GDPR for developers

@aurawindsurfing, what else... (context: my wife is one of the founders in the industry of REGTECH)... do NOT force a user to make a choice, only prompt. For example TONS of sites show the notice forcing you to agree. NOT actually compliant.

@webrobert A choice/prompt regarding what exactly?

I may be misunderstanding what you mean by ‘choice’ and ‘prompt’, but if you’re talking about cookie consent, for example, forcing the user to make a choice (e.g., between ‘Accept All’ and ‘Necessary Only’, or between ‘Accept’ and ‘Refuse’) is compliant, and forcing the user to agree (by only giving the ‘Agree’ option) is also compliant if you only use strictly necessary first-party cookies on the site.

Complying with legal requirements is not something that can be magically achieved by installing a Composer package.

for example, forcing the user to make a choice (e.g., between ‘Accept All’ and ‘Necessary Only’, or between ‘Accept’ and ‘Refuse’) is compliant.

@kokoshneta that is not compliant and is an infringement according to the authorities the Cookie Banner Taskforce talked to in their report, they did that report last month on Cookie Banners, and to quote a portion of the report.

a vast majority of authorities considered that the absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent and thus constitutes an infringement.

@thinkverse So you’re saying the EDPB website that carried out and hosts the report you linked to is itself not compliant? Their cookie options force the user to make a choice between “Accept cookies for aggregated statistics” and “No thanks, only essential cookies”, which is precisely the type of choice I described, and which you say is an infringement.

I haven’t read the report in details, but a quick read-through does not bear out your assertion that such a consent banner is not compliant. The section you quoted is explicitly not the type of banner I was describing, since both scenarios I described contain refuse/reject/not consent options.

@kokoshneta,

Its about correct interpretation, notice how its does here...

https://gdpr.eu You can click NO. and not agree. you are not forced to agree to anything.

the real problem is this whole field is like trying to heard cats.

So going to the EDPB site... https://edpb.europa.eu/

They force a selection "No thanks, only essential cookies." No Bueno.

But if you read their about....

The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities.

They are doing their best.

My wife consulted the GDPR on the actual laws. My best practice, have the popup but let the user close it without making a choice. [though the gdpr site doesn't do this either]

EDIT: and clearly the gdpr.eu site did remember I clicked NO because when I revisit the popup doesn't come back. ha.

@kokoshneta aah, I read that as either having a Accept All or Necessary Only or Reject meaning automatic opt-in, didn't notice the and there, my bad. 🤦‍♂️

@thinkverse yeah it's their report and "#6 bad practice no reject button" and they don't have one.

@webrobert When I open gdpr.eu, I don’t get any cookie consent banner at all. I don’t recall visiting the site recently, but I see that there is a compliance_hide_a session cookie set, so perhaps I did.

More importantly, though, where are you getting that providing an ‘exit’ option on cookie banners is required to be GDPR/EPD compliant? The GDPR page on cookie compliance does not mention this, nor does (as far as I can tell) the EDP itself.

Yes, it’s good practice to allow the user to close the prompt without making a choice, but I cannot find any indication that it is a requirement in order to be compliant.

yeah it's their report and "#6 bad practice no reject button" and they don't have one.

They do have one. “No thanks, only essential cookies” is a reject button, since essential (= strictly necessary) cookies do not require consent.

@kokoshneta,

They do have one. “No thanks, only essential cookies” is a reject button, since essential (= strictly necessary) cookies do not require consent.

again, interpretation, who am I? but a man. I write contracts in business and to me, that is not a reject button. I am being forced to agree to essential cookies. It's a tricky legal thing. Reject is reject... "NO"

And, let me clarify, I didn't say compliant, I said my best practice. Where did I get it. I live with my wife. 😊And for literally years she has been saying (every time I'm near her and she opens a site that forces a choice), "that is not correct". So though there is a new report (the one being talked about here) that does clearly say it is bad practice. She was there years ago when the GDPR laws were being authored.

Let me see if I can summarize the issue as I understand it.

No one has the right to force their views or opinion on another. When a site forces you to agree they are breaking the law. This is clearly over stated but I think it puts color on the actual issue.

So storing an essential cookie is legally ok. BUT forcing me to agree to it is not. Make sense? This is the crux.

which explains why the gdpr site didnt ask me to agree to storing an essential cookie. They just did it. They can. But they did let me NOT agree to [whatever the notice is about]

@martinbean for sure! but I was just wondering if there was some comprehensive guide of what to install and what to do, step by step ;-)

@aurawindsurfing 😂

@webrobert wishful thinking ;-)