I have been looking around the last few days for cookies and gdpr law, and I have been busy getting OneTrust and GoogleTagManager up and running on our current website and it works just fine!
On our Cookie consent banner, we have a "Reject all Cookies" button and then we do not load our tracking and other 3rd party scripts.
We have also added a list of all cookies etc. we use on the site that we receive automatically from onetrust. Necessary cookies for the site to work are loaded even if the user clicks Reject all cookies.
So some problems I have today:
Rectaptcha:
https://measuredcollective.com/gdpr-recaptcha-how-to-stay-compliant-with-gdpr/
https://www.imy.se/en/verksamhet/data-protection/this-applies-accordning-to-gdpr/transfer-of-data-to-a-third-country/
According to these links, we send sensitive information such as IP address to another country. as well as puts cookies on google's own domain google.com
If we decide that the user must ask for consent before using Google ReCaptcha cookies and then a spam/bot allows the possibility to deny these cookies. Then you have to ask if there is any point in using Google ReCaptcha in the first place?
I interpret this as meaning that we cannot use Google Recaptcha and have to change to another Recaptcha solution like hcaptcha.com?
A / B test.
https://help.optimizely.com/Account_Settings/Enable_opt-in_options_for_Optimizely_cookies_and_local_storage
In recent months, we have prepared some things to be A/B tested on the website. We already do not have that many users on the site and have to run our a/b tests for a slightly longer period for better results. Of course, an a/b test uses cookies and these cookies are counted as analytics cookies.
But now that we have "Reject all cookies" or "deny analytics cookies", we lose quite a lot of visitors and it becomes almost impossible to a / b test.
Is a/b test dead for smaller websites in EU?
Local storage
We save personal data when the user orders a service from us, in LocalStorage.
Does the website have to tell users, what and why we save it in LocalStorage?
When a user has clicked "X" on a popup, we save it in LocalStorage so that the user does not have to see the popup every time they come into the page. This is not necessary but improves the user experience. So are it considered necessary cookies or do we have to have the user consent to it?
On A/B testing, there are ways to run them without relying on cookies, and instead use a server-server integration that doesn't send any of the user information to 3rd party websites. This is accomplished by having a rules engine run locally on your own server and then only send exposure logs to the analytics service.
If you're curious, one such service with a rule-set based engine is: https://statsig.com.
Disclaimer: I work at Statsig.
Related
I'm about to implement cookie consent for a website. As I understand it, cookie consent means that you shall not use cookies before you have received a consent from the user.
How can I know that a user have accepted cookies or not without storing this information in a cookie?
I'm assuming you mean the GDPR. Your understanding of it is incomplete: cookies that are necessary to deliver the site's functionality are allowed without consent. A cookie that merely stores consent is thus allowed, even if the user rejected other cookies.
I am not a lawyer, not legal advice, etc.
I sugest you set a cookie only if the user has accepted cookies. If this cookie is set dont ask again. Otherwise show the cookie consent banner again and again on every new site they visit as if they were new visitors.
What i find strange is that even big german sites like Stern.de, Focus.de, Spiegel,de and even the computer magazine heise.de are setting loads of cookies before they show the consent banner.
Even more strange is that while Stern.de and Focus.de also offer a complicate "Adjust" button (users usuarly dont click them because adjusting cookie preferences on every site is nerve wrecking), Spiegel.de and Heise.de dont even offer this. They just offer "Accept" or pay for a ad free version.
If you click on "Adjust" instead of "Accept" on the first sites they just close the consent banner.
So all the sites dont show a button to easily denie or delete cookies even i thought it has to be as easy to deny as to accept. Im not a lawyer too and this is no legal advice but if they all do it this way i guess this must be legal in Germany even it doesnt make any sence at all. Cookies are set no matter what the visitor does. The big question seems to be what es necessary? Are google Analytics und Adsense and others necessary to finance the server and keep the site online? Necessary cookies are allowed.
Writing this, there is an article in another big news site (that also sets loads of cookies before showing the consent banner and also just offers accept or pay buttons) saying someone had to pay €100 for not asking the visitor for his permission before even loading google fonts not even talking about analytics: https://t3n.de/news/google-fonts-illegal-urteil-dsgvo-1447698/
https://stackoverflow.com/q/70967060/12668719
Analytics Is there a setting on Google Analytics to suppress use of cookies for users who have not yet given consent
Adsense How To Make Adsense Load When Cookie Consent Given?
Check this open source solutionfor the EU cookie law compliance:
https://cookieconsent.osano.com/
The easiest and most effective way is to show a pop-up banner that explains which kind of cookies you want to store and provide an option to allow/disallow each cookie. When clicking Save, you have to handle which cookies were allowed and load them accordingly. Everything can be done in JS.
I'm not sure if this is the right stack to ask this in so if not please let me know!
I am trying to get a handle on what cookies are used on a site and what they are for. When I initially did a cookie scan I noticed a cookie names NID which was set by google.
I have tried to research this cookie and can see it is used by Google for advertising purposes.
But I am confused about why and where this is being set, the site I am looking at does not use advertising anywhere, although it does use embedded YouTube videos.
Can anyone shed any light on when and why this cookie is set?
according to Google
Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.
For me, the cookie was hammered incessantly by the url https://www.google.com/s2/favicons?domain=example.org Which was being used by CookieBro & FeedBro RSS feeder browser addons for retrieving icons associated with various domains. The cookie can be dropped by either an addon or by google itself.
I used cookie log via cookiebro addon for firefox & chrome to detect these cookies in realtime, its one of a kind. However I did not realize it was cookiebro dropping them until the next step below.
To see what background connection is occuring when these cookies are placed, enter the following firefox url: about:cache?storage=disk&context= and you will see when and where the google url being connected to.
It is said this cookie is for targeting & ADS and the google's settings are integrated to make the cookie inconvenient to delete for Google users.
I need to book an appointment on a website. These appointments are released sporadically and booked up quickly. To even see available appointment times, you have to login & complete a reCaptcha. If I wanted to write a scraper using Headless Chrome to continually scrape the site and notify me when a new appointment comes up, following the login flow each time would require beating the reCaptcha, which is at least non-zero difficult.
A better approach (I thought) would be to log in once manually, grab my session cookies, and then load them into Headless Chrome before making a request directly to the appointment times page. The server would see my request, see my session cookies, and respond as if the manually-logged in session had been refreshed. This is pretty much as outlined in the answer to this StackOverflow question: how to manage log in session through headless chrome?
But this doesn't work, and I can't figure out why. I get redirected every time straight back to the login page. I've tried on Chrome & Firefox, and with several other login-requiring websites (Facebook, Reddit, etc.).
How can these servers possibly discern between the original client and the one using copied cookies, when the cookies are what the servers use to identify clients in the first place?
Exact steps to reproduce:
Login to site of your choice on Chrome, let's say Facebook.
Export your cookies to your clipboard from the site using the EditThisCookie Extension
Launch an incognito window (to reset your active cookies) and import those session cookies with the same handy extension.
Navigate to the target, past-the-login-form url.
Get redirected.
Get frustrated.
I am using universal analytics on my website via Google Tag Manager with data layer e-commerce tracking enabled.
The referral addresses are appearing to be coming from the payment providers (e.g. secure.arcot5.com)
I have included all my URLS in to the autolinker and after some testing the _ga cookie value appears to be consistent all the way through the booking process but it appears differently on the page after the secure payment takes place.
This suggests the session is being treated as a new one, hence the referral address issue I am having.
I have been trying to set a cookie on the entry page which equals the _ga cookie value but currently I am unable to retreive it on the confirmation page.
Has anyone got any ideas for a possible solution?
You will most definitely save my life!
Dan
Have you read this article? There could be a couple of pointers in there however I'm not sure what you have and haven't tried
Accurately reporting referrer from payments made with PayPal in Google Analytics
Update: I have split my original question into two to let each one be more cohesive.
According to EU Article 5(3) of the E-Privacy Directive (a.k.a 'The Cookie Laws'), web sites that target EU users have to gain opt-in consent from users before they set a cookie.
See ICO Guidence
I am trying to square this with Google Adsense on my web site.
I would imagine that Google Adsense can serve ads without having to set cookies.
However, I cannot find any info on this (on the Google sites/settings panels) about how to relay information about the 'state of consent' back to Google during a page request. So, my only option seems to be that I should not embed Google tag code at all if the user has not explicitly given consent. Which seems a bit drastic.
Letting my serverside script set a 'hasConsentedToCookies=FALSE' flag in the JavaScript tags would allow me to instruct Google's services to run in a gracefully degraded fashion.
Is there a setting on Google Adsense to suppress use of cookies
for users that have not yet given consent?
If so, where can I find info on this?
No, there isn't a setting in Google AdSense. Google actually just released a note about changes to the consent policy in July 2015 pointing you to a Google site called Cookie Choices, which has information about EU consent as well as links to third party solutions for managing cookie consent functionality on your sites.
So the short answer is that you need to explore the third party tools and choose the one that best addresses your particular case.