Question about GDPR and CCPA and cookie banners

I’m developing a startup that collects analytics and marketing data, https://storyteller.so.

The whole point of the app is to gather that data in-house, not using third-party tools or sending it to different providers.

From my understanding, since the app collects information it requires to function and doesn’t utilize third-party collection, it should be compliant with both laws without needing a bunch of “accept cookie” banners.

Additionally, I believe that sites that prompt those annoying cookie banners aren’t truly complying with the law.

I also want to understand the consequences of not adhering to these laws if I’m not based in California or Europe, so I’d like clarity on compliance without unnecessary feature work.

EDIT: I asked ChatGPT for clarity, but I’m uncertain whether I can trust its response. It seemed reasonable, suggesting that if your site and app use cookies only for essential purposes, like maintaining user sessions and tracking A/B testing versions, while gathering analytics directly through your backend without additional cookies, your obligations under GDPR and CCPA may vary:

GDPR Considerations

  1. Essential Cookies: Cookies used only for maintaining sessions and ensuring functionality (like A/B testing tracking) are generally seen as “strictly necessary.” Under GDPR, strictly necessary cookies do not need user consent, but users should be informed in a cookie policy or privacy policy.
  2. Analytics Without Cookies: If you collect analytics server-side without additional cookies, you can skip the consent typically associated with analytics cookies. However, you still need to:
    • Be transparent about data collection (e.g., in your privacy policy).
    • Justify data processing under a lawful basis such as legitimate interest.
    • Reduce data collection to what’s necessary for your stated purpose.
  3. A/B Testing: Tracking A/B test versions through session cookies can be seen as strictly necessary if it’s vital to delivering the expected service.

CCPA Considerations

  1. Session Cookies and Analytics: Under CCPA, session cookies for functionality or analytics collected directly by you (not through third-party tools) are generally not considered data sales. You need to:
    • Disclose analytics data collection in your privacy policy.
    • Offer a mechanism for users to opt out if the data is seen as personal information.
  2. A/B Testing: Similar to GDPR, if the data collected is essential for service (like ensuring users see the same A/B test variant), it’s unlikely to trigger extra obligations—still, transparency is key.

Do You Need a Cookie Banner?

  • No Cookie Banner Required: If only strictly necessary cookies are used, and no tracking or analytics cookies are set, a cookie banner isn’t necessary under GDPR.
  • Transparency Required: Both GDPR and CCPA mandate explaining in your privacy policy:
    • Types of data collected (e.g., analytics data, session tracking).
    • Reasons for data processing.
    • Users’ rights (e.g., access, deletion, opting out under CCPA).

Key Steps to Ensure Compliance

  1. Privacy Policy: Clearly define:
    • Data collected (e.g., session cookies, analytics data).
    • Reason and use (e.g., A/B testing, site functionality).
    • User rights (opt-out under CCPA, access, or deletion).
  2. Avoid Non-Essential Cookies: Refrain from using cookies for analytics or third-party tracking, simplifying compliance.
  3. Lawful Basis: For GDPR, utilize a lawful basis like legitimate interest for server-side analytics and strictly necessary cookies.

By adhering to these practices, you can avoid needing a cookie banner while still meeting transparency and accountability obligations under GDPR and CCPA.

Simple version:

You are the third party. You MUST comply with both laws. You MUST allow users to opt out of everything your service does. The reason you don’t qualify for an exemption under the A/B part is…

I’m making a startup that collects analytics and marketing data

You’re collecting analytics and marketing data CLIENT SIDE.

@Orion
Thanks, I will ensure they can opt out of the analytics. The A/B test occurs before they see any screen where I can present an opt-out option; I can’t change that other than informing them they’re part of a test, but that test will have occurred regardless.

@Ira
Collecting user data should be opt-in, especially if it includes personal information. GDPR explicitly requires individuals to provide informed, explicit, and active consent before personal data can be collected, processed, or shared for most purposes.

EU’s General Data Protection Regulation (GDPR) mandates opt-in consent for certain data processing types. This means individuals must actively give permission before their data can be utilized.

- https://secureprivacy.ai/blog/difference-beween-opt-in-and-opt-out

IANAL. This is not legal advice.

@Ira
You need to take an opt-in approach, not opt-out. You risk being sued and fined in several countries and states otherwise.

But this is your business, you do you.

You are the third party for your customers’ visitors. Your A/B testing cookies will require consent.

Brigham said:
You are the third party for your customers’ visitors. Your A/B testing cookies will require consent.

But this is the confusing part; I don’t store any cookies other than the session cookie. My A/B tests aren’t like Posthog’s, which are determined after page load. My A/B tests are tracked in the session, with no data exposed.

Also, analytics can be gathered without cookies at all—tracking clicks, movements, and scrolls while sending a beacon without writing a cookie.

I don’t run ads or anything that would let users be tracked across the internet.

So, I don’t understand the utility of a popup saying ‘hey, this site, like every website on the internet, uses cookies.’ It’s a session cookie, which is essential for the site’s function.

@Ira
So your A/B tests have no results after the user leaves?

Brigham said:
@Ira
So your A/B tests have no results after the user leaves?

It tracks which version is shown and whether they signed up, but all within the platform. No third party is involved.

To clarify, I’m not trying to hide the fact that A/B tests are being conducted or that analytics are being collected. I’d rather present a banner stating those things, as that seems more pertinent information than ‘yes, I use cookies; please agree.’ That seems like an unnecessary burden.

@Ira
So you store cookies… and then do something with it that your site doesn’t ‘necessarily’ require?

Cliff said:
@Ira
So you store cookies… and then do something with it that your site doesn’t ‘necessarily’ require?

But who’s judging if it’s necessary? Are A/B tests an invasion of privacy or personal information? I don’t think they are, but it’s unclear to me who gets to make that decision.

@Ira
IANAL.

A/B testing isn’t critical for a site’s main functionality.

The necessary part involves session cookies (or similar) for tracking user authentication and identifying users. If you’re logging in, it’s necessary for the site to know who you are, and a cookie is essential to perform that task.

If you want to identify or track without asserting a necessity for the user, you’ll need to obtain consent.

You can do A/B testing without identifying users—track the variations, not the user—so no session cookie, just retain data about the version that yielded results. No unique identifier means no user tracking.

Consult a real lawyer specializing in this field.
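As an added illustration of the "track the variations, not the user" approach described in the post above (example code written for this page, not code from anyone in the thread or from the OP's product): the server picks an arm per request, the arm label travels back only inside the signup form as a hidden field rather than in a cookie or any visitor identifier, and only per-arm totals are ever stored. The variant names, the signup form shape and the traffic simulation are all assumptions made for the example.

```python
"""Cookie-less A/B test bookkeeping: count variants, never visitors.

Hypothetical example (not code from the thread). Assumes:
  - the server picks a variant per request at random,
  - the chosen variant label travels back only inside the signup form
    (a hidden field), not in a cookie or any visitor identifier,
  - only per-variant totals are persisted.
"""
from __future__ import annotations

import random
from dataclasses import dataclass, field
from typing import Dict

VARIANTS = ("A", "B")  # assumed experiment arms


@dataclass
class ExperimentStore:
    """Persists aggregate counters only; there is no per-visitor row to leak."""
    impressions: Dict[str, int] = field(default_factory=lambda: {v: 0 for v in VARIANTS})
    conversions: Dict[str, int] = field(default_factory=lambda: {v: 0 for v in VARIANTS})

    def record_impression(self, variant: str) -> None:
        self._check(variant)
        self.impressions[variant] += 1

    def record_conversion(self, variant: str) -> None:
        # The label arrives with the submitted form, not from a cookie.
        self._check(variant)
        self.conversions[variant] += 1

    def conversion_rate(self, variant: str) -> float:
        shown = self.impressions[variant]
        return self.conversions[variant] / shown if shown else 0.0

    @staticmethod
    def _check(variant: str) -> None:
        # The label comes back from the client, so treat it as untrusted input:
        # only a known arm may be counted, never a free-form string.
        if variant not in VARIANTS:
            raise ValueError(f"unknown variant {variant!r}")


def assign_variant(rng: random.Random) -> str:
    """Server-side split with no visitor state: a fresh coin flip per request."""
    return rng.choice(VARIANTS)


def render_signup_form(variant: str) -> str:
    """The only place the arm label lives client-side is the form itself."""
    return (
        '<form method="post" action="/signup">'
        f'<input type="hidden" name="variant" value="{variant}">'
        '<input name="email"><button>Sign up</button></form>'
    )


def parse_variant_from_form(form: Dict[str, str]) -> str:
    """Pull the label back out of the posted form; validation happens in the store."""
    return form.get("variant", "")


def simulate(visitors: int, seed: int, signup_prob: Dict[str, float]) -> ExperimentStore:
    """Constructed traffic: `visitors` page views, each converting with a per-arm probability."""
    rng = random.Random(seed)
    store = ExperimentStore()
    for _ in range(visitors):
        variant = assign_variant(rng)
        store.record_impression(variant)
        form_html = render_signup_form(variant)
        # Simulate the browser posting the form back; only the hidden field names the arm.
        posted = {"variant": variant, "email": "user@example.com"}
        assert f'value="{variant}"' in form_html
        if rng.random() < signup_prob[variant]:
            store.record_conversion(parse_variant_from_form(posted))
    return store


if __name__ == "__main__":
    s = simulate(1000, seed=1, signup_prob={"A": 0.05, "B": 0.08})
    for v in VARIANTS:
        print(v, s.impressions[v], s.conversions[v], f"{s.conversion_rate(v):.3f}")
```

The point of the design is what is absent: no visitor ID, no cookie, no row per person. Because the arm label is client-controlled on the way back, the store rejects anything outside the known arms instead of persisting it, which also keeps an attacker from padding the counters with arbitrary strings.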

@Parker
I noticed someone (presumably the OP) downvoting all the posts advising them on their legal obligations… asking for guidance, then downvoting those who provide it.

Cliff said:
@Parker
I noticed someone (presumably the OP) downvoting all the posts advising them on their legal obligations… asking for guidance, then downvoting those who provide it.

Yeah, I noticed that too. I’ve been a developer for 15 years and remember the GDPR implementation period well.

I’m heavily involved in online compliance at my company, so I feel I know this topic well. It seems the OP isn’t based in the EU and just wants confirmation that they don’t need a banner.

I’d suggest leaving them to their own devices and letting them potentially face fines. Learning through consequences is a powerful teacher.

@Hart
While I’ve memorized parts of the DPA for my current studies, I acknowledge your experience!

They seem like an entitled American who believes the law applies only when convenient. It’s frustrating to consider they may face hefty fines for ignorance. Yet, ultimately, it’s on them to resolve this. :woman_shrugging:

Ira said:
@Hart
What qualifies as a necessary cookie? The only cookie I’m using is the session ID. There’s no authentication or PII involved.

“Strictly necessary cookies allow a website to work properly; without them, it either won’t function or will fail to work as intended. These cookies include those for logging into secure areas or enabling a shopping cart. They don’t track personal data.”
https://www.cookieyes.com/blog/cookie-consent-exemption-for-strictly-necessary-cookies

Ira said:
@Nyx
The results aren’t recorded until after they leave, so I can allow them to opt out.


Cliff said:
@Parker
I noticed someone (presumably the OP) downvoting all the posts advising them on their legal obligations… asking for guidance, then downvoting those who provide it.

I’m not downvoting anyone.

@Parker
Yes, that’s my main confusion. The A/B version is selected before the user ever sees anything. Therefore, they can’t technically ‘opt out’; it’s done. I can ensure it’s not recorded afterward, and I’m willing to inform them it took place, but they will inevitably get a version of the website.

@Ira
As long as you’re not tracking until they opt in, it should be fine. The unnecessary tracking should be opt-in, not opt-out.

IANAL, this is not legal advice. Consult a lawyer for further clarity.