110 Matching Annotations
  1. Jul 2020
    1. Perhaps most significantly, these latest guidelines clearly state that Cookie Walls are prohibited and that the EDPB does not consider consent via scrolling or continued browsing to be valid. 
    1. The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must: inform users about your data collection activities;give them the option to choose whether it’s allowed or not; obtain informed consent prior to the installation of those cookies.
  2. May 2020
    1. The iubenda Cookie Solution features a JS API for easy interaction with some of its main functions.
    2. In particular, if you set this parameter to true, our solution creates a technical cookie on iubenda.com (domain) which is used when the cookie on the local domain is not found.
    1. The banner is not necessarily required in this specific instance if the cookie policy is easily accessible and visible from every page of the site.
    2. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.

      I'm not sure I agree with this:

      [the technical cookies] are explicitly requested by the user when they indicate that they would like to add the item to the cart.

      The only thing they requested was that the item be held in a cart for them. They didn't explicitly request that cookies be used to store information about items in the cart. They most likely don't understand all of the options for how to store data like this, and certainly wouldn't know or expect specifically that cookies be used for this.

      In fact, localStorage could be used instead. If it's a single-page app, then even that would be necessary; it could all be kept in page-local variables until they checked out (all on the same page); such that reloading the page would cause the cart data held in those variables to be lost.

    1. Implementing prior blocking and asynchronous re-activation Our prior blocking option prevents the installation of non-exempt cookies before user consent is obtained (as required by EU law) and asynchronously activates (without reloading the page) the scripts after the user consents.To use, you must first enable this feature: simply select the “Prior blocking and asynchronous re-activation” checkbox above before copy and pasting the code snippet into the HEAD as mentioned in the preceding paragraph.
  3. Apr 2020
    1. Strictly necessary (id 1). Purposes included:Backup saving and managementHosting and backend infrastructureManaging landing and invitation pagesPlatform services and hostingSPAM protectionTraffic optimization and distributionInfrastructure monitoringHandling payments
    1. You can change your browser settings to refuse cookies and delete them at any time. If you continue to use this site without taking action to prevent the storage of this information, you are effectively agreeing to this use.
  4. Mar 2020
    1. to be fully compliant, this leads to having to check for consent on every request server-side, which is not cacheable/scalable at all. Maybe having caches vary on consent-related properties of a request would solve that, but not without an explosion in cache storage requirements (if nothing else) and nightmares when it comes to cache invalidation(s).
    2. To complicate things further, if you classify your social-sharing-plugins-usage as required functionality, and those need to set their own 3rd party cookies (as they themselves classify those as required), hello to 3rd party cookies being set by default and no way for users to opt-out (except by turning them off via browser, which means the whole thing is redundant, might as well just instruct users to disable third party cookies if they don't want to participate in social sharing crap?)
    3. this website claims the cookie stuff will be a responsibility of the browser, not the website, which would make live easier for web devs.
    1. A single consent form is useful when consent is requested for a single purpose. Here: analytics

      This seems like an important distinction:  Probably (?) you can only use a simple Agree/Disagree consent request if you only have a single purpose/category that you are obtaining consent for.

      As soon as your site has multiple categories to need consent, then you must allow individual consent/refusal of consent for each individual category/purpose.

      This is alluded to just a little bit further on:

      Consent should also be granular; users must be allowed to selectively decide what types of tracking, analytics and other activities their data can be used for.

    1. Websites should not make conditional “general access” to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies.
    2. it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties**”
    3. Our solution goes a bit further than this by pointing to the browser options, third-party tools and by linking to the third party providers, who are ultimately responsible for managing the opt-out for their own tracking tools.
    4. This means or mechanism does not have to be hosted directly by you. In most cases under member state law, browser settings are considered to be an acceptable means of withdrawing consent.
    5. It’s worth noting here that the Italian Data Protection Authority (the Garante Privacy) specifically recognizes “performing a scrolling action” and “clicking on one of the internal links of the page” as valid indications of affirmative consent. Italy’s electronic data laws are fairly robust so in all likelihood, it should be fine to apply this, but because the ePrivacy is, in fact, a Directive, the specifics of how requirements should be met are heavily dependent on individual Member State law. For this reason, we give you the option to easily disable the Cookie Solution’s “scroll to consent” feature should the particular Member State law require it.

      Interesting. Most things I've read seem to suggest that wouldn't be sufficient action to imply consent.

    6. The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart.
    7. these active behaviors may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed; this is somewhat left up to your discretion. Some website/app owners may favor a click-to-consent method over scrolling/continued-browsing methods as the former is less likely to be performed by user error.
    8. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must inform users about your data collection activities and give them the option to choose whether it’s allowed or not; you must obtain informed consent prior to the installation of those cookies.
    9. Prior to consent, no cookies — except for exempt cookies — can be installed
    10. To further illustrate this point, imagine that the ability to run cookies is a room, the cookie management solution is the door and the consent is the act of rotating the door handle; you can only enter through the door into the room if the door handle is rotated (the act of giving consent). In this example, if you’ve entered the room it can only be because the door handle was rotated and, therefore, your presence in the room is sufficient proof of this fact.
    1. A majority also try to nudge users towards consenting (57%) — such as by using ‘dark pattern’ techniques like using a color to highlight the ‘agree’ button (which if clicked accepts privacy-unfriendly defaults) vs displaying a much less visible link to ‘more options’ so that pro-privacy choices are buried off screen.
    2. it really doesn’t take much clicking around the regional Internet to find a gaslighting cookie notice that pops up with a mocking message saying by using this website you’re consenting to your data being processed how the site sees fit — with just a single ‘Ok’ button to affirm your lack of say in the matter.
    1. On the other hand, providing your customers with a customized user experience or tailored product suggestions is not a requirement for an online store, and cookies that enable these features do not fall under the "strictly necessary" category. You'll need to get consent before you use them.
    2. When you visit your favorite online store, you expect the items you add to your shopping cart to still be in your shopping cart when you check out. Cookies make that happen. If you opted out of those cookies, you would, in essence, be opting out of the very reason you went to that site in the first place. Asking a customer if they want to allow cookies to make their shopping cart work would be like asking them if they want the thread to keep their shirt together.
    3. In fact, some are essential for the proper functioning of a website. The EU understands this and makes an exception for cookies that are "strictly necessary" to fulfill the services requested by your site visitors.
    1. Decision point #2 – Do you send any data to third parties, directly or inadvertently? <img class="alignnone size-full wp-image-10174" src="https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart.png" alt="GDPR cookie consent flowchart" width="1451" height="601" srcset="https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart.png 1451w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-300x124.png 300w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-981x406.png 981w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-761x315.png 761w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-611x253.png 611w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-386x160.png 386w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-283x117.png 283w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-600x249.png 600w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-1024x424.png 1024w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-50x21.png 50w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-250x104.png 250w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-241x100.png 241w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-400x166.png 400w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-350x145.png 350w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-840x348.png 840w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-860x356.png 860w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-1030x427.png 1030w" sizes="(max-width: 1451px) 100vw, 1451px" /> Remember, inadvertently transmitting data to third parties can occur through the plugins you use on your website. You don't necessarily have to be doing this proactively. If the answer is “Yes,” then to comply with GDPR, you should use a cookie consent popup.
    1. Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.

      They seem to claim (or hope that their description will make you think) that ‘NID’ is only used for storing preferences, but if you read further down, you see that it's also used for targeting.

      These should be separate cookies since they have separate purposes, and since under GPDR we have to get separate consent for each purpose of cookie.

    2. You can view and manage cookies in your browser (though browsers for mobile devices may not offer this visibility).
    1. YouTube’s privacy-enhanced mode basically means they do not store visitor’s information if you have a YouTube video on your website, unless they actually click on the video to view it.
    1. The problem is that even if the visitor is not watching the video or interacting with it, in any capacity, YouTube still collects and stores data on them. Not cool.This is done using cookies that are placed on the user’s browser the moment they load a webpage with a YouTube video embedded in it. These cookies are used to track users, serve targeted ads (Google’s bread and butter), and add info to user’s profile. Yes, they have profiles on everyone.
    1. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
    1. You still have to use a Cookie Notice, if you’re planning to collect data that can identify an individual within the EU, or
    1. However, we recognise there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties.
    2. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.
    3. While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
    4. PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.
    1. Out of 508 manually analysed websites that provide a way to opt out, we detected 39 websites where the banner stores a positive consent, even if the user explicitly refuses consent via the cookie banner.
    2. For large-scale analysis of websites, we have implemented a crawler, called Cookinspect, based on a Selenium-instrumented Chromium, that detects what consent cookie banners store in the user's browser.
    3. The primary goal of Cookie glasses extension is to empower the end users and Data Protection Authorities to investigate websites and detect when the consent stored by the website does not correspond to the choice made by the user.
    1. small portion of sites (~7%) entirely ignore responses to cookie pop-ups and track users regardless of response.
    2. open source browser extension that can automatically answer pop-ups based on user-customizable preferences.It’s called Consent-o-Matic — and there are versions available for Firefox and Chrome.
    3. majority of the current implementations of cookie notices offer no meaningful choice to Europe’s Internet users — even though EU law requires one
    1. By default, your users will be asked for their consent on each of your domains and sub domains since Cookiebot treats domains and sub domains separately. By enabling the Bulk Consent feature, however, your users will only be prompted for a consent the first time they visit any one of your websites (and again after 12 months when the consent needs to be renewed).
    1. Very few solutions include all of the GDPR required features like: 1) Enabled prior consent. 2) Clear and specific information about data types and purpose of the cookies. 3) Full documentation of all given consents. 4) The possibility for users to reject superfluous cookies and still use the website. 5) The possibility that users can withdraw their consent whenever they want. Cookie solutions that don’t have those features are not GDPR compliant.
    2. It is required by the GDPR as you must document cookies and online tracking at anytime and you must be able to show that documentation to both your users and the EU.
    1. You can add both the two domains to the same domain group. That way they will share the same script and behave in the same way.
    2. it is possible to use ‘Bulk Consent’ for all the domains and subdomains within one domain group to ensure that a website visitor is asked for a joint consent covering all the domains/subdomains only the first time he visits one of those domains
    1. Also, it is possible to use ‘Bulk Consent’ for all the domains and subdomains within one domain group to ensure that a website visitor is asked for a joint consent covering all the domains/subdomains only the first time he visits one of those domains
    2. They will share the same cbid (‘CookiebotIdentifier, which is the serial number that is included in the script. Each domain group has a unique cbid), use the same cookie consent banner template, the same logo, the same styling of the banner etc.
    1. Some people prefer not to allow cookies, which is why most browsers give you the ability to manage cookies to suit you.Some browsers limit or delete cookies, so you may want to review your cookie settings and ads settings. In some browsers you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your privacy. What this means is that you can disallow cookies from all sites except those that you trust.In the Google Chrome browser, the Tools menu contains an option to Clear Browsing Data. You can use this option to delete cookies and other site and plug-in data, including data stored on your device by the Adobe Flash Player (commonly known as Flash cookies). See our instructions for managing cookies in Chrome.
    1. haven’t consent tools been around for a while? Sort of! Ever since May 2011, when the EU Cookie Directive went into effect, most EU sites have added cookie notification bars to the top or bottom of their pages. This prompted many third-party solutions to pop-up, including WordPress plug-ins and the leading tool from Silktide. These tools are still around, and many sites continue to use them under the GDPR. However, these solutions were built for the older law, and the GDPR is much more specific about requiring explicit opt-in consent. Most of those older tools don't provide this, nor do they integrate with downstream ad partners, paving the way for the more sophisticated CMPs.
    1. Note that the scope of personal data is truly broad, which makes processing complex and tricky. So, even though, for instance, you employ anonymization in Google Analytics to get rid of all information that falls under this category, you’re still in a catch-22 situation. This is because GA stores a visitor online identifier in a cookie, and under the GDPR that file constitutes a piece of personal data. That means you still need to obtain consent from visitors to process their data.
    1. Do I need a CMP? Short answer: Probably yes. Long answer: If your company is based in the EEA (European Economic Area) or if you are dealing with customers/visitors from this area and show them advertising, it is very likely that you will collect and/or process personal data such as IP-addresses. Therefore, according to GDPR, you need to make sure that the visitor is informed and you need to ask the user for consent. In order to do this you will need a CMP.
    1. To be fully compliant with GDPR, you would also need to enable Show Reject All Button setting.
    2. Consent Model. In the case of GDPR, you must choose the Opt-in. This means that you cannot start tracking people before the consent was given.
    3. This cookie consent notification is just a tool for getting consent, it’s not capable of managing your tracking tags because every website and every GTM container is unique, therefore there is no universal solution. As a result, you will have to manually update all your tracking tags with additional firing rules.
    4. Configuring OneTrust’s cookie consent solution is just half of the task. Your tracking scripts (like Google Analytics, Google Adwords, etc.) will still continue working as they always did unless you import my GTM recipe and then reconfigure all of your tracking tags. Yup, there’s a lot of manual work waiting ahead.
    5. if you are using some tools/scripts on your website that are used to identify individuals and their data is processed by you or 3rd parties), that can be done only when a person gives consent
    1. CookiePro’s Cookie Consent module provides the ability to decide whether to respond to a DNT browser request by automatically blocking any category of cookies where it is configured to do so. To use this function, go to the relevant cookie group(s), and set the status to Do Not Track. The result is that cookies will be Active, unless the user has turned on Do Not Track, in which case they will be set to Inactive, with the ability for the user to override this in the cookie settings.
    1. If you wish to disable cookies, you may do so through your individual browser options. More detailed information about cookie management with specific web browsers can be found at the browsers’ respective websites.
    1. You need to provide the ability for users to look at cookies individually, so they need to be listed (and that can be quite a lot of work in major systems). You’re allowed to define some cookies as “necessary for the correct functioning of this product”, usually cookies that store session related data. After all, if a user opts out of those, they can’t meaningfully use the web site, or that part of the site.But you have to be honest about it. You can’t, for example, define marketing or analytic cookies as necessary, and you have to allow users to opt out from them. Those don’t stop the site from functioning, it just reduces the data you can collect about site use.
    1. There’s not even a consensus on whether or not cookie alerts are compliant with European law. In May, the Dutch data protection agency said these disclosures do not actually comply with GDPR because they’re basically a price of entry to a website.
    2. On the other hand, asking them to check a box when they have very little idea what they’re agreeing to — and not giving them any other viable options — doesn’t seem to be an ideal solution.
    3. Most companies are throwing cookie alerts at you because they figure it’s better to be safe than sorry When the GDPR came into effect, companies all over the globe — not just in Europe — scrambled to comply and started to enact privacy changes for all of their users everywhere. That included the cookie pop-ups. “Everybody just decided to be better safe than sorry and throw up a banner — with everybody acknowledging it doesn’t accomplish a whole lot,” said Joseph Jerome, former policy counsel for the Privacy & Data Project at the Center for Democracy & Technology, a privacy-focused nonprofit.
    1. load cookies without my consent. These sites just notify me without giving me a choice to refuse.
    2. that permission must be freely obtained. Ergo, a free choice must be offered.So, in other words, a “data for access” cookie wall isn’t going to cut it. (Or, as the DPA puts it: “Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.”)
    1. Is that enough to be GDPR compliant? No. My understanding is that to be compliant you would wait to initialize the analytics until after you had received the user's explicit consent. Even then you would need to be able to turn off analytics again if the user later revoked their consent.
    1. Here you need to decide if you want to take a cautious road and put it into an “anonymous” mode or go all out and collect user identifiable data. If you go with anonymous, you have the ability to not need consent.
    2. anything that isn’t really necessary or essential requires consent from the user
    1. Absolutely not! There is no GDPR cookie rule. That is a total myth.
    2. if the cookie is installed by your own site, then the consumer can decide ON THEIR OWN BROWSER, if they want to send it. Cookies are a data signal YOU ARE SENDING FROM YOUR OWN COMPUTER. If you don’t want to voluntarily submit a cookie, just turn it off.
    1. When choosing the ‘Compliance type’ we recommend that you use their ‘Just tell users that we use cookies’ option