[jefftk]

The duration is part of the functionality. In interpreting the e-Privacy directive a general principle is that durations should not be longer than required to implement the required functionality. If you read through https://ec.europa.eu/justice/article-29/documentation/opinio... you'll see lots of discussion of appropriate durations.

[the_mitsuhiko]

The opinion document as far as I'm aware has no legal force. That said, I'm sure durations can always be re-evaluated but the case of "i'm going to log in but then not" is a corner case that's not exactly top of mind. I think the bigger task here is to defer loading stripe until necessary.

[jefftk]

> The opinion document as far as I'm aware has no legal force.

Agreed! But without this guidance we're just stuck guessing what "strictly necessary" means.