Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
amelius 3 days ago

Sounds to me like a loophole in the law then. Which would be surprising too since not easy to overlook.

dkersten 3 days ago | parent | next [-]

The law is very clear, if you actually read it. It doesn't care what technology you use: cookies, localstorage, machine fingerprints, something else. It doesn't care. It cares about collecting, storing, tracking, and sharing user data.

You can use cookies, or local storage, or anything you like when its not being used to track the user (eg for settings), without asking for consent.

alternatex 3 days ago | parent | prev | next [-]

LocalStorage is per host though. You can't track people using LocalStorage, right?

reactordev 3 days ago | parent [-]

LocalStorage is per client, per host. You generally can't track people using LocalStorage without some server or database on the other side to synchronize the different client hosts.

GDPR rules are around personal preference tracking, tracking, not site settings (though it's grey whether a theme preference is a personal one or a site one).

root_axis 2 days ago | parent [-]

> though it's grey whether a theme preference is a personal one or a site one

In this case it's not grey since the information stored can't possibly be used to identify particular users or sessions.

reactordev 3 days ago | parent | prev [-]

It’s not a loophole. localStorage is just that, local. Nothing is shared. No thing is “tracked” beyond your site preferences for reading on that machine.

I say it’s a perfect application of how to keep session data without keeping session data on the server, which is where GDPR fails. It assumes cookies. It assumes a server. It assumes that you give a crap about the contents of said cookie data.

In this case, no. Blast it away, the site still works fine (albeit with the default theme). This. Is. Perfect.

dkersten 2 days ago | parent | next [-]

> which is where GDPR fails. It assumes cookies.

It does not assume anything. GDPR is technology agnostic. GDPR only talks about consent for data being processed, where 'processing' is defined as:

    ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(From Article 4.2)

The only place cookies are mentioned is as one example, in recital 30:

    Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
reactordev 2 days ago | parent [-]

>GDPR only talks about consent for personal data being processed

Emphasis, mine. You are correct. For personal data. This is not personal data. It’s a site preference that isn’t personal other than you like dark mode or not.

dkersten 2 days ago | parent [-]

I was responding to this bit:

> It assumes cookies. It assumes a server.

sensanaty 2 days ago | parent | prev | next [-]

> It assumes cookies.

How can people still be this misinformed about GDPR and the ePrivacy law? It's been years, and on this very website I see this exact interaction where someone is misinterpreting GDPR and gets corrected constantly.

0x073 3 days ago | parent | prev [-]

Gdpr don't assumes cookies, if you misuse local storage you also need confirmation.

reactordev 3 days ago | parent [-]

only if you are storing personal information. Email, Name, unique ID.

Something as simple as "blue" doesn't qualify.

dkersten 2 days ago | parent [-]

Correct. But you can also use cookies for that, without violating GDPR or the ePrivacy directive.

reactordev 2 days ago | parent [-]

Then you have the problem of some users blocking cookies at the browser level. LocalStorage is perfect application for this use case.

account42 2 days ago | parent [-]

Or maybe you could respect those user's preferences of not having shit stored for your website.