Allowing users to disable certain kinds fo cookie (e.g. marketing, analytics) — how? Free plugin, paid service?

[DrQuincy]

Hi,

I work for UK and EU clients.

I remember about five years ago when GDPR came in there was a panic due to the potential fines and the things people did ranged from nothing at all to extreme UX disasters where the first thing you saw was a huge popup giving the user the opportunity to break the site.

Since this is a legal area and I am not qualified to do so I do not give clients any advice in this area but will implement whatever kind of policy they decide on. To date many clients are happy to have a cookie notice that acts as a warning rather than manage specific cookies as it saves them disabling Google Analytics, paying for legal advice, etc.

A client has raised a concern that since 2019 we should have started giving users the option to disable different types of cookies and therefore the above approach does not meet this legal requirement. Anecdotally, many small sites either do nothing at all or have a cookie warning as above. It seems to be a minority of sites, generally bigger ones, that allow for full on cookie management (i.e. blocking of non-essential cookies) and therefore are likely in a small group that are fully compliant.

I've had a quick look today and am unsure on how to implement this. Am I right in saying there are two primary ways:

1. Use a paid third-party service that scans your site for scripts that uses cookies; this handles the popup and management for you
2. Use a jQuery/JS plugin that handles the interface but not the cookie blocking — you do this yourself

It also looks like there is a WordPress plugin for this that WP users can use. Do these work like option 2 above or can they actually scan your site? Are there any PW or JS plugins that I should be aware of that can help me out here?

I'm just after a bit of general advice from anyone who has PW sites and has implemented cookie management.

Thanks.

[netcarver]

PrivacyWire is one option that works for PW and allows you to categorise and manage cookie choices.

Also worth a look is cwsoft's new module (which I haven't tried) here: https://github.com/cwsoft/pwNoCookiesWithoutConsent

[cwsoft]

4 hours ago, netcarver said:

Also worth a look is cwsoft's new module (which I haven't tried) here: https://github.com/cwsoft/pwNoCookiesWithoutConsent

Guess DeQuincy is searching for something different than my module NoCoWoCo. My module just shows a consent box for enabling or disabling technical required Cookies e.g. used for booking form validation etc. and blocks the wire Cookie unless user gave consent. Also not really required for technical Cookies, my client wanted to have this feature just to be on the safe side .

So my module does not disable other cookies like Youtube, Google fonts etc. on users choice. Guess he is more after something similar to this project on Github https://github.com/orestbida/cookieconsent. Have used a similar solution for a plain HTML5 site with no CMS as backend. 

[teppo]

As a free solution for ProcessWire I would definitely recommend PrivacyWire. In my opinion it is the only viable solution at the moment.

When that's not an option or more automation is needed, we tend to use Cookiebot. It's a paid service (they do have a free tier for small scale and limited requirements), but there are a few things that can make it worth the cost:

• It scans the site (as you mentioned) automatically and creates a list/table of used cookies, as well as identifies any cases where cookies are set without prior consent. At least here in Finland a list of cookies used on a site — including whether they are first or third party cookies, what they are used for, and for how long they are stored — is required. While one can of course keep such a table up manually, well... let's just say that especially for large and media-rich sites it's a whole lot of work.
• It has an automatic block mode that at least tries to automatically prevent the browser from loading anything that can set cookies. With PrivacyWire (for an example) you'll have to modify the markup of embedded script tags, iframe elements, etc. in order to load them only after consent has been given.
• It automatically generates and stores per-user consent history. At least here in Finland that is a necessary thing — site owners must be able to produce proof that the user has indeed given consent to storing data, and a separate registry is a must (said proof has to be available even if the user has cleared their cookies, localstorage, etc.)
• With paid plans it is very customizable. For an example we use a modified version of generaxion/cookiebot-accessible-template, since many of our sites need to be accessible.

There are other services that do similar things, and I believe that some are cheaper than Cookiebot, but I have not had a chance or any need to properly dig into said other services.

I'm only familiar with official guidelines and legislation as it has been implemented here in Finland, and also IANAL. Even with GDPR the actual implementation (and how that implementation is interpreted by officials) can vary from country to country ?

[DrQuincy]

Thanks everyone for the useful replies. There's lots to go through, it's all very helpful thanks.

PrivacyWire looks very interesting and also easy to implement. I also like the look of https://github.com/orestbida/cookieconsent#how-to-blockmanage-scripts as it looks like you can accomplish the same thing independent of the platform (I have a lot of legacy sites that aren't PW). I think that will suit most smaller clients.

Cookiebot looks reasonably priced and seems to have all the features so I suspect my bigger clients may go or this.

Thanks everyone!

[jacmaes]

There’s also this really good tutorial on how to achieve a customizable cookie notice with plain JavaScript using the dialog element: 

https://www.thomasvantuycom.com/writing/simpler-cookie-notices/

[DrQuincy]

What's the general consensus for users with JavaScript disabled? Solutions are naturally JS-based and indeed most cookies would be set via JS and require JS to run. However, many scripts, such as Google Analytics, also give you an noscript image or iframe to install. How do you handle this? I presume they are still take people's IP and using it for tracking and therefore it's personal info under GDPR.

[teppo]

3 hours ago, DrQuincy said:

However, many scripts, such as Google Analytics, also give you an noscript image or iframe to install. How do you handle this? I presume they are still take people's IP and using it for tracking and therefore it's personal info under GDPR.

Only solution I can think of right now would be handling cookie check server-side, which in most cases is honestly waste of time and resources. My solution is to leave noscript versions out, and use JS similar to what PrivacyWire (and probably all other sensible tools) do: by default the script is disabled (e.g. has type="text/plain" or something along those lines) and only after consent has been given that gets swapped with actual type.

[DrQuincy]

Thanks, I'm inclined to agree.

I have being playing with cookieconsent this morning and it's really good.