Screenshot of Chrome Dev Tools inspecting Application / Cookies for Timeouttherapy.co.uk in incognito mode - still showing google analytics cookies from previous session

I’m not GDPR compliant. :(

I’m trying!

I’ve been busy with my new job; haven’t had much time with “web stuff” over the last year (beyond ASP.Net / Web.API – but for internal network use).

I’ve only just started to look at how GDPR affects me. I have no interest in tracking individuals but I do use plugins, and I did set up Google Analytics once.

For hours I’ve been looking into the details of it all and possible solutions … but one thing in particular has frustrated and confused me! I couldn’t understand why, when I opened timeouttherapy.co.uk in an incognito tab, having removed the Google Analytics script, cookies would still show under Application – Cookies in the Dev Tools in Chrome. WHY???? WHY????

Something must be setting it, so I thought. But what? Because of course incognito mode uses a fresh cookie store, doesn’t it?

Hmmm. Maybe it doesn’t!!!

This is my JavaScript for Google Analytics for timeouttherapy.co.uk – set with anonymize_ip to true. On this site, based on the CyberChimps Responsive theme, when the Responsive Add On plug-in is active then the script in the webmaster section of theme options is active. For my experiment, in an incognito window, I cleared cookies for timeouttherapy.co.uk. With this script active, I refreshed … the ga and gid cookies appeared. I closed the window. I cut the script from timeouttherapy.co.uk, saved those options, and deactivated the Responsive Add On plug-in. I opened a new incognito window, went to timeouttherapy.co.uk, opened inspect, went to application / cookies and the cookies were still there. They persist after a hard cache empty reload. That’s what confused me. They weren’t set this session – but were from the previous session. Clearing the cookies, and reloading the site any which way resulted in no more ga / gid cookies (until the script was replaced and plug-in re-activated).

<!-- Global Site Tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-101156984-3"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-101156984-3', {  'anonymize_ip' : true });
</script>

It’s going to take some time for me to be compliant.

| Site | GDPR compliant | Cookies and notes |
|---|---|---|
| timeouttherapy.co.uk | No | PayPal, NID (google.com) |
| blog.xarta.co.uk | No | PHPSESSID, wordpress_test_cookie, YouTube (lots), Facebook (lots) |
| xarta.co.uk | No | Google Analytics (make anonymous), cloudflare? (might be a JavaScript file download) |
| the-icons.co.uk | No | Google Analytics (make anonymous), DSID, IDE, __sonar … all Google I think but why? .doubleclick.net, _gali? |

The NID cookie appears to be a session cookie and only appears (on timeouttherapy.co.uk, I think) when this script is active:

<!-- Place this tag in your head or just before your close body tag. -->
<script src="https://apis.google.com/js/platform.js" async defer>
  {lang: 'en-GB'}
</script>

The PayPal cookie might be due to the image used in this form.

<div style="width: 240px; margin: 0 auto;">
    <form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top"><input name="cmd" type="hidden" value="_s-xclick" />
        <input name="hosted_button_id" type="hidden" value="DV3PYAQ3HS758" />
        <input alt="PayPal – The safer, easier way to pay online." name="submit" src="https://timeouttherapy.co.uk/wp-content/images/20150426_1499_price_tag_green.png"
            type="image" style="display: block; margin: 0 auto;" />
        <img src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" alt="" width="1" height="1" border="0" /></form>
        <p style="width: 98%;">Currently UK Delivery only, at £2.25 postage and packing. Please contact Suzie if alternative delivery required before
            ordering!
        </p>
</div>

However, this code no longer works! (I’ve just discovered). Maybe something to do with certificates. I’ll have to ask my friend’s permission to log on to her PayPal, and get fresh script.

So, timeouttherapy.co.uk compliancy with GDPR.

  • Research what NID cookie is and if it’s a problem – if so, delay the google api script until acceptance granted
  • Google Analytics – that’s set to anonymous so shouldn’t be a problem
  • PayPal – after updating the script, need to research to see if that’s a problem, and if so, maybe use JavaScript to add the button only after consent acquired

That might not be all for timeouttherapy.co.uk – I’m sure I’ve seen a cookie related to Akamai appear at least once – I need to record a session interacting with the site to check.

So, I’m working on it. Eventually there should be a consent – but also reject, and any cookie setting scripts delayed until consented (and no other personalised tracking present). I’ll update this table as I progress.
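
One way to implement the "delayed until consented" plan above, as an added example that is not the author's code: the Google scripts from the snippets in this post are injected only after the visitor accepts. The storage key `cookie_consent` and all function names are assumptions.

```javascript
// Added example: hold back the post's cookie-setting scripts until consent.
const CONSENT_KEY = 'cookie_consent';      // assumption: hypothetical storage key
const GA_ID = 'UA-101156984-3';            // property ID from the post's snippet
const DEFERRED = [                         // script URLs from the post's snippets
  'https://www.googletagmanager.com/gtag/js?id=' + GA_ID,
  'https://apis.google.com/js/platform.js',
];

// 'granted', 'rejected' or 'unset'; any unexpected stored value counts as unset.
function consentState(storage) {
  const v = storage.getItem(CONSENT_KEY);
  return v === 'granted' || v === 'rejected' ? v : 'unset';
}

// Same calls as the post's inline gtag snippet, including anonymize_ip.
function initAnalytics(win) {
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', GA_ID, { anonymize_ip: true });
}

// Inject the deferred scripts only if consent is granted; returns the URLs added.
function loadDeferred(win, storage) {
  if (consentState(storage) !== 'granted') return [];
  const doc = win.document;
  const present = [...doc.querySelectorAll('script[src]')].map((s) => s.src);
  const added = [];
  for (const src of DEFERRED) {
    if (present.includes(src)) continue;   // already loaded: do not add twice
    const el = doc.createElement('script');
    el.async = true;
    el.src = src;
    doc.head.appendChild(el);
    added.push(src);
  }
  if (added.includes(DEFERRED[0])) initAnalytics(win);
  return added;
}

// Call from the accept / reject buttons: store the choice, then load if accepted.
function recordChoice(win, storage, accepted) {
  storage.setItem(CONSENT_KEY, accepted ? 'granted' : 'rejected');
  return loadDeferred(win, storage);
}

// In a browser, honour a choice stored on an earlier visit (skipped outside one).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  loadDeferred(window, window.localStorage);
}
```

Holding a script back does not remove cookies it set on an earlier visit, so a reject handler also has to expire any analytics cookies that already exist.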