I know about the cookies frontend part, but what about the server-side part's compliance with GDPR, and especially the WebSocket protocol and the things it stores?
Is there anything I should be aware of?
Does Phoenix store some information that is GDPR important in the Database or somewhere else?
Phoenix itself does not store any information in a data store. So the platform itself does not have a material impact as a result of GDPR. What your application does matters, though, of course.
The WebSocket protocol doesn’t have anything to do with GDPR. Check Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu: not all cookies need GDPR consent, and browser local storage & session storage likely also fall under these same rules, because the law is not just about cookies. Anyway, from there:
Receive users’ consent before you use any cookies except strictly necessary cookies.
Cookies can’t contain information that identifies the person. So you can’t store users’ email or name in them, for example. No login name in the cookie either, but a user id is probably OK.
You could even store just a client id or authorization id in a JWT token in the cookie instead of the user id, for example, which is then tied to a server-side authorization that contains the user id. That way the user id is also kept out of browser cookies.
If you use some 3rd-party browser analytics like Azure Application Insights, you likely need to show that GDPR consent popup. If you use Azure Application Insights specifically, then you might need extra steps to make it GDPR compliant so it won’t store a cookie until the user has given consent, by setting disableCookiesUsage to true until the user has given consent. But I’m pretty sure a lot of sites don’t do this and just let analytics create the cookie before consent is given…
This is a misconception. You don’t need to disable cookies for GDPR compliance. All you have to do is not use cookies for tracking. Cookies for login and other functional cookies are totally fine.