Disabling third party cookies as per GDPR compliance - javascript

I am currently working on developing a solution for clients to comply with incoming GDPR regulations. Part of this task involves allowing users to explicitly opt-in and opt-out of cookies. I am using Cookie Consent for the general framework of displaying notices and allowing users to opt in/out but when it comes to actually developing code to implement that, I am stuck.
Google Analytics explicitly provides an opt-out function in the form of:
window['ga-disable-UA-XXXXXXXX-Y'] = true;
However I have not been able to find ways to do this for other third-party cookies, such as Twitter and LinkedIn despite much googling. Twitter, for example, doesn't seem to offer anything similar to Google Analytics in the form of opt-out code; it seems like users need to log into their Twitter account and change settings through that, but on the sites I am working on Twitter is setting cookies because Twitter embeds are used on the site regardless of whether a visitor has an account or not.
The closest I have come to a solution is a suggestion to delete cookies by setting their expiry date in the past. However, AFAIK this won't stop cookies being set again. Also how then do I explicitly re-allow these cookies if the user decides to opt-in to allowing cookies in the future?

Related

Opt Out of Google Analytics with gtag consent mode

I am trying to use the gtag.js consent mode of Google Analytics to design a GDPR compliant cookie banner for my website. I have followed the Google implementation guidelines (https://developers.google.com/gtagjs/devguide/consent), but I am stuck trying to create an opt-out functionality for my users.
I have created the following code that I think should work:
function optOut() {
  gtag('consent', 'update', {
    'analytics_storage': 'denied'
  });
}
Which is triggered when the user clicks on the Opt-Out link.
<a onclick="optOut();">Opt-Out</a>
But I cannot see that the GA cookies change in any way. As I understand it, with previous solutions GA would set an opt-out cookie (for example as in this answer https://stackoverflow.com/a/10721214/7927271). I would have at least expected that the cookie properties are somehow updated. Does anyone know if the code above does indeed enable the user to opt-out of GA or whether I am doing something wrong?
Consent Mode does not remove the user from tracking, it just means that there will be no unique identifier created and stored in a cookie. It will not do anything to already existing cookies (but will not use them, either), and it will not set opt-out cookies. You can check this by looking for the consent mode parameter in the GA request (there should be "gcs=G100" in the query parameters).
In Consent Mode, GA collects anonymous data to use them with a machine learning algorithm that promises to deliver results (e.g. in ad targeting) comparable to conventional analytics.
If you want to stop even anonymized data, you cannot use consent mode, but need to implement some other blocking mechanism for your GA tags.

GTM/GA and anonymizing (or not) via checking a GDPR cookie

I am trying to implement a GDPR-compliant site which implements Google Analytics via Google Tag Manager. GDPR status is determined via a cookie, which I do not have control over and is the only method I may use. My understanding is that I need to set the anonymizeIp value in Google Analytics to true based on the value of this GDPR cookie. I'm not quite sure how best to do this. I can make changes in GA or GTM directly or I can conditionally load different GTM snippets on the site. What I cannot do is use a different strategy to determine GDPR status. What is my likely best choice?
As far as I know I can't just drop the standard ga('set', 'anonymizeIp', true); when using GTM. (Though I'm not an expert on this.) Configuring the value via "Fields to Set" in the GA variable inside GTM is also not allowed unless I reset it when the GDPR cookie notes that un-anonymized tracking is allowed.
GA & GTM are extremely difficult to make GDPR compliant. You should not even load the scripts before getting consent. EU courts have already ruled that analytics does not constitute a "required" service, and thus does require consent, with all the baggage that goes with that.
GA's IP anonymization setting is a cosmetic fob - the act of loading the script has already revealed the user's full IP (and other fingerprintable data) to a corporation outside the EU, and it will also have fully identified them if they happened to have a Google cookie set (which is very likely). The anonymization setting may mean that full IPs are not sent to analytics as part of analytics data capture, but by then the damage has already been done. Also, IP anonymization alone is insufficient to deidentify visitors.
GTM very often means that people without technical awareness load third-party extensions that add extra tracking without appropriate consent or control, that you (as the data controller) are liable for.
If you need proper compliance (in the spirit, not just the letter) of GDPR, I recommend self-hosted analytics and tag manager systems such as Matomo or Open Web Analytics.
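One way to implement the "do not load the scripts before getting consent" approach, shown as an added example that is not part of the original answers. The cookie name `gdpr_consent`, its comma-separated category format, and the script URLs are assumptions; `win` and `doc` stand in for `window` and `document` so the logic can also run outside a browser.

```javascript
// Added example: consent-gated loading of third-party tags.
// Assumptions (not from the page): the consent cookie is named "gdpr_consent"
// and holds a comma-separated list of granted categories; the script URLs
// in TAGS are placeholders.
const TAGS = [
  { category: 'analytics', src: 'https://analytics.example/tag.js' },
  { category: 'social',    src: 'https://social.example/widgets.js' },
];

// Parse a document.cookie-style string into the set of granted categories.
function grantedCategories(cookieString, name = 'gdpr_consent') {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    let value;
    try { value = decodeURIComponent(part.slice(eq + 1).trim()); }
    catch (e) { return new Set(); }   // malformed value: treat as no consent
    return new Set(value.split(',').map(s => s.trim()).filter(Boolean));
  }
  return new Set();                   // no cookie: nothing is granted
}

// Inject only the tags whose category was granted; the others are never
// requested, so the third party cannot set cookies or see the visitor's IP.
function applyConsent(win, doc, gaPropertyId) {
  const granted = grantedCategories(doc.cookie);
  // GA opt-out flag quoted in the first question; set before any GA code runs.
  win['ga-disable-' + gaPropertyId] = !granted.has('analytics');
  const loaded = [];
  for (const tag of TAGS) {
    if (!granted.has(tag.category)) continue;
    if (doc.querySelector('script[src="' + tag.src + '"]')) continue; // already injected
    const el = doc.createElement('script');
    el.async = true;
    el.src = tag.src;
    doc.head.appendChild(el);
    loaded.push(tag.src);
  }
  return loaded;
}
```

In a browser, call `applyConsent(window, document, 'UA-XXXXXXXX-Y')` on page load and again after the consent cookie changes. A later opt-out still needs a reload, because scripts already injected keep running.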

How to show privacy policy URL and terms of service URL inside the Google one-tap UI for new users?

A few days ago, I noticed googleyolo client library was showing this message:
An UI change targeting on 5/18/2018 will show relying party's privacy
policy URL and terms of service URL inside the one-tap UI for new
users. If enabled, SHOW_RP_TOS can be found in
GOOGLE_ONETAP_EXPERIMENTAL_FEATURES array. To try this feature, append
'?e=1723232' to googleyolo client library URL.
When using https://smartlock.google.com/client?e=1723232 as googleyolo client library URL, I see no change in the one-tap UI.
Is there anything else that needs to be done to show Terms of Service URL in one-tap UI?
This feature is available for all sites now. If you don't see the links in the UI, check the following:
- ensure you have supplied a privacy policy and/or terms of service link in the Google Developer Console for the OAuth project / client ID that you are using in the API requests (under "consent screen" in the credentials section). Refer to the Getting Started guide for background.
- verify that the active Google Account(s) has not already granted access to name/email address info via previous usage of one-tap or Google Sign-In button. You can check and reset this at https://myaccount.google.com/permissions
Also note that if you have multiple active accounts, you will need to select one before the blue button and legal text are shown. Please leave a comment if you have trouble.
Sorry that experiment didn't work. We'll be rolling out the changes this week, so you'll be able to see them. If you want to see the change on your site before it is rolled out, there is a google group (https://groups.google.com/forum/#!forum/yolo-web-testers) you can join and you'll see the notice.

How can I verify if Google Chrome is logged in to a site with JavaScript?

I am developing an extension for Chrome. I have a site that has a list of affiliate sites. When a user accesses a site that is affiliated with my site, I want the extension to check whether Chrome is already logged in to my site and perform different actions depending on whether it is logged in or not. How can I do this?
Every site handles user states differently. Most likely you need to evaluate the cookie or the DOM of the site. Every web application I've written uses encrypted cookies, many other sites do the same, so evaluating the DOM is most likely more fruitful. There cannot be a generic answer.
The browser (any browser, not just Chrome) doesn't know about any "logged in" status for any site. Instead the browser maintains a list of cookies for particular sites that the user has visited (and accepted cookies for). One of the cookies for a particular site may mean (for that specific site) that the user is known under some specified identity, that may even be anonymous. Each site defines its own set of cookies.
However, you are talking about "affiliate sites", meaning there is some relation between them and you. You might be able to require a specific cookie (readable from your plugin) that signals this status.

Is there a cross browser way to turn off cookies using Javascript?

Every one of us knows the new law which is a pain for developers who are using cookies on their websites.
We have to ask our users if they allow us to create cookies on their machines. If they won't allow us this thing, how do we turn off cookies with javascript?
Is there a way to turn off cookies just for one website? Is there a compatible script which will work for all browsers?
What about 3rd-party cookies (YouTube or Google Analytics)? They are also stored in our website folder.
Thank you!
You can't turn off cookies from the client. Your client code can stop creating new cookies, but even then the server could still be putting cookies on the page. If you want to stop creating cookies for a particular site, then you need to stop doing so in both your client code and your server code.
FYI, is it really cookies per se that are the problem - or is it more what you do with those cookies (like tracking a given user)? For example, if you set a cookie just to remember what tab the current user was last on (with no other identifying information in the cookie and no use of that cookie on the server), is that a problem? Or, a cookie that stores a temporary session ID so that the server can keep track of the items in your shopping cart. I doubt these are issues because these aren't tracking or privacy issues.
As every country has their own laws in regard to this, if you are aiming for compliance with a particular country's laws, you will have to consult their exact laws.
I have no idea what all the different laws are across different countries, but the Dutch cookie laws aren't all that strict and most sites won't have to change a thing. You might want to look into the exact laws that apply to your website before you try to purge all cookie creations from it.
In short, Dutch cookie laws come down to:
- A website must ask permission to place cookies that track the user (this includes 3rd party cookies, such as cookies added by Google).
- A website doesn't need to ask users for permission to place cookies that are required to run the website. An example of such a cookie is a cookie that keeps track of what you placed in your shopping cart.
Most implementations of this law that I have seen so far are similar to the one found on fok.nl. The first time the user opens the site a large popup is thrown into their face that will only let the user open the real website if they permit the site to place cookies. I assume this setting is then stored in a new cookie so the user never gets bothered with it again. This solution shouldn't be too difficult to implement.
Edit:
Here are some more examples of implementations: http://www.stormmc.nl/nieuws/nederlandse-voorbeelden-implementatie-cookiewet/ (just click the links).
