169 Matching Annotations
  1. Jul 2020
    1. Perhaps most significantly, these latest guidelines clearly state that Cookie Walls are prohibited and that the EDPB does not consider consent via scrolling or continued browsing to be valid. 
    1. The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must: inform users about your data collection activities;give them the option to choose whether it’s allowed or not; obtain informed consent prior to the installation of those cookies.
  2. Jun 2020
    1. How do I change my cookie settings? Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.
  3. May 2020
    1. The iubenda Cookie Solution features a JS API for easy interaction with some of its main functions.
    2. In particular, if you set this parameter to true, our solution creates a technical cookie on iubenda.com (domain) which is used when the cookie on the local domain is not found.
    1. The banner is not necessarily required in this specific instance if the cookie policy is easily accessible and visible from every page of the site.
    2. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.

      I'm not sure I agree with this:

      [the technical cookies] are explicitly requested by the user when they indicate that they would like to add the item to the cart.

      The only thing they requested was that the item be held in a cart for them. They didn't explicitly request that cookies be used to store information about items in the cart. They most likely don't understand all of the options for how to store data like this, and certainly wouldn't know or expect specifically that cookies be used for this.

      In fact, localStorage could be used instead. If it's a single-page app, then even that would be necessary; it could all be kept in page-local variables until they checked out (all on the same page); such that reloading the page would cause the cart data held in those variables to be lost.

    3. Blocking cookies before consent. In compliance with the general principles of privacy legislation, which prevent processing before consent, the cookie law does not allow the installation of cookies before obtaining user consent. In practice, this means that you may have to employ a form of script blocking prior to user consent.
    4. Prior to informed and explicit consent, no cookies – except for exempt cookies – can be installed.
    5. Because using cookies means both processing user data and installing files that could be used for tracking, it is a major point of concern when it comes to user data privacy rights.
    1. Shouldn't I be adding the names of the cookies my site/app is using? The specific names of cookies don't provide users with information they can understand. Regarding cookies installed by third parties: the site owner is not in direct control of these cookies. This results in the naming and future changes to naming conventions also being outside of the owner's control and therefore also duty for disclosure. Due to this, we describe the cookies by their purpose and we give users all the instructions they need in order to understand cookies and manage them in their browsers. Then we link to the privacy/cookie policies of any third parties used by your site and we reference their opt-out pages, when available. This concept is the result from consultations with countless privacy attorneys, feedback from privacy authorities and the interpretation of the law itself.

      This sounds like a reasonable compromise.

      Like they say, listing specific names of cookies isn't helpful or practical/maintainable for perpetuity:

      The specific names of cookies don't provide users with information they can understand. Regarding cookies installed by third parties: the site owner is not in direct control of these cookies. This results in the naming and future changes to naming conventions also being outside of the owner's control and therefore also duty for disclosure.

    1. Implementing prior blocking and asynchronous re-activation Our prior blocking option prevents the installation of non-exempt cookies before user consent is obtained (as required by EU law) and asynchronously activates (without reloading the page) the scripts after the user consents.To use, you must first enable this feature: simply select the “Prior blocking and asynchronous re-activation” checkbox above before copy and pasting the code snippet into the HEAD as mentioned in the preceding paragraph.
  4. Apr 2020
    1. purposes are grouped into 5 categories (strictly necessary, basic interactions & functionalities, experience enhancement, measurement, targeting & advertising)
    2. Strictly necessary (id 1). Purposes included:Backup saving and managementHosting and backend infrastructureManaging landing and invitation pagesPlatform services and hostingSPAM protectionTraffic optimization and distributionInfrastructure monitoringHandling payments
    3. Google Tag Manager allows you to avoid tagging scripts as described below, although this is limited to a certain category of scripts – scripts that are not positional/do not define a position. It, therefore, does not handle embed scripts such as those related to advertising banners, youtube video widgets, facebook like buttons etc.
    1. You can change your browser settings to refuse cookies and delete them at any time. If you continue to use this site without taking action to prevent the storage of this information, you are effectively agreeing to this use.
    1. The user's computer stores and transmits cookies. Therefore, you as a user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your browser. Cookies that have already been saved can be erased at any time. This can also be done automatically. Please consult the documentation of your browser. Links to the cookie management documentations of some popular browsers:
    1. Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field. The usual mechanism for folding HTTP headers fields (i.e., as defined in [RFC2616]) might change the semantics of the Set-Cookie header field because the %x2C (",") character is used by Set-Cookie in a way that conflicts with such folding.

      "Fold" should be replaced with "combine" to make this paragraph consistent with the HTTP/1 specs (RFC 2616, RFC 7230).

      https://www.rfc-editor.org/errata/eid6093 https://stackoverflow.com/questions/3241326/

  5. Mar 2020
    1. The Cookie Law does not require that records of consent be kept but instead indicates that you should be able to prove that consent occurred (even if that consent has been withdrawn). The simple way to do this would be to use a cookie management solution that employs a prior blocking mechanism as under such circumstances, cookie installing scripts will only be run after consent is attained. In this way, the very fact that scripts were run may be used as sufficient proof of consent.
    2. Websites should not make conditional “general access” to the site on acceptance of all cookies but can only limit certain content if the user does not consent to cookies.
    3. it would appear impossible to require a publisher to provide information on and obtain consent for the installation of cookies on his own website also with regard to those installed by “third parties**”
    4. Our solution goes a bit further than this by pointing to the browser options, third-party tools and by linking to the third party providers, who are ultimately responsible for managing the opt-out for their own tracking tools.
    5. You are also not required to manage consent for third-party cookies directly on your site/app as this responsibility falls to the individual third-parties. You are, however, required to at least facilitate the process by linking to the relevant policies of these third-parties.
    6. conspicuously provide the option for obtaining informed consent, provide a means for the withdrawal of consent and guarantee, via prior blocking, that no tracking is performed before the user has provided consent.
    7. the Cookie Law does not require that you provide users with the means to toggle cookie preferences directly on your site/app
    8. the publisher would be required to check, from time to time, that what is declared by the third parties corresponds to the purposes they are actually aiming at via their cookies. This is a daunting task because a publisher often has no direct contacts with all the third parties installing cookies via his website, nor does he/she know the logic underlying the respective processing.
    9. This means or mechanism does not have to be hosted directly by you. In most cases under member state law, browser settings are considered to be an acceptable means of withdrawing consent.
    10. It’s worth noting here that the Italian Data Protection Authority (the Garante Privacy) specifically recognizes “performing a scrolling action” and “clicking on one of the internal links of the page” as valid indications of affirmative consent. Italy’s electronic data laws are fairly robust so in all likelihood, it should be fine to apply this, but because the ePrivacy is, in fact, a Directive, the specifics of how requirements should be met are heavily dependent on individual Member State law. For this reason, we give you the option to easily disable the Cookie Solution’s “scroll to consent” feature should the particular Member State law require it.

      Interesting. Most things I've read seem to suggest that wouldn't be sufficient action to imply consent.

    11. When you think about data law and privacy legislations, cookies easily come to mind as they’re directly related to both. This often leads to the common misconception that the Cookie Law (ePrivacy directive) has been repealed by the General Data Protection Regulation (GDPR), which in fact, it has not. Instead, you can instead think of the ePrivacy Directive and GDPR as working together and complementing each other, where, in the case of cookies, the ePrivacy generally takes precedence.
    12. The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart.
    13. In general, the directive does not specifically require that you list and name individual third-party cookies, however, you are required to clearly state their categories and purpose. This decision by the Authority is likely deliberate as to require such would mean that individual website/app owners would bear the burden of constantly watching over every single third-party cookie, looking for changes that are outside of their control; this would be largely unreasonable, inefficient and likely unhelpful to users.
    14. a broader explanation of the way cookies operate and of the categories of cookies used will be helpful. A description of the types of things analytical cookies are used for on the site will be more likely to satisfy the requirements than simply listing all the cookies you use with basic references to their function.
    15. The cookie policy must: indicate the type of the cookies installed (e.g. statistical, advertising etc.);describe in detail the purpose of installation of cookies;indicate all third-parties that install or that could install cookies, with a link to their respective policies, and any opt-out forms (where available);be available in all languages in which the service is provided.
    16. In practice, this means that you may have to employ a form of script blocking prior to user consent.
    17. these active behaviors may include continued browsing, clicking, scrolling the page or some method that requires the user to actively proceed; this is somewhat left up to your discretion. Some website/app owners may favor a click-to-consent method over scrolling/continued-browsing methods as the former is less likely to be performed by user error.
    18. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must inform users about your data collection activities and give them the option to choose whether it’s allowed or not; you must obtain informed consent prior to the installation of those cookies.
    19. Prior to consent, no cookies — except for exempt cookies — can be installed
    20. To further illustrate this point, imagine that the ability to run cookies is a room, the cookie management solution is the door and the consent is the act of rotating the door handle; you can only enter through the door into the room if the door handle is rotated (the act of giving consent). In this example, if you’ve entered the room it can only be because the door handle was rotated and, therefore, your presence in the room is sufficient proof of this fact.
    1. The fastest way to preventively block the scripts that require prior consent is to install a module on your own server that we have developed for Apache, IIS and NGNIX. After the initial configuration, the module will autonomously block all the resources that are subject to prior consent, on all sites on that server that are using the Cookie Solution.
    2. Some cookies are exempted from prior consent and therefore do not require compliance with the instructions contained in this guide
    3. Please consider that using this method means that you do not directly block the vendor scripts yourself, therefore, the success of this method depends heavily on the individual vendors’ adherence to regulation.
    4. This method has the advantage of being quite fast but with the limit of working only for scripts that don’t require a specific position. Google Tag Manager is therefore not effective for all scripts that display a specific element in a specific position of the page (such as the Facebook Like button).
    5. Technical cookies, i.e. those needed to provide the service. These include preference cookies, session cookies, load balancing cookies etc.
    6. In accordance with the general principles of privacy law, which do not permit the processing of data prior to consent, the cookie law does not allow the installation of cookies before obtaining the user’s consent, except for exempt categories.
    1. to be fully compliant, this leads to having to check for consent on every request server-side, which is not cacheable/scalable at all. Maybe having caches vary on consent-related properties of a request would solve that, but not without an explosion in cache storage requirements (if nothing else) and nightmares when it comes to cache invalidation(s).
    2. To complicate things further, if you classify your social-sharing-plugins-usage as required functionality, and those need to set their own 3rd party cookies (as they themselves classify those as required), hello to 3rd party cookies being set by default and no way for users to opt-out (except by turning them off via browser, which means the whole thing is redundant, might as well just instruct users to disable third party cookies if they don't want to participate in social sharing crap?)
    3. The cookie or privacy policy could list those 3rd party cookies in more detail.
    4. You don't have to list every exact cookie on this accept/decline page as it'll just be too confusing for users.
    5. this website claims the cookie stuff will be a responsibility of the browser, not the website, which would make live easier for web devs.
    1. Our WordPress plugin automatically blocks scripts that are generated on the server side (therefore returned by PHP by WordPress). Scripts that are inserted into the page via JavaScript after the loading process of that page are not and cannot be blocked automatically.
    1. A single consent form is useful when consent is requested for a single purpose. Here: analytics

      This seems like an important distinction:  Probably (?) you can only use a simple Agree/Disagree consent request if you only have a single purpose/category that you are obtaining consent for.

      As soon as your site has multiple categories to need consent, then you must allow individual consent/refusal of consent for each individual category/purpose.

      This is alluded to just a little bit further on:

      Consent should also be granular; users must be allowed to selectively decide what types of tracking, analytics and other activities their data can be used for.

    2. the introduction of the EU’s General Data-Protection Regulation (GDPR) has significantly impacted the way websites and business collect, store and use both types of cookies. For one, the GDPR includes cookies in its definition of personal data, which refers to any piece of data or information that can identify a visitor.
    1. Are cookies governed by the GDPR? Cookie usage and it’s related consent acquisition are not governed by the GDPR, they are instead governed by the ePrivacy Directive (Cookie Law) which in future will be repealed by the up-coming ePrivacy Regulation.
    1. ‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent;
    2. A majority also try to nudge users towards consenting (57%) — such as by using ‘dark pattern’ techniques like using a color to highlight the ‘agree’ button (which if clicked accepts privacy-unfriendly defaults) vs displaying a much less visible link to ‘more options’ so that pro-privacy choices are buried off screen.
    3. it really doesn’t take much clicking around the regional Internet to find a gaslighting cookie notice that pops up with a mocking message saying by using this website you’re consenting to your data being processed how the site sees fit — with just a single ‘Ok’ button to affirm your lack of say in the matter.
    1. provide users with information regarding how to update their browser settings. Many sites provide detailed information for most browsers. You could either link to one of these sites, or create a similar guide of your own. Your guide can either appear in a pop up after a user declines consent, or it can be part of your Privacy Policy, Cookie Information page, or its own separate page.
    2. On the other hand, providing your customers with a customized user experience or tailored product suggestions is not a requirement for an online store, and cookies that enable these features do not fall under the "strictly necessary" category. You'll need to get consent before you use them.
    3. When you visit your favorite online store, you expect the items you add to your shopping cart to still be in your shopping cart when you check out. Cookies make that happen. If you opted out of those cookies, you would, in essence, be opting out of the very reason you went to that site in the first place. Asking a customer if they want to allow cookies to make their shopping cart work would be like asking them if they want the thread to keep their shirt together.
    4. In fact, some are essential for the proper functioning of a website. The EU understands this and makes an exception for cookies that are "strictly necessary" to fulfill the services requested by your site visitors.
    1. Decision point #2 – Do you send any data to third parties, directly or inadvertently? <img class="alignnone size-full wp-image-10174" src="https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart.png" alt="GDPR cookie consent flowchart" width="1451" height="601" srcset="https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart.png 1451w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-300x124.png 300w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-981x406.png 981w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-761x315.png 761w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-611x253.png 611w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-386x160.png 386w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-283x117.png 283w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-600x249.png 600w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-1024x424.png 1024w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-50x21.png 50w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-250x104.png 250w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-241x100.png 241w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-400x166.png 400w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-350x145.png 350w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-840x348.png 840w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-860x356.png 860w, https://www.jeffalytics.com/wp-content/uploads/7deb832d95678dc21cc23208d76f4144_Flowchart-1030x427.png 1030w" sizes="(max-width: 1451px) 100vw, 1451px" /> Remember, inadvertently transmitting data to third parties can occur through the plugins you use on your website. You don't necessarily have to be doing this proactively. If the answer is “Yes,” then to comply with GDPR, you should use a cookie consent popup.
    1. Vimeo We use Vimeo for video display. Read more Name Retention Function Statistics __utmt_player 10 minutes Track audience reach vuid 2 years Store the user's usage history Sharing For more information, please read the Vimeo Privacy Policy.

      I like how it groups cookies by the site/service that sets them, and has links to more information and privacy policy for each of those services.

    1. Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.

      They seem to claim (or hope that their description will make you think) that ‘NID’ is only used for storing preferences, but if you read further down, you see that it's also used for targeting.

      These should be separate cookies since they have separate purposes, and since under GPDR we have to get separate consent for each purpose of cookie.

    2. You can view and manage cookies in your browser (though browsers for mobile devices may not offer this visibility).
    1. Is installing and configuring the plugin enough for compliance? Only if the only cookies your site uses are the Google Analytics ones. If other plugins set cookies, it is possible that you will need to write additional JavaScript.
    1. YouTube’s privacy-enhanced mode basically means they do not store visitor’s information if you have a YouTube video on your website, unless they actually click on the video to view it.
    1. The problem is that even if the visitor is not watching the video or interacting with it, in any capacity, YouTube still collects and stores data on them. Not cool.This is done using cookies that are placed on the user’s browser the moment they load a webpage with a YouTube video embedded in it. These cookies are used to track users, serve targeted ads (Google’s bread and butter), and add info to user’s profile. Yes, they have profiles on everyone.
    1. If a user embeds a Facebook iframe, a blocking tool is needed that initially disables the iframe and or scripts
    1. In order to obtain freely given consent, it must be given on a voluntary basis. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.
    1. You still have to use a Cookie Notice, if you’re planning to collect data that can identify an individual within the EU, or
    1. However, we recognise there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties.
    2. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.
    3. While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
    4. PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.
    1. Out of 508 manually analysed websites that provide a way to opt out, we detected 39 websites where the banner stores a positive consent, even if the user explicitly refuses consent via the cookie banner.
    2. For large-scale analysis of websites, we have implemented a crawler, called Cookinspect, based on a Selenium-instrumented Chromium, that detects what consent cookie banners store in the user's browser.
    3. The primary goal of Cookie glasses extension is to empower the end users and Data Protection Authorities to investigate websites and detect when the consent stored by the website does not correspond to the choice made by the user.
    1. small portion of sites (~7%) entirely ignore responses to cookie pop-ups and track users regardless of response.
    2. open source browser extension that can automatically answer pop-ups based on user-customizable preferences.It’s called Consent-o-Matic — and there are versions available for Firefox and Chrome.
    3. majority of the current implementations of cookie notices offer no meaningful choice to Europe’s Internet users — even though EU law requires one
    1. Cookies may not be detected by scanner if the related tag is triggered by actions such as form submission, scroll depth, timing delay, etc. These tags will need to be controlled by manual methods.

      With all these caveats listed, it makes me wonder for which tags auto-blocking does work. Only script tags inside of head?

      They are a bit vague in their "how it works" description...

    2. Cookies set by in-line scripting directly in the HTML is not supported by the auto-blocking functionality.
    1. By default, your users will be asked for their consent on each of your domains and sub domains since Cookiebot treats domains and sub domains separately. By enabling the Bulk Consent feature, however, your users will only be prompted for a consent the first time they visit any one of your websites (and again after 12 months when the consent needs to be renewed).
    1. Very few solutions include all of the GDPR required features like: 1) Enabled prior consent. 2) Clear and specific information about data types and purpose of the cookies. 3) Full documentation of all given consents. 4) The possibility for users to reject superfluous cookies and still use the website. 5) The possibility that users can withdraw their consent whenever they want. Cookie solutions that don’t have those features are not GDPR compliant.
    2. It is required by the GDPR as you must document cookies and online tracking at anytime and you must be able to show that documentation to both your users and the EU.
    1. You can add both the two domains to the same domain group. That way they will share the same script and behave in the same way.
    2. it is possible to use ‘Bulk Consent’ for all the domains and subdomains within one domain group to ensure that a website visitor is asked for a joint consent covering all the domains/subdomains only the first time he visits one of those domains
    1. Also, it is possible to use ‘Bulk Consent’ for all the domains and subdomains within one domain group to ensure that a website visitor is asked for a joint consent covering all the domains/subdomains only the first time he visits one of those domains
    2. They will share the same cbid (‘CookiebotIdentifier, which is the serial number that is included in the script. Each domain group has a unique cbid), use the same cookie consent banner template, the same logo, the same styling of the banner etc.
    1. Some people prefer not to allow cookies, which is why most browsers give you the ability to manage cookies to suit you.Some browsers limit or delete cookies, so you may want to review your cookie settings and ads settings. In some browsers you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your privacy. What this means is that you can disallow cookies from all sites except those that you trust.In the Google Chrome browser, the Tools menu contains an option to Clear Browsing Data. You can use this option to delete cookies and other site and plug-in data, including data stored on your device by the Adobe Flash Player (commonly known as Flash cookies). See our instructions for managing cookies in Chrome.
    1. haven’t consent tools been around for a while? Sort of! Ever since May 2011, when the EU Cookie Directive went into effect, most EU sites have added cookie notification bars to the top or bottom of their pages. This prompted many third-party solutions to pop-up, including WordPress plug-ins and the leading tool from Silktide. These tools are still around, and many sites continue to use them under the GDPR. However, these solutions were built for the older law, and the GDPR is much more specific about requiring explicit opt-in consent. Most of those older tools don't provide this, nor do they integrate with downstream ad partners, paving the way for the more sophisticated CMPs.
    1. Note that the scope of personal data is truly broad, which makes processing complex and tricky. So, even though, for instance, you employ anonymization in Google Analytics to get rid of all information that falls under this category, you’re still in a catch-22 situation. This is because GA stores a visitor online identifier in a cookie, and under the GDPR that file constitutes a piece of personal data. That means you still need to obtain consent from visitors to process their data.
    1. Do I need a CMP? Short answer: Probably yes. Long answer: If your company is based in the EEA (European Economic Area) or if you are dealing with customers/visitors from this area and show them advertising, it is very likely that you will collect and/or process personal data such as IP-addresses. Therefore, according to GDPR, you need to make sure that the visitor is informed and you need to ask the user for consent. In order to do this you will need a CMP.
    1. To be fully compliant with GDPR, you would also need to enable Show Reject All Button setting.
    2. Consent Model. In the case of GDPR, you must choose the Opt-in. This means that you cannot start tracking people before the consent was given.
    3. This cookie consent notification is just a tool for getting consent, it’s not capable of managing your tracking tags because every website and every GTM container is unique, therefore there is no universal solution. As a result, you will have to manually update all your tracking tags with additional firing rules.
    4. Configuring OneTrust’s cookie consent solution is just half of the task. Your tracking scripts (like Google Analytics, Google Adwords, etc.) will still continue working as they always did unless you import my GTM recipe and then reconfigure all of your tracking tags. Yup, there’s a lot of manual work waiting ahead.
    5. if you are using some tools/scripts on your website that are used to identify individuals and their data is processed by you or 3rd parties), that can be done only when a person gives consent
    1. CookiePro’s Cookie Consent module provides the ability to decide whether to respond to a DNT browser request by automatically blocking any category of cookies where it is configured to do so. To use this function, go to the relevant cookie group(s), and set the status to Do Not Track. The result is that cookies will be Active, unless the user has turned on Do Not Track, in which case they will be set to Inactive, with the ability for the user to override this in the cookie settings.
    1. If you wish to disable cookies, you may do so through your individual browser options. More detailed information about cookie management with specific web browsers can be found at the browsers’ respective websites.
    1. You need to provide the ability for users to look at cookies individually, so they need to be listed (and that can be quite a lot of work in major systems). You’re allowed to define some cookies as “necessary for the correct functioning of this product”, usually cookies that store session related data. After all, if a user opts out of those, they can’t meaningfully use the web site, or that part of the site.But you have to be honest about it. You can’t, for example, define marketing or analytic cookies as necessary, and you have to allow users to opt out from them. Those don’t stop the site from functioning, it just reduces the data you can collect about site use.
    1. There’s not even a consensus on whether or not cookie alerts are compliant with European law. In May, the Dutch data protection agency said these disclosures do not actually comply with GDPR because they’re basically a price of entry to a website.
    2. On the other hand, asking them to check a box when they have very little idea what they’re agreeing to — and not giving them any other viable options — doesn’t seem to be an ideal solution.
    3. Most companies are throwing cookie alerts at you because they figure it’s better to be safe than sorry When the GDPR came into effect, companies all over the globe — not just in Europe — scrambled to comply and started to enact privacy changes for all of their users everywhere. That included the cookie pop-ups. “Everybody just decided to be better safe than sorry and throw up a banner — with everybody acknowledging it doesn’t accomplish a whole lot,” said Joseph Jerome, former policy counsel for the Privacy & Data Project at the Center for Democracy & Technology, a privacy-focused nonprofit.
    1. load cookies without my consent. These sites just notify me without giving me a choice to refuse.
    2. that permission must be freely obtained. Ergo, a free choice must be offered.So, in other words, a “data for access” cookie wall isn’t going to cut it. (Or, as the DPA puts it: “Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.”)
    1. Is that enough to be GDPR compliant? No. My understanding is that to be compliant you would wait to initialize the analytics until after you had received the user's explicit consent. Even then you would need to be able to turn off analytics again if the user later revoked their consent.
    1. Here you need to decide if you want to take a cautious road and put it into an “anonymous” mode or go all out and collect user identifiable data. If you go with anonymous, you have the ability to not need consent.
    2. anything that isn’t really necessary or essential requires consent from the user
  6. www.quora.com www.quora.com