New Google cookies

Hi @nuevaenword,

Have you indicated that you wish to block ReCaptcha before consent? (Wizard > Cookies > Integrations > “Select the types of third-party services you use” > Tick the reCAPTCHA checkbox > “Do you want to block reCAPTCHA before consent…” > “Yes”.)

Regarding Google Fonts, this can be hosted locally to prevent the API call. More information about this approach can be found here: https://complianz.io/self-hosting-google-fonts-for-wordpress/

Kind regards,
Jarno

Hi, Jarno. No. I cannot block reCAPTCHA before consent. It uses functional cookies. I’m using reCAPTCHA in order to protect the site. It has no sense to block protection prior consent. Any bot could just reject the consent and my site would become exposed.

As for Google Fonts, I don’t know what happens. The scan detects Google Fonts, but then sometimes the service appears in the policy and sometimes it doesn’t. By the way I’m not sure my theme is using Google Fonts. If your plugin uses Google Fonts, maybe is recognising the API from your plugin. It is strange because I cannot select any font when I’m writing in Gutenberg. The system has just the theme font. Thanks in advance.

Regards ??

Hi @nuevaenword,

If you do not block reCAPTCHA before consent, it would be expected that it places the corresponding Cookies. We don’t dictate what Cookies it places, you would have to reach out to Google for that, as we only block the script(s) that are responsible for placing them.

To add upon the discussion whether it only uses Functional cookies, Google says this about the reCATPCHA API:

You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and app data, and sending it to Google for analysis.

For more information about this, please refer to our earlier article on this subject: https://complianz.io/google-recaptcha-and-the-gdpr-a-possible-conflict/

As for Google Fonts, it is entirely possible that your theme that includes this. It would be hard for me to say what includes this on your website, without knowing the exact setup. But just to clarify: Complianz does not include Google Fonts.

Regards,
Jarno

Hi Jarno. Yes I know Google reCAPTCHA are going to be placed. This is not the problem. The problem is that the plugin doesn’t detect the cookies and doesn’t inform in the policy. According to Cookiedata.org there are 3 cookies related to Google reCAPTCHA. _grecaptcha is a functional cookie, rc::A, rc::B y rc::C are Marketing/Traking cookies. So, if I check to block Google reCAPTCHA cookies prior consent, what cookies are going to be blocked?

I understand and respect and apply RGPD. But I’m responsible as well for protect my site and my clients from malicious software. Stripe recommends Google reCAPTCHA, and the INCIBE recommends Google reCAPTCHA. According to my RGPD assesor I can use Google reCAPTCHA providing I have informed the users.

I agree with you I need the consent, but if I rely the protection of my entire site on the preferences of the user it is as if I close the door and offer the key to any one who ask me for access. So this to me justify the use of this cookie, they are necessary to protect the user.

Again, for Google Fotos cookies if they come from my site I’m happy with that. But what I want is the plugin detect those cookies. If cookies are functional they are saved without consent, but the policy must inform about them. If they are not functional, then the plugin must place those cookies in a way the user can block them and the policy must inform about them again. Thanks in advance.

Regards ??

• This reply was modified 3 years, 9 months ago by nuevaenword.

Hi @nuevaenword,

How did you implement reCaptcha? If we can reproduce the cookies set on Google.com we can help.

Do you use a specific plugin, contact form or do you add the API in Storefront? Is it version 2 or 3? All these specifics matter, please let me know so we can try reproducing this matter,

regards Aert

Hi Aert. First of all I want to apologize for all the trouble I’m giving. What worries me is that sometimes the scan detects some cookies and sometimes it doesn’t. I don’t know if the weather has something to do. Yesterday we had a terrible weather.

Yesterday I revised mi site in a different browser from which I was loged in. And I discovered new Google cookies, as I mentioned before. The cookies were settled without interaction on the part of the user. So I scanned the web, and the scan didn’t find those cookies (“NID”, “OGPC” and “CONSENT”). I looked for those cookies in cookiedatabase.org, and they belon to Google reCAPTCHA.

I cleared my browser, but the cookies remained. I cleared the caché in the web, the same result. I removed the cookies detected by the plugin, cleared the cache and made a new scan. Then the scan didn’t find those cookies, but many other cookies detected by the scan weeks before disappeared, with no reason. I haven’t changed the services or the configuration. At the same time,the plugin detects cookies pertaining to plugins that have been deleted months ago.

Answering your question, I have Google reCAPTCHA v3. I have the keys in Contact Form 7. It is very interesting to me that you mention the posibility to include the reCAPTCHA API in Storefront. I’m using reCAPTCHA not just to avoid SPAN, but to protect the web. It is recommended by Stripe and by INCIBE as well, maybe it would be better to place the API in Storefront, but I don’t know how, or if it is appropiate with this version, and Google doesn’t provide any help. In fact I don’t allow forms or purchase without registration. And in order to have an account the client must accept the Policy, and have to verify the email.

I hope that all of this helps. I apreciate very much your effort. I think it’s a good plugin. Thanks in advance.

Regards ??

Hi again Aert. I was wrong. Some of these cookies don’t belong to Google reCAPTCHA, just from Google. So what it seems that happened is that I created an account as a user to make a test and I use a gmail account. So, when I activated my new user account following the link provided on my gmail account, my web inherited all those Google cookies.

What is true is that for the moment I have lost some cookies, some of them from reCAPTCHA. Could I add those cookies manually and placed them in the appropiated services. Thanks in advance.

Regards ??

• This reply was modified 3 years, 9 months ago by nuevaenword.

Hi again. I had added manually “NID” (Google) cookie which is “Marketing/seguimiento” but it get installed without consent. And another cookie “store_notice”(WooCommerce) which purpose is “Preferences” it get installed without consent as well. Thanks in advance.

Regards ??

• This reply was modified 3 years, 9 months ago by nuevaenword.

Hi again. I have cleared completely the cookies in Edge. Google cookies disappeared, but _grecaptcha of course. Then I opened, in the same browser in another tab any page pertaining to Google, and when I came to the previous tab in which I had my site and refresh it, then the cookies CONSENT, NID, OGPC appeared. I suppose that if where logued in my gmail account then I whould have the SID cookie as well. So, these cookies are not in my system. At first I thought they were tracked because I have reCAPTCHA and maybe it connected with any page related to Google. But I test with another page with no Google service and with the same procedure the cookies NID and CONSENT appeared after refreshing the page.

I don’t know if I must reflect this somewhere in my policy.

I have made another discovery. In Edge, when you press the padlock you get access to different cookies than the developer tools. I have listed these cookies for you. There are wordpress cookies. It is the first time I see them and in many occasions there are several instances of the same cookie. I supose I have to inform in my policy about all these cookies. Here they are:

`complianz_policy_id

wordpress_ (without loging in. Several instances)

wordpress_logged_in_

wordpress_sec_(several instances)

wordpress_test_cookie

wordpresspass_(without login in. Several instances

wordpressuser_

wp-settings-

wp_postpass_(after login out)

wp-settings-time-

wp_woocommerce_session_`

Here you have some images of the cookies the developer tool in Edge shows. They correspond to different circumstances.

https://ibb.co/HByN3CL

https://ibb.co/x5cF9xg

https://ibb.co/WWHfpfn

I hope this help.

Thanks in advance.

Regards ??

Hi @nuevaenword,

As we now have two different topics that seem to have quite some overlap, I have closed the other one and I shall post my response here. Most of the cookies you have listed above are administrator cookies that are not relevant to your Cookie Policy.

The “page last updated on” will only be updated when you make changes in the Wizard, but this is not influenced by new Cookies being detected on your site. After a successful re-sync with CookieDatabase, the “policy has been synchronized” will update accordingly.

As for the scanned cookies, please note the difference between first and third-party cookies. If you scan using Incognito but have previously visited another Google service (Gmail for instance), you will see these cookies as well, while they are not placed or utilized by your site. This article contains all of the necessary information pertaining to the Cookie Scan and how to get the best results: https://complianz.io/cookie-scan-results/

Doing a re-sync every other day will cause you to hit the rate limit, and in this case, will only return newly detected Cookies.

Kind regards,
Jarno