
> Many people click "add to cart" without logging in because that is the service they want. Nobody voluntarily clicks "track and analyze my activities on this site", because that is not a service people want.

You realize that in order to implement "add to cart" you have to track their activity on the site? That's what the cookie is for. To track customers and persist their cart. If you can't track customers then you can't associate them with their cart.

As far as analyzing activities, what is and isn't allowed is murky. Is it okay to do A/B testing and see their impact on sales? This requires tracking and analyzing user activity, but isn't necessary to provide the service. But it is necessary to actually determine whether changes to the service are positive or negative. So do you throw away A/B testing, do A/B testing and risk fines, or throw up a cookie disclaimer?

> If you can't work out what data is and isn't required for the functioning of your site then perhaps you shouldn't be running one.

I'm more than confident in developers' abilities to know what is and isn't required. I'm dubious of government bureaucrats' abilities of doing so.


A "cookie disclaimer" does not solve any of the problems you describe.

First, you can't avoid solving the murky analysis. You must be able to specify in clear language what personal data you're using for what purpose and which specific paragraph of the GDPR gives you the legal basis to do so.

Are you using that data for A/B testing because it's a legitimate need where you don't need consent or because the user consents to it? Well, you have to decide before implementing that disclaimer, because the disclaimer should clearly state that answer!

Furthermore, if you decide that some use case does not fit the legitimate need criteria and you need consent, then a "cookie disclaimer" does not reduce the risk of fines - because a disclaimer does not collect opt-in consent, it can (at best) record acknowledgement, so if you need consent but only have a disclaimer, then that still risks fines.

On the other hand, if you trust your developers to know what is required and what's not, and you have documented it properly (because it's not just a good idea, it's mandatory), then you should be able to run that documentation through your local data protection authority to validate any doubts, that's part of their job, and wherever I have seen them work it's something they eagerly do.
