
Cookie Consent Logic Following GDPR guidelines


I haven't deployed a website since GDPR became a thing and I'm sort of confused about some of the logic I need to do server- and client-side to comply with GDPR. Sorry for the multiple questions here.

  1. Currently, I just have one 1st party cookie that stores a session cookie when a user logs in successfully. Should this be Opt-in? As in, should I prevent someone from logging in if they have not accepted cookies? If so, is there a standard in express.js of only setting cookies once cookies have been accepted?
  2. When a user declines cookies (logged in or not), where should I store the information that they have declined? Do I store it as a cookie with a binary value? Or does that go against the whole consent idea, since if a user rejects cookies I would then follow up by adding a cookie?
  3. Similarly, if a user accepts cookie consent, should that be stored as a cookie, as a binary value, so they don't get the cookie popup every time they refresh, or is there a better method?
  4. Say I added some more cookies to the site in the future, for example, Google Analytics. How do I prompt users with the cookie popup again, even if they had already accepted cookies prior to the Google Analytics cookies being added?

Are there any good resources out there about more in-depth cookie policy implementation, particularly with Express and React?


Solution

  • Here is how I understand the topic. This is no legal advice.

    Regarding #1, users are aware that logging in means making themselves known to the server, and the session cookie serves no other purpose than that. In other words: By pressing the "Login" button, they consent to that cookie (but that one only). The session cookie must be deleted from client and server when the user logs off again (because it has then reached the end of its purpose). Ideally, delete it from the server also when the user "logs off" by simply closing the browser.

    It is a different question how far you are allowed to "track" the actions of logged-in users. But that has got to do with the transparency of your application and nothing to do with cookies.

    Regarding #2 and #3, if your application uses no other cookies than the session cookie, you should not bother users with cookie pop-ups at all. Only after you start using other cookies (#4) must you confront this issue.