Cookie Laws, Privacy, Do Not Track

Updated 14-Sep-2023

> Google's EU user consent policy > > When using Google products that incorporate this policy, certain disclosures must be given to and consents obtained from end users in the European Union where EU data protection law requires such disclosures and consents. > > For end users in the European Union: > > You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and > > You must use commercially reasonable efforts to ensure that an end user is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the end user's device where such activity occurs in connection with a product to which this policy applies.

Various Cookies and their Flavors

There are several privacy concerns that fall under the header of cookies, though actually cookies are not so much the issue as javascript. In any case, there are a variety of cookies for a variety of reasons and uses:

  • Session cookies, used for personalization, login, or simply making sure the site is functional
  • Analytics tracking cookies come under a few kinds,
    • The first is basic website usage, such as traffic sources, geographic locations, time-on-site, etc.
    • The second is remarketing, or behavioral targeting, which is generally considered more invasive, and effectively allows the use of information gathered on one site, on other sites (this is what the EFF considers to be a violation of Do Not Track).
    • The third can actually do things such as identify users (as unique users), such as tying website use to individual hardware devices, or combining with offline data to identify specific people
  • Third party cookies are of two kinds, one is for remarketing (the second kind of analytics) and the second kind (which can be the same cookie) is actually used to share data with third parties, either completely or in aggregate. These include Adwords (Google), Bing (Microsoft), and Facebook cookies.

The degree to which privacy can be invaded is part technology and part legal agreement (generally with third parties). For all third-party advertisers, to the extent that we can, we do not allow Bing, Facebook or Google to use cookie data (anonymized or not). It is not required and unless you are a large company, does not provide much value. Also, it is important to be clear that there should be no attempt to merge offline with online information, try and identify hardware devices, or even do user-level tracking, which seems the most obvious first hurdle when it comes to preserving privacy. Finally, it is important not to try and triangulate for precise locations, which an alarming number of websites and apps try and do, and instead only using IP addresses for general geographic information.

Don't Procrastinate -- Panic Today

The latest General Data Protection Regulation (GDPR), i.e., Regulation (EU) 2016/679 became law on 27 April 2016, but will not come into force until 25 April 2018. This is known as the EU Cookie Law and supersedes previous laws on the topic.

It is true that there are more strict requirements when that happens, which means ability to opt out of cookies (at any time), as well as actually a requirement that people opt-in (though again, the need to be able to opt out at any time in the future).

In addition, sites need to respond to browser settings for Do Not Track. The latest draft for Do Not Track is still a bit unclear on what exactly not tracking entails (everything including single site analytics, or does it just refer to third-parties?). One thing is that Do Not Track as implemented in the browser can be unset, or set as allow or not allow, and the information is contained in the HTTP header upon browser requests. See also the Firefox browser Do Not Track feature, and an earlier Lifehacker Article on where to enable Do Not Track.

There is also a limited right to erasure aka the right to be forgotten that will require compliance. Erasure may include not only cookies, but things like email addresses and other identifying information.

United Kingdom PECR and DPA Cookies

For the UK, there are the Privacy and Electronic Communications Regulations (PECR) along with the Data Protection Act. A cookie banner (basically the same as in the EU) is required in the UK and possessions. As with both the EU and the UK, at least for now, regular transactional cookies are fine (e.g., WordPress and WooCommerce user and session cookies), but anything with analytics or marketing need to be declared, and a banner needs to be displayed, with a notice that use is consent.

The Dutch Cookie

The ePrivacy Directive (2009/136/EC) is an opt-in system which is fairly strong (at least as much as the coming 2018 EU GDPR). On 11 March 2015 a revised cookie recipe came into effect, but that still contains a strong opt-in requirement for marketing cookies (not transactional, and not analytic).

This current law is the basis of which significant fines are already being assessed by those found in violation. As such, it should be the focus of designing a system which will thread the needle of current and future cookie requirements.

The Italian Cookie

Akin to the Dutch ePrivacy Directive, on 02 June 2015 Italian law no. 229/201 entered into force. This requires explicit consent from visitors for any cookies beyond those for the functioning of the website (that is, third-party marketing cookies).

It appears that there is still broad disagreement as to whether a simple Analytics cookie is acceptable or not (without explicit consent), though my guess is that explicit consent is not needed, as long as the Analytics is not used for behavioral marketing (on a third party site, e.g., Marketing extension to the Analytics cookie, used for creating groups).

The Right of Erasure aka The Right to be Forgotten

The right of erasure, aka the right to be forgotten, which is a purge of all private data regarding a person, is already something that people and governments want and will eventually have and exercise. This is beyond the scope of a simple cookie, browser header and tracker script tool. However, as a setting on a privacy page, this will likely become required. Adding this as a simple email form (and having a double-opt-out mechanism through email) would not be much additional effort, though of course verification of identity will be important in these cases.

EU-US Privacy Shield

There is new (mid 2016) legislation called the EU-U.S. Privacy Shield. The previous agreements were considered invalid.

Essentially, organizations which are subject to review by one of a few US government agencies can self-declare being under the privacy shield, and they must then follow certain rules with regard to informed notification and consent as well as data handling requirements. These are generally good rules to follow in any case, though anyone who is not a US-based organization cannot be considered as operating under the shield (as there is no audit provision for them).

California Privacy Statement

In 2014, California released a set of requirements regarding privacy statements (pdf) that are required by law to operate in California. It is fairly general, but also requires a statement about Do Not Track, and how the site responds to a Do Not Track signal from the browser.

Does or Will Google Penalize Non Compliant Sites?

This of course is unclear, though nothing has been explicitly stated. What we do know is that Google has required users of its site advertising platforms (AdSense, DoubleClick) to comply with cookie laws. This mitigates Google's risk. There is no evidence Google is attempting to mitigate other's risk by penalizing their Search Engine Results ranking. However, this may indeed happen in the future. I don't see why not.

Updates to Privacy Policies and Use Agreements with Third Party Advertisers

Privacy policies should get a hard look, and the additional information here should be included in some useful, effective, and concise way. If one wants to target on Adwords, Adsense, Bing, or Facebook, everyone who visited the website in the past up to 90 days, then this is behavioral targeting and requires informed consent (which is either in the fine print of a site's privacy policy, a banner notification, or actually requiring opt-in).

Additional information that could be included would be links to various resource sites, such as:

Cookie Law WordPress Plugins

There are many cookie law plugins for wordpress. However, none of them have a few different aspects which would make them both compliant and parsimonious with current laws. By compliant I mean that they would actually provide opt-in-only and anytime-preference-switching functionality. By parsimonious I mean that the law would be followed in every jurisdiction, but not present in those jurisdictions without specific laws.

Cookie Notice Plugin Implementation

The Cookie Notice is a fairly functional and popular (300,000+ installs) WordPress plugin. It easily handles the cookie notice, the ability to dismiss this notice (and easy-to-set duration for dismissal, the ability to provide a link to a privacy policy, and a way of placing code that will only work if the notice has been dismissed. There is more discussion of the detail below, but the main points are:

  • Create a Custom Trigger in Google Tag Manager and configure any special cookies to use that trigger
  • Install Cookie Notice plugin and set the custom trigger to fire on cookie banner dismissal (agreement)

Iubenda Javascript Product

Iubenda (strange name) is the only comprehensive solution for all the functionality needed. They also have a tool to build a privacy policy based on what kind of third-party cookies are used. Nice, but a bit pricey ($9 USD/mo. per site) as the free version does not support adsense, adwords, facebook, or bing cookies. Aelia is a site that uses Iubenda. Notice that the privacy policy is a link to the Iubenda site, which I consider to be a craptastic, weasley way of getting links.

Cookie Law Variables

At current glance, it appears that there are just a few variables:

  • Banners with cookie use announcement may or may not need to be displayed (jurisdiction via GeoIP)
    • If a banner needs to be displayed, it can be dismissed permanently or for a period of time (cookie preference)
  • Non-session cookies may need to be opted-into (cookie preference)
  • Once opted-into and once banner-dismissal, both should be able to be changed as a preference at any time

Note that, treating all visitors with the the highest level of privacy and control is a simpler use case, in which case:

  • Display a banner by default
  • Allow said banner to be dismissed
  • Allow said banner dismissal to be undo-able (this is already possible by deleting local cookies)
  • Default cookie use is analytics and sessions OK, third party requires explicit permission
  • Have a simple form on the website policies page which allows for reading and setting:
    • Display cookies banner (check box)
    • Do Not Track (check box)

An even simpler approach would be to accept DNT:1 for everyone, all the time. That is, disable all third-party cookies (either with the exception of Google Analytics or other analytics providers, or completely). If so, then for sure read the browser/form for DNT:1 and assume DNT:null

Do Not Track Variables

In addition to the Cookie Law, the browser-based signal for do-not-track is also a setting that needs to be checked at session start, and again, it should be able to be changed as a preference. There are three settings: not set (null), tracking-ok, do-not-track.

Cookie Law / Do Not Track Pseudocode

// Check for privacy preference cookie (PPC)
If PPC not exists
    // Check do-not-track setting in browser, create initial settings from these
    If header has *Do Not Track* DNT:0, set DNT:0 in session cookie
    If header has *Do Not Track* DNT:1, set DNT:1 in session cookie
    // Set country defaults (override DNT as browser may not be configurable)
    // This ensures more conservative setting, until explicit preference given
    Determine country via GeoIP
        If country requires a banner
            Set *Display Cookie Banner* DCB:1 in session cookie
        If country requires tracking opt-in
            Set *Do Not Track* DNT:1 in session cookie
            // we assume that DNT:0 is not explicit per-site tracking preference
            // alternatively we can assume display cookie banner for all visitors
Else load settings from preference cookie to session cookie
    If DCB = 0,1
        Set session cookie DCB:0,1
    If DNT = 0,1
        Set session cookie DNT:0,1
// Check for Cookie Banner setting
    If session cookie has DCB:1
        display the cookie banner
    If session cookie does contain DNT:1
        run Google Tag Manager code
// Allow user to change settings at any time by following *privacy settings* link
    // Load preferences and display them
    // Display Cookie Banner = No Preference (country defaults), Display, Hide
    // Do Not Track = No Preference (country defaults, browser preference), Tracking OK, Do Not Track
    // Display the browser preference and link to change settings

Google Tag Manager and Obeying Preferences

With Google Tag Manager, one can create a trigger which would be a requirement for firing a given script. Normally, each script (for example, Google Analytics, Bing Universal Tag, and/or Facebook Pixel) will fire once on every page. However, if it is instead set to fire on a datalayer.push event.

There are likely several ways of doing this, but the following seems to work. Because there are two possible do not track interpretations -- that of analytics whatsoever, and that of no third-party analytics -- we need two new triggers in Google Tag Manager, and the writing of a custom push event of one of two values. While I've seen code out there that has these custom push events before the main GTM script, I could not get that work. No worries, the code needed to write out the final script in the footer will be sufficient.

The Triggers are custom events with a trigger name, an event name, and conditions:

  • Trigger Name: Fire_ThirdParty
  • Event Name: alpha_track_consent
  • Condition: alpha_track contains thirdparty
  • Trigger Name: Fire_Analytics
  • Event Name: alpha_track_consent
  • Condition: alpha_track contains analytics

After creating these triggers, replace the All Pages trigger on any analytics and third party trackers. Then add the following script to add after the standard GTM script:

window.dataLayer = window.dataLayer || [];
'alpha_track' : 'thirdparty_analytics',
'event' : 'alpha_track_consent'

Simo Ahava's blog post was helpful with this, as it generally is with GTM.

WordPress Plugin Pseudocode

We are still at the design phase, but basically the WordPress Plugin needs a few functions:

  • Have an admin page that includes the following functionality:
    • Override country requirements (globally or per country),
    • Set the banner, label, button, and description text (globally or per language),
    • Set the url for the privacy page (globally or per language),
  • Have a shortcode for the privacy settings
  • Have a widget for the banner
  • Check cookie and header info as above to determine preference, browser, and country settings
  • When footer is called, write out alpha_track variable based on conditions (analytics_ok, thirdparty_ok, or null)