Support » Requests and Feedback » WP plugins MUST explicitly state which COOKIES they set

  • One of the major problems with WordPress plugins is that they can set cookies outside their code, that is, by calling pieces of code stored on other servers. In practice, it is not possible to understand WHICH PLUGIN is setting WHICH COOKIE only by looking at the plugin code.

    This is a serious problem for admins of WP sites, because the new GDPR law requires full control of cookies on each site, that is, the admin of the site is responsible by law for any cookie that is set by the site, even if it is set by a plugin.

    In the plugin directory it is NOT mandatory to provide info about which cookies a plugin sets. This HAS TO change. It is now a MUST that each plugin provides that piece of information, otherwise admins will have to REMOVE from their sites any plugin that may potentially create profiling cookies.

    The WordPress organization should force ALL plugin authors to provide that info, or remove the plugin from the directory. In fact, if a plugin is setting a profiling cookie and a company is requested to pay a fee for that (up to 4% of company revenue), that company may sue the plugin author.

    • This topic was modified 1 week, 2 days ago by dejudicibus.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    *Drinks coffee*

    I’ve moved this out of Developing with WordPress. You don’t have a coding support question, you’re trying to get a discussion. Those aren’t discussion forums and I’ve moved it to Requests and Feedback.

    One of the major problems with WordPress plugins is that they can set cookies outside their code, that is, by calling pieces of code stored on other servers. In practice, it is not possible to understand WHICH PLUGIN is setting WHICH COOKIE only by looking at the plugin code.

    That’s not a WordPress problem. Any website can include code from a 3rd party site and many do with “Like” buttons, “Tweet this”, etc. Please refrain from such broad generalizations.

    This is a serious problem for admins of WP sites, because the new GDPR law requires full control of cookies on each site, that is, the admin of the site is responsible by law for any cookie that is set by the site, even if it is set by a plugin.

    That’s not the case and you’re taking huge liberties with that regulation. When in doubt seek professional legal and compliance advice. That’s not from you or me or anyone here. See IANAL.

    In fact, if a plugin is setting a profiling cookie and a company is requested to pay a fee for that (up to 4% of company revenue), that company may sue the plugin author.

    No, totally wrong and you’re mistaken. Do not make such wild claims here. That’s pure FUD.

    The GDPR is about responsibility and you are responsible for your website. Plugin authors, theme authors and WordPress.ORG are not at all responsible for that. Making that wild claim is wrong. Please do not repeat that again.

    Do real research on the topic. Despite how many people get GDPR wrong it will not create some storm of people being put into the poorhouse for having a website.

    WordPress is working on getting tools into the code to permit site owners and users to manage their personal data. Part of that is driven by GDPR but in reality it is a useful option to have. Many WordPress users do not want to deny visitors or account holders the ability to manage their data when possible. That is what drives that effort in WordPress.

    But refrain from making such fearful claims here. That does not help and frankly is just plain wrong.

    • This reply was modified 1 week, 2 days ago by Jan Dembowski. Reason: Fixed grammar

    dejudicibus

    That’s not a WordPress problem. Any website can include code from a 3rd party site and many do with “Like” buttons, “Tweet this”, etc. Please refrain from such broad generalizations.

    I did not say that it was a WordPress problem. I said that it was a WordPress plugin problem.

    That’s not the case and you’re taking huge liberties with that regulation.

    I am not. If a plugin is profiling your visitors and the corresponding company is selling that data to third parties, you are responsible for that. Verified with legal counsel.

    You did not get the point. Let’s suppose that you have a WordPress site that does NOT profile users and therefore you state that you have only technical cookies to make the site work. Users accept that by clicking on the ACCEPT button below your statement.

    Later on you add a plugin for a specific reason, one that does NOT require profiling users in order to work. However, that plugin is profiling users, but there is no setcookie in its code, so you are not aware of that. The cookie, in fact, is set in an external minified JavaScript file.

    So now your statement is no longer valid and your site is no longer GDPR compliant. That is why in the WordPress plugin catalog EACH plugin author should explicitly state if they set cookies, because there is currently no tool to know WHICH plugin is setting WHICH cookie. I think you underestimate the importance of GDPR in Europe.
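
Editor's added example (not code from any post in this thread, nor from WordPress or any plugin): the situation described in the post above, a cookie written by an external minified JavaScript file rather than by a setcookie call in the plugin's PHP, is invisible to a grep of the plugin source, but not to the browser, because the script still has to go through document.cookie. Hooking that setter and reading the call stack attributes each write to the script URL, and a URL under /wp-content/plugins/<slug>/ or /wp-content/themes/<slug>/ names the plugin or theme. The function names, the fake document used to run it outside a browser and the sample plugin slug acme-analytics are assumptions made for this example.

```javascript
// Added example for this thread (not code from any post, plugin or WordPress
// itself): attribute document.cookie writes to the WordPress plugin or theme
// whose script made them, by hooking the cookie setter and reading the call
// stack. The function names and the sample plugin slug are assumptions.

// Matches asset URLs served from a plugin or theme directory.
const WP_ASSET_PATH = /\/wp-content\/(plugins|themes)\/([^\/]+)\//;

// Extract script URLs from a stack trace (V8 "at fn (https://h/p:1:2)" and
// Firefox "fn@https://h/p:1:2" frames) and map the first plugin/theme asset to
// its slug. Frames without an http(s) URL (console, Node, inline) are skipped.
function attributeStack(stack) {
  const urls = [];
  for (const line of String(stack).split('\n')) {
    const m = line.match(/(https?:\/\/[^\s)]+?)(?::\d+){1,2}\)?$/);
    if (m) urls.push(m[1]);
  }
  for (const url of urls) {
    const p = url.match(WP_ASSET_PATH);
    if (p) return { kind: p[1].slice(0, -1), slug: p[2], url };
  }
  // A third-party host (e.g. a CDN-served tracker) lands here; trace it back
  // to the plugin that enqueued the script tag.
  return urls.length ? { kind: 'other', slug: null, url: urls[0] } : null;
}

// Cookie name from a "name=value; attr=..." assignment string.
function cookieName(assignment) {
  return String(assignment).split(';')[0].split('=')[0].trim();
}

// Find a property descriptor on the object or anywhere up its prototype chain
// (the real document.cookie accessor lives on Document.prototype).
function findDescriptor(obj, prop) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
  return null;
}

// Shadow doc.cookie with an accessor that records every write (name, raw
// assignment, attributed source) and then forwards it to the native setter so
// the site keeps working. Returns the growing list of writes.
function installCookieMonitor(doc, onWrite) {
  const native = findDescriptor(doc, 'cookie');
  if (!native || typeof native.set !== 'function') {
    throw new Error('cookie is not an accessor on this document');
  }
  const writes = [];
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() { return native.get.call(doc); },
    set(value) {
      const entry = {
        name: cookieName(value),
        assignment: String(value),
        source: attributeStack(new Error().stack),
      };
      writes.push(entry);
      if (onWrite) onWrite(entry);
      native.set.call(doc, value);
    },
  });
  return writes;
}

// Constructed stand-in for document so the example also runs under Node:
// a minimal cookie jar behind a prototype accessor, like the real thing.
function makeFakeDocument() {
  const jar = {};
  const proto = Object.defineProperty({}, 'cookie', {
    configurable: true,
    get() { return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; '); },
    set(value) {
      const pair = String(value).split(';')[0];
      const eq = pair.indexOf('=');
      jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
    },
  });
  return Object.create(proto);
}

// Demo: in a browser (paste early in <head>, before plugin scripts run) this
// hooks the real document; under Node it hooks the fake one and performs a
// constructed write, reported as unattributed since no plugin URL is on the stack.
const monitored = typeof document !== 'undefined' ? document : makeFakeDocument();
const cookieWrites = installCookieMonitor(monitored, (w) => {
  const who = w.source ? `${w.source.kind} ${w.source.slug || w.source.url}` : 'unattributed script';
  console.log(`cookie "${w.name}" written by ${who}`);
});
if (typeof document === 'undefined') {
  monitored.cookie = '_tracker=abc123; path=/; max-age=31536000';
}
```

Install it as early in the page as possible (before any plugin script runs), then browse the site and read the log. Two caveats: cookies set by the server in a Set-Cookie header never touch document.cookie, so those have to be checked in the response headers and the plugin's PHP separately, and a script served from a third-party host is reported as "other" with its URL, which you then trace to the plugin that enqueued it.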

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    I think we’re not really disagreeing with each other. This is the part I was cautioning about.

    In fact, if a plugin is setting a profiling cookie and a company is requested to pay a fee for that (up to 4% of company revenue), that company may sue the plugin author.

    Again, that’s utterly wrong and not correct. That’s FUD.

    All software on this site is either GPL’ed or compatible in a way that the plugins and theme review teams have agreed to. The GPL 2 states this. The other versions state something either identical or functionally identical.

    NO WARRANTY

    11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

    12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html

    That is one of the few times I approve of all caps.

    If you wish to state that site owners can suffer penalties for GDPR violations (in some very specific instances) then I can support that statement.

    But if you are going to say “that company may sue the plugin author” then again, that’s FUD and very wrong. You can sue anyone for anything. That doesn’t mean you’ll win or that you are correct.
