this post was submitted on 25 Sep 2023
75 points (98.7% liked)
Asklemmy
43858 readers
1993 users here now
A loosely moderated place to ask open-ended questions
Search asklemmy ๐
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The legal definition in the GDPR is:
The European Commission has a page expanding on it.
As you can see it's very vague, and it will probably take several court cases to define the boundaries.
Edit: there's currently a request to ECJ from a Dutch court to define the main boundaries (Case C-621/22) and there was already another (c13/16) setting some limits.
True but the GDPR is not the primary legislative instrument here since it deals with general rules for processing personal data. The ePrivacy directive (or PECR in UK) is more important when it comes to cookies since it deals with electronic communication.
The ePrivacy directive states that cookies and similar tracking technologies can only be dropped on a user device after obtaining consent, i.e. no other โGDPRโ legal bases such as legitimate interest are available. There is an exception for cookies that are essential or strictly necessary for the website to work. In such cases no consent needs to be obtained. This exception is narrowly interpreted by most EU supervisory authorities.
This may be subject to change though since the ePrivacy directive is in the process of being replaced by the ePrivacy regulation which is said to outline new rules for cookies.
The practical way this seems to be implemented is that sites report the bulk of cookies and default to off to comply with GDPR, then list a subset of cookies as legitimate interest-based and default those to on with an ambiguous "object" setting.
Guessing the idea behind it is legal advice that legitimate interest swaps from one ruleset to another, but like the previous poster said I'm not sure how well any of this is tested.