When you have something on that blog that is tracking users. Usually ads or Google Analytics. Ideally these things already bring in their own banners.
It is not about cookies. It is about tracking. Tracking through other means also needs the banner. Also cookies for a shopping cart or a login or user preferences do not need a banner.
If you have a large audience from the EU (GDPR), or California (CCPA), yes.
I’m pretty sure I’m wrong about the CCPA, as it’s more for businesses, and not a personal blog.
I’m not a lawyer, but privacy policy generators exist and it’s easy to slap it in a footer. I have them on my blog. Then again, I probably serve like 1000 visits a year and don’t have ads or anything. The analytics is for fun like seeing where people come from or what content is popular.
I also have those annoying banners but set them for a year, and only for those visitors from EU/California.
This is not true. The Europen ePrivacy direction (“Cookie Law”) specifically requires that cookies (and equivalents) which are not strictly necessary for the delivery of a requested service be explicitly consented to.
That means that cookies which store user preferences like dark mode require explicit consent, because you don’t need to store that cookie to deliver your service. Even though there is no way to store a preference without a cookie (or equivalent) so selecting the option could be construed as consenting to the requirements for making that particular feature work, that is not the way the law is written.
I’m not a lawyer, but I’d say that’s a case for implied consent.
Typical example is when you’re shopping and you hand the cashier the money that they’re asking for, then that counts as an agreement to a contract. You don’t have to explicitly say that you’d like to buy the wares for that price.
With the dark mode button, I’d expect the same. You’re very likely cool with them storing your preference, specifically for providing you with dark mode (not for tracking et al). So, pressing the button would presumably suffice as consent for that.
The wording of the law requires in general that the user be given a chance to decline information storage - “implied consent” is not an opportunity to decline. The exception is if the “information society service” is “explicitly requested by the user.” Again there is no opportunity for implied consent because the request must be explicit.
The only argument I can see is to attempt to subdivide the service offered by a website and call “dark mode” its own service. That seems clearly not to be the meaning here.
It’s worth saying that the ePrivacy directive binds legislatures; it’s not the law that website owners have to follow. Member states wrote their own laws to comply with it, but obviously those laws are going to conform to the general principles.
That means that cookies which store user preferences like dark mode require explicit consent, because you don’t need to store that cookie to deliver your service.
I don’t think dark mode is a good example. Why would you use cookies to see if somebody wants dark mode when we have CSS media queries to handle that?
When you have something on that blog that is tracking users. Usually ads or Google Analytics. Ideally these things already bring in their own banners.
It is not about cookies. It is about tracking. Tracking through other means also needs the banner. Also cookies for a shopping cart or a login or user preferences do not need a banner.
Hmmmm… do you have any more info? Is it as soon as I use any sort of analytics I need a privacy policy?
This really depends on where you live and what the laws there are. But most analytics usually already come with a policy you can copy and paste.
If those analytics do not process personal data, then you don’t.
At the very least, don’t use Google Analytics. To my knowledge, that’s currently illegal in the EU in general. See, for example: https://techcrunch.com/2023/07/03/google-analytics-sweden-gdpr-fines/
If you have a large audience from the EU (GDPR), or California (CCPA), yes.
I’m pretty sure I’m wrong about the CCPA, as it’s more for businesses, and not a personal blog.
I’m not a lawyer, but privacy policy generators exist and it’s easy to slap it in a footer. I have them on my blog. Then again, I probably serve like 1000 visits a year and don’t have ads or anything. The analytics is for fun like seeing where people come from or what content is popular.
I also have those annoying banners but set them for a year, and only for those visitors from EU/California.
Again – not a expert.
This is not true. The Europen ePrivacy direction (“Cookie Law”) specifically requires that cookies (and equivalents) which are not strictly necessary for the delivery of a requested service be explicitly consented to.
That means that cookies which store user preferences like dark mode require explicit consent, because you don’t need to store that cookie to deliver your service. Even though there is no way to store a preference without a cookie (or equivalent) so selecting the option could be construed as consenting to the requirements for making that particular feature work, that is not the way the law is written.
I’m not a lawyer, but I’d say that’s a case for implied consent.
Typical example is when you’re shopping and you hand the cashier the money that they’re asking for, then that counts as an agreement to a contract. You don’t have to explicitly say that you’d like to buy the wares for that price.
With the dark mode button, I’d expect the same. You’re very likely cool with them storing your preference, specifically for providing you with dark mode (not for tracking et al). So, pressing the button would presumably suffice as consent for that.
The wording of the law requires in general that the user be given a chance to decline information storage - “implied consent” is not an opportunity to decline. The exception is if the “information society service” is “explicitly requested by the user.” Again there is no opportunity for implied consent because the request must be explicit.
The only argument I can see is to attempt to subdivide the service offered by a website and call “dark mode” its own service. That seems clearly not to be the meaning here.
It’s worth saying that the ePrivacy directive binds legislatures; it’s not the law that website owners have to follow. Member states wrote their own laws to comply with it, but obviously those laws are going to conform to the general principles.
I don’t think dark mode is a good example. Why would you use cookies to see if somebody wants dark mode when we have CSS media queries to handle that?
Does that include importing fonts from fonts.google? Privacy badger sees it as a tracker but usually allows it, I think.
Someone sending out hundreds of notices about that in Germany was barred from doing that by a court. So I guess it’s all right.
Personally I wouldn’t like to depend so much on external services anyways. I’d rather host everything myself.
At a certain scale that becomes impractical and you have to use CDNs and cloud compute, or you’re big enough to build your own.