Open-Cookie-Database icon indicating copy to clipboard operation
Open-Cookie-Database copied to clipboard

Published 20 hours ago verified publisher icon jkwakman

Platform cookies and "User Privacy & GDPR Rights Portals" column

Open thierrymaasdam opened this issue 6 months ago • 1 comments

Hi all,

I would like to take the opportunity to consider something with regards to cookies of platforms that operate directly on behalf of a site owner — such as e-commerce software — and their User Privacy & GDPR Rights Portals URLs.

Lets take the following examples:

  • woocommerce_cart_hash, set by WooCommerce;
  • woocommerce_items_in_cart, set by WooCommerce;
  • frontend, set by Magento;
  • searchReport-log, set by Magento;
  • COOKIELAW_ADS, set by Lightspeed;
  • wordpress_logged_in_, set by WordPress;
  • _tracking_consent, set by Shopify;

These cookies refer to privacy portals that are maintained by the original developers of the software behind a certain platform and do not apply to instances of the products that they develop, such as an individual website that runs on WordPress or store that runs on Magento, Lightspeed or Shopify.

Diving deeper into the examples:

  1. wordpress_logged_in_'s portal URL is set to https://wordpress.org/about/privacy/. That page is only referring to visitors' privacy and GDPR rights on the WordPress.org, and related, domain(s).
  2. The same goes for Magento. Every Magento instance should have their own privacy page. The provided privacy portal, https://www.adobe.com/privacy.html, is irrelevant for shops that run on Magento as it only covers the privacy and GDPR rights of users that visit websites that are managed by Adobe.
  3. Shopify does things differently: on their privacy page, they do mention the cookies used by merchants that use Shopify as their e-commerce platform (https://www.shopify.com/legal/cookies#merchant-storefronts). However, I personally think that it would be better if a merchant maintained their own cookie overview table.

Counter examples

  • A cookie such as _ga has the privacy portal https://business.safety.google/privacy/. That makes sense, as the _ga cookie is set by an external script (although as a first-party cookie) and processed by a third-party platform that is not native to the domain where the cookies are set.

Discussion

What are your thoughts on approaching privacy portals by platforms that operate as a first-party platform on behalf of a site owner?

thierrymaasdam avatar Aug 12 '24 10:08 thierrymaasdam