8

Per GDPR, I've been wondering whether using sentry.io (in this case with Nuxt) on a website requires showing a cookie notification / settings to opt out of Sentry?

Unfortunately, the sentry.io website only states that they align with GDPR, but does not state whether users/clients must add a notice when using their SDK.

Aerodynamic

3 Answers

11

The answer to this question is a clear no. None of our SDKs by default either send any PII data or track any cookies. Depending on what you do with the SDK, the answer might be different, but then it's not in our hands. Cheers

HazA
  • 4
    Thx for the clarification. Would be nice if this was stated clearly on the website, under something like "Is a GDPR Cookie Consent required when using Sentry SDK?" You said that "depending on what you do with the SDK the answer might be different". Does that mean, depending on configuration of the SDK, Sentry sets cookies? I'd appreciate it if these settings were clearly marked in the guide (maybe with a notification box) that alerts the dev that these will require cookie consent, which is quite essential for proper data governance. – Aerodynamic Nov 09 '21 at 22:11
  • 1
    Our SDKs never use cookies. – HazA Nov 11 '21 at 07:13
  • 5
    I just counted 12 cookies associated with .sentry.io, _clck, _biz_*, etc. For the sake of transparency I would love to hear more about that. – Vitor de Carvalho May 31 '22 at 10:45
  • 4
    I just checked and can confirm that the SDK itself doesn't create or receive cookies. The cookies that you count exist because you accepted cookies on Sentry.io (i.e. when visiting your dashboard) at some point, therefore the related cookies are also sent on your website's API calls. You can verify this by opening your site in an incognito window. You should not see any sentry.io cookies for your application. – msawired Apr 13 '23 at 16:08
2

Using

"@sentry/react": "6.18.2",
"@sentry/tracing": "6.18.2",

Results in a large number of cookies being set


As far as I understand the question was pertaining to these as they need to be categorized and blockable per GDPR regulations.

Millions
  • 2
    The source code of our SDKs is open source; you can look yourself if you don't believe me saying that our SDKs don't set any cookie: https://github.com/getsentry/sentry-javascript What you are referring to is what was already provided in another answer - when surfing on sentry.io and accepting cookies, you get them from there. – HazA Apr 14 '23 at 17:46
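
The check described in the comments on both answers above (load the site in a fresh profile and look for sentry.io cookies on the SDK's requests) can be repeated on a saved HAR capture from the browser's network panel. This is an added example, not part of any answer and not Sentry's code; the host suffix list and the sample capture (host `o0.ingest.sentry.io`, cookie name `_biz_uid`) are constructed assumptions.

```javascript
// Added example: audit a HAR capture for cookies on requests to Sentry hosts.
// Assumption: events go to a *.sentry.io host; adjust for self-hosted or tunnelled setups.
const SENTRY_SUFFIXES = ["sentry.io"];

function isSentryHost(hostname) {
  const h = hostname.toLowerCase();
  // Exact match or true subdomain only, so "evilsentry.io" does not match.
  return SENTRY_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// Collect cookie names from a HAR cookies array, falling back to the raw header.
function cookieNames(cookies, headers, headerName) {
  const names = new Set((cookies || []).map((c) => c.name));
  for (const h of headers || []) {
    if (h.name.toLowerCase() !== headerName) continue;
    // "Cookie: a=1; b=2" carries many pairs; "Set-Cookie: a=1; Path=/" carries one.
    const pairs = headerName === "cookie" ? h.value.split(";") : [h.value.split(";")[0]];
    for (const p of pairs) {
      const name = p.split("=")[0].trim();
      if (name) names.add(name);
    }
  }
  return [...names].sort();
}

// Return one finding per Sentry request that sent cookies or whose response set them.
function auditHar(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; }
    if (!isSentryHost(host)) continue;
    const sent = cookieNames(entry.request.cookies, entry.request.headers, "cookie");
    const set = cookieNames(entry.response.cookies, entry.response.headers, "set-cookie");
    if (sent.length || set.length) findings.push({ host, sent, set });
  }
  return findings;
}

// Constructed sample: one Sentry call carrying cookies, one clean, one non-Sentry host.
const sampleHar = { log: { entries: [
  { request: { url: "https://o0.ingest.sentry.io/api/1/envelope/", cookies: [],
      headers: [{ name: "Cookie", value: "_clck=abc; _biz_uid=def" }] },
    response: { cookies: [], headers: [] } },
  { request: { url: "https://o0.ingest.sentry.io/api/1/envelope/", cookies: [], headers: [] },
    response: { cookies: [], headers: [] } },
  { request: { url: "https://notsentry.io.example/x", cookies: [{ name: "sid", value: "1" }], headers: [] },
    response: { cookies: [], headers: [] } },
] } };

console.log(JSON.stringify(auditHar(sampleHar), null, 2));
```

An empty result on a capture taken in a fresh browser profile means no cookies travelled to or from the Sentry hosts during that session.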
1

I’m not the most knowledgeable in that area but as far as I’ve read it is important to educate and give the user the possibility to opt out of any service where PII is shared to. And as far as I can see in Sentry, the IP address is available among others… Isn’t that already a reasoning to add an opt-out?


Edit: I see now that this storage can be turned off in the settings. Also, after reading up more information, I believe that Sentry can be considered as "essential" in any case, thus the only important bit is that the information is not stored longer than necessary (1-3 months).

chitzui
  • Thanks for the information! How would you justify sentry as essential, what sources did you use? – Aerodynamic Jun 24 '23 at 10:42
  • There is an article from Sanity on this: https://www.sanity.io/blog/a-rough-guide-to-running-a-gdpr-compliant-saas-business – chitzui Jul 28 '23 at 15:28
  • The article is from 2018 and only describes general practices. – Aerodynamic Jul 28 '23 at 21:23
  • Doesn’t mean it’s not true. Common sense tells me it’s arguable that Sentry can be considered essential as it is about error reporting and functionality of the app/website itself, let’s see if that’s true when this ever gets to court, which I highly doubt ;) – chitzui Jul 29 '23 at 22:58