-
Posts
-
I have asked Yigit in this thread https://kriesi.at/support/topic/update-4-6-makes-cookie-consent-reload-every-time/page/2/ but guess it will be overlooked, so I am creating a separate thread.
The issue many of us had, was two missing shortcodes in the Essential Website Cookies section of the Modal Window. The team has created some workaround for the issue, but with the new legal situation in the EU, we really need to make sure that Enfold is configured correctly in order not to submit our customers to legal issues, so some clarity would be great.
I don’t understand how those shortcodes missing affect the whole cookie logic. Those two shortcodes are described in a very vague fashion, so I am hoping someone from the Kriesi team can explain this.
Looking at the shortcode descriptions, they say:
[av_privacy_allow_cookies] – allows a user to refuse cookies and hides message bar (needs 2 cookies for that, others are removed)
[av_privacy_accept_essential_cookies] – allows a user to opt out from essential theme and all other cookies (except 2 from av_privacy_allow_cookies)Here are my questions, numbered for easier answering:
- 1. So the first one refuses ALL cookies or only non-essential ones?
- 2. And the second one says “essential theme and all other cookies”, so in my understanding kinda contradicts the first one? Or is this only “enable essential cookies and NOT all others”?
- 3. Also the logic is not very clear: the shortcode is called av_privacy_allow_cookies and the description is talking about refusing them. So when the toggle is set to “on”, what exactly is happening. Alllow or forbid?
- 4. If I am creating a webpage with the available shortcodes, I can use [av_privacy_allow_cookies] and [av_privacy_accept_essential_cookies] as well as the buttons [av_privacy_accept_button wrapper_class="" id="" class=""] and [av_privacy_do_not_accept_button wrapper_class="" id="" class=""] on the same page. So on this page it should be possible to do all the privacy settings, right?
- 5. What do the “Accept Cookies” button and the “Do not accept” button do exactly?
- 6. Are the having an influence on the other two toggles as well?
- 7. Cookie Consent Message Bar: Are the Accept Cookies” button and the “Do not accept” button the same buttons as the accept and dismiss buttons from the cookie bar, i.e do they do the same thing? If not, what is the difference?
- 8. Modal Popup Window: Are the Accept Cookies” button and the “Do not accept” button the same buttons as the accept and dismiss buttons from the cookie bar, i.e do they do the same thing? If not, what is the difference?
Do you see where i am going with these question? The current solution might very well be good and working as intended, but the intention is not clear at all and we are kinda left in the dark and the on-page description is well meant but not very helpful.
It would be great, if you can describe the logic for each shortcode and how they all work together. Or maybe update the https://kriesi.at/documentation/enfold/privacy-cookies page for 4.6.1?Our (legal) requierements are actually pretty straightforward: Essentially we have these possibilities:
- User does nothing – no cookies are saved at all
- User denies cookies – 2 cookies are saved
- User allows essential cookies – some cookies are saved
- User allows all cookies – all cookies are saved
How does this translate to the cookie message bar and why have those 2 selectors like this? I am really confused or to stubborn/dumb to get this.
Thanks in advance for helping me and surely others with this.
Cheers,
MichaelI forgot one thing. The third button, that we can use in the Modal Popup Window does not work as intended. It should link to another page, right?
It doesn’t, as you can test here: http://enfold.muster.website/ (Open modal and klick on “Ich will hier weg!”)
Btw. that’s where I have been testing all the shortcodes, but the results where inconsistent, so I had to ask all those questions above.Hi,
Thank you for the inquiry.
We have updated the documentation regarding the privacy options. You can review it here.
// https://kriesi.at/documentation/enfold/privacy-cookies/#implementation-of-data-security-in-enfold
Please make sure that the site is running on version 4.6.1. And we also tried to answer your inquiry here:
It doesn’t, as you can test here: http://enfold.muster.website/ (Open modal and klick on “Ich will hier weg!”)
The modal popup window button as the name suggests, opens a modal window containing info about the privacy option including the privacy shortcodes. It will not link to another page. If you want to create a link to your privacy page, create a new button in the privacy & cookies options panel and set the “Button Action” to the 4th option (Link to another page).
Best regards,
IsmaelHi Ismael,
thanks for taking the time to answer. You misunderstood me, I was talking about the button “Link to another page” in the modal popup. Linking to another page is not working!
Also thanks for updating the documentation. Please believe me, I am not trying to be a pain in the ass, but some question are still unanswered resp. not yet clear. Could you shed some light on these?
- 1. [av_privacy_allow_cookies] refuses ALL cookies or only non-essential ones?
- 2. [av_privacy_accept_essential_cookies] refuses essential cookies additionally to the above? Why does the description say “and all other cookies”?
- 3. The toggle logic is not clearly described in the documentation: When the toggle is set to “on”, what is happening, allow or forbid? Btw, the new wording “allow to refuse” only makes it worse ;-)
- 4. Both toggles are set to “on” on the first visit. Clicking on “Accept” or clicking on “Decline” does not change that. So the logic behind it all is still not clear.
I have updated the test page under http://enfold.muster.website/ Have a look at it and try to switch the toggle of either one shortcode and then click on “Accept” or “Deny” and see if the behaviour is as intended. For me the logic is botched, even considering that I still am misinterpreting some of your explanations the wrong way. Which would be a GDPR issue of its own:
There is a very big danger here for all of us. The GDPR clearly states, that the user has to be informed in clear and concise natural language what his privacy options are. The current solution MIGHT be viable from a technical point of view (not sure yet, that it really is), but it is not clear at all and this opens up all kinds of problems, from unintended misconfigurations to written warnings (Abmahnungen) and other legal risks and issues.
Please continue to work with us, so that we can find an easily working solution as well as an unambiguous documentation.
Best regards
MichaelHi,
Thank you for the clarification.
We are able to reproduce the issue with the buttons inside the modal popup window. We’ll forward it to the dev team.
1.) The [av_privacy_allow_cookies] when enabled will ensure that the cookie consent bar is hidden once the user opted in, but it will not allow non-essential cookies such as cookies that can/disable videos and maps. For that, the [av_privacy_accept_essential_cookies] should be enabled.
2.) The [av_privacy_accept_essential_cookies] when enabled will add the “aviaPrivacyEssentialCookiesEnabled” and allow non-essential cookies (maps, videos, recaptcha), but it will not affect the essential cookies “aviaCookieConsent” and “aviaPrivacyRefuseCookiesHideBar” once the user opted in.
You can test this by adding the [av_privacy_allow_cookies], [av_privacy_accept_essential_cookies] and [av_privacy_video_embeds] in a test page. Below the privacy shortcodes, add a video element with a youtube URL.
3.) Just think of “green” as enabled and “gray” as disabled, so when the [av_privacy_allow_cookies] is gray, the cookie consent bar will always popup on reload because the “aviaPrivacyRefuseCookiesHideBar” is not present. If the [av_privacy_video_embeds] is gray or disabled, videos will automatically open in another tab or to an external link. If green, the video is allowed to play directly on the site.
4.) On 4.6.1, the [av_privacy_allow_cookies] and [av_privacy_accept_essential_cookies] cookies are enabled by default because a lot of site owners are not aware of it. This assumes that the user or visitor opted in or allow the use of cookies when they continue to browse the site, accept the cookies or by simply ignoring the consent bar.
There is a very big danger here for all of us. The GDPR clearly states, that the user has to be informed in clear and concise natural language what his privacy options are.
That’s why you have to enable the cookie consent message bar and add the details of the site policy in the privacy policy page. It is up to the users by then if they want to ignore the consent bar or accept the cookies.
As stated on the documentation:
It is up to you as owner of a website to ensure that your website is compliant to the rules of the country your visitors come from. You need to check this with a reliable lawyer.
// https://kriesi.at/documentation/enfold/privacy-cookies/#implementation-of-data-security-in-enfold
Best regards,
IsmaelHi Ismael,
1. so you are saying enabling [av_privacy_allow_cookies] only has an effect on the cookie message bar, but not on any cookies at all (except it’s own cookie of course) ?
2. And enabling [av_privacy_accept_essential_cookies] will allow non-essential cookies, but when disabled only essential cookies are allowed?
Is this not the opposite of what the description says?
3. You completely misunderstood question 3. Naturally we know when the toggle is enabled and when not. My question was which toggle state corresponds with which cookie behaviour. But maybe this is more clear, when you confirm my question 1 and 2 above.Thanks in advance
MichaelHi!
Thank you for the update.
1.) Yes, that’s correct. The [av_privacy_allow_cookies] add or enables the essential cookies “aviaCookieConsent” and “aviaPrivacyRefuseCookiesHideBar”. When these cookies are present, it means that cookie message bar will not re-appear once the user opt in or accepted the cookies. For non-essential cookies (maps, recaptcha, video), the [av_privacy_accept_essential_cookies] should be enabled.
2,) Yes, even I is a little bit confuse now that you mentioned it, but what the [av_privacy_accept_essential_cookies] does when it is enabled or set to “green” is add the “aviaPrivacyEssentialCookiesEnabled”, which allow the users to interact with the elements directly in the site. For example, if there is a video in a page and this cookie is not present or enabled, the user will not be able to play the video directly in the site. It will open an external link in a new tab. Same with the map, the map will not display if this cookie is not present.
If you want to see the actual script, edit the config-templatebuilder > aviashortcodes > video > video.js file. Look for this code around line 25:
else if( ! document.cookie.match(/aviaPrivacyEssentialCookiesEnabled/) ) { allow_continue = false; }Regards,
IsmaelHi Ismael,
thanks for clearing this up. I guess you might wanna update the documentation as well as the shortcode description in the backend to reflect that. I would even suggest to rename the shorcodes, as their names alone bear a lot of potential for confusion.
To be honest, I would have preferred the other way around, i.e. the toggle saying “Enable to only allow essential cookies” – since this is what the GDPR and the latest judgement by the EuGH made mandatory. But from a legal standpoint it doesn’t matter if you allow or forbid with toggle on “on” – the only thing that matters is that the users has a – clearly described – choice. That’s why that description is so very important and why I kept nagging you for the definite explanation.
One other thing: If we don’t use Google Analytics, Google Maps, Google Fonts or Videos, those cookies are still set since they are enabled by default.
Wouldn’t it make more sense, to make it possible to deactivate the shortcodes and also their respective Cookies, if we don’t need them?
Our privacy policy explains that we don’t use any of these service but the cookies are still set to “allow”, if users accept the cookie message bar. That is not good and might even have some legal implications. I know that I can create my own modal popup texts and leave those shotcodes out, but they are still enabled by default.
Thanks a lot for your continued help.Cheers,
MichaelHi,
Thank you for the update.
We’ll forward your suggestions to the team. However, additional changes to the privacy option might create another wave of confusion for those who had it setup already, so we will probably stick with the current names and description. And if you’re not aware already, you can actually change the text and description of the privacy options.
lease note: if you do not like the default text that is displayed by those shortcodes you can change it by using [shortcode]Your text here[/shortcode]
[av_privacy_cookie_info id="" class=""] – adds a list about used and accessable cookies in domain with value and additional info about the cookie
[av_privacy_accept_button wrapper_class="" id="" class=""]your button text[/av_privacy_accept_button] – adds an accept cookies button
[av_privacy_do_not_accept_button wrapper_class="" id="" class=""]your button text[/av_privacy_do_not_accept_button] – adds a do not accept cookies button
[av_privacy_modal_popup_button wrapper_class="" id="" class=""]your button text[/av_privacy_modal_popup_button] – adds a button that opens the privacy modal popup window – you have to enable cookie consent message bar========================
Wouldn’t it make more sense, to make it possible to deactivate the shortcodes and also their respective Cookies, if we don’t need them?
You can actually set the “Default Cookie and Services Option Settings” to the 3rd option so that the non-essential cookies are disabled by default. This is the most “strict” option because users will have to be aware of the implications of not accepting the cookies and not enabling the privacy options. If you’re not using those services or elements in the site, then it’s fine.
Best regards,
IsmaelHi Ismael,
I know how to change the descriptions displayed for the shortcodes I am using. My suggestion was to change the descriptions of the shortcodes in the documentation and in the Enfold options, since they are plain wrong and thus will forever create confusion for your customers. But hey, up to you, at least I now know what I am doing.
Just as an addendum, if you would follow the EuGH judgement as strictly as possible, [av_privacy_accept_essential_cookies] would have to be set to “disabled” by default. But there is some legal leeway and since the user has the possibility to disable it himself, it “should” be ok.
I do have set “Default Cookie and Services Option Settings” to the 3rd option, in Europe this is the only viable option, all others are definitively illegal!
Regarding the 3rd party cookies, I removed all shortcodes/toggles from the modal popup related to external stuff like Google Analytics and so on. Now the respective cookies are not saved anymore. So in order to really adapt this to our needs, we have to edit the custom content of the modal window and remove all unnecessary shortcodes. Can you confirm this behaviour? This might be another useful hint for your documentation, I just found this out by chance.
Cheers,
MichaelJust tested a bit further to confirm the above about 3rd party cookie shortcodes and found some strange behaviour. Why is [av_privacy_accept_essential_cookies] enabled by default but third-party shortcodes like [av_privacy_video_embeds] are not? That’s completely illogical.
A user accepting cookies, i.e. opting-in to have cookies saved would never expect that he has to go into the settings and enable each and every cookie separately.
A website user either wants to enable all cookies (with one click), some cookies by en- or disabling some (takes a few clicks) or no cookies at all (with one click).
Hi again, I have to take back my last comment. The second option of “Default Cookie and Services Option Settings” enables all shortcodes by default. Still not sure why [av_privacy_accept_essential_cookies] is enabled by default on the 3rd option though.
Hi,
Option 1 is the behaviour before 4.6: On pageload all cookies are allowed, all services are active, user can opt out (= silent accept all).
Option 2 and 3 block all cookies and services on every pageload until user clicks the button with action “Accept settings …” (and in coming 4.6.3 there will be an action “Accept all cookies and services”). This is the must opt in.
As services need a page reload after accepting cookies to work (because js code is not loaded before) with 4.6.3 there will be an option where you can force this automatically.
In option 3 (user must opt in) the 2 shortcode toggles av_privacy_allow_cookies and av_privacy_accept_essential_cookies are preselected to be more intuitive. These 2 shortcodes enable cookies that are needed for the site to function (= esential cookies, from Enfold and from plugins like WooCommerce cart, WPML icl_… ,…).
If visitor clicks “accept” without checking the settings he has a working site without external services.
In 4.6.3 you will be able to change this to have all toggles deselected by adding to functions.php:
add_theme_support( 'avia_privacy_basic_cookies_unchecked' );There is a button action “Do not accept ….”: This button removes all cookies, disables all services (page reload !!). Message bar is hidden on subsequent page reloads, but shown in a new window or new tab – visitor is a new visitor.
Documentation will be extended with this info.
Hope this makes things clear.
Best regards,
GünterHi Günter,
awesome, all the upcoming features in 4.6.3 are exactly what has been missing and if the documentation and backend description reflect all that, Enfold is back on track.
Are you saying that disabling [av_privacy_accept_essential_cookies] should have an influence on cookies set by
WoocommerceandWPML? I would have to test that, I assumed it wouldn’t…Thanks for the heads up.
Cheers,
Michael
- You must be logged in to reply to this topic.