Skip to main content

Third Party Resources

Your site should not load any third party resources prior to consent in order to prevent leaking user data, increase site speed, improve your data privacy officer's quality of sleep – and for participating in the contentpass network.

In other words: To offer the same standard of ad- and tracking-free use across all participating websites, no third-party resources are allowed to load until the user has agreed to them. With exception of your CMP, of course.

The following information is merely the basis for participation in contentpass and should not be used or understood as legal advice. As the publisher you have the final authority to decide for what purpose consent is required. However, please note we reserve the right to exclude your website from our contentpass network if we reach different conclusions. Therefore this is merely our interpretation and consideration.

Ultimately it is your responsibility to implement your CMP and third-parties in a privacy compliant manner. Additionally, it is important to note that we do not block any content on your site: contentpass users are essentially regular users who have not provided their consent for anything.

For technical reasons, with each request to a third-party server the IP address of the visitor and the browser meta information are being transmitted to that third-party. It's important to note that the IP address can be considered personal data, according to the EU court of justice, whereas the browser information can be used for fingerprinting to create user profiles. In addition to this, due to the distributed nature of the internet, you are at risk of "exporting" that user data to countries that do not adhere to EU data protection standards after the Schrems II ruling.

There have been court cases where damages have been awarded for the transmission of IP addresses. Furthermore the EU court of justice recently ruled that data subjects can claim non-material damage without a specific threshold. This means that individuals can seek compensation for privacy violations, without having to prove tangible harm.

In theory, every third-party script provider can spontaneously choose to load other scripts on your website, essentially providing a privacy violation as part of their service. In reality, this is indeed happening. It's not particularly surprising, given that the business goals of third-parties often do not align with your privacy concerns. However, remember that you ultimately bear the responsibility for the actions of your third-party partners. To put it simply, you really, really do not want to load any unnecessary third-parties. We are here to help you achieve that goal. Let's focus on privacy by design, rather than privacy by disaster!

Example integration for TCF vendors

Depending on your CMP there may be more convenient ways to achieve this, but the following example works for all TCF compliant CMPs. You can learn more about the usage of the TCF API on Github.

This snippet uses the TCF API to initialize vendor with id 755 (Google Ads) and 42 (Taboola Europe Limited) only after consent for these vendors is given. You can find the according vendor ids for your specific setup on the IAB EU website. Please proceed accordingly for all your third party vendors registered with IAB.

<script>
// Ensure sure that your CMP stub is loaded before using the `__tcfapi` function, which should make it available for use.

function loadAsyncScript(src, id, type = "text/javascript") {
  if (!document.getElementById(id)) {
    var e = document.createElement("script");
    e.async = 1;
    e.src = src;
    e.id = id;
    e.type = type;
    var f = document.getElementsByTagName("script")[0];
    f.parentNode.insertBefore(e, f);
  }
}

function loadGoogleAds() {
  loadAsyncScript(
    "https://securepubads.g.doubleclick.net/tag/js/gpt.js",
    "gads_loader_script"
  );
}

function loadTaboola(taboolaPublisherId) {
  window._taboola = window._taboola || [];
  _taboola.push({ "page-type": "auto", url: "pass-url-here" });
  loadAsyncScript(
    "https://cdn.taboola.com/libtrc/" + taboolaPublisherId + "/loader.js",
    "tb_loader_script"
  );
}

__tcfapi("addEventListener", 2, function (tcData, success) {
  if (!tcData || !success) {
    return;
  }

  console.log("CMP: __tcfapi event listener success");

  if (
    tcData.eventStatus !== "useractioncomplete" &&
    tcData.eventStatus !== "tcloaded"
  ) {
    return;
  }

  console.log(
    "CMP: __tcfapi event listener consent ready",
    tcData.vendor.consents
  );

  if (!tcData.vendor || !tcData.vendor.consents) {
    return;
  }

  // check consent for vendor 755 (Google Ads)
  if (tcData.vendor.consents[755]) {
    loadGoogleAds();
  }

  // check consent for vendor 42 (Taboola Europe Limited)
  if (tcData.vendor.consents[42]) {
    loadTaboola("YOUR-TABOOLA-PUBLISHER-ID-GOES-HERE");
  }

  if (tcData.listenerId) {
    __tcfapi("removeEventListener", 2, function () {}, tcData.listenerId);
  }
});

</script>

Other third-parties

Libraries, Google Fonts & public CDNs

Since all relevant browsers introduced Cache Partitioning to prevent fingerprinting, there is no longer any benefit in loading jQuery & Co from public CDNs. On the contrary, hosting it first-party would actually result in faster performance as it reduces the need for additional DNS lookups and SSL handshakes.

The same is also true for Google Fonts. Added bonus: Serving them locally helps you to avoid punitive damages. If you're using Wordpress, have a look at the section below how to easily resolve this issue.

Tag Managers

It can be argued that tag managers are being used without consent, using the legal base of legitimate interest instead. But... when punitive damages have been awarded for loading static CSS and font files from a Google owned CDN, that's a difficult position to be in. Even more so considering that JavaScript based tag managers are vastly more powerful compared to a simple font service using static files. Tag managers also have the potential to use fingerprinting or in case of GTM even identify users logged-in with other Google services.

On top of that – loading other scripts is actually the purpose of tag managers. Tag managers by default do not consider consent signals. This can pose higher risks, especially since they are often handled by non-technical staff.

Therefore we recommend loading essential scripts as first party. This ensures smooth functioning for contentpass users, who often use adblockers to block Google Tag Manager & Co. These users are the same ones who, rightfully so, may express their discontent on social media when blocked elements appear in their browser bar, even though they pay for ad- and tracking-free access.

In a nutshell: Please do not load tag managers for contentpass users. If it is absolutely necessary to load your tag manager before obtaining consent, see the Fast Path section below to find solutions to manage this.

Audience Measurement

To better understand your content's success we advise implementing an on-premise privacy-first analytics solution. If the data is processed by a third-party instead, you need to ensure through appropriate contracts that you're the sole controller of the data, and all data processed by the third-party is only being used for your purposes.

If you choose to use Google Analytics & Co., please ensure that you track only when you have obtained proper consent to do so.

Regardless of the implementation, you may not process IP addresses for contentpass users (or any users without consent) to uniquely identify users. Storing any data on user devices, without prior consent, is only allowed if it's "strictly necessary" to provide the service requested by the user.

While consent-based analytics automatically excludes contentpass users, our preference would be for you to exclude them from any analytics. Even when no personal data is being processed. See section Fast Path for details.

Youtube, Instagram, Facebook, TikTok, Google Maps, Disqus, Glomex and other embeds

Most embeds are provided by companies whose main source of revenue is advertising and tracking. This might explain why, for example, YouTube embeds automatically load Google's advertising stack by default, unless they are explicitly configured otherwise.

Whenever possible, please use the privacy-friendly configuration when integrating third-party content. But also make sure that no requests to these third-parties are made prior to consent. If a visitor has not provided consent yet, you must display an inline consent element that allows the user to confirm the loading of third-party content.

If your chosen content provider loads resources from other third parties, we recommend discussing this potential privacy breach with them.

They should only load their sub-processors based on TCF consent signals. If the discussion with the content provider does not provide immediate results, there is a less ideal but feasible solution: You can include these additional third-parties in your vendor list and build an inline consent implementation which supports multiple vendors.

Some CMPs offer helpful tools for these inline consent cases for certain third-party providers. For details, see our CMP documentation pages or contact your CMP.

Sharing articles

Please refrain from using AddThis, ShareThis, or similar services as well as the SDKs of social networks. Because, in this instance, there's no free lunch. Instead, you can achieve similar functionality with a simple link as in the following examples.

Please note that all placeholders (e.g., <POST_URL>) must be replaced, and all parameters must be URL-encoded for proper functionality.

Facebook

Share a post:

<a href="https://www.facebook.com/sharer/sharer.php?u=<POST_URL>">Share Post</a>

X / Twitter

Tweet:

<a href="https://x.com/intent/tweet?text=<TEXT>&url=<URL>&hashtags=<COMMA_SEPARATED_TAGS_WITHOUT_HASHES>&via=<TWITTER_HANDLE>">Tweet</a>

Retweet:

<a href="https://x.com/intent/retweet?tweet_id=<TWEET_ID>">Retweet</a>

Like:

<a href="https://x.com/intent/like?tweet_id=<TWEET_ID>">Like</a>

Mini-Profile:

<a href="https://x.com/intent/user?screen_name=<TWITTER_HANDLE>"></a>

Follow:

<a href="https://x.com/intent/follow?screen_name=<TWITTER_HANDLE>">Follow</a>

Pinterest

Create (Save/Pin It):

<a href="https://www.pinterest.com/pin/create/button/?url=<URL>&media=<IMAGE_URL>&description=<DESCRIPTION>">Pin</a>

Follow User (Business):

<a href="https://pinterest.com/follow/<USERNAME>">Follow</a>

Follow Board (Business):

<a href="https://pinterest.com/follow/<USERNAME>/<BOARD_NAME><USERNAME>">Follow board</a>

Linkedin

Share an article:

<a href="https://www.linkedin.com/sharing/share-offsite/?url=<ARTICLE_OR_POST_URL>">Share</a>

WhatsApp

Share on WhatsApp:

<a href="https://wa.me/?text=<PRE-FILLED_MESSAGE_TEXT>">Share on WhatsApp</a>

Social Logins / SSO

Unfortunately a lot of the SSO providers are also focussed on data collection. Some providers, such as Facebook, don't even offer a dedicated SDK solely for authorization purposes.

It is our opinion that it should be the user's choice to decide which of those SSO providers they trust: Please initialize the respective login SDKs only after the user has selected their desired auth provider.

Gravatar

Gravatar is a service that provides profile pictures for users interacting on your site. They associate the profile pictures based on the mail addresses of the users that registered with them. We're sure that you have beautiful visitors, but please do not send every mail address of every user that ever commented on your platform to Gravatar, for the off-chance of being able to display a pretty avatar. If your website uses Wordpress, you can use the One User Avatar plugin to prevent that.

Captchas

Captchas help to protect websites from spam and abuse by using a "CAPTCHA" test to tell human and bots apart. To provide this service they need to process personal data like IP addresses and browser information. While captchas play a vital role in web security, they should not be loaded for contentpass users. We take measures, like email verification, to strongly indicate that our users are genuine. Therefore, your property should refrain from loading such services for authenticated users with valid subscriptions, or alternatively, disable the service.

The following example demonstrates how you can load the ReCaptcha script only for non-contentpass users using the contentpass SDK, ensuring no PII is processed for contentpass users. We have also included an example of a handler for the submit button to execute the captcha verification and submit the form. Please note this example uses the ReCaptcha v3 API.

warning

If your site has some logic that depends on the presence of the captcha, this example may break your site for contentpass users. Please make sure to adjust the code to your specific needs. You can use the cp('authenticate') function to check if the user is authenticated and has a valid subscription, then introduce a bypass for the captcha.

<html>
  <body>
    <script type="text/javascript">
      // contentpass stub goes here...
    </script>

    <script type="text/javascript">
      // Ensure that the recaptcha script is only loaded once.
      var resolveOnRecaptchaLoadedPromise = null;
      var onRecaptchaLoadedPromise = new Promise(function (resolve) {
        resolveOnRecaptchaLoadedPromise = resolve;
      });
      function onRecaptchaLoadedCallback() {
        if (resolveOnRecaptchaLoadedPromise) {
          resolveOnRecaptchaLoadedPromise(window.grecaptcha);
        }
      }

      // Load Recaptcha based on the contentpass login status.
      // Only load the script when the user is not a logged-in contentpass subscriber.
      cp('authenticate', (err, user) => {
        if (err || !user.hasValidSubscription()) {
          var recaptchaScript = document.createElement('script');
          recaptchaScript.setAttribute(
            'src',
            'https://www.recaptcha.net/recaptcha/api.js?onload=onRecaptchaLoadedCallback&render=reCAPTCHA_site_key',
          );
          document.head.appendChild(recaptchaScript);
        }
      });
    </script>

    <script type="text/javascript">
      function onSubmitButtonClick(e) {
        e.preventDefault();
        cp('authenticate', (err, user) => {
          var recaptchaPromise = Promise.resolve();
          if (err || !user.hasValidSubscription()) {
            recaptchaPromise = onRecaptchaLoadedPromise.then(function (grecaptcha) {
              return grecaptcha.execute('reCAPTCHA_site_key', { action: 'submit' });
            });
          }
          recaptchaPromise.then(function () {
            // Add your logic to submit to your backend server here.
          });
        });
      }
    </script>

    <form>
      <button onclick="onSubmitButtonClick">Submit</button>
    </form>
  </body>
</html>
danger

Google Recaptcha sets a cookie and requires consent according to the French DPA CNIL. At the very least you should use Google's offering hosted on recaptcha.net, like in the above code example. Please note that this does not ensure the service is fully GDPR compliant. While the above integration ensures compliance with contentpass requirements, you may also want to explore a privacy-friendly alternative captcha provider for all other users.

Acceptable Third-Parties

As long as there's no user data involved (keep in mind that IP address are nearly always collected) or when you retain full legal control of the user data in question, there are a small number of use cases for which you can use services that are technically operated by a third-party.

To make this work, you need to have a contract that ensures that the service provider:

  • is not accessing the device (no cookies, no localstorage)
  • and it's parent companies are based within the European Union, or a country with comparable privacy legislation such as Canada
  • is keeping your user's data separate from other client's user data
  • is using the user data exclusively for the purposes you ask for

Above all else, the service you choose must of course be something firmly established on the legal base of "legitimate interest" (GDPR Article 6.1 lit. f).

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

An example for such an essential service that outweighs fundamental rights and freedoms of the data subject could be a Content Delivery Network.

Although there's a catch: The GDPR applies for all citizens of EU, independent of their location. Meaning that CDNs by definition expose you to the risk of transmitting your user's IP addresses to countries where EU privacy levels can't be guaranteed. This topic is currently being contested in court. If you want to be on the safe side, and your visitors are mostly from within the EU, you could chose a CDN provider based in EU and exclusively use their European data centers.

Like for CDNs, there are European alternatives for nearly all relevant essential services. For instance, here are two providers for GDPR-compliant Captchas:

Loading times - Fast Path

We understand that loading times are very important to you. Especially advertisements should load as fast as possible to guarantee monetization of users who gave full consent. The best way is to rely on the TCF API and load third parties when according consent is given by the user. See the examples above on how to do that.

In some situations, you may want to load third parties (like cookieless analytics or Pingdom) specifically for non-contentpass users, without basing it on TCF consent. In such cases you can use the cp('authenticate') API function to check the contentpass login status of the current user.

By default, this will wait for our SDK to be loaded. However, for visitors who are not logged in, we don’t want to slow down the page load. Therefore, we provide a so-called fast-path for the non-logged-in users. You just need to add the following stub extension next to the regular stub to ensure that the authenticate function quickly returns for non-logged-in users, without waiting for our SDK to load. If the user is likely to be a contentpass user, the call is delayed until the SDK is loaded and the proper result is returned later.

When making use of the fast-path option it is technically possible to set up your site compliant with contentpass requirements, as no unwanted third-parties are being loaded for contentpass users – but still violate the GDPR regulation for users that did not give consent or login with contentpass (yet). Use with caution!

warning

The following snippet uses placeholder values that you need to replace with the correct values for your property.

  • var cpBaseUrl = 'https://cp.example.com'
  • var cpPropertyId = '1234abcd'

You can find the correct values for your property on the Publisher Dashboard

// CP parameters
var cpBaseUrl = 'https://cp.example.com';
var cpController = cpBaseUrl + '/now.js';
var cpPropertyId = '1234abcd';

// Regular stub
// prettier-ignore
!function(C,o,n,t,P,a,s){C.CPObject=n,C[n]||(C[n]=function(m,x){
C[n].q||(C[n].q=[]),
C[n].q.push(arguments),C[n].patched||("fatal"===m&&x&&(C[n].le=x,
Array.prototype.forEach.call(C[n].q,(function(e){
"error"===e[0]&&"function"==typeof e[1]&&e[1](x)
}))),C[n].le&&"error"===m&&"function"==typeof x&&x(C[n].le))}),C[n].l=+new Date,
C[n].sv=4,(a=o.createElement(t)).onerror=function(e){C[n]("fatal",e)
},a.src=P,(s=o.getElementsByTagName(t)[0]).parentNode.insertBefore(a,s)
}(window,document,"cp","script",cpController);

// Stub extension "Fast Path"
// prettier-ignore
!function(C,o,n,t,P,a,s){C[n]&&!C[n].patched&&(C[n]("extension","authenticate"),
P=C[n].q.push,C[n].q.push=function(e){if("authenticate"===e[0]){try{
t=-1===(o.cookie||"").indexOf("_cpauthhint=")&&!(C.localStorage||{})._cpuser&&
-1===C.location.href.toLowerCase().indexOf("cpauthenticated")}catch(e){t=!1}if(t)
return a={isLoggedIn:function(){return!1},hasValidSubscription:function(){return!1}},
"function"==typeof e[1]&&e[1](null,a),C[n].afp=!0,P.apply(C[n].q,[["authenticate",null]]),a}
return P.apply(C[n].q,[e])})
}(window,document,"cp");

// SDK initialization
cp('create', cpPropertyId, { baseUrl: cpBaseUrl });

// Fast Path Option:
// Check for login and subscription status
cp('authenticate', function (err, user) {
  if (err || (!user.isLoggedIn() && !user.hasValidSubscription())) {
    // Load your third party resources for users who are not contentpass users here
    //
    // Be aware, that this function just checks for contentpass subscription status.
    // Therefore code implemented here will be executed immediately and independently
    // of the consent status.
    //
    // To prevent execution for first-time visitors prior to consent, you'd either
    // need to check the TCF API as outlined above and therefore wait for the CMP,
    // or look for CMP-specific cookies instead.
  }
});

Sounds complicated... Help?

Depending on your starting point towards a privacy friendly and compliant offering, it might require some effort, yes. However we have built tooling to help you identify all third-parties present on your site.

contentpass publisher dashboard & crawler

After setting up your property via the publisher dashboard, our in-house crawler will automatically assess it. The crawler will browse your site like it was a logged-in contentpass user, collecting requests made to external resources without consent. Our system will then review the origins of those resources and determine whether your property meets our criteria to go live. If it doesn't, the dashboard will give you guidance on what to do next.

You can whitelist any other domains you operate. This will stop our tools from flagging requests from your property to these domains and remove this blocker from your property going live.

Important: The dashboard will prevent you from whitelisting restricted domains. If our crawler detects problematic third-parties after your property has gone live, we reserve the right to revoke your property's live status until such resources are no longer being loaded.

Wordpress Plugins

If you're using Wordpress with a theme or various plugins from all over the world, implementing all of the above privacy-preserving measurements might be challenging. Luckily you're not the first to encounter such issues: