GDPR in practice – Content from third-parties without cookies?

jakob · 2018-08-08 13:13:15

What are your views on the privacy implications of content from third-party services that do not place a tracking cookie or beacon on your site, or on non-scripted preview content – such as video cover images – from services that do otherwise place cookies?

A connection is established between the visitor’s browser and the respective third-party service when the resource is downloaded but no cookies and no beacon images are transferred.

I’m thinking of two specific cases:

Something like this “retrieve cover image and click to play” implementation for vimeo as seen in this codepen (see also this stackoverflow thread). It reads the metadata file associated with a video, extracts the cover image from the site but does not initiate the video iframe itself from the site until you click to play it.
Images and image sets from Flickr. Flickr doesn’t set cookies on the visitor’s browser but the data is brought in from elsewhere and the user is not necessarily aware that is the case.

Is it GDPR-compliant to serve this content as long as one informs the visitor in the privacy policy. My thinking is yes, you don’t have to block that content if the visitors does not give consent. What are your views?

Also, what about CDNs or other image services such as imgix and co?

colak · 2018-08-08 15:40:25

Hi Julian,

According to GDPR no cookies, trackers, etc should be loaded without the visitor’s consent. Vimeo’s cookie policy states that Vimeo only serves First Party cookies in embedded videos but more are used in their website.

There are sites which

do not allow you to do anything unless you accept all their cookies using one button,
provide a complete list of cookies with opt-in/out interfaces,
allow content to be viewed with GDPR acceptance being just another div below the footer and any external content having cookies with their own button and acceptance
have the full warnings/disclaimers but cookies are loaded anyway (the majority of sites)

I believe that GDPR is a waist of time. Even the EU parliament serves what privacy badger calls potential trackers without our consent.

I have pointed to the particular URL as 2/3 of the potential trackers are for font embeds:

fonts.googleapis.com
fonts.gstatic.com
logc187.xiti.com

I would think that images to a website are even more important than fonts.

But to respond coldly to your question, I think that explaining cookie use to your visitors before they load and as they are needed might be the best idea. Making them to just accept a privacy policy which nobody actually reads is pointless.

I am against GDPR even though I have put a lot of work to make our sites compliant. My view – previously mentioned in this forum – is that if the EU had issues with the big boys they should deal directly with them. The point the EU has not made is that they do not care if a visitor is tracked and an IP is known to have visited such and such pages in a website before they left. The point should have been about the monetisation of that visit and how a prohibitive tax could be charged to those companies who use targeted adverts based on our browsing habits.

jakob · 2018-08-08 16:53:00

Thanks for your reply Yiannis. Yes, we’ve talked about GDPR, its rights and wrongs, sense and nonsense at length in the other thread(s). I don’t want to go there again in this thread but rather focus on the practicalities that we face as a web designers and developers.

My interest here is the practical implementation of the above aspects, i.e. what can I reasonably do when I want to …

respect user privacy as far as reasonably possible
maintain the value of the user experience of the site for visitors
maintain the basic structure and value of the site owner’s site (i.e. not remove their created content)

The site I’m currently working on makes liberal use of Flickr images (several hundred) and Flickr galleries and vimeo videos (~80). The site author’s have created these resources and they are a key part of the site. Blocking that effectively ‘butchers’ their homepage. I need to find a good compromise using this existing data or else port it all across to Textpattern (which will severely clog the image and file panels) or cache local copies of the files on the owner’s own domain.

If, for argument’s sake, we use the Firefox Privacy Badger add-on as a benchmark, then:

player.vimeo.com raises a “yellow flag” as it and vimeo.com set four cookies including utma and utmz which are google analytics, right? Clear conclusion: serving a video embed without consent is not GDPR-compliant.
Flickr doesn’t set any cookies. The “network” panel shows no other files other than the Flickr images. Conclusion: Flickr is not actively implementing additional tracking in this specific case. Can I serve these images without obtaining consent first? It would be detailed in the privacy policy.
The codepen I posted above prevents the vimeo video from loading and retrieves two files, the json from vimeo.com and the cover image from i.vimeocdn.com. No cookies are set and “Privacy Badger” does not complain (about those things anyway). Only when you click to play does the video get embedded; and only then does Privacy Badger flag up those cookies. Conclusion: this might be a viable option.

My “common-sense feeling” is that it:

It’s not okay to embed vimeo videos without first obtaining privacy consent
It is okay to source images from Flickr without first obtaining privacy consent
It is okay to show vimeo cover images sourced from vimeo with a “click to play” option for users who want to override their consent on an individual basis.

This is mostly borne out by “Privacy Badger” but I don’t know if the add-on is a good reflection of GDPR compliancy.

I’d like to hear what other TXP users think?

At the moment, this is a specific question, but my hope is that we might have a thread where we collect such “GDPR good/best practice approaches”.

colak · 2018-08-08 17:22:41

Hi Julian, As I have no link to your work yet I can provide some examples here

It’s not okay to embed vimeo videos without consent

According to GDPR no it is not OK

It is okay to source images from Flickr without consent

One of our partners uses flickr and a cookie/tracker does appear: api.flickr.com. It might be because they are using their flash player. I haven’t used flickr for many years.

It is okay to show vimeo cover images sourced from vimeo with a “click to play” option for users who want to override their consent on an individual basis.

Indeed… If there are no cookies served before the consent. In our site I have included a global consent for vimeo embeds which lasts for one year. If someone accepts one of them, they will all be loading in the rest of the page/site. I think that this is more user friendly.

michaelkpate · 2018-08-09 01:40:50

I created a thread a couple of months ago GDPR Compliant Cookie Notice that probably has gotten pretty buried at this point.

My understanding is that the only cookie you and/or a third party is allowed to set is that a user has declined to give permission unless they have actually given permission.

jakob · 2018-08-09 10:24:51

colak wrote #313356:

As I have no link to your work yet …

The site is an update to Jonathan’s “solborg” homepage: https://solborg.fhs.no. I’ve made various revisions, which I can’t show yet as the client should okay them first. As you can see the site makes liberal use of vimeo videos and Flickr images. In fact the header and background images on almost all the pages are from Flickr as are all the galleries in the image archives.

If I were to simply block all that content if consent is not given, that would leave just a skeleton of the site. Part of implementing GDPR-compliancy is that declining consent must be a real choice. Blocking access to a site or severely impacting on its value to the visitor and site operator is penalising a visitor’s legitimate wish to protect their privacy. As you can see the photo and video content is absolutely legitimate and desirable for both visitors and the school.

The problem I face as a web developer is to respect visitor privacy while still maintaining the content and value of the site. The problem is not the videos themselves but the tracking code that vimeo implements. Aside from that, I think vimeo is an excellent and useful service. Flickr, too, is a much easier way for the school to organise their photos than Textpattern, especially given the volume of photos they have. They are well-practised in both and moving away from those services would really only be a last resort.

One of our partners uses flickr and a cookie/tracker does appear: api.flickr.com. It might be because they are using their flash player.

Thanks for the link. That helps to clarify that that site is using an embedded Flickr app (a flash-based slideshow viewer) so that’s the reason why there are beacons in that case.

In my case, we’ve been using vhd_flickr and the only network resources loaded from Flickr (according to the web inspector) are the actual static images, no cookies, no beacon images.

In our site I have included a global consent for vimeo embeds which lasts for one year. If someone accepts one of them, they will all be loading in the rest of the page/site. I think that this is more user friendly.

In principle, I agree with your approach. With the vimeo videos, I’m looking specifically at the situation where someone has declined cookies but the site should still show preview content rather than a virtually blank page. So I want to

a) show at least a placeholder for the video so the page still makes sense and has appeal and value. A video archive without videos is meaningless. And a page showing activities for young people loses a lot of its appeal if you can’t get an idea of the activities themselves and the fun they have.
b) give visitors the ability to choose to override their choice on a case by case basis rather than having to say yes or no to all the videos. As a visitor, I might be interested in one video but would rather not be tracked for all the other videos on that page or indeed on the rest of the site. Unfortunately, vimeo tracking starts as soon as the video is embedded regardless of whether you even watch it.

michaelkpate wrote #313363:

My understanding is that the only cookie you and/or a third party is allowed to set is that a user has declined to give permission unless they have actually given permission.

I don’t think that’s true. Cookies that are necessary for the functioning of a site and/or don’t contain personally identifiable information, e.g for tracking/marketing purposes, do not require consent. That includes “cookie consent” cookies, as you mention, but also session cookies for shopping carts, site preferences such as search filters / sort orders / “last viewed” and “remember me” settings, user logins etc. All those are legitimately useful and possibly necessary but don’t (necessarily) serve profiling, tracking or marketing purposes.

I created a thread a couple of months ago GDPR Compliant Cookie Notice …

Thanks for the link – I had, indeed, lost sight of that. I’m using something similar myself (here).

But I’ve obviously not explained myself well (probably TLDR, sorry) as my question is more specific than that …

colak · 2018-08-09 11:20:58

This is what I currently use but the idea of images/placeholders is indeed good

<txp:if_yield name="setcookie" value="1"><txp:oui_cookie name="accept_vimeo_cookies" duration="+1 year" values="yes" /></txp:if_yield>
<txp:oui_if_cookie name="accept_vimeo_cookies">
<div class="embed-container"<txp:if_yield name="id"> id="<txp:yield name="id" />"</txp:if_yield>><iframe src="https://player.vimeo.com/video/<txp:yield name="video" />?title=0&amp;byline=0&amp;portrait=0" allowfullscreen></iframe></div>
<txp:else />
<div class="vimeoeucookies noprint"><p class="centre">We would very much like you to watch this <txp:if_yield name="other"><txp:yield name="other" /><txp:else />NeMe produced</txp:if_yield> video, <txp:yield name="txt" wraptag="presenting <+>" /> hosted by Vimeo on <a rel="external" href="https://vimeo.com/<txp:yield name="video" />">vimeo.com/<txp:yield name="video" /></a>.<br />By viewing it here, you accept Vimeo's <a rel="external" href="https://vimeo.com/privacy">privacy policy</a>.</p><p class="red centre"><a rel="nofollow" href="?accept_vimeo_cookies=yes<txp:if_yield name="id">#<txp:yield name="id" /></txp:if_yield>">View it here</a></p><p>Note that Vimeo only serves First Party cookies in embedded videos but acording to their <a rel="external" href="https://vimeo.com/cookie_policy">cookie policy</a>, more are used in their website.</p></div>
</txp:oui_if_cookie>

I call the above in articles by:

<txp::vimeo id="vid" video="xxx" other="" txt="yyy" setcookie="" />

setcookie="1", sets the cookie. other is not needed if the video is produced by us.

I am wondering if there is a non-js way to do what you need to do. There is this site which might be of help but there is a lot of donkey work involved to find all the image urls.

colak · 2018-08-09 12:42:39

I also found this little php function which might be of help although I am yet to manage to make it work.

michaelkpate · 2018-08-09 12:57:08

jakob wrote #313368:

I don’t think that’s true. Cookies that are necessary for the functioning of a site and/or don’t contain personally identifiable information, e.g for tracking/marketing purposes, do not require consent. That includes “cookie consent” cookies, as you mention, but also session cookies for shopping carts, site preferences such as search filters / sort orders / “last viewed” and “remember me” settings, user logins etc. All those are legitimately useful and possibly necessary but don’t (necessarily) serve profiling, tracking or marketing purposes.

If someone checks “remember me” then they are giving consent to my way of thinking so you can definitely set a cookie then.

I hadn’t really thought given much thought about shopping carts.

jakob · 2018-08-09 13:02:49

colak wrote #313371:

This is what I currently use but the idea of images/placeholders is indeed good … I am wondering if there is a non-js way to do what you need to do. There is this site which might be of help but there is a lot of donkey work involved to find all the image urls.

I found that site too. It’s okay to use when you need to add just a few new videos but no fun when you need to do that for 80 old videos.

I did a batch download of all video thumbs with some manual work, but it worked nicely. It requires a few Mac programs. Basically, the source of your vimeo homepage contains all the links to the thumbnails so you need to extract the vimeo video IDs along with the image URLs from the source code (I use Data Extractor with this settings file), then use that to construct a list of filenames which you can download all at once (e.g. like this tip). Now you have all the thumbnails on your computer. The final piece of the puzzle is to rename them to match your video ID#s. I used the “rename by file list” function of A Better Finder Rename to do that. In the end, you have files named vimeo_{video_id}_l and _s that you can then use as preview images on your homepage.

If you want to do that for Neme, I can help you with it.

colak · 2018-08-09 13:20:55

Thanks so much for the offer Julian. NeMe has a lot of videos too. In many pages. Your post prompted me to investigate better options for us. The little php snippet I linked to above and posted below might be exactly what we are looking for. Especially if I make it work. The idea is that I will still use the same form but alter it slightly so as to include the thumbs.

<txp:php>
function grab_vimeo_thumbnail($vimeo_url){
    if( !$vimeo_url ) return false;
    $data = json_decode( file_get_contents( 'http://vimeo.com/api/oembed.json?url=https://vimeo.com/<txp:yield name="video" />' . $vimeo_url ) );
    if( !$data ) return false;
    return $data->thumbnail_url;
}
</txp:php>

Hmmm looking at the headers of the json file I see a cookie:

ab_psb=1%7C0; ki_u=4ea11e15-430f-7fd8-22fe-d02d92afee69; ki_t=1381076321701%3B1514221502911%3B1514221502911%3B10%3B21; site_settings=%7B%22browse_format%22%3A%22detail%22%2C%22browse_format_vid%22%3A%22video%22%2C%22sticky_page%22%3A%22%5C%2Fmyvideos%22%7D; has_logged_in=1; stats_start_date=2017%2F10%2F28; stats_end_date=2017%2F11%2F01; pl_volume=58.57142857142858; sticky_brozar=1; clips=271224275%2C262332294%2C260535507%2C254113716%2C254097755%2C254080240%2C254010959%2C250252107%2C250230817; optimizelySegments=%7B%22198520930%22%3A%22direct%22%2C%22199004622%22%3A%22ff%22%2C%22199138489%22%3A%22false%22%2C%22213082152%22%3A%22none%22%2C%22222271074%22%3A%22true%22%2C%22264591493%22%3A%22true%22%2C%221581850087%22%3A%221%22%2C%225461120803%22%3A%22true%22%2C%225486770079%22%3A%22true%22%7D; optimizelyEndUserId=oeu1418652262057r0.6915765038589964; optimizelyBuckets=%7B%7D; ki_r=https%3A%2F%2Fwww.google.com%2F; _abexps=%7B%2223%22%3A%22%22%2C%2261%22%3A%22%22%2C%22106%22%3A%22%22%2C%22158%22%3A%22B%22%2C%22200%22%3A%22on%22%2C%22257%22%3A%22modal%22%2C%22287%22%3A%22on%22%2C%22308%22%3A%22on%22%2C%22329%22%3A%22off%22%2C%22330%22%3A%22off%22%2C%22333%22%3A%22on%22%2C%22337%22%3A%22on%22%2C%22342%22%3A%22a%22%2C%22348%22%3A%22b%22%2C%22402%22%3A%22on%22%2C%22509%22%3A%22yes%22%7D; vimeo_cart=%7B%22music%22%3A%7B%22store%22%3A%22music%22%2C%22version%22%3A1%2C%22quantities%22%3A%5B%5D%2C%22items%22%3A%5B%5D%2C%22currency%22%3Anull%2C%22attributes%22%3A%5B%5D%7D%7D; _abexps=%7B%22257%22%3A%22modal%22%2C%22287%22%3A%22on%22%2C%22402%22%3A%22on%22%2C%22509%22%3A%22yes%22%2C%22430%22%3A%22yes%22%7D; __ssid=b2c19065-d9ec-4a7f-a20b-3c77a9e7cb9a; _ga=GA1.2.977506590.1452781552; is_logged_in=1; _cb=eAC-mCcPIypusbcY; _chartbeat2=.1482051642145.1522917654928.1000001000000001.DTWwZe3jEuMDPs95jCv7RInlakFJ; vuid=2018511707.2072968561; has_uploaded=1; _mibhv=anon-1495437626615-3082000041_6631; sst_aid=4f2f06da-8dbb-1b80-1f51-251d13b780ef; sst_uid=321806; continuous_play_v3=0; __qca=P0-1843732458-1510334795681; _ym_uid=1511602370252529803; vimeo=OHSDLt4XMVHLeSSZtXDLXMxH4XctScatePD3tPteZ4DPX3Lae%2CL3eaNe%2CPSa3etXMiwiVN5_59biw_ViY3HLeLdDD4SZSMIH%2CNDN3LS4N43eat3S%2CDDNBZZadPNt4ccc%2CLSaDDSccdPdLNSLXBDcZ%2CBX4SLNcXXZ; mp_b36aa4f2a42867e23d8f9907ea741d91_mixpanel=%7B%22distinct_id%22%3A%20%2270225ae4-12af-b4ed-aeaf-8432d3474981%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Fhelp.vimeo.com%2Fhc%2Fen-us%2Farticles%2F228908367-Albums%22%2C%22%24initial_referring_domain%22%3A%20%22help.vimeo.com%22%7D; _cb_ls=1; __zlcmid=mIhK3DPYCQsGAA; player=""

Last edited by colak (2018-08-09 13:28:19)

jakob · 2018-08-09 14:23:00

Nice find. That could indeed be an option.

Please check if that cookie you saw is a leftover from an earlier visit to vimeo.com. I saw a cookie too, then cleared and reloaded and it did not reappear.

BTW it works with both the general and player URL:

https://vimeo.com/api/oembed.json?url=https://vimeo.com/247327862
https://vimeo.com/api/oembed.json?url=https://player.vimeo.com/video/247327862

These also still work for me:

https://vimeo.com/api/v2/video/247327862.json
https://vimeo.com/api/v2/video/247327862.xml

For the thumbnail the vital bit of information you need is the img-thumb number 672633707 part of the url. You can modify / construct the image URL to get a custom width, e.g.

https://i.vimeocdn.com/video/672633707_640.jpg
https://i.vimeocdn.com/video/672633707_1280.jpg
https://i.vimeocdn.com/video/672633707_320x200.jpg

You may be onto something there.

Textpattern CMS

Textpattern CMS support forum

#1 2018-08-08 13:13:15