GDPR features in ASP.NET Core
As the General Data Protection Regulation (GDPR) is now in force in the European Union (EU), there is also some basic support for it included in ASP.NET Core 2.1. Although it is not possible to come up with a technical reference implementation of GDPR, there are still some good starting points available in ASP.NET Core. Here is a brief overview.
Consent for non-essential cookies
The first GDPR thing we notice in ASP.NET Core applications is the cookie consent bar displayed at the top of the page.
It covers only non-essential cookies, i.e. those not needed for the site to work. Among these are the cookies used by the TempData and session providers. If our application needs TempData or session state, we have to find other ways to implement them that do not rely on cookies.
In the application's Startup class we have to add and configure the cookie policy. This is new in ASP.NET Core 2.1.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // GDPR stuff
        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();

        // GDPR stuff: registered before MVC so the consent check applies to cookies written by controllers
        app.UseCookiePolicy();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
When the user clicks the Learn More button in the cookie consent bar, the browser is redirected to the default privacy policy page.
Unfortunately there is no sample text available to start with, but I understand the product group too – they are techies and not lawyers :)
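As an added example (not code from the original post or from the ASP.NET Core templates), here is a hypothetical PrivacyController showing how application code works with the cookie policy configured above: it checks ITrackingConsentFeature before writing a non-essential cookie, marks a cookie the site needs as IsEssential so it is written regardless of consent, and exposes one action for granting or withdrawing consent. The cookie names, action names and redirect target are assumptions.

```csharp
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller added as an example; not part of the ASP.NET Core templates.
public class PrivacyController : Controller
{
    // Set by app.UseCookiePolicy() in Startup.Configure; null if that middleware is missing.
    private ITrackingConsentFeature Consent =>
        HttpContext.Features.Get<ITrackingConsentFeature>();

    // IsEssential decides whether the cookie policy middleware writes the cookie without
    // consent; the other flags are plain cookie hygiene.
    private static CookieOptions Options(bool essential) => new CookieOptions
    {
        IsEssential = essential,
        HttpOnly = true,
        Secure = true,
        SameSite = SameSiteMode.Lax
    };

    // Non-essential cookie: the middleware drops it silently when consent is missing,
    // so check CanTrack first and tell the caller why nothing was stored.
    public IActionResult RememberTheme(string theme)
    {
        if (Consent == null || !Consent.CanTrack)
            return Content("Theme not stored: no cookie consent");
        Response.Cookies.Append("theme", theme, Options(essential: false));
        return Content("Theme stored");
    }

    // Essential cookie: written regardless of consent, so reserve this for cookies
    // the site cannot work without.
    public IActionResult SetLocale(string locale)
    {
        Response.Cookies.Append("locale", locale, Options(essential: true));
        return Content("Locale stored");
    }

    // Opting in and opting out go through the same POST, so withdrawing is as easy as granting.
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult SetConsent(bool grant)
    {
        if (grant) Consent?.GrantConsent();
        else Consent?.WithdrawConsent(); // expires the consent cookie
        return RedirectToAction("Index", "Home");
    }
}
```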
Managing personal data
GDPR also sets rules for how users must be able to see what data is gathered about them, and for how they can opt out and have their data deleted from the system. For web applications with authentication, ASP.NET Core 2.1 supports this at a basic level.
When creating an application that supports individual accounts, there is a new Personal data section available on the profile page.
This is an example of the data file a user can download.
{
    "Id": "a2048f7d-5627-4cae-8da6-aca009457b98",
    "UserName": "gpeipman@hotmail.com",
    "Email": "gpeipman@hotmail.com",
    "EmailConfirmed": "False",
    "PhoneNumber": "null",
    "PhoneNumberConfirmed": "False",
    "TwoFactorEnabled": "False",
    "Authenticator Key": null
}
At this point I think it would be better to represent this data as XML with an online XSL stylesheet, as regular users are not familiar with JSON and other technical data formats. But still we got the data handed to the user.
Wrapping up
Although GDPR is a massive headache for many companies, especially on the legal side, ASP.NET Core 2.1 has some readiness to support the efforts on the technical side. Besides the simple cookie consent bar and privacy policy page, there is also support for users to download or delete their data. Of course, the actual implementation of these features is up to each company, but we still have a good base to start from.
Great post, though I think you are missing an important step, which is how to opt out from the consent.
It clearly states that it must be just as easy to opt out as to opt in.
I personally prefer to make a button to opt out and attach that to the policy page.