Bubble GDPR Intro Guide - Bubble Blog

This content is meant to be a basic introduction to GDPR for Bubble users, up-to-date as of early November 2020.

Updates to original post - please click through to the blog to see the latest version
* November 16, 2020: Updating section "Then how does Bubble help its users with GDPR?" to correct a previous mistake about the Cookie Consent (EU) plugin.
This is a companion discussion topic for the original entry at https://bubble.io/blog/bubble-gdpr/
12 Likes

Hello all!

You may have seen a number of threads in the forum about Bubble and GDPR. We wanted to publish some content that we hope is helpful for you to understand GDPR and what it means for you as a Bubble app creator.

We’ve tried to address some common concepts and questions in the blog post, including a brief mention of what happened this summer in the regulatory landscape.

If there are additional questions, feel free to ask here! Friendly reminder that we’ll do our best to be helpful, but ultimately some of these questions may be legally sensitive, so our overall disclaimer is that you should check with your legal counsel.

Best,
Allen

8 Likes

@allenyang @vivienne awesome guide.

I agree I wouldn’t underestimate the need for GDPR or how you implement it within your Bubble app.

For example - I found that going through the UK rules (still the same as Europe) published here

and creating a checklist against it, and either creating a feature/function or a note to state it needs to be in your privacy policy, really helps, as it makes sure your infrastructure is as close to compliant as can be and gives you proof that you looked at/implemented it.

i.e

From my experience with data consultants here in the UK and the ICO, they advise this is generally sufficient as you are also given an allowance for reasonable care and attention, i.e. if there are just two of you, you won’t be expected to be as compliant as, say, Google. But it is still expected that you follow the rules, as much as your business can do.

Regards
Omar from WeGetDesign.com

1 Like

Thanks a lot, this is very clear and useful.

Excellent and a much needed refresher post on this topic. Have had a few discussions with clients where content in old posts was being looked at suspiciously just due to age.

Thank you very much for this.

Regards
ZubairLK
linkedin.com/in/zubairlk/
azkytech.com

Hi there.
Just want to inform this plugin isn’t GDPR compliant at all (at least for Europe).

Since the enforcement of the GDPR on 25 May 2018, simple “accept cookies” banners are no longer compliant or valid.

And since the EDPB guidelines on valid consent from May 2020, websites must be aware that –

  • Scrolling and continued browsing on a website is not considered valid consent. Users must give a clear and affirmative consent to the processing of their personal data.
  • Pre-ticked checkboxes on cookie banners are non-compliant with the GDPR. Cookies must be deselected by default, except for necessary cookies.
  • Cookie walls (forced consent) are non-compliant with the GDPR.

This is not GDPR compliant (Bubble plugin):

This is GDPR compliant:

GDPR and the EDPB guidelines on valid consent in the European Union have cemented the legal fact that websites must obtain specific, informed, clear and affirmative consent from the user before any activation of cookies and collection or processing of personal data can take place.

Would appreciate an answer on this @vivienne @allenyang

5 Likes

The plugin should be compliant because with it, any EU visitor will see the cookie consent from this plugin as you configure it, and only by clicking the affirmative will they have cookies set.

You’re right that GDPR requires affirmative consent from the user, not just an FYI. This plugin has certain text that it displays by default, which you see here:

But, you can customize all the text you see via Settings > Languages. It is probably a good idea to edit it to provide more context about the situation (eg what your site uses cookies for) - what you do here will probably also be influenced by your Privacy Policy. But regardless of the text customization, that visitor should only be cookied if they click the button (ie affirmatively give consent).

Thank you for the answer @allenyang, but what makes the plugin compliant or not is not the message that is shown to the user or how you customize it; it’s the way the user can interact with which cookies they want to accept and which ones they don’t. As a company in the EU I’m required to ask for consent for such particular cookies individually, like Analytics or User preferences, and to inform what each consent for that individual “cookie” does.

The only cookie that can be checked by default is the “required” cookies, in order to make sure the website will run correctly.

For example, a similar bar to the Bubble plugin:

The user interacts with the cookies:

Extended information about the cookies of the website:

This one is compliant. Why? Because the user can check/modify the cookie settings from the cookie notice.

Another example:

The user interacts with the cookies:

Extended information about the cookies of the website:

I’m just informing you about this because we have run an external test/audit and we were advised that the current cookie consent isn’t compliant with the current GDPR and EDPB guidelines.

Thanks.

2 Likes

GDPR is a nightmare, and you’re right @yusaney1 that the cookie consent plugin as-is is not compliant as long as it does not allow for cookie (un)selection.

It would be awesome, and a real game changer, to have this plugin able to show all cookies used by Bubble and let users interact with them. The touchy point is that by adding external plug-ins or APIs, we - as makers - can add a lot of cookies Bubble is not aware of. Alone, this plugin won’t be able to cover all GDPR requirements.

Cookie banner providers, such as Axeptio, may be an answer for compliance. I’m currently looking at the Axeptio solution and integration.

1 Like

(Friendly reminder that this should not be construed as legal advice and that you should consider speaking to legal counsel if you want guidance on your particular case.)

My understanding is that GDPR compliance doesn’t require fine-grained control over the different categories of cookies (but I do agree that is a nicer UX for privacy-conscious users).

Here’s a resource about cookies and GDPR. My read of this is that having one control for all cookies from a site is sufficient for fulfilling this particular requirement for GDPR. (There is such a thing as “strictly necessary” cookies which can be used regardless.)

In other words, the plugin I mentioned should be enough to fulfill GDPR, but it won’t provide a higher degree of customizability that you’re seeking with specific cookie categories. As @Christophe_HK suggests, there are potentially other providers out there who could offer this, but I’m not an expert there. The situation is indeed tricky given the variety of 3rd party services that could be connected to your Bubble app.

Hello again @allenyang, thanks for your answer, but this is not about your understanding or mine; it’s just that, as it is now, it is not compliant.

Basically, what the GDPR looks to accomplish with the new cookie consent is the fact that the user has to have the option to control the cookies that the website is using.

As said twice, what makes it compliant is the fact that the user HAS TO BE ABLE TO NAVIGATE the website even if he doesn’t want to use any particular cookie such as analytics or others. For example: if I’m using an analytics plugin to track user experience for SEO or any other purposes, the user can’t deny that particular cookie/consent.

What the Bubble plugin does is inform that the website is using cookies and force the user to accept EVERYTHING that’s running on the website. That’s not compliant. I suggest you check with the legal department and you will see what I’m talking about.

As said before we did an external audit, and we got advised on this, and that’s the reason I’m writing on this thread.

We can’t use external cookie consents because we can’t control which cookies are used by all the elements that are running in the Bubble background, such as plugins or unknown sources.

We can’t add a notice saying that using this website requires accepting ALL THE COOKIES, because that’s the exact reason why GDPR changed cookie policies (plus even we as the “platform” don’t know exactly which or how many cookies are running on our site).

  • Receive users’ consent before you use any cookies except strictly necessary cookies: This condition isn’t met. Bubble will use all the cookies, no matter whether the user gives consent beforehand.

  • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received: This condition isn’t met. We don’t know how many cookies our Bubble app is actually using, because many plugins can use/add/modify cookies, and we don’t know what cookies Bubble is using in the background.

  • Document and store consent received from users: Where is the consent stored in Bubble? How can the user access/see/modify this?

  • Allow users to access your service even if they refuse to allow the use of certain cookies: This condition isn’t met. As explained before in the example, if any user doesn’t want to allow analytics on my website, he has no option to decline these cookies; he is forced to accept all.

  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place: Same question as in 3*

I can understand you don’t want to enter into a legal situation, but IMHO if I’m planning to use Bubble as a platform in the EU I need to be 100% sure this is GDPR compliant, with guarantees, otherwise I can be fined for not being compliant at all. I’m actually very insecure and uncomfortable with this because I’m very sure this will not work. It’s something that, as the “bubble builder”, we can’t change or use external services for. Sometimes I feel Bubble gives answers without committing or giving a 100% guarantee to the companies/individuals that are using Bubble as a platform.

After checking with our engineering team, I do need to correct myself on what I wrote before - I was getting two features mixed up.

You’re right that the cookie consent plugin just offers an FYI banner, based on the version of Osano that we’ve implemented there. So you’re also correct that this is not enough.

The other feature I got mixed up with, which should be much more helpful for GDPR compliance, is the checkbox found in Settings > General called “Do not set cookies on new users by default”. If you check this box, any visitor to your app will not get any Bubble cookies - which also means they will not get a temporary user ID. When you’re using this setting, you can also use the workflow action “Opt-in to cookies”.

The combination of these two means that you can build an experience where no users get cookies, but you can show some kind of consent element that, when the user gives consent, then turns on cookies.

(Note also that there’s a workflow action to opt out of cookies when you’re using this setting. That takes care of being able to withdraw cookie consent.)

When you’re using this setting, the user is still able to navigate around your Bubble app - but you as the creator are in control of what that experience looks like for a non-cookied user.

Bubble itself sets a certain handful of cookies which are necessary for Bubble to behave properly with a logged-in experience. Cloudflare also sets a cookie which I believe is generally regarded as necessary (and not used for things like analytics, personalization, marketing, etc.). More information about these cookies can be found here.

So in short, the above feature is what you’d use to build a user flow where visitors can consent to cookies.

Bubble does not have the feature to create categories of cookies with finer grained controls over each. But, you as the app creator do have control over which plugins you use - and some plugins will influence which cookies your app sets. (I am double checking with our legal counsel on whether the EU’s stance on controls by cookie category has changed recently.)

(The original blog post of this thread had the above feature listed, but I’m editing it now to account for the information that yusaney1 has highlighted here.)

4 Likes
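The flow described above (no cookies for a new visitor until an explicit opt-in, an opt-out that is just as easy, and a stored record of the decision), together with the checklist from the earlier post (only strictly necessary cookies on by default, site still usable after refusal), as an added example in plain JavaScript. It is not Bubble’s code or the plugin’s; the `store` and `loaders` callbacks are assumptions that stand in for Bubble’s setting, workflow actions and the plugin scripts that actually set cookies.

```javascript
// Cookie categories; true = strictly necessary, the only kind that may be on by default (no pre-ticked boxes).
const CATEGORIES = { necessary: true, analytics: false, preferences: false };
const defaultChoices = () => ({ ...CATEGORIES });
// Assumed callbacks: store.get()/store.set(record) persist the consent record; loaders[category]()
// sets that category's cookies only when called and returns a teardown that removes them again.
function createConsentGate({ store, loaders, now = () => new Date().toISOString() }) {
  const active = new Map(); // category -> teardown of the scripts/cookies currently running
  function sync(choices) {
    for (const [name, granted] of Object.entries(choices)) {
      if (granted && !active.has(name) && loaders[name]) active.set(name, loaders[name]());
      if (!granted && active.has(name)) { active.get(name)(); active.delete(name); }
    }
  }
  // Every decision is documented (timestamps) and applied immediately.
  function commit(record) { store.set(record); sync(record.choices); return record; }
  return {
    // Page load: restore a stored decision, else set only strictly necessary cookies. Returns null
    // when no decision exists yet (the banner must be shown); the site stays usable either way.
    init() {
      const record = store.get();
      sync(record ? record.choices : defaultChoices());
      return record;
    },
    // Called only from an explicit click; scrolling or continued browsing never reaches this.
    giveConsent(choices) {
      const merged = { ...defaultChoices(), ...choices };
      for (const name in CATEGORIES) if (CATEGORIES[name]) merged[name] = true; // required: not refusable
      return commit({ choices: merged, givenAt: now(), withdrawnAt: null });
    },
    // Withdrawal is one call, as easy as consenting; non-necessary cookies are torn down again.
    withdrawConsent() {
      return commit({ choices: defaultChoices(), givenAt: null, withdrawnAt: now() });
    },
    activeCategories: () => [...active.keys()].sort(),
  };
}
// Constructed demo: an in-memory store and loaders that log instead of touching document.cookie.
function demo() {
  const memory = { value: null, get: () => memory.value, set: (r) => { memory.value = r; } }, log = [];
  const loaders = Object.fromEntries(Object.keys(CATEGORIES).map((c) =>
    [c, () => { log.push(`set:${c}`); return () => log.push(`clear:${c}`); }]));
  const gate = createConsentGate({ store: memory, loaders, now: () => '2020-11-16T00:00:00Z' });
  const before = gate.init();                   // null: banner must be shown, only necessary cookies set
  gate.giveConsent({ analytics: true });        // user ticked only the analytics box
  const afterConsent = gate.activeCategories(); // ['analytics', 'necessary']
  gate.withdrawConsent();                       // back to necessary only; analytics cookies cleared
  return { before, afterConsent, afterWithdraw: gate.activeCategories(), log, stored: memory.value };
}
```

In a real page the loaders would inject the analytics or preference script tags and the teardowns would expire their cookies; the consent record is what you would show the user on a “cookie settings” page.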

An addition to my last post: we’ve heard back from our legal counsel (again, caveat, that this is our legal counsel and not yours, so if you want to be absolutely sure, you should check with your own :slight_smile: ). Their opinion is that EU regulation* requires that non-essential cookies need affirmative, opt-in consent from users, and doesn’t expressly say anything about categorizations of non-essential cookies. There is a statement that such consent should be “specific, informed and unambiguous”. Listing out the categories of cookies and giving finer-grained controls appears to be one way to satisfy this clause; arguably, one could also just be very specific and transparent about all the different cookies that the site uses, even if there’s only 1 control over all of them.

* EU regulation here being both GDPR and the ePrivacy Directive

Hello @allenyang,

Is there any existing documentation where we could find a description of the cookies set and used by Bubble (by default) and the ones relating to Bubble’s plug-ins (if Bubble plugins set any other cookies)?

That would really help for the legal docs :slight_smile:

Thanks for the update @allenyang we will run some more legal checks before proceeding with this…

However, it’s a bit weird that the Bubble website, which “is made using the Bubble editor”, is using a different “cookie consent”, actually exactly as I explained in the different posts I made here, and the “one made” by Bubble for EU users to be compliant looks exactly as it shouldn’t (TBH very disappointed here; it’s like some kind of bad joke).

If the Bubble website is made with the Bubble editor, how does it actually have the feature to create categories of the cookies that the app is using? If all that you said about the current Bubble plugin is actually true, why is Bubble using a different cookie consent?

We haven’t added it to our formal documentation yet, but I answered the question about Bubble’s default cookies here: California Consumer Privacy Act (CCPA)

We haven’t documented what cookies different plug-ins set yet. Generally it should be the cookie of the corresponding service if it’s needed for the plugin to run. Easiest way to tell without waiting for our documentation is to set up the plugin and see for yourself!

@yusaney1 I checked with our team on this one. Yes, we use this service for our main webpage: https://cookie-script.com/. It’s a paid service that allows for more customization. Please see my above responses for why you shouldn’t rely on the Bubble-made plugin (which came out a while ago) for current GDPR compliance, and for our other guidance here.

1 Like

Cookie script sounds powerful!

Would it be possible to embed this cookie script thing into a bubble site? I was thinking the integration would work if embedded into the script/meta tags in header in the SEO/metatags page.

Like they do here for SquareSpace:

Does anyone know if this works?

2 Likes

Actually it does.

2 Likes

Hi, thanks for this - it was very helpful. @allenyang , is bubble planning any further developments around this such as more granular acceptance of individual cookies that @yusaney1 was suggesting?