by soyyo 891 days ago
I believe that under GDPR cookies that are used only for technical purposes and not related to personal information are exempt from any consent and don't need to be informed with the infamous cookie banner.

It's not about cookies; it's about their content and purpose.

2 comments

Indeed. Cookies are incredibly useful for things the user really does want, like staying logged in across sessions/tabs.
A login cookie does not require a consent banner, because logging in is an explicit user request. But I didn't log into Sentry in my testing.
Persisting login cookies if the user didn't explicitly consent to data collection is specifically _not_ exempted by ePrivacy. To quote an EU Working Group's opinion on this: 'Persistent login cookies which store an authentication token across browser sessions are not exempted under CRITERION B. This is an important distinction because the user may not be immediately aware of the fact that closing the browser will not clear their authentication settings. They may return to the website under the assumption that they are anonymous whilst in fact they are still logged in to the service. The commonly seen method of using a checkbox and a simple information note such as “remember me (uses cookies)” next to the submit form would be an appropriate means of gaining consent therefore negating the need to apply an exemption in this case.'

You can find the full opinion text here https://ec.europa.eu/justice/article-29/documentation/opinio...

Sorry; you're right! I should have given the caveat that the login needs to be accompanied by a checkbox like that.

Cookie banners predate the GDPR, and were initially a response to the ePrivacy Directive of 2002: https://en.wikipedia.org/wiki/EPrivacy_Directive

While the GDPR has added additional restrictions, the basic framework is still in force: you can't store information client-side (cookies, localStorage, etc.) unless (a) it is "strictly necessary" to fulfill a user request or (b) you get user consent. All the cookies above look to me like they don't meet that bar; the site seems to still fulfill my requests with cookies disabled.

(Not a lawyer.)