jkwakman / Open-Cookie-Database

The Open Cookie Database is an effort to describe and categorise all major cookies. All cookie descriptions are saved in a downloadable CSV file. All contributions to the CSV file are welcomed.
Apache License 2.0

Platform cookies and "User Privacy & GDPR Rights Portals" column #163

Open thierrymaasdam opened 3 months ago

thierrymaasdam commented 3 months ago

Hi all,

I would like to take the opportunity to consider something with regard to cookies of platforms that operate directly on behalf of a site owner — such as e-commerce software — and their User Privacy & GDPR Rights Portals URLs.

Let's take the following examples:

These cookies refer to privacy portals that are maintained by the original developers of the software behind a certain platform and do not apply to instances of the products that they develop, such as an individual website that runs on WordPress or a store that runs on Magento, Lightspeed or Shopify.

Diving deeper into the examples:

  1. wordpress_logged_in_'s portal URL is set to https://wordpress.org/about/privacy/. That page is only referring to visitors' privacy and GDPR rights on the WordPress.org, and related, domain(s).
  2. The same goes for Magento. Every Magento instance should have its own privacy page. The provided privacy portal, https://www.adobe.com/privacy.html, is irrelevant for shops that run on Magento as it only covers the privacy and GDPR rights of users that visit websites that are managed by Adobe.
  3. Shopify does things differently: on their privacy page, they do mention the cookies used by merchants that use Shopify as their e-commerce platform (https://www.shopify.com/legal/cookies#merchant-storefronts). However, I personally think that it would be better if a merchant maintained their own cookie overview table.

Counter examples

Discussion

What are your thoughts on approaching privacy portals by platforms that operate as a first-party platform on behalf of a site owner?

jkwakman commented 3 months ago

Hi Thierry,

This is a difficult issue and I understand the underlying problem. Of course you are completely right that the essential 'framework' and open source platform cookies in particular should ultimately refer to the privacy pages of your own website. We have chosen to refer to the makers of these platforms in this database, as background information can often be read about these cookies or about the way in which these parties operate. Although this may not be useful for every use case, in our opinion it is the most appropriate / elegant solution.

Can you explain what you are trying to achieve with the database?

Kind regards,

Jack Kwakman