As ASP.NET Core 2.1+ meets GDPR compliance requirements, the documentation about GDPR support in ASP.NET Core (EU General Data Protection Regulation (GDPR) support in ASP.NET Core)
must include warning information about steps that can make a web application GDPR non-compliant.
For example: session state will remain disabled in .NET Core 2.1 without user consent. However, changing options.CheckConsentNeeded = context => true; to options.CheckConsentNeeded = context => false; enables you to use session state as you expect, without user consent.
However, by doing so your web application may become GDPR non-compliant.
This information should be present in the documentation as a warning note.
The topic doesn't recommend setting CheckConsentNeeded for session: The fourth bullet point links down to the section that shows how to deal with the session cookie. I'm not sure if this rises to the level of a warning.
Yes @guardrex, session cookies will start working if we make them essential (this is what the fourth bullet point links down to), and this is not going to make an app GDPR non-compliant.
However, similarly, session will start working if we disable tracking by changing options.CheckConsentNeeded = context => true; to options.CheckConsentNeeded = context => false;, and this change is something that can make a web app GDPR non-compliant, as we are going to store session cookies without user consent.
As a developer, I would find a way to store cookies without asking the user, to make my application leverage all session/TempData features, because this is the easiest way for a developer. That is why I am suggesting this change. Moreover, please share more thoughts on the same.
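The two changes discussed in the comments above, shown side by side as an added example (this is not code from the linked ASP.NET Core topic or from any of the thread's participants). It assumes an ASP.NET Core 2.1 Startup class with cookie policy, session and MVC; the RequireConsent constant and the ConsentStatusController are hypothetical names used only for this illustration.

```csharp
// Added example, not from the ASP.NET Core topic or the thread's authors.
// Shows the two configurations discussed above on an ASP.NET Core 2.1 Startup:
//   (a) keep CheckConsentNeeded = true and mark only the session cookie as
//       essential (what the topic's fourth bullet point links to), versus
//   (b) switch the consent check off with CheckConsentNeeded = context => false.
// "RequireConsent" and "ConsentStatusController" are hypothetical names.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical switch so both configurations can be compared in one file.
    // Set to false to reproduce the change the report warns about.
    private const bool RequireConsent = true;

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // true:  non-essential cookies are withheld until the user consents.
            // false: the consent check is disabled and every cookie is written,
            //        the session cookie included, whether or not the user agreed.
            options.CheckConsentNeeded = context => RequireConsent;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.AddSession(options =>
        {
            // Configuration (a): the consent check stays on, and only the
            // session cookie is declared essential, so session state works
            // while all other non-essential cookies still wait for consent.
            options.Cookie.IsEssential = true;
            options.Cookie.HttpOnly = true;
            options.IdleTimeout = TimeSpan.FromMinutes(20);
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // UseCookiePolicy must run before any middleware that writes cookies,
        // otherwise the consent check never sees them.
        app.UseCookiePolicy();
        app.UseSession();
        app.UseMvc();
    }
}

// Hypothetical controller that reports what the cookie policy currently allows,
// so you can verify which configuration is actually in effect on a request.
public class ConsentStatusController : Controller
{
    [HttpGet("/consent-status")]
    public IActionResult Get()
    {
        var consent = HttpContext.Features.Get<ITrackingConsentFeature>();

        // Writing to session forces the session cookie to be issued; with (a)
        // this succeeds because the cookie is essential, with (b) it succeeds
        // because the consent check is switched off entirely.
        HttpContext.Session.SetString("visited", DateTime.UtcNow.ToString("o"));

        return Json(new
        {
            // With CheckConsentNeeded = false, IsConsentNeeded is false and
            // CanTrack is true on every request: cookies are stored without the
            // user ever being asked, which is the point raised in this issue.
            isConsentNeeded = consent?.IsConsentNeeded,
            hasConsent = consent?.HasConsent,
            canTrack = consent?.CanTrack,
            sessionId = HttpContext.Session.Id
        });
    }
}
```

Requesting /consent-status with RequireConsent left at true returns isConsentNeeded = true and canTrack = false until the consent cookie is granted, yet sessionId is populated because the session cookie is essential. Flipping RequireConsent to false makes canTrack true on the first request from a fresh browser, which is the observable difference between the two approaches debated above.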
We provide warnings for scenarios that are truly dangerous from a security perspective. Breaking GDPR may cause a problem within a company (e.g., violate a company policy), and it might even create a legal problem for the company (e.g., a government fine), but it won't actually compromise the security of an app, server, or network. That's why I said that it probably doesn't rise to the level of a warning.
The author of the topic is OOF right now. When he gets back, he'll take a look.
@blowdart do we want to warn about non GDPR compliance? I could have @guardrex make an animated GIF include.
ASP.NET Core doesn't claim to be GDPR compliant, we give you features to help you reach compliance (as the documentation so carefully says), once you figure out what compliance means for your scenario. Compliance is more than using a template.
It is not for Microsoft to give legal advice on what is or is not compliance.