Bubble GDPR Intro Guide - Bubble Blog

The plugin should be compliant because with it, any EU visitor will see the cookie consent from this plugin as you configure it, and only by clicking the affirmative will they have cookies set.

You’re right that GDPR requires affirmative consent from the user, not just an FYI. This plugin has certain text that it displays by default, which you see here:

But, you can customize all the text you see via Settings > Languages. It is probably a good idea to edit it to provide more context about the situation (e.g. what your site uses cookies for) - what you do here will probably also be influenced by your Privacy Policy. But regardless of the text customization, that visitor should only be cookied if they click the button (i.e. affirmatively give consent).

Thank you for the answer @allenyang, but what makes the plugin compliant or not is not the message that is shown to the user or how you customize it; it's the way the user can interact with which cookies they want to accept and which ones they don't. As a company in the EU I'm required to ask for consent for particular cookies individually, like Analytics or User preferences, and to inform the user what each individual "cookie" consent covers.

The only cookies that can be checked by default are the "required" cookies, to make sure the website will run correctly.

For example, a similar bar to the Bubble plugin's:

User interacts with the cookies:

Extended information about the cookies of the website:

This one is compliant. Why? Because the user can check/modify the cookie settings from the cookie notice.

Another example:

User interacts with the cookies:

Extended information about the cookies of the website:

I'm just informing you about this because we have run an external test/audit and we got advised that the current cookie consent isn't compliant with the current GDPR and EDPB guidelines.

Thanks.

2 Likes

GDPR is a nightmare, and you’re right @yusaney1 that the cookie consent plugin as-is is not compliant as long as it does not allow for cookie (un)selection.

It would be awesome, and a real game changer, to have this plugin able to show all cookies used by Bubble and let users interact with them. The touchy point is that by adding external plug-ins or APIs, we, as makers, can add lots of cookies Bubble is not aware of. Then, alone, this plugin won't be able to cover all GDPR requirements.

Cookie banner providers, such as Axeptio, may be an answer for compliance. I'm currently looking at Axeptio's solution and integration.

1 Like

(Friendly reminder that this should not be construed as legal advice and that you should consider speaking to legal counsel if you want guidance on your particular case.)

My understanding is that GDPR compliance doesn’t require fine-grained control over the different categories of cookies (but I do agree that is a nicer UX for privacy-conscious users).

Here’s a resource about cookies and GDPR. My read of this is that having one control for all cookies from a site is sufficient for fulfilling this particular requirement for GDPR. (There is such a thing as “strictly necessary” cookies which can be used regardless.)

In other words, the plugin I mentioned should be enough to fulfill GDPR, but it won’t provide a higher degree of customizability that you’re seeking with specific cookie categories. As @Christophe_HK suggests, there are potentially other providers out there who could offer this, but I’m not an expert there. The situation is indeed tricky given the variety of 3rd party services that could be connected to your Bubble app.

Hello again @allenyang, thanks for your answer, but this is not about your understanding or mine; it's just that, as it is now, it is not compliant.

Basically, what the GDPR looks to accomplish with the new cookie consent is that the user has to have the option to control the cookies the website is using.

As said twice, what makes it compliant is that the user HAS TO BE ABLE TO NAVIGATE the website even if he doesn't want to use any particular cookie such as analytics or others. For example: if I'm using an analytics plugin to track user experience for SEO or any other purpose, the user can't deny that particular cookie/consent.

What the Bubble plugin does is inform the user that the website is using cookies and force them to accept EVERYTHING that's running on the website. That's not compliant. I suggest you check with the legal department and you will see what I'm talking about.

As said before, we did an external audit, and we got advised on this, and that's the reason I'm writing on this thread.

We can't use an external cookie consent because we can't control which cookies are used by all the elements running in the Bubble background, such as plugins or unknown sources.

We can't add a notice saying that using this website requires accepting ALL THE COOKIES, because that's the exact reason why GDPR changed cookie policies (plus, even we as the "platform" don't know exactly which or how many cookies are running on our site).

  • Receive users' consent before you use any cookies except strictly necessary cookies: This condition isn't met. Bubble will use all the cookies, no matter whether the user gives consent first.

  • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received: This condition isn't met. We don't know how many cookies our Bubble app is actually using, because many plugins can use/add/modify cookies, and we don't know what cookies Bubble is using in the background.

  • Document and store consent received from users: Where is the consent stored in Bubble? How can the user access/see/modify this?

  • Allow users to access your service even if they refuse to allow the use of certain cookies: This condition isn't met. As explained in the example above: if a user doesn't want to allow analytics on my website, he has no option to decline these cookies; he is forced to accept all.

  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place: Same question as in point 3.

I can understand you don't want to get into a legal situation, but IMHO if I'm planning to use Bubble as a platform in the EU I need to be 100% sure this is GDPR compliant, with guarantees; otherwise I can be fined for not being compliant at all. I'm actually very insecure and uncomfortable with this because I'm very sure this will not work. It's something the "bubble builder" can't change or use external services for. Sometimes I feel Bubble gives answers without committing or giving a 100% guarantee for the companies/individuals that are using Bubble as a platform.

After checking with our engineering team, I do need to correct myself on what I wrote before - I was getting two features mixed up.

You’re right that the cookie consent plugin just offers an FYI banner, based on the version of Osano that we’ve implemented there. So you’re also correct that this is not enough.

The other feature I got mixed up with, which should be much more helpful for GDPR compliance, is the checkbox found in Settings > General called “Do not set cookies on new users by default”. If you check this box, any visitor to your app will not get any Bubble cookies - which also means they will not get a temporary user ID. When you’re using this setting, you can also use the workflow action “Opt-in to cookies”.

The combination of these two means that you can build an experience where no users get cookies, but you can show some kind of consent element that, when the user gives consent, then turns on cookies.

(Note also that there’s a workflow action to opt out of cookies when you’re using this setting. That takes care of being able to withdraw cookie consent.)

When you’re using this setting, the user is still able to navigate around your Bubble app - but you as the creator are in control of what that experience looks like for a non-cookied user.

Bubble itself sets a certain handful of cookies which are necessary for Bubble to behave properly with a logged-in experience. Cloudflare also sets a cookie which I believe is generally regarded as necessary (and not used for things like analytics, personalization, marketing, etc.). More information about these cookies can be found here.

So in short, the above feature is what you’d use to build a user flow where visitors can consent to cookies.

Bubble does not have the feature to create categories of cookies with finer grained controls over each. But, you as the app creator do have control over which plugins you use - and some plugins will influence which cookies your app sets. (I am double checking with our legal counsel on whether the EU’s stance on controls by cookie category has changed recently.)

(The original blog post of this thread had the above feature listed, but I’m editing it now to account for the information that yusaney1 has highlighted here.)

4 Likes
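As an added example (not Bubble's code or the plugin's), the opt-in/opt-out flow just described, together with the checklist points raised earlier (no non-essential cookies before consent, the consent itself stored, withdrawal as easy as consent), written as a small JavaScript consent manager; the cookie categories, cookie names and the injected cookie jar are assumptions.

```javascript
// Added example (not Bubble's code): a consent-gated cookie manager for the
// flow above. Nothing non-essential is set before opt-in, the decision is
// stored, and opt-out is one call that also deletes what was set. The jar is
// an injected Map so this runs in Node; in a browser it would be document.cookie.
// Category and cookie names are constructed examples.

const CATEGORIES = {
  necessary: { essential: true }, // may be set without consent
  analytics: { essential: false },
  marketing: { essential: false },
};
const CONSENT_COOKIE = "cookie_consent"; // stored record of the decision

class ConsentManager {
  constructor(jar, now = () => Date.now()) {
    this.jar = jar; // Map<name, { value, category }>
    this.now = now; // injectable clock, so the record is reproducible
    this.decision = null; // null = no decision recorded yet
  }
  // Persist the decision as a necessary cookie (accepted categories plus
  // timestamp) so it survives reloads and can be shown back to the user.
  record(accepted) {
    this.decision = { accepted, at: this.now() };
    this.jar.set(CONSENT_COOKIE, { value: JSON.stringify(this.decision), category: "necessary" });
    return this.decision;
  }
  // Affirmative opt-in: only known, non-essential categories are recorded.
  optIn(categories) {
    return this.record(categories.filter((c) => c in CATEGORIES && !CATEGORIES[c].essential));
  }
  // Withdrawal is as easy as consent: one call, and every cookie outside
  // the essential category is removed immediately.
  optOut() {
    for (const [name, c] of this.jar) {
      if (!CATEGORIES[c.category].essential) this.jar.delete(name);
    }
    return this.record([]);
  }
  // Gate for every cookie write (and for loading any third-party script).
  allowed(category) {
    if (!(category in CATEGORIES)) return false; // unknown = no consent
    if (CATEGORIES[category].essential) return true;
    return this.decision !== null && this.decision.accepted.includes(category);
  }
  setCookie(name, value, category) {
    if (!this.allowed(category)) return false; // refused, never set silently
    this.jar.set(name, { value, category });
    return true;
  }
}
```

In a real app the same `allowed()` check is what decides whether an analytics or marketing script is loaded at all, not only whether its cookie is written.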

An addition to my last post: we've heard back from our legal counsel (again, caveat, that this is our legal counsel and not yours, so if you want to be absolutely sure, you should check with your own :) ). Their opinion is that EU regulation* requires that non-essential cookies need affirmative, opt-in consent from users, and doesn't expressly say anything about categorizations of non-essential cookies. There is a statement that such consent should be "specific, informed and unambiguous". Listing out the categories of cookies and giving finer-grained controls appears to be one way to satisfy this clause; arguably, one could also just be very specific and transparent about all the different cookies that the site uses, even if there's only 1 control over all of them.

* EU regulation here being both GDPR and the ePrivacy Directive

Hello @allenyang,

Is there any existing documentation where we could find a description of the cookies set and used by Bubble (by default) and the ones related to Bubble's plug-ins (if Bubble plugins set any other cookies)?

That would really help for the legal docs :)

Thanks for the update @allenyang we will run some more legal checks before proceeding with this…

However, it's a bit weird that the Bubble website, which "is made using the Bubble editor", is using a different "cookie consent", actually exactly as I explained in the different posts I made here, and the "one made" by Bubble for EU users to be compliant looks exactly as it shouldn't (TBH very disappointed here; it's like some kind of bad joke).

If the Bubble website is made with the Bubble editor, how does it actually have the feature to create categories of the cookies the app is using? If everything you said about the current Bubble plugin is true, why is Bubble using a different cookie consent?

We haven’t added it to our formal documentation yet, but I answer the question about Bubble’s default cookies here: California Consumer Privacy Act (CCPA)

We haven’t documented what cookies different plug-ins set yet. Generally it should be the cookie of the corresponding service if it’s needed for the plugin to run. Easiest way to tell without waiting for our documentation is to set up the plugin and see for yourself!

@yusaney1 I checked with our team on this one. Yes, we use this service for our main webpage: https://cookie-script.com/. It’s a paid service that allows for more customization. Please see my above responses for why you shouldn’t rely on the Bubble-made plugin (which came out a while ago) for current GDPR compliance, and for our other guidance here.

1 Like

Cookie script sounds powerful!

Would it be possible to embed this cookie script thing into a bubble site? I was thinking the integration would work if embedded into the script/meta tags in header in the SEO/metatags page.

Like they do here for SquareSpace:

Does anyone know if this works?

2 Likes

Actually it does.

2 Likes

Hi, thanks for this - it was very helpful. @allenyang , is bubble planning any further developments around this such as more granular acceptance of individual cookies that @yusaney1 was suggesting?

No, not at this time. Bubble only sets a limited number of cookies on an end-user which are all important for core behavior of the app, namely staying logged in (see this post). You may also see a Cloudflare cookie from the Bubble platform but this is to make Cloudflare work technically, not to track end-user personal data.

Other cookies are likely due to certain plugins that the app creator chooses to use.

1 Like

Thanks Allen

Thanks Allen, and others, for this valuable conversation. GDPR does create issues for me (and it's not that I'm trying to track users secretly, I'm just trying not to make a mistake that costs me a fine).

That cookie script system looks like a really decent solution, and the pricing isn’t ridiculous either so thanks for sharing that one.

I appreciate what is being attempted with GDPR implementation, but the reality is, for me as a sole developer, fully understanding the requirements and keeping on top of it is just such a huge task when I'm trying to build something that users want to use.

Best wishes Phil

Hello @philip.berryuk,

You can also have a look at iubenda; their GDPR solution is great and they also provide a cookie banner blocking non-necessary cookies, according to users' consent.

There was a lifetime deal on AppSumo, maybe still available.

1 Like

@vivienne @allenyang
Quick question regarding the DPA on the Bubble website. I’m a little unclear as to how this is to be used. Am I right that this is an agreement between me as a Data Controller and Bubble as my Data Processor? So I’d put my details in as the Licensee, having copied the text, and keep it on file as my DPA with you? And then I can say I have a DPA with Bubble (as Bubble does with their data-processors)? Or would the DPA with my details included normally be available to my users on my site?

Hi Shane,

You are correct that the DPA is an agreement between you and Bubble when you are the Data Controller and Bubble is your Data Processor.

We’ve been informed by our legal counsel that since we have published our DPA publicly, it is in effect for all our customers. But, in the event that you really would like a dually signed copy, please send us an email at legal@bubble.io, and we can kick that off.

I believe the DPA between you and Bubble does not need to be available to your users, but for that question you should consult your legal counsel.

Best,
Allen

1 Like