I'm trying to grasp everything I need to do and am allowed to do regarding the GDPR and cookies.
I'm building a client website that includes share buttons and the only cookies that aren't checked by my consent tool yet are the cookies placed by facebook and twitter when the share buttons are shown.
These are cookies placed by external providers that might include my personal data? I don't even know what is in those cookies.
Question: Is a website responsible for cookies placed by Facebook / Twitter when a user is logged in to those platforms on the same browser? So Do I have to disable the share buttons altogether until the visitor accepts statistics or marketing cookies? Or can I simply show the buttons because they've accepted the policy from said platforms elsewhere and thus given consent?
Related
I have been looking around the last few days for cookies and gdpr law, and I have been busy getting OneTrust and GoogleTagManager up and running on our current website and it works just fine!
On our Cookie consent banner, we have a "Reject all Cookies" button and then we do not load our tracking and other 3rd party scripts.
We have also added a list of all cookies etc. we use on the site that we receive automatically from onetrust. Necessary cookies for the site to work are loaded even if the user clicks Reject all cookies.
So some problems I have today:
Rectaptcha:
https://measuredcollective.com/gdpr-recaptcha-how-to-stay-compliant-with-gdpr/
https://www.imy.se/en/verksamhet/data-protection/this-applies-accordning-to-gdpr/transfer-of-data-to-a-third-country/
According to these links, we send sensitive information such as IP address to another country. as well as puts cookies on google's own domain google.com
If we decide that the user must ask for consent before using Google ReCaptcha cookies and then a spam/bot allows the possibility to deny these cookies. Then you have to ask if there is any point in using Google ReCaptcha in the first place?
I interpret this as meaning that we cannot use Google Recaptcha and have to change to another Recaptcha solution like hcaptcha.com?
A / B test.
https://help.optimizely.com/Account_Settings/Enable_opt-in_options_for_Optimizely_cookies_and_local_storage
In recent months, we have prepared some things to be A/B tested on the website. We already do not have that many users on the site and have to run our a/b tests for a slightly longer period for better results. Of course, an a/b test uses cookies and these cookies are counted as analytics cookies.
But now that we have "Reject all cookies" or "deny analytics cookies", we lose quite a lot of visitors and it becomes almost impossible to a / b test.
Is a/b test dead for smaller websites in EU?
Local storage
We save personal data when the user orders a service from us, in LocalStorage.
Does the website have to tell users, what and why we save it in LocalStorage?
When a user has clicked "X" on a popup, we save it in LocalStorage so that the user does not have to see the popup every time they come into the page. This is not necessary but improves the user experience. So are it considered necessary cookies or do we have to have the user consent to it?
On A/B testing, there are ways to run them without relying on cookies, and instead use a server-server integration that doesn't send any of the user information to 3rd party websites. This is accomplished by having a rules engine run locally on your own server and then only send exposure logs to the analytics service.
If you're curious, one such service with a rule-set based engine is: https://statsig.com.
Disclaimer: I work at Statsig.
I'm about to implement cookie consent for a website. As I understand it, cookie consent means that you shall not use cookies before you have received a consent from the user.
How can I know that a user have accepted cookies or not without storing this information in a cookie?
I'm assuming you mean the GDPR. Your understanding of it is incomplete: cookies that are necessary to deliver the site's functionality are allowed without consent. A cookie that merely stores consent is thus allowed, even if the user rejected other cookies.
I am not a lawyer, not legal advice, etc.
I sugest you set a cookie only if the user has accepted cookies. If this cookie is set dont ask again. Otherwise show the cookie consent banner again and again on every new site they visit as if they were new visitors.
What i find strange is that even big german sites like Stern.de, Focus.de, Spiegel,de and even the computer magazine heise.de are setting loads of cookies before they show the consent banner.
Even more strange is that while Stern.de and Focus.de also offer a complicate "Adjust" button (users usuarly dont click them because adjusting cookie preferences on every site is nerve wrecking), Spiegel.de and Heise.de dont even offer this. They just offer "Accept" or pay for a ad free version.
If you click on "Adjust" instead of "Accept" on the first sites they just close the consent banner.
So all the sites dont show a button to easily denie or delete cookies even i thought it has to be as easy to deny as to accept. Im not a lawyer too and this is no legal advice but if they all do it this way i guess this must be legal in Germany even it doesnt make any sence at all. Cookies are set no matter what the visitor does. The big question seems to be what es necessary? Are google Analytics und Adsense and others necessary to finance the server and keep the site online? Necessary cookies are allowed.
Writing this, there is an article in another big news site (that also sets loads of cookies before showing the consent banner and also just offers accept or pay buttons) saying someone had to pay €100 for not asking the visitor for his permission before even loading google fonts not even talking about analytics: https://t3n.de/news/google-fonts-illegal-urteil-dsgvo-1447698/
https://stackoverflow.com/q/70967060/12668719
Analytics Is there a setting on Google Analytics to suppress use of cookies for users who have not yet given consent
Adsense How To Make Adsense Load When Cookie Consent Given?
Check this open source solutionfor the EU cookie law compliance:
https://cookieconsent.osano.com/
The easiest and most effective way is to show a pop-up banner that explains which kind of cookies you want to store and provide an option to allow/disallow each cookie. When clicking Save, you have to handle which cookies were allowed and load them accordingly. Everything can be done in JS.
My website uses _gs _gu _gw cookies
What are these cookies? Why are they used?
I tried looking for this information but can't seem to find it
This website lists all 3 cookies. It's a specific website policy, but as far as I can see those are cookies used by Getsitecontrol, so you can use that description for reference.
_gs Used to identify the users browser, operating system, IP address and the page on the website they are viewing.
_gu Used to distinguish users.
_gw Records widgets previously displayed to user.
I'm not sure if this is the right stack to ask this in so if not please let me know!
I am trying to get a handle on what cookies are used on a site and what they are for. When I initially did a cookie scan I noticed a cookie names NID which was set by google.
I have tried to research this cookie and can see it is used by Google for advertising purposes.
But I am confused about why and where this is being set, the site I am looking at does not use advertising anywhere, although it does use embedded YouTube videos.
Can anyone shed any light on when and why this cookie is set?
according to Google
Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.
For me, the cookie was hammered incessantly by the url https://www.google.com/s2/favicons?domain=example.org Which was being used by CookieBro & FeedBro RSS feeder browser addons for retrieving icons associated with various domains. The cookie can be dropped by either an addon or by google itself.
I used cookie log via cookiebro addon for firefox & chrome to detect these cookies in realtime, its one of a kind. However I did not realize it was cookiebro dropping them until the next step below.
To see what background connection is occuring when these cookies are placed, enter the following firefox url: about:cache?storage=disk&context= and you will see when and where the google url being connected to.
It is said this cookie is for targeting & ADS and the google's settings are integrated to make the cookie inconvenient to delete for Google users.
Can cookies see my browsing history in a browser? I.e. for example say I visit facebook, does facebook know what pages I've visited before?
I.e. is it necessary to delete browsing history for fear that cookies might acquire it somehow and learn about my browsing habits or sites I often visit?
And do they have access to my bookmarks?
So the direct short answer to my question is: No.
Explanation is: No, cookies do not have access to my browsing history, unless it was a third-party cookie that has to meet conditions specified here (a website 'A' can track other websites that host ads about 'A'):
https://en.wikipedia.org/wiki/HTTP_cookie#Third-party_cookie
Am I wrong?
Cookies are small pieces of information websites can store in your browser. Cookies can also identify you and track your browsing activity across a website. The 3rd party cookies are used for advertising networks to track your usage across different websites.So if 2 websites that you visited uses same advertising network then your browsing data across both the sites can be linked.
Another example is if any website has facebook like button and you liked,then facebook knows you visited that site.
As far as cookies go, they can only be written and read by the same website domain. Cookies belong to a site.
So if you visited Facebook, theoretically, Facebook could write to a cookie of the Facebook page you were on. And each time you clicked around FB, it could update / append this cookie with that page history.
But if you then went to Twitter, Twitter could not read (or write to) the same cookie Facebook wrote to.