Cookie Consent and GDPR
Please note that Cookie Consent doesn’t store any user data server-side or make use of IP addresses. When a user lands on a site using this plugin and accepts the cookie notification message, the plugin places a cookie on the user’s own machine that records the user’s acceptance. It doesn’t store anything, including IP addresses, server-side.
This means it’s not possible to allow the user to ‘opt out’ or remove their data from the site running the plugin – because no data is held on the site.
It’s up to you to decide whether this is relevant with regard to GDPR.
Hi there,
As I understand the GDPR legislation doesn’t allow implied consent any longer.
Will this plugin be updated with the ability to gain explicit consent?
GDPR still allows implied consent, provided your cookies are not used to collect personal data or for profiling (see GDPR Recital 30 for details).
If your cookies do collect personal data or are used for profiling (and if you use Google Analytics or AddThis – you are) then only hard consent (aka. explicit consent) is allowed.
This plugin lets the admin select the dismissal method. Configuring it to use the “on click” dismissal method will ensure that the plugin uses “hard” or “explicit” consent.
IMHO, it does not need to be updated to be GDPR compliant.
- This reply was modified 6 years, 6 months ago by Gisle Hannemyr.
Cookie Consent doesn’t store any user data server-side or make use of IP addresses. It doesn’t store anything, including IP addresses, server-side. This means it’s not possible to allow the user to ‘opt out’ or remove their data from the site running the plugin – because no data is held on the site.
The purpose of your plugin is to inform users that this website uses cookies, including WordPress core ones and Third Party plugin ones, not just the Cookie Consent one. Other plugins can store user data in cookies. You may not have control over that, but we need to remember that when the users click the “I accept” button, they’re accepting all the cookies used by the website, not just yours.
I’ve updated my Privacy Policy to list all the cookies used on my site – their names, what they are used for and what data they contain – and added a line to my more info “Cookie policy” page which states “You can read more detail about what data is stored, why it is stored, and the cookies used, in our Privacy Policy (link).” This goes some way to making my site more GDPR-compliant, but the Cookie Consent plugin in and of itself doesn’t make your site compliant because there’s no mechanism to opt out: it’s informational only, there’s no mechanism to stop other plugins storing data in cookies if the user doesn’t agree, and they can happily surf your website, visiting as many pages as they wish with cookies being set by other plugins, without clicking the “I accept” button.
@qaws I’m not in any way saying that this plugin will make your site compliant with GDPR. It doesn’t say that anywhere in the description.
Yes, the purpose of this plugin – which was developed around 6 years ago, long before GDPR – is “inform users that this website uses cookies, including WordPress core ones and Third Party plugin ones, not just the Cookie Consent one”. It would be bizarre if it only informed users of its own cookies…
I don’t believe you are correct. Google Analytics states:
User Information
* Location – this is derived from the IP address where the hit originated. The IP address itself is not available in GA as it is personally identifiable information (PII) which violates the terms of Google Analytics.
* Language – derived from the language settings of the browser
So Google DOES consider an IP to be personally identifiable. However, the GDPR states this is only personal data when combined with a unique identifier. In my opinion Google Analytics would not require consent prior to use. Implied should be fine (from what I read).
Ico.org who are the regulators in the UK:
* do not have consent
* do not notify the user
* use Google Analytics
Here’s what they have to say on Google Analytics:
These cookies are used to collect information about how visitors use our website and WordPress blog. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited.
You say:
the GDPR states this is only personal data when combined with a unique identifier (my emphasis)
However, the GDPR actually says this about IP-addresses:
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers (my emphasis)
The quote you post from ico.org.uk is very incomplete. They have much more specific information about Google analytics:
When someone visits https://www.ico.org.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. (my emphasis)
So the UK ICO has a legally binding DPA in place where Google is forbidden from doing anything to identify individuals (Google otherwise do this, and they have the technological means to do it, i.e. fingerprinting and triangulation).
I’ll admit that my comment above was a bit brief:
If your cookies do collect personal data or are used for profiling (and if you use Google Analytics or AddThis – you are) then only hard consent (aka. explicit consent) is allowed.
I should have written this:
If your cookies do collect personal data or are used for profiling (and if you use Google Analytics or AddThis without having a DPA in place that forbids these processors from finding out the identities of those visiting your website, or having taken other protective measures such as masking IP-addresses – you are) then only hard consent (aka. explicit consent) is allowed.
Yes, it is possible to use Google Analytics without requiring hard consent. But for the majority of WordPress sites (i.e. those that do not make Google sign a legally binding DPA, and who do not anonymize IP-addresses before forwarding them to Google), this does not apply and hard consent is required.
- This reply was modified 6 years, 6 months ago by Gisle Hannemyr.
I think you are misquoting the GDPR and your quote from UK ICO is incomplete.
I have written a long reply, but I am not allowed to post it, so this brief note will have to do.
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
This is a direct quote from the standard. How I interpret it:
Persons ASSOCIATED with cookies. Not identifiable by them (this is true typically depending on the cookie). If a cookie stores a username for example then this alone makes it personally identifiable information.
So we read on: it’s similar to what I just said. When used in conjunction with unique identifiers.
Please correct me if I’m wrong. I’m seeking the truth.
Also my quote from the ICO is found on their cookie policy page and this is the complete quote. Please check for yourself. (I don’t believe they are compliant anyway).
(New attempt to post a longer reply, pruning all URLs which may have triggered the spam-filter).
Thank you for posting the exact quotes for the DPA. The key phrase is: “other information received by the servers”. Google, in particular, has access to “other information”.
When you collect consent under the GDPR, you not only get consent on behalf of yourself. You also get the data subject’s consent to process the personal data on behalf of all third parties that you give access to your data subjects’ personal data, including Google Analytics.
However, you point out that the UK ICO do not require a hard consent on behalf of Google Analytics, so why should you need to do it?
This is actually what UK ICO has to say about Google analytics:
“When someone visits https://www.ico.org.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.” (my emphasis)
To me, at least, it seems from this text that UK ICO has imposed upon Google much stronger legally binding contractual obligations regarding not identifying individuals than emerges from the standard ToS and Privacy Policy of Google Analytics. It probably means that there exists a DPA between UK ICO and Google where this is regulated.
Now, back to my statement, that you believed was incorrect.
Well, maybe it was a bit brief. I said:
If your cookies do collect personal data or are used for profiling (and if you use Google Analytics or AddThis – you are) then only hard consent (aka. explicit consent) is allowed.
However, I should have written this:
If your cookies do collect personal data or are used for profiling (and if you use Google Analytics or AddThis without having a DPA in place that forbids these processors from finding out the identities of those visiting your website, or having taken other protective measures such as masking IP-addresses – you are) then only hard consent (aka. explicit consent) is allowed.
So:
Yes, it is possible to use Google Analytics without requiring hard consent. But for the majority of WordPress sites (i.e. those that do not make Google sign a legally binding DPA, and who do not anonymize IP-addresses before forwarding them to Google), this does not apply. For those sites, hard consent is required.
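The distinction drawn in this thread between “hard” (on-click) and “soft” (implied) consent, and between a profiling tracker and one with IP masking, can be turned into a client-side gate. This is an added example, not code from the Cookie Consent plugin; the cookie name, the tag inventory and all function names are constructed for illustration, and consent is recorded only in a first-party cookie in the visitor’s browser, exactly as the plugin does.

```javascript
// Added example (not the plugin's code). Constructed names throughout.
const CONSENT_COOKIE = 'cookieconsent_status';        // hypothetical cookie name
const ON_CLICK = 'on_click', ON_SCROLL = 'on_scroll'; // admin-selected dismissal

// Parse document.cookie (or a Cookie header) into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// 'explicit': the visitor clicked accept (hard consent).
// 'implied' : banner dismissed without a click; only counts when the admin
//             configured the on-scroll method, never under on-click.
// 'none'    : no decision recorded, or the visitor declined.
function consentState(cookieString, dismissalMethod) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  if (v === 'allow') return 'explicit';
  if (v === 'dismiss' && dismissalMethod === ON_SCROLL) return 'implied';
  return 'none';
}

// The thread's rule: a tag that profiles visitors (analytics with no DPA and
// no IP masking) needs explicit consent; an anonymised, non-profiling tag may
// run on implied consent; nothing third-party runs without a decision.
function mayLoad(tag, state) {
  if (state === 'explicit') return true;
  if (state === 'implied') return !tag.profiling && tag.anonymizeIp;
  return false;
}

// Names of the third-party tags that may be injected for this visitor.
function tagsToLoad(tags, cookieString, dismissalMethod) {
  const state = consentState(cookieString, dismissalMethod);
  return tags.filter(t => mayLoad(t, state)).map(t => t.name);
}

// Constructed tag inventory; anonymizeIp must reflect what is actually
// configured in the analytics tag, not wishful thinking.
const TAGS = [
  { name: 'google-analytics', profiling: true, anonymizeIp: false },
  { name: 'google-analytics-anonymized', profiling: false, anonymizeIp: true },
  { name: 'addthis', profiling: true, anonymizeIp: false },
];
```

The tag inventory is where an audit of the site’s plugins would be recorded; any tag missing from it is simply never loaded.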
Thank you for the time and effort you have put into this. I don’t actually agree that an IP address is identifiable at all. But my opinion doesn’t matter, it’s the courts. Really appreciate your response, it should help anyone looking into this.
@homegrownandy wrote:
I don’t actually agree that an IP address is identifiable at all.
Before you conclude that, you may want to take a look at this newspaper article. It basically says that based upon knowing only their IP-address, the newspaper identified 78 Norwegians who seem to have downloaded abuse material.
I am a data security analyst and I am familiar with the methods used. If you know how to do this, getting the name and home address of the person when you know the IP-address is trivial, even if you’re not Google.
- This reply was modified 6 years, 6 months ago by Gisle Hannemyr.
I agree, but what evidence is there that this specific person was the one using the IP? maybe a friend or family member.
Also, the way cookies work shouldn’t fall under GDPR at all (my opinion again) because this data is stored on the client PC, which is not an external company’s responsibility.
Once a cookie is installed I do not hold any data of that installation or its contents. I have potential to retrieve the information at a later date for live use.
Interestingly, Google says this:
PII Prohibition
Our contracts prohibit customers from sending Personally Identifiable Information to Google Analytics. Customers should follow these Best Practices to ensure PII is not sent to Google Analytics.
So standard use should be fine according to this statement from google. (found here)
These points don’t really matter as it’s better to be safe than sorry. I’d rather be covered than not.
I agree, but what evidence is there that this specific person was the one using the IP? maybe a friend or family member.
People don’t look at abuse material on computers shared with friends or family members. The devices were smartphones, under the control of the data subject. And these were not one or two random visits; before anyone was identified there had to be a pattern of repeated visits that lasted for a long time.
Also, the way cookies work shouldn’t fall under GDPR at all (my opinion again) because this data is stored on the client PC, which is not an external company’s responsibility.
Then you’ll be glad to hear that in the EU, cookies are not regulated by the GDPR, but by the ePrivacy directive (Directive 2002/58/EC). Quite early in the GDPR process, it was decided not to regulate cookies through the GDPR, but through a separate directive (i.e. which probably will be a revised version of Directive 2002/58/EC).
Thanks for the links to Google’s revised policies re PII! Haven’t seen them before.
Hi,
Thanks @gisle and @homegrownandy for this discussion. I finally understand what can be done with cookies on website.
As I wanted to anonymise IP in the Google Analytics tags, I understand I can use a plugin like Cookie Consent with soft consent (non-explicit).
A last question as you know plenty on the subject: I understood that the user should have the possibility to consent to specific cookies and decline others, and could reverse his choice. This is the case on the CNIL website with the plugin tarteaucitron.js. But plugins like Cookie Consent don’t allow that, so is it not a problem?
Thanks