How to check cookies for GDPR compliance: a new open-source tool will help
The developers of the CovenantSQL database have released the open-source utility Cookie Scanner, which determines which cookies a site sets and for what purpose.
We discuss why the tool was needed and how it works.
What the law says
The General Data Protection Regulation (GDPR) treats cookie identifiers as personal data (Recital 30), so a site that uses them to single out visitors needs a lawful basis for the processing; for tracking cookies that means informing visitors about the cookies being set and obtaining consent that meets the GDPR's definition (Articles 4(11) and 7).
The use of cookies in the EU is also governed by another law, the ePrivacy Directive (2002/58/EC), whose cookie-consent rule dates from its 2009 amendment. It is expected to be replaced by the more stringent ePrivacy Regulation, which we discussed in one of our previous materials. It likewise obliges website owners to inform visitors about the cookies they process.
Breaching the GDPR can cost the site owner up to 20 million euros or 4% of the organisation's worldwide annual turnover, whichever is higher; penalties for breaching the ePrivacy Directive are set by each member state's implementing law.
What is the difficulty
Despite the fines, many sites set non-essential cookies without user consent.
It is generally accepted that a site does not need the user's consent to set cookies that are necessary for it to function correctly. However, the wording of the legislation is rather vague, and it is not always clear when this exemption applies.
This leads to disputes. The French publisher Editions Croque Futur, for example, set advertising cookies on visitors' browsers without consent. The owners argued that these cookies pay for the site and are therefore vital to running the service, but the regulator (CNIL) rejected that reasoning and fined the company 25 thousand euros.
Another problem is that the rules do not require listing and describing every third-party cookie on a site individually, such as those needed by social network plugins. According to the UK Information Commissioner's Office (ICO) in its guidance (PDF, p. 17), it is enough for a company to group third-party cookies into categories and explain their purpose.
The Italian regulator explains that this concession is necessary: otherwise site owners would have to continuously monitor the third-party cookies on their site and track their purpose, which can change over time. That is hard if only because webmasters often have no direct contact with all the organisations that set cookies on their pages.
In practice this means that when a user visits a site, the browser can receive third-party cookies whose purpose is not known with certainty, either by the user or by the site owner.
How to solve the problem
The Cookie Scanner utility produces the full list of cookies a given site sets, and in passing identifies sites that breach the GDPR requirements. There are plenty of similar services online, but many of them are paid; Cookie Scanner's code is open and lives in a repository on GitHub.
Cookie Scanner records which cookies are set and generates a report describing their purpose. The classification data is taken from the Cookiepedia resource and stored in a CovenantSQL (CQL) database, which currently holds information about some 10 thousand cookies. How to start working with a CQL database is described in the quick start guide prepared by the CovenantSQL developers.
Cookie Scanner runs on macOS or Linux and needs the Chrome browser. It can also drive headless Chrome, the variant that renders nothing on screen and is normally used for automated testing of code and layout; it is faster and uses less memory.
A useful property is that it can run on a bare Linux server: the headless browser comes as a container image and works out of the box.
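To make the grouping the regulators accept, and the check the scanner performs, concrete, here is a small Go program added for this article (it is not Cookie Scanner's own code): it parses the Set-Cookie headers captured while a page loads, decides for each cookie whether it is first- or third-party relative to the scanned site, looks the name up in a classification table and flags everything that is not strictly necessary as needing consent, producing a JSON report with per-category counts. The classification table, the host names and the captured responses are constructed for the example; Cookie Scanner itself reads the cookies out of the browser over the DevTools protocol, which also catches cookies set from JavaScript through document.cookie that never appear in a Set-Cookie header. Registrable-domain detection is simplified to the last two labels of the host name, which is wrong for names like example.co.uk; production code should use the public suffix list.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Categories follow the grouping regulators accept in a cookie notice.
const (
	StrictlyNecessary = "strictly necessary"
	Analytics         = "analytics"
	Advertising       = "advertising"
	Unknown           = "unknown"
)

// classifier is a constructed stand-in for the Cookiepedia-derived table
// (Cookie Scanner keeps its copy, about 10 thousand rows, in CovenantSQL).
var classifier = map[string]string{
	"PHPSESSID": StrictlyNecessary, "_ga": Analytics, "_gid": Analytics, "IDE": Advertising, "fr": Advertising,
}

// Response is one HTTP response seen while the page loads: answering host and raw head.
type Response struct{ Host, Raw string }
// Finding is one row of the report; Report groups the rows as a cookie notice should.
type Finding struct {
	Name         string `json:"name"`
	Domain       string `json:"domain"`
	Category     string `json:"category"`
	ThirdParty   bool   `json:"third_party"`
	NeedsConsent bool   `json:"needs_consent"`
}
type Report struct {
	Findings        []Finding      `json:"findings"`
	PerCategory     map[string]int `json:"per_category"`
	ConsentRequired int            `json:"consent_required"`
}
// registrable keeps the last two labels of a host. Simplification: real code
// should use the public suffix list (golang.org/x/net/publicsuffix).
func registrable(host string) string {
	l := strings.Split(strings.ToLower(host), ".")
	if len(l) > 2 {
		l = l[len(l)-2:]
	}
	return strings.Join(l, ".")
}
// Scan parses every Set-Cookie header, classifies the cookies and flags those
// needing consent. Only strictly necessary cookies are exempt; unknown ones are
// flagged as well so that a person reviews them instead of letting them pass.
func Scan(site string, responses []Response) (Report, error) {
	rep := Report{PerCategory: map[string]int{}}
	rs := registrable(site)
	for _, r := range responses {
		resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(r.Raw)), nil)
		if err != nil {
			return rep, fmt.Errorf("%s: %w", r.Host, err)
		}
		for _, c := range resp.Cookies() {
			domain := strings.ToLower(strings.TrimPrefix(c.Domain, "."))
			if domain == "" { // no Domain attribute: host-only cookie
				domain = strings.ToLower(r.Host)
			}
			cat, ok := classifier[c.Name]
			if !ok {
				cat = Unknown
			}
			f := Finding{Name: c.Name, Domain: domain, Category: cat,
				ThirdParty:   domain != rs && !strings.HasSuffix(domain, "."+rs),
				NeedsConsent: cat != StrictlyNecessary}
			rep.Findings = append(rep.Findings, f)
			rep.PerCategory[cat]++
			if f.NeedsConsent {
				rep.ConsentRequired++
			}
		}
	}
	return rep, nil
}

// sampleResponses is constructed input standing in for what the browser would
// receive while loading example.com without answering any consent banner.
var sampleResponses = []Response{
	{"example.com", "HTTP/1.1 200 OK\r\n" +
		"Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure\r\n" +
		"Set-Cookie: _ga=GA1.2.1; Domain=.example.com; Expires=Fri, 01 Jan 2027 00:00:00 GMT\r\n\r\n"},
	{"stats.doubleclick.net", "HTTP/1.1 200 OK\r\n" +
		"Set-Cookie: IDE=xyz; Domain=doubleclick.net; Max-Age=63072000; SameSite=None; Secure\r\n\r\n"},
	{"cdn.example.com", "HTTP/1.1 200 OK\r\nSet-Cookie: cdn_pref=1; Path=/\r\n\r\n"},
}

func main() {
	rep, _ := Scan("example.com", sampleResponses) // constructed input, cannot fail
	out, _ := json.MarshalIndent(rep, "", "  ")
	fmt.Println(string(out))
}
```

On the sample input the report lists four cookies, of which three need consent: the session cookie is exempt, the Google Analytics cookie is first-party but still needs consent, the DoubleClick cookie is third-party advertising, and the unrecognised cdn_pref is flagged for review rather than assumed harmless. Because the scan loads the page without touching any consent banner, every flagged cookie is a candidate violation of the kind the regulators in the cases above fined.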
To run headless Chrome in a container, run the command below. Two caveats for anyone who leaves this running: --no-sandbox switches off Chrome's process sandbox while the scanner is rendering untrusted third-party pages in that browser, so keep it in a throwaway container; and --remote-debugging-address=0.0.0.0 lets anyone who can reach port 9222 drive the browser and read every cookie it holds, so publish the port on loopback only (for example -p 127.0.0.1:9222:9222) or restrict it with a firewall:
$ docker container run -d -p 9222:9222 zenika/alpine-chrome --no-sandbox \
--remote-debugging-address=0.0.0.0 --remote-debugging-port=9222
Cookie Scanner itself is installed with go get (on Go 1.17 and later, where go get no longer builds binaries, use go install with a version suffix such as @latest instead):
$ go get github.com/CovenantSQL/CookieScanner
The tool generates cookie reports in PDF, JSON and HTML formats. The PDF output is produced by having the remote Chrome instance print the already rendered HTML report; the function that does this looks like the following (note that the report path is resolved on the machine running Cookie Scanner, so when Chrome runs in a container the report directory must be mounted into it, or Chrome will open a file that does not exist):
import (
	"path/filepath"
	"time"

	"github.com/raff/godet" // Chrome DevTools protocol client used by Cookie Scanner
)

// outputAsPDF opens the rendered HTML report in a new tab of the remote
// (headless) Chrome instance and has it print the page to PDF.
func outputAsPDF(remote *godet.RemoteDebugger, htmlFile string) (pdfBytes []byte, err error) {
	var tab *godet.Tab
	// Resolved here, so Chrome must see the same file system as this process.
	if htmlFile, err = filepath.Abs(htmlFile); err != nil {
		return
	}
	fileLink := "file://" + htmlFile
	if tab, err = remote.NewTab(fileLink); err != nil {
		return
	}
	defer remote.CloseTab(tab) // do not leak one tab per report
	if err = remote.ActivateTab(tab); err != nil {
		return
	}
	// wait for page to load (a fixed delay is a race on slow hosts; waiting for Page.loadEventFired is more robust)
	time.Sleep(time.Second)
	return remote.PrintToPDF(godet.PortraitMode())
}
This is how an HTML report for covenantsql.io is generated in CLI mode; the --classifier argument is the CovenantSQL DSN of the classification database, with the client configuration in config.yaml:
$ CookieScanner cli \
--headless \
--classifier "covenantsql://050cdf3b860c699524bf6f6dce28c4f3e8282ac58b0e410eb340195c379adc3a?config=./config/config.yaml" \
--html cql.html covenantsql.io
Examples of the reports the program generates can be found in the corresponding section of the repository.
A month ago the Netherlands Data Protection Authority (Autoriteit Persoonsgegevens, AP) announced that it would soon start actively investigating user complaints about sites that break the cookie rules. We can expect more tools, open-source ones included, for monitoring cookies; both users and site owners will use them to comply with the GDPR and the ePrivacy Regulation.