Community @ The Turning Gate

Support community for TTG plugins and products.

NOTICE

The Turning Gate's Community has moved to a new home, at https://discourse.theturninggate.net.

This forum is now closed, and exists here as a read-only archive.

  • New user registrations are disabled.
  • Users cannot create new topics.
  • Users cannot reply to existing topics.

#1 2019-11-16 01:45:47

Markus
Member
From: Witten - Germany
Registered: 2012-10-06
Posts: 204
Website

New court decision of 01 October 2019 on GDPR. Cookies must be changed

Good evening from Germany,

On 23 May 2018 the DSGVO/GDPR came into force within Europe and Germany. In the privacy settings of the web interface you have already implemented the usage of cookies very well. As it now stands, the usage of cookies can be accepted (banner regulation).

However, unfortunately this solution is not sufficient anymore as per court decision on 01 October 2019. Cookies need to be stored and recalled for any visitor. Moreover, for each visitor of my site there has to be some kind of opt-in and opt-out options for cookies in use, unless they are bound to be specific and crucial to run the site.

Here are the laws:

Personal data and data subjects:
https://eur-lex.europa.eu/legal-content … 1e3373-1-1
Judgement Cookie to 01.10.2019:
http://curia.europa.eu/juris/document/d … rst&part=1

Well, there are some providers for services of cookie implementation around (e.g. https://www.cookiebot.com/en/). Their websites state that the new cookie feature has to be implemented from 01 October 2019 onwards.

I had my old homepage tested, which wasn't finished yet. Over 2.300 subpages came out. The protocol showed that every photo of the gallery was counted as a subpage. I should have been paid EUR 21 for this service pcm. For a hobby a little too much, I think.

Meanwhile I found out that the photos are exported by TTG as sides. As a result all photos will be displayed as subpages, which are far too many.

Actually the photos should rather run as embedded post, right? This would actually only count the album sets and albums and then the third-party service of cookies would be free of charge for me as I would not reach their maximum pages.

It is not only I who has an issue with this; all users of TTG who are located in Europe, and especially in Germany, will face it. I would like to ask when we could expect a cookie solution from your side in order to apply the new regulations. As I understand the new regulation, it would be a great idea to have all photos either embedded as a post, or the much simpler solution would be that you update the cookie process of TTG to conform with the regulations and court decisions. Because I am not able to solve this issue on my own, I have to seriously think about stopping my homepage altogether in order not to get fined because I did not apply the laws, regulations and court decisions.

I am looking forward to hearing from you soon. Thank you very much indeed for your support.

Best regards, Markus

Offline

#2 2019-11-17 05:55:12

Rainer Goergen
Member
From: Trier, Germany
Registered: 2016-05-01
Posts: 401
Website

Nonsense - don't wet your pants.

Offline

#3 2019-11-21 17:56:46

dussel
Member
From: OWL / Germany
Registered: 2013-05-27
Posts: 61
Website

Rainer Goergen wrote:

Nonsense - don't wet your pants.

Hi,
what do you mean by that...? Simply ignore the legal situation? That can't be right either.
And once you have some nitpicker of a lawyer on your heels, it gets expensive. From what I have seen on your homepage, you are going the route of ignoring it completely. You haven't "even" implemented the old cookie rules.
I'll keep my fingers crossed for you that you don't someday find a cease-and-desist letter in your mailbox.

Regards
Rolf


https://www.rl-foto.de Due to the DSGVO in Europe offline yet

Offline

#4 2019-11-21 18:04:25

dussel
Member
From: OWL / Germany
Registered: 2013-05-27
Posts: 61
Website

Hello,
I'm very surprised that nobody seems to see a need here? I think that at least in Europe there are enough users who are affected by the new regulation.
Meanwhile I have closed my site, because I don't want to do all this legal stuff anymore. Actually I wanted to present my hobby with my site, but meanwhile one has to do more with the legal side - and is always uncertain whether it is sufficient according to the claims of the lawyers, what one has done.
But apparently the topic is ignored on a large scale?
Can't TTG support this cookie topic proactively?

Greetings
Rolf


https://www.rl-foto.de Due to the DSGVO in Europe offline yet

Offline

#5 2019-11-22 05:41:29

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

dussel wrote:

Can't TTG support this cookie topic proactively?

Hi Rolf, you overestimate our resources, and we do not have a legal department to interpret legalese. What we can do is look to implement any of the new requirements, if they are put to us in layman’s terms. What’s your understanding of the changes that apply from October 1?

Offline

#6 2019-11-22 06:34:04

tgalex
Member
From: Saline, Michigan
Registered: 2016-06-22
Posts: 102
Website

Ben - I have a quick question regarding Backlight on this matter.  Does Backlight 2 use cookies and if yes, for what purpose? As a website owner using Backlight as the tool for my site, I don’t personally use cookies but may collect personal data through my contact/sales page and can deal with that. It would help to understand if Backlight uses them somehow without our knowledge.

I’ve been wondering since these conversations started on the forum.  Thanks.

Offline

#7 2019-11-22 09:16:17

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

Hi Terry, there is a common misconception that cookies are only used to store personal or identifiable data.  Backlight 2 (and Backlight 1) uses cookies for the most benign of reasons, and a reason that just about all dynamic sites on the web do: to know that a page view is by the same browser as a previous page view and use that information for usability and performance.  For example, the site settings and language values are loaded once per session and associated with the user, who is otherwise anonymous.  This improves performance.  When language dropdowns are used, this association enables the server to return pages in the same language as chosen in prior page views.  Without this the user would need to choose the language for every single page load.  For shopping carts and client response, the cart contents and feedback associated to the browser are kept on the server, so that they are not lost from page view to page view.
None of this information is identifiable to the user, and none of it is kept in the browser.  Instead, all that the browser cookie stores is a unique identifier (you can see this by browsing to a Backlight 2 site such as https://somethingchanged.com and viewing the cookies in the inspector - there is one, PHPSESSID).
The identifier and associated data isn't tracked to identifiable information, isn't saved beyond the lifetime of the session, isn't shared outside of the system to us (TTG) or anybody else, and isn't used to track you from one site to another.

Another use case for cookies is to identify logins.  Without knowing that a page view came from the same browser that was logged in to client managed albums or the Backlight admin, there is no way to maintain a log in session.

Offline
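
What Ben describes checking by eye in the browser inspector can also be checked from a site's `Set-Cookie` response headers. This is an added example, not part of the original posts and not Backlight code; the header values are constructed samples, and the identifier pattern is a heuristic for PHP session IDs.

```javascript
// Added example, not Backlight code. The header values are constructed samples.
const SAMPLE_HEADERS = [
  "PHPSESSID=k3v9q0a7m2c8r1t6b4n5d0s9e2; path=/; HttpOnly; Secure; SameSite=Lax",
  "example_stats=GA1.2.111.222; Domain=.example.test; Path=/; Max-Age=63072000",
];

// Heuristic: PHP session IDs are 22-256 characters from 0-9, a-z, A-Z, "-" and ",".
const OPAQUE_ID = /^[A-Za-z0-9,-]{22,256}$/;

// Split one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  if (eq < 1) throw new Error("malformed Set-Cookie value: " + header);
  const cookie = { name: first.slice(0, eq), value: first.slice(eq + 1), attrs: {} };
  for (const part of parts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Report lifetime, whether the value is a bare identifier, and missing flags.
function auditCookie(header, now = Date.now()) {
  const { name, value, attrs } = parseSetCookie(header);
  let lifetimeSeconds = null; // null means a session cookie
  if (typeof attrs["max-age"] === "string" && /^-?\d+$/.test(attrs["max-age"])) {
    lifetimeSeconds = Number(attrs["max-age"]); // Max-Age takes precedence over Expires
  } else if (typeof attrs.expires === "string" && !Number.isNaN(Date.parse(attrs.expires))) {
    lifetimeSeconds = Math.round((Date.parse(attrs.expires) - now) / 1000);
  }
  const result = {
    name,
    session: lifetimeSeconds === null,
    lifetimeDays: lifetimeSeconds === null ? 0 : Math.round(lifetimeSeconds / 86400),
    opaqueId: OPAQUE_ID.test(value),
    findings: [],
  };
  if (!result.session) result.findings.push("persists after the browser closes");
  if (!result.opaqueId) result.findings.push("value is not a bare identifier");
  if (attrs.httponly !== true) result.findings.push("missing HttpOnly");
  if (attrs.secure !== true) result.findings.push("missing Secure");
  if (typeof attrs.samesite !== "string") result.findings.push("missing SameSite");
  return result;
}

function auditAll(headers, now = Date.now()) {
  return headers.map((h) => auditCookie(h, now));
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(r.name, r.session ? "session" : r.lifetimeDays + " days", r.findings);
}
```

A cookie with no `Max-Age` or `Expires` is a session cookie; anything with a lifetime is what a consent scanner will want categorised.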

#8 2019-11-22 09:26:21

tgalex
Member
From: Saline, Michigan
Registered: 2016-06-22
Posts: 102
Website

Thanks Ben - great explanation!  It appears that since nothing is saved once the session closes, there should not be anything to provide to someone that requests the data, alleviating much of the concern of the German courts - but I too am not a lawyer.

Offline

#9 2019-11-22 10:07:30

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

Hi Terry, the details aren't removed immediately at the end of a session (session meaning the user closes the window or leaves the site).  PHP has a few settings that determine how often sessions get cleaned up and I haven't reviewed this beyond the lens of making the site usable.  For your own understanding, the various sessions are usually saved in files within backlight/data/sessions/ on your server, that can be accessed by FTP and not through the web or by other means. These files are text files that are readable to a degree.
On my server, I have 183 files that are at most 90 minutes old.  Looking at a couple of them, there are a large number of site settings that mirror what's kept in the database, and nothing pertaining to end-user information.  These settings are used for site operation and are not usually returned to the user as shown in the session files.

Offline
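
The manual check Ben describes (how old the session files are, and whether any of them hold end-user information) can be scripted. This is an added example, not part of the original posts and not Backlight code; the retention limit, the two personal-data patterns and the sample records are assumptions constructed for illustration.

```javascript
// Added example, not Backlight code. Sample records below are constructed.
const PATTERNS = {
  email: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  ipv4: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
};

// Reads every regular file in a session directory (Node.js, CommonJS).
// Run it on the server or on a copy of the directory fetched over FTP.
function loadSessionFiles(dir) {
  const fs = require("fs");
  const path = require("path");
  return fs.readdirSync(dir, { withFileTypes: true })
    .filter((entry) => entry.isFile())
    .map((entry) => {
      const full = path.join(dir, entry.name);
      return {
        name: entry.name,
        mtimeMs: fs.statSync(full).mtimeMs,
        content: fs.readFileSync(full, "latin1"),
      };
    });
}

// Flags files older than the limit and files containing personal-data patterns.
// Only counts are reported, so the report itself never repeats the data found.
function auditSessions(files, maxAgeMinutes, now = Date.now()) {
  const report = { total: files.length, oldestMinutes: 0, stale: [], personalData: [] };
  for (const file of files) {
    const ageMinutes = Math.floor((now - file.mtimeMs) / 60000);
    report.oldestMinutes = Math.max(report.oldestMinutes, ageMinutes);
    if (ageMinutes > maxAgeMinutes) report.stale.push(file.name);
    const counts = {};
    for (const [kind, pattern] of Object.entries(PATTERNS)) {
      const hits = file.content.match(pattern);
      if (hits) counts[kind] = hits.length;
    }
    if (Object.keys(counts).length > 0) report.personalData.push({ file: file.name, counts });
  }
  return report;
}

// Constructed records in the shape loadSessionFiles() returns.
function sampleFiles(now) {
  const minutesAgo = (m) => now - m * 60000;
  return [
    { name: "sess_aaa", mtimeMs: minutesAgo(10), content: 'language|s:2:"en";theme|s:4:"dark";' },
    { name: "sess_bbb", mtimeMs: minutesAgo(200),
      content: 'contact|s:20:"visitor@example.test";remote|s:11:"203.0.113.7";' },
    { name: "sess_ccc", mtimeMs: minutesAgo(95), content: 'language|s:2:"de";' },
  ];
}

const demoNow = Date.now();
console.log(JSON.stringify(auditSessions(sampleFiles(demoNow), 90, demoNow), null, 2));
```

For a real check, pass `loadSessionFiles("backlight/data/sessions")` instead of the sample records; how long PHP keeps the files is governed by its `session.gc_maxlifetime`, `session.gc_probability` and `session.gc_divisor` settings.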

#10 2019-11-22 12:05:19

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

I've run a compliance test on https://somethingchanged.com through Cookiebot, and it returned a result of Compliant.  It found one cookie (as described above), that it deemed a 'necessary' cookie for the site to run.  According to the report, necessary cookies don't need consent, so the consent pop-up that BL2 does provide should be more than necessary to cover this.
Where things get murkier is in data retention.  That applies to Client Response and the Cart.  Do you use either of these?

Offline

#11 2019-11-22 12:37:00

tgalex
Member
From: Saline, Michigan
Registered: 2016-06-22
Posts: 102
Website

I use Fotomoto rather than the cart, and once a client hits the order button they are shifted direct to their site and not mine.  I do use the Client Response to add individuals to a mailing list but only if they indicate they want updates.  Beyond that there is no data maintained by me.  I would imagine many users of Backlight are similar to this, and as of now I’m pretty comfortable with the data rules, but then I don’t reside in Europe.

Offline

#12 2019-11-22 14:02:48

Daniel Leu
Moderator
Registered: 2012-10-11
Posts: 1,624
Website

Hi Ben,

I run Cookiebot on my site as well and get in addition the Google tracking cookies:

_ga danielleu.com HTTP 2 years
First found URL: https://danielleu.com/
Cookie purpose description: Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
Initiator: Script tag, page source line number 56
Source: https://www.google-analytics.com/analytics.js
Data is sent to: United States (adequate)
Prior consent enabled: No


Daniel Leu | Photography   
DanielLeu.com
My digital playground (eg, Backlight tips&tricks): lab.DanielLeu.com

Offline

#13 2019-11-22 17:40:29

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

Hi Daniel, that's your Google Analytics code.  Have you added it through PHPlugins?

Offline

#14 2019-11-23 00:46:34

Daniel Leu
Moderator
Registered: 2012-10-11
Posts: 1,624
Website

Hi Ben, no, I use Backlight 2 to insert the Google Analytics code.


Daniel Leu | Photography   
DanielLeu.com
My digital playground (eg, Backlight tips&tricks): lab.DanielLeu.com

Offline

#15 2019-11-23 13:20:31

Matthew
Administrator
From: San Francisco, CA
Registered: 2012-09-24
Posts: 5,795
Website

Daniel Leu wrote:

Hi Ben, no, I use Backlight 2 to insert the Google Analytics code.

The implication here is unclear to me.

Google Analytics is opt-in by providing your API key in Backlight's settings. I don't think that Backlight or TTG are responsible for individuals' use of Google Analytics. That data collection is between the user, and Google.

For anyone for whom this is an issue, don't enable Google Analytics, yeah?


Matt

The Turning Gate, http://theturninggate.net

Offline

#16 2019-11-23 13:22:00

Matthew
Administrator
From: San Francisco, CA
Registered: 2012-09-24
Posts: 5,795
Website

Markus wrote:

Here are the laws:

Personal data and data subjects:
https://eur-lex.europa.eu/legal-content … 1e3373-1-1
Judgement Cookie to 01.10.2019:
http://curia.europa.eu/juris/document/d … rst&part=1

Not a lawyer, and not reading these. As Ben has suggested, if you can lay out expectations in layman's terms, we'll have something to discuss.


Matt

The Turning Gate, http://theturninggate.net

Offline

#17 2019-11-23 13:26:23

Matthew
Administrator
From: San Francisco, CA
Registered: 2012-09-24
Posts: 5,795
Website

WordPress users should also be aware that WordPress does its own thing with cookies -- more or less, depending on what plugins you've installed -- that are entirely out of our hands, even when using the Backlight WP Theme.


Matt

The Turning Gate, http://theturninggate.net

Offline

#18 2019-11-24 00:47:52

tgalex
Member
From: Saline, Michigan
Registered: 2016-06-22
Posts: 102
Website

Also for awareness, after running Cookiebot I discovered Fotomoto also uses cookies on the site.

Offline

#19 2019-11-24 06:49:21

Matthew
Administrator
From: San Francisco, CA
Registered: 2012-09-24
Posts: 5,795
Website

tgalex wrote:

Also for awareness, after running Cookiebot I discovered Fotomoto also uses cookies on the site.

I think just about any third-party service does. This is one of the many reasons the EU regulations are utterly daft. Well intentioned, but daft.

If you use Google Analytics, Google Maps, reCaptcha, Fotomoto, PayPal, a third-party hit counter, etc. WordPress does whatever it does; and its plugins do still more. The very popular Jetpack plugin that I keep telling people to stop using is a privacy nightmare.

Use just about any online software or service, you are taking on cookies. That doesn't mean they're up to no good; without cookies, the services literally would not function. Oftentimes, the cookies are a part of authentication -- ensuring that you are actually you from page to page, view to view, and for every API call -- security, for your protection. That makes them a good thing.


Matt

The Turning Gate, http://theturninggate.net

Offline

#20 2019-11-24 09:07:41

Matthew
Administrator
From: San Francisco, CA
Registered: 2012-09-24
Posts: 5,795
Website

I've created a new page of documentation based on this conversation:
http://backlight.theturninggate.net/doc … _backlight


Matt

The Turning Gate, http://theturninggate.net

Offline

#21 2019-11-24 19:59:13

Markus
Member
From: Witten - Germany
Registered: 2012-10-06
Posts: 204
Website

Matthew wrote:
Markus wrote:

Here are the laws:

Personal data and data subjects:
https://eur-lex.europa.eu/legal-content … 1e3373-1-1
Judgement Cookie to 01.10.2019:
http://curia.europa.eu/juris/document/d … rst&part=1

Not a lawyer, and not reading these. As Ben has suggested, if you can lay out expectations in layman's terms, we'll have something to discuss.

Hello together,

I am glad that you want to take care of our (in EU) problem in order to find a solution.

Here is the implementation for the cookie problem:

  1. Website needs to be scanned for cookies

  2. Cookies need to be determined if they are actually mandatory to run a website

  3. Cookie consent form needs to be adjusted accordingly in separate categories such as Mandatory to run website - Marketing - Sales - Analytics

  4. Further to this, all cookies in use need to be displayed on a separate site stating all information (Publisher of cookie, usage of cookie)

  5. Consent form needs to be presented to visitor of page - all not mandatory cookies are disabled at this stage

  6. After consent is given, cookies may be enabled for this particular visitor

  7. Consent data need to be stored for a) website owner and b) if visitor change their mind

  8. If visitor wants to change consent given, a site has to be displayed and the already given consent is to be displayed with the ability to opt-in or opt-out

  9. All data stored either in a separate database and/or file on server in order to be able to pull consent per visitor out again.

  10. Enable deletion of stored data after a period of 24 hrs, 2 Days, 1 Week or 1 month depending on website owners needs

Altogether, data need to be stored if visitor comes back to a later point of time. Further to this, data to be stored could be IP, browser credentials or saving a cookie onto  visitors browser/computer in order to “track” consent given.


I am not a lawyer either. For more information, Steffi from Steffi's Cloud is the person who knows best about this. @Matt with Steffi you already had email contact. I am one of these clients ;)

I hope you can implement a solution

Thanks
Markus

Offline
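
The state behind steps 3 to 10 of the list above, as an added example that is not part of the original posts and not Backlight code: non-mandatory categories are off until a visitor opts in, every decision is kept as history, and decisions are purged after a retention period. The `ConsentStore` class, the category names and the retention value are assumptions; the visitor ID is assumed to be a random token the site keeps in a cookie, and the inventory lists the two cookies named in this thread.

```javascript
// Added example, not Backlight code. Names and retention are assumptions.
const INVENTORY = [
  { name: "PHPSESSID", category: "necessary", publisher: "this site", purpose: "session identifier" },
  { name: "_ga", category: "analytics", publisher: "Google Analytics", purpose: "usage statistics" },
];
const CATEGORIES = ["necessary", "analytics", "marketing"];
const DAY_MS = 24 * 60 * 60 * 1000;

class ConsentStore {
  constructor(retentionDays) {
    this.retentionMs = retentionDays * DAY_MS;
    this.records = new Map(); // visitorId -> list of decisions, newest last
  }

  // Steps 6-9: store an opt-in or opt-out; earlier decisions stay as history.
  // "necessary" cannot be switched off, everything else needs an explicit true.
  record(visitorId, choices, now = Date.now()) {
    const categories = {};
    for (const c of CATEGORIES) categories[c] = c === "necessary" || choices[c] === true;
    const entry = { givenAt: now, expiresAt: now + this.retentionMs, categories };
    const history = this.records.get(visitorId) || [];
    history.push(entry);
    this.records.set(visitorId, history);
    return entry;
  }

  // Step 5: with no unexpired decision on file, only necessary cookies are on.
  current(visitorId, now = Date.now()) {
    const history = this.records.get(visitorId) || [];
    const last = history[history.length - 1];
    if (last && last.expiresAt > now) return last.categories;
    const defaults = {};
    for (const c of CATEGORIES) defaults[c] = c === "necessary";
    return defaults;
  }

  // Cookies the site may set for this visitor; unknown categories are denied.
  allowedCookies(visitorId, now = Date.now()) {
    const consent = this.current(visitorId, now);
    return INVENTORY.filter((c) => consent[c.category] === true).map((c) => c.name);
  }

  // Step 10: delete decisions past retention; returns how many were removed.
  purge(now = Date.now()) {
    let removed = 0;
    for (const [id, history] of this.records) {
      const kept = history.filter((e) => e.expiresAt > now);
      removed += history.length - kept.length;
      if (kept.length > 0) this.records.set(id, kept);
      else this.records.delete(id);
    }
    return removed;
  }
}

const demo = new ConsentStore(30);
demo.record("constructed-visitor-1", { analytics: true });
console.log(demo.allowedCookies("constructed-visitor-1"));
```

A page template would call `allowedCookies()` before emitting an analytics script tag, so the script is left out entirely for visitors who have not opted in.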

#22 2019-11-24 20:09:56

Markus
Member
From: Witten - Germany
Registered: 2012-10-06
Posts: 204
Website

Here is another approach, probably also much cheaper than cookiebot https://www.consentmanager.net/

Offline

#23 2019-11-25 08:55:20

Rainer Goergen
Member
From: Trier, Germany
Registered: 2016-05-01
Posts: 401
Website

dussel wrote:
Rainer Goergen wrote:

Nonsense - don't wet your pants.

Hi,
what do you mean by that...? Simply ignore the legal situation? That can't be right either.
And once you have some nitpicker of a lawyer on your heels, it gets expensive. From what I have seen on your homepage, you are going the route of ignoring it completely. You haven't "even" implemented the old cookie rules.
I'll keep my fingers crossed for you that you don't someday find a cease-and-desist letter in your mailbox.

Regards
Rolf

Private, non-commercial homepage; just read the very bottom of the footer. I don't set any cookies, and I am not responsible for my provider. Why should I wet my pants just because I want to look at my own photos?
Everything else is of course a different matter.

Rainer

Offline

#24 2019-11-28 03:40:00

Matthew
Administrator
From: San Francisco, CA
Registered: 2012-09-24
Posts: 5,795
Website

Markus wrote:

Website needs to be scanned for cookies
Cookies need to be determined if they are actually mandatory to run a website

We've done that. See Ben's reply above.

Markus wrote:

Cookie consent form needs to be adjusted accordingly in separate categories such as Mandatory to run website - Marketing - Sales - Analytics

There's just the one cookie, and it's mandatory.

Markus wrote:

Further to this, all cookies in use need to be displayed on a separate site stating all information (Publisher of cookie, usage of cookie)

You may create a page via the usual means in Backlight, and link to it from your cookie notice.

Markus wrote:

Consent form needs to be presented to visitor of page - all not mandatory cookies are disabled at this stage

Is this suggesting that the first page a person sees on visiting a site should be a cookie acceptance form, rather than the site's own home page?

Markus wrote:

After consent is given, cookies may be enabled for this particular visitor

No other cookies should be enabled unless the user logs into the site with a user account, or they begin to interact with Client Response or Cart-enabled galleries.

Markus wrote:

Consent data need to be stored for a) website owner and b) if visitor change their mind

That would be only orders placed via the cart, or feedback received via client response. Both of which the site owner can delete via Backlight's admin.

Markus wrote:

If visitor wants to change consent given, a site has to be displayed and the already given consent is to be displayed with the ability to opt-in or opt-out

Again, there is only one cookie and it's mandatory. If a visitor would like to have their purchase history or client feedback purged, then they should reach out to the photographer, or you can create a special page with a contact form, again in the usual Backlight ways.

I don't imagine you can delete records of orders, though, as that would impact your ability to report taxes. And client response feedback only has the person's name and email address as a means to facilitating communication, and stores no personal information.

Markus wrote:

All data stored either in a separate database and/or file on server in order to be able to pull consent per visitor out again.

There is no data, apart from what we have described above.

Markus wrote:

Enable deletion of stored data after a period of 24 hrs, 2 Days, 1 Week or 1 month depending on website owners needs

What I just said. Also, see Ben's comment above about session expiry.

----

So, correct me if I am misunderstanding, but it seems to me there's not much for us to do here. The bulk of the onus for cookie responsibility falls on the site owner, and them having to be aware of what else is going on on their site regarding cookies. As I've described previously, Google, WordPress, and other third-party services are not something we have control over insofar as cookies being a thing.


Matt

The Turning Gate, http://theturninggate.net

Offline
