Moved from Developer forum:

 

Due to the requirements of the regulatory authorities , it became necessary:

1. change the text displayed on the cookies banner. Where can I correct this text? (SOLVED)

2. Record in the logs clicking on the "Agree" button on the cookies banner. Is it being written to the log now and where can this log be viewed?

3. On mobile, the cookie banner disappears quickly when scrolling and does not appear anymore. Please fix it urgently. 

4.  is it possible to make it so that in order to view the content of the site it was necessary to click on consent to cookies? Now this is not necessary, and it is possible that a person has not expressed consent to cookies, but we still put them and this is a violation. Is it possible to demand consent, and not just notify about cookies?

 

The expression of consent to cookies in the form of clicking on a button must be recorded in the server logs and must be presented at the request of the supervisory authority. This is not my wish, it was demanded by the inspectors from state agencies. They regard failure to comply with this requirement as a violation of the law. If now it is fixed only on the user's side, and is not transmitted to the server, then we ask you to change it. This is a critical requirement, unfortunately.

 

I understand that it may be a guest. But the verifiers do not require binding to the user profile in this case. The requirement concerns the presence of an entry in the log, i.e., in theory, there is enough date/time and ip_address. Ideally, you can add a session id.

 

Please answer, will this be fixed in the near future or do I need to go to another software product to meet regulatory requirements? Unfortunately, the deadlines set by the regulatory authorities for correction are very limited.

Thanks

Near future?  Most likely not. It’s taken many months for new features to be considered, if accepted… developed and tested. 

You can look at having a 3rd party developer create this capability for you, but if you’re on a time crunch I would not bet on it having time to be done as a core feature. 

Thank you for your topic. I have provided responses to your questions below.

 

Quote

2. Record in the logs clicking on the "Agree" button on the cookies banner. Is it being written to the log now and where can this log be viewed?

There is no way in which to obtain a log for these at the present time. 

Quote

3. On mobile, the cookie banner disappears quickly when scrolling and does not appear anymore. Please fix it urgently.

Have you tested this on a default unaltered theme? If so, please let me know what browser and device you are testing with so I can take a look for you. That would be a bug rather than a feature request.

Quote

4.  is it possible to make it so that in order to view the content of the site it was necessary to click on consent to cookies? Now this is not necessary, and it is possible that a person has not expressed consent to cookies, but we still put them and this is a violation. Is it possible to demand consent, and not just notify about cookies?

This is not something that is possible at the present time with guests. You can do it if its only members who are going to view, as you can simply switch the site offline until people are logged in, and add this information to your privacy policy, forcing it to be accepted. 

Quote

 

The expression of consent to cookies in the form of clicking on a button must be recorded in the server logs and must be presented at the request of the supervisory authority. This is not my wish, it was demanded by the inspectors from state agencies. They regard failure to comply with this requirement as a violation of the law. If now it is fixed only on the user's side, and is not transmitted to the server, then we ask you to change it. This is a critical requirement, unfortunately.

I understand that it may be a guest. But the verifiers do not require binding to the user profile in this case. The requirement concerns the presence of an entry in the log, i.e., in theory, there is enough date/time and ip_address. Ideally, you can add a session id.

Please answer, will this be fixed in the near future or do I need to go to another software product to meet regulatory requirements? Unfortunately, the deadlines set by the regulatory authorities for correction are very limited.

 

While I understand your concern and wish for this to be added in the near future, we have to decide on whether to add features, spec them out fully, it then has to be designed on the front end, coded by developers, tested, added to beta versions, then released. We are unable to simply add features to the software very quickly, as it has to go through this process. Quite simply, development unfortunately takes time.

 

Marc, Thanks for Your answer.

Quote

There is no way in which to obtain a log for these at the present time. 

Is it possible to send a GET request to the specified server URL (for example, via ajax or js) when clicking on the button in the cookie banner? This would be enough, the fact of calling the specified URL can be recorded in the logs.

5 minutes ago, Marc Stridgen said:

Have you tested this on a default unaltered theme? If so, please let me know what browser and device you are testing with so I can take a look for you. That would be a bug rather than a feature request.

Yes, tested on default theme. Tested in Yandex browser for Android. Device Samsung Galaxy J6, Android 10.

Quote

This is not something that is possible at the present time with guests. You can do it if its only members who are going to view, as you can simply switch the site offline until people are logged in, and add this information to your privacy policy, forcing it to be accepted. 

Mark, I probably formulated it badly or it's a translation error. I mean, if possible, display a banner about cookies on a semi-transparent div layer at top layer with a size of 100%. This will block actions with the site at the interface level until consent to cookies is clicked.  Is it possible to make this, at least as optional function?

Or, maybe, You consult me where (in which files) I can add change it for myself? It will be faster.

Thanks.

Julia

 

 

@Marc Stridgen

Governmental agencies throughout the world are battling with how to protect their citizenry from bad actors near and far.  Some of the protections implemented will be well thought out and some will be unmitigated disasters.  Sites with minimal technical expertise and or sufficient funds to hire that expertise out will unfortunately find they won't be able to be compliant with various legal requirements.  These sites will be forced to close which will begin to impact your bottom line.

As much as your customer base would like IPS to dedicate your entire programming staff to adding ever cooler features there may be value in dedicating more of your staff's time figuring out what legal requirements we will likely find ourselves having to address and see if they can be programmatically dealt with.

There may be a time in the not-too-distant future where this platform won't be able to be used in certain locales as it simply won't be economically viable to alter it by IPS or a third-party developer to be in continuous legal compliance.  Can we as a community come together in partnership with IPS to minimize such occurrences. 

Every site that closes will diminish the overall value proposition of the internet so it's in our collective best interest to minimize these occurrences.

Edited February 18, 20223 yr by Chris Anderson

For requests like this, I would suggest to clearly state which country has such requirements, what the law is called and so on. It’s much better to judge the validity and the impact this way. 

The country is the Russian Federation. Law 152-FZ. The controlling organization is Roskomnadzor. The claim was made during a preventive inspection.

 

Hi.

Also from a European union standpoint I generally agree with Julia about the cookie consent process, and the urgency in which this legal requirement has to be addressed by the IPS.

I had this conversation with the support in September 2021 and was recommended to submit our issue here. It is hereby being done.

Since at this moment the IPB is not compliant with the cogent (non-optional) EU GDPR law applying to all countries within the union, everybody using this functionality AS IS towards European customers (also from outside the EU) are risking to go to court where heavy fines are at stake. Quoting the EU, two fine tiers are available: "Up to €10 million, or 2% annual global turnover – whichever is higher. Up to €20 million, or 4% annual global turnover – whichever is higher." 

A quote from my support conversations describing the GDPR issue:

(Quote)

But from a legal point of view I find the fact that IPB doesn't keep track of the user acceptance quite worrying. I know that Invision has worked hard to make the IPB EU GDPR and EU ePrivacy Directive compliant. But not storing the consent would make the IPB not fully GDPR compliant. Below is a quote from the relevant EU documentation: https://gdpr.eu/cookies/ ".

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

1. Receive users' consent before you use any cookies except strictly necessary cookies.
2. Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
3. Document and store consent received from users.
4. Allow users to access your service even if they refuse to allow the use of certain cookies
5. Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

" Bullet three is what directly affects the subject of tracking/storing consent. Bullet four overrules(!) our wish of stopping non-concenters to use the service, but without consent just strictly necessary cookies is allowed according to bullet one. So other cookies must then be inactivated by the PB . Are cookies inactivated by the IPB for non-concenters today? While we are at it, where in the IPB are the quite detailed information requirements of bullet two being met? I am sorry that I have to put you through these questions. But these are questions that we might get from our quite qualified target community group. We then need to be able to answer them. If it was up to us, GDPR would not have been as paranoid as it is.

(End quote)

We are neither builders of GDPR compliant sites nor lawyers, why we can not exactly tell you what functionality is needed to comply, even less so how to implement it. But since a few years have passed since the GDPR was implemented, there should be quite a pile of best practices to profit from out there.

 Please get in touch if we can be of further assistance.

Kind regards
Joachim 

 

 

 

 

 

 

On 2/18/2022 at 8:07 AM, Julia Osipova said:

Moved from Developer forum:

 

Due to the requirements of the regulatory authorities , it became necessary:

1. change the text displayed on the cookies banner. Where can I correct this text? (SOLVED)

2. Record in the logs clicking on the "Agree" button on the cookies banner. Is it being written to the log now and where can this log be viewed?

3. On mobile, the cookie banner disappears quickly when scrolling and does not appear anymore. Please fix it urgently. 

4.  is it possible to make it so that in order to view the content of the site it was necessary to click on consent to cookies? Now this is not necessary, and it is possible that a person has not expressed consent to cookies, but we still put them and this is a violation. Is it possible to demand consent, and not just notify about cookies?

 

The expression of consent to cookies in the form of clicking on a button must be recorded in the server logs and must be presented at the request of the supervisory authority. This is not my wish, it was demanded by the inspectors from state agencies. They regard failure to comply with this requirement as a violation of the law. If now it is fixed only on the user's side, and is not transmitted to the server, then we ask you to change it. This is a critical requirement, unfortunately.

 

I understand that it may be a guest. But the verifiers do not require binding to the user profile in this case. The requirement concerns the presence of an entry in the log, i.e., in theory, there is enough date/time and ip_address. Ideally, you can add a session id.

 

Please answer, will this be fixed in the near future or do I need to go to another software product to meet regulatory requirements? Unfortunately, the deadlines set by the regulatory authorities for correction are very limited.

Thanks

3 hours ago, Joachim Sandstrom said:

Document and store consent received from users.

Amazingly, that means to mass-collect personal data (like IP addresses from guests), which should violate the GDPR itself. 

I use https://www.ccm19.de/en/ - but it is a paid service with monthly additional costs for their cloud service in addition to the costs of IPS CiC. 

1 hour ago, opentype said:

Amazingly, that means to mass-collect personal data (like IP addresses from guests), which should violate the GDPR itself. 

I am sure the EU bureaucrats made a shiny roomy exception for the data needed for The Colossos, also called GDPR. But still, this animal is what everyone doing any Internet based business in the EU cope with. 

From an attorney perspective there is a shortfall in how the IPS system natively handles this: the boiler plate {cookie} language that IPS provides I find insufficient, and the mechanics of IPS in cookie consent tracking/removal of consent are basically lacking altogether.

To me a great cautionary tale is the recent case where a German court awarded 100 euros to a plaintiff who sued over a site that used embedded Google Fonts (like many sites...though not IPS) which reveals an IP address to Google which was not adequately disclosed. Adequate disclosure would likely have been sufficient as "necessary" or "essential" for the proper function of the site (making the assumption that authentic rendering of the site visually equates to an essential function). Of course Google farms data left and right at every level one can presume. Between those who use their 8.8.8.8 DNS server, to embedded Youtube videos on a site, to Google Fonts embedded on the site, to any banner ads, analytics, etc. 

In the specific case of IPS, it does use FontAwesome. No idea what they do, probably nothing near as invasive as Google, but the total absence of any mention, disclosure, disclaimer, etc. in the default {cookie} policy provided by IPS is a giant gap on this point.

The default {cookie} policy also does not mention two additional specific cookies that IPS uses: 

• ips4_hasJS - Indicates to the site whether JavaScript support in your browser has been detected. 
• ips4_ipsTimezone - Used to display site events properly for your time zone. 

I have pointed these out to IPS in private.

For points 1 and 2, I handle this through a more thorough {cookie} policy. For point 4, one can at least try to make the guest/public area is a "functional" place to sufficiently satisfy some level of "access" without non-essential cookie consent (this being tied to registration). For point 3 and 5 I've repurposed another plugin to serve as the mechanism for managing proof and withdrawal of consent.

The last thing I would want is for IPS to waste any time on something that wasn't necessary that doesn't provide added functionality for users and/or site owners. I would personally rather have some cool new feature rather than IPS needing to dump any development resources into something to just "break even" for legal concerns. However, things do have to be stepped up guys, sorry to say. This is only going to be more of an issue. It's not just EU and UK GDPR, but other places' laws are stepping things up as well.

A lackluster boiler plate {cookie} policy aside, there has to be at least SOME mechanism made available to regular site owners to at least SOMEWHAT A) allow users manage/withdraw consent and B) demonstrate some manner of attempted compliance/proof/record of this that can be demonstrated by a site owner in court for point 5. It does not have to be perfect to be useful for this purpose. Something, in some regard, is far far better than nothing from my perspective, even if it was only 30% of what it needs to be.

Edited March 26, 20223 yr by Brainy S.

Unfortunately, I also have the problem with the cookie Notice. Is it possible not to store the IP addresses of the guests, i.e. not to set any cookies for guests? 

I find the Cookie Notice a very very important part of IPS!!! And in the moment ... 😶

IPS can't fully understand Europe Law problems which is nonsense at most of the cases, they are USA, two different worlds. No offense, I don't know USA Law problems too 😛

Problem of European Law is that it is too detailed in area of data collection and taxing/invoicing. I don't know a single platform available for public purchase that can handle both well.

Edited April 28, 20223 yr by PatrickRQ

One thing to consider is that IPS has a large number of enterprise customers who are based in the US and the UK.  These are the customers that have more lawyers on staff than IPS as a company has employees.  

These customers know and understand the laws most likely better than all of us here combined.  Haha

If there was a true legal risk/liability, they would be all over getting it mitigated.  🙂 While some folks here seem to think it’s an “us vs them” for enterprise customers vs self hosted smaller groups…. There are benefits to having both types!  It’s like having a big brother who has been there and done that…. who can help show you how to shave the first time when needed.  😆

Edited April 28, 20223 yr by Randy Calvert

Or, they're using third party tools, which specialise in privacy law compliance. There are plenty out there.

Actually most of our clients in the EU, even the ones from huge corporations, do not concern with the cookies our software sets as a Guest. Since our cookies and the platform in general does not store data on Guests or otherwise track them other than transiently while they are actively clicking, GDPR does not apply. Contrary to popular believe, GDPR is not a cookie law, it is about data privacy and since we don't store any data on Guests (as in tracking cookies and the like) there's no privacy concern.

OFFTOP (BUT IMPORTANT TO, this is one of "WHYs?")

My company actually develops different kind of software but I always wonder WHAT IS THE PROBLEM to design good system for sales, invoicing - serious eCommerce. Current market is so large gap in the sector and demand is huge. I run another company for newborn/toddler clothing/accessories and I run my store on some PrestaShop for that - must say it is one big SHI T and developers of that should be thrown to prison.

IPS has potential and possibilities to turn their system into independent sales platform for serious people and own the market. Their technology is up-to-date, architecture is 21st century, not middle ages of Bill Gates Era like all the rest.

Why the heck to keep focusing on blogs, chatting, forums, gallery, etc. Unfortunately, but world is going into total digitalization, so please IPS, be the one who will own the market in eCommerce software provider.

On 4/28/2022 at 8:29 PM, Charles said:

GDPR is not a cookie law

It's not that simple – and it's not only about GDPR, but also about the Digital Services Act and other Laws and Regulations concerning ePrivacy.

And further changes are on the horizon. https://haerting.de/en/insights/eprivacy-regulation-eu-council/

This sounds good by the way:

Quote

Key points of Commission's proposal

…

Simpler rules on cookies: The cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly, as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy-intrusive cookies improving internet experience (like to remember shopping cart history) or cookies used by a website to count the number of visitors.

…

 

7 hours ago, Markus Jung said:

It's not that simple – and it's not only about GDPR, but also about the Digital Services Act and other Laws and Regulations concerning ePrivacy.

That may be true but again, since our Guest cookies do not track anything about the user, there is no privacy concern.

In fact, we plan to eventually phase out ALL cookies for Guests so it's a total moot point.