
cdrx | 5 years ago

Storing a cookie which is not strictly necessary to provide the service requires explicit consent. This is a PECR requirement, not a GDPR one. Tracking the source and campaign of a user between pages is not required to deliver the page.

So you may rely on legitimate interest to process the data, but you need the consent to store the session cookie to collect the data in the first place.

that_guy_iain|5 years ago

If you have A/B testing in place it is strictly necessary to have a session cookie. Otherwise a user could end up in a case where they were in the A group on their first request but their second has them in the B group but the page they visited isn't enabled or displays different content than what they expected to see.

If you have special offers based on the URL they came from then it is strictly necessary to be able to remember where they came from so they get the special offer and don't fall victim to false advertising.

Strictly necessary means if the website will break in any way without it.

cdrx|5 years ago

Your understanding of strictly necessary is incorrect. You do not need to a/b test a website for it to function. It is optional. It doesn’t become legal just because your tech stack makes it difficult, or because you engineer the site not to work without a non-essential cookie.

You could a/b test based on even or odd numbered IP address and not require consent to store a cookie. You can pass the referrer around via query string and not require consent to store a cookie.

However, as you said, there is no enforcement of the regulation so the risk of non-compliance is basically zero :)