this post was submitted on 25 Sep 2023
75 points (98.7% liked)
Asklemmy
43856 readers
1784 users here now
A loosely moderated place to ask open-ended questions
Search asklemmy ๐
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
True but the GDPR is not the primary legislative instrument here since it deals with general rules for processing personal data. The ePrivacy directive (or PECR in UK) is more important when it comes to cookies since it deals with electronic communication.
The ePrivacy directive states that cookies and similar tracking technologies can only be dropped on a user device after obtaining consent, i.e. no other โGDPRโ legal bases such as legitimate interest are available. There is an exception for cookies that are essential or strictly necessary for the website to work. In such cases no consent needs to be obtained. This exception is narrowly interpreted by most EU supervisory authorities.
This may be subject to change though since the ePrivacy directive is in the process of being replaced by the ePrivacy regulation which is said to outline new rules for cookies.
The practical way this seems to be implemented is that sites report the bulk of cookies and default to off to comply with GDPR, then list a subset of cookies as legitimate interest-based and default those to on with an ambiguous "object" setting.
Guessing the idea behind it is legal advice that legitimate interest swaps from one ruleset to another, but like the previous poster said I'm not sure how well any of this is tested.