GDPR and local storage

GDPR affects use of local storage by embedded widgets?

     
4:52 am on May 22, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 27, 2001
posts:1186
votes: 16


An acquaintance has an embedded booking widget on her site.

Just going through it and checking the site for GDPR stuff, I noticed that it was not using cookies but was using local storage (checking in Firefox Web Developer in private browsing).

I know next to nothing about this technique but from the little I have read it appears a) to function in a similar way to a cookie and b) to be substantially less secure because of XSS potential.

Anyone want to illuminate whether the use of local storage might be part of this GDPR can of worms?
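
The check described in the post above (seeing what an embedded widget keeps in local storage), as an added example that is not part of the original thread. The `bk_` key names and sample values are constructed, and the patterns are rough heuristics assumed for illustration, not a legal test of personal data.

```javascript
// Inventory Web Storage and flag values that look like identifiers or contact data.
// Accepts any object with the Storage interface: length, key(i), getItem(k).

// Heuristic patterns (assumptions; tune them for the site being reviewed).
const PATTERNS = [
  ["email", /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i],
  ["jwt-like token", /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/],
  ["uuid-like identifier", /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/i],
];

// Walk a parsed JSON value and collect [path, text] pairs for every leaf.
function flatten(value, path, out) {
  if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) flatten(v, path ? `${path}.${k}` : k, out);
  } else {
    out.push([path, String(value)]);
  }
  return out;
}

function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const raw = storage.getItem(key);
    let parsed;
    try { parsed = JSON.parse(raw); } catch { parsed = raw; } // widgets often store JSON
    for (const [path, text] of flatten(parsed, "", [])) {
      for (const [label, re] of PATTERNS) {
        if (re.test(text)) findings.push({ key, field: path || "(value)", label });
      }
    }
  }
  return findings;
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function makeStorage(obj) {
  const keys = Object.keys(obj);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => obj[k] };
}
const sample = makeStorage({
  bk_session: "3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d",
  bk_draft: JSON.stringify({ guest: { name: "A. Example", email: "guest@example.com" }, nights: 2 }),
  bk_theme: "dark",
});
```

In the browser's developer console, on the page that hosts the widget, `console.table(auditStorage(localStorage))` lists the flagged keys; `sessionStorage` can be passed the same way.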
5:19 am on May 22, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


[webmasterworld.com...]

I think you answered your own question... less secure so obviously wouldn't comply with GDPR.

You could use the XSS security header though:
X-XSS-Protection: 1; mode=block
5:51 am on May 22, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 27, 2001
posts:1186
votes: 16


Thanks for the reply.

Sorry, I wasn't too clear about what I was looking for because I know little about local storage.

I think my questions were:
i) is 'local storage' just in the user browser and, if so, does this count as 'data storage' in terms of GDPR (since the data never goes anywhere apart from the user and the user, theoretically, has allowed the use of local storage)
ii) does the use of 'local storage' fall under the cookie notification regulations (which are separate from GDPR but often being combined now by websites)
5:57 am on May 22, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Cookies are stored on the user's computer.

What you're describing is data that identifies a user that's stored on the web server. As such, it would be subject to GDPR proposals about data storage. The link I gave above outlines data storage.

One point I left out in that other thread though is encryption. If stored data is encrypted, it would be compliant generally speaking without getting into who has access and for how long the data is stored.