Cookies and GDPR compliance

Hi. I’m trying to understand whether or not Netlify’s own cookies necessitate a cookie consent banner to be in GDPR compliance.
For institution-specific reasons I want to avoid a cookie-consent banner, and for that reason, I don’t collect any user information or use cookies in my own build.
However, Netlify’s data policy page states that cookies are used to collect data on and track users. At the same time, the GDPR page advertises that Netlify is GDPR-compatible. What gives? Is this an error in one of these two pages? Are we expected to implement our own consent banner for Netlify’s cookies, even if we use no cookies in our site? Is there any way to turn off Netlify’s native tracking?
Thanks for any clarification you can provide!

2 Likes

hi there @gravinamike ,

happy to go through this with you.

On this page, we do make a statement as to which data we collect from all visitors to sites hosted on netlify:

this :point_up: is applicable to everyone.

“Your obligations around data about your customers which you collect via Netlify

If you use our service to collect Personally Identifiable Information from your visitors, via form submission or other methods, you are solely responsible for its disposition.”

this :point_up: is applicable if you collect data from YOUR customers via YOUR site, for example, via a form.

I’m not sure which page you mean when referring to “data policy page” - maybe this one?

that :point_up: refers to how we as a company handle your personal data (not that of your sites, but your own data, such as your name, email, etc.) when you are browsing netlify.com or using the Netlify dashboard to work on your sites. So there are basically two different documents: one that governs the sites you build and what we do with that data, and one that covers your personal account with us. Does that make sense?

As far as your last question goes, whether there is a way to turn off “native tracking”: no, that is not possible, not for your personal account with us and not for the sites that you might build and host with us.

I hope this helps clarify!

2 Likes

Thank you very much, Perry, for going into the details with me. One sentence on the Privacy Policy page still confuses me, under Cookies and Log files:
“This also allows us to make sure that visitors see the website they expect to see if they return to the same web URL and it allows us to tell you how many people click on your website.”
That seems to indicate the use of cookies on visitors that come to my site, not just cookies used on me when I’m accessing Netlify’s services. Is that the case? And - if that’s the case - doesn’t that mean that visitors to my site will need to see a cookie consent banner alerting them to the cookies that Netlify is using to track visits?

1 Like

those are good questions, @gravinamike ! I will get some :eyes: on this that may be able to explain a little more.

1 Like

Hi again, I had a chance to chat with a teammate about this who is more knowledgeable about GDPR etc. than I am, and we took a closer look at this paragraph!

Here it is in its entirety for anyone else following along:

## Cookies and Log Files

We use cookies and log files to track user information. Cookies are small amounts of data that are transferred to your web browser by a web server and are stored on your computer’s hard drive. We use cookies to track which page variant a visitor has seen, to track if a visitor has clicked on a page variant, to monitor traffic patterns and to gauge popularity of service options. We will use this information to deliver relevant content and services to you. This also allows us to make sure that visitors see the website they expect to see if they return to the same web URL and it allows us to tell you how many people click on your website.

The “we” here in this paragraph refers to us, Netlify, who do indeed use cookies to track visitors’ behaviour when they are interacting with app.netlify.com, also known as the UI or dashboard. We set cookies to route you (as our customer who is using the dashboard) to the right place should you browse away, etc.

This does not refer to visitors to a site you might build.

We do not set cookies on sites you might make for YOUR visitors (edited to add: there are some exceptions that are opt-in, as described by Scott below). We don’t edit your content, and if you should see a cookie being set that you think should not get set, it is possible that something is misconfigured and you should let us know right away!

One more time for clarity - that paragraph refers only to visitors to app.netlify.com, not to visitors to sites you might host with us.

Let me know if you have any other questions!

3 Likes

Ok, fantastic. That puts my mind considerably at rest. Thank you for taking the time to go through that with me in detail, Perry!

1 Like

Hey there!

Just to add on to Perry’s advice – if you opt in to split testing or make use of the “remember me” functionality within our gotrue-js library, both of these services do set a cookie on the client’s machine.

Out of the box, no – we don’t set cookies; however, the two scenarios above are ones you may optionally configure.

EDIT: We also save cookies when you enable password-protection for your website - another opt-in feature.

3 Likes
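Perry’s advice above (if you see a cookie being set that should not be, something may be misconfigured) and Scott’s list of opt-in features that do set cookies can be turned into a quick check of what a page actually returns. The script below is an added example and is not Netlify’s tooling or code from this thread; it parses the `Set-Cookie` headers of one HTTP response so you can compare them against the features you deliberately enabled. The values in `SAMPLE_SET_COOKIE` are constructed for the offline demo, and the cookie names in them are invented rather than real Netlify cookie names.

```python
"""Audit the Set-Cookie headers a page returns, so you can confirm a
site really sets no cookies (or only the ones you opted into) before
deciding what visitors need to be told.

Added example; not part of the forum thread or Netlify's tooling."""
import sys
import urllib.error
import urllib.request
from http.cookies import SimpleCookie

# Constructed sample headers for the offline demo; the cookie names are
# invented and do not correspond to any real Netlify feature.
SAMPLE_SET_COOKIE = [
    "site_pref=dark; Path=/; Max-Age=2592000; Secure; SameSite=Lax",
    "session_example=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(values):
    """Turn raw Set-Cookie header values into a list of cookie records."""
    records = []
    for raw in values:
        jar = SimpleCookie()
        jar.load(raw)  # SimpleCookie understands Set-Cookie syntax
        for name, morsel in jar.items():
            records.append({
                "name": name,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "samesite": morsel["samesite"] or None,
                # Max-Age or Expires means the cookie outlives the session
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
            })
    return records


def audit(values):
    """Summarise which cookies are set, which persist, and hardening gaps."""
    records = parse_set_cookie(values)
    findings = []
    for c in records:
        if not c["secure"]:
            findings.append(f"{c['name']}: missing Secure")
        if not c["samesite"]:
            findings.append(f"{c['name']}: missing SameSite")
    return {
        "cookie_names": [c["name"] for c in records],
        "persistent": [c["name"] for c in records if c["persistent"]],
        "findings": findings,
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at the first response: a redirect hop can set cookies too,
    and following it silently would hide them from the audit."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_set_cookies(url):
    """Fetch one URL (no redirects) and return its raw Set-Cookie values."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        headers = opener.open(url, timeout=10).headers
    except urllib.error.HTTPError as err:  # 3xx/4xx responses still carry headers
        headers = err.headers
    return headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Usage: python cookie_audit.py https://your-site.example  (URL is yours to supply)
    values = fetch_set_cookies(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SET_COOKIE
    report = audit(values)
    if not report["cookie_names"]:
        print("no Set-Cookie headers in this response")
    else:
        print("cookies set:", ", ".join(report["cookie_names"]))
        print("persistent:", ", ".join(report["persistent"]) or "none")
        for finding in report["findings"]:
            print("hardening gap:", finding)
```

Run it against the page you care about and compare the names it lists with the opt-in features you have enabled (split testing, “remember me” in gotrue-js, password protection); anything else is worth raising with support, as Perry suggests. Check a few representative URLs, since cookies tied to an opt-in feature may only appear on the pages where that feature is active.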

Thank you, Scott, for that clarification!

1 Like

Thanks for the explications guys and asking the question! This is also something that is of considerable interest to me and many others.

@Scott It’s great that you clarify that some of your opt-in features will set cookies.
As a developer, and someone who appreciates netlify for its great DX, I would hope that within the docs, the features setting additional cookies would be clearly marked. For example next to the configuration / activation settings of those opt-in features (or the specific feature doc page).

I noticed that indeed the split testing page has a single sentence that says it sets a cookie, but it’s rather easy to overlook. It’d be great if there was a notification banner stating: “GDPR Notice: This feature requires Cookie Consent”.

It is really essential for good data governance and compliance with GDPR.

Thanks for that suggestion, @MentalGear! I’ll check with the team on this.

In the meantime, the gdpr-ccpa page no longer contains this section. The Wayback Machine showed it was removed between 2023-01-22 and 2023-03-07. Some privacy policies of websites quoted that Netlify stores access logs of site visitors for less than 30 days, for example https://www.bausicht.de/en/privacy/ (I’m not affiliated with that site). But the section “Types of Personally Identifiable Information (PII) we collect” also got deleted from the gdpr-ccpa page. Did it move somewhere else? How should I update my GDPR and cookie policy?