
"Companies could easily avoid any cookie banner. Just don’t track."

It seems like a point dear to the author's heart, given the way he highlights this and puts it in bold at the top of the article.

But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.




> If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

If it is crucial to provide the service or the service is explicitly requested by the user (I'd argue a shopping cart is), I think you don't need consent (see Article 5 of Directive 2002/58/EC).


Shopping carts and notification preferences don't require a consent banner.


Our lawyers told us otherwise.

Regardless of the answer here, the fact that there's still a debate about what basic functionality requires a cookie banner is really a testament to how bad this legislation is. How long has this been around, 20 years? And there's still widespread debate and lack of understanding as to what specific functionality requires a cookie banner?


Here is an authoritative source[0]:

> consent is not required [for] cookies that are strictly necessary to provide an online service that the person explicitly requested. e.g. […] when your customers use a shopping basket

So shopping carts (user clicked to add to cart) and notification preferences (user clicked to indicate preference) don’t require consent. Same for authentication cookies.

The page is quite clear; the confusion likely arises from how companies implement it.

[0]: https://europa.eu/youreurope/business/dealing-with-customers...


I am amused that your official EU link, which contains only static documentation, asks me to choose between “all cookies” and “essential cookies”.


I think it's worth noting that those cookies keep track of whether you have filled out their feedback form and count the number of unique visitors to the page, or are cookies from third parties the website may present embeds from: https://european-union.europa.eu/cookies_en


Yep. In other words, things that almost every website in the past 10 years does, making consent banners ubiquitous.


> Our lawyers told us otherwise.

Probably because they're not particularly technical people, and also because of the asymmetric incentives for them personally.

Tell someone to put a cookie banner up when they didn't need to: no consequences.

Tell someone not to put up a cookie banner up when they did need to: potentially big consequences for them and their career.


Your lawyers are playing it safe. Their job is to make sure your company is not getting into lawsuits, and having a cookie banner that is not needed won't get you into a lawsuit, so that's what they suggest. They don't care about annoying your users.

If you really care about not annoying your users and don't intend to track them more than what's absolutely required for the service to work, then talk with your lawyers more. Of course, it is not free as it requires extra work, and it may carry some risk (which your lawyers should minimize), but it may be worth it: many people press the "back" button as soon as they see a cookie banner and try their luck elsewhere.


Yes, and if you ask the CFO about the best way to increase profits, the answer is always to fire all your staff. That doesn't mean that that answer is the most optimal solution.


You can find a lot of guidelines around GDPR or ePrivacy made by the EDPB or a DPA. For instance:

https://ec.europa.eu/justice/article-29/documentation/opinio...

This says that cookies for a shopping cart or user preferences are exempted from consent. The ICO and the CNIL say the same, as expected.


Maybe your shopping cart is served through a third party domain, like a Shopify iframe or something?


Fair, I can't argue with that. It's definitely a shame.


> How long has this been around, 20 years?

No. It took effect in 2018.


Cookie banners are a response to the ePrivacy directive from 2002.


They weren't widely implemented until post GDPR, and in fact post https://curia.europa.eu/juris/document/document.jsf;jsession...


It is not that simple. In "Opinion 04/2012 on Cookie Consent Exemption" [1] the EU Parliament's Working Party On The Protection Of Individuals With Regard To The Processing Of Personal Data said:

> A cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average user or subscriber. This suggests that cookies that match CRITERION A and B will likely be cookies that are set to expire when the browser session ends or even earlier. However, this is not always the case. For example, in the shopping basket scenario presented in the following section, a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant’s website in the following minutes. In other cases, the user may explicitly ask the service to remember some information from one session to another, which requires the use of persistent cookies to fulfil that purpose.

(Criterion A is cookies that are used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network" and criterion B is cookies that are "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service".)

If your shopping cart cookie has a lifetime longer than the "reasonable expectations of the average user or subscriber" you may need to obtain consent. That's a sufficiently vague criterion that it may not be clear whether your particular shopping cart cookie requires consent or not.

[1] https://ec.europa.eu/justice/article-29/documentation/opinio...


> But while it sounds good on the surface, it doesn't take much digging to show it's silly. If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

A tracking warning at login/sign up would be enough. No need to ask for cookie consent at every visit. It would just be part of the typical T&C.

> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

Easily solved with a cookie that says "don't track". If the cookie is set, don't track anything.


> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

Not really - basic functionality like you describe does not require consent, AND any cookie specifying non-consent is in itself anonymous.


> any cookie specifying non-consent is in itself anonymous

If you really make it anonymous, the downside then is that you have to keep asking the same visitor over and over again, each time they visit.


It's a cookie stored on their device, right? If it's not a unique cookie it would still be anonymous if it isn't cleared every time they leave, wouldn't it?
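The "don't track" cookie this subthread argues about can be made concrete. The following is an added example, not code from any of the commenters: a consent cookie whose value is one of two fixed words, so every visitor who declines carries a byte-identical cookie and nothing in it identifies them; a bounded lifetime; and a gate that lets analytics or ad cookies be sent only after an explicit "granted". The cookie name, the two-word vocabulary, the six-month Max-Age and the set of "essential" cookie names are all assumptions chosen for the example.

```python
"""Consent cookie that records a choice without identifying the visitor.

Added example for the thread above; names and values are assumptions.
"""
from http.cookies import CookieError, SimpleCookie

CONSENT_COOKIE = "tracking_consent"          # assumed cookie name
ALLOWED_VALUES = frozenset({"granted", "denied"})
CONSENT_MAX_AGE = 180 * 24 * 3600            # six months, an assumed lifetime


def consent_set_cookie(choice: str) -> str:
    """Build the Set-Cookie header value for the visitor's choice.

    Only the two vocabulary words are accepted, so the cookie cannot be
    (mis)used to smuggle a per-visitor identifier into the consent record.
    """
    if choice not in ALLOWED_VALUES:
        raise ValueError(f"consent choice must be one of {sorted(ALLOWED_VALUES)}")
    cookie = SimpleCookie()
    cookie[CONSENT_COOKIE] = choice
    morsel = cookie[CONSENT_COOKIE]
    morsel["max-age"] = CONSENT_MAX_AGE      # expires, not permanent
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    morsel["secure"] = True
    return morsel.OutputString()


def parse_consent(cookie_header: str) -> str:
    """Return "granted", "denied" or "unknown" from a request's Cookie header.

    Anything outside the vocabulary (a tampered, stale or synthetic value)
    is treated as "unknown", i.e. the visitor is simply asked again.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:                      # malformed header: first visit
        return "unknown"
    morsel = jar.get(CONSENT_COOKIE)
    if morsel is None or morsel.value not in ALLOWED_VALUES:
        return "unknown"
    return morsel.value


def may_track(cookie_header: str) -> bool:
    """Gate for analytics/ad scripts: only an explicit "granted" enables them."""
    return parse_consent(cookie_header) == "granted"


def should_show_banner(cookie_header: str) -> bool:
    """The banner is shown only while no recognised choice is stored."""
    return parse_consent(cookie_header) == "unknown"


def filter_response_cookies(cookie_header: str, set_cookies: list[str],
                            essential: frozenset) -> list[str]:
    """Drop every non-essential Set-Cookie unless tracking was granted.

    `essential` holds the names needed to provide the requested service
    (session, cart, and the consent cookie itself); these are always kept,
    which is the "if the cookie is set, don't track anything" rule.
    """
    if may_track(cookie_header):
        return list(set_cookies)
    kept = []
    for header in set_cookies:
        name = header.split("=", 1)[0].strip()
        if name in essential:
            kept.append(header)
    return kept


if __name__ == "__main__":
    # Constructed request: a session cookie plus a recorded "denied" choice.
    request_cookies = "session=abc123; tracking_consent=denied"
    outgoing = ["session=abc123; Path=/", "cart=42; Path=/",
                "_analytics=constructed-id; Max-Age=63072000"]
    print(consent_set_cookie("denied"))
    print(should_show_banner(request_cookies))
    print(filter_response_cookies(request_cookies, outgoing,
                                  frozenset({"session", "cart", CONSENT_COOKIE})))
```

Two visitors who both decline end up with exactly the same `tracking_consent=denied` cookie, which is what lets a site say the choice is remembered without anyone being tracked; and because unrecognised values collapse to "unknown", the worst outcome of a damaged cookie is being asked once more.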


The law takes these things into account just fine. It's not a cookie law, it's a tracking law, and the "tracking" isn't about the technical meaning of "to track" but about the way the data is used (and could be used).

It's not "you're not allowed to store anything about the visitor without their consent", it's "you're not allowed to track them across your site, or share that data with others, except if it's directly necessary to provide the service". That last part refers to session tokens, shopping carts, and yes, also to remembering the "no tracking" choice. If you ask a site to remember something (such as "no tracking plz" or "I want to buy this product" or "keep me logged in plz") then that's explicitly asking it to do something that in technical terms is tracking, but not in operational terms.

It's like, the EU makes a new law that makes it illegal to break into people's houses, and all the pedantic HN'ers start saying "but this is stupid! what if you lose your key? you need to be able to hire a locksmith to let you back in!". That's obviously not how the "no break-ins" laws work, and it's also not how the GDPR works wrt tracking.

If you break the GDPR, there's a fair set of warnings before you can actually get the kinds of humongous fines that the law is infamous for. This means to me, as an entrepreneur, that if I follow the intent of the law as best I can, then worst case scenario if we still get it wrong, then there's a big enough chance we're in the clear. And then if somehow we do get a warning from the local privacy authority, we learn and adjust. This is fine.

We don't need to be maximally pedantically safe. We just gotta not track people and then we don't need a cookie banner. It's great.


Shopping carts, session cookies, or any other kind of functional cookies (including the one for saving "do not track") do not require consent, and so don't require the banner. GitHub for example doesn't have it.

Please, read the basics about the law before disparaging criticisms. I constantly have to educate users on HN about this misrepresentation of GDPR and the Cookie Law.


> If you store any kind of data about a visitor to make their life more convenient, is that tracking? Shopping carts? Notification preferences? etc.

These are first-party cookies as they're served by the host domain, so they wouldn't need an opt-in under GDPR. Site owners should try to limit that to core functionality, like updating shopping cart state as you navigate from page to page.

> It's actually a bit ironic to ask visitors if it's ok to track them. If they say no, you have to track them to at least remember that choice.

That's not how it works. The cookie banner opt-in asks if you want to accept cookies, aka tracking. If you say no, no cookies are downloaded, so the site has no idea that you have visited it. So the next time you arrive on the site, it will provide the popup again, as though it's your first time visiting.



