mki

GDPR WordPress Solution


I'm working on a GDPR/EU Cookie Law WordPress solution at this moment based upon my previous attempt to come up with one.

It uses a bunch of plugins and some extra code to 99.999% comply with the EU cookie laws and the GDPR.

Page caching + GeoIP + cookie consent + creation of additional JS variables to either control code/tags that utilize cookies or to pass to the data layer to control the cookies in GTM.

EU users will not get a single cookie until they press accept and it's very flexible. You can disable ads or whatever you want by wrapping a single conditional statement around whatever code you want.

After they hit accept they get a single session type cookie which is allowed under the GDPR/Cookie Laws and it will remember that they accepted.

I just wanted to know if anybody was interested before I post it.


Guest
1 hour ago, mki said:

I'm working on a GDPR/EU Cookie Law WordPress solution at this moment based upon my previous attempt to come up with one.

It uses a bunch of plugins and some extra code to 99.999% comply with the EU cookie laws and the GDPR.

Page caching + GeoIP + cookie consent + creation of additional JS variables to either control code/tags that utilize cookies or to pass to the data layer to control the cookies in GTM.

EU users will not get a single cookie until they press accept and it's very flexible. You can disable ads or whatever you want by wrapping a single conditional statement around whatever code you want.

After they hit accept they get a single session type cookie which is allowed under the GDPR/Cookie Laws and it will remember that they accepted.

I just wanted to know if anybody was interested before I post it.

Because this is a legal issue, I have to ask the hard question - when you say it's 99.999% complying with EU cookie laws and the GDPR, who made that determination?

4 hours ago, BIG Mike said:

Because this is a legal issue, I have to ask the hard question - when you say it's 99.999% complying with EU cookie laws and the GDPR, who made that determination?

It depends how you implement it and since I'm not a lawyer I'm not going to say it's 100% compliant.

The EU users won't get cookies unless they accept them and if you implement it correctly*, your site itself will not collect any data from EU users unless they submit it.

If you use Google Tag Manager, you can completely block GTM for EU users until they accept.

The only issue I can really think of, is if you are using plugins that drop tracking cookies and don't implement the JS code to block them.

What you do with that data after they submit it is up to you. If you are collecting email opt ins and you decide to break your own privacy policy and sell the list, well, I can't control somebody from doing that.

As far as the stuff that Wordpress doesn't handle, I obviously can't help anyone there.

It builds upon the solution I posted here:

https://spartanmarketingacademy.com/forums/topic/4443-anybody-using-cookie-concent-geoip-detect/

The issue is that if you use things like GTM or have ads on your site, your site will not be compliant in the EU, since the users are still getting the cookies, the only difference is that they're being notified of them.

It works right now I'm just trying to create the guide on how to do it and I'm working around issues like the need to modify plugins (done.)

Right now the only modification that needs to be done is to add 1 line of code to the cookie consent plugin JS to force a page reload after they press accept, which is optional. That's in case you want all of the privacy destroying stuff to fire immediately after they press accept. (Good idea IMHO.)

After reading the law myself (again I'm not a lawyer) I'm personally confident that just notifying the users of the tracking cookies does not comply, it's not like wording is hard to understand or something. So none of the current solutions that are public actually comply. I'm sure the massive corporations have custom proprietary solutions.

Last thing; this is a developer type solution. It's not a plugin where you click a button. I'm trying to think of the common things people do and provide code.

 

Guest

Instead of trying to isolate and focus on just EU users, why not make it a global solution? Things are heading in that direction anyways, and it overcomes the problems of EU users visiting through proxies. 

21 hours ago, BIG Mike said:

Instead of trying to isolate and focus on just EU users, why not make it a global solution? Things are heading in that direction anyways, and it overcomes the problems of EU users visiting through proxies. 

And go out of business? No thanks. It would be a better idea to do what about 50 million websites are doing right now and just break the law.

The solution is to remove any retargeting pixels (there goes half of my leads.)

Remove the Google analytics features that are invasive (the ones that are critical to identifying your audience demographics, so no more cheap Facebook campaigns.)

Can't use similar audiences...

Can't use remarketing lists (which I don't think you can either way if there's any EU users in the list, so they have to be geo tagged in your ESP. This wouldn't be hard to implement if your ESP has custom metafields. You can just create an input field called Continent, fill the field on page load with JS, then hide the input field in CSS. You can do the same thing to pass UTM tracking variables if you like. If your ESP doesn't support custom metafields, you can serialize the variables, then have JS populate the name field.)

Certainly can't do physical mail remarketing, not that I do, because it costs too much...

Can't use any advertising network as they all rape your privacy.

Having a non-compliant site breaks the Adwords ToS, so can't run ads there at all.

It probably violates the webmaster guidelines as well.

Or, I can operate exactly the same way I used to for 90% of business, by installing 4 plugins, and adding 100 lines of code to my site.

This is the global solution... If any country in the world decides they want to go the route of the EU, I can change settings in plugins to fix it and add 2 lines of code.

Note: I'm going to be putting the instructions for the solution on my personal blog, but I didn't create it for my personal blog. My current business is lead generation and 95% of my traffic is from paid advertising.

Big boxes disclosing privacy related information + asking for personal details + no ad tech = good luck...

That puts me back into the old-school adwords affiliate arbitrage days and I wasn't one of those guys that got rich off adwords back then...

And to be 100% honest about this, I've spent more time talking about it here than actually creating and implementing the solution.

I'm staying out of a political conversation and stating facts: I get that the EU is moving towards more user privacy, but that's not the case with the USA. The USA now has Data Exchange, it's new and it allows companies to buy the personal details of a person who visits their website. So, a US user visits a website, no personal details are provided other than cross domain cookie IDs, that data is exchanged with a database, and things like their home address, telephone number, and credit score can be purchased. Do I like the fact that it's legal? Uh, no. But I'm a marketer, it's my "job"...

20 minutes ago, yukon said:

I'm redirecting all EU traffic to Canada.

#not-my-problem

LMAO.

Isn't there a Google localization thing for that? Just send them to a page that 301s them back to Google :)

https://support.google.com/webmasters/answer/182192?hl=en

Pseudo code: Use the "not recommended by Google" URL parameters, check the end of the URL for the EU countries, and then print a 301 with mod_rewrite.

#WorstSolutionEVER

LMAO

:):):)

It's really not hard to comply man...

I'm fully compliant and actually collecting more data than I ever have before.

The funny part about this is, to properly comply, you actually have to collect more user data.

For the GDPR side of compliance, you just don't use the EU user data outside of what you clearly disclosed and don't store their data when you're done using it.

56 minutes ago, mki said:

It's really not hard to comply man...

I'm fully compliant and actually collecting more data than I ever have before.

The funny part about this is, to properly comply, you actually have to collect more user data.

For the GDPR side of compliance, you just don't use the EU user data outside of what you clearly disclosed and don't store their data when you're done using it.

 

Not happening. Not even a blip on my give a fuck radar.

 

30 minutes ago, yukon said:

Not happening. Not even a blip on my give a fuck radar.

Do you even do anything that would require being compliant?

If the only thing you do is use Google Analytics and you don't have the advanced Google Analytics stuff like demographics enabled, you don't actually have to do anything...

User session cookies are allowed, basic website analytics is allowed, all you have to do is anonymize the IPs in GA and edit your privacy policy...

https://www.en.advertisercommunity.com/t5/Google-Analytics-Code/IP-anonymization-in-Google-Tag-Manager/td-p/1688320

Unless you are a "marketer" who runs ads, there's really not anything to do...

If you don't collect or process user data then it doesn't apply...

Take the survey here:

https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/

If you answer question #2 as no legitimately, you don't have to worry.

If you have a blog, get traffic from SEO, and make money from affiliate links, you don't have to do anything because you're not collecting any data.

Personally, that's not how my current business works. It starts with user data collection and processing... User privacy is being impacted the entire time.

Ads->Landing Page->GTM drops-GA,RSLA,GDN,DSP(Via Sitescout),FB,TW,IG,LI,PI,Taboola, CRO, and Heat map Pixels->Collect Email->Process Data->Send Emails->Landing Pages->More Pixels

So that's 12 cookies plus the compliance cookie and I haven't implemented Outbrain yet, so there will be 14 and I will add more as time goes on.

Edit: Unless the Google cookies are somehow unified. I never looked into that or cared, but my GTM implementation has them all separated into their own tags.

9 minutes ago, mki said:

Do you even do anything that would require being compliant?

If the only thing you do is use Google Analytics and you don't have the advanced Google Analytics stuff like demographics enabled, you don't actually have to do anything...

User session cookies are allowed, basic website analytics is allowed, all you have to do is anonymize the IPs in GA and edit your privacy policy...

https://www.en.advertisercommunity.com/t5/Google-Analytics-Code/IP-anonymization-in-Google-Tag-Manager/td-p/1688320

Unless you are a "marketer" who runs ads, there's really not anything to do...

If you don't collect or process user data then it doesn't apply...

Take the survey here:

https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/

If you answer question #2 as no legitimately, you don't have to worry.

If you have a blog, get traffic from SEO, and make money from affiliate links, you don't have to do anything because you're not collecting any data.

Personally, that's not how my current business works. It starts with user data collection and processing... User privacy is being impacted the entire time.

Ads->Landing Page->GA,GDN,DSP,FB,TW,IG,LI,CRO and Heat map Pixels->Collect Email->Process Data->Send Emails->Landing Pages->More Pixels

 

Lol, I'm not taking a survey for some half baked foreign Gov. 

I hope Brexit spreads like wildfire.

 

6 minutes ago, yukon said:

Lol, I'm not taking a survey for some half baked foreign Gov. 

I hope Brexit spreads like wildfire.

Okay well I'm personally not going to leave 510+ million people on the table. Some of those countries have a lot of English speakers and the ad space isn't anywhere near as competitive as the US, which is the absolute most expensive.

I have an FB campaign where I tested it and thought "well damn that didn't work." I removed the US from the targeting list and the campaign became profitable.

Just saying. ¯\_(ツ)_/¯

2 hours ago, mki said:

Okay well I'm personally not going to leave 510+ million people on the table. Some of those countries have a lot of English speakers and the ad space isn't anywhere near as competitive as the US, which is the absolute most expensive.

I have an FB campaign where I tested it and thought "well damn that didn't work." I removed the US from the targeting list and the campaign became profitable.

Just saying. ¯\_(ツ)_/¯

 

 

I don't target EU SERPs so I'm not losing anything.

It's like saying I'm losing out on 1.4 billion people from China. No, I don't target China traffic. If they show up, fine, If not, it doesn't matter.

Facebook ads are lame, lol. Can't monetize US, now that's funny. What are you selling fake EU IDs?

39 minutes ago, yukon said:

I don't target EU SERPs so I'm not losing anything.

It's like saying I'm losing out on 1.4 billion people from China. No, I don't target China traffic. If they show up, fine, If not, it doesn't matter.

Facebook ads are lame, lol. Can't monetize US, now that's funny. What are you selling fake EU IDs?

I can monetize US traffic on FB... Just not that specific campaign.

It's an offer for online biz-op coaching delivered daily via email.

Obviously the information level of an average FB user is not super high, so this works.

The biggest issues I have are complying with all of the rules, which is why I made this thread. :)


I have verified that my solution is similar to the TrustArc solution in functionality (in the sense that it uses a session cookie to control the behavior and uses an IP lookup) so I'm fairly confident that it is indeed compliant. (Again, I'm not a lawyer, so I'm never going to say that it's 100% compliant.)

I believe that solution works around the page cache issue with a purely JS based solution involving a completely insane mess of JS code.

If you visit bloomberg.com on a US IP, there's no notification. If you visit it on an EU address, there's an extremely annoying box blocking the user from being able to interact with the site that forces consent. (I remember reading the law and I thought there was a part that said that you couldn't do that...)

Their site is dropping all kinds of cookies on me even without my consent that contain tracking id codes while on an EU IP and it is definitely detecting that I am on an EU IP.

I'm sure that solution cost an arm and a leg and I'm not sure if it actually complies.

None of the 'tick boxes' that I thought needed to be ticked to comply with law are ticked in my opinion.

After glancing at their code solely for the purpose of trying to understand the basics behind how it works:

LMAO. What a nightmare.

Guest

Given everything you've posted, my next question is, why are you killing yourself trying to come up with a solution on your own? The EU clearly doesn't have the infrastructure to go after every website that violates their legislation and even if they did, I doubt they'd even give you a second look. 

The EU in terms of the GDPR is focused on major corporations doing business with EU citizens, i.e., Facebook, Google, Microsoft, etc.

Remember their big announcement that you have to collect taxes (VAT) for EU customers? How did that work out? Big companies comply, while everyone else gives them the finger, LOL. 

 

2 hours ago, BIG Mike said:

Given everything you've posted, my next question is, why are you killing yourself trying to come up with a solution on your own? The EU clearly doesn't have the infrastructure to go after every website that violates their legislation and even if they did, I doubt they'd even give you a second look. 

The EU in terms of the GDPR is focused on major corporations doing business with EU citizens, i.e., Facebook, Google, Microsoft, etc.

Remember their big announcement that you have to collect taxes (VAT) for EU customers? How did that work out? Big companies comply, while everyone else gives them the finger, LOL.

PM sent.

I'm not really "killing myself." I was doing yard work all day.

I found out one of my plugins dropped cookies (SumoMe), so I modded it. It took about 5 minutes.

I spent 10x longer than that digging through stock photo sites looking for a funny picture of a cat.

Edit: Great I finally found a stock photo I like and it's a Shutterstock exclusive... FML

//original

  public function append_script_code() {
    $this->check_generate_site_id();

    $site_id = get_option('sumome_site_id');

    if ($site_id) {
      echo("<script async>(function(s,u,m,o,j,v){j=u.createElement(m);v=u.getElementsByTagName(m)[0];j.async=1;j.src=o;j.dataset.sumoSiteId='".esc_attr($site_id)."';j.dataset.sumoPlatform='".$this->dataSumoPlatform."';v.parentNode.insertBefore(j,v)})(window,document,'script','//load.sumo.com/');</script>");
    }
  }

//modded

  public function append_script_code() {
    $this->check_generate_site_id();

    $site_id = get_option('sumome_site_id');

    if ($site_id) {
      // Only inject the Sumo loader when the consent flag is true; reading it via window.* avoids a ReferenceError if the flag was never defined.
      echo("<script async>if(window.iCanHasCookies==true){(function(s,u,m,o,j,v){j=u.createElement(m);v=u.getElementsByTagName(m)[0];j.async=1;j.src=o;j.dataset.sumoSiteId='".esc_attr($site_id)."';j.dataset.sumoPlatform='".$this->dataSumoPlatform."';v.parentNode.insertBefore(j,v)})(window,document,'script','//load.sumo.com/');}</script>");
    }
  }
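
The modded snippet above depends on a consent flag being set before any tag runs. One way to derive that flag and gate tags on it, as an added example that is not part of the original post or the plugin's code: only `iCanHasCookies` comes from the thread, while the cookie name and value, `visitorIsEu`, and all function names are assumptions.

```javascript
// Added example. Only iCanHasCookies comes from the thread; every other name is hypothetical.
const CONSENT_COOKIE = 'cookie_consent'; // assumed name of the consent cookie
const CONSENT_VALUE = 'accepted';        // assumed value written when the visitor accepts

// Parse a document.cookie-style string into an object, tolerating bad encoding.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try { jar[name] = decodeURIComponent(raw); } catch (e) { jar[name] = raw; }
  }
  return jar;
}

// Fail closed: consent is required unless the GeoIP step explicitly reported
// a non-EU visitor, so a failed or missing lookup never enables tags.
function computeConsentFlag(isEuVisitor, cookieString) {
  if (isEuVisitor === false) return true;
  return parseCookies(cookieString)[CONSENT_COOKIE] === CONSENT_VALUE;
}

// Wrap each cookie-setting tag; loaders run only when the flag is strictly true.
function makeTagGate(flag) {
  const fired = [];
  return {
    run(name, loader) {
      if (flag !== true) return false;
      loader();
      fired.push(name);
      return true;
    },
    fired: () => fired.slice(),
  };
}

// Browser wiring (skipped outside a browser). window.visitorIsEu is an assumed
// per-request value from the GeoIP step, not something baked into cached HTML.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.iCanHasCookies = computeConsentFlag(window.visitorIsEu, document.cookie);
  const gate = makeTagGate(window.iCanHasCookies);
  gate.run('example-tag', () => { /* inject the third-party script here */ });
}
```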

 


Due to repeated bad feedback here, the 250 people I emailed about this, some Facebook group chats, and now I'm catching hate on Reddit too, this project is canceled. It was honestly canceled a long time ago, but some person trolling me on Reddit reminded me.

I've not gotten a single person, so far, to say they want this or even think it's a good idea.

There was a plan here where I would either develop this into a premium plugin, or train a person to install the solution and sell that as a service to people.

I'm going to keep using it for my personal projects but I just shoved all the content I created to explain this into a folder and backed it up.

The main thing is, I'm not a lawyer and for whatever reason people will not accept that the solution complies with the law.

The feedback is pretty much splitting about 80/20.

80% - Doesn't feel there's a need for the Geo IP component

20% - Doesn't think that the Geo IP component complies (This is obviously wrong, so that means you can't buy ads on any ad platform unless your landing page and site complies with the GDPR+EU Cookie Law.)

