Cannot find where Cookie Comes from
Hi,
I have been trying out Complianz for a few days and have rerun the scan a few times. In contrast to the previous days, Complianz has started telling me today that I was using a third party cookie by “AddThis” and by “AddToAny”.
I used to have AddThis and AddToAny implemented, but I do not (or should not…) have now. I am using Sharif Wrapper, and there are pages with links to AddThis, but to the best of my knowledge no actual implementation.
It is theoretically possible I might have forgotten to purge some code somewhere, when I deleted AddThis a few years ago – but why did it not show up with earlier scans, then?
And also: How can I find out which of my articles / pages is actually responsible for that? I do not want that cookie to be set, but I have no idea where to look for the reason.
(I even deactivated and deleted Complianz, asking it to purge the data on deletion. However, afterwards the data I had entered before were there again. I wonder why? Was I not patient enough? Should I have waited a bit after installation? In any case, I also tried to “clear” the cookies in the Wizard. But “AddThis” remained. And when proceeding in the Wizard, it told me I should tell that I have third party cookies, as I had Addthis. But: WHERE?)
I would appreciate your help.
Hi @luckilyhappy,
It might be a false positive. I would suggest clearing all cookies, under Complianz – Wizard – Cookies – Used Cookies and start over in an incognito window.
When you have cleared all cookies, log in via an incognito or private window and visit your website, and a few pages. Return to the dashboard and rerun the cookie scan.
The Addthis cookies should be gone. If this is the case, it would be wise to remove very old cookies from your main browser, as they might give a false positive.
Hope this helps,
regards Aert
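The distinction raised in the question above (pages that merely link to AddThis versus pages that actually embed it) can be checked offline against exported page HTML. This is an added example, not part of the original thread and not Complianz code; the tracker domains, the names `EmbedFinder` and `scan_pages`, and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed registrable domains of the two services named in the thread.
TRACKER_DOMAINS = ("addthis.com", "addtoany.com")
# Tags whose src attribute makes the browser fetch from the third party.
LOADING_TAGS = ("script", "iframe", "img")

def tracker_for(url):
    """Return the matching tracker domain for a URL, or None."""
    host = (urlparse(url or "").hostname or "").lower()
    for domain in TRACKER_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

class EmbedFinder(HTMLParser):
    """Separates real embeds (which can set cookies) from plain hyperlinks."""
    def __init__(self):
        super().__init__()
        self.embeds, self.links = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in LOADING_TAGS and tracker_for(attrs.get("src")):
            self.embeds.append((tag, attrs["src"]))
        elif tag == "a" and tracker_for(attrs.get("href")):
            self.links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline loaders build the script URL in JavaScript, so match the text.
        if self._in_script:
            self.embeds += [("inline-script", d) for d in TRACKER_DOMAINS
                            if d in data.lower()]

def scan_pages(pages):
    """Map each page path to its findings; pages with no hits are omitted."""
    report = {}
    for path, html in pages.items():
        finder = EmbedFinder()
        finder.feed(html)
        if finder.embeds or finder.links:
            report[path] = {"embeds": finder.embeds, "links": finder.links}
    return report

# Constructed sample pages, not taken from the site discussed in the thread.
SAMPLE_PAGES = {
    "/about/": '<p>We used <a href="https://www.addthis.com/">AddThis</a>.</p>',
    "/2016/old-post/": '<p>Old</p><script src="//s7.addthis.com/js/widget.js"></script>',
    "/share/": '<script>var s = "https://static.addtoany.com/menu/page.js";</script>',
    "/contact/": '<img src="/wp-content/uploads/me.jpg"><a href="/about/">About</a>',
}
```

A page that appears only under `links` cannot set the third-party cookie by itself; one under `embeds` is where leftover code would need to be purged.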
Hi Aert,
Thank you for your response. This time, I have even used another browser, where I had deleted all cookies and data before, and it did not show up again.
Please allow me to use this opportunity to point out a few other things:
– This time, there was a behaviour I did not notice before. I have WP Do Not Track installed. But I had deactivated it already yesterday. Despite my switching browsers, Complianz told me that it WAS activated (which it was not), and I should deactivate it. That does not seem to be right?
– I would very much like to ask if you could not add a function to select each single cookie in the preferences, i.e. whether the visitor wants to accept it or not. From a brief look through the websites of various (German) lawyers, there seems to be a common understanding among many lawyers that, at the very least until a higher court will rule in these matters, it is quite risky not to offer that possibility. So I would very much like to encourage you to consider such an option (for the free version, too, please, as this would be essential).
– I would also suggest to reflect upon whether you need to add (e.g.) “EU” in the URL of the cookie policy. While certainly it is worded for the legal orders you offer the option to select, it is still equally an information with equally a legal function for visitors from other regions nevertheless. The “EU” in the URL could be taken to imply that it would only be directed towards visitors from that region. Your introductory sentence in the cookie policy seems to enforce that. I am not really sure that is an optimal decision.
– When implementing social media buttons on a website in German, the respective paragraph in the cookie policy by Complianz contains the words “Bitte lese die Datenschutzerklärung”. While it is being used like that by quite a few Germans, especially depending on where they live, nevertheless, the (only) correct imperative form here would be “lies”. This is even supported by the Duden (https://www.duden.de/rechtschreibung/lesen_aufsammeln#grammatik), which has already become quite (perhaps “too”) lenient in recent years. So it would be great if you could use the correct imperative form “lies” instead.
– Lastly, it would be nice if you would offer the possibility for setting a noindex-tag in the header. As the cookie policy contains the name and address of the person responsible, that person may not want his data to be found publicly on the net. By allowing a noindex-tag, this may be avoided.
Thank you for your patience!
Hi @luckilyhappy,
For 1; Complianz has a Do Not Track option in Premium. I don’t remember it gives any feedback in free in reference to Do Not Track, and if it should be deleted. Could you elaborate?
For 2; Luckily our team consists of an Associate Professor of IT & Law. If this is required we will surely look to implement this functionality, but the question remains why a user would prefer 6 out of 8 Facebook cookies, instead of all or none. Granular control on cookie level is surely not user friendly. In many use cases, granular control is not possible, because data is serviced by API first.
For 3; The URL is mainly geared towards multiple cookie policies, whereby the US policy is different from an EU policy. In free this can be removed manually if so desired.
For 4; I guess this is due to the non-formal German translation. Another translation is available in the German Formal version. I will forward this to our German translator.
For 5; We offer a shortcode on the added page. The page itself is controlled by your own templates and WordPress functionalities. You can add a no-index tag manually with either an SEO plugin, or manually in the header of the page.
Hope this helps,
regards Aert
Hi Aert,
Thank you once more for your detailed response.
1. Well, I am using the free version, and it did comment in the way I described. It did comment so actually all the time, and on two different WordPress websites I have. The only difference was, that, until today, the comment was right to point out that I had it switched on. But today I had deactivated Do Not Track, and, still, the comment came. If you need more information as to that, feel free to let me know.
2. I can only repeat that various German lawyers and privacy experts seemed to deem the possibility not to have that option risky, user unfriendly as it may be. But, then, many of the demands the GDPR forces webmasters to implement are not necessarily user friendly. So that should not be the criterion. Of course, nothing has been ruled as to that yet, but I believe it would be safer for the users to rather offer it until there have been rulings than not to offer it with the risk a ruling might decide just being able to accept or reject groups would not be enough. Fines can be too high… And there are still other dangers (competition law in certain legal orders). Therefore, at least for the non functional cookies, that option should be implemented in my eyes.
3. ok
4. Thank you for forwarding it. Just to explain further: This is not a question of formal or informal. The decision to use “du” is a decision for informal language. The decision to use “lese” is the decision for wrong grammar, which is also equally wrong in informal language.
5. Ok, thank you.
6. My apologies to bring up something else, but I only noticed it now: The cookie set by Complianz, “complianz_policy_id”, seems to contain information which is shared? Why otherwise would, in the cookie policy, after describing the cookie, not be written that you do not share the information and instead link to your privacy policy? Here, does it not become dangerous for the webmaster, for he may need a processing agreement with you, if the data are personal, and / or stored on servers outside the EU. As you yourself mention Google in your privacy policy…. could you please clarify? Will the cookie effect any transmission to servers outside of the webmaster’s site, and onto which servers and with which purpose?
Edit: Could I solve the problem by not letting anyone register? Is the cookie only part of the backend and not set for non backend-users?
Hi @luckilyhappy.
1. I will have a look at WP Do Not Track
2. In the GDPR a user-friendly user interface is actually a pillar for consent. Needlessly complicating the process of consent and granular for consent per cookie will oppose the guidelines as they now stand. As it now stands, the latest drafts do not acquire individual cookie control. Personally, maybe the strictest interpretation might lead to this functionality, but I don’t think they have consulted any developers during this process, as this is a technical nightmare, and does nothing for privacy concerns as a whole.
4. I clarified where the exact sentence was located. So for anyone wanting to change, you can opt for the formal version. Our translators have been notified.
6. The cookie complianz_policy_id is only stored in the user’s browser and will not be shared with you, or us. The link to the privacy policy is to clarify for your users the tool you’re using for consent management. The exact purpose of this cookie is to register the ID of the policy they agreed to. If the policy changed afterward the ID’s won’t match and their consent is automatically revoked.
regards Aert
Hi @luckilyhappy,
Could you provide me with a link where it is stated consent per cookie is recommended? I’m happy to give it a read, and comment if necessary,
regards Aert
Hi Aert,
Thank you again for your helpful response. Now I can finally set my website free
(As for 6.: Thank you for your clarification. Perhaps it might be advisable to slightly change the wording, then? To make everything perfectly clear, in my privacy policy, I have changed it to: “The cookie above he cookie complianz_policy_id is only stored in the your browser and will not be shared with us. The exact purpose of this cookie is to register the ID of the policy you agreed to. If the policy would be changed afterwards, the ID’s would not match and your consent be automatically revoked. For more information on the tool we are using, please read the Complianz Privacy Statement.”)
As for your question: I may not have found now the original article I was thinking about, but here are a few, albeit not in English:
A. Overview over Opinions
I. Doubtful whether not offering to select or deselect cookies is lawful:
1. “data protection authorities” according to this article written by a lawyer: https://datenschutz-generator.de/eugh-cookie-einwilligung-banner-detailinformationen-pflicht. He himself is not as strict, but recommends nevertheless to follow the opinion of the authorities if one would like to be sure. Others should weigh risks, advantages and disadvantages.
2. My interpretation of the first link given in III. 2. below
3. This publisher (it is not clear whether the article was written by a jurist) says that tracking cookies have to (enabled to) be accepted separately. (The ruling of the BGH, the highest German civil court, this article is reacting to, has not decided the matter itself, as far as I see, it only speaks of having to get consent “in the concrete case” (see at paragraph / point 50 of the decision).
II. Agreeing with that it is currently lawful:
1. https://www.e-recht24.de/artikel/datenschutz/11648-eugh-urteil-cookies-einwilligung.html
III. Undecided / Not definite / Neutral (?) / Unclear
2. https://www.datenschutzkonferenz-online.de/media/oh/20190405_oh_tmg.pdf says on p. 9: that, normally (“as a rule”) there will be an overview that includes all those involved (“Akteure”: “actors, players”). While this appears to be descriptive, it is seen, in fact, according to the previous paragraph in that text, as a “requirement” (“Anforderung”). However, a lawyer interprets it differently than I do here: https://datenschutz-generator.de/eugh-cookie-einwilligung-banner-detailinformationen-pflicht/ Nevertheless, in the same article, he continues to mention that data protection authorities are of the opinion that cookies have to be named and confirmed separately (!), deriving that from Art. 25 II GDPR. In contrast to that, here, the European Data Protection Committee is seen as allowing the grouping, but I could not verify this as the paragraph given did not seem to me to contain the information – in any case, the author remains with his recommendation that it would be best if each cookie could be chosen separately.
3. https://easyrechtssicher.de/opt-in-cookie-banner/: Not really decided, but not being “able to imagine” that a ruling to the contrary would be made.
B. Outlook
As we do not have a court ruling yet, we cannot say for sure what will happen. It is wishful thinking to assume that “practicality” will keep a court from ruling according to the purpose of the law. “Easy use” can only be the servant to the true purpose of the norm, which has to prevail. Practicality has seldom kept a judge from overthrowing the practice of years. Therefore, caution is advised.
If we look at the requirement to collect only data necessary, if we give freedom of choice its true place, we need to consider giving the user the informed choice in each and concrete case. The most concrete way to do this would be to allow for selecting, agreeing to or denying the setting of each single cookie, at least as far as non-necessary cookies are concerned. A grouping could still occur, and a group could be made selectable too (“mark all in this group”, then “agree to all in this group”). This would enable the user looking for easiness of use to still have it. It would, however, still give him the full freedom of choice.
In any case, it may be in the interest of the website owner, though more complicated, if marketing cookies could be selected or declined individually. Let us assume someone dislikes the service X but would accept Y (because he knows the website owner does earn money through both). If his dislike for X would be sufficient, he would probably decline everything, if no selection mechanism would exist. Otherwise, he might just select one.
However, I do doubt myself whether anyone would actually go to that length when browsing a website. As it probably would be unlawful to have everything ticked initially, he would still very probably not accept any marketing cookie, unless the buttons would remarkably differ in favour of the non-functional cookies – something, again, legally doubtful.
All in all, looking back at what both parliaments and judges have brought over the internet, I believe that, without voicing a final opinion (and remarking that at the time of writing this, I did not use any marketing cookies anyhow, so I can, as long as this is the case, continue to use it legally, but would perhaps, without the option to select each cookie or not, have to reconsider if I introduced more than one marketing cookie), the best way to ensure safety for the users would be to enable the option to agree or decline single cookies (with, of course, no tick box checked but that of the technical necessary cookies). In some cases, like the Cookie of the VG Wort, it would be parliament which would have to find a way out for authors to be recompensed. But until then, it would be great to have a solution that would protect the users from any potential ruling in this matter that still may come by implementing the respective solution.
(To all who read this in the future, please note: This is the situation as observed when this comment was written. This comment is not to be seen as to reflect any definite legal opinion or to give any counsel, it is, rather, a mere response to a question given in private capacity added in the hope that my feature request will be heard, and no guarantee is given for the correctness of anything said or implied.)
P. S.: One further remark, if I may, as it does belong in this thread. Above, I had said that the plugin tells me that “Do Not Track” is activated (albeit it is not). I assumed this was referring to the plugin of that name. The German version tells me just “Du hast „Nicht verfolgen“ aktiviert. Dies verhindert die Platzierung der meisten Cookies. Bitte führe den Scan ohne aktiviertes „Nicht verfolgen“ aus.”. This sounds like a setting, not so much like a plugin. I am not sure what it is referring to exactly, though? Or would that refer to a browser setting?
P. P. S.: It does seem to refer to the browser setting, the hint vanished after I had changed the setting, so you do not need to investigate that any further. It may be helpful, though, to make clear in the wording that that is meant.
Ok, thank you. Let me know when you have come to a conclusion.
Best regards!
@luckilyhappy Hi! You have asked/stated this:
I would very much like to ask if you could not add a function to select each single cookie in the preferences, i.e. whether the visitor wants to accept it or not. From a brief look through the websites of various (German) lawyers, there seems to be a common understanding among many lawyers that, at the very least until a higher court will rule in these matters, it is quite risky not to offer that possibility. So I would very much like to encourage you consider such an option (for the free version, too, please, as this would be essential).
Although a website should inform the visitors of the purpose, the functionality and the retention period of each cookie, there is no legal obligation or common understanding amongst lawyers that an EU focussed website should ask consent on the level of the individual cookie. Also, the new draft of the e-Privacy Regulation does not mention this type of granular control. Should this however become a legal obligation, we will of course (as we have done before in the case of Germany and Austria or in the case of the UK) adjust the way ComplianZ works to help our customers and our open source collaborators.
That being said, since we are currently working on our TCF integration, we are already looking into ways of offering a more in depth granular control, so I will put your question as a feature-request on our backlog.
Hi Mathieu, thank you for your explanations. Yes, there is no common understanding of that – but there is none to the opposite opinion either. While it is convenient to ignore this, it is risky, still, for those who long for security. So to say “should this become a legal obligation” is, strictly speaking, a bit misleading: The only question can be whether it already is a legal obligation, for the law does (generally speaking now) not become law because of a court ruling, the court ruling, rather (again: generally speaking / in most cases) reveals what the law actually is. Of course, we can still hope that you are right, and it actually is NOT a legal obligation currently. That the new draft does not mention this, is, therefore, good to know, as it may point toward such a unified view.
But it is good that you have the situation in view, and thank you for taking my question as a feature-request.