Preamble

I am not a lawyer and nothing in this post should be considered legal advice. You must make your own determination on how best to comply with the legal requirements for your own websites.

The latest ASP.NET project templates for Razor Pages and MVC provide some built-in tools to help you meet the GDPR (EU General Data Protection Regulation) requirements.

Specifically the templates provide:

  • a way to prompt for and track cookie consent, and to block non-essential first-party cookies until consent is granted
  • a way for users to download and delete the personal data captured by ASP.NET Core Identity if a user registers on the site

Note that it is not a complete solution for meeting GDPR, so you should not assume that it provides GDPR compliance out of the box. There are a lot of aspects to consider in meeting the requirements. Some important additional considerations that you must address yourself include handling third-party cookies and explaining your use of third-party cookies in your privacy policy. It is up to you to make sure no third-party cookies are used until after consent has been granted. It is up to you to create a privacy policy that explains what data you and/or your third-party partners capture, and to provide mechanisms for users to download or delete any personal data that you capture. There are probably also other requirements that I have not mentioned or haven't yet learned about myself. I cannot emphasize enough that I am not an expert on GDPR and I am not a lawyer.

One thing that I thought should probably be in the template is a mechanism for users to revoke cookie consent after they have granted it. In my layman's understanding of GDPR I interpret that as one of the requirements. In this post I will show you how you can easily add that to your web project built from the ASP.NET Core Razor Page template. The process would be very similar if you use the ASP.NET Core MVC template.

Creating the Project in Visual Studio

In Visual Studio 2017, you create a new ASP.NET Core Web Application as shown in these screenshots.

[Screenshot: first dialog to create a web app in Visual Studio]

[Screenshot: second dialog with options to create a web application in Visual Studio]

When you run the project, you will immediately see that the cookie consent prompt blocks the navigation bar, so you can't log in, register, or view the menu until cookie consent is granted.

[Screenshot: cookie consent prompt]

You are expected to customize the consent prompt with a summary of your privacy policy, and the "Learn More" button should link to the details of your privacy policy. You can edit the partial view Views/Shared/_CookieConsentPartial.cshtml to customize the summary, and you can edit Pages/Privacy.cshtml to provide the details of your privacy policy.

Once you click the accept button, a cookie is set that indicates your consent and the prompt is hidden to reveal the main navigation bar. But at this point there is no way to change your mind and revoke the cookie consent. That is the part we will add next.

Adding Revoke Cookie Consent Capability

Since the template stubs out a Privacy.cshtml and a corresponding Privacy.cshtml.cs file, I think that is a good place to put the method for revoking consent. You can edit the Privacy.cshtml.cs file and add a post method to revoke consent as shown below.

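using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace WebApp.Pages
{
    public class PrivacyModel : PageModel
    {
        public void OnGet()
        {
        }

        // Handles POST /Privacy?handler=Withdraw. Razor Pages validates the
        // antiforgery token on POST handlers by default.
        public IActionResult OnPostWithdraw()
        {
            // The feature is null when the cookie policy middleware is not in the pipeline.
            HttpContext.Features.Get<ITrackingConsentFeature>()?.WithdrawConsent();
            return RedirectToPage("./Index");
        }
    }
}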

Next you can create a Razor partial view with a form that posts to that method to revoke cookie consent. 

I named it _CookieConsentRevokePartial.cshtml, and it has the following code.

@using Microsoft.AspNetCore.Http.Features
@{
    // Show the revoke button only when consent is required and has been granted.
    bool showRevoke = false;
    var consentFeature = Context.Features.Get<ITrackingConsentFeature>();
    if (consentFeature != null && consentFeature.IsConsentNeeded)
    {
        showRevoke = consentFeature.CanTrack;
    }
}
@if (showRevoke)
{
    @* With method="post" the form tag helper adds the antiforgery token automatically. *@
    <form style="display:inline" asp-page="/Privacy" asp-page-handler="Withdraw" method="post">
         <button type="submit" class="btn btn-link">Revoke Cookie Consent</button>
    </form>
}

I put some hard-coded style there to keep the form from rendering as a block element, because I want to put it in the footer right next to a link to the privacy policy. In your project it is probably better to put that in a CSS stylesheet.

I added the partial view into the _Layout.cshtml file in the footer along with a link to the privacy policy like this:

<footer>
     <div>&copy; 2018 - WebApp   <a asp-page="/Privacy">Privacy Policy</a> <partial name="_CookieConsentRevokePartial" /></div>
</footer>

Now you should see it at the bottom of the page on the next page request after granting consent.

Clicking the "Revoke Cookie Consent" button (styled as a link) will submit the form and revoke consent, and then the cookie consent prompt should re-appear.
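
An added example, not part of the original post: a variant of the Privacy page model that also expires the application's own non-essential cookies when consent is withdrawn, because WithdrawConsent() removes only the consent cookie. The cookie names ui-theme and last-visited are hypothetical, and the cookies are assumed to have been written with the default path.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace WebApp.Pages
{
    public class PrivacyModel : PageModel
    {
        // Hypothetical names of the non-essential cookies this application sets.
        private static readonly string[] NonEssentialCookies = { "ui-theme", "last-visited" };

        public void OnGet()
        {
            // A non-essential cookie (IsEssential = false is the default). The cookie
            // policy middleware drops this write until the user has granted consent.
            Response.Cookies.Append("last-visited", DateTimeOffset.UtcNow.ToString("o"),
                new CookieOptions { IsEssential = false, HttpOnly = true, Secure = true });
        }

        public IActionResult OnPostWithdraw()
        {
            var consent = HttpContext.Features.Get<ITrackingConsentFeature>();
            if (consent != null)
            {
                consent.WithdrawConsent();

                // Cookies written while consent was in effect stay in the browser
                // until they are expired. Delete uses the default path "/", which
                // must match the path the cookie was originally written with.
                foreach (var name in NonEssentialCookies)
                {
                    if (Request.Cookies.ContainsKey(name))
                    {
                        Response.Cookies.Delete(name);
                    }
                }
            }

            return RedirectToPage("./Index");
        }
    }
}
```

Cookies set by third-party scripts on other domains cannot be deleted this way; those have to be handled by not loading the scripts once consent is gone.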

That completes what I wanted to show you in this post, but do keep in mind there is a lot more to GDPR, and you should do research and consult with your legal counsel to determine if your website or web application is meeting the requirements.

See also the Microsoft documentation about GDPR and ASP.NET Core.

Shameless Plug!

I'm the primary developer of cloudscribe, a set of open source ASP.NET components that jump start web application development. Instead of using the standard ASP.NET Core web application templates, which don't provide any mechanisms for user management or role management or creating an administrative user, I recommend that you try our cloudscribe project template for Visual Studio, or our cloudscribe project template for the dotnet new command line. Our template provides comprehensive management for users and roles, and a whole lot more, and we also have a pretty awesome user-friendly content and blog engine. Our template has similar GDPR tools, including built-in support for revoking cookie consent. With our project templates you can pick and choose which cloudscribe features you want, and it will generate a web application with the NuGet packages for those features all wired up for you. Please give it a try and see for yourself how much work it can save you because you don't need to write all that code yourself.