design for stay-logged-in cookie UX
Per GDPR, it seems that we not only need to tell people that we use a stay-logged-in cookie (we do that already), but that it ought to either expire after a while (say 3 weeks maybe) or the user should opt-in to setting it when they log-in. We've seen the common "[ ] stay logged in" checkbox on other sites. I'm not 100% certain on GDPR requirements, but we probably want this clarify anyway.
We need a design decision about the best way to handle this, User Stories / SPECs / mockups as appropriate.