GDPR - Analytics : User consent before any tracking? - cookies

I have a very specific question about G. Analytics and the GDPR law.
I've read many topics about this, but answers are sometimes contradictory. I would love to have an answer from a G.A. expert or a lawyer.
The GDPR law indicates that we must obtain the user consent before data treatment ; so for me, it would suggest that we must deactivate G.A. tracking as long as user doesn't optin to that treatment.
If I do so : I refresh the page when user has optin, so the data collection can begin ; Problem doing that : we loose the referrer param (since we do a JS refresh, this param is lost : referrer will be the current page)
Others questions :
If I activated IP anonymisation on G.A. : Must I obtain the user consent or can I send the datas by default (and offer the possibility to user for opt-out) ? (many websites seems to have this process, but it seems contradictory with the user-consent obligation...) but this topic suggest to proceed like this.
Regarding cookie law : Is it allowed to store in cookies the user client-id (that G.A. uses) without the user consent ? If not, how to workaround this limitation, and use G.A. without allowing it to set cookies ?
Is there a way to store user activity without sending it to G.A, and when user opt-in -> send all that datas ?
Many thanks in advance !

Disclaimer: Not a lawyer
There are some cookies that can be set without consent (e.g. for security purposes, or perhaps even a preference for cookies). These are generally meant for essential purposes only and not for analytics, functional, or performance purposes.
However, if referrals are a critical part of how your website functions (say for example process discounts if it came from a certain link), it might be considered essential. The lines are bit blurry on what can be considered 'essential', and indeed 'legitimate interest' for non-essential functions.
If you visit websites and look in dev tools, cookies are there immediately even for websites that are showing a cookie consent banner.
-- As for non-cookie technical ways --
I do have a related question that is open to answers on whether non-cookie based tracking technologies fall into the scope of consent - you could potentially send information to the server-side.
You might also use a front-end framework to construct a Single Page Application (although you might not have the option in a company), so that the page is not actually reloaded on a consent click. The consent form can simply trigger a script to run / change a state variable so that information that were stored in JS as variables can now be written into cookies.

Related

Reliability of creating and setting a cookie in GTM based on whether a user visits different pages?

We have two separate websites on different domains and want to track whether a user is a visitor/member to one via a cookie , so we can use that to influence their experience on the other site. Currently, I have GTM setting a cookie based on whether the user has visited certain pages but I'm tracking the effectiveness of this with a combination of events in GTM and Google Analytics and there looks like a 10% error. I'm fairly new to both GA and GTM so it could be either errors on GTMs side or GAs side. I was wondering if anyone had any experience with setting cookies in GTM and if you think this is a safe way to set the cookie?
The reliability of a cookie set by GTM is not a question.
The real question here is how you conduct your analysis, plus how you expect the said cookies to work.
Cookies are useless across top-level domains for this purpose, so if the cookies are set on one domain, they won't be seen on the other.
You're supposed to reset the cookie on every pageview to not lose the context of the visit.
In case you're measuring your tracking effectiveness against the access log, you have to keep in mind that quite a lot of people use adblockers. 10% of data loss due to adblockers sounds reasonable to me, in case you have a younger or more technically apt audience.
You may skip on edge cases when people visit site A from a normal source, then go to site B, so you set the cookie, but then they go back to site A from site B, and so you reset the cookie again.
I would suggest solving this either with referrer report in GA, or by joining the GTM tracking across the sites via GTM cross-domain linking and then analyzing unbroken user sessions, paying attention to the hostname dimension, and then building your analysis on top of that. If you need to track users being logged in on other site, you can then use a custom dimension for that.

When we "deny" consent to tracking on a website, how does the website "know" we've declined?

When you go to a website, if they are GDPR compliant they ask whether you consent to them tracking you. If as a user, I click "Deny", how does that website comply with that request? I as the user am not asked again, which to me indicates they have stored something somewhere, probably via a cookie.
Is this the correct way to obtain and work with GDPR? I would have thought by denying tracking, this would include any cookies.
GDPR legislation pertains primarily to Personally Identifiable Information (PII). Storing dissent in a cookie or localStorage doesn't violate that assuming there isn't anything that identifies the particular user, like trackingConsent=false.
Cookies are not only related to "tracking". They are mostly used to persist the state of the application, like session information or cookie acceptance. It is not gonna work otherwise, only option is to disable them on the browser level, but the legislator chosen to force page owner to do it.
You may provide the page that you are asking about. It quite probably stores your refusal in a cookie or some modern persistent storage. Personally I saw page that after refusal was simply asking again and again.
You may also check by yourself if there are some cookies stored. Depends on the browser, but quite probably f12 button and storage tab.

Correct (technically) handling of cookie consent

I'm about to implement cookie consent for a website. As I understand it, cookie consent means that you shall not use cookies before you have received a consent from the user.
How can I know that a user have accepted cookies or not without storing this information in a cookie?
I'm assuming you mean the GDPR. Your understanding of it is incomplete: cookies that are necessary to deliver the site's functionality are allowed without consent. A cookie that merely stores consent is thus allowed, even if the user rejected other cookies.
I am not a lawyer, not legal advice, etc.
I sugest you set a cookie only if the user has accepted cookies. If this cookie is set dont ask again. Otherwise show the cookie consent banner again and again on every new site they visit as if they were new visitors.
What i find strange is that even big german sites like Stern.de, Focus.de, Spiegel,de and even the computer magazine heise.de are setting loads of cookies before they show the consent banner.
Even more strange is that while Stern.de and Focus.de also offer a complicate "Adjust" button (users usuarly dont click them because adjusting cookie preferences on every site is nerve wrecking), Spiegel.de and Heise.de dont even offer this. They just offer "Accept" or pay for a ad free version.
If you click on "Adjust" instead of "Accept" on the first sites they just close the consent banner.
So all the sites dont show a button to easily denie or delete cookies even i thought it has to be as easy to deny as to accept. Im not a lawyer too and this is no legal advice but if they all do it this way i guess this must be legal in Germany even it doesnt make any sence at all. Cookies are set no matter what the visitor does. The big question seems to be what es necessary? Are google Analytics und Adsense and others necessary to finance the server and keep the site online? Necessary cookies are allowed.
Writing this, there is an article in another big news site (that also sets loads of cookies before showing the consent banner and also just offers accept or pay buttons) saying someone had to pay €100 for not asking the visitor for his permission before even loading google fonts not even talking about analytics: https://t3n.de/news/google-fonts-illegal-urteil-dsgvo-1447698/
https://stackoverflow.com/q/70967060/12668719
Analytics Is there a setting on Google Analytics to suppress use of cookies for users who have not yet given consent
Adsense How To Make Adsense Load When Cookie Consent Given?
Check this open source solutionfor the EU cookie law compliance:
https://cookieconsent.osano.com/
The easiest and most effective way is to show a pop-up banner that explains which kind of cookies you want to store and provide an option to allow/disallow each cookie. When clicking Save, you have to handle which cookies were allowed and load them accordingly. Everything can be done in JS.

GDPR and cookies that do not store personal data

I've created an Opt in / out. If opting in, I enable google analytics and store the decision in a cookie for 30 days. However if i don't store the decision in a cookie at all, then on every page the popup will continue to popup if a user doesn't consent.
Is it ok to store a true / false data in a cookie? Or does that not comply with GDPR?
It is actually not a "catch 22".
In order to store something on user's computer, you must ask permission. The true/false cookie which represents the users consent, can be stored - but also must be done with their consent.
If you consider the true/false cookie "necessary", you can simply ask their permission to store "necessary cookies". In order for the site to work (e.g. don't popup a new window on every page), they must consent to that minimal level.
For example, take a look at what CookieBot does:
"Necessary cookies" are disabled. It cannot be unchecked.
Both General Data Protection (GDPR) and ePrivacy Regulations (EPR) have to be adhered to, neither one succeeds each other.
Note each European country in-acts GDPR and EPR legislation into law slightly differently from each other some more strict than others. So you should always consult the law for your own European country also.
For the setting use of cookies and other similar technologies, you (data controller)
normally needs user consent as required by Regulation 5(3) of the EPR to use these types of technologies.
However, you don't need consent where the cookie or other technology is
"strictly necessary" to provide you with the service the user is seeking – for example, cookies
which may be needed to provide you with a functioning website which the user wants to
access.
Hence you do not have to ask permission to store "Strictly Necessary" cookies on the users device. Storing a cookie on the users devices to remember the users opt in or out consent of cookies as far as I know is allowed without asking for their permission.
As far as I am aware you are allowed to store that type of cookies for a maximum of 6 months before you have to ask for their opt in consent again. So you could potentially increase from the 1 month you have set.
The exact EU guidelines regarding the "strictly necessary" exception read as follows:
"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
If you are uncertain whether your cookies are strictly necessary, it's best to consult your local regulators. They can provide additional insight and specific guidelines for your country. In general, it is best to err on the side of caution. Unless you absolutely know your cookies are strictly necessary, assume they are not.
On the flip side...
Any cookie that does not fall under the "strictly necessary" definition needs consent before you can store it on a visitor's device.
Nearly all Google and Facebook API services require you to set tracking cookies and marketing cookies on the users devices i.e. you can not use Google/Facebook Login, Google reCapatcha,Google Adsense, Google Analyitics without getting prior consent from the user to set tracking cookies and marketing cookies on the users devices.
It is the trade off of using the free APIs that Google and Facebook offer, they offer the SDKs and APIs for free but require personal information from the user in return.
Google's terms require you to obtain consent from the user before using their APIs and thus setting tracking cookies and marketing cookies on the users device.

Is there much of an anti-cookie movement anymore?

I'm not sure whether this belongs on StackOverflow or on ServerFault, so I've picked SO for as first go.
A number of years ago, there was a highly visible discussion about mis-use of HTTP cookies, leading to various cookie filtering proxys and eventually to active cookie filtering in browsers like Firefox and Opera. Even now, Google will admit that currently about 7% of end-users will reject their tracking cookies, which is quite a lot, actually.
I still vett all cookies that get set in my browser. I have for years. I personally do not know anyone else who does this, but it has given me a few interesting insights into web tracking. For instance, there are many many more sites using Google Analytics than there were even two years ago. And there are still sites (extremely few, fortunately) which malfunction hideously if you don't let them set cookies. But advertisers in particular are still setting cookies to track your way across the web.
So is there much of an anti-cookie movement anymore? Has anyone tried to take Google to task for setting so many with Analytics? Is anyone trying to vilify sites like Ebay and PayPal who use a dodgy cross-site cookie to let you login?
Or am I making too much of a stupidly small problem?
Nowadays, there are other ways to block these annoyances. Rick752's EasyList has the EasyPrivacy list, which blocks most of them with no work at all other than adding the subscription once to Adblock Plus. NoScript can (with a little configuration, mostly removing some misguided entries on the default whitelist) easily block the ones which depend on JavaScript.
That said, I set up my browser to empty all the cookies on logout. Then they can track you only for the duration of a session, which will be short unless you tend to keep your browser open for a long time (or use the session save/restore all the time).
If you use Flash, know that it also has a kind of cookies, and the interface to manage them is most probably poorer than your browser's.
There's always people who misunsderstand cookies - on both sides. Ultimatey, it's up to the browsers to properly identify the sites for cookies. As long as the site's being set properly and the browser's respecting that, it's just not much of a problem. I think thta, with the increased use of web toolkits that take care of the programmatic details (and better, slightly more security-conscious browsers), it's not much of an issue now for end-users.
Beyond that, the proliferation of DHTML and XML-based partial-page-loading mechanisms (as well as database-backends and similar), the need to track session between stateless pages is reduced now. Your web app can very easily keep state without the need for cookies, and that may well have partially been driven by the number of [generally misinformed] end-users who blocked cookies all together.
In shorter words: "IMHO, no".
I gave up both as user and developer.
As a user the convenience of staying logged into sites is just too tempting, the pain of some sites not working too annoying. And I'm not that sensitive about my privacy, so I stopped caring and let all cookies through.
As a developer I always try to be as RESTful as possible, but I don't know any decent way of handling authentication without cookies. HTTP Basic Auth is just too broken, I can't assume HTTPS all the time and mangling URLs is painful and inelegant. What's left is form-based authentication with cookies. So my applications have one auth cookie -- I don't need any more than that, but that by itself requires the user to have cookies on if they want to authenticate themselves. Maybe OpenID and other federated identity services might fix that one day, but at the moment I can't rely on any of these yet.
My biggest annoyance with cookies is that I want to block Analytics cookies but at the same time I need to login to analytics to manage some customer sites. As far as I can tell they are the same cookie (in fact it may be the same cookie across all google services).
I really don't trust the Google cookie. They were apparently one of the first large companies to set cookie expiration to 2038 (the maximum) and their business model is almost entirely advertising based (targeted advertising at that). I suspect they know more about the day-to-day online activities and interests of people than any other government or organisation on the planet.
That's not to say it's all evil or anything but that really is a lot of trust to be given one entity. They may claim it's all anonymised but I'm pretty sure that claim would be hard to verify. At any rate there is no guarantee that this data won't be stolen, legally acquired or otherwise misused at some future point for other purposes.
It isn't impossible that one day this kind of profiling could be used to target people for more serious things than ads. How hard would it be for some future Hitler to establish the IP addresses, bank accounts, schools, employers, club memberships etc of some arbitary class of person for incarceration or worse?
So my answer is that this is not a small problem and history has already taught us many times over what can happen when you start classifying and tracking people. Cookies are not the only means but they are certainly a part of the problem and I recommend blocking them and clearing at every convenient opportunity.
I am also one of the hold-outs who doesn't automatically accept cookies. I do appreciate sites that need fewer, and I am more likely to return to those sites and allow cookies from them in the future.
That said, I do think that being vigilant about cookies is not (rationally) worth the effort. (In other words, I expect I will keep doing what I'm doing because it makes me feel better, even though I don't have evidence of commensurate tangible benefit.)
Every now and again I clear all my cookies. It's a pain as I then have to login to sites again (or set preferences) but this is also a good test as to whether either me or my browser can remember the login details..