35

If a user refuses cookies on a website, then how can that website store that refusal? As far as I can tell, the GDPR requires you to store both consent to and refusal of personal data storage. But it seems to me that there is a catch-22 here: they specifically refused the storage of their data, and now the website is supposed to store that somehow.

How can you store that information in a compliant way?

My initial thought is to use a cookie, but would that be non-compliant? They did just refuse the storage of cookies on their device... And if I store it in a database somewhere, how am I supposed to associate that refusal with that user if I can't store personal information?

According to the accepted answer to this question, you can use a userId or some such. But first of all that is in the context of consenting, not refusing, to cookies; secondly, if that identifier is associated with a user, then by definition it is personal data (right?) and therefore storing that information would be non-compliant.

Regarding the storage of consent, is it enough to store that in a cookie on the user's device or do you really need to store it in a database somewhere? That really seems superfluous to me.

2 Answers

37

The so-called 'cookie law' obliges you to inform the user about the site's cookies (or use of Storage or such on the user's computer) and ask for consent for those that are not "strictly necessary for the provision of an information society service requested by the subscriber or user".

It does not require you to seek consent for the use of any cookie no matter what function it has.

"Strictly necessary" cookies include those necessary for the website to comply with the law.

Per guidance from the Information Commissioner's Office (ICO) in the UK (see the example box), a cookie set in relation to such consent or refusal is fine - it's for compliance with the cookie law. I would expect similar guides throughout the EU.

You must consider its duration or lifespan: "For example, whilst it may be technically possible to set the duration of a cookie to “31/12/9999” this would not be regarded as proportionate in any circumstances."

And consider including information about it in your cookie policy or similar, so that users can find out more if they want.

Lag
4

Non-personalized cookies

GDPR is not about cookies, it's about processing personal or identifiable data, and even for that it has an explicit "legitimate need" basis that allows processing data as long as the data minimization principle is followed.

If the goal is to simply avoid repeatedly asking for the same thing, you don't need to know, store or process who refused consent - so the appropriate way to go would be to avoid any unique identifiers, session IDs, etc. and simply place a cookie "consent-request:refused" or something like that.

Peteris
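The two answers together describe one design: a first-party cookie whose value is a fixed word ("accepted" or "refused"), with no user ID, session ID or timestamp that could single out a visitor, and with a bounded lifetime rather than an effectively permanent one. The following is an added example, written for this page and not code from either answerer; the cookie name, the 180-day upper bound on lifetime and the cookie attributes are assumptions chosen for illustration, not values the answers or the ICO guidance specify.

```javascript
// Added example: recording a cookie-consent decision without any identifier.
// Cookie name, attributes and the lifetime bound below are assumptions for the example.

const CONSENT_COOKIE = "cookie-consent";   // assumed cookie name
const ALLOWED_STATES = new Set(["accepted", "refused"]);
const MAX_LIFETIME_DAYS = 180;             // assumed proportionate upper bound (not from the page)

// Build the Set-Cookie header value for a consent decision.
// The value is drawn from a fixed vocabulary, so the cookie says what the site
// should do next time, never who the visitor is.
function buildConsentSetCookie(state, lifetimeDays = MAX_LIFETIME_DAYS) {
  if (!ALLOWED_STATES.has(state)) {
    throw new Error(`unknown consent state: ${state}`);
  }
  // Refuse unbounded lifetimes: a cookie that never expires is not proportionate.
  if (!Number.isInteger(lifetimeDays) || lifetimeDays < 1 || lifetimeDays > MAX_LIFETIME_DAYS) {
    throw new Error(`lifetime must be 1..${MAX_LIFETIME_DAYS} days, got ${lifetimeDays}`);
  }
  const maxAgeSeconds = lifetimeDays * 24 * 60 * 60;
  return [
    `${CONSENT_COOKIE}=${state}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "SameSite=Lax",   // first-party preference; no need to send it cross-site
    "Secure",         // only transmitted over HTTPS
  ].join("; ");
  // Deliberately not HttpOnly: the banner script may read it to decide whether to show itself.
}

// Parse an incoming Cookie header and return the recorded decision, or null when
// there is none or the value is not one we recognise. A null means "show the banner
// and set no non-essential cookies" - the safe default.
function readConsentState(cookieHeader) {
  if (typeof cookieHeader !== "string") return null;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name === CONSENT_COOKIE) {
      return ALLOWED_STATES.has(value) ? value : null;
    }
  }
  return null;
}

// What the server should do on a given request, based only on the consent cookie.
function consentDecision(cookieHeader) {
  const state = readConsentState(cookieHeader);
  return {
    showBanner: state === null,
    allowNonEssentialCookies: state === "accepted",
  };
}

// Example run with a constructed Cookie header.
console.log(buildConsentSetCookie("refused", 30));
console.log(consentDecision("theme=dark; cookie-consent=refused"));
```

Because the cookie carries no identifier, nothing in it links the refusal to a person; the site only learns, on the next request, that this browser already answered and that it must not set non-essential cookies. A refusal is still honoured if the visitor clears cookies: the banner simply appears again, which is the expected behaviour rather than a failure.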