
Implementing GDPR in ASP.NET Core

TLDR

  • GDPR requires websites to inform users about cookie usage and restrict the writing of non-essential cookies until the user provides consent.
  • ASP.NET Core manages the cookie consent mechanism through CookiePolicyOptions and the UseCookiePolicy middleware.
  • To enforce that non-essential cookies are only written after user consent, set CheckConsentNeeded to true.
  • Cookies marked IsEssential = true are written even when the user has not consented; this is meant only for data the website needs in order to operate.
  • During implementation, you can use ITrackingConsentFeature to check if the user has consented to tracking and use CreateConsentCookie() to generate the consent flag.

Core Concepts of GDPR Implementation

GDPR requires websites to protect the personal data and privacy of individuals in the EU. When implementing a cookie consent banner, the usual processing logic is as follows:

  • Inform users about the website's cookie usage and provide a link to the privacy policy page.
  • Handle dismissal of the prompt:
    • Dismiss only: the banner is hidden for now, but it reappears after a page refresh.
    • Consent: write a consent-flag cookie, stop showing the prompt from then on, and use this flag to decide whether other non-essential cookies may be written.
  • Preventive protection: until the user consents, non-essential cookies must not be written.

How to Implement GDPR in ASP.NET Core

ASP.NET Core provides a built-in mechanism to handle the cookie consent flow, primarily configured through CookiePolicyOptions.

Configuring CookiePolicyOptions

Configure CookiePolicyOptions in Program.cs and enable the UseCookiePolicy middleware.

```csharp
builder.Services.Configure<CookiePolicyOptions>(options => {
    // When this returns true, the middleware checks whether the user has consented and
    // withholds non-essential cookies until consent is given
    options.CheckConsentNeeded = context => true;

    // Lowest SameSite value the middleware will accept on outgoing cookies; None imposes no minimum
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

// ...other code...

app.UseCookiePolicy(); // Cookie policy middleware; must run before anything that writes cookies
```

In _CookieConsentPartial.cshtml, use ITrackingConsentFeature to determine whether to display the banner and handle the click event of the consent button.

When you encounter this issue: When you need to dynamically show or hide the cookie prompt banner based on the user's consent status.

```html
@using Microsoft.AspNetCore.Http.Features

@{
    var consentFeature = Context.Features.Get<ITrackingConsentFeature>();
    // CanTrack is true when consent is not required or has already been granted
    var showBanner = !consentFeature?.CanTrack ?? false;
    // Ready-made Set-Cookie string for the consent flag, written by the button's click handler
    var cookieString = consentFeature?.CreateConsentCookie();
}

@if (showBanner) {
    <div id="cookieConsent" class="alert alert-info alert-dismissible fade show" role="alert">
        Use this space to summarize your privacy and cookie use policy. <a asp-page="/Privacy">Learn More</a>.
        <button type="button" class="accept-policy close" data-dismiss="alert" aria-label="Close" data-cookie-string="@cookieString">
            <span aria-hidden="true">Accept</span>
        </button>
    </div>
    <script>
        (function () {
            var button = document.querySelector("#cookieConsent button[data-cookie-string]");
            button.addEventListener("click", function (event) {
                // Writing the consent cookie makes CanTrack true on subsequent requests
                document.cookie = button.dataset.cookieString;
            }, false);
        })();
    </script>
}
```

Handling Essential Cookies

Some cookies are necessary for the website to function properly (such as shopping carts or authentication), and these cookies must be written even if the user has not yet consented to the privacy policy.

When you encounter this issue: When parts of the website (such as login status) rely on cookies, and that functionality must work before the user clicks "Accept".

```csharp
Response.Cookies.Append("name", "value", new CookieOptions {
    IsEssential = true // Mark this cookie as essential, exempt from the consent mechanism
});
```
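The following minimal Program.cs ties the policy configuration and the essential/non-essential distinction together, and adds server-side consent endpoints as an alternative to the banner's document.cookie write. It is an added example, not code from the article; the endpoint paths and cookie names are assumptions chosen for the demo.

```csharp
// Added example (ASP.NET Core 6+ minimal hosting); endpoint paths and cookie names are assumed
using Microsoft.AspNetCore.Http.Features;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<CookiePolicyOptions>(options =>
{
    // Require consent on every request: non-essential cookies are withheld until it is granted
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
    // Force the Secure attribute on every cookie the app emits, the consent cookie included
    options.Secure = CookieSecurePolicy.Always;
    // Caveat: HttpOnlyPolicy.Always is also applied to the string from CreateConsentCookie(),
    // and browsers reject document.cookie writes that carry HttpOnly; if you enable it,
    // grant consent through the server-side endpoint below instead of the banner script
});

var app = builder.Build();

// Must run before any endpoint that writes cookies, otherwise the policy is never applied
app.UseCookiePolicy();

app.MapGet("/cookies", (HttpContext ctx) =>
{
    var consent = ctx.Features.Get<ITrackingConsentFeature>();

    // Essential: written regardless of consent state
    ctx.Response.Cookies.Append("cart_id", Guid.NewGuid().ToString(),
        new CookieOptions { IsEssential = true });

    // Non-essential: the policy wrapper silently drops this Append while CanTrack is false
    ctx.Response.Cookies.Append("analytics_id", Guid.NewGuid().ToString());

    return Results.Ok(new { canTrack = consent?.CanTrack, hasConsent = consent?.HasConsent });
});

// Server-side equivalent of the banner's "Accept" button
app.MapPost("/consent/grant", (HttpContext ctx) =>
{
    ctx.Features.Get<ITrackingConsentFeature>()?.GrantConsent();
    return Results.NoContent();
});

// Lets the user revoke consent later, as GDPR expects
app.MapPost("/consent/withdraw", (HttpContext ctx) =>
{
    ctx.Features.Get<ITrackingConsentFeature>()?.WithdrawConsent();
    return Results.NoContent();
});

app.Run();
```

Calling GET /cookies before and after POST /consent/grant shows the difference in the Set-Cookie headers: cart_id is always present, analytics_id only once canTrack is true.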

Change Log

  • 2022-10-27 Initial document creation.