Cookie Banner Not compliant with GDPR, ICO, EPrivacy regulations

[ayush-oberoi]

Hello Gitcoin
Please read each and every point carefully.

Title : No active Cookie consent , No Ip anonymization and storage of non essential cookies without user's explicit consent leads to Privacy concern and possibility of financial loss through fines due to non compliance.

Description : I have noticed that Gitcoin does have cookie banner as soon as an eu visitor visits the website. There are certain non compliance issues which are described below. These are being put forward after reading the cookie and privacy policy of gitcoin.

• There is cookie banner not active cookie consent where the user explicitly control the storage of non essential cookies as described under information commissioner office (ICO) guidelines. This is clearly not acceptable as a valid consent to put forward for user under Eu data protection law. Below I referenced certain abstract from ICO guidelines. Read it full through the given link.

To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

Ref : https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/#consent

• The non essential cookies are getting stored as soon as the user visits the website. According to ICO, any type of third party web analytic cookies like google analytic's _ga , _gid etc are not essential for a website to work. These require active consent from the use which can either block or accept these cookies. In the below abstract from ICO guidelines, it is clearly written that the consent should not be anything like 'by continuing to the website" etc.

Similarly, you cannot set non-essential cookies on your website’s homepage before the user has consented to them.

Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do.

ref : https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/#consent

• Also, As claimed by Gitcoin in their privacy policy that third party cookies does send data anonymized , it is also not true because there is no I.P anonymization in the google analytics collect requests. Also these requests does collect ip address of the user and even these are not anonymized. please seen below screenshot , the collect requests are missing (aip=1) parameter. Google makes it compulsory for the websites to enable ip anonymization in order to comply with data protection policy. Please refer

https://support.google.com/analytics/answer/2763052?hl=en
https://www.datadrivenu.com/gdpr-ip-addresses-google-analytics/

• To prove my findings and concern, I have done a compliance check in adherence with the the said guidelines and found Gitcoin to beNon compliant To rule out any possibility of false positive, I have also made a compliance check for ico.org.uk and find it compliant. I attach the screenshot. I also have a detailed cookie report regarding this. This clearly contradicts the fact gitcoin put forward through cookie banner about being compliant to GDPR.

[Kweiss]

Thanks @ayush-oberoi for the report. We will have to review

[Kweiss]

Hey @ayush-oberoi - Thanks for posting this. Do you have interest in resolving these for us? We can create a bounty and pay you for your work if so. Thanks!

[ayush-oberoi]

Yes, I could possibly provide the steps to remediate the issue. Do let me know if I can continue writing the steps below?

[Kweiss]

Yes, @ayush-oberoi - We would love the support in detailing how to remediate for someone to work on.

[ayush-oberoi]

Below I provide certain recommendation and steps which could possibly solve the issue.

• Update Cookie Policy
  First, In the cookie policy Gitcoin does not have clear disclosure of types of cookies that it will be using. As I could notice they have mentioned the details of around 5 cookie storing websites not about individual cookie. I have a detailed cookie report which could easily identify the variety of cookies that gitcoin is storing across the webpages in the domain and not having a clear information in cookie policy. I'm sharing the report. Detailed-Cookie-Report.pdf

Remediation - Update the cookie policy with details of each and every cookie (Both first and third party) not about the provider only.

• Implement Active Cookie Consent and block non essential cookies unless user consent it.
  Gitcoin needs to have a clear and active cookie consent not cookie banner. As I have already shared, The cookies could be non essential whether it is first party or third party. These non essential cookies are getting stored as soon as user visits it. Please refer above ICO documentations.

Remediation - Please refer this article that demonstrates the issue which I am trying to convey and provides remediate step by step solution.

• Implement I.P Anonymization
  There might be a situation where gitcoin needs to store google analytics cookies for business requirements. But storing analytics cookies without I.P anonymization and no active consent is not acceptable. For this, gitcoin needs to have I.P anonymization enabled in google analytics. It is a feature provided by google as I have refered in the report.
  After enabling it, gitcoin then needs to update the privacy policy mentioning that it uses anonymized cookies.

Remediation - Please refer the steps in this article for enabling it.

• The second point article actually sums up the core issue that I was trying to convey. All the references are given in the original report.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 0.4 ETH (405.36 USD @ $1013.39/ETH) attached to it.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin's Discord
• $992,619.00 more funded OSS Work available on the Gitcoin Issue Explorer

[ayush-oberoi]

Hi @Kweiss, How can I claim the bounty? I have again provided my previous comment through gitcoin "express interest"

[Kweiss]

Hi @ayush-oberoi - Are you interested in fixing these things for us in our code base? If so, I am happy to assign you the bounty if you can resolve all these items for us.

[ayush-oberoi]

Hi @Kweiss ,

The issue and the remediation steps that I have addressed is something that requires changes by gitcoin core privacy team on their cookie policy, changes in the Google tag manager account which is of course not publicly accessible, google analytics settings also. My job was to concern the gitcoin about the issue, I have also provided the remediation steps and that requires access to gitcoin's Google tag manager, google analytics account which can only be done by the engineering team at gitcoin.

[Kweiss]

Thanks @ayush-oberoi - I did not understand this. What is your Eth address and I can tip you for reporting and detailing the information (It wont be as large as the bounty as we still have to do the work).

[ayush-oberoi]

Hi @Kweiss ,

Here is my ETH address

0x4CAB12e55277E164ADb59d74F2C036837960b0E5

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

The funding of 0.4 ETH (489.37 USD @ $1223.42/ETH) attached to this issue has been cancelled by the bounty submitter

• Questions? Checkout Gitcoin Help or the Gitcoin's Discord
• $1,001,401.67 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

⚡️ A tip worth 0.10000 ETH (122.34 USD @ $1223.42/ETH) has been granted to @ayush-oberoi for this issue from @Kweiss. ⚡️

Nice work @ayush-oberoi! Your tip has automatically been deposited in the ETH address we have on file.

• $1000912.30 in Funded OSS Work Available at: https://gitcoin.co/explorer
• Incentivize contributions to your repo: Send a Tip or Fund a PR
• No Email? Get help on the Gitcoin's Discord