• Without even configuring/activating the Cookie Consent for a test domain, I was both surprised and alarmed to find Google Analytics-type cookies (_ga, _gac_UA-33923583-2, _gid) being set within the .cookiebot.com domain. At best these are third-party cookies being set without any consent on the first visit. Once activated, the cookies were still reset (after being cleared) before any consent was given. Legal advice is for NO cookies whatsoever being set on first visit. After consent is given, CookieConsentBulkTicket is set, but again tied to the “.cookiebot.com” domain.

    I know it sounds paranoid, but I can see no reason why it is necessary to go off-site to provide GDPR compliance, and these cookies will allow CookieBot to track users across domains that use their software. These are arguably not essential cookies. At the very least, users of your site will need to be notified under the GDPR that you/CookieBot are tracking their use of your, and other, sites.

    I assume this is an implementation issue to allow cookiebot to report the user’s cookie preferences, but there is no reason why the scripts cannot do this locally without ever going off-site. Uninstalled the plug-in as quickly as it was installed.

    Otherwise looks professionally implemented and thought out, which is why it gets 2 stars and not 1 :-/

Viewing 1 replies (of 1 total)
  • Plugin Author cookiebot

    (@cookiebot)

    Hi @ams047,

    Thanks for reaching out!

    Cookiebot does not per default set third party cookies.

    According to our Terms of Service: https://www.cookiebot.com/goto/terms-of-service

    2.2.5. Cookiebot itself automatically sets up to two cookies in the user’s web browser when the user visits your website: The first-party cookie “CookieConsent” which stores the user’s consent and – if you enable “Bulk Consent” in Cookiebot – the third-party cookie “CookieConsentBulkTicket” which stores an encrypted key to enable Bulk Consent across your domains as described in clause 2.2.3 above. Both cookies expire automatically for renewal after 12 months from the date of the user’s consent.

    The reason that you were seeing third party Google Analytics cookies, set within the .cookiebot.com domain, is because you’ve carried them over after visiting cookiebot.com. If you would have opened your site in Incognito mode, you would see that the GA cookies would not appear.

    We’ve wrongfully configured our own Google Analytics setup to point at the subdomain .cookiebot.com, and because the Cookiebot script is hosted on consent.cookiebot.com, which you have to insert on your site, the third party cookies were carried over (but only because you’ve visited cookiebot.com).

    Based on your input we’ve fixed this problem, so that our Google Analytics configuration is now pointing at our www subdomain, hence this will not occur again. Moreover, this will not have occurred for your end users, since they probably haven’t visited cookiebot.com. Rest assured, we haven’t used any GA data from any other domain than our own – that would not be compliant!

    Thanks again for pointing out the issue.

    [ Signature deleted ]

  • The topic ‘Alarmed to find off-site .cookiebot.com cookies being set’ is closed to new replies.
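
The cookie scoping discussed in the reply above, as an added example that is not part of the original thread and is not Cookiebot's code: it applies RFC 6265 domain matching to show which stored cookies a browser would attach to a request for consent.cookiebot.com. The site name shop.example and the three cookie jars are constructed; only domain matching is modelled, not Path, Secure, SameSite, expiry or browser third-party-cookie blocking.

```javascript
// Added illustration: RFC 6265 (section 5.1.3) domain matching only.

// A host matches a cookie domain if the two are identical, or if the host
// ends with "." + domain and the host is not an IP address.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Names of the cookies in `jar` that would accompany a request to `host`.
// Host-only cookies (set without a Domain attribute) need an exact host match.
function cookiesSentTo(host, jar) {
  return jar
    .filter((c) =>
      c.hostOnly
        ? host.toLowerCase() === c.domain.toLowerCase()
        : domainMatch(host, c.domain)
    )
    .map((c) => c.name);
}

// Constructed jar: visitor has been to cookiebot.com while GA was scoped
// to the parent domain, then opens a customer site (shop.example).
const jarParentScoped = [
  { name: "_ga", domain: ".cookiebot.com", hostOnly: false },
  { name: "_gid", domain: ".cookiebot.com", hostOnly: false },
  { name: "CookieConsent", domain: "shop.example", hostOnly: true },
];

// Constructed jar: same visitor, GA scoped to the www subdomain instead.
const jarWwwScoped = [
  { name: "_ga", domain: "www.cookiebot.com", hostOnly: false },
  { name: "_gid", domain: "www.cookiebot.com", hostOnly: false },
  { name: "CookieConsent", domain: "shop.example", hostOnly: true },
];

// Constructed jar: visitor who has never opened cookiebot.com.
const jarNeverVisited = [
  { name: "CookieConsent", domain: "shop.example", hostOnly: true },
];

const scriptHost = "consent.cookiebot.com"; // host named in the reply
console.log("parent-scoped GA:", cookiesSentTo(scriptHost, jarParentScoped));
console.log("www-scoped GA:   ", cookiesSentTo(scriptHost, jarWwwScoped));
console.log("never visited:   ", cookiesSentTo(scriptHost, jarNeverVisited));
```

To check a real deployment, clear the browser profile first and then inspect the Cookie request header on the consent.cookiebot.com request in the network panel, which separates cookies carried over from an earlier visit from cookies set during the page load.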