4

Many cookie consent services – for example SecurePrivacy, CookieBot, and CookiePro – allow "cross-domain" consent, where consenting to cookie usage on one domain will imply consent on certain other domains as well. This means that after you've consented on e.g. example.org you are not shown the cookie consent dialog on app.example.org.

These services do not talk about the legal aspects of this functionality, so I'm wondering if it really is compliant with GDPR to do this? And what about CCPA?

I realize that any answers or comments are not legal advice and I will not take them as such. I'm just asking for some sort of justification or comments on the validity of this approach.

qff

1 Answer

1

It is valid as long as you can comply with the EU GDPR. You might need to dynamically generate some of the contents of the cookie consent banner (i.e., the domain name). Your domain name example.org and subdomain app.example.org refer to the same root domain name, and you can refer to *.example.org. It does not matter how you are compliant from a technical perspective. Keep in mind that you need to comply with both the EU GDPR and the ePrivacy Directive. Further reading: https://gdpr.eu/cookies/

You cannot expect legal advice here on webmaster StackExchange. Here you would find technical help. You might try https://law.stackexchange.com/ for legal advice. Also, GDPR is available in the EU and UK, while CCPA is pertinent to California. You might try to split the question and highlight the country-specific regulation in the title. This could help you get an answer more quickly.