The consent request needs to indicate whether "tracking" is required

[robrwo]

HTTP is a stateless protocol, so cookies are used to track users for legitimate reasons, such as whether they are logged in, or for remembering user selections (shopping cart id/contents).

The user is free of course to withdraw consent, but there should be a machine-readable indicator to tell the user that the website may not work properly without the consent.

[michael-oneill]

Would this be covered by an option to include the names and purposes for storage items e.g. cookies, locaStorage items, indexedDB databases etc. , and whether these storage items are being declared as "strictly necessary to fulfil a requested purpose" or otherwise exempted from the prior consent requirement?

[coolharsh55]

What do you mean by "website may not work properly ..."? If some service/functionality is conditional upon the consent, then it should not be activated/loaded until the consent has been granted. Similarly, the website must decide what it wants to do if consent is not granted (e.g. refuse to work, show a notice to user, show non-personalised ads, etc.). As @michael-oneill mentioned above, depending on what the purpose is, it can be used as legitimate interest rather than consent. This is not something the signal should be used to indicate IMHO. The existence of a purpose within the signal should only indicate its conditionality execution on having consent. Otherwise we'll be replacing banners and dialogues with the same amount of information in an ADPC dialogue!

[robrwo]

HTTP Authentication is not fit for purpose, and rarely used by most websites that have login functionality.

For a website to track that the user is logged in, it needs to track the user. For a website to maintain any information about a user (logged in, items in a shopping cart, etc.) it needs to track the user. There is no way around this.

Most websites do this with a cookie.

it can be used as legitimate interest rather than consent. This is not something the signal should be used to indicate IMHO.

This signal is intended to replace the cookie warnings that websites currently implement with something built-in to the user agent. Those cookie warnings usually mention that some kinds of cookies are required.

Part of consent is notification. It's legitimate to tell users that some cookies are required for the website, and if they do not consent, then they cannot use the website.

If websites leave out the "legitimate" cookies, then users will not trust the technology.

[michael-oneill]

@coolharsh55 I was refering to the exemptions under the ePrivacy Directive, which in the online context take precidence over the rules about the processing of personal data. The only legal way to access browser storage is either after the user has given valid consent, or if the purpose claims one of the 2 exemptions (from the consent requirement) in A5.3 of 2009/136/EC, i.e. if the storage is solely used to support the underlying communications mechanism, or that it is strictly necessary to fulfil a purpose requested by the user. Notice the past tense of "requested", the storage can only be used after the user has requested the service.
In all circumstances the user must be informed, and it would make sense if this information was delivered in a "machine readable" format in the same way as the purposes for processing are delivered.

[coolharsh55]

@michael-oneill I disagree that ePrivacy Directive takes precidence over rules about processing of personal data, which would be GDPR. They are both applicable. Where it overlaps, both requirements have to be met. For example, consent where required under ePrivacy Directive (e.g. cookies) must follow its guidelines, and also the valid consent requirements from GDPR when involving personal data. The "exemption" under ePD does not 'negate' or 'override' GDPR, but fits within the legitimate interest bracket of legal bases rather than consent. It has been clarified that if the only cookies used are in relation to these purposes, the cookie banner need not be shown. Case in point: see GitHub's removal of cookie banners. So the notion that when cookies are "legitimately needed for the website to function" require "notice & consent" is a false one.

[coolharsh55]

More important, cookies by themselves are nothing but pieces of data. The ADPC relates to the purposes of those cookies, i.e. advertising, tracking, personalisation. The website must be configured to implement what it must do if these purposes are not given consent to. E.g. if consent to personalisation is not given, the corresponding cookie placement and processing activities must not take place.

[michael-oneill]

I meant that all cookies (and any other client-side storage) , whether containing personal data or not, is covered by ePrivacy. Of course GDPR also further describes what constitutes valid consent, but the other legal bases, more specifically "legitimate interest", make no sense online.

[gb-noyb]

HTTP is a stateless protocol, so cookies are used to track users for legitimate reasons, such as whether they are logged in, or for remembering user selections (shopping cart id/contents).

The user is free of course to withdraw consent, but there should be a machine-readable indicator to tell the user that the website may not work properly without the consent.

As others already noted, if a cookie is necessary for the website to work properly, there is no need to request consent for it. Does this resolve the issue?

[Klukies]

As others already noted, if a cookie is necessary for the website to work properly, there is no need to request consent for it. Does this resolve the issue?

I want to point out real quick that following the information provided by the GDPR site. It is not required to request consent, but it is required to inform the user about this. So this should be implemented in some way I think?

[gb-noyb]

I want to point out real quick that following the information provided by the GDPR site. It is not required to request consent, but it is required to inform the user about this.

That is roughly my understanding too, for any cookies that qualify as personal data; however I am not a lawyer, and even lawyers seem to debate about the exact meaning of the law (especially as the e-Privacy Directive and GDPR interact here). I am not sure what the requirements for ‘informing the user’ would be here; it may suffice to put the information in a website’s privacy policy (that is at least a common interpretation).

Note by the way that what you call “the GDPR site” is just one of many such unofficial sites; effectively an advertisement.

So this should be implemented in some way I think?

We could specify more features in the protocol that let websites inform users about data processing that does not require consent; perhaps limiting this to information about ‘necessary cookies’, or perhaps also including other types of processing. Standardising such information to make it machine-readable seems a deep rabbit-hole that we rather avoid tumbling into, though we could consider e.g. adding a field to link to a human-readable privacy policy. On the other hand, other ways have also been proposed to do exactly this, such as the <link rel="privacy-policy" …> of RFC 6903; so it is not obvious to me that we should add such a field to ADPC. On such questions, it seems worthwhile to collect feedback and discuss the needs and possibilities.

[robrwo]

This is not the "GDPR Protocol". Even if GDPR or other privacy regulations allow some forms of tracking without asking the user's consent, it is important to notify the user about those forms of tracking. Part of consent (moral, not legal) is notifying the user.