• Resolved webmastermd

    (@webmastermd)


    Don’t get me wrong, I really like many parts of the plugin but for me it seems incomplete in some points, which holds me back a bit to really use it for a live site.

    1. I would very much prefer to alter the content of the cookie policy, so some customization for text parts would be nice. I mean automatism is good and all, but I think this needs a bit more flexibility to correct e.g. wrong translations or insufficient (not complete enough) information. (I would rather write all by myself and only use a shortcode for the cookie table.)

    2. For each service, there should be an Opt-Out link when available, e.g. for GA or FP.
    And the classic hint to the official GA Opt-Out plugin. etc…

    3. I’m missing some shortcodes for e.g. the cookie table (only) or the link to recall the consent. I see a custom link in the generated Cookie policy, can I make a link myself for another page?
    In general, I would rather integrate this table into a privacy policy. I know, you say it should be a separate cookie policy, but in the privacy policy I describe my services I use and the cookies are just a side effect of them. So for me it makes more sense to have the Cookie information integrated into the PP instead of in a redundant way within an extra page. I guess this can be a discussion by itself 🙂

    4. There are many cookie names missing for standard services like Google Maps, ReCaptcha or YouTube. Are they only pulled if prior detected by the scanner? or are they just not yet in the cookie database?

    5. I would like to see a more clear association of the generated cookie information tables to my created groups (functional, analytics, marketing, …)

    6. You say all third-party cookies get blocked by default? I do not see how this works. I tested with a page with embedded YouTube-Video and Facebook-feed and like button. I saved only with “functional cookies” and in DevTools I see about 10 cookies for each domain. How should the blocking work?

    7. Even if I can use GTM to trigger tags per custom groups, I miss some hooks/shortcodes to block WordPress content for the decision. E.g. Google-Maps, Videos, Social Media Feeds etc.
    How should this be handled?

    8. Script Center seems not to work? Unlike in the video there is only one single text field with the heading “URL’s from iframes you want to be blocked before the cookie warning is accepted”. Am I missing some settings so that the code fields will be shown?
    And how does this work in general and can I use it to block e.g. content on my site like embedded videos or social media feeds?

    9. The German translations are partly mediocre and some are just wrong.
    e.g. here some sections:
    – in generated Cookie Policy, the Section: “Einwilligung ” is still in English.
    – in admin “Bewahrungsfrist” and front-end “Aufbewahrungsfrist” is correctly translated from “retention period” but I think this is called more commonly “Lebensdauer” (lifespan/lifetime). As both are right in some way, also here a perfect opportunity to make such labels configurable.
    – For “Verwendete Namen” I would prefer something like “Mögliche Cookie-Namen” (“possible cookie names”) as not all of these are always active, or if “used” then (“Verwendete Cookie-Namen”) “used cookie names”. As this is another preference thing, another vote for configurable labels.
    – The link heading is called in back-end “Datenschutzerklärung URL”, which sounds a bit too technical for front-end, but at the front-end it is called “Teilen” (“share”)? This is plain wrong. I think this should be called something like “Link zur Datenschutzerklärung” (“link to the privacy statement”) or “Datenschutzrichtlinie” for “privacy policy” (which is again a question of preference)

    10. I would like to see more in-depth documentation for using the cookie and script setup. The “How to fill in the wizard”-Video is way too shallow. There needs to be a more complex case and a guide to handle it.

    11. Are there no soft opt-ins possible? So If I’m right you cannot precheck custom categories. I think this is important as instead nobody would ever check the marketing if it is not at least prechecked. Activation is then after clicking the save button. Or is this against the law?

    Thanks

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Aert

    (@aahulsebos)

    Hi webmastermd,

    Thanks for all your input. Let’s begin!

    1. We made the decision to automate the cookie policy by generating it through the wizard, which should be complete and formulated correctly when all questions are answered. The possibility to add information to the cookie table is also possible. This covers all legal responsibilities in the cookie policy. The automation will take care of any future updates and easy configuration if anything changes in the cookie list.

    We understand a more personal output might be required and will look into this.

    At this time our free plugin is translated in Dutch & Spanish, while German and French are being checked as we speak, and as of now are not yet approved by a WordPress PTE.

    2. I think I can assume this is a personal preference. Our opt-out link is available either in the Cookie Policy and as a pop-up, available on every page. The specific opt-out is not required, as a specific opt-in is not required. We have categorized our cookies, but a more specific approach would complicate the consent for the website visitor and will probably lower your rate of consent.

    3. For the consent recall, please use: cmplz-revoke-link and for overriding the link generated by our cookie-policy: https://complianz.io/can-i-use-only-a-privacy-statement-instead-of-a-cookie-policy/.

    You are right we will suggest separating the policies, because of GDPR regulations:). But when we open the Cookie Policy to customization this will be possible.

    4. These should be standard in our cookiedatabase, we will update these shortly. We do not collect cookie data from our users.

    5. This is a good idea. These are now non-functional cookies, but could be categorized. We will add this to our dev planning.

    6. Either embedded URLs in the script center or scripts in Tag Manager will be blocked by changing the scripts to text/plain. Our blocker won’t remove the cookies in your browsers, this should be done manually. If there are iFrames or Scripts (outside of Tag Manager) that are not getting blocked, please let us know, so we can update our plugin.

    7. This really depends on how you implement those tools, by a plugin, script or iFrame. Let me know, so we can help:)

    8. Please see my answer at 6. Between blocking scripts through Tag Manager and adding iFrames in our script center, which scripts are you unable to implement?

    9. Our German translations have not been approved yet, so the current strings are ‘under construction’. To update these translations we will appreciate greatly if you could change these strings in our plugin directly. But another option will be to use Loco Translate to translate the texts locally.

    10. We are working on our documentation every day. An in-depth walkthrough of the wizard is on its way.

    11. Yes, this is not viable for GDPR requirements. Most likely DSGVO will adapt GDPR requirements in the near future, so we won’t adapt a soft opt-in possibility.

    Let me know if you have any follow-up questions,

    Regards Aert

    Thread Starter webmastermd

    (@webmastermd)

    Hey thanks for fast reply.

    Yes, the shortcode for the link works fine, thanks. And I’m pleased to hear more documentation is on the way!

    Ok, as nearly all other GDPR plugins state explicitly that they do not block cookies because it’s not technically possible, you have exactly this phrase “Blocks thirdparty cookies from all major third party services” on multiple sites as a feature. In my eyes this is just wrong and should be corrected, as you do activate/block services which are connected with your plugin and only indirectly deactivate the cookies with it.

    to 7.: I mean if I build a post or page with a Builder or tinymce or Gutenberg, etc…
    And use e.g. a Video block which embeds a YouTube iframe, or an Instagram Feed which gets embedded via iframe. Lastly it would be ok to do this even manually with code blocks or if the plugin gives the interface, via shortcode.
    Beside iframes there could be other solutions which directly connect to 3rd party apis like a google maps element which uses directly the maps api to set not a bunch of cookies, but still makes an api call which should be consented beforehand.

    There are some gdpr solutions/plugins out there which can block these elements by wrapping them into a shortcode or even simpler by globally overlay and block all videos /maps/etc. with a consent message which needs to be accepted first, then the video or map or whatever gets loaded (as placeholder a default pic is shown or for e.g. youtube the picture is called by api once and is stored then locally as placeholder…)

    As the consent is not for cookies only, but more for the acceptance to use such services like GA or YouTube, maps etc… this could be a feature of this plugin.

    to 11.: I think you got me wrong here, I do not mean that marketing cookies are enabled by default and can be opted out, I mean more they’re deactivated by default and the checkbox is just ticked by default, so that when the user clicks save settings, they get activated or the user can untick the box and click save and they stay blocked. This is my interpretation of softest opt-in.
    This is also the way most other consent plugins handle this or give at least the option, but it’s just the fact that nearly no user looks at these boxes and so the marketing stuff would nearly never trigger.
    If this is still against the law what I stated here, can you please point me to the corresponding article/paragraph. That would be very kind.

    Plugin Author Aert

    (@aahulsebos)

    Hi there,

    To clarify;

    With: “as you do activate/block services which are connected with your plugin and only indirectly deactivate the cookies with it.”

    Do you mean there’s an unclear difference between blocking the actual cookies, and/or removing these cookies?

    For 7. iFrames can be blocked using our Script Center – for example a YouTube embed URL will receive a -nocookie extension to use YouTube’s privacy features, while still being able to embed a video, without cookies. This works for a Maps Embed API too, where the API is necessary but is placed by iFrame.

    Blocking Google Maps Javascript API calls without embedding it through a dedicated plugin or theme feature is not yet included, and could be, but most plugins/themes who actually make the API call should include a placeholder/consent option and are required to conform to GDPR. Implementing it without assistance from a plugin, should require a custom consent action on the API call, but is rare and easily placed by a developer, which in this case is likely.

    Blocking these by overlay is possible, but as seen with YouTube and consent options in dedicated plugins, not always necessary and will harm a user’s experience if it’s brute force.

    We actually prefer native solutions brought by plugins, compatibility is easier and faster than integrating.

    11. Please refer to: “What is an unambiguous indication” of https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/what-is-valid-consent/

    Until further notice concerning E-Privacy we will adhere to GDPR guidelines and not actively feature an option to pre-check consent boxes.

    Regards Aert

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    To clarify the blocking of cookies: It is technically possible to prevent the placing of cookies by preventing the scripts which place the cookies to execute. This is done by changing the script attribute from ‘javascript’ to ‘text/plain’.

    As a result the cookies are blocked: they don’t get placed. But: if you visited the site without the cookie blocker, these cookies already exist.

    Additionally, you might get for example Facebook cookies on another website. If that website does not block these cookies, you do have Facebook, on the facebook.com domain.

    To summarize: cookies are effectively blocked, but are not removed if they’re already placed. That is technically impossible, as these third party cookies live on their own domain (e.g. facebook.com).
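
The markup rewriting described in the replies above (a blocked script's type changed to text/plain, a YouTube embed moved to the -nocookie host), as an added JavaScript example that is not part of the thread and is not the plugin's code. The host list, the data-consent attribute, the function names and the sample page are assumptions made for the illustration.

```javascript
// Added illustration, not the plugin's code. The host list, the data-consent
// attribute, the function names and SAMPLE_PAGE are assumptions.
const BLOCKED_SCRIPT_HOSTS = new Set(["connect.facebook.net", "www.google-analytics.com"]);
const ATTR_VALUE = `(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`;

// Resolve relative and protocol-relative URLs against a dummy origin.
function hostOf(url) {
  try { return new URL(url, "https://site.invalid/").hostname; } catch { return ""; }
}

// Value of a named attribute inside a tag's raw attribute text, or null.
function attrOf(attrs, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*${ATTR_VALUE}`, "i").exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function blockBeforeConsent(html) {
  // Scripts from blocked hosts get type="text/plain": the browser leaves them
  // inert, so the cookies they would set are never placed.
  const out = html.replace(/<script\b([^>]*)>/gi, (tag, attrs) => {
    const src = attrOf(attrs, "src");
    if (!src || !BLOCKED_SCRIPT_HOSTS.has(hostOf(src))) return tag;
    const rest = attrs.replace(new RegExp(`\\stype\\s*=\\s*${ATTR_VALUE}`, "i"), "");
    return `<script type="text/plain" data-consent="marketing"${rest}>`;
  });
  // YouTube iframes stay embedded but move to the -nocookie host.
  return out.replace(/<iframe\b([^>]*)>/gi, (tag, attrs) => {
    const src = attrOf(attrs, "src");
    if (!src || !/^(www\.)?youtube\.com$/i.test(hostOf(src))) return tag;
    const safe = src.replace(/\/\/(www\.)?youtube\.com/i, "//www.youtube-nocookie.com");
    return tag.replace(src, () => safe);
  });
}

// Check: hosts of the scripts a browser would still execute.
function executableScriptHosts(html) {
  const hosts = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const type = attrOf(attrs, "type");
    const isJs = !type || /^((text|application)\/javascript|module)$/i.test(type);
    const src = attrOf(attrs, "src");
    if (isJs && src) hosts.push(hostOf(src));
  }
  return hosts;
}

// Constructed sample page: one first-party script, two third-party, one embed.
const SAMPLE_PAGE = [
  '<script src="/wp-includes/js/jquery.js"></script>',
  '<script type="text/javascript" src="https://connect.facebook.net/en_US/sdk.js"></script>',
  "<script async src='//www.google-analytics.com/analytics.js'></script>",
  '<iframe width="560" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>',
].join("\n");

console.log(blockBeforeConsent(SAMPLE_PAGE));
```

The rewrite only keeps new cookies from being set by the listed scripts; cookies already stored for those third-party domains are untouched, which matches the distinction drawn in the reply above.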

    Thread Starter webmastermd

    (@webmastermd)

    I very much appreciate that you keep up the discussion, I hope I do not start to get annoying 😉

    I think there is a difference between blocking cookies and blocking/manage services which set cookies from their source code. I looked at a lot of GDPR plugins over the last months and many that had stated they can block cookies came with a lot of confused user requests, that the plugin in fact does not block cookies. Thus you see often a FAQ about “Does this plugin blocks all cookies?”…
    So I just think it’s a false to interpret statement which lastly does more harm than good and should be clarified more deeply within the feature list or at least in the FAQ.

    I also think my “Script center” is broken as I only see one textarea field and nothing else. This might be the reason I do not understand what should happen there or how I block YouTube with this? I guess I just wait for your tutorial update and make a bug ticket then if this seems still unclear.

    But the more important question which comes up now, you state it is fully compliant to use youtube videos over the nocookie-url? It is really confusing, because some people say it is enough and some say it’s not because the api will still be called.
    Same for Google Fonts with the two parties: self-host or just use the api and state it in the PP. But yeah, lastly I need to decide this by myself, I guess.

    And for the consent and the given paragraph: Thanks. I indeed read this before somewhere and lastly you need to find a way to make it at least most converting by staying compliant.
    Now I see two use cases which may need a better solution:

    1. As you have to only comply as you use services which juggle with PPI, there is this case which I like and used with another plugin on one site I manage: I have e.g. three categories, the first is “Essential”, the second “Functional” and the third “Analytics”. Now, I use just GA with anonymized IP and lastly all these categories do not need to be strictly handled by the GDPR. But I would like to give the user the possibility to simply opt out with the consent system. So under Functional I have YouTube videos and under Analytics GA. Functional is preactivated and can be opted out and Analytics is prechecked but not preactivated and activates after accepting the bar/settings. If the user opts out of the functional, the Video module gets replaced with a placeholder 😉
    Now you can say, this is unnecessarily complicated and I might consent with you (and even consider changing it myself), but yeah it is a valid use case I would say, to leverage the system to give the user some fine control about its given data (PPI or not).

    2. The more interesting case is, if you want to trigger your ad tags as much as possible. In this case, I think the only compliant way with the most conversion is act by the statement “you should have equal prominence of binary choices”. Yes, as beautiful the checkboxes are (and I like them a lot), I think it is not equal if you have checkboxes which someone rarely touches if not required, and a big button “save settings”. The vast majority will hit this button to dismiss the bar as fast as possible. If I untick the “Use categories” to get a two-button solution, this will convert much better for sure (to be very strict with the equal prominence, here would maybe be necessary even to style the 2 buttons the same, but I like of course that the “all cookies” button is more prominent).
    So lastly I think, there needs to be a multi button solution if I want to use categories. As this seems the only compliant way which has a good conversion.

    So as this was all theoretical, I’m just interested in your thought about it, I do not say, this needs to be implemented, it’s just what I think at the moment.

    Best regards,
    Manuel

    Plugin Author Aert

    (@aahulsebos)

    Hi Manuel,

    When using Google Tag Manager – we suggest using this as your script center, that’s why the only option left is blocking iFrames, by adding a URL.

    Concerning the -nocookie URL – I have sent this to our legal partner and will double check.

    1. Our position on consent, parallel to the GDPR, it should be easy and nonintrusive to either decline or accept cookies. With decline as a default. For your example I would suggest configuring Analytics as a functional cookie https://complianz.io/how-to-configure-google-analytics-for-gdpr/. I don’t see a clear difference between essential and functional, both are either session dependent and/or do not additional data.

    We have implemented in premium a statistics and A/B testing for this purpose.

    2. Actually, this falls back on what I said earlier – taking an easy and non-intrusive approach will improve ‘consents given’. To strengthen that point you can test this with different banners, using A/B/C/D testing if you want and analyzing statistics.

    For some insight: We run a/b/c/d testing on different domains and there seems to be an improvement in consents when the banner is centered with a clear message, without categories.

    Regards Aert

    Thread Starter webmastermd

    (@webmastermd)

    to 1: You’re right and I will change GA to activated by default. My point here was just, to use the consent system for an easier Opt-Out if I make an Analytics group which does not use PII. So I have 2 functional groups which both would be activated by default. The user can now easily deactivate/opt-out from Analytics (like GA) via the consent system instead of using the opt-out plugins or functionality of the Analytics services.

    to 2: that was exactly what I was thinking, nice to know for sure

    Thank you so much for your time.

    Best,
    Manuel

The topic ‘Cookie-Policy, Translation, Handling, Shortcodes’ is closed to new replies.