undefined | Better HN

0 pointst0mas882y ago0 comments

This is completely false. You need permission for any data you store on a user device or retrieve from a user device if that is not strictly needed for the execution of the service the user requested. Nowhere in the law is the word "cookie" even used, so your suggestion that "1st party cookie" is different from "3rd party cookie" is wrong. And similarly, this whole thing also applies to all alternative tracking methods, so you cannot avoid it by using localStorage for example.

A 1st party tracking solution is in no way considered needed to deliver the service the user requested. Only things like remembering my shopping basked are necessary to deliver the services of a webshop. And you cannot use that cookie for other purposes (like counting visitors).

0 comments

TrueDuality2y ago

This is what is false. You can use first party tracking using cookies, local storage, indexdb, whatever you like without consent as long as it is not tied to any PII and it is essential for _operating_ your service. Diagnostics, page views, flows through the app, even with a unique identifier for that session is fine and 100% acceptable for both GDPR and CCPA unless its shared with third-parties or tied directly to PII.

The easiest thing to do here, is to simply not associate those sessions with a particular user. Even if your user accounts are tied to specific PII for essential purposes of your app. As long as the tracking data is not connected to that identifier, does not log any PII data on it own, and is not shared with third parties you do not need consent.

One quick edit: Be careful with collecting errors, its easy for backtraces to include application specific data including any PII you might have which will tie that session back to a specific user and becomes a violation.

culturedsystems2y ago

The language in the UK version of the law is "strictly necessary for the provision of an information society service requested by the subscriber or user", which the ICO interprets as meaning "it must be essential to fulfil their request". I don't think tracking page views counts, because it's technically possible to serve a page without using a cookie to track that it was viewed.

starbugs2y ago

You might be referring to some other law than GDPR?

I was referring to the GDPR as pointed out in my comment.

There even is a GDPR recital that explicitly states:

"[...] The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

Source: https://gdpr-info.eu/recitals/no-47/

t0mas88OP2y ago

You're forgetting about the ePrivacy directive (or "cookielaw"). That has nothing to do with whether the information is identifying or not, you need permission for everything that isn't strictly necessary to deliver the service the user requested.

Analytics is not strictly necessary to deliver the service.

j / k navigate · click thread line to collapse