Preamble
I am not a lawyer and nothing in this post should be considered legal advice; you must make your own determination on how best to comply with the legal requirements of your own websites.
The latest ASP.NET project templates for Razor Pages and MVC provide some built-in tools to help you meet the GDPR (EU General Data Protection Regulation) requirements.
Specifically, the templates provide:
- a way to prompt for cookie consent, record whether it was granted, and block non-essential first-party cookies until it is granted.
- a way for users to download and delete the personal data captured by ASP.NET Core Identity if a user registers on the site.
Note that this is not a complete solution for meeting GDPR, so you should not assume that it provides GDPR compliance out of the box; there are many aspects to consider in meeting the requirements. Some important additional considerations that you must address yourself include handling third-party cookies and explaining your use of third-party cookies in your privacy policy.
It is up to you to make sure no third-party cookies are used until after consent has been granted. It is up to you to create a privacy policy that explains what data you and/or your third-party partners capture and to provide mechanisms for users to download or delete any personal data that you capture.
There are probably also other requirements that I have not mentioned or haven’t yet learned about myself, I cannot emphasize enough that I am not an expert on GDPR and I am not a lawyer.
One thing that I thought should probably be in the template is a mechanism for users to revoke cookie consent after they have granted it. In my layman’s understanding of GDPR, I interpret that as one of the requirements.
In this post I will show you how you can easily add that to a web project built from the ASP.NET Core Razor Pages template; the process would be very similar if you use the ASP.NET Core MVC template.
Creating the Project in Visual Studio
In Visual Studio 2017, you create a new ASP.NET Core Web Application as shown in these screenshots.
When you run the project, you will immediately see that the cookie consent prompt blocks the navigation bar so you can’t log in or register, or view the menu until cookie consent is granted.
It is intended for you to customize the consent prompt with a summary of your privacy policy and the “Learn More” button should link to the details of your privacy policy. You can edit the partial view Views/Shared/_CookieConsentPartial.cshtml to customize the summary, and you can edit the Pages/Privacy.cshtml to provide the details of your privacy policy.
Once you click the accept button, a cookie is set that records your consent and the prompt is hidden to reveal the main navigation bar. But at this point there is no way to change your mind and revoke the cookie consent; that is the part we will add next.
Adding Revoke Cookie Consent Capability
Since the template stubs out a Privacy.cshtml and a corresponding Privacy.cshtml.cs file, I think that is a good place to put the method for revoking consent. You can edit the Privacy.cshtml.cs file and add a post method to revoke consent as shown below.
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace WebApp.Pages
{
    public class PrivacyModel : PageModel
    {
        public void OnGet()
        {
        }

        // Handler name "Withdraw" maps to ?handler=Withdraw on a POST.
        // Revoking is done with a POST (not a GET link) so the antiforgery
        // token on the form is validated before the consent cookie is cleared.
        public IActionResult OnPostWithdraw()
        {
            HttpContext.Features.Get<ITrackingConsentFeature>().WithdrawConsent();
            return RedirectToPage("./Index");
        }
    }
}
Next, you can create a Razor partial view with a form that posts to that method to revoke cookie consent.
I named it _CookieConsentRevokePartial.cshtml, and it has the following code.
@using Microsoft.AspNetCore.Http.Features
@{
    bool showRevoke = false;
    var consentFeature = Context.Features.Get<ITrackingConsentFeature>();
    if (consentFeature != null && consentFeature.IsConsentNeeded)
    {
        // Only offer to revoke when consent has actually been granted.
        showRevoke = consentFeature.CanTrack;
    }
}
@if (showRevoke)
{
    @* The form tag helper emits the antiforgery token that the Withdraw handler validates. *@
    <form method="post" asp-page="/Privacy" asp-page-handler="Withdraw" style="display:inline">
        <button type="submit" class="btn btn-link">Revoke Cookie Consent</button>
    </form>
}
I put some hard-coded style there to make the form not be a block element because I want to put it in the footer right next to a link to the privacy policy. In your project, it is probably better to put that in a CSS stylesheet.
I added the partial view into the _Layout.cshtml file in the footer along with a link to the privacy policy like this:
<footer>
    <p>&copy; 2018 - WebApp <a asp-page="/Privacy">Privacy Policy</a> <partial name="_CookieConsentRevokePartial" /></p>
</footer>
Now you should see it at the bottom of the page on the next page request after granting consent.
Clicking the “Revoke Cookie Consent” button (styled as a link) will submit the form and revoke consent, and then the cookie consent prompt should re-appear.
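To see what revoking consent actually changes, here is an added example (not code from the original post or the template) of a page handler that stores a non-essential preference cookie; it assumes the template's cookie policy setup (CheckConsentNeeded returning true and app.UseCookiePolicy()) and a hypothetical Pages/Theme.cshtml.cs. Once consent is withdrawn, the cookie policy middleware silently drops the cookie, so the handler checks CanTrack to report that to the user instead of losing the preference quietly.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace WebApp.Pages
{
    // Hypothetical page: lets the user pick a UI theme and remembers it in a cookie.
    public class ThemeModel : PageModel
    {
        // Shown in the view so the user knows whether the choice was persisted.
        public bool Saved { get; private set; }

        public IActionResult OnPost(string theme)
        {
            // Same feature the revoke partial reads; null if UseCookiePolicy() is missing.
            var consent = HttpContext.Features.Get<ITrackingConsentFeature>();

            // IsEssential = false marks this as a non-essential first-party cookie.
            // With CheckConsentNeeded in effect, the cookie policy middleware drops
            // this Append whenever consent is needed but not granted, which is the
            // state the site returns to right after OnPostWithdraw runs.
            Response.Cookies.Append("theme", theme, new CookieOptions
            {
                IsEssential = false,
                HttpOnly = true,
                Secure = true,
                Expires = DateTimeOffset.UtcNow.AddDays(30)
            });

            // Report honestly: without consent the preference will not survive this request.
            Saved = consent == null || consent.CanTrack;
            return Page();
        }
    }
}
```

The consent cookie itself is written with IsEssential = true by the framework, which is why granting consent works even while non-essential cookies are blocked.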
That completes what I wanted to show you in this post but do keep in mind there is a lot more to GDPR and you should do research and consult with your legal counsel to determine if your website or web application is meeting the requirements.
See also the Microsoft documentation about GDPR and ASP.NET Core.