trewknowledge / GDPR

This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
https://wordpress.org/plugins/gdpr/
GNU General Public License v2.0

Enabling non-essential cookies after click on "I understand" #77

Closed Creanimo closed 6 years ago

Creanimo commented 6 years ago

I am a bit confused about how cookies are supposed to be activated. Do I wrongly assume that clicking "I understand" activates non-essential cookies too? Because since the latest update it no longer activates the non-essential scripts in the privacy settings. Could you add an option where we can choose if a cookie set is activated when the "I understand" button is clicked? My cookie consent popup explicitly says "By agreeing to cookies you allow the use of third party tracking through Google Analytics and the Facebook Pixel. You can opt-out using the privacy settings.", so I believe I am in accordance with the law here. Please explain if I have misunderstood something.

fclaussen commented 6 years ago

The default behavior is that only required cookies are set. Setting not required cookies or consent without explicit consent, or having a checkbox checked by default is not enough for GDPR. That's why we only set required cookies.

I could build an option for you to choose, but that would mean I'm enabling users to go against GDPR rules. Probably against their knowledge. And if something goes wrong, people could say "oh, but this plugin allowed me to do it"

Creanimo commented 6 years ago

But how would they ever activate a non-essential cookie? From the side of user behavior I mean. Will anyone actually open the options and activate the cookies? Hmm have you seen how the Borlabs plugin does this? Nothing is pre-checked and you have a clear choice: https://borlabs.io/?noredirect=en_US

fclaussen commented 6 years ago

I disagree @Creanimo,

I don't have a clear choice. It is very obscure what cookies will be set and what is the purpose. I have no way to know.

You can always prompt the user to enable a feature or another based on their current preferences. If you need them to enable something you can prompt them to and add the button that opens the preference management window.

Creanimo commented 6 years ago

Can you show me this in action? How would you ask a user to enable the facebook pixel for example?

I agree that the default text in Borlabs isn't enough. But you can add more text and options like 1 only essential cookies 2 only Google Analytics 3 enable all cookies (facebook pixel and Google Analytics). Plus your plugin could show the infos added to the privacy panel before the user hits ok.

It's tough to find a good balance here. Yes, the user should have a choice and be informed, but currently I see the danger that no user will ever enable a non-essential cookie if it is too hidden.

fclaussen commented 6 years ago

I have no live example to show it to you, but the code would be something similar to this

```php
if ( is_allowed_cookie( 'fbpixel' ) ) { // cookie name in this example is probably not correct.
    // load the fbpixel
} else {
    echo '<p>Help us improve your experience by enabling Facebook Pixel</p>';
    gdpr_preferences( 'Privacy Preferences' );
}
```

Creanimo commented 6 years ago

Thanks for the code. :) I just seriously doubt that people will actually do that... So many clicks. Maybe a shortcode could display the specific checkbox for the facebook pixel isolated without the need to open the setting checkbox?

fclaussen commented 6 years ago

Maybe, but I am thinking of changing this entire thing with the purpose of making it easier for users to select their stuff anyway. I like what cookie bot made where you can easily pick the categories from the bar.

Creanimo commented 6 years ago

Picking categories from the bar sounds great :)

miximed commented 6 years ago

I was just wondering the following:

With the new regulations the visitor has to manually tick the checkbox to Agree on the cookies?

fclaussen commented 6 years ago

The user needs to manually tick the checkbox to agree to cookies. Unless we are talking about strictly necessary cookies that will be allowed by default.

I'm already working on this rework for v2.

wizzud commented 6 years ago

I could be wrong but my understanding of GDPR is that explicit consent is required if the data being collected is capable of "personally identifying" the visitor/customer/whomever. If the data being collected is not capable of personally identifying someone then having a checkbox that is checked by default is not necessarily breaking GDPR. For example, at its most basic, Google Analytics can be set up simply for site analysis, such as page hits/flow and device stats - no Marketing, no Advertising, and capturing an "anonymised" IP address. Since there is no personally identifying data being collected then consent can be implicit, defaulting to 'given', with an option for opt-out.

I understand the concerns about "oh, but this plugin allowed me to do it". However, as has already been pointed out, the plugin can't know everything, and ultimately it is the plugin's user (eg. site owner) that is responsible for its correct configuration. Since the plugin is not responsible for (and is actually incapable of) determining either the constituents of a group, or whether that group is "required" or "optional", it cannot be held responsible for any mistakenly(?) applied settings. In terms of "enabling users to go against GDPR rules", you have no choice. You already allow users to make the decision as to whether a group is Always Active or not, so if they misuse that option ... ?

Ideally, what I would like to see the plugin doing is something along the lines of expanding the Always Active option to be one of a set of possible options (instead of simply on/off) ...

Those options, per group, would allow me to [perfectly legitimately!] set 'gdpr' as 'Always Active', GA Tracking as 'Default to On Unless DNT is Set', and Marketing as 'Default to Off'. Then any first time visitor to the site who just hits "I agree" - which is the usual/typical action - would be consenting to the required cookies and the tracking cookies ... unless they have DNT enabled, in which case the site would honour that setting. If DNT is set, they can still choose to opt-in. If DNT is not set, they can still choose to opt-out. Whether the tracking cookies are actually capturing personally identifying data or not is not the plugin's problem, it's mine.

Thank you for reading ... and I really like this plugin! Regards.

PS. And a little PHP function and/or shortcode that told me whether the plugin thought that the browser's Do Not Track was set [or not], would be a nicety!
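As an added illustration, not the plugin's own code and not a reply in this thread, here is how the per-group modes proposed above could be resolved in one place, together with the Do Not Track check asked for in the PS. `gdpr_dnt_enabled()`, `gdpr_resolve_consent()`, the `GDPR_MODE_*` constants and the group slugs are all assumed names; a plain "I agree" click is modelled as a consent record with no per-group entries.

```php
<?php
// Added example (hypothetical, not the plugin's own code): resolve which cookie
// groups are active from per-group default modes, the browser's DNT header and
// whatever the visitor has explicitly chosen in the preferences window.

// Per-group modes as proposed in the comment above (constructed configuration).
const GDPR_MODE_ALWAYS    = 'always_active';  // required, cannot be opted out
const GDPR_MODE_ON_NO_DNT = 'on_unless_dnt';  // default on, but honour Do Not Track
const GDPR_MODE_OFF       = 'default_off';    // default off, explicit opt-in needed

// Reports whether the browser sent "DNT: 1" (PHP exposes the header as HTTP_DNT).
function gdpr_dnt_enabled( array $server ): bool {
    return isset( $server['HTTP_DNT'] ) && trim( (string) $server['HTTP_DNT'] ) === '1';
}

// $modes   : group slug => one of the GDPR_MODE_* constants
// $choices : group slug => true/false for groups the visitor explicitly set; an
//            "I agree" click with no further interaction is an empty array
// Returns group slug => bool, the groups whose scripts may run for this visitor.
function gdpr_resolve_consent( array $modes, array $choices, bool $dnt ): array {
    $active = [];
    foreach ( $modes as $group => $mode ) {
        if ( GDPR_MODE_ALWAYS === $mode ) {
            $active[ $group ] = true;                      // never overridable
            continue;
        }
        if ( array_key_exists( $group, $choices ) ) {
            $active[ $group ] = (bool) $choices[ $group ]; // explicit choice wins
            continue;
        }
        // No explicit choice: fall back to the group's default, honouring DNT.
        $active[ $group ] = ( GDPR_MODE_ON_NO_DNT === $mode ) ? ! $dnt : false;
    }
    return $active;
}

// Constructed configuration mirroring the comment above.
$modes = [
    'gdpr'      => GDPR_MODE_ALWAYS,
    'analytics' => GDPR_MODE_ON_NO_DNT,
    'marketing' => GDPR_MODE_OFF,
];

// First-time visitor who just hits "I agree", DNT off: gdpr + analytics on, marketing off.
print_r( gdpr_resolve_consent( $modes, [], gdpr_dnt_enabled( [] ) ) );
// Same visitor with DNT set: analytics drops out ...
print_r( gdpr_resolve_consent( $modes, [], gdpr_dnt_enabled( [ 'HTTP_DNT' => '1' ] ) ) );
// ... but an explicit opt-in in the preferences window still wins over DNT.
print_r( gdpr_resolve_consent( $modes, [ 'analytics' => true ], true ) );
```

In a real plugin the `$server` argument would be `$_SERVER` and `$choices` would come from the stored consent cookie; the explicit-choice-wins rule is what lets a DNT user opt in and a non-DNT user opt out, as described above.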

fclaussen commented 6 years ago

Thank you for your input @wizzud

This law is very complicated. It has so many interpretations.

I am honestly tired of "locking" things to the interpretation that was given to me. I've decided to make it more flexible.

I'm currently working on v2 with a bunch of improvements and additions. I really like the addition of the DNT in the options. I will add that to my roadmap. It's going to be tough. Hold on!

miximed commented 6 years ago

Thanks! I really appreciate all the work you are doing. The plugin is great! Looking forward to v2!

andrearuffini commented 6 years ago

Hi guys,

this plugin is really the best GDPR compliance solution I have found so far. The only thing I can say is that it's too restrictive about cookies. The GDPR says that you can give a valid consent through an "affirmative action". So the soft opt-in consent is probably the best consent model, according to GDPR: this means that you have to give an opportunity to act before cookies are set on a first visit to a site. Then clicking on the "accept" button should be considered as a fair consent via "affirmative action".

Given this, is it possible to have the cookies set as approved when a visitor clicks on the "accept" button? Or is there a way to set this option through some rows of code?

Thanks!

Creanimo commented 6 years ago

I agree with this. To the understanding of many lawyers clicking the button to activate cookies is enough (for some cookies) if information and opt-outs are available in the cookie bar (which this plugin does very well by opening the settings window) at least until eprivacy is taking effect in 2019. I would appreciate it if this mode would at least be optionally available maybe even on a per cookie basis.

nathan-charrois commented 6 years ago

Great post @wizzud. Opt-out functionality is preferable for businesses proceeding with GDPR compliance. Quite happy to see you've already implemented this @fclaussen.

I'd argue that the current (v1) implementation could be harmful to your business if not thought about carefully. For example we rely on Remarketing cookies to sell our product and have invested time honing our Facebook campaigns. If suddenly users must explicitly opt-in to these cookies, we'd be in trouble.

Conversely, as a user, I love the ability to opt-out of these campaigns. And that's the whole point of cookie consent. The business has a choice, and the user has a choice.

fclaussen commented 6 years ago

Since v2, you can set cookies as Required, ON, OFF

Required: Cookies are required and can't be opted out. ON: cookie categories will be checked by default. By clicking "I understand" all of those would be set. OFF: Same behavior as v1. Categories are unchecked.