
1 Jan 10, 2020 11:52    

Hello,

In the meantime, there are court rulings that show that it is necessary to actively consent to cookies, i.e. it is no longer sufficient to be able to refuse cookies.
This means that the EU plugin is no longer really compliant with the law.
Is there a way to change the cookie policy at b2e and upgrade the EU plugin?

These screenshots show how websites handle this (in the case of https://www.wienerzeitung.at)

Cookie Policy - update EU Cookie Plugin

Thanks and Regards, Will

2 Jan 10, 2020 14:54

In the meantime, there are court rulings that show that it is necessary to actively consent to cookies, i.e. it is no longer sufficient to be able to refuse cookies.

The cookie plugin allows only one thing: Consent to cookies. It does NOT allow to refuse.

So please explain in what regard it is not good enough "to actively consent to cookies".

Also link to court rulings that explain what is not good enough.

Also if you like cookiebot better, why don't you use it? (https://www.cookiebot.com/)

4 Jan 10, 2020 17:26

Hi @saunders

Though I don't use the plugin I have just enabled it and the one I have on 6.11.4 has the option to add text and a button to confirm the user agrees.

I also have a link to this on all screens

5 Jan 10, 2020 17:37

@saunders

here is the link to the ECJ ruling C-673/17 towards cookie consent from 1 October 2019: http://curia.europa.eu/juris/document/document.jsf?docid=218462&text=&dir=&doclang=EN&part=1&occ=first&mode=DOC&pageIndex=0&cid=7380994

Thanks. Please quote which paragraph in there you think is stating that what the cookie plugin displays is not good enough.

ALSO: can you retest b2evolution.net (or provide a link to the tool). I have temporarily enabled the cookie plugin here.

6 Jan 10, 2020 18:26

@fplanque the critical conclusion, at the end of the ruling:

On "https://cookieinformation.com/resources/blog/belgian-data-protection-authority-imposes-cookie-fine-of-15-000-to-sme" there you'll find this conclusion:

These tricky rules are not mine, but e.g. in Belgium an SME has to face a fine of €15.000 for unlawful use of cookies. So I want to avoid fines.

7 Jan 10, 2020 19:10

Hi @saunders

Regarding the first yellow highlight, I would have thought that was addressed by asking a user to check a box if they accept the use. That is a positive choice to accept not one to reject, as you first wanted.

Regarding the second yellow highlight, that is only liable if a user asks the website owner for any personal data that would include identifiable information, not site cookies etc.

8 Jan 10, 2020 19:14

1) First highlight: our plugin does NOT have a pre-checked box, so this does not apply.

2) Second highlight: what prevents you from giving this information in the plugin dialog?

9 Jan 10, 2020 19:49

@fplanque

1) First highlight: our plugin does NOT have a pre-checked box, so this does not apply.


To avoid a misunderstanding: you have quasi activated cookies, e.g. by using Google Analytics. And this is like prechecked. And this cookie works from the very first touch with your website, before a visitor has any chance to accept or not by EU Consent by the plugin. If you use third party cookies by e.g. embedding YouTube videos, the visitors are not asked to allow, etc.

2) Second highlight: what prevents you from giving this information in the plugin dialog?


E.g. in the subtext of the EU Consent I link to the privacy policy. There the visitor gets information that she can decline Matomo cookies etc.
But that is what has changed: To offer an option to decline tracing is not compliant (opt-out). Since that decision the owners of Websites have to offer Opt-In for each cookie and each tracking. That's the challenge. And it therefore does not matter whether a cookie is set via preactivated tickbox or without any. Anyway you have to ask.

For example:

10 Jan 10, 2020 19:50

@saunders

Further, for example, this site, b2evolution, places only a session cookie on my computer, which is exempt.

So I wonder what cookies you have on your site that you are implementing that gather personal data.

12 Jan 10, 2020 21:25

@saunders

As your result is in German I'm doing a similar test for my English habit and will see if any of the results show any personal data.

I'll then do the same test on my own site and respond.

Thanks

13 Jan 10, 2020 22:26

Well I did my site first and there is no personal data in any of the 22 cookies mentioned, my site's session cookie, my server's session cookie and most from third parties (Facebook, Google). The latter are not allowed and there is no actual storage on my computer but the report doesn't indicate that.

Further there is no identifiable info not even my IP which is static.

And I am not too bothered about what is stored on my computer as I can control that. The issue is what from my site is stored on others ~ that I am liable for.

I see nothing to indicate that the b2evo engine stores personal data in cookies on my computer.

The GDPR text only mentions the word cookie once in its 88 pages. Despite this, the GDPR has clear consequences for the use of cookies, because these are capable of collecting a wide variety of data that, according to the GDPR, can be defined as personal data.

A reason for the GDPR to only mention cookies once is that the ePrivacy Regulation is underway – a lex specialis to the GDPR, i.e. a specification and elaboration of the parts of the existing regulation that concern electronic communication.
https://www.cookiebot.com/en/gdpr-cookies/

As far as this forum goes I have found 4 cookies none of which relate to personal data. Sadly two are google and all are stored in the USA.

So I see no reason to concern myself with the GDPR as I see no personal data being collected and stored in cookies.

14 Jan 10, 2020 22:56

@saunders

Thanks for the private message showing the cookie situation of my site.

The iframes use other sites that do use cookies, but a) they are not cookies that I store on a user's computer so I am not liable, and b) they may be tracking cookies but there is no personal data so even the sites linked to have no liability to me.

The worst that could happen is that they get my IP address, which is easy enough anyway, so there is no need to store that in a cookie.

15 Jan 11, 2020 00:12

@saunders

1) 2) again, the plugin is asking the user to agree or to leave. If they continue to use the site, they get the cookies.

About Google Analytics or YouTube (let's suppose they land on a page with a YouTube video). What are we supposed to do? Not display the page?

3) You have not answered : why don't you use cookiebot if you think that's how things should be done?

4) You have not answered: where can I re-audit b2evolution.net with the cookie plugin enabled to see if the audit tool sees it?

16 Jan 12, 2020 19:51

@fplanque

1) 2) According to the ruling, it is not sufficient to obtain a blanket consent. It is required that consent is obtained for each cookie set and information must be provided for each cookie (such as duration, etc.). Furthermore, this consent is required even before the first cookie is set.
For example, if b2evolution sets the cookie by GA before the user accepts, this is not legally compliant. Even if the user does not agree, Google Analytics actually will continue to track every page view. This is a clear violation and shows that the cookie plugin does not really work in the legal sense. This means that every user of b2e runs the risk of being punished - at least within the EU.

3) I preferred to use instead of cookiebot https://wwwschutz.de/
I have already posted the test result for b2e as a screenshot further up in the thread

4) I would also be interested in that.

This is not about me wanting to know something better and wanting to be right. I deal professionally with questions concerning data protection. According to all information available to me, the current practice using EU Consent Plugin is inadequate and insufficient.
Every user can use it at his own risk.

Companies that use b2e and rely on the fact that the CMS by default complies with the current data protection laws would certainly not be happy about a penalty by the data protection authorities.

A further development of the current practice seems rather not to be expected. Perhaps this will happen in connection with the possibly even stricter provisions of the e-privacy regulation.

We do not need to continue this discussion.

PS: This is not only about GDPR, but also about the so-called EU Cookie Directive. And tracking is not only limited to cookies, but also includes tracking through image pixels, Java scripts etc. pp.

17 Jan 12, 2020 20:12

@saunders

We do not need to continue this discussion.

Ha! well you may say, but it is an important issue, as you first stated.
I just don't see how GA requires consent.

@fplanque

What is the purpose of using GA in b2evo, if as @saunders says, it raises problems regarding EU legislation? Not that I'm convinced it does. yet :)

I will continue this, now reading https://www.cookielaw.org/google-analytics-eu-cookie-law/

I keep coming back to the notion of personal data and wonder what personal data GA gets when used by b2evo?

18 Jan 12, 2020 22:13

@amoun

I keep coming back to the notion of personal data and wonder what personal data GA gets when used by b2evo?

I don't know.

What is the purpose of using GA in b2evo, if as @saunders says, it raises problems regarding EU legislation? Not that I'm convinced it does. yet :)

It's not used in b2evo. It is used on b2evolution.net for anonymous usage stats.

@saunders

Companies that use b2e and rely on the fact that the CMS by default complies with the current data protection laws

How does it not? It only requires the sessions cookie by default and that is a necessary cookie for site operation, which, as far as I understand poses no problem under GDPR.

Also you did not answer on this:

About Google Analytics or YouTube (let's suppose they land on a page with a YouTube video). What are we supposed to do? Not display the page? Not display the video?

19 Jan 13, 2020 09:44

@Saunders @fplanque

All seems fine to me. I have found any legislation to counter that b2evo is totally within EU legislation parameters

20 Jan 13, 2020 10:26

@amoun
yes, as long as you use b2e exclusively in its delivered core functions.

In case you add e.g. Google Analytics etc.pp. you have to take action to stay compliant. And the EU Consent Plugin in its actual version is not capable to the challenges of EU laws.

I hope that the EU ePrivacy Regulation, which should have been in force since 2018, but is on the long run because of lobbying by different industries, finally will clarify which consents are absolutely necessary and in what specific way this consents must be obtained and stored.

Until then, we run the risk of being punished by data protection authorities - precisely because of different legal opinions. However, these have been largely clarified by the ECJ ruling of October last year. Now it remains to be seen how this will affect national court proceedings.

PS: Here you'll find information that cookie regulation in accordance with Art. 5 Para. 3 Directive 2002/58 is not only focused on personal data, but on retrieval of information on his or her end device. (The webpage is translated by Google. So I cannot guarantee that the website has been translated correctly (I have not checked this).)
https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fshopbetreiber-blog.de%2F2019%2F10%2F09%2Feugh-opt-in-pflicht-fuer-cookies-was-online-haendler-jetzt-wissen-muessen%2F

21 Jan 13, 2020 15:07

@saunders

Thanks for the link, will read up

Update : have English version

Article 1 Scope and aim

  1. This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.

This text runs contrary to your assertion

is not only focused on personal data

Any reading of Article 5 must pertain to the aim else it is misinterpreted from my point of view, with the caveat of 'in particular' so will go over Article 5 :)

Article 5

  1. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

There is no indication that the information referred to here is other than personal information.

So to Directive 95/46/EC which is even older legislation and refers to the same 'personal data'

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

So I'm still happy with the way b2evo is set up with a widget that allows information about any cookie that I may wish to store on visitors site. Depending upon the data I want to retrieve I can clarify what is stored to the user. If it is other than session cookie then I would ask for consent. Simples

22 Jan 13, 2020 16:54

@saunders

b2evo is totally within EU legislation parameters
yes, as long as you use b2e exclusively in its delivered core functions.

Exactly, so if you add third party functions and you think they don't comply with GDPR, you should also use third party add-ons (popups or whatever annoying consent requesting form you like the most) to comply with GDPR.

I do not consider it the job of b2evolution CMS to manage GDPR consent for third party plugins.

Note: I hear the cookie plugin doesn't comply to GDPR in your opinion. It doesn't really say it does but maybe it's still misleading. Would you feel better if we renamed that plugin to a more descriptive name like "Useless and annoying popup about cookies" ?

23 Jan 13, 2020 23:13

I don't think there's a requirement to say a site complies with the GDPR, just that the owner of a site is liable if it doesn't, so not misleading and does remind people that cookies are out of the oven and ready to be eaten.

25 Jan 14, 2020 16:44

@saunders
Thanks for the link, waiting for translation, though I don't allow google cookies on my computer, so will see if that's an issue. UPDATE: had to work around Google.

It's been interesting and I see that you are concerned as no doubt both site owners are for their liability and users are for leaking personal data. To that end I have amended my cookie page to clarify my thoughts on it.

As for the article you refer to, it's much of the same, more opinion than legislation. Specifically to quote

For example, the GDPR stipulates that a button must be clicked before a user can interact with the website.
Well
a) I'd like to see that in the GDPR and
b) I think by opening a browser and clicking on a button, means you are already interacting with a website. So it all seems a load of non-logic and thereby nonsense. :) if by interacting they mean entering personal details, then I think 'we' all have agreed that consent to have such data stored anywhere should be clear, positive, and the data retrievable and deletable.

Thanks for your concern, I'm sure from some perspectives all you say is acceptable and actionable.

26 Feb 03, 2020 10:35

I have a project ahead of me where I thought that B2E could - finally - be used.
But when reading this thread then I am "scared".
Is it so, that B2E is currently not compliant with EU-laws?
Not even with this plugin: https://plugins.b2evolution.net/cookie-consent-plugin ?

Is there any intention to update B2E(Plugin) to make B2E "usable" within the EU?

Thanks.

27 Feb 03, 2020 11:42

Hi @northlight

The essential session cookie that b2evo uses is exempt from the EU GDPR as are all essential site cookies and that is all the default b2evo uses.

If you embed any other cookie demanding add-ons, like live weather maps then it is 'your' responsibility not that of b2evo.

So the plugin is fine for the default install.

If you choose to use Facebook, and Google plugins for your visitors, then you may want to add to the extra field in the cookies plugin to inform them, or make a dedicated page explaining the GDPR.

28 Feb 03, 2020 15:25

@northlight b2evolution does NOT set any user tracking cookies. Therefore there is no cookie compliance issue. Even the Cookie Consent Plugin is NOT needed on a standard install.

You only need to worry about legal cookie issues when you add 3rd party javascript to your website. The CMS has nothing to do with this.

29 Feb 12, 2020 05:37

@fplanque wrote earlier:

You only need to worry about legal cookie issues when you add 3rd party javascript to your website. The CMS has nothing to do with this.

What about Adsense?
Is this a 3rd party plugin or is it part of b2e - since it is delivered with b2e?

30 Feb 12, 2020 20:30

The Adsense plugin is an empty shell where you can put your own javascripts.

We will remove that plugin from the distribution to avoid confusion though.

31 Feb 13, 2020 12:24

Thanks for your feedback fplanque.

If B2E developers want B2E to be used within the EU or by EU visitors, then they must get active in this matter.

The attitude - taking all Plugins/Widgets out of the download package - isn't helpful for b2evolution.
Maybe a separate plugin should be available which adds "EU-functionality" to b2evolution?

It would be a pity if a lack of EU-conformity would be a show-stopper for this CMS.

32 Feb 13, 2020 14:37

@northlight

Excuse my butting in on the issue you have

The attitude - taking all Plugins/Widgets out of the download package - isn't helpful for b2evolution.
Maybe a separate plugin should be available which adds "EU-functionality" to b2evolution?

Plugins that require GDPR checks re. cookies and tracking will each require individual permissions to be effective. Agreeing to one set of cookies does not mean agreement to all. Neither can there legally be a blanket agreement on a range of cookies ~ as most sites seem to ask and imply is GDPR compliant.

So it is hard to see how the developers of the b2evo engine should monitor all plugins.

It would be convenient for all the plugin developers to have the core b2evo engine team to do this but it seems unreasonable to me.

In view of @fplanque's note to remove one plugin: There is no suggestion that removing more plugins is likely, as available plugins that are installed by the site's owners are their responsibility, not that of b2evo

I do note also that the adsense plugin is there for the site owner to use. In its provided state it needs no GDPR compliance. Compliance occurs only when the site owners use it to gather information via cookies etc. Hence @fplanque's wording "it will be removed to save confusion"

I think direct to your concern

  1. ~ The attitude - taking all Plugins/Widgets out of the download package - isn't helpful for b2evolution.

There was no mention of taking all the plugins out of the download package.

  1. ~ Maybe a separate plugin should be available which adds "EU-functionality" to b2evolution?

a) It would be onerous and nigh on impossible for b2evo to envisage how b2evo may be used by downloaders and

b) There is no evidence that b2evo is not 100% compliant as it is

c) There is no such thing as 'EU-functionality'

Hope you are ok and enjoying b2evo and the EU Weather, both of which exist in the EU but are not a part of the EU :)

33 Feb 13, 2020 16:22

@amoun wrote earlier:

Excuse my butting in on the issue you have

It's not my issue. I don't use b2evolution - yet.

But it is an issue for b2evolution CMS if folks in the EU can't use b2evolution or those who want to make business with folks in the EU but are outside the EU.
There are CMSs which have a "cookie management" or there are plugins available that make their CMS "EU-conform".

Again, I have a project ahead of me where I was thinking to go with b2e but if I must be afraid of receiving a https://en.wikipedia.org/wiki/Abmahnung or similar - then b2e is not an option.

35 Feb 14, 2020 00:24

@northlight That cookieconsent script does NOT do ANY real cookie disabling if you don't add specific code for each cookie you use.

You MUST start with knowing exactly WHICH cookies you want to enable/disable based on user consent.

Do you?

Do you know any other magical plugin that finds all cookies your site might be setting, asks you if it is essential or tracking or this or that and then enables/disables it automatically?

I do NOT think any CMS has that.

There may be commercial third party solutions that attempt to do that but I have never seen one that actually clearly explains what it does.

36 Feb 14, 2020 12:02

@northlight

Thanks for your continued concern, though as I said I think it's misplaced. @fplanque put it quite succinctly.

Links and embedded objects, such as weather maps I use will no doubt try and place cookies etc on a visitor's local computer. More importantly they do not or are unlikely to detail or explain the cookies so that a user has much choice.

I can't decide what cookies facebook want or will place so I cannot warn any visitor. All I can do is to stop the cookies on my site ~ with ease.

I am not responsible for cookies by google and the like who place cookies on other computers that may have got to google via an app or object on my site.

I do not control the data that google and the like place anywhere so I cannot respond to any EU legislation that requires any control of such info.

And of course b2evo only uses session cookies which are exempt.

I hope you are feeling a little bit more comfortable :)

37 Feb 14, 2020 16:03

@amoun

I can't decide what cookies facebook want or will place so I cannot warn any visitor. All I can do is to stop the cookies on my site ~ with ease.

I am not responsible for cookies by google and the like who place cookies on other computers that may have got to google via an app or object on my site.

Well, what you could do is NOT include a weather map or a facebook widget until the user has given consent for these (and the cookies that come with it).

(and yes, let's remind everyone, once again, that b2evolution does NOT include weather maps or facebook widgets)
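
What "do not include the embed until the user has consented" can look like in code, as an added example that is not part of the thread, of b2evolution or of its cookie plugin. The inventory, the `embed_consent` cookie name and the `data-embed` placeholder attribute are assumptions made for illustration; the webmaster still has to list every third-party embed and its purpose by hand.

```javascript
// Added example (hypothetical names): opt-in gating of third-party embeds.
// Constructed inventory: each embed is declared with the purpose it needs consent for.
const EMBEDS = [
  { id: 'session', purpose: 'essential', kind: null, src: null },
  { id: 'analytics', purpose: 'statistics', kind: 'script', src: 'https://analytics.example/tracker.js' },
  { id: 'video', purpose: 'media', kind: 'iframe', src: 'https://video.example/embed/abc' },
  { id: 'weather', purpose: 'media', kind: 'iframe', src: 'https://weather.example/map' },
];

const CONSENT_COOKIE = 'embed_consent'; // assumed first-party cookie storing the choices

// Parse "embed_consent=statistics:0|media:1" out of a document.cookie string.
// A missing cookie or a malformed value yields no consent at all (default deny).
function parseConsent(cookieString) {
  const consent = Object.create(null); // no inherited keys such as "constructor"
  const pair = String(cookieString || '')
    .split(';')
    .map((part) => part.trim())
    .find((part) => part.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return consent;
  let raw;
  try {
    raw = decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1));
  } catch (err) {
    return consent; // broken percent-encoding: treat as no consent
  }
  for (const item of raw.split('|')) {
    const match = /^([a-z]+):([01])$/.exec(item);
    if (match) consent[match[1]] = match[2] === '1';
  }
  return consent;
}

// Decide per embed: essential items always load, everything else only on an
// explicit "yes" for its purpose. An unknown or unanswered purpose stays blocked.
function planEmbeds(embeds, consent) {
  const load = [];
  const blocked = [];
  for (const embed of embeds) {
    if (embed.purpose === 'essential' || consent[embed.purpose] === true) {
      load.push(embed.id);
    } else {
      blocked.push(embed.id);
    }
  }
  return { load, blocked };
}

// Browser side: the page ships inert placeholders such as
//   <div data-embed="video">Video (loads after consent)</div>
// so no request reaches the third party before the user has agreed.
function activate(doc, embeds, consent) {
  const { load } = planEmbeds(embeds, consent);
  for (const embed of embeds) {
    if (!embed.src || !load.includes(embed.id)) continue;
    for (const slot of doc.querySelectorAll('[data-embed="' + embed.id + '"]')) {
      const el = doc.createElement(embed.kind);
      el.src = embed.src;
      slot.replaceWith(el);
    }
  }
}

// Runs only in a browser; under Node there is no document and nothing happens.
if (typeof document !== 'undefined') {
  activate(document, EMBEDS, parseConsent(document.cookie));
}
```
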

38 Feb 14, 2020 16:14

@fplanque

Well, what you could do is NOT include a weather map or a facebook widget until the user has given consent for these (and the cookies that come with it).

That wasn't a request for help. What I mean is that I cannot control any changes an external site makes to their cookie demands, so I don't see how I can be responsible for third party sites that can do what they like.

My view is the EU GDPR is about data collection and responsibility for that data. I do not collect data by adding third party constituents to my site, but it could be considered polite to inform users that third parties do, and that I have no control over those parties except not to use them. However if the idea is that I have to inform people of the individual cookies and how to disable them, I think I will wait to see more of EU legislation use before I concern myself with that.

39 Feb 14, 2020 17:51

That wasn't a request for help.

I know, it was a rhetorical "could do".

What I mean is that I cannot control any changes an external site makes to their cookie demands, so I don't see how I can be responsible for third party sites that can do what they like.

The GDPR people will tell you that you are responsible for embedding third party "potentially raping the users with cookies" rogue iframes/javascripts in the first space... and that... if you do choose to embed such 3rd party code, then suddenly it is your responsibility to know what cookies it may place because the end user is too stupid to clear his cookies himself.

Personally I stopped including things like Facebook widgets long before GDPR.

Most "GDPR people" though will embed all kinds of 3rd party scripts, will NOT even know what they included and will demand a "magic plugin to solve everything" (with having no definition of "everything" AT ALL), which doesn't exist anywhere.

So again, my question to anyone demanding a "magic plugin" is: what exactly do you expect it to do? Besides asking user for consent.
If user says yes, then what? (Osano does this: record choice , then NOTHING)
If user says no, then what? (Osano does this: record choice , then NOTHING)

(So yes, we also do have a plugin that does the dialog and nothing more).

40 Feb 15, 2020 12:36

The GDPR people will tell you that you are responsible for embedding third party "potentially raping the users with cookies" rogue iframes/javascripts in the first space... and that... if you do choose to embed such 3rd party code, then suddenly it is your responsibility to know what cookies it may place because the end user is too stupid to clear his cookies himself.

I agree with all your points but am doubtful the EU can really expect the above. I await their contact :) and will keep the kettle on, or is that the wine for continentals

41 Feb 15, 2020 19:16

Would you feel better if we renamed that plugin to a more descriptive name like "Useless and annoying popup about cookies" ?

@fplanque You'd make a good American.

42 Feb 17, 2020 00:14

@northlight

Maybe a separate plugin should be available which adds "EU-functionality" to b2evolution?

Please define "EU-functionality".

If you try, you will find that what the EU requires cannot be handled by "magic code" but requires deep involvement from webmasters. (And I don't like it either.)

43 Feb 17, 2020 09:36

Sorry - I needed some time...

Any idea how this is solved here - because this looks convenient for the website visitor:
https://www.korrosionsschutz-depot.de/
When clicking on "Datenschutzeinstellungen" within "Cookie Einstellungen" (CookieConsentManager) the visitor can manage the website cookies.

Thank you.

44 Feb 18, 2020 02:28

I would say the webmaster made a list of all cookies he uses (which are certainly not part of his CMS), described them and then used a plugin to show that list and allow some switching (again, certainly not part of his CMS).

45 Feb 18, 2020 11:19

@fplanque

I would say the webmaster made a list of all cookies he uses (which are certainly not part of his CMS), described them and then used a plugin to show that list and allow some switching (again, certainly not part of his CMS).

By the way the 'quote' option in the previous comment didn't work so the above was manually entered. Maybe a one off?

Back to this sweet but dry overly wrapped snack.

Exactly! and to all you cookie warriors :- exactly what I have no intention of doing, as I don't require cookies. And there's no way I'm going to continuously check my weather map iframes embed to see what the producers want to place on someone else's computer. That's an overbaked biscuit expectation.

My view is that linked to and embedded objects are required to explain themselves and I note that if I click on a twitter embed in a bbc.co.uk/news feed twitter ask if I will accept their cookies, which I don't and everything works fine.

Given that there is the option to turn off cookies on most/all browsers then the client could take more responsibility when visiting sites.

