Forum Replies Created

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter bendolo

    (@bendolo)

    @owadud655

    The cookie optn_visitor_type is currently set to expire in 100 years. While I understand the intent is to remember “returning” visitors, this duration conflicts with several core principles of the GDPR:

    1. Storage Limitation (Art. 5 (1) (e) GDPR): Personal data (and even pseudonymized data like cookies) must be kept in a form which permits identification for no longer than is necessary for the purposes for which they are processed. A 100-year storage period for a simple visitor-type flag is legally unjustifiable and considered “excessive.”
    2. Data Minimization (Art. 5 (1) (c) GDPR): Processing must be limited to what is necessary. A duration of 1 year is standard for “returning visitor” logic; anything beyond that (especially a century) will be flagged in any professional privacy audit.

    The Issue for Users: As a site operator, I have to list every cookie and its expiration in my privacy policy. Listing a “100-year” cookie makes my site look like it’s using intrusive tracking, even though the cookie’s content ("returning") is actually harmless. It’s a “red flag” for automated compliance scanners and legal regulators.

    Suggested Fix: Please update the cookie TTL to something reasonable, like 365 days or 730 days (to match your optn_analytics_id).

    time() + (365 * 24 * 60 * 60)

    This small change would make the plugin much more compliant in the EU.

    Best regards
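
An added example, not part of the post above and not WowOptin code: a PHP command-line check that parses Set-Cookie headers and flags lifetimes above a policy limit. The header lines, the `example_session` cookie, the placeholder values and the 730-day limit constant are constructed assumptions for illustration.

```php
<?php
// Added example: audit Set-Cookie headers for excessive lifetimes.
const MAX_LIFETIME_DAYS = 730; // assumed policy limit, taken from the post's upper bound

/** Return [cookie name, lifetime in days], with null days for a session cookie. */
function cookie_lifetime_days(string $header, int $now): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);
    $maxAge = $expires = null;
    foreach ($parts as $attr) {
        [$key, $value] = array_pad(explode('=', $attr, 2), 2, '');
        $key = strtolower(trim($key));
        if ($key === 'max-age' && preg_match('/^-?\d+$/', $value)) {
            $maxAge = (int) $value;
        } elseif ($key === 'expires' && ($ts = strtotime($value)) !== false) {
            $expires = $ts - $now;
        }
    }
    $seconds = $maxAge ?? $expires; // Max-Age wins over Expires (RFC 6265)
    return [$name, $seconds === null ? null : $seconds / 86400];
}

/** Return name => days for every cookie that outlives the limit. */
function audit_cookies(array $headers, int $now, int $limitDays): array
{
    $findings = [];
    foreach ($headers as $header) {
        [$name, $days] = cookie_lifetime_days($header, $now);
        if ($days !== null && $days > $limitDays) {
            $findings[$name] = (int) round($days);
        }
    }
    return $findings;
}

// Constructed sample headers (values are placeholders, not captured plugin output).
$now = time();
$sample = [
    'optn_visitor_type=returning; Expires='
        . gmdate('D, d M Y H:i:s', $now + 100 * 365 * 86400) . ' GMT; Path=/',
    'optn_analytics_id=PLACEHOLDER; Max-Age=' . (730 * 86400) . '; Path=/',
    'example_session=PLACEHOLDER; Path=/; HttpOnly', // hypothetical session cookie
];

foreach (audit_cookies($sample, $now, MAX_LIFETIME_DAYS) as $name => $days) {
    printf("%s: %d days exceeds the %d-day limit\n", $name, $days, MAX_LIFETIME_DAYS);
}
```

Feeding it the Set-Cookie lines from a real response (for example from a saved header dump) gives the list of cookie lifetimes that a privacy policy would have to declare.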

    Thread Starter bendolo

    (@bendolo)

    @owadud655

    Thanks for the quick fix! I’ve updated the plugin and can confirm that it’s working now. Please note that I have only tested this for Inline Ads so far. Everything looks good there! Thanks for your help.

    Thread Starter bendolo

    (@bendolo)

    @owadud655

    The cookie optn_purchase_tracking seems to be missing from your overview. It should probably be added for those looking to identify all tracking cookies.

    Could you also confirm if there are any other cookies that might have been missed, or is this now the complete list for a fully cookie-less setup?

    Thread Starter bendolo

    (@bendolo)

    Thanks a ton for the clear breakdown of those cookies! This is super helpful for getting the privacy settings exactly where they need to be.

    You should definitely toss this info into the official documentation or the plugin FAQs!

    Thanks again for the great support and for being so transparent about how the plugin handles data!

    Thread Starter bendolo

    (@bendolo)

    I just wanted to say a big thank you for the latest update! Being able to disable the IP tracking/API call to ipinfo.io is exactly what I was looking for.

    I really appreciate you listening to the community and giving us more control over privacy and performance. Keep up the great work!

    Thread Starter bendolo

    (@bendolo)

    I checked your documentation but could not find any details about the specific cookies listed below.

    Why this is critical for me: In Europe, GDPR compliance is very strict. If I fail to declare a cookie or describe its data accurately, I risk facing heavy fines.

    Currently, it creates a significant administrative burden just to use the basic functions of your plugin. Every time a cookie is set, I have to update my privacy policy. Many companies here rely on lawyers to draft these documents to be safe, so having to constantly adjust the policy for new cookies is not only time-consuming but also expensive.

    Additionally, for users with less technical expertise, it is extremely difficult to use your plugin in a GDPR-compliant way. Most users do not know how to implement complex workarounds or analyze cookie behavior. Without a simple solution, they are legally exposed.

    This is why I strongly believe that a native “Zero-Cookie Mode” would be a massive unique selling point for you. There is a huge market of users specifically looking for marketing tools that work out-of-the-box without triggering complex consent requirements or legal costs.

    In the meantime, to avoid legal issues, please provide the technical details for the following cookies:

    • opnt_visitor_tracked_weekly
    • optn_analytics_id
    • optn_visitor_type
    • optn_user_info

    For my privacy policy, I specifically need to know the following for EACH cookie:

    1. Purpose: What exactly does the cookie do?
    2. Data Stored: Does it store Personal Data (like IP addresses, IDs) or just functional states?
    3. Storage Duration (Expiration): How long does the cookie remain stored (e.g., Session, 24 hours, 1 year)?

    Thread Starter bendolo

    (@bendolo)

    I was able to temporarily solve the problem using the code below. It intercepts the request to ipinfo.io and returns a dummy response, which stops the issue from occurring:

    add_action('wp_head', function() {
        ?>
        <script>
        (function() {
            const originalFetch = window.fetch;
            window.fetch = function() {
                // If the URL contains ipinfo.io, return a fake response
                if (arguments[0] && typeof arguments[0] === 'string' && arguments[0].includes('ipinfo.io')) {
                    return Promise.resolve(new Response(JSON.stringify({
                        ip: "127.0.0.1",
                        country: "EU",
                        city: "Local",
                        org: "None"
                    }), {
                        status: 200,
                        headers: { 'Content-Type': 'application/json' }
                    }));
                }
                // Execute all other requests normally
                return originalFetch.apply(this, arguments);
            };
        })();
        </script>
        <?php
    }, 1);

    I am really looking forward to the feature you confirmed that will improve data privacy and allow for better control over this.

    Thread Starter bendolo

    (@bendolo)

    Hi,

    Thanks for the reply. I would like to clarify the definition of “Functional” in this context, as there is often a misunderstanding regarding GDPR requirements.

    Under EU law (ePrivacy Directive & GDPR), a cookie is only strictly “Necessary” if the service explicitly requested by the user cannot function without it. To illustrate my concern, here is a clear distinction:

    1. Strictly Functional: A cookie that maintains a user’s login session or keeps items in a shopping cart.

    2. Marketing/Tracking: A cookie that remembers a user has visited a pricing page three times and then triggers a specific discount pop-up based on that behavior.

    In the second case, even if the plugin needs that data to work as intended, this is legally considered behavioral tracking/marketing because it profiles the user’s journey to optimize conversions. This requires an explicit Opt-in.

    Because of this, it is essential to introduce a “Zero-Cookie” mode.

    I understand that if this mode is active (and no consent is given), some advanced features of WowOptin—like frequency capping or behavior-based triggers—might not work. But that is exactly the point:

    1. Consent Granted: All tracking features and cookies are active.
    2. Zero-Cookie Mode (or Consent Denied): The plugin should only show generic pop-ups without any tracking, identifiers, or behavioral memory.

    I understand that the plugin’s “intelligence” (like frequency capping or behavioral triggers) will not work in Zero-Cookie mode. However, as site owners, we need the ability to let the plugin run in a restricted, cookie-less way for users who do not opt-in.

    Thanks

    • This reply was modified 2 months, 2 weeks ago by bendolo.

    Thread Starter bendolo

    (@bendolo)

    Hi,

    Thank you for the update and for adding the previous request to your developer list (OPT-133). I will look into the firewall workaround for the time being.

    Regarding the further development of the plugin, I have two specific questions concerning data privacy and infrastructure:

    1. Local Geolocation: Are there plans to allow local geolocation? Specifically, we need an option to manually upload our own .mmdb files (e.g., MaxMind GeoLite2 or IP2Location LITE). This would allow the plugin to query the visitor’s IP locally via PHP ($_SERVER['REMOTE_ADDR']) against this database, ensuring that no visitor data leaves our infrastructure and no US-based servers are involved. To give you a better idea of how we imagine the settings interface for this, please see this mockup: https://i.imgur.com/j6BYzi6.png
    2. IP Anonymization (Hashing): Do you plan to implement a feature to anonymize or hash IP addresses before they are processed or stored? We are looking for an option to either mask the last octet or use a salted hash to stay compliant with strict privacy requirements.

    I look forward to hearing if these features might be on your roadmap.

    Best regards
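
The two anonymization options asked about above (masking and a salted hash), as an added PHP example that is not part of the post or the plugin. The function names, the IPv6 /48 prefix and the per-run key are assumptions; the IPv6 handling goes beyond the last-octet case named in the post.

```php
<?php
// Added example (not plugin code): anonymize an IP before it is processed or stored.

/** Zero the host part: last octet for IPv4; for IPv6 keep only the first 48 bits (assumed policy). */
function mask_ip(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null; // reject anything that is not an IP literal
    }
    $bin  = inet_pton($ip);
    $keep = strlen($bin) === 4 ? 3 : 6; // bytes kept: /24 for IPv4, /48 for IPv6
    return inet_ntop(substr($bin, 0, $keep) . str_repeat("\0", strlen($bin) - $keep));
}

/**
 * Keyed hash of the IP. HMAC with a secret key is used here as the "salt":
 * IPv4 has only 2^32 values, so a hash with a known or absent salt can be
 * reversed by enumerating every address.
 */
function hash_ip(string $ip, string $secretKey): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Hash the packed form so equivalent spellings of one address hash identically.
    return hash_hmac('sha256', inet_pton($ip), $secretKey);
}

// Assumption: a real deployment loads this key from configuration and rotates it
// (rotation limits how long visits can be linked); here it is generated per run.
$key = random_bytes(32);

// Constructed sample inputs from the documentation address ranges.
foreach (['203.0.113.77', '2001:db8:abcd:12::1', 'not-an-ip'] as $ip) {
    $masked = mask_ip($ip);
    $hashed = hash_ip($ip, $key);
    printf("%-22s masked=%-18s hmac=%s\n", $ip, $masked ?? 'invalid',
        $hashed === null ? 'invalid' : substr($hashed, 0, 16) . '...');
}
```

In a WordPress request the input would be `$_SERVER['REMOTE_ADDR']`, which is the value the post refers to.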

    Thread Starter bendolo

    (@bendolo)

    Updated wrong format

    • This reply was modified 1 year, 1 month ago by bendolo.
    • This reply was modified 1 year, 1 month ago by bendolo.