53 Matching Annotations
  1. May 2020
    1. They collect very little data so their "export" feature is very simplistic: just an in-browser JSON dump of localStorage and cookies.

      Browser Data

      We use data on your browser to offer features on this website. We do not store this data, but we can offer a view of your browser data at any time.

      View Browser Data

    1. This kind of cookie-based data collection happens elsewhere on the internet. Giant companies use it as a way to assess where their users go as they surf the web, which can then be tied into providing better targeted advertising.
    2. For instance, Google’s reCaptcha cookie follows the same logic of the Facebook “like” button when it’s embedded in other websites—it gives that site some social media functionality, but it also lets Facebook know that you’re there.
    3. one of the ways that Google determines whether you’re a malicious user or not is whether you already have a Google cookie installed on your browser.
    1. In particular, if you set this parameter to true, our solution creates a technical cookie on iubenda.com (domain) which is used when the cookie on the local domain is not found.
    1. Importance of declaring the cookie domain: When you clean up the cookies (like in the example above for on_reject), it is important to set the domain that these cookies belong to. In some cases these external scripts could add the cookie on your subdomain or your base domain. In our case we found that some cookies are generated on panel.preyproject.com or .panel.preyproject or just preyproject.com.
    1. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart. Do note, however, that these session-based technical cookies are not tracking cookies.

      I'm not sure I agree with this:

      [the technical cookies] are explicitly requested by the user when they indicate that they would like to add the item to the cart.

      The only thing they requested was that the item be held in a cart for them. They didn't explicitly request that cookies be used to store information about items in the cart. They most likely don't understand all of the options for how to store data like this, and certainly wouldn't know or expect specifically that cookies be used for this.

      In fact, localStorage could be used instead. If it's a single-page app, then even that would be necessary; it could all be kept in page-local variables until they checked out (all on the same page); such that reloading the page would cause the cart data held in those variables to be lost.

    1. Implementing prior blocking and asynchronous re-activation: Our prior blocking option prevents the installation of non-exempt cookies before user consent is obtained (as required by EU law) and asynchronously activates (without reloading the page) the scripts after the user consents. To use, you must first enable this feature: simply select the “Prior blocking and asynchronous re-activation” checkbox above before copy and pasting the code snippet into the HEAD as mentioned in the preceding paragraph.
  2. Apr 2020
    1. Allows you to autodetect and limit prior-blocking and cookie consent requests only to users from the EU – where this is a legal requirement – while running cookies scripts normally in regions where you are still legally allowed to do so.
    2. Enables the blocking of scripts and their reactivation only after having collected user consent. If false, the blocked scripts are always reactivated regardless of whether or not consent has been provided (useful for testing purposes, or when you’re working on your project locally and don’t want pageviews to be counted). We strongly advise against setting "priorConsent":false if you need to comply with EU legislation. Please note that if the prior blocking setting has been disabled server side (via the checkbox on the flow page), this parameter will be ineffective whether it’s set to true or false.
    1. Strictly necessary (id 1). Purposes included: Backup saving and management; Hosting and backend infrastructure; Managing landing and invitation pages; Platform services and hosting; SPAM protection; Traffic optimization and distribution; Infrastructure monitoring; Handling payments
  3. Mar 2020
    1. If other third-party tools guarantee not to use cookies, perhaps by providing specific configuration options, they too can be considered to be exempt from prior blocking. This is the case namely with YouTube, which provides a specific feature to prevent the user from being tracked through cookies.
    2. This depends on the legal jurisdiction applicable to your site. In Europe, you’re legally required to block cookie scripts until user consent is obtained. All cookies must be blocked except for those that are exempt.
    3. Technical cookies, preference, session and optimization cookies
    1. stored in a first-party cookie, which means that users will be requested to give their consent again after deleting browser cookies or switching to another device or browser
    2. First-party cookies are the lifeblood of every website, enabling businesses to remember key pieces of information about users and to collect analytics data. Third-party cookies are the bread and butter of AdTech, allowing publishers to monetize their websites, and brands to run advertising and marketing campaigns.
    1. The exemption to the consent requirement only clearly applies to non-tracking technical cookies strictly necessary for the functioning of services that were expressly requested by the user. A real-world example of this would be an e-commerce site that allows users to “hold” items in their cart while they’re using the site or for the duration of a session. In this scenario, the technical cookies are both necessary for the functioning of the purchasing service and are explicitly requested by the user when they indicate that they would like to add the item to the cart.
    1. When you visit your favorite online store, you expect the items you add to your shopping cart to still be in your shopping cart when you check out. Cookies make that happen. If you opted out of those cookies, you would, in essence, be opting out of the very reason you went to that site in the first place. Asking a customer if they want to allow cookies to make their shopping cart work would be like asking them if they want the thread to keep their shirt together.
    2. In fact, some are essential for the proper functioning of a website. The EU understands this and makes an exception for cookies that are "strictly necessary" to fulfill the services requested by your site visitors.
    1. If you want to disable Google Analytics-tracking for this site, please click here: [delete_cookies]. The cookie which enabled tracking on Google Analytics is immediately removed.

      This is incomplete. The button is missing.

    1. You can also disable the use of cookies via your browser, but please note that our website may no longer work properly.

      And an example of a button to delete cookies

    1. This tool will allow you to create a customised cookieless Google Map that does not use privacy-invasive cookies.
    1. Google uses cookies like NID and SID to help customize ads on Google properties, like Google Search. For example, we use such cookies to remember your most recent searches, your previous interactions with an advertiser’s ads or search results, and your visits to an advertiser’s website. This helps us to show you customized ads on Google.
    2. Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.

      They seem to claim (or hope that their description will make you think) that ‘NID’ is only used for storing preferences, but if you read further down, you see that it's also used for targeting.

      These should be separate cookies since they have separate purposes, and since under GDPR we have to get separate consent for each purpose of cookie.

    1. Vimeo’s embeddable video player uses first-party cookies that we consider essential to the video player experience. We do not use third-party analytics or advertising cookies when our video player appears on a third-party website.
    1. YouTube’s privacy-enhanced mode basically means they do not store visitor’s information if you have a YouTube video on your website, unless they actually click on the video to view it.
    1. Many people see tracking cookies as an invasion of privacy since they allow a site to build up profiles on users without their consent.
    2. YouTube's default setting is to leave privacy-enhanced mode off. This allows them to place a tracking cookie on any computer that a viewer uses to visit your webpage.
    1. The problem is that even if the visitor is not watching the video or interacting with it, in any capacity, YouTube still collects and stores data on them. Not cool. This is done using cookies that are placed on the user’s browser the moment they load a webpage with a YouTube video embedded in it. These cookies are used to track users, serve targeted ads (Google’s bread and butter), and add info to user’s profile. Yes, they have profiles on everyone.
    1. Default YouTube video embeds set cookies on user systems as soon as they open web pages with embedded YouTube videos. Google may use the cookie to deliver targeted advertisement, add information to the user's profile, or track the user.
    1. an additional reCAPTCHA-specific cookie will be added to the user's browser

      It appears to actually set a non-reCAPTCHA-specific cookie:

      NID — This cookie is set by DoubleClick (which is owned by Google) to help build a profile of your interests and show you relevant ads on other sites. The main purpose of this cookie is: Targeting/Advertising. (cookiepedia)

    1. While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
    1. select an origin

      It's interesting that under my site's origin it lists cookies for other domains. Are these considered 3rd-party cookies or 1st-party cookies written by a 3rd-party script? How is it allowed to set them on my site? Presumably because I loaded a script from their origin.

      Loading scripts from other origins allows them to set cookies on which domains? Only their origin? And which cookies can they read?

    1. Also note that the first two opt out tools are currently cookie-based and prevent Oracle from using, sharing, or selling your personal information for interest-based advertising on the browser on which they are installed. As a result, the opt out will only function if your browser is set to accept third-party cookies and may not function where cookies are sometimes automatically disabled or removed (e.g., certain mobile devices and operating systems). If you delete cookies, change your browser settings, switch browsers or computers, or use another operating system, you will need to opt out again. Oracle does not use persistent, unique identifiers to revive a previously opted-out profile or deleted cookie.
    1. Much like the cookies you eat are an asset to humankind, HTTP cookies are an asset to the internet. They help personalize the web experience and make things like online shopping and logging into accounts so much easier and more efficient.
    1. Cross-Domain Cookie Library This library is intended for cases where you have scripts running on different domains (i.e. domain-a.com, domain-b.com) that need to be able to set/share a cookie value across those domains. A few example use cases would be a third-party script that wants to set/share a user identifier across both domains, or a company that wants to track if a user signed up for a newsletter across both their main website and blog that resides on a different TLD. This library also offers a way of writing data to a cookie from a third-party script
  4. Dec 2019
  5. Oct 2018
  6. May 2018
  7. Apr 2018
    1. A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.

      I see a lot of cookie notices that give vague reasons like "improving user experience". Specifically disallowed by GDPR?

  8. Oct 2017
    1. We use cookies to provide you with a better service. Carry on browsing if you’re happy with this, or find out how to manage cookies.’

      Could there be a format for declaring the permissions and data a cookie requires, similar to how mobile applications indicate which permissions they require from the user before being installed? How could this be extended to desktop applications?

    2. However, even when consensually installed, users rarely understand how spyware works and often forget about its presence.[50] Cookies are the most pervasive form. They are bits of data stored on devices and sent to browsers by websites that are visited or through techniques like ‘device fingerprinting’, which enables watching subjects who delete or do not store cookies.[51] They are used not only for monitoring digital actions but also for tracking preferred language, login, and other personal settings such as search preferences and for targeting advertising and tracking numbers of visits to sites.[52] Digital traces picked up by cookies have also been repurposed by security agencies, such as the NSA’s utilization of Google’s advertising cookies to track targets.
  9. Feb 2016
    1. When not setting an explicit domain for a cookie, the default in most browsers is to only send the cookie when the domain matches exactly. However, Internet Explorer violates the RFC, and will send it to all subdomains as well.
  10. Dec 2015
    1. It is important to note that the path attribute does not protect against unauthorized reading of the cookie from a different path. It can be easily bypassed using the DOM, for example by creating a hidden iframe element with the path of the cookie, then accessing this iframe's contentDocument.cookie property. The only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.
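
Added example (not from any of the annotated sources): a minimal JavaScript model of RFC 6265 cookie scoping, illustrating the annotations above about cookie domains: a cleanup only removes a cookie when it names the same Domain and Path the cookie was set with, and a host-only cookie is sent to the exact host while a Domain cookie also reaches subdomains. Domain and Path only decide which requests carry a cookie. The hosts, cookie names and the `legacyHostOnly` switch are constructed for illustration; public-suffix and IP-address checks are omitted.

```javascript
// Added example: RFC 6265 cookie scoping. All hosts, names and paths are constructed.
// RFC 6265 5.1.3 domain-match: identical, or requestHost ends with "." + domain.
function domainMatch(requestHost, domain) {
  const host = requestHost.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  return host === d || host.endsWith("." + d);
}

// RFC 6265 5.1.4 path-match: equal, or cookiePath is a prefix ending at a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor({ legacyHostOnly = false } = {}) {
    this.legacyHostOnly = legacyHostOnly; // models the old IE behaviour quoted above
    this.cookies = new Map(); // a cookie's identity is name + domain + path
  }
  // setHost is the host that sets the cookie; attrs.domain is the optional Domain attribute.
  set(setHost, name, value, attrs = {}) {
    const hostOnly = attrs.domain === undefined;
    const domain = (hostOnly ? setHost : attrs.domain.replace(/^\./, "")).toLowerCase();
    if (!hostOnly && !domainMatch(setHost, domain)) return false; // foreign domain rejected
    const path = attrs.path || "/";
    const key = [name, domain, path].join("|");
    if (attrs.maxAge !== undefined && attrs.maxAge <= 0) return this.cookies.delete(key);
    this.cookies.set(key, { name, value, domain, path, hostOnly });
    return true;
  }
  // Sorted names of the cookies attached to a request for host + path.
  sentTo(host, path) {
    return [...this.cookies.values()].filter((c) => {
      const exact = host.toLowerCase() === c.domain;
      const hostOk = c.hostOnly && !this.legacyHostOnly ? exact : domainMatch(host, c.domain);
      return hostOk && pathMatch(path, c.path);
    }).map((c) => c.name).sort();
  }
}

// Constructed demo: a script on panel.example.com sets a base-domain cookie, then cleanup runs.
const demo = new CookieJar();
demo.set("panel.example.com", "_trk", "x", { domain: "example.com" });
console.log(demo.set("panel.example.com", "_trk", "", { maxAge: 0 }));
console.log(demo.set("panel.example.com", "_trk", "", { domain: "example.com", maxAge: 0 }));
```

The first cleanup call reports that nothing was removed because, without a Domain, it targets a host-only cookie on panel.example.com; the second names the base domain and removes the cookie.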