That's correct. Using cookies for the user session is fine and does not require consent as long as you really are just using them for the user session. The moment you use them for analytics, you have to request consent for analytics, even if they are primarily for maintaining the user session.
Not even then - there are plenty of analytics you can do without a cookie banner, as long as they don't identify the user.
Conversely, anything you do other than your obvious business requirements (e.g. if you buy something physical I need some address or identity to verify at pickup) requires consent whether or not it's analytics.
(Not a lawyer, not legal advice, jesus just don't track people...)
No, it wouldn't be in the EULA. There are two parts of GDPR that would specifically go against putting consent to tracking in the EULA:
1. GDPR requires the consent check to be somewhere obvious and in plain language. That was specifically to deal with EULAs given to you in tiny legally compliant text boxes.
2. GDPR requires that you cannot make consent for non-essential usages of data mandatory as a condition for providing your services. Tracking only logged-in people for analytics falls into the category of non-essential purposes. That requires explicit consent, even if consent is not required to use the exact same data for authentication checks.
But wouldn't that be asked for at the same time as signing the EULA, i.e. at account creation? If you're avoiding banners, I can't think where else you'd put it.
If a cookie is not necessary (or you are using a necessary cookie for secondary purposes), then you need GDPR-valid consent. This means:
1. Consent must be separate from other terms being agreed to. So consent in the EULA would not be valid.
2. Consent must be an affirmative, unambiguous action. Pre-ticked boxes or bundled consent are not valid.
3. Consent can be revoked at any time. Revoking consent must be as easy as giving it.
So yes, you can ask for it from a user when you're having them agree to the EULA. However, you can't have it as part of the EULA; it has to be an optional add-on. And you still need to let people turn it off afterwards.
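As an added illustration (my own sketch, not code from anyone in this thread), here is what those three points look like when the session cookie is the thing you'd be tempted to reuse for analytics. The Account, AnalyticsStore and SESSIONS names and the sample session id are made up for the example:

```python
from dataclasses import dataclass, field
from typing import Dict

@dataclass
class Account:
    user_id: str
    eula_accepted: bool = False
    analytics_consent: bool = False   # separate field, never bundled into the EULA, off by default

def accept_eula(acct: Account) -> Account:
    """Agreeing to the terms must not touch the analytics flag (point 1: separate consent)."""
    acct.eula_accepted = True
    return acct

def set_analytics_consent(acct: Account, opted_in: bool) -> Account:
    """Only an explicit affirmative action turns consent on (point 2);
    the same call, with False, withdraws it just as easily (point 3)."""
    acct.analytics_consent = bool(opted_in)
    return acct

@dataclass
class AnalyticsStore:
    page_views: int = 0                                        # aggregate count, identifies nobody
    per_user: Dict[str, int] = field(default_factory=dict)     # attributed to a person: needs consent

# Constructed sample: essential session cookie -> user id (authentication use, no consent needed).
SESSIONS = {"sess-abc123": "alice"}

def record_page_view(store: AnalyticsStore, accounts: Dict[str, Account], session_cookie: str) -> str:
    """Called on every request. The session cookie is always valid for authenticating
    the request, but it may only be reused to attribute the view to a person when
    that person has opted in; otherwise only the anonymous aggregate is updated."""
    store.page_views += 1
    user_id = SESSIONS.get(session_cookie)
    acct = accounts.get(user_id) if user_id else None
    if acct is not None and acct.analytics_consent:
        store.per_user[user_id] = store.per_user.get(user_id, 0) + 1
        return "identified"
    return "aggregate"
```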
If we're talking about Github, no, I don't think it's a clever hack. I think they've actually ripped out the offending usages.
The reason I find that believable is that their core business is selling a git server with bells and whistles. From Microsoft's perspective, Github doesn't need to be doing any marketing because they kind of are the marketing.
Whether they complied in other ways is irrelevant to whether this case is non-compliant, and the point was about reuse of cookies for analytics, not marketing.
I don’t understand your point. You’re asking whether they’re trying to work a loophole or a clever hack, and I said that I don’t think they are and that I think it’s credible because they don’t have profit motives that would drive them to take that legal risk.
You don't think they do analytics on users based on these session cookies? Because doing that without the consent pop-up is (I claim above) illegal, and so the clever workaround fails.
I would be really, really surprised if Github were the only Bay Area unicorn that lacked a product manager nagging them for more analytics. The fact that they don't need to sell the analytics is irrelevant.
I can't speak for Github, but I can speak for my team in [tech giant]: if I wanted to do analytics on end users I'd have to go through a review to confirm that I would not be violating privacy laws. I literally couldn't query them if I wanted to without jumping through technical hoops with audit processes and paper trails.
I do believe Github is legitimately trying not to use that data for analytics. But whether some PM in there is querying that data for analytics purposes: at that point we're just speculating based on how cynical you or I want to be. I don't think that's a meaningful point.
Also: I'm not saying I don't think they do analytics. I'm saying I don't think they are using users' personal data for analytics. That's an important difference with respect to GDPR.