WP plugins MUST explicitly state which COOKIES they set

  dejudicibus (@dejudicibus)


    One of the major problems with WordPress plugins is that they could set cookies outside their code, that is, by calling pieces of code stored on other servers. In practice, it is not possible to understand WHICH PLUGIN is setting WHICH COOKIE only by looking at the plugin code.

    This is a serious problem for admins of WP sites, because the new GDPR law requires full control of cookies on each site, that is, the admin of the site is responsible by law for any cookie that is set by the site, even if it is set by a plugin.

    In the plugin directory it is NOT mandatory to provide info about which cookies a plugin is setting. This HAS TO change. It is now a MUST that each plugin provides that piece of information, otherwise admins will have to REMOVE from their sites any plugin that may potentially create profiling cookies.

    The WordPress organization should force ALL plugin authors to provide that info, or remove the plugin from the directory. In fact, if a plugin is setting a profiling cookie and a company is requested to pay a fee for that (up to 4% of company revenue), that company may sue the plugin author.

  Moderator Jan Dembowski (@jdembowski), Brute Squad and Volunteer Moderator

    *Drinks coffee*

    I’ve moved this out of Developing with WordPress. You don’t have a coding support question, you’re trying to get a discussion. Those aren’t discussion forums and I’ve moved it to Requests and Feedback.

    One of the major problems with WordPress plugins is that they could set cookies outside their code, that is, by calling pieces of code stored on other servers. In practice, it is not possible to understand WHICH PLUGIN is setting WHICH COOKIE only by looking at the plugin code.

    That’s not a WordPress problem. Any website can include code from a 3rd party site and many do with “Like” buttons, “Tweet this”, etc. Please refrain from such broad generalizations.

    This is a serious problem for admins of WP sites, because the new GDPR law requires full control of cookies on each site, that is, the admin of the site is responsible by law for any cookie that is set by the site, even if it is set by a plugin.

    That’s not the case and you’re taking huge liberties with that regulation. When in doubt seek professional legal and compliance advice. That’s not from you or me or anyone here. See IANAL.

    In fact, if a plugin is setting a profiling cookie and a company is requested to pay a fee for that (up to 4% of company revenue), that company may sue the plugin author.

    No, totally wrong and you’re mistaken. Do not make such wild claims here. That’s pure FUD.

    The GDPR is about responsibility and you are responsible for your website. Plugin authors, theme authors and WordPress.ORG is not at all responsible for that. Making that wild claim is wrong. Please do not repeat that again.

    Do real research on the topic. Despite how many people get GDPR wrong it will not create some storm of people being put into the poorhouse for having a website.

    WordPress is working on getting tools into the code to permit site owners and users to manage their personal data. Part of that is driven by GDPR but in reality it is a useful option to have. Many WordPress users do not want to deny visitors or account holders the ability to manage their data when possible. That is what drives that effort in WordPress.

    But refrain from making such fearful claims here. That does not help and frankly is just plain wrong.

  dejudicibus (@dejudicibus)

    That’s not a WordPress problem. Any website can include code from a 3rd party site and many do with “Like” buttons, “Tweet this”, etc. Please refrain from such broad generalizations.

    I did not say that it was a WordPress problem. I said that it was a WordPress plugin problem.

    That’s not the case and you’re taking huge liberties with that regulation.

    I am not. If a plugin is profiling your visitors and the corresponding company is selling those data to third parties, you are responsible for that. Verified with legals.

    You did not take the point. Let’s suppose that you have a WordPress site that does NOT profile users and therefore you state that you have only technical cookies to make the site work. Users accept that by clicking on the ACCEPT button below your statement.

    Later on you add a plugin for a specific reason that does NOT require profiling users in order to work. However, that plugin is profiling users, but there is no setcookie in the code, so you are not aware of that. The cookie, in fact, is set in an external minified JavaScript file.

    So now your statement is no longer valid and your site is no longer GDPR compliant. That is why in the WordPress plugin catalog EACH plugin author should explicitly state if they set cookies, because there is currently no tool to know WHICH plugin is setting WHICH cookie. I think you underestimate the importance of GDPR in Europe.
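An added example, not part of the thread and not code from WordPress or any plugin, showing one way to get the attribution the post above says is missing: wrap the `document.cookie` setter so that every write is logged together with the script URL found in the call stack, then map that URL back to a plugin slug through the `/wp-content/plugins/<slug>/` path. Load it before the other scripts (for instance from a must-use plugin) or paste it into the browser console and then trigger the page behaviour you want to audit; anything written before the hook is installed is not seen. The host `example.com`, slug `some-plugin`, cookie `_trk_id`, `SAMPLE_CHROME_STACK`, `MONITOR_URL` and `FakeDocumentProto` are constructed for the offline self-check and stand for no real plugin.

```javascript
// Added example: attribute document.cookie writes to the script and WordPress
// plugin that performs them. Not code from the forum thread or from WordPress.

// Return the first script URL in a browser stack trace, skipping `selfUrl`
// (the URL this monitor itself was loaded from). Handles Chrome frames
// ("    at fn (https://host/a.js:1:2)") and Firefox frames ("fn@https://host/a.js:1:2").
function scriptFromStack(stack, selfUrl) {
  const re = /https?:\/\/[^\s()]+?\.js\b/g;
  for (const line of String(stack || '').split('\n')) {
    for (const m of line.match(re) || []) {
      if (!selfUrl || !selfUrl.startsWith(m)) return m;
    }
  }
  return null;
}

// Map a script URL to where it lives in a WordPress install.
function classifyScript(url) {
  if (!url) return 'unknown';
  let m = url.match(/\/wp-content\/plugins\/([^/]+)\//);
  if (m) return 'plugin:' + m[1];
  m = url.match(/\/wp-content\/themes\/([^/]+)\//);
  if (m) return 'theme:' + m[1];
  if (/\/wp-includes\/|\/wp-admin\//.test(url)) return 'core';
  return 'external:' + new URL(url).host;
}

// Split "name=value; Path=/; Max-Age=..." into the cookie name and its attributes.
function parseCookieWrite(value) {
  const parts = String(value).split(';').map(s => s.trim()).filter(Boolean);
  const name = (parts[0] || '').split('=')[0].trim();
  return { name, attributes: parts.slice(1) };
}

// Replace the cookie accessor on `doc` with one that records every write and
// then forwards it to the original setter, so the page behaves unchanged.
function installCookieMonitor(doc, selfUrl) {
  if (selfUrl === undefined) {
    selfUrl = (doc.currentScript && doc.currentScript.src) || null;
  }
  // Browsers define the accessor on Document.prototype; walk up to find it.
  let owner = doc;
  let desc = Object.getOwnPropertyDescriptor(owner, 'cookie');
  while (!desc && (owner = Object.getPrototypeOf(owner))) {
    desc = Object.getOwnPropertyDescriptor(owner, 'cookie');
  }
  if (!desc || !desc.set) throw new Error('no cookie setter found to wrap');
  const log = [];
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() { return desc.get.call(doc); },
    set(value) {
      const script = scriptFromStack(new Error().stack, selfUrl);
      const entry = parseCookieWrite(value);
      entry.script = script;
      entry.source = classifyScript(script);
      log.push(entry);
      desc.set.call(doc, value);
    },
  });
  return log;
}

// Constructed Chrome-style stack for the offline check; host, slug and file
// names are placeholders, not a real plugin.
const MONITOR_URL = 'https://example.com/wp-content/mu-plugins/cookie-monitor.js?ver=1';
const SAMPLE_CHROME_STACK = [
  'Error',
  '    at set cookie (https://example.com/wp-content/mu-plugins/cookie-monitor.js:40:28)',
  '    at track (https://example.com/wp-content/plugins/some-plugin/js/tracker.min.js:1:2345)',
  '    at https://example.com/wp-content/plugins/some-plugin/js/tracker.min.js:1:4096',
].join('\n');

// Constructed stand-in for Document.prototype so the monitor can be exercised
// under Node; in a browser the real accessor is used instead.
const FakeDocumentProto = {};
Object.defineProperty(FakeDocumentProto, 'cookie', {
  configurable: true,
  get() { return this._jar.join('; '); },
  set(v) { this._jar.push(String(v).split(';')[0].trim()); },
});

function demoMonitor() {
  const doc = Object.create(FakeDocumentProto, { _jar: { value: [], writable: true } });
  const log = installCookieMonitor(doc, MONITOR_URL);
  // Simulates a tracking script bundled by a plugin writing an identifier cookie.
  doc.cookie = '_trk_id=abc123; Path=/; Max-Age=31536000';
  return { log, jar: doc.cookie };
}

if (typeof document !== 'undefined') {
  // In a browser: hook the real document and expose the log for inspection.
  window.__cookieWrites = installCookieMonitor(document);
} else {
  console.log(JSON.stringify(demoMonitor(), null, 2));
}
```

Caveats a practitioner should keep in mind: the hook only sees cookies written through `document.cookie` in the browser. Cookies set by HTTP `Set-Cookie` headers, whether from the plugin's PHP or from a third-party request the page makes, never pass through it, and a minified bundle that proxies the write through another script gets attributed to whichever plugin URL appears first on the stack. Treat a hit as a lead to confirm in the plugin's code or network traffic, not as proof on its own.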

  Moderator Jan Dembowski (@jdembowski), Brute Squad and Volunteer Moderator

    I think we’re not really disagreeing with each other. This is the part I was cautioning about.

    In fact, if a plugin is setting a profiling cookie and a company is requested to pay a fee for that (up to 4% of company revenue), that company may sue the plugin author.

    Again, that’s utterly wrong and not correct. That’s FUD.

    All software on this site is either GPL’ed or compatible in a way that the plugins and theme review teams have agreed to. The GPL 2 states this. The other versions state something either identical or functionally identical.

    NO WARRANTY

    11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

    12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html

    That is one of the few times I approve of all caps.

    If you wish to state that site owners can suffer penalties for GDPR violations (in some very specific instances) then I can support that statement.

    But if you are going to say “that company may sue the plugin author” then again, that’s FUD and very wrong. You can sue anyone for anything. That doesn’t mean you’ll win or that you are correct.

  dejudicibus (@dejudicibus)

    A WordPress plugin is, for all intents and purposes, a service/product for the owner of a WordPress site, whether free of charge or not. As such, if the owner is European, it is subject to GDPR (note that GDPR takes priority over the GNU license too).

    That is, if the plugin is setting cookies that could be used to identify a person, for marketing or statistical reasons, the developer of the plugin has to explicitly state such a fact in the plugin documentation, even if he/she is not European.

    There are many WP plugins that are setting cookies in a hidden way, that is, not inside the visible code of plugin, but inside external scripts that run on other servers. This is illegal according to GDPR.

    Whoever is providing a service/product to a European customer has the obligation to inform that customer about how it will use ANY DATA it is going to collect in the course of executing the service or delivering the product. This applies to software too, such as web sites or mobile apps, for example.

    TO BE INFORMED is the first right of customer. To ACCESS those data, to GET A COPY of those data, to request UPDATES or DELETION of those data, are the other four rights.

    This has nothing to do with risks, damages, or any other consequence of usage of the product/service. The NO WARRANTY section of the GNU license does not relieve the plug-in developer from honoring GDPR.

    Note, that according to GDPR, a reply from developer as “I collect data anyway, up to you to use or not my plugin” is NOT ALLOWED.

    According to GDPR, «Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.», that is, when cookies can identify an individual, it is considered personal data.

    One of the most tangible requirements of the GDPR is in the definition of what constitutes a proper cookie consent, meaning, that the consent has to be:

    • Informed: Why, how and where is the personal data used? It must be clear to the user what the consent is given to, and it must be possible to opt in and opt out of the various types of cookies.
    • Based on a true choice: This means, for example, that the user must have access to the website and its functions even though all but the strictly necessary cookies have been rejected.
    • Given by means of an affirmative, positive action that cannot be misinterpreted.
    • Given prior to the initial processing of the personal data.
    • Withdrawable: It must be easy for the user to change his or her mind and withdraw the consent.
    • The user has the right to be forgotten. At the user’s request, all of his or her personal data must be properly deleted.
    • All given consents must be recorded as documentation.

    Cookies are generally divided into essential and non-essential. The essential cookies are those necessary for providing the information requested by the user. All the other cookies are considered non-essential. Included here are identifiers used for analytics, cookies from advertisers or third parties, including affiliates and those that identify a user when he returns to the website. The EU cookie law is meant to target the non-essential category.

  Moderator Andrew Nevins (@anevins), WCLDN 2018 Contributor | Volunteer support

    Read this.

    That article has nothing on your point to hold WordPress plugin authors legally responsible for meeting GDPR on your website.

    We know what cookies are and we know what GDPR is.

    What is not clear is saying because GDPR is what it is and there is a chance cookies in plugins hold personal data, therefore plugin developers are legally responsible.

  Moderator Jan Dembowski (@jdembowski), Brute Squad and Volunteer Moderator

    I’m closing this topic. It’s not productive and you keep making the same mistake.

    Read what I wrote. Stop spreading that FUD here. You’re not a lawyer, I’m not one either. For anyone reading this, seek professional advice and do not let FUD deter you from contributing here. Educate yourself; again anyone can sue anyone else for any reason. That does not mean that person suing is correct, or will win.

    That’s the sad state of the world. That’s not new and not related to GDPR.

    This site and the code on it comply with the GPL.

    https://wordpress.org/about/philosophy/

    Also read this.

    https://wordpress.org/support/topic/gdpr-your-plugins-and-themes/

    Your FUD would discourage people from contributing and again, you’re wrong. If you want to spread that on your site or blog feel free. But not here.

The topic ‘WP plugins MUST explicitly state which COOKIES they set’ is closed to new replies.