I’ve just finalised an intensive exercise and conversation with a lawyer, and the conclusion is that this is the only configuration that is fully compliant with both GDPR and the ePrivacy directive:
I’m quite curious why:
- you state that the other configurations are also GDPR compliant?
- you don’t mention a word about the ePrivacy directive?
Would be interesting to have your opinion on this matter.
The configuration you selected is the safest option and does comply with GDPR and the ePrivacy directive.
Note that the ePrivacy directive has been implemented inconsistently across the various member states.
The other methods are solutions that you may elect to use. For instance, CNIL allows tracking visitors without consent using cookies or other technologies (as long as you comply with the other rules they impose). The cookieless option is there to abide by the telecom laws by not accessing the end user’s terminal. We’d calculate a temporary, short-lived session ID to stitch a couple of events together.
Some companies choose those options regardless of ePrivacy and GDPR. They assess their tracking and the extent of data collection (whether it’s personal or not). I recommend running a DPIA and then choosing the right option for your business.
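The short-lived session ID mentioned above can be illustrated with the following sketch. This is an added example, not Matomo’s code or the poster’s configuration, and it makes its own assumptions: the ID is an HMAC over request metadata (client IP and User-Agent) keyed with a random server-side salt that rotates every 24 hours and is then discarded, so nothing is written to the visitor’s terminal and events can only be linked within one salt period. The IP addresses and User-Agent in the demo are constructed sample values.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumed rotation interval: once a period ends its salt is thrown away,
# so IDs from different periods cannot be linked to each other.
PERIOD = timedelta(hours=24)


class SaltStore:
    """Keeps exactly one random salt, for the current period only."""

    def __init__(self):
        self._period = None
        self._salt = None

    def salt_for(self, period: int) -> bytes:
        # Rotating to a new period discards the old salt; without it the
        # previous IDs can no longer be recomputed from IP + User-Agent.
        if period != self._period:
            self._period = period
            self._salt = secrets.token_bytes(32)
        return self._salt


def period_of(ts: datetime) -> int:
    """Map a timestamp to its salt period number."""
    return int(ts.astimezone(timezone.utc).timestamp() // PERIOD.total_seconds())


def session_id(store: SaltStore, client_ip: str, user_agent: str, ts: datetime) -> str:
    """Derive a short-lived session ID purely from request metadata.

    No cookie or other identifier is stored on the client; the server
    recomputes the same value for requests that share IP, User-Agent and
    salt period, which is enough to stitch a few consecutive events.
    """
    salt = store.salt_for(period_of(ts))
    msg = f"{client_ip}|{user_agent}".encode()
    # 64 bits of the tag is plenty to group events within a single period.
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:16]


def demo() -> tuple:
    """Constructed sample requests (RFC 5737 documentation addresses)."""
    store = SaltStore()
    t0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"
    first = session_id(store, "203.0.113.7", ua, t0)
    same_visit = session_id(store, "203.0.113.7", ua, t0 + timedelta(minutes=5))
    other_client = session_id(store, "203.0.113.8", ua, t0 + timedelta(minutes=6))
    next_day = session_id(store, "203.0.113.7", ua, t0 + timedelta(days=1))
    return first, same_visit, other_client, next_day


if __name__ == "__main__":
    a, b, c, d = demo()
    print("same visit linked:   ", a == b)
    print("other client linked: ", a == c)
    print("next day linked:     ", a == d)
```

Whether such an ID still counts as personal data is exactly the question a DPIA has to answer for your own setup; the example only shows the mechanism.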
Thanks for your view @piotr
Dear all, I asked the relevant Dutch Authority about this (since they use analytical cookies themselves without prior consent).
Their official position, as stated on the ACM website, is that analytical cookies can be placed without consent; however, you need to inform visitors.
So for our Dutch clients we advise using the visitor cookies (like _pk_id.* and _pk_ses.*) without asking visitors for consent.