Interesting article from Apple on privacy: here
Understanding how people use their devices often helps in improving the user experience. However, accessing the data that provides such insights — for example, what users type on their keyboards and the websites they visit — can compromise user privacy. We develop a system architecture that enables learning at scale by leveraging local differential privacy, combined with existing privacy best practices. We design efficient and scalable local differentially private algorithms and provide rigorous analyses to demonstrate the tradeoffs among utility, privacy, server computation, and device bandwidth. Understanding the balance among these factors leads us to a successful practical deployment using local differential privacy.
OK, so cookies are actually only mentioned one time in GDPR, but that one time packs a bit of a punch.
Natural persons may be associated with online identifiers… such as internet protocol addresses, cookie identifiers or other identifiers… This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Which translated basically means (taken with other parts of the regulation) if you can identify an individual via their device (directly or indirectly) that makes it personal data.
Now not all cookies will be able to identify users but a whole load of them are. And that includes analytics cookies.
The existing “cookie law” was pretty clear about gaining consent and we all added those cookie bars on to our websites that basically implicitly gained your permission. Well those aren’t any good any more. For any cookies that aren’t strictly necessary to run your site you’re going to have to get explicit consent under GDPR.
That means you need some kind of affirmative action. Like a tick box.
And that consent must be as easy to take away as it was given.
Oh, and it’s about consent. So if you’re not giving a choice then there’s no consent to be given or not. Which basically means you can’t tell your visitors they have to accept or the can’t browse…