• Resolved Ov3rfly

    (@ov3rfly)


    Plugin file src/view/frontend/scripts/cookiebot-js.php included via src/lib/Cookiebot_Javascript_Helper.php in a wp_head action on every page in frontend contains hardcoded external hosted javascript:

    <script type="text/javascript"
    		id="Cookiebot"
    		src="https://consent.cookiebot.com/uc.js"
    		data-cbid="<?php echo esc_attr( $cbid ); ?>"
    	...
    

    Please include the javascript in plugin distribution, we need to host all assets locally due to GDPR regulations.

    Legal background regarding user IP as personal information which can not be shared without consent is the same as with: Complying with GDPR when using Google Fonts (make.www.remarpro.com)

    Cookiebot | GDPR/CCPA Compliant Cookie Consent and Control 4.1.1
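
A way to check a rendered page for the behaviour reported above, as an added example that is not part of the original post or the plugin's code: it lists every resource the static markup makes the browser fetch from a host other than the site's own. The site URL, the sample markup (apart from the Cookiebot script attributes quoted in the post) and all names in the code are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser send a request on page load.
FETCHING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link> only fetches for these rel values; others (e.g. canonical) do not.
FETCHING_RELS = {"stylesheet", "preload", "modulepreload", "icon"}
# <script> types a browser runs; any other type is an inert data block.
JS_TYPES = {"", "text/javascript", "application/javascript", "module"}

# Constructed sample of a rendered <head>; data-cbid is a placeholder value.
SAMPLE_HTML = """<head>
<script type="text/javascript" id="Cookiebot"
        src="https://consent.cookiebot.com/uc.js" data-cbid="CONSTRUCTED-CBID"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script type="text/plain" src="https://stats.example.net/t.js"></script>
<link rel="stylesheet" href="//fonts.example.net/css?family=Demo">
<link rel="canonical" href="https://other.example.org/page">
</head>"""


class ThirdPartyAudit(HTMLParser):
    """Collect (tag, id, url) for resources loaded from hosts other than the site's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr, a = FETCHING.get(tag), dict(attrs)
        if attr is None or not a.get(attr):
            return
        if tag == "script" and (a.get("type") or "").strip().lower() not in JS_TYPES:
            return  # not executed, so never fetched
        if tag == "link" and not FETCHING_RELS & set((a.get("rel") or "").lower().split()):
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, a[attr].strip())
        host = urlsplit(url).hostname
        if host and host != self.site_host:
            self.findings.append((tag, a.get("id"), url))


def audit(html, page_url):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return parser.findings
```

Calling `audit(SAMPLE_HTML, "https://shop.example.com/")` reports the Cookiebot script and the protocol-relative stylesheet. It covers static markup only; requests a script makes after it loads need a browser network log.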

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Richard

    (@rvcybot)

    Hi @ov3rfly,

    Unfortunately we can’t include the JS-file, as we continuously make changes and update it.
    Furthermore, the script will fail if it’s hosted locally. This is due to the script fetching multiple resources from consent.cookiebot.com.

    So I’m afraid we can’t accommodate your request.

    Thread Starter Ov3rfly

    (@ov3rfly)

    This is not some optional request. The current behaviour of the plugin needs to be changed due to legal requirements.

    Lots of companies in EU countries like Germany are being sued right as we speak for embedding external assets without previous user consent. See above make.www.remarpro.com link for details why that happens and will continue to happen.

    WordPress users look for solutions for this problem and find (besides others) your plugin, which in the end will get them into even more legal trouble with the current behaviour.

    Fetching javascripts and multiple more external resources without previous user consent is clearly against GDPR regulations.

    If a GDPR consent plugin can’t work without fetching resources from external servers, it is not only basically useless but also dangerous for unsuspecting users.

    Plugin Support Richard

    (@rvcybot)

    Hi again,

    Thank you for clarifying why you would need to locally host the script. We’re aware of the Hessen ruling, which prohibits data transfer to the United States.
    Sadly locally hosting really isn’t a possibility, but we do offer an EU hosted alternative, as described in this article: Cookiebot CMP – European CDN solution.

    I hope this helps you comply with the German requirements.

    Thread Starter Ov3rfly

    (@ov3rfly)

    GDPR regulations require user consent before personal user data including IP address is sent to any third party.

    Also your European CDN is a third party.

    A plugin which shows a banner and includes or excludes content parts of a website based on settings in this banner can be completely hosted locally and also work perfectly fine locally without any problem.

    You still can offer (paid) services to scan websites from outside for cookies etc. but there is no technical reason at all to host any plugin resources on an external server.

    If there is any need to update a script for the banner, you can push a plugin update via the provided www.remarpro.com mechanism which you use to distribute your plugin, done.

    Your plugin description is currently not clear about the fact that at this time EU users can not use the plugin with the current behaviour without getting into legal trouble.

    The whole concept of hosting GDPR consent resources on third party servers is flawed from the beginning.

    We know how to comply with local requirements, the majority of your plugin users don’t. They think they would be safe, but instead they add additional risk with the current version of this plugin.

  • The topic ‘Plugin uses hardcoded external hosted javascript’ is closed to new replies.