My website presents the visitor with the choice of opting out of using cookies....

  • Context: PHP
  • Thread starter: sbrothy
... as I (perhaps naively) think is mandated by law. I realize it depends on what I use the cookies for, if anything at all, which is pretty much the case right now, as there's no registration or login. I then stumbled across this:

[...] be aware that essential cookies can be stored regardless (and are not required to be consented to by the cookie law). These are cookies that are functionally required for the site (let's say a login token that remembers you as an authenticated user). As long as they don't store any PII or are stored by a third party, this is fine. [...]
----https://www.reddit.com/r/webdev/comments/1dpev4m/what_actually_happens_when_user_rejects_cookies/

As (I think) @pbuk said: "You're in way over your head" and I happily agree. I can swallow a lot of camels :woot: . I realize I can read up on this (and I will!), it's just that sometimes it helps to articulate the question before moving on.

Do(es?) anyone on here have experience in this regard?
 
Cookie law is a funny beast. Each country or region may have a different take on it. The law is based on where the user is from and not where the website is hosted.

European regulations often dictate how a website should respond, especially if the website is small or caters to EU members (e.g., EU languages, EU pricing, and shipping conventions).

With respect to cookies, those that aren't necessary for the site's functioning are considered non-essential and are subject to applicable laws and regional restrictions.

While income-providing, website owners should avoid hosting advertising networks, such as Amazon's, that track people across sites via super-cookie schemes or site analytics networks like Google Analytics that collect user information.

VPNs throw a monkey wrench into things, where a website can't always correctly determine where the user is coming from, and so it adopts the EU standards since they are the most comprehensive and end-user-friendly.

The practical advice for small websites:
  • Use the stricter EU-style consent model for everyone.
  • Don’t rely heavily on geolocation.
  • Avoid unnecessary tracking cookies.
Regulators understand that website owners can't perfectly determine where users come from, but you, as a website owner, must make a reasonable attempt to determine users' locations.

---


If you do go the banner route, then you can base the banner text on where you believe the user is coming from, but you should offer options to accept all or reject all non-essential cookies. Interestingly, sites that do this never specify which cookies are non-essential because it may scare users or expose them to liability if, at some point, they add new non-essential cookie schemes and forget to list them.

Website owners can offer a cookie menu where users can select which cookies to accept or reject.

It's your duty to honor these requests, which raises the question of how to do so without using cookies to record choices.

However, a website owner could argue that choice-recording cookies are essential for legal compliance.

The choice is yours. We will be watching. — Klaatu, Barada, and Nikto
 
Cookies are often necessary to keep track of the progress of each user in navigating a website. Any website that can not use any cookies has very little that it can do except to show one display to everyone.
 
FactChecker said:
Cookies are often necessary to keep track of the progress of each user in navigating a website. Any website that can not use any cookies has very little that it can do except to show one display to everyone.
Well technically I can send the session cookie id around using the URL. I realize this opens for hijacking and probably a bunch of other problems, and honestly, I don't want to go there. Then again, as I don't make any money on my website, and use no real 3rd party videos, I may perhaps be in the clear?
 
sbrothy said:
Well technically I can send the session cookie id around using the URL. I realize this opens for hijacking and probably a bunch of other problems, and honestly, I don't want to go there.

No, don't go there.

sbrothy said:
Then again, as I don't make any money on my website, and use no real 3rd party videos, I may perhaps be in the clear?

Doesn't matter, your site is based in the EU so you need to follow (your local implementation of) EU cookie law.

sbrothy said:
I realize it depends on what I use the cookies for

Yes it does.

sbrothy said:
there's no registration or login

Then what are you using cookies for? Note that the law does NOT say "you need to get consent if you are using cookies for X, Y or Z", it says "you don't need to get consent if you are only using cookies for essential site functionality". If you are not actually using the cookies then you need to get consent (or stop sending them).
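
Added example, not code from any participant in this thread: PHP 7.3+ session and cookie handling that keeps the session ID out of URLs (the option rejected above), starts a session only where the site actually uses one, and sends non-essential cookies only after a recorded "accept". The `cookie_consent` name, the helper functions and the retention periods are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names: CONSENT_COOKIE and the helper functions below are
// illustrative and do not come from the thread.
const CONSENT_COOKIE = 'cookie_consent';

// Keep the session ID out of URLs: accept it from cookies only, disable
// transparent URL rewriting, and reject IDs the server did not issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

function cookie_options(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

// Call this only on pages that need a session (e.g. login), so pages that
// do not use one never send a session cookie.
function start_essential_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'lifetime' => 0, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Record the banner choice; 180 days is an assumed retention period.
function record_consent(string $choice): void
{
    if (!in_array($choice, ['accept', 'reject'], true)) {
        throw new InvalidArgumentException('unknown consent choice');
    }
    setcookie(CONSENT_COOKIE, $choice, cookie_options(time() + 180 * 86400));
}

// Send a non-essential cookie only when 'accept' was explicitly recorded.
function set_optional_cookie(string $name, string $value): bool
{
    if (($_COOKIE[CONSENT_COOKIE] ?? '') !== 'accept') {
        return false; // no choice recorded, or rejected: send nothing
    }
    return setcookie($name, $value, cookie_options(time() + 30 * 86400));
}
```

All of these calls emit headers, so they must run before any page output is sent.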
 
pbuk said:
No, don't go there.

Doesn't matter, your site is based in the EU so you need to follow (your local implementation of) EU cookie law.

Yes it does.

Then what are you using cookies for? Note that the law does NOT say "you need to get consent if you are using cookies for X, Y or Z", it says "you don't need to get consent if you are only using cookies for essential site functionality". If you are not actually using the cookies then you need to get consent (or stop sending them).
Thank you. As always with you "succinct is verbose for terse". :smile:
 
pbuk said:
No, don't go there.

Doesn't matter, your site is based in the EU so you need to follow (your local implementation of) EU cookie law.

Yes it does.

Then what are you using cookies for? Note that the law does NOT say "you need to get consent if you are using cookies for X, Y or Z", it says "you don't need to get consent if you are only using cookies for essential site functionality". If you are not actually using the cookies then you need to get consent (or stop sending them).
But to be serious I planned on using the cookies for exactly that: registration and login. To what purpose I haven't yet thought out (well really for "debitors" and "creditors" to leave their information, it is a legitimate business after all). I'll start with a guestbook though.....