by mdiesel 969 days ago
It's a sad state of affairs that if I saw that message I would think positively of the website... Except that if you're only showing it once that means you're tracking me to know I'm a repeat visitor
6 comments

> Except that if you're only showing it once that means you're tracking me to know I'm a repeat visitor

It is arguably tracking required for the functioning of the site which is a clear exception to the ban.

It's clearly not required. The site would function without it. Therefore an activist will eventually argue to a court that it's a GDPR violation and win, meaning you have to pay up a fraction of your revenue (possibly sending you under).

GDPR threads on HN are always like this. Tons of people saying "no no it doesn't work that way it wouldn't be reasonable" and then when that thing ends up being ruled illegal, "of course it's illegal everyone knew that it's all very clear".

GDPR is written in such a way that you can't ever know what is or isn't allowed.

That's not really what anyone means when they say tracking...
The recent case against Criteo in the Netherlands has some interesting definitions of cookie types:

This case revolves around (third party) tracking cookies.

The Dutch Data Protection Authority (AP) defines cookies as follows:

“Cookies are small files that a website owner places on a visitor’s device. For example on a computer, laptop, smartphone or tablet. For example, the owner can collect or store information about the website visit or about (the device of) the visitor.


There are 3 types of cookies:

- functional cookies;

- analytical cookies;

- tracking cookies.”

The AP says about tracking cookies:

“If cookies can also be read when you visit another website, we call these tracking cookies. These cookies allow organizations to track people’s internet behavior over time.

Tracking cookies make it possible to draw up profiles of people (profiling) and treat them differently. Tracking cookies usually process personal data.

Personal interests can be derived from the information about visited websites. This allows organizations to, for example, show their website visitors targeted advertisements. (…) Do you process personal data of visitors to your website with tracking cookies? Then you must comply with the rules of the General Data Protection Regulation (GDPR).”

https://uitspraken-rechtspraak-nl.translate.goog/?_x_tr_sl=a...

For anyone wondering what the Dutch DPA (called the Autoriteit Persoonsgegevens, or Authority personal data) itself says about cookies (and user tracking in general really): https://www.autoriteitpersoonsgegevens.nl/themas/internet-sl...

(It's in Dutch, translate at your own liberty, I'll give my own below + the stuff the authority for consumers and the market demands, which is linked from their page.)

Basically of the three cookie types, functional cookies require no consent whatsoever. A cookie to set up a user session (the page uses a shopping cart in a webshop as an example and the details mention things like saved passwords and language choices) is totally fine. The AP still recommends informing the users, but it's not required.

Analytical cookies are permissible insofar that they aren't used to profile the user. You're not required to ask for permission as long as they don't contain any uniquely identifying information. You are required to inform the visitor that you are placing these cookies though.

The final category are tracking cookies. These fall under the full scope of the GDPR; you must ask for consent before placing them, you must tell people how you are collecting their data (cookies, scripts or beacons are listed as examples) and you need to tell people what you do with them.

Pre-checking consent forms in general is expressly forbidden (on the same logic that you can't pre-check people into signing up for physical spam mail or paid subscriptions) and consent must be clearly stated, not hidden in some terms of services page or privacy statement.

Those are all requirements on top of the rights the GDPR (in Dutch called the AVG) grants consumers, although obviously most of this overlaps with the GDPR already.

That’s setting a cookie/local storage that can be used purely client side to determine whether to show the message or not. No tracking required because the server never has to see or store this.
Local storage maybe, but cookies are sent on every request. There are no purely client-side cookies.
Tracking cookies identify you across multiple sites. If some front-end JavaScript sets and checks a cookie for "has visited" on a single site, that's not considered tracking. It's non-identifying and harmless.
Storing previous_visitor=1 into local storage is not the type of tracking most people are objecting to, nor is it against the GDPR until you start having user specific indicators or trying to use a collection of values as a fingerprint.
And it is enough to get you in trouble if it’s a website you are not supposed to see.
The data you choose to store with your software on your local machine is your responsibility.

Tracking is server side behavior.

3P cookies aren't a problem, per se. Using 3rd party cookies to join data with other server side data is the problem.

Well you can still reject all cookies then, making all of these cookie popups nonsense.
Is that so? Even if you check that on the client side without sending that data to the server?
A wife can find out a husband is trying to cheat on them for example.
Not GDPR, but probably does require consent under the ePrivacy Directive.
> Storing previous_visitor=1 into local storage is not the type of tracking most people are objecting to

Who are you to speak for "most people"? I do object to that kind of cookie being placed without my explicit consent. It provides at least some identifying information that might allow multiple websites working together to uniquely identify you.

No, a cookie with default settings attached to https://example.com saying "previous_visitor=true" does not provide any information whatsoever to any sites other than https://example.com.

There are various techniques to place "cookies" (sometimes not technically cookies) that can be correlated by multiple websites working together, but the website has to go out of their way to proactively do that, this is not something that gets enabled by simply placing a standard non-personalized cookie.
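The two technical claims in this thread (that a localStorage flag never leaves the browser, and that a cookie set with default attributes by https://example.com is attached only to requests for that exact host) can be checked with a small model. This is an added example, not code from any commenter; the storage stub, the cookie jar and the `cookieHeaderFor` model are constructed for illustration and ignore Path, Expires and SameSite.

```javascript
// Added example: a client-side "first visit" notice plus a minimal model of
// which cookies a browser attaches to a request. Nothing here is real site
// code; the storage stub and cookie jar are constructed for this demo.

// Minimal in-memory stand-in for window.localStorage so this runs in Node.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

const NOTICE_KEY = "previous_visitor";

// Returns true if the notice should be shown, and records the visit.
// The flag lives only in the browser: localStorage is never sent with a
// request, so the server learns nothing from it.
function shouldShowNotice(storage) {
  if (storage.getItem(NOTICE_KEY) === "1") return false;
  storage.setItem(NOTICE_KEY, "1");
  return true;
}

// Cookie model (simplified from RFC 6265): a cookie set without a Domain
// attribute is "host-only" and is sent only to the exact host that set it;
// a Secure cookie is additionally sent only over https. Path, Expires and
// SameSite are deliberately ignored here.
// jar: array of {name, value, host, secure}
function cookieHeaderFor(jar, requestUrl) {
  const u = new URL(requestUrl);
  return jar
    .filter((c) => c.host === u.hostname)
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jar: one host-only cookie set by https://example.com.
const exampleJar = [
  { name: "previous_visitor", value: "true", host: "example.com", secure: true },
];

// Same-host request carries it; any other host (or plain http) gets nothing.
console.log(cookieHeaderFor(exampleJar, "https://example.com/page"));   // previous_visitor=true
console.log(cookieHeaderFor(exampleJar, "https://other.example/page")); // (empty)
```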

… and once it’s used by multiple sites to uniquely identify you, it becomes a tracking cookie in (most of) the laws on the books.

The law judges intent as well as technology.

As long as you use the cookie for nothing else, this counts as a technical cookie that's allowed by GDPR.
This is nothing to do with the GDPR. It's the ePrivacy Directive that deals with cookies.