[wp-trac] [WordPress Trac] #44043: Framework for logging/retrieving a users consent state

WordPress Trac noreply at wordpress.org
Tue May 22 10:30:32 UTC 2018 

#44043: Framework for logging/retrieving a users consent state
------------------------------------+------------------------------
 Reporter:  cookiebot               |       Owner:  (none)
     Type:  enhancement             |      Status:  new
 Priority:  normal                  |   Milestone:  Awaiting Review
Component:  Privacy                 |     Version:  trunk
 Severity:  normal                  |  Resolution:
 Keywords:  gdpr 2nd-opinion close  |     Focuses:
------------------------------------+------------------------------

Comment (by xkon):

 @gisle afaic the ePD was going to be updated as well in 25 along with GDPR
 but it is unlikely to happen, so we can't know for sure their new ways of
 dealing with cookies especially ( I might be totally wrong but that's what
 I know from lawyers and non-lawyers on this matter).

 Apart from that though as seen reading the LB for processing (
 https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-
 regulation-gdpr/lawful-basis-for-processing/ ) and as seen in
 http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051


 Quote from the europa.eu document -> Page 17:

 > In any event, consent must always be obtained before the controller
 starts processing personal data for which consent is needed. WP29 has
 consistently held in previous opinions that consent should be given prior
 to the processing activity.44 Although the GDPR does not literally
 prescribe in Article 4(11) that consent must be given prior to the
 processing activity, this is clearly implied. The heading of Article 6(1)
 and the wording “has given” in Article 6(1)(a) support this
 interpretation. It follows logically from Article 6 and Recital 40 that a
 valid lawful basis must be present before starting a data processing.
 Therefore, consent should be given prior to the processing activity. In
 principle, it can be sufficient to ask for a data subject’s consent once.
 However, controllers do need to obtain a new and specific consent if
 purposes for data processing change after consent was obtained or if an
 additional purpose is envisaged.

 I think it's clear that you do need consent first and then start
 processing the data ( not always of course as it depends on the situation
 ).

 One extra example I can give from the coding world is Google AMP project
 as it's adding a consent component similar to the discussion that you
 could basically put let's say for example the analytics scripts 'on hold'
 until the user gives his consent to track him.

 Now if we take into account that pretty much everybody is using analytics
 which in it's own way is tied to re-marketing and anything else that
 Google adds behind the scenes. A consent is pretty much mandatory and
 should be used pretty much everywhere beforehand the way I see it.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44043#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list