot of grey areas. I guess it's a good idea to talk to a lawyer in any case.

You are right that if this is just a unique identifier that gets into the cookie and you cannot link it to the actual user then it's fine.

My point was rather for non-cookie based kind of identification, but it was not clear enough.