Hacker News

This is very likely not valid consent under GDPR. Look at specific guidance on valid consent by DPAs: https://ico.org.uk/for-organisations/guide-to-data-protectio...


Can you explain what is invalid about it? The list of functional cookie permissions on the consent opt-in specifically mentions cookies to remember log in details.


Sure, let's have a look at Article 4 GDPR: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

In this case, I doubt that consent is freely given (which requires a true choice on the user's part), I doubt that it is specific (that the choice is granular pertaining to different cookies fulfilling different purposes), and I doubt that it is informed (that the user understands the relevance of different cookies).

Most importantly, consent given in the context of a visit of the zoom.us site cannot be specific and, at the same time, cover cookies being unexpectedly set by a local uninstall program. We are not talking about the usual session ID cookie here ("remember log in details").

Recital 43: Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case,

Somewhat questionable in this case. Is there a way to opt out of the specific cookie? I guess not.

or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Quite likely.

Recital 42: For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended

Where does Zoom explain the purpose of the "everlogin" cookie?

Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Again, is there a way to opt out of the specific cookie?

Article 7 GDPR: The data subject shall have the right to withdraw his or her consent at any time. ... It shall be as easy to withdraw as to give consent.

It's quite easy to consent to cookies at zoom.us. Where, however, can a user revoke their consent?

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

I don't think it's possible to use Zoom without this (unnecessary) cookie being saved. Therefore, consent is most likely not applicable.

Again, ICO guidance is a great resource: Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.

Consent under GDPR simply doesn't work like "I consent to all of your cookies".



