← Back to context

Comment by wizzwizz4

2 months ago

> Simply saying "oh I'm only tracking local cookies" might not even be enough in GDPR because the act of writing any cookie is actually covered under the law

You're mixing GDPR up with the ePrivacy Directive (henceforth "ePrivacy", not to be confused with the proposed ePrivacy Regulation). GDPR Recital 30 describes how cookies should be understood in relation to the GDPR (to the extent that GDPR Article 4(1) didn't already make it clear), and GDPR Recital 15 affirms that "the act of writing any cookie" doesn't have any special treatment under GDPR. Whereas ePrivacy Article 5 ¶3 discusses "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user", and is the real source of nearly all "cookie consent" obligations in the EU. I hope you don't work on the legal side of the consent product!

Less pithily: I've noticed a lot of "consent" providers getting this basic stuff wrong, both in their marketing copy and in their actual products. I (along with most internet users) have a vested interest in any improvements in this area. I'm available to discuss this further, if that would be helpful – keeping in mind that while I know a lot more about this than many working professionals apparently do, I'm still very much an amateur with no formal legal training.

ePrivacy Directive as amended in 2009: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

GDPR as amended in 2016 (without recitals): https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

8 comments

wizzwizz4

Reply
Nextgrid  2 months ago

> I'm available to discuss this further, if that would be helpful.

That would not be helpful, because the whole business of "consent management" is to provide plausible deniability and the illusion of compliance to businesses without actually making them comply (since complying with the GDPR would incur significant cost and obsolete most of the marketing/analytics team's jobs).

I'm very sure they perfectly know what they're doing and have the budget for the best legal advice money can buy, it's just that their business is all about selling the illusion of compliance instead of actual compliance.

It's the fault of the regulators for still not cracking down on this after 8 fucking years. Detecting non-compliant consent flows is trivial with a web scraper.

> in their actual products

The products are configurable by the customer. Now you could indeed argue that the product should not offer an option to configure it in a way that would be in breach of the regulation it's supposed to help you comply with... but again see above.

  • wizzwizz4  2 months ago

    I'm pleased when there's at least one configuration that isn't in breach of the regulations. Sadly, many providers don't even manage that.

bradleyy  2 months ago

I appreciate your precision. Most folks, unless discussing specific provisions, just use GDPR as an umbrella term, much like the CCPA is still used and inclusive of CPRA.

  • wizzwizz4  2 months ago

    This response sounds suspiciously like competence. Do you mind disclosing which consent provider you work for, so I can have a look? (I only ever found one consent product I was really happy with, and it shut down a few months after I discovered it.)

    • bradleyy  2 months ago

      It's DataGrail. I don't mind disclosing it, but I was kinda hoping not to because I'm really not here to advertise... I guess I won't say I know the subject, but do have some experience. lol.

      I'd be happy to discuss directly if you want. Not sure how to exchange details if you're interested but we can figure something out I guess.

      3 replies →