I've created an opt-in / opt-out. If opting in, I enable Google Analytics and store the decision in a cookie for 30 days. However, if I don't store the decision in a cookie at all, then on every page the popup will continue to pop up if a user doesn't consent.
Is it ok to store a true / false data in a cookie? Or does that not comply with GDPR?
It is actually not a "catch 22".
In order to store something on a user's computer, you must ask permission. The true/false cookie which represents the user's consent can be stored, but this also must be done with their consent.
If you consider the true/false cookie "necessary", you can simply ask their permission to store "necessary cookies". In order for the site to work (e.g. don't pop up a new window on every page), they must consent to that minimal level.
For example, take a look at what CookieBot does:
"Necessary cookies" are disabled. It cannot be unchecked.
Both the General Data Protection Regulation (GDPR) and the ePrivacy Regulation (EPR) have to be adhered to; neither one supersedes the other.
Note that each European country enacts GDPR and EPR legislation into law slightly differently from the others, some more strictly than others. So you should always consult the law for your own European country as well.
For the setting and use of cookies and other similar technologies, you (the data controller) normally need user consent, as required by Regulation 5(3) of the EPR, to use these types of technologies. However, you don't need consent where the cookie or other technology is "strictly necessary" to provide you with the service the user is seeking – for example, cookies which may be needed to provide you with a functioning website which the user wants to access.
Hence you do not have to ask permission to store "Strictly Necessary" cookies on the user's device. Storing a cookie on the user's device to remember the user's opt-in or opt-out consent to cookies, as far as I know, is allowed without asking for their permission.
As far as I am aware, you are allowed to store that type of cookie for a maximum of 6 months before you have to ask for their opt-in consent again. So you could potentially increase from the 1 month you have set.
The exact EU guidelines regarding the "strictly necessary" exception read as follows:
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
If you are uncertain whether your cookies are strictly necessary, it's best to consult your local regulators. They can provide additional insight and specific guidelines for your country. In general, it is best to err on the side of caution. Unless you absolutely know your cookies are strictly necessary, assume they are not.
On the flip side...
Any cookie that does not fall under the "strictly necessary" definition needs consent before you can store it on a visitor's device.
Nearly all Google and Facebook API services require you to set tracking cookies and marketing cookies on users' devices, i.e. you cannot use Google/Facebook Login, Google reCAPTCHA, Google AdSense or Google Analytics without getting prior consent from the user to set tracking cookies and marketing cookies on their devices.
It is the trade-off of using the free APIs that Google and Facebook offer: they offer the SDKs and APIs for free but require personal information from the user in return.
Google's terms require you to obtain consent from the user before using their APIs and thus setting tracking cookies and marketing cookies on the user's device.
When you go to a website, if they are GDPR compliant they ask whether you consent to them tracking you. If as a user, I click "Deny", how does that website comply with that request? I as the user am not asked again, which to me indicates they have stored something somewhere, probably via a cookie.
Is this the correct way to obtain and work with GDPR? I would have thought by denying tracking, this would include any cookies.
GDPR legislation pertains primarily to Personally Identifiable Information (PII). Storing dissent in a cookie or localStorage doesn't violate that assuming there isn't anything that identifies the particular user, like trackingConsent=false.
Cookies are not only related to "tracking". They are mostly used to persist the state of the application, like session information or cookie acceptance. It is not going to work otherwise; the only option is to disable them at the browser level, but the legislator chose to force page owners to do it.
You may provide the page that you are asking about. It quite probably stores your refusal in a cookie or some modern persistent storage. Personally, I saw a page that after refusal simply kept asking again and again.
You may also check by yourself whether there are some cookies stored. It depends on the browser, but quite probably the F12 key and the Storage tab.
I have a website where I don't ask users for any data, I don't create cookies and I have only AWStats available in cPanel (preinstalled by the hosting maintainer).
Do I still need to show any legal information (i.e. GDPR, privacy policy, cookie policy) or can I omit all things?
Thanks
You don't need to make any mention of GDPR - that's just one of the applicable laws.
If you don't set any persistent third-party cookies and do not use any third party scripts that set third party cookies (like Google Analytics or Facebook buttons), you don't need a cookie pop-up.
Strictly speaking, your web logs may contain personal data in the form of IP addresses and user agent strings. That data can be reasonably kept for a short period, say 10-30 days, for the purposes of combating abuse, but after that you should either truncate logs or strip out data that can be associated with any individual - and this should be mentioned in your privacy policy too. AWStats typically generates aggregate info from raw logs, and that's fine, so long as it does not end up containing data that allows you to identify individuals (for example, don't store GeoIP data at resolution finer than a city).
You should still have a privacy policy - a policy is just that, it's not something visitors need to agree to, it just tells them how you handle their data. If you don't collect data, don't set cookies, don't share with any third parties, then that's what it needs to say. You don't need a separate cookie policy, especially if you're not using them beyond what's "strictly necessary".
Make sure you have set all applicable HTTP security headers, and (if you're not already) you should be using HTTPS, even for a static site.
Run your site through Webbkoll and Cookiebot to check how the outside world sees it.
I have a very specific question about G. Analytics and the GDPR law.
I've read many topics about this, but answers are sometimes contradictory. I would love to have an answer from a G.A. expert or a lawyer.
The GDPR law indicates that we must obtain the user's consent before data treatment; so for me, it would suggest that we must deactivate G.A. tracking as long as the user doesn't opt in to that treatment.
If I do so: I refresh the page when the user has opted in, so the data collection can begin; the problem with doing that is that we lose the referrer param (since we do a JS refresh, this param is lost: the referrer will be the current page).
Other questions:
If I activated IP anonymisation on G.A.: must I obtain the user's consent, or can I send the data by default (and offer the user the possibility to opt out)? (Many websites seem to have this process, but it seems contradictory with the user-consent obligation...) But this topic suggests proceeding like this.
Regarding the cookie law: is it allowed to store in cookies the user client-id (that G.A. uses) without the user's consent? If not, how to work around this limitation and use G.A. without allowing it to set cookies?
Is there a way to store user activity without sending it to G.A., and when the user opts in, send all that data?
Many thanks in advance !
Disclaimer: Not a lawyer
There are some cookies that can be set without consent (e.g. for security purposes, or perhaps even a preference for cookies). These are generally meant for essential purposes only and not for analytics, functional, or performance purposes.
However, if referrals are a critical part of how your website functions (say, for example, processing discounts if the user came from a certain link), it might be considered essential. The lines are a bit blurry on what can be considered 'essential', and indeed 'legitimate interest' for non-essential functions.
If you visit websites and look in dev tools, cookies are there immediately even for websites that are showing a cookie consent banner.
-- As for non-cookie technical ways --
I do have a related question that is open to answers on whether non-cookie based tracking technologies fall into the scope of consent - you could potentially send information to the server-side.
You might also use a front-end framework to construct a Single Page Application (although you might not have the option in a company), so that the page is not actually reloaded on a consent click. The consent form can simply trigger a script to run / change a state variable so that information that was stored in JS as variables can now be written into cookies.
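As an added example (not code from any of the posters), this is the pattern the first thread's answers and the answer above describe: a first-party cookie that stores only a yes/no decision with a fixed Max-Age, a page-load check that shows the banner only when no decision exists, and a banner handler that starts the analytics loader in place on "yes", so no reload is needed and the original referrer survives. The cookie name, the 30-day lifetime and the `loadAnalytics`/`showBanner`/`writeCookie` callbacks are assumptions; in a browser they would wrap `document.cookie` and the script injection.

```javascript
// Assumed cookie name and lifetime (the first question used 30 days).
const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_MAX_AGE_DAYS = 30;

// Serialize the decision. Only "yes"/"no" is stored: no identifier, so the
// cookie carries no personal data and is a candidate for "strictly necessary".
function buildConsentCookie(granted, days = CONSENT_MAX_AGE_DAYS) {
  const maxAge = days * 24 * 60 * 60;
  const value = granted ? 'yes' : 'no';
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Parse a document.cookie-style string ("a=1; b=2").
// Returns true/false for a stored decision, or null when the user is undecided.
function readConsent(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === CONSENT_COOKIE) {
      const v = rest.join('=');
      if (v === 'yes') return true;
      if (v === 'no') return false;
    }
  }
  return null;
}

// Page-load logic: banner only when undecided, analytics only after "yes",
// nothing at all after "no". Callbacks keep it testable without a DOM.
function applyConsent(cookieHeader, { loadAnalytics, showBanner }) {
  const consent = readConsent(cookieHeader);
  if (consent === null) { showBanner(); return 'banner'; }
  if (consent) { loadAnalytics(); return 'analytics'; }
  return 'nothing';
}

// Banner button handler: persist the decision and, on "yes", start analytics
// in the current page so document.referrer is still the real referrer.
function onBannerChoice(granted, { writeCookie, loadAnalytics }) {
  writeCookie(buildConsentCookie(granted));
  if (granted) loadAnalytics();
  return granted;
}
```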
According to new EU laws I have to ask my users to opt into having cookies installed on their computers.
So every time I want to set a cookie I have to see if the user has opted in and if they haven't I shouldn't set the cookie.
When they come to the website a popup will ask if they want to opt in. Should they click "no" I cannot put a cookie on their computer to say they've clicked no. How do I then know, as they go through the website, that they've clicked "no"?
Do I just have to show the popup every page they go to? Or store it in a session variable? (is using sessions still ok under the new law? I assume a cookie is set with the session key?).
Thanks
I'm not a lawyer but I've been reading up on this recently and it is quite clear under the new regulations not every cookie is considered equal and opting in is not required for all of them.
The regulations are most keen on ensuring that cookies that allow tracking of users' actions/data between websites must have an opt-in; at the other extreme, cookies that contain no personal information and are, for example, only used for security on one particular site (like a session cookie) may not need permission at all.
The UK ICO website has some very clear pages & PDFs (including: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications.aspx) on the subject and is definitely worthwhile visiting.
I have a question as to how / what the best approaches are to using OpenId and also providing the ability to stay logged in.
If I look at Stack Overflow for example, I have logged in using Google, and if I close my browser and come back it still has me as logged in.
However, I am not logged into Google and moreover I have removed Stack Overflow from the list of authorised services which have access to my Google account. I would naively expect that Stack Overflow would prompt me to log in again, but it doesn't.
So my question is, what are the best practices regarding OpenId and remembering authenticated users across sessions?
OpenID is still pretty new and several relying parties are trying out new and different ways to implement OpenID. There is a work-in-progress best practices document for relying parties hosted by the OpenID Foundation. In particular, they address the question of cookies and session lengths in their last section. Definitely an interesting idea to use persistent claimed_id cookies rather than persistent session cookies in order to make the user's life easier -- they only have to log out of their OP and close the browser.
Personally I find the behavior you're describing on StackOverflow pretty natural. If OpenID were out of the picture and you were logged into a username/password web site on two different computers with a persistent cookie (a very common scenario), and you changed your password on one, I wouldn't be surprised if the other computer still had me logged in. You could call that a security hole, but it's still normal practice. So normal in fact that Gmail recently added a display at the bottom of your Inbox screen that tells you where else you're logged in and gives you the opportunity to invalidate their session cookie.
I would suggest that a similar approach could be taken by any RP, regardless of the authentication method. And that would probably mitigate the security concern you have.
Stack Overflow probably uses a cookie to remember you as user number xyz or session id 1234. After authentication, OpenID has nothing at all to do with the session anymore. SO doesn't have the ability to see if you are still logged in to Google, so this seems only natural.