First, if you don't use cookies, you don't need to notify users at all; if you use cookies, you only have to notify European users and have to let them opt-in (opt-out is not sufficient). Especially if you are using third-party cookies (e.g. ad services), then you can get sued in the EU.


IIRC this is incorrect. It's not about cookies but about what you are doing. Local storage falls under the same regulation. Any third party inclusion (such as fonts) could track users without your knowledge. Any way of tracking users requires deniable opt-in. Cookies by themselves do not require user opt-in.


Local storage never leaves the user's client by itself, so unless you transmit the stored data (but only use it to e.g. store their preferences) that is not an issue.

Obviously, any attempt to track them, cookies or not, falls under the rules. The question was about cookies - and any persistent data that you transmit to the server (which is exactly what cookies are) will always require an opt-in, the EuGH clarified that only 2 weeks ago.

Do you have a link to that clarification? I can't seem to find it easily. Last time I dove into this topic was over a year ago, I guess some things changed.

As to local storage, yes (ignoring third-party js). The point is that you don't personally have to use cookies to infringe the law, OP seemed confused about this. I'm also guessing session cookies don't count as persistent.

Ah, I confused that. It was the BGH that confirmed the EuGH statement from 2019 (sources are mostly German).

And yes, you are of course correct that you can break the law even without cookies, but that requires sending user data to any services.

I found the European CoJ (I think that's the English acronym...) case

I'm not really seeing any statements about when consent is required, rather about how it may be given required. In addressing question 1(b) they even specifically mention the need to protect users from hidden identifiers. I would argue a shopping cart is, at least, not the intended target here.

Nevertheless, you have convinced me that it is a good precaution to ask for permission for any and all persistent retrievable data, particularly in light of the wording of directive 2002/58.

