Question about GDPR

So… I need to use a cookie to store whether the user is banned from the site or not… that’s pretty much it.
The cookie would only store the value “true” or “false”.

Do I have to include a cookie message if I only store this one important cookie?

Hi there @LankyBox01!
I am not a lawyer, nor should this post be taken as legal advice. Whenever in doubt, consult a solicitor.
First and foremost, GDPR only applies to countries in the EU. (The UK also has “UK GDPR” since it left the EU).
I am from the UK, so I will actually be talking about UK GDPR, but from what I can understand, it’s the same.

Cookies and GDPR

According to the ICO, if a cookie is unlikely to be or contribute to “personal information”, GDPR regulations won’t apply. I would assess that a cookie with this true or false value does not constitute personal information.
But, to be honest, a cookie to keep a user blocked isn’t really good practice anyway. A cookie can easily be edited, deleted, and viewed by the user, whether through the console or the cookies window provided in most browsers. A better option would be to use sessions (such as express-session on npm, with a session store such as MongoDB).


Cookies and PECR

I wrote this message before realising that I was talking about the UK-only regulations, PECR, and not GDPR. The message below may be useful for websites operating in the UK, so I am keeping it here.
According to Regulation 6 of PECR, you need to:

  • tell people the cookies are there;
  • explain what the cookies are doing and why; and
  • get the person’s consent to store a cookie on their device.

However, there are some exemptions, which apply when:

  • the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

The ICO (the UK’s public body that is responsible for privacy) says that some examples of this would be if:

  • they are used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
  • they are session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
  • they are load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.

In the case of a cookie that blocks users, this will probably not count as “essential to comply with data protection security”, but instead “essential for your own purposes”, which means you’ll have to ask for consent.
But, to be honest, a cookie to keep a user blocked isn’t really good practice anyway. A cookie can easily be edited, deleted, and viewed by the user, whether through the console or the cookies window provided in most browsers. A better option would be to use sessions (such as express-session on npm), which would only set a session cookie, which is likely acceptable to use without consent.

Sources for this answer are from the ICO page “Cookies and similar technologies”. You can view it here:

6 Likes

No, you don’t have to 🙂

You only need to use a cookie banner if you use cookies for purposes that are not required for your site to work (such as tracking).

1 Like

I am not a lawyer, nor should this post be taken as legal advice. Whenever in doubt, consult a solicitor.

^ same as eddiestech ^
Actually, express-session still relies on the client to send data identifying the user from other users. This data is easily removable in your browser, so you’ll want to ban based on something that’s a bit harder to change, like IP (and NO, you do not have to use PHP to IP ban).

Funnily enough, though, according to the California Consumer Privacy Act (CCPA), if the user is in California they have the right to force you to delete their personal data, so technically they can force you to delete their IP bans unless you fall under one of the exceptions.

1 Like

Yes, you are right. Complete oversight on my part. The best way would probably be to use Cloudflare or another service to block IPs. Cloudflare has an API, so you could possibly programmatically add the IP to be banned, @LankyBox01.

2 Likes

Yeah, I originally used that, but I think it limits how many rules you can have, so you’d have to go for an even more advanced solution using other Cloudflare features. If you want me to elaborate on other solutions, feel free to reply.