ihucos / counter.dev

Web Analytics made simple
https://counter.dev
GNU Affero General Public License v3.0

Is a GDPR cookie notice necessary? #71

Open ModischFabrications opened 2 years ago

ModischFabrications commented 2 years ago

It seems like there isn't a lot of analysis regarding individual users, which makes a GDPR cookie banner obsolete? Would be great to have an official statement somewhere in the documentation or on the website.

ihucos commented 2 years ago

Hello,

this is a super interesting question. My short answer is: No, a cookie banner is not necessary.

The longer answer is that I don't have the access and resources to seriously know the answer to this legal question in a way that makes me confident enough to prominently display this statement. In fact, in my every-day understanding all other analytics services require a "Cookie Banner", even though many say they don't. The "Cookie Banner" is not specific to cookies but, I believe, to some ID to recognize users. The "Cookie Free" analytics solutions use the IP address to recognize if a request is a unique visit or another page view. On top of it there is sometimes some hashing and sometimes complex technical anonymization techniques that, from what I can know, still do not fulfill the requirement of not having an ID.

So my somewhat provocative answer is that it boils down to the courage of web analytics providers to have an official statement on GDPR banners. But answering the question on a safe basis is, at least for smaller players like Counter, not possible. Which is a pity because it leads to a competitive disadvantage for products that want to stay honest and on the safe side.

ihucos commented 2 years ago

I will close the ticket as I believe there was an answer. But a discussion about this would still be interesting.

ModischFabrications commented 2 years ago

It's a pity, but I absolutely get your thinking. It might be interesting to note this in the readme somewhere? "Probably, but not proven" is still better than each individual coming to different conclusions.

For comparison: "Plausible" seems confident that they don't need a notice, but I'm not sure where the specific differences and similarities are.

ihucos commented 2 years ago

I updated the README

For comparison: "Plausible" seems confident that they don't need a notice, but I'm not sure where the specific differences and similarities are.

According to Plausible's docs they know unique visits by assigning the following daily ID to users

hash(daily_salt + website_domain + ip_address + user_agent)

From my understanding this is using IDs, or you could also call it fingerprinting, which according to the GDPR needs consent. To quote this source (slightly different context though):

Fingerprinting is only permitted if:

  • an explicit consent of the user is given that fingerprinting is required to provide a special service and is used in this context without exception to carry out the data transfer or

I personally think cookies are more transparent as you can see them and are able to disable them, whereas with fingerprinting you can't really do much against it as an end user. But in any case all analytics providers I know of - including Plausible, excluding Counter - need a GDPR cookie banner. Maybe there is also some key information that I am missing and then all analytics providers - including Counter - would need a cookie banner, who knows.

I could go on and on about how sub-optimal the cookie-banner situation is also from a more general perspective but won't :-D. If somebody knows something interesting, please share.

VodaJeMokra commented 1 year ago

In fact, in my every-day understanding all other analytics service require a "Cookie Banner", even though many say they don't.

I want to say that this is not the case, but it's complicated and I would not dare to say that with any certainty, especially not knowing the exact practices of those companies.

GDPR recital 26 states that "...(data protection) should apply to any information concerning an identified or identifiable natural person. ...(data protection) should therefore not apply to anonymous information, ... or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

For information to be considered anonymized, it has to be irreversibly altered in a way that cannot reasonably be linked to an individual.

Having an ID should not automatically be considered fingerprinting or profiling, but rather depend on the specifics of what data the ID is linking together.

I believe the distinction is that anonymized data used to track unique views is a collection of data points that relate to each other, but does not directly or indirectly relate to any individual. For example "[this page view] and [this page view] belong to the same user, the user just refreshed the page." As such, having an ID for the purpose of linking these two anonymous data points should be ok, as long as this ID can't also be linked to a person.

An ID whose purpose and limitation is to track unique page views on a website, which is deleted in 24h, and which is not linked to other data points (for example device information), can't possibly be used to identify a person. The information isn't very unique, and as such should not be considered fingerprinting or identifiable.

On the other extreme, using this ID to link all the data you collect about a user, including browsing habits, collected over a period of time and possibly tracked across sites, could be indirectly linked to an individual, as this data is unique enough to potentially identify a person, or unique enough that it could be linked to a completely unrelated ID that contains personal information. This should be considered fingerprinting.

The first example tracks views, the second example tracks users. If the user from the first example returns to your site after a month, there is no way to know that. If this person has a habit of clicking on many links on websites, there is no way to know that. We don't know anything about them, we don't know who they are and we couldn't find out if we wanted.

So in theory, as long as:

This still leaves me with a lot of questions, such as: how reliably irreversible is the data anonymization that services perform? How do we know for sure what can and can't be used to identify a person?

I would assume (hope?) though, that the large analytics providers that do make such statements surely had to consult a lawyer specializing in this law.

janosdebugs commented 1 year ago

Hi folks,

I am not a lawyer, but I would like to submit for consideration that the GDPR is not the only law in the EU that concerns cookie banners. Most prominently, the E-Privacy Directive states the following:

(24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

(25) However, such devices, for instance so-called ‘cookies’, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

So, a) cookies are not the only devices regulated in this manner, anything that is stored on the user's device for tracking purposes qualifies and b) even if no consent is required (arguable), the user must be informed if a tracking mechanism is placed on their device in whichever way.

For one, I would really like the EU legislature to come up with a more sensible mechanism, but until then I wouldn't advise users to get rid of their cookie banners just yet.

ihucos commented 1 year ago

@janosdebugs I was more focused on the GDPR. According to your quote of the E-Privacy Directive I understand that counter.dev does need a "Cookie" banner. Furthermore I need to implement some facility so website owners can disable tracking when the user requested it.

Hmm, yeah, not what I wanted to read but this is the result of my everyday understanding of the quoted text. I will come up with something and update the README very soon.

I wonder if that will eventually, soon, maybe in finite time change when the "new" ePrivacy Regulation is effective.

EDIT: It looks like it might be possible that there is a possible future where this changes with the new ePrivacy Regulation:

https://digital-strategy.ec.europa.eu/en/policies/eprivacy-regulation

Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies that improve internet experience, such as cookies to remember shopping-cart history or to count the number of website visitors.

(It says cookie. I could also use cookies or whatever.)

ihucos commented 1 year ago

@VodaJeMokra sorry for the late reply. I understand what you are writing, that sounds reasonable and would mean that fingerprinting on the server side could avoid needing a "cookie" banner. Hmm, that is now vague but somebody who is a lawyer privately wrote me something that makes me understand that fingerprinting even with additional anonymisation techniques (like for example GoatCounter is doing it) still does not qualify for the GDPR or something like this (paraphrasing). Do you have some nice GDPR or E-Privacy Directive quotes to underscore your comprehensive post from last year?

ihucos commented 1 year ago

Current status: I have been testing some changes in the script-testing.js. Now I need to deploy when I get some good hours to monitor aaand document.

ihucos commented 1 year ago

Sorry, those changes mentioned in my last post should not be necessary.

Ok, I updated the README with the newest findings and am eager for any new information.

If somebody wants to implement consent, the simplest and most robust approach turns out to be simply to include or not include the tracking script depending on the user's action.