PWA & Cookies

DISCLAIMER

We are not lawyers and this is not legal advice. Any information on this article and website is provided as an opinion only and you should seek professional legal advice before relying on any opinions presented here.

Cookies And The Law

Everyone knows what cookies are nowadays, right? I am of course not referring to the sweet and tasty baked treat - I’m talking about the other kind of cookies, the ones you are told about with big banners and control mechanisms which interrupt your view on virtually every website you open.

The term Cookies is today used as an umbrella to refer to all forms of browser storage: cookies themselves, local/session storage, IndexedDB... basically, any technology that allows a website to store data on a device, to be retrieved later.

Of course, legislation such as PECR and GDPR means that cookies (and all other similar technologies) fall into a category of storage technologies that require the user's explicit consent before anything is saved on their device.

That’s right - the way we store cookies is a matter of compliance with the law.

In order to comply with the law, web authors must seek explicit, opt-in consent to store anything in the browser that does not fall under one of two exemptions:

Communication Exemption
The sole purpose of the cookie is to carry out a transmission of a communication over an electronic communications network. For this exemption to apply, the communication must be impossible without the cookie.

Strictly Necessary Exemption
The cookie is absolutely necessary for the website or webapp to provide an 'information society service'.

An information society service basically means a service over the internet.

What About Service Workers?

PWA service workers act as a helper to the network communications; they are not a requirement. Therefore the communication exemption does not fit.

For the strictly necessary exemption to fit, the service worker would have to be absolutely necessary in order for the website to be used. Now, while we might argue that a PWA is a class of web application which makes its service worker and relevant storage essential for its function as a PWA, it is in fact client-side storage saved to the user’s device and, as indicated by the ‘P for Progressive’ in PWA, by design it is not needed to provide core functionality.

It makes sense, therefore, that we seek consent before attempting to install the service worker.

Optional Service Workers

The solution is actually pretty simple, especially if you already use a cookie management tool. All we need to do is treat PWA as a separate category of cookies, and give our users the option to opt in.

When the user opts in, set a cookie that holds a timestamp of when the PWA cookie was accepted, and have your application register the service worker.

As part of the normal cookie management process, should the user opt out of the PWA cookies, we can run a function to unregister the service worker and purge any other storage related to the PWA functionality.

But there is one other scenario to consider: if a user clears their browser cookies manually without deleting the installed service workers, or the cookie expires before their next visit, your website won’t know about it. The service worker will continue on, oblivious to the fact that the user has now opted out of the PWA functionality or that renewed consent is required.

Solve this by checking the PWA cookie opt-in status on page load. If the user is found to be opted in and the service worker is not registered, you can register it. If the user is found to be opted out and the service worker is still present, you can unregister it.

What this might look like in code goes a little like this:

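const handleServiceWorker = () => {
  // Service workers are not available in every browser or context.
  if (!('serviceWorker' in navigator)) {
    return;
  }

  if (PWAOptedIn) { // value from your cookie management solution
    // Consent given: make sure the service worker is registered.
    navigator.serviceWorker
      .register('path/to/service-worker.js')
      .then(
        (registration) => {
          console.log('Service worker registered:', registration);
        },
        (error) => {
          console.error('Service worker registration failure', error);
        });
  } else {
    // No consent: unregister every service worker for this origin.
    navigator.serviceWorker
      .getRegistrations()
      .then(
        (registrations) => {
          for (const registration of registrations) {
            registration.unregister();
          }
        },
        (error) => {
          console.error('Failed to unregister service workers', error);
        });
  }
}

// Re-check the consent state on every page load.
window.addEventListener('load', handleServiceWorker);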
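
The sketch below is an added example, not code from the original article. It goes one step further by deriving the opt-in value from the timestamp cookie, treating a missing, malformed or expired value as opted out, and purging PWA caches on opt-out. The cookie name pwa_consent, the 180-day renewal period, the pwa- cache prefix and the service worker path are all assumptions.

```javascript
// Added example. Hypothetical names: pwa_consent, CONSENT_MAX_AGE_MS,
// PWA_CACHE_PREFIX and the default service worker path are assumptions.
const CONSENT_COOKIE = 'pwa_consent';
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // assumed renewal period
const PWA_CACHE_PREFIX = 'pwa-';

// Return the consent timestamp (epoch ms) from a cookie string, or null.
function readConsentTimestamp(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    const value = rest.join('=');
    // Accept plain digits only; anything else counts as no consent.
    return /^\d{1,15}$/.test(value) ? Number(value) : null;
  }
  return null;
}

// Fail closed: missing, malformed, future-dated or stale means opted out.
function hasValidConsent(cookieString, now = Date.now()) {
  const acceptedAt = readConsentTimestamp(cookieString);
  if (acceptedAt === null || acceptedAt > now) return false;
  return now - acceptedAt <= CONSENT_MAX_AGE_MS;
}

// Bring the browser state in line with the consent state.
async function reconcileServiceWorker(optedIn, swPath = '/service-worker.js') {
  if (typeof navigator === 'undefined' || !('serviceWorker' in navigator)) {
    return 'unsupported';
  }
  if (optedIn) {
    await navigator.serviceWorker.register(swPath);
    return 'registered';
  }
  const registrations = await navigator.serviceWorker.getRegistrations();
  await Promise.all(registrations.map((r) => r.unregister()));
  // Purge Cache Storage entries that belong to the PWA feature.
  if ('caches' in globalThis) {
    const names = (await caches.keys()).filter((n) => n.startsWith(PWA_CACHE_PREFIX));
    await Promise.all(names.map((n) => caches.delete(n)));
  }
  return 'unregistered';
}

if (typeof window !== 'undefined') {
  window.addEventListener('load', () => {
    reconcileServiceWorker(hasValidConsent(document.cookie)).catch(console.error);
  });
}
```
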

Treating service workers in this way, as if they are themselves cookies, may be more complex than many are used to, but not only does it help with compliance, it can also help you highlight the PWA functionality of your site or app.

First published: 01/11/2022