Can't register without accepting third party cookies

Kirby

Well-known member
Affected version
2.2.12
Steps to reproduce
  1. Enable advacned cookie consent
  2. Set CAPTCHA to hCpatcha
  3. As a guest configure cookie preference to only accept essential cookies
  4. Try to register a new account
Expected Result
Registration is still possible (shows an option to consent ReCaptcha), maybe with a notice that if ReCaptcha is not consented registration will have to undergo manual approval (Preferred)
or
A message stating that consent for hCaptcha (only hCpatcha, not all 3rd parties) must be given

Actual Result
Registration is not possible without accepting all 3rd party cookies.
Requesting consent for all kinds of 3rd party cookies (like Google Analytics, Facebook, etc.) is way too broad just for registration) and doesn't seem compliant with GDPR Art. 7 (4).
 
Is it better not to activate this option then? It seems critical that this can prevent visitors from registering! It's already not easy to find visitors who want to take the plunge of registration but if in addition we put a spoke in their wheels...
 
Is it better not to activate this option then? It seems critical that this can prevent visitors from registering! It's already not easy to find visitors who want to take the plunge of registration but if in addition we put a spoke in their wheels...
I would say test it in a dev before turning it on in live to make sure you know the impacts. That's how I am proceeding. I upgraded my life this morning but won't turn the cookie features on until I have tested them thoroughly in my dev. And also written some introductory material on them and on cookies to post.
 
Is it better not to activate this option then?
You are referring to the cookie consent?
If you have to comply with GDPR or similar laws it is legally required.

But you can use a privacy friendly CAPTCHA (like Question & Answer, this doesn't require Cookies) or no CAPTCHA at all (this would be the most userfriendly option).
 
CF Turnstile does not set any cookies so that’s an option too if you do not wish for users to accept cookies before registering.
 
CF Turnstile does not set any cookies so that’s an option too if you do not wish for users to accept cookies before registering.
Turnstile isn't an option either under GDPR as data (the users IP address) might be transferred to the USA.

As the "Privacy Shield" agreement beween the EU and the US has been turned over by EUCJ ruling C-311/18 (and there is no replacement yet) such data transfer requires user consent as per GDPR Art. 6 (1) a - no matter if cookies are used or not.
 
You are referring to the cookie consent?
I'm referring to the advanced cookie consent.
If i use the "old" cookie system i'm still legally good isn't it ?

The problem you described comes from the new cookie consent, which is beta, correct ?
 
Thanks.

And so if i understand well if i activate the advanced cookie consent but i set CAPTCHA to another system than hCaptcha this combo will no prevent users to register to my forum if they only accept essentials cookies, right ? I want to be sure to not missing something.
 
but i set CAPTCHA to another system than hCaptcha this combo will no prevent users to register to my forum if they only accept essentials cookies, right ?
As pointed out before, you'd need to use
  • No CAPTCHA
  • Question and Answer
  • Text Captcha
  • Turnstile (see previous notes)
for users to be able to register without accepting 3rd party cookies.
 
Last edited:

It's starting to do a lot not for a single feature, right? Ok it's a beta feature and it implies imperfection but we're not talking about just anything but a system that allows you to comply with national and international laws. Or the only way to detect these flaws was to make this feature public? But if you are able to spot them, why aren't XenForo developers? Or do they not have the means to do so? Not enough people, lack of time... The skills for sure they have them.

Personally, I find that worrying.
 
Or maybe also XenForo was pressed for time to comply with privacy laws etc... And so it was put into action a bit in a rush, that would explain it... 🤷‍♂️
 
This is nonsense... sorry, but:

The point is that we now have the situation that there are corresponding laws and that non-compliance can be expensive if you are warned by a lawyer.

So the question is not whether we think the laws are great or not, but whether Xenforo has an interest in continuing to earn money from European customers.
Personally, I also think some points of data protection are exaggerated - but that doesn't change the legal situation.

Likewise, one cannot keep saying that it is only a German problem - yes and no. Our government has largely implemented the EU data protection regulations and in some cases even exceeded them. But that doesn't mean that the situation, which other EU countries have been dealing with much more laxly so far, can't change after all.

At the end of the day, none of this is surprisingly new and certainly easy to implement if you really want to (hello Xenforo developers). I don't think it's a matter of skill. ;)

And I also hope that the problems will still be fixed, after all this feature has only been marked as a beta so far. :)
 
I think so too. Thanks to @Kirby for investigating. (y)

@Chris D: It would be great if all those bugs related to the Advanced Cookie Consent system could be fixed with a Patch for 2.2.12. Any chance?
No. Of course there won’t be a patch. If the functionality isn’t working to your satisfaction you can just switch it off.

The functionality is also clearly marked as a beta. We’re not going to be breaking our backs and rushing out fixes for beta functionality.

Things will be fixed on a best effort basis IF certain reports are considered to be worthy of fixing at all.
 
The fact is that I don't know anything about the GDPR and consorts at all and therefore I rely mainly on what I can read here on this forum: What I understand is that it's something mandatory and that any website that stores personal data about its users must comply with it. What I understand is that the basic cookie system is not up to standard on XenForo and that probably this feature, currently beta, tends to solve this lack.

So now if we are told that we are not going to break our backs finding solutions to the bugs detected and that therefore, IF I HAVE UNDERSTOOD CORRECTLY, as it stands, this functionality still does not meet the GDPR and equivalent what is it for?? And so using XF 2 are we in rule or not ???

Otherwise, given the tone of the response, if it annoys the XenForo developers that their customers ask them to account for their paid products, that they hire someone for customer relations... It's enough that you almost never communicate, but if when you deign to answer us it's to tell us it's like that and that's it if you're not happy it's the same it gets serious!
 
So now if we are told that we are not going to break our backs finding solutions to the bugs detected and that therefore, IF I HAVE UNDERSTOOD CORRECTLY, as it stands, this functionality still does not meet the GDPR and equivalent what is it for?? And so using XF 2 are we in rule or not ???
You’re misrepresenting what we’re discussing here.

We were asked to push out a 2.2.12 Patch 1 in order to fix this issue and we’re just not going to do that when a) this functionality is in beta b) you do not have to use the functionality and you can change the option to “simple” to revert back to the same functionality as has existed for several years and c) patches take time to deploy and test on top of fixing any issues. Any issues we confirm to be issues will be fixed but will be fixed in future third point releases and not in emergency patch releases.

I don’t think that is unreasonable.
 
Back
Top Bottom