Making WordPress.org

Opened 5 weeks ago

Last modified 5 weeks ago

#7736 new defect (bug)

Google Tag Manager is called without consent

Reported by: psmits1567
Owned by:
Milestone:
Priority: high
Component: WordPress.org Site
Keywords:
Cc:

Description

Today I encountered a problem on translate.wordpress.org, caused by gtm.js.
I was not aware of the fact that this site sends information without my consent. The reason I found that out is that gtm.js causes an error under certain circumstances.
Now I do have the following problems with this.

  1. I have never given consent to send information to Google.
  2. It is not possible to disable this behavior.
  3. The problem seems to be caused by a recent change made by Google for Google Analytics. The tag has been changed. The only solution currently is to remove the code from the site, or use an ad blocker.
  4. No consent box is shown when entering translate.wordpress.org. So this is illegal behaviour in my opinion.
  5. When do we get the option to disable this behavior?

Change History (14)

#1 @ocean90
5 weeks ago

  • Component changed from Translate Site & Plugins to WordPress.org Site
  • Priority changed from high to normal

GTM is used on all wordpress.org/wordcamp.org sites. See also https://wordpress.org/about/privacy/ and https://wordpress.org/about/privacy/cookies/.

#2 @psmits1567
5 weeks ago

Thanks for giving the links to the documentation. But in my opinion those sites lack a way to give consent or to disable sending info to the Google Tag Manager. Although it is boring to see those popups, they are still necessary according to our laws in Europe.

#3 @vikingtechguy
5 weeks ago

  • Priority changed from normal to high

Using our privacy scanner you can see what is loaded before consent:

https://privacyscanner.aesirx.io/result/translate.wordpress.org

5 beacons are loaded from 3rd parties accessing the users' devices without duly informed and explicit consent.

The 5 are:

  1. https://region1.google-analytics.com/g/collect?v=2&tid=G-CG6GJ50G8J&gtm=45je47v0v873051034za200zb79334995&_p=1722944621031&gcd=13l3lPl2l1&npa=1&dma_cps=syphamo&dma=1&tag_exp=95250753&cid=753489508.1722944622&ul=en-us&frm=0&pscdl=noapi&_eu=AEA&_geo=1&_rdi=1&_s=2&dt=Locales%20%3C%20GlotPress%20%7C%20WordPress.org&dl=https%3A%2F%2Ftranslate.wordpress.org%2F&uid=&sid=1722944622&sct=1&seg=0&en=scroll&epn.percent_scrolled=90&_et=3595&tfd=6004
     Requested from https://translate.wordpress.org/ and matched with easyprivacy.txt filter: google-analytics.com$third-party

  2. https://pixel.wp.com/g.gif?v=ext&blog=124342649&post=0&tz=0&srv=translate.wordpress.org&j=1%3A13.5&host=translate.wordpress.org&ref=&fcp=1482&rand=0.6186975841973257
     Requested from https://translate.wordpress.org/ and matched with easyprivacy.txt filter: pixel.wp.com

  3. https://www.googletagmanager.com/gtag/js?id=G-CG6GJ50G8J&l=dataLayer&cx=c
     Requested from https://translate.wordpress.org/ and matched with easyprivacy.txt filter: googletagmanager.com

  4. https://stats.wp.com/e-202432.js
     Requested from https://translate.wordpress.org/ and matched with easyprivacy.txt filter: stats.wp.com

  5. https://www.googletagmanager.com/gtm.js?id=GTM-P24PF4B
     Requested from https://translate.wordpress.org/ and matched with easyprivacy.txt filter: googletagmanager.com

#4 @vikingtechguy
5 weeks ago

Notice that WordPress.com is also a 3rd party and constitutes an equal legal risk; it is not legal to load any 3rd parties that collect data from the users' devices without informed, explicit consent under both GDPR and the ePrivacy Directive.

#5 follow-up: @nilovelez
5 weeks ago

Under GDPR it is now legal, as long as data is anonymized and it is not used for marketing purposes

Last edited 5 weeks ago by nilovelez

#6 @psmits1567
5 weeks ago

Still, you have to show a message that data is collected, and an option to opt out!
So the current behaviour is not correct.

#7 in reply to: ↑ 5 @vikingtechguy
5 weeks ago

It is not legal.

Under GDPR and the ePrivacy Directive it is NOT legal to load any data by accessing the user's device without explicit and informed consent.

There is no valid argument that it should be legal under GDPR, it does not exist and there is no reason for loading Google Tag Manager at all or any other 3rd party until an informed and explicit consent has been given by the user.

Replying to nilovelez:

Under GDPR it is now legal, as long as data is anonymized and it is not used for marketing purposes

#8 @nilovelez
5 weeks ago

Explicit consent is now not required if data is used on the basis of legitimate interest:
https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en

As a company/organisation, you often need to process personal data in order to carry out tasks related to your business activities. The processing of personal data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with an individual. In such cases, processing of personal data can be justified on grounds of legitimate interest.

Your company/organisation must inform individuals about the processing when collecting their personal data.

Your company/organisation must also check that by pursuing its legitimate interests the rights and freedoms of those individuals are not seriously impacted, otherwise your company/organisation cannot rely on grounds of legitimate interest as a justification for processing the data and another legal ground must be found.

#9 @vikingtechguy
5 weeks ago

Dear @nilovelez

Thank you for your input. However, it’s important to clarify that while "legitimate interest" is indeed a valid legal basis for processing personal data under GDPR, it does not eliminate the need for explicit consent in all circumstances, especially when it comes to processing activities that significantly impact individuals' rights and freedoms.

The legitimate interest basis allows organizations to process personal data without consent only if:

  • The processing is necessary for a legitimate interest pursued by the organization.
  • The processing does not override the rights and freedoms of the data subjects.

This means that even if an organization relies on legitimate interest, it must still assess and ensure that the processing does not infringe on the individual's privacy rights. Furthermore, for activities such as tracking technologies (cookies, pixels, etc.), Article 5(3) of the ePrivacy Directive specifically requires obtaining explicit consent before storing or accessing information on a user's device.

The need for explicit consent is particularly stringent in the context of electronic communications and online tracking, where the ePrivacy Directive complements GDPR by providing additional requirements.

In summary, while legitimate interest is a valid legal ground for certain types of data processing, it does not universally override the need for explicit consent, particularly in areas like online tracking and data processing that significantly affect user privacy.

#10 @vikingtechguy
5 weeks ago

GDPR and Legitimate Interest
Under the GDPR, "legitimate interest" (Article 6(1)(f)) can indeed serve as a legal basis for processing personal data without obtaining explicit consent. However, this is conditional upon the processing being necessary for the legitimate interests of the data controller or a third party, provided these interests are not overridden by the fundamental rights and freedoms of the data subject, especially when the data subject is a child.

Importantly, the GDPR requires a balancing test to ensure that the interests of the data controller do not override the rights and freedoms of individuals. This balancing test must consider factors such as the nature of the data being processed, the potential impact on the data subjects, and the reasonable expectations of individuals regarding the processing of their data.

ePrivacy Directive Requirements
The ePrivacy Directive (2002/58/EC), particularly Article 5(3), specifically addresses the use of cookies and similar tracking technologies. This provision requires that consent be obtained before any data is stored or accessed on a user's device, unless the storage or access is strictly necessary for the provision of a service explicitly requested by the user. The European Data Protection Board (EDPB) has clarified in its Guidelines 2/2023 that this requirement applies broadly to various forms of tracking, including the use of cookies, pixels, and device fingerprinting.

Intersection of GDPR and ePrivacy Directive
While "legitimate interest" can justify certain types of data processing under GDPR, this does not negate the explicit consent requirements mandated by the ePrivacy Directive for activities such as cookie deployment or other tracking technologies. The ePrivacy Directive, as a lex specialis, takes precedence over the GDPR in matters related to the confidentiality of communications, which includes any tracking that occurs in electronic communications.

#11 @psmits1567
5 weeks ago

Besides those arguments about legality, I find it very disturbing that you are not warned about the fact that information is sent to third parties, and do not get the option to prohibit sending information to third parties. There are currently big lawsuits running against Microsoft and Google about collecting data without notice. There is no valid argument for a translating system to send information to a third party. Yes, in my profile some info is stored, but that is necessary to get the system working. If I do not want it stored, then I have the opportunity to not enter it!
So I still request that this unacceptable behavior is changed. I do not want to send any information to Google, or other parties. I am a volunteer, not a customer!

Last edited 5 weeks ago by psmits1567

#12 @jonoaldersonwp
5 weeks ago

Agreed. Obligatory "I'm not a lawyer", but, at the very least we need to be showing some kind of notice (with disclosure info, options and signposting), and, depending on signoff from legal counsel (who's responsible for wordpress.org in this respect?), we might need to not fire any of these tags until consent is explicitly granted (and then, only fire based on the consent categories granted).

That needs to apply to all third-party domains that are connected to; including *.wp.com (i0.wp.com, stats.wp.com, pixel.wp.com) and s.w.org; all of which process user requests, record IP addresses, aggregate anonymous(?) browsing data, etc, on behalf of someone(?).

Privacy policies and similar also need to do a better job of describing what's being collected and why, how it's used, who has access, how to opt-out, etc.

Stale Slack discussion (one of many similar) here: https://wordpress.slack.com/archives/C02QB8GMM/p1709230289707119?thread_ts=1709203062.686059&cid=C02QB8GMM

I'd be happy to update our Google Tag Manager setup to use 'consent mode' based on the outcome of any legal requirements; though that's only one small part of the problem surface area. Might be a great opportunity to bring some of those wp.com tracking pixels etc into the same framework, though?
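The comment above proposes two mitigations: not firing any tag until consent is explicitly granted, and then firing only the tags whose consent categories were granted, using Google Tag Manager's 'consent mode'. The following is an added example, not code from wordpress.org or the ticket, showing one way to structure that in the page's JavaScript. It takes the stricter approach of not injecting the third-party script at all until consent exists, and it also produces the object that Google's consent mode expects in gtag('consent', 'default' | 'update', ...). The category names (analytics, marketing), the mapping from categories to consent-mode signals, and the assignment of the ticket's tag URLs to categories are assumptions for illustration; the loader is injected so the decision logic can be exercised without a browser.

```javascript
// Added example (not wordpress.org's code): gate third-party tag loading on
// explicit consent categories. Default state is "denied" for everything.

// Assumed mapping from site-level consent categories to the signal names
// Google consent mode understands. Nothing outside this table is ever set.
const CATEGORY_TO_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Build the payload for gtag('consent', 'default', ...) / ('consent', 'update', ...).
// Every known signal is explicitly 'denied' unless its category was granted,
// so a missing category can never be read as implicit permission.
function consentPayload(grantedCategories) {
  const payload = {};
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    const state = grantedCategories.includes(category) ? 'granted' : 'denied';
    for (const signal of signals) payload[signal] = state;
  }
  return payload;
}

// Holds registered tags until every category they require has been granted.
// `load(src)` is whatever actually injects the script; see domLoader below.
class ConsentGate {
  constructor(load) {
    this.load = load;
    this.granted = new Set(); // default: nothing granted, nothing fires
    this.pending = [];        // tags waiting on consent
    this.loaded = [];         // names of tags released so far
  }

  // Register a tag with the categories it needs; it loads only once all are granted.
  register(name, src, categories) {
    this.pending.push({ name, src, categories });
    this.flush();
  }

  // Called by the consent banner after the user makes a choice. Returns the
  // consent-mode payload the page should pass to gtag('consent', 'update', ...).
  update(categories) {
    for (const c of categories) this.granted.add(c);
    this.flush();
    return consentPayload([...this.granted]);
  }

  // Release every pending tag whose required categories are now all granted.
  flush() {
    const stillPending = [];
    for (const tag of this.pending) {
      if (tag.categories.every((c) => this.granted.has(c))) {
        this.load(tag.src);
        this.loaded.push(tag.name);
      } else {
        stillPending.push(tag);
      }
    }
    this.pending = stillPending;
  }
}

// Browser wiring: the only place a <script> element is created, and it is
// reached solely through ConsentGate.flush(). `doc` is the page's document.
function domLoader(doc) {
  return (src) => {
    const script = doc.createElement('script');
    script.async = true;
    script.src = src;
    doc.head.appendChild(script);
  };
}

// Demonstration with a recording loader instead of a DOM. The tag URLs are
// the ones listed in this ticket; their category assignment is assumed.
function demo() {
  const loads = [];
  const gate = new ConsentGate((src) => loads.push(src));
  gate.register('gtm', 'https://www.googletagmanager.com/gtm.js?id=GTM-P24PF4B', ['analytics']);
  gate.register('ga4', 'https://www.googletagmanager.com/gtag/js?id=G-CG6GJ50G8J', ['analytics', 'marketing']);
  const loadedBeforeConsent = loads.length;          // 0: nothing fires by default
  const payload = gate.update(['analytics']);        // user grants analytics only
  return {
    loadedBeforeConsent,
    loadedAfterAnalytics: [...gate.loaded],          // ['gtm']; ga4 still waits on marketing
    stillPending: gate.pending.length,               // 1
    payload,                                         // analytics_storage granted, ad_* denied
  };
}
```

In a real page the call order matters: gtag('consent', 'default', consentPayload([])) must run before any tag script is injected, and the banner's accept handler passes the return value of gate.update(...) to gtag('consent', 'update', ...). Because the gate never releases a script whose categories were not all granted, the pre-consent request list from the privacy scanner in comment 3 would be empty for the gated tags.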

#13 @vikingtechguy
5 weeks ago

In relation to Consent for pixel trackers / beacons / cookies - this is also for the cookie / consent solution provider and not just the website owner.

A German court has just dismissed the argument of a third-party cookie provider that it is not liable for placing cookies without the consent of the end user because that is the responsibility of the website operators. The court held that the fact that the website operators are responsible for obtaining consent according to their general terms and conditions does not exonerate the controller from liability.

All 3rd party Consent Management solutions require consent before they can be loaded, meaning if you are one of 100,000s of companies in the EU paying monthly subscriptions to be "compliant" you are not, and subsequently the same applies in full for analytics, tracking, profiling, advertising etc. without any doubt.

In this sense Automattic is also a 3rd party, and so it is clear that consent is also required for the other ones, @jonoaldersonwp, and both the website owner and the 3rd party supplier are legally at risk for ensuring that informed and explicit consent is given by the user, as well as clear options to reject and to opt out.

#14 @vikingtechguy
5 weeks ago

I strongly recommend reading the latest Cookie / Consent Banner Report 2023 from NOYB; it shows how DPAs in EU member states actually decide.

https://noyb.eu/en/noybs-consent-banner-report-how-authorities-actually-decide

All DPAs in EU agree (or are undecided) that legitimate interest does not apply, not a single DPA in EU supports legitimate interest as a valid reason.

Again, when this applies for Consent Solutions there is no chance that it would be compliant for statistics, profiling, tracking, analytics, digital marketing etc. - that would be a violation of the user's right to an informed and explicit consent.
