GDPR compliant cookies script?

susannemcom
Jr. Bludit
Posts: 7
Joined: Mon Sep 30, 2019 12:43 pm

Tue Oct 22, 2019 1:31 pm

Hello everyone!

I absolutely LOVE Bludit, but I miss a function where I can add for example Google Analytics or Statcounter code, and have a cookie banner where people are able to reject cookies, and if that's the case the statistics script won't load.
I've seen the cookie banner/adblock plugin, but there's no function there to reject cookies. This is necessary to follow GDPR, otherwise I only have the option to not use website statistics at all.
Is there any plugin that could do this? Would anyone be interested in making one? Sadly I'm not competent in programming myself.
Edi
Site Admin
Posts: 1652
Joined: Sun Aug 09, 2015 5:01 pm
Location: Zurich

Tue Oct 22, 2019 3:34 pm

There is no need to use a cookie banner if you only collect anonymous data:

https://developers.google.com/analytics ... nymization

But you have to mention it in the privacy policy.

If you do not have a shop, for example, there is no need to collect personal data anyway.
Planet Bludit, tips, snippets and useful links. - Newsletter, information about Bludit (in German).
susannemcom
Jr. Bludit
Posts: 7
Joined: Mon Sep 30, 2019 12:43 pm

Tue Oct 22, 2019 3:49 pm

That's interesting - I've never thought of that. Still - with statistics you use cookies, and GDPR is clear that users have to be able to actively give consent and have the option to refuse:

https://gdpr.eu/cookies/
kostaslgr
Ssr. Bludit
Posts: 11
Joined: Fri Jan 11, 2019 8:58 pm

Thu Oct 24, 2019 11:21 am

You are correct, Susanne! The visitor must accept the cookies before they even start to load. I am using the script from Cookiebot, which gives you the chance to block the cookies from analytics if the person does not press to accept the cookies.

Among the Bludit plugins there is one named HTML code. It will allow you to insert the Google Analytics code in the head of the pages. Using the guidelines provided by Cookiebot, you will be able to alter the Google Analytics code to block cookie installation if not accepted.
Edi
Site Admin
Posts: 1652
Joined: Sun Aug 09, 2015 5:01 pm
Location: Zurich

Thu Oct 24, 2019 12:09 pm

> susannemcom wrote:
> Tue Oct 22, 2019 3:49 pm
> Still - with statistics you use cookies, and GDPR is clear that users have to be able to actively give consent and have the option to refuse:
>
> https://gdpr.eu/cookies/

Two points:

1) Not every statistic uses cookies. There are for example also statistics from the server.

2) Cookies are only used if you collect personal data.

As I wrote before: If you do not collect personal data you can use cookies without the consent of visitors.

The linked explanation says the same.
Edi
Site Admin
Posts: 1652
Joined: Sun Aug 09, 2015 5:01 pm
Location: Zurich

Thu Oct 24, 2019 12:17 pm

> kostaslgr wrote:
> Thu Oct 24, 2019 11:21 am
> I am using the script from Cookiebot.

The problem is the script of Cookiebot itself: It is loaded from another server, without the visitor's consent. And this is not allowed by the GDPR (loading a script from another server sends data to this server).

It's an interesting case because Cookiebot has been around for a while as a sort of legal tool.
susannemcom
Jr. Bludit
Posts: 7
Joined: Mon Sep 30, 2019 12:43 pm

Thu Oct 24, 2019 12:44 pm

> Edi wrote:
> Thu Oct 24, 2019 12:09 pm
> > susannemcom wrote:
> > Tue Oct 22, 2019 3:49 pm
> > Still - with statistics you use cookies, and GDPR is clear that users have to be able to actively give consent and have the option to refuse:
> >
> > https://gdpr.eu/cookies/
>
> Two points:
>
> 1) Not every statistic uses cookies. There are for example also statistics from the server.
>
> 2) Cookies are only used if you collect personal data.
>
> As I wrote before: If you do not collect personal data you can use cookies without the consent of visitors.
>
> The linked explanation says the same.

I see what you mean. BUT..

"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

So then this would mean that if I personally as the website owner don't use the anonymised data to identify people, it wouldn't be counted as personal data?
Technically an IP address can identify a person (as far as I know) - but I wouldn't be able to do it, nor do I have any interest in doing it.

All this is very confusing, but not having to worry about cookie warnings would be great.
Edi
Site Admin
Posts: 1652
Joined: Sun Aug 09, 2015 5:01 pm
Location: Zurich

Thu Oct 24, 2019 1:12 pm

> susannemcom wrote:
> Thu Oct 24, 2019 12:44 pm
> So then this would mean that if I personally as the website owner don't use the anonymised data to identify people, it wouldn't be counted as personal data?

Yes, it's very confusing... I hope this is clear: You can use cookies that do not store personal data. This means that you have to anonymize the IP address.
kostaslgr
Ssr. Bludit
Posts: 11
Joined: Fri Jan 11, 2019 8:58 pm

Thu Oct 24, 2019 2:40 pm

> Edi wrote:
> Thu Oct 24, 2019 12:09 pm
> > susannemcom wrote:
> > Tue Oct 22, 2019 3:49 pm
> > Still - with statistics you use cookies, and GDPR is clear that users have to be able to actively give consent and have the option to refuse:
> >
> > https://gdpr.eu/cookies/
>
> Two points:
>
> 1) Not every statistic uses cookies. There are for example also statistics from the server.
>
> 2) Cookies are only used if you collect personal data.
>
> As I wrote before: If you do not collect personal data you can use cookies without the consent of visitors.
>
> The linked explanation says the same.

You are correct about #1. It was a miswriting on my part. Statistics can exist without cookies.

Regarding #2: Cookies can exist for a variety of reasons; one of them could be the correct operation of the website, but they could also be for marketing and statistical reasons. The first kind of cookies you can use without consent. For the cookies that are for statistical reasons you need explicit consent from the visitor that he allows you to use statistical cookies, and the option for the statistical cookies should not be prechecked.

I do not know if you have read this in the news. The Court of Justice of the European Union replied to a German court's question for clarification.
https://www.thedrum.com/news/2019/10/02 ... SJQ8S8hx0Y

Apart from the parts I already mentioned about the active and explicit consent, there is the following part.

“That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.”

That means that even if you use anonymization technology you are still not covered because, even though you are not aware of the personal data, maybe someone else can decipher and use these personal data.
That means that even if the cookie uses anonymization technology, since it is collecting personal data, it still needs active consent.
kostaslgr
Ssr. Bludit
Posts: 11
Joined: Fri Jan 11, 2019 8:58 pm

Thu Oct 24, 2019 2:57 pm

> Edi wrote:
> Thu Oct 24, 2019 12:17 pm
> > kostaslgr wrote:
> > Thu Oct 24, 2019 11:21 am
> > I am using the script from Cookiebot.
>
> The problem is the script of Cookiebot itself: It is loaded from another server, without the visitor's consent. And this is not allowed by the GDPR (loading a script from another server sends data to this server).
>
> It's an interesting case because Cookiebot has been around for a while as a sort of legal tool.

Help me understand if I have understood wrongly.

Cookiebot gives you a script that pops up and asks which cookies you give consent to use. But still this cookie does NOT load until you have accepted it!! The only necessary cookie that shows is the one from Cookiebot, in order to keep your decision, because it also needs to be tracked. That cookie is marked as safe, meaning that it is verified that it does not transfer any other kind of data and it is for the reasons of the website operation. You need to track somehow the decision from the visitor and this is what this cookie does. So I suppose since it is widely accepted that it does not transmit other personal data you are ok with it.

Once you explicitly accept to have statistical cookies, the Google Analytics cookies are also allowed to run. So what this script does is block the part of the code that gives Google the right to track you unless you explicitly accept it. If you do not press accept to the necessary cookie of Cookiebot it still does not load. I have checked it with cookie checkers.

When you say that the script is loaded from another server without the visitor's consent, what do you mean? Is there any data that is being transferred from the visitor to the Cookiebot website?
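
The consent gate discussed in this thread (no statistics script until the visitor actively accepts, rejection honoured, nothing pre-checked, nothing fetched from a third-party server before the choice), written out as an added example that is not part of any post and is not Cookiebot's or Bludit's code. The cookie name `site_consent`, the path `/js/analytics.js`, the element id `stats-script` and the 180-day lifetime are assumptions.

```javascript
// Added example. CONSENT_COOKIE, ANALYTICS_SRC, the element id and the
// cookie lifetime are assumptions, not values from the thread.
const CONSENT_COOKIE = 'site_consent';     // first-party cookie holding the choice
const ANALYTICS_SRC = '/js/analytics.js';  // placeholder: self-hosted statistics script
const NO_DECISION = Object.freeze({ decided: false, statistics: false });

// Parse a document.cookie string. Only the exact value "statistics=granted"
// counts as consent; a missing, malformed or unknown value means "not decided".
function readConsent(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (err) {
      return NO_DECISION;                  // broken percent-encoding
    }
    if (value === 'statistics=granted') return { decided: true, statistics: true };
    if (value === 'statistics=denied') return { decided: true, statistics: false };
    return NO_DECISION;                    // tampered or unknown value
  }
  return NO_DECISION;
}

// Serialise the visitor's choice as a first-party cookie (Secure needs HTTPS).
function buildConsentCookie(granted, maxAgeDays = 180) {
  const value = encodeURIComponent(`statistics=${granted ? 'granted' : 'denied'}`);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Inject the statistics script only when consent is stored, and only once.
// `doc` is the browser's document object.
function applyConsent(doc) {
  const state = readConsent(doc.cookie);
  if (state.statistics && !doc.getElementById('stats-script')) {
    const script = doc.createElement('script');
    script.id = 'stats-script';
    script.src = ANALYTICS_SRC;
    script.async = true;
    doc.head.appendChild(script);
  }
  return state;
}

// The banner's accept and reject buttons call this with true or false.
function recordChoice(doc, granted) {
  doc.cookie = buildConsentCookie(granted);
  return applyConsent(doc);
}
```

Call `applyConsent(document)` on page load and show the banner while `decided` is false; a later rejection stops the script from loading on the next page view but does not unload a script that is already running.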