There has been a lot of useful advice on the forum about how to warn users about cookies and get their consent to cookie usage. However, I haven’t seen any mention of what cookies a standard Blocs project** will actually generate. Frustratingly, I can see in Safari that my website is leaving cookies but I can’t see what they are.
Does anyone know what cookies are generated? Can I safely claim that my website will not track users (I have no analytics code included) or retain their data?
**
That is, a project that does not use any third-party add-ons or raw HTML, JS etc, only the features that ship in the Blocs app (including its bundled libraries like Breakpoint).
Are you adding anything particular to your Blocs sites? I’ve just checked a couple different sites of mine done with Blocs and found nothing to worry about. One included the _cfduid cookie set separately by CloudFlare as as a security measure.
Another site that isn’t on CloudFlare shows nothing but the cache recorded inside Safari and using an app called Cookie shows no tracking whatsoever. It looks like Blocs isn’t directly generating any cookies, but if you are connecting to Twitter or some other service it’s possible that changes things for you.
@Flashman: Thanks. I was interested in the answer to the general question too since it seems important to know what might be left in order to make an accurate (indeed, truthful) statement to the user.
Anyway, for my current Blocs project:
No embedded HTML etc, no external services, does include links to both Facebook and Survey Monkey (but only my links to them), nowhere for the user to enter any data beyond clicking buttons and menu items. A simple, plain-vanilla Blocs site.
I seem to get an entry in Safari’s ‘Manage Website Data’ window as soon as I open any page on the site. Unfortunately, Safari only says “Cache, Cookies” which might be a generic description for one or the other (or anything at all left on the machine).
If you have Chrome installed I would have a look at the extension store and search for something like attacat cookie audit that will show what is on your website. From there you can write a statement.
I actually think large parts of GDPR will follow the same route as the Cookie law once they realise it’s impossible to police hundreds of millions of websites. Do they seriously think millions of people will stop embedding YouTube videos, Google maps or connecting to Facebook etc?
The information commissioner’s own website gave up on the Cookie law in 2013 and moved to a position of presumed consent. After all, if you don’t consent to the use of cookies on your browser you have the ability to block them directly in your settings.
Thanks to @Flashman and @pauland for the thoughts. I will look at a browser extension.
I agree with the sentiments on Cookie regulations: someone misunderstood the fundamental problem and shot the messenger, as it were.
The wider aspects of GDPR are looking a lot like Health & Safety to me: people are doing far more than the legislation intends because they don’t understand it so err on the safe side (no pun intended). As an example, we had a comment that we shouldn’t be sending to someone’s E-Mail address, they had given us, without their written permission. The rules actually say that you can assume a ‘legitimate interest’, so need take no explicit action, if “you use people’s data in ways they would reasonably expect” - that’s a common-sense rule and I don’t think many people gave us their addresses expecting that we would never mail to them.
The same rule would seem to demand permission before selling on people’s data, that sounds right to me.