
Blocking cookies from third party services: how Complianz blocks cookies

This article is from 2019 and might be outdated.

There are a lot of plugins out there that offer a cookie banner. They all offer some customisation for the look and feel of the message or the type of dismissal you can use. So in what way is the Complianz Privacy Suite different from other plugins?

One answer is the included set of legal documents, which are custom generated based on the answers you provide in the wizard, and the site scan for cookies and third party services. But another major part of the plugin is the cookie blocker.

What is a cookie blocker?

One of the challenges for a developer on a WordPress site is that when you write a plugin, you never know which other plugins are loaded, and you can’t control what they do. What if these plugins add a Facebook feed? Suppose you load a Facebook widget, a YouTube video, Google reCAPTCHA v3, or any other third-party service that relies on user tracking to make a living. In that case, you can be sure this service places a cookie in your visitors’ browser. As I see it, there is one foolproof method to prevent those services from placing cookies: prevent the service from loading. To do this, we remove the source of an iframe, and we change the script type from text/javascript to text/plain. This way, the scripts won’t be executed. When the user consents by clicking the accept button in the cookie warning, a small script runs to enable these scripts, and YouTube, Facebook and Google reCAPTCHA are all loaded.

The disadvantage of this approach is that we need to have all third parties on our block list. Of course, you can add your own to the block list in the script center of the Complianz plugin, and if you report any missing third parties to us, we’ll add them to the community block list.
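The blocking and re-enabling steps described above, as an added example that is not Complianz's own code: it rewrites an HTML string using a subset of the block lists on this page, and the sample page includes one tracker that is not on the list to show the disadvantage just mentioned. The `data-blocked-type` and `data-blocked-src` attribute names, the function names and the sample markup are assumptions made for the illustration.

```javascript
// Added illustration. Patterns are a subset of the block lists on this page.
const BLOCKED_SCRIPTS = ['google.com/recaptcha', 'connect.facebook.net', 'adsbygoogle', '_getTracker'];
const BLOCKED_IFRAMES = ['youtube.com', 'player.vimeo.com', 'facebook.com/plugins'];
// Hypothetical marker attributes that remember the original state.
const TYPE_MARK = 'data-blocked-type';
const SRC_MARK = 'data-blocked-src';

const matches = (text, patterns) => patterns.some((p) => text.includes(p));

// Server-side step: neutralise listed scripts and iframes before the page is sent.
function blockMarkup(html) {
  // Match on attributes AND body, so inline fragments such as 'adsbygoogle' are caught.
  const scriptsDone = html.replace(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi, (tag, attrs, body) => {
    if (!matches(attrs + body, BLOCKED_SCRIPTS)) return tag;
    const m = attrs.match(/\stype=(["'])(.*?)\1/i);
    const original = m ? m[2] : 'text/javascript';
    const rest = m ? attrs.replace(m[0], () => '') : attrs;
    return `<script type="text/plain" ${TYPE_MARK}="${original}"${rest}>${body}</script>`;
  });
  // Iframes: park the URL in a data attribute so the browser has nothing to fetch.
  return scriptsDone.replace(/<iframe\b([^>]*)>/gi, (tag, attrs) => {
    const m = attrs.match(/\ssrc=(["'])(.*?)\1/i);
    if (!m || !matches(m[2], BLOCKED_IFRAMES)) return tag;
    return `<iframe${attrs.replace(m[0], () => ` ${SRC_MARK}="${m[2]}"`)}>`;
  });
}

// Consent step: restore the original type and src.
function enableMarkup(html) {
  return html
    .replace(new RegExp(`type="text/plain" ${TYPE_MARK}="([^"]*)"`, 'g'), 'type="$1"')
    .replace(new RegExp(`${SRC_MARK}=`, 'g'), 'src=');
}

// Constructed sample page: two listed services, one local script, one embed, one unlisted tracker.
const SAMPLE = [
  '<script src="https://connect.facebook.net/en_US/sdk.js"></script>',
  '<script>(adsbygoogle = window.adsbygoogle || []).push({});</script>',
  '<script src="/wp-includes/js/jquery/jquery.min.js"></script>',
  '<iframe width="560" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>',
  '<script src="https://tracker.example/t.js"></script>',
].join('\n');

console.log(blockMarkup(SAMPLE));
```

In a live browser, changing the type attribute of a script element that is already in the page does not by itself run it, so a consent script typically replaces the element with a fresh copy rather than editing it in place.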

Which cookies and services are currently blocked?

Scripts:

'google.com/recaptcha',
'fonts.googleapis.com',
'platform.twitter.com',
'apis.google.com/js/plusone.js',
'apis.google.com/js/platform.js',
'connect.facebook.net',
'platform.linkedin.com',
'assets.pinterest.com',
'www.youtube.com/iframe_api',
'www.google-analytics.com/analytics.js',
'google-analytics.com/ga.js',
'new google.maps.',
'static.hotjar.com',
'dataset.sumoSiteId',
'_getTracker',
'disqus.com',
'addthis.com',
'sharethis.com',
'adsbygoogle',
'cdn.livechatinc.com/tracking.js',
'googleads.g.doubleclick.net',
'advads_tracking_ads',
'advanced_ads',
'googletagmanager.com/gtag/js',
'instawidget.net/js/instawidget.js',
'videopress.com/videopress-iframe.js',
'plugins/instagram-feed/js/sb-instagram.min.js',

iFrames:

'googleads',
'doubleclick',
'youtube.com',
'youtube-nocookie.com',
'youtu.be',
'platform.twitter.com',
'facebook.com/plugins',
'apis.google.com',
'www.google.com/maps/embed',
'player.vimeo.com',
'disqus.com',
'platform.twitter.com/widgets.js',
'dailymotion.com/embed/video/',
'videopress.com/embed',

This list will get updated regularly.

There are still cookies placed on my domain. Is this a problem?

Probably not. If you are in doubt, don’t hesitate to contact us, and we’ll check for you. As a general rule, you can say that functional cookies can be placed without consent. A functional cookie is a cookie that is not used to track users but purely to enable the website to function correctly. This still leaves a grey area. In the ePrivacy draft as currently published, the following is stated:

“Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment or to access information stored in terminal equipment should be limited to situations that involve no, or only very limited, intrusion of privacy. For instance, consent should not be requested for authorizing the technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service explicitly requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages. Cookies can also be a legitimate and useful tool, for example, in measuring web traffic to a website.”

A functional cookie might then be defined as a cookie that results in “no, or only minimal, privacy intrusion”. When no user data is tracked and/or exchanged with third parties, we’ll consider the cookie to be functional.

Based on this, we can deduce that the vast majority of the cookies that a WordPress website places itself will be functional cookies: as a rule, these cookies will be placed on the website’s own domain and can only be read by the website itself, and no data is shared with third parties.

There might be exceptions to this rule, of course, but such an exception will be a plugin that aggressively tracks user data for your (the website owner’s) benefit without being strictly necessary for the website’s functioning. You’ll know or should know about this. I can’t think of a plugin that places cookies in this category, but such exceptions can be handled in our script center, of course.

In most cases, we can consider the cookies placed on your domain by your website’s WordPress plugins as functional. Some questions about this might arise:

  • How about Google Analytics?
    If you configure it correctly, no consent is necessary. If not, Complianz will block Analytics properly.
  • Contact Form 7 is a WordPress plugin but places Google reCAPTCHA cookies. These are not functional, right?
    Google reCAPTCHA is a third-party service, which will be blocked accordingly.
  • I have a WordPress plugin that adds a Facebook feed. Will this be considered functional?
    No: the Facebook widget will still load content through facebook.com, which will trigger the cookie blocker. Consent needs to be given first.
  • I have a plugin, which tracks users without any necessity for the website’s functioning. What should I do?
    The script that adds this cookie can be added to the script center, or the plugin needs to be adjusted slightly to place only cookies when consent is given. Contact us if you need any assistance with this.

If you know of a WordPress plugin that places first-party cookies on your domain, please share this with us in the comments!

How do I know if cookies are blocked?

In the Chrome browser, this is very easy to see. First, make sure the cookie banner from Complianz is set to “denied”. Then click on the lock in the browser address bar, click on “cookies”, and remove everything that is not on your domain. Now refresh the page. Because you have revoked consent, all cookies should be blocked.

If you click on the lock again and open “cookies”, you will see which cookies the site could load. If all has been configured correctly, you will only see cookies on your domain, for example, from the Complianz plugin, tracking if consent has been given or not, but none from third-party services like Facebook.

Click on the lock to get the cookie options:

Open the cookies menu to show the placed cookies and remove them.
