Take care of your templates
Somehow, I had hoped that someone at SAP would find the budget to go through the resources that are used to build their public web sites, at least to ensure that new sites comply with the law (EU/German). I have the impression that it is too easy for anyone with a browser to find SAP web sites that interpret the law generously, especially considering that SAP is a large company. Recently I came across the event website for the SAP Mobile Day 2023 (if you can, try to join the event). As I do have access to a web browser, I took a closer look at the site.
Accessing the site gives you the mandatory cookie notification.
Decline all cookies and the site works just fine. The list of required cookies looks like the standard one for SAP sites. Google is only needed because SAP wants to use reCAPTCHA.
You have to accept marketing cookies before the site is allowed to set Google Ads cookies.
Looking at what the site actually does reveals that Google cookies are set anyway. Unfortunately not only the cookies for reCAPTCHA, but cookies for fls.doubleclick.net too: the Google advertising cookies I had just declined.
The cookies I see are:
After staying on the web site for a few minutes, the cookie list grew and looked like this:
That’s a lot of cookies considering that I chose to accept only the technically required cookies.
But why? Of course, because the web site ignores my cookie settings and calls a Google endpoint that sets cookies it should not. I could now talk in detail about data privacy, the GDPR, the law and looping in the data protection officer responsible for SAP. But first let’s find out why the cookie is set.
In the Network tab I can see that the URL is called while the page is loading.
The app is calling a Google service. The responsible line can be found at home:1133. What is the code there?
It is hard-coded: there is no check whether the user gave permission or not. And … it is code from SAPPHIRE NOW 2014? The comment reads:
Activity name of this tag: 2014_SAPPHIRENOW_CR_Social_SANOW Events Page
URL of the webpage where the tag is expected to be placed: http://events.sap.com/sapphirenow/en/home
This tag must be placed between the <body> and </body> tags, as close as possible to the opening tag.
Creation Date: 05/06/2014
Creation date 05/06/2014? This is from 2014? OK, that explains a lot. In 2014 nobody was really talking about the GDPR and cookie settings (the regulation was adopted in 2016 and has applied since May 2018). This code is almost 9 years old, and it violates the GDPR. In 9 years, nobody thought about adjusting the template? Never touch a running system, fine, but how about updating the template that runs the system from time to time?
Maybe the site creators used a standard template for event web sites. Maybe the person/team/company has a template on a shared drive and keeps reusing it from there? Maybe the site creator is not even aware that there is a problem? Anyway: governance is missing. The template should have been retired years ago or received an update. If the same template is still in use for other events: how many of them are violating the users’ cookie settings? How many cases are there? X sites multiplied by Y users who did not opt in to marketing cookies makes Z violations?
The root cause should be a warning to everyone who works with templates. Templates must be checked from time to time; creating them once is not enough. There has to be a process that prevents people from copying a template once and reusing it unchanged years later. In this case the check is simple: every third-party tag a template embeds must be wired to the consent banner, and a tag that sets advertising cookies must not fire before the matching category has been granted. What was best practice 10 years ago is maybe not best practice today. Governance is important.
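What the missing check at home:1133 would look like in practice, as an added example (my code, not SAP’s and not the event site’s): the unconditional loader that matches the pattern found on the page, a consent-gated loader next to it, and an audit that compares the cookies actually set against the user’s choice. Assumptions not taken from the page: the consent cookie format, the tag registry and its script URLs, the domain-to-category mapping, and the sample cookie list, which is constructed to resemble the situation described above rather than copied from it.

```javascript
// Added example: consent-gated third-party tags vs. the hard-coded 2014 pattern.
// Everything below that names a cookie, URL or category is an assumption.

// Categories a typical cookie banner offers; 'required' can never be declined.
const CATEGORIES = ['required', 'functional', 'marketing'];

// Tags the template wants to load. The src values are placeholders.
const TAG_REGISTRY = [
  { id: 'recaptcha', category: 'required',
    src: 'https://www.google.com/recaptcha/api.js' },
  { id: 'floodlight', category: 'marketing',
    src: 'https://fls.doubleclick.net/example-tag.js' }, // hypothetical path
];

// Assumed mapping of cookie domains to consent categories.
const DOMAIN_CATEGORY = {
  'google.com': 'required',       // reCAPTCHA
  'doubleclick.net': 'marketing', // Google Ads / Floodlight
};

// Parse an assumed consent cookie of the form
//   cookie_consent=required:1,functional:0,marketing:0
// out of a document.cookie-style string. A missing or malformed cookie
// yields consent for 'required' only (fail closed).
function parseConsent(cookieString) {
  const consent = { required: true, functional: false, marketing: false };
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieString || '');
  if (!match) return consent;
  for (const pair of match[1].split(',')) {
    const [category, value] = pair.split(':');
    if (CATEGORIES.includes(category) && category !== 'required') {
      consent[category] = value === '1';
    }
  }
  return consent;
}

// The pattern described in the post: every tag is injected, no questions asked.
function legacyLoader(registry, inject) {
  return registry.map(tag => { inject(tag.src); return tag.id; });
}

// Hardened form: inject only tags whose category was granted. Tags held
// back are reported so a consent-change handler can load them later.
function consentGatedLoader(consent, registry, inject) {
  const loaded = [], deferred = [];
  for (const tag of registry) {
    if (consent[tag.category] === true) { inject(tag.src); loaded.push(tag.id); }
    else deferred.push(tag.id);
  }
  return { loaded, deferred };
}

// Audit observed cookies: a cookie whose domain maps to a category the user
// did not grant is a violation. Unknown domains count as 'marketing' so the
// audit errs on the strict side. The last-two-labels heuristic is naive;
// a real audit should use a public-suffix list.
function auditCookies(observed, consent) {
  const violations = [];
  for (const cookie of observed) {
    const base = cookie.domain.replace(/^\./, '').split('.').slice(-2).join('.');
    const category = DOMAIN_CATEGORY[base] || 'marketing';
    if (consent[category] !== true) violations.push({ ...cookie, category });
  }
  return violations;
}

// Real injection in a browser; tests and Node callers pass a stub instead.
function domInject(src) {
  const script = document.createElement('script');
  script.src = src;
  script.async = true;
  document.body.appendChild(script);
}

// Constructed sample: the user accepted only required cookies, yet after a
// few minutes the cookie jar contains DoubleClick cookies.
const SAMPLE_COOKIE_STRING =
  'cookie_consent=required:1,functional:0,marketing:0; other=1';
const SAMPLE_OBSERVED = [
  { name: '_GRECAPTCHA', domain: 'www.google.com' },
  { name: 'test_cookie', domain: '.doubleclick.net' },
  { name: 'IDE', domain: '.doubleclick.net' },
];

function demo() {
  const consent = parseConsent(SAMPLE_COOKIE_STRING);
  return {
    consent,
    legacy: legacyLoader(TAG_REGISTRY, () => {}),
    gated: consentGatedLoader(consent, TAG_REGISTRY, () => {}),
    violations: auditCookies(SAMPLE_OBSERVED, consent),
  };
}

if (typeof document === 'undefined') console.log(JSON.stringify(demo(), null, 2));
```

Running it in Node prints that the legacy loader fires both tags, the gated loader fires only reCAPTCHA and defers the Floodlight tag, and the audit flags the two doubleclick.net cookies as marketing cookies set without consent. The deferral list is the important part for a template: the tag must be loaded from the consent-change handler, never from a hard-coded line in the page body.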
Ah, last but not least: if someone from SAP is reading this: fix the problem ASAP. Also: jQuery 1.12.0 is from January 2016 and the jQuery 1.x line is end-of-life; versions below 3.5.0 are also affected by the known DOM-manipulation XSS issues CVE-2020-11022 and CVE-2020-11023. I am somewhat disappointed that jQuery is not deleting their old libraries from the CDN as SAP does with UI5.