Hacker News new | past | comments | ask | show | jobs | submit login

The rules are really surprisingly encouraging about notification of cookies to the point it's quite easy to legitimately need to notify and gain consent about something non-spying related requires consent. E.g. if you have a UI customization cookie which sets the results density preference and you want to store that more than a session (i.e. it should still save for a month later) then the official EU analysis of this is you must notify this is a cookie and that setting this will set this cookie.

If the law didn't intend for users to be inundated with notification banners and consent checkboxes it sure is odd how much time they spent about writing how anything but the most basic connection cookies require said things.




> E.g. if you have a UI customization cookie which sets the results density preference and you want to store that more than a session

I'm not entirely sure that this is true. You can implement a "shopping cart" on your site, with a session cookie without needing to have a "cookie notification", so depending on circumstance I'd argue that settings might be allowed as well. Or you can just display the cookie information along with the settings it self, it doesn't actually need to be a popup.


"and you want to store that more than a session" -> "...with a session cookie without needing to have a "cookie notification"". Session cookies are fine, the example was for a preference beyond the session.

"Or you can just display the cookie information along with the settings it self, it doesn't actually need to be a popup." this is true, you can put the information for each cookie in every place that the UI interacts with the cookie or you can put it in a dedicated popup or however else you can figure out to do it. So long as you notify and require (informed) interaction with the associated interaction you're good.


It’s trivial to implement this in a legal and user friendly way, just make the save button make clear that it’ll persist, or even add a persistence checkbox. Demanding consent as an aggressive popup when it isn’t necessary for anything but ad tracking is not a good faith compliance effort, it’s an attempt to avoid real compliance by just having the user just sign off on whatever they were already doing.


Add the cookie popup/banner into the browser so that the user can make a choice for _all_ the websites used. But honestly, something like that is much harder to achieve with such regulations because it's kind of not the browser vendors problem. The ad network companies are parasitic in a way.


We've had that twenty years ago, in Internet Explorer no less [1]. It just never gained traction, likely because it was quite convoluted.

[1] https://en.wikipedia.org/wiki/P3P


Last I read the law, any cookie used for the functioning of the site, and not for the tracking of the user, is perfectly fine without a cookie banner.


https://ec.europa.eu/justice/article-29/documentation/opinio...

3.6 UI customization cookies:

"These customization functionalities are thus explicitly enabled by the user of an information society service (e.g. by clicking on button or ticking a box) although in the absence of additional information the intention of the user could not be interpreted as a preference to remember that choice for longer than a browser session (or no more than a few additional hours). As such only session (or short term) cookies storing such information are exempted under CRITERION B. The addition of additional information in a prominent location (e.g. “uses cookies” written next to the flag) would constitute sufficient information for valid consent to remember the user’s preference for a longer duration, negating the requirement to apply an exemption in this case."

In particular, criterion A "functioning of the site" is a lot more narrow than your interpretation. It sounds like "oh, they need this to use the site's functions" but it really describes is functionality more like "you can't use the site at all without setting this cookie because you couldn't authenticate" and criterion B "for service explicitly requested" has more limitations (like lasting beyond session).


I was going to agree with you, but in researching this, it does seem that GP is right. This is the source that I found: https://gdpr.eu/cookies/

As far as I can see, this is a resource funded by the EU, so not quite authoritative, but good enough IMO. They say:

> To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must: Receive users’ consent before you use any cookies except strictly necessary cookies. [...]

This sounds like what you're saying, but this verbiage is based on a classification of cookies further above where a distinction is made:

> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. [...] > > Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for [...]

So "strictly necessary" really only means "the site breaks without this", e.g. a session cookie set by a login page or the shopping cart example that the quoted article explicitly calls out, too. Presentational settings like display density, font size, dark/light mode and such seem to require consent.


Ah, so the truth was more specific than I thought. Consider me educated!




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: