this post was submitted on 08 Jan 2024
996 points (99.3% liked)
Technology
59578 readers
3168 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
That's not how the regulation works. You don't need to ask for permission to remember settings the user actually set themselves. Those companies don't want to remember.
Another web developer here, that is how the California and European rules are interpreted. If we're acting in good faith we do not store anything.
Maybe you can find a way to argue user settings and session cookies don't require consent, but I am not a lawyer and I err on the side that doesn't put me out of business.
It's not about "finding a way to argue", but "follow the law". Which means "analyse every data point and categorise it". When you do that for remembering cookie settings, going down the three-part test, 1) The purpose of not annoying users is legitimate, 2) It is necessary to store a single boolean for that, 3) Balancing: As our previous analysis left us with a single boolean we simply note that that's not personal data.
This kind of stuff shouldn't be done by lawyers but your data protection officer. Random lawyers will have all kinds of crazy opinions about the regulations because they don't understand that area of law enough to interpret it. Heck your run off the mill US lawyers won't even understand European legal theory enough to understand it. Data protection officers, however, are trained and certified to do exactly those calls.
I don't know about education in the US but back in the early 00s, when I was still polishing lecture hall chairs with my butt, data protection was part of the mandatory curriculum. Not an official certification, but like 80% of what you needed to know to pass a certification test, and about 500% of what you need as a developer, which is spotting when something should get looked at.
As to putting you out of business: Even if my analysis was wrong (it isn't), this isn't "fine into bankruptcy" but "polite letter" territory. All those companies using dark patterns in cookie banners, OTOH, are risking serious action. It could even be argued that not remembering accept/reject settings is in itself a dark pattern, but again that would be "polite letter" territory.