Now that the General Data Protection Regulation (GDPR) is in force in the European Union (EU), ASP.NET Core 2.1 ships with some basic support for it. Although it is not possible to produce a technical reference implementation of GDPR (the regulation describes obligations, not code), there are still some good starting points available in ASP.NET Core. Here is a brief overview.
Consent for non-essential cookies
The first GDPR-related thing we notice in ASP.NET Core 2.1 applications is the cookie consent bar displayed at the top of the page.
It covers only non-essential cookies, the ones a site does not need in order to work. In the 2.1 template the cookies written by the TempData and session providers are treated as non-essential, so they are simply not written until the user has consented. If our application needs TempData or session state before consent is given, we either have to implement these without cookies or mark those specific cookies as essential in their options, which we should only do when the site genuinely cannot work without them.
public void ConfigureServices(IServiceCollection services)
{
    // GDPR stuff
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // GDPR stuff: must be registered before any middleware that writes cookies
    app.UseCookiePolicy();
}
Unfortunately there is no sample consent text to start with, but I understand the product group too: they are techies, not lawyers :)
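To show what the consent machinery above actually does at runtime, here is an added example of my own; it is not code from the post or from the ASP.NET Core 2.1 template. It assumes an MVC application served over HTTPS and a hypothetical ConsentController with Grant, Withdraw and Status actions. It shows the template's SameSite setting beside a stricter one, marks the TempData cookie essential while leaving the session cookie non-essential, and gives users a server-side way to withdraw consent that is as easy as granting it.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Consent is required for every request that does not already carry the consent cookie.
            options.CheckConsentNeeded = context => true;

            // The template uses SameSiteMode.None, which enforces no minimum at all.
            // Lax is enforced on every cookie the app appends and still works for
            // top-level redirect logins; fall back to None only for providers that
            // post back via form_post.
            options.MinimumSameSitePolicy = SameSiteMode.Lax;

            // Every cookie is marked Secure, so this assumes the site is served over HTTPS.
            options.Secure = CookieSecurePolicy.Always;
        });

        // TempData and session cookies are non-essential by default and are silently
        // withheld until consent. Mark a cookie essential only if the site cannot work
        // without it; here TempData is made essential and the session cookie is not.
        services.Configure<CookieTempDataProviderOptions>(o => o.Cookie.IsEssential = true);
        services.AddSession(o => o.Cookie.IsEssential = false);

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseStaticFiles();
        // Must run before anything that appends cookies (session, authentication, MVC);
        // otherwise the policy is not applied to those cookies.
        app.UseCookiePolicy();
        app.UseSession();
        app.UseMvc(routes => routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}

// Hypothetical controller: gives users a server-side opt-in and an equally easy opt-out.
// The template's consent bar only grants consent, and does so from JavaScript.
public class ConsentController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Grant(string returnUrl)
    {
        HttpContext.Features.Get<ITrackingConsentFeature>()?.GrantConsent();
        // LocalRedirect rejects off-site URLs, so returnUrl cannot become an open redirect.
        return LocalRedirect(string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Withdraw(string returnUrl)
    {
        // Deletes the consent cookie; on the next request CanTrack is false again and the
        // cookie policy middleware drops any non-essential cookie the app tries to append.
        HttpContext.Features.Get<ITrackingConsentFeature>()?.WithdrawConsent();
        return LocalRedirect(string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl);
    }

    // Non-essential cookies are dropped by the middleware without any error, so check
    // CanTrack explicitly instead of discovering the silent drop in production.
    [HttpGet]
    public IActionResult Status()
    {
        var consent = HttpContext.Features.Get<ITrackingConsentFeature>();
        if (consent?.CanTrack == true)
        {
            Response.Cookies.Append("ui-theme", "dark",
                new CookieOptions { IsEssential = false, Secure = true, HttpOnly = true, SameSite = SameSiteMode.Lax });
        }
        return Json(new
        {
            consentNeeded = consent?.IsConsentNeeded,
            hasConsent = consent?.HasConsent,
            canTrack = consent?.CanTrack
        });
    }
}
```

Wire the two POST actions to buttons on the privacy page (with the anti-forgery token in the form) so that opting out is one click, the same as opting in. Calling Status before and after Withdraw shows the consent cookie disappearing and the ui-theme cookie no longer being set.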
Managing personal data
GDPR also sets rules on how users must be able to see what data is gathered about them (the right of access), and on how they can opt out and have their data deleted from the system (the right to erasure). For web applications with authentication, ASP.NET Core 2.1 supports this at a basic level too.
When we create an application that supports individual accounts, there is a new Personal data section on the profile page, with buttons to download the account's data and to delete the account.
This is an excerpt of the example data file (JSON) that the user can download:
"Authenticator Key": null
At this point I think it would be better to represent this data as XML with an online XSL stylesheet, as regular users are not familiar with JSON and other technical data formats. But still, we get the data handed to the user.
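For the personal data section, here is an added example of my own, not the Identity UI's scaffolded page. It assumes a hypothetical ApplicationUser with DisplayName and DateOfBirth properties and that Identity is registered for that type. It shows how application-specific fields are included in the download by marking them with [PersonalData], how the export is scoped to the signed-in user only, and how deletion is gated behind re-entering the password.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Newtonsoft.Json;

// Hypothetical user type. Properties marked [PersonalData] are picked up by the export
// below; [ProtectedPersonalData] additionally lets Identity encrypt the value at rest
// when the store's ProtectPersonalData option is turned on.
public class ApplicationUser : IdentityUser
{
    [PersonalData]
    public string DisplayName { get; set; }

    [ProtectedPersonalData]
    public string DateOfBirth { get; set; }
}

[Authorize]
public class PersonalDataModel : PageModel
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public PersonalDataModel(UserManager<ApplicationUser> userManager, SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [BindProperty]
    public string Password { get; set; }

    // Right of access: export only the current principal's own record, never a user id from the request.
    public async Task<IActionResult> OnPostDownloadAsync()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return NotFound();

        var export = CollectPersonalData(user);
        export["Authenticator Key"] = await _userManager.GetAuthenticatorKeyAsync(user);
        foreach (var login in await _userManager.GetLoginsAsync(user))
        {
            export[$"{login.LoginProvider} login"] = login.ProviderKey;
        }

        Response.Headers.Add("Content-Disposition", "attachment; filename=PersonalData.json");
        var json = JsonConvert.SerializeObject(export, Formatting.Indented);
        return File(Encoding.UTF8.GetBytes(json), "application/json");
    }

    // Right to erasure: require the password again so a hijacked session cannot wipe the account silently.
    public async Task<IActionResult> OnPostDeleteAsync()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return NotFound();

        if (await _userManager.HasPasswordAsync(user) && !await _userManager.CheckPasswordAsync(user, Password))
        {
            ModelState.AddModelError(string.Empty, "Password incorrect.");
            return Page();
        }

        var result = await _userManager.DeleteAsync(user);
        if (!result.Succeeded)
        {
            throw new InvalidOperationException("Unexpected error deleting user.");
        }

        await _signInManager.SignOutAsync();
        return Redirect("~/");
    }

    // Walks the user type with reflection so that new [PersonalData] fields are exported
    // without touching this handler. ProtectedPersonalData derives from PersonalData,
    // so the built-in UserName and Email properties are included as well.
    public static Dictionary<string, string> CollectPersonalData(ApplicationUser user)
    {
        return typeof(ApplicationUser).GetProperties()
            .Where(p => Attribute.IsDefined(p, typeof(PersonalDataAttribute)))
            .ToDictionary(p => p.Name, p => p.GetValue(user)?.ToString());
    }
}
```

The page itself needs two forms, one with asp-page-handler="Download" and one with asp-page-handler="Delete" plus a password field, and Identity must be registered with AddDefaultIdentity<ApplicationUser>(). Because the export is driven by the attribute rather than a hand-written list, a column added to the user table without [PersonalData] will not appear in the download, so reviewing the attribute when adding columns is part of keeping the right of access complete.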
Comments (1)
Great post, though I think you are missing an important step, which is how to opt out from the consent.
It clearly states that it must be just as easy to opt out as to opt in.
I personally prefer to make a button to opt out and attach that to the policy page.