Can anyone familiar with the topic explain what distinguishes essential from non-essential cookies?
GitHub gives the example of "those used by third-party analytics, tracking, and advertising services", but curious if the law defines some sort of bright line here.
Authentication and authorization cookies seem pretty essential for any website that has accounts. If you block those cookies the website stops working -- they're essential.
If you block ad networks and analytics the site functions just fine -- they're not essential.
Beyond that there's probably some sort of "need to know" test to prevent convoluted fake dependencies.
They are not really, really essential. No cookie is essential. A long, long time ago I worked with a web system that kept session info in a URL parameter, and carried it over all the links. I think it was a C# website, but I'm not sure.
I love those systems. Especially when the unwary users share links, accidentally letting other users into the site as them. Or when google indexes it, and in addition to terrible security, the site uses regular GET links to perform site actions, so google deletes the user's content or buys a bunch of stuff as them while walking the links it finds as it indexes in beyond the user's initial account bearing link.
Yes ASP.NET allows (allowed? Haven’t used it in years) cookieless sessions this way. The problem is it has to rewrite all the relative links on the page to ensure session state is not lost.
The problem is it’s makes urls horribly unwieldy if a user wants to bookmark or paste in links from emails etc etc, or writing JS to interact with links, not to mention the security issues of being able to accidentally share your session.
Those were great. I hung around a forum around 2004 where someone posted a link to jeans he just bought from a smallish online store - the URL contained the PHP session identifier. Thousands of people had instant access to his address + bank information + purchase history, and could place orders for him.
Implementing session handling as URL parameters makes no difference from a legal perspective. It will be covered by the law excatly the same as if one used cookies.
It's the tracking the law is about, not the implementation of it.
Your just picking a worse technical solution for no legal gain.
Yes. Some sites operating like that eventually tried to work around this issue by tying it to the IP, but you can see how that is hopelessly broken anyway.
> You won't be able to distinguish device sessions from one another reliably neither. Think of "log out all other devices".
You could, I think. Passing the session ID in the URL is the same as storing it as a cookie. You can invalidate both in the server.
Link sharing is an issue, for sure. You could tie the session id to the IP, but that doesn't work when people share their IP, which is more and more common every day. IP tied session would work better with IPv6, though.
In WAP times there was no such feature as cookies available.
I started programming by writing WML pages instead of HTML. Good memories from those times!
The website at my college we used to register for classes and some other stuff used this method. For whatever reason though, the logic was wonky, and the site would give an error if you used the "back" button in the browser, and you'd have to go back to the home page.
- Security stuff (auth tokens and similar) are generally essential (if only used for that purpose).
- Any form of tracking people is generally non-essential.
What you can and can't do is not based on technical implementation details but practical usage of the information!!
The tricky part if when both overlap, i.e. if you track people but only for assuring a secure operation, i.e. you don't use the tracking information for anything besides their main purpose of assuring secure operation.
A lot (all?) of systems which provide such security specific tracking do not strictly limit their usage, access and collection of information and as such are also used for non-essential purposes and in turn need opt-in.
But then sometimes companies try to abuse it and will do do until taken to court.
For example Facebook argued that people use Facebook with the (main) intend to get customized ads and as such tracking them is essential for Facebooks service. As you can guess this argument is completely ridiculous especially given that they also track users which don't use Facebook, but if you are the size of Facebook you can try to bring that to court and maybe gain a bit more time before you need to comply.
There isn't an obvious bright line, and that's probably intentional.
This is not legal language or legal advice, but the gist of it is "if you don't have it, can your website still do what it claims to do?"
For a site like Github, if you can't use cookies to maintain session state, you'd have trouble implementing login sessions, so that's pretty squarely on the essential side of the fence.
But moving into murkier territory, how about logging the IP addresses you signed in from? If you're using it to detect new login locations or new devices as a security alerting thing, then I think you can make a strong enough claim that this is essential. (Again, not a lawyer, this is not legal advice.)
What if a PM wants to look in these logs for how many unique users show up in each country? That's pretty squarely on the side of analytics, and is probably not essential.
But... muddying the waters more, what about if an engineer wants to query unique users to figure out how many more racks of servers to buy? I have no idea. I'd be asking a lawyer.
I can guarantee that you could throw a rock in your city’s business district and hit a lawyer that is in the process of doing incredible mental acrobatics to wrangle Google Analytics to be an “essential part of the offering”.
I believe it is generally untested in law whether third-party Analytics count as "legitimate interest" (direct consent not required) in EU GDPR, which is why cookie banners talk a lot about "legitimate interest" now.
I work a lot with GDPR and making sites compliant, and some agency's do in fact tell this to their customers. I suspect it's to sell their Services for cheaper.
Luckily where I work we are pretty serious about this stuff. Since one of our main revenue's is Data protection consulting, anything else would be idiotic anyway
There is no direct language about cookies in article 5(3) of the ePrivacy Directive. What we have is Opinion 04/2012 on Cookie Consent Exemption of the Article 29 Working Group of the European Commission about Cookie Consent, which elaborates about the topic:
(The §29 WG is now replaced by the European Data Protection Board, but that seems not to have issued any more current Guidelines or Opinions on that matter. Also: IANAL.)
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
GitHub gives the example of "those used by third-party analytics, tracking, and advertising services", but curious if the law defines some sort of bright line here.