Tags: asp.net-core, cookies, asp.net-core-mvc, session-cookies, privacy

Am I doing/handling the GDPR privacy alert correctly inside my code


I am working on an ASP.NET Core MVC web application for users' registration within our system, and we have the following scenario:

1) When a user accesses the web application, they enter their registration number.

2) Then they click on submit and fill in the registration form.

3) We want to track the users who enter step one but do not complete the registration.

Since I am tracking users' actions, I enabled the GDPR support inside my application by following these steps: https://learn.microsoft.com/en-us/aspnet/core/security/gdpr?view=aspnetcore-2.2 . Using the following code, I am able to check whether the user accepted the privacy alert or not:

// ITrackingConsentFeature is populated by the cookie policy middleware
var consentFeature = HttpContext.Features.Get<ITrackingConsentFeature>();
var canTrack = consentFeature.CanTrack;

If canTrack returns true (the user accepted the privacy alert) then I will track the users' actions, while if canTrack returns false (the user did not accept the privacy alert) I will not track the user's actions. So am I doing things correctly?


Solution

  • The question of whether or not that is compliant with GDPR is one you won't find an answer to on SO, but your question on whether or not you are using the consent mechanism in ASP.NET Core correctly can be answered.

    First, I suggest you read up on the bigger picture; here is an article from MS:

    https://learn.microsoft.com/en-us/aspnet/core/security/gdpr?view=aspnetcore-3.1

    In essence, you need something like this to handle the consent banner.

    @{
        var consentFeature = Context.Features.Get<ITrackingConsentFeature>();
        var showBanner = !consentFeature?.CanTrack ?? false;
        var cookieString = consentFeature?.CreateConsentCookie();
    }
    
    @if (showBanner)
    {
        <div id="cookieConsent" class="alert alert-info alert-dismissible fade show" role="alert">
            Use this space to summarize your privacy and cookie use policy. <a asp-page="/Privacy">Learn More</a>.
            <button type="button" class="accept-policy close" data-dismiss="alert" aria-label="Close" data-cookie-string="@cookieString">
                <span aria-hidden="true">Accept</span>
            </button>
        </div>
        <script>
            (function () {
                var button = document.querySelector("#cookieConsent button[data-cookie-string]");
                button.addEventListener("click", function (event) {
                    document.cookie = button.dataset.cookieString;
                }, false);
            })();
        </script>
    }
    

    The key point here is that it is your responsibility to present the user with a consent dialog and report back the response. The ASP.NET framework will help web developers track user consent status and there is a standardized API for managing this, which is essential since this will enable adhering to user consent even in third party middleware etc.

    Which brings us to the next point: it is your responsibility to ensure that all your code, as well as any third party code you pull in, follows this. If you have any third party dependencies you need to check the documentation for those (or possibly use the web browser's debug tools to verify) that they do not store cookies nor send off requests to third parties.

    Any JavaScript libraries, such as Google Analytics or whatever telemetry you use, also need to take this into account. This you have to solve on the JavaScript side. Check the documentation. Here is a checklist for Google Analytics. For Application Insights, there is the window.appInsights.config.isCookieUseDisabled property that you may need to set. Looks like automatically adhering to the ASP.NET Core consent tracking is still an open issue.

    So in short, looks like you are on the right track, but you likely need to do more.
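As an added example (not code from the question, the answer or the Microsoft docs), here is how the check from the question fits into a minimal ASP.NET Core 6+ app for the three-step flow: the cookie policy middleware is what populates ITrackingConsentFeature, and the explicit CanTrack check is what protects server-side tracking, which the middleware cannot suppress. IAbandonmentStore, InMemoryAbandonmentStore, RegistrationController and the Form/Done views are hypothetical names.

```csharp
using System.Collections.Concurrent;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
// Require consent until the consent cookie exists (IsEssential cookies are still written).
builder.Services.Configure<CookiePolicyOptions>(o => o.CheckConsentNeeded = _ => true);
builder.Services.AddSingleton<IAbandonmentStore, InMemoryAbandonmentStore>();
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseCookiePolicy();   // populates ITrackingConsentFeature; must run before MVC
app.MapDefaultControllerRoute();
app.Run();

// Hypothetical store for "entered step one but never finished" registrations.
public interface IAbandonmentStore
{
    void RecordStarted(string registrationNumber);
    void RecordCompleted(string registrationNumber);
}
public sealed class InMemoryAbandonmentStore : IAbandonmentStore
{
    private readonly ConcurrentDictionary<string, bool> _done = new();
    public void RecordStarted(string n) => _done.TryAdd(n, false);
    // Only flips an entry consent allowed us to create; a user who declined never gets one.
    public void RecordCompleted(string n) => _done.TryUpdate(n, true, false);
}
public class RegistrationController : Controller
{
    private readonly IAbandonmentStore _store;
    public RegistrationController(IAbandonmentStore store) => _store = store;

    [HttpPost]
    public IActionResult Start(string registrationNumber)   // step 1
    {
        // The question's check, made null-safe: the feature is absent when
        // UseCookiePolicy is not in the pipeline, and absent must mean "no".
        var canTrack = HttpContext.Features.Get<ITrackingConsentFeature>()?.CanTrack ?? false;
        // The middleware suppresses only non-essential cookies; a server-side
        // write like this is never blocked, so the explicit check is required.
        if (canTrack) _store.RecordStarted(registrationNumber);
        return RedirectToAction("Form", new { registrationNumber });   // step 2
    }

    [HttpPost]
    public IActionResult Complete(string registrationNumber)   // step 2 submitted
    { _store.RecordCompleted(registrationNumber); return View("Done"); }
}
```

The banner from the answer still has to set the consent cookie on the client; until it does, CanTrack stays false and Start records nothing.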