I've read this entire thread and I still don't know when I would need to prompt for cookies, or even if I need to prompt if I store everything serverside and id the visitors with a session token in URLs.
There is no easy-to-understand definitive answer for the common use cases.
Here is what looks to be pretty respectable commentary on when it triggers. Essentially, if you collect any sort of personal data whatsoever: https://gdpr-info.eu/issues/personal-data/
If you store information that can identify the user, e.g. if you collate a user's IP address, you are almost certainly collecting personal data.
Don't, if you can help it. If you must, that same site has some general guidance on how to collect consent: https://gdpr-info.eu/issues/consent/
That page has more info on how to comply with the data collection rules. Essentially, if it is personal data, you must give the person informed control over their data, including the ability to withdraw consent at any time, in which case you must delete it.
54,000 words? Significant fines for non-compliance, even in the form of errors? And this is a legal spec, not a software spec, so there's no validating my implementation? And the terms are subject to possible change and different interpretations as one could get sued in any country?
Dotan, I'm dropping into this thread after all that drama. I'm upset that you were insulted like that. That was unnecessary.
Anyway, if you feel the need to implement a cookie pop-up to feel safe, I get it.
The GDPR is really meant to protect users' rights to control their own data. If you implement that single principle in good faith, there won't be any gotcha moments where the EU cyber police fines you over some obscure clause in 50 thousand words of legalese.
It's really the people who ignore or circumvent that principle who will be crushed.
In my opinion, you will be serving your clients better if you take the time to understand the GDPR rather than annoying your client's users by cargo-culting UX from companies that are skirting or ignoring the law.
If you do want to cargo-cult anyway, you could do worse than to crib from the EU website itself. Just saying.
Thanks, but I don't mind the insult. Quite the opposite, I do think that those who display an inability or unwillingness to learn should be shunned from the profession. I should have invested the time to write a response that clarified my position that legal compliance should be taken liberally, rather than just declaring that I don't understand law.
For what it's worth, I completely agree with the spirit of the GDPR and don't really have an issue with the implementation - it's far better than not having it.
>And the terms are subject to possible change and different interpretations as one could get sued in any country?
Do you have examples of this? I mean the different interpretations meaning that one country could sue you for an implementation that was deemed fine in another one.
>My skill is identifying possible attack vectors, whether or not they've been exploited.
Ok, but I think EU legal systems (after Brexit) are all Napoleonic systems and not common law; furthermore, as the 'cookie law' is a directive and not an actual law, and is thus supposed to be imposed the same way across all EU lands, I don't think this could be as exploitable as it might otherwise be.
> ...Napoleonic systems and not common law, furthermore as the
> 'cookie law' is a directive and not an actual law...
And the fact that I have no idea what "Napoleonic systems" are, nor what "common law" is and how that differs from non-common law, nor what the difference would be between a "directive" and an "actual law", all shows why I won't understand that fifty thousand word spec.
Of course, I could go get an education in law. Or I could implement the cookie popup.
You are supposed to know what civil law and common law is, this is part of general school education. The same goes for the difference between regulation, directive and national law, in case you are an EU resident.
You don't appear to have the aptitude to educate yourself when you notice that something confuses you or you are ignorant about a topic, cf. post id=29529880.
I think it would be reasonably charitable to assume that when the poster uses I in that post they are using it as shorthand for a hypothetical person that needs to decide whether or not they should implement cookie popup, and not a complete admission of ignorance or disinterest in learning anything on their part.
To me it reads GGP meant exactly as he wrote it. You have given no reason to back the assumption that the pronoun "I" refers not to himself, but to some other hypothetical person. Therefore I find that unreasonably charitable.
I actually don't mind the personal attack, as I also believe that we should encourage a higher bar to entry than is currently acceptable for software developers.
I do not live in the EU. I did not learn what civil law or common law is, nor did I learn the difference between regulation, directive and national law. Out of interest, I work with people who grew up in France, Russia, the United States, and Argentina in addition to locals. I'll ask them if these terms are familiar to them.
Perhaps in fact I don't have the aptitude. Or more likely, I see the tradeoff between "understanding every nuance of a 50,000 word document in a field I'm unfamiliar with that carries severe penalties for my client" vs. "implement cookie warning" differently than you do.
OTOH, enlightenment about both terms is a simple Internet search away. Literally at your fingertips.
I could give you layman definitions good enough for this discussion in about half a dozen words each... But, hey, let's not reward ingrained helplessness.