Textpattern CMS support forum

You are not logged in. Register | Login | Help

#371 2018-06-02 09:29:21

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 1,625
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

colak wrote #312252:

I love the way the SF chronicle asks consent for cookies. Even if you reject all, and click continue, the page will load.

Is that a EU thing? I don’t get anything that asks for cookie consent from here (even if I whitelist the site in 1Blocker)

Maybe I should be jealous?

Offline

#372 2018-06-02 10:29:18

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 7,152
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

I have no idea if it is an EU thing but here is the screenshot. All privacy policies are linked to the corresponding sites.

> Edited to add: It is strange, as I did not consent to any cookies, clicked continue, read the article, and closed the browser. On revisiting the URL with the same browser, the choices were not there. I just landed on the article. I wonder if by not consenting to cookies, a cookie is saved to remember that decision.

Last edited by colak (2018-06-02 10:35:51)


Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github

Offline

#373 2018-06-02 10:51:42

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 3,388
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

colak wrote #312256:

I have no idea if it is an EU thing but here is the screenshot. All privacy policies are linked to the corresponding sites.

Wow. That is a monster. I suppose the language of the introductory sentences is lucid enough but the information on what those services are being used for is lacking, so one can’t make any half-way informed decision without reading the various privacy policies. Good luck to them with that – my guess is it’s their loss and people will simply not consent to what they don’t know … I’ve heard of Facebook and Twitter ;-) but none of the others.

Edited to add: It is strange, as I did not consent to any cookies, clicked continue, read the article, and closed the browser. On revisiting the URL with the same browser, the choices were not there. I just landed on the article. I wonder if by not consenting to cookies, a cookie is saved to remember that decision.

You can probably check that, but I assume “continue” is effectively committing your decision with regard to what they preset. Saving your preferences in a cookie is, I believe, okay. There’s no personal data being collected there, it’s just your own site preferences.

I love the way the SF chronicle asks consent for cookies. Even if you reject all, and click continue, the page will load.

That the page loads isn’t a problem (especially if leaner). If all those services are included (with their cookies) despite having been declined, then they’re blatant ignoring the user’s settings.

I’m sure you saw that post somewhere about The Verge being much leaner and still surfable and readable if you don’t click “OK” (they don’t offer a decline and make their notice take up a third of the screen). If you have a “User CSS” plugin in your browser, you can simply display:none !important; the notice and surf quite happily with about half the page volume.


TXP Builders – finely-crafted code, design and txp

Offline

#374 2018-06-02 11:41:04

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 3,388
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Back to a practical question: Can I ask how you lot have been dealing with embedded content from such services if cookies are declined?

I have a few sites where there are occasional embedded videos, or a few interactive maps are shown or publication previews are embedded with issuu. I have another site with a twitter feed. If you’re going to follow the rules, you need to deactivate those or provide an alternative if cookies have been declined.

Up to now, I’ve used oui_cookie (thanks Nicolas!) as a wrapper to skip that content if my cookie-consent cookie is not accepted or provide a more basic alternative. That’s been easy enough on more recent sites where I was using rah_beacon to embed content, so only need to add the wrapper to my custom tag’s form (like you can now do with txp 4.70). It’s pretty tiresome, though, on the older sites where old articles have to be revisited and any embedded content wrapped in <oui_if cookie name="cookie-consent" value="accepted"> … </oui_if_cookie>.

  • In the case of the maps, I can put a static image in its place because there are only a few. That’s not feasible, for sites with lots of maps, though. <br> Note: if you do provide a graphic, go to the extra effort to download a static image from that service with their logo and copyright on it. If not, you may run into copyright problems like I explained in another thread (even if you state copyright separately on your page). Mapbox has a service for that. Google Maps I believe too. Others probably do too.
  • In place of issuu, you can simply link straight to a download of the document. Depending on your site, you could provide a preview image of the document, but again that’s not feasible for large sites with lots of past material.
  • Videos are more complicated: you can provide just the link to the video. If you want to show a preview image, you either have to make one for each video yourself, or you need to retrieve them from the service and cache them somehow (would that be possible?) before your visitor arrives. Then you show your visitors the preview and link along with a “when you click this you contact youtube” notice. No YouTube or vimeo code is then run until your user actually clicks on the video.
  • For twitter I’ve found tweetledee. You can retrieve your twitter timeline separately and turn it into a feed that get’s cached. They you embed that feed in your homepage. That prevents having to embed twitter code in your site.

There has been some admiration expressed for how Medium handle Do Not Track by showing an overlay that has to be clicked on before embedded content is shown: https://medium.com/policy/how-we-handle-do-not-track-requests-on-medium-f2b4b4fb7c5e.

I was wondering whether there’s a case to be made for some agreed site-wide flag or attribute name that plugin users could reference in their plugins, e.g. that consent-obtaining scripts could set and embedded content plugins could check against before displaying their content.

For example: I realised after a while (too late, unfortunately), that it would probably have been more robust to set a variable to denote consent or no-consent (or different kinds of consent). Then I can use oui_cookie, or some other method, to set that variable on page load. All other embeds only need check if that variable exists before presenting content. If plugins like oui_player, arc_youtube, arc_video etc. etc. checked against some typical default variable name/value, and perhaps also offered an attribute to allow you use a custom consent variable if you prefer (for more granular control, for example), then one could dispense with all the wrappers altogether.

That still doesn’t solve the problem of getting and caching the preview images first, though. I don’t know if there’s a way to do that on saving the article. Or perhaps we need a plugin where you first link up the video (like the links or files tab) and the preview image is retrieved then.


TXP Builders – finely-crafted code, design and txp

Offline

#375 2018-06-02 12:01:10

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 1,625
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

colak wrote #312256:

I have no idea if it is an EU thing but here is the screenshot. All privacy policies are linked to the corresponding sites.

Wow impressive thing that. But as Jacob notes, there is not much of an explanation for each service. And no matter how I try, I don’t get that. Must be EU specific. And I’m definitively jealous :-)

> Edited to add: It is strange, as I did not consent to any cookies, clicked continue, read the article, and closed the browser. On revisiting the URL with the same browser, the choices were not there. I just landed on the article. I wonder if by not consenting to cookies, a cookie is saved to remember that decision.

Probably a cookie yes. I checked the page with Firefox and afterwards found 14 cookies, + some subdomain with cookies and local storage things. That is with Ghostery enabled.

Offline

#376 2018-06-02 14:07:46

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 7,152
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob and phiw13 wrote:

Wow. That is a monster. I suppose the language of the introductory sentences is lucid enough but the information on what those services are being used for is lacking, so one can’t make any half-way informed decision without reading the various privacy policies. Good luck to them with that – my guess is it’s their loss and people will simply not consent to what they don’t know … I’ve heard of Facebook and Twitter ;-) but none of the others.

I think that the safest way is to link to the individual policies as sites change them more often than not. What I liked is the idea that you can opt in or out from individual providers rather than just accept cookies from all. A lot of ‘normal’ sites have cookies from, some analytics software(s), gaggle, youpuke, vimeo, facebook, twitter, instagram, flckr… the list goes on…. Most people would have heart of those. Allowing for acceptance (or not) for each one individually, is so much nicer.

Up to now, I’ve used oui_cookie (thanks Nicolas!) as a wrapper to skip that content if my cookie-consent cookie is not accepted or provide a more basic alternative. That’s been easy enough on more recent sites where I was using rah_beacon to embed content, so only need to add the wrapper to my custom tag’s form (like you can now do with txp 4.70). It’s pretty tiresome, though, on the older sites where old articles have to be revisited and any embedded content wrapped in <oui_if cookie name="cookie-consent" value="accepted"> … </oui_if_cookie>.

I did notice that oui_cookies does load the vimeo videos, twitter and fb feeds, in our site regardless. Would that be because I am loading it last? Should I enclose the trackers within it? ie:

<txp:oui_if_cookie name="accept_cookies">
trackers
<txp:else />
<a rel="nofollow" href="?accept_cookies=yes">Accept</a>
</txp:oui_if_cookie>

for which case, gaggle spiders will have to accept their own cookies before they see that their code is there.

Wow impressive thing that. But as Jacob notes, there is not much of an explanation for each service. And no matter how I try, I don’t get that. Must be EU specific. And I’m definitively jealous :-)

You may be able to get it via the new Opera VPN.

That the page loads isn’t a problem (especially if leaner). If all those services are included (with their cookies) despite having been declined, then they’re blatant ignoring the user’s settings.

I have to admit that I did not bother checking.

I’m sure you saw that post somewhere about The Verge being much leaner and still surfable and readable if you don’t click “OK” (they don’t offer a decline and make their notice take up a third of the screen). If you have a “User CSS” plugin in your browser, you can simply display:none !important; the notice and surf quite happily with about half the page volume.

I saw that one, and it is an acceptable, if not ideal solution. Instead of a plugin, I normally use the solution described here.


Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github

Offline

#377 2018-06-02 15:54:25

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 3,388
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

colak wrote #312261:

I think that the safest way is to link to the individual policies as sites change them more often than not.

Yes, re linking to the other sites. It’s no use, of course, if your readers can’t read the language they’re in.

What I liked is the idea that you can opt in or out from individual providers rather than just accept cookies from all.

Maybe, but it’s a lot of work to realise and a bit daunting for the visitor. To me it looks like having to read the ten commandments before you eat a piece of chocolate!

I saw that one, and it is an acceptable, if not ideal solution. Instead of a plugin, I normally use the solution described here.

Yes, it’s the same idea but for Safari: User CSS (it’s what they call an extension). It’s good for those really obnoxious “we’ll freeze your view until you sign up with us” sites.

I did notice that oui_cookies does load the vimeo videos, twitter and fb feeds, in our site regardless. Would that be because I am loading it last? Should I enclose the trackers within it? ie:

The bit you linked to only affects the display of the cookie consent message. I must admit I hadn’t seen the method you used before (only just noticed it is from Nicolas’ help). Assuming you’re not showing cookie-dependent tracked content until a user consents, then, yes, you need to wrap any content that shouldn’t show or any code that shouldn’t be run in oui_if_cookie, e.g.

<txp:oui_if_cookie name="accept_cookies">
<!-- analytics code -->
</txp:oui_if_cookie>

or

<txp:oui_if_cookie name="accept_cookies">
<!-- embedded video -->
<txp:else />
<!-- alternative content, e.g. link to video -->
</txp:oui_if_cookie>

TXP Builders – finely-crafted code, design and txp

Offline

#378 2018-06-02 16:49:56

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,172
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

Another good reason for GDPR, it puts pressure on devs to do better.

Deleting users is hard


The text persuades, the *notes prove。

Offline

#379 2018-06-02 17:04:55

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,172
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #312262:

Safari: User CSS (it’s what they call an extension). It’s good for those really obnoxious “we’ll freeze your view until you sign up

I might not have your context right, but I find just using the browsers Reader view clears that stuff out of the way. Whether that functions as a consent, I don’t know, but I block all cookies now anyway.


The text persuades, the *notes prove。

Offline

#380 2018-06-02 19:11:37

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 7,152
Website

Re: Txp cookies, visitor logging, and GDPR stuff in general

jakob wrote #312262:

Yes, re linking to the other sites. It’s no use, of course, if your readers can’t read the language they’re in.

I would, maybe naively, take it for granted that in most of our cases when we visit a site which we do not understand the language, we either close that tab or use an online page translator to get the gist of the article. In such cases, the cookie acceptance policies would just remain unclicked.

To me it looks like having to read the ten commandments before you eat a piece of chocolate!

What?!!! Are you insinuating that this is not a commonly exercised habit? :)

The bit you linked to only affects the display of the cookie consent message. I must admit I hadn’t seen the method you used before (only just noticed it is from Nicolas’ help). Assuming you’re not showing cookie-dependent tracked content until a user consents, then, yes, you need to wrap any content that shouldn’t show or any code that shouldn’t be run in oui_if_cookie, e.g.

Thanks!!! I actually did have it wrong!!!!


Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github

Offline

Board footer

Powered by FluxBB