Cookie Policy - update EU Cookie Plugin

Started by on Jan 10, 2020 – Contents updated: Jan 14, 2020

1 Jan 10, 2020 11:52    

Hello,

In the meantime, there are court rulings that show that it is necessary to actively consent to cookies, i.e. it is no longer sufficient to be able to refuse cookies.
This means that the EU plugin is no longer really compliant with the law.
Is there a way to change the cookie policy at b2e and upgrade the EU plugin?

These screenshots show how websites handle this (in the case of https://www.wienerzeitung.at)

Thanks and Regards, Will

2 Jan 10, 2020 14:54

In the meantime, there are court rulings that show that it is necessary to actively consent to cookies, i.e. it is no longer sufficient to be able to refuse cookies.

The cookie plugin allows only one thing: Consent to cookies. It does NOT allow to refuse.

So please explain in what regard it is not good enough "to actively consent to cookies".

Also link to court rulings that explain what is not good enough.

Also if you like cookiebot better, why don't you use it? (https://www.cookiebot.com/)

4 Jan 10, 2020 17:26

Hi @saunders

Though I don't use the plugin I have just enabled it and the one I have on 6.11.4 has the option to add text and a button to confirm the user agrees.

I also have a link to this on all screens

5 Jan 10, 2020 17:37

@saunders

here is the link to the ECJ ruling C-673/17 towards cookie consent from 1 October 2019: http://curia.europa.eu/juris/document/document.jsf?docid=218462&text=&dir=&doclang=EN&part=1&occ=first&mode=DOC&pageIndex=0&cid=7380994

Thanks. Please quote which paragraph in there you think is stating that what the cookie plugin displays is not good enough.

ALSO: can you retest b2evolution.net (or provide a link to the tool). I have temporarily enabled the cookie plugin here.

6 Jan 10, 2020 18:26

@fplanque the critical conclusion, at the end of the ruling:

On "https://cookieinformation.com/resources/blog/belgian-data-protection-authority-imposes-cookie-fine-of-15-000-to-sme" there you'll find this conclusion:

These tricky rules are not mine, but e.g. in Belgium an SME has to face a fine of €15.000 for unlawful use of cookies. So I want to avoid fines.

7 Jan 10, 2020 19:10

Hi @saunders

Regarding the first yellow highlight, I would have thought that was addressed by asking a user to check a box if they accept the use. That is a positive choice to accept, not one to reject, as you first wanted.

Regarding the second yellow highlight, that is only liable if a user asks the website owner for any personal data that would include identifiable information, not site cookies etc.

8 Jan 10, 2020 19:14

1) First highlight: our plugin does NOT have a pre-checked box, so this does not apply.

2) Second highlight: what prevents you from giving this information in the plugin dialog?

9 Jan 10, 2020 19:49

@fplanque

1) First highlight: our plugin does NOT have a pre-checked box, so this does not apply.


To avoid a misunderstanding. You have quasi activated cookies, e.g. by using Google Analytics. And this is like prechecked. And this cookie works from the very first touch with your website, before a visitor has any chance to accept or not be EU Consent by the plugin. If you use third party cookies by e.g. embedding YouTube videos, the visitors are not asked to allow, etc.

2) Second highlight: what prevents you from giving this information in the plugin dialog?


E.g. in the subtext of the EU Consent I link to the privacy policy. There the visitor gets information that she can decline matomo cookies etc.
But that is what has changed: To offer an option to decline tracing is not compliant (opt-out). Since that decision the owners of Websites have to offer Opt-In for each cookie and each tracking. That's the challenge. And it therefore does not matter whether a cookie is set via preactivated tickbox or without any. Anyway you have to ask.

For example:

10 Jan 10, 2020 19:50

@saunders

Further, for example, this site, b2evolution, places only a session cookie on my computer, which is exempt.

So I wonder what cookies you have on your site that you are implementing that gather personal data.

12 Jan 10, 2020 21:25

@saunders

As your result is in German I'm doing a similar test for my English habit and will see if any of the results show any personal data.

I'll then do the same test on my own site and respond.

Thanks

13 Jan 10, 2020 22:26

Well I did my site first and there is no personal data in any of the 22 cookies mentioned, my site's session cookie, my server's session cookie and most from third parties (Facebook, Google). The latter are not allowed and there is no actual storage on my computer but the report doesn't indicate that.

Further there is no identifiable info not even my IP which is static.

And I am not too bothered about what is stored on my computer as I can control that. The issue is what from my site is stored on others ~ that I am liable for.

I see nothing to indicate that the b2evo engine stores personal data in cookies on my computer.

The GDPR text only mentions the word cookie once in its 88 pages. Despite this, the GDPR has clear consequences for the use of cookies, because these are capable of collecting a wide variety of data that, according to the GDPR, can be defined as personal data.

A reason for the GDPR to only mention cookies once is that the ePrivacy Regulation is underway – a lex specialis to the GDPR, i.e. a specification and elaboration of the parts of the existing regulation that concern electronic communication.
https://www.cookiebot.com/en/gdpr-cookies/

As far as this forum goes I have found 4 cookies none of which relate to personal data. Sadly two are google and all are stored in the USA.

So I see no reason to concern myself with the GDPR as I see no personal data being collected and stored in cookies.

14 Jan 10, 2020 22:56

@saunders

Thanks for the private message showing the cookie situation of my site.

The iframes use other sites that do use cookies, but a) they are not cookies that I store on a user's computer so I am not liable, and b) they may be tracking cookies but there is no personal data so even the sites linked to have no liability to me.

The worst that could happen is that they get my IP address, which is easy enough anyway, so there is no need to store that in a cookie.

15 Jan 11, 2020 00:12

@saunders

1) 2) again, the plugin is asking the user to agree or to leave. If they continue to use the site, they get the cookies.

About Google Analytics or YouTube (let's suppose they land on a page with a YouTube video). What are we supposed to do? Not display the page?

3) You have not answered : why don't you use cookiebot if you think that's how things should be done?

4) You have not answered: where can I re-audit b2evolution.net with the cookie plugin enabled to see if the audit tool sees it?

16 Jan 12, 2020 19:51

@fplanque

1) 2) According to the ruling, it is not sufficient to obtain a blanket consent. It is required that consent is obtained for each cookie set and information must be provided for each cookie (such as duration, etc.). Furthermore, this consent is required even before the first cookie is set.
For example, if b2evolution sets the cookie by GA before the user accepts, this is not legally compliant. Even if the user does not agree, Google Analytics actually will continue to track every page view. This is a clear violation and shows that the cookie plugin does not really work in the legal sense. This means that every user of b2e runs the risk of being punished - at least within the EU.

3) I preferred to use instead of cookiebot https://wwwschutz.de/
I have already posted the test result for b2e as a screenshot further up in the thread

4) I would also be interested in that.

This is not about me wanting to know something better and wanting to be right. I deal professionally with questions concerning data protection. According to all information available to me, the current practice using EU Consent Plugin is inadequate and insufficient.
Every user can use it at his own risk.

Companies that use b2e and rely on the fact that the CMS by default complies with the current data protection laws would certainly not be happy about a penalty by the data protection authorities.

A further development of the current practice seems rather not to be expected. Perhaps this will happen in connection with the possibly even stricter provisions of the e-privacy regulation.

We do not need to continue this discussion.

PS: This is not only about GDPR, but also about the so-called EU Cookie Directive. And tracking is not only limited to cookies, but also includes tracking through image pixels, Java scripts etc. pp.

17 Jan 12, 2020 20:12

@saunders

We do not need to continue this discussion.

Ha! well you may say, but it is an important issue, as you first stated.
I just don't see how GA requires consent.

@fplanque

What is the purpose of using GA in b2evo, if as @saunders says, it raises problems regarding EU legislation? Not that I'm convinced it does. yet :)

I will continue this, now reading https://www.cookielaw.org/google-analytics-eu-cookie-law/

I keep coming back to the notion of personal data and wonder what personal data GA gets when used by b2evo?

18 Jan 12, 2020 22:13

@amoun

I keep coming back to the notion of personal data and wonder what personal data GA gets when used by b2evo?

I don't know.

What is the purpose of using GA in b2evo, if as @saunders says, it raises problems regarding EU legislation? Not that I'm convinced it does. yet :)

It's not used in b2evo. It is used on b2evolution.net for anonymous usage stats.

@saunders

Companies that use b2e and rely on the fact that the CMS by default complies with the current data protection laws

How does it not? It only requires the sessions cookie by default and that is a necessary cookie for site operation, which, as far as I understand poses no problem under GDPR.

Also you did not answer on this:

About Google Analytics or YouTube (let's suppose they land on a page with a YouTube video). What are we supposed to do? Not display the page? Not display the video?

19 Jan 13, 2020 09:44

@Saunders @fplanque

All seems fine to me. I have found any legislation to counter that b2evo is totally within EU legislation parameters

20 Jan 13, 2020 10:26

@amoun
yes, as long as you use b2e exclusively in its delivered core functions.

In case you add e.g. Google Analytics etc.pp. you have to take action to stay compliant. And the EU Consent Plugin in its actual version is not capable to the challenges of EU laws.

I hope that the EU ePrivacy Regulation, which should have been in force since 2018, but is on the long run because of lobbying by different industries, finally will clarify which consents are absolutely necessary and in what specific way this consents must be obtained and stored.

Until then, we run the risk of being punished by data protection authorities - precisely because of different legal opinions. However, these have been largely clarified by the ECJ ruling of October last year. Now it remains to be seen how this will affect national court proceedings.

PS: Here you'll find information that cookie regulation in accordance with Art. 5 Para. 3 Directive 2002/58 is not only focused on personal data, but on retrieval of information on his or her end device. (The webpage is translated by Google. So I cannot guarantee that the website has been translated correctly; I have not checked this.)
https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fshopbetreiber-blog.de%2F2019%2F10%2F09%2Feugh-opt-in-pflicht-fuer-cookies-was-online-haendler-jetzt-wissen-muessen%2F

21 Jan 13, 2020 15:07

@saunders

Thanks for the link, will read up

Update: have English version

Article 1 Scope and aim

  1. This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.

This text runs contrary to your assertion

is not only focused on personal data

Any reading of Article 5 must pertain to the aim else it is misinterpreted from my point of view, with the caveat of 'in particular' so will go over Article 5 :)

Article 5

  1. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

There is no indication that the information referred to here is other than personal information.

So to Directive 95/46/EC, which is even older legislation and refers to the same 'personal data'

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

So I'm still happy with the way b2evo is set up with a widget that allows information about any cookie that I may wish to store on visitors site. Depending upon the data I want to retrieve I can clarify what is stored to the user. If it is other than session cookie then I would ask for consent. Simples

22 Jan 13, 2020 16:54

@saunders

b2evo is totally within EU legislation parameters
yes, as long as you use b2e exclusively in its delivered core functions.

Exactly, so if you add third party functions and you think they don't comply with GDPR, you should also use third party add-ons (popups or whatever annoying consent requesting form you like the most) to comply with GDPR.

I do not consider it the job of b2evolution CMS to manage GDPR consent for third party plugins.

Note: I hear the cookie plugin doesn't comply to GDPR in your opinion. It doesn't really say it does but maybe it's still misleading. Would you feel better if we renamed that plugin to a more descriptive name like "Useless and annoying popup about cookies" ?

23 Jan 13, 2020 23:13

I don't think there's a requirement to say a site complies with the GDPR, just that the owner of a site is liable if it doesn't, so not misleading and does remind people that cookies are out of the oven and ready to be eaten.

25 Jan 14, 2020 16:44

@saunders
Thanks for the link, waiting for translation, though I don't allow google cookies on my computer, so will see if that's an issue. UPDATE: had to work around Google.

It's been interesting and I see that you are concerned, as no doubt both site owners are for their liability and users are for leaking personal data. To that end I have amended my cookie page to clarify my thoughts on it.

As for the article you refer to, it's much of the same, more opinion than legislation. Specifically to quote

For example, the GDPR stipulates that a button must be clicked before a user can interact with the website.
Well
a) I'd like to see that in the GDPR and
b) I think by opening a browser and clicking on a button, means you are already interacting with a website. So it all seems a load of non-logic and thereby nonsense. :) if by interacting they mean entering personal details, then I think 'we' all have agreed that consent to have such data stored anywhere should be clear, positive, and the data retrievable and deletable.

Thanks for your concern, I'm sure from some perspectives all you say is acceptable and actionable.

