
Are Paddle's Cookies GDPR Compliant?

I just saw a post from another Indie Hacker announcing their new site (in Turkish): https://bulutmuhasebe.co/

I'm considering Paddle, so I checked it out.

Going to the home page for the first time then inspecting the cookies, Paddle.com has downloaded a ton of cookies:

  • intercom-session-dayl7x91
  • hubspotutk
  • _hijd
  • intercom-id-dayl7x91
  • _fbp
  • __hstc
  • _gid
  • _gcl_au
  • __hssrc
  • __cfduid
  • _ga
  • __cfduid

Looks like this includes things like Google Analytics.

I got all these cookies downloaded even before I clicked on anything (never saw a Paddle modal to view/accept their ToS/Privacy/Cookie policies, or choose what types of Paddle cookies to accept (exempt, functional, analytics, etc)).

I haven't deployed yet, but I'm seeing these in my dev site as well. I contacted Paddle, and they haven't been very helpful.

Is Paddle not GDPR compliant with the load of cookies that they are dumping on visitors?

If you integrate Paddle, what is YOUR exposure and risk of violating GDPR?

posted to Developers on April 24, 2021
  1. 1

    Note that Paddle has more issues with cookies/GDPR that I noticed. If you, for example, link directly to a purchase form on their site, they use 3rd party cookies but no consent is being shown. I contacted them about this, and they said I should show a cookie consent on my site before redirecting to that form, but it clearly doesn't work when sending the link directly to someone. The support person also said that the issue was forwarded to the technical team, but I doubt they will solve anything.

    This is anyway 100x better than Gumroad, where they add Google Analytics AND Facebook Pixel on your own website, even if you don't want or use those features, with no way to disable them.

    1. 1

      Paddle has been adding the Facebook pixel cookie (_fbp).

      The dump of cookies happens on any page that has <script src="https://cdn.paddle.com/paddle/paddle.js"></script>, even before the user takes any action like making the first click on a subscribe button.

      When was the last time you corresponded with Paddle on this issue?

      1. 1

        I think I last contacted them about this issue about 2 months ago.

  2. 1

    The GDPR popup is the worst thing that ever happened to the web. This should have been handled through an HTTP protocol update, but the bureaucrats in charge are too incompetent to understand that.

  3. 1

    Are Paddle's Cookies GDPR Compliant?

    On the face of it, likely not for the marketing/re-marketing cookies. They might argue legitimate interests if you brought a complaint to a regulator in the EU, but that would likely get slapped down.

    If you integrate Paddle, what is YOUR exposure and risk of violating GDPR?

    As a business, you should, as part of your GDPR obligations, be doing a "Record of Processing" to establish and rate the risk of any third party you use. If you're unfamiliar with how to do that, I created Dapple to help small businesses create and manage their GDPR compliance requirements.

    1. 1

      Upon first visiting Dapple, I see:

      • _hjFirstSeen
      • _hjid
      • _hjTLDTest

      I got these cookies without being given a cookie consent modal, and the option to accept/refuse.

      I'm located in the US. Is that why I get these cookies without a modal for consent?

      For people coming to your site from the EU, do they get a consent modal before the cookies load? If not, then can you help me understand how you are allowed to do this under GDPR?

      1. 1

        One of GDPR's prime motivations is to give people options around how their data is obtained, used and removed. GDPR calls out some specifics about what it considers identifying a person (e.g. I can link it to a living person using that information). Therefore things like IP addresses or building a profile using remarketing techniques fall into the specifics of "personal data".

        So in the instance of Paddle, they are potentially using tools like HubSpot, Facebook, etc. to create profiles. They should be asking people visiting their site for consent before they begin capturing and processing their personal data.

        The requirement for a "Cookie Consent modal" comes from the EU's ePrivacy Directive, not GDPR. They are linked, in fact a new version is on the way to better align them, but they aren't doing the same thing. For "cookie compliance" you need to:

        • Receive users’ consent before you use any cookies except strictly necessary cookies.
        • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
        • Document and store consent received from users.
        • Allow users to access your service even if they refuse to allow the use of certain cookies.
        • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

        However, different EU privacy regulators have taken slightly different views on cookies, which is one of the reasons why the ePrivacy Directive is getting a rewrite. Last time I looked the UK says analytics are fine without consent, FR says absolutely none without consent first, etc.

        In the instance of Dapple, I use the browser's "Do Not Track" policy for any analytics systems (e.g. Hotjar), note that and list them out in the terms and conditions*. Since I'm not using any remarketing stuff, just analytics, I believe I fall into the "necessary cookies" category.

        After all that though, if you're in the US and not really targeting EU people, theoretically you shouldn't worry about GDPR too much. Unless of course you plan on setting up shop in the EU soon.

        *Although I've now realised I've screwed up a release that should have updated the T&Cs (thanks for helping me find that!)
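An added example, not code from the thread or from any vendor named in it: a small Python audit that takes Set-Cookie headers as seen in dev tools, classifies each cookie by vendor and purpose using the cookie names reported above, and flags every cookie that is not strictly necessary yet was set before consent. The name-to-vendor mapping, the categories, and the sample values are assumptions, not facts established in the thread.

```python
import re
# Assumed name -> (vendor, category) mapping for the vendors named in the
# thread. Only "necessary" cookies may be set before consent under ePrivacy.
COOKIE_RULES = [
    (r"^(_ga|_gid)$", ("Google Analytics", "analytics")),
    (r"^_gcl_au$", ("Google Ads", "marketing")),
    (r"^_fbp$", ("Facebook Pixel", "marketing")),
    (r"^(hubspotutk|__hstc|__hssrc)$", ("HubSpot", "marketing")),
    (r"^_hj", ("Hotjar", "analytics")),
    (r"^intercom-", ("Intercom", "functional")),
    (r"^__cfduid$", ("Cloudflare", "necessary")),
    (r"^paddlejs_checkout_variant$", ("Paddle", "necessary")),
]

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = dict(p.partition("=")[::2] for p in parts[1:])
    return name.strip(), value, {k.lower(): v for k, v in attrs.items()}

def classify(name):
    """Look up vendor and purpose; unknown names need manual review."""
    for pattern, result in COOKIE_RULES:
        if re.search(pattern, name):
            return result
    return ("unknown", "unknown")

def audit(set_cookie_headers, site_domain, consent_given=False):
    """One finding per cookie; 'violation' = needed consent but set without it."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", site_domain).lstrip(".")
        vendor, category = classify(name)
        findings.append({
            "name": name, "vendor": vendor, "category": category, "domain": domain,
            "third_party": not (domain == site_domain or domain.endswith("." + site_domain)),
            "violation": category != "necessary" and not consent_given,
        })
    return findings

# Constructed sample modelled on the thread's cookie names; values are placeholders.
SAMPLE = [
    "_ga=GA1.2.111.222; Domain=.paddle.com; Path=/; Max-Age=63072000",
    "_fbp=fb.1.000.111; Domain=.paddle.com; Path=/; Max-Age=7776000",
    "hubspotutk=abc123; Domain=.paddle.com; Path=/; Max-Age=15552000",
    "__cfduid=deadbeef; Domain=.paddle.com; Path=/; HttpOnly; Secure",
    "paddlejs_checkout_variant=a; Path=/",
]
```

Run `audit(SAMPLE, "your-site.example")` on the headers captured from a fresh profile before any click; any finding with `violation` set is a cookie the consent flow should have gated.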

        1. 1

          Last time I looked the UK says analytics are fine without consent, FR says absolutely none without consent first, etc.

          This is sadly not true, analytics cookies require consent like any other.

          The grey area (towards the bottom of the linked section) is that the ICO are unlikely to go after you if you're using first-party analytics cookies (i.e., they're served from your domain, and controlled by you).

      2. 0

        GDPR only requires sites to seek permission for cookies that record personally identifiable information (PII). Google Analytics does very much do that, so users must give their consent. Cookies that are solely concerned with site functionality, e.g. the "have I seen the cookie notice dialog?" cookie, are not required to be covered in the privacy statement or have prior permission sought. Which, if you think about it, makes sense: if you can't show someone a dialog asking for their cookie permission without first showing them a dialog to ask for their cookie permission, then you would have an infinite sequence that the user could never finish answering!

  4. 1

    Just tried this in incognito mode and the only cookies I can see are paddlejs_checkout_variant and __cfduid (CloudFlare), both attached to bulutmuhasebe.co domain

    1. 1

      @gondo

      Thanks for looking into this!

      Help me understand, what does incognito mode have to do with GDPR, when visitors more likely visit a site in normal mode?

      1. 1

        It means that the cookies you listed were created by you visiting other pages.
        It has nothing to do with GDPR. I am just explaining that your assumption that Paddle creates these cookies the way you described is wrong.

        1. 1

          @gondo

          Wow! That would be great!

          I really don't have a full grasp on how cookies work.

          But, let me ask a couple more questions:

          1. In my development system (served on localhost), I'll go to my home page; in Chrome dev tools, I'll clear all of the cookies for my site (my site uses NO cookies). I can navigate to every page on my site (except the page that has the Paddle subscription buttons), and Chrome dev tools show no cookies. As soon as I navigate to the page that has the Paddle subscribe button (with <script src="https://cdn.paddle.com/paddle/paddle.js"></script>), then all of those other cookies get dumped. If what you are saying is true, then why wouldn't I get all of the cookies loaded for all of the other pages?

          2. Why do Chrome dev tools show the domain as "paddle.com" in the table (name, value, domain, path, ...)?

          Another data point. If I go to the page that has the Paddle subscription buttons and clear the cookies in Chrome dev tools, then refresh the page, all of the cookies disappear except "paddle_campaign_referrer" and "paddle_checkout_variant". But, if I 1) return a day later, 2) restart my computer, 3) use a different browser, and go back to the page with the Paddle subscription button, then the entire boat load of cookies gets downloaded like before.

          Apologies for such stupid questions. I don't fully understand how cookies work ... It would be great if this is actually a non-problem, and I could move on ...

          1. 1

            Are you sure you are not using another library or SDK that might not be GDPR compliant?

            I checked out a few sites using Paddle and my results were exactly the same as @gondo

            Another site using Paddle - https://tailwindui.com/pricing (Select a package to hit the checkout page)

            1. 1

              I'm using Firebase, and Paddle.

              These cookies only show up on the pages with the Paddle CDN.

              I've mentioned in another post here, that these will usually only show up once per day. Meaning, if I clear the cookies and refresh the page, they don't come back (except for the 2 Paddle specific cookies). But when I come back the next day, the entire load of cookies returns.

              A possible positive note: the load of cookies has not shown up today.

              I hope it's positive, but I still haven't heard from Paddle directly. On April 16, they apologized for taking so long to reach a conclusion on this (after a couple of weeks), but assured me everything would be OK. They wanted to discuss with their legal counsel who would be back 04/19. Didn't hear anything. Checked in again over the weekend, and still no response.

              I should add that I've found the rest of their email support (outside of this cookie issue) to be excellent.

              So, maybe since the cookies didn't show up today, they're actually working on it. But, I don't know. As recently as 2 days ago (when the other IH posted his MVP, and I was able to confirm that it wasn't just me getting all these cookies) the full load of cookies was getting saved.

              I sincerely hope they come up with a solution here. I've invested a lot of time to integrate Paddle, because I believe in the value they provide for world-wide tax compliance. But, it would be crazy for them to sell the value of paying extra for their service for world-wide compliance concerns, to then turn around and dump cookies that are not compliant and put my business at risk.

              If/when I hear back from them directly, I'll update IH ...

          2. 1

            I have no idea how your page works and how you implemented Paddle.js, could you share a public link somewhere?
