EU GDPR cookie policy and ASP.NET Core web applications

Posted: (EET/GMT+2)

 

If you are developing ASP.NET Core applications for users inside the EU, you will eventually need to deal with GDPR cookie handling. Fortunately, ASP.NET Core provides built-in support for configuring cookie consent, data subject requests, and cookie policies. It's not a full solution by itself, but it gives you a good starting point.

The official documentation is here: https://learn.microsoft.com/en-us/aspnet/core/security/gdpr

First, cookie consent is opt-in. Under GDPR, you generally need explicit user consent before setting non-essential cookies. This includes analytics cookies, tracking cookies, advertising cookies and similar. ASP.NET Core lets you mark each cookie as essential or non-essential through its IsEssential property.

In Startup or your Program.cs builder configuration, you can enable the built-in GDPR cookie policy like this:

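builder.Services.Configure<CookiePolicyOptions>(options =>
{
    // Ask for consent on every request before non-essential cookies are written.
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
});

// The options only take effect once the cookie policy middleware is in the pipeline.
app.UseCookiePolicy();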

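Then mark essential cookies explicitly. Here options is the options object of the feature that issues the cookie (for example session or cookie authentication), not CookiePolicyOptions: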

options.Cookie.IsEssential = true;

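With the cookie policy middleware active, ASP.NET Core automatically blocks non-essential cookies written through the framework until the user has granted consent. Cookies set by client-side scripts are outside its control. It's then your responsibility to provide a UI that lets the user accept or decline non-essential cookies.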
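A minimal Program.cs showing the consent flow end to end, as an added example that is not code from the original post: it uses the framework's ITrackingConsentFeature to back the accept/decline UI. The endpoint paths and cookie names are hypothetical.

```csharp
// Added example (not from the original post); paths and cookie names are hypothetical.
using Microsoft.AspNetCore.Http.Features;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.CheckConsentNeeded = context => true;      // consent required on every request
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
});

var app = builder.Build();

// The policy is only enforced once the middleware is in the pipeline,
// and only for middleware and endpoints registered after it.
app.UseCookiePolicy();

// Report consent state and try to write one cookie of each kind.
app.MapGet("/", (HttpContext ctx) =>
{
    var consent = ctx.Features.Get<ITrackingConsentFeature>();

    // Essential: always written.
    ctx.Response.Cookies.Append("ui-lang", "en",
        new CookieOptions { IsEssential = true, HttpOnly = true, Secure = true });

    // Non-essential (IsEssential defaults to false): silently dropped until consent.
    ctx.Response.Cookies.Append("analytics-id", Guid.NewGuid().ToString("N"),
        new CookieOptions { Secure = true, MaxAge = TimeSpan.FromDays(30) });

    return Results.Json(new { canTrack = consent?.CanTrack ?? false });
});

// Called by the consent banner's "Accept" button.
app.MapPost("/consent/accept", (HttpContext ctx) =>
{
    ctx.Features.Get<ITrackingConsentFeature>()?.GrantConsent();
    return Results.NoContent();
});

// Called by "Decline" or a later "Withdraw consent" link.
app.MapPost("/consent/withdraw", (HttpContext ctx) =>
{
    ctx.Features.Get<ITrackingConsentFeature>()?.WithdrawConsent();
    return Results.NoContent();
});

app.Run();
```

Before a POST to /consent/accept, the response to GET / carries only the ui-lang cookie; afterwards it also carries analytics-id.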

The framework also includes helpers for exporting or deleting personal data from identity stores (PersonalDataAttribute, for example). If you build internal admin tools or public-facing systems with login, these can be surprisingly useful.

Next, a few practical tips:

  • Keep essential cookies to a minimum; this makes your consent UI simpler.
  • Remember that analytics tools (even first-party ones) are usually non-essential.
  • Test your site with all non-essential cookies blocked to see how it behaves.

The built-in GDPR support does not replace legal review, but it does give you a solid implementation baseline on the technical side. For everyday ASP.NET Core projects, it is often all you need.

Happy (compliant) coding!