GDPR Support with ASP.NET Core 2.1

On May-25th, General Data Protection Regulation (GDPR) becomes active. With that many articles available on GDPR, I need to write one as well. However, this one is about ASP.NET Core. ASP.NET Core 2.1 includes built-in support to fulfill some GDPR requirements.

The ASP.NET Core 2.1 project template not only includes a privacy page, but also allows registered users to easily delete themselves, and to get all the information stored about the user.


Creating and Running the Project

All you need to do to get this support is to create a new ASP.NET Core 2.1 project and configure authentication to store user accounts in-app.

Configure Authentication

This creates a project with a privacy page (Views/Home/Privacy.cshtml) which needs to be filled with your content.

ViewData["Title"] = "Privacy Policy";
<p>Use this page to detail your site's privacy policy.</p>

view raw


hosted with ❤ by GitHub

After creating the database with EF Core Migrations, the user can register, and after registration manage the account.

Register User

Using the Account Management, the user can download and delete all personal data stored.

Manage Account

The database to be used for storing user data is configured with the ConfigureServices method of the Startup class. The class ApplicationDbContext is the EF Core data context. The extension method AddDefaultIdentity adds authentication services to the service collection, and a default user interface. This extension mehtod returns the IdentityBuilder that in turn is used to configure the EF Core store invoking AddEntityFrameworkStores.

public void ConfigureServices(IServiceCollection services)
services.Configure<CookiePolicyOptions>(options =>
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
services.AddDbContext<ApplicationDbContext>(options =>

view raw


hosted with ❤ by GitHub

The middleware to use is configured in the Configure method. You can see some interesting methods in this configuration.

  • The UseHsts extension method adds the HTTP Strict Transport Security policy. This protects the website against protocol downgrade attacks and cookie hijacking*.
  • UseHttpsRedirection redirects HTTP requests to HTTPS. HTTPS is the new default.
  • The method UseCookiePolicy adds the CookiePolicyMiddleware handler to deal with cookies. Remember, users need to agree for cookies.

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
if (env.IsDevelopment())
app.UseMvc(routes =>
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");

view raw


hosted with ❤ by GitHub

Cookie Consent

In the Startup class you’ve seen the code configuration to ask the user for the cookie consent. Running the application, the cookie consent question by default is on top, and the user can’t select any menus before agreeing with the cookie:

Cookie consent

Of course, the text for the cookie consent needs to be changed. This can be done easily in the file Views/Shared/_CookieConsentPartial.cshtml:

@using Microsoft.AspNetCore.Http.Features
var consentFeature = Context.Features.Get<ITrackingConsentFeature>();
var showBanner = !consentFeature?.CanTrack ?? false;
var cookieString = consentFeature?.CreateConsentCookie();
@if (showBanner)
<nav id="cookieConsent" class="navbar navbar-default navbar-fixed-top" role="alert">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#cookieConsent .navbar-collapse">
<span class="sr-only">Toggle cookie consent banner</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="navbar-brand"><span class="glyphicon glyphicon-info-sign" aria-hidden="true"></span></span>
<div class="collapse navbar-collapse">
<p class="navbar-text">
Use this space to summarize your privacy and cookie use policy.
<div class="navbar-right">
<a asp-controller="Home" asp-action="Privacy" class="btn btn-info navbar-btn">Learn More</a>
<button type="button" class="btn btn-default navbar-btn" data-cookie-string="@cookieString">Accept</button>
(function () {
document.querySelector("#cookieConsent button[data-cookie-string]").addEventListener("click", function (el) {
document.cookie =;
}, false);

Predefined UI Libraries

A new feature of ASP.NET Core 2.1 is that user interfaces can be defined within a library. For the user identity, with previous ASP.NET Core project templates many views to manage user identities have been created. This is no longer the case. These views are now referenced with a library. The extension method AddDefaultIdentity also adds the default user interface (AddDefaultUI). The NuGet package Microsoft.AspNetCore.Identity.UI contains the default UIs. You can get the source code for all the account views at GitHub. The common layout for the identity pages is defined with the _ViewStart.cshtml page in Areas/Identity/Pages – what allows for easy customization.

Layout = "/Views/Shared/_Layout.cshtml";


ASP.NET Core 2.1 reduces your source code by adding great features. User interfaces can be included in libraries. For account management, a predefined UI library is available. HTTPS is default. Cookie consent is implemented from the framework, a separate library is not required.

Just the main work – the definition of the text for the cookie consent and the privacy policy is still needed. However, probably you can outsource this work, or adapt various text templates available.

Source code available at Github.

More information on ASP.NET Core 2 in my book Professional C# 7 and .NET Core 2.0 and with my trainings

Enjoy coding!


5 thoughts on “GDPR Support with ASP.NET Core 2.1

  1. How I already hate those annoying cookie questions pop of on almost every website I visit nowadays! Before checking out the other day in a webshop I checked eight(!) checkboxes, that I have read and consent their 1.General Terms, 2.Return procedures 3.Lithium battery handling rules 4.Being of 18+ age, 6.Packaging material dispose rules 7.Product safety info 8.Data handling rules (just the old one, not yet GDPR).
    I already began looking for a browser plug-in that would check every bullshit for me automatically. I do not read those 700-pages blurb anyway, but the webshop would not let me not checking all those. Does this really make sense?

    Now cometh this GDPR thing to the play, I can imagine, another 5-10 years of ‘smart’ legislation in this direction, and we will be required to read, checkbox, fill-out and sign 37 popping up consent windows before we can lookup the weather or the simplest things on any website. Add another 50 years of legislative progress, and will there be 587 questions and checkboxes? Ridiculous.

    Why I am not required to sign anything before I enter a physical shop and buy something with my credit card. My card data is the most personal info I can imagine, my face, my each step is recorded on their video surveillance. A simple warning is enough on their entrance, just by entering and buying I am giving my consent.
    Sorry for the offtopic ranting here. I am just asking you, developers to keep the annoying checkboxes as low count and low profile as it is minimally necessary by the law.
    I understand you can’t change this silly law, but please do not overobey it. I see already websites looking* 10x more GDPR-compliant than required by asking twelve GDPR questions, checkboxes, etc. rendering the whole thing internet is about (free, unrestricted, quick browsing for any info) into an annoying experience.

    *by ‘looking’ I mean much of the GDPR requirements are infeasible today

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.