13 comments

[ 2.9 ms ] story [ 29.2 ms ] thread
What if we just don't track people? Crazy idea, I know...
Someone in the ad industry will tell you that the internet is powered by ad revenue, it's what keeps it free and open, what makes services better.
I thought the internet was powered by paying your ISPs bill
It's powered by paying your ISPs bills as much as the restaurant bill is paid by what you spent in car/public-transport commute to the restaurant.
"The Internet" is paid for by my ISP bills. "Websites" are paid for by advertising people trying to track my every move when they don't need to
Next up: Stabbing people without a knife.

If you are tracking people without a lawful basis (e.g. consent), you are violating the GDPR. It doesn't matter if you use cookies. (The article does mention this towards the end.)

It's not (just) GDPR and TFA mentions that as soon as they move on from Cookies, ie point 2 on local storage:

"This buys you nothing. Article 5(3) of the ePrivacy Directive".

They clearly have a product to sell but the article seems balanced and offers a good list of commonly used/proposed techniques that are not quite compliant.

As you alluded, there're more lawful basis than consent, one of most common ones being technical necessity to mitigate abuse.

Right, but even if you have a lawful basis for processing the data to collect aggregate statistics (which the article mentions), the GDPR still doesn't allow you to process the data for unrelated purposes such as advertising, which is usually what cookie banners are about. If you're using cookies strictly to implement the expected functionality of the service, there's no problem to begin with - you don't need any banners in that case.
I think the blog author is misinformed about the session id? If you use that for marketing purposes, you need cookie prompt. The GDRP says only necassary cookies, if you also reuse the login cookies for purposes. It's not longer necassary right?

Otherwise it'd be so blatant loophole, you can only use cookies for their intended purposes and not reuse for them other purposes. I remember some details when i needed a way to prioritize user traffic via cookies, since lots malicous traffic dont have cookie storage, as long i didnt retain the cookie ID used for load balancing, as all information would be lost on reboot of haproxy process. I didnt need cookie prompt, but if i also used that for other purposes like visitor tracking, then I'd need cookie prompt even before setting the cookie.

Im not lawyer, but thats how I understood.

Same thing I was thinking. I personally don't track unique visitors on my blog, just random sessions where you can't identify unique users, which allows me to not show a banner. If I were to use this technique I'd have to show a banner
For tracking uniques, why can’t we just set a “first_visit=false” cookie if not present on first request? The number of new unique users is then the number of requests that came in without that cookie in whatever time window. Expiration timeline left as an exercise for the reader (month, week, whatever).

This zero-entropy cookie cannot be linked to a specific person and would not require consent under any privacy law I think.