Login

Recent searches

No recent searches

Search options

Only available when logged in.
fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
Fosstodon is an invite only Mastodon instance that is open to those who are interested in technology; particularly free & open source software. If you wish to join, contact us for an invite.

Administered by:

Server stats:

10K
active users

fosstodon.org: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Public
The Seven Voyages Of Steve

LB: I don’t have cookie consent banners on my websites because I don’t need cookies: a result of not needing to keep any creepy persistent state about visitors (and not doing it just cause everyone else does)

Ric

@sinbad same. There's literally no legitimate need for cookies beyond tracking. Sessions have been around for decades and make way more sense from every security and privacy perspective. They just don't work well for cross-site data sharing... i.e. tracking. 🙄

There's even local storage, if data really needs storing client-side. Works the same as cookies but as RAM for JS, rather than ROM, and inaccessible by other sites.

"Essential cookies required for functionality" is a straight up lie.

Dec 30, 2024, 01:19 PM·Public·Mastodon for Android
1boost·2favorites
Public
Soso

@dev_ric @sinbad that's just wrong. Sessions are built on top of cookies... And using localstorage for tracking would also require consent banners.

In the law the tech doesn't Mather. What matters is whether it's necessary and logical for the functioning of the website. If is, then regardless of the tech you don't need consent.

Public
Ric

@sgued @sinbad session cookies only store an ID, which the server uses to fetch server-stored data associated with that ID. Session cookies also expire after a set time of inactivity - has to be less than 15 minutes for ecommerce sites, as per PCI-DSS compliance requirements. Thus session cookies are exempt from opt-in requirements.

Localstorage doesn't support XSS access and thus can't be used for tracking. It also doesn't create files so isn't a privacy concern. LS is exempt from opt-in too.

Public
Soso

@dev_ric @sinbad

PCI-DSS is a payment thing. Not relevant to most websites sessions, which use another session, generally handled through a third-party service to handle payment...

Very few websites have 15min long sessions...

XSS is a type of vulnerability, not a thing you can "support".
You don't need cross-site access to do tracking, and first-party tracking (through IP, cookies, LocalStorage or whatever) also requires consent.

Public
Ric

@sgued @sinbad not trying to be argumentative here, so I'll start by saying much of GDPR and the DPAs which came before it are horribly open to interpretation - not clear-cut laws at all - so as DPOs and advisors we can have differing opinions...

Public
Ric

@sgued @sinbad but 😆...

PCI-DSS is actually relevant to everybody with a merchant bank, not just ecomm and not even just websites.

Few websites comply with the expiry requirement, granted. But as a web host we enforce it across all websites.

XSS itself is a tech, not a vulnerability. There are tonnes of XSS vulnerabilities for sure, where data is unreasonably exposed via the tech, but there are also legitimate use cases. Sadly, such as profiling by ad networks.

Public
Ric

@sgued @sinbad your ref to tracking requiring consent regardless of the tech used though, I'll admit is a trickier subject I'm not well versed in the legalities of.

AFAIK, in the UK at least, we don't have consent laws as such for that. GDPR includes clauses on the right to erasure, and as a person you can issue SARs to learn what information a party holds about you, making it possible to obtain and then request deletion of such data, but generally their collection just requires privacy policy.

Public
Ric

@sgued @sinbad in other words, companies tend to just rely on implied consent for actual data grabs. Their grab is outlined in their privacy policy, as should be a list of other parties they share with, and your use of the website + registration to, and submission of your data via forms and such, acts as implied consent with that policy.

It's specifically the dumping of data into cookies which we have actual, explicit opt-in requirements for. And also the use of contact info for email marketing

Public
Soso

@dev_ric There may be some country-specific questions, but the GDPR is pretty clear. The first point covers the case "the cookie/localstorage/whateverstorage is required for the site to function", which is what covers sessions cookies (as long as the session is not also used for tracking). GDPR is generic over any automated data handling. Not referencing a specific technology, and it shouldn't. It also applies to games, native apps, or even digital notes taken by support in a phone call.

What are the alternatives to consent? If you are looking for another lawful basis, these are set out in Article 6(1). In summary, you can process personal data without consent if it’s necessary for: - A contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract. - Compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can. - Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else. - A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can. If you are a UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities. - Legitimate interests: you can process personal data without consent if you need to do so for a genuine and legitimate reason (including commercial benefit), unless this is outweighed by the individual’s rights and interests. Please note however that public authorities are restricted in their ability to use this basis.
Public *
Soso

@dev_ric @sinbad
1. XSS refers to the vulnerability. Nobody says XSS to talk about intended cross-site scripts
2. Cross-site scripts have access to the LocalStorage
3. You don't need cross-site scripts to track users with third party cookies. You can have a first-party script that makes requests to a third-party that sets cookies for tracking.

If you use a third-party payment provider, PCI-DSS is irrelevant because the card info never goes through you: stripe.com/en-fr/guides/pci-co

Handling card data Some business models require the direct handling of sensitive credit card data when accepting payments, while others do not. Companies that need to handle card data (e.g. accepting untokenised PANs on a payment page) may be required to meet each of the 300+ security controls in PCI DSS. Even if card data only traverses its servers for a short moment, the company would need to purchase, implement and maintain security software and hardware. If a company does not need to handle sensitive credit card data, it shouldn't. Third-party solutions (e.g. Stripe Elements) securely accept and store the data, whisking away considerable complexity, cost and risk. As card data never touches its servers, the company would only need to confirm a few security controls, most of which are straightforward, such as using strong passwords.
Public
Ric

@sgued @sinbad PCI-DSS compliance comes in 3 tiers. A, AA, and AAA. If handling card data directly, you need AAA compliance. You're still generally handling things like billing and delivery address info though even if using a hosted payment solution and thus, at the discretion of your merchant bank, may still require A or AA level compliance. Compliance isn't just a website test - it's all about employee privileges and office security etc too.

ExploreLive feeds
About