If the data collected is not personally identifying data, then GDPR is not interested in it. Maybe it is PII, but the quoted policies don't say that.
> We may also use cookies, device information and IP addresses, along with clear GIFs, cookies and third party services to help us understand in the aggregate how users engage with our products, …
This brings up an interesting point: cookies are not just for user/session identification. Yes, that's how the majority of the apps work, but instead, it's totally possible to use cookies to customize a site's experience, feature by feature. A cookie for the theme, a cookie for the font prefs, etc. Yet most sites still insist on logging the user in to customize the experience, and rely on some central storage to determine user preferences.
Wasn't there some website where you could pull a relatively small number of easily accessible prefs from the browser (OS, list of fonts, browser, etc.) and get a nearly uniquely identifying set of facts about someone?
This is a terrible use case for cookies. Any browser reset or change, new computer, your phone, etc., and you need to redo the whole experience every time. I'd rather log in and customize once.
Cookies get sent with most requests as headers so you're unnecessarily bogging down requests with data unrelated to the session.
It can be worked around. For example, you can use those cookies just to initialize the client web browser. Once it's done, the data can be cached inside the localStorage, and the cookie itself can be deleted (or changed to a marker that tells the server that the client has been customized).
Of course this may require some heavy changes on the client-side code, as the client now must have the ability to apply the user's customization locally, but there is a benefit: after you've done that, you don't have to read the user's customization data from any of your infrastructure every time the user reloads your page.
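The cookie-to-localStorage handoff described in the comment above, as an added example that is not part of the original thread. The cookie names, storage key and allowlist are assumptions; because both the cookie and localStorage are client-controlled, values are checked against the allowlist before use, and the marker cookie carries a constant rather than an identifier.

```javascript
// Added example; cookie names, storage key and allowlist are assumptions.
const PREF_COOKIE = "prefs";            // one-time cookie carrying preferences as JSON
const MARKER_COOKIE = "prefs_cached";   // constant marker, carries no identifier
const STORAGE_KEY = "prefs";
const ALLOWED = { theme: ["light", "dark"], font: ["serif", "sans"] };

// Parse a document.cookie-style string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    try {
      out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
    } catch { /* malformed percent-encoding: ignore this cookie */ }
  }
  return out;
}

// Cookie and localStorage contents are client-controlled: keep allowlisted values only.
function validatePrefs(raw) {
  let obj;
  try { obj = JSON.parse(raw); } catch { return null; }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  const clean = {};
  for (const [key, values] of Object.entries(ALLOWED)) {
    if (values.includes(obj[key])) clean[key] = obj[key];
  }
  return clean;
}

// Returns the usable prefs plus the cookie assignments the page should apply.
function bootstrapPrefs(cookieString, storage) {
  const cookies = parseCookies(cookieString);
  const setCookies = [];
  if (cookies[PREF_COOKIE] !== undefined) {
    const prefs = validatePrefs(cookies[PREF_COOKIE]);
    setCookies.push(`${PREF_COOKIE}=; Max-Age=0; Path=/`); // delete the payload cookie
    if (prefs) {
      storage.setItem(STORAGE_KEY, JSON.stringify(prefs));
      setCookies.push(`${MARKER_COOKIE}=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax`);
    }
  }
  const cached = storage.getItem(STORAGE_KEY);
  return { prefs: cached === null ? null : validatePrefs(cached), setCookies };
}

// Constructed sample input: "font" and "x" are not allowlisted values and get dropped.
const SAMPLE_COOKIES =
  "sid=abc123; prefs=" + encodeURIComponent('{"theme":"dark","font":"comic","x":"<b>"}');
```

In a browser this would be called as `bootstrapPrefs(document.cookie, localStorage)`, assigning each returned string to `document.cookie`; the preference cookie must not be `HttpOnly` for script to read and delete it.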
I don't think a gzipped header with some hundreds of bytes of JSON (or BSON) for preferences is that much bigger than one with a session id string in a cookie.
100% exactly. Cookies are device and moment specific. Whereas a user account can easily save and transport the saved experience/setting anywhere the user wants to access them.
Thanks for the suggestion. That wiki page brought me to https://mozilla-services.readthedocs.io/en/latest/howtos/run... which I intend to try out. I want to migrate my Firefox profile from Windows to Linux and syncing seems to be the easiest way to transfer bookmarks and saved passwords.
A cookie is such a transient data source. Some people regularly purge them all. Some people use more than one device.
I wouldn't bother changing any preferences that disappear every time I clear out my cookies. For starters, I'd have to figure out where on the website the preferences are set -- and if it's in the user profile, well, just save my preferences there.
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
An IP address is an "identifier". However, an IP address does not in and of itself identify a natural person; you know that, I know that, and even the GDPR knows that.
However, if you start building a map of IP addresses to user real names, or some other form of profile construction, then the IP addresses become personal information.
GDPR introduces a new concept called "Personal Data" which includes things like IP addresses and opaque database keys. Something is personal data if it is tied to an individual, regardless of whether sufficient information to identify that individual is contained in the data itself. An IP Address (or, according to some interpretations, an IP Address + timestamp but not an IP Address on its own) is Personal Data but not PII.
The GDPR does not address PII at all. To a first approximation, PII is now an American legal concept and Europe has a completely different (and strictly broader) definition of privacy-relevant data.
If they _store_ IP. You will see an IP with every single connection to a service. If you don't store it - but say, you store a country level geolocation instead - it's not PII.
They’re using Google Analytics, by default, in the browser UI and on their Websites, without opt-in or visible opt-out (it’s hidden in the tracking prevention settings of the browser itself, and chained to the DNT setting).
Yes, you asked Mozilla for the web page, and they decided to load Google Analytics.
Mozilla is the Data Controller, and they asked a third party (Google Analytics) to process the data of Mozilla's users (that includes simple visitors to the site), making Google a Data Processor. The Data Controllers generally have more obligations than Processors, since they control how the data is handled, and to whom it's passed.
> We may also use cookies, device information and IP addresses, along with clear GIFs, cookies and third party services to help us understand in the aggregate how users engage with our products, …