Txp cookies, visitor logging, and GDPR stuff in general

colak · 2018-06-02 14:07:46

jakob and phiw13 wrote:

Wow. That is a monster. I suppose the language of the introductory sentences is lucid enough but the information on what those services are being used for is lacking, so one can’t make any half-way informed decision without reading the various privacy policies. Good luck to them with that – my guess is it’s their loss and people will simply not consent to what they don’t know … I’ve heard of Facebook and Twitter ;-) but none of the others.

I think that the safest way is to link to the individual policies as sites change them more often than not. What I liked is the idea that you can opt in or out from individual providers rather than just accept cookies from all. A lot of ‘normal’ sites have cookies from, some analytics software(s), gaggle, youpuke, vimeo, facebook, twitter, instagram, flckr… the list goes on…. Most people would have heart of those. Allowing for acceptance (or not) for each one individually, is so much nicer.

Up to now, I’ve used oui_cookie (thanks Nicolas!) as a wrapper to skip that content if my cookie-consent cookie is not accepted or provide a more basic alternative. That’s been easy enough on more recent sites where I was using rah_beacon to embed content, so only need to add the wrapper to my custom tag’s form (like you can now do with txp 4.70). It’s pretty tiresome, though, on the older sites where old articles have to be revisited and any embedded content wrapped in <oui_if cookie name="cookie-consent" value="accepted"> … </oui_if_cookie>.

I did notice that oui_cookies does load the vimeo videos, twitter and fb feeds, in our site regardless. Would that be because I am loading it last? Should I enclose the trackers within it? ie:

<txp:oui_if_cookie name="accept_cookies">
trackers
<txp:else />
<a rel="nofollow" href="?accept_cookies=yes">Accept</a>
</txp:oui_if_cookie>

for which case, gaggle spiders will have to accept their own cookies before they see that their code is there.

Wow impressive thing that. But as Jacob notes, there is not much of an explanation for each service. And no matter how I try, I don’t get that. Must be EU specific. And I’m definitively jealous :-)

You may be able to get it via the new Opera VPN.

That the page loads isn’t a problem (especially if leaner). If all those services are included (with their cookies) despite having been declined, then they’re blatant ignoring the user’s settings.

I have to admit that I did not bother checking.

I’m sure you saw that post somewhere about The Verge being much leaner and still surfable and readable if you don’t click “OK” (they don’t offer a decline and make their notice take up a third of the screen). If you have a “User CSS” plugin in your browser, you can simply display:none !important; the notice and surf quite happily with about half the page volume.

I saw that one, and it is an acceptable, if not ideal solution. Instead of a plugin, I normally use the solution described here.

jakob · 2018-06-02 15:54:25

colak wrote #312261:

I think that the safest way is to link to the individual policies as sites change them more often than not.

Yes, re linking to the other sites. It’s no use, of course, if your readers can’t read the language they’re in.

What I liked is the idea that you can opt in or out from individual providers rather than just accept cookies from all.

Maybe, but it’s a lot of work to realise and a bit daunting for the visitor. To me it looks like having to read the ten commandments before you eat a piece of chocolate!

I saw that one, and it is an acceptable, if not ideal solution. Instead of a plugin, I normally use the solution described here.

Yes, it’s the same idea but for Safari: User CSS (it’s what they call an extension). It’s good for those really obnoxious “we’ll freeze your view until you sign up with us” sites.

I did notice that oui_cookies does load the vimeo videos, twitter and fb feeds, in our site regardless. Would that be because I am loading it last? Should I enclose the trackers within it? ie:

The bit you linked to only affects the display of the cookie consent message. I must admit I hadn’t seen the method you used before (only just noticed it is from Nicolas’ help). Assuming you’re not showing cookie-dependent tracked content until a user consents, then, yes, you need to wrap any content that shouldn’t show or any code that shouldn’t be run in oui_if_cookie, e.g.

<txp:oui_if_cookie name="accept_cookies">
<!-- analytics code -->
</txp:oui_if_cookie>

or

<txp:oui_if_cookie name="accept_cookies">
<!-- embedded video -->
<txp:else />
<!-- alternative content, e.g. link to video -->
</txp:oui_if_cookie>

Destry · 2018-06-02 16:49:56

Another good reason for GDPR, it puts pressure on devs to do better.

Deleting users is hard

Destry · 2018-06-02 17:04:55

jakob wrote #312262:

Safari: User CSS (it’s what they call an extension). It’s good for those really obnoxious “we’ll freeze your view until you sign up

I might not have your context right, but I find just using the browsers Reader view clears that stuff out of the way. Whether that functions as a consent, I don’t know, but I block all cookies now anyway.

colak · 2018-06-02 19:11:37

jakob wrote #312262:

Yes, re linking to the other sites. It’s no use, of course, if your readers can’t read the language they’re in.

I would, maybe naively, take it for granted that in most of our cases when we visit a site which we do not understand the language, we either close that tab or use an online page translator to get the gist of the article. In such cases, the cookie acceptance policies would just remain unclicked.

To me it looks like having to read the ten commandments before you eat a piece of chocolate!

What?!!! Are you insinuating that this is not a commonly exercised habit? :)

The bit you linked to only affects the display of the cookie consent message. I must admit I hadn’t seen the method you used before (only just noticed it is from Nicolas’ help). Assuming you’re not showing cookie-dependent tracked content until a user consents, then, yes, you need to wrap any content that shouldn’t show or any code that shouldn’t be run in oui_if_cookie, e.g.

Thanks!!! I actually did have it wrong!!!!

phiw13 · 2018-06-03 06:30:30

colak wrote #312261:

You may be able to get it via the new Opera VPN.

That was a nice idea. Setting Opera to use the build-in VPN did indeed show your monster dialog. Clicking “continue” without touching anything then sets a bunch of cookies + local storage: cookies for the domain itself + GA and Chartbeat. You’ll notice that, in your screenshot, the checkboxes for “analytics” are checked by default. Given the size of my browser window, I didn’t even see that; and with overlay scrollbars, there was nothing telling me there was more to scroll to. OK, I could/should have scrolled… On a second visit to the same page, I was greeted with an overlay for offer this, then a second one for offer that, and redirected to a page with the only option to subscribe.

By the way, it appears that Opera’s build-in ad/tracker blocker does not block the G.Analytics scripts. 1Blocker (with Safari) and Ghostery (Firefox) do block it.

phiw13 · 2018-06-03 06:35:05

jakob wrote #312262:

Yes, it’s the same idea but for Safari: User CSS (it’s what they call an extension). It’s good for those really obnoxious “we’ll freeze your view until you sign up with us” sites.

Just FWIW – Safari you can link to a stylesheet directly (Preferences > Advanced). But everything you set in that stylesheet is global. The advantage of the UserCSS extension is that it can target an individual site. The 1Blocker content blocker extension also offers a way for those “we’ll freeze your view ” sites.

colak · 2018-06-04 04:37:13

jakob wrote #312258:

Back to a practical question: Can I ask how you lot have been dealing with embedded content from such services if cookies are declined?

Videos are more complicated: you can provide just the link to the video. If you want to show a preview image, you either have to make one for each video yourself, or you need to retrieve them from the service and cache them somehow (would that be possible?) before your visitor arrives. Then you show your visitors the preview and link along with a “when you click this you contact youtube” notice. No YouTube or vimeo code is then run until your user actually clicks on the video.

I have created two little macros for the videos from vimeo. <txp:euvid video="###" presenting="something here" id="vid" /> (for videos which are embedded as a single video) and <txp:euvids cat="link_category_name" presenting="something here" id="vids" /> (for groups of videos using a jquery script). As such, no content is loaded without the visitors consent and I easily include descriptions of the videos and links to their urls on vimeo.

Destry · 2018-06-08 10:59:19

gdprhallofshame.com

I knew somebody would do it.

jakob · 2018-06-08 11:24:03

Destry wrote #312459:

gdprhallofshame.com

I knew somebody would do it.

Except that the examples there are really quite good! That tumblr consent page has to be a joke! Makes our SF Chronicle “monster” look like an ant.

colak · 2018-06-08 12:15:14

Hi all,

I have a question which I hope that it might generate some discussion.

There is a proper way to deal with GDPR which is to load no cookies without the visitors consent but does the law allow for cookies to be loaded regardless, once a disclaimer (cookie warning) is included in the site?

RE. gdprhallofshame.com

It loads 10-15 cookies when visited and the cookie warning is there just to tell us about it. In fact, the cookie warning is wrong as it only mentions analytics but cookies are also loaded from many other places. Interestingly, viewing it with ff and chrome the privacy badger revealed different results:

FF	Chrome
ajax.cloudflare.com	ajax.cloudflare.com
www.google-analytics.com	www.google-analytics.com
–	ssl.gstatic.com
fonts.googleapis.com	fonts.googleapis.com
www.gstatic.com	www.gstatic.com
abs.twimg.com	abs.twimg.com
pbs.twimg.com	pbs.twimg.com
cdn.syndication.twimg.com	cdn.syndication.twimg.com
–	lh3.googleusercontent.com
platform.twitter.com	platform.twitter.com
syndication.twitter.com	syndication.twitter.com
unpkg.com	unpkg.com
–	www.google.com
–	media1.giphy.com
–	fonts.gstatic.com

planeth · 2018-06-08 13:43:06

Hi Colak,
my understanding is that you absolutely need consent before dropping cookie, pixel tracking, fingerprinting, whatever.
The CNIL is very clear about that.
And consent means opt-in, not opt-out. Your visitor must have a positive action before you do anything.
The only thing which is not very clear —I need to investigate some more— is for mandatory cookies as session cookies.

ANd don’t forget: E-Privacy directive is just around the corner.

michaelkpate · 2018-06-08 13:53:02

colak wrote #312461:

There is a proper way to deal with GDPR which is to load no cookies without the visitors consent but does the law allow for cookies to be loaded regardless, once a disclaimer (cookie warning) is included in the site?

I have noticed that a lot as well. I was on a site the other day and essentially their disclaimer was “Click here to read our GDPR-compliant Cookie Policy. Note: By browsing to another page on this site, you are indicating your agreement with our Privacy Policy.”

The code I wrote specifically doesn’t do anything with cookies until you accept.

colak · 2018-06-08 15:26:18

So, as I understand it gdprhallofshame.com should include their own site in the list?

Re E-Privacy directive I was looking at that too and I was thinking of collating some info to start another thread.

bici · 2018-06-08 22:37:05

i can see a day when the internet will be like the transistor radio

Textpattern CMS support forum

#376 2018-06-02 14:07:46

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob and phiw13 wrote:

#377 2018-06-02 15:54:25

Re: Txp cookies, visitor logging, and GDPR stuff in general

colak wrote #312261:

#378 2018-06-02 16:49:56

Re: Txp cookies, visitor logging, and GDPR stuff in general

#379 2018-06-02 17:04:55

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #312262:

#380 2018-06-02 19:11:37

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #312262:

#381 2018-06-03 06:30:30

Re: Txp cookies, visitor logging, and GDPR stuff in general

colak wrote #312261:

#382 2018-06-03 06:35:05

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #312262:

#383 2018-06-04 04:37:13

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #312258:

#384 2018-06-08 10:59:19

Re: Txp cookies, visitor logging, and GDPR stuff in general

#385 2018-06-08 11:24:03

Re: Txp cookies, visitor logging, and GDPR stuff in general

Destry wrote #312459:

#386 2018-06-08 12:15:14

Re: Txp cookies, visitor logging, and GDPR stuff in general

#387 2018-06-08 13:43:06

Re: Txp cookies, visitor logging, and GDPR stuff in general

#388 2018-06-08 13:53:02

Re: Txp cookies, visitor logging, and GDPR stuff in general

colak wrote #312461:

#389 2018-06-08 15:26:18

Re: Txp cookies, visitor logging, and GDPR stuff in general

#390 2018-06-08 22:37:05

Re: Txp cookies, visitor logging, and GDPR stuff in general

Board footer