A lot of people have the misconception that the EU cookie law applies to all cookies, but as the blog post correctly points out, that just isn't the case.
True. Also even if you do track your visitors you can use privacy friendly (and ideally selfhostable) Analytics like Plausible https://plausible.io/ so you won't need the banners either.
Just don't include facebook like buttons or any of these widgets
Does anyone happen to know of a service like this that is free (not self hosted) for non-commercial, low-traffic sites? Or which costs less than ~$10 per year.
I have a basic Github Pages site, and I currently don't know whether anyone is looking at it, beyond the very few who take the time to email me. I don't need (or want) to know anything about my visitors, but it would be nice to know that I'm not simply tossing stuff into the ether.
I thought that with the recent changes to PECR they clarified that any non-essential cookie-like technology needs permission, irrespective of whether it's first party or pseudonymous. And additionally that analytics does not count as strictly necessary.
To be fair, most of them probably do. It's not like the introduction of GDPR in Europe 2 years ago suddenly made all of the shit a marketing dept shoves into Google Tag Manager completely legit and above board.
These third parties will take what you give them and _also_ take what they can get from your browser if you're embedding their script. Are you going to proxy those scripts as well to stop them getting the user's IP address and then geolocating it to grab even more info?
The cookie warning banner is bullshit only in the sense that it achieves nothing. Accept it or deny it, it won't change a thing. Same with the tracking consent popups: despite the law saying they should be opt-in by default, they're still treated as opt-out by default, meaning that all of these sites _still_ collect your data because you're blacklisting individual sites from tracking, as opposed to whitelisting them. You need to set a cookie to say that you don't want tracking and not thousands of cookies to say you do want it?
That's being tracked... it's all wrong. Literally everything you offer as information, or don't offer, is another node in their graph.
Or they treat continuing to use the site as consent. Some of them are really passive-aggressive about it too. I've seen cookie banners with wording like "We use cookies, because duh, who doesn't in 2020? Click here or keep using the site to accept."
Completely at odds with the whole "informed consent" thing.
And then they wonder why we use things like uBlock, which are pretty much the only tools we can rely on to genuinely revoke consent. Or revoke as much of it as possible.
I have nothing directly against cloudflare but I think it would be better to try to support one of the smaller analytics companies if possible. They are the ones who made products that got big companies like cloudflare interested in the space.
A few years back I created some HelloWorld application on Google's AppEngine (requires Java, Python or Go) and was positively surprised about its statistics on their dashboard.
I get requests to /wp-login.php (and the like) on my simple Haskell web app hosted on my university's servers. They're quite persistent and I'm not even sure how they found the URL to my app in the first place (the format is something like universityname.com/~userid/projectname, and I haven't linked it anywhere).
https://simpleanalytics.com/
Says this on their homepage:
We don't use cookies or collect any personal data. So no cookie banners, GDPR, CCPA, or PECR to worry about.
Seems like a cool company/project to me.
But, it's not free :(
$19/mo
Still thought it's worth pointing out.
Looked for a few minutes and couldn't find the full answer. How does Plausible calculate unique users if it can't store some type of identifier on the page?
I see this... "We do not generate any persistent identifiers either. We generate a random string of letters and numbers that is used to calculate unique visitors on a website and we reset this string once per day."
Probably like we do it for pirsch.io, by calculating a hashed fingerprint and throwing away the individual page hits once per day: https://github.com/pirsch-analytics/pirsch
What's the privacy benefit over storing a tracking cookie with expiry of a day? If at all, random cookie seems better for privacy as in your case if someone really wants it, they can recover the IP if the user agent is not rare by searching for all IP(4 billion IPv4), User-Agent(100 for popular browsers), the date(1 day as date is stored separately), and a salt(known to server), easily within reach of anyone.
It doesn't use cookies. Fingerprints are calculated on each page hit.
The salt must be treated like a password to make sure it's not that easy to brute force it and no one should get access to your database of course ;) It's not the strongest anonymization, but good enough considering that the hits will be deleted once a day by batch processing.
> How can Plausible Analytics count unique visitors without cookies?
> So if you don’t use cookies how do you count the number of website visitors and report on metrics such as the number of unique users?
> Instead of tagging users with cookies, we count the number of unique IP addresses that accessed your website. Counting IP addresses is an old-school method that was used before the modern age of JavaScript snippets and tracking cookies.
> Since IP addresses are considered personal data under GDPR, we anonymize them using a one-way cryptographic hash function. This generates a random string of letters and numbers that is used to calculate unique visitor numbers for the day. Old salts are deleted to avoid the possibility of linking visitor information from one day to the next. We never store IP addresses in our database or logs.
...
> In our testing, using IP addresses to count visitors is remarkably accurate when compared to using a cookie. Total unique visitor counts were within 10% error range with IP-based counting usually showing lower numbers.
A one-way hash of an IPv4 address is no more private than the address itself. If you know the hash algorithm, you can build a rainbow table of all the hashes in under a second. Even with a random salt it doesn't take long to build a rainbow table with all possible salts.
To an extent, but there are easy ways to cut the search space. For example, you could make a unique request with garbage on it from a known IP every day, and then all you have to do is build a rainbow table for that one IP to find out what the salt is for each day, and then you can fully reconstruct the logs.
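As an added example (not Plausible's or Pirsch's own code), here is the daily salted-fingerprint scheme the comments above describe: a 256-bit random salt is generated per day and discarded afterwards, the stored record is the keyed hash only (never the IP), and unique visitors are counted as distinct fingerprints per day. The site name, IP addresses and user agents below are constructed sample data.

```python
import datetime
import hashlib
import hmac
import secrets
from collections import defaultdict


def new_day_salt() -> bytes:
    """Fresh 32-byte random salt for the current day.

    The salt is the secret that makes the fingerprint non-invertible: with only
    ~4 billion IPv4 addresses and a short list of common user agents, an
    unsalted or low-entropy-salted hash can be enumerated, so the salt must be
    unguessable and must never be stored alongside the hashes.
    """
    return secrets.token_bytes(32)


def daily_fingerprint(day_salt: bytes, site: str, ip: str, user_agent: str) -> str:
    """Keyed one-way hash of (site, ip, user_agent) for a single day.

    HMAC-SHA256 with the day's salt as key; the site is mixed in so the same
    visitor gets unrelated fingerprints on different sites.
    """
    message = "\x00".join((site, ip, user_agent)).encode("utf-8")
    return hmac.new(day_salt, message, hashlib.sha256).hexdigest()


class UniqueVisitorCounter:
    """Counts unique visitors per site per day without persisting IPs.

    When the day changes, the old salt and the old fingerprint sets are
    dropped, so fingerprints from different days cannot be linked.
    """

    def __init__(self) -> None:
        self._day = None
        self._salt = None
        self._seen = defaultdict(set)   # site -> fingerprints seen today
        self.stored_hits = []           # what actually gets persisted

    def _rotate_if_new_day(self, day: datetime.date) -> None:
        if day != self._day:
            self._day = day
            self._salt = new_day_salt()   # yesterday's salt is gone for good
            self._seen = defaultdict(set)
            self.stored_hits = []

    def record_hit(self, day: datetime.date, site: str, ip: str, user_agent: str) -> str:
        """Record one page hit; returns the fingerprint that was stored."""
        self._rotate_if_new_day(day)
        fp = daily_fingerprint(self._salt, site, ip, user_agent)
        self._seen[site].add(fp)
        # Only the day, site and fingerprint are kept; the IP is not written anywhere.
        self.stored_hits.append({"day": day.isoformat(), "site": site, "fp": fp})
        return fp

    def unique_visitors(self, site: str) -> int:
        return len(self._seen[site])


def demo_counts() -> dict:
    """Replays constructed hits (documentation-range IPs, made-up UAs) and
    returns the unique-visitor counts for two consecutive days."""
    counter = UniqueVisitorCounter()
    day1 = datetime.date(2020, 12, 1)
    day2 = datetime.date(2020, 12, 2)
    hits = [
        (day1, "example.org", "192.0.2.10", "UA-A"),
        (day1, "example.org", "192.0.2.10", "UA-A"),   # same visitor, second page
        (day1, "example.org", "192.0.2.10", "UA-B"),   # same IP, different browser
        (day1, "example.org", "203.0.113.7", "UA-A"),
        (day2, "example.org", "192.0.2.10", "UA-A"),   # new day, new salt
    ]
    counts = {}
    for day, site, ip, ua in hits:
        counter.record_hit(day, site, ip, ua)
        counts[day.isoformat()] = counter.unique_visitors(site)
    return counts


if __name__ == "__main__":
    print(demo_counts())
```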
Don't universities have a huge number of IPs because they were the first to use the internet?
Mine gives one public IPv4 per device that accesses the internet on the network (with some exceptions). Strategies vary, but if you have a lot of addresses, why not use them.
You cannot stop that. You can get around it for a while by serving the script yourself and setting a CNAME record for your domain to point to us. That's why we recommend integrating Pirsch into your backend so that it can't be blocked: https://docs.pirsch.io/get-started/backend-integration/
IANAL, but my understanding is that you might still need a consent box even if you use Plausible.
I've only skimmed over the docs, but it looks like they derive a unique identifier from the IP address and user agent which changes every day. IP addresses still count as Personally Identifiable Information under GDPR, so deriving an identifier from this for a use case such as analytics would likely require consent. This is speculation though so I'd be interested to hear what others think.
If it is critical to the operation of the website (functionality like storing saved items in a shopping cart, or security), then you wouldn't need consent.
In reality though, Plausible looks great and using it is a huge improvement over Google Analytics for privacy.
> IP addresses still count as Personally Identifiable Information under GDPR, so deriving an identifier from this for a use case such as analytics would likely require consent.
Only if there is a bijection between the identifier and the IP address, so that you could re-derive the IP address from the identifier. Otherwise, I do not see how the identifier itself would count as PII.
This way of divorcing data from PII by replacing it with pseudonymous identifiers which cannot be linked back is a relatively standard technique for this.
My understanding is that this kind of active consent that we see as popups everywhere on the web nowadays applies to cookies only. So I would assume that if you can track user activity without a cookie you wouldn't need it. It should probably be stated in the privacy policy though.
I'm not an expert in this even though I'm a webdev from the EU, so I'm also interested in other people's input.
GDPR doesn't care if you're accomplishing the tracking with a cookie or using a different mechanism. You're not allowed to do it either way, unless the user has consented.
Since I’m being downvoted: The EU directive that specifically obligates websites to collect informed and active consent for the use of cookies is not GDPR, it’s the ePrivacy Directive.
I don’t believe that one should automatically conclude that just because a cookie requires active consent, any kind of ‘logging’ (local and temporary storage of IPs in order to track website usage) requires active consent. Those are two fundamentally different things.
I’m not saying you should hide the fact that you’re doing it. I’m saying it should be stated in the privacy policy.
Also remember that there is a big difference between ‘personally identifiable information’ and ‘sensitive information’ which are clearly separated concepts in GDPR. Not all collection of data requires active consent.
I did read my EU state’s guideline on GDPR in full, but I’m not an expert. I would suggest reading up on the ePrivacy Directive though, which is still in effect.
Not sure why you're being downvoted, yeah cookies are handled by legislation other than GDPR (ePrivacy as you mentioned).
However, regardless of whether you're using cookies, I still think you need to collect explicit consent as GDPR requires a lawful basis of processing, and I don't see how analytics would fall under any of the other lawful bases other than consent (_maybe_ legitimate interests?)
If you are using cookies, then my understanding is you need to collect consent where necessary under _both_ ePrivacy and GDPR.
That's not as accurate as throwing around cookies and JavaScript, but I rarely check the log pages anyway, and when I do I'm less interested in raw numbers than I am in the relative performance of various pages. (And that's mostly just idle curiosity, e.g., are there some old articles that keep getting steady traffic from somewhere?)
Wouldn't that still violate the law but just be harder to detect from the client? If so, I don't think GitHub (i.e. Microsoft) would find it a compelling approach.
The backend already stored all the information about the users. Why would it violate any laws if it stored a bit more or a bit less info? Things can get tricky if Github exported the collected data to third party for analytics.
part of the GDPR law is the intent of the information you are storing, not the method. Cookie is just a technology. If you track your users using a DB it still applies and you need consent if the tracking is not necessary
See my profile if you want, that was my first comment in hours. I think it is that sort of brake (prevents heated discussions being quite so quick-fire), but it's not on the user, it's on everyone for '5 [or something] minutes ago' comments; drcongo's happened to be '0 minutes ago' when I loaded the page, so I clicked on it to reply.
It would still be a violation because of how you're using it. The law isn't purely about what data you track, it's primarily about what you do with the data.
IANAL!!!! But I think, yes, there are still implications. GDPR makes no distinction about back end and front end AFAIK, it's just about what data you collect and why/purpose.
But note there are other reasons you can have for collecting data other than consent (something often overlooked) - for example I would guess GitHub would log IP addresses in the back end for a limited time for spam fighting reasons, and I think that would be fine.
To my understanding of the GDPR, as soon as you track any identifier that makes those data non-anonymous you still need consent for that. It is not about the cookies per se.
I can see a need for cookies to mitigate against things like DDoS attacks, session management for paywalled content or just to leave comments on articles, favoriting certain sections. There are several reasons why as a reader you would want the site to be stateful.
Helps separate real traffic from DDoS traffic.
e.g. traffic from someone that also visited the site prior to the start of the DDoS is vastly more likely to be real traffic.
Yes! If you use cookies for essential functionality (like keeping track of logged in status), you don't have to do anything. No banners, no annoyance for your users.
I dropped all third-party crap from my site way back and haven't ever needed a cookie banner.
It is, because "logged in" is an abstraction - someone has to decide how frequently you have to contact the server before being considered to have "logged out".
a cookie representing authentication session with your app isn't personal data, and doesn't need privacy policy, especially if your login is arbitrary and not an email.
It doesn't matter how long it's active either, unless you use it to track users activity elsewhere
If it's used to determine identity, it's a kind of personal data.
However, as you say, it might be allowed by GDPR without requesting extra approval, depending on the way that it's being used and who it is shared with?
Hence my question about whether the length of time that you store this data legally matters (because since databases can be stolen, it eventually does). Compare with how ISPs must store all your connection logs for a specific amount of time.
a session cookie establishing your authentication session only links you with the account in the system. Now, what other data is attached to that account is another thing. For example, the typical forum of yore would only have to take care of emails at best - if it doesn't have personal data, it's irrelevant, because you can't link that identity with your IRL identity.
Length of time you store the data doesn't matter, except in the sense where you can prove that effectively you do not store it at all - for example by anonymization of logs so that you do not effectively store IP addresses, even if of course they have to exist in full in the system at some point to keep the connection open.
Except that if the sites don't do annoying things there is no need for annoying popups.
The EU law:
- doesn't require opt-in permission for essential cookies and similar. So basic non-personalized website usage statistics (analytics) do not need an opt-in; only if it's tracking people in any way are such opt-ins needed
- if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either
- is not limited to cookies btw.
All in all this means that for any site not based on ad-revenue they fully can get away without needing any annoying popups, if they don't do some sneaky questionable things.
Even for ads there are ways to do them without annoying popups, you just need to not track people; tracking the number of times a website was loaded doesn't require annoying popups, just tracking who opened it does.
Similarly, if you track people only after they clicked on the ad you don't need annoying popups on the site the ad is on, but only on the site the ad navigates to (though only start tracking after opt-in). Which, given that many ads try to sell you stuff and buying things only requires an account, isn't that big of a problem as it might seem.
In the end you can say the only reason there are so many annoying popups is because most companies have no intention to respect the privacy of their users. Actually if you look into it and realize that many popups are not legally conformant or borderline illegal it becomes clear that they do not only not respect the users' privacy but the users themselves.
Though I have to note that, while many (most?) companies can switch to respectable advertisement, some companies can't as easily do so.
The thing is, tracking cookies don't annoy me, because I block all cookies anyway (unless it's one of the few sites I need to actually log into), so they can't track me with them.
It's the popups that actually annoy me, especially because they keep on popping up -- ironically they need to store a cookie to remember that the user has accepted/denied, and my cookie-blocking blocks that cookie as well.
I think browsers blocking cookies by default and asking for permission before storing cookies is a better solution to this issue than a GDPR popups all over the web, and leaves far less room for malicious websites to track you in spite of the user denying.
But the EU law is not just about cookies. It's also about e.g. fingerprinting your browser which is very hard to effectively block in practice.
It's a common misconception that it's about cookies. It's about data processing, i.e. tracking. There is a different law than GDPR which is about storing data on user PCs, but that is also not about cookies but about any browser storage and more or less got superseded(1) by GDPR.
(1): Ok, that is quite an oversimplification, but most popups are now about GDPR and having them also covers the other law.
> if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either
Apologies if I've misunderstood your claim here but it seems to me that you are saying you can bury consent to processing inside your legalese.
That doesn't comply with the GDPR as I understand it; the consent must be informed and freely given. Informed in that case is debatable since you are lumping a lot of terms together. You certainly can't claim it's freely given if accepting the terms of service is not optional.
Hm, true, a ToS checkmark is not enough, you need to make the opt-in part clear. But it should be enough to do so when creating an account and for every change. At least if you put a reasonably findable settings page in which allows you to review/change such settings.
But I still believe you can do it once on account creation and then never again if people are logged in and nothing changed.
As far as I know if you only use the logs for DDoS protection and not for e.g. statistics and only store it as long as you need it for it and then delete it, it _I_ think should be legal without a popup banner, though maybe only if you don't give it to 3rd parties for DDoS protection? I have to look into this again.
The problem is the "only" part(s) ;=)
Oh, and you must reasonably convey that DDoS protection is essential for your service etc. Which if you ever had any (non super small) DDoS attack should be reasonably easy.
But I'm no lawyer and a bit of time passed since I last looked into it, so if I now would need to make a corporate decision I would look it up again.
No, it applies to every resident in EU and EU citizens all over the world.
Edit: https://gdpr-info.eu/art-3-gdpr/ ("where Member State law applies" and "subjects who are in the Union" [...] "regardless of whether the processing takes place in the Union or not" respectively)
Edit 2: https://gdpr.eu/companies-outside-of-europe/ for more info: "The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”"
It's related to the ePrivacy Directive, which is deeply intertwined with GDPR but a separate piece of legislation. It's not clear whether the GDPR's territorial applicability also holds for ePD. France in particular is drawing a divide between GDPR and ePD, because ePD lets them fine Google directly but GDPR requires they mediate through the Irish DPA.
The "cookie law" as part of the ePD is indeed older than the GDPR, but the GDPR kinda supersedes it by including all tracking/data collection not just cookie data collection.
It's also not entirely correct that the GDPR would require going through the Irish DPA or wherever a company in violation has their primary EU presence for tax purposes. True, the GDPR says the nation where a company has its primary presence of business within the EU should take the lead, but the French courts figured out that Google's Irish subsidiary is actually not making any decisions, the US parent is, and therefore it's fine for the French watchdog to issue fines skipping Ireland [1].
GDPR does not supersede the ePD. The ePD is, according to its own text, a law that extends the general privacy regulations to certain aspects of internet technology. So in many cases it defers out to the general privacy law in effect.
When ePD was passed, that law was the DPD, Data Privacy Directive. When GDPR was passed, all ePD references to the DPD became references to GDPR instead (this is Article 94 of GDPR). But ePD remains entirely in effect, just with updated references.
Most importantly, ePD requires Consent in certain cases, but defers to DPD/GDPR for what is the definition of consent. GDPR's definition of consent is much more stringent.
In cases where the ePD did not refer out to DPD, it remains unchanged by the passage of GDPR. So, according to CNIL, it does not include the one-stop-shop mechanism. See section "The competence of the CNIL" in the link below:
And as far as I know there is no ruling that using a VPN or other kind of proxy does make you count as "being in the country of the exit node wrt. actions done through the VPN".
Which means that you can't say a user is not residing in the EU (without a popup asking the user if they are residing there... ;=) ).
On the other hand if there would be such a law it would have kinda interesting consequences.
Well, somehow we in EU have to comply with DMCA, which is not an EU law. Every company that _does business in_ EU can get in trouble for not following EU law irrespective where it violated that law.
Sure they can, at least in theory. US citizens have to pay taxes no matter where they reside. Most countries will prosecute certain crimes abroad if those crimes were committed by their citizens or against their citizens or against the state.
The practical question is just if they can get hold of the people acting unlawfully.
The GDPR is implemented in British law, that's how these directives work.
Once the UK leaves the EU, they're no longer obliged to keep their implementation of the GDPR. The government can choose to keep their implementation, and in practice keep the same regulations as the GDPR, or they could reduce or remove their privacy protection laws as they see fit.
With London being famous for their camera surveillance, I expect the UK to reduce some if not all of the privacy protections the GDPR brought to the world.
The GDPR is a regulation (hence the R at the end) not a directive.
It became UK law as soon as it was passed by the EU, and it didn't need to be implemented in to UK law.
The UK has already passed their amendments to the GDPR,[0] which will effectively fork it into the "UK GDPR". These will come in to force on the 1st of January.
There's a "Keeling Schedule" available[1], which is effectively a diff between the EU GDPR and the UK GDPR.
I read that and it said that it applies to data not processed in the EU. I always interpreted that as applying to data centers and such in something like an AWS availability zone in the US. It said “the monitoring of their behaviour as far as their behaviour takes place within the Union.” I never thought that applied to EU citizens all over the world. EU citizens living in another jurisdiction would be subject to that jurisdiction's laws, right? For instance GDPR wouldn’t apply to a Spanish expat that lives in Thailand, as far as I understand it.
Yes, but if you reside in Spain and use a VPN with a Thai exit node to access a site in Thailand you are still residing in the EU and in turn the Thai website needs to comply with GDPR.
Though non-compliance can only be enforced if the entity behind the website/app or similar does enter the EU or does business with the EU.
I really wonder genuinely if the regulation has improved anything at all. I just click through the banners without even thinking. It has become so annoying. The value I get is below zero. I wonder if the majority is like me.
The regulation explicitly forbids annoying banners, the problem is that there’s currently zero enforcement of it so websites continue breaching it and lying to themselves (and others) by thinking their consent banners are compliant.
You have to love how the regulator did not even try to define what they mean by "annoying". Thus making the whole law completely useless.
In my book, any single pixel of my limited screen real estate that gets dedicated to this useless regulation is annoying. If the EU wants to enforce this, they need to provide a way for me to basically say "Yes, I agree with all tracking cookies for all sites forever", and never see a banner again.
Enforcement is already happening. Multiple confirmed cases of fines being handed out to businesses, organisations etc :-)
More importantly IMO they are also contacting entities up front to tell them about violations and how to get compliant; the fines we have seen yet seem (again IMO) to be only for particularly nasty cases and/or cases where the entities in question refuse to change.
This means the fines we are seeing are just the tip of the iceberg: most changes happen underneath the surface and only trickle up in the form of less annoying websites (or fines) little by little.
Yeah, maybe. But not by clever design. The opt-out boxes are usually designed as secondary buttons. The opt-in is designed as primary button. So if you want to change something you have to really think and make a deliberate choice, whereas most people in that moment just want to see the damn content of the site.
That's because the website operators deliberately design the experience to be obnoxious and frustrating.
They want you to have a bad experience if you decide to opt-out of detailed behavioural tracking, so that you'll feel pressured to "consent" to detailed behavioural tracking, and so you'll feel like the GDPR is to blame, even though it isn't.
I've put "consent" in quotes because it's not freely given consent if you are heavily pressured into it, and it's not consent at all if you end up believing you don't really have a choice.
These banners/dialogs do not even comply with the GDPR (despite saying the GDPR requires them), as GDPR says consent to non-essential personal data collection about you must be as easy to withdraw as it is to give, and the service you get must be the same if you don't consent as if you do.
Same here, and I'm on uBlock Origin and the rest. It's just ghastly: of all the scams (tech support and more) and other misery on the internet, the EU is just absolutely fixated on some of these random things.
More information is in Opinion 04/2012 on Cookie Consent Exemption of the Article 29 Working Party of the European Commission about Cookie Consent, which elaborates about the topic:
(The §29 WP is now replaced by the European Data Protection Board, but that seems not to have issued any more current Guidelines or Opinions on that matter. Maybe they are waiting for a forthcoming ePrivacy Regulation. Also: IANAL.)
Well, it's a reasonable misconception to have, banners don't usually explain everything, they mostly say "hey, we use cookies", and not "hey, we use non-essential cookies".
Part of the problem is that when it first passed, the advice was to just add a cookie banner no matter what to be safe, since no one really understood the law and exactly when it did or did not apply.
You are right, and that unfortunately happened because nobody even tried to read the law (which is quite clear regarding this). It's easier to just follow other sheep.
That's correct. Using cookies for the user session is fine and does not require consent as long as you really are just using them for the user session. The moment you use them for analytics, you have to request consent for analytics, even if they are primarily for maintaining the user session.
Not even then - there are plenty of analytics you can do without a cookie banner, as long as they don't identify the user.
Conversely, anything you do other than your obvious business requirements (e.g. if you buy something physical I need some address or identity to verify at pickup) requires consent whether or not it's analytics.
(Not a lawyer, not legal advice, jesus just don't track people...)
No, it wouldn't be in the EULA. There are two parts of GDPR that would specifically go against putting consent to tracking in the EULA:
1. GDPR requires the consent check to be somewhere obvious and in plain language. That was specifically to deal with EULAs given to you in tiny legally compliant text boxes.
2. GDPR requires that you cannot make consent for non-essential usages of data mandatory as a condition for providing your services. Tracking only logged-in people for analytics falls into the category of non-essential purposes. That requires explicit consent, even if consent is not required to use the exact same data for authentication checks.
But wouldn't that be asked for at the same time as signing the EULA, i.e. at account creation? If you're avoiding banners, I can't think where else you'd put it.
If a cookie is not necessary (or you are using a necessary cookie for secondary purposes), then you need GDPR-valid consent. This means:
1. Consent must be separate from other terms being agreed to. So consent in the EULA would not be valid.
2. Consent must be an affirmative, unambiguous action. Pre-ticked boxes or bundled consent are not valid.
3. Consent can be revoked at any time. Revoking consent must be as easy as giving it.
So yes, you can ask for it from a user when you're having them agree to the EULA. However you can't have it as part of the EULA, it has to be an optional add-on. And you still need to let people turn it off afterwards.
If we're talking about Github, no, I don't think it's a clever hack. I think they've actually ripped out the offending usages.
The reason I find that believable is that their core business is selling a git server with bells and whistles. From Microsoft's perspective, Github doesn't need to be doing any marketing because they kind of are the marketing.
Whether they complied in other ways is irrelevant to whether this case is non-compliant, and the point was about reuse of cookies for analytics, not marketing.
I don’t understand your point. You’re asking whether they’re trying to work a loophole or a clever hack, and I said that I don’t think they are and that I think it’s credible because they don’t have profit motives that would drive them to take that legal risk.
You don't think they do analytics on users based on these cookies session? Because doing that without the consent pop-up is (I claim above) illegal, and so the clever workaround fails.
I would be really, really surprised if Github were the only Bay Area unicorn that lacked a product manager nagging them for more analytics. The fact that they don't need to sell the analytics is irrelevant.
I can't speak for Github, but I can speak for my team in [tech giant]: if I wanted to do analytics on end users I'd have to go through a review to confirm that I would not be violating privacy laws. I literally couldn't query them if I wanted to without jumping through technical hoops with audit processes and paper trails.
I do believe Github is legitimately trying not to use that data for analytics. But whether some PM in there is querying that data for analytics purposes: at that point we're just speculating based on how cynical you or I want to be. I don't think that's a meaningful point.
Also: I'm not saying I don't think they do analytics. I'm saying I don't think they are using users' personal data for analytics. That's an important difference with respect to GDPR.
> then you still can’t use those cookies for other purposes, like analytics, right?
Yes. It’s not the cookies, it’s what use you make of them.
The wording even predates GDPR. You could even dispense with the banner if you had DNT set to 1 or 0, since that would count as consent/not consent resp.
I just checked my cookies on the Github website and had several tracking cookies (including Google Analytics).
Then I realized I should probably clear all the cookies for Github, and start over with a fresh session. So I deleted all cookies that Github had given me (which was 12) and refreshed the page. As expected, I was now logged out and Github immediately issued me 4 new cookies.
• _gh_sess (a fresh session cookie)
• _octo (not sure what this is, might have something to do with cache-busting? Looks like it contains something resembling a version id/string)
• logged_in (my logged in status, now false)
• tz (my timezone)
All of these are valid cookies (assuming that _octo is for cache busting) that would not require a cookie banner.
So then I logged in. I now have 10 cookies. None of them appear to be tracking cookies.
• __Host-user_session_same_site (14 day session token)
• device_id (this contains a random string to differentiate this device. Initially I was concerned with this, thinking it might be a fingerprint. But it is far too short for that, and it appears to be a flash cookie. It expires as soon as it is issued, so it only lasts one request. This is likely used to improve your experience in the case that you are logged in across multiple devices to differentiate which device is making a request within the current session)
• gh_sess (same as before, session)
• _octo (same as before, presumably cache-busting)
• dotcom_user (contains a string with my github username)
• has_recent_activity (boolean value, likely used to display "unseen notifications" on the front-end)
• logged_in (same as before, except now true)
• tz (same as before, timezone for frontend time displays)
• tz (now have 2 timezone cookies. Both are currently the same timezone, although I assume the first one is a timezone gathered from my system clock and the new one is a timezone gathered from my github settings which they now have since I logged in. This is probably a bug where they expect to overwrite the first one, but since one is set to the github.com domain and the other is set to all github subdomains then it didn't overwrite)
• user_session (yet another session token with 14 day expiration. However the session token in this cookie and the __Host-user_session_same_site cookie are the same. Not sure of the reason for the duplication)
So those are all the cookies that Github now gives you. 2 of these seem to have duplicates. Meaning the same could be done with 8 cookies instead of 10. But regardless, all cookies seem to check out. None of these are tracking your usage and they are there to improve your logged in experience. Tracking things like your username and the recent activity boolean is most likely being used to save making the same database queries for every request. The others are just tracking sessions, which is something that users definitely do want. The 14 day expiration is a good middle ground between convenience and security.
At the beginning I mentioned that I had two tracking cookies before I cleared my cookies. These are gone after the refresh. So it looks like github has in fact stopped issuing tracking cookies altogether. They also seem to have removed Google Analytics entirely as I don't see the script on their website at all.
So all-in-all this definitely checks out. I don't see any GDPR violations here or reason to display a cookie banner anymore.
I assume they still have analytics, but the analytics are all happening server-side which provides them basics like pageviews and visitors. And since you have to be logged in to do almost anything in github they don't need cookies to track what you do while logged in, that's all going through their servers and databases anyway.
I know plenty of people here have problems with Github, but I think it is exciting to see a large company like Github (Microsoft) take this step.
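The audit above was done by hand in the browser's cookie viewer. Below is an added example (not code from the thread or from GitHub) that does the same classification over raw Set-Cookie headers: it separates session cookies from persistent ones by Max-Age/Expires, checks the browser-enforced __Host-/__Secure- prefix rules, and shows why two cookies of the same name can coexist when one is host-only and the other carries a Domain attribute, which is the explanation offered for the duplicated tz cookie. The header values are constructed for illustration and are not captured from github.com; the attributes on them are assumptions.

```python
"""Classify Set-Cookie headers by lifetime, scope and prefix rules.

Added example, not code from the thread or from GitHub. SAMPLE_SET_COOKIE
is constructed: the names echo the thread's list, but the values and
attributes are assumptions, not captured github.com headers.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample response: a session cookie, a 14-day __Host- cookie,
# the same name set twice with different scopes, and a one-request cookie.
SAMPLE_SET_COOKIE = [
    "_gh_sess=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-user_session_same_site=tok; Path=/; Max-Age=1209600; Secure; HttpOnly; SameSite=Strict",
    "tz=Europe%2FBerlin; Path=/; Secure; SameSite=Lax",
    "tz=Europe%2FBerlin; Domain=github.com; Path=/; Secure; SameSite=Lax",
    "device_id=r4nd0m; Path=/; Max-Age=0; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attrs (Secure) map to ""
    return name, value, attrs


def lifetime(attrs, now=None):
    """'session' (no Max-Age/Expires), 'expired', or seconds left to live."""
    if "max-age" in attrs:
        secs = int(attrs["max-age"])
        return "expired" if secs <= 0 else secs
    if "expires" in attrs:
        now = now or datetime.now(timezone.utc)
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        secs = int((exp - now).total_seconds())
        return "expired" if secs <= 0 else secs
    return "session"


def prefix_violations(name, attrs):
    """Cookie-prefix rules a browser enforces (RFC 6265bis): __Secure- needs
    Secure; __Host- additionally forbids Domain and requires Path=/."""
    problems = []
    if name.startswith(("__Host-", "__Secure-")) and "secure" not in attrs:
        problems.append("prefix requires Secure")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("__Host- forbids Domain")
        if attrs.get("path") != "/":
            problems.append("__Host- requires Path=/")
    return problems


def scope(attrs):
    """No Domain attribute means host-only; Domain=x is sent to x and its subdomains."""
    if "domain" not in attrs:
        return "host-only"
    return "domain:" + attrs["domain"].lstrip(".").lower()


def audit(headers):
    """Return {name: [record, ...]} so same-name cookies appear side by side."""
    report = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        report.setdefault(name, []).append({
            "scope": scope(attrs),
            "lifetime": lifetime(attrs),
            "violations": prefix_violations(name, attrs),
        })
    return report


def duplicate_names(report):
    """Names set more than once with differing scopes: the browser stores both,
    so a later Set-Cookie without Domain does not overwrite a Domain= one."""
    return sorted(n for n, recs in report.items()
                  if len({r["scope"] for r in recs}) > 1)


if __name__ == "__main__":
    rep = audit(SAMPLE_SET_COOKIE)
    for name, recs in rep.items():
        for r in recs:
            print(f"{name:32} {r['scope']:20} {str(r['lifetime']):10} {r['violations']}")
    print("same name, different scope:", duplicate_names(rep))
```

Run it against your own responses by pasting the Set-Cookie lines from the browser's network panel into SAMPLE_SET_COOKIE; anything reported as persistent and not obviously tied to login or preferences is the cookie to ask questions about.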
> I assume they still have analytics, but the analytics are all happening server-side which provides them basics like pageviews and visitors. And since you have to be logged in to do almost anything in github they don't need cookies to track what you do while logged in, thats all going through their servers and databases anyway.
Considering Microsoft's size, wouldn't this still be a concern, and might even still violate GDPR if they were to use identifiers like IP or Microsoft accounts between their various services ?
For an even more extreme version: see Google or Amazon (AWS).
Are we claiming that if GitHub has a dashboard like “number of concurrent sessions” and “average length of session” and “unique users who touched this feature” it would be a GDPR violation?
It looks like you can still be tracked as long as you are logged into your Github account? (Or even if you are not logged in as long as only Github/Microsoft is tracking you?)
Another question is how exactly can Github be trusted to not send this tracking to Microsoft? It's not like this is something that we can check... I don't think that the EU is going to send inspectors to Microsoft?
Session ids are unique? Are they personal data if you cannot link them to an individual? Count those. Let’s say you are paranoid and someone, somewhere can link those random ids to people. So hash those random ids with a key that this someone has no access to. Now you have anonymized ids you can count uniquely and that cannot be linked to individuals.
You can anonymize data if you really want to and use it for understanding trends, usage etc in a privacy respectful way. Few companies bother these days though. And yes if you want a 100% watertight way, it’s hard.
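The keyed-hash idea in the comment above, as an added example that is not part of the thread: session ids are passed through an HMAC under a key the analytics consumers never see, and the key is derived per reporting period so that pseudonyms from different days cannot be joined back into a longitudinal profile. The master key, session ids and events are constructed for illustration; in a real deployment the key would live in a secrets store the dashboard side cannot read.

```python
"""Keyed-hash pseudonymisation of session ids for unique counting.

Added example, not from the thread. MASTER_KEY, the session ids and EVENTS
are constructed; only the pseudonyms would ever reach an analytics store.
"""
import hashlib
import hmac
import secrets


def period_key(master_key, period):
    """Derive a per-period (e.g. per-day) key from the master key, so the
    same session id yields unrelated pseudonyms on different days."""
    return hmac.new(master_key, b"analytics/" + period.encode(), hashlib.sha256).digest()


def pseudonym(key, session_id):
    """HMAC rather than a bare hash: without the key nobody can recompute
    the pseudonym from a session id, even with the full id table."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()[:32]


def unique_counts(events, master_key):
    """events: iterable of (period, session_id, feature).
    Returns {(period, feature): number of distinct sessions}, computed
    from pseudonyms only; raw ids are never stored."""
    seen = {}
    for period, session_id, feature in events:
        p = pseudonym(period_key(master_key, period), session_id)
        seen.setdefault((period, feature), set()).add(p)
    return {k: len(v) for k, v in seen.items()}


def linkable_across_periods(master_key, session_id, period_a, period_b):
    """True only if the same id maps to the same pseudonym in both periods,
    i.e. if someone could join the two days' records. Expected: False."""
    return (pseudonym(period_key(master_key, period_a), session_id)
            == pseudonym(period_key(master_key, period_b), session_id))


# Constructed sample: two sessions on day one, one of them returning on day two.
EVENTS = [
    ("2020-06-01", "sess-a1b2", "code_search"),
    ("2020-06-01", "sess-a1b2", "code_search"),   # repeat hit, same session
    ("2020-06-01", "sess-c3d4", "code_search"),
    ("2020-06-01", "sess-c3d4", "pull_request"),
    ("2020-06-02", "sess-a1b2", "code_search"),
]

if __name__ == "__main__":
    MASTER_KEY = secrets.token_bytes(32)  # constructed; would come from a KMS
    for (period, feature), n in sorted(unique_counts(EVENTS, MASTER_KEY).items()):
        print(f"{period} {feature:14} unique sessions: {n}")
    print("same session linkable across days:",
          linkable_across_periods(MASTER_KEY, "sess-a1b2", "2020-06-01", "2020-06-02"))
```

The per-period derivation is what keeps this at "counting" rather than "profiling": with a single long-lived key the pseudonym is stable, and a stable pseudonym plus enough behavioural data is just an identifier with extra steps.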
Generally they are used to protect against DDoS and to have forensic data in the case there is malicious behavior, and are allowed as essential to operating the service.
> A lot of people have the misconception that the EU cookie law applies to all cookies, but as the blog post correctly points out, that just isn't the case.
A lot of people also have the misconception that the EU cookie law applies to them, even if they are not in the EU and have no EU physical presence.
The GDPR applies to anyone anywhere processing personal information (such as IP addresses) of people inside the EU (both EU and non-EU residents).
That doesn't mean that you're necessarily at risk of any lawsuits or effective action, but what you're stating is wrong. Physical presence has nothing to do with it.
As a corporation, of any size, you are not beholden to laws made in other countries, unless you do business in that country or have a presence of some kind in that country.
With the exception of large, international organizations, that doesn't apply to nearly all businesses outside the EU.
No, it absolutely does not "[apply] to anyone anywhere processing personal information of people inside the EU." I don't know why people keep saying this, I have no idea where this misconception came from.
>Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Recital 23 of the GDPR provides some more information about when an organisation would be considered as targeting users in the EU:
"In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
The EU can say this all they want, but the reality is it has zero teeth for any organization conducting business outside the EU, with no actual presence in the EU.
EU laws simply do not apply to the world, even if the EU thinks they should.
> The EU can say this all they want, but the reality is it has zero teeth for any organization conducting business outside the EU, with no actual presence in the EU.
Perhaps not, but the EU is the world's second-largest economy (only $2tn behind the US and $4tn ahead of China) accounting for about 1/5th of the global economy.
If one wants to operate a company that does international business, one will probably want to do business in the EU, which means following EU law in such matters.
It's not about physical presence. It's about whether the EU could do something to punish you. For every big company that is true. For example the EU can force Visa/MasterCard to stop doing business with you.
If you're small enough, then the EU won't bother doing anything.
If you don't even depend on any 3rd party that is vulnerable to EU will then you can fully ignore everything. That can be tricky to achieve though. No common money transfer methods and you must be self-hosting.
Also, all of this isn't new. The US has been enforcing its will globally in a similar fashion for a long time.
People get scared of lawsuits, especially if they're from a very litigious country like the EU. Companies lobbied against the law hard, spreading the idea that any visitor of your website could sue you for millions because you sent a cookie header. Reality is much less scary for most decent people.
Technically, the law applies to everyone worldwide, regardless of location. However, if you have no business in the EU and don't plan to expand your current business operations to the EU, you don't need to worry.
Hell, if you don't meet the requirements, the relevant enforcement departments generally give you plenty of time to implement the necessary requirements or block access if you're a dick. The exception, of course, is data brokers and huge companies like Facebook or Google where the impact is much larger.
The GDPR doesn't expose you to lawsuits from anyone but the privacy monitoring instances of EU member states. The average American blog or news site isn't nearly large enough for any government instance to start a lawsuit.
You can also ask yourself: so what if they fine my company €10.000. They're not going to send a team of special forces over the Atlantic or through Russia just to extract the cash from you. You only need to pay the fine if your company ever needs to do business in the EU. If your company structure makes you personally liable, this also impacts your future holiday destination decisions, but you can live perfectly fine without seeing the Eiffel tower.
A lot of very similar laws are also being passed in California right now, which will probably be a lot more dangerous than any GDPR restriction, but if you follow the GDPR you're pretty much set to protect yourself from Californian lawsuits as well.
Most of the GDPR is just "don't be a dick with people's data". If the fear of not meeting requirements stops the free-for-all data exchange market, then I'm perfectly fine with that.