Storing a cookie which is not strictly necessary to provide the service, requires explicit consent. This is a PECR requirement, not a GDPR one. Tracking the source and campaign of a user between pages is not required to deliver the page.
So you may rely on legitimate interest to process the data, but you need the consent to store the session cookie to collect the data in the first place.
If you have A/B testing in place it is strictly necessary to have a session cookie. Otherwise a user could end up in a case where they were in the A group on their first request but their second has them in the B group, but the page they visited isn't enabled or displays different content than what they expected to see.
If you have special offers based on the URL they came from then it is strictly necessary to be able to remember where they came from so they get the special offer and don't fall victim to false advertising.
Strictly necessary means if the website will break in any way without it.
Your understanding of strictly necessary is incorrect. You do not need to a/b test a website for it to function. It is optional. It doesn’t become legal just because your tech stack makes it difficult, or because you engineer the site not to work without a non-essential cookie.
You could a/b test based on even or odd numbered IP address and not require consent to store a cookie. You can pass the referrer around via query string and not require consent to store a cookie.
However, as you said, there is no enforcement of the regulation so the risk of non-compliance is basically zero :)
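A cookieless version of what this comment proposes (bucketing by a keyed hash of the client address, and carrying the referrer in the query string), as an added example that is not code from anyone in the thread; the secret key, experiment name and prices are assumptions.

```python
# Added example: cookieless A/B bucketing and referrer propagation.
# Not from the thread; key, experiment name and prices are constructed.
import hashlib
import hmac
from urllib.parse import urlencode, urlparse, urlunparse, parse_qsl

# Hypothetical server-side secret. A keyed hash means a logged bucket
# cannot be reversed to the IP, and the IP itself is never stored.
BUCKET_KEY = b"rotate-me-per-experiment"  # constructed placeholder


def assign_variant(client_ip: str, experiment: str, key: bytes = BUCKET_KEY) -> str:
    """Deterministically map a client to variant 'A' or 'B'.

    Same IP + experiment => same variant on every request, so no cookie is
    needed to keep the user in one bucket. Caveat: if the client's IP changes
    mid-session (carrier NAT, VPN), the bucket can change, which is exactly
    the price-consistency problem raised later in this thread.
    """
    msg = f"{experiment}:{client_ip}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return "A" if digest[0] % 2 == 0 else "B"


def add_referrer(url: str, ref: str) -> str:
    """Carry the campaign/referrer source in a query parameter instead of a
    cookie, so each internal link passes it on to the next page."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query))
    query["ref"] = ref
    return urlunparse(parts._replace(query=urlencode(query)))


def quoted_price(client_ip: str, experiment: str = "pricing") -> int:
    """Price shown to this client's variant. Checkout must call this with the
    same inputs so the charged price matches the one that was advertised."""
    return 10 if assign_variant(client_ip, experiment) == "A" else 20
```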
>Your understanding of strictly necessary is incorrect. You do not need to a/b test a website for it to function. It is optional. It doesn’t become legal just because your tech stack makes it difficult, or because you engineer the site not to work without a non-essential cookie.
No, if a user clicks a button to see the prices at 10 euros but sees the prices at 20 euros, then that is an issue. That is a rather serious issue; if I show you a price and then when it goes to the payment processor on the second request, that is illegal.
There are many ways of doing things but considering the ICO's list of strictly necessary this falls into it.
Also, I use the session id in my logs so I can debug issues such as the user saw x on page, then did y, so z happened. This falls under it as well due to it being required for the operation of the website.
The fact there are other ways of doing things doesn't remove the fact for my way the cookie is strictly necessary. The system will fail. And yes, the tech stack and the way I built it does affect this. Look at the laws and you'll see a number of times where they say something along the lines of "if feasible". The recommendation from ICO is that you don't need to ask for permission for everything and they kinda make a point of saying that as it's annoying as hell for everyone.
> No, if a user clicks a button to see the prices at 10 euros but sees the prices at 20 euros, then that is an issue.
I agree with you, that is a serious issue. But that issue is caused by your use of a/b testing, and if you solve that issue with a cookie then you need consent.
The ICO PECR guidance explicitly states that you can not rely on the strictly necessary exemption for analytics cookies.
A/B testing is not analytics. Analytics is how many people are using the site, not market testing. And it says you can't use it for solely analytics, solely being a keyword. The analytics from market research which results in a legal requirement of having to charge the price advertised is not the same as website analytics of how a user used the site. Just which version of the site they used and what legal requirements/contracts are in place.