TLDR: Are Stripe cookies "essential" cookies that do not require consent?
As many of you may know, Stripe is a payment processor and they require that websites using their platform serve the users with their "stripe.js" which applies several cookies.
The cookies are used for tracking, so they sort of come under GDPR, but the tracking is for strictly necessary purposes (fraud prevention) so it sort of also doesn't come under GDPR.
Do I need to irritate users with an accept cookies banner for these Stripe cookies or not? I think it would impair functionality if they were not set, so I'm leaning towards "No, I don't need to ask".
Related
The website uses embedded YouTube videos, Slide Shares, Open Table Widgets that become iframes. According to the new law about GDPR we need to ask the user's consent for tracking his activity. But how then can I use these components and at the same time disable the analytics that comes automatically from these iframes?
It's very difficult to reconcile any kind of tracking with GDPR. If the frame you're loading does not provide privacy controls of its own, you would need to acquire the relevant consent before loading the iframe at all, which you can do via JavaScript loaded from your own site.
As a workaround, you could proxy the services and strip tracking cookies and scripts before they ever reach the end user. I've done this before.
The privacy-friendly approach is to not use services that track users in the first place, and then you have nothing to worry about. Sadly this is easier said than done, since the vast majority of such services' entire business model relies on tracking people.
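The consent-before-loading approach described in the answer above, as an added example that is not part of the original post. The host allowlist, the function names and the `VIDEO_ID` placeholder are assumptions made for illustration.

```javascript
// Added example. Hosts this site agrees to frame at all (assumed list).
const ALLOWED_EMBED_HOSTS = new Set(['www.youtube.com', 'www.slideshare.net']);

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Record consent per provider; `consent` is a Set kept in first-party storage.
function grantConsent(consent, host) {
  if (ALLOWED_EMBED_HOSTS.has(host)) consent.add(host);
  return consent;
}

function renderEmbed(embedUrl, title, consent) {
  let url;
  try { url = new URL(embedUrl); } catch { return { state: 'refused', html: '' }; }
  if (url.protocol !== 'https:' || !ALLOWED_EMBED_HOSTS.has(url.hostname)) {
    return { state: 'refused', html: '' };
  }
  const host = escapeHtml(url.hostname);
  if (!consent.has(url.hostname)) {
    // No src attribute yet: the URL sits in data-embed-src, so the browser
    // sends nothing to the provider and no third-party cookie can be set.
    return {
      state: 'placeholder',
      html: `<div class="embed-placeholder" data-embed-src="${escapeHtml(url.href)}">` +
        `<p>${escapeHtml(title)} is served by ${host} and may set cookies.</p>` +
        `<button type="button" data-consent-host="${host}">Load content</button></div>`,
    };
  }
  return {
    state: 'loaded',
    html: `<iframe src="${escapeHtml(url.href)}" title="${escapeHtml(title)}" ` +
      `referrerpolicy="no-referrer" loading="lazy"></iframe>`,
  };
}
```

In a page, the button's click handler would call `grantConsent`, persist the set, and re-render the same embed.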
My country is starting to apply laws about privacy and cookies.
Is there a way to use the YouTube IFrame API without storing cookies?
This is a free script preventing iFrame cookies:
cookies-enabler
Here you get a list of free cookie law tools with features, pros and cons:
free cookie law tools
We have set up GA from an intranet, however we are not sure if everything is tracked correctly. We should be getting more unique hits/page views than GA reports.
All of our intranet users get the same external IP address and we are not sure if this makes GA believe that all the requests are coming from the same user, or a limited number of unique users at least.
How does GA determine the uniqueness of the requests? And is there a way to provide another "unique" key if needed?
Google Analytics does not use IP addresses for that purpose. It creates an id for every browser where the tracking code is run and stores it in a cookie (on browsers that do not allow cookies, data will still be sent but will not be grouped into user sessions; however, with Universal Analytics you can choose to provide a uuid yourself).
Since your intranet users are presumably authenticated, you could use the user id feature in Universal Analytics. However, this should not be necessary (it was developed to recognize authenticated users across devices, so it might be useful if your users log in to different computers).
But as long as JavaScript is enabled and allowed to set cookies (and of course there is an internet connection) there should be no problems. IP is used for geolocation only.
I have recently been required to implement some Usage Tracking to a web-based Business Application. Basically what needs to be tracked is what pages in the application are being used and for how long users stay on those pages. The application is hosted on the internet and is HTML/JavaScript.
I could use Google Analytics to track page views, visits and browser capabilities, but is it secure enough to use for business applications?
Does anyone else use Google Analytics to track web-based business application usage? Or do you have some thoughts on this?
Also, I couldn't find anything from Google specifically stating whether this is a good or bad thing to do.
It depends what you want to be secure.
Gathered data, if you trust Google, is pretty secure.
However, Analytics data can be tampered with. Someone can read your Analytics ID from page source (or HTTP traffic) and submit fake pageviews, events, change custom variables, etc.
When you sign up to google analytics it instructs you to use a javascript snippet on every page you want to track. This code includes an API key, which is visible to everyone who views your source code.
How does it guarantee that the request is coming from the real site, and not from a third party who wants to mess with your statistics? Does it check the HTTP Referer header? Even that is not safe, as it can be forged.
GA doesn't (to the best of my knowledge) attempt to verify that the site ID (the UA-XXXXX-XX code) matches a domain specified in the GA setup - I think this is a good thing, as you can track a bunch of related sites as though they were a single site (think single-product minisites, for example). However, this does leave the GA profile open to accidental or malicious use of the UA code on other unrelated sites.
The easiest way to fix this is to add a filter onto the GA profile which restricts reported data to a specified referrer hostname set. This will clean out the accidental typo problem, but malicious types would be able to work around this if they were really interested (but they'd be more likely to grief your PPC campaigns instead).
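The hostname filter suggested in the answer above, as an added example that is not part of the original post. It assumes the filter pattern is a regular expression that matches anywhere in the hostname field unless anchored; `example.com`, the sample hits and the function name are constructed for illustration.

```javascript
// Added example: two candidate "include" patterns for the hostname field.
const LOOSE = /example.com/i;                        // unanchored, dot not escaped
const ANCHORED = /^([a-z0-9-]+\.)*example\.com$/i;   // the site itself or a subdomain

// Constructed hits; `hostname` is the value reported with each pageview.
const SAMPLE_HITS = [
  { hostname: 'example.com', page: '/pricing' },
  { hostname: 'www.example.com', page: '/' },
  { hostname: 'example.com.copycat.test', page: '/' },  // snippet pasted on another site
  { hostname: 'notexample.com', page: '/' },
  { hostname: 'examplexcom.test', page: '/' },          // matches only because "." is a wildcard
  { hostname: '', page: '/landing' },                   // hit with no hostname at all
  // The hostname is client-reported, so a hit claiming an allowed hostname
  // still passes: the limitation the answer notes for malicious senders.
  { hostname: 'example.com', page: '/not-a-real-page' },
];

// Keep only hits whose hostname matches the include pattern.
function applyIncludeFilter(hits, pattern) {
  return hits.filter((hit) => pattern.test(hit.hostname));
}

const keptLoose = applyIncludeFilter(SAMPLE_HITS, LOOSE);
const keptAnchored = applyIncludeFilter(SAMPLE_HITS, ANCHORED);
console.log('loose pattern keeps', keptLoose.length, 'of', SAMPLE_HITS.length);
console.log('anchored pattern keeps', keptAnchored.length, 'of', SAMPLE_HITS.length);
```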