#6231 - GDPR: Composr must get consent before creating any cookies
| Identifier | #6231 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | GDPR: Composr must get consent before creating any cookies |
| Status | Completed |
| Tags | Roadmap: v11 (custom); Type: Legal compliance / Privacy (custom) |
| Handling member | PDStig |
| Version | 11 beta7 |
| Addon | core_privacy |
| Description | Under the GDPR, freely-given informed consent must be granted by the user *before any* cookies may be saved on their browser. Composr doesn't do this. They don't even have an opt-out strategy. This is a major problem legally. Bundle the cookie consent banner as part of core_privacy code (if not already). Modify it so that clicking OK sends an AJAX request to trigger a flag in Composr allowing cookies to be saved. May need to be careful about how to implement this as we cannot track consent by session for obvious reasons. Discuss implementation ideas first. Edit: Actually I think we can look for the cookie saved by the banner in each request to determine if Composr can send its own cookies. Edit: Make sure non-bundled addons like Hybridauth also comply. |
| Steps to reproduce | |
| Additional information | GDPR compliance |
| Funded? | No |
| Commits | |
Comments
Cookie Consent banner needs to use opt-in for GDPR compliance.
It previously only used 'inform', which means Composr always uses cookies, and the banner simply told the user such. But this violates data protection laws.
This fix ensures cookie consent has "deny" and "allow" options; and if Composr does not see the ALLOW cookie set, it assumes deny, and behaves as if cookies are not supported in the user's browser.
This also deletes the 'cookie_notice' configuration option; without prompting, Composr will always assume 'deny', so turning this off would mean Composr behaves as if every user denied cookies. It is best to prompt no matter what and get rid of this option.
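The deny-by-default gating described in this comment and in the issue's description (check each request for the banner's ALLOW cookie; if it is absent, behave as if the browser does not support cookies) can be illustrated in a few functions. This is an added example in JavaScript, not Composr's own PHP code; the cookie name `cookie_consent`, the value `allow`, and the `setCookieIfAllowed` / `recordConsentChoice` helpers are assumptions made for the illustration, and the sample requests are constructed.

```javascript
// Added example (not Composr code): deny-by-default cookie gating keyed on a
// consent cookie written by the banner. Cookie name and value are assumptions.
const CONSENT_COOKIE = 'cookie_consent';   // assumed name of the banner's cookie
const CONSENT_ALLOW = 'allow';             // assumed value meaning "user opted in"

// Parse a raw Cookie request header into a name -> value map.
// Malformed pairs (no '=') and undecodable values are skipped, not thrown.
function parseCookieHeader(header) {
  const jar = {};
  if (typeof header !== 'string') return jar;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    if (!name) continue;
    try { value = decodeURIComponent(value); } catch (e) { continue; }
    if (!(name in jar)) jar[name] = value;  // first occurrence wins
  }
  return jar;
}

// Consent exists only if the ALLOW cookie is present with the exact value.
// Absent, empty, "deny" or garbage all count as deny.
function hasCookieConsent(cookieHeader) {
  return parseCookieHeader(cookieHeader)[CONSENT_COOKIE] === CONSENT_ALLOW;
}

// Serialize one Set-Cookie header value with conservative defaults.
function serializeCookie(name, value, opts = {}) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'SameSite=Lax'];
  if (opts.maxAge !== undefined) attrs.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) attrs.push('Secure');
  if (opts.httpOnly) attrs.push('HttpOnly');
  return attrs.join('; ');
}

// Gate for every cookie the application wants to set. Returns true if the
// cookie was queued on the response, false if consent was missing, in which
// case the caller falls back to its "cookies unsupported" behaviour.
function setCookieIfAllowed(request, response, name, value, opts = {}) {
  if (!hasCookieConsent(request.headers.cookie)) return false;
  response.headers['set-cookie'] = response.headers['set-cookie'] || [];
  response.headers['set-cookie'].push(serializeCookie(name, value, opts));
  return true;
}

// The banner's choice handler: "allow" writes the consent cookie; "deny"
// (or a later withdrawal) clears it, so absence once again means deny.
function recordConsentChoice(response, choice) {
  response.headers['set-cookie'] = response.headers['set-cookie'] || [];
  if (choice === CONSENT_ALLOW) {
    response.headers['set-cookie'].push(
      serializeCookie(CONSENT_COOKIE, CONSENT_ALLOW, { maxAge: 365 * 24 * 3600, secure: true }));
  } else {
    response.headers['set-cookie'].push(
      serializeCookie(CONSENT_COOKIE, '', { maxAge: 0, secure: true }));
  }
}

// Constructed sample requests: one visitor who clicked "allow", one who did not.
function demo() {
  const allowed = { headers: { cookie: 'cookie_consent=allow; theme=dark' } };
  const denied = { headers: { cookie: 'theme=dark' } };
  const r1 = { headers: {} };
  const r2 = { headers: {} };
  return {
    allowedSet: setCookieIfAllowed(allowed, r1, 'session', 'abc123', { httpOnly: true, secure: true }),
    allowedHeaders: r1.headers['set-cookie'] || [],
    deniedSet: setCookieIfAllowed(denied, r2, 'session', 'abc123', { httpOnly: true, secure: true }),
    deniedHeaders: r2.headers['set-cookie'] || [],
  };
}
```

The important design property is that `setCookieIfAllowed` is the only path through which application cookies are emitted, so a missing or malformed consent cookie fails closed on every request rather than depending on any server-side session state, which is exactly why the description notes that consent cannot be tracked by session.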