
GDPR: Log cookie consent?

ShadowHunter

New Member
Joined
Jun 4, 2018
Messages
2 (0.00/day)
Hello, I'm in doubt about the GDPR requirement to log cookie consent.

Given a normal webpage (no login), how do you keep track of who consents to cookies and who withdraws it? I believe you will only have the IP to log? But in turn, the IP is personal data... how should this be done?

Thanks!

ShadowHunter
 

silentbogo

Moderator
Staff member
Joined
Nov 20, 2013
Messages
5,473 (1.44/day)
Location
Kyiv, Ukraine
System Name WS#1337
Processor Ryzen 7 3800X
Motherboard ASUS X570-PLUS TUF Gaming
Cooling Xigmatek Scylla 240mm AIO
Memory 4x8GB Samsung DDR4 ECC UDIMM
Video Card(s) Inno3D RTX 3070 Ti iChill
Storage ADATA Legend 2TB + ADATA SX8200 Pro 1TB
Display(s) Samsung U24E590D (4K/UHD)
Case ghetto CM Cosmos RC-1000
Audio Device(s) ALC1220
Power Supply SeaSonic SSR-550FX (80+ GOLD)
Mouse Logitech G603
Keyboard Modecom Volcano Blade (Kailh choc LP)
VR HMD Google dreamview headset(aka fancy cardboard)
Software Windows 11, Ubuntu 20.04 LTS
You simply store it client-side in cookies.
Looks like this:
[image: gdpr.PNG]
 

ShadowHunter

Hi silentbogo,

Thanks for your feedback.

When it is stored client side, how can you prove that consent was given when a dispute is made? My understanding is that you are required to log it yourself? Or do I misunderstand this requirement?

Cheers,

ShadowHunter
 

silentbogo

ShadowHunter said: "When it is stored client side, how can you prove that consent was given when a dispute is made? My understanding is that you are required to log it yourself? Or do I misunderstand this requirement?"

It's basically up to the website owner to figure out how to log this. Here on TPU we have an identifier in cookies and most likely on servers; some sites only store a date of consent while the rest is logged server-side.

EU GDPR has no clear guidelines. Basically all they say is "you need to minimize the amount of sensitive info stored server-side and you need to let your users know that you are using cookies and that some of their info is stored on servers". They only say "what", but not "how" so in my opinion it's a total mess and it's absolutely pointless.

For more info you might wanna visit this website:
https://gdpr-info.eu/
All they have to say about consent logging is in Chapter 2 Article 7 (stupid to the point of laughable).
 
Joined
Dec 6, 2016
Messages
748 (0.28/day)
ShadowHunter said:
"Hello, I'm in doubt about the GDPR requirement to log cookie consent.

Given a normal webpage (no login), how do you keep track of who consents to cookies and who withdraws it? I believe you will only have the IP to log? But in turn, the IP is personal data... how should this be done?

Thanks!

ShadowHunter"


You can use the same anonymization method that Google Analytics uses:

"When a customer of Analytics requests IP address anonymization, Analytics anonymizes the address as soon as technically feasible at the earliest possible stage of the collection network. The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to the Analytics Collection Network. The full IP address is never written to disk in this case."

Don't forget to include a timestamp of consent.
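
The masking described in the post above, combined with the consent timestamp, as an added example (not code from this thread or from Google Analytics). The function names, the record fields and the handling of IPv4-mapped IPv6 addresses are assumptions made for illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Bits kept per address family, following the quoted description:
# IPv4 loses its last octet (keep 24 bits), IPv6 loses its last 80 bits (keep 48).
KEEP_BITS = {4: 24, 6: 48}


def anonymize_ip(raw):
    """Return the address as text with its low-order bits set to zero."""
    addr = ipaddress.ip_address(raw.strip())  # raises ValueError on bad input
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is a client's IPv4 address
    # as seen on a dual-stack socket; mask it as IPv4 so the result stays useful.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)


def consent_record(remote_ip, granted, now=None):
    """Build one JSON log line; only the masked address reaches the log."""
    now = now or datetime.now(timezone.utc)
    return json.dumps({
        "ts": now.isoformat(timespec="seconds"),
        "ip": anonymize_ip(remote_ip),
        "consent": "granted" if granted else "withdrawn",
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    for ip, granted in [("203.0.113.57", True),
                        ("2001:db8:abcd:12:34:56:78:9a", True),
                        ("::ffff:203.0.113.57", False)]:
        print(consent_record(ip, granted))
```

Call `anonymize_ip` on the remote address before anything is written, so the full address exists only in memory, as in the quoted description.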
 