It started innocently, with the promise of extreme convenience to website owners and managers. The Internet became sufficiently standardized to make plug-able building blocks easy. And, with the emergence of script-tag-blocks that can be plugged into your website, website owners could quickly gain capabilities that might have taken weeks or month to create.
Want to add a shopping cart-system? Add the woo-commerce tag. Want to quick-add mailing subscribers? Add the MailChimp script. Want to analyze your website traffic? Add the Google analytics script tags. Finally, we are able to componentize the internet into building blocks that can be re-assembled to quickly bring new services to our customer.
What could go wrong?
On the surface, the benefits are clear and substantial. Website owners quickly gain features that are managed and improved by some-one else. And website visitors can access more complete services. The only monkey-wrench seems to be the addition of pesky privacy rules.
The only monkey-wrench seems to be the addition of pesky privacy rules.
Under new privacy rules, the website owners are held accountable for the behavior of the third-party scripts that are launched from their sites. And, with that, we may find that some third-party script behavior was neither nice, nor intended, nor legal. In particular, it emerged this week that Google Analytics scripts, included by many websites as the de-facto standard for site-visit statistics, are adding cookies and tracking users across sites without explicit consent. More than 200,000 sites were reported to German authorities for this behavior.
This, unfortunately, is not news. This is known behavior of many scripts included in modern websites. This problem will only get worse as supervisory authorities become better at identifying this problem.
To avoid this, existing sites will have to be re-engineered to effectively handle consent for scripts in addition to consent for cookies. And, with anything of this magnitude, we find that technology implementations of existing sites do not appear to change unless the long arm of justice is hitting them with a big stick.
…unless the long arm of justice is hitting them with a big stick.
The origin of this problem seems to be twofold. First, the existing third-party scripts do not tend to have removal or consent routines. Their sole focus is on how to get quickly deployed and remain persistent once deployed. There is little engineering time spent on clean up functions by third-party plug-in makers.
Second, the sites owners themselves have limits on time and budget and would have to analyze each third-party plugin deeply to determine whether they can operate as desired by law.
Similar to speeding in a large group of vehicles, the outcome is that most sites just include the scripts and hope that they will not be singled out in the mass of misbehavior. However, with better tooling for privacy authorities, this strategy is bound for failure.
At XcooBee we don’t subscribe to this philosophy
At XcooBee we don’t subscribe to this philosophy. For example, we choose not use Google Analytics and do the work to review the behavior of scripts before we deploy them. Yet, we understand the need for better tooling. Thus, we recognized script behavior as an issue and have created free tools that help website owners implement scripts correctly.
Our open source XcooBee Cookie Kit (XCK), is not just a cookie management system, but also a script management system. This is unique in the industry. It is incredibly easy to use for website owners, and requires minimal change to their code.
The XCK will automatically analyze the cookie-behavior of third-party scripts and create a safe-removal pattern for each. Moreover, it will connect this to proper consent from users. So, your site only runs scripts when user has granted consent, and similarly, removes them when the user has not. All this happens transparently and is extremely easy to implement even on existing sites.
For technically minded people, you simply, change “script” tags to “xbee-script” and you are good to go. (See managed cookies and scripts section in the manual for more information.)
You still can’t believe that this is even available?
You still can’t believe that this is even available? And, does not cost anything? It is simple to verify, jump over to the github or our npm repo and check it out for yourself.
Want to add a shopping cart-system? Add the woo-commerce tag. Want to quick-add mailing subscribers? Add the MailChimp script. Want to analyze your website traffic? Add the Google analytics script tags. Finally, we are able to treat the wide internet as building blocks that can be assembled to quickly bring services to our customer. What could go wrong?
On the surface, the benefits are clear and substantial. Website owners gain features quickly that are managed and improved by some-one else, and, the website visitors can access more complete services. The only monkey-wrench seems to be the addition of pesky privacy rules.
Under new privacy rules, the website owners are held accountable for the behavior of the third-party scripts that are launched from their sites. And, with that, we may find that some third-party behavior was neither nice, nor allowed, nor legal. In particular, it emerged this week that Google Analytics scripts included by many websites as the de-facto standard for site-visit statistics are adding cookies and tracking users across sites without explicit consent. More than 200,000 sites were reported to German authorities for this behavior.
This, unfortunately, is not new news. This is known behavior of many scripts included in modern websites. Existing sites will have to be re-engineered to effectively handle consent for scripts in addition to cookies. And, with anything of this magnitude, we find that technology implementations of existing sites do not appear to change unless the long arm of justice is hitting them with a big stick.
The origin of this problem seems to be twofold. First, the existing third-party scripts do not tend to have removal or consent routines. Their sole focus is on how to get quickly deployed and remain persistent once deployed. There is little engineering time spent on clean up functions by third-party plug-in makers.
Second, the sites owners themselves have limits on time and budget and would have to analyze each third-party plugin deeply to determine whether they can operate as desired by law.
Similar to speeding in a large group of vehicles, the outcome is that most sites just include the scripts and hope that they will not be singled out in the mass of misbehavior.
At XcooBee we don’t subscribe to this philosophy. For example, we choose not use Google Analytics and do the work to review the behavior of scripts before we deploy them. Yet, we understand the need for better tooling. Thus, we recognized script behavior as an issue and have created tools that help website owners implement scripts correctly.
Our open source XcooBee Cookie Kit (XCK), is not just a cookie management system, but also a script management system. This is unique in the industry. It is incredibly easy to use for website owners, and requires minimal change to their code.
The XCK will automatically analyze the cookie-behavior of third-party scripts and create a safe-removal pattern for each. Moreover, it will connect this to proper consent from users. So, your site only runs scripts when user has granted consent, and similarly, removes them when the user has not. All this happens transparently and is extremely easy to implement even on existing sites.
For technical minded people, you simply, change “script” tags to “xbee-script” and you are good to go. (See managed cookies and scripts section in the manual for more information.)
You still can’t believe that this is even available? And, does not cost anything? It is simple to verify, jump over to the github or our npm repo and check it out for yourself.
