trewknowledge / GDPR

This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
https://wordpress.org/plugins/gdpr/
GNU General Public License v2.0
149 stars 44 forks source link

Consent to embeds and iframes #33

Open fclaussen opened 6 years ago

fclaussen commented 6 years ago

From: darkmoonxarx

One of the challenges of GDPR is YouTube, facebook and instagram embeds, because they save cookies from external sources. In some cases a general “I understand” click at the beginning doesn’t suffice. So how about if your plugin could detect iframes and oEmbeds, replace them with a thumbnail with some legal info and don’t load them until they are clicked. This is a plugin that does this with YouTube links: https://github.com/michaelzangl/wp-video-embed-privacy Your plugin could go one step further and save the consent, so the user only has to click once. Also functionality for all oEmbeds, iFrames and potentially a shortcode to hide any type of content until permission is given would be awesome.

Creanimo commented 6 years ago

Thanks for posting it here! To elaborate on that:

Purpose and reason

As mentioned above showing iFrames and oEmbeds on the first visit is problematic because cookies and privacy policies might apply that the user of our website didn't give consent to - especially if they haven't confirmed the banner yet.

Description

Feature 1: Iframes and OEmbeds should automatically be replaced by

Minimum: A text notice saying that this content will be available if the user accepts the privacy policy. There should be a clickable button or text link to activate a specific consent or cookie. Good solution: A predefined placeholder image (could also just be div with a nice CSS gradient) spanning the approximate size of the oEmbed (16:9 for YouTube and vimeo, 1:1 for Instagram, 2:3 for facebook) with the text notice on top of it. Best solution: A thumbnail fetched from the source and cached on our own webspace with a semi transparent div overlay with the text notice on top of it. Maybe a mix with a generic placeholder when a preview cannot be fetched.

Settings in admin area: Minimum:

Good solution:

Best solution:

Optional:

Feature 2: A shortcode to hide any type of content if (a specific) consent wasn't given

This way we can potentially hide any scripts or iframes embedded on the frontend. Shortcode: [have_consent][/have_consent] Variables: consent=" ", content only shows when user gave a specific consent (if this is not defined, a click on "I understand" on the banner is necessary). cookie=" ", content only shows when a specific cookie is active. option_type=" " defines what is appended where the user can click on to give consent

What could set the GDPR plugin apart from others

fclaussen commented 6 years ago

I was watching a video on Twitter this morning and they showed a cookie consent message before playing. So I'm guessing individual providers will take care of this issue. Making that update might mean you have to click twice if providers really go down that path.

Keeping this on hold until we are closer to the deadline to see what major providers are doing.

Creanimo commented 6 years ago

Interesting that twitter is already implementing sth like this. Technically even loading the privacy note from an external server is against GDPR though because an IP address is transmitted. And I still see advantages in a shortcode... An iframes could be anything. I have a couple of scripts and iframes like the forms from viral loop I couldn't use without such a tool... or a lot of manual work. I just doubt every provider will include such a message... and it's up to debate if showing the external message is already passing on of user data.

fclaussen commented 6 years ago

From what I understood, the way they do it does not pass any user data at all.

They just check if their cookie is set. If not, they display the message alerting that choosing to view the video will set a cookie and an OK button.

Creanimo commented 6 years ago

But a transaction of the users's ip would still be necessary to serve the cookie notice, right? I mean, we are in unprecedented territory here, but I swear I heard from some lawyers warning even from loading images from external servers before consent to the privacy policy. I am pretty sure that an iframe is just as problematic even when just showing a cookie notice.

Creanimo commented 6 years ago

Another plugin called Borlabs Cookie solved it like this: https://borlabs.io/borlabs-cookie-iframe-demo/ They also have a shortcode to block any content within the shortcode before consent was given.

Will we see this functionality in this plugin?

fclaussen commented 6 years ago

Blocking content via shortcodes is a nice idea. I can add that in. I'm not ready to block iframes still. But if you can block a section based on a shortcode, then I guess that would do the trick for that case too?

Creanimo commented 6 years ago

Shortcode would be a great first step.

I have hundreds of video embeds on my site though so an automatic blocking of oembeds and iframe tags (like borlabs cookie does) would be amazingly helpful. I could of course use borlabs cookies for the moment but it would be awesome to have detailed choices for the user which oEmbeds to block in the settings pop up of the GDPR plugin.

Barrans commented 6 years ago

That

On Mon, Apr 30, 2018 at 10:22 AM, Fernando Claussen < notifications@github.com> wrote:

Blocking content via shortcodes is a nice idea. I can add that in. I'm not ready to block iframes still. But if you can block a section based on a shortcode, then I guess that would do the trick for that case too?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/trewknowledge/GDPR/issues/33#issuecomment-385412999, or mute the thread https://github.com/notifications/unsubscribe-auth/AEStsXqOpWx1ICn99fFIsP5sXseo7zZdks5ttx4rgaJpZM4TSNsD .

--

Shawn Barrans President, Senior Strategist I Président, Stratégiste en Chef

Trew Knowledge Inc. 372 Richmond ST. W, Suite 209 Toronto, ON, M5V 1X6

Call me at 647.289.6838 Email me at sbarrans@trewknowledge.com sbarrans@trewknowledge.com

Shawn Barrans on Linked in http://ca.linkedin.com/pub/shawn-barrans/16/309/677 Trew Knowledge on Facebook https://www.facebook.com/trewknowledge Visit us at www.trewknowledge.com http://www.trewknowledge.com

This message, including any attachments, is intended only for the use of the individual(s) to which it is addressed and may contain information that is privileged and confidential. Any other distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply e-mail and permanently delete this message including any attachments, without reading it or making a copy. Thank you.

Ce message (incluant ses fichiers joints) est transmis pour l'usage exclusif de la ou des personnes à qui il est destiné et peut contenir des renseignements confidentiels ou assujettis au secret professionnel. Il est strictement interdit d'en faire toute autre distribution, copie ou divulgation. Si vous n'êtes pas le destinataire visé ou que vous avez reçu ce message par erreur, veuillez nous en aviser immédiatement par réponse à ce courriel et le détruire (incluant ses fichiers joints) de façon définitive sans le lire ou en faire de copie. Merci

Barrans commented 6 years ago

That sounds like it would be a good solution. If we can block the shortcode embed based on preference, I don't see an issue with that. Ideally, the cookie should be available as an option in your preference window. If the user has disabled the cookie, we can replace the embed with a generic placeholder for the type of content ie. video, image, social and include a button to view content. If the user clicks on the reveal button, it sets the cookie which should be a blanket consent for all shortcode cookies.

On Mon, Apr 30, 2018 at 10:53 AM, Shawn Barrans sbarrans@trewknowledge.com wrote:

That

On Mon, Apr 30, 2018 at 10:22 AM, Fernando Claussen < notifications@github.com> wrote:

Blocking content via shortcodes is a nice idea. I can add that in. I'm not ready to block iframes still. But if you can block a section based on a shortcode, then I guess that would do the trick for that case too?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/trewknowledge/GDPR/issues/33#issuecomment-385412999, or mute the thread https://github.com/notifications/unsubscribe-auth/AEStsXqOpWx1ICn99fFIsP5sXseo7zZdks5ttx4rgaJpZM4TSNsD .

--

Shawn Barrans President, Senior Strategist I Président, Stratégiste en Chef

Trew Knowledge Inc. 372 Richmond ST. W, Suite 209 Toronto, ON, M5V 1X6

Call me at 647.289.6838 Email me at sbarrans@trewknowledge.com sbarrans@trewknowledge.com

Shawn Barrans on Linked in http://ca.linkedin.com/pub/shawn-barrans/16/309/677 Trew Knowledge on Facebook https://www.facebook.com/trewknowledge Visit us at www.trewknowledge.com http://www.trewknowledge.com

This message, including any attachments, is intended only for the use of the individual(s) to which it is addressed and may contain information that is privileged and confidential. Any other distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply e-mail and permanently delete this message including any attachments, without reading it or making a copy. Thank you.

Ce message (incluant ses fichiers joints) est transmis pour l'usage exclusif de la ou des personnes à qui il est destiné et peut contenir des renseignements confidentiels ou assujettis au secret professionnel. Il est strictement interdit d'en faire toute autre distribution, copie ou divulgation. Si vous n'êtes pas le destinataire visé ou que vous avez reçu ce message par erreur, veuillez nous en aviser immédiatement par réponse à ce courriel et le détruire (incluant ses fichiers joints) de façon définitive sans le lire ou en faire de copie. Merci

--

Shawn Barrans President, Senior Strategist I Président, Stratégiste en Chef

Trew Knowledge Inc. 372 Richmond ST. W, Suite 209 Toronto, ON, M5V 1X6

Call me at 647.289.6838 Email me at sbarrans@trewknowledge.com sbarrans@trewknowledge.com

Shawn Barrans on Linked in http://ca.linkedin.com/pub/shawn-barrans/16/309/677 Trew Knowledge on Facebook https://www.facebook.com/trewknowledge Visit us at www.trewknowledge.com http://www.trewknowledge.com

This message, including any attachments, is intended only for the use of the individual(s) to which it is addressed and may contain information that is privileged and confidential. Any other distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply e-mail and permanently delete this message including any attachments, without reading it or making a copy. Thank you.

Ce message (incluant ses fichiers joints) est transmis pour l'usage exclusif de la ou des personnes à qui il est destiné et peut contenir des renseignements confidentiels ou assujettis au secret professionnel. Il est strictement interdit d'en faire toute autre distribution, copie ou divulgation. Si vous n'êtes pas le destinataire visé ou que vous avez reçu ce message par erreur, veuillez nous en aviser immédiatement par réponse à ce courriel et le détruire (incluant ses fichiers joints) de façon définitive sans le lire ou en faire de copie. Merci

Creanimo commented 6 years ago

I have to stress again that I see the shortcode only as an additional option. I have 5 years of YouTube and facebook embeds. An automatic solution detecting oEmbed and iFrame code is the only way to get my site GDPR compliant without checking every single post individually. Do you think this will be a function of the plugin (ideally around the GDPR deadline)?

C44Supra commented 6 years ago

Any updates on this? How do we go about embedded content from YouTube or Instagram? Even though you can use youtube-nocookie.com, I'm still seeing cookies being set by google.com. (Only happens on pages with a embedded youtube video). I would very much like to lock this down if at all possible.

fclaussen commented 6 years ago

This is planned for June 11th

kasperkamperman commented 6 years ago

This would be a necessary function to make a site GDPR proof. Unfortunately this is not supported by many plugins. However Vimeo loads a cookie on embed. Twitter indeed puts a message before playing a video (however I think they still set a language cookie without permission).

This plugin (https://nl.wordpress.org/plugins/eu-cookie-law/) blocks embeds with a banner, however it doesn't work with caching plugins like WP Super Cache.

fclaussen commented 6 years ago

Not all cookies need blocking. Some cookies are ok. It's a fine line.

maxammann commented 5 years ago

Seems like there is no open source solution available so far.