I’m developing a startup that collects analytics and marketing data, https://storyteller.so.
The whole point of the app is to gather that data in-house, not using third-party tools or sending it to different providers.
From my understanding, since the app collects information it requires to function and doesn’t utilize third-party collection, it should be compliant with both laws without needing a bunch of “accept cookie” banners.
Additionally, I believe that sites that prompt those annoying cookie banners aren’t truly complying with the law.
I also want to understand the consequences of not adhering to these laws if I’m not based in California or Europe, so I’d like clarity on compliance without unnecessary feature work.
EDIT: I asked ChatGPT for clarity, but I’m uncertain whether I can trust its response. It seemed reasonable, suggesting that if your site and app use cookies only for essential purposes, like maintaining user sessions and tracking A/B testing versions, while gathering analytics directly through your backend without additional cookies, your obligations under GDPR and CCPA may vary:
GDPR Considerations
Essential Cookies: Cookies used only for maintaining sessions and ensuring functionality (like A/B testing tracking) are generally seen as “strictly necessary.” Under GDPR, strictly necessary cookies do not need user consent, but users should be informed in a cookie policy or privacy policy.
Analytics Without Cookies: If you collect analytics server-side without additional cookies, you can skip the consent typically associated with analytics cookies. However, you still need to:
Be transparent about data collection (e.g., in your privacy policy).
Justify data processing under a lawful basis such as legitimate interest.
Reduce data collection to what’s necessary for your stated purpose.
A/B Testing: Tracking A/B test versions through session cookies can be seen as strictly necessary if it’s vital to delivering the expected service.
CCPA Considerations
Session Cookies and Analytics: Under CCPA, session cookies for functionality or analytics collected directly by you (not through third-party tools) are generally not considered data sales. You need to:
Disclose analytics data collection in your privacy policy.
Offer a mechanism for users to opt out if the data is seen as personal information.
A/B Testing: Similar to GDPR, if the data collected is essential for service (like ensuring users see the same A/B test variant), it’s unlikely to trigger extra obligations—still, transparency is key.
Do You Need a Cookie Banner?
No Cookie Banner Required: If only strictly necessary cookies are used, and no tracking or analytics cookies are set, a cookie banner isn’t necessary under GDPR.
Transparency Required: Both GDPR and CCPA mandate explaining in your privacy policy:
Types of data collected (e.g., analytics data, session tracking).
Reasons for data processing.
Users’ rights (e.g., access, deletion, opting out under CCPA).
Key Steps to Ensure Compliance
Privacy Policy: Clearly define:
Data collected (e.g., session cookies, analytics data).
Reason and use (e.g., A/B testing, site functionality).
User rights (opt-out under CCPA, access, or deletion).
Avoid Non-Essential Cookies: Refrain from using cookies for analytics or third-party tracking, simplifying compliance.
Lawful Basis: For GDPR, utilize a lawful basis like legitimate interest for server-side analytics and strictly necessary cookies.
By adhering to these practices, you can avoid needing a cookie banner while still meeting transparency and accountability obligations under GDPR and CCPA.
You are the third party. You MUST comply with both laws. You MUST allow users to opt out of everything your service does. The reason you don’t qualify for an exemption under the A/B part is…
I’m making a startup that collects analytics and marketing data
You’re collecting analytics and marketing data CLIENT SIDE.
@Orion
Thanks, I will ensure they can opt out of the analytics. The A/B test occurs before they see any screen where I can present an opt-out option; I can’t change that other than informing them they’re part of a test, but that test will have occurred regardless.
@Ira
Collecting user data should be opt-in, especially if it includes personal information. GDPR explicitly requires individuals to provide informed, explicit, and active consent before personal data can be collected, processed, or shared for most purposes.
EU’s General Data Protection Regulation (GDPR) mandates opt-in consent for certain data processing types. This means individuals must actively give permission before their data can be utilized.
Brigham said:
You are the third party for your customers’ visitors. Your A/B testing cookies will require consent.
But this is the confusing part; I don’t store any cookies other than the session cookie. My A/B tests aren’t like Posthog, which are determined after page load. My A/B tests are tracked in the session, with no data exposed.
Also, analytics can be gathered without cookies at all—tracking clicks, movements, and scrolls while sending a beacon without writing a cookie.
I don’t run ads or anything that would let users be tracked across the internet.
So, I don’t understand the utility of a popup saying ‘hey, this site, like every website on the internet, uses cookies.’ It’s a session cookie, which is essential for the site’s function.
Brigham said: @Ira
So your A/B tests have no results after the user leaves?
It tracks which version is shown and whether they signed up, but all within the platform. No third party is involved.
To clarify, I’m not trying to hide the fact that A/B tests are being conducted or that analytics are being collected. I’d rather present a banner stating those things, as that seems more pertinent information than ‘yes, I use cookies; please agree.’ That seems like an unnecessary burden.
Cliff said: @Ira
So you store cookies… and then do something with it that your site doesn’t ‘necessarily’ require?
But who’s judging if it’s necessary? Are A/B tests an invasion of privacy or personal information? I don’t think they are, but it’s unclear to me who gets to make that decision.
A/B testing isn’t critical for a site’s main functionality.
The necessary part involves session cookies (or similar) for tracking user authentication and identifying users. If you’re logging in, it’s necessary for the site to know who you are, and a cookie is essential to perform that task.
If you want to identify or track without asserting a necessity for the user, you’ll need to obtain consent.
You can do A/B testing without identifying users—track the variations, not the user—so no session cookie, just retain data about the version that yielded results. No unique identifier means no user tracking.
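The aggregate-only approach Cliff describes, as an added example that is not part of the thread: the session carries only the variant label (no unique identifier), the server keeps per-variant counters, and the label is dropped once the outcome is counted, so no per-user record ever exists. `AbExperiment`, `simulate` and the `ab_variant` session key are hypothetical names written for this illustration.

```python
import random

VARIANTS = ("A", "B")  # constructed example; AbExperiment is a hypothetical helper


class AbExperiment:
    """Per-variant counters only; a session holds nothing but a variant label."""

    def __init__(self, variants=VARIANTS, rng=None):
        self.counts = {v: {"impressions": 0, "signups": 0} for v in variants}
        self._rng = rng or random.Random()

    def assign(self, session: dict) -> str:
        # First request: pick a variant, count one impression, and keep only the
        # label in the session so later requests render the same variant.
        variant = session.get("ab_variant")
        if variant not in self.counts:
            variant = self._rng.choice(sorted(self.counts))
            session["ab_variant"] = variant
            self.counts[variant]["impressions"] += 1
        return variant

    def record_signup(self, session: dict) -> None:
        # Count the outcome against the variant and drop the label, so the
        # session retains no trace of the experiment once it has been measured.
        variant = session.pop("ab_variant", None)
        if variant in self.counts:
            self.counts[variant]["signups"] += 1

    def report(self) -> dict:
        """(impressions, signups, conversion rate) per variant; no user data."""
        return {v: (c["impressions"], c["signups"],
                    round(c["signups"] / c["impressions"], 3) if c["impressions"] else 0.0)
                for v, c in self.counts.items()}


def simulate(n_sessions: int, signup_prob: float, seed: int = 0) -> dict:
    """Drive n constructed visitor sessions and return the aggregate report."""
    rng = random.Random(seed)
    exp = AbExperiment(rng=rng)
    for _ in range(n_sessions):
        session = {}  # stands in for a server-side session store
        exp.assign(session)
        exp.assign(session)  # second page view: same variant, not recounted
        if rng.random() < signup_prob:
            exp.record_signup(session)
    return exp.report()
```

The report is the only thing persisted; a visitor who never converts leaves behind nothing but one anonymous impression count.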
@Parker
I noticed someone (presumably the OP) downvoting all the posts advising them on their legal obligations… asking for guidance, then downvoting those who provide it.
Cliff said: @Parker
I noticed someone (presumably the OP) downvoting all the posts advising them on their legal obligations… asking for guidance, then downvoting those who provide it.
Yeah, I noticed that too. I’ve been a developer for 15 years and remember the GDPR implementation period well.
I’m heavily involved in online compliance at my company, so I feel I know this topic well. It seems the OP isn’t based in the EU and just wants confirmation that they don’t need a banner.
I’d suggest leaving them to their own devices and letting them potentially face fines. Learning through consequences is a powerful teacher.
@Hart
While I’ve memorized parts of the DPA for my current studies, I acknowledge your experience!
They seem like an entitled American who believes the law applies only when convenient. It’s frustrating to consider they may face hefty fines for ignorance. Yet, ultimately, it’s on them to resolve this.
Cliff said: @Parker
I noticed someone (presumably the OP) downvoting all the posts advising them on their legal obligations… asking for guidance, then downvoting those who provide it.
@Parker
Yes, that’s my main confusion. The A/B version is selected before the user ever sees anything. Therefore, they can’t technically ‘opt out’; it’s done. I can ensure it’s not recorded afterward, and I’m willing to inform them it took place, but they will inevitably get a version of the website.