Anyone have a clear answer for this question?
When you have something on that blog that is tracking users. Usually ads or Google Analytics. Ideally these things already bring in their own banners.
It is not about cookies. It is about tracking. Tracking through other means also needs the banner. Also cookies for a shopping cart or a login or user preferences do not need a banner.
Hmmmm… do you have any more info? Is it as soon as I use any sort of analytics I need a privacy policy?
This really depends on where you live and what the laws there are. But most analytics usually already come with a policy you can copy and paste.
If those analytics do not process personal data, then you don’t.
At the very least, don’t use Google Analytics. To my knowledge, that’s currently illegal in the EU in general. See, for example: https://techcrunch.com/2023/07/03/google-analytics-sweden-gdpr-fines/
If you have a large audience from the EU (GDPR), or California (CCPA), yes.
I’m pretty sure I’m wrong about the CCPA, as it’s more for businesses, and not a personal blog.
I’m not a lawyer, but privacy policy generators exist and it’s easy to slap it in a footer. I have them on my blog. Then again, I probably serve like 1000 visits a year and don’t have ads or anything. The analytics is for fun like seeing where people come from or what content is popular.
I also have those annoying banners but set them for a year, and only for those visitors from EU/California.
Again – not an expert.
Does that include importing fonts from fonts.google? Privacy Badger sees it as a tracker but usually allows it, I think.
Someone sending out hundreds of notices about that in Germany was barred from doing that by a court. So I guess it’s all right.
Personally I wouldn’t like to depend so much on external services anyways. I’d rather host everything myself.
At a certain scale that becomes impractical and you have to use CDNs and cloud compute, or you’re big enough to build your own.
This is not true. The European ePrivacy directive (“Cookie Law”) specifically requires that cookies (and equivalents) which are not strictly necessary for the delivery of a requested service be explicitly consented to.
That means that cookies which store user preferences like dark mode require explicit consent, because you don’t need to store that cookie to deliver your service. Even though there is no way to store a preference without a cookie (or equivalent) so selecting the option could be construed as consenting to the requirements for making that particular feature work, that is not the way the law is written.
I’m not a lawyer, but I’d say that’s a case for implied consent.
Typical example is when you’re shopping and you hand the cashier the money that they’re asking for, then that counts as an agreement to a contract. You don’t have to explicitly say that you’d like to buy the wares for that price.
With the dark mode button, I’d expect the same. You’re very likely cool with them storing your preference, specifically for providing you with dark mode (not for tracking et al). So, pressing the button would presumably suffice as consent for that.
The wording of the law requires in general that the user be given a chance to decline information storage - “implied consent” is not an opportunity to decline. The exception is if the “information society service” is “explicitly requested by the user.” Again there is no opportunity for implied consent because the request must be explicit.
The only argument I can see is to attempt to subdivide the service offered by a website and call “dark mode” its own service. That seems clearly not to be the meaning here.
It’s worth saying that the ePrivacy directive binds legislatures; it’s not the law that website owners have to follow. Member states wrote their own laws to comply with it, but obviously those laws are going to conform to the general principles.
That means that cookies which store user preferences like dark mode require explicit consent, because you don’t need to store that cookie to deliver your service.
I don’t think dark mode is a good example. Why would you use cookies to see if somebody wants dark mode when we have CSS media queries to handle that?
If you’re using Google Analytics, check out “consent mode.” You still need a banner but it can be super simple — there’s probably a plugin for your blogging platform.
You’re only required to have one if you’re in the EU or are actively targeting an EU audience. You can have EU visitors to your blog without having to worry about GDPR. (And in reality, they aren’t going to come after a personal blog using basic analytics. They fine companies doing egregious things where the fine is worth the effort.)
Are you using some kind of third-party for ads, analytics, comment system, social login or link sharing?
Using analytics. Got any info on how to deal with this?
Now how to technically do this I’m not sure, but from what I can read, the cookies should be blocked until the user takes an action to let them through.
GDPR requirements.
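One way to implement the "block until the user takes an action" behaviour mentioned in the last reply, as an added example that is not from any poster in the thread: non-essential loaders are queued per category and only run once the banner's accept handler calls `grant()`. The names `createConsentGate`, `memoryStorage` and the `consent.v1` key are hypothetical, and the in-memory storage stands in for `localStorage` so the code runs outside a browser.

```javascript
// Added example. createConsentGate, memoryStorage and the "consent.v1" key are
// hypothetical names, not part of any analytics product or consent plugin.
function memoryStorage() {            // stand-in for window.localStorage
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

function createConsentGate(storage, key = "consent.v1") {
  const pending = new Map();          // category -> loaders held back
  let granted = new Set();
  try {
    const saved = JSON.parse(storage.getItem(key) || "[]");
    if (Array.isArray(saved)) granted = new Set(saved.filter((c) => typeof c === "string"));
  } catch (_) {
    granted = new Set();              // unreadable record: treat as no consent
  }
  const persist = () => storage.setItem(key, JSON.stringify([...granted]));

  return {
    // Runs the loader now only if its category was already granted; else queues it.
    register(category, loader) {
      if (granted.has(category)) { loader(); return true; }
      if (!pending.has(category)) pending.set(category, []);
      pending.get(category).push(loader);
      return false;
    },
    // Call from the banner's "accept" handler. Returns how many loaders were released.
    grant(category) {
      granted.add(category);
      persist();
      const queue = pending.get(category) || [];
      pending.delete(category);
      queue.forEach((load) => load());
      return queue.length;
    },
    // Call when the visitor withdraws consent; later page loads start blocked again.
    revoke(category) {
      granted.delete(category);
      persist();
    },
    isGranted: (category) => granted.has(category),
  };
}

// In a browser the loader would be the code that injects the analytics <script>,
// for example: gate.register("analytics", () => document.head.appendChild(tag));
```

A visitor who never accepts leaves the loader queued, so the analytics script is never requested and sets no cookies on that page load.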