Textpattern CMS support forum


#21 2018-04-09 07:45:45

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

gaekwad wrote #310792:

I’ve been using this with my clients, it’s the best explanation I’ve found to date:

blog.varonis.com/gdpr-requirements-list-in-plain-english/

That’s a very useful resource. Thanks Pete. I like how they’ve pulled out the vocabulary from that. It could be strategic to start using those terms, in fact, in the legal statements of sites. For example, I see site owners are called “Controllers” in terms of the GDPR. I’ll be looking at this closer.


The text persuades, the *notes prove。

Offline

#22 2018-04-09 07:59:20

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

michaelkpate wrote #310794:

Here’s another one I ran across:

Centry’s GDPR Guide

That’s an interesting one too. Clearly written to scare people because they’re selling a service around it. This is potent faint remedy:

“Companies that are not compliant with the regulations by May 25th, 2018, and experience a breach of personal data, can expect to face steep fines, i.e. up to 4% of global revenue or 20 million Euro (whichever is higher)!”

And their “What does it effect?” section seems to confirm a bit what I was stabbing at about company size. It’s not the size, but the nature of the practice.

But, Michael, I don’t know if your free advertising for YouTube and Denise is warranted. ;)


The text persuades, the *notes prove。

Offline

#23 2018-04-09 08:30:20

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

If there are any French company owners following, a question for you…

Up to this point, a small business online in France was/is governed by the Processing, Data Files and Individual Liberties Act of 6 January 1978, and its post amendments. I’m presuming the new GDPR will supersede that old law, thus all French company sites can remove those old statements and “legalize” against the GDPR regulations?

That’s the impression I’m getting from this:

What are the goals of GDPR?
… Furthermore, they will simplify the regulatory environment for international business, by unifying regulations across the EU.


The text persuades, the *notes prove。

Offline

#24 2018-04-09 08:40:43

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

colak wrote #310795:

OK, Destry persuaded me that we have to have a warning for our cookies.

For what it’s worth, I’m not using any special code or elements to popup display my legal “compliance” notes, whatever kind. It’s all going directly into the footer of the site. In fact, that’s what the site footer of my site is for, “legal” notes. Front and center, in plain English, and on every page (one, in this case because it’s a single-page site). ;) An ID (i.e. <footer id="bam">) provides a direct link anchor if I need one from an external location (e.g. my writing site).


The text persuades, the *notes prove。

Offline

#25 2018-04-09 09:13:03

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 8,462
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

What I still find kinda funny about all this is that in order to opt out of any cookies being stored on a site, a cookie needs to be stored. The domain controller (site owner) has access to that information. That, potentially, has personally identifiable content or at the very least can be used to “profile” groups of people who have opted out per geographic region.

So is it now implicit that the act of saying “no” to cookies is also a “no” to profiling of any kind? Or are they treated separately? Does the wording on all of those annoying banners that pop up (on every site every time you visit a site from a new private browsing session) need to reflect this, now that GDPR is upon us?


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#26 2018-04-09 09:48:55

jakob
Moderator
From: Germany
Registered: 2005-01-20
Posts: 3,162
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

gaekwad wrote #310792:

I’ve been using this with my clients, it’s the best explanation I’ve found to date: blog.varonis.com/gdpr-requirements-list-in-plain-english/

Thanks. That’s quite clear. Now I need to find something that clear in German.

Bloke wrote #310804:

What I still find kinda funny about all this is that in order to opt out of any cookies being stored on a site, a cookie needs to be stored.

That is the irony of it, yes!

The domain controller (site owner) has access to that information. That, potentially, has personally identifiable content or at the very least can be used to “profile” groups of people who have opted out per geographic region.

I’m not sure about this one. The cookie is stored in the visitor’s browser and if it only holds the “opt-out” information and nothing more (i.e. you don’t do anything extra on your site to track which site visitor IPs have opted in or out), then surely it has no personally identifiable content…

So is it now implicit that the act of saying “no” to cookies is also a “no” to profiling of any kind? Or are they treated separately? Does the wording on all of those annoying banners that pop up (on every site every time you visit a site from a new private browsing session) need to reflect this, now that GDPR is upon us?

From what I’ve read, each kind of use of personal data has to be explicitly agreed to, so a) you have to opt in to any tracking that is not totally anonymous, not just “using this site implies agreement” and b) other uses also need agreeing to separately. So the default should be “no personal tracking” and I presume the wording will need changing in many cookie usage messages.

I’m a bit hazy on the specifics but my understanding is that you only need explicit permission for uses that hold potentially personalisable information. So cookies used purely for the visitors’ site navigation and use that you do not connect to anything personalisable should stay “under the radar”.

A murky area, however, might be if you want to track the relative proportion of people who have opted out versus those whose visits are logged in your webstats, to obtain a measure of how representative your site stats are of your visitors overall. Even if you anonymise that so that all you have in the end is “these web stats apply to N% of the site’s visitors”, are you not contravening the user’s wish not to be tracked?!

FWIW: In Germany, the EU cookie directive has not – until now – been converted into German law (they’re lagging behind here), so those warnings are less prevalent on German sites!!

I know many people here think web stats are pointless but for organisations/non-profits who don’t sell things, it’s one of the few ways of measuring and documenting the “success” and value of their website (and of the need for website updates) to their membership.


TXP Builders – finely-crafted code, design and txp

Offline

#27 2018-04-09 10:07:47

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 8,462
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #310806:

A murky area, however, might be if you want to track the relative proportion of people who have opted out versus those whose visits are logged in your webstats, to obtain a measure of how representative your site stats are of your visitors overall. Even if you anonymise that so that all you have in the end is “these web stats apply to N% of the site’s visitors”, are you not contravening the user’s wish not to be tracked?!

That’s precisely what I was getting at. You can “profile” people based on whether they opted in or out of cookies by virtue of them having a cookie stored on their computer (that the domain controller can access) saying they don’t want to be tracked.

Whether or not it’s personally identifiable, the act of consenting (or not) to cookies leaves the possibility of aggregating that info and may come under the banner of ‘profiling’. Even if that is just, as you say, to judge the success or not of page visits to help clients improve their site wording for better engagement.

And let’s not get into A/B split testing eh?!


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#28 2018-04-09 10:55:06

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #310806:

I know many people here think web stats are pointless but for organisations/non-profits who don’t sell things, it’s one of the few ways of measuring and documenting the “success” and value of their website (and of the need for website updates) to their membership.

I probably give that impression with my wood-palette proselytizing. But much of that is in context of my own pithy websites.

You’re right, and I’m well-aware, that analytics are important readings for other needs. And this is where it’s going to be very interesting to see what strains through 24 months of GDPR being in effect. Some sites use analytics for reasonable/necessary operational purposes, while others (media sites, as one notable example) load their sites excessively with so much tracking BS, largely because they’ve given their souls to ad agencies and our data to brokers.


The text persuades, the *notes prove。

Offline

#29 2018-04-09 12:09:10

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

The one thing that’s got me confused at the moment in relation to Txp is the Visitor logs panel, and where IP address data falls on the scale of what’s “identifying” data or not in relation to GDPR. If IP data is remotely considered an opt-in data type, then the Visitor logs functionality will essentially become obsolete because nobody will opt-in to have their visits logged. Why would they?

Could the Visitor logs be extended to only log non-human visits? (Spam tech, bots, etc) so that it’s at least providing some value? I’ve never used it for that reason but maybe somebody has and would like to keep doing so.

If not, let me ask the elephant in the room question: Should Txp drop supporting the Visitor logs functionality and leave it to site Controllers to decide for themselves whether or not to install/use third-party tracking technology? Or maybe this is a rare instance where core functionality is removed to become a plugin. Not a bad idea, actually.

It kind of makes sense to me… Takes the hazy middle ground out of the equation. I, or anyone, could then say matter-of-factly: “We do not have software installed that can track you. Period.”

Maybe that’s a question for a new thread in Core topics? Let me know and I can repost.


The text persuades, the *notes prove。

Offline

#30 2018-04-09 12:44:42

planeth
Plugin Author
From: Nantes, France
Registered: 2009-03-19
Posts: 183
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Bloke wrote #310804:

What I still find kinda funny about all this is that in order to opt out of any cookies being stored on a site, a cookie needs to be stored.

In fact, you can’t store a cookie unless your visitor has given you explicit permission to do so.
The EU cookie banner is dying in favor of a more granular and “just-in-time” way to opt-in.

There’s a lot to say about GDPR, I don’t have time now to read and react to the rest of the thread.

Offline
