How do you remember that a customer has responded to a popup if you don't give them a cookie? Even a cookie as a session identifier.

There’s a common misconception that any cookie of any type needs a pop up.

The rules are actually only concerned with tracking cookies. Session cookies and user preference cookies aren't within their scope. They are still perfectly acceptable to use without explicit consent from the user.


"Cookies" are mentioned only once in GDPR, in a long list of examples. They're not targeted specifically.

The law talks about information that can be used to identify a person.

So a cookie such as "gdpr_response=ok" has ZERO effect on GDPR compliance.


> So a cookie such as "gdpr_response=ok" has ZERO effect on GDPR compliance.

I wouldn't be so certain about that. Before now, most people were pretty certain that an accept/decline warning was enough and that they had the right to refuse service to people who did not click OK on the warning.


If anyone believed that, they did not research more than 10 minutes.

This comes up in _every_ discussion about GDPR.

I honestly worry - are we as developers just extra stupid, or are other occupations (electricians, ship captains, architects) equally lax when it comes to reading and following regulations?


Those other occupations have been regulated for a long time, so the training and verification practices have had time to mature. This is still the early days of software development regulation, so there's not much history or tradition to fall back on -- I'm pretty sure that all the other industries had similar problems when their first regulations were enacted.

There’s different types of cookies. Cookies are not banned but the ones not needed to offer the service are optional.

You'll need to use fingerprinting and other much more intrusive tracking methods to track the cookie preferences of any user that refuses cookies.

Wrong on both counts.

1. You ARE allowed to use any cookies you like without popup warnings, as long as the cookie can't be used to bind the session to personally identifiable information (PII) about the user. Session cookies are perfectly fine when used to manage webapp state, such as what page a user is on, what feature has been enabled and so on. Likewise are other identification methods, for this sort of purpose.

2. Any technical means used to make a connection to a user's PII does fall under GDPR.

Seeing the underlying intent? GDPR is about avoiding invisible tracking (connection to a European citizen). The regulation is written to bring that sort of behavior to an end. Your fingerprinting example, as well as any other "clever" technical ways of achieving the identification objective, when the purpose is that of invisible tracking (tracking where the user isn't in control of the profile information generated), is explicitly what the regulation aims to nail.

Do read the regulation document. It's actually a very well written document that even a non lawyer can understand: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

GDPR is about users gaining control of the lifecycle of information pertaining to their identity, so if you or your proxies (Google/FB or other ad companies, for example) have PII about a user, then the GDPR stipulates processing constraints on that information, which includes any information that can be associated with the user. E.g. building a profile about a user that can be tied to a user's PII becomes part of the user's PII, and thus subject to the intended end-user lifecycle control. What that control means is stated clearly in the document linked above.

When the web plays its normal Chinese-whispers game on any kind of fact, it's always best to go directly to the source to see what was actually said or written. In this particular case with GDPR, this is definitely the case. Not a single one of my US colleagues or friends had even an inkling of what GDPR is actually about, and it seems most of this community is in the same boat.

I guarantee that reading the actual doc will dispel a lot of unfounded fears.

If you happen to have even the slightest layman interest in law, or appreciate games / brain teasers, then you might actually be a bit impressed by the cleverness of the wording in parts of the document, and how it all comes together. Myself, having been in the dev field for 20 years, I've read my fair share of EULAs, licenses and contracts, and to me I saw some true genius shine through halfway through the document, like watching a good chess player set up a board and guard against obvious attacks by the opponent. I felt I could almost see into the minds of the authors; what they sought to accomplish, loopholes they tried to close, and an attempt at creating a defensive shield that would be as "future proof" as they could make it, against new unknowns introduced by rapid technical innovation.


That's a bit of a chicken/egg thing, but it shouldn't matter if there's no pop-up in the first place right?

I should mention that I essentially browse this way due to a few privacy add-ons I use and it is absolutely infuriating having to deal with these pop-ups even on sites that I've already visited.


If they say yes, you store a cookie that says they said they accept cookies. If they say no, you keep asking them.

There should be a header that browsers can send to indicate whether the user does or does not consent to tracking.
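As an added example (not code from any commenter in this thread), here is how the consent answer from the posts above can be remembered in a preference cookie that carries no identifier, so it never binds the session to PII. It stores both "ok" and "no" rather than re-asking on "no", and it treats the existing DNT: 1 request header as a refusal when no choice has been stored; the cookie name gdpr_response is taken from the thread, the tracking-cookie name is hypothetical.

```python
from http.cookies import SimpleCookie

CONSENT_COOKIE = "gdpr_response"   # name used in the thread; value is only "ok" or "no"
TRACKING_COOKIE = "_tracker"       # hypothetical analytics cookie; may only be set after "ok"
SIX_MONTHS = 60 * 60 * 24 * 180    # how long the preference is remembered


def parse_cookies(cookie_header):
    """Turn a raw Cookie request header into a plain dict of name -> value."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def consent_decision(request_headers):
    """Decide whether to show the banner and whether tracking cookies may be set.

    request_headers: dict of request header name -> value (constructed by the caller).
    A stored explicit choice always wins; the DNT header only fills in a missing choice.
    """
    cookies = parse_cookies(request_headers.get("Cookie"))
    choice = cookies.get(CONSENT_COOKIE)
    if choice is None and request_headers.get("DNT") == "1":
        choice = "no"                      # browser signalled refusal, no need to ask
    return {
        "show_banner": choice not in ("ok", "no"),
        "allow_tracking": choice == "ok",
    }


def record_choice(accepted):
    """Build the Set-Cookie line for the user's answer.

    The value is a fixed token, not a random or per-user id, so the cookie cannot be
    used to recognise the person later; it only records the answer they gave.
    No HttpOnly flag, since a consent script may need to read it client-side.
    """
    jar = SimpleCookie()
    jar[CONSENT_COOKIE] = "ok" if accepted else "no"
    morsel = jar[CONSENT_COOKIE]
    morsel["max-age"] = SIX_MONTHS
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    morsel["secure"] = True
    return morsel.OutputString()
```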