Because of Bill 25 in Quebec CANADA, I am obliged to upgrade all my 12 SPARKLE websites to version 2 for the consent mode request, if not penalty of a fine of 4% of sales and a minimum of $15,000, can occur.
The differences with version 1 in SPARKLE and the additional functions required by law are :
1- For each cookie present on the site, you must indicate :
A- The name of the cookie,
B- The URL of the website responsible,
C- The duration before expiration,
D- A description of its functionalities
2- Consent records must be recorded and stored on a CMS to prove that the visitor has accepted the privacy conditions in the event of a complaint or investigation by the authorities.
@Frenchie you'll need to take this up with @duncan at feedback@sparkleapp.com
To be honest with you we are going down the road of madness on this topic!!!
So Canada is forcing you to have a CMS backend to record interactions with your site - Wow!
Users are already fed up with all the popups, now it looks like they have to read a plethora of info on the ins and outs before interacting with a site. Most will just close out and go elsewhere.
I feel really sorry for you that you have to put up with this over there in Canada.
This is one of those infuriating regulations that will drive most web developers "potty". However, there are relatively simple ways to deal with it. The first thing that must be understood is that if visitors to your site don't check all the boxes, what are you supposed to do with the visitor? I guess you have to bounce them away from your site to somewhere else. If that is the case, then it becomes a real issue. However, if this is something that has to be done, then a simple solution is to have an automatic popup that contains a form with a set of consent boxes, and the relevant information you're supposed to provide. Clearly, in the case of Canada, this could be quite a long and detailed form and will require you knowing precisely what cookies are being served up on your website - especially those that relate to third parties. If you do have this information, it's relatively straightforward to create the popup, and make the only way to dismiss the popup by ticking all the boxes and clicking on a consent button.
When it comes to recording that information in a database of sorts, you will have to resort to having some form of third-party script on your server that will allow you to create the form itself (which could then be embedded into your popup) AND store the form inputs into a database for later retrieval if needed. For example, an online form generator such as The PHPJabbers Contact form generator, will allow you to create a custom form specifically for this type of function. Once created, the form can be embedded into your popup and will display whenever someone enters your site. Furthermore, the submit button will store the results in a database that can be accessed via a back-end interface on your domain. If you make all the checkboxes required fields, the form will not be submitted or stored until all required fields have been checked.
You can also create such a form using Sparkle's form fields, but you will have to have the form processed by a script on your server by using the advanced form submission option. One free script that could be used for this is the Tectite Formmail Script. This can be configured to store inputs in a CSV file that can be downloaded to a spreadsheet. Clearly, using any of these options will mean collecting referrer information from users as part of the submission, otherwise there will be no way of knowing who has consented and who hasn't. Fortunately, most form scripts can add that information automatically. Here is an example of the Referrer information collected by the Formmail script:
The only other option I can suggest is creating a website where no cookies get implanted by any third-party service, and simply create a popup to the effect that the site may have limited functionality due to removal of all third party services, such as Google Fonts, Maps, or any other third party add-ons that could plant cookies on your visitors' systems. It's not ideal, but if that's what the law requires, then you don't have a lot of options.
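Added example (not part of the post above, and not Sparkle, PHPJabbers or Tectite code): a sketch of the server-side consent log the post describes, one CSV row per consent decision. The field names, categories, key, policy version and the two sample visitors are constructed assumptions; the visitor IP is kept only as a keyed hash, visitor-controlled text is made safe for spreadsheets, and each row carries the hash of the previous row so later edits to the file can be detected.

```python
import csv, hashlib, hmac, io, json
from datetime import datetime, timezone

POLICY_VERSION = "2024-06-01"      # constructed: version of the notice the visitor saw
IP_KEY = b"server-side-secret"     # constructed placeholder; keep the real key off the web root
CATEGORIES = ("functional", "analytics", "advertising")  # assumed consent categories
FIELDS = ["ts", "consent_id", "policy", "choices", "ip_hmac", "user_agent", "prev", "row_hash"]
GENESIS = "0" * 64                 # "previous hash" used by the first row


def safe_cell(value):
    """Neutralise spreadsheet formulas in visitor-controlled text (CSV injection)."""
    return "'" + value if value[:1] in ("=", "+", "-", "@", "\t", "\r") else value


def row_digest(row):
    """SHA-256 over every field except row_hash, in FIELDS order."""
    body = json.dumps([row[f] for f in FIELDS[:-1]], separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def make_row(prev_hash, consent_id, choices, ip, user_agent, now=None):
    """Build one record; consent_id is a random value also kept in the visitor's cookie."""
    now = now or datetime.now(timezone.utc)
    row = {
        "ts": now.isoformat(timespec="seconds"),
        "consent_id": consent_id,
        "policy": POLICY_VERSION,
        # Form input is untrusted: keep known categories only, accept only a real True.
        "choices": json.dumps({c: choices.get(c) is True for c in CATEGORIES}, sort_keys=True),
        # Keyed hash instead of the raw address, so the log holds no plain IPs.
        "ip_hmac": hmac.new(IP_KEY, ip.encode(), hashlib.sha256).hexdigest()[:32],
        "user_agent": safe_cell(user_agent[:200]),
        "prev": prev_hash,
    }
    row["row_hash"] = row_digest(row)
    return row


def verify(csv_text):
    """Return the number of valid rows; raise ValueError at the first altered row."""
    prev, count = GENESIS, 0
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS):
        if row["prev"] != prev or row_digest(row) != row["row_hash"]:
            raise ValueError(f"consent log altered at row {count + 1}")
        prev, count = row["row_hash"], count + 1
    return count


def build_sample_log():
    """Two constructed visitors (documentation IP ranges, made-up consent ids)."""
    when = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    visitors = [
        ("c0ffee01", {"functional": True}, "203.0.113.7", "Mozilla/5.0 (constructed)"),
        ("c0ffee02", {"functional": True, "analytics": True, "tracking": True},
         "198.51.100.9", '=HYPERLINK("http://example.invalid")'),
    ]
    log, prev = io.StringIO(), GENESIS
    writer = csv.DictWriter(log, FIELDS)
    for consent_id, choices, ip, agent in visitors:
        row = make_row(prev, consent_id, choices, ip, agent, when)
        writer.writerow(row)
        prev = row["row_hash"]
    return log.getvalue()


if __name__ == "__main__":
    text = build_sample_log()
    print(text, "rows verified:", verify(text))
```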
Wow Frank you have "pulled rabbits out of the hat" on this one!
All in all for me this is becoming madness! The average business or User is jumping through hoops as the corporation world finds ways around it to collect our data!
I can see it will come to a point in the near future where all Users of the internet will sign a contract-of-use through a digital ID!
A few office sitters (farting in their armchairs) have come up with a great idea
Do they actually know how the Internet works? They're shooting sparrows with cannons again.
I think this is all aimed at the big data collectors to put them back in their place.
It should also give the authorities the opportunity to sanction them more severely and demand higher fines.
At the end of the day, it's the small players who fall by the wayside because they can't implement all this.
I wouldn't panic.
Mr. F.
I mean, in theory in the EU you should need to use consent records as well but it is a functionality Sparkle doesn't have. And I think they should focus on it.
Is this a requirement only for websites that are hosted in Canada? What if you host your site on a server in another country?
Hello Flaming Fig, can you tell me in which country you are located? Because I've done a lot of research on the subject and it seems that similar laws are also applicable in most of the countries: the European Union including France and Italy. That's why the SPARKLE site uses iubenda for their privacy policy, to comply with EU RGDP law. https://www.iubenda.com/privacy-policy/22064645
The iubenda plans seem to me to be compliant in Canada, but are rather expensive and complex to set up on SPARKLE. You mentioned that visitors might close down and go elsewhere, and that's my concern too. As if that wasn't enough, the information on the first page must be hidden until the visitor clicks on an item in the consent box. Here's a screenshot of a site that's 100% compliant with Bill 25. It's as if they wanted to kill a fly with a hammer with this law!
WOW! As always, you find a solution to our problems, Franc. But, like most web designers who use no-code solutions like SPARKLE and Wordpress, I don't have the skills to develop a solution like the one proposed and, above all, to guarantee to all my customers that it's flawless. The fines are high, starting at $15,000, so there's no question of taking a chance with this law. That's why I'm looking for a company that offers this service at a reasonable price and lets them manage the risk in the event of a lawsuit. What country are you in? No binding law in your country?
Unfortunately, if your company is located in Quebec, you must comply with the law. And they have similar laws in almost every country now, EU, California, Italy. etc.
Click on this link to see, the list of huge fines given in 2024 to date in different countries, many in Italy.
https://www.skillcast.com/blog/biggest-gdpr-fines-2024
We don't use Iubenda for any of their cookie or consent solutions, because they don't integrate in Sparkle. We use their privacy policy generator because it costs less than a lawyer to put up some generic lawyeresque boilerplate for a few services.
Anyway, there's a lot of confusion on the matter, precisely because lawyers and the iubendas of the world want to scare you into paying for some service, just in case. "It would be a shame if something happened to your little business".
I'm not an expert either, it's all designed to be confusing and nuanced and require a highly specialized expensive professional.
The requirements you list vary a lot based on the country. Naming a cookie is frankly completely pointless, way over the head of any user. Sites generated by Sparkle have a functional cookie named "cookieConsent", turns out the website responsible is your own (Sparkle is the generator you are using, but it's still your site), the duration is 1 year, and the purpose is to record consent on the user device. Stating this information is not required directly by GDPR, but some EU countries add it.
Generally the crackdown is on the analytics kinds of cookies, which Sparkle sites do not generate directly.
Recording visitor consent is generally tied to a user identification, and Sparkle sites generally don't have users, so what are you recording? An IP address of the visitor? Frankly I don't think it's very useful or that the law would require it.
I don't know if massive fines are only a hollow threat or if they're only designed for huge e-commerce platforms that sell their user tracking information, or if they'll actually go after every small site in Canada.
If that's a concern my guess is removing google analytics, third party embeds and the Sparkle privacy support is going to get you with a 99.99% likelihood in full technical compliance. If there's no cookie to accept, there's no consent to give. If there's a contact form, add a "I consent to the data I submit here being processed etc etc", and the consent is going through in the email. But ask a lawyer.
Hi @Frenchie,
I'm a bit confused about this legislation and hope you can clarify since clearly you've spent a good deal of time studying it.
- What specific information does the law require for each cookie served? Is it only the four you list? Perhaps you can link a reference and save yourself some typing time.
- Does the law apply only to Quebec-based companies? So a company based in Ontario or the US can skirt the law while only those in Quebec must comply?
- Does the law require consent from all visitors regardless the purpose of the site or is it only applicable to those sites that (covertly) collect specific information?
And a couple simple clarifications (perhaps due to French-English translation differences?)
- You are referring to Law 25 not Bill 25, correct?
- Are you saying that your problem is due to using SparkleApp version 1 and not the current one, Version 5? Perhaps I misunderstand.
Thanks for your help answering these questions.
Hi @Frenchie …
Iām based here in Tasmania, Australia.
We also have privacy consent laws here but not as extreme as EU, and nowhere even close to what Canada has just set into law!
Australian based businesses selling to Australia is covered by terms & conditions which covers cookies, third-parties and what is done with Users information. If they were to signup to a newsletter or contact via email then there is a notice that they agree to (tick box, and the form doesn't send until it is ticked) that is linked to terms & conditions page which they have access to mull-over.
If a client sets up and sells internationally then Sparkle's cookie consent function is activated. Of course within reason my clients have to abide by what EU has dished out when it comes to User's information. This Canadian ruling is absurd but for me Sparkle's consent popup will cover that. My clients are running an online business not data-mining!
From this end I make sure my clients understand what are required of them when they start to collect User's information and hooked-in third-parties.
I remember the far-cries of yesteryear… "The digital world will make life cheaper and more efficient and less complicated than our outdated analogue systems!"
I think there are many misconceptions about these new laws globally. So, let me clarify what the LEGAL situation is with regard to cookies:
First-Party Cookies
Definition:
- First-party cookies are set by the website that the user is currently visiting. They are stored directly by the website (or domain) you are visiting.
Usage:
- These cookies are typically used to remember user preferences, keep users logged in, and gather analytics data specific to the user's interaction with the website. For example, if you visit an e-commerce site, the first-party cookies might remember items in your shopping cart as you browse.
Impact on GDPR:
- Consent and Transparency: Under GDPR, first-party cookies that are necessary for the basic function of the website (like session cookies) DO NOT require user consent. However, for non-essential first-party cookies (such as those used for tracking and analytics), explicit user consent is required.
- User Rights: Users must be informed about the use of cookies and have the ability to manage their cookie preferences. Websites must provide clear information about what data is being collected and how it will be used.
Third-Party Cookies
Definition:
- Third-party cookies are set by a domain other than the one the user is currently visiting. These are often used by advertisers and social media platforms to track users across multiple sites and build a profile of their online behavior.
Usage:
- These cookies are commonly used for online advertising, retargeting, and social media integration. For instance, a third-party cookie might track your browsing history on various sites to show you targeted ads based on your interests.
Impact on GDPR:
- Stricter Consent Requirements: Because third-party cookies are often used for tracking and profiling, GDPR imposes stricter requirements for obtaining user consent. Explicit and informed consent must be obtained before third-party cookies can be placed on a user's device.
- Transparency and Control: Websites must provide users with clear information about the third parties involved, the purpose of the cookies, and how the data will be used. Users must have the option to refuse third-party cookies and be able to withdraw their consent easily.
Key Differences in GDPR Context
- Necessity and Functionality:
  - First-party cookies necessary for website functionality DO NOT require consent, whereas non-essential first-party cookies and third-party cookies require explicit consent.
- Transparency and Control:
  - Both types of cookies require transparency about their use, but third-party cookies require more detailed disclosures due to their broader tracking capabilities.
- Consent Mechanisms:
  - The consent for third-party cookies must be more granular, allowing users to control which third parties can set cookies.
- Data Sharing and Profiling:
  - Third-party cookies often involve sharing data with multiple entities and are used for profiling, which necessitates a higher standard of consent and data protection measures under GDPR.
Overall, GDPR aims to enhance user privacy by ensuring that all cookies are used transparently and with the user's informed consent, with stricter regulations applied to third-party cookies due to their extensive tracking capabilities.
So, that's the legal situation. In terms of a website created in Sparkle, it's no different to a website created in any other development environment (except maybe a platform such as Wordpress, or some online web site builders). Essentially, when the site is created it isn't going to plant any cookies on a visitor's computer UNLESS YOU PUT THEM THERE. It is, as Duncan rightly points out, YOUR RESPONSIBILITY to comply with relevant legislation - it's YOUR site, YOUR Cookies, so you have to accept responsibility in ensuring compliance with the legislation - it's not the responsibility of the development application or platform.
The bottom line is that if you create a site right out of the Sparkle box, you are very unlikely to even need a full-blown cookie consent front-end. For most people, a simple acknowledgement that you may have one or two "functional" cookies would be sufficient. Sparkle provides such a consent option, and when deployed will, in almost all cases, require little more than the users clicking a button that confirms they understand the need for your cookies.
If, however, you want to cram your website full of gadgets and gizmos that rely on third-party sites, such as social media feeds, video sharing, third party shopping carts, form processing services or integrating so-called FREE third party apps, then there is a price to pay - that price comes in the form of making your site visitors go through a multi-page questionnaire in which they have to give explicit consent for every cookie that your site implants onto the user's device - whether put there by you or by the service providers you've signed up to.
Personally, I would keep things very simple. Don't use third party content or facilities in your website - keep your site uniquely yours. If you need things like a shopping cart, it's probably going to be cheaper in the long term to implement your own script. If you want to have video content, it's better to pay a small fee to have your own, ad-free video channel with one of the video sharing platforms. Paid services mostly don't have a need to implant cookies on visitors' computers (other than essential, functional cookies) because they are not serving up advertising. If you need a booking calendar, mailing list management system, a real estate listing facility, or some other web-based e-commerce facility, better to buy a script and install it as part of your website. This way, you stay well out of the legislator's hands and can deploy a far simpler cookie consent banner on your website.
Well explained Frank and spoken!
Totally agree with you that the more you third-party the more consent paraphernalia to contend with.
But I think most of us are here so we don't have to play with code, script and further intricacies so third parties do become useful, but like you said we'll have to put up with the consent(s).
@FlaminFig You're absolutely right. There is often the temptation to use the freebies offered by so many online platforms, we often forget that there is no such thing as "free" when it comes to the Internet. In the case of all those add-ons, the price is very much about selling your visitor data to big tech companies.
I take your point about it often being difficult to incorporate some features into websites without resorting to code etc. But, if these things are important to your web-presence, then it's sometimes worth exploring the self-hosted options out there. Many script providers are happy to take care of installation for you, if that is a cause of concern. Once installed on your server, there is usually a dashboard through which you can grab the code snippets needed to add to your web pages. These are very easy to handle, and Sparkle makes it easy to add these snippets.
I guess the real point I wanted to make was that it isn't the place of Sparkle to address these types of issues - their job is to provide an easy to use, functional app that creates great websites. What individuals do with the resulting website can be quite wide and variable, so it's very difficult to second-guess legislation and use-case scenarios, and then try to build utilities that can address them within a web development app.
I believe this is spot-on: MUCH confusion exists on this matter (and on related issues like SEO), predominantly focused on scaring and money-making.
Thank you @duncan and @francbrowne for your considered and apropos comments. SPARKLEAPP is fabulous especially for use by privacy-oriented groups working to skirt Big Tech. I greatly appreciate the substantive work, as clearly do many others (given the continuing growth). Keep on!!
Thank you all for your help in solving my problem. I just want to clarify my need and why I need to find a solution for my company. At the beginning, 5 years ago, I only made websites with SPARKLE, all my clients are in the service base and the demand to offer advertising with Google Ads has become very important and now occupies 80% of the revenues of my company. This is why I absolutely must find a CMP script that easily integrates with my SPARKLE websites for which I do online marketing, in order to retain my highest-paying clientele.
For now, I think I'll have two options:
1- Remove all third-party cookies from sites that don't use Google Ads
2- Find a script/CMP that works with SPARKLE for sites with external cookies like Google Analytics, Google Ads and Calendly. I will tell, if I am able to find a solution that works.
Bill 25 applies only to Quebec companies and has nothing to do with the federal Bill 25. Version 2 is the content requirement of the Google version required to perform Google Ads Marketing and its name is cookies consent v2 and has nothing to do with the SPARKLE version. Francbrowne's last message explains very well the information required for each website.
Oh, you were referencing Google V2. Thanks for the clarification. I consciously avoid using Google's privacy violating tools and, thus, am not up-to-date on its abbreviated nomenclature.
Matomo's analytic tools provide comparable features and even can integrate with Google Tag Manager (I've seen but not used). Law 25 does allow for de-identification for research and statistical purposes (see Section 12) but "prospection" is explicitly disallowed. Depending on how you use the personal information, perhaps Matomo could assist you…??
RE Quebec Law 25 (AKA known as Bill 64, when not yet law)
The following sentence is directly from Quebec Law 25:
17. Before communicating personal information outside Québec, a person carrying on an enterprise must conduct a privacy impact assessment.
(Select the "17" for direct link to Law 25 with French also available).
The statute proceeds to list four specific requirements regarding the assessment.
As the law itself notes in the first sentence, it is intended to protect Quebec residents' personal information, and this intent would be regardless the location of the enterprise - even Facebook and Google and AWS are expected to comply. Perhaps you are less isolated than you may feel. A Secure Privacy article provides a most helpful comprehensive review. One paragraph reads,
It is important to note that the scope of application is based on the location of the individual (emphasis added), not the organization. This means that even organizations located outside of Quebec, but collecting, using, or disclosing personal information of individuals residing in Quebec, are subject to Law 25.
So, yes, businesses outside Quebec are expected to comply with Law 25 when dealing with Quebecers' personal information. It is little different from how GDPR imposes a similar expectation for businesses outside the EU doing business with EU residents.
To end on, perhaps, an encouraging note: the law applies to all business types not only digital. Thus, it constrains your Quebec clients who insist you use/share personal information with third-parties too. Perhaps you can approach your clients with the issue, present yourself as a (even more) valuable resource to them, and find a reasonable solution. I mean, how often is personal information of persons distal from your customers' businesses actually needed? Aren't your clients seeking customers near their places of business thus obviating most (all?) the personal data Google demands? Are personal data really needed for Me. Poliquin's potential customers to find her legal and mediation services, and vice versa?
Anyway, as others noted, this forum is not the place to debate the effectiveness of legislative strategy or the atrocities of Big Tech syphoning personal data. My point is to suggest that there is much confusion on this general topic and, I believe, some of your expressed concerns were due to confusion. As seems clear, many here sympathise with the frustrations these (idiotic?) hoops have caused. For me, however, SparkleApp is a wonderful solution; it is not the source.
I hope all this doesn't overwhelm you. Keep on and good luck…