
Show Cookie declaration and ask for consent before user tracking

Open schlos opened this issue 6 years ago • 4 comments

Due to the GDPR and EU Data Protection law, besides the previously required cookie banner (#192), we now have to ask for user consent before tracking cookies are activated.

The following requirements of the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) have to be implemented:

  • Prior consent on other than strictly necessary cookies (ePR)
  • Prior consent on personal data (GDPR)
  • Personal data is transmitted to 'adequate countries' only (GDPR)

Please also make sure to:

  • Inform your visitors in plain language about the purpose of your cookies and trackers before setting other than strictly necessary cookies (ePR)
  • Provide options for the visitor to change or withdraw a consent (GDPR/ePR)
  • Have a mechanism in place to log and prove consents (GDPR)
  • Map and document data streams performed by third parties (GDPR)
  • Configure your consent method to use explicit/active consent when processing sensitive personal data on your website (GDPR)
  • Provide the identity and contact details of the data controller in your company (GDPR)
  • Disclose that the visitor is entitled to access, correct, delete and limit processing of personal data (GDPR)
  • Disclose that the visitor is entitled to receive personal data so that they can be used by another processor (GDPR)
  • Disclose that the visitor has the right to lodge a complaint with a supervisory authority (GDPR)
  • Inform about the occurrence of automatic decisions, including profiling (GDPR)

Some useful examples:

  • http://cookiebot.com
  • https://github.com/schlos/tarteaucitron.js
  • https://github.com/schlos/consentcookie

schlos avatar Apr 12 '18 09:04 schlos
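As an added illustration (not code from the laddr project or from any of the libraries linked in the issue above), here is a minimal consent gate in plain JavaScript covering three of the listed points: non-essential cookies are blocked until the visitor actively opts in, consent can be withdrawn (which also deletes the cookies already set in that category), and every decision is appended to a log together with the cookie policy version so it can be proven later. The category names, the sample cookie names (`session_id`, `_ga`, `ad_id`), the `CookieJar` stand-in for `document.cookie`, and the `policy-2018-04` version string are assumptions made for this example; in a real deployment the jar would be the browser's cookie API and the log would be persisted server-side.

```javascript
// Added example, not laddr project code. Category names and cookie names are
// assumptions; CookieJar stands in for document.cookie so this runs under Node.
const CATEGORY = Object.freeze({
  NECESSARY: 'necessary',     // session/login/CSRF: exempt from prior consent
  PREFERENCES: 'preferences',
  STATISTICS: 'statistics',   // analytics trackers
  MARKETING: 'marketing',     // advertising trackers
});

// In-memory cookie store used in place of document.cookie (constructed for the example).
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  get(name) { return this.store.get(name); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentManager {
  // `now` is injectable so the consent log is deterministic in tests.
  constructor(jar, policyVersion, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.policyVersion = policyVersion;
    this.now = now;
    this.granted = new Set([CATEGORY.NECESSARY]); // strictly necessary cookies need no consent
    this.registry = new Map();                     // cookie name -> category
    this.log = [];                                 // append-only record of consent decisions
  }

  // Every cookie the site sets must be declared with its purpose category first.
  register(name, category) {
    if (!Object.values(CATEGORY).includes(category)) throw new Error(`unknown category ${category}`);
    this.registry.set(name, category);
  }

  // Set a cookie only if its category is currently permitted; returns true when set.
  setCookie(name, value) {
    const category = this.registry.get(name);
    if (category === undefined) throw new Error(`cookie ${name} not registered`);
    if (!this.granted.has(category)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Active opt-in: only the categories the visitor explicitly chose are enabled.
  grant(categories, visitorId) {
    for (const c of categories) {
      if (c !== CATEGORY.NECESSARY) this.granted.add(c);
    }
    this.record('grant', categories, visitorId);
  }

  // Withdrawal: block future setting and delete cookies already set in those categories.
  withdraw(categories, visitorId) {
    for (const c of categories) {
      if (c === CATEGORY.NECESSARY) continue; // necessary cookies cannot be withdrawn
      this.granted.delete(c);
      for (const [name, cat] of this.registry) if (cat === c) this.jar.delete(name);
    }
    this.record('withdraw', categories, visitorId);
  }

  // Proof of consent: what was decided, when, by whom, and under which policy text.
  record(action, categories, visitorId) {
    this.log.push({
      at: this.now(),
      policyVersion: this.policyVersion,
      visitorId,
      action,
      categories: [...categories].sort(),
    });
  }
}

// Constructed scenario: a login session cookie, an analytics cookie and an ad cookie.
function demo() {
  const jar = new CookieJar();
  let tick = 0;
  const cm = new ConsentManager(jar, 'policy-2018-04', () => `t${++tick}`);
  cm.register('session_id', CATEGORY.NECESSARY);
  cm.register('_ga', CATEGORY.STATISTICS);
  cm.register('ad_id', CATEGORY.MARKETING);

  const r = {};
  r.sessionBefore = cm.setCookie('session_id', 'abc'); // allowed without consent
  r.gaBefore = cm.setCookie('_ga', 'GA1.2.1');         // blocked: no consent yet
  cm.grant([CATEGORY.STATISTICS], 'visitor-1');
  r.gaAfter = cm.setCookie('_ga', 'GA1.2.1');          // allowed after opt-in
  r.adAfter = cm.setCookie('ad_id', 'x');              // still blocked: marketing not granted
  r.afterGrant = jar.names();
  cm.withdraw([CATEGORY.STATISTICS], 'visitor-1');
  r.afterWithdraw = jar.names();                       // _ga removed, session_id kept
  r.log = cm.log;
  return r;
}

console.log(JSON.stringify(demo(), null, 2));
```

The gate above only controls cookies set by the page's own scripts. Third-party tags (analytics, ad networks) set their own cookies as soon as they load, so the same consent check has to decide whether the tag's script element is inserted at all, not just whether a cookie is written afterwards.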

Example of cookie declaration page generated by CookieBot: Cookies — Code for Croatia.pdf

schlos avatar Apr 12 '18 09:04 schlos

Is every cookie considered a "tracking cookie" even though we're not an ad network reading people's visits to 3rd-party websites? Is this really just required for any login functionality at all? Isn't the act of logging into a website already pretty explicitly asking the website to track who you are between pages within that site?

Either way, if it's required for EU compliance let's figure it out; my musings might be moot.

themightychris avatar Apr 12 '18 15:04 themightychris

I'll try to sum up my findings and then I will post them here. Some similar discussion is going on at https://github.com/insites/cookieconsent/issues/242

schlos avatar Apr 21 '18 07:04 schlos

@schlos thanks schlos! I read through that discussion but it's hard to know who's right... I choose to like the position that for purely functional cookies no new workflows are required :-) Looking forward to hearing what you gather from it all

themightychris avatar Apr 23 '18 15:04 themightychris