cbook
Forum Replies Created
Forum: Plugins
In reply to: [Termly - GDPR/CCPA Cookie Consent Banner] GDPR
Hi @catapult_themes. As I mentioned, I like your plugin. If it wasn’t for the GDPR, I would use it and have even thought about what it would take to modify it for GDPR compliance and give the code to you. I did look at Cookiebot (cookiebot.com) – it looks pretty good on a trial run but can get pretty expensive for a blog or some other types of sites with a large number of “pages”.
(@catapult_themes) I think it’s worth remembering in this discussion that this plugin doesn’t store any user data or make use of IP addresses. When a user lands on a site using this plugin and accepts the cookie notification message, the plugin places a cookie on the user’s own machine that records the user’s acceptance. It doesn’t store anything, including IP addresses, server side.
When I saw your entry, I wondered if you have looked into the GDPR. Until a couple of weeks ago, it was one of those things that was on my to-do list and I finally got to it.
In case you haven’t looked into it…
The GDPR is a regulation (EU law) ratified by the EU back in 2016 and is set to take effect on May 25. Every web site that collects and processes data about any natural person who is a citizen of the EU needs to comply with the GDPR or they are subject to fines of up to 10 000 000 EUR or 2% of worldwide turnover for certain infractions and up to 20 000 000 EUR and 4% of worldwide turnover for other infractions, and the GDPR even states that for some things the fine is “whichever is higher” (Article 83 of the GDPR).
Cookies related to analytics and ad targeting will be the main ones that collect and process user data, some of which could be personally identifying information as defined by the regulation and referenced statutes. As a class of cookies, going back to what I wrote earlier as to the GDPR and cookie acceptance, those cookies that collect any potentially personally identifying information on sites that EU citizens might visit need to be listed as to what they are, what they do and who might use the data and the site visitor needs to be able to turn them off – my preference in looking for a GDPR compliant cookie acceptance plugin is one that gives an acceptance and a rejection choice so their choice either way is explicit. For GDPR compliance visitors also need to be able to withdraw acceptance and also to be able to see their data.
In fact, compliance isn’t just doing things but it is documenting what you do and being ready for an audit, and having a process to mitigate damage and notify people in case there is a data breach that could compromise personal data.
The EU really made things difficult for companies without big budgets because there is so much to do.
There are probably plenty of web sites that will only have visitors outside of the EU, but the GDPR is causing a lot of companies to look for what will be GDPR compliant in their forms and cookies, anything that could collect personal data.
Best regards
- This reply was modified 6 years, 7 months ago by cbook.
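As an added illustration of the mechanism described in this reply (a consent record kept only in a cookie on the visitor’s own machine, with an explicit accept or reject per cookie category and a way to withdraw), here is example JavaScript that is not part of the plugin or of the original post; the cookie name and the three categories are assumptions.

```javascript
// Added example, not the plugin's own code: a consent record that lives only in a
// cookie on the visitor's machine (nothing server side), with an explicit
// accept/reject per category, withdrawal, and a gate that scripts consult before
// setting optional cookies. Cookie name and category list are assumptions.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['necessary', 'analytics', 'advertising'];

// Every non-necessary category needs an explicit true/false; a missing choice
// is an error, never a silent "accepted".
function buildConsentRecord(choices, now = Date.now()) {
  const record = { v: 1, ts: now, choices: { necessary: true } };
  for (const cat of CATEGORIES.slice(1)) {
    if (typeof choices[cat] !== 'boolean') {
      throw new Error(`explicit choice required for category "${cat}"`);
    }
    record.choices[cat] = choices[cat];
  }
  return record;
}
// Cookie string for document.cookie / Set-Cookie. Secure + SameSite=Lax keep the
// record off plain HTTP and off cross-site requests.
function serializeConsentCookie(record, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}
// Read the record back from a Cookie header / document.cookie string.
// Anything malformed counts as "no consent given", not as consent.
function parseConsentCookie(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join('=')));
      if (record && record.v === 1 && typeof record.choices === 'object') return record;
    } catch (e) { /* malformed value: fall through to "no consent" */ }
    return null;
  }
  return null;
}
// Gate: strictly necessary cookies are always allowed; any other category only
// when explicitly accepted. No record, or a withdrawn one, means rejected.
function isAllowed(cookieString, category) {
  if (category === 'necessary') return true;
  const record = parseConsentCookie(cookieString);
  return Boolean(record && record.choices[category] === true);
}
// Withdrawal: expire the record so optional categories are rejected again.
function withdrawConsentCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}
```

In a page, the banner would assign `serializeConsentCookie(...)` or `withdrawConsentCookie()` to `document.cookie`, and an analytics or ad tag would only be loaded when `isAllowed(document.cookie, 'analytics')` returns true.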
Forum: Plugins
In reply to: [Termly - GDPR/CCPA Cookie Consent Banner] GDPR
Hello, I like this plugin, but I’m looking for a GDPR compliant cookie plugin also. However, because of all the discussion about what the GDPR says about cookies in this forum thread, I’d like to add this about that.
The GDPR is big on protecting personal data, but it only mentions cookies once, in the Whereas item 30: “(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Two other items in the Whereas section of The GDPR seem to me to be a big help in determining how the GDPR affects cookies:
“(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.”
AND
“(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
Combining the information in those three items it looks like 1) Use of cookies doesn’t necessarily require acceptance; 2) If a cookie contains potentially personally identifiable information or sensitive information as defined in the GDPR, the site visitor must be provided information about that cookie so they clearly understand what it is and does, the user must be given the option to allow use of that cookie, and the user’s choice to allow or disallow its use must be documented, etc., just like you would handle any form collecting personal data; 3) Personally identifiable data defined by The GDPR includes data that if combined with other data could identify a natural person, including third party data.
The GDPR says anonymized data is GDPR compliant without needing consent, but pseudonymized potentially personal data isn’t because it can still be combined with other data to identify a person.
Discussions I’ve seen give an example of IP addresses. Even though with DHCP, a person’s dynamic IP address may change the next time they turn on their computer, the ISP knows to whom they have assigned the IP, so if a tracking cookie contains the IP, it could conceivably be combined with the ISP’s data and identify a natural person; therefore an IP is potentially personally identifiable and needs explicit consent to collect and use.
A little longer than I thought but hopefully it helps. And no, at this time I haven’t found a cookie plugin that I like that fulfills those considerations above.