
I created a website, but when do I have to notify users that I want their cookies?

Pacharapol Withayasakpunt (patarapolw) · 1 min read

How likely will I be sued, if I don't put up a notice? Or just put up a notice later when I get famous, with also perhaps lawyer consultation?

Discussion

 

First, if you don't use cookies, you don't need to notify users at all; if you use cookies, you only have to notify European users and have to let them opt in (opt-out is not sufficient). Especially if you are using third-party cookies (e.g. ad services), then you can get sued in the EU.

 

IIRC this is incorrect. It's not about cookies but about what you are doing. Local storage falls under the same regulation. Any third party inclusion (such as fonts) could track users without your knowledge. Any way of tracking users requires deniable opt-in. Cookies by themselves do not require user opt-in.

 

Local storage never leaves the user's client by itself, so unless you transmit the stored data (but only use it to, e.g., store their preferences) that is not an issue.

Obviously, any attempt to track them, cookies or not, falls under the rules. The question was about cookies, and any persistent data that you transmit to the server (which is exactly what cookies are) will always require an opt-in; the EuGH clarified that only 2 weeks ago.

Do you have a link to that clarification? I can't seem to find it easily. Last time I dove into this topic was over a year ago, I guess some things changed.

As to local storage, yes (ignoring third-party js). The point is that you don't personally have to use cookies to infringe the law, OP seemed confused about this. I'm also guessing session cookies don't count as persistent.

Ah, I confused that. It was the BGH that confirmed the EuGH statement from 2019 (sources are mostly german).

And yes, you are of course correct that you can break the law even without cookies, but that requires sending user data to any services.

I found the European CoJ (I think that's the English acronym...) case

I'm not really seeing any statements about when consent is required, only about how it may be given. In addressing question 1(b) they even specifically mention the need to protect users from hidden identifiers. I would argue a shopping cart is, at least, not the intended target here.

Nevertheless, you have convinced me that it is a good precaution to ask for permission for any and all persistent retrievable data, particularly in light of the wording of directive 2002/58.

 

The only official legislation that I'm aware of referring to the disclosure of cookies is within the EU.

This is separate from GDPR, and falls under a different umbrella.

As far as I'm aware, the implications of this being an issue are significantly lower than something like a GDPR violation.

For the most part, the rules are being applied to web sites that are using cookies to serve you ads. Is this something you're actively looking at doing?

I'd also like to point out that these laws are most often aimed very specifically at giant corporations that actively abuse systems to the detriment of users.

Most smaller entities, or people who don't understand the law but have no ill intent, are really not at risk. You're not the target.

 

I am worried mostly about Google Analytics and Disqus, actually. Or are they the respective companies' problems?

Actually, I have exactly one other use case for cookies: securing user authentication and sessions without relying on localStorage.

 

I'm not a lawyer so couldn't tell you for sure.

The best thing is to just cover your bases and add a disclaimer anyway; there's no actual functionality you need to build, and providing a simple button wouldn't be too difficult.

There are also probably dozens of copy/paste solutions out there for this very common problem.

 

If they are tracking your users, you must tell them that beforehand and, if possible, offer an option to disable it.

 

I find the ICO guide to be very useful with this.
The "cookie law" covers all forms of storage on a device including cookies, sessions and local storage but you do not need to get consent for essential storage - something your website cannot function without.
Examples of this may include authentication and keeping a shopping basket.

For non-essential purposes, you must give “clear and comprehensive” information about your purposes and why you need to store that information on the user's device.

You also have to allow the user to continue to use your website as normal if they have not opted-in to cookies.

There's a few solutions online you could integrate into your website?

I'm not an expert, but that's my takeaway from what I've heard. Hopefully it's helpful :)

 

Cookie notices are mainly for third-party tracking cookies. The EU law specifically excludes administration and security tokens required for site access.

If you link to any off-site JS you'd likely have to include the popup notice as most of those have some kind of tracking of the user. If it's all on your own site, and you have no tracking beyond your site, you shouldn't need a notice.

 

You do not have to if you don't use trackers like Google Analytics, ads and so on, for example.

I am using Netlify Analytics on colorsandfonts.com that are server side.

But there's many like that, Plausible is also a great choice !!

I would take a general read about GDPR.

Edit:
If you use Google Analytics you must have a banner. With Disqus I am not sure....

 

I use trackers like Google Analytics to track my users on purpose, such as demographics, topics, etc. So I tell users that I use cookies on the website to track their activities during the session and that they can leave the site if they mind me tracking them. Basically just like that.

 

I think you should be open with your users about the cookies, even if you have just started. Also, if you don't wish to use such pop-ups then there are other ways too. I saw that you are mainly concerned about Disqus and Google Analytics.

Your best option will be to replace them with privacy friendly alternatives like SimpleAnalytics, Fathom or Plausible for analytics and Utterances or HyvorTalk for comments.

 

Utterances would not be an option, as my audience aren't always programmers.

I am also looking for Firebase Auth / Firebase Admin, and Firebase Storage alternatives, BTW.

After all, it does always depend on costs and learning curve. Privacy is not free. You exchange privacy for free services.

 

Yeah but there are self-host solutions like Commento for comments, have a look. Your website will be free as long as you wish for it.

Self-hosting, with full control of the server, is, AFAIK, never free. You always have to pay for the hire.