> "To make this very clear: user/visitor consent is only needed for data going to 3rd parties."
I think this statement is categorically false. Art. 6 GDPR (https://gdpr-info.eu/art-6-gdpr/) lists exhaustively the reasons for lawful processing of personal data which applies not only to cookies, but also IP addresses etc. The "cookie consent" addresses Art. 6 Point 1(a). Whether third-parties (data processors) are involved is irrelevant, e.g. if I need to transfer personal data to my accountant, it falls under b, c (or d).
Agreed. It isn't the third party that is the issue - it is the separate purpose.
For example, if I access a web page, I'm giving my IP address to the server, so that it knows how to send the data I just asked for back. That IP address is personal information, but it is necessary for the server to fulfil the purpose of the task I just asked for. That server also gives the IP address to a third party - the router in between it and me. That's also necessary, because otherwise the packets can't be routed, and it's fine legally.
However, if the company running the web page were to take that IP address and store it and use it for deep analytics, matching my request up to other requests from the same IP address, then the personal data has not been handed over to a third party, but it is being used for a purpose which requires consent, and would be illegal unless that consent had been obtained. That data use isn't necessary for the original purpose of the task I asked for, which is to serve me a web page - it is a separate purpose.
Wouldn't that depend on perspective? Wouldn't the router's, e.g. Cloudflare's, purpose be to ensure fast delivery and that it's not an attack?
Both require capturing the IP address and analyzing behavior. A faster road where no one wants to go isn't a faster way, so the router needs to capture it so they know where to build their roads.
> However, if the company running the web page were to take that IP address and store it and use it for deep analytics
Or, in fact, sending off to Google Fonts. As a German court case reveals, that is considered sending the IP to Google -- breaking GDPR since it is done without consent on first launch of the site.
Toot author here. Yes, the complexities are tough to explain in a few toots. But as an abstraction it is valid IMHO. As per the GDPR and ePrivacy Directive, a website must ask its users’ consent to use cookies that are not necessary for accessing the website’s functionality. All third party cookies typically fall under this rule. 1st party cookies that do not collect PII (Personally Identifiable Information) like simple session cookies are exempted from consent.