Ask HN: Can you get away with “by using this site you accept cookies”?
Can you get away with a "by using this site you accept that cookies will be stored on your device" rather than explicitly asking for consent?
In the EU, that depends on what you use cookies for. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...! Article 5.3:
> 3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
I don’t think what you propose covers “and is offered the right to refuse such processing by the data controller”, but if the cookies are covered by the last sentence (for example if you store ‘is logged in as Foo’ or the contents of a shopping cart in there), you don’t even need to tell the user.
Our lawyer said we can for functional cookies so we now require those. For statistics and marketing we still ask for consent.
Under EU GDPR: Yes, if the cookies are not used for anything that requires consent.
Functional cookies do not require consent so you can skip the message. Tracking cookies require consent and your message is not valid.
You don’t need a lawyer to read the law, it’s pretty clear for GDPR:
> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.