Probably cookies. Some captchas will try to remember that you are human with a cookie so that you don't have to solve captchas repeatedly; this one advertises as not storing personal information:
That doesn't violate the GDPR. For a cookie to violate GDPR it has to trace back to personally identifiable information, not just "a uuid'd session". The number of people that get this wrong is staggering.
Because the law is unclear and lots of sites are afraid to accidentally violate it. If you search "do you need a cookies banner to operate in the EU" online, Google's suggested answer is "If your site has EU or UK visitors, you require a cookie banner to comply with GDPR," which you're saying isn't exactly true.
I don't think the law is unclear at all on this point. If your site wants to ride the fine line of what is allowed, you can get into a gray area. But unless you're trying to push the boundary, there isn't any mystery.
> Google's suggested answer
Do not trust Google's suggested answers for anything that matters. If you're really in doubt, consult an attorney that works with these issues.
If you look through several top results, you get other unconditional yeses and some murky maybes. On this topic, Recaptcha doesn't say whether or not it's GDPR-compliant, and searches give unsure answers. You're saying a session ID isn't personal info, but https://commission.europa.eu/law/law-topic/data-protection/r... lists both "cookie IDs" and IP addresses as personal info. Which one is it?
> If you're really in doubt, consult an attorney that works with these issues.
If I have to consult a lawyer just to run a basic website without cookie banners, that means the law is unclear.
> If I have to consult a lawyer just to run a basic website without cookie banners, that means the law is unclear.
My whole point is that you don't need to consult a lawyer for a basic website. You need to do that if what you want to do is near the edge of the law. If you're using cookies for functional website reasons, you don't need to present a banner. That's very clear.
Session IDs _are_ personal data; it's not even ambiguous if you read the definition in GDPR (article 4(1)). You even found it on the commission's website, so it should give you a clear answer.
About cookies, the relevant law is ePrivacy 2002/58/CE, article 5(3), which says you don't need to ask for consent for “strictly necessary” cookies. In practice, this means session ID cookies, user preferences, etc. This also applies to local storage or any other way to store and retrieve data on a user's device.
The issue is not that the law is unclear, it's people that can't help but speculate on its content even though they never read it. Google is full of links to this, and HN is bad in this regard. And to be honest, this is not exclusive to GDPR.
I've found Stackexchange law and /r/gdpr to be okay-ish. Otherwise, there is a guide on the commission's website, there is gdpr.eu, there is the commented version of GDPR on gdprhub.eu:
Of course the problem with "strictly necessary" is that it doesn't mean what the words mean. Almost nothing is strictly necessary to just serve content when a URL is accessed, so it has been made quite intentionally super murky. Beyond a session id, they're not even strictly necessary for serving content to logged-in users, so there needs to be a place for people to agree to and/or manage their cookie settings as part of their user settings, but user preferences, localStorage, etc. are still not strictly necessary to serve login-locked content on a URL.
With all due respect, this is the kind of speculation I was complaining about earlier.
> Almost nothing is strictly necessary to just serve content when a URL is accessed
That's not what the law says.
> 3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
Emphasis mine. It's not to just serve content, but to provide a service requested by the user. This should clear up the confusion.
I knew about this part of the law too, and it sounds like captchas don't count as "strictly necessary" based on the original part and the Opinion 04/2012 on Cookie Consent Exemption you linked, but I'm not sure.
"Simply using a cookie to assist, speed up or regulate the transmission of a communication over an electronic communications network is not sufficient. The transmission of the communication must not be possible without the use of the cookie." - criterion A
"A cookie is necessary to provide a specific functionality to the user (or subscriber): if cookies are disabled, the functionality will not be available." - criterion B
For B, they say for example that a session ID to keep a user logged in is fair to use without asking, provided the user explicitly wanted to log in.
If you use a captcha to secure your service, they can be. See article 4 of the ePrivacy directive. This is also said in section 3.3 of the EDPB guideline.
The issue of Google's reCaptcha, according to the CNIL at least, is that they use data collected through the service for their own purposes. See https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000047346903, point 86. Deepl translation below:
> If a data controller can claim exemption from the requirement to provide information and obtain consent when the only purpose of read/write operations carried out on a user's terminal is to secure an authentication mechanism for the benefit of users (see CNIL, FR, September 27, 2021, Sanction, no. SAN-2021-013, published), the situation is different when these operations also pursue other purposes that are not strictly necessary for the provision of a service. The Google reCaptcha mechanism is not intended solely to secure the authentication mechanism for the benefit of users, but also enables Google to carry out analysis operations, as Google itself specifies in its general terms of use.
I'm pretty sure a session ID is personal data since it can be linked to a specific user by the service provider (see GDPR article 4(1)), and can be processed under the “legitimate interest” legal basis (article 6(1)f).
Cookies don't violate GDPR, but are subject to ePrivacy 2002/58/CE, article 5(3). "Strictly necessary" cookies (e.g. session ID cookies) are exempt from consent.
Fun fact: if you have user accounts, the act of logging in is literally the act that consents to storing and handling PII (unless you're so bad at writing a signup agreement that you forgot to put that in there).
If you don't require users to be logged in to serve content, e.g. the overwhelming majority of web content, then a visitor's session id, by definition, cannot be linked to their personal information, because there is no personal information to link to.
However, if a session id is used to track "the same user across different websites", building up a behavioural profile, THAT would require explicit consent. But since cookies are per-domain, and browsers have severely locked down cross-domain access, that's basically a non-existent concern (as both a blessing and a curse. The wild west web is long gone, for better and for worse).
With a visitor session ID, you can identify a single user, so it's personal data under GDPR. Yes, even if you don't have a detailed profile of them. It's not even ambiguous; it's spelled out in article 4(1).