| ▲ | amelius 3 days ago |
| The theme switcher uses local storage as a kind of cookie (19 bytes for something that could fit in 1 byte). Kind of surprised they don't show the cookie banner. Just a remark, nothing more. PS, I'm also curious why the downvotes for something that appears to be quite a conversation starter ... |
|
| ▲ | athenot 3 days ago | parent | next [-] |
| You don't need the cookie banner for cookies that are just preferences and don't track users. |
| |
| ▲ | dotancohen 3 days ago | parent | next [-] |
| Which is why calling it the cookie banner is a diversion tactic by those who are against the privacy assurances of the GDPR. There is absolutely no problem with cookies. The problem is with the tracking. |
|
| ▲ | root_axis 3 days ago | parent | next [-] |
| It's called a cookie banner because only people using cookies to track users need them. If you're using localstorage to track users, informed consent is still required, but nobody does that because cookies are superior for tracking purposes. |
|
| ▲ | madeofpalk 2 days ago | parent [-] |
| > If you're using localstorage to track users [...] but nobody does |
| I promise you every adtech/surveillance js junk absolutely is dropping values into local storage to remember you. |
|
| ▲ | root_axis 2 days ago | parent [-] |
| They are, but without cookies nearly all of the value disappears because there is no way to correlate sessions across domains. If commercesite.com and socialmediasite.com both host a tracking script from analytics.com that sets data in localstorage, there is no way to correlate a user visiting both sites with just the localstorage data alone - they need cookies to establish the connection between what appears to be two distinct users. |
|
| ▲ | reactordev 3 days ago | parent | prev | next [-] |
| Our problem is with tracking. Their problem is that other companies are tracking. So let’s stop the other companies from tracking since we can track directly from our browser. |
| GDPR requires cookie banner to scare people into blocking cookies |
| There, now only our browser can track you and only our ads know your history… We’ll get the other two to also play along, throw money at them if they refuse, I know our partner Fruit also has a solution in place that we could back-office deal to share data. |
|
| ▲ | bigstrat2003 3 days ago | parent | prev [-] |
| You're assuming bad intent where there are multiple other explanations. I call it the cookie banner and I don't run a web site at all (so, I'm not trying to track users as you claim). |
|
| ▲ | dotancohen 3 days ago | parent | next [-] |
| You call it the cookie banner because you've been hearing it regularly referred to as the cookie banner. It was the regularization of calling it the cookie banner that confuses people into thinking the issue is about cookies, and not about tracking. |
|
| ▲ | bigstrat2003 3 days ago | parent [-] |
| So, by your own admission, calling it the cookie banner is not only "a diversion tactic by those who are against the privacy assurances of the GDPR". My only point is that you were painting with an overly broad brush and saying someone is a bad actor if they call it the cookie banner, which is demonstrably not the case. |
|
| ▲ | dotancohen 2 days ago | parent [-] |
| I admit nothing, because I am not partaking in contentious argument. However, I could have better phrased my original comment with the word "was" instead of "is". |
|
| ▲ | mhitza 3 days ago | parent | prev [-] |
| Or for cookies that are required for the site to function. On a company/product website you should still inform users about them for the sake of compliance, but it doesn't have to be an intrusive panel/popup. |
|
| ▲ | sensanaty 2 days ago | parent [-] |
| > On a company/product website you should still inform users about them for the sake of compliance |
| No? Github for example doesn't have a cookie banner. If you wanna be informative you can disclose which cookies you're setting, but if they're not used for tracking purposes you don't have to disclose anything. Also, again, it's not a "cookie" banner, it's a consent banner. The law says nothing about the storage mechanism as it's irrelevant, they list cookies twice as examples of storage mechanisms (and list a few others like localStorage). |
|
| ▲ | ProZsolt 3 days ago | parent | prev | next [-] |
| You don't have to show the cookie banner if you don't use third party cookies. The problem with third party cookies is that they can track you across multiple websites. |
|
| ▲ | account42 2 days ago | parent [-] |
| Wrong, you also need to ask permission before using first-party tracking cookies. |
|
| ▲ | reactordev 3 days ago | parent | prev | next [-] |
| Because she’s using local storage…? If you don’t use cookies, you don’t need a banner. 5D chess move. |
| |
| ▲ | root_axis 3 days ago | parent | next [-] |
| There's no distinction between localstorage and cookies with respect to the law, what matters is how it is used. For something like user preferences (like the case with this blog) localstorage and cookies are both fine. If something in localstorage were used to track a user, then it would require consent. |
|
| ▲ | roywashere 3 days ago | parent | prev | next [-] |
| That is not how it works. The ‘cookie law’ is not about the cookies, it is about tracking. You can store data in cookies or in local storage just fine, for instance for a language switcher or a theme setting like here without the need for a cookie banner. But if you do it for ads and tracking, then this does require consent and thus a ‘cookie banner’. The storage medium is not a factor. |
|
| ▲ | amelius 3 days ago | parent | prev [-] |
| Sounds to me like a loophole in the law then. Which would be surprising too since it's not easy to overlook. |
|
| ▲ | dkersten 3 days ago | parent | next [-] |
| The law is very clear, if you actually read it. It doesn't care what technology you use: cookies, localstorage, machine fingerprints, something else. It doesn't care. It cares about collecting, storing, tracking, and sharing user data. You can use cookies, or local storage, or anything you like when it's not being used to track the user (e.g. for settings), without asking for consent. |
|
| ▲ | alternatex 3 days ago | parent | prev | next [-] |
| LocalStorage is per host though. You can't track people using LocalStorage, right? |
|
| ▲ | reactordev 3 days ago | parent [-] |
| LocalStorage is per client, per host. You generally can't track people using LocalStorage without some server or database on the other side to synchronize the different client hosts. GDPR rules are around personal preference tracking, tracking, not site settings (though it's grey whether a theme preference is a personal one or a site one). |
|
| ▲ | root_axis 2 days ago | parent [-] |
| > though it's grey whether a theme preference is a personal one or a site one |
| In this case it's not grey since the information stored can't possibly be used to identify particular users or sessions. |
|
| ▲ | reactordev 3 days ago | parent | prev [-] |
| It’s not a loophole. localStorage is just that, local. Nothing is shared. No thing is “tracked” beyond your site preferences for reading on that machine. I say it’s a perfect application of how to keep session data without keeping session data on the server, which is where GDPR fails. It assumes cookies. It assumes a server. It assumes that you give a crap about the contents of said cookie data. In this case, no. Blast it away, the site still works fine (albeit with the default theme). This. Is. Perfect. |
|
| ▲ | dkersten 2 days ago | parent | next [-] |
| > which is where GDPR fails. It assumes cookies. |
| It does not assume anything. GDPR is technology agnostic. GDPR only talks about consent for data being processed, where 'processing' is defined as: |
| > ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
| (From Article 4.2) |
| The only place cookies are mentioned is as one example, in recital 30: |
| > Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. |
|
| ▲ | reactordev 2 days ago | parent [-] |
| > GDPR only talks about consent for personal data being processed |
| Emphasis, mine. You are correct. For personal data. This is not personal data. It’s a site preference that isn’t personal other than you like dark mode or not. |
|
| ▲ | dkersten 2 days ago | parent [-] |
| I was responding to this bit: |
| > It assumes cookies. It assumes a server. |
|
| ▲ | sensanaty 2 days ago | parent | prev | next [-] |
| > It assumes cookies. |
| How can people still be this misinformed about GDPR and the ePrivacy law? It's been years, and on this very website I see this exact interaction where someone is misinterpreting GDPR and gets corrected constantly. |
|
| ▲ | 0x073 3 days ago | parent | prev [-] |
| GDPR doesn't assume cookies, if you misuse local storage you also need confirmation. |
|
| ▲ | reactordev 3 days ago | parent [-] |
| Only if you are storing personal information. Email, Name, unique ID. Something as simple as "blue" doesn't qualify. |
|
| ▲ | dkersten 2 days ago | parent [-] |
| Correct. But you can also use cookies for that, without violating GDPR or the ePrivacy directive. |
|
| ▲ | reactordev 2 days ago | parent [-] |
| Then you have the problem of some users blocking cookies at the browser level. LocalStorage is a perfect application for this use case. |
|
| ▲ | account42 2 days ago | parent [-] |
| Or maybe you could respect those users' preferences of not having shit stored for your website. |
|
| ▲ | the_duke 3 days ago | parent | prev | next [-] |
| You only need cookie banners for third parties, not for your own functionality. |
| |
| ▲ | root_axis 3 days ago | parent [-] |
| GDPR requires informed consent for tracking of any kind, whether that's 3rd party or restricted to your own site. |
|
| ▲ | input_sh 2 days ago | parent [-] |
| Incorrect, GDPR requires informed consent to collect personally identifiable information, but you can absolutely run your own analytics that only saves the first three octets of an IP address without needing to ask for consent. Enough to know the general region of the user, not enough to tie any action to an individual within that region. Therefore, not personally identifiable. Of course, you also cannot have user authentication of any kind without storing PII (like email addresses). |
|
| ▲ | root_axis 2 days ago | parent [-] |
| You've stretched the definition of tracking for your hypothetical. If you can't identify the user/device then you're not tracking them. |
|
| ▲ | input_sh 2 days ago | parent [-] |
| I literally worked with digital rights lawyers to build a tool to exercise your GDPR rights, but sure, call it a hypothetical. |
|
| ▲ | root_axis 2 days ago | parent [-] |
| It's literally a hypothetical situation you introduced for the sake of discussion. "Hypothetical" doesn't mean it doesn't happen in real life, the whole purpose of a hypothetical is to model reality for the sake of analysis. |
|
| ▲ | lucideer 3 days ago | parent | prev | next [-] |
| You don't need a banner if you use cookies. You only need a banner if you store data about a user's activity on your server. This is usually done using cookies, but the banners are neither specific to cookies nor inherently required for all cookies. |
| --- |
| Also: in general the banners are generally not required at all at an EU level (though some individual countries have implemented more narrow local rules related to banners). The EU regs only state that you need to facilitate informed consent in some form - how you do that in your UI is not specified. Most have chosen to do it via annoying banners, mostly due to misinformation about how narrow the regs are. |
|
| ▲ | rafram 2 days ago | parent | prev | next [-] |
| 19 whole bytes! |
|
| ▲ | hju22_-3 3 days ago | parent | prev [-] |
| I'd guess it's due to it not being a cookie, by technicality, and is not required then. |
| |