The developers of the CovenantSQL database have released an open source utility, Cookie Scanner, which determines which cookies a site sets and for what purpose.
Below we discuss why the tool was needed and how it works.
What the law says
Article 30 of the General Data Protection Regulation (GDPR) obliges websites that process users' personal data to notify them that cookies are being set and to obtain their consent for this.
Work with cookies in the European Union is also regulated by another law, the ePrivacy Directive, which has been in force since 2009 (this year it is due to be replaced by a stricter ePrivacy Regulation, which we described in one of our previous articles). It, too, obliges site owners to notify users when cookies are processed.
For violating the requirements of the GDPR and the ePrivacy Directive, a resource owner can be fined heavily: up to 20 million euros or 4% of the organization's annual turnover.
What is the difficulty
Despite the fines, many sites set so-called optional cookies without users' consent.
It is generally accepted that a site is not required to obtain the user's consent for cookies that are necessary for the site to function correctly. However, the wording in the legislation is rather vague, and it is not always clear when this exemption applies.
This gives rise to disputes. For example, the French publisher Editions Croque Futur placed cookies on its site for marketing campaigns. The owners argued that these cookies ensure the site's profitability and are therefore vital to the operation of the service. The regulator did not accept this argument and ordered the company to pay a fine of 25 thousand euros.
Another problem is that the GDPR does not require a site to list and describe every third-party cookie, for example those needed by social-network plug-ins. As the UK Information Commissioner's Office (ICO) writes in its guide (PDF, p. 17), companies need only group third-party cookies into categories and explain their purpose.
The Italian regulator explains that this is a necessary concession, because otherwise owners would have to constantly track the third-party cookies on their site and their purpose, which may change over time. That task is hard to accomplish, if only because webmasters often have no direct contact with all of the organizations responsible for setting cookies on their resource.
In practice this means that when a user visits a site, their browser can receive third-party cookies whose purpose is not known for certain.
How to solve the problem
The Cookie Scanner utility can obtain the full list of cookies set by a particular resource (and, along the way, find sites that violate GDPR requirements). There are quite a few similar services online, but many of them are paid. Cookie Scanner's code is open and lives in the GitHub repository.
Cookie Scanner analyzes the cookies a site sets and generates a report describing what each of them does. The tool takes its information from the specialized Cookiepedia resource and stores it in a CQL database, which currently holds information on about 10 thousand different cookies. How to get started with a CQL database is described in the quick start guide prepared by the CovenantSQL developers.
Cookie Scanner requires macOS or Linux and the Chrome browser. Alternatively, you can use headless Chrome, the mode used for testing code and layout: it does not render content on screen, so it runs faster and uses less memory.
Another important feature is that it can be installed on a "bare" Linux server: just install the package, and the browser works out of the box.
To run headless Chrome in a container, execute:
$ docker container run -d -p 9222:9222 zenika/alpine-chrome --no-sandbox \
    --remote-debugging-address=0.0.0.0 --remote-debugging-port=9222
Cookie Scanner itself is installed with go get:
$ go get github.com/CovenantSQL/CookieScanner
The tool generates cookie reports in PDF, JSON and HTML formats. The function that outputs a report as PDF looks like this:
import (
	"path/filepath"
	"github.com/raff/godet"
)

// outputAsPDF opens the HTML report in a new Chrome tab over the DevTools
// protocol (via the raff/godet client) and renders it to PDF.
func outputAsPDF(remote *godet.RemoteDebugger, htmlFile string) (pdfBytes []byte, err error) {
	var tab *godet.Tab
	htmlFile, _ = filepath.Abs(htmlFile)
	fileLink := "file://" + htmlFile
	if tab, err = remote.NewTab(fileLink); err != nil {
		return
	}
	if err = remote.ActivateTab(tab); err != nil {
		return
	}
	// The excerpt in the article stops above; closing the tab and calling
	// godet's PrintToPDF is an assumed completion, not the project's own lines.
	defer remote.CloseTab(tab)
	pdfBytes, err = remote.PrintToPDF()
	return
}
This is how an HTML report is generated in CLI mode:
$ CookieScanner cli \
    --headless \
    --classifier "covenantsql://050cdf3b860c699524bf6f6dce28c4f3e8282ac58b0e410eb340195c379adc3a?config=./config/config.yaml" \
    --html cql.html covenantsql.io
Examples of the reports the program can generate can be found in the corresponding section of the repository.
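As an added example (not code from Cookie Scanner or CovenantSQL), here is a small Go program that performs the classification step the tool automates: it parses the Set-Cookie headers recorded while a page loads, flags cookies whose domain lies outside the visited host as third-party, and looks each name up in a constructed purpose table standing in for the Cookiepedia data. All hosts, cookie names and categories are constructed sample values, and no public-suffix list is consulted.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Observed is one response seen during page load: sending host plus its raw
// Set-Cookie header values. Row is one entry of the scan report.
type Observed struct{ Host string; SetCookie []string }
type Row struct{ Name, Domain, Category string; ThirdParty bool }

// Constructed stand-in for a Cookiepedia-style name -> purpose lookup
// (the real scanner queries a CQL database instead).
var knownCookies = map[string]string{
	"_ga": "Performance", "fr": "Targeting/Advertising", "sess": "Strictly Necessary",
}

// isThirdParty is true when the cookie domain is neither the visited host nor
// a parent of it. No public-suffix list is used, so "co.uk" would mis-score.
func isThirdParty(siteHost, cookieDomain string) bool {
	d, s := strings.ToLower(strings.TrimPrefix(cookieDomain, ".")), strings.ToLower(siteHost)
	return s != d && !strings.HasSuffix(s, "."+d)
}

// Classify turns the recorded responses into report rows for the visited host;
// http.Response.Cookies supplies the standard-library Set-Cookie parser.
func Classify(siteHost string, responses []Observed) []Row {
	var out []Row
	for _, r := range responses {
		for _, c := range (&http.Response{Header: http.Header{"Set-Cookie": r.SetCookie}}).Cookies() {
			dom := c.Domain
			if dom == "" { // host-only cookie: scoped to the responding host
				dom = r.Host
			}
			cat, ok := knownCookies[c.Name]
			if !ok {
				cat = "Unknown"
			}
			out = append(out, Row{c.Name, dom, cat, isThirdParty(siteHost, dom)})
		}
	}
	return out
}

func main() { // constructed sample: first-party page plus a pixel from another host
	fmt.Printf("%+v\n", Classify("www.example.com", []Observed{
		{"www.example.com", []string{"sess=abc; Path=/; Secure; HttpOnly", "_ga=GA1.2.1; Domain=.example.com"}},
		{"tracker.example.net", []string{"fr=xyz; Domain=.example.net; SameSite=None; Secure"}}}))
}
```

A real scan would feed Classify with the responses captured from the headless browser (for example over the remote-debugging port shown above) rather than constructed headers.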
A month ago, the Netherlands Data Protection Agency (AP) announced that in the near future it will actively investigate user complaints about websites that violate the rules on cookies. We can expect more tools (including open-source ones) for monitoring cookies to appear. Both users and site owners will use them to meet the requirements of the GDPR and the ePrivacy Regulation.