By default, I try not to rant about things. I try to be as truthful and complete as possible. I try to be informed. I try to give sound advice based on the knowledge I have and be open for alternative idea.
Nevertheless, often whatever you do, you encounter something that is so mind-boggling bend you could just say what need to be said and be done.
Being European-based, GDRP is a hot topic. It is so hot that many opinions have formed and it feels like everyone with a legal background seems to have some solution and some problem that is left. And there is nothing wrong with that. When it starts going bad is when big-corp lawyers start going astray.
We have had substantial long discussions on why some cookies are used and how some of them you control and others you don’t. Like if you integrate Twitter into your home page or add inline YouTube movies some cookies all of a sudden pop up. There is little you can do about it. Just be honest and open. State clearly that these cookies are there and be done with it.
Obviously, that wasn’t good enough. It should be possible for the end-user to turn these on or off since that was “what other sites did” too. Even though we brought a bunch of arguments and proof that that is not the case the ship had sailed, no turning back.
Eventually the legal team came up with another solution to the “problem” that they had created themselves based on their read of the GDPR rules. Rather than trying to understand the issue, they decided the way forward was to disable all cookies. Then obviously, there was no issue left.
They literally made the poor cookie into the pinnacle of their GDPR policy. Eliminate the cookie and you are free of GDPR worries.
As much as I would like to agree with the legal team, they could not have been further from the truth.
To understand cookies, you have to know how cookies came to be. Originally, cookies did not exist. When you would visit a website and you would log in, your identity had to be passed from page to page. That involved a lot of work and all pages were dynamically generated. About 25 years ago when computer power was not commodity, this involved substantial costs. Would it be a good idea to “by default” be able to get a reference returned in the header of the request? You can set it at first visit and return it with every subsequent visit. The cookie was born.
Note that the cookie was a technological improvement on something that could be solved differently albeit requiring more resources.
The bottom line is that switching off cookies does not make your website more or less GDPR compliant.
As a blissful side story, we received word yesterday that cross-site cookie sharing will be stopped at the web browser side in the near future. See https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
Hopefully, this will put to rest a lot of abuse by big tech that has gone unidentified for year and restores our fate in the good old tiny friend the cookie bringing it back to the stage as the elegant solution for an annoying problem that is was intended to solve.
It is Nexperteam’s ambition to bring clarity and the technical knowledge to the table when it comes to your web presence. If you have issues or feel you need additional information on anything web related, feel free to reach out to us.