
GDPR and Website Cookies

2K views 41 replies 13 participants last post by Used To Be BH
#1 ·
Let me start by saying I'm not trying to cause another panic, but I do think it's noteworthy that we spent a great deal of time chewing on how GDPR affected mailing lists and no time (at least not that I noticed) on how it might affect our author websites.

While it is true that the law was inspired by the actions of large companies, those of us who are risk averse may wish to take steps to comply with requirements. In that spirit, I'm going to talk about a few things I learned (so that you don't have to spend three days getting your website properly compliant the way I did). My experience is only relevant to those of you with self-hosted Wordpress, but hopefully, people on other platforms will also contribute to the conversation.

Here's a link that lays out the requirements (according to one source): https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies As with other aspects of GDPR, not everyone says the same thing--and plugin developers tend to imply that GDPR requires exactly what their particular plugin does.

Everyone seems to agree that implied consent is no longer sufficient. A visitor has to actively consent. Continuing to use the site is no longer proof of consent. Also, visitors have to be able to withdraw consent if they change their mind.

Sites that require users to log in to visit the site (which most of us don't), sell things on the site (which some of us do), or have discussion forums (which some of us do) are likely to be the most affected, but those sites won't be the only ones. Allowing people to comment on posts, for example, stores user data on your site. Using Google Analytics or any similar product puts cookies on the visitors' machine. (Yes, not personally identifiable data, but GDPR also covers data which could make someone identifiable in combination with other data. People who surf the web enough have an awful lot of data out there.) Using ad software typically generates cookies. Using giveaway software generates cookies if entrants use a widget on your site. Using those nifty Amazon book previews generates cookies. Some plugins may be generating cookies without your knowledge.

If you're not a programmer, you're going to have to rely on the plugin makers out there to help you make your site compliant. Here are four I experimented with during my three-day odyssey, together with what I found.

Cookiebot: This is a great, comprehensive approach, and it's free if you use it only for one domain and have a site with fewer than 100 subpages (each post counting as a subpage). There are two caveats, however. First, to use it, you need to edit plugin scripts--and every time you update the plugin, you have to update the scripts again. (That means checking all of them, because without looking at the scripts, you don't know whether they're using cookies or not.) Editing plugin scripts is above my expertise. Also, the elements that do work automatically--the injection of consent banner code into the header and cookie policy and audit results onto a page you designate--didn't function on my site. I didn't have the patience to deactivate all my plugins and reactivate them one by one to see which one was causing the problem. All of that said, Cookiebot's audit reports are great. They are complete analyses of all the conceivable cookies your site might generate, and a description of what they do (best for informed consent). I couldn't get that report to install properly in my site, but Cookiebot also emails the report, so I was able to incorporate it manually. That's a plus, because none of the other plugins I tried have that good a reporting function.

Weepie Cookie Allow ($21 on Code Canyon). It has lots of options, blocks cookies until a user consents, and allows users to consent to some kinds of cookies without having to consent to all. This would have been a winner for me and is great for the basic consent machinery (if you pick the right options), but I was concerned that it lacked some of Cookiebot's data management functions, so I kept experimenting.

GDPR Ultimate ($19 on Code Canyon). It provides consent mechanics and automates information requests (for example, if someone wants to know what data you have stored on your site about them or wants to be forgotten). I had this one all set up when I realized two things. First, the cookie consent banner has options to accept and read more, but not to decline. That's dubious under GDPR, but also there's no way to dismiss the notice until you accept cookies--which means on a mobile device much of the screen is taken up with an annoying notice a visitor can't escape without accepting. The author has promised to fix that issue by providing a decline button (which may be in the update scheduled for today) but I panicked and moved on when I found another issue. In my testing, consent is accurately recorded in Chrome, but in IE, Edge, and Firefox it didn't record properly, which would mean a user would have to consent every time. The author believes that to be a browser issue (the browser itself disallowing cookies), but I didn't have any of mine set that way when I tested. Anyway, I have confidence this plugin will get sorted out, but, being impatient, I moved on.

Wordpress GDPR ($20 on Code Canyon). This one automates the consent process smoothly, furnishes an area for visitors to change their preferences, provides easy support for handling GDPR information requests automatically, and doesn't have any glitches I've been able to find. I wish I had tried it first.

My impression is that the plugin makers are scrambling to meet the May 25 deadline. A lot of them still use old, pre-GDPR language in their descriptions and/or offer consent options that are no longer valid. Only one (Cookiebot) collects consent reports so that you'd have proof people consented. I'd worry about that more, except that, unless a user has created an account or logged in, I don't think you can tell which specific person consented, so that may not really matter, except to membership-based sites.

One thing none of them will do so far is show the consent dialogue only to visitors from the EU, but I don't think indicating that you care about people's privacy and want to respect their wishes is a bad thing.
 
#27 ·
Lexi Hall said:
Well, to be fair, the UK isn't part of the EU any more. ;D
Then you know more than I do.

My lists are far too small to warrant a second thought at this point. I'm just highly confused as to how or why anyone in this country thinks they owe allegiance to the EU. You don't vote there. You don't pay taxes there. You don't live there.
If you want to sell there, you have to comply. Full stop.

You can always cease to do business with Europeans, then indeed nothing of this applies to you. Geo-lock your site and maillist, distribute/sell only to non-European countries (don't make such blatant mistakes as the one above, though) and you will be fine.
 
#28 ·
Allow me to reiterate the historical perspective. The last time a European government presumed to tax people on this side of the Atlantic, it didn't go very well. I'm going to leave it there. Say hi to King George for me.
The problem with this is the US signs treaties agreeing to comply with laws in other countries, which binds our citizens to those laws. So, we may not be ruled by another country any longer, but we do make agreements to uphold some of their laws. Collection of taxes would be one of those things the government signed us up for.

I'm not a lawyer, but this GDPR thing is likely going to go the same way. Unless the US government tells the EU to frack off, then one way or another we'll be complying. Either the web sites/service providers will have it built in, or we'll have to do it ourselves. I still don't really understand what the whole thing involves myself, so I think it all sucks.
 
#29 ·
The problem with this is the US signs treaties agreeing to comply with laws in other countries, which binds our citizens to those laws.
If there is a treaty that was ratified by a 2/3 vote of the United States Senate as required by the Constitution, then I stand corrected and will gladly comply with the law.

Has such a treaty been cited in these discussions of the GDPR?
 
#30 ·
Victoria.T76 said:
The UK is in the EU, and GDPR will likely be carried over to UK law when we leave :)

A lot of fuss has gone in to the EU fining corporations - the EU are not after us, and I doubt this is something we need to worry about.

However, the law allows "data subjects" (your mailing list subs etc) to bring compensation claims against "data processors" (you) in the event there is an infringement of the regulations. They can seek compensation whether or not they have suffered material or non-material damage as a result of an infringement - they can sue us in court.

The EU has applied GDPR over "a controller not established in the Union, but in a place where Member State law applies by virtue of public international law." - their international treaty with the US currently allows them to do this - this may change in the future, but as it stands, for US mail lists, you can try and cut off all EU readers from your lists - put a note in the back of your books telling them they are not welcome, have a pop up on your website advising them not to enter - try all you want, but the internet is a global community and if you want to annoy 508 million people, go ahead - but it really isn't that difficult to apply good security and processing practices with people's data, and do you want to take the risk that some enterprising gang, somewhere in the EU decides to flood your list with subs or your site with comments and then come after you in court for infringement of the regulations?
It's my understanding that someone can't be extradited on a civil matter. If that's true, then yes, a citizen of the EU could sue--but they'd have to sue in the US. That may reduce the likelihood of a nuisance lawsuit because it would require more work on the part of the litigant.

I agree with you that it isn't that hard to apply good security and processing practices with people's data. The problem is that no one seems to know exactly what the law requires. Or rather, a lot of people claim to know, but they don't all say the same thing. In fact, there are an enormous number of contradictions in the statements I've seen. This thread illustrates how much interpretations vary. In the US, a law can be thrown out for vagueness, but I don't know if the same principle is applicable in EU law.

I found it easy enough to comply with the requirements as I understand them. Cookies are blocked on my site until a user accepts them. That user can subsequently revoke that consent. The privacy policy is very thorough and identifies all the cookies and what they do, so people can give informed consent. My comment form has a consent checkbox. My email signups are set up using Mailchimp's GDPR compliant forms, and my past ones were all double opt-in, and Mailchimp has the date on which each user opted in. As far as I can tell, I'm covered.

However, Lee makes a good point. We have to depend to some extent on whether plugins do what they claim to do. I've tested the plugin I'm using, and it seems to block all cookies prior to consent. However, there could be a glitch. I've seen comments on other plugins to the effect that the plugin doesn't block all cookies or doesn't block all if the user allowed cookies initially and then changed his mind. We can't know every single thing that's happening in the background. That's why people are nervous.

One might be able to design a cookieless website, but it's tough because plugin authors don't divulge whether their plugins use cookies or not, and cookie setting might only be triggered in some circumstances. I ran three different cookie scans on my site and got different results each time. I trust Cookiebot, which had the most extensive list--but I have no way to verify that every single cookie is identified.
 
#31 ·
but the internet is a global community and if you want to annoy 508 million people, go ahead
Would that I could annoy half a billion people. I could hit #1 and retire tomorrow.

Since the overwhelming majority of those people don't speak English, how does the EU propose I offer them the option to consent or not? Not only do they have no reason to sign up for any services I offer, they can't read the site in the first place.

Like I said, if I'm missing something here, I'm perfectly willing to be persuaded. But so far I haven't seen any constitutional grounds for the EU claiming jurisdiction over a web site in Southern California.
 
#32 ·
Victoria.T76 said:
Although there doesn't appear to be a treaty directly drawn up to agree GDPR - GDPR states that Public International Law is in effect - there are also laws to ensure enforcement of foreign judgments, (https://en.wikipedia.org/wiki/Enforcement_of_foreign_judgments)

An EU data subject can go to an EU court and win using their laws. The EU court will then pass the judgement to a US (for example) court for enforcement. In all likelihood the US court will comply with the request. However, even if a lawyer managed to get them to throw the judgement out and get the US court to side against the EU courts - this will cost a fair bit of money - it is highly unlikely that an EU court would allow court costs to be claimed back by the defendant if their original judgement was thrown out of court. So even if the judgement is deemed not enforceable and no fine or compensation claim is issued, it could still end up costing a US (or other non-EU company) a fair bit of money.

Easier to be compliant with laws and save the hassle.

In all honesty, it is highly doubtful anything is going to happen, we will all plod along the way we always have and all still have to adhere to our own countries' laws on data protection. The EU isn't after us, they are trying to make sure the big guys keep our data safe - in 2018 alone there have been some huge breaches, with data of 159 million users leaked from myfitnesspal, a huge fedex breach where passports and driving licences etc were revealed. Uber lost the data of 57 million customers. The list can go on and on. These companies will all be fined, and many have already been fined. Facebook had one of the biggest fines on record at 1.2 million euros, I believe - and it still doesn't take data protection seriously. GDPR aims to hit these big companies when they fail to comply, the EU are not after us, but it doesn't hurt to treat the security of people's data seriously.
I'm all for avoiding hassles--though, as I've said, when a law isn't clear in what it requires, that becomes a more difficult proposition.

I'm sure you're right about the focus being corporate abuse, and the underlying principles on which the law is based are reasonable. It's just the "What does it really mean in practice?" aspect that freaks everyone out. I wasn't worried--until you brought up the possibility of a civil suit. Nuisance law suits are filed all the time in the US, so that would be a point of concern. I checked your Wikipedia link and noted the section, "Exceptions." One of the exceptions is "The foreign court did not have personal jurisdiction over the defendant." From Cornell Law School: "Typically for a court to have personal jurisdiction over a defendant, the plaintiff needs to serve the defendant in the state in which the court sits, and the defendant needs to voluntarily appear in court." (emphasis added) https://www.law.cornell.edu/wex/personal_jurisdiction This would seem to suggest that an EU-based civil judgment against a US citizen over GDPR would have little chance of being enforced by a US court. Also, from the Wikipedia article, "There is a general reluctance to enforce foreign judgments which involve multiple or punitive damages. In this context, it is noted that the U.S. is not a signatory to any treaty or convention and there are no proposals for this position to change." So, while there is precedent for US courts enforcing foreign judgments in some cases, they aren't obligated to by treaty.

That doesn't mean I don't think we should follow GDPR regulations. I think we should. The current situation makes it difficult to know exactly how they will apply. Hopefully, clarification will be forthcoming.
 
#33 ·
Victoria.T76 said:
I honestly have no idea how they are going to enforce it, or even if they can. I do find it baffling that people are reluctant to protect the data of their subs, but we have to do that anyway in the EU and I assumed everyone did. - researching GDPR, I have also learnt that US email marketers do not need permission before they send an email, something again, I find weird - I would hate to receive a random email from someone I hadn't signed up to.

I think there are a lot of questions over how it would be enforceable, and it does seem that nobody knows for sure - I did read this interesting article which spoke to someone called Linda V. Priebe (the former deputy legal counsel at the Office of Drug Policy at the White House under Presidents Bill Clinton, George W. Bush, and Barack Obama) https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr - in the article it is noted that:

"There has [...] been long term and increasing enforcement cooperation between U.S. and EU data protection authorities," Priebe says, pointing to the negotiations over the EU-U.S. Privacy Shield data sharing agreement, which puts systems in place for the EU to issue complaints and fines against U.S. companies.

She continues: "While we don't yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."

It is also noted that "This won't apply to every U.S. business - just the ones that are knowingly, and actively, conducting business in the EU" - so you could go to amazon etc and remove publication from all EU territories and withdraw from doing business in the EU.

I have noticed a lot of plugins are updating their privacy policies - in mine, I am also stating that I use the plugin and linking to their privacy policy for further info :) It's not great, but it is a start. I have noticed that a lot of people say they didn't have a privacy policy on their site to start with, which is surprising again, as they have always been required by most countries' laws, and if you have an amazon affiliate account etc.

Don't overly worry, there will be lots of updates and changes as people figure out what the law actually means.

It's interesting to note that in the US a law can be thrown out for vagueness - wasn't the recent erotica rank stripping and the pulling of ads on craigslist etc blamed at some point on the vagueness of the US SESTA/FOSTA legislation?
Just for the record, I'm not reluctant to protect people's data, just concerned about the vague spots in the law. You're probably right that I shouldn't be worried.

As far as doing business in the EU is concerned, it could be argued that it is Amazon doing business in the EU, not I. Under seller on my ebooks, it says "Sold by Amazon Digital Services LLC." Is it the store doing business, or each author of each individual book (and each manufacturer of any other product) that is doing business?

I'm not especially worried about EU actions, given how much I've done. It was the civil suit idea that had me really worried, and it doesn't sound as if the cooperation between US and EU necessarily extends to that.

Yeah, the US email marketers can send individual (as opposed to bulk) emails without permission. I'd rather they couldn't. There are also a lot of marketers who still claim you subscribed when you didn't. In that respect, it would be nice if the US law were a little more stringent.
 
#34 ·
Victoria.T76 said:
I wonder if a lot of US companies will start adopting it across the board anyway. I heard Microsoft had announced they were applying it to all users the other day, it will be interesting to see if others follow suit.

Plus, sorry - didn't mean to accuse you of being flippant with data, I meant it as a generalisation, but now realise how it probably came across.
I knew what you meant. I was just clarifying in case other readers of the thread didn't get what I was saying.

Yes, I think GDPR standards will eventually be the norm. The compliance plugins I've seen don't provide a mechanism for limiting consent confirmation to EU citizens; everybody has to confirm. As long as the law is applied rationally, the overall effect will probably be positive.
 
#35 ·
Oh, joy! I just got what appears to be spam from someone using the "Contact Data Protection Officer" option on one of my websites. :p

Edit: Someone theoretically representing a hotel in Vietnam wants to know about my reservation.

The Wordpress GDPR plugin I use can connect to a captcha plugin, but unfortunately not the one I use now. :(
 
#37 ·
The Wordpress GDPR plugin has updated twice since I bought it yesterday. The author seems very responsive to requests and is very conscious that May 25 is coming up.
 
#38 ·
Lexi Hall said:
Since the overwhelming majority of those people don't speak English, how does the EU propose I offer them the option to consent or not? Not only do they have no reason to sign up for any services I offer, they can't read the site in the first place.

Like I said, if I'm missing something here, I'm perfectly willing to be persuaded. But so far I haven't seen any constitutional grounds for the EU claiming jurisdiction over a web site in Southern California.
Almost 40% of Europeans speak English as a foreign language (not counting the 13% that speak it as their mother tongue), so if they're browsing websites, it's very likely they speak English too or at least understand it. If they don't understand it, there's always Google Translate (yep, I had a few visitors on my website who used it). :p I had sales in almost every EU country (too bad Amazon doesn't have detailed reports, because maybe it's every country) and I have subscribers from the EU on my mailing lists too. They don't have any trouble reading my books or my website.

Speaking of California, when I was generating my privacy policy, some thing called California Online Privacy Protection Act popped out (https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/#sthash.0FdRbT51.dpuf). I haven't heard of it before, and I have no idea if it applies to me or what it is. Does anyone know if I should mention it in my privacy policy too or can I leave it out?
 
#39 ·
katherinef said:
Almost 40% of Europeans speak English as a foreign language (not counting the 13% that speak it as their mother tongue), so if they're browsing websites, it's very likely they speak English too or at least understand it. If they don't understand it, there's always Google Translate (yep, I had a few visitors on my website who used it). :p I had sales in almost every EU country (too bad Amazon doesn't have detailed reports, because maybe it's every country) and I have subscribers from the EU on my mailing lists too. They don't have any trouble reading my books or my website.

Speaking of California, when I was generating my privacy policy, some thing called California Online Privacy Protection Act popped out (https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/#sthash.0FdRbT51.dpuf). I haven't heard of it before, and I have no idea if it applies to me or what it is. Does anyone know if I should mention it in my privacy policy too or can I leave it out?
I'm in California and wasn't aware of it. I'd have to see, but I think it's not likely to set a higher standard than the GDPR does.
 
#40 ·
MClayton said:
In the podcast people linked to several times last week, the recommendation was a policy somewhere on the website explaining how/if/where cookies were used. Is this not sufficient? Truthfully, if we've reached a point in which we need coding/plug-in knowledge to be an author with a website, I'm tossing in the towel on the website.
Consent is only one basis for data collection/processing in the GDPR. If you're planting cookies specifically to track your users and collect data (like how Amazon manages to show you ads for albums by the artists whose videos you just watched on YouTube) then you need consent. If your cookies are necessary to site operation, like holding a session identifier for the database or something, then it should be sufficient just to mention that your site uses cookies and what it uses them for. (IANAL but that's my understanding.)
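Taking the first post's requirements (block non-essential cookies until the visitor actively consents, let them withdraw later, and know what every cookie does so consent is informed) together with the distinction just drawn between cookies necessary for site operation and tracking cookies, here is an added example of the core logic a consent gate needs. It is not code from the thread or from any plugin named in it; the inventory entries, the placeholder script URLs and the `cookie_consent` cookie name are assumptions.

```javascript
// Added example (not from the thread or any plugin): a minimal first-party
// consent gate. Classifies cookies against a declared inventory, flags cookies
// present without consent, and computes the clean-up needed on withdrawal.

// Cookie inventory with the purpose shown to visitors. wordpress_logged_in_*,
// wordpress_test_cookie, _ga and _gid are names those products commonly set;
// the giveaway_ entry is constructed.
const COOKIE_INVENTORY = [
  { match: /^wordpress_logged_in_/, category: 'necessary',
    purpose: 'Keeps a logged-in user authenticated' },
  { match: /^wordpress_test_cookie$/, category: 'necessary',
    purpose: 'Checks whether the browser accepts cookies' },
  { match: /^_ga$|^_gid$/, category: 'analytics',
    purpose: 'Google Analytics visitor identification' },
  { match: /^giveaway_/, category: 'marketing',
    purpose: 'Giveaway widget entrant tracking (constructed name)' },
];

// Third-party scripts that may only be injected once their category is
// consented to (placeholder URLs).
const GATED_SCRIPTS = [
  { category: 'analytics', src: 'https://analytics.example/collect.js' },
  { category: 'marketing', src: 'https://giveaway.example/widget.js' },
];

// Parse a document.cookie-style string into [{ name, value }].
function parseCookieString(str) {
  return str.split(';').map(p => p.trim()).filter(Boolean).map(p => {
    const eq = p.indexOf('=');
    return eq < 0 ? { name: p, value: '' }
                  : { name: p.slice(0, eq), value: p.slice(eq + 1) };
  });
}

// Unknown cookies are reported separately: a plugin may be setting them
// without the site owner's knowledge, so they cannot be covered by consent.
function classifyCookie(name) {
  const entry = COOKIE_INVENTORY.find(e => e.match.test(name));
  return entry ? entry.category : 'unknown';
}

// Compare the cookies actually present with the visitor's consent.
// consent = { analytics: bool, marketing: bool }; 'necessary' needs none.
function auditCookies(cookieString, consent) {
  const result = { allowed: [], violations: [], unknown: [] };
  for (const { name } of parseCookieString(cookieString)) {
    const category = classifyCookie(name);
    if (category === 'unknown') result.unknown.push(name);
    else if (category === 'necessary' || consent[category]) result.allowed.push(name);
    else result.violations.push(name);
  }
  return result;
}

// Scripts that may be injected for this consent state.
function scriptsToLoad(consent) {
  return GATED_SCRIPTS.filter(s => consent[s.category]).map(s => s.src);
}

// document.cookie assignments that expire first-party cookies on withdrawal.
// Cookies set by a third-party domain cannot be deleted from here; the only
// control over them is not loading the script that sets them.
function expireCookies(names) {
  return names.map(n => `${n}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`);
}

// The consent record itself lives in a first-party cookie with the decision
// time, so the choice survives reloads and can be shown back to the visitor.
function consentCookie(consent, now = new Date()) {
  const record = { ...consent, decidedAt: now.toISOString() };
  return `cookie_consent=${encodeURIComponent(JSON.stringify(record))}` +
         '; path=/; max-age=15552000; SameSite=Lax';
}

// No record, or an unparseable one, means no consent has been given.
function readConsent(cookieString) {
  const none = { analytics: false, marketing: false };
  const c = parseCookieString(cookieString).find(x => x.name === 'cookie_consent');
  if (!c) return none;
  try {
    const r = JSON.parse(decodeURIComponent(c.value));
    return { analytics: !!r.analytics, marketing: !!r.marketing };
  } catch (e) { return none; }
}
```

In a page, call `auditCookies(document.cookie, readConsent(document.cookie))` after load and inject only `scriptsToLoad(...)`; on withdrawal, assign each string from `expireCookies(audit.violations)` to `document.cookie` and rewrite the consent record.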
 
#41 ·
https://www.bloombergquint.com/business/2018/05/25/blocking-500-million-users-is-easier-than-complying-with-gdpr#gs.3w_eFcU

So, if some of the largest companies in America can't get their head around GDPR, what chance does a self-published author have? The EU is already going after FB and Google saying they're in violation and if these two giants and their staff of lawyers can't seem to comply, then good luck to the rest of us. They're even trying to say that those companies that simply block access to their sites from the EU are still not in compliance because they already have data from their citizens from before the GDPR went into effect. In other words, they're trying to say the law is retroactive.

The problem is, you have a law written and voted into effect by a group of people who think a cookie should be banned, or at least taxed, because studies show cookies lead to obesity. Sit back and watch the lawsuits fly.
 
#42 ·
I just got my second piece of GDPR spam through the contact DPO option on my website. It's advertising for a fast and easy GDPR solution.

Who do I complain to if a GDPR info request is spam?
 