The third party block list

How Complianz blocks cookies from third parties

Rogier

Rogier

Senior Developer

Categories

Most Popular Articles

Subscribe to our newsletter

    For EU Subscribers | Privacy Statement
    For USA Subcribers | Privacy Statement

  • This field is for validation purposes and should be left unchanged.

There are a lot of plugins out there which offer a cookie banner. All of them offer some kind of customisation for the look and feel, or the message, or the type of dismissal you can use. So in what way is the Complianz Privacy Suite different from other plugins?

One answer to that is the included set of legal documents, which are custom generated based on the answers you provide in the wizard, and the scan of the site for cookies and third party services. But another, major part of the plugin is the cookie blocker.

What is a cookie blocker?

One of the challenges for a developer in a WordPress site is that when you write a plugin, you never know what other plugins are loaded, and you can’t control what these do. What if these plugins add a Facebook feed? If you load a Facebook widget, Youtube video, Google ReCaptcha V3, or any other third party service that relies on user tracking to make a living, you can be sure this service places a cookie in the browser of your visitors. As I see it there is one foolproof method to prevent those services from placing cookies: prevent this service from loading. To do this we remove the source of an iframe, and we change the javascript from text/javascript to text/plain. This way the scripts won’t be executed. When the user consents by clicking the accept button in the cookie warning, a small script runs to enable these scripts, and Youtube, Facebook, Google Recaptcha are all loaded.

The disadvantage of this approach is that we need to have all third parties in our block list. Of course you can add your own to the block list, in the script center from the Complianz Plugin, but if you report any missing third parties to us we’ll add it to the community block list.

Which cookies and services are currently blocked?

Scripts:

'google.com/recaptcha',
'fonts.googleapis.com',
'platform.twitter.com',
'apis.google.com/js/plusone.js',
'apis.google.com/js/platform.js',
'connect.facebook.net',
'platform.linkedin.com',
'assets.pinterest.com',
'www.youtube.com/iframe_api',
'www.google-analytics.com/analytics.js',
'google-analytics.com/ga.js',
'new google.maps.',
'static.hotjar.com',
'dataset.sumoSiteId',
'_getTracker',
'disqus.com',
'addthis.com',
'sharethis.com',
'adsbygoogle',
'cdn.livechatinc.com/tracking.js',
'googleads.g.doubleclick.net',
'advads_tracking_ads',
'advanced_ads',
'googletagmanager.com/gtag/js',
'instawidget.net/js/instawidget.js',
'videopress.com/videopress-iframe.js',
'plugins/instagram-feed/js/sb-instagram.min.js',

Iframes:

   'googleads',
   'doubleclick',
   'youtube.com',
   'youtube-nocookie.com',
   'youtu.be',
   'platform.twitter.com',
   'facebook.com/plugins',
   'apis.google.com',
   'www.google.com/maps/embed',
   'player.vimeo.com',
   'disqus.com',
   'platform.twitter.com/widgets.js',
   'dailymotion.com/embed/video/',
   'videopress.com/embed',

This list will get updated on a regular basis.

There are still cookies placed on my own domain. Is this a problem?

Probably not. If you are in doubt, please contact us and we’ll check for you. As a general rule you can say that functional cookies can be placed without consent. A functional cookie is a cookie which is not used to track users, but purely to enable the website to function properly. This still leaves a grey area. In the ePrivacy draft as currently published, the following is stated:

“Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website.”

A functional cookie then, might be defined as a cookie which results in “no, or only very limited, intrusion of privacy”. When no data is exchanged with third parties, no user data is tracked, and/or exchanged with third parties, we’ll consider the cookie as being functional.

Based on this, we can deduce that the vast majority of the cookies which a WordPress website place itself, will be a functional cookie: as a rule these cookies will be placed on the website’s own domain, and can only be read by the website itself, no data is shared with third parties.

There might be exceptions to this rule of course, but this will be a plugin that tracks user data in an agressive way for your (the website owner) benefit, without being strictly necessary for the website’s functioning. You’ll know, or should know about this. I can’t think of a plugin that places cookies in this category, but such exceptions can be handled in our script center of course.

In most cases, we can consider the cookies as placed on our own domain by your website’s WordPress plugins as being functional. Some questions about this might arise:

  • How about Google Analytics?
    If you configure it correctly, no consent is necessary. If not, Complianz will block Analytics properly.
  • Contact Form 7 is a WordPress plugin, but places Google Recaptcha cookies. These are not functional right?
    Google recaptcha is a third party service, which will be blocked accordingly
  • I have a WordPress plugin which adds a Facebook feed. Will this be considered functional?
    No: the facebook widget will still load stuff through facebook.com, which will trigger the cookie blocker. Consent needs to be given first.
  • I have a plugin, which tracks users without any necessity for the website’s functioning. What should I do?
    The script which adds this cookie can be added to the script center, or the plugin needs to be adjusted slightly so it will place only cookies when consent is given. Contact us if you need any assistance with this.

If you know of a WordPress plugin which places first party cookies on our your own domain, please share this with us in the comments!

How do I know if cookies are blocked?

In the Chrome browser this is very easy to see. First, make sure the cookie banner from Complianz is set to “denied”. Then click on the lock in the browser address bar, click on “cookies” and remove everything which is not on your own domain. Now refresh the page. Because you have revoked consent, all cookies should be blocked.

If you click on the lock again, open “cookies”, then you will see which cookies the site was able to load. If all has been configured properly, you will only see cookies on your own domain, for example from the Complianz plugin, tracking if consent has been given or not. But not from third party services like Facebook etc.

Click on the lock the get the cookie options:

Open the cookies menu to show the placed cookies, and remove them.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.

© Copyright - Complianz 2019
×

Complianz Privacy Suite 3.1 is live!

See our new features and available documentation. Read more