European Union Justice Commissioner Didier Reynders recently told German newspaper 'Welt am Sonntag' that the European Commission is aware of how annoying cookie consent banners have become...
The reason you keep seeing the banner is because by saying “no” to cookies, you’re telling them they don’t have permission to store ANYTHING on your computer.
That’s not how the regulation works. You don’t need to ask for permission to remember settings the user actually set themselves. Those companies don’t want to remember.
Another web developer here, that is how the California and European rules are interpreted. If we’re acting in good faith we do not store anything.
Maybe you can find a way to argue user settings and session cookies don’t require consent, but I am not a lawyer and I err on the side that doesn’t put me out of business.
It’s not about “finding a way to argue”, but “follow the law”. Which means “analyse every data point and categorise it”. When you do that for remembering cookie settings, going down the three-part test, 1) The purpose of not annoying users is legitimate, 2) It is necessary to store a single boolean for that, 3) Balancing: As our previous analysis left us with a single boolean we simply note that that’s not personal data.
This kind of stuff shouldn’t be done by lawyers but your data protection officer. Random lawyers will have all kinds of crazy opinions about the regulations because they don’t understand that area of law enough to interpret it. Heck your run off the mill US lawyers won’t even understand European legal theory enough to understand it. Data protection officers, however, are trained and certified to do exactly those calls.
I don’t know about education in the US but back in the early 00s, when I was still polishing lecture hall chairs with my butt, data protection was part of the mandatory curriculum. Not an official certification, but like 80% of what you needed to know to pass a certification test, and about 500% of what you need as a developer, which is spotting when something should get looked at.
As to putting you out of business: Even if my analysis was wrong (it isn’t), this isn’t “fine into bankruptcy” but “polite letter” territory. All those companies using dark patterns in cookie banners, OTOH, are risking serious action. It could even be argued that not remembering accept/reject settings is in itself a dark pattern, but again that would be “polite letter” territory.
That’s not how the regulation works. You don’t need to ask for permission to remember settings the user actually set themselves. Those companies don’t want to remember.
Another web developer here, that is how the California and European rules are interpreted. If we’re acting in good faith we do not store anything.
Maybe you can find a way to argue user settings and session cookies don’t require consent, but I am not a lawyer and I err on the side that doesn’t put me out of business.
It’s not about “finding a way to argue”, but “follow the law”. Which means “analyse every data point and categorise it”. When you do that for remembering cookie settings, going down the three-part test, 1) The purpose of not annoying users is legitimate, 2) It is necessary to store a single boolean for that, 3) Balancing: As our previous analysis left us with a single boolean we simply note that that’s not personal data.
This kind of stuff shouldn’t be done by lawyers but your data protection officer. Random lawyers will have all kinds of crazy opinions about the regulations because they don’t understand that area of law enough to interpret it. Heck your run off the mill US lawyers won’t even understand European legal theory enough to understand it. Data protection officers, however, are trained and certified to do exactly those calls.
I don’t know about education in the US but back in the early 00s, when I was still polishing lecture hall chairs with my butt, data protection was part of the mandatory curriculum. Not an official certification, but like 80% of what you needed to know to pass a certification test, and about 500% of what you need as a developer, which is spotting when something should get looked at.
As to putting you out of business: Even if my analysis was wrong (it isn’t), this isn’t “fine into bankruptcy” but “polite letter” territory. All those companies using dark patterns in cookie banners, OTOH, are risking serious action. It could even be argued that not remembering accept/reject settings is in itself a dark pattern, but again that would be “polite letter” territory.