
Comments (32)

andreas-junghanns commented on July 21, 2024

Yes, please add.

from fmi-standard.org.

MartinOtter commented on July 21, 2024

It must be added in such a form, that no personal data is used, in order to fulfill the new EU regulations GDPR (see e.g. https://blog.convert.com/google-analytics-and-gdpr-is-it-compliant.html)

GallLeo commented on July 21, 2024

Doesn't this add the inconvenience for all visitors to click away the "We are using Cookies" pop-up?

xogeny commented on July 21, 2024

Actually, this should be done by the web masters. It is going to involve potentially multiple sites and it should be done in a consistent way. Furthermore, the analytics should be collected under the MA webmaster account (which I don't seem to have access to at the moment).

I did find a nice link about GDPR though.

xogeny commented on July 21, 2024

@GallLeo As far as I know, Google Analytics doesn't pop up any such dialog. Do you know otherwise? I say this because I use it on multiple sites and I've never seen such a popup.

dietmarw commented on July 21, 2024

The behaviour of not showing the pop-up is probably a violation of the European rules itself. IIRC, whenever a site uses cookies it needs to inform the visitor about this in such a way that the visitor needs to acknowledge this.

xogeny commented on July 21, 2024

Or perhaps it just doesn’t use cookies. I really have no idea. But I assume Google would do what is necessary to comply...

GallLeo commented on July 21, 2024

Maybe you don't need it and don't see these nasty pop-ups, because you are located in the U.S.?
From my experience, there is nearly no bigger website anymore, which doesn't have these nasty pop-ups.

I asked a friend, who runs a web development business. According to him, you do need the "Cookie Law Pop-up" for Google Analytics. They use a paid service www.iubenda.com in order to generate these texts based on the used services.

Mike's link also tries to explain it:

Since Google Analytics also records an online/cookie identifier called the GA Client ID, and because this is part of the core functionality of the product, you will likely need to offer the opt-in consent for all EU visitors to the site. This is a point that you’ll want to seek legal counsel on, but if you read the regulation, it specifically mentions that online identifiers (such as the GA Client ID) are considered personal data and thus it would be subject to this regulation. We’ve read other sources that indicate that there would be no need to offer consent if you aren’t collecting User ID or any other pseudonymized data in Google Analytics.

(from https://medium.com/@subsign/google-analytics-and-gdpr-compliance-3fad792babf5)

sjoelund commented on July 21, 2024

You not only need the user to consent; you need to store when the user consented to this tracking. Perhaps storing a time-stamp in the cookie plus which version of the consent would suffice; I am not sure. Note that you need a way to remove consent which is as easy or easier than giving consent; in most web browsers clearing the cookies for a web page is cumbersome so ideally you should then have a button to clear cookies?

You need consent for permanent cookies, session cookies, etc. containing any personal information. Which is problematic because Trac and Plone use session cookies and are not GDPR-compliant (and they by default store a session, which is a no-no). We also couldn't simply add some JavaScript to the webpage to pop up some consent box because the webpage would already have added a session cookie in the HTTP response as far as I can tell.

The best solution that is fully GDPR-compliant seems to be: don't perform any tracking, shut down the Trac and Plone systems, disable Apache logging and serve only HTML unless we have a better solution...

The only solution I can see would be to have our systems using server-side scripting (session cookies, etc):

  • Implement a server-side check for a cookie in all the languages used (Plone would be annoying to change)

For systems not using server-side scripting:

  • Only load external JavaScript such as Google analytics if consent has been given (cookie is set)

The link given by @GallLeo suggests turning on IP anonymization in Google Analytics, but all this does is zero out the last octet in the IP which basically does nothing and I would not use it without consent to be on the safe side. It should be turned on even if consent is given...

@MartinOtter added in notifications since this concerns also other MA webpages.

With all this in mind: do you really want to make the fmi-standard.org homepage pop up a dialog asking for consent to track the user via Google Analytics (that the user has to tick manually)? (There is not anything useful that you would like to perform, right?)

from fmi-standard.org.
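
An added example, not code from the thread or from the fmi-standard.org repository: the consent gate described in the comment above, where the cookie stores the consent-text version and a timestamp, and external analytics JavaScript is loaded only when that record is present and current. The cookie name, policy version, retention period and all function names are assumptions; whether a cookie-only record is sufficient is left open in the comment.

```javascript
// Added example: consent-gated analytics loading. All names are hypothetical.
const CONSENT_COOKIE = "analytics_consent";   // assumed cookie name
const POLICY_VERSION = "1";                   // assumed: bump when the consent text changes
const MAX_AGE_DAYS = 180;                     // assumed retention period

// Serialize a consent record: policy version plus time of the affirmative click.
function buildConsentCookie(now = new Date()) {
  const value = encodeURIComponent(JSON.stringify({ v: POLICY_VERSION, ts: now.toISOString() }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE_DAYS * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Withdrawing must be as easy as granting: one call that expires the cookie.
function buildWithdrawCookie() {
  return `${CONSENT_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax; Secure`;
}

// Parse a Cookie header / document.cookie string into the consent record, or null.
function readConsent(cookieString) {
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      if (rec && typeof rec.v === "string" && !Number.isNaN(Date.parse(rec.ts))) return rec;
    } catch (_) { /* malformed value counts as no consent */ }
    return null;
  }
  return null;
}

// Default is off: load only for a well-formed, unexpired record matching the current version.
function mayLoadAnalytics(cookieString, now = new Date()) {
  const rec = readConsent(cookieString);
  if (!rec || rec.v !== POLICY_VERSION) return false;
  const ageMs = now - new Date(rec.ts);
  return ageMs >= 0 && ageMs <= MAX_AGE_DAYS * 86400 * 1000;
}

// Browser glue: inject the tracker script only after the gate passes.
function loadAnalyticsIfConsented(doc, scriptUrl) {
  if (!mayLoadAnalytics(doc.cookie)) return false;
  const s = doc.createElement("script");
  s.async = true;
  s.src = scriptUrl;            // placeholder URL supplied by the caller
  doc.head.appendChild(s);
  return true;
}
```

The same `mayLoadAnalytics` check can run server-side against the request's `Cookie` header, which is the case the comment raises for systems that set cookies in the HTTP response.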

t-sommer commented on July 21, 2024

It would be really good to have usage stats, an e-mail form etc. again and I'd be happy to add a pop-up to do it in a GDPR compliant way.

@GallLeo, @MartinOtter any updates on this?

andreas-junghanns commented on July 21, 2024

@MartinOtter: You have 5 days to object to us adding google analytics and a corresponding section in the privacy policy for the fmi-standard.org pages (sorry, we need to move ahead here).

GallLeo commented on July 21, 2024

@t-sommer How is an e-mail form related to Google Analytics?

Personally, I don't like these pop-ups at all.
Why add annoyance to many users?
What would you use the usage data for?

We should check carefully, if consent is required. If we don't need active consent, then we should be good to go? (given we add it to the privacy statement, in a proper way).
"It would also seem that if you are NOT using advertising features with Google Analytics, then you do not need consent (more advice on that further below)."
Source: https://www.blastam.com/blog/gdpr-need-consent-for-google-analytics-tracking

So, for me, the situation regarding Google Analytics is still unclear. Does somebody have input?

sjoelund commented on July 21, 2024

@GallLeo the link you provided states:

You should strongly consider gaining consent in the following situations:

  • Collection of a User ID.
  • Collection of any other pseudonymous identifiers.
  • Collection of detailed geographic data (postal code, latitude/longitude coordinates).

IP addresses should qualify. Any sort of tracking does as well (an identifier is created for this). Just don't use Google analytics and save us a lot of headache.

At least provide a must-have use-case for tracking users.

t-sommer commented on July 21, 2024

I'm not interested in individual users (Google is) but it would be good to know where our users come from and what features / pages they use. All our improvements are currently based on assumptions rather than data. Example questions:

  • is anyone viewing the cross-check results?
  • is anyone using filtering?
  • is anyone reading the news?

Regarding the privacy message: I hate it, too, but we're about the only ones that don't display it...

chrbertsch commented on July 21, 2024

One could use Matomo (an open source alternative to Google Analytics, also available in a cloud-hosted form for a little fee), in a way not to process personal data, so no consent by the user would be necessary, see https://matomo.org/blog/2018/04/how-to-not-process-any-personal-data-with-matomo-and-what-it-means-for-you/

sjoelund commented on July 21, 2024

That sounds better. 2 octets masked means 16k~64k less accurate ipv4 tracking depending on sizes of IP ranges. More in line with the size of a city. The blog does not describe how ipv6 is handled though.

The problem is... it actually tries to identify individual users anyway:

it will use a technique called Fingerprint. It is based on several metadata such as the operating system, browser, browser plugins, IP address, browser language; just to name a few to identify a unique visitor.

chrbertsch commented on July 21, 2024

What is the status of this issue?

I received a question from a company considering getting listed on the FMI website (paying), and they ask whether they could get access to analytics data (e.g., how many clicks were there for the FMI website, the tools/XC pages, or the link to their tool).

t-sommer commented on July 21, 2024

I can make a PR but this will require action by the webmaster to get the Google API key.

t-sommer commented on July 21, 2024

@sjoelund, can you provide the API key?

sjoelund commented on July 21, 2024

I could get the key, but I won't until the page is updated to be GDPR-compliant with Google analytics default off until the user presses the button to opt in to analytics.

t-sommer commented on July 21, 2024

I've prepared the changes on https://github.com/modelica/fmi-standard.org/tree/google-analytics
@sjoelund, can you please provide the tracking code so we can try it out?

sjoelund commented on July 21, 2024

That code only says you use cookies with no opt-out. There needs to be a question to the user if he or she accepts being tracked, and a statement on how this data is used (which is not linked). Only after this is accepted are you allowed to load the Google analytics. To test Google analytics, you can go to https://analytics.google.com and get a code using your personal Google account.

t-sommer commented on July 21, 2024

There needs to be a question to the user if he or she accepts being tracked, and a statement on how this data is used (which is not linked). Only after this is accepted are you allowed to load the Google analytics.

Can you cite a regulation / resource? E.g. https://www.theguardian.com/international sets the GA cookie before you accept anything. I would assume that they comply with European law.

MartinOtter commented on July 21, 2024

The issue is whether Google Analytics is used in a way so that data is anonymized before sending it to the MA web page and then it is not necessary to ask for permission (as long as MA cannot deduce which concrete visitor provided data). However, this collection of data must then be stated in the "privacy policy".

I would prefer this approach if it can be implemented with reasonable effort.

Whether the Guardian follows the GDPR is probably not easy to deduce because it depends on the fact whether data is anonymized. Note, according to a recent investigation (https://borncity.com/win/2018/11/17/dutch-report-says-microsoft-office-is-not-gdpr-compliant/), Microsoft Office 2016 does not respect GDPR.

t-sommer commented on July 21, 2024

Turning IP anonymization on would be totally fine for our purposes

sjoelund commented on July 21, 2024

Yes, that and the recent ability to turn off personalization should make it possible to only use a cookie. Note though that the Google terms require you to:

Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.

t-sommer commented on July 21, 2024

@sjoelund, can you please provide the JavaScript, so I can make the PR as decided by the Steering Committee today?

Before we can merge the PR we need approval by @MartinOtter.

andreas-junghanns commented on July 21, 2024

@sjoelund, please help us out here soon - we are waiting to get this done so we can give the soon paying tool providers good statistics.

sjoelund commented on July 21, 2024

I don't have access to any JavaScript that makes Google Analytics GDPR-compliant. And looking at the requirements Google imposes on using their Google analytics, you would need a database to store records of the consent. I was supposed to phase out using the modelica.org server for new services, so that wouldn't work. And I don't actually administer any other systems.

See also a recent judgement against Google w.r.t. GDPR: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

chrbertsch commented on July 21, 2024

@GallLeo and @MartinOtter : can the backoffice clarify the legal situation regarding GDPR and suggest a solution?

chrbertsch commented on July 21, 2024

Adding a link regarding GDPR that was mentioned in the FMI Steering committee yesterday:
https://cookieconsent.insites.com/documentation/compliance/
This is really a blocker, also for the FMI Crosscheck invoicing.

t-sommer commented on July 21, 2024

Solved with 65f87a1
