Cookie Consent Logic Following GDPR guidelines

I haven't deployed a website since GDPR became a thing and am sort of confused about some logic I need to do server- and client-side to comply with GDPR. Sorry for the multiple questions here.

  1. Currently, I just have one 1st-party cookie that stores a session cookie when a user logs in successfully. Should this be opt-in? As in, should I prevent someone from logging in if they have not accepted cookies? If so, is there a standard in express.js of only setting cookies once cookies have been accepted?
  2. When a user declines cookies (logged in or not), where should I store this information that they have declined? Do I store it as a cookie with a binary value? Or does that go against the whole consent idea, if a user rejects cookies but then I follow up by adding a cookie?
  3. Similarly, if a user accepts cookie consent, should that be stored as a cookie, as a binary value, so they don't get the cookie popup every time they refresh, or is there a better method?
  4. Say I added some more cookies to the site in the future, for example, Google Analytics. How do I prompt users with the cookie popup again, even if they had already accepted cookies prior to the Google Analytics cookies being added?

Are there any good resources out there about more in-depth cookie policy implementation, particularly with Express and React?

Here is how I understand the topic. This is no legal advice.

Regarding #1, users are aware that logging in means making themselves known to the server, and the session cookie serves no other purpose than that. In other words: by pressing the "Login" button, they consent to that cookie (but that one only). The session cookie must be deleted from client and server when the user logs off again (because it has then reached the end of its purpose). Ideally, delete it from the server also when the user "logs off" by simply closing the browser.

It is a different question how far you are allowed to "track" the actions of logged-in users. But that has got to do with the transparency of your application and nothing to do with cookies.

Regarding #2 and #3, if your application uses no other cookies than the session cookie, you should not bother users with cookie pop-ups at all. Only after you start using other cookies (#4) must you confront this issue.
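The mechanics the questioner asks about in #2 to #4, as an added example (framework-free JavaScript that an Express handler could call; not code from the question or the answer). It assumes the decision may be recorded in a first-party cookie whose only job is to remember the choice, and uses a policy version number so that adding Google Analytics later re-prompts users who accepted an older version; the cookie names, the `v2:accepted` value format and the categories are constructed for the example.

```javascript
// Added example, not from the question or answer: framework-free consent logic
// that an Express handler could call. Constructed cookie format: "v2:accepted".
const POLICY_VERSION = 2; // bump this when new cookies (e.g. analytics) are added

// Parse a raw Cookie request header into a name -> value object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the recorded decision; an absent or malformed cookie counts as undecided.
function readConsent(cookies) {
  const m = /^v(\d+):(accepted|declined)$/.exec(cookies.cookie_consent || "");
  if (!m) return { decided: false, version: 0, accepted: false };
  return { decided: true, version: Number(m[1]), accepted: m[2] === "accepted" };
}

// Show the banner again when nothing is recorded or the recorded decision
// predates the current policy (question #4: Google Analytics added later).
function needsPrompt(consent) {
  return !consent.decided || consent.version < POLICY_VERSION;
}

// Decide whether a cookie of the given category may be set on this response.
// The login session cookie is "essential" and never gated (question #1).
function maySetCookie(category, consent) {
  if (category === "essential") return true;
  return consent.decided && consent.accepted && consent.version >= POLICY_VERSION;
}

// Set-Cookie value recording the decision (questions #2 and #3). A "declined"
// value is stored too, so the banner is not shown on every refresh.
function consentSetCookie(accepted) {
  const value = `v${POLICY_VERSION}:${accepted ? "accepted" : "declined"}`;
  return `cookie_consent=${value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// Logout: expire the session cookie in the browser. The server must also drop
// its own session record (with express-session, req.session.destroy()).
function clearSessionCookie(name) {
  return `${name}=; Max-Age=0; Path=/; HttpOnly; SameSite=Lax; Secure`;
}
```

Wire `needsPrompt` into the response that renders the page and `maySetCookie` in front of every non-essential `res.cookie` call; a user who accepted `v1` is prompted again once the version is bumped, while their login session keeps working.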
