GDPR features in ASP.NET Core

As the General Data Protection Regulation (GDPR) is now in force in the European Union (EU), there is also some basic support for it included in ASP.NET Core 2.1. Although it is not possible to come up with a technical reference standard for GDPR, there are still some good starting points available in ASP.NET Core. Here is a brief overview.

Consent for non-essential cookies

The first GDPR feature we notice in ASP.NET Core applications is the cookie consent bar displayed at the top of the page.

GDPR cookie consent bar in ASP.NET Core

It covers only non-essential cookies, that is, cookies that are not needed for the site to work. Among these are the cookies used by the TempData and session providers. If TempData or session state is needed by our application, we have to find other ways to implement them rather than relying on cookies.

In the Startup class of the application we have to add and configure the cookie policy. This is new in ASP.NET Core 2.1.

public void ConfigureServices(IServiceCollection services)
{
    // GDPR stuff
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }

    app.UseStaticFiles();

    // GDPR stuff
    app.UseCookiePolicy();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}
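As an added example (not code from the original post or from the ASP.NET Core templates), the following shows two consequences of the policy above that a practitioner will run into: the session cookie is treated as non-essential and must be explicitly marked essential if the site really depends on it, and consent should be withdrawable through ITrackingConsentFeature as easily as it is granted. The ConsentController, its Withdraw action and the redirect target are my own assumptions.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        // The session cookie is non-essential by default: until the user consents,
        // the cookie policy middleware drops it and session state is silently empty.
        // Mark it essential only if the site genuinely cannot work without it.
        services.AddSession(options =>
        {
            options.Cookie.IsEssential = true;
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookiePolicy(); // must precede any middleware that writes cookies
        app.UseSession();
        app.UseMvc();
    }
}

// Hypothetical controller: withdrawing consent must be as easy as granting it.
public class ConsentController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Withdraw()
    {
        // Deletes the consent cookie; on later requests only essential cookies are written.
        HttpContext.Features.Get<ITrackingConsentFeature>()?.WithdrawConsent();
        return RedirectToAction("Privacy", "Home");
    }
}
```

A POST form on the privacy policy page pointing at /Consent/Withdraw is enough to expose the opt-out next to the policy text.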

When the user clicks the Learn More button in the cookie consent bar, the browser is redirected to the default privacy policy page.

Privacy policy page in ASP.NET Core

Unfortunately there is no sample text available to start with, but I understand the product group too: they are techies, not lawyers :)

Managing personal data

GDPR also sets rules on how users must be able to see what data is gathered about them, and on how users can opt out and have their data deleted from the system. For web applications with authentication this is also supported by ASP.NET Core 2.1 at a basic level.

When creating an application that supports individual accounts, there is a new personal data section available on the profile page.

Personal data page in ASP.NET Core

This is an example of the data file that the user can download.

{
  "Id": "a2048f7d-5627-4cae-8da6-aca009457b98",
  "UserName": "gpeipman@hotmail.com",
  "Email": "gpeipman@hotmail.com",
  "EmailConfirmed": "False",
  "PhoneNumber": "null",
  "PhoneNumberConfirmed": "False",
  "TwoFactorEnabled": "False",
  "Authenticator Key": null
}

At this point I think it would be better to represent this data as XML with an online XSL stylesheet, as regular users are not familiar with JSON and other technical data formats. But still, we get the data handed to the user.

Wrapping up

Although GDPR is a massive headache for many companies, especially on the legal side, there is some readiness in ASP.NET Core 2.1 to support the efforts on the technical side. Besides the simple cookie consent bar and privacy policy page, there is also support for users to download or delete their data. Of course, the actual implementation of these features is up to every company, but we still have a good base to start from.


Gunnar Peipman

Gunnar Peipman is an ASP.NET, Azure and SharePoint fan, Estonian Microsoft user group leader, blogger, conference speaker, teacher, and tech maniac. Since 2008 he has been a Microsoft MVP specializing in ASP.NET.

    2 thoughts on “GDPR features in ASP.NET Core”


    • June 8, 2018 at 8:50 am

      Great post, though I think you are missing an important step, which is how to opt out from the consent.
      It clearly states that it must be just as easy to opt out as to opt in.
      I personally prefer to make a button to opt out and attach that to the policy page.
