GDPR
Hi,
I am writing regarding a concern I discovered with your plugin ‘Website LLMs.txt’ (v8.4.0), installed on my WordPress site.
While investigating unknown cookies appearing on my website, I traced them back to your plugin. I found that the plugin automatically injects the following third-party tracking script into every page of my site:
https://cdn.visibilitykit.ai/t/3c870d4c0489a25d/vk.js?ver=8.4.0
This script sets the following analytics cookies on all visitors:
- _vk_attr_first (first-touch attribution data)
- _vk_landing (landing page URL)
- _vk_referrer (traffic referrer)
- _vk_session_id (session identifier)
- _vk_vid (visitor identifier)
I have since found the ‘Disconnect from Visibility Kit’ option in the plugin settings and have disabled the tracking. However, I would like to raise the following concerns:
- Opt-in vs. opt-out: The tracking is enabled by default upon installation, with no clear notification to the site owner. Under GDPR, this should be opt-in, not opt-out. Site owners should be explicitly informed during setup that VisibilityKit tracking will be activated.
- No CMP integration guidance: There is no documentation explaining how to integrate the tracking script with a Consent Management Platform (CMP) such as Cookiebot, Complianz, or similar. Under GDPR, analytics cookies must not fire until the visitor has given explicit consent. Without CMP guidance, site owners are unknowingly violating GDPR.
- No cookie declaration guidance: There is no information provided on how to properly declare the VisibilityKit cookies (vk*) in a cookie policy. Site owners need documentation describing what each cookie does, its duration, and its purpose, so they can correctly declare them in their cookie consent setup.
I would kindly suggest the following improvements to the plugin:
- Clearly inform site owners during installation/setup that VisibilityKit tracking will be enabled
- Make tracking opt-in rather than opt-out by default
- Provide documentation on how to integrate with common CMPs to ensure cookies only fire after consent is given
- Provide a cookie declaration reference listing all vk* cookies, their purpose, and their lifetime
These changes would go a long way in helping site owners remain GDPR compliant when using your plugin.
All the best and THANK YOU for providing this plugin after all! NB. I would be happy to support a paid PRO version of the plugin.
Best regards
Henrik
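The kind of check described in the post (tracing unknown cookies back to an injected third-party script) can be scripted by a site owner. The following is an added example, not part of the original post and not code from the plugin; the site origin `https://example.org`, the declared-cookie list, and the sample HTML and cookie string are constructed assumptions, while the script URL and cookie names are the ones quoted above.

```javascript
// Constructed sample: page source as served to a visitor.
const SAMPLE_HTML = `
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.visibilitykit.ai/t/3c870d4c0489a25d/vk.js?ver=8.4.0"></script>
</head><body></body></html>`;

// Constructed sample: value of document.cookie after the page has loaded.
const SAMPLE_COOKIES = "_vk_vid=abc; _vk_session_id=def; _vk_landing=%2F; wp-settings-1=x";

// Return the absolute URLs of all <script src> tags served from a host
// other than the site itself (subdomains of the site count as first-party).
function thirdPartyScripts(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const found = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    let url;
    try { url = new URL(m[1], site); } catch { continue; } // skip malformed src
    const firstParty = url.hostname === site.hostname ||
      url.hostname.endsWith("." + site.hostname);
    if (!firstParty) found.push(url.href);
  }
  return found;
}

// Return cookie names present in the browser but absent from the
// cookie policy's declared list.
function undeclaredCookies(cookieString, declared) {
  return cookieString.split(";")
    .map(part => part.trim().split("=")[0])
    .filter(name => name && !declared.includes(name));
}

// Combine both checks into one report for a page.
function auditPage(html, cookieString, siteOrigin, declared) {
  return {
    scripts: thirdPartyScripts(html, siteOrigin),
    cookies: undeclaredCookies(cookieString, declared),
  };
}

console.log(auditPage(SAMPLE_HTML, SAMPLE_COOKIES, "https://example.org", ["wp-settings-1"]));
```

Run against a page loaded without consent given, any entry in `scripts` or `cookies` is something the CMP is not yet gating or the cookie policy does not yet declare.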