
GDPR and Website Cookies

2K views 41 replies 13 participants last post by  Used To Be BH 
#1 ·
Let me start by saying I'm not trying to cause another panic, but I do think it's noteworthy that we spent a great deal of time chewing on how GDPR affected mailing lists and no time (at least not that I noticed) on how it might affect our author websites.

While it is true that the law was inspired by the actions of large companies, those of us who are risk averse may wish to take steps to comply with requirements. In that spirit, I'm going to talk about a few things I learned (so that you don't have to spend three days getting your website properly compliant the way I did). My experience is only relevant to those of you with self-hosted Wordpress, but hopefully, people on other platforms will also contribute to the conversation.

Here's a link that lays out the requirements (according to one source): https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies As with other aspects of GDPR, not everyone says the same thing--and plugin developers tend to imply that GDPR requires exactly what their particular plugin does.

Everyone seems to agree that implied consent is no longer sufficient. A visitor has to actively consent. Continuing to use the site is no longer proof of consent. Also, visitors have to be able to withdraw consent if they change their mind.

Sites that require users to log in to visit the site (which most of us don't), sell things on the site (which some of us do), or have discussion forums (which some of us do) are likely to be the most affected, but those sites won't be the only ones. Allowing people to comment on posts, for example, stores user data on your site. Using Google Analytics or any similar product puts cookies on the visitors' machine. (Yes, not personally identifiable data, but GDPR also covers data which could make someone identifiable in combination with other data. People who surf the web enough have an awful lot of data out there.) Using ad software typically generates cookies. Using giveaway software generates cookies if entrants use a widget on your site. Using those nifty Amazon book previews generates cookies. Some plugins may be generating cookies without your knowledge.

If you're not a programmer, you're going to have to rely on the plugin makers out there to help you make your site compliant. Here are four I experimented with during my three-day odyssey, together with what I found.

Cookiebot: This is a great, comprehensive approach, and it's free if you use it only for one domain and have a site with fewer than 100 subpages (each post counting as a subpage). There are two caveats, however. First, to use it, you need to edit plugin scripts--and every time you update the plugin, you have to update the scripts again. (That means checking all of them, because without looking at the scripts, you don't know whether they're using cookies or not.) Editing plugin scripts is above my expertise. Also, the elements that do work automatically--the injection of consent banner code into the header and cookie policy and audit results onto a page you designate--didn't function on my site. I didn't have the patience to deactivate all my plugins and reactivate them one by one to see which one was causing the problem. All of that said, Cookiebot's audit reports are great. They are complete analyses of all the conceivable cookies your site might generate, and a description of what they do (best for informed consent). I couldn't get that report to install properly in my site, but Cookiebot also emails the report, so I was able to incorporate it manually. That's a plus, because none of the other plugins I tried have that good a reporting function.

Weepie Cookie Allow ($21 on Code Canyon). It has lots of options, blocks cookies until a user consents, and allows users to consent to some kinds of cookies without having to consent to all. This would have been a winner for me and is great for the basic consent machinery (if you pick the right options), but I was concerned that it lacked some of Cookiebot's data management functions, so I kept experimenting.

GDPR Ultimate ($19 on Code Canyon). It provides consent mechanics and automates information requests (for example, if someone wants to know what data you have stored on your site about them or wants to be forgotten). I had this one all set up when I realized two things. First, the cookie consent banner has options to accept and read more, but not to decline. That's dubious under GDPR, but also there's no way to dismiss the notice until you accept cookies--which means on a mobile device much of the screen is taken up with an annoying notice a visitor can't escape without accepting. The author has promised to fix that issue by providing a decline button (which may be in the update scheduled for today) but I panicked and moved on when I found another issue. In my testing, consent is accurately recorded in Chrome, but in IE, Edge, and Firefox it didn't record properly, which would mean a user would have to consent every time. The author believes that to be a browser issue (the browser itself disallowing cookies), but I didn't have any of mine set that way when I tested. Anyway, I have confidence this plugin will get sorted out, but, being impatient, I moved on.

Wordpress GDPR ($20 on Code Canyon). This one automates the consent process smoothly, furnishes an area for visitors to change their preferences, provides easy support for handling GDPR information requests automatically, and doesn't have any glitches I've been able to find. I wish I had tried it first.

My impression is that the plugin makers are scrambling to meet the May 25 deadline. A lot of them still use old, pre-GDPR language in their descriptions and/or offer consent options that are no longer valid. Only one (Cookiebot) collects consent reports so that you'd have proof people consented. I'd worry about that more, except that, unless a user has created an account or logged in, I don't think you can tell which specific person consented, so that may not really matter, except to membership-based sites.

One thing none of them will do so far is show the consent dialogue only to visitors from the EU, but I don't think indicating that you care about people's privacy and want to respect their wishes is a bad thing.
 
#2 ·
If you do not have coding knowledge then everything is close to impossible. I have basic coding knowledge and I still can't get my head around all of it. We really have three choices: take the word of others; remove all of the plugins and links that we're not sure about; risk it. That's about it.

For membership sign up, we only need to make sure that we have a record of consent and that people are made aware of what they are signing up for, i.e., what you will use their data for. That should be fairly easy with a plugin, as long as you are sure the plugin itself isn't setting tracking cookies.

Cookies that fall under "consent required" are only those that track personal info; this includes IP address, remarketing cookies etc. If the cookie does not track then we're OK.

For AdSense, this cannot be removed, however, if you show AdSense on your website then you can set the Ads to non-personalised for EU visitors. This should be sufficient as long as we can trust Google to comply.

For Google Analytics, the script can be set to anonymous. Again, OK if we can trust them ... who knows? I'm just going to take that risk.

For Amazon affiliate links, there is no way around it that I know of for some Ads. I have contacted them and they are not interested (surprise). What you can do however is use Amazon text or image links and remove the tracking pixel yourself.

Facebook "like" buttons I haven't figured out yet.

It's all a minefield!
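As an added illustration of the consent machinery the first two posts describe (active opt-in per category, a real decline, withdrawal later, and analytics only loaded with IP anonymisation), here is a small JavaScript consent gate. It is example code written for this thread, not code from any of the plugins named above; the storage key, the category names and the `UA-PLACEHOLDER-1` tracking id are assumptions, and `window.localStorage` can be passed in place of the in-memory store.

```javascript
// Added example, not from the thread or from any plugin it names: a minimal
// opt-in consent gate. Nothing non-essential is loaded until the visitor
// explicitly accepts; ignoring or declining the banner leaves the site usable;
// consent can be withdrawn later; analytics, when permitted, anonymises IPs.
// The storage backend is injected so the same logic runs in the browser
// (window.localStorage has the same three methods) or in plain Node.

const CONSENT_KEY = 'cookie_consent_v1';          // assumed storage key
const CATEGORIES = ['analytics', 'advertising'];  // assumed category names

// In-memory stand-in for localStorage, used for the demo and for tests.
class MemoryStore {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

class ConsentManager {
  constructor(store) { this.store = store; }

  // The recorded decision, or null if the visitor has not answered yet.
  // A missing or corrupt record is treated exactly like a decline.
  current() {
    const raw = this.store.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec.decision !== 'accept' && rec.decision !== 'decline') return null;
      if (!Array.isArray(rec.categories)) return null;
      return rec;
    } catch (e) {
      return null;
    }
  }

  // Active acceptance of a chosen subset of categories (per-category opt-in).
  // Unknown category names are dropped rather than silently allowed.
  accept(categories) {
    const allowed = categories.filter((c) => CATEGORIES.includes(c));
    this.store.setItem(CONSENT_KEY, JSON.stringify({
      decision: 'accept',
      categories: allowed,
      at: new Date().toISOString(),   // when consent was given
    }));
    return allowed;
  }

  // Explicit decline: recorded so the banner need not be shown again.
  decline() {
    this.store.setItem(CONSENT_KEY, JSON.stringify({
      decision: 'decline', categories: [], at: new Date().toISOString(),
    }));
  }

  // Withdrawal: forget the earlier decision; the site falls back to no cookies.
  withdraw() { this.store.removeItem(CONSENT_KEY); }

  // Show the banner only while there is no valid decision on record.
  needsBanner() { return this.current() === null; }

  // The only question the rest of the site ever asks before setting a cookie.
  allows(category) {
    const rec = this.current();
    return rec !== null && rec.decision === 'accept' && rec.categories.includes(category);
  }
}

// analytics.js commands to queue only once 'analytics' is permitted; an empty
// list means the tracker script is never injected. The tracking id is a placeholder.
function analyticsCommands(manager, trackingId) {
  if (!manager.allows('analytics')) return [];
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true],   // the "anonymous" setting post #2 refers to
    ['send', 'pageview'],
  ];
}

// Walk one visitor through the banner states; returns [label, bannerShown, commandCount].
function demo() {
  const cm = new ConsentManager(new MemoryStore());
  const step = (label) => [label, cm.needsBanner(), analyticsCommands(cm, 'UA-PLACEHOLDER-1').length];
  const states = [step('first visit')];
  cm.decline();
  states.push(step('declined'));
  cm.withdraw();
  cm.accept(['analytics', 'bogus']);
  states.push(step('accepted analytics'));
  return states;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of demo()) console.log(s.join(' | '));
}
```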
 
#3 ·
Lee Nichols said:
It's all a minefield!
Well, it could be. Let's just hope enforcement is handled in a reasonable way.

I'm guessing better solutions will develop as time goes on. It's funny how GDPR was first approved in 2016, but we didn't hear much about it until recently. The plugin writers appear to have been in somewhat the same boat. Even the European ones act as if they're playing catch-up. There are a fair number of plugins that were sufficient under the old law, but the ones coming along now seem to have been programmed in great haste, at least in a few cases. Like most other sudden changes, I expect that the glitches will get ironed out over the next few months.

Honestly, I'd be quite content to walk away from Google Analytics and never look back. If enough people opt out, the stats will be meaningless anyway. The real problem, as you point out, is whether or not plugin authors are accurate in their descriptions. I imagine at some point Wordpress will start requiring authors to list what cookies their plugins use and for what purpose, but that could still be a long way away.

The sad part is that most modern browsers allow users to handle cookie blocking with far more efficiency and nuance than we can from our end. I use those options myself to address privacy concerns. It's a shame more people don't.
 
#4 ·
In the podcast people linked to several times last week, the recommendation was a policy somewhere on the website explaining how/if/where cookies were used. Is this not sufficient? Truthfully, if we've reached a point in which we need coding/plug-in knowledge to be an author with a website, I'm tossing in the towel on the website.
 
#5 ·
I agree, in time solutions will develop. I think it will be sooner rather than later as companies are going to get hurt if they don't catch up. Google has been, to some extent, trying to pass the problem on to the user. I think they are in for a rude awakening because website owners are choosing to drop things like analytics until they know exactly what is going on. Once it begins to hurt them, they will act quickly, hopefully.

Wordpress and the various plugins I think will catch up quickly. https://www.gdprwp.com/ should be a great help here. Website owners are starting to worry, so the slower the plugin creators are to catch up, the quicker they will go out of business.

Let's hope the next few months gives us much more clarification than we are getting so far. One thing for certain is this is a game changer. It's actually not a bad thing in principle, unfortunately the whole show is being run by the arrogance and ignorance of the EU regulators.
 
#6 ·
Bill Hiatt said:
Here's link that lays out the requirements (according to one source): https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies
That is an unofficial website giving an opinion in a way to generate clickbait. As it states there is only one reference to cookies in GDPR, but omits to mention that this is because cookies are dealt with elsewhere in EU law. TL/DR a fleeting paragraph in a later law cannot abrogate the actual law on the topic of cookies unless it specifically states that it is changing the face of the text in that law.

The argument over the requirement for more than implied consent has been going on for as long as (indeed longer than) the EU cookie law has existed. The bureaucrats will continue to insist that implied consent is insufficient until the courts determine that it is sufficient.

EU cookie law draws a distinction between ads that change for each visitor (e.g., Google AdSense) and ads that are static (e.g., Amazon affiliates). The former requires a cookie warning on the website while the latter does not. I stopped using Google Ads so Google disabled my account and now won't reopen it. I did so to allow me to comply with the law without using the cookie banners that breach EU disability law. Requiring explicit consent is in contravention of the EU law on accessible websites as it makes reading a website more difficult for someone with dexterity issues than for other members of the population.

A wonderful irony is that the cookie consent JavaScript used by many sites is a key campaigner against the law https://silktide.com/why-the-cookie-law-is-total-clownshoes/.
 
#7 ·
MClayton said:
In the podcast people linked to several times last week, the recommendation was a policy somewhere on the website explaining how/if/where cookies were used. Is this not sufficient? Truthfully, if we've reached a point in which we need coding/plug-in knowledge to be an author with a website, I'm tossing in the towel on the website.
I was almost ready to pull the plug on mine!

Well, as Mercia points out, there is a lot of debate on the issue. I've actually read a number of sources that argue that explicit consent is now a must. Because I could find a way to do it that made me happy, I still have a website. I'm trusting in reasonable enforcement standards, especially for small businesses.

Like Lee, I think one of the outcomes will be for authors to question the value of Google Analytics. While it's interesting to know where my traffic came from, my website is mostly a convenient place for me to put things to make it easier for fans to find what they want rather than a major sales channel. With big brands it might be different, but for me, it increasingly doesn't seem worth it.
 
#9 ·
Mercia McMahon said:
EU cookie law draws a distinction between ads that change for each visitor (e.g., Google AdSense) and ads that are static (e.g., Amazon affiliates). The former requires a cookie warning on the website while the latter does not. I stopped using Google Ads so Google disabled my account and now won't reopen it. I did so to allow me to comply with the law without using the cookie banners that breach EU disability law. Requiring explicit consent is in contravention of the EU law on accessible websites as it makes reading a website more difficult for someone with dexterity issues than for other members of the population.
I'm unclear as to how requiring explicit consent is an accessibility issue. The plugins I looked at, and particularly the one I use, don't block the ability to use the site if someone doesn't accept or decline cookies. They just continue to prohibit the use of cookies until they get a definite response one way or the other. That might be problematic for big brands that use their websites as major sales channels (because that opens up the need for a whole new group of session cookies, if nothing else), but for most authors, it wouldn't make that much difference. A supposed requirement in the law (which may also be a matter of debate for all I know) is that the website is supposed to remain functional for people who decline to use cookies. I tested the plugin I'm now using, trying both ignoring the cookie popup and clicking decline, and everything still worked properly. Under those circumstances, would there still be an accessibility issue?
 
#10 ·
archaeoroutes said:
I haven't seen anything about cookies that isn't already covered in other legislation. Requiring consent for cookies has been around for ages - hence all those banners and panels requiring visitors to click to accept them.
I agree it's not a new thing at all. What is new (unless that information isn't really accurate--Mercia has me wondering) is that implied consent is less likely to be acceptable. Many websites I visited used the "Continuing to use this site constitutes acceptance of our use of cookies" kind of language. I've even seen, "This site uses cookies to improve your experience," with no obvious way to decline cookies.

I also think the current agitation over GDPR has made people in the US more aware. I knew there was an EU cookie law but had no idea it affected people whose web server was outside the EU. I'm sure that was wrong--but I'm also sure I wasn't alone in thinking that. A lot of websites, including big corporate ones, said nothing about cookies, but from what I've seen virtually every website has some.
 
#11 ·
Requiring explicit consent contravenes EU web accessibility law because those with dexterity problems can only make limited use of a mouse before the pain becomes too much to continue. Most explicit cookie consent banners persist until you click with a mouse or tap on a touchscreen. Those banners often block a substantial proportion of the website thus reducing the ability of those with dexterity issues to enjoy the same experience of the website as other visitors. Many business websites simply have a statement in the footer or header stating that the site uses cookies, which complies with accessibility law and I have yet to see an accessibility compliant website that goes beyond implied consent.
 
#12 ·
I don't want to sound contrary, nor do I want to start an argument, but I want to hear a member of the Bar explain the specific legal provisions by which the European Union claims jurisdiction over citizens of the United States.  Especially citizens who haven't once set foot in Europe. 

I'm not a lawyer, but from where I'm sitting, I can do as I please on my own web site with my books, since both are my property.  And the EU can go pound sand. 

What am I missing?  What happens if I just block Europe from my site?  They all speak different languages anyway. 
 
#13 ·
Lexi Hall said:
What am I missing? What happens if I just block Europe from my site? They all speak different languages anyway.
Er, sorry but some of us don't. It's not called English for nothing... ;D

I too struggle with how the EU - as an unelected non-democratic body - has sway over anyone, but that's perhaps a different discussion. I think the chances of the EU lawmakers descending on one of us running a mailing list are pretty slim. That said, I've made sure that I'm fully compliant, and killed my list because of it. I've 'lost' 90% of my subscribers - you could of course argue that it's the dead wood that's been lost and I think there's a fair argument there.

It'll probably end up being like the Year 2000 bug. The sky will fall in, the sky will fall in! Oh hang on a minute. It hasn't!
 
#14 ·
Er, sorry but some of us don't. It's not called English for nothing... ;D
Well, to be fair, the UK isn't part of the EU any more. ;D

My lists are far too small to warrant a second thought at this point. I'm just highly confused as to how or why anyone in this country thinks they owe allegiance to the EU. You don't vote there. You don't pay taxes there. You don't live there.
 
#15 ·
Lexi Hall said:
I don't want to sound contrary, nor do I want to start an argument, but I want to hear a member of the Bar explain the specific legal provisions by which the European Union claims jurisdiction over citizens of the United States. Especially citizens who haven't once set foot in Europe.

I'm not a lawyer, but from where I'm sitting, I can do as I please on my own web site with my books, since both are my property. And the EU can go pound sand.

What am I missing? What happens if I just block Europe from my site? They all speak different languages anyway.
I suspect that there aren't too many attorneys hanging out here.

It's interesting that in the US legal traditions, states haven't traditionally claimed as much ability to regulate citizens of other states as the EU is claiming with regard to regulating pretty much anybody in the world who deals with even one citizen of the EU. That's why issues that crossed state lines in some way have traditionally ended up as federal issues.

However, the Internet has changed the dynamic. In the past, in order to do business with someone, you either had to have a physical presence in their country or ship physical goods to their country. In the former case, the buyer's country would clearly have jurisdiction, at least over the part of the company located in their borders. In the latter case, the goods could have been stopped at the border. With the Internet and digital goods, physical presence and/or physical shipment are no longer barriers. I can see why countries might like some regulatory control, though in this case, they may be going to extremes.

So far the EU has won in court against large corporations like Amazon. If a jurisdictional argument was raised, it didn't prevail. Of course, those cases tended to revolve around tax revenues in the affected countries, a far different issue than whether or not the EU could bring a criminal action against a website owner outside Europe for violating the EU's legislation on the appropriate way to operate a website. Is there any precedent for that? The EU cookie law has been around for a while, but I'm not aware of any non-European small businesses having to pay fines over it.

A lot of US authors don't have that many readers in Europe--though I'd be happy to recruit some! I think it's interesting that plugin authors have scrambled to write compliance plugins, but not one that I know of has written an EU blocker. As far as I can tell, the EU's position seems to be that websites can't refuse to serve EU citizens, but I'm not sure they could make that stick for a website hosted outside the EU. Personally, unless the requirements become completely unmanageable, I wouldn't want to go there. I'd rather be open to everyone, as long as that openness doesn't make it impossible for me to continue to publish. So far, I'm thinking the situation is manageable.
 
#16 ·
Puddleduck said:
I've tried asking this regarding VAT (when selling on own website), and no one seems to even understand the question. *shrug*
For VAT, there's an actual precedent, at least to the extent that states do the same things. You have to collect sales tax based on the state in which the purchaser resides. If that's true nationally, it makes some sense to do the same internationally, though it does introduce a lot of complications.
 
#17 ·
As far as taxes go, while a buyer in the EU may be liable to pay VAT, I am not. Even if I were, I have no way to pay taxes to the EU.

Based on my admittedly amateur understanding, the only way the EU could reach into the US would be through extradition. To qualify they would have to bring a felony indictment or the EU equivalent, and then petition a U.S. federal court, which would result in an extradition hearing. It would also result in what my editor often refers to as a "monkey cage jailbreak" in Congress as millions of people would be rather upset at the news they may be facing criminal prosecution in a place they've never visited.

I tend to doubt the GDPR law has any provisions for criminal violations rising to the level of a felony, and I suspect the first federal judge to catch an attempt to collect a fine from a U.S. citizen over an e-mail list would do his or her best impression of Ray Guy and drop kick it out an eighth-floor window into a truck full of patio furniture under the doctrine of de minimis non curat praetor.

Also based on my amateur understanding, historically speaking, the last jurisdiction over Americans originating in Europe expired with the end of the War of 1812. If they are now presuming to reinstate the Stamp Act, I think someone might want to notify the media.
 
#18 ·
So, I guess, since everyone has set up their websites differently, we all have to figure out how to be compliant by what we've done. I have noticed that it does vary by which Wordpress plan that you have signed up for. I don't have the business plan right now. So, I don't have Google Analytics or use SEOs. I'm working on trying to write or find a privacy policy that would work. I don't have the business plan. So, it looks like I'm not getting the automatic pop-up privacy plan option. But then, I'm not using the other tools in the business plan. I've got the middle plan, just above personal.

Just trying to make sense of all this is hard for the little, lone author. So, any advice welcomed.
-Marilyn
 
#19 ·
Puddleduck said:
It's all a question of jurisdiction, and that question hasn't been answered.

I've been trying to get an answer out of my accountant on the tax issue for months, and no one's given me one yet. It may be that even the professionals don't really know.
The VAT situation should be clearly defined; an accountant should know this. It really depends on what country you are selling from and to.
 
#20 ·
Lexi Hall said:
I don't want to sound contrary, nor do I want to start an argument, but I want to hear a member of the Bar explain the specific legal provisions by which the European Union claims jurisdiction over citizens of the United States. Especially citizens who haven't once set foot in Europe.

I'm not a lawyer, but from where I'm sitting, I can do as I please on my own web site with my books, since both are my property. And the EU can go pound sand.

What am I missing? What happens if I just block Europe from my site? They all speak different languages anyway.
My guess is, and it's only a guess, that if you are a small business then they probably won't put much effort into doing anything about it. For myself, being in the EU has become borderline ridiculous. If I say "no" to selling within the EU, I can get done for discrimination. Look up geo-blocking EU, it's quite pathetic. What's worse is I'm obliged to be VAT registered in each of the 28 EU states with zero VAT threshold.

The problem I see with the US vs EU argument is one that few people are thinking about. Feel free to say "screw them," I fully sympathise. What you may need to be careful of is getting kicked off of the networks that make your money. I'd be careful not to assume, for instance, that Amazon or Google etc., won't kick you out of their services if you aren't complying with GDPR, because the law is between controller and processor; either one can affect the other.
 
#21 ·
Puddleduck said:
The tax thing, OTOH, directly affects the amount of money I may potentially make, so yeah, if a foreign government wants to reach across the pond into my pocket, I'm going to have more of an issue with that, and I'm going to ask a little harder what actual legal right they have to do so.
Where do you sell your books? If you sell on your own website then you will probably need to think about taxes. If you sell through the likes of Amazon then you don't need to worry, they deal with all the cross border stuff. All you need to do with this is pay taxes in your own country based on what Amazon pay you in royalties.
 
#22 ·
Puddleduck said:
Well, I have my website set up to sell books, but I don't have any sales yet. Yes, I'm aware that the retailers take care of this (since they're the retailer, they have to pay those things, and they choose to take VAT out of my cut of the sale instead of theirs and instead of raising the price to reflect the VAT, which kinda ticks me off, but there's nothing I can do about it). Until someone convinces me I have a legal (that is, legal in the place I actually live) obligation to pay a foreign government taxes of any kind, I'm gonna hang on to any money I may make through direct sales. Still hoping to get a solid answer from my accountant, though, just in case there's some weird US legal requirement that contravenes all common sense in this area (as is pretty common when it comes to the law).
I can only guess but my assumption would be the same as I do in reverse. Ebooks fall under digital goods which have different VAT requirements in the EU. For me, being EU based, it's a pain. If however I sell to a consumer in the US who is not VAT registered then I charge VAT and pay it in my own country.
If I sell to a US VAT registered consumer then I do not charge VAT but I have to record their VAT number. I can't imagine it being any different the other way around. If you do not live in the EU then I'm not sure you can even VAT register over here unless you have an EU business address. If you can't register then you can't pay VAT in that country. It's changing all the time but that's how I currently deal with VAT.
 
#23 ·
This VAT thing has got me curious. Seems I might be wrong about things being the same in reverse. VAT MOSS came in 2015. I stopped selling digital goods on my website because of it. It looks like even those of you in the US are subject to it. As far as I remember, Taxamo is an EU authorised company and according to them, US sellers are subject to this.

https://www.taxamo.com/insights/us-digital-companies-eu-vat/


edited, PM if you have questions -- Ann
 
#24 ·
Allow me to reiterate the historical perspective.  The last time a European government presumed to tax people on this side of the Atlantic, it didn't go very well. I'm going to leave it there. Say hi to King George for me. 

 
#25 ·
Lexi Hall said:
I don't want to sound contrary, nor do I want to start an argument, but I want to hear a member of the Bar explain the specific legal provisions by which the European Union claims jurisdiction over citizens of the United States. Especially citizens who haven't once set foot in Europe.
Governments have the right to protect their citizens. GDPR is aimed at doing just that: protecting EU citizens.
For years, the US has had CAN-SPAM laws. They applied those to anyone in the world who wanted to email US citizens. How is GDPR any different in principle, apart from now the shoe is on the other foot?
 
#26 ·
archaeoroutes said:
Governments have the right to protect their citizens. GDPR is aimed at doing just that: protecting EU citizens.
For years, the US has had CAN-SPAM laws. They applied those to anyone in the world who wanted to email US citizens. How is GDPR any different in principle, apart from now the shoe is on the other foot?
This isn't so much the problem, it's the implementation that doesn't work. They throw out a whole bunch of rules that are OK in principle but completely ignore the practicality. What they are demanding is almost impossible and will only hurt small business. As Puddleduck has mentioned, how do we get proof of location for VAT MOSS? Most required or recommended ways of obtaining proof, by the EU themselves, are now in breach of other EU rules. None of these other rules have been updated or correlated.

The cookie problem is no different; it's virtually impossible to comply without the need to shut down your website. For instance, even if you decide to remove everything you have on your website, other than the content and a sign up form, it is up to you to decide whether or not the auto-responder company, the hosting company and Wordpress if you use it, are all in compliance. Other than take their word for it there is nothing else you can do. If they decide to break any of the rules then you as the website owner are now liable as the data controller. This leaves you with two options: shut down or risk breaking the law.

This sounds like overreaction but until the makers of the rules give more clarification and more constructive advice, this is how it stands. If we use a cookie solution such as Cookiebot, it's down to us to decide whether or not they comply properly and to figure out how to install it. The only way to really know this is to understand coding to such a level that you wouldn't need them in the first place. I know a reasonable amount of HTML and some basic Java coding, php and I'm a quick learner when I need to understand more ... I still cannot get my head around any of it, not even close. What chance does that leave others?
 