> It's not allowed to keep state of the user without asking (under GDPR).
Why would that be? The GDPR only covers personally identifiable data; a to-do list that stores everything in local storage can keep state without any problems. You can store things like language settings, dark mode theme, etc. perfectly fine.
You can also use state for multiple purposes as long as you clearly list and identify those beforehand. You can't gather personal data and then suddenly sell or analyze it if you didn't tell your customers you'd be doing that with the data. However, saying "we use this email address for (a) sending you newsletters (b) letting you recover your password" is perfectly fine.
From my reading of the GDPR, you can even gather personal data without explicit informed consent if the data is absolutely necessary for your system to work. You do need to provide ways to update, delete or obtain all information in human-readable form, but data that anyone can understand is absolutely required for the thing to work can be collected without explicit consent. You can keep track of the contents of a shopping cart on a web shop, for example, but you can't submit the contents of that cart to your analytics backend without consent. You can, however, track the cart contents in your backend and link it to the user's account; only when you start processing the data in a way not strictly necessary will you need the user to provide informed consent.
The problem with GDPR is that most people encounter it in the form of tracking cookies and advertising, neither of which is absolutely necessary for any application to work, which is why they need informed consent. People think all cookies are now banned until further notice and that the mere existence of a database is now punishable by law, which is not the case. GDPR sucks, but only if you're in the business of collecting a lot of extraneous information about your customers and/or selling it (through analytics or ads, for example). Which, in my opinion, is a good thing.
> The GDPR only covers personally identifiable data
Some data protection officers think any two linked clicks are personally identifiable.
I have read the full cookie ruling; in some passages it's about "saving" (in all senses) any data without consent. Yes, it sometimes talks about personally identifiable data, but the "saving" part doesn't care.
To be clear, I don't think that, but it's hard to make our service comply if the customers' (think webshop) data protection officers follow that semi-official guideline.