Question about GDPR and CCPA and cookie banners

@Nyx
The results aren’t recorded until after they leave, so I can allow them to opt out.

@Ira
The A/B test itself isn’t an invasion of privacy. Tracking the user specifically is, though. If you gather data that can’t be traced back to specific users, you may be compliant.

IANAL; consult a lawyer for professional guidance.

@Nyx
Got it, thank you.

If you’re collecting information about EU citizens, you must comply with GDPR.

If you’re using cookies to gather information, GDPR mandates that you provide EU users with an option to opt out of cookies that aren’t strictly necessary, requiring a cookie banner.

@Hart
What qualifies as a necessary cookie? The only cookie I’m using is the session ID. There’s no authentication or PII involved.

Ira said:
> @Hart
> What qualifies as a necessary cookie? The only cookie I’m using is the session ID. There’s no authentication or PII involved.

A cookie is considered necessary if it’s required for your service to function. For instance, authentication cookies may be necessary to keep users logged in. However, using these cookies for tracking may not be legally permissible.

IANAL, this is not legal advice. Consult a lawyer for accurate information.

Xavi said:
> [deleted]

Thank you for the detailed response!

> I also don’t understand the consequences of not following those laws if I’m not in California or Europe, so I’d like to grasp this to ensure compliance without unnecessary work.

That’s why we have professionals called “attorneys” who understand the consequences of legal non-compliance. ChatGPT isn’t a legal advisor, and its responses aren’t legally binding. Your attorney is the best source for guidance.

Hey mate!

u/rjhancock summed it up best; you aren’t exempt.

However, some of your statements imply ChatGPT may have misinformed you slightly. Let me know if you’d like clarification.

> Essential Cookies: Cookies solely used for maintaining sessions and ensuring functionality (like A/B testing tracking) – I believe ChatGPT inaccurately defined essential cookies here.

Unless your product prevents user experience without A/B testing, these are not essential cookies—they’re persistent (aka tracking cookies) requiring informed consent and necessitating a cookie banner.

General rules of thumb:

  • If a cookie doesn’t expire after a session or if it retains data post-session, it’s likely not essential, requiring consent.
  • If a cookie isn’t crucial for user site navigation, it’s vital to you, necessitating consent.

For your inquiry about legal implications, laws protect citizens from violations in their regions, not the businesses collecting data:

  • Collecting personal data from EU citizens requires adherence to GDPR.
  • Collecting personal data from California residents mandates CCPA / CPRA compliance.

Enforcement procedures can get complex, and further reading is necessary. Your service could be banned in the EU, so avoiding compliance risks through affordable compliance software is wise.

> Sites featuring cookie banners aren’t necessarily non-compliant.

Not quite—cookie banners signal non-essential cookie usage while requesting consent. Assuming banners comply and block scripts automatically means they are attempting compliance.

Your tracking software is highly regulated but remains valuable, and you’ll likely find that over 50% of users consent to cookies. Your product may enhance user experience and internet interactions—just ensure adherence to legal statutes!

Hope this assists! :slight_smile:
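The two rules of thumb above reduce to one mechanical check: a cookie that carries a future `Expires` or a positive `Max-Age` attribute outlives the browser session, so it is a candidate for consent review. As an added example (not code from anyone in this thread), this Python audit parses `Set-Cookie` headers and flags the persistent ones; the header values are constructed, and the `consent_review` flag only encodes the thread's rule of thumb, not a legal determination.

```python
"""Audit Set-Cookie headers: session cookie or persistent (tracking-capable)?"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(attrs: Dict[str, str]) -> bool:
    """True if the cookie survives the session.

    Per RFC 6265 a valid Max-Age takes precedence over Expires; a non-positive
    Max-Age or a past Expires tells the browser to delete the cookie, which is
    not persistent either. A malformed Max-Age is ignored, so Expires applies.
    """
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        return int(max_age) > 0
    expires = attrs.get("expires")
    if expires is not None:
        try:
            return parsedate_to_datetime(expires) > datetime.now(timezone.utc)
        except (TypeError, ValueError):  # unparseable or naive date: treat as session
            return False
    return False


def audit(headers: List[str]) -> List[Dict[str, object]]:
    """One finding per header; Secure/HttpOnly are hygiene checks, not consent."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        persistent = is_persistent(attrs)
        findings.append({
            "name": cookie["name"],
            "persistent": persistent,
            "consent_review": persistent,   # thread's rule of thumb
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return findings


SAMPLE_HEADERS = [  # constructed examples, not captured from any real site
    "sid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",      # session only
    "ab_variant=B; Max-Age=2592000; Path=/; SameSite=Lax",     # 30 days
    "_trk=u-42; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Path=/",
    "legacy=; Max-Age=0; Path=/",                              # deletion
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```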