GDPR Cookie Compliance and The __cfduid Cookie

forms

#1

Hello, I'm working to bring a site into GDPR cookie compliance. We primarily use forms embedded in a non-HubSpot site, and have been able to gate the majority of our cookies behind an acceptance click. However, embedding a HubSpot form causes two 3rd-party cookies with a 1-year expiration to be set.

  • The first cookie is set just by loading the hsforms.net/forms/v2.js file, and is set under the .hsforms.net domain.
  • The second cookie is set when creating an embedded form via hbspt.forms.create; this cookie is set under the .hubspot.com domain.

To be compliant we must not set any 3rd party cookies without consent, but the issue is that just loading in the js and creating a form causes cookies to be issued. The preference would be to continue being able to show forms to visitors that have not yet accepted cookies.

Here is an example URL that has been created to show these cookies being set:
https://dev-onecallnow.pantheonsite.io/wp-content/themes/onecallnow/template-parts/test.html

Is there any method for stopping these cookies from being created?


#2

I'd like to follow this question; we have the same problem.
We have a WordPress-built webpage and found a plugin that blocks all scripts from loading until the user consents (including HubSpot forms), if it's any help: EU Cookie Law (https://wordpress.org/plugins/eu-cookie-law/)

Regarding the __cfduid cookie, did you find anything useful about that?
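
The approach described in post #2 (block the script until the user consents), applied to the two triggers listed in post #1, as an added JavaScript example that is not part of the thread and not HubSpot's own code. The names `createConsentGate`, `addForm` and `grantConsent` are hypothetical, and the full script URL `https://js.hsforms.net/forms/v2.js` is assumed from the standard embed snippet.

```javascript
// Added example: consent-gated loader for the HubSpot forms embed.
// Before grantConsent() runs, no <script> is injected and hbspt.forms.create
// is never called, so neither trigger from post #1 can fire.
const HS_FORMS_SRC = "https://js.hsforms.net/forms/v2.js"; // assumed embed URL

function createConsentGate(doc, win) {
  const pending = [];        // form configs queued while waiting
  let consented = false;
  let scriptState = "none";  // none | loading | ready

  function flush() {
    while (pending.length) win.hbspt.forms.create(pending.shift());
  }

  function loadScript() {
    if (scriptState !== "none") return; // inject at most once
    scriptState = "loading";
    const s = doc.createElement("script");
    s.src = HS_FORMS_SRC;
    s.async = true;
    s.onload = () => { scriptState = "ready"; flush(); };
    doc.head.appendChild(s);
  }

  return {
    // Call this where the page previously called hbspt.forms.create directly.
    addForm(config) {
      pending.push(config);
      if (!consented) return;           // stay silent until consent
      if (scriptState === "ready") flush(); else loadScript();
    },
    // Call this from the consent banner's "accept" handler.
    grantConsent() {
      consented = true;
      if (scriptState === "ready") flush();
      else if (pending.length) loadScript();
    },
    state: () => ({ consented, scriptState, queued: pending.length }),
  };
}
```

In a browser the gate is created with `createConsentGate(document, window)`. With this gate the form renders only after acceptance, the same trade-off as the plugin mentioned above.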


#3

Unfortunately I believe the __cfduid cookie belongs to CloudFlare.


https://cookiepedia.co.uk/cookies/__cfduid

According to Cookiepedia it does not store any personal information, but for GDPR we're all very sensitive to 3rd-party long-expiry cookies with long strings of seemingly unique IDs, which is why I bring the question here.


#4

It is categorized as "Strictly Necessary" for security reasons. As far as I could see so far, on most pages that allow opt-in for different categories of cookies, you can never deactivate the "strictly necessary" ones. So I guess it should be fine for GDPR?