Are Local Storage and Session Storage Compliant with Privacy Laws?
In web development, creating an interactive user experience is very important. Web applications therefore often rely on client-side storage mechanisms that store and retrieve data directly within the user’s web browser. Client-side storage keeps information locally without relying on constant communication with the server, which improves the user experience.
There are three popular client-side storage options that can be used: cookies, local storage, and session storage.
Local storage and session storage can be used as cookies, so they have to be scanned and blocked if needed to be fully GDPR compliant. CookieScript checks for local storage and session storage and blocks them until users provide consent to store personal data in any form, whether it's in cookies, local storage, or session storage. CookieScript allows using local storage and session storage in a way that complies with privacy laws.
The earliest and most popular client-side storage option is cookies. There are persistent cookies and session cookies, among others. Read more about different types of cookies and compliance with privacy laws by using cookies.
Persistent cookies are stored on users’ browsers and remain active across different browsing sessions. Even if the user closes the browser, the persistent cookies can be accessed later, when the user returns to the website after some time. They restore previous settings, personalizing the user experience. Persistent cookies have an expiration date, which could last up to half a year or a year.
Session cookies are stored on the user’s browser only for the duration of the session and don’t remain active across different browsing sessions. Session cookies have no specific expiration time set, but they are cleared automatically after the session, once the user closes the browser or tab.
However, cookies have several limitations. First, cookies can handle just small amounts of data. Second, cookies send information back to the server with every HTTP request, increasing the overall data traffic and affecting a website’s performance.
Two other common methods for storing data on the client side are Local Storage and Session Storage. In this article, we'll explore the key mechanisms of local storage and session storage and evaluate their compliance with privacy laws.
Read more about how to show Local Storage and Session Storage in cookie declaration.
Note that if you use local storage or session storage to track visitors but do not show them in your cookie declaration report, you might be violating GDPR and could get a fine for the violation of privacy laws.
What Is Local Storage?
Local storage and session storage emerged with HTML5 to address the limitations of cookies. Like cookies, local storage stores data on the user’s browser. However, it has a far larger size limit, up to 5-10 MB, and the data stored doesn’t get sent with every HTTP request. Local storage is typically used to store user preferences, application settings, and cached data.
Local Storage is a client-side data storage option that allows websites to store data locally and persistently on a user's browser.
The advantages of Local Storage:
- Reduced network latency. Local storage is a client-side storage option that stores data locally on a user's browser and doesn’t need persistent communication with the server.
- Persistent storage. Local storage provides a long-term storage solution: data is stored persistently and remains available even after the user closes the browser or reboots their device.
- Big storage capacity. Local storage has a larger storage capacity (up to 5-10 MB) compared to cookies.
- Offline support. Local storage allows offline functionality in web applications. By storing necessary data offline, users can continue interacting with the web application even when they are not connected to the internet.
However, local storage also has some disadvantages:
- No automatic expiration. Local storage does not have an expiration mechanism, so data must be deleted or updated manually. This isn’t convenient for web developers and could lead to non-compliance with privacy laws.
- Limited to the same origin. Local storage is accessible only from the same origin, which restricts access from different domains.
- Limited to the client side. While cookies can be accessed by both the client and the server, the local storage is purely client-side. Local storage can’t remember server-side session states.
- Synchronous access. Retrieving data from local storage is synchronous, which can potentially affect other operations.
- Less support. Since local storage is a newer option than cookies, it has less support across old or less frequently updated web browsers.
What Is Session Storage?
Session storage is also a client-side storage option that allows websites to store data locally on a user's browser but is designed for short-term storage.
Data stored in session storage is available only during the lifetime of a single-page session or until the browser tab is closed. It is commonly used for maintaining state during a user’s interaction with a web application like storing shopping cart contents or form data.
Session storage is commonly used to store shopping cart information during a single browsing session. It allows users to add items to their cart and navigate through different product pages while maintaining the cart contents until they proceed with the purchase.
It is also used for user authentication to maintain user login status throughout the browsing session. Users don’t need to log in each time they navigate different web pages.
The size limit for session storage is generally around 5–10MB, like local storage.
The advantages of session storage are the following:
- Session-specific storage. Session storage is used for a specific browsing session, making it useful for storing temporary data that needs to be available within the same session.
- Big storage capacity. Session storage has a larger storage capacity (up to 5-10 MB) compared to cookies.
- Automatic clearing. Session storage is automatically deleted when the user closes the browser or reloads the device. It’s a convenient way to manage temporary data needed within the same session.
- Reduced network latency. As in the case of local storage, session storage is a client-side storage option that stores data locally and reduces network latency.
- Isolated storage. Since session storage is tied to a specific browsing session, it isolates session-related data from other sessions.
Session storage also has some disadvantages:
- Limited lifetime. Session storage data is cleared and no longer accessible when the user closes the browser or refreshes the page.
- Limited to the same origin. Session storage is accessible only from the same origin, which restricts access from different domains.
- Limited to the client side. As in the case of local storage, session storage is purely client-side and can’t remember server-side session states.
- Synchronous access. Retrieving data from session storage is synchronous, which can potentially block other operations in the browser until the data is received.
- Less support. Since session storage is a newer option than cookies, it has less support across old or less frequently updated web browsers.
Local Storage vs Session Storage vs Cookies: How to Choose the Right Option?
When choosing the right storage option for your web application, you need to consider factors like data size, data persistence, and data isolation.
Data storage option based on data size:
- Small data size. If you have small amounts of data to store, such as user preferences or language settings, it’s better to use cookies due to their small storage capacity.
- Average to large data size. If you have large amounts of data to store, use local storage or session storage, depending on the data persistence. However, even though local storage and session storage can hold large amounts of data, avoid storing excessive data that may impact the website’s performance.
Data storage option based on data persistence:
- Persistent data. If you need to store data persistently, use local storage, which keeps data beyond the current browsing session and across multiple sessions. The data can be stored persistently until explicitly deleted.
- Session-specific data. If you only need data to be stored within the current browsing session, session storage would be the best storage option. After the session ends, the data will be automatically removed.
Data storage option based on data isolation:
- Isolated data. If you need to store data in a particular browsing session without sharing it with other sessions, session storage is the best option. Session storage provides isolated data storage for each browsing session.
- Cross-domain data sharing. Cross-domain data sharing means that data can be accessed by multiple domains or subdomains within the same origin. Cookies are the best option for cross-domain data sharing since they can be accessed by different parts of a website.
Local storage and session storage can be used as cookies, so they have to be scanned and blocked if needed to be fully GDPR compliant. CookieScript checks for local storage and session storage and blocks them if needed until users provide consent to store personal data in any form, whether it's in cookies, local storage, or session storage. Read more about how to show Local Storage and Session Storage in cookie declaration.
Scan your website for free to see all your website cookies, local storage, and session storage in use.
Is the Usage of Local Storage and Session Storage Compliant with Privacy Laws?
The GDPR and ePrivacy Directive (the Cookie law) state that if you use cookies or other tracking technologies to collect and manage data for purposes other than essential ones, such as sharing them with others or marketing, you need to obtain user consent. Users should be fully informed about what data you collect and store, for what reasons, how long, and other related information about their data. Users should have the opportunity to consent to this or to decline.
Add local storage and session storage to your Privacy Policy or cookie policy, which should be easily accessible on your website.
If you provide all the necessary information about the usage of local storage and session storage and take all necessary actions to inform users and protect their private information as in the case of cookie compliance, local storage and session storage usage is compliant with privacy laws.
With CookieScript, you can use local storage and session storage in a way that complies with privacy laws. CookieScript CMP blocks local storage and session storage until users are informed about the collection and storage of their personal data and consent to storing personal data in any form, whether it's in cookies, local storage, or session storage.
Best Practices for Compliance
If you want to use local storage and session storage for your website, follow the best practices regarding data security, size limitations, and appropriate usage of them.
Data security
- Data minimization. Do not collect or store sensitive or unnecessary information to minimize potential risks.
- Data encryption. Consider data encryption to protect the collected information from unauthorized access.
- Correct settings. Properly set secure measures.
User consent and privacy
- User notice. Respect user privacy by informing users about the collection and management of their personal information, the reasons for it, the duration of their data storage, and with whom you share that information, if any.
- Cookie policy. Add local storage or session storage to your Privacy Policy or Cookie Policy, which should be easily available on your website.
- User consent. Inform users about the usage of cookies, local storage, and session storage, and obtain user consent before collecting their data. Allow users to revoke their consent at any time.
Size limitations
- Data minimization. Store only essential data to maintain optimal performance.
- Preference for session storage. If you can, use session storage instead of local storage to avoid exceeding browser limits since data is automatically deleted after each browsing session.
- Minimal data in cookies. Store just minimal data in cookies to ensure efficient transmission and minimize the impact on network performance.
You could also read the article about cookie compliance and the cookie banner checklist: the same rules apply to session storage and local storage for compliance with privacy laws as in the case of cookies.
How to Block Local Storage and Session Storage?
Local storage and session storage can be used as cookies, so they must be scanned and blocked to be fully GDPR compliant.
If your website uses local storage and session storage but does not show them in your cookie declaration report and does not block them before getting user consent, your website might be violating GDPR and you could get a fine for the violation of privacy laws.
CookieScript checks for local storage and session storage and blocks them until users provide consent to store personal data in any form, whether it's in cookies, local storage, or session storage.
How does it work?
- CookieScript Cookie Scanner checks for local storage and session storage.
- CookieScript CMP blocks local storage and session storage according to your selected categories.
- CookieScript CMP shows a Cookie Banner, providing detailed information about cookies, local storage, and session storage, and asks for user consent to use them.
- If user consent is granted, local storage and session storage are placed on a user’s device.
- If user consent is rejected, local storage and session storage remain blocked.
Read the guide about how to enable local storage and session storage detection and blocking on your website.
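As an added example (not CookieScript's implementation and not code from this article), one way an application can follow the block-until-consent flow above itself is to route every write through a wrapper that checks the key's consent category, and that also stamps an expiry because local storage has no automatic expiration. The key names, category names and retention periods are assumptions chosen for illustration.

```javascript
// Added example: consent-gated, expiring wrapper around a Web Storage object.
// Key names, category names and retention periods below are assumptions.
const CATEGORY_OF = new Map([
  ["cart", "necessary"], ["ui_theme", "functional"], ["visitor_id", "targeting"],
]);
const DAY_MS = 24 * 60 * 60 * 1000;
const TTL_MS = { necessary: DAY_MS, functional: 180 * DAY_MS, targeting: 30 * DAY_MS };

function createGatedStorage(backend, now = Date.now) {
  const granted = new Set(["necessary"]); // strictly necessary data needs no opt-in
  const categoryOf = key => CATEGORY_OF.get(key) ?? "unclassified"; // unknown keys stay blocked

  // Delete every stored key of a category; used when consent is withdrawn.
  function purge(category) {
    const keys = Array.from({ length: backend.length }, (_, i) => backend.key(i));
    keys.filter(k => categoryOf(k) === category).forEach(k => backend.removeItem(k));
  }
  return {
    setItem(key, value) {
      const category = categoryOf(key);
      if (!granted.has(category)) return false; // blocked: nothing is written to the device
      backend.setItem(key, JSON.stringify({ value, expires: now() + TTL_MS[category] }));
      return true;
    },
    getItem(key) {
      const raw = backend.getItem(key);
      if (raw === null || !granted.has(categoryOf(key))) return null;
      let entry;
      try { entry = JSON.parse(raw); } catch { return null; } // not written by this wrapper
      // Entries that are past their retention period, or malformed, are deleted on read.
      if (!(now() < entry?.expires)) { backend.removeItem(key); return null; }
      return entry.value;
    },
    grant(category) { if (Object.hasOwn(TTL_MS, category)) granted.add(category); },
    revoke(category) { granted.delete(category); purge(category); },
  };
}

// Constructed in-memory stand-in so the example runs outside a browser;
// in a page, pass window.localStorage or window.sessionStorage instead.
function memoryStorage() {
  const m = new Map();
  return {
    get length() { return m.size; },
    key: i => [...m.keys()][i] ?? null,
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}
```

A wrapper like this only covers code that calls it; third-party scripts that write to storage directly still have to be held back until consent, which is the part a CMP handles.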
Avoid large fines and get consent before loading local storage and session storage — use CookieScript!
Frequently Asked Questions
What is the difference between session storage and local storage?
Local storage and session storage are similar since both are client-side data storage options that allow websites to store up to 5-10 MB of data locally on a user's browser. The difference is that local storage stores users’ data persistently, while session storage stores data temporarily, just during the current browsing session. Data in session storage is automatically deleted when the web page session ends. CookieScript allows using local storage and session storage in a way that complies with privacy laws.
Is local storage GDPR-compliant?
Yes, local storage is compliant with the GDPR and other privacy laws if you inform users about their personal data collection and management and obtain user consent before storing personal data in any form, whether it's in cookies or local storage. CookieScript CMP allows using local storage in a way that complies with the GDPR.
Are Local Storage and Session Storage Compliant with Privacy Laws?
Local storage and session storage are compliant with privacy laws if you follow the guidelines for compliance with privacy laws. In brief, you need to inform users about the usage of cookies, local storage, and session storage, allow them to consent to this or to decline, and protect their private information. Add local storage and session storage to your Privacy Policy or Cookie Policy. CookieScript CMP can help you to collect and manage user data through cookies, local storage, and session storage in a way that complies with privacy laws.
Do I need to add local storage to my Cookie Policy?
Yes, you do. A Cookie Policy is needed to inform users about the collection and usage of their data, as required by privacy laws. Since local storage collects and uses personal data, it must be added to your Cookie Policy. Use CookieScript CMP to collect and manage the personal data of users in a way that complies with privacy laws.
Do I need to ask for consent to use local storage on my website?
Under the GDPR and other privacy regulations, you need to get user consent before storing personal data in any form, whether it is in cookies, local storage, or session storage. Website users should be fully informed about what data you collect and store, and for what reasons, and they should have the opportunity to consent to this or to decline. However, the requirements can be different depending on the privacy laws. CookieScript CMP has geo-targeting and privacy laws-compliance hints, so you can manage user consent based on the jurisdiction you’re in.
Does CookieScript allow blocking local storage and session storage?
Yes, CookieScript has the functionality of blocking local storage and session storage. CookieScript Cookie Scanner checks for local storage and session storage and blocks them according to your selected categories. Then CookieScript CMP shows a Cookie Banner, providing detailed information about cookies, local storage, and session storage, and asks for user consent to use them. If user consent is granted, local storage and session storage are placed on a user’s device and are shown in cookie declaration. If user consent is rejected, local storage and session storage remain blocked.
How to block Local Storage and Session Storage?
The best way to detect and block local storage and session storage is by using a professional Consent Management Platform (CMP). It shows a Cookie Banner, providing detailed information about cookies, local storage, and session storage, and asks for user consent to use them. If user consent is granted, local storage and session storage are placed on a user’s device and are shown in cookie declaration. If user consent is rejected, local storage and session storage remain blocked.