Need help regarding opt-in | EU GDPR #254

Closed
bvevang opened this Issue Jan 10, 2018 · 12 comments

9 participants

bvevang commented Jan 10, 2018

I've gone over the documentation on the opt-in compliance type but I can't seem to get the disabling or allowing of cookies to work.

Could anyone help me?

Thanks in advance.

My1 commented Jan 19, 2018

Well, it all depends on whether you would rather act on the server side or with JS.

On the server side you could also act upon the cookies, meaning for example that if a user denies cookies, you can deny the login or other things.

Not to forget: if you see that cookies are there but the user revoked his choice or started to deny, you could run this thing (just don't forget to exclude the cookie consent cookie):
https://stackoverflow.com/a/2310591/4426048

By default the cookie is called cookieconsent_status, and when using the opt-methods it can basically be in 4 states.

  1. not existing (user will see the popup. act upon the default opt-policy)
  2. dismiss the popup without anything else (I don't know whether it will ever come up in the opt-models, but better safe than sorry, should be treated same as above)
  3. deny actively (no window and most importantly don't set cookies but keep this one)
  4. allow the cookies, obviously enough

So with opt-in you may only do cookies in case 4. Anything else means don't do cookies.

One other thing that may not be TOO blocking would be using the cookie consent only for not-totally-needed cookies, for example ads and analytics.

For things where cookies are totally needed (e.g. login) you could make it so that on the page there is a text (e.g. right below the login form) which basically reads that upon login a cookie will be set anyway, because it's required to make this stuff work. And basically the login button would be the consent for setting a cookie specifically for that purpose.

rudolf-l commented May 16, 2018

Today I've found a bug in cookieconsent.min.js, which makes "opt-in" work incorrectly.
It was probably added by changes in the "opt-out" handling:

hasConsented=function(t){var i=this.getStatus();return i==e.status.allow||i==e.status.dismiss}

This causes allow+dismiss to be handled as hasConsented() in "opt-in" mode.
This results in "Accept" and "Dismiss" being handled as "opt-in" (accept is fine, but dismiss should be considered as deny in opt-in mode).

This bug causes a lot of confusion and a fix may help to close this issue.
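
An added example, not part of any comment in this thread and not code from the cookieconsent project: a server-side check over the four cookieconsent_status states listed above, under opt-in rules where only "allow" counts and "dismiss" is treated like "deny", plus the clean-up that spares the consent cookie. The function names, the essential-cookie list and the sample cookie headers are assumptions constructed for illustration.

```javascript
// Added example: opt-in gate for the cookieconsent_status states from this thread.
const CONSENT_COOKIE = 'cookieconsent_status'; // default cookie name, per the thread

// Parse a Cookie request header into a prototype-free { name: value } map.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip empty names and fragments without "="
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Opt-in rule: only an explicit "allow" is consent. A missing cookie,
// "dismiss", "deny" and any unrecognised value all mean "set nothing".
function hasOptInConsent(jar) {
  return jar[CONSENT_COOKIE] === 'allow';
}

// Build Set-Cookie values that expire every cookie the browser sent except
// the consent cookie itself and the names listed as essential (hypothetical
// list, e.g. a login session). Cookies set with another Path or Domain need
// those same attributes repeated here, or the browser will not remove them.
function expireNonEssential(jar, essential = []) {
  const keep = new Set([CONSENT_COOKIE, ...essential]);
  return Object.keys(jar)
    .filter((name) => !keep.has(name))
    .map((name) => `${name}=; Path=/; Max-Age=0`);
}

// Decide per request: may optional cookies be set, and what must be cleared?
function evaluateRequest(cookieHeader, essential = []) {
  const jar = parseCookies(cookieHeader);
  const consent = hasOptInConsent(jar);
  return { consent, clear: consent ? [] : expireNonEssential(jar, essential) };
}

// Constructed sample headers, one per state.
const SAMPLES = {
  missing: 'sessionid=abc123',
  dismiss: '_ga=GA1.2.1.1; cookieconsent_status=dismiss; sessionid=abc123',
  deny: '_ga=GA1.2.1.1; _gid=GA1.2.2.2; cookieconsent_status=deny',
  allow: '_ga=GA1.2.1.1; cookieconsent_status=allow',
};
for (const [state, header] of Object.entries(SAMPLES)) {
  console.log(state, JSON.stringify(evaluateRequest(header, ['sessionid'])));
}
```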

digibum commented May 22, 2018

@rudolf-l you are correct! I hope for a fix soon.

Contributor

dev-hero commented May 22, 2018

@rudolf-l This tripped me up a bit as well. Technically speaking "Allow" and "Dismiss" are both opt-in statuses. If a user clicks the button on an "info" type consent or the "Allow" button on an "opt-in" or "opt-out" type consent, that would record "dismiss" as the value in the cookieconsent_status cookie.

In the case of an EU country where the consent needs to be revokable, there are "allow" and "deny" buttons with "deny" being the only true opt-out status.

In my implementation, which I plan on posting to GitHub this week, I am using Insites' cookie consent type as "opt-out" for EU countries and "info" (default) for all other countries. I am also making use of their laws and location based on freegeoip.

I have essentially created an overarching conditional that used freegeoip to assess the user's IP and matches it to a country code based on an array of EU country codes I have stored in a variable as an array. If the code associated with the user's IP matches any of the codes in my "inEU" array, we use an "opt-out" implementation of CC. If the country is not part of the EU array, I trigger a standard informational consent to help prevent loss of tracking data when a revokable consent is not required.

Within both CC implementations inside the if else statement I am triggering Google Tag Manager, which I highly recommend everyone gets into utilizing as it can make this effort far less painful.

If anyone is interested in my implementation, please let me know and I will work on getting it up in hopes of some refinement by the community at large here on GitHub.

Appreciate anyone's time in actually reading my hairbrained thought process.

drnickyoung commented May 23, 2018

digibum commented May 23, 2018

The only valid mode for EU residents is opt-in, period. And the user must have an option to change its decision.

Contributor

dev-hero commented May 23, 2018

@drnickyoung, @digibum I used the term incorrectly. When I say opt-in or opt-out I mean allow or deny. Relative to the Insites CC script, I am using the "opt-out" type for EU. The way it works based on my testing is that a new user from the EU has no cookies loaded until they "Allow" consent. The opt-type seemed to behave this way while the opt-in type was the opposite in that it loads cookies until you deny.

Insites documentation leaves a lot to be desired and based on the backlog of PRs in that repo, I don't think it's being maintained.

Contributor

dev-hero commented May 23, 2018

For anyone looking to see how I've adapted this for GDPR rules, I have started to get this into a repo. The ReadMe is not complete so bear with me.

Testing using a service such as TunnelBear VPN (Chrome Ext) is how I worked this out.

My repo is here: https://github.com/dev-hero/insites-cookie-consent-gdpr-adapted
A demo is here: http://cc-gdpr.dev-hero.com/

My repo is a modified fork of Insites CC based on a PR I submitted that was a duplicate of one from 3 months ago that has not been merged. That change is documented in this pending PR with Insites: #344

I am hoping some community feedback will make this implementation better as I will never claim to be any sort of coding genius.

klhkm commented May 25, 2018

@dev-hero Your demo tracks cookies before consent and doesn't remove after consent is denied?

Contributor

dev-hero commented May 25, 2018

@klhkm I took a look and there was a mistake on my demo page. I had included Google Tag Manager in the head as it is in the head on the main page for this example site. I neglected to remove it, so for this working example I have made a new commit to remove that and include it in my consent script instead: 0b65b8a. Total overlook on my part while I scramble to patch client sites over the last few weeks. Thank you for pointing it out. Below is a brief explanation of how this should all work, and it does work correctly on my end and in my hosted example here: http://cc-gdpr.dev-hero.com/demo/

If you are a user from outside the EU, a simple info consent is loaded which means all cookies are loaded and you're simply just acknowledging that with the consent. No denial occurs.

For users within the EU, upon initial visit to the site, a consent will be presented with the options of "Allow" and "Deny". The only cookies loaded on that initial visit are session based. No marketing cookies are loaded as in my example Google Tag Manager is part of the consent.

Upon clicking "Allow", if you are monitoring cookies in Chrome inspector via the "Application" tab, you will see the marketing cookies load immediately upon click. If you were to click "deny" if say you changed your mind, cookies clear upon reload or visit any other link on the site, but GTM cookies are not loaded upon initial visit or if "Deny" is selected. I have some screenshots attached, and since the demo site uses only GA to track, it's easy to see the consent working properly.

User from EU visits the site for the first time:
[Image: screen shot 2018-05-25 at 10 02 57 am]

That user clicks "Allow"
[Image: screen shot 2018-05-25 at 10 03 21 am]

Contributor

alexmorleyfinch commented Jul 16, 2018

You have to manually disable the cookies yourself. There is no way for us to know which cookies you have and where you set them, so users must hook this up manually.

We are currently working on a new plugin that satisfies the GDPR requirements. It will be available in the coming weeks. This plugin will be able to disable cookies on the fly, but only for specific vendors that are open (like GoogleAnalytics, Facebook like button, etc)
