arunbasillal
commented
5 years ago Hello @Netzlichter I am trying to replicate this. Can you please provide the entire tracking code that was added by WP Rocket?
@Tabrisrp Any idea if this is valid?
Closed Contributolo closed 2 years ago
arunbasillal
commented
5 years ago Hello @Netzlichter I am trying to replicate this. Can you please provide the entire tracking code that was added by WP Rocket?
@Tabrisrp Any idea if this is valid?
vmanthos
commented
5 years ago @arunbasillal It is valid.
It's coming from the deactivation intent panel.
Even when Rocket Analytics is off, the Mixpanel JavaScript is present and a cookie is set.
Similar ticket: https://secure.helpscout.net/conversation/917682739/118009/
GeekPress
commented
5 years ago Rocket Analytics and our Deactivation Intent pop-in are two different things.
Rocket Analytics gets data from your website which needs your consentement.
Deactivation Intent doesn't get any data from your website. It doesn't have any relation with Rocket Analytics.
Contributolo
commented
5 years ago Yes but regarding DSGVO implement a third party code and cookie is not that smart in my humble opinion. Nethertheless Im using WP Rocket on many sites but do not like that my adblocker is blocking code on my own sites ;) and by the way the popup is annoying ... please consider to remove that.
arunbasillal
commented
5 years ago So as mentioned here https://github.com/wp-media/wp-rocket/issues/1959#issuecomment-538039136 the script is added for the deactivation intent and not for Rocket Analytics.
Since the deactivation intent doesn't collect or send any data back to origin until the user chooses to do so, it should be GDPR compliant, right?
saschafoerster
commented
4 years ago Sorry to disturb. Of course Mixpanel is getting personal data from me and all other admins, my IP address, every reload of my admin-sites, all this is or might be logged somewhere in the US without my explicit agreement or knowledge. It shouldn't be activated without my consent, because admins are people too. GDPR is actually quite clear about this. Especially when you are transferring my data to the US, this is not allowed any more, as privacy shield isn't existing, so there is no contract.
Actually I don't care oof you change it or not, I just wanted to give a chance to review this. WP-Rocket will be removed as soon as possible from our blogs because it feels to me like a privacy breach in my admin "backyeard" that I have to find out by searching who is adding third party sources without being informed in any way. Not cool.
arunbasillal
commented
4 years ago @saschafoerster Thanks for the feedback and sorry for the late reply. I will do more investigation from our side.
@GeekPress For the deactivation intend, do we really need the Mixpanel script? Can't we do something custom so that no third party is involved?
GeekPress
commented
4 years ago @arunbasillal Everything is possible to do on our side with their pros and cons. Having something custom will require to create an interface somewhere on our back-end to analyze the data. We will need to maintain the code, etc... When with Mixpanel, the back-end to analyze the data is already done. We have all our anonymous feedbacks centralized in the same tool, etc...
saschafoerster
commented
4 years ago You can keep Mixpanel, but you should at least get my consent and the consent of the users in the backend when activating it and accept a no, then you might transfer data outside of my server. No consent, no mixpanel in my backyard. 😉 And if you transfer data to your own servers, of course you need a rightful base for that data-transfer as well. Consent might be the fairest option in my opinion and only load mixpanel- or other external scripts in the moment if they are really needed and not track every step in the admin-plugin-panel I am doing (because the mixfile-logfiles will see my IP with every fresh load of the plugin page including the full URL and all my browser-data).
arunbasillal
commented
4 years ago @GeekPress What if we keep the deactivation intend only for users who have opted in to provide analytics and feedback? Would that be a middle ground approach?
NataliaDrause
commented
3 years ago Likely related: https://secure.helpscout.net/conversation/1404458869/233642/
andcam
commented
2 years ago it's been over 2 years and mixpanel script is still being loaded without consent.
@arunbasillal's suggestion is a good one. this really should be opt-in only to be compliant.
barabasis
commented
2 years ago I really hate this kind of decision you are taking for your users even going against GDPR. Still today, everytime I load my plugin page, sensitive data is sent to mixpanel and their script is loaded on my backend (attached). It's terribly disturbing me and my privacy as a paying user and the fact that this thing is going on since at least 3 years and your trick has been unveiled and showed illegal and you decided to do nothing about it, irritates me and my company a lot.
Dont' get me wrong, you have a solid product and I like you, but for this kind of shit, I am considering either stop my unlimited-websites license with you and get to the competition or filing a GDPR complaint to my local DPA if you don't solve this matter!!
This is serious, pls consider stopping mixpanel or at least ask for consent to your users and respect a "no" as answer.
King regards George DPO (data protection officer) Cfpowertools.com
GeekPress
commented
2 years ago Of course Mixpanel is getting personal data from me and all other admins, my IP address,
This isn't true.
Mixpanel does not store IP addresses, but rather, only uses IPs to assign geolocation properties to data upon ingestion.
We have defined since the beginning the IP parameter to false to disable the geolocation tracking. It means the IP isn't stored and not used to determine the user geolocation.
I really hate this kind of decision you are taking for your users even going against GDPR
I totally understand your point of view. It's why our script is defined to be 100% anonymous since we deployed it. As you are a DPO, I would love to know exactly more about what we have missed to not be GDPR ready.
The IP isn't sent to Mixpanel, and it's not stored by Mixpanel.
We have defined the IP parameter to false as explained here:
We have also added a couple of data to not be send and saved to Mixpanel:
mixpanel.init("xxx", {
 'ip':false,
 property_blacklist: ['$initial_referrer', '$current_url', '$initial_referring_domain', '$referrer', '$referring_domain']
 } );Currently, based on the configuration of our script, it is 100% GDPR friendly. If we have missed something, thanks to tell us what we missed.
barabasis
commented
2 years ago Well, here are a few examples:
Is this enough?
GeekPress
commented
2 years ago transparency with your users...
We will add something about Mixpanel on our Privacy Policy page to be transparent.
this is still analytics that you are taking from our backend
I can't agree. We are NOT sending any data from your back-end. The only thing which is sent to Mixpanel is the response of the form, nothing else.
the script is loading every time, therefore slowing down the backend
The script is loading only on the plugins.php file. It's not « everywhere ». And I can guarantee it's not slowing down your backend and it set to priority low in order to be loaded.
plus is simply against GDPR art. 5 (c) > data minimisation principle
Sorry but I'm going to be sure I'm clear: we aren't sending any personal data to Mixpanel!
We send only the response of the form to Mixpanel.
No IP, no URL, no personal data.
Please tell me exactly which personal data we send and do not respect GDPR?
Is this enough?
Sorry, no. You still didn't tell us which data aren't protected.
GeekPress
commented
2 years ago @barabasis Don't get me wrong, we aren't against updating our script or doing adjustements.
We need to know exactly what is really not respecting GDPR. Because currently, there is no tracking of your IP, website URL, or personal data.
barabasis
commented
2 years ago actually this modal
https://ibb.co/kJ47jyX
that you are showing everytime wprocket is diabled:
a) is purely a SELFISH thing to get your internal feedback and statistics. Clients get NOTHING out of it.
b) because of a), it's definitely NOT best-in-class-example. This is luckily rarely followed by other plugins (which don't interrupt you when you need to disable them)
c) this is a very annoying modal window that pushes you to an extra click every time you need to disable wprocket. This means that you are taking millions if not thousands of millions of seconds away from your users/clients everytime they disable wprocket.
d) we are dealing with a, awesome ;), caching plugin here.... but as such, realisticly, it is likely to be disabled multiple times a month for normal troubleshooting. Therefore having such modal it's even more frustrating knowing a), b) and c).
e) I am surprised you guys didn't realize up to no 1 single simple fact (which is why b) is reality)!!!!!
I am just assuming 90% of the clients clicks on "skip and deactivate" while 10% is giving you feedback from that window (and I am pretty sure I am generous with those numbers):
i) to collect 10% of feedback, you annoy 90% of your paying clients > which under both a logical and business perspective doesn't make much sense
iI) as d) is true and most webmaster are in a hurry for troubleshooting or similar condition, that 10% will never read through your 6 options picking the right one (surely not the 7th which is opening another window)... SO, he will give you FALSE information, just picking in fact a random radial just with the purpose of go on and disabling the plugin! Which returns you with false statistics, which is even worst than not getting any of such feedback.
The icing on the cake is that you even suffer from a tremendous "order effect" cause you don't randomize the 7 options!
Jonathan, if you are honest you can't say I am wrong on all what's above ;)
Bottom line is, and you never expressed a single word about it since, that to be able to perform this useless and unreliable statistics as above, you load a mixpanel script on the plugin page of each of your clients! This script takes in average 250ms to be received from the backend, regardless if I want to disable wprocket or do anything on my plugin page!
It's just non-sense... again, despite I love wprocket and am I trying to make you see this through the eyes of your clients.
GeekPress
commented
2 years ago So, this isn't a GDPR problem, you don't like this modal ;) This is totally different topic.
We will discuss about it internally, and let you know if we decide to make some changes based on feedbacks we received.
barabasis
commented
2 years ago So, this isn't a GDPR problem, you don't like this modal ;) This is totally different topic. >> oh right, then it's totally fine ;)
...based on feedbacks we received. >> you should also use the feedback you DON'T receive, common sense and best in class examples.
saschafoerster
commented
2 years ago I was once a customer of WP rocket. When I saw mixpanel.js in the plugin-backend, I was concerned. When I read the the list of external services that open up, when I use WP Rocket in my backend was longer than the list of my own domains, then I decided, WP Rocket has to go. And when I see, that you set plenty of cookies (for instance from stripe), without my consent, I am angry.
I don't think it is okay to do data-transfers in my backend to all different external services without my consent. And I don't know other plugins that do this in such an extreme way.
Hello, I have deactivated "Rocket Analytics" in settings BUT WP Rocket is still adding:
to my plugins.php page.
My adblocker is blocking this right now...
If I set Tracking to off it should be off - site wide.
Please explain.