Adventures in the GDPR dimension

by
published on

With the DSGVO / GDPR going live, there's a nice little mix of confusion, disinformation, panic and chaos going around. And I'm part of this pack of headless chickens running around aimlessly, protecting ourselves against the predators (of the lawyering profession) that surely are lurking in every dark corner now, waiting to pounce.

In reality, not a whole lot has probably changed, at least not for German sites. The difference is that now everyone is much more acutely aware of the situation and for some time may actually care what happens to their data.

For 908lab, which is no more than a simple collection of trivial websites, I really do see no reason why I should use any cookies at all. And I do not want to confuse the issue by showing a popup warning from those dangerous, dangerous cookies (containing such highly sensitive information as "9cbac8c7b638c101.1527185681.1.1527185725.1527185681") when I really don't need them.

Yes, I do like to see if anyone actually visited the site. Matomo (formerly Piwik) does offer this feature without the need for Cookies. Yes, the information will be limited (return visitors can not be identified easily), but I can live with that. Disabling cookies is simply a matter of adding _paq.push(['disableCookies']); to your tracking code.

<!-- Matomo -->
<script type='{{ gdprScriptBlocker "analytical"}}'>
var_paq=_paq|| [];
/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
_paq.push(["setDocumentTitle", document.domain+"/"+document.title]);
_paq.push(["setCookieDomain", "*.908lab.de"]);
_paq.push(['disableCookies']);
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);

(function() {
varu="https://tracker.908video.de/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', '7']);
vard=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
})();
</script>
<noscript><p><img src="https://tracker.908video.de/piwik.php?idsite=7&amp;rec=1" style="border:0;" alt="" /></p></noscript>
<!-- End Matomo Code -->

So, hooray, my site is cookie-free. Or is it?

Unfortunately, you're not out of the woods yet. Yes YOU don't store any cookies, but someone else might. There's Google or some Javascript you're importing at runtime, who can do whatever they want really. You can circumvent some of it by making sure to store everything locally (webfonts, scripts etc). There's however still the issue of embedded videos. Yes, again, you could host those yourself. But most people will use Youtube, Vimeo etc. for their hosting. For Youtube there is a way to embed videos via https://www.youtube-nocookie.com/embed/YOUTUBE-VIDEO-ID, but I'm not aware of anything similar for Vimeo. And again, you never know whether this changes on their end without them telling you.

So where does this leave us? I have no cookies, but have to warn my users that there may be some anyway. I don't know what they are, I have precious little influence on what they do, I can't list them or give any good information. So I guess, the only safe way is to stop using any third party service at all, until there is some clarity?

This is of course an overreaction. But then again, German "Abmahnanwälte" are notorious for their ingenuity in finding loopholes to make your life miserable.

Which leaves us with the stupid cookie warning after all.

PS: that dreaded Cookie in the picture, btw., is from our project for Prinzenrolle. Go check it out!